27 #define PH_DEVICE_PREFIX_LENGTH 64
28 #define PH_DEVICE_MUP_PREFIX_MAX_COUNT 16
31 _In_ HANDLE ProcessHandle,
32 _In_ PLDR_DATA_TABLE_ENTRY Entry,
33 _In_ PVOID AddressOfEntry,
34 _In_opt_ PVOID Context1,
35 _In_opt_ PVOID Context2
39 _In_ HANDLE ProcessHandle,
41 _In_ ULONG AddressOfEntry,
42 _In_opt_ PVOID Context1,
43 _In_opt_ PVOID Context2
52 static ULONG PhDeviceMupPrefixesCount = 0;
73 _Out_ PHANDLE ProcessHandle,
74 _In_ ACCESS_MASK DesiredAccess,
113 _Out_ PHANDLE ThreadHandle,
114 _In_ ACCESS_MASK DesiredAccess,
146 _Out_ PHANDLE ProcessHandle,
147 _In_ ACCESS_MASK DesiredAccess,
148 _In_ HANDLE ThreadHandle
186 _Out_ PHANDLE TokenHandle,
187 _In_ ACCESS_MASK DesiredAccess,
188 _In_ HANDLE ProcessHandle
219 _Out_ PHANDLE TokenHandle,
220 _In_ ACCESS_MASK DesiredAccess,
221 _In_ HANDLE ThreadHandle,
222 _In_ BOOLEAN OpenAsSelf
235 _In_ SECURITY_INFORMATION SecurityInformation,
236 _Out_ PSECURITY_DESCRIPTOR *SecurityDescriptor
244 buffer = PhAllocate(bufferSize);
246 memset(buffer, 0, bufferSize);
248 status = NtQuerySecurityObject(
256 if (status == STATUS_BUFFER_TOO_SMALL)
259 buffer = PhAllocate(bufferSize);
260 memset(buffer, 0, bufferSize);
262 status = NtQuerySecurityObject(
277 *SecurityDescriptor = (PSECURITY_DESCRIPTOR)buffer;
284 _In_ SECURITY_INFORMATION SecurityInformation,
285 _In_ PSECURITY_DESCRIPTOR SecurityDescriptor
288 return NtSetSecurityObject(
304 _In_ HANDLE ProcessHandle,
305 _In_ NTSTATUS ExitStatus
317 if (status != STATUS_NOT_SUPPORTED)
321 return NtTerminateProcess(
334 _In_ HANDLE ProcessHandle
343 return NtSuspendProcess(ProcessHandle);
354 _In_ HANDLE ProcessHandle
363 return NtResumeProcess(ProcessHandle);
376 _In_ HANDLE ThreadHandle,
377 _In_ NTSTATUS ExitStatus
390 if (status != STATUS_NOT_SUPPORTED)
395 return NtTerminateThread(
410 _In_ HANDLE ThreadHandle,
411 _Out_opt_ PULONG PreviousSuspendCount
414 return NtSuspendThread(ThreadHandle, PreviousSuspendCount);
426 _In_ HANDLE ThreadHandle,
427 _Out_opt_ PULONG PreviousSuspendCount
430 return NtResumeThread(ThreadHandle, PreviousSuspendCount);
442 _In_ HANDLE ThreadHandle,
443 _Inout_ PCONTEXT Context
452 return NtGetContextThread(ThreadHandle, Context);
464 _In_ HANDLE ThreadHandle,
465 _In_ PCONTEXT Context
474 return NtSetContextThread(ThreadHandle, Context);
490 _In_ HANDLE ProcessHandle,
491 _In_ PVOID BaseAddress,
492 _Out_writes_bytes_(BufferSize) PVOID Buffer,
493 _In_ SIZE_T BufferSize,
494 _Out_opt_ PSIZE_T NumberOfBytesRead
537 _In_ HANDLE ProcessHandle,
538 _In_ PVOID BaseAddress,
539 _In_reads_bytes_(BufferSize) PVOID Buffer,
540 _In_ SIZE_T BufferSize,
541 _Out_opt_ PSIZE_T NumberOfBytesWritten
580 _In_ HANDLE ProcessHandle,
581 _In_ PROCESSINFOCLASS ProcessInformationClass,
587 ULONG returnLength = 0;
589 status = NtQueryInformationProcess(
591 ProcessInformationClass,
597 if (status != STATUS_BUFFER_OVERFLOW && status != STATUS_BUFFER_TOO_SMALL && status != STATUS_INFO_LENGTH_MISMATCH)
600 buffer = PhAllocate(returnLength);
601 status = NtQueryInformationProcess(
603 ProcessInformationClass,
631 _In_ HANDLE ProcessHandle,
640 ProcessImageFileName,
666 _In_ HANDLE ProcessHandle,
675 ProcessImageFileNameWin32,
703 _In_ HANDLE ProcessHandle,
712 #define PEB_OFFSET_CASE(Enum, Field) \
713 case Enum: offset = FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, Field); break; \
714 case Enum | PhpoWow64: offset = FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS32, Field); break
727 return STATUS_INVALID_PARAMETER_2;
