Merge branch 'master' into gentle-explorer-restart

winsiderss · Dec 10, 2024 · 3b2baa1 · 3b2baa1
2 parents 4d25173 + 0e90663
commit 3b2baa1
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 11 deletions.
diff --git a/SystemInformer/memsrcht.c b/SystemInformer/memsrcht.c
@@ -56,6 +56,8 @@ typedef struct _PH_MEMSTRINGS_CONTEXT
 {
     PPH_PROCESS_ITEM ProcessItem;
     HANDLE ProcessHandle;
+    BOOLEAN UseClone;
+    HANDLE CloneHandle;
 
     HWND WindowHandle;
     HWND TreeNewHandle;
@@ -135,7 +137,8 @@ typedef struct _PH_MEMSTRINGS_SEARCH_CONTEXT
 BOOLEAN PhpShowMemoryStringTreeDialog(
     _In_ HWND ParentWindowHandle,
     _In_ PPH_PROCESS_ITEM ProcessItem,
-    _In_opt_ PPH_LIST PrevNodeList
+    _In_opt_ PPH_LIST PrevNodeList,
+    _In_ BOOLEAN UseClone
     );
 
 VOID PhpShowMemoryEditor(
@@ -152,20 +155,26 @@ NTSTATUS NTAPI PhpMemoryStringSearchTreeNextBuffer(
     )
 {
     NTSTATUS status;
+    HANDLE handle;
     PPH_MEMSTRINGS_SEARCH_CONTEXT context;
 
     assert(Context);
 
     context = Context;
 
+    if (context->TreeContext->UseClone)
+        handle = context->TreeContext->CloneHandle;
+    else
+        handle = context->TreeContext->ProcessHandle;
+
     *Buffer = NULL;
     *Length = 0;
 
     if (context->ReadRemaning)
         goto ReadMemory;
 
     while (NT_SUCCESS(status = NtQueryVirtualMemory(
-        context->TreeContext->ProcessHandle,
+        handle,
         PTR_ADD_OFFSET(context->BasicInfo.BaseAddress, context->BasicInfo.RegionSize),
         MemoryBasicInformation,
         &context->BasicInfo,
@@ -202,8 +211,10 @@ NTSTATUS NTAPI PhpMemoryStringSearchTreeNextBuffer(
             context->CurrentReadAddress = context->NextReadAddress;
             length = min(context->ReadRemaning, context->BufferSize);
 
+            assert(context->Buffer);
+
             if (NT_SUCCESS(status = NtReadVirtualMemory(
-                context->TreeContext->ProcessHandle,
+                handle,
                 context->CurrentReadAddress,
                 context->Buffer,
                 length,
@@ -563,6 +574,13 @@ VOID PhpDeleteMemoryStringsTree(
     }
     Context->StopSearch = FALSE;
 
+    if (Context->CloneHandle)
+    {
+        NtTerminateProcess(Context->CloneHandle, STATUS_PROCESS_CLONED);
+        NtClose(Context->CloneHandle);
+        Context->CloneHandle = NULL;
+    }
+
     PhpAddPendingMemoryStringsNodes(Context);
 
     PhpDeleteMemoryStringsNodeList(Context->NodeList);
@@ -593,6 +611,20 @@ VOID PhpSearchMemoryStrings(
     TreeNew_NodesStructured(Context->TreeNewHandle);
     TreeNew_SetRedraw(Context->TreeNewHandle, TRUE);
 
+    if (Context->UseClone)
+    {
+        NTSTATUS status;
+
+        if (!NT_SUCCESS(status = PhCreateProcessClone(
+            &Context->CloneHandle,
+            Context->ProcessItem->ProcessId
+            )))
+        {
+            PhShowStatus(Context->WindowHandle, L"Unable to clone the process", status, 0);
+            return;
+        }
+    }
+
     Context->State = PH_MEMSEARCH_STATE_SEARCHING;
     EnableWindow(Context->FilterHandle, FALSE);
 
@@ -1434,7 +1466,12 @@ INT_PTR CALLBACK PhpMemoryStringsDlgProc(
 
                     PhpCopyFilteredMemoryStringsNodes(context, &nodeList);
 
