示例#1
0
ExtRemoteTyped
GetHive(
    _In_ PWSTR FullKeyPath
    )
{
    PHIVE_OBJECT Hive = NULL;
    ULONG64 HiveAddress = NULL;
    ULONG HiveRootLength;
    ULONG KeyPathLength;

    if (g_Hives.size()) {

        KeyPathLength = (ULONG)wcslen(FullKeyPath);

        for (size_t i = 0; i < g_Hives.size(); i++) {

            HiveRootLength = (ULONG)wcslen(g_Hives[i].HiveRootPath);

            if (HiveRootLength && (HiveRootLength <= KeyPathLength) && (0 == _wcsnicmp(g_Hives[i].HiveRootPath, FullKeyPath, HiveRootLength))) {

                Hive = &g_Hives[i];
                break;
            }
        }

        if (!Hive) {

            Hive = &g_Hives[0];
        }

        HiveAddress = Hive->HivePtr;
    }

    return ExtRemoteTyped("(nt!_HHIVE *)@$extin", HiveAddress);
}
示例#2
0
vector<HANDLE_OBJECT>
ObOpenObjectDirectory(
    _In_ ULONG64 InputObject
)
/*++

Routine Description:

    Description.

Arguments:

    InputObject - 

Return Value:

    vector<HANDLE_OBJECT>.

--*/
{
    vector<HANDLE_OBJECT> Handles;
    HANDLE_OBJECT Handle = { 0 };
    ExtRemoteTyped Directory;

    ULONG64 ObjectDir = InputObject;

    if (!ObjectDir)
    {
        ReadPointer(GetExpression("nt!ObpRootDirectoryObject"), &ObjectDir);
    }

    Directory = ExtRemoteTyped("(nt!_OBJECT_DIRECTORY *)@$extin", ObjectDir);

    ObReadObject(ObjectDir, &Handle);

    for (UINT i = 0; i < 37; i += 1)
    {
        ULONG64 Entry = Directory.Field("HashBuckets").ArrayElement(i).GetPointerTo().GetPtr();
        if (!Entry) continue;

        //
        // ExtRemoteTypedList requires a POINTER to the first entry. Not the offset of the first entry.
        //
        ExtRemoteTypedList EntryList(Entry, "nt!_OBJECT_DIRECTORY_ENTRY", "ChainLink");

        for (EntryList.StartHead(); EntryList.HasNode(); EntryList.Next())
        {
            HANDLE_OBJECT Handle = {0};

            ULONG64 Object = EntryList.GetTypedNode().Field("Object").GetPtr();
            ObReadObject(Object, &Handle);

            Handles.push_back(Handle);
        }
    }

    return Handles;
}
示例#3
0
    bool Walk(WalkResult* result) {
        if ( !IsValid() ) {
            return false;
        }

        result->reserve(static_cast<size_t>(GetTableCount()));

        const auto offset = GetTableStart() + GetTableSkipStart();

        for ( uint32_t tc = 0; tc < GetTableCount(); tc++ ) {
            try {
                result->emplace_back(ExtRemoteTyped(m_type.c_str(),
                                                    offset + tc * m_type_size,
                                                    false,
                                                    m_sym_cache->GetCookieCache(m_type),
                                                    nullptr));
            } catch ( const ExtRemoteException &Ex ) {
                err << wa::showminus << __FUNCTION__ << ": " << Ex.GetMessage() << endlerr;
            }
        }

        return !result->empty();
    }
示例#4
0
BOOLEAN
ObReadObject(
    _In_ ULONG64 Object,
    _Out_ PHANDLE_OBJECT HandleObj
)
/*++

Routine Description:

    Description.

Arguments:

    Object - 
    HandleObj - 

Return Value:

    BOOLEAN.

--*/
{
    BOOLEAN Result = FALSE;
    LPWSTR ObjName = NULL;

    ULONG BodyOffset = 0;
    GetFieldOffset("nt!_OBJECT_HEADER", "Body", &BodyOffset);

    WCHAR TypeStr[64] = { 0 };

    if ((!Object) || (!IsValid(Object))) return FALSE;

    if (!ObTypeInit)
    {
        ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", GetExpression("nt!ObTypeIndexTable"));
        ObTypeInit = TRUE;
    }

    ULONG64 ObjHeaderAddr = Object - BodyOffset;

    if (!IsValid(ObjHeaderAddr)) return FALSE;

