diff --git a/Compiled/WinObjEx64.exe b/Compiled/WinObjEx64.exe index 78ea6a0..5346294 100644 Binary files a/Compiled/WinObjEx64.exe and b/Compiled/WinObjEx64.exe differ diff --git a/Source/CHANGELOG.txt b/Source/CHANGELOG.txt index 48074d3..3458ca1 100644 --- a/Source/CHANGELOG.txt +++ b/Source/CHANGELOG.txt @@ -1,3 +1,6 @@ +v2.0.5 +added Pnp manager callbacks + v2.0.4 win11 23h2 compatibility win11+ 24h2 compatibility improvements diff --git a/Source/Shared/ntos/ntos.h b/Source/Shared/ntos/ntos.h index ddaa8c3..340de02 100644 --- a/Source/Shared/ntos/ntos.h +++ b/Source/Shared/ntos/ntos.h @@ -5,9 +5,9 @@ * * TITLE: NTOS.H * -* VERSION: 1.221 +* VERSION: 1.223 * -* DATE: 11 Jan 2024 +* DATE: 12 Mar 2024 * * Common header file for the ntos API functions and definitions. * @@ -101,6 +101,7 @@ typedef ULONGLONG REGHANDLE, *PREGHANDLE; typedef PVOID *PDEVICE_MAP; typedef PVOID PHEAD; typedef PVOID PEJOB; +typedef PVOID PKTHREAD; typedef struct _IO_TIMER* PIO_TIMER; typedef LARGE_INTEGER PHYSICAL_ADDRESS; typedef struct _EJOB* PESILO; 
@@ -5516,6 +5517,61 @@ typedef struct _EMP_CALLBACK_LIST_ENTRY { SINGLE_LIST_ENTRY CallbackListEntry; } EMP_CALLBACK_LIST_ENTRY, * PEMP_CALLBACK_LIST_ENTRY; +typedef enum _IO_NOTIFICATION_EVENT_CATEGORY { + EventCategoryReserved, + EventCategoryHardwareProfileChange, + EventCategoryDeviceInterfaceChange, + EventCategoryTargetDeviceChange +} IO_NOTIFICATION_EVENT_CATEGORY; + +typedef +NTSTATUS +(*PDRIVER_NOTIFICATION_CALLBACK_ROUTINE) ( + IN PVOID NotificationStructure, + IN PVOID Context + ); + +typedef struct _KGUARDED_MUTEX { + LONG Count; + PKTHREAD Owner; + ULONG Contention; + KEVENT Event; + union { + struct { + SHORT KernelApcDisable; + SHORT SpecialApcDisable; + }; + + ULONG CombinedApcDisable; + }; + +} KGUARDED_MUTEX, * PKGUARDED_MUTEX; + +typedef struct _DEVICE_CLASS_NOTIFY_ENTRY { + + // + // Header entries + // + + LIST_ENTRY ListEntry; + IO_NOTIFICATION_EVENT_CATEGORY EventCategory; + ULONG SessionId; + HANDLE SessionHandle; + PDRIVER_NOTIFICATION_CALLBACK_ROUTINE CallbackRoutine; + PVOID Context; + PDRIVER_OBJECT DriverObject; + USHORT RefCount; + BOOLEAN Unregistered; + PKGUARDED_MUTEX Lock; + PERESOURCE EntryLock; + // + // ClassGuid - the guid of the device class we are interested in + // + + GUID ClassGuid; + +} DEVICE_CLASS_NOTIFY_ENTRY, * PDEVICE_CLASS_NOTIFY_ENTRY; + /* ** Callbacks END */ @@ -6920,10 +6976,15 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { /* ** KUSER_SHARED_DATA START */ -#define NX_SUPPORT_POLICY_ALWAYSOFF 0 -#define NX_SUPPORT_POLICY_ALWAYSON 1 -#define NX_SUPPORT_POLICY_OPTIN 2 -#define NX_SUPPORT_POLICY_OPTOUT 3 +#define NX_SUPPORT_POLICY_ALWAYSOFF 0 +#define NX_SUPPORT_POLICY_ALWAYSON 1 +#define NX_SUPPORT_POLICY_OPTIN 2 +#define NX_SUPPORT_POLICY_OPTOUT 3 + +#define SEH_VALIDATION_POLICY_ON 0 +#define SEH_VALIDATION_POLICY_OFF 1 +#define SEH_VALIDATION_POLICY_TELEMETRY 2 +#define SEH_VALIDATION_POLICY_DEFER 3 #include typedef struct _KSYSTEM_TIME { 
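Review bot: `DEVICE_CLASS_NOTIFY_ENTRY` is declared without any note of which Windows builds its layout was checked against. `DumpPnpDeviceClassNotifyList` in this commit reads `sizeof(DEVICE_CLASS_NOTIFY_ENTRY)` bytes from kernel memory and relies on the `CallbackRoutine` and `ClassGuid` offsets on every build the Find routine handles (Win7, Win8 and the default case). A comment above the struct recording the verified range, for example `// Layout verified on builds <FIRST_BUILD>..<LAST_BUILD>` (placeholders), would tell the next maintainer when to recheck. If the layout differs on some build, the callback address and class GUID shown in the dialog would be wrong for that build.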
@@ -7004,7 +7065,7 @@ typedef struct _KUSER_SHARED_DATA { ULONG Reserved3; volatile ULONG TimeSlip; ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; - ULONG AltArchitecturePad; + ULONG BootId; //previously AltArchitecturePad LARGE_INTEGER SystemExpirationDate; ULONG SuiteMask; BOOLEAN KdDebuggerEnabled; @@ -7114,6 +7175,8 @@ typedef struct _KUSER_SHARED_DATA { KSYSTEM_TIME FeatureConfigurationChangeStamp; ULONG Spare; + ULONG64 UserPointerAuthMask; + } KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; #include diff --git a/Source/WinObjEx64/Resource.rc b/Source/WinObjEx64/Resource.rc index 1dac965..db93773 100644 Binary files a/Source/WinObjEx64/Resource.rc and b/Source/WinObjEx64/Resource.rc differ diff --git a/Source/WinObjEx64/extras/extrasCallbacks.c b/Source/WinObjEx64/extras/extrasCallbacks.c index 65729a8..f554bb5 100644 --- a/Source/WinObjEx64/extras/extrasCallbacks.c +++ b/Source/WinObjEx64/extras/extrasCallbacks.c @@ -4,9 +4,9 @@ * * TITLE: EXTRASCALLBACKS.C * -* VERSION: 2.04 +* VERSION: 2.05 * -* DATE: 11 Jan 2024 +* DATE: 12 Mar 2024 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -149,6 +149,7 @@ OBEX_DISPLAYCALLBACK_ROUTINE(DumpPspPicoProviderRoutines); OBEX_DISPLAYCALLBACK_ROUTINE(DumpKiNmiCallbackListHead); OBEX_DISPLAYCALLBACK_ROUTINE(DumpPspSiloMonitorList); OBEX_DISPLAYCALLBACK_ROUTINE(DumpEmpCallbackListHead); +OBEX_DISPLAYCALLBACK_ROUTINE(DumpPnpDeviceClassNotifyList); OBEX_FINDCALLBACK_ROUTINE(FindPspCreateProcessNotifyRoutine); OBEX_FINDCALLBACK_ROUTINE(FindPspCreateThreadNotifyRoutine); @@ -173,6 +174,7 @@ OBEX_FINDCALLBACK_ROUTINE(FindPspPicoProviderRoutines); OBEX_FINDCALLBACK_ROUTINE(FindKiNmiCallbackListHead); OBEX_FINDCALLBACK_ROUTINE(FindPspSiloMonitorList); OBEX_FINDCALLBACK_ROUTINE(FindEmpCallbackListHead); +OBEX_FINDCALLBACK_ROUTINE(FindPnpDeviceClassNotifyList); OBEX_CALLBACK_DISPATCH_ENTRY g_CallbacksDispatchTable[] = { { 
@@ -308,6 +310,11 @@ OBEX_CALLBACK_DISPATCH_ENTRY g_CallbacksDispatchTable[] = { 0, L"EmpCallbacks", QueryCallbackGeneric, DumpEmpCallbackListHead, FindEmpCallbackListHead, &g_SystemCallbacks.EmpCallbackListHead + }, + { + 0, L"PnpCallbacks", + QueryCallbackGeneric, DumpPnpDeviceClassNotifyList, FindPnpDeviceClassNotifyList, + &g_SystemCallbacks.PnpDeviceClassNotifyList } }; 
@@ -3182,6 +3189,111 @@ OBEX_FINDCALLBACK_ROUTINE(FindEmpCallbackListHead) return kvarAddress; } +/* +* FindPnpDeviceClassNotifyList +* +* Purpose: +* +* Returns the address of PnpDeviceClassNotifyList for callbacks registered with: +* +* IoRegisterPlugPlayNotification +* +*/ +OBEX_FINDCALLBACK_ROUTINE(FindPnpDeviceClassNotifyList) +{ + ULONG Index; + LONG Rel; + PBYTE ptrCode; + hde64s hs; + ULONG_PTR kvarAddress = 0; + + ULONG SignatureSize = 0; + PBYTE Signature = NULL; + + UNREFERENCED_PARAMETER(QueryFlags); + + if (kdIsSymAvailable((PSYMCONTEXT)g_kdctx.NtOsSymContext)) { + + kdGetAddressFromSymbol(&g_kdctx, + KVAR_PnpDeviceClassNotifyList, + &kvarAddress); + + } + + if (kvarAddress == 0) { + + ptrCode = (PBYTE)GetProcAddress((HMODULE)g_kdctx.NtOsImageMap, + "IoRegisterPlugPlayNotification"); + + if (ptrCode == NULL) + return 0; + + // + // Find subpattern first. + // + + switch (g_NtBuildNumber) { + + case NT_WIN7_RTM: + case NT_WIN7_SP1: + + Signature = PnpDeviceClassNotifyList_SubPattern_7601; + SignatureSize = sizeof(PnpDeviceClassNotifyList_SubPattern_7601); + break; + + case NT_WIN8_RTM: + Signature = PnpDeviceClassNotifyList_SubPattern_9200; + SignatureSize = sizeof(PnpDeviceClassNotifyList_SubPattern_9200); + break; + + default: + Signature = PnpDeviceClassNofityList_SubPattern_9600_26080; + SignatureSize = sizeof(PnpDeviceClassNofityList_SubPattern_9600_26080); + break; + } + + ptrCode = (PBYTE)supFindPattern( + ptrCode, + 1024, + Signature, + SignatureSize); + + if (ptrCode == NULL) + return 0; + + Index = SignatureSize; + Rel = 0; + + // + // Find lea rcx, PnpDeviceClassNotifyList + // + + do { + + hde64_disasm(ptrCode + Index, &hs); + if (hs.flags & F_ERROR) + break; + + if ((hs.len == 7) && + (hs.flags & F_PREFIX_REX) && + (hs.flags & F_DISP32) && + (hs.flags & F_MODRM) && + (hs.opcode == 0x8D)) + { + Rel = *(PLONG)(ptrCode + Index + 3); + break; + } + + Index += hs.len; + + } while (Index < 64); + + kvarAddress = 
ComputeAddressInsideNtOs((ULONG_PTR)ptrCode, Index, hs.len, Rel); + } + + return kvarAddress; +} + /* * AddRootEntryToList * @@ -5226,6 +5338,85 @@ OBEX_DISPLAYCALLBACK_ROUTINE(DumpEmpCallbackListHead) } } +/* +* DumpPnpDeviceClassNotifyList +* +* Purpose: +* +* Dump Pnp manager notify list from kernel and send them to output window. +* +*/ +OBEX_DISPLAYCALLBACK_ROUTINE(DumpPnpDeviceClassNotifyList) +{ + LIST_ENTRY ListEntry; + ULONG_PTR ListHead = KernelVariableAddress; + HTREEITEM RootItem; + + LPWSTR GuidString; + + DEVICE_CLASS_NOTIFY_ENTRY NotifyEntry; + UNICODE_STRING ConvertedGuid; + + // + // Add callback root entry to the treelist. + // + RootItem = AddRootEntryToList(TreeList, CallbackType); + if (RootItem == 0) + return; + + ListEntry.Flink = ListEntry.Blink = NULL; + + // + // Read head. + // + if (!kdReadSystemMemory( + ListHead, + &ListEntry, + sizeof(LIST_ENTRY))) + { + return; + } + + // + // Walk list entries. + // + while ((ULONG_PTR)ListEntry.Flink != ListHead) { + + RtlSecureZeroMemory(&NotifyEntry, sizeof(NotifyEntry)); + + if (!kdReadSystemMemory( + (ULONG_PTR)ListEntry.Flink, + &NotifyEntry, + sizeof(NotifyEntry))) + { + break; + } + + if (NotifyEntry.CallbackRoutine != NULL) { + + if (NT_SUCCESS(RtlStringFromGUID(&NotifyEntry.ClassGuid, &ConvertedGuid))) + GuidString = ConvertedGuid.Buffer; + else + GuidString = NULL; + + AddEntryToList(TreeList, + RootItem, + (ULONG_PTR)NotifyEntry.CallbackRoutine, + GuidString, + Modules); + + if (GuidString) + RtlFreeUnicodeString(&ConvertedGuid); + } + + if (NotifyEntry.ListEntry.Flink == NULL) + break; + + ListEntry.Flink = NotifyEntry.ListEntry.Flink; + } + +} + /* * QueryIopFsListsCallbacks * diff --git a/Source/WinObjEx64/extras/extrasCallbacksPatterns.h b/Source/WinObjEx64/extras/extrasCallbacksPatterns.h index d94391f..77c7f4e 100644 --- a/Source/WinObjEx64/extras/extrasCallbacksPatterns.h +++ b/Source/WinObjEx64/extras/extrasCallbacksPatterns.h 
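Review bot: When the disassembly loop in `FindPnpDeviceClassNotifyList` ends without matching a `lea` (an `F_ERROR` break, or `Index` reaching 64), `Rel` is still 0 and `hs` describes whatever was decoded last, yet `ComputeAddressInsideNtOs` is called unconditionally. Unless that helper rejects a zero displacement (its body is not part of this diff), the result is an address derived from unrelated bytes, which the dump routine then treats as a list head. Add `if (Rel == 0) return 0;` before the call. The Win7 sub-pattern is also only two bytes inside a fixed 1024-byte scan, so a false match is plausible and makes this guard more important.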
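Review bot: The list walk in `DumpPnpDeviceClassNotifyList` has no upper bound: it stops only when `Flink` equals `ListHead`, is NULL, or a read fails. The entries come from live kernel memory, presumably without the kernel's list lock held, so an entry unlinked mid-walk or a `Flink` pointing back into the chain keeps the loop spinning. Count iterations and stop at a cap, for example `if (++cEntries > MAX_NOTIFY_ENTRIES) break;` with `MAX_NOTIFY_ENTRIES` a constant you define. Separately, the sub-patterns used to locate this variable (`shr edx, 2` / `imul eax, edx, 0Dh`) look like a hash-bucket index computation. If `PnpDeviceClassNotifyList` is an array of list heads rather than a single one, only the first bucket is enumerated here and registered callbacks would be missing from the output, which is worth confirming.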
@@ -4,9 +4,9 @@ * * TITLE: EXTRASCALLBACKSPATTERNS.H * -* VERSION: 2.04 +* VERSION: 2.05 * -* DATE: 11 Jan 2024 +* DATE: 11 Mar 2024 * * Header with search patterns used by Callbacks dialog routines. * @@ -85,3 +85,21 @@ BYTE g_CiCallbacksMatchingPattern[] = { BYTE g_EmpSearchCallbackDatabase[] = { 0x48, 0x8B, 0x4E, 0xF8, 0x48, 0x85, 0xC9 }; BYTE g_EmpSearchCallbackDatabase2[] = { 0x49, 0x8B, 0x4A, 0xF8, 0x48, 0x85, 0xC9 }; BYTE g_EmpSearchCallbackDatabase3[] = { 0x4B, 0x8B, 0x0C, 0xF7, 0x48, 0x85, 0xC9 }; + + +/* +* PnpDeviceClassNotifyList search pattern +*/ + +// +// mul ecx +// +BYTE PnpDeviceClassNotifyList_SubPattern_7601[] = { 0xF7, 0xE1 }; + +BYTE PnpDeviceClassNotifyList_SubPattern_9200[] = { 0xC1, 0xEA, 0x02, 0x6B, 0xD2, 0x0D }; + +// +// shr edx, 2 +// imul eax, edx, 0Dh +// +BYTE PnpDeviceClassNofityList_SubPattern_9600_26080[] = { 0xC1, 0xEA, 0x02, 0x6B, 0xC2, 0x0D }; diff --git a/Source/WinObjEx64/extras/extrasUSD.c b/Source/WinObjEx64/extras/extrasUSD.c index f3e0627..22268dd 100644 --- a/Source/WinObjEx64/extras/extrasUSD.c +++ b/Source/WinObjEx64/extras/extrasUSD.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2015 - 2023 +* (C) COPYRIGHT AUTHORS, 2015 - 2024 * * TITLE: EXTRASUSD.C * -* VERSION: 2.02 +* VERSION: 2.05 * -* DATE: 15 May 2023 +* DATE: 11 Mar 2024 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -68,7 +68,8 @@ LPWSTR T_PROCESSOR_FEATURES[] = { L"PF_AVX512F_INSTRUCTIONS_AVAILABLE", L"PF_ERMS_AVAILABLE", L"PF_ARM_V82_DP_INSTRUCTIONS_AVAILABLE", - L"PF_ARM_V83_JSCVT_INSTRUCTIONS_AVAILABLE" + L"PF_ARM_V83_JSCVT_INSTRUCTIONS_AVAILABLE", + L"PF_ARM_V83_LRCPC_INSTRUCTIONS_AVAILABLE" }; LPCWSTR T_SharedDataFlagsW7[] = { 
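Review bot: The third array is spelled `PnpDeviceClassNofityList_SubPattern_9600_26080` ("Nofity"), unlike its two siblings and the variable it locates. Rename it to `PnpDeviceClassNotifyList_SubPattern_9600_26080` here and at both uses in `FindPnpDeviceClassNotifyList`. The 9200 pattern is the only one without a disassembly comment; its bytes decode to `// shr edx, 2` and `// imul edx, edx, 0Dh`, and adding that makes the sequence recheckable against a new build. The 7601 pattern is just the two bytes of `mul ecx`, which is a weak signature for a 1024-byte scan window.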
@@ -95,7 +96,7 @@ LPCWSTR T_SharedDataFlags[] = { L"DbgStateSeparationEnabled" }; -VALUE_DESC SuiteMasks[] = { +VALUE_DESC USD_SuiteMasks[] = { { L"ServerNT", VER_SERVER_NT }, { L"WorkstationNT", VER_WORKSTATION_NT }, { L"SmallBusiness", VER_SUITE_SMALLBUSINESS }, 
@@ -117,6 +118,92 @@ VALUE_DESC SuiteMasks[] = { { L"MultiUserTS", VER_SUITE_MULTIUSERTS } }; +VALUE_DESC USD_NXSupportPolicyFlags[] = { + { L"AlwaysOff", NX_SUPPORT_POLICY_ALWAYSOFF }, + { L"AlwaysOn", NX_SUPPORT_POLICY_ALWAYSON }, + { L"OptIn", NX_SUPPORT_POLICY_OPTIN }, + { L"OptOut", NX_SUPPORT_POLICY_OPTOUT } +}; + +VALUE_DESC USD_SEHValidationPolicyFlags[] = { + { L"AlwaysOff", SEH_VALIDATION_POLICY_ON }, + { L"AlwaysOn", SEH_VALIDATION_POLICY_OFF }, + { L"Telemetry", SEH_VALIDATION_POLICY_TELEMETRY }, + { L"Defer", SEH_VALIDATION_POLICY_DEFER } +}; + +/* +* UsdDumpMitigationPolicies +* +* Purpose: +* +* Display dump of SEH and NX policies. +* +*/ +VOID UsdDumpMitigationPolicies( + _In_ HTREEITEM tviRoot, + _In_ PKUSER_SHARED_DATA pUserSharedData +) +{ + HTREEITEM h_tviSubItem; + TL_SUBITEMS_FIXED subitems; + WCHAR szValue[MAX_PATH + 1]; + + RtlSecureZeroMemory(&subitems, sizeof(subitems)); + + // + // Expanded to more values starting from Windows 8+ + // + + RtlSecureZeroMemory(szValue, sizeof(szValue)); + + RtlStringCchPrintfSecure(szValue, + MAX_PATH, + TEXT("0x%02X"), + pUserSharedData->MitigationPolicies); + + subitems.Text[0] = szValue; + subitems.Count = 1; + + h_tviSubItem = supTreeListAddItem( + g_UsdDlgContext.TreeList, + tviRoot, + TVIF_TEXT | TVIF_STATE, + (UINT)0, + (UINT)0, + TEXT("MitigationPolicies"), + &subitems); + + if (h_tviSubItem) { + + propDumpEnumWithNames( + g_UsdDlgContext.TreeList, + h_tviSubItem, + TEXT("NXSupportPolicy"), + pUserSharedData->NXSupportPolicy, + USD_NXSupportPolicyFlags, + RTL_NUMBER_OF(USD_NXSupportPolicyFlags)); + + propDumpEnumWithNames( + g_UsdDlgContext.TreeList, + h_tviSubItem, + TEXT("SEHValidationPolicy"), + pUserSharedData->SEHValidationPolicy, + USD_SEHValidationPolicyFlags, + RTL_NUMBER_OF(USD_SEHValidationPolicyFlags)); + + propObDumpByte( + g_UsdDlgContext.TreeList, + h_tviSubItem, + TEXT("CurDirDevicesSkippedForDlls"), + (LPWSTR)NULL, + pUserSharedData->CurDirDevicesSkippedForDlls, + (COLORREF)0, + 
(COLORREF)0, + FALSE); + } + +} /* * UsdDumpSharedRegion @@ -132,7 +219,7 @@ VOID UsdDumpSharedRegion( { BOOL bAny = FALSE; UINT i; - DWORD mask, cFlags; + DWORD cFlags; LPCWSTR* pvSharedFlagsDesc; @@ -370,66 +457,13 @@ VOID UsdDumpSharedRegion( // // SuiteMask // - RtlSecureZeroMemory(&subitems, sizeof(subitems)); - RtlSecureZeroMemory(&szValue, sizeof(szValue)); - szValue[0] = TEXT('0'); - szValue[1] = TEXT('x'); - ultohex(pUserSharedData->SuiteMask, &szValue[2]); - subitems.Text[0] = szValue; - subitems.Count = 1; - - h_tviSubItem = supTreeListAddItem( - g_UsdDlgContext.TreeList, + propDumpEnumWithNames(g_UsdDlgContext.TreeList, h_tviRootItem, - TVIF_TEXT | TVIF_STATE, - (UINT)0, - (UINT)0, TEXT("SuiteMask"), - &subitems); + pUserSharedData->SuiteMask, + USD_SuiteMasks, + RTL_NUMBER_OF(USD_SuiteMasks)); - if (h_tviSubItem) { - h_tviLast = NULL; - mask = pUserSharedData->SuiteMask; - for (i = 0; i < RTL_NUMBER_OF(SuiteMasks); i++) { - if (mask & SuiteMasks[i].dwValue) { - - RtlSecureZeroMemory(&subitems, sizeof(subitems)); - RtlSecureZeroMemory(&szValue, sizeof(szValue)); - szValue[0] = TEXT('0'); - szValue[1] = TEXT('x'); - ultohex(SuiteMasks[i].dwValue, &szValue[2]); - subitems.Text[0] = szValue; - subitems.Text[1] = SuiteMasks[i].lpDescription; - subitems.Count = 2; - - h_tviLast = supTreeListAddItem( - g_UsdDlgContext.TreeList, - h_tviSubItem, - TVIF_TEXT | TVIF_STATE, - (UINT)0, - (UINT)0, - (LPWSTR)T_EmptyString, - &subitems); - - mask &= ~SuiteMasks[i].dwValue; - } - } - - // - // Output dotted corner for suite mask. - // - if (h_tviLast) { - RtlSecureZeroMemory(&itemex, sizeof(itemex)); - - itemex.hItem = h_tviLast; - itemex.mask = TVIF_TEXT | TVIF_HANDLE; - itemex.pszText = T_EMPTY; - - TreeList_SetTreeItem(g_UsdDlgContext.TreeList, &itemex, NULL); - } - } - - // // KdDebuggerEnabled // propObDumpByte( 
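Review bot: In `USD_SEHValidationPolicyFlags` the first two labels are inverted: `SEH_VALIDATION_POLICY_ON` is labelled `L"AlwaysOff"` and `SEH_VALIDATION_POLICY_OFF` is labelled `L"AlwaysOn"`, apparently carried over from the NX table above it. As written the dialog would report the opposite of the system's actual SEH validation state. Change the two entries to `{ L"On", SEH_VALIDATION_POLICY_ON },` and `{ L"Off", SEH_VALIDATION_POLICY_OFF },`.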
@@ -464,60 +498,8 @@ VOID UsdDumpSharedRegion( // // Expanded to more values starting from Windows 8+ // + UsdDumpMitigationPolicies(h_tviRootItem, pUserSharedData); - RtlSecureZeroMemory(&subitems, sizeof(subitems)); - RtlSecureZeroMemory(szValue, sizeof(szValue)); - - RtlStringCchPrintfSecure(szValue, - MAX_PATH, - TEXT("0x%02X"), - pUserSharedData->MitigationPolicies); - - subitems.Text[0] = szValue; - subitems.Count = 1; - - h_tviSubItem = supTreeListAddItem( - g_UsdDlgContext.TreeList, - h_tviRootItem, - TVIF_TEXT | TVIF_STATE, - (UINT)0, - (UINT)0, - TEXT("MitigationPolicies"), - &subitems); - - if (h_tviSubItem) { - - propObDumpByte( - g_UsdDlgContext.TreeList, - h_tviSubItem, - TEXT("NXSupportPolicy"), - (LPWSTR)NULL, - pUserSharedData->NXSupportPolicy, - (COLORREF)0, - (COLORREF)0, - FALSE); - - propObDumpByte( - g_UsdDlgContext.TreeList, - h_tviSubItem, - TEXT("SEHValidationPolicy"), - (LPWSTR)NULL, - pUserSharedData->SEHValidationPolicy, - (COLORREF)0, - (COLORREF)0, - FALSE); - - - propObDumpByte( - g_UsdDlgContext.TreeList, - h_tviSubItem, - TEXT("CurDirDevicesSkippedForDlls"), - (LPWSTR)NULL, - pUserSharedData->CurDirDevicesSkippedForDlls, - (COLORREF)0, - (COLORREF)0, - FALSE); - } } // diff --git a/Source/WinObjEx64/kldbg.h b/Source/WinObjEx64/kldbg.h index 9c3b80d..7cf596d 100644 --- a/Source/WinObjEx64/kldbg.h +++ b/Source/WinObjEx64/kldbg.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2015 - 2023 +* (C) COPYRIGHT AUTHORS, 2015 - 2024 * * TITLE: KLDBG.H * -* VERSION: 2.03 +* VERSION: 2.05 * -* DATE: 21 Jul 2023 +* DATE: 12 Mar 2024 * * Common header file for the Kernel Debugger Driver support. * @@ -361,6 +361,7 @@ typedef struct _NOTIFICATION_CALLBACKS { ULONG_PTR KiNmiCallbackListHead; ULONG_PTR PspSiloMonitorList; ULONG_PTR EmpCallbackListHead; + ULONG_PTR PnpDeviceClassNotifyList; } NOTIFICATION_CALLBACKS, *PNOTIFICATION_CALLBACKS; // 
diff --git a/Source/WinObjEx64/ksymbols.h b/Source/WinObjEx64/ksymbols.h index 0c042d9..12409b5 100644 --- a/Source/WinObjEx64/ksymbols.h +++ b/Source/WinObjEx64/ksymbols.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2023 +* (C) COPYRIGHT AUTHORS, 2020 - 2024 * * TITLE: KSYMBOLS.H * -* VERSION: 2.03 +* VERSION: 2.05 * -* DATE: 21 Jul 2023 +* DATE: 12 Mar 2024 * * Header file for kernel symbol names. * @@ -71,6 +71,8 @@ #define KVAR_EmpCallbackListHead L"EmpCallbackListHead" +#define KVAR_PnpDeviceClassNotifyList L"PnpDeviceClassNotifyList" + #define KVAR_Win32kApiSetTable L"Win32kApiSetTable" #define KFLD_UniqueProcessId L"UniqueProcessId" diff --git a/Source/WinObjEx64/props/propObjectDump.c b/Source/WinObjEx64/props/propObjectDump.c index 078efc4..610a5ff 100644 --- a/Source/WinObjEx64/props/propObjectDump.c +++ b/Source/WinObjEx64/props/propObjectDump.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2015 - 2023 +* (C) COPYRIGHT AUTHORS, 2015 - 2024 * * TITLE: PROPOBJECTDUMP.C * -* VERSION: 2.01 +* VERSION: 2.05 * -* DATE: 06 Feb 2023 +* DATE: 11 Mar 2024 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -34,6 +34,92 @@ typedef VOID(NTAPI* pfnObDumpRoutine)( _In_ HWND hwndDlg, \ _In_ HWND hwndTreeList) +/* +* propDumpEnumWithNames +* +* Purpose: +* +* Dump given enumeration to the treelist (simple output). +* +*/ +VOID propDumpEnumWithNames( + _In_ HWND TreeList, + _In_ HTREEITEM ParentItem, + _In_ LPWSTR EnumName, + _In_ ULONG EnumValue, + _In_ PVALUE_DESC EnumNames, + _In_ ULONG EnumNamesCount +) +{ + ULONG i, mask; + HTREEITEM h_tviSubItem, h_tviLast = NULL; + + TVITEMEX itemex; + + TL_SUBITEMS_FIXED subitems; + WCHAR szValue[MAX_PATH + 1]; + + RtlSecureZeroMemory(&subitems, sizeof(subitems)); + szValue[0] = TEXT('0'); + szValue[1] = TEXT('x'); + ultohex(EnumValue, &szValue[2]); + subitems.Text[0] = szValue; + subitems.Count = 1; + + h_tviSubItem = supTreeListAddItem( + TreeList, + ParentItem, + TVIF_TEXT | TVIF_STATE, + (UINT)0, + (UINT)0, + (LPWSTR)EnumName, + &subitems); + + if (h_tviSubItem) { + h_tviLast = NULL; + mask = EnumValue; + for (i = 0; i < EnumNamesCount; i++) { + if (mask & EnumNames->dwValue) { + RtlSecureZeroMemory(&subitems, sizeof(subitems)); + RtlSecureZeroMemory(&szValue, sizeof(szValue)); + szValue[0] = TEXT('0'); + szValue[1] = TEXT('x'); + ultohex(EnumNames->dwValue, &szValue[2]); + subitems.Text[0] = szValue; + subitems.Text[1] = EnumNames->lpDescription; + subitems.Count = 2; + + h_tviLast = supTreeListAddItem( + TreeList, + h_tviSubItem, + TVIF_TEXT | TVIF_STATE, + (UINT)0, + (UINT)0, + (LPWSTR)T_EmptyString, + &subitems); + + mask &= ~EnumNames->dwValue; + } + + EnumNames++; + } + } + + + // + // Output dotted corner. + // + if (h_tviLast) { + RtlSecureZeroMemory(&itemex, sizeof(itemex)); + + itemex.hItem = h_tviLast; + itemex.mask = TVIF_TEXT | TVIF_HANDLE; + itemex.pszText = T_EMPTY; + + TreeList_SetTreeItem(TreeList, &itemex, NULL); + } +} + /* * propObDumpGUID * diff --git a/Source/WinObjEx64/props/props.h b/Source/WinObjEx64/props/props.h index e92bdbf..df7625e 100644 --- a/Source/WinObjEx64/props/props.h 
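Review bot: `propDumpEnumWithNames` selects names with `mask & EnumNames->dwValue`, which is a bit-flag test, but this commit also passes it the NX and SEH policy tables whose values are the ordinals 0 to 3. A policy value of 0 never matches any row. A value of 3 matches the rows for 1 and 2 and is cleared before the row for 3 is reached, so an `NXSupportPolicy` of OptOut would be shown as AlwaysOn plus OptIn. For ordinal enums compare by equality, `if (EnumValue == EnumNames->dwValue)`, or add a parameter that selects flag versus value matching and keep the mask logic for `SuiteMask` only.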
+++ b/Source/WinObjEx64/props/props.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2015 - 2022 +* (C) COPYRIGHT AUTHORS, 2015 - 2024 * * TITLE: PROPS.H * -* VERSION: 2.00 +* VERSION: 2.05 * -* DATE: 19 Jun 2022 +* DATE: 11 Mar 2024 * * Common header file for properties dialog definitions. * @@ -177,3 +177,11 @@ VOID propObDumpUnicodeString( _In_ LPWSTR StringName, _In_ PUNICODE_STRING InputString, _In_ BOOLEAN IsKernelPointer); + +VOID propDumpEnumWithNames( + _In_ HWND TreeList, + _In_ HTREEITEM ParentItem, + _In_ LPWSTR EnumName, + _In_ ULONG EnumValue, + _In_ PVALUE_DESC EnumNames, + _In_ ULONG EnumNamesCount); diff --git a/Source/WinObjEx64/ui.h b/Source/WinObjEx64/ui.h index b6edfce..cd0c658 100644 --- a/Source/WinObjEx64/ui.h +++ b/Source/WinObjEx64/ui.h @@ -4,9 +4,9 @@ * * TITLE: UI.H * -* VERSION: 2.04 +* VERSION: 2.05 * -* DATE: 31 Jan 2024 +* DATE: 12 Mar 2024 * * Common header file for the user interface. * @@ -49,8 +49,8 @@ typedef HWND(WINAPI *pfnHtmlHelpW)( #define PROGRAM_MAJOR_VERSION 2 #define PROGRAM_MINOR_VERSION 0 -#define PROGRAM_REVISION_NUMBER 4 -#define PROGRAM_BUILD_NUMBER 2402 +#define PROGRAM_REVISION_NUMBER 5 +#define PROGRAM_BUILD_NUMBER 2403 #ifdef _USE_OWN_DRIVER #define PROGRAM_NAME L"Windows Object Explorer 64-bit (Non-public version)"