-                    if (!PhpShowMemoryStringTreeDialog(hwndDlg, context->ProcessItem, nodeList))
+                    if (!PhpShowMemoryStringTreeDialog(
+                        hwndDlg,
+                        context->ProcessItem,
+                        nodeList,
+                        context->UseClone
+                        ))
                     {
                         PhpDeleteMemoryStringsNodeList(nodeList);
                         PhDereferenceObject(nodeList);
@@ -1518,7 +1555,8 @@ NTSTATUS NTAPI PhpShowMemoryStringDialogThreadStart(
 BOOLEAN PhpShowMemoryStringTreeDialog(
     _In_ HWND ParentWindowHandle,
     _In_ PPH_PROCESS_ITEM ProcessItem,
-    _In_opt_ PPH_LIST PrevNodeList
+    _In_opt_ PPH_LIST PrevNodeList,
+    _In_ BOOLEAN UseClone
     )
 {
     NTSTATUS status;
@@ -1538,6 +1576,7 @@ BOOLEAN PhpShowMemoryStringTreeDialog(
     context = PhAllocateZero(sizeof(PH_MEMSTRINGS_CONTEXT));
     context->ProcessItem = PhReferenceObject(ProcessItem);
     context->ProcessHandle = processHandle;
+    context->UseClone = UseClone;
     context->PrevNodeList = PrevNodeList;
 