732 PROCESS_BASIC_INFORMATION basicInfo;
733 PVOID processParameters;
765 unicodeString.Buffer,
778 ULONG processParameters32;
787 &processParameters32,
807 UlongToPtr(unicodeString32.
Buffer),
834 _In_ HANDLE ProcessHandle,
846 ProcessCommandLineInformation,
875 _In_ HANDLE ProcessHandle,
876 _Out_ PULONG WindowFlags,
882 BOOLEAN isWow64 =
FALSE;
892 ProcessWindowInformation,
912 PROCESS_BASIC_INFORMATION basicInfo;
913 PVOID processParameters;
943 ULONG processParameters32;
951 &processParameters32,
975 *WindowFlags = windowFlags;
992 _In_ HANDLE ProcessHandle,
993 _Out_ PBOOLEAN IsPosix
997 PROCESS_BASIC_INFORMATION basicInfo;
998 ULONG imageSubsystem;
1006 if (!basicInfo.PebBaseAddress)
1007 return STATUS_UNSUCCESSFUL;
1019 *IsPosix = imageSubsystem == IMAGE_SUBSYSTEM_POSIX_CUI;
1034 _In_ HANDLE ProcessHandle,
1035 _Out_ PULONG ExecuteFlags
1050 return NtQueryInformationProcess(
1052 ProcessExecuteFlags,
1061 _In_ HANDLE ProcessHandle,
1062 _Out_ PULONG DepStatus
1086 *DepStatus = depStatus;
1110 _In_ HANDLE ProcessHandle,
1115 PROCESS_BASIC_INFORMATION basicInfo;
1116 PVOID processParameters;
1144 PVOID pointer = NULL;
1145 PVOID firstPointer = NULL;
1146 PVOID lastPointer = NULL;
1147 BOOLEAN zeroReached =
FALSE;
1149 ULONG commandLineChunkSize;
1150 PCHAR commandLineChunk;
1156 while (i <
sizeof(PVOID) * 100)
1166 if (pointer && !firstPointer)
1167 firstPointer = pointer;
1169 lastPointer = pointer;
1181 commandLineChunkSize = (ULONG)((PBYTE)lastPointer - (PBYTE)firstPointer);
1184 if (commandLineChunkSize > 0x1000)
1185 return STATUS_UNSUCCESSFUL;
1187 commandLineChunk = PhAllocate(commandLineChunkSize);
1194 commandLineChunkSize,
1198 PhFree(commandLineChunk);
1203 for (i = 0; i < commandLineChunkSize; i++)
1205 if (commandLineChunk[i] == 0)
1207 commandLineChunk[i] =
' ';
1210 if (i == commandLineChunkSize - 1)
1212 commandLineChunkSize--;
1219 PhFree(commandLineChunk);
1241 _In_ HANDLE ProcessHandle,
1243 _Out_ PVOID *Environment,
1244 _Out_ PULONG EnvironmentLength
1248 PVOID environmentRemote;
1249 MEMORY_BASIC_INFORMATION mbi;
1251 ULONG environmentLength;
1255 PROCESS_BASIC_INFORMATION basicInfo;
1256 PVOID processParameters;
1284 ULONG processParameters32;
1285 ULONG environmentRemote32;
1295 &processParameters32,
1304 &environmentRemote32,
1310 environmentRemote = UlongToPtr(environmentRemote32);
1318 sizeof(MEMORY_BASIC_INFORMATION),
1323 environmentLength = (ULONG)(mbi.RegionSize -
1324 ((ULONG_PTR)environmentRemote - (ULONG_PTR)mbi.BaseAddress));
1331 return STATUS_NO_MEMORY;
1345 *Environment = environment;
1347 if (EnvironmentLength)
1348 *EnvironmentLength = environmentLength;
1354 _In_ PVOID Environment,
1355 _In_ ULONG EnvironmentLength,
1356 _Inout_ PULONG EnumerationKey,
1369 length = EnvironmentLength /
sizeof(WCHAR);
1371 currentIndex = *EnumerationKey;
1372 currentChar = (PWCHAR)Environment + currentIndex;
1373 startIndex = currentIndex;
1379 if (currentIndex >= length)
1381 if (*currentChar ==
'=')
1383 if (*currentChar == 0)
1390 nameLength = currentIndex - startIndex;
1394 startIndex = currentIndex;
1395 value = currentChar;
1400 if (currentIndex >= length)
1402 if (*currentChar == 0)
1409 valueLength = currentIndex - startIndex;
1412 *EnumerationKey = currentIndex;
1414 Variable->Name.Buffer = name;
1415 Variable->Name.Length = nameLength *
sizeof(WCHAR);
1416 Variable->Value.Buffer = value;
1417 Variable->Value.Length = valueLength *
sizeof(WCHAR);
1434 _In_ HANDLE ProcessHandle,
1435 _In_ PVOID BaseAddress,
1442 SIZE_T returnLength;
1446 buffer = PhAllocate(bufferSize);
1457 if (status == STATUS_BUFFER_OVERFLOW)
1460 bufferSize = returnLength;
1461 buffer = PhAllocate(bufferSize);
1481 unicodeString->Buffer,
1499 _In_ HANDLE ProcessHandle,
1507 bufferSize = 0x8000;
1508 buffer = PhAllocate(bufferSize);
1517 )) == STATUS_INFO_LENGTH_MISMATCH)
1524 return STATUS_INSUFFICIENT_RESOURCES;
1526 buffer = PhAllocate(bufferSize);
1549 _In_ HANDLE ProcessHandle,
1580 *WsCounters = wsCounters;
1593 _In_ HANDLE ProcessHandle,
1594 _In_ ULONG IoPriority
1608 return NtSetInformationProcess(
1627 _In_ HANDLE ProcessHandle,
1628 _In_ ULONG ExecuteFlags
1640 _In_ HANDLE ProcessHandle,
1641 _In_ ULONG DepStatus
1660 _In_ HANDLE ProcessHandle,
1661 _In_ ULONG DepStatus,
1662 _In_opt_ PLARGE_INTEGER Timeout
1666 HANDLE threadHandle;
1667 PVOID setProcessDepPolicy;
1672 if (!setProcessDepPolicy)
1673 return STATUS_NOT_SUPPORTED;
1678 flags |= PROCESS_DEP_ENABLE;
1680 flags |= PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION;
1699 if (threadHandle = CreateRemoteThread(
1703 (PTHREAD_START_ROUTINE)setProcessDepPolicy,
1709 status = STATUS_SUCCESS;
1721 status = NtWaitForSingleObject(threadHandle,
FALSE, Timeout);
1722 NtClose(threadHandle);
1742 _In_ HANDLE ProcessHandle,
1743 _In_ PWSTR FileName,
1744 _In_opt_ PLARGE_INTEGER Timeout
1748 static PVOID loadLibraryW32 = NULL;
1753 BOOLEAN isWow64 =
FALSE;
1754 BOOLEAN isModule32 =
FALSE;
1759 PVOID baseAddress = NULL;
1761 HANDLE threadHandle;
1771 isModule32 = mappedImage.
Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC;
1783 threadStart = loadLibraryW32;
1789 kernel32FileName =
PhConcatStrings2(USER_SHARED_DATA->NtSystemRoot, L
"\\SysWow64\\kernel32.dll");
1792 kernel32FileName->
Buffer,
1803 threadStart = loadLibraryW32;
1809 allocSize = fileName.
Length +
sizeof(WCHAR);
1825 fileName.
