示例#1
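/*
* exceptShowException
*
* Purpose:
*
* Output exception information to the user.
*
* Builds one message holding the faulting address, the access type and
* target address for access violations, and the minidump file name when
* exceptWriteDump succeeds, then shows it in a message box.
*
*/
VOID exceptShowException(
	EXCEPTION_POINTERS *ExceptionPointers
	)
{
	WCHAR szMessage[MAX_PATH * 2];
	ULONGLONG IdFile;

	// _strcpy/_strcat/u64tohex are called without a size argument here, so
	// the sum of the fixed pieces below must stay under the buffer size.
	RtlSecureZeroMemory(&szMessage, sizeof(szMessage));
	_strcpy(szMessage, L"Sorry, exception occurred at address: \n0x");
	u64tohex((ULONG_PTR)ExceptionPointers->ExceptionRecord->ExceptionAddress, _strend(szMessage));

	if (ExceptionPointers->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
		// ExceptionInformation[0] is the access type, [1] the target address.
		switch (ExceptionPointers->ExceptionRecord->ExceptionInformation[0]) {
		case 0:
			_strcat(szMessage, L"\n\nAttempt to read at address: \n0x");
			break;
		case 1:
			_strcat(szMessage, L"\n\nAttempt to write at address: \n0x");
			break;
		case 8:
			// Documented value for a user-mode DEP (execute) violation.
			_strcat(szMessage, L"\n\nAttempt to execute at address: \n0x");
			break;
		default:
			// Always emit a label: without one the target address would be
			// appended straight onto the faulting address printed above.
			_strcat(szMessage, L"\n\nAccess violation at address: \n0x");
			break;
		}
		u64tohex(ExceptionPointers->ExceptionRecord->ExceptionInformation[1], _strend(szMessage));
	}

	// The tick count doubles as the id embedded in the dump file name.
	IdFile = GetTickCount64();

	// NOTE(review): the dump is reported as written to %TEMP%; it holds
	// process memory, so it should be handled as sensitive when shared.
	if (exceptWriteDump(ExceptionPointers, IdFile)) {
		_strcat(szMessage, L"\n\nMinidump wobjex");
		u64tostr(IdFile, _strend(szMessage));
		_strcat(szMessage, L".dmp is in %TEMP% directory");
	}
	_strcat(szMessage, L"\n\nPlease report this to the developers, thanks");
	MessageBox(GetForegroundWindow(), szMessage, NULL, MB_ICONERROR);
}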
示例#2
/*
* propBasicQueryDesktop
*
* Purpose:
*
* Fill the basic information page for a Desktop object.
*
* Support is very limited because of win32k type origin.
*
* When the helper driver handle (g_kdctx.hDevice) is present, the object
* header is read from system memory and shown through propSetBasicInfoEx;
* otherwise only the object/header addresses and the default info are set.
*
*/
VOID propBasicQueryDesktop(
    _In_ PROP_OBJECT_INFO *Context,
    _In_ HWND hwndDlg
)
{
    BOOL        fExtended = FALSE;
    HANDLE      hDesktop = NULL;
    ULONG_PTR   ObjectAddress = 0, HeaderAddress, QuotaInfoAddress;
    WCHAR       szText[MAX_PATH + 1];
    OBJINFO     Info;

    if (Context == NULL)
        return;

    //
    // Open the Desktop object with read-only object access.
    // Restriction: only desktops of the current window station can be opened.
    //
    if (!propOpenCurrentObject(Context, &hDesktop, DESKTOP_READOBJECTS))
        return;

    if (supQueryObjectFromHandle(hDesktop, &ObjectAddress, NULL)) {

        HeaderAddress = (ULONG_PTR)OBJECT_TO_OBJECT_HEADER(ObjectAddress);

        // Driver available: read the object header from system memory.
        if (g_kdctx.hDevice != NULL) {

            RtlSecureZeroMemory(&Info, sizeof(Info));
            Info.HeaderAddress = HeaderAddress;
            Info.ObjectAddress = ObjectAddress;

            fExtended = kdReadSystemMemory(HeaderAddress,
                &Info.ObjectHeader, sizeof(OBJECT_HEADER));

            if (fExtended) {
                // Quota info is optional; on failure the zeroed
                // ObjectQuotaHeader is what gets displayed.
                QuotaInfoAddress = 0;
                if (ObHeaderToNameInfoAddress(Info.ObjectHeader.InfoMask,
                    HeaderAddress, &QuotaInfoAddress, HeaderQuotaInfoFlag))
                {
                    kdReadSystemMemory(QuotaInfoAddress,
                        &Info.ObjectQuotaHeader, sizeof(OBJECT_HEADER_QUOTA_INFO));
                }
                propSetBasicInfoEx(hwndDlg, &Info);
            }
        }

        // No extended info: show only the two addresses we do have.
        if (!fExtended) {

            // Object address
            RtlSecureZeroMemory(&szText, sizeof(szText));
            szText[0] = L'0';
            szText[1] = L'x';
            u64tohex(ObjectAddress, &szText[2]);
            SetDlgItemText(hwndDlg, ID_OBJECT_ADDR, szText);

            // Header address
            RtlSecureZeroMemory(&szText, sizeof(szText));
            szText[0] = L'0';
            szText[1] = L'x';
            u64tohex(HeaderAddress, &szText[2]);
            SetDlgItemText(hwndDlg, ID_OBJECT_HEADER, szText);
        }
    }

    //
    // Fall back to the basic/type query when the header was not read.
    //
    if (!fExtended)
        propSetDefaultInfo(Context, hwndDlg, hDesktop);

    CloseDesktop(hDesktop);
}
示例#3
/*
* propSetBasicInfoEx
*
* Purpose:
*
* Set information values received with kldbgdrv help
*
* Writes the addresses, reference/handle counts and pool charges from
* InfoObject into the dialog, then lists the set header flag bits in the
* IDC_OBJECT_FLAGS combo box.
*
*/
VOID propSetBasicInfoEx(
    _In_ HWND hwndDlg,
    _In_ POBJINFO InfoObject
)
{
    INT     nBit;
    BOOL    fHasFlags;
    HWND    hwndFlags;
    WCHAR   szText[MAX_PATH];

    if (InfoObject == NULL) {
        return;
    }

    // Object address, shown as 0x-prefixed hex.
    RtlSecureZeroMemory(szText, sizeof(szText));
    szText[0] = L'0';
    szText[1] = L'x';
    u64tohex(InfoObject->ObjectAddress, &szText[2]);
    SetDlgItemText(hwndDlg, ID_OBJECT_ADDR, szText);

    // Header address, shown as 0x-prefixed hex.
    RtlSecureZeroMemory(szText, sizeof(szText));
    szText[0] = L'0';
    szText[1] = L'x';
    u64tohex(InfoObject->HeaderAddress, &szText[2]);
    SetDlgItemText(hwndDlg, ID_OBJECT_HEADER, szText);

    // Reference (pointer) count.
    RtlSecureZeroMemory(szText, sizeof(szText));
    ultostr(InfoObject->ObjectHeader.PointerCount, _strend(szText));
    SetDlgItemText(hwndDlg, ID_OBJECT_REFC, szText);

    // Handle count.
    RtlSecureZeroMemory(szText, sizeof(szText));
    ultostr(InfoObject->ObjectHeader.HandleCount, _strend(szText));
    SetDlgItemText(hwndDlg, ID_OBJECT_HANDLES, szText);

    // Non-paged pool charge.
    RtlSecureZeroMemory(szText, sizeof(szText));
    ultostr(InfoObject->ObjectQuotaHeader.NonPagedPoolCharge, szText);
    SetDlgItemText(hwndDlg, ID_OBJECT_NP_CHARGE, szText);

    // Paged pool charge.
    RtlSecureZeroMemory(szText, sizeof(szText));
    ultostr(InfoObject->ObjectQuotaHeader.PagedPoolCharge, _strend(szText));
    SetDlgItemText(hwndDlg, ID_OBJECT_PP_CHARGE, szText);

    // Attributes: nothing more to do without the combo box.
    hwndFlags = GetDlgItem(hwndDlg, IDC_OBJECT_FLAGS);
    if (!hwndFlags) {
        return;
    }

    // The combo box is enabled only when at least one flag bit is set.
    fHasFlags = (InfoObject->ObjectHeader.Flags > 0) ? TRUE : FALSE;
    EnableWindow(hwndFlags, fHasFlags);
    SendMessage(hwndFlags, CB_RESETCONTENT, (WPARAM)0, (LPARAM)0);

    if (InfoObject->ObjectHeader.Flags > 0) {
        // One entry per set bit among the low eight; T_ObjectFlags supplies the text.
        for (nBit = 0; nBit < 8; nBit++) {
            if (GET_BIT(InfoObject->ObjectHeader.Flags, nBit)) {
                SendMessage(hwndFlags,
                    CB_ADDSTRING,
                    (WPARAM)0,
                    (LPARAM)T_ObjectFlags[nBit]);
            }
        }
        SendMessage(hwndFlags, CB_SETCURSEL, (WPARAM)0, (LPARAM)0);
    }
}
示例#4
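/*
* SdtListTable
*
* Purpose:
*
* KiServiceTable query and list routine.
*
* On first use, builds g_SdtTable by pairing the "Nt" exports of ntdll with
* the entries returned by supDumpSyscallTableConverted. Every call then
* fills the list view with service id, name, address and owning module.
*
* Buffers obtained here (module list, table dump) are released on every
* exit path, including after a handled exception.
*
*/
VOID SdtListTable(
	VOID
	)
{
	BOOL                    cond = FALSE;
	PUTable                 Dump = NULL;
	PRTL_PROCESS_MODULES    pModules = NULL;
	PVOID                   Module = NULL; 
	PIMAGE_EXPORT_DIRECTORY pexp = NULL;
	PIMAGE_NT_HEADERS       NtHeaders = NULL;
	DWORD                   ETableVA;
	PDWORD                  names, functions;
	PWORD                   ordinals;
	LVITEM                  lvitem;
	WCHAR                   szBuffer[MAX_PATH + 1];

	char *name;
	void *addr;
	ULONG number, i;
	INT index;

	__try {

		do {
			pModules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
			if (pModules == NULL)
				break;

			//if table empty, dump and prepare table
			if (g_SdtTable == NULL) {

				if (g_NtdllModule == NULL) {
					Module = GetModuleHandle(TEXT("ntdll.dll"));
				}
				else {
					Module = g_NtdllModule;
				}

				if (Module == NULL)
					break;

				if (!supDumpSyscallTableConverted(&g_kdctx, &Dump))
					break;

				NtHeaders = RtlImageNtHeader(Module);
				if (NtHeaders == NULL)
					break;

				ETableVA = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
				if (ETableVA == 0)
					break;

				pexp = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)Module + ETableVA);
				names = (PDWORD)((PBYTE)Module + pexp->AddressOfNames);
				functions = (PDWORD)((PBYTE)Module + pexp->AddressOfFunctions);
				ordinals = (PWORD)((PBYTE)Module + pexp->AddressOfNameOrdinals);

				//allocate only after every prerequisite succeeded, otherwise a
				//failed attempt leaves a non-NULL empty table that blocks any retry
				g_SdtTable = (PSERVICETABLEENTRY)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
					sizeof(SERVICETABLEENTRY) * g_kdctx.KiServiceLimit);

				if (g_SdtTable == NULL)
					break;

				//walk for Nt stubs; the table has KiServiceLimit slots, so stop
				//once it is full instead of writing past the allocation
				g_cSdtTable = 0;
				for (i = 0; (i < pexp->NumberOfNames) && (g_cSdtTable < g_kdctx.KiServiceLimit); i++) {

					name = ((CHAR *)Module + names[i]);
					addr = (PVOID *)((CHAR *)Module + functions[ordinals[i]]);

					//two-byte compare of the name prefix against "Nt"
					if (*(USHORT*)name == 'tN') {

						//NOTE(review): takes the 32-bit value at offset 4 of the export as
						//the service number; this assumes an unmodified syscall stub. Other
						//"Nt" exports or patched stubs yield an arbitrary value that is
						//only range-checked below.
						number = *(ULONG*)((UCHAR*)addr + 4);

						//range check also bounds the Dump[] index
						//(assumes Dump holds KiServiceLimit entries - confirm)
						if (number < g_kdctx.KiServiceLimit) {
							//NOTE(review): assumes SERVICETABLEENTRY.Name holds at least
							//MAX_PATH WCHARs - confirm against the structure definition
							MultiByteToWideChar(CP_ACP, 0, name, (INT)_strlen_a(name),
								g_SdtTable[g_cSdtTable].Name, MAX_PATH);

							g_SdtTable[g_cSdtTable].ServiceId = number;
							g_SdtTable[g_cSdtTable].Address = Dump[number];
							g_cSdtTable++;
						}
					}//tN
				}//for
				HeapFree(GetProcessHeap(), 0, Dump);
				Dump = NULL;
			}

			//list table
			for (i = 0; i < g_cSdtTable; i++) {

				//ServiceId
				RtlSecureZeroMemory(&lvitem, sizeof(lvitem));
				lvitem.mask = LVIF_TEXT | LVIF_IMAGE;
				lvitem.iSubItem = 0;
				lvitem.iItem = MAXINT;
				lvitem.iImage = TYPE_DEVICE; //imagelist id
				RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
				ultostr(g_SdtTable[i].ServiceId, szBuffer);
				lvitem.pszText = szBuffer;
				index = ListView_InsertItem(SdtDlgContext.ListView, &lvitem);

				//Name
				lvitem.mask = LVIF_TEXT;
				lvitem.iSubItem = 1;
				lvitem.pszText = (LPWSTR)g_SdtTable[i].Name;
				lvitem.iItem = index;
				ListView_SetItem(SdtDlgContext.ListView, &lvitem);

				//Address
				lvitem.iSubItem = 2;
				RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
				szBuffer[0] = L'0';
				szBuffer[1] = L'x';
				u64tohex(g_SdtTable[i].Address, &szBuffer[2]);
				lvitem.pszText = szBuffer;
				lvitem.iItem = index;
				ListView_SetItem(SdtDlgContext.ListView, &lvitem);

				//Module
				lvitem.iSubItem = 3;
				RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));

				//an address outside every loaded module is shown as unknown
				number = supFindModuleEntryByAddress(pModules, (PVOID)g_SdtTable[i].Address);
				if (number == (ULONG)-1) {
					_strcpy(szBuffer, TEXT("Unknown Module"));
				}
				else {

					//szBuffer was zeroed above and has MAX_PATH + 1 slots, so the
					//converted text stays terminated
					MultiByteToWideChar(CP_ACP, 0,
						(LPCSTR)&pModules->Modules[number].FullPathName,
						(INT)_strlen_a((char*)pModules->Modules[number].FullPathName),
						szBuffer,
						MAX_PATH);
				}

				lvitem.pszText = szBuffer;
				lvitem.iItem = index;
				ListView_SetItem(SdtDlgContext.ListView, &lvitem);
			}

		} while (cond);
	}

	__except (exceptFilter(GetExceptionCode(), GetExceptionInformation())) {
		//do not return here: fall through so the buffers below are released
	}

	if (pModules) {
		HeapFree(GetProcessHeap(), 0, pModules);
	}

	if (Dump) {
		HeapFree(GetProcessHeap(), 0, Dump);
	}
}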