|
|
//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1999 - 2000
//
// File: modules.cpp
//
//--------------------------------------------------------------------------
// Modules.cpp: implementation of the CModules class.
//
//////////////////////////////////////////////////////////////////////
#ifndef NO_STRICT
#ifndef STRICT
#define STRICT 1
#endif
#endif /* NO_STRICT */
#include <WINDOWS.H>
#include <STDIO.H>
#include <TCHAR.H>
#include "Globals.h"
#include "Modules.h"
#include "ProgramOptions.h"
#include "UtilityFunctions.h"
#include "ModuleInfo.h"
#include "ModuleInfoNode.h"
#include "ModuleInfoCache.h"
#include "FileData.h"
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////
CModules::CModules(){ m_lpModuleInfoHead = NULL; m_hModuleInfoHeadMutex = NULL; m_lpDmpFile = NULL;
m_fInitialized = false; m_iNumberOfModules = 0;}
CModules::~CModules(){ WaitForSingleObject(m_hModuleInfoHeadMutex, INFINITE);
// If we have Module Info Objects... nuke them now...
if (m_lpModuleInfoHead) {
CModuleInfoNode * lpModuleInfoNodePointer = m_lpModuleInfoHead; CModuleInfoNode * lpModuleInfoNodePointerToDelete = m_lpModuleInfoHead;
// Traverse the linked list to the end..
while (lpModuleInfoNodePointer) { // Keep looking for the end...
// Advance our pointer to the next node...
lpModuleInfoNodePointer = lpModuleInfoNodePointer->m_lpNextModuleInfoNode; // Delete the one behind us...
delete lpModuleInfoNodePointerToDelete;
// Set the node to delete to the current...
lpModuleInfoNodePointerToDelete = lpModuleInfoNodePointer; } // Now, clear out the Head pointer...
m_lpModuleInfoHead = NULL; }
// Be a good citizen and release the Mutex
ReleaseMutex(m_hModuleInfoHeadMutex);
// Now, close the Mutex
if (m_hModuleInfoHeadMutex) { CloseHandle(m_hModuleInfoHeadMutex); m_hModuleInfoHeadMutex = NULL; }}
bool CModules::Initialize(CModuleInfoCache *lpModuleInfoCache, CFileData * lpInputFile, CFileData * lpOutputFile, CDmpFile * lpDmpFile){ // We need the following objects to do business...
if ( lpModuleInfoCache == NULL) return false;
m_lpModuleInfoCache = lpModuleInfoCache; m_lpInputFile = lpInputFile; m_lpOutputFile = lpOutputFile; m_lpDmpFile = lpDmpFile;
m_hModuleInfoHeadMutex = CreateMutex(NULL, FALSE, NULL);
if (m_hModuleInfoHeadMutex == NULL) return false;
m_fInitialized = true; return true;}
bool CModules::GetModulesData(CProgramOptions::ProgramModes enumProgramModes, bool fGetDataFromCSVFile){ switch (enumProgramModes) { case CProgramOptions::InputModulesDataFromFileSystemMode:
if (fGetDataFromCSVFile) { GetModulesDataFromFile(); } else { GetModulesDataFromFileSystem(); } break;
case CProgramOptions::InputDriversFromLiveSystemMode:
if (fGetDataFromCSVFile) { GetModulesDataFromFile(); // ISSUE-2000/07/24-GREGWI: I think we can use the same method as above ????
} else { GetModulesDataFromDeviceDrivers(); } break;
default: break; }
return true;}
bool CModules::GetModulesDataFromFileSystem(){ bool fProcessPath = true;
// Okay... here we go...
//#ifdef _DEBUG
// _tprintf(TEXT("Processing the path [%s]\n"), m_lpProgramOptions->GetInputModulesDataFromFileSystemPath());
//#endif
LPTSTR tszExpandedSymbolPath= NULL, tszSymbolPathStart, tszSymbolPathEnd;
// Mark the start of the path to process
tszSymbolPathStart = g_lpProgramOptions->GetInputModulesDataFromFileSystemPath();
// Find the end of the path
tszSymbolPathEnd = _tcschr( tszSymbolPathStart, ';' );
// If tszSymbolPathEnd is non-zero, then there is another path following...
if (tszSymbolPathEnd) *tszSymbolPathEnd = '\0'; // Change the ';' to a Null temporarily...