    ExtRemoteTyped ObjHeader("(nt!_OBJECT_HEADER *)@$extin", ObjHeaderAddr);
    HandleObj->ObjectPtr = Object; // ObjHeader.Field("Body").GetPointerTo().GetPtr();

    if (ObjHeader.HasField("TypeIndex"))
    {
        HandleObj->ObjectTypeIndex = ObjHeader.Field("TypeIndex").GetChar();
        if ((HandleObj->ObjectTypeIndex <= 1) || (HandleObj->ObjectTypeIndex >= 45)) return FALSE;

        ExtRemoteTypedEx::GetUnicodeString(ObjTypeTable.ArrayElement(HandleObj->ObjectTypeIndex).Field("Name"), TypeStr, sizeof(TypeStr));
        wcscpy_s(HandleObj->Type, TypeStr);
    }
    else
    {
        if (!IsValid(ObjHeader.Field("Type").GetPtr())) goto CleanUp;

        ExtRemoteTypedEx::GetUnicodeString(ObjHeader.Field("Type").Field("Name"), TypeStr, sizeof(TypeStr));
        wcscpy_s(HandleObj->Type, TypeStr);
    }

    if (_wcsicmp(TypeStr, L"File") == 0)
    {
        ExtRemoteTyped FileObject("(nt!_FILE_OBJECT *)@$extin", HandleObj->ObjectPtr);
        ObjName = ExtRemoteTypedEx::GetUnicodeString2(FileObject.Field("FileName"));
    }
    else if (_wcsicmp(TypeStr, L"Driver") == 0)
    {
        ExtRemoteTyped DrvObject("(nt!_DRIVER_OBJECT *)@$extin", HandleObj->ObjectPtr);
        ObjName = ExtRemoteTypedEx::GetUnicodeString2(DrvObject.Field("DriverName"));
    }
    else if (_wcsicmp(TypeStr, L"Process") == 0)
    {
        ExtRemoteTyped ProcessObj("(nt!_EPROCESS *)@$extin", HandleObj->ObjectPtr);
        ObjName = ExtRemoteTypedEx::GetUnicodeString2(ProcessObj.Field("ImageFileName"));
    }
    else if (_wcsicmp(TypeStr, L"ALPC Port") == 0)
    {
        // dt nt!_ALPC_PORT
    }
    else if (_wcsicmp(TypeStr, L"EtwRegistration") == 0)
    {
        // dt nt!_ETW_?
    }
    else if (_wcsicmp(TypeStr, L"Thread") == 0)
    {
        // dt nt!_ETHREAD
    }
    else if (_wcsicmp(TypeStr, L"Event") == 0)
    {
        // dt nt!_KTHREAD
    }
    else if (_wcsicmp(TypeStr, L"Key") == 0)
    {
        ExtRemoteTyped KeyObject("(nt!_CM_KEY_BODY *)@$extin", HandleObj->ObjectPtr);
        HandleObj->ObjectKcb = KeyObject.Field("KeyControlBlock").GetPtr();
        ObjName = RegGetKeyName(KeyObject.Field("KeyControlBlock"));
        // dt nt!_CM_KEY_BODY -> nt!_CM_KEY_CONTROL_BLOCK
    }
    else
    {
        ULONG Offset = 0;
        UCHAR InfoMask = 0;

        if (ObjHeader.HasField("InfoMask"))
        {
            InfoMask = ObjHeader.Field("InfoMask").GetUchar();

            if (InfoMask & OBP_NAME_INFO_BIT)
            {
                if (InfoMask & OBP_CREATOR_INFO_BIT) Offset += GetTypeSize("nt!_OBJECT_HEADER_CREATOR_INFO");
                Offset += GetTypeSize("nt!_OBJECT_HEADER_NAME_INFO");
            }
        }
        else
        {
            Offset = ObjHeader.Field("NameInfoOffset").GetUchar();
        }

        if (Offset)
        {
            ExtRemoteTyped ObjNameInfo("(nt!_OBJECT_HEADER_NAME_INFO *)@$extin", ObjHeaderAddr - Offset);
            ObjName = ExtRemoteTypedEx::GetUnicodeString2(ObjNameInfo.Field("Name"));
        }
    }

    if (ObjName)
    {
        wcscpy_s(HandleObj->Name, ObjName);
        free(ObjName);
        ObjName = NULL;
    }

    Result = TRUE;
CleanUp:
    return Result;
}
示例#5
0
BOOLEAN
PEFile::InitImage(
)
/*++

Routine Description:

    Description.

Arguments:

    - 

Return Value:

    BOOLEAN.

