processhacker源码分析

preview

1. PhInitializePhLibEx
   PhInitializeWindowsVersion RtlGetVersion
   PhInitializeSystemInformation NtQuerySystemInformation
   PhHeapInitialization RtlCreateHeap RtlSetHeapInformation
   PhQueuedLockInitialization NtCreateKeyedEvent PhQueuedLockSpinCount = 2000
   PhRefInitialization RtlInitializeSListHead PhInitializeFreeList TlsAlloc KUSER_SHARED_DATA 内核共享区域
   PhBaseInitialization

2. NtCreateMutant

3. PhGuiSupportInitialization PhCreateHashtable

4. PhSettingsInitialization PhAddDefaultSettings PhUpdateCachedSettings

5. PeInitializeSettings 初始化参数 appdata中xml配置

6. PvPropInitialization

7. PhTreeNewInitialization

8. PhLoadMappedImageEx PhMapViewOfEntireFile

   #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
   #define IMAGE_ELF_SIGNATURE 0x457f // “\x7fELF”

9. PvPeProperties
   PrivateExtractIconExW 获取图标user32.dll
   PvpLoadDbgHelp InitializeListHead PhInitializeQueuedLock PhInitializeAvlTree
   PhLoadModuleSymbolProvider PhfAcquireFastLockExclusive 锁定pdb
   PvCreatePropContext

processhacker

1. PHP_BASE_THREAD_DBG teb processid threadid

2. PhInitializePhLibEx(同上)

3. PhInitializeDirectoryPolicy GetApplicationDirectory SetCurrentDirectory

4. PhInitializeExceptionPolicy WIN7以上 GetErrorMode RtlSetUnhandledExceptionFilter

5. PhInitializeNamespacePolicy mutex

6. PhInitializeMitigationPolicy //Mitigation：缓解 https://docs.microsoft.com/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10

7. PhInitializeRestartPolicy //vista 因为更新等原因重启后 重新启动计算机应用程序 RegisterApplicationRestart EWX_RESTARTAPPS
   一般方式： WM_QUERYENDSESSION RegisterApplicationRestart 系统重启是用ExitWindowsEx+EWX_RESTARTAPPS 或者InitiateShutdown+SHUTDOWN_RESTARTAPPS

8. PhInitializeAppSystem
   PhProcessProviderInitialization

    PhProcessImageListInitialization
   

   PhServiceProviderInitialization
   PhNetworkProviderInitialization