     if (!NT_SUCCESS(PhCreateThread2(PhpShowMemoryStringDialogThreadStart, context)))
@@ -1557,5 +1596,10 @@ VOID PhShowMemoryStringTreeDialog(
     _In_ PPH_PROCESS_ITEM ProcessItem
     )
 {
-    PhpShowMemoryStringTreeDialog(ParentWindowHandle, ProcessItem, NULL);
+    PhpShowMemoryStringTreeDialog(
+        ParentWindowHandle,
+        ProcessItem,
+        NULL,
+        ProcessItem->ProcessId == NtCurrentProcessId()
+        );
 }
diff --git a/kphlib/kphdyn.c b/kphlib/kphdyn.c
@@ -79,8 +79,10 @@ CONST BYTE KphDynConfig[] =
     0x79, 0x20, 0x8c, 0xcb, 0xa3, 0xe3, 0x53, 0x4e,
     0x8b, 0x2e, 0xc1, 0x9c, 0x0a, 0x53, 0x1a, 0x14,
     0x65, 0x71, 0xc4, 0x66, 0x4a, 0x82, 0x8a, 0xf3,
-    0x67, 0x50, 0xfa, 0xb7, 0x3a, 0x25, 0x61, 0x2a,
-    0x09, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1a,
+    0x67, 0x50, 0xfa, 0xb7, 0x3a, 0x25, 0x61, 0x3f,
+    0x09, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a,
+    0xd8, 0x3a, 0x55, 0x00, 0x20, 0x84, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1a,
     0x3c, 0x9f, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14,
     0xd1, 0xa9, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00,
@@ -306,6 +308,8 @@ CONST BYTE KphDynConfig[] =
     0x1c, 0x8b, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9,
     0x49, 0xa8, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4e,
+    0x07, 0xcc, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10,
     0x44, 0xcd, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5,
@@ -966,6 +970,8 @@ CONST BYTE KphDynConfig[] =
     0x25, 0x4f, 0x5f, 0x00, 0xc0, 0x8d, 0x00, 0x7c,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x32,
     0x3b, 0x74, 0x5f, 0x00, 0xc0, 0x8d, 0x00, 0x7c,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4,
+    0x8b, 0xb5, 0x5a, 0x00, 0x50, 0x96, 0x00, 0x7c,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x66,
     0x89, 0xcd, 0x5a, 0x00, 0x50, 0x96, 0x00, 0x7c,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48,
@@ -1426,6 +1432,8 @@ CONST BYTE KphDynConfig[] =
     0xa5, 0xf1, 0xe2, 0x00, 0x20, 0xab, 0x00, 0x7e,
     0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27,
     0x43, 0xef, 0xf4, 0x00, 0x20, 0xab, 0x00, 0x7e,
+    0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb0,
+    0x99, 0xaa, 0x4d, 0x00, 0x20, 0xab, 0x00, 0x7e,
     0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcc,
     0x2a, 0x09, 0xfc, 0x00, 0x20, 0xab, 0x00, 0x7e,
     0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09,
@@ -1440,6 +1448,8 @@ CONST BYTE KphDynConfig[] =
     0x15, 0xda, 0x74, 0x00, 0x50, 0xab, 0x00, 0x7e,
     0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59,
     0x76, 0x70, 0x35, 0x00, 0x50, 0xab, 0x00, 0x7e,
+    0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe3,
+    0x27, 0xed, 0x72, 0x00, 0x50, 0xab, 0x00, 0x7e,
     0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e,
     0x3c, 0x1a, 0x57, 0x00, 0x50, 0xab, 0x00, 0x7e,
     0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4d,
@@ -2330,6 +2340,8 @@ CONST BYTE KphDynConfig[] =
     0xbb, 0xfa, 0x1a, 0x00, 0x10, 0x04, 0x01, 0xf2,
     0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd5,
     0x7b, 0xf9, 0x11, 0x00, 0x70, 0x04, 0x01, 0x76,
+    0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x65,
+    0xeb, 0x72, 0x44, 0x00, 0x10, 0x04, 0x01, 0xf2,
     0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xc9,
     0xf1, 0xd3, 0x1e, 0x00, 0x00, 0x11, 0x00, 0xf8,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd3,
@@ -2388,7 +2400,9 @@ CONST BYTE KphDynConfig[] =
     0x44, 0x64, 0x74, 0x00, 0x10, 0x04, 0x01, 0xf2,
     0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x07,
     0xc2, 0x7a, 0x09, 0x00, 0x00, 0x11, 0x00, 0xf8,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd9,
+    0x1a, 0x05, 0xd4, 0x00, 0x70, 0x04, 0x01, 0x76,
+    0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1,
     0x43, 0x6b, 0xdd, 0x00, 0x70, 0x04, 0x01, 0x76,
     0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa4,
     0x7c, 0x02, 0xac, 0x00, 0x70, 0x04, 0x01, 0x76,
@@ -2420,6 +2434,8 @@ CONST BYTE KphDynConfig[] =
     0xd1, 0x0b, 0xa4, 0x00, 0x10, 0x04, 0x01, 0xf2,
     0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49,
     0x6e, 0x41, 0xca, 0x00, 0x70, 0x04, 0x01, 0x76,
+    0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x74,
+    0x4f, 0x66, 0x7a, 0x00, 0x10, 0x04, 0x01, 0xf2,
     0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4,
     0x45, 0xa3, 0x2a, 0x00, 0x70, 0x04, 0x01, 0x76,
     0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd5,
@@ -2788,6 +2804,10 @@ CONST BYTE KphDynConfig[] =
     0x4f, 0x49, 0x95, 0x00, 0x70, 0x04, 0x01, 0x76,
