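BOOLEAN
ObReadObject(
    _In_ ULONG64 Object,
    _Out_ PHANDLE_OBJECT HandleObj
)
/*++

Routine Description:

    Decodes the executive object whose body lives at Object: locates the
    nt!_OBJECT_HEADER that precedes the body, resolves the object's type name
    (through nt!ObTypeIndexTable on headers that carry a TypeIndex, or through
    the header's embedded Type pointer on older layouts) and, for the object
    types handled below, reads the object's name.

    Everything here is read from the target (live kernel or crash dump). A dump
    can be truncated or deliberately corrupted, so every pointer is validated
    before it is dereferenced and every string copied into HandleObj is
    truncated to its destination instead of being trusted to fit.

    NOTE(review): ExtRemoteTyped accesses can throw when the target memory is
    unreadable; this routine does not catch, so the caller is expected to.

Arguments:

    Object - Address of the object body (the address a handle resolves to).

    HandleObj - Receives the decoded object information. It is zeroed on entry,
        so on failure the caller sees an empty record rather than stale values
        left over from a previous call.

Return Value:

    TRUE on success; FALSE if Object, its header or its type could not be read
    or validated.

--*/
{
    WCHAR TypeStr[64] = { 0 };
    LPWSTR ObjName = NULL;
    ULONG BodyOffset = 0;

    if (!HandleObj) return FALSE;

    memset(HandleObj, 0, sizeof(*HandleObj));

    if ((!Object) || (!IsValid(Object))) return FALSE;

    //
    // GetFieldOffset returns 0 on success. The header precedes the body, so a
    // zero offset can only mean the symbol lookup failed; without this check
    // the object body itself would be parsed as its own header.
    //
    if ((GetFieldOffset("nt!_OBJECT_HEADER", "Body", &BodyOffset) != 0) || (BodyOffset == 0)) return FALSE;

    if (!ObTypeInit)
    {
        ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", GetExpression("nt!ObTypeIndexTable"));
        ObTypeInit = TRUE;
    }

    ULONG64 ObjHeaderAddr = Object - BodyOffset;

    if (!IsValid(ObjHeaderAddr)) return FALSE;

    ExtRemoteTyped ObjHeader("(nt!_OBJECT_HEADER *)@$extin", ObjHeaderAddr);
    HandleObj->ObjectPtr = Object;

    if (ObjHeader.HasField("TypeIndex"))
    {
        UCHAR TypeIndex = ObjHeader.Field("TypeIndex").GetUchar();

        //
        // Kernels that export nt!ObHeaderCookie store TypeIndex XOR-encoded with
        // the cookie and with the second byte of the header address. Resolve the
        // symbol once (GetExpression returns 0 when it does not exist) and decode
        // when it is present; older targets index the table directly.
        //
        static BOOLEAN CookieResolved = FALSE;
        static ULONG64 CookieAddr = 0;

        if (!CookieResolved)
        {
            CookieAddr = GetExpression("nt!ObHeaderCookie");
            CookieResolved = TRUE;
        }

        if (CookieAddr)
        {
            UCHAR HeaderCookie = 0;
            ULONG BytesRead = 0;

            if (ReadMemory(CookieAddr, &HeaderCookie, sizeof(HeaderCookie), &BytesRead) && (BytesRead == sizeof(HeaderCookie)))
            {
                TypeIndex = static_cast<UCHAR>(((ObjHeaderAddr >> 8) & 0xff) ^ TypeIndex ^ HeaderCookie);
            }
        }

        HandleObj->ObjectTypeIndex = TypeIndex;

        //
        // Coarse range check carried over from the original (below 2 and at or
        // above 45 are rejected outright). The pointer validity check that follows
        // is what actually keeps a corrupted index from being dereferenced.
        //
        if ((TypeIndex <= 1) || (TypeIndex >= 45)) return FALSE;

        ExtRemoteTyped ObjType = ObjTypeTable.ArrayElement(TypeIndex);
        if (!IsValid(ObjType.GetPtr())) return FALSE;

        ExtRemoteTypedEx::GetUnicodeString(ObjType.Field("Name"), TypeStr, sizeof(TypeStr));
    }
    else
    {
        if (!IsValid(ObjHeader.Field("Type").GetPtr())) return FALSE;

        ExtRemoteTypedEx::GetUnicodeString(ObjHeader.Field("Type").Field("Name"), TypeStr, sizeof(TypeStr));
    }

    //
    // Truncating copy. The type name is target-controlled; wcscpy_s would invoke
    // the invalid-parameter handler (and take the debugger down) on an over-long
    // source, which is exactly what a crafted dump could hand us.
    //
    wcsncpy_s(HandleObj->Type, _countof(HandleObj->Type), TypeStr, _TRUNCATE);

    if (_wcsicmp(TypeStr, L"File") == 0)
    {
        ExtRemoteTyped FileObject("(nt!_FILE_OBJECT *)@$extin", HandleObj->ObjectPtr);
        ObjName = ExtRemoteTypedEx::GetUnicodeString2(FileObject.Field("FileName"));
    }
    else if (_wcsicmp(TypeStr, L"Driver") == 0)
    {
        ExtRemoteTyped DrvObject("(nt!_DRIVER_OBJECT *)@$extin", HandleObj->ObjectPtr);
        ObjName = ExtRemoteTypedEx::GetUnicodeString2(DrvObject.Field("DriverName"));
    }
    else if (_wcsicmp(TypeStr, L"Process") == 0)
    {
        // NOTE(review): nt!_EPROCESS.ImageFileName is a fixed-size ANSI array,
        // not a UNICODE_STRING; confirm GetUnicodeString2 handles that layout.
        ExtRemoteTyped ProcessObj("(nt!_EPROCESS *)@$extin", HandleObj->ObjectPtr);
        ObjName = ExtRemoteTypedEx::GetUnicodeString2(ProcessObj.Field("ImageFileName"));
    }
    else if ((_wcsicmp(TypeStr, L"ALPC Port") == 0) ||
             (_wcsicmp(TypeStr, L"EtwRegistration") == 0) ||
             (_wcsicmp(TypeStr, L"Thread") == 0) ||
             (_wcsicmp(TypeStr, L"Event") == 0))
    {
        //
        // Not decoded yet: nt!_ALPC_PORT, the ETW registration entry, nt!_ETHREAD
        // and nt!_KEVENT respectively. Kept as explicit no-ops so these types do
        // not fall into the generic name-info path below.
        //
    }
    else if (_wcsicmp(TypeStr, L"Key") == 0)
    {
        // nt!_CM_KEY_BODY -> nt!_CM_KEY_CONTROL_BLOCK; the KCB is what carries the name.
        ExtRemoteTyped KeyObject("(nt!_CM_KEY_BODY *)@$extin", HandleObj->ObjectPtr);
        HandleObj->ObjectKcb = KeyObject.Field("KeyControlBlock").GetPtr();

        if (IsValid(HandleObj->ObjectKcb))
        {
            ObjName = RegGetKeyName(KeyObject.Field("KeyControlBlock"));
        }
    }
    else
    {
        //
        // Generic path: the optional NAME_INFO header sits in front of the object
        // header. Newer headers describe the optional headers through InfoMask;
        // older ones store the offset directly in NameInfoOffset.
        //
        ULONG NameInfoOffset = 0;

        if (ObjHeader.HasField("InfoMask"))
        {
            UCHAR InfoMask = ObjHeader.Field("InfoMask").GetUchar();

            if (InfoMask & OBP_NAME_INFO_BIT)
            {
                if (InfoMask & OBP_CREATOR_INFO_BIT) NameInfoOffset += GetTypeSize("nt!_OBJECT_HEADER_CREATOR_INFO");
                NameInfoOffset += GetTypeSize("nt!_OBJECT_HEADER_NAME_INFO");
            }
        }
        else
        {
            NameInfoOffset = ObjHeader.Field("NameInfoOffset").GetUchar();
        }

        if (NameInfoOffset && IsValid(ObjHeaderAddr - NameInfoOffset))
        {
            ExtRemoteTyped ObjNameInfo("(nt!_OBJECT_HEADER_NAME_INFO *)@$extin", ObjHeaderAddr - NameInfoOffset);
            ObjName = ExtRemoteTypedEx::GetUnicodeString2(ObjNameInfo.Field("Name"));
        }
    }

    if (ObjName)
    {
        // Same truncating copy as for Type: file paths and key names can be long.
        wcsncpy_s(HandleObj->Name, _countof(HandleObj->Name), ObjName, _TRUNCATE);
        free(ObjName);
        ObjName = NULL;
    }

    return TRUE;
}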
BOOLEAN
ObReadObject(
    _In_ ULONG64 Object,
    _Out_ PHANDLE_OBJECT HandleObj
)
/*++

Routine Description:

    Description.

Arguments:

    Object - 
    HandleObj - 

Return Value:

    BOOLEAN.

--*/
{
    BOOLEAN Result = FALSE;
    PWSTR ObjectName = NULL;
    WCHAR TypeStr[64] = {0};
    ULONG BodyOffset = 0;

    GetFieldOffset("nt!_OBJECT_HEADER", "Body", &BodyOffset);

    try {

        ZeroMemory(HandleObj, sizeof(HANDLE_OBJECT));

        if ((!Object) || (!IsValid(Object))) return FALSE;

        if (!ObTypeInit)
        {
            ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", ObTypeIndexTableAddress);
            ObTypeInit = TRUE;
        }

        ULONG64 ObjHeaderAddr = Object - BodyOffset;

        if (!IsValid(ObjHeaderAddr)) return FALSE;

        ExtRemoteTyped ObjHeader("(nt!_OBJECT_HEADER *)@$extin", ObjHeaderAddr);
        HandleObj->ObjectPtr = Object; // ObjHeader.Field("Body").GetPointerTo().GetPtr();

        if (ObjHeader.HasField("TypeIndex"))
        {
            BYTE HeaderCookie;

            HandleObj->ObjectTypeIndex = ObjHeader.Field("TypeIndex").GetUchar();

            if (g_Ext->m_Data->ReadVirtual(ObHeaderCookieAddress, &HeaderCookie, sizeof(HeaderCookie), NULL) == S_OK) {

                HandleObj->ObjectTypeIndex = (((ObjHeaderAddr >> 8) & 0xff) ^ HandleObj->ObjectTypeIndex) ^ HeaderCookie;
            }

            ExtRemoteTypedEx::GetUnicodeString(ObjTypeTable.ArrayElement(HandleObj->ObjectTypeIndex).Field("Name"), TypeStr, sizeof(TypeStr));

            StringCchCopyW(HandleObj->Type, _countof(HandleObj->Type), TypeStr);
        }