Length +
sizeof(WCHAR),
1849 if (!(threadHandle = CreateRemoteThread(
1853 (PTHREAD_START_ROUTINE)threadStart,
1865 status = NtWaitForSingleObject(threadHandle,
FALSE, Timeout);
1866 NtClose(threadHandle);
1892 _In_ HANDLE ProcessHandle,
1893 _In_ PVOID BaseAddress,
1894 _In_opt_ PLARGE_INTEGER Timeout
1898 static PVOID ldrUnloadDll32 = NULL;
1903 BOOLEAN isWow64 =
FALSE;
1904 BOOLEAN isModule32 =
FALSE;
1906 HANDLE threadHandle;
1925 if (isWow64 && status == STATUS_DLL_NOT_FOUND)
1952 threadStart = ldrUnloadDll32;
1958 ntdll32FileName =
PhConcatStrings2(USER_SHARED_DATA->NtSystemRoot, L
"\\SysWow64\\ntdll.dll");
1972 threadStart = ldrUnloadDll32;
1994 if (!(threadHandle = CreateRemoteThread(
1998 (PTHREAD_START_ROUTINE)threadStart,
2011 status = NtWaitForSingleObject(threadHandle,
FALSE, Timeout);
2013 if (status == STATUS_WAIT_0)
2021 NtClose(threadHandle);
2034 _In_ HANDLE ThreadHandle,
2035 _In_ ULONG IoPriority
2049 return NtSetInformationThread(
2059 _In_ HANDLE JobHandle,
2060 _Out_ PJOBOBJECT_BASIC_PROCESS_ID_LIST *ProcessIdList
2068 buffer = PhAllocate(bufferSize);
2070 status = NtQueryInformationJobObject(
2072 JobObjectBasicProcessIdList,
2078 if (status == STATUS_BUFFER_OVERFLOW)
2081 buffer = PhAllocate(bufferSize);
2083 status = NtQueryInformationJobObject(
2085 JobObjectBasicProcessIdList,
2098 *ProcessIdList = (PJOBOBJECT_BASIC_PROCESS_ID_LIST)buffer;
2115 _In_ HANDLE TokenHandle,
2116 _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
2122 ULONG returnLength = 0;
2126 TokenInformationClass,
2131 buffer = PhAllocate(returnLength);
2134 TokenInformationClass,
2164 _In_ HANDLE TokenHandle,
2165 _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
2171 TokenInformationClass,
2187 _In_ HANDLE TokenHandle,
2188 _Out_ PTOKEN_USER *User
2209 _In_ HANDLE TokenHandle,
2210 _Out_ PTOKEN_OWNER *Owner
2231 _In_ HANDLE TokenHandle,
2232 _Out_ PTOKEN_PRIMARY_GROUP *PrimaryGroup
2253 _In_ HANDLE TokenHandle,
2254 _Out_ PTOKEN_GROUPS *Groups
2275 _In_ HANDLE TokenHandle,
2276 _Out_ PTOKEN_PRIVILEGES *Privileges
2287 _In_ HANDLE TokenHandle,
2288 _In_ ULONG SessionId
2313 _In_ HANDLE TokenHandle,
2314 _In_opt_ PWSTR PrivilegeName,
2315 _In_opt_ PLUID PrivilegeLuid,
2316 _In_ ULONG Attributes
2320 TOKEN_PRIVILEGES privileges;
2322 privileges.PrivilegeCount = 1;
2323 privileges.Privileges[0].Attributes = Attributes;
2327 privileges.Privileges[0].Luid = *PrivilegeLuid;
2329 else if (PrivilegeName)
2337 &privileges.Privileges[0].Luid
2356 if (status == STATUS_NOT_ALL_ASSIGNED)
2363 _In_ HANDLE TokenHandle,
2364 _In_
LONG Privilege,
2365 _In_ ULONG Attributes
2384 _In_ HANDLE TokenHandle,
2385 _In_ BOOLEAN IsVirtualizationEnabled
2388 ULONG virtualizationEnabled;
2390 virtualizationEnabled = IsVirtualizationEnabled;
2394 TokenVirtualizationEnabled,
2395 &virtualizationEnabled,
2412 _In_ HANDLE TokenHandle,
2413 _Out_opt_ PMANDATORY_LEVEL IntegrityLevel,
2414 _Out_opt_ PWSTR *IntegrityString
2418 PTOKEN_MANDATORY_LABEL mandatoryLabel;
2420 MANDATORY_LEVEL integrityLevel;
2421 PWSTR integrityString;
2431 switch (subAuthority)
2433 case SECURITY_MANDATORY_UNTRUSTED_RID:
2434 integrityLevel = MandatoryLevelUntrusted;
2435 integrityString = L
"Untrusted";
2437 case SECURITY_MANDATORY_LOW_RID:
2438 integrityLevel = MandatoryLevelLow;
2439 integrityString = L
"Low";
2441 case SECURITY_MANDATORY_MEDIUM_RID:
2442 integrityLevel = MandatoryLevelMedium;
2443 integrityString = L
"Medium";
2445 case SECURITY_MANDATORY_HIGH_RID:
2446 integrityLevel = MandatoryLevelHigh;
2447 integrityString = L
"High";
2449 case SECURITY_MANDATORY_SYSTEM_RID:
2450 integrityLevel = MandatoryLevelSystem;
2451 integrityString = L
"System";
2453 case SECURITY_MANDATORY_PROTECTED_PROCESS_RID:
2454 integrityLevel = MandatoryLevelSecureProcess;
2455 integrityString = L
"Protected";
2458 return STATUS_UNSUCCESSFUL;
2462 *IntegrityLevel = integrityLevel;
2463 if (IntegrityString)
2464 *IntegrityString = integrityString;
2470 _In_ HANDLE FileHandle,
2478 ULONG bufferSize = 0x200;
2480 buffer = PhAllocate(bufferSize);
2489 FileInformationClass
2492 if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH)
2496 buffer = PhAllocate(bufferSize);
2517 _In_ HANDLE FileHandle,
2518 _Out_ PLARGE_INTEGER
Size
2542 _In_ HANDLE FileHandle,
2543 _In_ PLARGE_INTEGER
Size
2561 _In_ HANDLE TransactionManagerHandle,
2562 _In_ TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
2568 ULONG bufferSize = 0x100;
2570 if (!NtQueryInformationTransactionManager_Import())
2571 return STATUS_NOT_SUPPORTED;
2573 buffer = PhAllocate(bufferSize);
2577 status = NtQueryInformationTransactionManager_Import()(
2578 TransactionManagerHandle,
2579 TransactionManagerInformationClass,
2585 if (status == STATUS_BUFFER_OVERFLOW)
2590 if (bufferSize > 1 * 1024 * 1024)
2591 return STATUS_INSUFFICIENT_RESOURCES;
2593 buffer = PhAllocate(bufferSize);
2614 _In_ HANDLE TransactionManagerHandle,
2615 _Out_ PTRANSACTIONMANAGER_BASIC_INFORMATION BasicInformation
2618 if (NtQueryInformationTransactionManager_Import())
2620 return NtQueryInformationTransactionManager_Import()(
2621 TransactionManagerHandle,
2622 TransactionManagerBasicInformation,
2624 sizeof(TRANSACTIONMANAGER_BASIC_INFORMATION),
2630 return STATUS_NOT_SUPPORTED;
2635 _In_ HANDLE TransactionManagerHandle,
2640 PTRANSACTIONMANAGER_LOGPATH_INFORMATION logPathInfo;
2643 TransactionManagerHandle,
2644 TransactionManagerLogPathInformation,
2652 logPathInfo->LogPath,
2653 logPathInfo->LogPathLength