while (fProcessPath) {//#ifdef _DEBUG
// _tprintf(TEXT("\n\nProcessing Path [%s]\n"), tszSymbolPathStart);
//#endif
// Begin the "madness"... ;)
ScavengeForFiles(tszSymbolPathStart, 1);
// Post processing... replace the null if necessary, and advance to next string
if (tszSymbolPathEnd) { *tszSymbolPathEnd = ';'; tszSymbolPathStart = tszSymbolPathEnd + 1; tszSymbolPathEnd = _tcschr( tszSymbolPathStart, ';' );
if (tszSymbolPathEnd) { *tszSymbolPathEnd = '\0'; } } else fProcessPath = false; }
if (tszExpandedSymbolPath) { delete [] tszExpandedSymbolPath; } return true;}
bool CModules::ScavengeForFiles(LPCTSTR tszSymbolPathStart, int iRecurseDepth){ // Bale if we're in too deep...
if (iRecurseDepth > MAX_RECURSE_DEPTH) return true;
TCHAR tszFileBuffer[MAX_PATH+1]; TCHAR drive[_MAX_DRIVE]; TCHAR dir[_MAX_DIR]; TCHAR fname[_MAX_FNAME]; TCHAR ext[_MAX_EXT]; bool fNew; CModuleInfo * lpModuleInfo;
_tsplitpath(tszSymbolPathStart, drive, dir, fname, ext);
WIN32_FIND_DATA lpFindFileData;
HANDLE hFileOrDirectoryHandle = FindFirstFile(tszSymbolPathStart, &lpFindFileData);
while ( INVALID_HANDLE_VALUE != hFileOrDirectoryHandle ) { // Compose the path to the file or directory...
_tmakepath(tszFileBuffer, drive, dir, NULL, NULL); _tcscat(tszFileBuffer, lpFindFileData.cFileName);
if (lpFindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { // Check to see if we've got the . or .. directories!
if ( ( 0 == _tcscmp(lpFindFileData.cFileName, TEXT(".")) ) || ( 0 == _tcscmp(lpFindFileData.cFileName, TEXT("..")) ) ) { // Skip this one...
if (!FindNextFile(hFileOrDirectoryHandle, &lpFindFileData)) break;
// Go up for more fun...
continue; }
//#ifdef _DEBUG
// _tprintf(TEXT("DIRECTORY FOUND: [%s]\n"), tszFileBuffer);
//#endif
// If this is a directory, and no wild card was provided.. then use *.*
if ( CUtilityFunctions::ContainsWildCardCharacter(tszSymbolPathStart) ) { // We need to preserve the Wild Char stuff...
_tcscat(tszFileBuffer,TEXT("\\")); _tcscat(tszFileBuffer,fname); _tcscat(tszFileBuffer, ext); } else { // Append the *.*
_tcscat(tszFileBuffer, TEXT("\\*.*")); }
ScavengeForFiles(tszFileBuffer, iRecurseDepth+1);
} else {//#ifdef _DEBUG
// _tprintf(TEXT("FILE FOUND: [%s]\n"), tszFileBuffer);
//#endif
fNew = false;
TCHAR tszFullFileBuffer[_MAX_PATH+1]; LPTSTR tszFileNamePointer; DWORD cbBytesCopied = GetFullPathName(tszFileBuffer , _MAX_PATH+1, tszFullFileBuffer, &tszFileNamePointer);
if (cbBytesCopied) { // If "-MATCH" was specified, look to see if this filename meets our criteria
// before we save this away in our module cache...
if (!g_lpProgramOptions->fDoesModuleMatchOurSearch(tszFileBuffer)) goto getnextmodule;
// Okay, let's go ahead and get a ModuleInfo Object from our cache...
// If pfNew returns TRUE, then this object is new and we'll need
// to populate it with data...
lpModuleInfo = m_lpModuleInfoCache->AddNewModuleInfoObject(tszFullFileBuffer, &fNew);
if (false == fNew) { // We may have the object in the cache... now we need to
// save a pointer to this object in our Process Info list
AddNewModuleInfoObject(lpModuleInfo); // Just do our best...
// We save having to get the module info again for this module...
goto getnextmodule; }
// Not in the cache... so we need to init it, and get the module info...
