/*
 * Resolve the name of the file object that @handle refers to in the process
 * currently running on info->vcpu.
 *
 * Returns the name as a heap buffer the caller owns and must free: it is the
 * `contents` buffer of the unicode_string_t produced by drakvuf_read_unicode(),
 * detached from its wrapper before the wrapper is released.  Returns NULL when
 * the current process, the object behind the handle, or the name string cannot
 * be resolved.
 */
char* win_get_filename_from_handle(drakvuf_t drakvuf, drakvuf_trap_info_t* info, addr_t handle)
{
    char* name = NULL;
    addr_t proc = drakvuf_get_current_process(drakvuf, info->vcpu);

    if (proc)
    {
        addr_t object = drakvuf_get_obj_by_handle(drakvuf, proc, handle);
        if (object)
        {
            /* Name string sits at OBJECT_HEADER_BODY + FILEOBJECT_NAME from the object header. */
            addr_t name_va = object + drakvuf->offsets[OBJECT_HEADER_BODY] + drakvuf->offsets[FILEOBJECT_NAME];
            unicode_string_t* ustr = drakvuf_read_unicode(drakvuf, info, name_va);
            if (ustr)
            {
                /* Take ownership of the buffer so freeing the wrapper does not free it as well. */
                name = (char*)ustr->contents;
                ustr->contents = NULL;
                vmi_free_unicode_str(ustr);
            }
        }
    }

    return name;
}
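/*
 * Resolve the name of the file object behind @handle in the trapped process.
 *
 * @param f            plugin instance; supplies the structure offsets used below.
 * @param drakvuf      drakvuf context.
 * @param vmi          libvmi instance used for the raw read of the object's type field.
 * @param info         trap info; the process base address and cr3 come from here.
 * @param handle       handle to resolve in that process' handle table.
 * @param out_file     optional; receives the object body address once the handle resolves.
 * @param out_filetype optional; receives the address of the object's type field.
 * @return the file name, or an empty string when the process is unknown, the handle
 *         does not resolve, the object is not of the expected type, or the name
 *         string cannot be read.
 *
 * Note: out_file/out_filetype are written as soon as the handle resolves, i.e.
 * before the type check, so a caller must not infer a non-empty result from them.
 */
static std::string get_file_name(filedelete* f, drakvuf_t drakvuf, vmi_instance_t vmi, drakvuf_trap_info_t* info, addr_t handle, addr_t* out_file, addr_t* out_filetype)
{
    // TODO: verify that the dtb in the _EPROCESS is the same as the cr3?
    if (!info->proc_data.base_addr)
        return {};

    addr_t obj = drakvuf_get_obj_by_handle(drakvuf, info->proc_data.base_addr, handle);
    if (!obj)
        return {};

    addr_t file = obj + f->offsets[OBJECT_HEADER_BODY];
    addr_t filename = file + f->offsets[FILE_OBJECT_FILENAME];
    addr_t filetype = file + f->offsets[FILE_OBJECT_TYPE];

    if (out_file)
        *out_file = file;
    if (out_filetype)
        *out_filetype = filetype;

    // Zero the whole context so any field this function does not set is not left indeterminate.
    access_context_t ctx = {};
    ctx.translate_mechanism = VMI_TM_PROCESS_DTB;
    ctx.addr = filetype;
    ctx.dtb = info->regs->cr3;

    uint8_t type = 0;
    if (VMI_FAILURE == vmi_read_8(vmi, &ctx, &type))
        return {};

    // Only objects whose type field holds this value are treated as file objects.
    // NOTE(review): presumably the kernel's file-object type index — confirm against the target build.
    constexpr uint8_t expected_file_object_type = 5;
    if (type != expected_file_object_type)
        return {};

    unicode_string_t* filename_us = drakvuf_read_unicode(drakvuf, info, filename);
    if (!filename_us)
        return {};

    // Constructing a std::string from a null pointer is undefined behaviour, so
    // only copy when the converted buffer is actually present.
    std::string ret;
    if (filename_us->contents)
        ret = reinterpret_cast<const char*>(filename_us->contents);
    vmi_free_unicode_str(filename_us);
    return ret;
}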
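/*
 * Read the Flags field of the file object behind @handle in the trapped process.
 *
 * @param drakvuf drakvuf context.
 * @param info    trap info; the process base address and cr3 come from here.
 * @param vmi     libvmi instance used for the raw read.
 * @param f       plugin instance; supplies the structure offsets used below.
 * @param handle  handle to resolve in that process' handle table.
 * @param flags   optional; receives the 32-bit Flags value, only on success.
 * @return true when the process is known, the handle resolved and the read
 *         succeeded; false otherwise.  Failures return early instead of
 *         touching guest memory further, so the trap handler can bail out
 *         cleanly rather than risk crashing the VM.
 */
static bool get_file_object_flags(drakvuf_t drakvuf, drakvuf_trap_info_t* info, vmi_instance_t vmi, filedelete* f, handle_t handle, uint64_t* flags)
{
    // Same guard as get_file_name(): do not look up handles in an unknown process.
    if (!info->proc_data.base_addr)
        return false;

    addr_t obj = drakvuf_get_obj_by_handle(drakvuf, info->proc_data.base_addr, handle);
    if (!obj)
        return false; // Abort this operation rather than crash the VM.

    addr_t file = obj + f->offsets[OBJECT_HEADER_BODY];
    addr_t fileflags = file + f->offsets[FILE_OBJECT_FLAGS];

    // Zero the whole context so any field this function does not set is not left indeterminate.
    access_context_t ctx = {};
    ctx.translate_mechanism = VMI_TM_PROCESS_DTB;
    ctx.addr = fileflags;
    ctx.dtb = info->regs->cr3;

    uint32_t flags_value = 0;
    if (VMI_SUCCESS != vmi_read_32(vmi, &ctx, &flags_value))
        return false;

    if (flags)
        *flags = flags_value;
    return true;
}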