2661 _In_ HANDLE TransactionHandle,
2662 _In_ TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
2668 ULONG bufferSize = 0x100;
2670 if (!NtQueryInformationTransaction_Import())
2671 return STATUS_NOT_SUPPORTED;
2673 buffer = PhAllocate(bufferSize);
2677 status = NtQueryInformationTransaction_Import()(
2679 TransactionInformationClass,
2685 if (status == STATUS_BUFFER_OVERFLOW)
2690 if (bufferSize > 1 * 1024 * 1024)
2691 return STATUS_INSUFFICIENT_RESOURCES;
2693 buffer = PhAllocate(bufferSize);
2714 _In_ HANDLE TransactionHandle,
2715 _Out_ PTRANSACTION_BASIC_INFORMATION BasicInformation
2718 if (NtQueryInformationTransaction_Import())
2720 return NtQueryInformationTransaction_Import()(
2722 TransactionBasicInformation,
2724 sizeof(TRANSACTION_BASIC_INFORMATION),
2730 return STATUS_NOT_SUPPORTED;
2735 _In_ HANDLE TransactionHandle,
2736 _Out_opt_ PLARGE_INTEGER Timeout,
2737 _Out_opt_ TRANSACTION_OUTCOME *Outcome,
2742 PTRANSACTION_PROPERTIES_INFORMATION propertiesInfo;
2746 TransactionPropertiesInformation,
2755 *Timeout = propertiesInfo->Timeout;
2760 *Outcome = propertiesInfo->Outcome;
2766 propertiesInfo->Description,
2767 propertiesInfo->DescriptionLength
2777 _In_ HANDLE ResourceManagerHandle,
2778 _In_ RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
2784 ULONG bufferSize = 0x100;
2786 if (!NtQueryInformationResourceManager_Import())
2787 return STATUS_NOT_SUPPORTED;
2789 buffer = PhAllocate(bufferSize);
2793 status = NtQueryInformationResourceManager_Import()(
2794 ResourceManagerHandle,
2795 ResourceManagerInformationClass,
2801 if (status == STATUS_BUFFER_OVERFLOW)
2806 if (bufferSize > 1 * 1024 * 1024)
2807 return STATUS_INSUFFICIENT_RESOURCES;
2809 buffer = PhAllocate(bufferSize);
2830 _In_ HANDLE ResourceManagerHandle,
2831 _Out_opt_
PGUID Guid,
2836 PRESOURCEMANAGER_BASIC_INFORMATION basicInfo;
2839 ResourceManagerHandle,
2840 ResourceManagerBasicInformation,
2849 *Guid = basicInfo->ResourceManagerId;
2855 basicInfo->Description,
2856 basicInfo->DescriptionLength
2866 _In_ HANDLE EnlistmentHandle,
2867 _Out_ PENLISTMENT_BASIC_INFORMATION BasicInformation
2870 if (NtQueryInformationEnlistment_Import())
2872 return NtQueryInformationEnlistment_Import()(
2874 EnlistmentBasicInformation,
2876 sizeof(ENLISTMENT_BASIC_INFORMATION),
2882 return STATUS_NOT_SUPPORTED;
2886 typedef struct _OPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT
2890 HANDLE DriverHandle;
2896 _In_opt_ PVOID Context
2902 POPEN_DRIVER_BY_BASE_ADDRESS_CONTEXT context = Context;
2906 HANDLE driverHandle;
2941 if (basicInfo.
DriverStart == context->BaseAddress)
2943 context->Status = STATUS_SUCCESS;
2944 context->DriverHandle = driverHandle;
2950 NtClose(driverHandle);
2970 _Out_ PHANDLE DriverHandle,
2971 _In_ PVOID BaseAddress
2977 HANDLE driverDirectoryHandle;
2981 &driverDirectoryName,
2986 &driverDirectoryName,
2992 if (!
NT_SUCCESS(status = NtOpenDirectoryObject(
2993 &driverDirectoryHandle,
2999 context.Status = STATUS_OBJECT_NAME_NOT_FOUND;
3000 context.BaseAddress = BaseAddress;
3003 driverDirectoryHandle,
3007 NtClose(driverDirectoryHandle);
3014 *DriverHandle = context.DriverHandle;
3017 return context.Status;
3035 _In_ HANDLE DriverHandle,
3042 ULONG returnLength = 0;
3046 DriverInformationClass,
3051 buffer = PhAllocate(returnLength);
3054 DriverInformationClass,
3085 _In_ HANDLE DriverHandle,
3100 unicodeString->Buffer,
3121 _In_ HANDLE DriverHandle,
3136 unicodeString->Buffer,
3153 HANDLE serviceKeyHandle;
3161 return STATUS_NAME_TOO_LONG;
3168 &fullServiceKeyName->
sr,
3174 if (disposition == REG_CREATED_NEW_KEY)
3184 NtSetValueKey(serviceKeyHandle, &valueName, 0, REG_DWORD, &dword,
sizeof(ULONG));
3186 NtSetValueKey(serviceKeyHandle, &valueName, 0, REG_DWORD, &dword,
sizeof(ULONG));
3188 NtSetValueKey(serviceKeyHandle, &valueName, 0, REG_DWORD, &dword,
sizeof(ULONG));
3192 NtSetValueKey(serviceKeyHandle, &valueName, 0, REG_SZ, imagePath.Buffer, imagePath.
Length + 2);
3197 if (disposition == REG_CREATED_NEW_KEY)
3203 NtClose(serviceKeyHandle);
3228 _In_opt_ PVOID BaseAddress,
3233 HANDLE driverHandle;
3236 if (!BaseAddress && !Name)
3237 return STATUS_INVALID_PARAMETER_MIX;
3239 return STATUS_INVALID_PARAMETER_MIX;
3252 NtClose(driverHandle);
3259 if (!serviceKeyName && Name)
3273 serviceKeyName = name;
3277 if (!serviceKeyName)
3278 return STATUS_OBJECT_NAME_NOT_FOUND;
3310 _In_ HANDLE SourceProcessHandle,
3311 _In_ HANDLE SourceHandle,
3312 _In_opt_ HANDLE TargetProcessHandle,
3313 _Out_opt_ PHANDLE TargetHandle,
3314 _In_ ACCESS_MASK DesiredAccess,
3315 _In_ ULONG HandleAttributes,
3324 SourceProcessHandle,
3326 TargetProcessHandle,
3335 if (status != STATUS_NOT_SUPPORTED)
3339 return NtDuplicateObject(
3340 SourceProcessHandle,
3342 TargetProcessHandle,
3351 _In_ HANDLE ProcessHandle,
3353 _In_opt_ PVOID Context1,
3354 _In_opt_ PVOID Context2
3358 PROCESS_BASIC_INFORMATION basicInfo;
3361 PLIST_ENTRY startLink;
3362 PLIST_ENTRY currentLink;
3363 ULONG dataTableEntrySize;
3364 LDR_DATA_TABLE_ENTRY currentEntry;
3398 return STATUS_UNSUCCESSFUL;
3401 dataTableEntrySize = LDR_DATA_TABLE_ENTRY_SIZE_WIN8;
3403 dataTableEntrySize = LDR_DATA_TABLE_ENTRY_SIZE_WIN7;
3405 dataTableEntrySize = LDR_DATA_TABLE_ENTRY_SIZE_WINXP;
3414 currentLink != startLink &&
3418 PVOID addressOfEntry;
3420 addressOfEntry = CONTAINING_RECORD(currentLink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
3433 if (currentEntry.DllBase)
3446 currentLink = currentEntry.InLoadOrderLinks.Flink;
