Added Pnp manager callbacks, implemented #35
hfiref0x 2024-03-25 19:53:05 +07:00
parent 2b5bfeb596
commit 33e35dcb4f
No known key found for this signature in database
GPG Key ID: 5A20EE3C6F09AF95
12 changed files with 497 additions and 143 deletions

Binary file not shown.


@ -1,3 +1,6 @@
v2.0.5
added Pnp manager callbacks
v2.0.4
win11 23h2 compatibility
win11+ 24h2 compatibility improvements


@ -5,9 +5,9 @@
*
* TITLE: NTOS.H
*
* VERSION: 1.221
* VERSION: 1.223
*
* DATE: 11 Jan 2024
* DATE: 12 Mar 2024
*
* Common header file for the ntos API functions and definitions.
*
@ -101,6 +101,7 @@ typedef ULONGLONG REGHANDLE, *PREGHANDLE;
typedef PVOID *PDEVICE_MAP;
typedef PVOID PHEAD;
typedef PVOID PEJOB;
typedef PVOID PKTHREAD;
typedef struct _IO_TIMER* PIO_TIMER;
typedef LARGE_INTEGER PHYSICAL_ADDRESS;
typedef struct _EJOB* PESILO;
@ -5516,6 +5517,61 @@ typedef struct _EMP_CALLBACK_LIST_ENTRY {
SINGLE_LIST_ENTRY CallbackListEntry;
} EMP_CALLBACK_LIST_ENTRY, * PEMP_CALLBACK_LIST_ENTRY;
typedef enum _IO_NOTIFICATION_EVENT_CATEGORY {
EventCategoryReserved,
EventCategoryHardwareProfileChange,
EventCategoryDeviceInterfaceChange,
EventCategoryTargetDeviceChange
} IO_NOTIFICATION_EVENT_CATEGORY;
typedef
NTSTATUS
(*PDRIVER_NOTIFICATION_CALLBACK_ROUTINE) (
IN PVOID NotificationStructure,
IN PVOID Context
);
typedef struct _KGUARDED_MUTEX {
LONG Count;
PKTHREAD Owner;
ULONG Contention;
KEVENT Event;
union {
struct {
SHORT KernelApcDisable;
SHORT SpecialApcDisable;
};
ULONG CombinedApcDisable;
};
} KGUARDED_MUTEX, * PKGUARDED_MUTEX;
typedef struct _DEVICE_CLASS_NOTIFY_ENTRY {
//
// Header entries
//
LIST_ENTRY ListEntry;
IO_NOTIFICATION_EVENT_CATEGORY EventCategory;
ULONG SessionId;
HANDLE SessionHandle;
PDRIVER_NOTIFICATION_CALLBACK_ROUTINE CallbackRoutine;
PVOID Context;
PDRIVER_OBJECT DriverObject;
USHORT RefCount;
BOOLEAN Unregistered;
PKGUARDED_MUTEX Lock;
PERESOURCE EntryLock;
//
// ClassGuid - the guid of the device class we are interested in
//
GUID ClassGuid;
} DEVICE_CLASS_NOTIFY_ENTRY, * PDEVICE_CLASS_NOTIFY_ENTRY;
/*
** Callbacks END
*/
@ -6920,10 +6976,15 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
/*
** KUSER_SHARED_DATA START
*/
#define NX_SUPPORT_POLICY_ALWAYSOFF 0
#define NX_SUPPORT_POLICY_ALWAYSON 1
#define NX_SUPPORT_POLICY_OPTIN 2
#define NX_SUPPORT_POLICY_OPTOUT 3
#define NX_SUPPORT_POLICY_ALWAYSOFF 0
#define NX_SUPPORT_POLICY_ALWAYSON 1
#define NX_SUPPORT_POLICY_OPTIN 2
#define NX_SUPPORT_POLICY_OPTOUT 3
#define SEH_VALIDATION_POLICY_ON 0
#define SEH_VALIDATION_POLICY_OFF 1
#define SEH_VALIDATION_POLICY_TELEMETRY 2
#define SEH_VALIDATION_POLICY_DEFER 3
#include <pshpack4.h>
typedef struct _KSYSTEM_TIME {
@ -7004,7 +7065,7 @@ typedef struct _KUSER_SHARED_DATA {
ULONG Reserved3;
volatile ULONG TimeSlip;
ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
ULONG AltArchitecturePad;
ULONG BootId; //previously AltArchitecturePad
LARGE_INTEGER SystemExpirationDate;
ULONG SuiteMask;
BOOLEAN KdDebuggerEnabled;
@ -7114,6 +7175,8 @@ typedef struct _KUSER_SHARED_DATA {
KSYSTEM_TIME FeatureConfigurationChangeStamp;
ULONG Spare;
ULONG64 UserPointerAuthMask;
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
#include <poppack.h>
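Review bot: `DEVICE_CLASS_NOTIFY_ENTRY` is added without a comment saying which Windows builds its layout was taken from, yet `DumpPnpDeviceClassNotifyList` in this commit reads `sizeof(DEVICE_CLASS_NOTIFY_ENTRY)` bytes from kernel memory and trusts the `CallbackRoutine` and `ClassGuid` offsets on every build the tool runs on. If the private layout differs on some build, the dialog would list wrong callback addresses or GUIDs without any error, which matters for a tool used to audit registered kernel callbacks. I would add a header comment above the typedef such as `// Private ntoskrnl structure; layout checked on builds <first>..<last>, re-verify on new releases.` with the build range filled in by the author.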

Binary file not shown.


@ -4,9 +4,9 @@
*
* TITLE: EXTRASCALLBACKS.C
*
* VERSION: 2.04
* VERSION: 2.05
*
* DATE: 11 Jan 2024
* DATE: 12 Mar 2024
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -149,6 +149,7 @@ OBEX_DISPLAYCALLBACK_ROUTINE(DumpPspPicoProviderRoutines);
OBEX_DISPLAYCALLBACK_ROUTINE(DumpKiNmiCallbackListHead);
OBEX_DISPLAYCALLBACK_ROUTINE(DumpPspSiloMonitorList);
OBEX_DISPLAYCALLBACK_ROUTINE(DumpEmpCallbackListHead);
OBEX_DISPLAYCALLBACK_ROUTINE(DumpPnpDeviceClassNotifyList);
OBEX_FINDCALLBACK_ROUTINE(FindPspCreateProcessNotifyRoutine);
OBEX_FINDCALLBACK_ROUTINE(FindPspCreateThreadNotifyRoutine);
@ -173,6 +174,7 @@ OBEX_FINDCALLBACK_ROUTINE(FindPspPicoProviderRoutines);
OBEX_FINDCALLBACK_ROUTINE(FindKiNmiCallbackListHead);
OBEX_FINDCALLBACK_ROUTINE(FindPspSiloMonitorList);
OBEX_FINDCALLBACK_ROUTINE(FindEmpCallbackListHead);
OBEX_FINDCALLBACK_ROUTINE(FindPnpDeviceClassNotifyList);
OBEX_CALLBACK_DISPATCH_ENTRY g_CallbacksDispatchTable[] = {
{
@ -308,6 +310,11 @@ OBEX_CALLBACK_DISPATCH_ENTRY g_CallbacksDispatchTable[] = {
0, L"EmpCallbacks",
QueryCallbackGeneric, DumpEmpCallbackListHead, FindEmpCallbackListHead,
&g_SystemCallbacks.EmpCallbackListHead
},
{
0, L"PnpCallbacks",
QueryCallbackGeneric, DumpPnpDeviceClassNotifyList, FindPnpDeviceClassNotifyList,
&g_SystemCallbacks.PnpDeviceClassNotifyList
}
};
@ -3182,6 +3189,111 @@ OBEX_FINDCALLBACK_ROUTINE(FindEmpCallbackListHead)
return kvarAddress;
}
/*
* FindPnpDeviceClassNotifyList
*
* Purpose:
*
* Returns the address of PnpDeviceClassNotifyList for callbacks registered with:
*
* IoRegisterPlugPlayNotification
*
*/
OBEX_FINDCALLBACK_ROUTINE(FindPnpDeviceClassNotifyList)
{
ULONG Index;
LONG Rel;
PBYTE ptrCode;
hde64s hs;
ULONG_PTR kvarAddress = 0;
ULONG SignatureSize = 0;
PBYTE Signature = NULL;
UNREFERENCED_PARAMETER(QueryFlags);
if (kdIsSymAvailable((PSYMCONTEXT)g_kdctx.NtOsSymContext)) {
kdGetAddressFromSymbol(&g_kdctx,
KVAR_PnpDeviceClassNotifyList,
&kvarAddress);
}
if (kvarAddress == 0) {
ptrCode = (PBYTE)GetProcAddress((HMODULE)g_kdctx.NtOsImageMap,
"IoRegisterPlugPlayNotification");
if (ptrCode == NULL)
return 0;
//
// Find subpattern first.
//
switch (g_NtBuildNumber) {
case NT_WIN7_RTM:
case NT_WIN7_SP1:
Signature = PnpDeviceClassNotifyList_SubPattern_7601;
SignatureSize = sizeof(PnpDeviceClassNotifyList_SubPattern_7601);
break;
case NT_WIN8_RTM:
Signature = PnpDeviceClassNotifyList_SubPattern_9200;
SignatureSize = sizeof(PnpDeviceClassNotifyList_SubPattern_9200);
break;
default:
Signature = PnpDeviceClassNofityList_SubPattern_9600_26080;
SignatureSize = sizeof(PnpDeviceClassNofityList_SubPattern_9600_26080);
break;
}
ptrCode = (PBYTE)supFindPattern(
ptrCode,
1024,
Signature,
SignatureSize);
if (ptrCode == NULL)
return 0;
Index = SignatureSize;
Rel = 0;
//
// Find lea rcx, PnpDeviceClassNotifyList
//
do {
hde64_disasm(ptrCode + Index, &hs);
if (hs.flags & F_ERROR)
break;
if ((hs.len == 7) &&
(hs.flags & F_PREFIX_REX) &&
(hs.flags & F_DISP32) &&
(hs.flags & F_MODRM) &&
(hs.opcode == 0x8D))
{
Rel = *(PLONG)(ptrCode + Index + 3);
break;
}
Index += hs.len;
} while (Index < 64);
kvarAddress = ComputeAddressInsideNtOs((ULONG_PTR)ptrCode, Index, hs.len, Rel);
}
return kvarAddress;
}
/*
* AddRootEntryToList
*
@ -5226,6 +5338,85 @@ OBEX_DISPLAYCALLBACK_ROUTINE(DumpEmpCallbackListHead)
}
}
/*
* DumpPnpDeviceClassNotifyList
*
* Purpose:
*
* Dump Pnp manager notify list from kernel and send them to output window.
*
*/
OBEX_DISPLAYCALLBACK_ROUTINE(DumpPnpDeviceClassNotifyList)
{
LIST_ENTRY ListEntry;
ULONG_PTR ListHead = KernelVariableAddress;
HTREEITEM RootItem;
LPWSTR GuidString;
DEVICE_CLASS_NOTIFY_ENTRY NotifyEntry;
UNICODE_STRING ConvertedGuid;
//
// Add callback root entry to the treelist.
//
RootItem = AddRootEntryToList(TreeList, CallbackType);
if (RootItem == 0)
return;
ListEntry.Flink = ListEntry.Blink = NULL;
//
// Read head.
//
if (!kdReadSystemMemory(
ListHead,
&ListEntry,
sizeof(LIST_ENTRY)))
{
return;
}
//
// Walk list entries.
//
while ((ULONG_PTR)ListEntry.Flink != ListHead) {
RtlSecureZeroMemory(&NotifyEntry, sizeof(NotifyEntry));
if (!kdReadSystemMemory(
(ULONG_PTR)ListEntry.Flink,
&NotifyEntry,
sizeof(NotifyEntry)))
{
break;
}
if (NotifyEntry.CallbackRoutine != NULL) {
if (NT_SUCCESS(RtlStringFromGUID(&NotifyEntry.ClassGuid, &ConvertedGuid)))
GuidString = ConvertedGuid.Buffer;
else
GuidString = NULL;
AddEntryToList(TreeList,
RootItem,
(ULONG_PTR)NotifyEntry.CallbackRoutine,
GuidString,
Modules);
if (GuidString)
RtlFreeUnicodeString(&ConvertedGuid);
}
if (NotifyEntry.ListEntry.Flink == NULL)
break;
ListEntry.Flink = NotifyEntry.ListEntry.Flink;
}
}
/*
* QueryIopFsListsCallbacks
*
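Review bot: In FindPnpDeviceClassNotifyList the disassembly loop can finish without finding the `lea` (a decode error, or `Index` reaching 64), and the code then still calls `ComputeAddressInsideNtOs` with `Rel == 0` and whatever `hs.len` was decoded last. Whether that helper rejects such input is not visible on this page, so I would add `if (Rel == 0) return 0;` right after the loop so a failed match is reported as "not found" rather than as a derived address that the dump routine then reads. DumpPnpDeviceClassNotifyList has a related gap: the `while ((ULONG_PTR)ListEntry.Flink != ListHead)` walk over live kernel memory has no iteration cap, so a wrong head address or a list that changes during the walk can keep the routine looping; a bounded counter with a `break` would close that.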


@ -4,9 +4,9 @@
*
* TITLE: EXTRASCALLBACKSPATTERNS.H
*
* VERSION: 2.04
* VERSION: 2.05
*
* DATE: 11 Jan 2024
* DATE: 11 Mar 2024
*
* Header with search patterns used by Callbacks dialog routines.
*
@ -85,3 +85,21 @@ BYTE g_CiCallbacksMatchingPattern[] = {
BYTE g_EmpSearchCallbackDatabase[] = { 0x48, 0x8B, 0x4E, 0xF8, 0x48, 0x85, 0xC9 };
BYTE g_EmpSearchCallbackDatabase2[] = { 0x49, 0x8B, 0x4A, 0xF8, 0x48, 0x85, 0xC9 };
BYTE g_EmpSearchCallbackDatabase3[] = { 0x4B, 0x8B, 0x0C, 0xF7, 0x48, 0x85, 0xC9 };
/*
* PnpDeviceClassNotifyList search pattern
*/
//
// mul ecx
//
BYTE PnpDeviceClassNotifyList_SubPattern_7601[] = { 0xF7, 0xE1 };
BYTE PnpDeviceClassNotifyList_SubPattern_9200[] = { 0xC1, 0xEA, 0x02, 0x6B, 0xD2, 0x0D };
//
// shr edx, 2
// imul eax, edx, 0Dh
//
BYTE PnpDeviceClassNofityList_SubPattern_9600_26080[] = { 0xC1, 0xEA, 0x02, 0x6B, 0xC2, 0x0D };
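Review bot: `PnpDeviceClassNotifyList_SubPattern_7601` is only two bytes (`F7 E1`, `mul ecx`), and FindPnpDeviceClassNotifyList searches for it across 1024 bytes starting at `IoRegisterPlugPlayNotification`, so the first hit may not be the intended site, since the same two bytes can also occur inside another instruction's operand bytes. Extending the Windows 7 pattern with the neighbouring instruction bytes, as the two six-byte patterns do, would make the anchor far less ambiguous. Two smaller points on the same lines: the third array is spelled `PnpDeviceClassNofityList_...` while the others use `Notify`, and the `_9200` pattern has no disassembly comment; `// shr edx, 2` and `// imul edx, edx, 0Dh` would match its bytes.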


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2023
* (C) COPYRIGHT AUTHORS, 2015 - 2024
*
* TITLE: EXTRASUSD.C
*
* VERSION: 2.02
* VERSION: 2.05
*
* DATE: 15 May 2023
* DATE: 11 Mar 2024
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -68,7 +68,8 @@ LPWSTR T_PROCESSOR_FEATURES[] = {
L"PF_AVX512F_INSTRUCTIONS_AVAILABLE",
L"PF_ERMS_AVAILABLE",
L"PF_ARM_V82_DP_INSTRUCTIONS_AVAILABLE",
L"PF_ARM_V83_JSCVT_INSTRUCTIONS_AVAILABLE"
L"PF_ARM_V83_JSCVT_INSTRUCTIONS_AVAILABLE",
L"PF_ARM_V83_LRCPC_INSTRUCTIONS_AVAILABLE"
};
LPCWSTR T_SharedDataFlagsW7[] = {
@ -95,7 +96,7 @@ LPCWSTR T_SharedDataFlags[] = {
L"DbgStateSeparationEnabled"
};
VALUE_DESC SuiteMasks[] = {
VALUE_DESC USD_SuiteMasks[] = {
{ L"ServerNT", VER_SERVER_NT },
{ L"WorkstationNT", VER_WORKSTATION_NT },
{ L"SmallBusiness", VER_SUITE_SMALLBUSINESS },
@ -117,6 +118,92 @@ VALUE_DESC SuiteMasks[] = {
{ L"MultiUserTS", VER_SUITE_MULTIUSERTS }
};
VALUE_DESC USD_NXSupportPolicyFlags[] = {
{ L"AlwaysOff", NX_SUPPORT_POLICY_ALWAYSOFF },
{ L"AlwaysOn", NX_SUPPORT_POLICY_ALWAYSON },
{ L"OptIn", NX_SUPPORT_POLICY_OPTIN },
{ L"OptOut", NX_SUPPORT_POLICY_OPTOUT }
};
VALUE_DESC USD_SEHValidationPolicyFlags[] = {
{ L"AlwaysOff", SEH_VALIDATION_POLICY_ON },
{ L"AlwaysOn", SEH_VALIDATION_POLICY_OFF },
{ L"Telemetry", SEH_VALIDATION_POLICY_TELEMETRY },
{ L"Defer", SEH_VALIDATION_POLICY_DEFER }
};
/*
* UsdDumpMitigationPolicies
*
* Purpose:
*
* Display dump of SEH and NX policies.
*
*/
VOID UsdDumpMitigationPolicies(
_In_ HTREEITEM tviRoot,
_In_ PKUSER_SHARED_DATA pUserSharedData
)
{
HTREEITEM h_tviSubItem;
TL_SUBITEMS_FIXED subitems;
WCHAR szValue[MAX_PATH + 1];
RtlSecureZeroMemory(&subitems, sizeof(subitems));
//
// Expanded to more values starting from Windows 8+
//
RtlSecureZeroMemory(szValue, sizeof(szValue));
RtlStringCchPrintfSecure(szValue,
MAX_PATH,
TEXT("0x%02X"),
pUserSharedData->MitigationPolicies);
subitems.Text[0] = szValue;
subitems.Count = 1;
h_tviSubItem = supTreeListAddItem(
g_UsdDlgContext.TreeList,
tviRoot,
TVIF_TEXT | TVIF_STATE,
(UINT)0,
(UINT)0,
TEXT("MitigationPolicies"),
&subitems);
if (h_tviSubItem) {
propDumpEnumWithNames(
g_UsdDlgContext.TreeList,
h_tviSubItem,
TEXT("NXSupportPolicy"),
pUserSharedData->NXSupportPolicy,
USD_NXSupportPolicyFlags,
RTL_NUMBER_OF(USD_NXSupportPolicyFlags));
propDumpEnumWithNames(
g_UsdDlgContext.TreeList,
h_tviSubItem,
TEXT("SEHValidationPolicy"),
pUserSharedData->SEHValidationPolicy,
USD_SEHValidationPolicyFlags,
RTL_NUMBER_OF(USD_SEHValidationPolicyFlags));
propObDumpByte(
g_UsdDlgContext.TreeList,
h_tviSubItem,
TEXT("CurDirDevicesSkippedForDlls"),
(LPWSTR)NULL,
pUserSharedData->CurDirDevicesSkippedForDlls,
(COLORREF)0,
(COLORREF)0,
FALSE);
}
}
/*
* UsdDumpSharedRegion
@ -132,7 +219,7 @@ VOID UsdDumpSharedRegion(
{
BOOL bAny = FALSE;
UINT i;
DWORD mask, cFlags;
DWORD cFlags;
LPCWSTR* pvSharedFlagsDesc;
@ -370,66 +457,13 @@ VOID UsdDumpSharedRegion(
//
// SuiteMask
//
RtlSecureZeroMemory(&subitems, sizeof(subitems));
RtlSecureZeroMemory(&szValue, sizeof(szValue));
szValue[0] = TEXT('0');
szValue[1] = TEXT('x');
ultohex(pUserSharedData->SuiteMask, &szValue[2]);
subitems.Text[0] = szValue;
subitems.Count = 1;
h_tviSubItem = supTreeListAddItem(
g_UsdDlgContext.TreeList,
propDumpEnumWithNames(g_UsdDlgContext.TreeList,
h_tviRootItem,
TVIF_TEXT | TVIF_STATE,
(UINT)0,
(UINT)0,
TEXT("SuiteMask"),
&subitems);
pUserSharedData->SuiteMask,
USD_SuiteMasks,
RTL_NUMBER_OF(USD_SuiteMasks));
if (h_tviSubItem) {
h_tviLast = NULL;
mask = pUserSharedData->SuiteMask;
for (i = 0; i < RTL_NUMBER_OF(SuiteMasks); i++) {
if (mask & SuiteMasks[i].dwValue) {
RtlSecureZeroMemory(&subitems, sizeof(subitems));
RtlSecureZeroMemory(&szValue, sizeof(szValue));
szValue[0] = TEXT('0');
szValue[1] = TEXT('x');
ultohex(SuiteMasks[i].dwValue, &szValue[2]);
subitems.Text[0] = szValue;
subitems.Text[1] = SuiteMasks[i].lpDescription;
subitems.Count = 2;
h_tviLast = supTreeListAddItem(
g_UsdDlgContext.TreeList,
h_tviSubItem,
TVIF_TEXT | TVIF_STATE,
(UINT)0,
(UINT)0,
(LPWSTR)T_EmptyString,
&subitems);
mask &= ~SuiteMasks[i].dwValue;
}
}
//
// Output dotted corner for suite mask.
//
if (h_tviLast) {
RtlSecureZeroMemory(&itemex, sizeof(itemex));
itemex.hItem = h_tviLast;
itemex.mask = TVIF_TEXT | TVIF_HANDLE;
itemex.pszText = T_EMPTY;
TreeList_SetTreeItem(g_UsdDlgContext.TreeList, &itemex, NULL);
}
}
//
// KdDebuggerEnabled
//
propObDumpByte(
@ -464,60 +498,8 @@ VOID UsdDumpSharedRegion(
//
// Expanded to more values starting from Windows 8+
//
UsdDumpMitigationPolicies(h_tviRootItem, pUserSharedData);
RtlSecureZeroMemory(&subitems, sizeof(subitems));
RtlSecureZeroMemory(szValue, sizeof(szValue));
RtlStringCchPrintfSecure(szValue,
MAX_PATH,
TEXT("0x%02X"),
pUserSharedData->MitigationPolicies);
subitems.Text[0] = szValue;
subitems.Count = 1;
h_tviSubItem = supTreeListAddItem(
g_UsdDlgContext.TreeList,
h_tviRootItem,
TVIF_TEXT | TVIF_STATE,
(UINT)0,
(UINT)0,
TEXT("MitigationPolicies"),
&subitems);
if (h_tviSubItem) {
propObDumpByte(
g_UsdDlgContext.TreeList,
h_tviSubItem,
TEXT("NXSupportPolicy"),
(LPWSTR)NULL,
pUserSharedData->NXSupportPolicy,
(COLORREF)0,
(COLORREF)0,
FALSE);
propObDumpByte(
g_UsdDlgContext.TreeList,
h_tviSubItem,
TEXT("SEHValidationPolicy"),
(LPWSTR)NULL,
pUserSharedData->SEHValidationPolicy,
(COLORREF)0,
(COLORREF)0,
FALSE);
propObDumpByte(
g_UsdDlgContext.TreeList,
h_tviSubItem,
TEXT("CurDirDevicesSkippedForDlls"),
(LPWSTR)NULL,
pUserSharedData->CurDirDevicesSkippedForDlls,
(COLORREF)0,
(COLORREF)0,
FALSE);
}
}
//
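Review bot: The labels in `USD_SEHValidationPolicyFlags` look copied from the NX table: `L"AlwaysOff"` is paired with `SEH_VALIDATION_POLICY_ON` and `L"AlwaysOn"` with `SEH_VALIDATION_POLICY_OFF`, so the dialog would print the opposite of what the constant names say; `{ L"On", SEH_VALIDATION_POLICY_ON },` and `{ L"Off", SEH_VALIDATION_POLICY_OFF },` would agree with the definitions added to NTOS.H. Both policy tables also hold enumeration values 0..3, but `propDumpEnumWithNames` (added in PROPOBJECTDUMP.C in this commit) tests `mask & EnumNames->dwValue`: the entry with value 0 can never match, and a field value of 3 is shown as the entries for 1 and 2 instead of `OptOut` or `Defer`. For these two fields an equality comparison is needed; the bit test is only right for `USD_SuiteMasks`.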


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2023
* (C) COPYRIGHT AUTHORS, 2015 - 2024
*
* TITLE: KLDBG.H
*
* VERSION: 2.03
* VERSION: 2.05
*
* DATE: 21 Jul 2023
* DATE: 12 Mar 2024
*
* Common header file for the Kernel Debugger Driver support.
*
@ -361,6 +361,7 @@ typedef struct _NOTIFICATION_CALLBACKS {
ULONG_PTR KiNmiCallbackListHead;
ULONG_PTR PspSiloMonitorList;
ULONG_PTR EmpCallbackListHead;
ULONG_PTR PnpDeviceClassNotifyList;
} NOTIFICATION_CALLBACKS, *PNOTIFICATION_CALLBACKS;
//


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2020 - 2023
* (C) COPYRIGHT AUTHORS, 2020 - 2024
*
* TITLE: KSYMBOLS.H
*
* VERSION: 2.03
* VERSION: 2.05
*
* DATE: 21 Jul 2023
* DATE: 12 Mar 2024
*
* Header file for kernel symbol names.
*
@ -71,6 +71,8 @@
#define KVAR_EmpCallbackListHead L"EmpCallbackListHead"
#define KVAR_PnpDeviceClassNotifyList L"PnpDeviceClassNotifyList"
#define KVAR_Win32kApiSetTable L"Win32kApiSetTable"
#define KFLD_UniqueProcessId L"UniqueProcessId"


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2023
* (C) COPYRIGHT AUTHORS, 2015 - 2024
*
* TITLE: PROPOBJECTDUMP.C
*
* VERSION: 2.01
* VERSION: 2.05
*
* DATE: 06 Feb 2023
* DATE: 11 Mar 2024
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -34,6 +34,92 @@ typedef VOID(NTAPI* pfnObDumpRoutine)(
_In_ HWND hwndDlg, \
_In_ HWND hwndTreeList)
/*
* propDumpEnumWithNames
*
* Purpose:
*
* Dump given enumeration to the treelist (simple output).
*
*/
VOID propDumpEnumWithNames(
_In_ HWND TreeList,
_In_ HTREEITEM ParentItem,
_In_ LPWSTR EnumName,
_In_ ULONG EnumValue,
_In_ PVALUE_DESC EnumNames,
_In_ ULONG EnumNamesCount
)
{
ULONG i, mask;
HTREEITEM h_tviSubItem, h_tviLast = NULL;
TVITEMEX itemex;
TL_SUBITEMS_FIXED subitems;
WCHAR szValue[MAX_PATH + 1];
RtlSecureZeroMemory(&subitems, sizeof(subitems));
szValue[0] = TEXT('0');
szValue[1] = TEXT('x');
ultohex(EnumValue, &szValue[2]);
subitems.Text[0] = szValue;
subitems.Count = 1;
h_tviSubItem = supTreeListAddItem(
TreeList,
ParentItem,
TVIF_TEXT | TVIF_STATE,
(UINT)0,
(UINT)0,
(LPWSTR)EnumName,
&subitems);
if (h_tviSubItem) {
h_tviLast = NULL;
mask = EnumValue;
for (i = 0; i < EnumNamesCount; i++) {
if (mask & EnumNames->dwValue) {
RtlSecureZeroMemory(&subitems, sizeof(subitems));
RtlSecureZeroMemory(&szValue, sizeof(szValue));
szValue[0] = TEXT('0');
szValue[1] = TEXT('x');
ultohex(EnumNames->dwValue, &szValue[2]);
subitems.Text[0] = szValue;
subitems.Text[1] = EnumNames->lpDescription;
subitems.Count = 2;
h_tviLast = supTreeListAddItem(
TreeList,
h_tviSubItem,
TVIF_TEXT | TVIF_STATE,
(UINT)0,
(UINT)0,
(LPWSTR)T_EmptyString,
&subitems);
mask &= ~EnumNames->dwValue;
}
EnumNames++;
}
}
//
// Output dotted corner.
//
if (h_tviLast) {
RtlSecureZeroMemory(&itemex, sizeof(itemex));
itemex.hItem = h_tviLast;
itemex.mask = TVIF_TEXT | TVIF_HANDLE;
itemex.pszText = T_EMPTY;
TreeList_SetTreeItem(TreeList, &itemex, NULL);
}
}
/*
* propObDumpGUID
*
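Review bot: `szValue` is not cleared before the first `ultohex(EnumValue, &szValue[2])` call in propDumpEnumWithNames, although the loop below clears it before each use and the SuiteMask code this helper replaces cleared it as well. If `ultohex` does not write a terminator (its definition is not on this page), the parent item's text would run into uninitialised stack contents; adding `RtlSecureZeroMemory(szValue, sizeof(szValue));` before `szValue[0] = TEXT('0');` restores the earlier behaviour. The header comment could also state that the routine decomposes `EnumValue` as a bit mask and that bits still set in `mask` after the loop are not displayed.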


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2022
* (C) COPYRIGHT AUTHORS, 2015 - 2024
*
* TITLE: PROPS.H
*
* VERSION: 2.00
* VERSION: 2.05
*
* DATE: 19 Jun 2022
* DATE: 11 Mar 2024
*
* Common header file for properties dialog definitions.
*
@ -177,3 +177,11 @@ VOID propObDumpUnicodeString(
_In_ LPWSTR StringName,
_In_ PUNICODE_STRING InputString,
_In_ BOOLEAN IsKernelPointer);
VOID propDumpEnumWithNames(
_In_ HWND TreeList,
_In_ HTREEITEM ParentItem,
_In_ LPWSTR EnumName,
_In_ ULONG EnumValue,
_In_ PVALUE_DESC EnumNames,
_In_ ULONG EnumNamesCount);


@ -4,9 +4,9 @@
*
* TITLE: UI.H
*
* VERSION: 2.04
* VERSION: 2.05
*
* DATE: 31 Jan 2024
* DATE: 12 Mar 2024
*
* Common header file for the user interface.
*
@ -49,8 +49,8 @@ typedef HWND(WINAPI *pfnHtmlHelpW)(
#define PROGRAM_MAJOR_VERSION 2
#define PROGRAM_MINOR_VERSION 0
#define PROGRAM_REVISION_NUMBER 4
#define PROGRAM_BUILD_NUMBER 2402
#define PROGRAM_REVISION_NUMBER 5
#define PROGRAM_BUILD_NUMBER 2403
#ifdef _USE_OWN_DRIVER
#define PROGRAM_NAME L"Windows Object Explorer 64-bit (Non-public version)"