From 39f77ed2553b147860b627215c7e02b92afe05da Mon Sep 17 00:00:00 2001 From: Johnny Shaw Date: Mon, 9 Dec 2024 19:56:39 -0700 Subject: [PATCH 1/2] kph update dyndata --- kphlib/kphdyn.c | 52 ++++++++++++++++++++++++++++++++++++++++++----- kphlib/kphdyn.xml | 21 +++++++++++++++++++ 2 files changed, 68 insertions(+), 5 deletions(-) diff --git a/kphlib/kphdyn.c b/kphlib/kphdyn.c index 87d50ddb34a1..c34d54998e0f 100644 --- a/kphlib/kphdyn.c +++ b/kphlib/kphdyn.c @@ -79,8 +79,10 @@ CONST BYTE KphDynConfig[] = 0x79, 0x20, 0x8c, 0xcb, 0xa3, 0xe3, 0x53, 0x4e, 0x8b, 0x2e, 0xc1, 0x9c, 0x0a, 0x53, 0x1a, 0x14, 0x65, 0x71, 0xc4, 0x66, 0x4a, 0x82, 0x8a, 0xf3, - 0x67, 0x50, 0xfa, 0xb7, 0x3a, 0x25, 0x61, 0x2a, - 0x09, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1a, + 0x67, 0x50, 0xfa, 0xb7, 0x3a, 0x25, 0x61, 0x3f, + 0x09, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x0a, + 0xd8, 0x3a, 0x55, 0x00, 0x20, 0x84, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x1a, 0x3c, 0x9f, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x14, 0xd1, 0xa9, 0x55, 0x00, 0x20, 0x85, 0x00, 0x00, @@ -306,6 +308,8 @@ CONST BYTE KphDynConfig[] = 0x1c, 0x8b, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa9, 0x49, 0xa8, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4e, + 0x07, 0xcc, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x10, 0x44, 0xcd, 0x56, 0x00, 0xc0, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5, @@ -966,6 +970,8 @@ CONST BYTE KphDynConfig[] = 0x25, 0x4f, 0x5f, 0x00, 0xc0, 0x8d, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x32, 0x3b, 0x74, 0x5f, 0x00, 0xc0, 0x8d, 0x00, 0x7c, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe4, + 0x8b, 0xb5, 0x5a, 0x00, 0x50, 0x96, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x66, 0x89, 0xcd, 0x5a, 0x00, 0x50, 0x96, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x48, 
@@ -1426,6 +1432,8 @@ CONST BYTE KphDynConfig[] = 0xa5, 0xf1, 0xe2, 0x00, 0x20, 0xab, 0x00, 0x7e, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x27, 0x43, 0xef, 0xf4, 0x00, 0x20, 0xab, 0x00, 0x7e, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xb0, + 0x99, 0xaa, 0x4d, 0x00, 0x20, 0xab, 0x00, 0x7e, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xcc, 0x2a, 0x09, 0xfc, 0x00, 0x20, 0xab, 0x00, 0x7e, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x09, @@ -1440,6 +1448,8 @@ CONST BYTE KphDynConfig[] = 0x15, 0xda, 0x74, 0x00, 0x50, 0xab, 0x00, 0x7e, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x59, 0x76, 0x70, 0x35, 0x00, 0x50, 0xab, 0x00, 0x7e, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xe3, + 0x27, 0xed, 0x72, 0x00, 0x50, 0xab, 0x00, 0x7e, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x8e, 0x3c, 0x1a, 0x57, 0x00, 0x50, 0xab, 0x00, 0x7e, 0x01, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x4d, @@ -2330,6 +2340,8 @@ CONST BYTE KphDynConfig[] = 0xbb, 0xfa, 0x1a, 0x00, 0x10, 0x04, 0x01, 0xf2, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd5, 0x7b, 0xf9, 0x11, 0x00, 0x70, 0x04, 0x01, 0x76, + 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x65, + 0xeb, 0x72, 0x44, 0x00, 0x10, 0x04, 0x01, 0xf2, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0xc9, 0xf1, 0xd3, 0x1e, 0x00, 0x00, 0x11, 0x00, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd3, @@ -2388,7 +2400,9 @@ CONST BYTE KphDynConfig[] = 0x44, 0x64, 0x74, 0x00, 0x10, 0x04, 0x01, 0xf2, 0x02, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x07, 0xc2, 0x7a, 0x09, 0x00, 0x00, 0x11, 0x00, 0xf8, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xd9, + 0x1a, 0x05, 0xd4, 0x00, 0x70, 0x04, 0x01, 0x76, + 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa1, 0x43, 0x6b, 0xdd, 0x00, 0x70, 0x04, 0x01, 0x76, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xa4, 0x7c, 0x02, 0xac, 0x00, 0x70, 0x04, 0x01, 0x76, 
@@ -2420,6 +2434,8 @@ CONST BYTE KphDynConfig[] = 0xd1, 0x0b, 0xa4, 0x00, 0x10, 0x04, 0x01, 0xf2, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x49, 0x6e, 0x41, 0xca, 0x00, 0x70, 0x04, 0x01, 0x76, + 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x74, + 0x4f, 0x66, 0x7a, 0x00, 0x10, 0x04, 0x01, 0xf2, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc4, 0x45, 0xa3, 0x2a, 0x00, 0x70, 0x04, 0x01, 0x76, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xd5, @@ -2788,6 +2804,10 @@ CONST BYTE KphDynConfig[] = 0x4f, 0x49, 0x95, 0x00, 0x70, 0x04, 0x01, 0x76, 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x60, 0xb7, 0x53, 0x39, 0x00, 0x10, 0x04, 0x01, 0xf2, + 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xc2, + 0xcd, 0x08, 0x21, 0x00, 0x70, 0x04, 0x01, 0x76, + 0x02, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbf, + 0x37, 0x97, 0x92, 0x00, 0x10, 0x04, 0x01, 0xf2, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xbf, 0x92, 0xbb, 0xaf, 0x00, 0x70, 0x04, 0x01, 0x76, 0x02, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0xf5, @@ -3026,6 +3046,10 @@ CONST BYTE KphDynConfig[] = 0x05, 0x8b, 0x11, 0x00, 0xf0, 0x44, 0x01, 0x30, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x0a, 0xfc, 0x72, 0x97, 0x00, 0x90, 0x24, 0x01, 0x6e, + 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x7b, + 0x80, 0xec, 0x47, 0x00, 0xf0, 0x44, 0x01, 0x30, + 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x41, + 0x45, 0xdb, 0xbe, 0x00, 0x90, 0x24, 0x01, 0x6e, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x63, 0x7d, 0x94, 0x0f, 0x00, 0xe0, 0x44, 0x01, 0x30, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0xbc, 
@@ -3092,7 +3116,9 @@ CONST BYTE KphDynConfig[] = 0xbd, 0x7e, 0x11, 0x00, 0xf0, 0x44, 0x01, 0x30, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x07, 0xbb, 0xf2, 0xed, 0x00, 0x00, 0x11, 0x00, 0xf8, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x85, + 0x2f, 0x9e, 0x19, 0x00, 0xf0, 0x44, 0x01, 0x30, + 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x33, 0x4f, 0x1d, 0x99, 0x00, 0xf0, 0x44, 0x01, 0x30, 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x3c, 0xf7, 0x2d, 0xe9, 0x00, 0x90, 0x24, 0x01, 0x6e, @@ -3146,6 +3172,12 @@ CONST BYTE KphDynConfig[] = 0x5a, 0x5c, 0x72, 0x00, 0x90, 0x24, 0x01, 0x6e, 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x98, 0x23, 0x45, 0x7f, 0x00, 0x00, 0x11, 0x00, 0xf8, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0x86, 0x01, + 0x16, 0xca, 0xc1, 0x00, 0xf0, 0x44, 0x01, 0x30, + 0x03, 0x00, 0x00, 0x01, 0x00, 0x64, 0x86, 0x5f, + 0x26, 0xf4, 0x53, 0x00, 0x90, 0x24, 0x01, 0x6e, + 0x03, 0x00, 0x00, 0x02, 0x00, 0x64, 0x86, 0x9e, + 0xe8, 0x4d, 0x7d, 0x00, 0x00, 0x11, 0x00, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x76, 0x52, 0xdc, 0x59, 0x00, 0xb0, 0x8c, 0x00, 0xac, 0x03, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x2a, @@ -4574,6 +4606,8 @@ CONST BYTE KphDynConfig[] = 0xd0, 0xa7, 0x82, 0x00, 0xd0, 0x03, 0x01, 0x9c, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xcb, 0x2b, 0x4b, 0x46, 0x00, 0xd0, 0x03, 0x01, 0x9c, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xea, + 0x2f, 0xea, 0x53, 0x00, 0xd0, 0x03, 0x01, 0x9c, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x03, 0xc0, 0x9f, 0x43, 0x00, 0xf0, 0x10, 0x00, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x52, 
@@ -4582,7 +4616,9 @@ CONST BYTE KphDynConfig[] = 0x09, 0xe8, 0x23, 0x00, 0xd0, 0x03, 0x01, 0x9c, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x23, 0x2d, 0x80, 0x38, 0x00, 0xf0, 0x10, 0x00, 0xf8, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb7, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x66, + 0x81, 0xf2, 0xdf, 0x00, 0xd0, 0x03, 0x01, 0x9c, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb7, 0x4a, 0xd2, 0xc9, 0x00, 0xd0, 0x03, 0x01, 0x9c, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xaa, 0xb0, 0xa4, 0xdb, 0x00, 0x00, 0x04, 0x01, 0x9c, @@ -4700,6 +4736,8 @@ CONST BYTE KphDynConfig[] = 0xdd, 0x91, 0x52, 0x00, 0x90, 0x24, 0x01, 0xda, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x11, 0x23, 0xb0, 0x83, 0x00, 0x90, 0x24, 0x01, 0xda, + 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0x1f, + 0x32, 0x57, 0x74, 0x00, 0x90, 0x24, 0x01, 0xda, 0x05, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xb9, 0xa8, 0xa2, 0xce, 0x00, 0x90, 0x24, 0x01, 0xda, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x0f, @@ -4772,6 +4810,10 @@ CONST BYTE KphDynConfig[] = 0xaf, 0x30, 0xc6, 0x00, 0x90, 0x24, 0x01, 0xda, 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x15, 0x15, 0xba, 0xc8, 0x00, 0xe0, 0x10, 0x00, 0xf8, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x64, 0xaa, 0xc6, + 0x93, 0xce, 0x5b, 0x00, 0x90, 0x24, 0x01, 0xda, + 0x05, 0x00, 0x00, 0x02, 0x00, 0x64, 0xaa, 0x9f, + 0x7b, 0x3b, 0x84, 0x00, 0xe0, 0x10, 0x00, 0xf8, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x04, 0x20, 0x00, 0x30, 0x00, 0x10, 0x00, 0x28, 0x00, 0x14, 0x00, 0x11, 0x00, 0x10, 0x00, 0x18, 0x00, 0x00, diff --git a/kphlib/kphdyn.xml b/kphlib/kphdyn.xml index 5204a0882396..48f139dcd990 100644 --- a/kphlib/kphdyn.xml +++ b/kphlib/kphdyn.xml @@ -7,6 +7,7 @@ This file is part of System Informer. THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY --> + 1 1 1 1 @@ -120,6 +121,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 1 1 1 + 1 1 1 1 @@ -450,6 +452,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 2 2 2 + 2 2 2 14 
@@ -680,6 +683,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 5 5 5 + 5 5 5 5 @@ -687,6 +691,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 5 5 5 + 5 5 5 5 @@ -1132,6 +1137,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 8 13 8 + 13 14 8 8 @@ -1161,6 +1167,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 8 13 14 + 8 8 8 13 @@ -1177,6 +1184,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 8 13 8 + 13 8 13 8 @@ -1361,6 +1369,8 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 13 8 13 + 8 + 13 8 8 8 @@ -1480,6 +1490,8 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 26 25 26 + 25 + 26 25 26 14 @@ -1513,6 +1525,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 25 25 14 + 25 25 26 14 @@ -1540,6 +1553,9 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 25 26 14 + 25 + 26 + 14 15 15 15 @@ -2254,10 +2270,12 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 22 22 22 + 22 14 22 22 14 + 22 22 22 24 @@ -2317,6 +2335,7 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 14 24 24 + 24 24 14 24 @@ -2353,6 +2372,8 @@ THIS IS AN AUTOGENERATED FILE, DO NOT MODIFY 14 24 14 + 24 + 14
From 0e9066352e1912df21dee5d0e7a95b2311ccfaed Mon Sep 17 00:00:00 2001
From: Johnny Shaw
Date: Mon, 9 Dec 2024 22:30:08 -0700
Subject: [PATCH 2/2] memsrcht use clone for current process
---
 SystemInformer/memsrcht.c | 56 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 6 deletions(-)
diff --git a/SystemInformer/memsrcht.c b/SystemInformer/memsrcht.c
index 3a1d18dbeab2..7f054e20a9ac 100644
--- a/SystemInformer/memsrcht.c
+++ b/SystemInformer/memsrcht.c
@@ -56,6 +56,8 @@ typedef struct _PH_MEMSTRINGS_CONTEXT
 {
 PPH_PROCESS_ITEM ProcessItem;
 HANDLE ProcessHandle;
+ BOOLEAN UseClone;
+ HANDLE CloneHandle;
 HWND WindowHandle;
 HWND TreeNewHandle;
@@ -135,7 +137,8 @@ typedef struct _PH_MEMSTRINGS_SEARCH_CONTEXT
 BOOLEAN PhpShowMemoryStringTreeDialog(
 _In_ HWND ParentWindowHandle,
 _In_ PPH_PROCESS_ITEM ProcessItem,
- _In_opt_ PPH_LIST PrevNodeList
+ _In_opt_ PPH_LIST PrevNodeList,
+ _In_ BOOLEAN UseClone
 );
 VOID PhpShowMemoryEditor(
@@ -152,12 +155,18 @@ NTSTATUS NTAPI PhpMemoryStringSearchTreeNextBuffer(
 )
 {
 NTSTATUS status;
+ HANDLE handle;
 PPH_MEMSTRINGS_SEARCH_CONTEXT context;
 assert(Context);
 context = Context;
+ if (context->TreeContext->UseClone)
+ handle = context->TreeContext->CloneHandle;
+ else
+ handle = context->TreeContext->ProcessHandle;
+
 *Buffer = NULL;
 *Length = 0;
@@ -165,7 +174,7 @@ NTSTATUS NTAPI PhpMemoryStringSearchTreeNextBuffer(
 goto ReadMemory;
 while (NT_SUCCESS(status = NtQueryVirtualMemory(
- context->TreeContext->ProcessHandle,
+ handle,
 PTR_ADD_OFFSET(context->BasicInfo.BaseAddress, context->BasicInfo.RegionSize),
 MemoryBasicInformation,
 &context->BasicInfo,
@@ -202,8 +211,10 @@ NTSTATUS NTAPI PhpMemoryStringSearchTreeNextBuffer(
 context->CurrentReadAddress = context->NextReadAddress;
 length = min(context->ReadRemaning, context->BufferSize);
+ assert(context->Buffer);
+
 if (NT_SUCCESS(status = NtReadVirtualMemory(
- context->TreeContext->ProcessHandle,
+ handle,
 context->CurrentReadAddress,
 context->Buffer,
 length,
@@ -563,6 +574,13 @@ VOID PhpDeleteMemoryStringsTree(
 }
 Context->StopSearch = FALSE;
+ if (Context->CloneHandle)
+ {
+ NtTerminateProcess(Context->CloneHandle, STATUS_PROCESS_CLONED);
+ NtClose(Context->CloneHandle);
+ Context->CloneHandle = NULL;
+ }
+
 PhpAddPendingMemoryStringsNodes(Context);
 PhpDeleteMemoryStringsNodeList(Context->NodeList);
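Review bot: The `assert(context->Buffer);` added ahead of `NtReadVirtualMemory` in PhpMemoryStringSearchTreeNextBuffer only checks anything in builds where assertions are compiled in, so a release build still hands whatever `context->Buffer` holds to the read. Where the buffer is allocated is not visible in this hunk; if it can be NULL at this point, a runtime check such as `if (!context->Buffer) return STATUS_NO_MEMORY;` would fail the search the same way in every build. The function starts and ends outside the hunk, so confirm that an early return does not skip cleanup the caller relies on.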
@@ -593,6 +611,20 @@ VOID PhpSearchMemoryStrings(
 TreeNew_NodesStructured(Context->TreeNewHandle);
 TreeNew_SetRedraw(Context->TreeNewHandle, TRUE);
+ if (Context->UseClone)
+ {
+ NTSTATUS status;
+ if (!NT_SUCCESS(status = PhCreateProcessClone(
+ &Context->CloneHandle,
+ Context->ProcessItem->ProcessId
+ )))
+ {
+ PhShowStatus(Context->WindowHandle, L"Unable to clone the process", status, 0);
+ return;
+ }
+ }
+
 Context->State = PH_MEMSEARCH_STATE_SEARCHING;
 EnableWindow(Context->FilterHandle, FALSE);
@@ -1434,7 +1466,12 @@ INT_PTR CALLBACK PhpMemoryStringsDlgProc(
 PhpCopyFilteredMemoryStringsNodes(context, &nodeList);
- if (!PhpShowMemoryStringTreeDialog(hwndDlg, context->ProcessItem, nodeList))
+ if (!PhpShowMemoryStringTreeDialog(
+ hwndDlg,
+ context->ProcessItem,
+ nodeList,
+ context->UseClone
+ ))
 {
 PhpDeleteMemoryStringsNodeList(nodeList);
 PhDereferenceObject(nodeList);
@@ -1518,7 +1555,8 @@ NTSTATUS NTAPI PhpShowMemoryStringDialogThreadStart(
 BOOLEAN PhpShowMemoryStringTreeDialog(
 _In_ HWND ParentWindowHandle,
 _In_ PPH_PROCESS_ITEM ProcessItem,
- _In_opt_ PPH_LIST PrevNodeList
+ _In_opt_ PPH_LIST PrevNodeList,
+ _In_ BOOLEAN UseClone
 )
 {
 NTSTATUS status;
@@ -1538,6 +1576,7 @@ BOOLEAN PhpShowMemoryStringTreeDialog(
 context = PhAllocateZero(sizeof(PH_MEMSTRINGS_CONTEXT));
 context->ProcessItem = PhReferenceObject(ProcessItem);
 context->ProcessHandle = processHandle;
+ context->UseClone = UseClone;
 context->PrevNodeList = PrevNodeList;
 if (!NT_SUCCESS(PhCreateThread2(PhpShowMemoryStringDialogThreadStart, context)))
@@ -1557,5 +1596,10 @@ VOID PhShowMemoryStringTreeDialog(
 _In_ PPH_PROCESS_ITEM ProcessItem
 )
 {
- PhpShowMemoryStringTreeDialog(ParentWindowHandle, ProcessItem, NULL);
+ PhpShowMemoryStringTreeDialog(
+ ParentWindowHandle,
+ ProcessItem,
+ NULL,
+ ProcessItem->ProcessId == NtCurrentProcessId()
+ );
 }
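Review bot: `PhCreateProcessClone` writes straight into `Context->CloneHandle` in PhpSearchMemoryStrings without checking that the field is empty, so a handle left over from an earlier search would be overwritten and that cloned process would stay alive holding a copy of the process's memory. The only release visible in this patch is the block added to PhpDeleteMemoryStringsTree, and whether that always runs before this point lies outside the hunk. Stating the invariant with `assert(!Context->CloneHandle);` ahead of the call, together with a comment on the `CloneHandle` field naming PhpDeleteMemoryStringsTree as the place the clone is terminated and closed, would make the ownership checkable. The function starts and ends outside the hunk.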
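Review bot: The new fourth argument `ProcessItem->ProcessId == NtCurrentProcessId()` in PhShowMemoryStringTreeDialog carries the whole policy for when a clone is searched instead of the live process, and nothing in the code says why. A one-line comment above the call would help the next reader, for example `// Search a clone when the target is this process, so the scan does not read memory that is changing under it.`; that reason is inferred from the commit subject and should be confirmed by the author. It would also be worth saying in the same comment that the clone is a full copy of this process's address space and lives until the strings tree is deleted. Only the tail of the function is visible in the hunk.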