--*/
{
    PIMAGE_DOS_HEADER Header = NULL;
    PVOID Image = NULL;
    ULONG BytesRead = 0;
    ULONG64 BaseImageAddress = m_ImageBase;

    PIMAGE_NT_HEADERS32 NtHeader32 = NULL;
    PIMAGE_NT_HEADERS64 NtHeader64 = NULL;

    PIMAGE_DATA_DIRECTORY DataDirectory = NULL;
    ExtRemoteTyped BaseImage;

    BOOLEAN Result = FALSE;
    ULONG64 ProcessDataOffset = 0ULL;

    if (m_Image.Initialized)
    {
        // g_Ext->Dml("b_Initialized already set to TRUE\n");
        Result = TRUE;
        goto CleanUp;
    }

    if (!m_ImageSize)
    {
        Header = (PIMAGE_DOS_HEADER)malloc(PAGE_SIZE);
        if (Header == NULL) goto CleanUp;
        RtlZeroMemory(Header, PAGE_SIZE);

        if (g_Ext->m_Data->ReadVirtual(BaseImageAddress, Header, PAGE_SIZE, &BytesRead) != S_OK)
        {
#if VERBOSE_MODE
            g_Ext->Dml("Error: Can't read 0x%I64x bytes at %I64x.\n", PAGE_SIZE, BaseImageAddress);
#endif
            goto CleanUp;
        }

        BaseImage = ExtRemoteTyped("(nt!_IMAGE_DOS_HEADER *)@$extin", BaseImageAddress);
        if (BaseImage.Field("e_magic").GetUshort() != IMAGE_DOS_SIGNATURE) goto CleanUp;

        NtHeader32 = (PIMAGE_NT_HEADERS32)((PUCHAR)Header + BaseImage.Field("e_lfanew").GetUlong());

        if (NtHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        {
            m_ImageSize = NtHeader32->OptionalHeader.SizeOfImage;
        }
        else if (NtHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        {
            NtHeader64 = (PIMAGE_NT_HEADERS64)NtHeader32;
            NtHeader32 = NULL;
            m_ImageSize = NtHeader64->OptionalHeader.SizeOfImage;;
        }
        else
        {
#if VERBOSE_MODE
            g_Ext->Dml("Error: Invalid signature.\n");
#endif
            goto CleanUp;
        }
    }

    Image = malloc(m_ImageSize);
    if (Image == NULL) goto CleanUp;
    RtlZeroMemory(Image, (ULONG)m_ImageSize);

    if (ExtRemoteTypedEx::ReadVirtual(BaseImageAddress, Image, (ULONG)m_ImageSize, &BytesRead) != S_OK)
    {
#if VERBOSE_MODE
        g_Ext->Dml("Error: Can't read 0x%I64x bytes at %I64x.\n", m_ImageSize, BaseImageAddress);
#endif
        goto CleanUp;
    }

    m_Image.Image = (PIMAGE_DOS_HEADER)Image;
    REF_POINTER(m_Image.Image);

    m_Image.NtHeader32 = (PIMAGE_NT_HEADERS32)((PUCHAR)Image + m_Image.Image->e_lfanew);
    NtHeader32 = m_Image.NtHeader32;

    if (NtHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    {
        m_Image.NtHeader32 = NULL;
        m_Image.NtHeader64 = (PIMAGE_NT_HEADERS64)((PUCHAR)Image + m_Image.Image->e_lfanew);
        m_Image.DataDirectory = (PIMAGE_DATA_DIRECTORY)m_Image.NtHeader64->OptionalHeader.DataDirectory;
        m_Image.Sections = (PIMAGE_SECTION_HEADER)(m_Image.NtHeader64 + 1);

        m_Image.NumberOfSections = m_Image.NtHeader64->FileHeader.NumberOfSections;
    }
    else if (NtHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        m_Image.NtHeader64 = NULL;
        m_Image.DataDirectory = (PIMAGE_DATA_DIRECTORY)m_Image.NtHeader32->OptionalHeader.DataDirectory;
        m_Image.Sections = (PIMAGE_SECTION_HEADER)(m_Image.NtHeader32 + 1);
        m_Image.NumberOfSections = m_Image.NtHeader32->FileHeader.NumberOfSections;
    }
    else
    {
        goto CleanUp;
    }

#if VERBOSE_MODE
    g_Ext->Dml("m_Image = %p\n"
        "m_NtHeader32 = %p\n"
        "m_DataDirectory = %p\n"
        "m_Sections = %p\n", m_Image.Image, m_Image.NtHeader32, m_Image.DataDirectory, m_Image.Sections);

    g_Ext->Dml("m_NumberOfSections = %x\n", m_Image.NumberOfSections);
#endif

    Result = TRUE;