     0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x60,
     0xb7, 0x53, 0x39, 0x00, 0x10, 0x04, 0x01, 0xf2,
+    0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2,
+    0xcd, 0x08, 0x21, 0x00, 0x70, 0x04, 0x01, 0x76,
+    0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbf,
+    0x37, 0x97, 0x92, 0x00, 0x10, 0x04, 0x01, 0xf2,
     0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbf,
     0x92, 0xbb, 0xaf, 0x00, 0x70, 0x04, 0x01, 0x76,
     0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5,
@@ -3026,6 +3046,10 @@ CONST BYTE KphDynConfig[] =
     0x05, 0x8b, 0x11, 0x00, 0xf0, 0x44, 0x01, 0x30,
     0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0a,
     0xfc, 0x72, 0x97, 0x00, 0x90, 0x24, 0x01, 0x6e,
+    0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7b,
+    0x80, 0xec, 0x47, 0x00, 0xf0, 0x44, 0x01, 0x30,
+    0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x41,
+    0x45, 0xdb, 0xbe, 0x00, 0x90, 0x24, 0x01, 0x6e,
     0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63,
     0x7d, 0x94, 0x0f, 0x00, 0xe0, 0x44, 0x01, 0x30,
     0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbc,
@@ -3092,7 +3116,9 @@ CONST BYTE KphDynConfig[] =
     0xbd, 0x7e, 0x11, 0x00, 0xf0, 0x44, 0x01, 0x30,
     0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x07,
     0xbb, 0xf2, 0xed, 0x00, 0x00, 0x11, 0x00, 0xf8,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x85,
+    0x2f, 0x9e, 0x19, 0x00, 0xf0, 0x44, 0x01, 0x30,
+    0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33,
     0x4f, 0x1d, 0x99, 0x00, 0xf0, 0x44, 0x01, 0x30,
     0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3c,
     0xf7, 0x2d, 0xe9, 0x00, 0x90, 0x24, 0x01, 0x6e,
@@ -3146,6 +3172,12 @@ CONST BYTE KphDynConfig[] =
     0x5a, 0x5c, 0x72, 0x00, 0x90, 0x24, 0x01, 0x6e,
     0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x98,
     0x23, 0x45, 0x7f, 0x00, 0x00, 0x11, 0x00, 0xf8,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x01,
+    0x16, 0xca, 0xc1, 0x00, 0xf0, 0x44, 0x01, 0x30,
+    0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5f,
+    0x26, 0xf4, 0x53, 0x00, 0x90, 0x24, 0x01, 0x6e,
+    0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x9e,
+    0xe8, 0x4d, 0x7d, 0x00, 0x00, 0x11, 0x00, 0xf8,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x76,
     0x52, 0xdc, 0x59, 0x00, 0xb0, 0x8c, 0x00, 0xac,
     0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2a,
@@ -4574,6 +4606,8 @@ CONST BYTE KphDynConfig[] =
     0xd0, 0xa7, 0x82, 0x00, 0xd0, 0x03, 0x01, 0x9c,
     0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcb,
     0x2b, 0x4b, 0x46, 0x00, 0xd0, 0x03, 0x01, 0x9c,
+    0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xea,
+    0x2f, 0xea, 0x53, 0x00, 0xd0, 0x03, 0x01, 0x9c,
     0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x03,
     0xc0, 0x9f, 0x43, 0x00, 0xf0, 0x10, 0x00, 0xf8,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52,
@@ -4582,7 +4616,9 @@ CONST BYTE KphDynConfig[] =
     0x09, 0xe8, 0x23, 0x00, 0xd0, 0x03, 0x01, 0x9c,
     0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x23,
     0x2d, 0x80, 0x38, 0x00, 0xf0, 0x10, 0x00, 0xf8,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb7,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x66,
+    0x81, 0xf2, 0xdf, 0x00, 0xd0, 0x03, 0x01, 0x9c,
+    0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb7,
     0x4a, 0xd2, 0xc9, 0x00, 0xd0, 0x03, 0x01, 0x9c,
     0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaa,
     0xb0, 0xa4, 0xdb, 0x00, 0x00, 0x04, 0x01, 0x9c,
@@ -4700,6 +4736,8 @@ CONST BYTE KphDynConfig[] =
     0xdd, 0x91, 0x52, 0x00, 0x90, 0x24, 0x01, 0xda,
     0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x11,
     0x23, 0xb0, 0x83, 0x00, 0x90, 0x24, 0x01, 0xda,
+    0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1f,
+    0x32, 0x57, 0x74, 0x00, 0x90, 0x24, 0x01, 0xda,
     0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9,
     0xa8, 0xa2, 0xce, 0x00, 0x90, 0x24, 0x01, 0xda,
     0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x0f,
@@ -4772,6 +4810,10 @@ CONST BYTE KphDynConfig[] =
     0xaf, 0x30, 0xc6, 0x00, 0x90, 0x24, 0x01, 0xda,
     0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x15,
     0x15, 0xba, 0xc8, 0x00, 0xe0, 0x10, 0x00, 0xf8,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc6,
+    0x93, 0xce, 0x5b, 0x00, 0x90, 0x24, 0x01, 0xda,
+    0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9f,
+    0x7b, 0x3b, 0x84, 0x00, 0xe0, 0x10, 0x00, 0xf8,
     0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x04, 0x20,
     0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14,
     0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00,