3454 _In_ HANDLE ProcessHandle,
3455 _In_ PLDR_DATA_TABLE_ENTRY Entry,
3456 _In_ PVOID AddressOfEntry,
3457 _In_opt_ PVOID Context1,
3458 _In_opt_ PVOID Context2
3465 PWSTR fullDllNameOriginal;
3466 PWSTR fullDllNameBuffer;
3467 PWSTR baseDllNameOriginal;
3468 PWSTR baseDllNameBuffer;
3470 parameters = Context1;
3471 mappedFileName = NULL;
3480 ULONG_PTR indexOfLastBackslash;
3485 if (indexOfLastBackslash != -1)
3487 Entry->BaseDllName.Buffer = Entry->FullDllName.Buffer + indexOfLastBackslash + 1;
3488 Entry->BaseDllName.Length = Entry->FullDllName.Length - (USHORT)indexOfLastBackslash * 2 - 2;
3489 Entry->BaseDllName.MaximumLength = Entry->BaseDllName.Length;
3493 Entry->BaseDllName = Entry->FullDllName;
3500 fullDllNameOriginal = Entry->FullDllName.Buffer;
3501 fullDllNameBuffer = PhAllocate(Entry->FullDllName.Length + 2);
3502 Entry->FullDllName.Buffer = fullDllNameBuffer;
3506 fullDllNameOriginal,
3508 Entry->FullDllName.Length,
3512 fullDllNameBuffer[Entry->FullDllName.Length / 2] = 0;
3516 fullDllNameBuffer[0] = 0;
3517 Entry->FullDllName.Length = 0;
3520 baseDllNameOriginal = Entry->BaseDllName.Buffer;
3525 (ULONG_PTR)baseDllNameOriginal >= (ULONG_PTR)fullDllNameOriginal &&
3526 (ULONG_PTR)baseDllNameOriginal + Entry->BaseDllName.Length >= (ULONG_PTR)baseDllNameOriginal &&
3527 (ULONG_PTR)baseDllNameOriginal + Entry->BaseDllName.Length <= (ULONG_PTR)fullDllNameOriginal + Entry->FullDllName.Length
3530 baseDllNameBuffer = NULL;
3532 Entry->BaseDllName.Buffer = (PWCHAR)((ULONG_PTR)Entry->FullDllName.Buffer +
3533 ((ULONG_PTR)baseDllNameOriginal - (ULONG_PTR)fullDllNameOriginal));
3539 baseDllNameBuffer = PhAllocate(Entry->BaseDllName.Length + 2);
3540 Entry->BaseDllName.Buffer = baseDllNameBuffer;
3544 baseDllNameOriginal,
3546 Entry->BaseDllName.Length,
3550 baseDllNameBuffer[Entry->BaseDllName.Length / 2] = 0;
3554 baseDllNameBuffer[0] = 0;
3555 Entry->BaseDllName.Length = 0;
3569 PhFree(fullDllNameBuffer);
3571 if (baseDllNameBuffer)
3572 PhFree(baseDllNameBuffer);
3590 _In_ HANDLE ProcessHandle,
3592 _In_opt_ PVOID Context
3599 parameters.
Flags = 0;
3615 _In_ HANDLE ProcessHandle,
3627 typedef struct _SET_PROCESS_MODULE_LOAD_COUNT_CONTEXT
3635 _In_ HANDLE ProcessHandle,
3636 _In_ PLDR_DATA_TABLE_ENTRY Entry,
3637 _In_ PVOID AddressOfEntry,
3638 _In_opt_ PVOID Context1,
3639 _In_opt_ PVOID Context2
3642 PSET_PROCESS_MODULE_LOAD_COUNT_CONTEXT context = Context1;
3644 if (Entry->DllBase == context->BaseAddress)
3648 PTR_ADD_OFFSET(AddressOfEntry, FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ObsoleteLoadCount)),
3649 &context->LoadCount,
3672 _In_ HANDLE ProcessHandle,
3673 _In_ PVOID BaseAddress,
3674 _In_ ULONG LoadCount
3680 context.Status = STATUS_DLL_NOT_FOUND;
3681 context.BaseAddress = BaseAddress;
3682 context.LoadCount = LoadCount;
3694 return context.Status;
3698 _In_ HANDLE ProcessHandle,
3700 _In_opt_ PVOID Context1,
3701 _In_opt_ PVOID Context2
3710 ULONG dataTableEntrySize;
3721 return STATUS_NOT_SUPPORTED;
3748 return STATUS_UNSUCCESSFUL;
3760 startLink = (ULONG)(ldr + FIELD_OFFSET(
PEB_LDR_DATA32, InLoadOrderModuleList));
3764 currentLink != startLink &&
3768 ULONG addressOfEntry;
3770 addressOfEntry = (ULONG)CONTAINING_RECORD(UlongToPtr(currentLink),
LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
3773 UlongToPtr(addressOfEntry),
3783 if (currentEntry.DllBase)
3804 _In_ HANDLE ProcessHandle,
3806 _In_ ULONG AddressOfEntry,
3807 _In_opt_ PVOID Context1,
3808 _In_opt_ PVOID Context2
3815 LDR_DATA_TABLE_ENTRY nativeEntry;
3817 PWSTR baseDllNameBuffer;
3818 PWSTR fullDllNameBuffer;
3822 parameters = Context1;
3826 memset(&nativeEntry, 0,
sizeof(LDR_DATA_TABLE_ENTRY));
3827 nativeEntry.DllBase = UlongToPtr(Entry->DllBase);
3828 nativeEntry.EntryPoint = UlongToPtr(Entry->EntryPoint);
3829 nativeEntry.SizeOfImage = Entry->SizeOfImage;
3830 UStr32ToUStr(&nativeEntry.FullDllName, &Entry->FullDllName);
3831 UStr32ToUStr(&nativeEntry.BaseDllName, &Entry->BaseDllName);
3832 nativeEntry.Flags = Entry->Flags;
3833 nativeEntry.ObsoleteLoadCount = Entry->ObsoleteLoadCount;
3834 nativeEntry.TlsIndex = Entry->TlsIndex;
3835 nativeEntry.TimeDateStamp = Entry->TimeDateStamp;
3836 nativeEntry.OriginalBase = Entry->OriginalBase;
3837 nativeEntry.LoadTime = Entry->LoadTime;
3838 nativeEntry.BaseNameHashValue = Entry->BaseNameHashValue;
3839 nativeEntry.LoadReason = Entry->LoadReason;
3841 mappedFileName = NULL;
3850 ULONG_PTR indexOfLastBackslash;
3855 if (indexOfLastBackslash != -1)
3857 nativeEntry.BaseDllName.Buffer = nativeEntry.FullDllName.Buffer + indexOfLastBackslash + 1;
3858 nativeEntry.BaseDllName.Length = nativeEntry.FullDllName.Length - (USHORT)indexOfLastBackslash * 2 - 2;
3859 nativeEntry.BaseDllName.MaximumLength = nativeEntry.BaseDllName.Length;
3863 nativeEntry.BaseDllName = nativeEntry.FullDllName;
3870 baseDllNameBuffer = PhAllocate(nativeEntry.BaseDllName.Length + 2);
3874 nativeEntry.BaseDllName.Buffer,
3876 nativeEntry.BaseDllName.Length,
3880 baseDllNameBuffer[nativeEntry.BaseDllName.Length / 2] = 0;
3884 baseDllNameBuffer[0] = 0;
3885 nativeEntry.BaseDllName.Length = 0;
3888 nativeEntry.BaseDllName.Buffer = baseDllNameBuffer;
3892 fullDllNameBuffer = PhAllocate(nativeEntry.FullDllName.Length + 2);
3896 nativeEntry.FullDllName.Buffer,
3898 nativeEntry.FullDllName.Length,
3902 fullDllNameBuffer[nativeEntry.FullDllName.Length / 2] = 0;
3907 if (!(nativeEntry.FullDllName.Length & 1))
3909 fullDllName.