CleanUp:
    if (Header) free(Header);

    m_Image.Initialized = Result;

    return Result;
}
示例#6
0
ExtRemoteTyped
GetKeyNode(
    _In_ PWSTR FullKeyPath
    )
{
    ULONG64 CmpMasterHive;
    ULONG64 CmpRegistryRootObject;
    ExtRemoteTyped KeyNode;

    try {

        ReadPointer(CmpMasterHiveAddress, &CmpMasterHive);
        ReadPointer(CmpRegistryRootObjectAddress, &CmpRegistryRootObject);

        ExtRemoteTyped KeyHive("(nt!_HHIVE *)@$extin", CmpMasterHive);
        ExtRemoteTyped KeyBody("(nt!_CM_KEY_BODY *)@$extin", CmpRegistryRootObject);
        ExtRemoteTyped KeyControlBlock("(nt!_CM_KEY_CONTROL_BLOCK *)@$extin", KeyBody.Field("KeyControlBlock").GetPtr());

        ULONG KeyCell = KeyControlBlock.Field("KeyCell").GetUlong();

        KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", RegGetCellPaged(KeyHive, KeyCell));

        vector<KEY_NAME> KeysNames = GetKeysNames(FullKeyPath);

        for (size_t i = 1; i < KeysNames.size(); i++) {

            BOOL IsFound = FALSE;

            vector<KEY_NODE> SubKeys = GetSubKeys(KeyHive, KeyNode);

            for (size_t j = 0; j < SubKeys.size(); j++) {

                if (0 == _wcsicmp(KeysNames[i].Name, SubKeys[j].Name)) {

                    KeyNode = SubKeys[j].KeyNode;

                    if (KeyNode.Field("Signature").GetUshort() == CM_LINK_NODE_SIGNATURE) {

                        KeyHive = ExtRemoteTyped("(nt!_HHIVE *)@$extin", KeyNode.Field("ChildHiveReference.KeyHive").GetPtr());
                        KeyCell = KeyNode.Field("ChildHiveReference.KeyCell").GetUlong();
                        KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", RegGetCellPaged(KeyHive, KeyCell));
                    }

                    IsFound = TRUE;
                    break;
                }
            }

            if (!IsFound) {

                KeyNode = ExtRemoteTyped("(nt!_CM_KEY_NODE *)@$extin", NULL);
                break;
            }
        }
    }
    catch (...) {

    }

    return KeyNode;
}
示例#7
0
BOOLEAN
ObReadObject(
    _In_ ULONG64 Object,
    _Out_ PHANDLE_OBJECT HandleObj
)
/*++

Routine Description:

    Description.

Arguments:

    Object - 
    HandleObj - 

Return Value:

    BOOLEAN.

--*/
{
    BOOLEAN Result = FALSE;
    PWSTR ObjectName = NULL;
    WCHAR TypeStr[64] = {0};
    ULONG BodyOffset = 0;

    GetFieldOffset("nt!_OBJECT_HEADER", "Body", &BodyOffset);

    try {

        ZeroMemory(HandleObj, sizeof(HANDLE_OBJECT));

        if ((!Object) || (!IsValid(Object))) return FALSE;

        if (!ObTypeInit)
        {
            ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", ObTypeIndexTableAddress);
            ObTypeInit = TRUE;
        }

        ULONG64 ObjHeaderAddr = Object - BodyOffset;

        if (!IsValid(ObjHeaderAddr)) return FALSE;

        ExtRemoteTyped ObjHeader("(nt!_OBJECT_HEADER *)@$extin", ObjHeaderAddr);
        HandleObj->ObjectPtr = Object; // ObjHeader.Field("Body").GetPointerTo().GetPtr();

        if (ObjHeader.HasField("TypeIndex"))
        {
            BYTE HeaderCookie;

            HandleObj->ObjectTypeIndex = ObjHeader.Field("TypeIndex").GetUchar();

            if (g_Ext->m_Data->ReadVirtual(ObHeaderCookieAddress, &HeaderCookie, sizeof(HeaderCookie), NULL) == S_OK) {

                HandleObj->ObjectTypeIndex = (((ObjHeaderAddr >> 8) & 0xff) ^ HandleObj->ObjectTypeIndex) ^ HeaderCookie;
            }

            ExtRemoteTypedEx::GetUnicodeString(ObjTypeTable.ArrayElement(HandleObj->ObjectTypeIndex).Field("Name"), TypeStr, sizeof(TypeStr));

            StringCchCopyW(HandleObj->Type, _countof(HandleObj->Type), TypeStr);
        }