// Okay, let's create a ModuleInfo object and pass this down
// routines that will populate it full of data...
if (lpModuleInfo->Initialize(NULL, m_lpOutputFile, NULL)) {
// Let's do it!! Populate the ModuleInfo object with data!!!!
if (lpModuleInfo->GetModuleInfo(tszFileBuffer)) { // Start obtaining information about the modules...
/*
#ifdef _DEBUG
_tprintf(TEXT("Module[%3d] = [%s]\n"), i+1, szFileName);#endif
*/ // We may have the object in the cache... now we need to
// save a pointer to this object in our Process Info list
if (AddNewModuleInfoObject(lpModuleInfo)) { } } }
} }
getnextmodule:
if (!FindNextFile(hFileOrDirectoryHandle, &lpFindFileData)) break; }
if ( INVALID_HANDLE_VALUE != hFileOrDirectoryHandle ) FindClose(hFileOrDirectoryHandle);
return true;}
bool CModules::AddNewModuleInfoObject(CModuleInfo *lpModuleInfo){ if (!m_fInitialized) return false;
// First, create a ModuleInfoNode object and then attach it to the bottom of the
// linked list of nodes...
CModuleInfoNode * lpModuleInfoNode = new CModuleInfoNode(lpModuleInfo);
//#ifdef _DEBUG
// _tprintf(TEXT("Adding Module Info Object for [%s]\n"), lpModuleInfo->GetModulePath());
//#endif
if (lpModuleInfoNode == NULL) return false; // Couldn't allocate memory..
// Acquire Mutex object to protect the linked-list...
WaitForSingleObject(m_hModuleInfoHeadMutex, INFINITE);
CModuleInfoNode * lpModuleInfoNodePointer = m_lpModuleInfoHead;
if (lpModuleInfoNodePointer) {
// Traverse the linked list to the end..
while (lpModuleInfoNodePointer->m_lpNextModuleInfoNode) { // Keep looking for the end...
lpModuleInfoNodePointer = lpModuleInfoNodePointer->m_lpNextModuleInfoNode; } lpModuleInfoNodePointer->m_lpNextModuleInfoNode = lpModuleInfoNode;
} else { // First time through, the Process Info Head pointer is null...
m_lpModuleInfoHead = lpModuleInfoNode; }
// Be a good citizen and release the Mutex
ReleaseMutex(m_hModuleInfoHeadMutex);
InterlockedIncrement(&m_iNumberOfModules);
return true;}
//bool CModules::OutputModulesData(LPCTSTR tszOutputContext)
bool CModules::OutputModulesData(CollectionTypes enumCollectionType, bool fCSVFileContext){ // Are we in quiet mode?
if ( !g_lpProgramOptions->GetMode(CProgramOptions::QuietMode) ) { // Output to Stdout?
if (!OutputModulesDataToStdout(enumCollectionType, fCSVFileContext)) return false; }
// Output to file?
if (g_lpProgramOptions->GetMode(CProgramOptions::OutputCSVFileMode)) { // Try and output to file...
if (!OutputModulesDataToFile(enumCollectionType)) return false; }
if (m_lpModuleInfoHead) { CModuleInfoNode * lpCurrentModuleInfoNode = m_lpModuleInfoHead; DWORD dwModuleNumber = 1;
while (lpCurrentModuleInfoNode) { // We have a node... print out Module Info for it, then the Modules Data...
if (lpCurrentModuleInfoNode->m_lpModuleInfo) { lpCurrentModuleInfoNode->m_lpModuleInfo->OutputData(NULL, 0, dwModuleNumber); dwModuleNumber++; }
lpCurrentModuleInfoNode = lpCurrentModuleInfoNode->m_lpNextModuleInfoNode; }
} return true;
}
bool CModules::OutputModulesDataToStdout(CollectionTypes enumCollectionType, bool fCSVFileContext){ _tprintf(TEXT("\n")); CUtilityFunctions::OutputLineOfStars();
// Output to stdout...
