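/*
* exceptShowException
*
* Purpose:
*
* Output exception information to the user.
*
* Builds a message holding the faulting instruction address and, for an
* access violation, the access kind and the target address. It then asks
* exceptWriteDump for a minidump and, on success, names the dump file in
* the message before showing it in a message box.
*
* ExceptionPointers - exception record/context pair, dereferenced without
*                     a NULL check, so the caller must pass a valid pointer.
*
*/
VOID exceptShowException(
    EXCEPTION_POINTERS *ExceptionPointers
)
{
    WCHAR szMessage[MAX_PATH * 2];
    ULONGLONG IdFile;

    RtlSecureZeroMemory(&szMessage, sizeof(szMessage));
    _strcpy(szMessage, L"Sorry, exception occurred at address: \n0x");

    u64tohex((ULONG_PTR)ExceptionPointers->ExceptionRecord->ExceptionAddress, _strend(szMessage));

    if (ExceptionPointers->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
        //
        // ExceptionInformation[0] is the access kind, [1] is the target address.
        // Every kind appends a label so the second hex value never runs
        // straight into the first one.
        //
        switch (ExceptionPointers->ExceptionRecord->ExceptionInformation[0]) {
        case 0:
            _strcat(szMessage, L"\n\nAttempt to read at address: \n0x");
            break;
        case 1:
            _strcat(szMessage, L"\n\nAttempt to write at address: \n0x");
            break;
        case 8:
            // Execute fault (user-mode DEP violation).
            _strcat(szMessage, L"\n\nAttempt to execute at address: \n0x");
            break;
        default:
            _strcat(szMessage, L"\n\nAccess violation at address: \n0x");
            break;
        }
        u64tohex(ExceptionPointers->ExceptionRecord->ExceptionInformation[1], _strend(szMessage));
    }

    // The tick count doubles as the dump file id shown to the user.
    IdFile = GetTickCount64();

    // NOTE(review): dump content depends on exceptWriteDump (not shown here);
    // a minidump may include process memory, so the file should be handled
    // as sensitive when it is attached to a report.
    if (exceptWriteDump(ExceptionPointers, IdFile)) {
        _strcat(szMessage, L"\n\nMinidump wobjex");
        u64tostr(IdFile, _strend(szMessage));
        _strcat(szMessage, L".dmp is in %TEMP% directory");
    }
    _strcat(szMessage, L"\n\nPlease report this to the developers, thanks");
    MessageBox(GetForegroundWindow(), szMessage, NULL, MB_ICONERROR);
}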
/*
* propBasicQueryDesktop
*
* Purpose:
*
* Set information values for Desktop object type
*
* Support is very limited because of win32k type origin.
*
* When the helper device (g_kdctx.hDevice) is open, the object header and its
* quota info are read through kdReadSystemMemory and shown with
* propSetBasicInfoEx. Otherwise only the object and header addresses are
* shown and the remaining fields come from propSetDefaultInfo.
*
*/
VOID propBasicQueryDesktop(
    _In_ PROP_OBJECT_INFO *Context,
    _In_ HWND hwndDlg
)
{
    BOOL        fHeaderRead = FALSE;
    HANDLE      hDesktop = NULL;
    ULONG_PTR   ObjAddr = 0, HdrAddr, QuotaAddr;
    WCHAR       szText[MAX_PATH + 1];
    OBJINFO     Info;

    if (Context == NULL)
        return;

    //
    // Open Desktop object.
    //
    // Restriction:
    // This will open only current winsta desktops
    //
    if (!propOpenCurrentObject(Context, &hDesktop, DESKTOP_READOBJECTS))
        return;

    if (supQueryObjectFromHandle(hDesktop, &ObjAddr, NULL)) {

        HdrAddr = (ULONG_PTR)OBJECT_TO_OBJECT_HEADER(ObjAddr);

        // Driver path: only taken when the helper device handle is open.
        if (g_kdctx.hDevice != NULL) {

            RtlSecureZeroMemory(&Info, sizeof(Info));
            Info.HeaderAddress = HdrAddr;
            Info.ObjectAddress = ObjAddr;

            // Read the object header itself.
            fHeaderRead = kdReadSystemMemory(
                HdrAddr,
                &Info.ObjectHeader,
                sizeof(OBJECT_HEADER));

            if (fHeaderRead) {

                // Read the optional quota header. If this read fails the
                // quota fields keep the zeroes written above.
                QuotaAddr = 0;
                if (ObHeaderToNameInfoAddress(
                    Info.ObjectHeader.InfoMask,
                    HdrAddr,
                    &QuotaAddr,
                    HeaderQuotaInfoFlag))
                {
                    kdReadSystemMemory(
                        QuotaAddr,
                        &Info.ObjectQuotaHeader,
                        sizeof(OBJECT_HEADER_QUOTA_INFO));
                }
                propSetBasicInfoEx(hwndDlg, &Info);
            }
        }

        // Header could not be read: show the two addresses we do have.
        if (!fHeaderRead) {

            // Object address
            RtlSecureZeroMemory(&szText, sizeof(szText));
            szText[0] = L'0';
            szText[1] = L'x';
            u64tohex(ObjAddr, &szText[2]);
            SetDlgItemText(hwndDlg, ID_OBJECT_ADDR, szText);

            // Header address
            RtlSecureZeroMemory(&szText, sizeof(szText));
            szText[0] = L'0';
            szText[1] = L'x';
            u64tohex(HdrAddr, &szText[2]);
            SetDlgItemText(hwndDlg, ID_OBJECT_HEADER, szText);
        }
    }

    //
    // Query object basic and type info if needed.
    //
    if (!fHeaderRead) {
        propSetDefaultInfo(Context, hwndDlg, hDesktop);
    }

    CloseDesktop(hDesktop);
}
/*
* propSetBasicInfoEx
*
* Purpose:
*
* Set information values received with kldbgdrv help
*
* Fills the address, reference/handle count and pool charge controls of the
* dialog from InfoObject, then rebuilds the flags combo box from the bits
* set in ObjectHeader.Flags. Does nothing when InfoObject is NULL.
*
*/
VOID propSetBasicInfoEx(
    _In_ HWND hwndDlg,
    _In_ POBJINFO InfoObject
)
{
    INT     bit;
    BOOL    fAnyFlag;
    HWND    hwndFlags;
    WCHAR   szText[MAX_PATH];

    if (InfoObject == NULL) {
        return;
    }

    // Object address, shown as 0x-prefixed hex.
    RtlSecureZeroMemory(szText, sizeof(szText));
    szText[0] = L'0';
    szText[1] = L'x';
    u64tohex(InfoObject->ObjectAddress, &szText[2]);
    SetDlgItemText(hwndDlg, ID_OBJECT_ADDR, szText);

    // Header address, shown as 0x-prefixed hex.
    RtlSecureZeroMemory(szText, sizeof(szText));
    szText[0] = L'0';
    szText[1] = L'x';
    u64tohex(InfoObject->HeaderAddress, &szText[2]);
    SetDlgItemText(hwndDlg, ID_OBJECT_HEADER, szText);

    // Reference (pointer) count.
    RtlSecureZeroMemory(szText, sizeof(szText));
    ultostr(InfoObject->ObjectHeader.PointerCount, _strend(szText));
    SetDlgItemText(hwndDlg, ID_OBJECT_REFC, szText);

    // Handle count.
    RtlSecureZeroMemory(szText, sizeof(szText));
    ultostr(InfoObject->ObjectHeader.HandleCount, _strend(szText));
    SetDlgItemText(hwndDlg, ID_OBJECT_HANDLES, szText);

    // Non-paged pool charge.
    RtlSecureZeroMemory(szText, sizeof(szText));
    ultostr(InfoObject->ObjectQuotaHeader.NonPagedPoolCharge, szText);
    SetDlgItemText(hwndDlg, ID_OBJECT_NP_CHARGE, szText);

    // Paged pool charge.
    RtlSecureZeroMemory(szText, sizeof(szText));
    ultostr(InfoObject->ObjectQuotaHeader.PagedPoolCharge, _strend(szText));
    SetDlgItemText(hwndDlg, ID_OBJECT_PP_CHARGE, szText);

    // Attributes: one combo box entry per set flag bit.
    hwndFlags = GetDlgItem(hwndDlg, IDC_OBJECT_FLAGS);
    if (hwndFlags == NULL) {
        return;
    }

    fAnyFlag = (InfoObject->ObjectHeader.Flags > 0);

    EnableWindow(hwndFlags, fAnyFlag);
    SendMessage(hwndFlags, CB_RESETCONTENT, (WPARAM)0, (LPARAM)0);

    if (fAnyFlag) {
        // Assumes T_ObjectFlags has at least 8 entries - TODO confirm.
        for (bit = 0; bit < 8; bit++) {
            if (GET_BIT(InfoObject->ObjectHeader.Flags, bit)) {
                SendMessage(hwndFlags, CB_ADDSTRING, (WPARAM)0, (LPARAM)T_ObjectFlags[bit]);
            }
        }
        SendMessage(hwndFlags, CB_SETCURSEL, (WPARAM)0, (LPARAM)0);
    }
}
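/*
* SdtListTable
*
* Purpose:
*
* KiServiceTable query and list routine.
*
* On first use the routine builds g_SdtTable: it dumps the service table
* through supDumpSyscallTableConverted, walks the ntdll export names and,
* for every export whose name starts with "Nt", reads a service id from the
* export body and stores name, id and table address. Every call then adds
* one list view row per entry (id, name, address, owning module).
*
* A build that does not complete (failed step or exception) is rolled back,
* so the next call retries instead of reusing a partly filled table.
* All heap blocks owned by this call are released on every exit path.
*
*/
VOID SdtListTable(
    VOID
)
{
    BOOL                    cond = FALSE;
    BOOL                    bBuildPending = FALSE;
    PUTable                 Dump = NULL;
    PRTL_PROCESS_MODULES    pModules = NULL;
    PVOID                   Module = NULL;
    PIMAGE_EXPORT_DIRECTORY pexp = NULL;
    PIMAGE_NT_HEADERS       NtHeaders = NULL;
    DWORD                   ETableVA;
    PDWORD                  names, functions;
    PWORD                   ordinals;
    LVITEM                  lvitem;
    WCHAR                   szBuffer[MAX_PATH + 1];
    char                   *name;
    void                   *addr;
    ULONG                   number, i;
    INT                     index;

    __try {

        // Single-pass block: "break" leaves it and goes to the cleanup below.
        do {
            pModules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
            if (pModules == NULL)
                break;

            //if table empty, dump and prepare table
            if (g_SdtTable == NULL) {

                if (g_NtdllModule == NULL) {
                    Module = GetModuleHandle(TEXT("ntdll.dll"));
                }
                else {
                    Module = g_NtdllModule;
                }

                if (Module == NULL)
                    break;

                g_SdtTable = (PSERVICETABLEENTRY)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                    sizeof(SERVICETABLEENTRY) * g_kdctx.KiServiceLimit);

                if (g_SdtTable == NULL)
                    break;

                // From here until the walk finishes the table is incomplete.
                bBuildPending = TRUE;
                g_cSdtTable = 0;

                if (!supDumpSyscallTableConverted(&g_kdctx, &Dump))
                    break;

                NtHeaders = RtlImageNtHeader(Module);
                if (NtHeaders == NULL)
                    break;

                ETableVA = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
                if (ETableVA == 0)
                    break; // no export directory to walk

                pexp = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)Module + ETableVA);
                names = (PDWORD)((PBYTE)Module + pexp->AddressOfNames);
                functions = (PDWORD)((PBYTE)Module + pexp->AddressOfFunctions);
                ordinals = (PWORD)((PBYTE)Module + pexp->AddressOfNameOrdinals);

                //walk for Nt stubs
                for (i = 0; i < pexp->NumberOfNames; i++) {

                    name = ((CHAR *)Module + names[i]);
                    addr = (PVOID *)((CHAR *)Module + functions[ordinals[i]]);

                    // Name must start with "Nt" ('tN' is the little-endian pair).
                    if (*(USHORT*)name != 'tN')
                        continue;

                    // NOTE(review): the id is read at offset 4 of the export
                    // body, which presumably matches the x64 stub layout. The
                    // bytes are not checked against a stub pattern, so a
                    // patched stub or a non-stub "Nt*" export yields an
                    // arbitrary value here - confirm.
                    number = *(ULONG*)((UCHAR*)addr + 4);
                    if (number >= g_kdctx.KiServiceLimit)
                        continue;

                    // The table has KiServiceLimit slots, but nothing ties the
                    // number of accepted exports to that limit. Stop before
                    // writing past the allocation.
                    if (g_cSdtTable >= g_kdctx.KiServiceLimit)
                        break;

                    // Assumes Name holds at least MAX_PATH WCHARs - TODO
                    // confirm against SERVICETABLEENTRY.
                    MultiByteToWideChar(CP_ACP, 0, name, (INT)_strlen_a(name),
                        g_SdtTable[g_cSdtTable].Name, MAX_PATH);

                    g_SdtTable[g_cSdtTable].ServiceId = number;
                    g_SdtTable[g_cSdtTable].Address = Dump[number];
                    g_cSdtTable++;
                }//for

                // Table is complete; Dump is released by the common cleanup.
                bBuildPending = FALSE;
            }

            //list table
            for (i = 0; i < g_cSdtTable; i++) {

                //ServiceId
                RtlSecureZeroMemory(&lvitem, sizeof(lvitem));
                lvitem.mask = LVIF_TEXT | LVIF_IMAGE;
                lvitem.iSubItem = 0;
                lvitem.iItem = MAXINT;
                lvitem.iImage = TYPE_DEVICE; //imagelist id
                RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
                ultostr(g_SdtTable[i].ServiceId, szBuffer);
                lvitem.pszText = szBuffer;
                index = ListView_InsertItem(SdtDlgContext.ListView, &lvitem);

                //Name
                lvitem.mask = LVIF_TEXT;
                lvitem.iSubItem = 1;
                lvitem.pszText = (LPWSTR)g_SdtTable[i].Name;
                lvitem.iItem = index;
                ListView_SetItem(SdtDlgContext.ListView, &lvitem);

                //Address
                lvitem.iSubItem = 2;
                RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
                szBuffer[0] = L'0';
                szBuffer[1] = L'x';
                u64tohex(g_SdtTable[i].Address, &szBuffer[2]);
                lvitem.pszText = szBuffer;
                lvitem.iItem = index;
                ListView_SetItem(SdtDlgContext.ListView, &lvitem);

                //Module
                lvitem.iSubItem = 3;
                RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));

                number = supFindModuleEntryByAddress(pModules, (PVOID)g_SdtTable[i].Address);
                if (number == (ULONG)-1) {
                    // The address is outside every module in the list.
                    _strcpy(szBuffer, TEXT("Unknown Module"));
                }
                else {
                    // The buffer was zeroed and holds MAX_PATH + 1 chars, so the
                    // converted text stays terminated.
                    MultiByteToWideChar(CP_ACP, 0,
                        (LPCSTR)&pModules->Modules[number].FullPathName,
                        (INT)_strlen_a((char*)pModules->Modules[number].FullPathName),
                        szBuffer,
                        MAX_PATH);
                }

                lvitem.pszText = szBuffer;
                lvitem.iItem = index;
                ListView_SetItem(SdtDlgContext.ListView, &lvitem);
            }

        } while (cond);

    }
    __except (exceptFilter(GetExceptionCode(), GetExceptionInformation())) {
        // Fall through: the cleanup below must also run after an exception.
    }

    // Incomplete build: drop the table so the next call starts over.
    if (bBuildPending) {
        HeapFree(GetProcessHeap(), 0, g_SdtTable);
        g_SdtTable = NULL;
        g_cSdtTable = 0;
    }

    if (pModules) {
        HeapFree(GetProcessHeap(), 0, pModules);
    }

    if (Dump) {
        HeapFree(GetProcessHeap(), 0, Dump);
    }
}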