Buffer = fullDllNameBuffer;
3910 fullDllName.
Length = nativeEntry.FullDllName.Length;
3920 fullDllName.
Buffer[1] =
'S';
3921 fullDllName.
Buffer[4] =
'W';
3922 fullDllName.
Buffer[5] =
'O';
3923 fullDllName.
Buffer[6] =
'W';
3924 fullDllName.
Buffer[7] =
'6';
3925 fullDllName.
Buffer[8] =
'4';
3933 fullDllNameBuffer[0] = 0;
3934 nativeEntry.FullDllName.Length = 0;
3937 nativeEntry.FullDllName.Buffer = fullDllNameBuffer;
3949 PhFree(baseDllNameBuffer);
3950 PhFree(fullDllNameBuffer);
3974 _In_ HANDLE ProcessHandle,
3976 _In_opt_ PVOID Context
3983 parameters.
Flags = 0;
4005 _In_ HANDLE ProcessHandle,
4018 _In_ HANDLE ProcessHandle,
4020 _In_ ULONG AddressOfEntry,
4021 _In_opt_ PVOID Context1,
4022 _In_opt_ PVOID Context2
4025 PSET_PROCESS_MODULE_LOAD_COUNT_CONTEXT context = Context1;
4027 if (UlongToPtr(Entry->DllBase) == context->BaseAddress)
4032 &context->LoadCount,
4060 _In_ HANDLE ProcessHandle,
4061 _In_ PVOID BaseAddress,
4062 _In_ ULONG LoadCount
4068 context.Status = STATUS_DLL_NOT_FOUND;
4069 context.BaseAddress = BaseAddress;
4070 context.LoadCount = LoadCount;
4082 return context.Status;
4085 typedef struct _GET_PROCEDURE_ADDRESS_REMOTE_CONTEXT
4091 static BOOLEAN PhpGetProcedureAddressRemoteCallback(
4092 _In_ PLDR_DATA_TABLE_ENTRY Module,
4093 _In_opt_ PVOID Context
4096 PGET_PROCEDURE_ADDRESS_REMOTE_CONTEXT context = Context;
4103 context->DllBase = Module->DllBase;
4127 _In_ HANDLE ProcessHandle,
4128 _In_ PWSTR FileName,
4129 _In_opt_ PSTR ProcedureName,
4130 _In_opt_ ULONG ProcedureNumber,
4131 _Out_ PVOID *ProcedureAddress,
4132 _Out_opt_ PVOID *DllBase
4144 context.DllBase = NULL;
4146 if (mappedImage.
Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
4159 status = STATUS_NOT_SUPPORTED;
4172 (USHORT)ProcedureNumber,
4180 *DllBase = context.DllBase;
4203 ULONG bufferSize = 2048;
4205 buffer = PhAllocate(bufferSize);
4207 status = NtQuerySystemInformation(
4214 if (status == STATUS_INFO_LENGTH_MISMATCH)
4217 buffer = PhAllocate(bufferSize);
4219 status = NtQuerySystemInformation(
4249 ULONG bufferSize = 2048;
4251 buffer = PhAllocate(bufferSize);
4253 status = NtQuerySystemInformation(
4260 if (status == STATUS_INFO_LENGTH_MISMATCH)
4263 buffer = PhAllocate(bufferSize);
4265 status = NtQuerySystemInformation(
4322 _Out_ PVOID *Processes
4341 _Out_ PVOID *Processes,
4345 static ULONG initialBufferSize[3] = { 0x4000, 0x4000, 0x4000 };
4351 switch (SystemInformationClass)
4363 return STATUS_INVALID_INFO_CLASS;
4366 bufferSize = initialBufferSize[classIndex];
4367 buffer = PhAllocate(bufferSize);
4371 status = NtQuerySystemInformation(
4372 SystemInformationClass,
4378 if (status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH)
4381 buffer = PhAllocate(bufferSize);
4395 if (bufferSize <= 0x40000) initialBufferSize[classIndex] = bufferSize;
4396 *Processes = buffer;
4415 _Out_ PVOID *Processes,
4416 _In_ ULONG SessionId
4419 static ULONG initialBufferSize = 0x4000;
4425 bufferSize = initialBufferSize;
4426 buffer = PhAllocate(bufferSize);
4428 sessionProcessInfo.
SessionId = SessionId;
4432 sessionProcessInfo.
SizeOfBuf = bufferSize;
4433 sessionProcessInfo.
Buffer = buffer;
4435 status = NtQuerySystemInformation(
4437 &sessionProcessInfo,
4442 if (status == STATUS_BUFFER_TOO_SMALL || status == STATUS_INFO_LENGTH_MISMATCH)
4445 buffer = PhAllocate(bufferSize);
4459 if (bufferSize <= 0x20000) initialBufferSize = bufferSize;
4460 *Processes = buffer;
4478 _In_ PVOID Processes,
4508 _In_ PVOID Processes,
4544 static ULONG initialBufferSize = 0x4000;
4549 bufferSize = initialBufferSize;
4550 buffer = PhAllocate(bufferSize);
4552 while ((status = NtQuerySystemInformation(
4557 )) == STATUS_INFO_LENGTH_MISMATCH)
4564 return STATUS_INSUFFICIENT_RESOURCES;
4566 buffer = PhAllocate(bufferSize);
4575 if (bufferSize <= 0x100000) initialBufferSize = bufferSize;
4600 static ULONG initialBufferSize = 0x10000;
4605 bufferSize = initialBufferSize;
4606 buffer = PhAllocate(bufferSize);
4608 while ((status = NtQuerySystemInformation(
4613 )) == STATUS_INFO_LENGTH_MISMATCH)
4620 return STATUS_INSUFFICIENT_RESOURCES;
4622 buffer = PhAllocate(bufferSize);
4631 if (bufferSize <= 0x200000) initialBufferSize = bufferSize;
4650 _Out_ PVOID *Pagefiles
4655 ULONG bufferSize = 0x200;
4657 buffer = PhAllocate(bufferSize);
4659 while ((status = NtQuerySystemInformation(
4664 )) == STATUS_INFO_LENGTH_MISMATCH)
4671 return STATUS_INSUFFICIENT_RESOURCES;
4673 buffer = PhAllocate(bufferSize);
4682 *Pagefiles = buffer;
4706 ULONG bufferSize = 0x100;
4709 buffer = PhAllocate(bufferSize);
4714 processIdInfo.
