2016-11-01 03:36:32 -07:00
|
|
|
#pragma once
|
|
|
|
|
|
|
|
#include <winternl.h>
|
|
|
|
|
2016-12-15 19:58:16 -08:00
|
|
|
#define THREAD_STATE_WAITING 5
|
|
|
|
#define THREAD_WAIT_REASON_SUSPENDED 5
|
|
|
|
|
2017-12-12 18:20:56 +01:00
|
|
|
typedef struct _OBS_SYSTEM_PROCESS_INFORMATION2 {
|
2019-06-22 22:13:45 -07:00
|
|
|
ULONG NextEntryOffset;
|
|
|
|
ULONG ThreadCount;
|
|
|
|
BYTE Reserved1[48];
|
|
|
|
PVOID Reserved2[3];
|
|
|
|
HANDLE UniqueProcessId;
|
|
|
|
PVOID Reserved3;
|
|
|
|
ULONG HandleCount;
|
|
|
|
BYTE Reserved4[4];
|
|
|
|
PVOID Reserved5[11];
|
|
|
|
SIZE_T PeakPagefileUsage;
|
|
|
|
SIZE_T PrivatePageCount;
|
|
|
|
LARGE_INTEGER Reserved6[6];
|
2017-12-12 18:20:56 +01:00
|
|
|
} OBS_SYSTEM_PROCESS_INFORMATION2;
|
2016-12-15 19:58:16 -08:00
|
|
|
|
2017-12-12 18:20:56 +01:00
|
|
|
typedef struct _OBS_SYSTEM_THREAD_INFORMATION {
|
2016-12-15 19:58:16 -08:00
|
|
|
FILETIME KernelTime;
|
|
|
|
FILETIME UserTime;
|
|
|
|
FILETIME CreateTime;
|
|
|
|
DWORD WaitTime;
|
|
|
|
PVOID Address;
|
|
|
|
HANDLE UniqueProcessId;
|
|
|
|
HANDLE UniqueThreadId;
|
|
|
|
DWORD Priority;
|
|
|
|
DWORD BasePriority;
|
|
|
|
DWORD ContextSwitches;
|
|
|
|
DWORD ThreadState;
|
|
|
|
DWORD WaitReason;
|
|
|
|
DWORD Reserved1;
|
2017-12-12 18:20:56 +01:00
|
|
|
} OBS_SYSTEM_THREAD_INFORMATION;
|
2016-12-15 19:58:16 -08:00
|
|
|
|
2016-11-01 03:36:32 -07:00
|
|
|
#ifndef NT_SUCCESS
|
|
|
|
#define NT_SUCCESS(status) ((NTSTATUS)(status) >= 0)
|
|
|
|
#endif
|
|
|
|
|
2019-06-22 22:13:45 -07:00
|
|
|
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
|
2016-12-15 19:58:16 -08:00
|
|
|
|
2019-06-22 22:13:45 -07:00
|
|
|
#define init_named_attribs(o, name) \
|
|
|
|
do { \
|
|
|
|
(o)->Length = sizeof(*(o)); \
|
|
|
|
(o)->ObjectName = name; \
|
|
|
|
(o)->RootDirectory = NULL; \
|
|
|
|
(o)->Attributes = 0; \
|
|
|
|
(o)->SecurityDescriptor = NULL; \
|
2016-11-01 03:36:32 -07:00
|
|
|
(o)->SecurityQualityOfService = NULL; \
|
|
|
|
} while (false)
|
|
|
|
|
2019-06-22 22:13:45 -07:00
|
|
|
typedef void(WINAPI *RTLINITUNICODESTRINGFUNC)(PCUNICODE_STRING pstr,
|
|
|
|
const wchar_t *lpstrName);
|
|
|
|
typedef NTSTATUS(WINAPI *NTOPENFUNC)(PHANDLE phandle, ACCESS_MASK access,
|
|
|
|
POBJECT_ATTRIBUTES objattr);
|
|
|
|
typedef ULONG(WINAPI *RTLNTSTATUSTODOSERRORFUNC)(NTSTATUS status);
|
|
|
|
typedef NTSTATUS(WINAPI *NTQUERYSYSTEMINFORMATIONFUNC)(SYSTEM_INFORMATION_CLASS,
|
|
|
|
PVOID, ULONG, PULONG);
|
2016-11-01 03:36:32 -07:00
|
|
|
|
|
|
|
static FARPROC get_nt_func(const char *name)
