DotNetTools: Don't query block table entry if version mismatched

dmex · dmex · commit 1c9f65ec6651 · 2016-03-17T17:42:59.000+11:00
diff --git a/plugins/DotNetTools/counters.c b/plugins/DotNetTools/counters.c
@@ -633,13 +633,11 @@ BOOLEAN OpenDotNetPublicControlBlock_V4(
             {
                 PVOID ntdll;
 
-                if (ntdll = PhGetDllHandle(L"ntdll.dll"))
-                {
-                    NtOpenPrivateNamespace_I = PhGetProcedureAddress(ntdll, "NtOpenPrivateNamespace", 0);
-                    RtlCreateBoundaryDescriptor_I = PhGetProcedureAddress(ntdll, "RtlCreateBoundaryDescriptor", 0);
-                    RtlDeleteBoundaryDescriptor_I = PhGetProcedureAddress(ntdll, "RtlDeleteBoundaryDescriptor", 0);
-                    RtlAddSIDToBoundaryDescriptor_I = PhGetProcedureAddress(ntdll, "RtlAddSIDToBoundaryDescriptor", 0);
-                }
+                ntdll = PhGetDllHandle(L"ntdll.dll");
+                NtOpenPrivateNamespace_I = PhGetProcedureAddress(ntdll, "NtOpenPrivateNamespace", 0);
+                RtlCreateBoundaryDescriptor_I = PhGetProcedureAddress(ntdll, "RtlCreateBoundaryDescriptor", 0);
+                RtlDeleteBoundaryDescriptor_I = PhGetProcedureAddress(ntdll, "RtlDeleteBoundaryDescriptor", 0);
+                RtlAddSIDToBoundaryDescriptor_I = PhGetProcedureAddress(ntdll, "RtlAddSIDToBoundaryDescriptor", 0);
 
                 PhEndInitOnce(&initOnce);
             }
@@ -863,8 +861,7 @@ PPH_LIST QueryDotNetAppDomainsForPid_V2(
             AppDomainEnumerationIPCBlock_Wow64* appDomainEnumBlock;
 
             legacyPrivateBlock = (LegacyPrivateIPCControlBlock_Wow64*)ipcControlBlockTable;
-            appDomainEnumBlock = GetLegacyBlockTableEntry(TRUE, ipcControlBlockTable, eLegacyPrivateIPC_AppDomain);
-
+            
             // NOTE: .NET 2.0 processes do not have the IPC_FLAG_INITIALIZED flag.
 
             // Check the IPCControlBlock version is valid.
@@ -873,6 +870,12 @@ PPH_LIST QueryDotNetAppDomainsForPid_V2(
                 __leave;
             }
 
+            appDomainEnumBlock = GetLegacyBlockTableEntry(
+                Wow64,
+                ipcControlBlockTable,
+                eLegacyPrivateIPC_AppDomain
+                );
+
             appDomainsList = EnumAppDomainIpcBlockWow64(
                 ProcessHandle, 
                 appDomainEnumBlock
@@ -884,8 +887,7 @@ PPH_LIST QueryDotNetAppDomainsForPid_V2(
             AppDomainEnumerationIPCBlock* appDomainEnumBlock;
 
             legacyPrivateBlock = (LegacyPrivateIPCControlBlock*)ipcControlBlockTable;
-            appDomainEnumBlock = GetLegacyBlockTableEntry(FALSE, ipcControlBlockTable, eLegacyPrivateIPC_AppDomain);
-
+            
             // NOTE: .NET 2.0 processes do not have the IPC_FLAG_INITIALIZED flag.
 
             // Check the IPCControlBlock version is valid.
@@ -894,6 +896,12 @@ PPH_LIST QueryDotNetAppDomainsForPid_V2(
                 __leave;
             }
 
+            appDomainEnumBlock = GetLegacyBlockTableEntry(
+                Wow64,
+                ipcControlBlockTable, 
+                eLegacyPrivateIPC_AppDomain
+                );
+
             appDomainsList = EnumAppDomainIpcBlock(
                 ProcessHandle, 
                 appDomainEnumBlock
