mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
575 lines
13 KiB
575 lines
13 KiB
/*++
|
|
|
|
Copyright (c) 1999-2002 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
nt4.c
|
|
|
|
Abstract:
|
|
|
|
NT 4 specific routines.
|
|
|
|
The following routine are exported from this file:
|
|
|
|
o Nt4OpenThread
|
|
|
|
o Nt4GetProcessInfo
|
|
|
|
o Nt4EnumProcessModules
|
|
|
|
o Nt4GetModuleFileNameExW
|
|
|
|
Author:
|
|
|
|
Matthew D Hendel (math) 10-Sept-1999
|
|
|
|
Revision History:
|
|
|
|
|
|
Environment:
|
|
|
|
NT 4.0 only.
|
|
|
|
--*/
|
|
|
|
#include "pch.h"
|
|
|
|
#include "ntx.h"
|
|
#include "nt4.h"
|
|
#include "nt4p.h"
|
|
#include "impl.h"
|
|
|
|
BOOL
|
|
WINAPI
|
|
Nt4EnumProcessModules(
|
|
HANDLE hProcess,
|
|
HMODULE *lphModule,
|
|
DWORD cb,
|
|
LPDWORD lpcbNeeded
|
|
);
|
|
|
|
|
|
HANDLE
|
|
WINAPI
|
|
Nt4OpenThread(
|
|
DWORD dwDesiredAccess,
|
|
BOOL bInheritHandle,
|
|
DWORD dwThreadId
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
NT4_OBJECT_ATTRIBUTES Obja;
|
|
HANDLE Handle;
|
|
NT4_CLIENT_ID ClientId;
|
|
|
|
ClientId.UniqueThread = (HANDLE)LongToHandle(dwThreadId);
|
|
ClientId.UniqueProcess = (HANDLE)NULL;
|
|
|
|
Nt4InitializeObjectAttributes(
|
|
&Obja,
|
|
NULL,
|
|
(bInheritHandle ? NT4_OBJ_INHERIT : 0),
|
|
NULL,
|
|
NULL
|
|
);
|
|
|
|
Status = NtOpenThread(
|
|
&Handle,
|
|
(ACCESS_MASK)dwDesiredAccess,
|
|
(POBJECT_ATTRIBUTES)&Obja,
|
|
(PCLIENT_ID)&ClientId
|
|
);
|
|
if ( NT_SUCCESS(Status) ) {
|
|
return Handle;
|
|
}
|
|
else {
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
|
|
BOOL
|
|
Nt4GetProcessInfo(
|
|
IN HANDLE hProcess,
|
|
IN ULONG ProcessId,
|
|
IN ULONG DumpType,
|
|
IN MINIDUMP_CALLBACK_ROUTINE CallbackRoutine,
|
|
IN PVOID CallbackParam,
|
|
OUT PINTERNAL_PROCESS * ProcessRet
|
|
)
|
|
{
|
|
BOOL Succ;
|
|
ULONG i;
|
|
NTSTATUS Status;
|
|
ULONG BufferSize;
|
|
LPVOID Buffer;
|
|
PNT4_SYSTEM_PROCESS_INFORMATION ProcessInfo;
|
|
PNT4_SYSTEM_THREAD_INFORMATION ThreadInfo;
|
|
PINTERNAL_THREAD Thread;
|
|
PINTERNAL_MODULE Module;
|
|
PINTERNAL_PROCESS Process;
|
|
HMODULE Modules [ 512 ];
|
|
ULONG ModulesSize;
|
|
ULONG NumberOfModules;
|
|
ULONG_PTR Next;
|
|
|
|
|
|
BufferSize = 64 * KBYTE;
|
|
Buffer = NULL;
|
|
|
|
do {
|
|
|
|
if (Buffer) {
|
|
FreeMemory (Buffer);
|
|
}
|
|
Buffer = AllocMemory ( BufferSize );
|
|
|
|
if ( Buffer == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
Status = NtQuerySystemInformation (
|
|
Nt4SystemProcessInformation,
|
|
Buffer,
|
|
BufferSize,
|
|
NULL
|
|
);
|
|
|
|
if (!NT_SUCCESS (Status) && Status != STATUS_INFO_LENGTH_MISMATCH) {
|
|
GenAccumulateStatus(MDSTATUS_CALL_FAILED);
|
|
return FALSE;
|
|
}
|
|
|
|
BufferSize += (8 * KBYTE);
|
|
|
|
} while (Status == STATUS_INFO_LENGTH_MISMATCH);
|
|
|
|
//
|
|
// Find the correct process in the process list.