|
|
|
|
{
|
|
|
|
static bool initialized = false;
|
|
|
|
static HANDLE ntdll = NULL;
|
|
|
|
if (!initialized) {
|
|
|
|
ntdll = GetModuleHandleW(L"ntdll");
|
|
|
|
initialized = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return GetProcAddress(ntdll, name);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void nt_set_last_error(NTSTATUS status)
|
|
|
|
{
|
|
|
|
static bool initialized = false;
|
|
|
|
static RTLNTSTATUSTODOSERRORFUNC func = NULL;
|
|
|
|
|
|
|
|
if (!initialized) {
|
|
|
|
func = (RTLNTSTATUSTODOSERRORFUNC)get_nt_func(
|
2019-06-22 22:13:45 -07:00
|
|
|
"RtlNtStatusToDosError");
|
2016-11-01 03:36:32 -07:00
|
|
|
initialized = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (func)
|
|
|
|
SetLastError(func(status));
|
|
|
|
}
|
|
|
|
|
|
|
|
static void rtl_init_str(UNICODE_STRING *unistr, const wchar_t *str)
|
|
|
|
{
|
|
|
|
static bool initialized = false;
|
|
|
|
static RTLINITUNICODESTRINGFUNC func = NULL;
|
|
|
|
|
|
|
|
if (!initialized) {
|
|
|
|
func = (RTLINITUNICODESTRINGFUNC)get_nt_func(
|
2019-06-22 22:13:45 -07:00
|
|
|
"RtlInitUnicodeString");
|
2016-11-01 03:36:32 -07:00
|
|
|
initialized = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (func)
|
|
|
|
func(unistr, str);
|
|
|
|
}
|
|
|
|
|
2016-12-15 19:58:16 -08:00
|
|
|
static NTSTATUS nt_query_information(SYSTEM_INFORMATION_CLASS info_class,
|
2019-06-22 22:13:45 -07:00
|
|
|
PVOID info, ULONG info_len, PULONG ret_len)
|
2016-12-15 19:58:16 -08:00
|
|
|
{
|
|
|
|
static bool initialized = false;
|
|
|
|
static NTQUERYSYSTEMINFORMATIONFUNC func = NULL;
|
|
|
|
|
|
|
|
if (!initialized) {
|
|
|
|
func = (NTQUERYSYSTEMINFORMATIONFUNC)get_nt_func(
|
2019-06-22 22:13:45 -07:00
|
|
|
"NtQuerySystemInformation");
|
2016-12-15 19:58:16 -08:00
|
|
|
initialized = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (func)
|
|
|
|
return func(info_class, info, info_len, ret_len);
|
|
|
|
return (NTSTATUS)-1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool thread_is_suspended(DWORD process_id, DWORD thread_id)
|
|
|
|
{
|
|
|
|
ULONG size = 4096;
|
|
|
|
bool suspended = false;
|
|
|
|
void *data = malloc(size);
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
NTSTATUS stat = nt_query_information(SystemProcessInformation,
|
2019-06-22 22:13:45 -07:00
|
|
|
data, size, &size);
|
2016-12-15 19:58:16 -08:00
|
|
|
if (NT_SUCCESS(stat))
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (stat != STATUS_INFO_LENGTH_MISMATCH) {
|
|
|
|
goto fail;
|
|
|
|
}
|
|
|
|
|
|
|
|
free(data);
|
|
