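//
// Resolve the object's type name into TypeStr and record its type index in
// HandleObj. Returns FALSE when the type cannot be resolved from readable
// target memory (bad index, unreadable type-table entry or type pointer).
//
static BOOLEAN
ObpReadTypeName(
    _In_ ULONG64 ObjHeaderAddr,
    _In_ ExtRemoteTyped &ObjHeader,
    _Inout_ PHANDLE_OBJECT HandleObj,
    _Out_writes_bytes_(TypeStrCb) LPWSTR TypeStr,
    _In_ ULONG TypeStrCb
)
{
    if (ObjHeader.HasField("TypeIndex")) {
        // TypeIndex is a UCHAR; reading it through GetChar() (as before) made
        // every index above 127 negative and therefore rejected it.
        UCHAR TypeIndex = ObjHeader.Field("TypeIndex").GetUchar();

        // Kernels that export nt!ObHeaderCookie store the index XORed with the
        // cookie and the second byte of the header address; undo that when the
        // symbol resolves. Cached for the session, like ObTypeInit.
        static ULONG64 CookieAddr = 0;
        static BOOLEAN CookieResolved = FALSE;
        if (!CookieResolved) {
            CookieAddr = GetExpression("nt!ObHeaderCookie");
            CookieResolved = TRUE;
        }
        if (CookieAddr && IsValid(CookieAddr)) {
            ExtRemoteTyped Cookie("(unsigned char *)@$extin", CookieAddr);
            UCHAR HeaderCookie = Cookie.Dereference().GetUchar();
            TypeIndex = (UCHAR)(((ObjHeaderAddr >> 8) & 0xff) ^ TypeIndex ^ HeaderCookie);
        }

        HandleObj->ObjectTypeIndex = TypeIndex;

        // Indices 0 and 1 were rejected by the previous bound check and still
        // are. The fixed upper bound (45) is dropped in favour of validating
        // the table entry itself, because the number of object types differs
        // between kernel builds and the old limit rejected real types.
        if (TypeIndex <= 1) return FALSE;

        ExtRemoteTyped TypeEntry = ObjTypeTable.ArrayElement(TypeIndex);
        if (!IsValid(TypeEntry.GetPtr())) return FALSE;

        ExtRemoteTypedEx::GetUnicodeString(TypeEntry.Field("Name"), TypeStr, TypeStrCb);
    } else {
        // Older headers carry a direct _OBJECT_TYPE pointer instead of an index.
        ExtRemoteTyped TypePtr = ObjHeader.Field("Type");
        if (!IsValid(TypePtr.GetPtr())) return FALSE;

        ExtRemoteTypedEx::GetUnicodeString(TypePtr.Field("Name"), TypeStr, TypeStrCb);
    }

    return TRUE;
}

//
// Locate the optional _OBJECT_HEADER_NAME_INFO that precedes the object
// header and return its Name, or NULL when the header carries none or the
// block is not readable. The returned buffer comes from
// ExtRemoteTypedEx::GetUnicodeString2 and must be released with free().
//
static LPWSTR
ObpReadHeaderName(
    _In_ ULONG64 ObjHeaderAddr,
    _In_ ExtRemoteTyped &ObjHeader
)
{
    ULONG Offset = 0;

    if (ObjHeader.HasField("InfoMask")) {
        UCHAR InfoMask = ObjHeader.Field("InfoMask").GetUchar();
        if (InfoMask & OBP_NAME_INFO_BIT) {
            // When a creator-info block is present it sits in front of the
            // name info, so both sizes are needed to reach the name block.
            if (InfoMask & OBP_CREATOR_INFO_BIT) {
                Offset += GetTypeSize("nt!_OBJECT_HEADER_CREATOR_INFO");
            }
            Offset += GetTypeSize("nt!_OBJECT_HEADER_NAME_INFO");
        }
    } else {
        Offset = ObjHeader.Field("NameInfoOffset").GetUchar();
    }

    if (!Offset) return NULL;

    // The caller validated the header start; the name-info block lies in
    // front of it and needs its own readability check before it is parsed.
    ULONG64 NameInfoAddr = ObjHeaderAddr - Offset;
    if (!IsValid(NameInfoAddr)) return NULL;

    ExtRemoteTyped ObjNameInfo("(nt!_OBJECT_HEADER_NAME_INFO *)@$extin", NameInfoAddr);
    return ExtRemoteTypedEx::GetUnicodeString2(ObjNameInfo.Field("Name"));
}

BOOLEAN
ObReadObject(
    _In_ ULONG64 Object,
    _Out_ PHANDLE_OBJECT HandleObj
)
/*++

Routine Description:

    Decode the _OBJECT_HEADER that precedes a kernel object body and fill
    HandleObj with the object address, its type index and type name, and -
    for the object types handled below - the object name.

    Everything read here comes from the target (a live kernel or a dump), so
    every pointer is checked with IsValid() before it is dereferenced and
    target-supplied strings are copied with truncation rather than trusted to
    fit the fixed-size fields of HANDLE_OBJECT.

Arguments:

    Object - Target address of the object body (what handle-table entries and
             _OBJECT_HEADER.Body point at).

    HandleObj - Receives the decoded object. It is zeroed first, so a FALSE
                return leaves no stale data from a previous call behind.

Return Value:

    TRUE if the header and type were read; FALSE if Object is NULL, HandleObj
    is NULL, the required symbols do not resolve, or any target pointer on the
    way is not readable.

--*/
{
    BOOLEAN Result = FALSE;
    LPWSTR ObjName = NULL;
    WCHAR TypeStr[64] = { 0 };
    ULONG BodyOffset = 0;

    if (!HandleObj) return FALSE;
    memset(HandleObj, 0, sizeof(*HandleObj));

    if ((!Object) || (!IsValid(Object))) return FALSE;

    // GetFieldOffset returns 0 on success. Without this check an unresolved
    // nt!_OBJECT_HEADER left BodyOffset at 0 and the body was silently parsed
    // as if it were its own header.
    if (GetFieldOffset("nt!_OBJECT_HEADER", "Body", &BodyOffset) != 0) return FALSE;

    // engextcpp reports a failed target read by throwing; a single unreadable
    // object should fail this call, not abort the command that enumerates
    // objects through it.
    try {
        if (!ObTypeInit) {
            ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", GetExpression("nt!ObTypeIndexTable"));
            ObTypeInit = TRUE;
        }

        ULONG64 ObjHeaderAddr = Object - BodyOffset;
        if (!IsValid(ObjHeaderAddr)) return FALSE;

        ExtRemoteTyped ObjHeader("(nt!_OBJECT_HEADER *)@$extin", ObjHeaderAddr);

        HandleObj->ObjectPtr = Object;

        if (!ObpReadTypeName(ObjHeaderAddr, ObjHeader, HandleObj, TypeStr, sizeof(TypeStr))) return FALSE;

        // Truncating copy: HandleObj->Type is a fixed array and the name came
        // from the target. An over-long string would otherwise trip the CRT
        // invalid-parameter handler in wcscpy_s.
        wcsncpy_s(HandleObj->Type, _countof(HandleObj->Type), TypeStr, _TRUNCATE);

        if (_wcsicmp(TypeStr, L"File") == 0) {
            ExtRemoteTyped FileObject("(nt!_FILE_OBJECT *)@$extin", HandleObj->ObjectPtr);
            ObjName = ExtRemoteTypedEx::GetUnicodeString2(FileObject.Field("FileName"));
        } else if (_wcsicmp(TypeStr, L"Driver") == 0) {
            ExtRemoteTyped DrvObject("(nt!_DRIVER_OBJECT *)@$extin", HandleObj->ObjectPtr);
            ObjName = ExtRemoteTypedEx::GetUnicodeString2(DrvObject.Field("DriverName"));
        } else if (_wcsicmp(TypeStr, L"Process") == 0) {
            ExtRemoteTyped ProcessObj("(nt!_EPROCESS *)@$extin", HandleObj->ObjectPtr);
            ObjName = ExtRemoteTypedEx::GetUnicodeString2(ProcessObj.Field("ImageFileName"));
        } else if ((_wcsicmp(TypeStr, L"ALPC Port") == 0) ||
                   (_wcsicmp(TypeStr, L"EtwRegistration") == 0) ||
                   (_wcsicmp(TypeStr, L"Thread") == 0) ||
                   (_wcsicmp(TypeStr, L"Event") == 0)) {
            // TODO: no name decoding for these types yet; Name stays empty.
            // They intentionally do not fall through to the generic
            // header-name lookup below, as in the original.
        } else if (_wcsicmp(TypeStr, L"Key") == 0) {
            // nt!_CM_KEY_BODY -> nt!_CM_KEY_CONTROL_BLOCK
            ExtRemoteTyped KeyObject("(nt!_CM_KEY_BODY *)@$extin", HandleObj->ObjectPtr);
            HandleObj->ObjectKcb = KeyObject.Field("KeyControlBlock").GetPtr();
            // Only walk the KCB when it is readable; the pointer is kept either way.
            if (IsValid(HandleObj->ObjectKcb)) {
                ObjName = RegGetKeyName(KeyObject.Field("KeyControlBlock"));
            }
        } else {
            ObjName = ObpReadHeaderName(ObjHeaderAddr, ObjHeader);
        }

        if (ObjName) {
            wcsncpy_s(HandleObj->Name, _countof(HandleObj->Name), ObjName, _TRUNCATE);
        }

        Result = TRUE;
    } catch (...) {
        Result = FALSE;
    }

    if (ObjName) {
        free(ObjName);
        ObjName = NULL;
    }

    return Result;
}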
BOOLEAN ObReadObject( _In_ ULONG64 Object, _Out_ PHANDLE_OBJECT HandleObj ) /*++ Routine Description: Description. Arguments: Object - HandleObj - Return Value: BOOLEAN. --*/ { BOOLEAN Result = FALSE; PWSTR ObjectName = NULL; WCHAR TypeStr[64] = {0}; ULONG BodyOffset = 0; GetFieldOffset("nt!_OBJECT_HEADER", "Body", &BodyOffset); try { ZeroMemory(HandleObj, sizeof(HANDLE_OBJECT)); if ((!Object) || (!IsValid(Object))) return FALSE; if (!ObTypeInit) { ObjTypeTable = ExtRemoteTyped("(nt!_OBJECT_TYPE **)@$extin", ObTypeIndexTableAddress); ObTypeInit = TRUE; } ULONG64 ObjHeaderAddr = Object - BodyOffset; if (!IsValid(ObjHeaderAddr)) return FALSE; ExtRemoteTyped ObjHeader("(nt!_OBJECT_HEADER *)@$extin", ObjHeaderAddr); HandleObj->ObjectPtr = Object; // ObjHeader.Field("Body").GetPointerTo().GetPtr(); if (ObjHeader.HasField("TypeIndex")) { BYTE HeaderCookie; HandleObj->ObjectTypeIndex = ObjHeader.Field("TypeIndex").GetUchar(); if (g_Ext->m_Data->ReadVirtual(ObHeaderCookieAddress, &HeaderCookie, sizeof(HeaderCookie), NULL) == S_OK) { HandleObj->ObjectTypeIndex = (((ObjHeaderAddr >> 8) & 0xff) ^ HandleObj->ObjectTypeIndex) ^ HeaderCookie; } ExtRemoteTypedEx::GetUnicodeString(ObjTypeTable.ArrayElement(HandleObj->ObjectTypeIndex).Field("Name"), TypeStr, sizeof(TypeStr)); StringCchCopyW(HandleObj->Type, _countof(HandleObj->Type), TypeStr); }