if (m_iNumberOfModules) { _tprintf(TEXT("%s - Printing Module Information for %d Modules.\n"), g_tszCollectionArray[enumCollectionType].tszCSVLabel, m_iNumberOfModules); _tprintf(TEXT("%s - Context: %s\n"), g_tszCollectionArray[enumCollectionType].tszCSVLabel, fCSVFileContext ? g_tszCollectionArray[enumCollectionType].tszCSVContext : g_tszCollectionArray[enumCollectionType].tszLocalContext);
} else { _tprintf(TEXT("\n%s - No modules were found!\n\n"), g_tszCollectionArray[enumCollectionType].tszCSVLabel); }
CUtilityFunctions::OutputLineOfStars(); _tprintf(TEXT("\n"));
return true;
}
bool CModules::OutputModulesDataToFile(CollectionTypes enumCollectionType){ // Don't write anything if there are no processes to report...
if (0 == m_iNumberOfModules) return true;
// Write out the Modules tag so I can detect this output format...
if (!m_lpOutputFile->WriteString(TEXT("\r\n")) || !m_lpOutputFile->WriteString(g_tszCollectionArray[enumCollectionType].tszCSVLabel) || !m_lpOutputFile->WriteString(TEXT("\r\n")) ) { _tprintf(TEXT("Failure writing CSV header to file [%s]!"), m_lpOutputFile->GetFilePath()); m_lpOutputFile->PrintLastError(); return false; }
// Write out the [Modules] header...
if (!m_lpOutputFile->WriteString(g_tszCollectionArray[enumCollectionType].tszCSVColumnHeaders)) { _tprintf(TEXT("Failure writing CSV header to file [%s]!"), m_lpOutputFile->GetFilePath()); m_lpOutputFile->PrintLastError(); return false; }
return true;
}
bool CModules::GetModulesDataFromFile(){ CModuleInfo * lpModuleInfo;
// Read the Modules Header Line
if (!m_lpInputFile->ReadFileLine()) return false;
// I need these near the end when I probe to see if the next module
// is for this process...
enum { BUFFER_SIZE = 128};
// Unfortunately, when reading from the CSV file, the data is MBCS... so I need
// to convert...
// Read the first field (should be blank, unless this is a new collection type
if (m_lpInputFile->ReadString()) return true;
// Read the second field (should be blank)
if (m_lpInputFile->ReadString()) return true;
// Read the second field (should be blank)
if (m_lpInputFile->ReadString()) return true;
// Local buffer for reading data...
char szModulePath[_MAX_PATH+1]; TCHAR tszModulePath[_MAX_PATH+1]; bool fDone = false; bool fNew = false;
while (!fDone) { // Read in the Module Path
if (!m_lpInputFile->ReadString(szModulePath, _MAX_PATH+1)) return true;
CUtilityFunctions::CopyAnsiStringToTSTR(szModulePath, tszModulePath, _MAX_PATH+1);
// If "-MATCH" was specified, look to see if this filename meets our criteria
// before we save this away in our module cache...
if (!g_lpProgramOptions->fDoesModuleMatchOurSearch(tszModulePath)) { // Okay... read to the start of the next line...
if (!m_lpInputFile->ReadFileLine()) goto cleanup;
goto probe_line; // We save having to get the module info again for this module...
}
// Okay, let's go ahead and get a ModuleInfo Object from our cache...
// If pfNew returns TRUE, then this object is new and we'll need
// to populate it with data...
lpModuleInfo = m_lpModuleInfoCache->AddNewModuleInfoObject(tszModulePath, &fNew);
if (false == fNew) { // We may have the object in the cache... now we need to
// save a pointer to this object in our Process Info list
AddNewModuleInfoObject(lpModuleInfo); // Just do our best...
// Okay... read to the start of the next line...
if ( !m_lpInputFile->ReadFileLine() ) goto cleanup;
goto probe_line; // We save having to get the module info again for this module...
}
// Not in the cache... so we need to init it, and get the module info...
if (!lpModuleInfo->Initialize(m_lpInputFile, m_lpOutputFile, NULL)) { return false; // Hmmm... memory error?
