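/*
 * Walks every object type registered in the ObpTypeDirectoryObject hash
 * table and prints, per type: its name, its object callbacks (walked only
 * on Vista and later) and the populated slots of its type-procedure table.
 *
 * outBuffer: kiwi output buffer written through kprintf.
 * Returns STATUS_SUCCESS, or the first failing status from the directory
 * lookup, kprintf or kkll_m_modules_fromAddr; the scan stops at that error.
 * ObpTypeDirectoryObject and pObpTypeDirectoryObjectOffsets are globals
 * declared elsewhere; they are resolved by kkll_m_notify_search the first
 * time this runs and reused afterwards.
 *
 * Offsets into the type object (pObpTypeDirectoryObjectOffsets):
 *   off1 - UNICODE_STRING type name (printed with %wZ)
 *   off2 - first of the 8 type-procedure pointer slots, named by procCallToName
 *   off3 - list head of the object callback list (CallbackList)
 */
NTSTATUS kkll_m_notify_list_object(PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_SUCCESS;
	POBJECT_DIRECTORY_ENTRY pEntry;
	ULONG_PTR pType;
	POBJECT_CALLBACK_ENTRY pCallbackEntry, pCallbackListHead;
	ULONG i, j;
	PVOID miniProc;

	if(!ObpTypeDirectoryObject)
		status = kkll_m_notify_search(ObjectReferences, ARRAYSIZE(ObjectReferences), (PUCHAR *) &ObpTypeDirectoryObject, NULL, &pObpTypeDirectoryObjectOffsets);

	/* Lookup failure leaves the pointer NULL, so nothing below runs and the error is returned. */
	if(ObpTypeDirectoryObject)
	{
		for(i = 0; NT_SUCCESS(status) && (i < OBJECT_HASH_TABLE_SIZE); i++)
		{
			for(pEntry = (*ObpTypeDirectoryObject)->HashBuckets[i]; NT_SUCCESS(status) && pEntry; pEntry = pEntry->ChainLink)
			{
				if((pType = (ULONG_PTR) pEntry->Object) != 0)
				{
					status = kprintf(outBuffer, L"\n * %wZ\n", pType + pObpTypeDirectoryObjectOffsets->off1);
					if(KiwiOsIndex >= KiwiOsIndex_VISTA)
					{
						/* Circular list: iteration ends when the link returns to the head. */
						pCallbackListHead = (POBJECT_CALLBACK_ENTRY) (pType + pObpTypeDirectoryObjectOffsets->off3);
						for(pCallbackEntry = *(POBJECT_CALLBACK_ENTRY *) pCallbackListHead; NT_SUCCESS(status) && (pCallbackEntry != pCallbackListHead); pCallbackEntry = (POBJECT_CALLBACK_ENTRY) pCallbackEntry->CallbackList.Flink)
						{
							if(pCallbackEntry->PreOperation || pCallbackEntry->PostOperation)
							{
								status = kprintf(outBuffer, L"\t* Callback [type %u]\n", pCallbackEntry->Operations);
								if(NT_SUCCESS(status) && pCallbackEntry->PreOperation)
								{
									status = kprintf(outBuffer, L"\t\tPreOperation  : ");
									if(NT_SUCCESS(status))
										status = kkll_m_modules_fromAddr(outBuffer, pCallbackEntry->PreOperation);
								}
								if(NT_SUCCESS(status) && pCallbackEntry->PostOperation)
								{
									/* Label fixed: this line reports the PostOperation routine. */
									status = kprintf(outBuffer, L"\t\tPostOperation : ");
									if(NT_SUCCESS(status))
										status = kkll_m_modules_fromAddr(outBuffer, pCallbackEntry->PostOperation);
								}
							}
						}
					}
					/* Type-procedure slots: only non-NULL entries are reported, with their owning module. */
					for(j = 0; NT_SUCCESS(status) && (j < 8); j++)
					{
						if((miniProc = *(PVOID *) (pType + pObpTypeDirectoryObjectOffsets->off2 + (sizeof(PVOID) * j))) != NULL)
						{
							status = kprintf(outBuffer, L"\t%s - ", procCallToName[j]);
							if(NT_SUCCESS(status))
								status = kkll_m_modules_fromAddr(outBuffer, miniProc);
						}
					}
				}
			}
		}
	}
	return status;
}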
/*
 * Dumps the system service descriptor table: its address and entry count,
 * then one "[index] " line per service resolved to its owning module by
 * kkll_m_modules_fromAddr.
 *
 * outBuffer: kiwi output buffer.
 * Returns the first failing status. On x64 the table pointer must first be
 * resolved by kkll_m_ssdt_getKeServiceDescriptorTable; its failure is
 * returned as-is without printing anything.
 */
NTSTATUS kkll_m_ssdt_list(PKIWI_BUFFER outBuffer)
{
	NTSTATUS status;
	USHORT idx;
	ULONG_PTR serviceAddr;

#ifdef _M_X64
	status = kkll_m_ssdt_getKeServiceDescriptorTable();
	if(!NT_SUCCESS(status))
		return status;
#endif
	status = kprintf(outBuffer, L"KeServiceDescriptorTable : 0x%p (%u)\n", KeServiceDescriptorTable, KeServiceDescriptorTable->TableSize);
	for(idx = 0; NT_SUCCESS(status) && (idx < KeServiceDescriptorTable->TableSize); idx++)
	{
#ifdef _M_IX86
		/* x86: the table holds absolute function pointers. */
		serviceAddr = (ULONG_PTR) KeServiceDescriptorTable->ServiceTable[idx];
#else
		/* x64: each entry is an offset from the table base; its low bits are not
		 * part of the offset (masked with ~EX_FAST_REF_MASK before Vista,
		 * shifted out with >> 4 from Vista on). */
		serviceAddr = (ULONG_PTR) KeServiceDescriptorTable->OffsetToService;
		if(KiwiOsIndex < KiwiOsIndex_VISTA)
			serviceAddr += KeServiceDescriptorTable->OffsetToService[idx] & ~EX_FAST_REF_MASK;
		else
			serviceAddr += KeServiceDescriptorTable->OffsetToService[idx] >> 4;
#endif
		status = kprintf(outBuffer, L"[%5u] ", idx);
		if(NT_SUCCESS(status))
			status = kkll_m_modules_fromAddr(outBuffer, (PVOID) serviceAddr);
	}
	return status;
}
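/*
 * Describes one object callback registration: operation mask, registration
 * handle and entry address, then the owning module of its PreOperation and
 * PostOperation routines (each only when set).
 *
 * pCallbackEntry: the OBJECT_CALLBACK_ENTRY to describe (never NULL).
 * outBuffer: kiwi output buffer.
 * Returns STATUS_SUCCESS (including when the entry has no routine at all),
 * or the first failing status from kprintf / kkll_m_modules_fromAddr.
 */
NTSTATUS kkll_m_notify_desc_object_callback(POBJECT_CALLBACK_ENTRY pCallbackEntry, PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_SUCCESS;

	/* Entries with neither routine set are silently skipped. */
	if(pCallbackEntry->PreOperation || pCallbackEntry->PostOperation)
	{
		status = kprintf(outBuffer, L"\t* Callback [type %u] - Handle 0x%p (@ 0x%p)\n", pCallbackEntry->Operations, pCallbackEntry->Handle, pCallbackEntry);
		if(NT_SUCCESS(status) && pCallbackEntry->PreOperation)
		{
			status = kprintf(outBuffer, L"\t\tPreOperation  : ");
			if(NT_SUCCESS(status))
				status = kkll_m_modules_fromAddr(outBuffer, pCallbackEntry->PreOperation);
		}
		if(NT_SUCCESS(status) && pCallbackEntry->PostOperation)
		{
			/* Label fixed: this line reports the PostOperation routine. */
			status = kprintf(outBuffer, L"\t\tPostOperation : ");
			if(NT_SUCCESS(status))
				status = kkll_m_modules_fromAddr(outBuffer, pCallbackEntry->PostOperation);
		}
	}
	return status;
}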
/*
 * Lists the registry (configuration manager) callbacks, one "[index] " line
 * per callback resolved to its owning module.
 *
 * outBuffer: kiwi output buffer.
 * Returns STATUS_SUCCESS, or the first failing status from the symbol
 * lookup, kprintf or kkll_m_modules_fromAddr.
 * CallbackListHeadOrCmpCallBackVector and pCmpCallBackOffsets are globals
 * declared elsewhere, resolved once by kkll_m_notify_search. Before Vista
 * the global is a fixed vector of CM_REG_MAX_CALLBACKS slots; from Vista on
 * it is the head of a circular LIST_ENTRY list whose nodes carry the
 * callback pointer at pCmpCallBackOffsets->off1.
 */
NTSTATUS kkll_m_notify_list_reg(PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_SUCCESS;
	PKKLL_M_NOTIFY_CALLBACK pCallback;
	PLIST_ENTRY pListHead, pNode;
	ULONG idx = 0;

	if(!CallbackListHeadOrCmpCallBackVector)
		status = kkll_m_notify_search(RegReferences, ARRAYSIZE(RegReferences), (PUCHAR *) &CallbackListHeadOrCmpCallBackVector, NULL, &pCmpCallBackOffsets);

	/* Unresolved symbol: report the lookup status and print nothing. */
	if(!CallbackListHeadOrCmpCallBackVector)
		return status;

	if(KiwiOsIndex < KiwiOsIndex_VISTA)
	{
		/* Vector form: empty slots are skipped; the low bits are flag bits masked off. */
		while(NT_SUCCESS(status) && (idx < CM_REG_MAX_CALLBACKS))
		{
			pCallback = (PKKLL_M_NOTIFY_CALLBACK) KIWI_mask3bits(CallbackListHeadOrCmpCallBackVector[idx]);
			if(pCallback)
			{
				status = kprintf(outBuffer, L"[%.2u] ", idx);
				if(NT_SUCCESS(status))
					status = kkll_m_modules_fromAddr(outBuffer, pCallback->callback);
			}
			idx++;
		}
	}
	else
	{
		/* List form: walk Flink until the link comes back to the head. */
		pListHead = (PLIST_ENTRY) CallbackListHeadOrCmpCallBackVector;
		pNode = (PLIST_ENTRY) *CallbackListHeadOrCmpCallBackVector;
		while(NT_SUCCESS(status) && (pNode != pListHead))
		{
			status = kprintf(outBuffer, L"[%.2u] ", idx);
			if(NT_SUCCESS(status))
				status = kkll_m_modules_fromAddr(outBuffer, *(PVOID *) ((ULONG_PTR) pNode + pCmpCallBackOffsets->off1));
			pNode = (PLIST_ENTRY) pNode->Flink;
			idx++;
		}
	}
	return status;
}
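/*
 * Deregisters the process-creation notify routine whose address is passed
 * in bufferIn, first through PsSetCreateProcessNotifyRoutine and, if that
 * fails, through the Ex variant when the OS exports it
 * (pPsSetCreateProcessNotifyRoutineEx, resolved elsewhere).
 *
 * szBufferIn / bufferIn: caller-supplied input — presumably the request
 *   buffer handed over by the dispatcher; verify against the caller. The
 *   only validation performed here is that it is exactly one routine
 *   pointer wide; the pointer value itself is handed to the kernel API,
 *   which is relied on to reject a routine that is not registered.
 * outBuffer: kiwi output buffer; on success the removed routine is reported
 *   with its owning module.
 * Returns STATUS_INVALID_HANDLE for a missing or wrongly sized input,
 * otherwise the status of the last removal attempt or of the output calls.
 */
NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_INVALID_HANDLE;

	if(bufferIn && (szBufferIn == sizeof(PCREATE_PROCESS_NOTIFY_ROUTINE)))
	{
		status = PsSetCreateProcessNotifyRoutine(*(PCREATE_PROCESS_NOTIFY_ROUTINE *) bufferIn, TRUE);
		/* The legacy API did not remove it: retry with the Ex variant when available. */
		if(!NT_SUCCESS(status) && pPsSetCreateProcessNotifyRoutineEx)
			status = pPsSetCreateProcessNotifyRoutineEx(*(PCREATE_PROCESS_NOTIFY_ROUTINE_EX *) bufferIn, TRUE);

		if(NT_SUCCESS(status))
		{
			status = kprintf(outBuffer, L"Removed  : ");
			if(NT_SUCCESS(status))
				status = kkll_m_modules_fromAddr(outBuffer, *(PVOID *) bufferIn);
		}
	}
	return status;
}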
/*
 * Generic lister for a kernel callback array: prints "[index] " and the
 * owning module for every populated slot.
 *
 * outBuffer: kiwi output buffer.
 * generics / cbGenerics: search descriptors handed to kkll_m_notify_search.
 * ptr: in/out; when *ptr is NULL the array is looked up first and its
 *   address stored through ptr, so later calls skip the search.
 * pRoutineMax: number of slots to scan (also filled by the search).
 * Returns STATUS_SUCCESS, or the first failing status from the search,
 * kprintf or kkll_m_modules_fromAddr; if the search leaves *ptr NULL the
 * search status is returned and nothing is printed.
 */
NTSTATUS kkll_m_notify_list(PKIWI_BUFFER outBuffer, PKKLL_M_MEMORY_GENERIC generics, SIZE_T cbGenerics, PUCHAR * ptr, PULONG pRoutineMax)
{
	NTSTATUS status = STATUS_SUCCESS;
	PKKLL_M_NOTIFY_CALLBACK pCallback;
	PVOID *slots;
	ULONG idx;

	if(*ptr == NULL)
		status = kkll_m_notify_search(generics, cbGenerics, ptr, pRoutineMax, NULL);

	if(*ptr == NULL)
		return status;

	slots = (PVOID *) *ptr;
	for(idx = 0; NT_SUCCESS(status) && (idx < *pRoutineMax); idx++)
	{
		/* Low bits are flag bits masked off; an empty slot yields NULL. */
		pCallback = (PKKLL_M_NOTIFY_CALLBACK) KIWI_mask3bits(slots[idx]);
		if(pCallback == NULL)
			continue;
		status = kprintf(outBuffer, L"[%.2u] ", idx);
		if(NT_SUCCESS(status))
			status = kkll_m_modules_fromAddr(outBuffer, pCallback->callback);
	}
	return status;
}
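/* Slice of the per-instance callback table that this module reports;
 * irpToName is indexed relative to its first slot. The meaning of the
 * individual slots is not visible here — see irpToName. */
enum { KKLL_MF_CALLBACK_FIRST = 0x16, KKLL_MF_CALLBACK_END = 0x32 };

/*
 * Reports one slot of a minifilter instance's callback table: when the slot
 * holds a callback node with a pre- or post-callback, prints the slot name
 * and the owning module of each routine that is set.
 *
 * instance: the FLT_INSTANCE being described; k: slot index.
 * Returns STATUS_SUCCESS when nothing is printed, else the first failing
 * status from kprintf / kkll_m_modules_fromAddr.
 */
static NTSTATUS kkll_m_minifilters_list_callback(PKIWI_BUFFER outBuffer, PFLT_INSTANCE instance, ULONG k)
{
	NTSTATUS status = STATUS_SUCCESS;
	PVOID pCallBack, preCallBack, postCallBack;

	/* Offsets into FLT_INSTANCE and the callback node come from the per-OS table MF_OffSetTable. */
	pCallBack = (PVOID) *(PULONG_PTR) (((ULONG_PTR) instance) + MF_OffSetTable[KiwiOsIndex][CallbackOffset] + sizeof(PVOID) * k);
	if(!pCallBack)
		return status;

	preCallBack = (PVOID) *(PULONG_PTR) (((ULONG_PTR) pCallBack) + MF_OffSetTable[KiwiOsIndex][CallbackPreOffset]);
	postCallBack = (PVOID) *(PULONG_PTR) (((ULONG_PTR) pCallBack) + MF_OffSetTable[KiwiOsIndex][CallbackPostOffset]);
	if(preCallBack || postCallBack)
	{
		status = kprintf(outBuffer, L"    [0x%2x] %s\n", k, irpToName[k - KKLL_MF_CALLBACK_FIRST]);
		if(NT_SUCCESS(status) && preCallBack)
		{
			status = kprintf(outBuffer, L"      PreCallback  : ");
			if(NT_SUCCESS(status))
				status = kkll_m_modules_fromAddr(outBuffer, preCallBack);
		}
		if(NT_SUCCESS(status) && postCallBack)
		{
			status = kprintf(outBuffer, L"      PostCallback : ");
			if(NT_SUCCESS(status))
				status = kkll_m_modules_fromAddr(outBuffer, postCallBack);
		}
	}
	return status;
}

/*
 * Prints one instance line ("  [index] <volume name>", or "/" when the
 * volume cannot be obtained) followed by its populated callback slots.
 *
 * The volume reference taken by FltGetVolumeFromInstance is released here.
 * Returns the first failing status from the output calls.
 */
static NTSTATUS kkll_m_minifilters_list_instance(PKIWI_BUFFER outBuffer, PFLT_INSTANCE instance, ULONG j)
{
	NTSTATUS status;
	PFLT_VOLUME Volume = NULL;
	ULONG k;

	if(NT_SUCCESS(FltGetVolumeFromInstance(instance, &Volume)))
	{
		/* CallbackVolumeNameOffset locates the volume's UNICODE_STRING name. */
		status = kprintf(outBuffer, L"  [%.2u] %wZ\n", j, (PUNICODE_STRING) (((ULONG_PTR) Volume) + MF_OffSetTable[KiwiOsIndex][CallbackVolumeNameOffset]));
		FltObjectDereference(Volume);
	}
	else
	{
		status = kprintf(outBuffer, L"  [%.2u] /\n", j);
	}
	for(k = KKLL_MF_CALLBACK_FIRST; NT_SUCCESS(status) && (k < KKLL_MF_CALLBACK_END); k++)
		status = kkll_m_minifilters_list_callback(outBuffer, instance, k);
	return status;
}

/*
 * Enumerates the instances of one filter and describes each of them.
 *
 * Each instance returned by FltEnumerateInstances carries a reference; all
 * of them are released even when output fails part-way (the original code
 * stopped at the first error and leaked the remaining references).
 * Returns STATUS_INSUFFICIENT_RESOURCES when the instance array cannot be
 * allocated, otherwise the enumeration or output status.
 */
static NTSTATUS kkll_m_minifilters_list_instances(PKIWI_BUFFER outBuffer, PFLT_FILTER filter)
{
	NTSTATUS status;
	PFLT_INSTANCE *InstanceList;
	ULONG NumberInstancesReturned, j;

	/* Sizing call: STATUS_BUFFER_TOO_SMALL with the required entry count is the expected outcome. */
	status = FltEnumerateInstances(NULL, filter, NULL, 0, &NumberInstancesReturned);
	if((status != STATUS_BUFFER_TOO_SMALL) || !NumberInstancesReturned)
		return status;

	InstanceList = (PFLT_INSTANCE *) ExAllocatePoolWithTag(NonPagedPool, sizeof(PFLT_INSTANCE) * NumberInstancesReturned, POOL_TAG);
	if(!InstanceList)
		return STATUS_INSUFFICIENT_RESOURCES;

	status = FltEnumerateInstances(NULL, filter, InstanceList, NumberInstancesReturned, &NumberInstancesReturned);
	if(NT_SUCCESS(status))
	{
		for(j = 0; j < NumberInstancesReturned; j++)
		{
			if(NT_SUCCESS(status))
				status = kkll_m_minifilters_list_instance(outBuffer, InstanceList[j], j);
			FltObjectDereference(InstanceList[j]);
		}
	}
	ExFreePoolWithTag(InstanceList, POOL_TAG);
	return status;
}

/*
 * Prints one filter line ("[index] <filter name>") and then its instances.
 *
 * A filter whose full information cannot be sized is skipped with the
 * status FltGetFilterInformation returned (this stops the caller's scan,
 * as before). Returns STATUS_INSUFFICIENT_RESOURCES when the information
 * buffer cannot be allocated.
 */
static NTSTATUS kkll_m_minifilters_list_filter(PKIWI_BUFFER outBuffer, PFLT_FILTER filter, ULONG i)
{
	NTSTATUS status;
	PFILTER_FULL_INFORMATION info;
	ULONG cbInfo;

	status = FltGetFilterInformation(filter, FilterFullInformation, NULL, 0, &cbInfo);
	if((status != STATUS_BUFFER_TOO_SMALL) || !cbInfo)
		return status;

	info = (PFILTER_FULL_INFORMATION) ExAllocatePoolWithTag(NonPagedPool, cbInfo, POOL_TAG);
	if(!info)
		return STATUS_INSUFFICIENT_RESOURCES;

	status = FltGetFilterInformation(filter, FilterFullInformation, info, cbInfo, &cbInfo);
	if(NT_SUCCESS(status))
	{
		/* FilterNameLength is in bytes; %.*s wants a character count (an int). */
		status = kprintf(outBuffer, L"[%.2u] %.*s\n", i, (int) (info->FilterNameLength / sizeof(WCHAR)), info->FilterNameBuffer);
		if(NT_SUCCESS(status))
			status = kkll_m_minifilters_list_instances(outBuffer, filter);
	}
	ExFreePoolWithTag(info, POOL_TAG);
	return status;
}

/*
 * Lists every registered minifilter with its instances and, per instance,
 * the populated pre/post callback slots resolved to their owning modules.
 *
 * outBuffer: kiwi output buffer.
 * Returns the status of the sizing call when no filter is found, or when it
 * does not report STATUS_BUFFER_TOO_SMALL; STATUS_INSUFFICIENT_RESOURCES
 * when the filter array cannot be allocated (previously the sizing status
 * leaked through); otherwise the first failing enumeration or output status.
 * Every filter reference returned by FltEnumerateFilters is released, even
 * when output fails part-way through the list.
 */
NTSTATUS kkll_m_minifilters_list(PKIWI_BUFFER outBuffer)
{
	NTSTATUS status;
	PFLT_FILTER *FilterList;
	ULONG NumberFiltersReturned, sizeOfBuffer, i;

	status = FltEnumerateFilters(NULL, 0, &NumberFiltersReturned);
	if((status != STATUS_BUFFER_TOO_SMALL) || !NumberFiltersReturned)
		return status;

	sizeOfBuffer = sizeof(PFLT_FILTER) * NumberFiltersReturned;
	FilterList = (PFLT_FILTER *) ExAllocatePoolWithTag(NonPagedPool, sizeOfBuffer, POOL_TAG);
	if(!FilterList)
		return STATUS_INSUFFICIENT_RESOURCES;

	/* NOTE(review): the size is passed in bytes here but as an entry count to
	 * FltEnumerateInstances above — confirm which unit FltEnumerateFilters
	 * expects. If it is entries, this over-states the array capacity, and a
	 * filter registered between the two calls could overrun FilterList. */
	status = FltEnumerateFilters(FilterList, sizeOfBuffer, &NumberFiltersReturned);
	if(NT_SUCCESS(status))
	{
		for(i = 0; i < NumberFiltersReturned; i++)
		{
			if(NT_SUCCESS(status))
				status = kkll_m_minifilters_list_filter(outBuffer, FilterList[i], i);
			FltObjectDereference(FilterList[i]);
		}
	}
	ExFreePoolWithTag(FilterList, POOL_TAG);
	return status;
}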