|
|
//
|
|
|
|
ProcessInfo = (PNT4_SYSTEM_PROCESS_INFORMATION) Buffer;
|
|
|
|
while (ProcessInfo->NextEntryOffset &&
|
|
ProcessInfo->UniqueProcessId != (HANDLE) ProcessId) {
|
|
|
|
Next = ((ULONG_PTR)ProcessInfo + ProcessInfo->NextEntryOffset);
|
|
ProcessInfo = (PNT4_SYSTEM_PROCESS_INFORMATION) Next;
|
|
}
|
|
|
|
//
|
|
// Could not find a matching process in the process list.
|
|
//
|
|
|
|
if (ProcessInfo->UniqueProcessId != (HANDLE) ProcessId) {
|
|
Succ = FALSE;
|
|
GenAccumulateStatus(MDSTATUS_INTERNAL_ERROR);
|
|
goto Exit;
|
|
}
|
|
|
|
//
|
|
// Create an INTERNAL_PROCESS object and copy the process information
|
|
// into it.
|
|
//
|
|
|
|
Process = GenAllocateProcessObject ( hProcess, ProcessId );
|
|
|
|
if ( Process == NULL ) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Walk the thread list for this process, copying thread information
|
|
// for each thread. Walking the thread list also suspends all the threads
|
|
// in the process. This should be done before walking the module list
|
|
// to minimize the number of race conditions.
|
|
//
|
|
|
|
ThreadInfo = (PNT4_SYSTEM_THREAD_INFORMATION)(ProcessInfo + 1);
|
|
Process->NumberOfThreads = 0;
|
|
|
|
for (i = 0; i < ProcessInfo->NumberOfThreads; i++) {
|
|
|
|
ULONG WriteFlags;
|
|
|
|
if (!GenExecuteIncludeThreadCallback(hProcess,
|
|
ProcessId,
|
|
DumpType,
|
|
(ULONG)ThreadInfo->ClientId.UniqueThread,
|
|
CallbackRoutine,
|
|
CallbackParam,
|
|
&WriteFlags) ||
|
|
IsFlagClear(WriteFlags, ThreadWriteThread)) {
|
|
ThreadInfo++;
|
|
continue;
|
|
}
|
|
|
|
Status = GenAllocateThreadObject (
|
|
Process,
|
|
hProcess,
|
|
(ULONG) ThreadInfo->ClientId.UniqueThread,
|
|
DumpType,
|
|
WriteFlags,
|
|
&Thread
|
|
);
|
|
if (FAILED(Status)) {
|
|
Succ = FALSE;
|
|
goto Exit;
|
|
}
|
|
|
|
// If Status is S_FALSE it means that the thread
|
|
// couldn't be opened and probably exited before
|
|
// we got to it. Just continue on.
|
|
if (Status == S_OK) {
|
|
InsertTailList (&Process->ThreadList, &Thread->ThreadsLink);
|
|
Process->NumberOfThreads++;
|
|
}
|
|
|
|
ThreadInfo++;
|
|
}
|
|
|
|
|
|
//
|
|
// Get the module information. Use PSAPI since it actually works.
|
|
//
|
|
|
|
ModulesSize = 0;
|
|
Succ = Nt4EnumProcessModules (
|
|
Process->ProcessHandle,
|
|
Modules,
|
|
sizeof (Modules),
|
|
&ModulesSize
|
|
);
|
|
|
|
if ( !Succ ) {
|
|
GenAccumulateStatus(MDSTATUS_CALL_FAILED);
|
|
goto Exit;
|
|
}
|
|
|
|
NumberOfModules = ModulesSize / sizeof (HMODULE);
|
|
for (i = 0; i < NumberOfModules; i++) {
|
|
ULONG WriteFlags;
|
|
|
|
if (!GenExecuteIncludeModuleCallback(hProcess,
|
|
ProcessId,
|
|
DumpType,
|
|
(LONG_PTR)Modules[i],
|
|
CallbackRoutine,
|
|
CallbackParam,
|
|
&WriteFlags) ||
|
|
IsFlagClear(WriteFlags, ModuleWriteModule)) {
|
|
continue;
|
|
}
|
|
|
|
Module = NtxAllocateModuleObject (
|
|
Process,
|
|
Process->ProcessHandle,
|
|
(LONG_PTR) Modules [ i ],
|
|
DumpType,
|
|
WriteFlags,
|
|
NULL
|
|
);
|
|
|
|
if ( Module == NULL ) {
|
|
Succ = FALSE;
|
|
goto Exit;
|
|
}
|
|
|
|
InsertTailList (&Process->ModuleList, &Module->ModulesLink);
|
|
}
|
|
|
|
Process->NumberOfModules = NumberOfModules;
|
|
|
|
Succ = TRUE;
|
|
|
|
Exit:
|
|
|
|
if ( Buffer ) {
|
|
FreeMemory ( Buffer );
|
|
Buffer = NULL;
|
|
}
|
|
|
|
if ( !Succ && Process != NULL ) {
|
|
GenFreeProcessObject ( Process );
|
|
Process = NULL;
|
|
}
|
|
|
|
*ProcessRet = Process;
|
|
|
|
return Succ;
|
|
}
|
|
|
|
|
|
//
|
|
// From PSAPI
|
|
//
|
|
|
|
BOOL
|
|
Nt4FindModule(
|
|
IN HANDLE hProcess,
|
|
IN HMODULE hModule,
|
|
OUT PNT4_LDR_DATA_TABLE_ENTRY LdrEntryData
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function retrieves the loader table entry for the specified
|
|
module. The function copies the entry into the buffer pointed to
|
|
by the LdrEntryData parameter.
