char* win_get_filename_from_handle(drakvuf_t drakvuf, drakvuf_trap_info_t* info, addr_t handle)
{
addr_t process = drakvuf_get_current_process(drakvuf, info->vcpu);
if (!process) return NULL;
addr_t obj = drakvuf_get_obj_by_handle(drakvuf, process, handle);
if (!obj) return NULL;
unicode_string_t* us = drakvuf_read_unicode(drakvuf, info, obj + drakvuf->offsets[OBJECT_HEADER_BODY] + drakvuf->offsets[FILEOBJECT_NAME]);
if (!us) return NULL;
char* filename = (char*)us->contents;
us->contents = NULL;
vmi_free_unicode_str(us);
return filename;
}
static std::string get_file_name(filedelete* f, drakvuf_t drakvuf, vmi_instance_t vmi,
drakvuf_trap_info_t* info,
addr_t handle,
addr_t* out_file, addr_t* out_filetype)
{
// TODO: verify that the dtb in the _EPROCESS is the same as the cr3?
if (!info->proc_data.base_addr)
return {};
addr_t obj = drakvuf_get_obj_by_handle(drakvuf, info->proc_data.base_addr, handle);
if (!obj)
return {};
addr_t file = obj + f->offsets[OBJECT_HEADER_BODY];
addr_t filename = file + f->offsets[FILE_OBJECT_FILENAME];
addr_t filetype = file + f->offsets[FILE_OBJECT_TYPE];
if (out_file)
*out_file = file;
if (out_filetype)
*out_filetype = filetype;
access_context_t ctx;
ctx.translate_mechanism = VMI_TM_PROCESS_DTB;
ctx.addr = filetype;
ctx.dtb = info->regs->cr3;
uint8_t type = 0;
if (VMI_FAILURE == vmi_read_8(vmi, &ctx, &type))
return {};
if (type != 5)
return {};
unicode_string_t* filename_us = drakvuf_read_unicode(drakvuf, info, filename);
if (!filename_us) return {};
std::string ret = {(const char*)filename_us->contents};
vmi_free_unicode_str(filename_us);
return ret;
}
static bool get_file_object_flags(drakvuf_t drakvuf, drakvuf_trap_info_t* info, vmi_instance_t vmi, filedelete* f, handle_t handle, uint64_t* flags)
{
addr_t obj = drakvuf_get_obj_by_handle(drakvuf, info->proc_data.base_addr, handle);
if (!obj)
return false; // Break operatioin to not crash VM
addr_t file = obj + f->offsets[OBJECT_HEADER_BODY];
addr_t fileflags = file + f->offsets[FILE_OBJECT_FLAGS];
access_context_t ctx;
ctx.translate_mechanism = VMI_TM_PROCESS_DTB;
ctx.addr = fileflags;
ctx.dtb = info->regs->cr3;
uint32_t flags_value;
bool success = (VMI_SUCCESS == vmi_read_32(vmi, &ctx, &flags_value));
if (success && flags) *flags = flags_value;
return success;
}