|
|
size += 1024;
|
|
|
|
data = malloc(size);
|
|
|
|
}
|
|
|
|
|
2017-12-12 18:20:56 +01:00
|
|
|
OBS_SYSTEM_PROCESS_INFORMATION2 *spi = data;
|
2016-12-15 19:58:16 -08:00
|
|
|
|
|
|
|
for (;;) {
|
2018-03-12 16:16:38 -07:00
|
|
|
if (spi->UniqueProcessId == (HANDLE)(DWORD_PTR)process_id) {
|
2016-12-15 19:58:16 -08:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
ULONG offset = spi->NextEntryOffset;
|
|
|
|
if (!offset)
|
|
|
|
goto fail;
|
|
|
|
|
2019-06-22 22:13:45 -07:00
|
|
|
spi = (OBS_SYSTEM_PROCESS_INFORMATION2 *)((BYTE *)spi + offset);
|
2016-12-15 19:58:16 -08:00
|
|
|
}
|
|
|
|
|
2017-12-12 18:20:56 +01:00
|
|
|
OBS_SYSTEM_THREAD_INFORMATION *sti;
|
|
|
|
OBS_SYSTEM_THREAD_INFORMATION *info = NULL;
|
2019-06-22 22:13:45 -07:00
|
|
|
sti = (OBS_SYSTEM_THREAD_INFORMATION *)((BYTE *)spi + sizeof(*spi));
|
2016-12-15 19:58:16 -08:00
|
|
|
|
|
|
|
for (ULONG i = 0; i < spi->ThreadCount; i++) {
|
2018-03-12 16:16:38 -07:00
|
|
|
if (sti[i].UniqueThreadId == (HANDLE)(DWORD_PTR)thread_id) {
|
2016-12-15 19:58:16 -08:00
|
|
|
info = &sti[i];
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (info) {
|
|
|
|
suspended = info->ThreadState == THREAD_STATE_WAITING &&
|
2019-06-22 22:13:45 -07:00
|
|
|
info->WaitReason == THREAD_WAIT_REASON_SUSPENDED;
|
2016-12-15 19:58:16 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
fail:
|
|
|
|
free(data);
|
|
|
|
return suspended;
|
|
|
|
}
|
|
|
|
|
2019-06-22 22:13:45 -07:00
|
|
|
#define MAKE_NT_OPEN_FUNC(func_name, nt_name, access) \
|
|
|
|
static HANDLE func_name(const wchar_t *name) \
|
|
|
|
{ \
|
|
|
|
static bool initialized = false; \
|
|
|
|
static NTOPENFUNC open = NULL; \
|
|
|
|
HANDLE handle; \
|
|
|
|
NTSTATUS status; \
|
|
|
|
UNICODE_STRING unistr; \
|
|
|
|
OBJECT_ATTRIBUTES attr; \
|
|
|
|
\
|
|
|
|
if (!initialized) { \
|
|
|
|
open = (NTOPENFUNC)get_nt_func(#nt_name); \
|
|
|
|
initialized = true; \
|
|
|
|
} \
|
|
|
|
\
|
|
|
|
if (!open) \
|
|
|
|
return NULL; \
|
|
|
|
\
|
|
|
|
rtl_init_str(&unistr, name); \
|
|
|
|
init_named_attribs(&attr, &unistr); \
|
|
|
|
\
|
|
|
|
status = open(&handle, access, &attr); \
|
|
|
|
if (NT_SUCCESS(status)) \
|
|
|
|
return handle; \
|
|
|
|
nt_set_last_error(status); \
|
|
|
|
return NULL; \
|
|
|
|
}
|
2016-11-01 03:36:32 -07:00
|
|
|
|
|
|
|
MAKE_NT_OPEN_FUNC(nt_open_mutex, NtOpenMutant, SYNCHRONIZE)
|
|
|
|
MAKE_NT_OPEN_FUNC(nt_open_event, NtOpenEvent, EVENT_MODIFY_STATE | SYNCHRONIZE)
|
|
|
|
MAKE_NT_OPEN_FUNC(nt_open_map, NtOpenSection, FILE_MAP_READ | FILE_MAP_WRITE)
|