|
|
|
|
Arguments:
|
|
|
|
hProcess - Supplies the target process.
|
|
|
|
hModule - Identifies the module whose loader entry is being
|
|
requested. A value of NULL references the module handle
|
|
associated with the image file that was used to create the
|
|
process.
|
|
|
|
LdrEntryData - Returns the requested table entry.
|
|
|
|
Return Value:
|
|
|
|
TRUE if a matching entry was found.
|
|
|
|
--*/
|
|
|
|
{
|
|
NT4_PROCESS_BASIC_INFORMATION BasicInfo;
|
|
NTSTATUS Status;
|
|
PNT4_PEB Peb;
|
|
PNT4_PEB_LDR_DATA Ldr;
|
|
PLIST_ENTRY LdrHead;
|
|
PLIST_ENTRY LdrNext;
|
|
|
|
Status = NtQueryInformationProcess(
|
|
hProcess,
|
|
Nt4ProcessBasicInformation,
|
|
&BasicInfo,
|
|
sizeof(BasicInfo),
|
|
NULL
|
|
);
|
|
|
|
if ( !NT_SUCCESS(Status) ) {
|
|
return(FALSE);
|
|
}
|
|
|
|
Peb = BasicInfo.PebBaseAddress;
|
|
|
|
|
|
if ( hModule == NULL ) {
|
|
if (!ReadProcessMemory(hProcess, &Peb->ImageBaseAddress, &hModule, sizeof(hModule), NULL)) {
|
|
return(FALSE);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Ldr = Peb->Ldr
|
|
//
|
|
|
|
if (!ReadProcessMemory(hProcess, &Peb->Ldr, &Ldr, sizeof(Ldr), NULL)) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (!Ldr) {
|
|
// Ldr might be null (for instance, if the process hasn't started yet).
|
|
SetLastError(ERROR_INVALID_HANDLE);
|
|
return (FALSE);
|
|
}
|
|
|
|
|
|
LdrHead = &Ldr->InMemoryOrderModuleList;
|
|
|
|
//
|
|
// LdrNext = Head->Flink;
|
|
//
|
|
|
|
if (!ReadProcessMemory(hProcess, &LdrHead->Flink, &LdrNext, sizeof(LdrNext), NULL)) {
|
|
return(FALSE);
|
|
}
|
|
|
|
while (LdrNext != LdrHead) {
|
|
|
|
PNT4_LDR_DATA_TABLE_ENTRY LdrEntry;
|
|
|
|
LdrEntry = CONTAINING_RECORD(
|
|
LdrNext,
|
|
NT4_LDR_DATA_TABLE_ENTRY,
|
|
InMemoryOrderLinks);
|
|
|
|
if (!ReadProcessMemory(hProcess, LdrEntry, LdrEntryData, sizeof(*LdrEntryData), NULL)) {
|
|
return(FALSE);
|
|
}
|
|
|
|
if ((HMODULE) LdrEntryData->DllBase == hModule) {
|
|
return(TRUE);
|
|
}
|
|
|
|
LdrNext = LdrEntryData->InMemoryOrderLinks.Flink;
|
|
}
|
|
|
|
SetLastError(ERROR_INVALID_HANDLE);
|
|
return(FALSE);
|
|
}
|
|
|
|
|
|
BOOL
|
|
WINAPI
|
|
Nt4EnumProcessModules(
|
|
HANDLE hProcess,
|
|
HMODULE *lphModule,
|
|
DWORD cb,
|
|
LPDWORD lpcbNeeded
|
|
)
|
|
{
|
|
NT4_PROCESS_BASIC_INFORMATION BasicInfo;
|
|
NTSTATUS Status;
|
|
PNT4_PEB Peb;
|
|
PNT4_PEB_LDR_DATA Ldr;
|
|
PLIST_ENTRY LdrHead;
|
|
PLIST_ENTRY LdrNext;
|
|
DWORD chMax;
|
|
DWORD ch;
|
|
|
|
Status = NtQueryInformationProcess(
|
|
hProcess,
|
|
Nt4ProcessBasicInformation,
|
|
&BasicInfo,
|
|
sizeof(BasicInfo),
|
|
NULL
|
|
);
|
|
|
|
if ( !NT_SUCCESS(Status) ) {
|
|
return(FALSE);
|
|
}
|
|
|
|
Peb = BasicInfo.PebBaseAddress;
|
|
|
|
//
|
|
// Ldr = Peb->Ldr
|
|
//
|
|
|
|
if (!ReadProcessMemory(hProcess, &Peb->Ldr, &Ldr, sizeof(Ldr), NULL)) {