ImageName.Buffer = buffer;
4716 status = NtQuerySystemInformation(
4723 if (status == STATUS_INFO_LENGTH_MISMATCH)
4729 processIdInfo.
ImageName.Buffer = buffer;
4731 status = NtQuerySystemInformation(
4760 _Out_ PBOOLEAN IsDotNet
4767 _In_ PLDR_DATA_TABLE_ENTRY Module,
4768 _In_opt_ PVOID Context
4794 frameworkPart = &frameworkString;
4799 frameworkPart = &framework64String;
4803 fileName = Module->FullDllName;
4809 fileName.Buffer = (PWCHAR)((PCHAR)fileName.Buffer + systemRoot.
Length);
4814 fileName.Buffer = (PWCHAR)((PCHAR)fileName.Buffer + frameworkPart->
Length);
4817 if (fileName.
Length >= 4 *
sizeof(WCHAR))
4819 if (fileName.Buffer[1] ==
'1')
4821 if (fileName.Buffer[3] ==
'0')
4823 else if (fileName.Buffer[3] ==
'1')
4826 else if (fileName.Buffer[1] ==
'2')
4830 else if (fileName.Buffer[1] >=
'4' && fileName.Buffer[1] <=
'9')
4870 _In_opt_ HANDLE ProcessHandle,
4872 _Out_opt_ PBOOLEAN IsDotNet,
4873 _Out_opt_ PULONG Flags
4876 NTSTATUS status = STATUS_SUCCESS;
4877 HANDLE processHandle;
4885 HANDLE sectionHandle;
4904 PhInitFormatS(&format[0], L
"\\BaseNamedObjects\\Cor_Private_IPCBlock_v4_");
4905 sectionName =
PhFormat(format, 2, 96);
4922 if (
NT_SUCCESS(status) || status == STATUS_ACCESS_DENIED)
4925 NtClose(sectionHandle);
4933 return STATUS_SUCCESS;
4938 PhInitFormatS(&format[0], L
"\\BaseNamedObjects\\Cor_Private_IPCBlock_");
4939 sectionName =
PhFormat(format, 2, 90);
4956 if (
NT_SUCCESS(status) || status == STATUS_ACCESS_DENIED)
4959 NtClose(sectionHandle);
4967 return STATUS_SUCCESS;
4972 processHandle = NULL;
4979 ProcessHandle = processHandle;
5007 NtClose(processHandle);
5029 _In_ HANDLE DirectoryHandle,
5031 _In_opt_ PVOID Context
5036 BOOLEAN firstTime =
TRUE;
5038 POBJECT_DIRECTORY_INFORMATION buffer;
5043 buffer = PhAllocate(bufferSize);
5049 while ((status = NtQueryDirectoryObject(
5057 )) == STATUS_MORE_ENTRIES)
5061 if (buffer[0].Name.Buffer)
5068 return STATUS_INSUFFICIENT_RESOURCES;
5073 buffer = PhAllocate(bufferSize);
5090 POBJECT_DIRECTORY_INFORMATION info;
5096 if (!info->Name.Buffer)
5102 cont = Callback(&name, &typeName, Context);
5113 if (status != STATUS_MORE_ENTRIES)
5121 return STATUS_SUCCESS;
5125 _In_ HANDLE FileHandle,
5128 _In_opt_ PVOID Context
5133 BOOLEAN firstTime =
TRUE;
5135 ULONG bufferSize = 0x400;
5139 buffer = PhAllocate(bufferSize);
5163 if (status == STATUS_PENDING)
5165 status = NtWaitForSingleObject(FileHandle,
FALSE, NULL);
5171 if (status == STATUS_BUFFER_OVERFLOW || status == STATUS_INFO_LENGTH_MISMATCH)
5175 buffer = PhAllocate(bufferSize);
5184 if (status == STATUS_NO_MORE_FILES)
5186 status = STATUS_SUCCESS;
5232 _In_ HANDLE FileHandle,
5233 _Out_ PVOID *Streams
5256 for (i = 0; i < 26; i++)
5258 PhDevicePrefixes[i].
Length = 0;
5260 PhDevicePrefixes[i].Buffer = (PWCHAR)buffer;
5273 HANDLE orderKeyHandle;
5296 NtClose(orderKeyHandle);
5304 for (i = 0; i < PhDeviceMupPrefixesCount; i++)
5307 PhDeviceMupPrefixes[i] = NULL;
5310 PhDeviceMupPrefixesCount = 0;
5312 PhDeviceMupPrefixes[PhDeviceMupPrefixesCount++] =
PhCreateString(L
"\\Device\\Mup");
5320 remainingPart = providerOrder->
sr;
5322 while (remainingPart.
Length != 0)
5325 HANDLE networkProviderKeyHandle;
5335 serviceKeyName =
PhConcatStringRef3(&servicesStringPart, &part, &networkProviderStringPart);
5338 &networkProviderKeyHandle,
5341 &serviceKeyName->
sr,
5347 PhDeviceMupPrefixes[PhDeviceMupPrefixesCount] = deviceName;
5348 PhDeviceMupPrefixesCount++;
5351 NtClose(networkProviderKeyHandle);
5370 WCHAR deviceNameBuffer[7] = L
"\\??\\ :";
5373 for (i = 0; i < 26; i++)
5379 deviceNameBuffer[4] = (WCHAR)(
'A' + i);
5380 deviceName.Buffer = deviceNameBuffer;
5381 deviceName.
Length = 6 *
sizeof(WCHAR);
5393 SYMBOLIC_LINK_QUERY,
5401 &PhDevicePrefixes[i],
5405 PhDevicePrefixes[i].
Length = 0;
5410 NtClose(linkHandle);
5414 PhDevicePrefixes[i].
Length = 0;
5445 for (i = 0; i < 26; i++)
5447 BOOLEAN isPrefix =
FALSE;
5460 if (Name->Length == prefix.
Length || Name->Buffer[prefix.
Length /
sizeof(WCHAR)] ==
'\\')
5473 newName->
Buffer[0] = (WCHAR)(
'A' + i);
5474 newName->
Buffer[1] =
':';
5477 &Name->Buffer[prefix.
