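vector<HANDLE_OBJECT>
ObOpenObjectDirectory(
    _In_ ULONG64 InputObject
)
/*++

Routine Description:

    Enumerate the objects linked into an object directory by walking each of
    the HashBuckets chains of nt!_OBJECT_DIRECTORY and reading every chained
    object with ObReadObject().

    All of the chain pointers come from target memory (a live kernel or a dump)
    that a rootkit or corruption can control. Nothing in this function bounded
    the chain walk before, so a chain looped back on itself would keep the
    debugger spinning unless ExtRemoteTypedList itself detects the cycle; the
    walk is now capped per bucket at a value no real directory chain reaches.

Arguments:

    InputObject - Address of the nt!_OBJECT_DIRECTORY to enumerate, or 0 to
                  start from nt!ObpRootDirectoryObject.

Return Value:

    vector<HANDLE_OBJECT> - One entry per object found in the directory's hash
    chains. The directory object itself is not part of the result.

--*/
{
    vector<HANDLE_OBJECT> Handles;
    HANDLE_OBJECT DirectoryHandle = { 0 };
    ExtRemoteTyped Directory;
    ULONG64 ObjectDir = InputObject;

    //
    // nt!_OBJECT_DIRECTORY.HashBuckets is a fixed array of 37 chain heads.
    //
    const UINT BucketCount = 37;

    //
    // Upper bound on entries taken from a single bucket chain; only a cyclic or
    // otherwise corrupted chain ever gets anywhere near it.
    //
    const ULONG MaxEntriesPerBucket = 0x100000;

    if (!ObjectDir) {
        ReadPointer(GetExpression("nt!ObpRootDirectoryObject"), &ObjectDir);
    }

    Directory = ExtRemoteTyped("(nt!_OBJECT_DIRECTORY *)@$extin", ObjectDir);

    //
    // NOTE(review): the directory object is read here but its HANDLE_OBJECT is
    // never returned; the call is kept in case ObReadObject() has side effects
    // that callers rely on - confirm and drop if it has none.
    //
    ObReadObject(ObjectDir, &DirectoryHandle);

    for (UINT BucketIndex = 0; BucketIndex < BucketCount; BucketIndex += 1) {
        //
        // ExtRemoteTypedList requires a POINTER to the first entry (the address
        // of the bucket slot), not the offset of the first entry.
        //
        ULONG64 Entry = Directory.Field("HashBuckets").ArrayElement(BucketIndex).GetPointerTo().GetPtr();
        if (!Entry) continue;

        ExtRemoteTypedList EntryList(Entry, "nt!_OBJECT_DIRECTORY_ENTRY", "ChainLink");
        ULONG Walked = 0;

        for (EntryList.StartHead(); EntryList.HasNode(); EntryList.Next()) {
            HANDLE_OBJECT Handle = { 0 };

            //
            // Stop walking a chain that does not terminate (cycle or corruption).
            //
            if (++Walked > MaxEntriesPerBucket) {
                break;
            }

            ULONG64 Object = EntryList.GetTypedNode().Field("Object").GetPtr();
            ObReadObject(Object, &Handle);
            Handles.push_back(Handle);
        }
    }

    return Handles;
}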
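//
// Validate the DOS and NT headers of a PE image that has been copied into
// Buffer (BufferSize bytes) and return the NT headers as their 32-bit view;
// the caller switches on OptionalHeader.Magic to pick the 32- or 64-bit
// layout. Returns NULL when e_magic, Signature or Magic is wrong, or when any
// header would extend past the end of Buffer, so that an e_lfanew or Magic
// read from (possibly hostile) target memory can never steer a read outside
// the local copy.
//
static
PIMAGE_NT_HEADERS32
PeValidateHeaders(
    _In_ PVOID Buffer,
    _In_ ULONG64 BufferSize
)
{
    PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)Buffer;
    PIMAGE_NT_HEADERS32 NtHeader = NULL;
    ULONG64 NtOffset = 0;
    ULONG64 NtSize = 0;

    if ((Buffer == NULL) || (BufferSize < sizeof(IMAGE_DOS_HEADER))) return NULL;
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE) return NULL;

    //
    // e_lfanew is a signed LONG taken straight from the target; a negative value
    // would otherwise turn into a huge unsigned offset.
    //
    if (DosHeader->e_lfanew < 0) return NULL;
    NtOffset = (ULONG64)(ULONG)DosHeader->e_lfanew;

    //
    // Signature, FileHeader and OptionalHeader.Magic must be inside the buffer
    // before Magic can tell us how large the rest of the header is.
    //
    if ((NtOffset > BufferSize) ||
        ((BufferSize - NtOffset) < (FIELD_OFFSET(IMAGE_NT_HEADERS32, OptionalHeader) + sizeof(WORD)))) {
        return NULL;
    }

    NtHeader = (PIMAGE_NT_HEADERS32)((PUCHAR)Buffer + NtOffset);
    if (NtHeader->Signature != IMAGE_NT_SIGNATURE) return NULL;

    switch (NtHeader->OptionalHeader.Magic)
    {
    case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        NtSize = sizeof(IMAGE_NT_HEADERS32);
        break;
    case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        NtSize = sizeof(IMAGE_NT_HEADERS64);
        break;
    default:
        return NULL;
    }

    if ((BufferSize - NtOffset) < NtSize) return NULL;

    return NtHeader;
}

BOOLEAN
PEFile::InitImage(
)
/*++

Routine Description:

    Copy the PE image at m_ImageBase out of the target into a local buffer and
    publish its parsed headers in m_Image (DOS header, 32- or 64-bit NT headers,
    data directory, section table and NumberOfSections).

    Every offset and count used to carve the copy (e_lfanew, OptionalHeader.Magic,
    SizeOfImage, NumberOfSections) comes from target memory, which a rootkit or a
    corrupted dump can control. Each one is bounds-checked against the local
    buffer before it is dereferenced, so a crafted header cannot make the
    debugger read outside its own heap. Previously e_lfanew was applied
    unchecked to a PAGE_SIZE buffer and to the image copy, the image buffer was
    leaked when its read failed, and a failed parse left the buffer referenced
    from m_Image with Initialized == FALSE.

Arguments:

    None. Reads m_ImageBase and, when non-zero, the caller-provided m_ImageSize;
    otherwise m_ImageSize is taken from OptionalHeader.SizeOfImage found in the
    first page of the image.

Return Value:

    BOOLEAN - TRUE when m_Image is (or already was) initialized. On FALSE no
    buffer is left referenced from m_Image and m_Image.Initialized is FALSE.

--*/
{
    PIMAGE_DOS_HEADER Header = NULL;
    PVOID Image = NULL;
    ULONG BytesRead = 0;
    ULONG64 BaseImageAddress = m_ImageBase;
    PIMAGE_NT_HEADERS32 NtHeader32 = NULL;
    PIMAGE_NT_HEADERS64 NtHeader64 = NULL;
    USHORT NumberOfSections = 0;
    ULONG64 NtOffset = 0;
    ULONG64 SectionTableEnd = 0;
    BOOLEAN Result = FALSE;

    if (m_Image.Initialized) {
        Result = TRUE;
        goto CleanUp;
    }

    if (!m_ImageSize) {
        //
        // Only the first page is needed to learn SizeOfImage.
        //
        Header = (PIMAGE_DOS_HEADER)malloc(PAGE_SIZE);
        if (Header == NULL) goto CleanUp;
        RtlZeroMemory(Header, PAGE_SIZE);

        if (g_Ext->m_Data->ReadVirtual(BaseImageAddress, Header, PAGE_SIZE, &BytesRead) != S_OK) {
#if VERBOSE_MODE
            // PAGE_SIZE is widened so the argument matches the %I64x conversion.
            g_Ext->Dml("Error: Can't read 0x%I64x bytes at %I64x.\n", (ULONG64)PAGE_SIZE, BaseImageAddress);
#endif
            goto CleanUp;
        }

        //
        // The headers are parsed from the local copy only; no second read of the
        // target and no dependency on nt!_IMAGE_DOS_HEADER symbols.
        //
        NtHeader32 = PeValidateHeaders(Header, PAGE_SIZE);
        if (NtHeader32 == NULL) {
#if VERBOSE_MODE
            g_Ext->Dml("Error: Invalid signature.\n");
#endif
            goto CleanUp;
        }

        if (NtHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
            NtHeader64 = (PIMAGE_NT_HEADERS64)NtHeader32;
            NtHeader32 = NULL;
            m_ImageSize = NtHeader64->OptionalHeader.SizeOfImage;
        } else {
            m_ImageSize = NtHeader32->OptionalHeader.SizeOfImage;
        }
    }

    //
    // SizeOfImage (or the caller-supplied size) must be non-zero and must fit
    // the ULONG handed to ReadVirtual below; anything else is rejected rather
    // than silently truncated.
    //
    if ((m_ImageSize == 0) || (m_ImageSize > 0xFFFFFFFFULL)) {
#if VERBOSE_MODE
        g_Ext->Dml("Error: Invalid image size 0x%I64x at %I64x.\n", m_ImageSize, BaseImageAddress);
#endif
        goto CleanUp;
    }

    Image = malloc((size_t)m_ImageSize);
    if (Image == NULL) goto CleanUp;
    RtlZeroMemory(Image, (ULONG)m_ImageSize);

    //
    // BytesRead is not compared with m_ImageSize (it never was): a short read
    // leaves the tail zero-filled, and the header checks below decide whether
    // enough of the image is present to be usable.
    //
    if (ExtRemoteTypedEx::ReadVirtual(BaseImageAddress, Image, (ULONG)m_ImageSize, &BytesRead) != S_OK) {
#if VERBOSE_MODE
        g_Ext->Dml("Error: Can't read 0x%I64x bytes at %I64x.\n", m_ImageSize, BaseImageAddress);
#endif
        goto CleanUp;
    }

    //
    // Re-validate on the full copy: the caller may have supplied m_ImageSize, in
    // which case the first-page parse above never ran.
    //
    NtHeader32 = PeValidateHeaders(Image, m_ImageSize);
    if (NtHeader32 == NULL) {
#if VERBOSE_MODE
        g_Ext->Dml("Error: Invalid signature.\n");
#endif
        goto CleanUp;
    }
    NtOffset = (ULONG64)((PUCHAR)NtHeader32 - (PUCHAR)Image);

    //
    // NOTE(review): the section table is taken to start right after the
    // IMAGE_NT_HEADERS struct (NtHeader + 1), as before. That assumes the
    // standard SizeOfOptionalHeader; IMAGE_FIRST_SECTION would honour a
    // non-standard one.
    //
    if (NtHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
        NtHeader64 = (PIMAGE_NT_HEADERS64)NtHeader32;
        NtHeader32 = NULL;
        NumberOfSections = NtHeader64->FileHeader.NumberOfSections;
        SectionTableEnd = NtOffset + sizeof(IMAGE_NT_HEADERS64);
    } else {
        NtHeader64 = NULL;
        NumberOfSections = NtHeader32->FileHeader.NumberOfSections;
        SectionTableEnd = NtOffset + sizeof(IMAGE_NT_HEADERS32);
    }

    //
    // NumberOfSections comes from the target; every section header that
    // consumers of m_Image.Sections will touch must lie inside the copy.
    //
    SectionTableEnd += (ULONG64)NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (SectionTableEnd > m_ImageSize) {
#if VERBOSE_MODE
        g_Ext->Dml("Error: Section table (%x sections) exceeds image size 0x%I64x.\n", NumberOfSections, m_ImageSize);
#endif
        goto CleanUp;
    }

    //
    // Everything checked out: publish into m_Image. REF_POINTER is the project's
    // pointer-tracking hook (its semantics are not visible here).
    //
    m_Image.Image = (PIMAGE_DOS_HEADER)Image;
    REF_POINTER(m_Image.Image);
    m_Image.NtHeader32 = NtHeader32;
    m_Image.NtHeader64 = NtHeader64;

    if (NtHeader64) {
        m_Image.DataDirectory = (PIMAGE_DATA_DIRECTORY)m_Image.NtHeader64->OptionalHeader.DataDirectory;
        m_Image.Sections = (PIMAGE_SECTION_HEADER)(m_Image.NtHeader64 + 1);
    } else {
        m_Image.DataDirectory = (PIMAGE_DATA_DIRECTORY)m_Image.NtHeader32->OptionalHeader.DataDirectory;
        m_Image.Sections = (PIMAGE_SECTION_HEADER)(m_Image.NtHeader32 + 1);
    }
    m_Image.NumberOfSections = NumberOfSections;

    //
    // Ownership of the buffer now belongs to m_Image; CleanUp must not free it.
    //
    Image = NULL;

#if VERBOSE_MODE
    g_Ext->Dml("m_Image = %p\n"
               "m_NtHeader32 = %p\n"
               "m_DataDirectory = %p\n"
               "m_Sections = %p\n",
               m_Image.Image, m_Image.NtHeader32, m_Image.DataDirectory, m_Image.Sections);
    g_Ext->Dml("m_NumberOfSections = %x\n", m_Image.NumberOfSections);
#endif

    Result = TRUE;

CleanUp:
    if (Header) free(Header);
    //
    // Still non-NULL only on a failure path between malloc() and publication.
    //
    if (Image) free(Image);

    m_Image.Initialized = Result;

    return Result;
}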
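ExtRemoteTyped
GetKeyNode(
    _In_ PWSTR FullKeyPath
)
/*++

Routine Description:

    Resolve a registry key path to its nt!_CM_KEY_NODE by walking down from the
    root key of the master hive (nt!CmpMasterHive / nt!CmpRegistryRootObject),
    matching one path component per level with a case-insensitive compare and
    following link nodes (CM_LINK_NODE_SIGNATURE) into their child hive.

Arguments:

    FullKeyPath - Registry path, split into components by GetKeysNames(). The
                  first component is skipped (presumably the root itself -
                  verify against GetKeysNames()).

Return Value:

    ExtRemoteTyped - The matching nt!_CM_KEY_NODE, or an nt!_CM_KEY_NODE typed
    as NULL when a component is not found or when any target read throws.
    Previously an exception thrown part-way down the path returned whatever
    intermediate node had been reached, so a caller could be handed the wrong
    key; errors now map to the same "not found" sentinel as a missing key.

--*/
{
    //
    // Zero-initialised so a failed ReadPointer() cannot leave garbage addresses
    // to be dereferenced below.
    //
    ULONG64 CmpMasterHive = 0;
    ULONG64 CmpRegistryRootObject = 0;
    ExtRemoteTyped KeyNode;

    try {
        ReadPointer(CmpMasterHiveAddress, &CmpMasterHive);
        ReadPointer(CmpRegistryRootObjectAddress, &CmpRegistryRootObject);

        if (!CmpMasterHive || !CmpRegistryRootObject) {
            KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", NULL);
            return KeyNode;
        }

        ExtRemoteTyped KeyHive("(nt!_HHIVE *)@$extin", CmpMasterHive);
        ExtRemoteTyped KeyBody("(nt!_CM_KEY_BODY *)@$extin", CmpRegistryRootObject);
        ExtRemoteTyped KeyControlBlock("(nt!_CM_KEY_CONTROL_BLOCK *)@$extin",
                                       KeyBody.Field("KeyControlBlock").GetPtr());

        ULONG KeyCell = KeyControlBlock.Field("KeyCell").GetUlong();
        KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", RegGetCellPaged(KeyHive, KeyCell));

        vector<KEY_NAME> KeysNames = GetKeysNames(FullKeyPath);

        for (size_t Level = 1; Level < KeysNames.size(); Level++) {
            BOOL IsFound = FALSE;
            vector<KEY_NODE> SubKeys = GetSubKeys(KeyHive, KeyNode);

            for (size_t Index = 0; Index < SubKeys.size(); Index++) {
                if (0 != _wcsicmp(KeysNames[Level].Name, SubKeys[Index].Name)) {
                    continue;
                }

                KeyNode = SubKeys[Index].KeyNode;

                //
                // A link node points into another hive; continue the walk from
                // the referenced cell of that hive.
                //
                if (KeyNode.Field("Signature").GetUshort() == CM_LINK_NODE_SIGNATURE) {
                    KeyHive = ExtRemoteTyped("(nt!_HHIVE *)@$extin",
                                             KeyNode.Field("ChildHiveReference.KeyHive").GetPtr());
                    KeyCell = KeyNode.Field("ChildHiveReference.KeyCell").GetUlong();
                    KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", RegGetCellPaged(KeyHive, KeyCell));
                }

                IsFound = TRUE;
                break;
            }

            if (!IsFound) {
                KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", NULL);
                break;
            }
        }
    } catch (...) {
        //
        // Any read/symbol failure: report "not found" rather than the last node
        // reached. Building the typed NULL needs symbols too, so fall back to an
        // empty ExtRemoteTyped if even that throws.
        //
        try {
            KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", NULL);
        } catch (...) {
            KeyNode = ExtRemoteTyped();
        }
    }

    return KeyNode;
}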