}
// Let's do it!! Populate the ModuleInfo object with data!!!!
if (!lpModuleInfo->GetModuleInfo(tszModulePath, false, 0, true)) { // Well, we tried and failed...
return false; }
// Start obtaining information about the modules...
if (!AddNewModuleInfoObject(lpModuleInfo)) { // Failure adding the node.... This is pretty serious...
return false; } // Okay, let's go ahead and probe to see what's coming...
probe_line: if ( m_lpInputFile->EndOfFile() ) goto cleanup;
// Read the first field (should be blank, unless this is a new collection type
if (m_lpInputFile->ReadString()) goto cleanup;
// Read the second field (should be blank)
if (m_lpInputFile->ReadString()) return true;
// Read the second field (should be blank)
if (m_lpInputFile->ReadString()) return true; }
cleanup: // We need to reset out pointer so the functions above us can re-read
// them (they expect to)...
m_lpInputFile->ResetBufferPointerToStart(); return true;}
// We need to enumerate device drivers on this system
bool CModules::GetModulesDataFromDeviceDrivers(){ LPVOID * lpImageBaseArray = NULL; DWORD dwImageBaseArraySizeUsed, dwImageBaseArraySize, dwNumberOfDeviceDrivers, dwIndex; TCHAR tszModulePath[_MAX_PATH]; CModuleInfo * lpModuleInfo = NULL; bool fReturn = false, fNew = false;
// NOTE: In the documentation, the third parameter of
// EnumProcesses is named cbNeeded, which implies that you
// can call the function once to find out how much space to
// allocate for a buffer and again to fill the buffer.
// This is not the case. The cbNeeded parameter returns
// the number of PIDs returned, so if your buffer size is
// zero cbNeeded returns zero.
dwImageBaseArraySize = 256 * sizeof( LPVOID ) ;
do { if( lpImageBaseArray ) { // Hmm.. we've been through this loop already, double the HeapSize and try again.
delete [] lpImageBaseArray; dwImageBaseArraySize *= 2 ; }
lpImageBaseArray = (LPVOID *) new DWORD[dwImageBaseArraySize]; if( lpImageBaseArray == NULL ) { goto error_cleanup; }
// Query the system for the total number of processes
if( !g_lpDelayLoad->EnumDeviceDrivers(lpImageBaseArray, dwImageBaseArraySize, &dwImageBaseArraySizeUsed ) ) { // It's bad if we can't enum device drivers... no place to go but to bail out...
goto error_cleanup; } } while( dwImageBaseArraySizeUsed == dwImageBaseArraySize );
// How many DeviceDrivers did we get?
dwNumberOfDeviceDrivers = dwImageBaseArraySizeUsed / sizeof( LPVOID ) ;
// Loop through each Device Drivers
for(dwIndex = 0 ; dwIndex < dwNumberOfDeviceDrivers; dwIndex++ ) { // Spin until we get a device driver filename!
if (!g_lpDelayLoad->GetDeviceDriverFileName(lpImageBaseArray[dwIndex], tszModulePath, _MAX_PATH)) continue;
CUtilityFunctions::UnMungePathIfNecessary(tszModulePath);
// For some reason, even though GetDeviceDriverFileName() is supposed to return the fullpath to the device
// driver... it don't always... sometimes it returns only the base file name...
CUtilityFunctions::FixupDeviceDriverPathIfNecessary(tszModulePath, _MAX_PATH);
if (!g_lpProgramOptions->fDoesModuleMatchOurSearch(tszModulePath)) continue;
// Okay, let's go ahead and get a ModuleInfo Object from our cache...
// If pfNew returns TRUE, then this object is new and we'll need
// to populate it with data...
lpModuleInfo = m_lpModuleInfoCache->AddNewModuleInfoObject(tszModulePath, &fNew);
if (false == fNew) { // We may have the object in the cache... now we need to
// save a pointer to this object in our Process Info list
AddNewModuleInfoObject(lpModuleInfo); // Just do our best...
continue; // We save having to get the module info again for this module...
}
// Not in the cache... so we need to init it, and get the module info...
if (!lpModuleInfo->Initialize(m_lpInputFile, m_lpOutputFile, NULL)) { continue; }
// Let's do it!! Populate the ModuleInfo object with data!!!!
if (!lpModuleInfo->GetModuleInfo(tszModulePath, false, 0, false)) { // Well, we tried and failed...
continue; }
// We may have the object in the cache... now we need to
// save a pointer to this object in our Process Info list
if (!AddNewModuleInfoObject(lpModuleInfo)) { // Failure adding the node.... This is pretty serious...
continue; } }
fReturn = true; goto cleanup;
error_cleanup:
cleanup:
if (lpImageBaseArray) { delete [] lpImageBaseArray; }
return fReturn;}
|