|
|
return(FALSE);
|
|
}
|
|
|
|
LdrHead = &Ldr->InMemoryOrderModuleList;
|
|
|
|
//
|
|
// LdrNext = Head->Flink;
|
|
//
|
|
|
|
if (!ReadProcessMemory(hProcess, &LdrHead->Flink, &LdrNext, sizeof(LdrNext), NULL)) {
|
|
return(FALSE);
|
|
}
|
|
|
|
chMax = cb / sizeof(HMODULE);
|
|
ch = 0;
|
|
|
|
while (LdrNext != LdrHead) {
|
|
PNT4_LDR_DATA_TABLE_ENTRY LdrEntry;
|
|
NT4_LDR_DATA_TABLE_ENTRY LdrEntryData;
|
|
|
|
LdrEntry = CONTAINING_RECORD(
|
|
LdrNext,
|
|
NT4_LDR_DATA_TABLE_ENTRY,
|
|
InMemoryOrderLinks);
|
|
|
|
if (!ReadProcessMemory(hProcess, LdrEntry, &LdrEntryData, sizeof(LdrEntryData), NULL)) {
|
|
return(FALSE);
|
|
}
|
|
|
|
if (ch < chMax) {
|
|
try {
|
|
lphModule[ch] = (HMODULE) LdrEntryData.DllBase;
|
|
}
|
|
except (EXCEPTION_EXECUTE_HANDLER) {
|
|
return(FALSE);
|
|
}
|
|
}
|
|
|
|
ch++;
|
|
|
|
LdrNext = LdrEntryData.InMemoryOrderLinks.Flink;
|
|
}
|
|
|
|
try {
|
|
*lpcbNeeded = ch * sizeof(HMODULE);
|
|
}
|
|
except (EXCEPTION_EXECUTE_HANDLER) {
|
|
return(FALSE);
|
|
}
|
|
|
|
return(TRUE);
|
|
}
|
|
|
|
|
|
DWORD
|
|
WINAPI
|
|
Nt4GetModuleFileNameExW(
|
|
HANDLE hProcess,
|
|
HMODULE hModule,
|
|
LPWSTR lpFilename,
|
|
DWORD nSize
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function retrieves the full pathname of the executable file
|
|
from which the specified module was loaded. The function copies the
|
|
null-terminated filename into the buffer pointed to by the
|
|
lpFilename parameter.
|
|
|
|
Routine Description:
|
|
|
|
hModule - Identifies the module whose executable file name is being
|
|
requested. A value of NULL references the module handle
|
|
associated with the image file that was used to create the
|
|
process.
|
|
|
|
lpFilename - Points to the buffer that is to receive the filename.
|
|
|
|
nSize - Specifies the maximum number of characters to copy. If the
|
|
filename is longer than the maximum number of characters
|
|
specified by the nSize parameter, it is truncated.
|
|
|
|
Return Value:
|
|
|
|
The return value specifies the actual length of the string copied to
|
|
the buffer. A return value of zero indicates an error and extended
|
|
error status is available using the GetLastError function.
|
|
|
|
Arguments:
|
|
|
|
--*/
|
|
|
|
{
|
|
NT4_LDR_DATA_TABLE_ENTRY LdrEntryData;
|
|
DWORD cb;
|
|
|
|
if (!Nt4FindModule(hProcess, hModule, &LdrEntryData)) {
|
|
return(0);
|
|
}
|
|
|
|
nSize *= sizeof(WCHAR);
|
|
|
|
cb = LdrEntryData.FullDllName.MaximumLength;
|
|
if ( nSize < cb ) {
|
|
cb = nSize;
|
|
}
|
|
|
|
if (!ReadProcessMemory(hProcess, LdrEntryData.FullDllName.Buffer, lpFilename, cb, NULL)) {
|
|
return(0);
|
|
}
|
|
|
|
if (cb == LdrEntryData.FullDllName.MaximumLength) {
|
|
cb -= sizeof(WCHAR);
|
|
}
|
|
|
|
return(cb / sizeof(WCHAR));
|
|
}
|