Length /
sizeof(WCHAR)],
5478 Name->Length - prefix.
Length
5491 for (i = 0; i < PhDeviceMupPrefixesCount; i++)
5493 BOOLEAN isPrefix =
FALSE;
5494 SIZE_T prefixLength;
5496 prefixLength = PhDeviceMupPrefixes[i]->
Length;
5498 if (prefixLength != 0)
5505 if (Name->Length != prefixLength && Name->Buffer[prefixLength /
sizeof(WCHAR)] ==
'\\')
5515 newName =
PhCreateStringEx(NULL, 1 *
sizeof(WCHAR) + Name->Length - prefixLength);
5516 newName->
Buffer[0] =
'\\';
5519 &Name->Buffer[prefixLength /
sizeof(WCHAR)],
5520 Name->Length - prefixLength
5553 newFileName = FileName;
5559 memcpy(newFileName->
Buffer, &FileName->Buffer[4], FileName->Length - 4 * 2);
5569 memcpy((PCHAR)newFileName->
Buffer + systemRoot.
Length, &FileName->Buffer[11], FileName->Length - 11 * 2);
5580 memcpy((PCHAR)newFileName->
Buffer + systemRoot.
Length + 2, FileName->Buffer, FileName->Length);
5582 else if (FileName->Length != 0 && FileName->Buffer[0] ==
'\\')
5590 newFileName = resolvedName;
5599 newFileName->
Buffer[0] = USER_SHARED_DATA->NtSystemRoot[0];
5600 newFileName->
Buffer[1] =
':';
5601 memcpy(&newFileName->
Buffer[2], FileName->Buffer, FileName->Length);
5619 typedef struct _ENUM_GENERIC_PROCESS_MODULES_CONTEXT
5626 ULONG LoadOrderIndex;
5629 static BOOLEAN EnumGenericProcessModulesCallback(
5630 _In_ PLDR_DATA_TABLE_ENTRY Module,
5631 _In_opt_ PVOID Context
5634 PENUM_GENERIC_PROCESS_MODULES_CONTEXT context;
5653 moduleInfo.
Type = context->Type;
5655 moduleInfo.
Size = Module->SizeOfImage;
5657 moduleInfo.
Flags = Module->Flags;
5661 moduleInfo.
LoadCount = Module->ObsoleteLoadCount;
5665 moduleInfo.
LoadReason = (USHORT)Module->LoadReason;
5666 moduleInfo.
LoadTime = Module->LoadTime;
5676 cont = context->Callback(&moduleInfo, context->Context);
5687 _In_opt_ PVOID Context,
5696 for (i = 0; i < Modules->NumberOfModules; i++)
5700 module = &Modules->Modules[i];
5746 cont = Callback(&moduleInfo, Context);
5759 _In_opt_ PVOID Context,
5803 cont = Callback(&moduleInfo, Context);
5816 _In_ PVOID AllocationBase,
5817 _In_ SIZE_T AllocationSize,
5821 _In_opt_ PVOID Context,
5828 moduleInfo.
Type = Type;
5830 moduleInfo.
Size = (ULONG)AllocationSize;
5832 moduleInfo.
Flags = 0;
5840 cont = Callback(&moduleInfo, Context);
5849 _In_ HANDLE ProcessHandle,
5852 _In_opt_ PVOID Context,
5856 BOOLEAN querySucceeded;
5858 MEMORY_BASIC_INFORMATION basicInfo;
5860 baseAddress = (PVOID)0;
5867 sizeof(MEMORY_BASIC_INFORMATION),
5874 querySucceeded =
TRUE;
5876 while (querySucceeded)
5878 PVOID allocationBase;
5879 SIZE_T allocationSize;
5884 if (basicInfo.Type == MEM_MAPPED || basicInfo.Type == MEM_IMAGE)
5886 if (basicInfo.Type == MEM_MAPPED)
5893 allocationBase = basicInfo.AllocationBase;
5898 baseAddress = (PVOID)((ULONG_PTR)baseAddress + basicInfo.RegionSize);
5899 allocationSize += basicInfo.RegionSize;
5906 sizeof(MEMORY_BASIC_INFORMATION),
5910 querySucceeded =
FALSE;
5913 }
while (basicInfo.AllocationBase == allocationBase);
5946 BaseAddressHashtable
5956 baseAddress = (PVOID)((ULONG_PTR)baseAddress + basicInfo.RegionSize);
5963 sizeof(MEMORY_BASIC_INFORMATION),
5967 querySucceeded =
FALSE;
5978 return *(PVOID *)Entry1 == *(PVOID *)Entry2;
6008 _In_opt_ HANDLE ProcessHandle,
6011 _In_opt_ PVOID Context
6036 baseAddressHashtable
6045 BOOLEAN opened =
FALSE;
6047 BOOLEAN isWow64 =
FALSE;
6073 context.Callback = Callback;
6074 context.Context = Context;
6076 context.BaseAddressHashtable = baseAddressHashtable;
6077 context.LoadOrderIndex = 0;
6079 parameters.
Callback = EnumGenericProcessModulesCallback;
6080 parameters.
Context = &context;
6094 context.Callback = Callback;
6095 context.Context = Context;
6097 context.BaseAddressHashtable = baseAddressHashtable;
6098 context.LoadOrderIndex = 0;
6117 baseAddressHashtable
6122 NtClose(ProcessHandle);
6142 PTOKEN_USER tokenUser;
6152 stringSid.Buffer = stringSidBuffer;
6157 tokenUser->User.Sid,
6164 NtClose(tokenHandle);
6172 currentUserKeyName->Buffer = PhAllocate(currentUserKeyName->
Length +
sizeof(WCHAR));
6173 memcpy(currentUserKeyName->Buffer, currentUserPrefix.Buffer, currentUserPrefix.
Length);
6174 memcpy(¤tUserKeyName->Buffer[currentUserPrefix.
Length /
sizeof(WCHAR)], stringSid.Buffer, stringSid.
Length);
6191 _In_opt_ HANDLE RootDirectory,
6193 _In_ ULONG Attributes,
6195 _Out_ PHANDLE NeedsClose
6199 ULONG predefineIndex;
6200 HANDLE predefineHandle;
6225 predefineHandle = PhPredefineKeyHandles[predefineIndex];
6227 if (!predefineHandle)
6231 if (!PhPredefineKeyNames[predefineIndex].Buffer)
6232 return STATUS_UNSUCCESSFUL;
6235 &predefineObjectAttributes,
6236 &PhPredefineKeyNames[predefineIndex],
6245 &predefineObjectAttributes
6252 &PhPredefineKeyHandles[predefineIndex],
6259 *NeedsClose = predefineHandle;
6263 ObjectAttributes->RootDirectory = predefineHandle;
6267 return STATUS_SUCCESS;
6290 _Out_ PHANDLE KeyHandle,
6291 _In_ ACCESS_MASK DesiredAccess,
6292 _In_opt_ HANDLE RootDirectory,
6294 _In_ ULONG Attributes,
6295 _In_ ULONG CreateOptions,
6296 _Out_opt_ PULONG Disposition
6305 return STATUS_NAME_TOO_LONG;
6329 NtClose(needsClose);
6345 _Out_ PHANDLE KeyHandle,
6346 _In_ ACCESS_MASK DesiredAccess,
6347 _In_opt_ HANDLE RootDirectory,
6349 _In_ ULONG Attributes
6358 return STATUS_NAME_TOO_LONG;
6378 NtClose(needsClose);
1.8.2