184 release
hfiref0x 2020-02-29 12:36:03 +07:00
parent cb9524f028
commit d724aca52a
No known key found for this signature in database
GPG Key ID: 5A20EE3C6F09AF95
21 changed files with 341 additions and 234 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -87,6 +87,10 @@ winobjex64\kldbg_pattern.h
* Signature patterns used to find undocumented stuff
winobjex64\ksymbols.h
* Header file for kernel symbol names
winobjex64\list.c
winobjex64\list.h

Binary file not shown.


@ -6,7 +6,7 @@
*
* VERSION: 1.03
*
* DATE: 05 Jan 2020
* DATE: 24 Feb 2020
*
* WinObjEx64 Sonar plugin.
*
@ -25,7 +25,7 @@ ULONG g_CurrentDPI;
int y_splitter_pos = 300, y_capture_pos = 0, y_splitter_max = 0;
#define SONAR_MAX_TESTED_BUILD 19037
#define SONAR_MAX_TESTED_BUILD 19569
#define PROTOCOLLIST_COLUMN_COUNT 3


@ -5,9 +5,9 @@
*
* TITLE: NDIS.H
*
* VERSION: 1.01
* VERSION: 1.02
*
* DATE: 28 Sep 2019
* DATE: 24 Feb 2019
*
* Common header file for the NDIS related definitions/structures.
*
@ -671,7 +671,7 @@ typedef struct _NDIS_OPEN_BLOCK_14393_17134
/* 0x0480 */ PVOID CoOidRequestHandler;
} NDIS_OPEN_BLOCK_14393_17134, *PNDIS_OPEN_BLOCK_14393_17134; /* size: 0x0488 */
typedef struct _NDIS_OPEN_BLOCK_17763_18363
typedef struct _NDIS_OPEN_BLOCK_17763_19569
{
/* 0x0000 */ long Padding_297[240];
/* 0x03c0 */ struct _NDIS_CO_AF_BLOCK* NextAf;
@ -691,7 +691,7 @@ typedef struct _NDIS_OPEN_BLOCK_17763_18363
/* 0x0438 */ PVOID MiniportCoOidRequestHandler;
/* 0x0440 */ PVOID CoOidRequestCompleteHandler;
/* 0x0448 */ PVOID CoOidRequestHandler;
} NDIS_OPEN_BLOCK_17763_18363, *PNDIS_OPEN_BLOCK_17763_18363; /* size: 0x0450 */
} NDIS_OPEN_BLOCK_17763_19569, *PNDIS_OPEN_BLOCK_17763_19569; /* size: 0x0450 */
typedef struct _NDIS_COMMON_OPEN_BLOCK_9600_10586
{
@ -986,7 +986,7 @@ typedef struct _NDIS_COMMON_OPEN_BLOCK_14393_17134
/* 0x03f0 */ KEVENT* WaitNetPnpEvent;
} NDIS_COMMON_OPEN_BLOCK_14393_17134, *PNDIS_COMMON_OPEN_BLOCK_14393_17134; /* size: 0x03f8 */
typedef struct _NDIS_COMMON_OPEN_BLOCK_17763_18363
typedef struct _NDIS_COMMON_OPEN_BLOCK_17763_19569
{
union
{
@ -1121,7 +1121,7 @@ typedef struct _NDIS_COMMON_OPEN_BLOCK_17763_18363
/* 0x0390 */ KEVENT* WaitNetPnpEvent;
/* 0x0398 */ PKTMON_COMPONENT_CONTEXT PktMonComp;
/* 0x03a8 */ PKTMON_EDGE_CONTEXT PktMonEdge;
} NDIS_COMMON_OPEN_BLOCK_17763_18363, *PNDIS_COMMON_OPEN_BLOCK_17763_18363; /* size: 0x03c0 */
} NDIS_COMMON_OPEN_BLOCK_17763_19569, *PNDIS_COMMON_OPEN_BLOCK_17763_19569; /* size: 0x03c0 */
typedef struct _NDIS_PROTOCOL_BLOCK_7601 {
NDIS_OBJECT_HEADER Header;
@ -1533,7 +1533,7 @@ typedef struct _NDIS_PROTOCOL_BLOCK_17763
/* 0x0340 */ PVOID NotifyBindCompleteWorkItem; //class pointer
} NDIS_PROTOCOL_BLOCK_17763, *PNDIS_PROTOCOL_BLOCK_17763; /* size: 0x0378 */
typedef struct _NDIS_PROTOCOL_BLOCK_18362_18363
typedef struct _NDIS_PROTOCOL_BLOCK_18362_19569
{
/* 0x0000 */ NDIS_OBJECT_HEADER Header;
/* 0x0004 */ long Padding_126;
@ -1625,7 +1625,7 @@ typedef struct _NDIS_PROTOCOL_BLOCK_18362_18363
/* 0x0328 */ UNICODE_STRING ImageName;
/* 0x0338 */ PVOID Bind; //class pointer
/* 0x0340 */ PVOID NotifyBindCompleteWorkItem; //class pointer
} NDIS_PROTOCOL_BLOCK_18362_18363, *PNDIS_PROTOCOL_BLOCK_18362_18363; /* size: 0x0378 */
} NDIS_PROTOCOL_BLOCK_18362_19569, *PNDIS_PROTOCOL_BLOCK_18362_18363; /* size: 0x0378 */
//
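Review bot: The closing typedef of the renamed protocol block still declares its pointer alias under the old name, `} NDIS_PROTOCOL_BLOCK_18362_19569, *PNDIS_PROTOCOL_BLOCK_18362_18363;`, whereas the open-block and common-open-block renames in this file update both names. It should read `} NDIS_PROTOCOL_BLOCK_18362_19569, *PNDIS_PROTOCOL_BLOCK_18362_19569; /* size: 0x0378 */` so the struct and its pointer type stay paired; whether any caller uses the pointer alias is not visible on this page. The file header also sets the date to `24 Feb 2019` where the sibling files in this commit say 2020, which looks like a typo. The same 2019 year appears in the date lines of two other headers further down (`25 Feb 2019` and `24 Feb 2019`).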


@ -6,7 +6,7 @@
*
* VERSION: 1.03
*
* DATE: 13 Oct 2019
* DATE: 24 Feb 2020
*
* Query NDIS specific data.
*
@ -48,7 +48,8 @@ NdisDeregisterProtocol
48 8B 3D A2 CE FA FF mov rdi, cs:ndisProtocolList
18995
48 8B 3D BA 92 FA FF mov rdi, cs:ndisProtocolList
19569
48 8B 3D C2 5A FA FF mov rdi, cs:ndisProtocolList
*/
#define HDE_F_ERROR 0x00001000
@ -282,7 +283,7 @@ PVOID DumpProtocolBlockVersionAware(
case NT_WIN10_19H1:
case NT_WIN10_19H2:
default:
ObjectSize = sizeof(NDIS_PROTOCOL_BLOCK_18362_18363);
ObjectSize = sizeof(NDIS_PROTOCOL_BLOCK_18362_19569);
ObjectVersion = 5;
break;
@ -344,7 +345,7 @@ PVOID DumpOpenBlockVersionAware(
case NT_WIN10_19H1:
case NT_WIN10_19H2:
default:
ObjectSize = sizeof(NDIS_OPEN_BLOCK_17763_18363);
ObjectSize = sizeof(NDIS_OPEN_BLOCK_17763_19569);
ObjectVersion = 5;
break;
}
@ -461,7 +462,7 @@ ULONG GetNextProtocolOffset(
case NT_WIN10_19H1:
case NT_WIN10_19H2:
default:
Offset = FIELD_OFFSET(NDIS_PROTOCOL_BLOCK_18362_18363, NextProtocol);
Offset = FIELD_OFFSET(NDIS_PROTOCOL_BLOCK_18362_19569, NextProtocol);
break;
}
@ -1037,7 +1038,7 @@ BOOL CreateCompatibleOpenBlock(
OpenBlock->Handlers.WTransferDataHandler = BlockRef->u1.Versions.u_v4.v4c->WTransferDataHandler;
break;
case 5: //17763..18363
case 5: //17763..19569
OpenBlock->ProtocolNextOpen = BlockRef->u1.Versions.u_v5.v5c->ProtocolNextOpen;
OpenBlock->BindDeviceName = BlockRef->u1.Versions.u_v5.v5c->BindDeviceName;
OpenBlock->RootDeviceName = BlockRef->u1.Versions.u_v5.v5c->RootDeviceName;
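Review bot: In all three version switches touched here the newest layout sits under `default:`, so a build newer than 19569 is sized and offset with `NDIS_PROTOCOL_BLOCK_18362_19569` / `NDIS_OPEN_BLOCK_17763_19569` even though the type names now read as an upper bound. These structures appear to describe internal kernel data, so if a later build changes the layout the tool would presumably display wrong handler pointers rather than fail. I would put a comment on each arm, e.g. `default: // builds above 19569 are untested, newest known layout assumed`, or have the caller compare the build against the tested maximum first if it does not already. The switch bodies start and end outside the hunks, so the earlier arms are not visible.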


@ -6,7 +6,7 @@
*
* VERSION: 1.03
*
* DATE: 13 Dec 2019
* DATE: 24 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -61,7 +61,7 @@
#define NT_WIN10_19H2 18363
// Windows 10 20H1
#define NTX_WIN10_20H1 19037
#define NTX_WIN10_20H1 19041
// Windows 10 20H2
#define NTX_WIN10_20H2 19550
@ -73,7 +73,7 @@ typedef struct _PROTOCOL_BLOCK_VERSIONS {
NDIS_PROTOCOL_BLOCK_9200 *v2;
NDIS_PROTOCOL_BLOCK_9600_17134 *v3;
NDIS_PROTOCOL_BLOCK_17763 *v4;
NDIS_PROTOCOL_BLOCK_18362_18363 *v5;
NDIS_PROTOCOL_BLOCK_18362_19569 *v5;
} Versions;
PVOID Ref;
} u1;
@ -93,8 +93,8 @@ typedef struct _OPEN_BLOCK_VERSIONS {
NDIS_OPEN_BLOCK_14393_17134 *v4;
} u_v4;
union {
NDIS_COMMON_OPEN_BLOCK_17763_18363 *v5c;
NDIS_OPEN_BLOCK_17763_18363 *v5;
NDIS_COMMON_OPEN_BLOCK_17763_19569 *v5c;
NDIS_OPEN_BLOCK_17763_19569 *v5;
} u_v5;
} Versions;
PVOID Ref;
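Review bot: `NTX_WIN10_20H2` stays at 19550 in this header while the same macro is moved to 19569 in the kernel-debugger header later in this commit, and the structure types used here are renamed to `_19569`. `NTX_WIN10_20H1` is updated to 19041 in both places, so the 20H2 value looks missed rather than intentional; `#define NTX_WIN10_20H2 19569` would keep the two copies aligned. Because the build numbers are duplicated across headers, a short comment saying they must match the main program's definitions would help the next update.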


@ -5,9 +5,9 @@
*
* TITLE: NTOS.H
*
* VERSION: 1.131
* VERSION: 1.132
*
* DATE: 17 Feb 2020
* DATE: 24 Feb 2020
*
* Common header file for the ntos API functions and definitions.
*
@ -6294,26 +6294,6 @@ RtlPrefixUnicodeString(
_In_ PCUNICODE_STRING String2,
_In_ BOOLEAN CaseInSensitive);
NTSYSAPI
NTSTATUS
NTAPI
RtlExpandEnvironmentStrings(
_In_opt_ PVOID Environment,
_In_reads_(SrcLength) PWSTR Src,
_In_ SIZE_T SrcLength,
_Out_writes_opt_(DstLength) PWSTR Dst,
_In_ SIZE_T DstLength,
_Out_opt_ PSIZE_T ReturnLength);
NTSYSAPI
NTSTATUS
NTAPI
RtlExpandEnvironmentStrings_U(
_In_opt_ PVOID Environment,
_In_ PCUNICODE_STRING Source,
_Out_ PUNICODE_STRING Destination,
_Out_opt_ PULONG ReturnedLength);
NTSYSAPI
NTSTATUS
NTAPI
@ -6713,6 +6693,26 @@ RtlCreateEnvironmentEx(
_Out_ PVOID *Environment,
_In_ ULONG Flags);
NTSYSAPI
NTSTATUS
NTAPI
RtlExpandEnvironmentStrings(
_In_opt_ PVOID Environment,
_In_reads_(SrcLength) PWSTR Src,
_In_ SIZE_T SrcLength,
_Out_writes_opt_(DstLength) PWSTR Dst,
_In_ SIZE_T DstLength,
_Out_opt_ PSIZE_T ReturnLength);
NTSYSAPI
NTSTATUS
NTAPI
RtlExpandEnvironmentStrings_U(
_In_opt_ PVOID Environment,
_In_ PCUNICODE_STRING Source,
_Out_ PUNICODE_STRING Destination,
_Out_opt_ PULONG ReturnedLength);
NTSYSAPI
NTSTATUS
NTAPI
@ -6728,6 +6728,14 @@ RtlQueryEnvironmentVariable_U(
_In_ PUNICODE_STRING Name,
_Out_ PUNICODE_STRING Value);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetEnvironmentVariable(
_Inout_opt_ PVOID* Environment,
_In_ PUNICODE_STRING Name,
_In_opt_ PUNICODE_STRING Value);
NTSYSAPI
NTSTATUS
NTAPI


@ -451,6 +451,7 @@
<ClInclude Include="hde\table64.h" />
<ClInclude Include="instdrv.h" />
<ClInclude Include="kldbg.h" />
<ClInclude Include="ksymbols.h" />
<ClInclude Include="list.h" />
<ClInclude Include="msvcver.h" />
<ClInclude Include="objects.h" />


@ -403,6 +403,9 @@
<ClInclude Include="tinyaes\aes.h">
<Filter>tinyaes</Filter>
</ClInclude>
<ClInclude Include="ksymbols.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Image Include="rsrc\pipe.ico">


@ -4,9 +4,9 @@
*
* TITLE: EXTRASSSDT.C
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 13 Jan 2020
* DATE: 28 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -369,18 +369,17 @@ INT_PTR CALLBACK SdtDialogProc(
}
/*
* SdtOutputTable
* SdtListOutputTable
*
* Purpose:
*
* Output dumped and converted syscall table to listview.
*
*/
VOID SdtOutputTable(
VOID SdtListOutputTable(
_In_ HWND hwndDlg,
_In_ PRTL_PROCESS_MODULES Modules,
_In_ PSERVICETABLEENTRY Table,
_In_ ULONG Count
_In_ PSDT_TABLE SdtTableEntry
)
{
INT lvIndex, moduleIndex;
@ -390,30 +389,27 @@ VOID SdtOutputTable(
LVITEM lvItem;
WCHAR szBuffer[MAX_PATH + 1];
szBuffer[0] = 0;
LPWSTR lpBaseName, lpBaseLimit;
switch (Context->DialogMode) {
case SST_Ntos:
_strcpy(szBuffer, TEXT("KiServiceTable 0x"));
u64tohex(g_kdctx.KeServiceDescriptorTable.Base, _strend(szBuffer));
_strcat(szBuffer, TEXT(" / KiServiceLimit 0x"));
ultohex(g_kdctx.KeServiceDescriptorTable.Limit, _strend(szBuffer));
_strcat(szBuffer, TEXT(" ("));
ultostr(g_kdctx.KeServiceDescriptorTable.Limit, _strend(szBuffer));
_strcat(szBuffer, TEXT(")"));
break;
case SST_Win32k:
_strcpy(szBuffer, TEXT("W32pServiceTable 0x"));
u64tohex(g_kdctx.KeServiceDescriptorTableShadow.Base, _strend(szBuffer));
_strcat(szBuffer, TEXT(" / W32pServiceLimit 0x"));
ultohex(g_kdctx.KeServiceDescriptorTableShadow.Limit, _strend(szBuffer));
_strcat(szBuffer, TEXT(" ("));
ultostr(g_kdctx.KeServiceDescriptorTableShadow.Limit, _strend(szBuffer));
_strcat(szBuffer, TEXT(")"));
break;
default:
break;
if (Context->DialogMode == SST_Ntos) {
lpBaseName = KSW_KiServiceTable;
lpBaseLimit = KSW_KiServiceLimit;
}
else if (Context->DialogMode == SST_Win32k) {
lpBaseName = KSW_W32pServiceTable;
lpBaseLimit = KSW_W32pServiceLimit;
}
else
return;
RtlStringCchPrintfSecure(szBuffer,
MAX_PATH,
TEXT("%ws 0x%p / %ws %lu (0x%lX)"),
lpBaseName,
(PVOID)SdtTableEntry->Base,
lpBaseLimit,
SdtTableEntry->Limit,
SdtTableEntry->Limit);
SetWindowText(Context->StatusBar, szBuffer);
@ -422,10 +418,10 @@ VOID SdtOutputTable(
ListView_DeleteAllItems(Context->ListView);
//list table
for (i = 0; i < Count; i++) {
for (i = 0; i < SdtTableEntry->Limit; i++) {
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
ultostr(Table[i].ServiceId, szBuffer);
ultostr(SdtTableEntry->Table[i].ServiceId, szBuffer);
//ServiceId
RtlSecureZeroMemory(&lvItem, sizeof(lvItem));
@ -438,7 +434,7 @@ VOID SdtOutputTable(
//Name
lvItem.mask = LVIF_TEXT;
lvItem.iSubItem = 1;
lvItem.pszText = (LPWSTR)Table[i].Name;
lvItem.pszText = (LPWSTR)SdtTableEntry->Table[i].Name;
lvItem.iItem = lvIndex;
ListView_SetItem(Context->ListView, &lvItem);
@ -446,7 +442,7 @@ VOID SdtOutputTable(
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
szBuffer[0] = L'0';
szBuffer[1] = L'x';
u64tohex(Table[i].Address, &szBuffer[2]);
u64tohex(SdtTableEntry->Table[i].Address, &szBuffer[2]);
lvItem.iSubItem = 2;
lvItem.pszText = szBuffer;
@ -455,7 +451,7 @@ VOID SdtOutputTable(
//Module
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
moduleIndex = supFindModuleEntryByAddress(Modules, (PVOID)Table[i].Address);
moduleIndex = supFindModuleEntryByAddress(Modules, (PVOID)SdtTableEntry->Table[i].Address);
if (moduleIndex == (ULONG)-1) {
_strcpy(szBuffer, TEXT("Unknown Module"));
}
@ -477,21 +473,21 @@ VOID SdtOutputTable(
}
/*
* SdtListTable
* SdtListCreateTable
*
* Purpose:
*
* KiServiceTable query and list routine.
* KiServiceTable dump routine.
*
*/
VOID SdtListTable(
_In_ HWND hwndDlg
BOOL SdtListCreateTable(
_In_ BOOLEAN bForceUnknown
)
{
BOOL bResult = FALSE;
ULONG EntrySize = 0;
SIZE_T memIO;
PUTable TableDump = NULL;
PRTL_PROCESS_MODULES pModules = NULL;
PBYTE Module = NULL;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
PDWORD ExportNames, ExportFunctions;
@ -503,13 +499,6 @@ VOID SdtListTable(
PVOID ServicePtr;
ULONG ServiceId, i;
#ifndef _DEBUG
HWND hwndBanner;
hwndBanner = supDisplayLoadBanner(hwndDlg,
TEXT("Loading service table dump, please wait"));
#endif
__try {
if ((g_kdctx.KeServiceDescriptorTable.Base == 0) ||
@ -524,10 +513,6 @@ VOID SdtListTable(
}
}
pModules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation, NULL);
if (pModules == NULL)
__leave;
//
// If table empty, dump and prepare table
//
@ -570,6 +555,8 @@ VOID SdtListTable(
__leave;
}
KiServiceTable.Base = g_kdctx.KeServiceDescriptorTable.Base;
//
// Walk for Nt stubs.
//
@ -609,14 +596,16 @@ VOID SdtListTable(
//
// This will produce incorrect result if more like that services will be added.
//
for (i = 0; i < g_kdctx.KeServiceDescriptorTable.Limit; i++) {
if (TableDump[i] != 0) {
ServiceEntry = &KiServiceTable.Table[KiServiceTable.Limit];
ServiceEntry->ServiceId = i;
ServiceEntry->Address = TableDump[i];
_strcpy(ServiceEntry->Name, L"NtQuerySystemTime");
KiServiceTable.Limit += 1;
break;
if (bForceUnknown) {
for (i = 0; i < g_kdctx.KeServiceDescriptorTable.Limit; i++) {
if (TableDump[i] != 0) {
ServiceEntry = &KiServiceTable.Table[KiServiceTable.Limit];
ServiceEntry->ServiceId = i;
ServiceEntry->Address = TableDump[i];
_strcpy(ServiceEntry->Name, TEXT("NtQuerySystemTime"));
KiServiceTable.Limit += 1;
break;
}
}
}
@ -624,27 +613,17 @@ VOID SdtListTable(
TableDump = NULL;
}
SdtOutputTable(
hwndDlg,
pModules,
KiServiceTable.Table,
KiServiceTable.Limit);
bResult = TRUE;
}
__finally {
#ifndef _DEBUG
SendMessage(hwndBanner, WM_CLOSE, 0, 0);
#endif
if (pModules) {
supHeapFree(pModules);
}
if (TableDump) {
supHeapFree(TableDump);
}
}
return bResult;
}
//
@ -1016,29 +995,31 @@ NTSTATUS SdtResolveServiceEntryModule(
}
/*
* SdtListTableShadow
* SdtListCreateTableShadow
*
* Purpose:
*
* W32pServiceTable query and list routine.
* W32pServiceTable create table routine.
*
* Note: This code only for Windows 10 RS1+
*
*/
VOID SdtListTableShadow(
_In_ HWND hwndDlg
BOOL SdtListCreateTableShadow(
_In_ PRTL_PROCESS_MODULES pModules,
_Out_ PULONG Status
)
{
BOOLEAN NeedApiSetResolve = (g_NtBuildNumber > 18885);
BOOLEAN Win32kApiSetTableExpected = (g_NtBuildNumber > 18935);
NTSTATUS Status;
NTSTATUS ntStatus;
BOOL bResult = FALSE;
ULONG w32u_limit, w32k_limit, c;
HMODULE w32u = NULL, w32k = NULL, DllModule, forwdll;
PBYTE fptr;
PULONG pServiceLimit, pServiceTable;
LPCSTR ModuleName, FunctionName, ForwarderDot, ForwarderFunctionName;
HANDLE EnumerationHeap = NULL;
ULONG_PTR Win32kBase = 0;
ULONG_PTR Win32kBase = 0, kernelWin32kBase = 0;
PSERVICETABLEENTRY ServiceEntry;
PWIN32_SHADOWTABLE table, itable;
@ -1050,7 +1031,6 @@ VOID SdtListTableShadow(
ULONG ApiSetSchemaVersion = 0;
PRTL_PROCESS_MODULE_INFORMATION Module, ForwardModule;
PRTL_PROCESS_MODULES pModules = NULL;
LOAD_MODULE_ENTRY LoadedModulesHead;
PLOAD_MODULE_ENTRY ModuleEntry = NULL, PreviousEntry = NULL;
@ -1060,27 +1040,13 @@ VOID SdtListTableShadow(
WCHAR szBuffer[MAX_PATH * 2];
CHAR szForwarderModuleName[MAX_PATH];
#ifndef _DEBUG
HWND hwndBanner;
hwndBanner = supDisplayLoadBanner(hwndDlg,
TEXT("Loading service table dump, please wait"));
#endif
LoadedModulesHead.Next = NULL;
LoadedModulesHead.hModule = NULL;
*Status = STATUS_SUCCESS;
__try {
//
// Query modules list.
//
pModules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation, NULL);
if (pModules == NULL) {
MessageBox(hwndDlg, TEXT("Could not allocate memory for Modules list"), NULL, MB_ICONERROR);
__leave;
}
//
// Check if table already built.
@ -1095,7 +1061,7 @@ VOID SdtListTableShadow(
"win32k.sys");
if (Module == NULL) {
MessageBox(hwndDlg, TEXT("Could not find win32k module"), NULL, MB_ICONERROR);
*Status = ErrShadowWin32kNotFound;
__leave;
}
@ -1106,7 +1072,7 @@ VOID SdtListTableShadow(
//
EnumerationHeap = RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
if (EnumerationHeap == NULL) {
MessageBox(hwndDlg, TEXT("Could not allocate memory"), NULL, MB_ICONERROR);
*Status = ErrShadowMemAllocFail;
__leave;
}
@ -1115,7 +1081,7 @@ VOID SdtListTableShadow(
//
w32u = LoadLibraryEx(TEXT("win32u.dll"), NULL, 0);
if (w32u == NULL) {
MessageBox(hwndDlg, TEXT("Could not load win32u.dll"), NULL, MB_ICONERROR);
*Status = ErrShadowWin32uLoadFail;
__leave;
}
@ -1128,7 +1094,7 @@ VOID SdtListTableShadow(
_strcat(szBuffer, TEXT("\\win32k.sys"));
w32k = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES);
if (w32k == NULL) {
MessageBox(hwndDlg, TEXT("Could not load win32k.sys"), NULL, MB_ICONERROR);
*Status = ErrShadowWin32kLoadFail;
__leave;
}
@ -1138,19 +1104,16 @@ VOID SdtListTableShadow(
//
Win32kApiSetTable = kdQueryWin32kApiSetTable(w32k);
if (Win32kApiSetTable == 0) {
MessageBox(hwndDlg,
TEXT("Win32kApiSetTable was not found, win32k adapters targets will not be determinated."),
NULL,
MB_ICONINFORMATION);
*Status = ErrShadowApiSetNotFound;
}
}
//
// Query win32k!W32pServiceLimit.
//
pServiceLimit = (PULONG)GetProcAddress(w32k, "W32pServiceLimit");
pServiceLimit = (PULONG)GetProcAddress(w32k, KSA_W32pServiceLimit);
if (pServiceLimit == NULL) {
MessageBox(hwndDlg, TEXT("W32pServiceLimit not found in win32k module"), NULL, MB_ICONERROR);
*Status = ErrShadowW32pServiceLimitNotFound;
__leave;
}
@ -1159,7 +1122,7 @@ VOID SdtListTableShadow(
//
w32k_limit = *pServiceLimit;
if (w32k_limit != w32u_limit) {
MessageBox(hwndDlg, TEXT("Not all services found in win32u"), NULL, MB_ICONERROR);
*Status = ErrShadowWin32uMismatch;
__leave;
}
@ -1167,8 +1130,8 @@ VOID SdtListTableShadow(
// Query win32k!W32pServiceTable.
//
RtlSecureZeroMemory(&rfn, sizeof(RESOLVE_INFO));
if (!NT_SUCCESS(NtRawGetProcAddress(w32k, "W32pServiceTable", &rfn))) {
MessageBox(hwndDlg, TEXT("W32pServiceTable not found in win32k module"), NULL, MB_ICONERROR);
if (!NT_SUCCESS(NtRawGetProcAddress(w32k, KSA_W32pServiceTable, &rfn))) {
*Status = ErrShadowW32pServiceTableNotFound;
__leave;
}
@ -1178,7 +1141,7 @@ VOID SdtListTableShadow(
if (NeedApiSetResolve) {
if (!NtLdrApiSetLoadFromPeb(&ApiSetSchemaVersion, (PVOID*)&ApiSetMap)) {
MessageBox(hwndDlg, TEXT("ApiSetSchema map not found"), NULL, MB_ICONERROR);
*Status = ErrShadowApiSetSchemaMapNotFound;
__leave;
}
@ -1186,7 +1149,7 @@ VOID SdtListTableShadow(
// Windows 10+ uses modern ApiSetSchema version, everything else not supported.
//
if (ApiSetSchemaVersion != 6) {
MessageBox(hwndDlg, TEXT("ApiSetSchema version is unknown"), NULL, MB_ICONERROR);
*Status = ErrShadowApiSetSchemaVerUnknown;
__leave;
}
}
@ -1194,8 +1157,7 @@ VOID SdtListTableShadow(
//
// Set global variables.
//
g_kdctx.KeServiceDescriptorTableShadow.Limit = w32k_limit;
g_kdctx.KeServiceDescriptorTableShadow.Base = Win32kBase + (ULONG_PTR)rfn.Function - (ULONG_PTR)w32k;
kernelWin32kBase = Win32kBase + (ULONG_PTR)rfn.Function - (ULONG_PTR)w32k;
//
// Insert SystemRoot\System32\Drivers to the loader directories search list.
@ -1223,7 +1185,7 @@ VOID SdtListTableShadow(
DllModule = NULL;
RtlSecureZeroMemory(&ResolvedModuleName, sizeof(ResolvedModuleName));
Status = SdtResolveServiceEntryModule(fptr,
ntStatus = SdtResolveServiceEntryModule(fptr,
w32k,
ApiSetMap,
Win32kApiSetTable,
@ -1232,23 +1194,23 @@ VOID SdtListTableShadow(
&ResolvedModuleName,
&FunctionName);
if (!NT_SUCCESS(Status)) {
if (!NT_SUCCESS(ntStatus)) {
//
// Most of this errors are not critical and ok.
//
switch (Status) {
switch (ntStatus) {
case STATUS_INTERNAL_ERROR:
DbgPrint("SdtListTableShadow, HDE Error\r\n");
DbgPrint("SdtListCreateTableShadow, HDE Error\r\n");
break;
case STATUS_APISET_NOT_HOSTED:
//
// Corresponding apiset not found.
//
DbgPrint("SdtListTableShadow not an apiset adapter for %s\r\n",
DbgPrint("SdtListCreateTableShadow not an apiset adapter for %s\r\n",
itable->Name);
break;
@ -1256,7 +1218,7 @@ VOID SdtListTableShadow(
//
// ApiSet extension present but empty.
//
DbgPrint("SdtListTableShadow, extension contains a host for a non-existent apiset %s\r\n",
DbgPrint("SdtListCreateTableShadow, extension contains a host for a non-existent apiset %s\r\n",
itable->Name);
break;
@ -1264,13 +1226,13 @@ VOID SdtListTableShadow(
//
// Not a critical issue. This mean we cannot pass this service next to forwarder lookup code.
//
DbgPrint("SdtListTableShadow, could not resolve function name in module for service id %lu, service name %s\r\n",
DbgPrint("SdtListCreateTableShadow, could not resolve function name in module for service id %lu, service name %s\r\n",
itable->Index,
itable->Name);
break;
case STATUS_DRIVER_UNABLE_TO_LOAD:
DbgPrint("SdtListTableShadow, could not load import dll %s\r\n", ResolvedModuleName.Buffer);
DbgPrint("SdtListCreateTableShadow, could not load import dll %s\r\n", ResolvedModuleName.Buffer);
break;
default:
@ -1300,7 +1262,7 @@ VOID SdtListTableShadow(
}
if (!NT_SUCCESS(NtRawGetProcAddress(DllModule, FunctionName, &rfn))) {
DbgPrint("SdtListTableShadow: Could not resolve function %s address\r\n", FunctionName);
DbgPrint("SdtListCreateTableShadow: Could not resolve function %s address\r\n", FunctionName);
break;
}
@ -1352,7 +1314,7 @@ VOID SdtListTableShadow(
}
else {
OutputDebugString(TEXT("SdtListTableShadow, could not load forwarded module\r\n"));
OutputDebugString(TEXT("SdtListCreateTableShadow, could not load forwarded module\r\n"));
}
} // if (ForwarderFunctionName)
@ -1387,6 +1349,7 @@ VOID SdtListTableShadow(
if (W32pServiceTable.Table) {
W32pServiceTable.Allocated = TRUE;
W32pServiceTable.Base = kernelWin32kBase;
//
// Convert table to output format.
@ -1440,19 +1403,7 @@ VOID SdtListTableShadow(
} // if (W32pServiceTable.Allocated == FALSE)
//
// Output shadow table if available.
//
if (W32pServiceTable.Allocated) {
SdtOutputTable(
hwndDlg,
pModules,
W32pServiceTable.Table,
W32pServiceTable.Limit);
}
bResult = W32pServiceTable.Allocated;
}
__finally {
@ -1470,16 +1421,13 @@ VOID SdtListTableShadow(
{
FreeLibrary(ModuleEntry->hModule);
}
if (pModules) supHeapFree(pModules);
if (EnumerationHeap) RtlDestroyHeap(EnumerationHeap);
if (w32u) FreeLibrary(w32u);
if (w32k) FreeLibrary(w32k);
#ifndef _DEBUG
SendMessage(hwndBanner, WM_CLOSE, 0, 0);
#endif
}
return bResult;
}
/*
@ -1496,39 +1444,131 @@ VOID SdtListCreate(
_In_ EXTRASCONTEXT * pDlgContext
)
{
BOOL bSuccess = FALSE;
ULONG returnStatus;
EXTRASCALLBACK CallbackParam;
PRTL_PROCESS_MODULES pModules = NULL;
LPWSTR lpErrorMsg = TEXT("Unknown error");
switch (pDlgContext->DialogMode) {
#ifndef _DEBUG
HWND hwndBanner;
case SST_Ntos:
if (fRescan) {
if (KiServiceTable.Allocated) {
KiServiceTable.Allocated = FALSE;
supHeapFree(KiServiceTable.Table);
KiServiceTable.Limit = 0;
hwndBanner = supDisplayLoadBanner(hwndDlg,
TEXT("Loading service table dump, please wait"));
#endif
__try {
pModules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation, NULL);
if (pModules == NULL) {
MessageBox(hwndDlg, TEXT("Could not allocate memory for kernel modules list"), NULL, MB_ICONERROR);
__leave;
}
if (pDlgContext->DialogMode == SST_Ntos) {
if (fRescan) {
if (KiServiceTable.Allocated) {
KiServiceTable.Allocated = FALSE;
supHeapFree(KiServiceTable.Table);
KiServiceTable.Limit = 0;
}
}
bSuccess = SdtListCreateTable(TRUE);
if (bSuccess) {
SdtListOutputTable(hwndDlg, pModules, &KiServiceTable);
}
}
else if (pDlgContext->DialogMode == SST_Win32k) {
if (fRescan) {
if (W32pServiceTable.Allocated) {
W32pServiceTable.Allocated = FALSE;
supHeapFree(W32pServiceTable.Table);
W32pServiceTable.Limit = 0;
}
}
bSuccess = SdtListCreateTableShadow(pModules, &returnStatus);
if (bSuccess) {
if (returnStatus == ErrShadowApiSetNotFound)
MessageBox(hwndDlg, T_ERRSHADOW_APISETTABLE_NOT_FOUND, PROGRAM_NAME, MB_ICONINFORMATION);
SdtListOutputTable(hwndDlg, pModules, &W32pServiceTable);
}
else {
#ifndef _DEBUG
SendMessage(hwndBanner, WM_CLOSE, 0, 0);
#endif
switch (returnStatus) {
case ErrShadowWin32kNotFound:
lpErrorMsg = T_ERRSHADOW_WIN32K_NOT_FOUND;
break;
case ErrShadowMemAllocFail:
lpErrorMsg = T_ERRSHADOW_MEMORY_NOT_ALLOCATED;
break;
case ErrShadowWin32uLoadFail:
lpErrorMsg = T_ERRSHADOW_WIN32U_LOAD_FAILED;
break;
case ErrShadowWin32kLoadFail:
lpErrorMsg = T_ERRSHADOW_WIN32K_LOAD_FAILED;
break;
case ErrShadowW32pServiceLimitNotFound:
lpErrorMsg = T_ERRSHADOW_WIN32KLIMIT_NOT_FOUND;
break;
case ErrShadowWin32uMismatch:
lpErrorMsg = T_ERRSHADOW_WIN32U_MISMATCH;
break;
case ErrShadowW32pServiceTableNotFound:
lpErrorMsg = T_ERRSHADOW_TABLE_NOT_FOUND;
break;
case ErrShadowApiSetSchemaMapNotFound:
lpErrorMsg = T_ERRSHADOW_APISETMAP_NOT_FOUND;
break;
case ErrShadowApiSetSchemaVerUnknown:
lpErrorMsg = T_ERRSHADOW_APISET_VER_UNKNOWN;
break;
default:
break;
}
MessageBox(hwndDlg, lpErrorMsg, NULL, MB_ICONERROR);
}
}
SdtListTable(hwndDlg);
break;
case SST_Win32k:
if (fRescan) {
if (W32pServiceTable.Allocated) {
W32pServiceTable.Allocated = FALSE;
supHeapFree(W32pServiceTable.Table);
W32pServiceTable.Limit = 0;
}
}
SdtListTableShadow(hwndDlg);
break;
default:
break;
}
__finally {
if (pModules)
supHeapFree(pModules);
#ifndef _DEBUG
SendMessage(hwndBanner, WM_CLOSE, 0, 0);
#endif
}
CallbackParam.lParam = 0;
CallbackParam.Value = pDlgContext->DialogMode;
ListView_SortItemsEx(pDlgContext->ListView, &SdtDlgCompareFunc, (LPARAM)&CallbackParam);
SetFocus(pDlgContext->ListView);
if (bSuccess) {
CallbackParam.lParam = 0;
CallbackParam.Value = pDlgContext->DialogMode;
ListView_SortItemsEx(pDlgContext->ListView, &SdtDlgCompareFunc, (LPARAM)&CallbackParam);
SetFocus(pDlgContext->ListView);
}
}
/*
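Review bot: In SdtListCreate the load banner is closed twice on the win32k failure path: once by `SendMessage(hwndBanner, WM_CLOSE, 0, 0)` just before the error switch and again in `__finally`, so the second message goes to a handle that may already be destroyed. The other two message boxes (the modules-list allocation failure and the `ErrShadowApiSetNotFound` notice) are shown while the banner is still up, so the three paths behave differently. Clearing the handle after the early close, `SendMessage(hwndBanner, WM_CLOSE, 0, 0); hwndBanner = NULL;`, and guarding the final call with `if (hwndBanner)` would make the close single-shot. Separately, the SST_Ntos path shows nothing to the user when SdtListCreateTable returns FALSE.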


@ -4,9 +4,9 @@
*
* TITLE: EXTRASSSDT.H
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 08 Dec 2019
* DATE: 25 Feb 2019
*
* Common header file for Service Table dialog.
*
@ -25,8 +25,9 @@ typedef struct _SERVICETABLEENTRY {
} SERVICETABLEENTRY, *PSERVICETABLEENTRY;
typedef struct _SDT_TABLE {
ULONG Limit;
BOOL Allocated;
ULONG Limit;
ULONG_PTR Base;
PSERVICETABLEENTRY Table;
} SDT_TABLE, *PSDT_TABLE;


@ -6,7 +6,7 @@
*
* VERSION: 1.84
*
* DATE: 13 Feb 2020
* DATE: 29 Feb 2020
*
* Common header file for the Windows Object Explorer.
*
@ -77,6 +77,7 @@
#include <ntsecapi.h>
#undef _NTDEF_
#include "ksymbols.h"
#include "objects.h"
#include "kldbg.h"
#include "drvhelper.h"


@ -6,7 +6,7 @@
*
* VERSION: 1.84
*
* DATE: 22 Feb 2019
* DATE: 24 Feb 2019
*
* Common header file for the Kernel Debugger Driver support.
*
@ -110,7 +110,6 @@ typedef struct _KLDBGCONTEXT {
//syscall tables related info
ULONG_PTR KeServiceDescriptorTableShadowPtr;
KSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
KSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTableShadow;
//system range start
ULONG_PTR SystemRangeStart;
@ -200,10 +199,10 @@ typedef struct _OBJREF {
#define NT_WIN10_19H2 18363
// Windows 10 20H1
#define NTX_WIN10_20H1 19037
#define NTX_WIN10_20H1 19041
// Windows 10 20H2
#define NTX_WIN10_20H2 19536
#define NTX_WIN10_20H2 19569
//
// Defines for boundary descriptors


@ -0,0 +1,26 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2020
*
* TITLE: KSYMBOLS.H
*
* VERSION: 1.84
*
* DATE: 29 Feb 2020
*
* Header file for kernel symbol names.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
#define KSW_KiServiceTable L"KiServiceTable"
#define KSW_KiServiceLimit L"KiServiceLimit"
#define KSW_W32pServiceTable L"W32pServiceTable"
#define KSW_W32pServiceLimit L"W32pServiceLimit"
#define KSA_W32pServiceTable "W32pServiceTable"
#define KSA_W32pServiceLimit "W32pServiceLimit"
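Review bot: The new header does not explain its two prefixes. From their use in this commit, the `KSW_` names are wide strings formatted into the status bar with `%ws`, and the `KSA_` names are narrow strings passed to `GetProcAddress` and `NtRawGetProcAddress`. A comment above each group, such as `// KSW_*: wide-character symbol names for display` and `// KSA_*: ANSI symbol names for export lookup`, would record that. The wide literals are also assigned to a non-const `LPWSTR` in SdtListOutputTable, where `LPCWSTR` would be the safer type.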


@ -6,7 +6,7 @@
*
* VERSION: 1.84
*
* DATE: 22 Feb 2020
* DATE: 29 Feb 2020
*
* Common header file for the user interface.
*
@ -305,3 +305,25 @@ static LPCWSTR g_szMonths[12] = {
#define T_WOBJINIT_NOLISTWND TEXT("Could not create tree window, abort")
#define T_WOBJINIT_NOTREEWND TEXT("Could not create list window, abort")
#define T_WOBJINIT_NOTLBARWND TEXT("Could not create toolbar window, abort")
#define ErrShadowWin32kNotFound 1
#define ErrShadowMemAllocFail 2
#define ErrShadowWin32uLoadFail 3
#define ErrShadowWin32kLoadFail 4
#define ErrShadowApiSetNotFound 5
#define ErrShadowW32pServiceLimitNotFound 6
#define ErrShadowWin32uMismatch 7
#define ErrShadowW32pServiceTableNotFound 8
#define ErrShadowApiSetSchemaMapNotFound 9
#define ErrShadowApiSetSchemaVerUnknown 10
#define T_ERRSHADOW_WIN32K_NOT_FOUND TEXT("Could not find win32k module")
#define T_ERRSHADOW_MEMORY_NOT_ALLOCATED TEXT("Could not create heap for table")
#define T_ERRSHADOW_WIN32U_LOAD_FAILED TEXT("Could not load win32u.dll")
#define T_ERRSHADOW_WIN32K_LOAD_FAILED TEXT("Could not load win32k.sys")
#define T_ERRSHADOW_APISETTABLE_NOT_FOUND TEXT("Win32kApiSetTable was not found, win32k adapters targets will not be determinated")
#define T_ERRSHADOW_WIN32KLIMIT_NOT_FOUND TEXT("W32pServiceLimit not found in win32k module")
#define T_ERRSHADOW_WIN32U_MISMATCH TEXT("Not all services found in win32u")
#define T_ERRSHADOW_TABLE_NOT_FOUND TEXT("W32pServiceTable not found in win32k module")
#define T_ERRSHADOW_APISETMAP_NOT_FOUND TEXT("ApiSetSchema map not found")
#define T_ERRSHADOW_APISET_VER_UNKNOWN TEXT("ApiSetSchema version is unknown")
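Review bot: The `ErrShadow*` codes start at 1 and have no named success value, yet SdtListCreateTableShadow initialises its `_Out_ PULONG Status` with `STATUS_SUCCESS`, which mixes an NTSTATUS constant into a private code space. `ErrShadowApiSetNotFound` also behaves as a warning rather than an error, since the function carries on and the caller shows it as information when the call succeeds. A `typedef enum` with an explicit `ErrShadowNone = 0` first member, plus a comment marking code 5 as non-fatal, would make the contract readable and keep the codes and the `T_ERRSHADOW_*` strings easier to match up. The message text `determinated` (likely meant as `determined`) was carried over unchanged from the old inline string.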


@ -1,11 +1,11 @@
8e1c7d83f179b6bbf4b58f8197bd818b8a2306e6b3ecd901e9f51eae024277c9 *Compiled\WHATSNEW_170.md
e192abb83dded0fe227f3fe69cb0ac7aaa197941917afd497b4cf8796a03e041 *Compiled\WHATSNEW_173.md
fa001b1ac9bbbb6c954d5dd609de60fa2b0277a6cfe35f6428591e4b4b1e8453 *Compiled\WHATSNEW_180.md
6c3f0228938008ed3c45266ce38d3ecd98145c473e7a072c915eb2b7b8fa15f4 *Compiled\WinObjEx64.chm
ee64950d64a8e79bb87bbb56c2560636b3b25e5d2f5ce9f7bdd21efae856ac39 *Compiled\WinObjEx64.exe
fed1777aecfd299cfb130385dc146725829cd3aa82585d62cda72ea08829a52e *Compiled\plugins\ApiSetView.dll
ffa9ed459d2fcd27cb495da1494b2f8bbe5c1601c3d2aa4685e603907150f0d9 *Compiled\plugins\ExamplePlugin.dll
b41df9a5014f7a4d60354eebfd2447edf14a8a2facd38954999f2ff07b406c84 *Compiled\plugins\Sonar.dll
a2be8120b1177291f633a5c7ca80c7a5f98c9dae340105d44b2778c78664ffe7 *Compiled\WinObjEx64.chm
947bf327031f48e42cb2cea1c74f95e13e129551d10adbbc04307cd1c8eead4f *Compiled\WinObjEx64.exe
6a721a314fa7cb6843b5ad393bbbcc5226babb1853a9aa4b8092ebb3d50d53c5 *Compiled\plugins\ApiSetView.dll
79b1e709764ee1e1ff0da7f6264615c6a17252d098766bbdcf5c67b890c1cf4a *Compiled\plugins\ExamplePlugin.dll
a9342ebb0981c1f9fe50a3fdddb33656144eacfeb5c4b3e0fd9002c81b03d4dc *Compiled\plugins\Sonar.dll
0505a450a13d5b742df2395c90af4e3029b05ce2157ee68f0c9e18a580c88091 *Docs\Callbacks.pdf
fc01ac3fb19096e4b17d254898712c8e7c4e8715c3a24340b6f9926da7b3e8eb *Docs\Plugins.pdf
fba30e9030b549408da8e2efceb0d1aa0089d5c6621b664eba0b34b01a1a0a2e *Screenshots\ApiSetView.png
@ -30,7 +30,7 @@ ef65a909e8d9bc7ec94ecbc0f465f24a7968d6675eadf7f25f6414c66d6b28be *Screenshots\Vi
db0ab26d20a62ba7c9c844e916e88168b72a7e52932d3483eb2d0a2e535b75a8 *Screenshots\ViewingUserSharedData.png
9e2b64f390c609172c5791dd138a748d31bf4d2cc839f01dbd514afe1cdfd083 *Screenshots\W32pServiceTableView.png
3115fae1a35eaf46211b45039a6bfed8ba44835a14626a6412140a1b386cadf0 *Source\CHANGELOG.txt
6331b02a5e7279d4026068d446fdea840e1d92871b259edd4e93e19289be484f *Source\FILELIST.txt
5ab8df40cfcbd40fb3b57d71c6453717f204841a44f7c0873dc1d0304687d3c6 *Source\FILELIST.txt
55eed414926c47b0bfc5000eeabb882d77d78e17b5be94ca229e681f009b0740 *Source\TypesWithNoDesc.txt
5c3db7ba8efc8c21cc972f99e9ec048b927ebc1ff805bb85c931adb3421a9e05 *Source\WinObjEx64.sln
39a976ac4e1b76c2058815c5017bd3acceb69950286cfdf8c5704b7e31b8cca0 *Source\DrvStore\kldbgdrv.sys
@ -55,12 +55,12 @@ e953b026d0f383188c753487df0a4d879fa5da5ba82ac979aa877db84e89a060 *Source\Plugins
236d481aea59ebee048bbb52aefc935cd6789a4246dfb762bc92ebbe721d5a0d *Source\Plugins\ExamplePlugin\Resource.rc
6b2236b93693d4830feb90ee504ae03555d4882d4c301bea55f7980973b5fb32 *Source\Plugins\Sonar\export.def
e328a69e6393288544a5be3bd2e234b866831008cbbf2de6f9962c2bda8d793a *Source\Plugins\Sonar\global.h
d56dae2c69f555e48a57fe907fae54fc8352e34a73b1571cd7461ac8da9f27b3 *Source\Plugins\Sonar\main.c
678f11c35c64392c4a36dc47e06c63a3ad66e22819424e041bb7c20ce9890312 *Source\Plugins\Sonar\ndis.h
0b5d16d981af455a7176f9e91daff498bfabdbe81ceb3840ed13d922f45efe36 *Source\Plugins\Sonar\query.c
ed4ed02b7459f5f6c22d99c68f889a93a3bf84088c100f9f64d819d22ddab571 *Source\Plugins\Sonar\query.h
15a415352b119230a5dbdf83ff81d6bc095becb81e6527d4ca720d6fe63f526c *Source\Plugins\Sonar\main.c
4cfc93af2f0d67e8818e75abd0589b7f45bf13e817bfefc31c564c300ba7b94e *Source\Plugins\Sonar\ndis.h
41bf6a92b05d0cc1d6ecab6b479cfdde7282be425b9f36968a030a4e25b2626b *Source\Plugins\Sonar\query.c
ef5297f3303c71a55250f3b7ed961d5e9606ec6afa28307b5974d5b99409eb52 *Source\Plugins\Sonar\query.h
e9401523838c114fe616759d58d21e347f82bf47ff8ecdf11e9462e97c13305c *Source\Plugins\Sonar\resource.h
159d56bb46df272a5814d7ca630ce0258a71188c2ab5fe11676edb343c0809e9 *Source\Plugins\Sonar\Resource.rc
f273a44775c703299e6174c6f61f87ccb1ca004e0c06eea3424da907fbc87ab4 *Source\Plugins\Sonar\Resource.rc
84cb5b83cb96df3414ee0e5c374cc5bea40bcb7ceab702a7c30d124f391d1340 *Source\Plugins\Sonar\Sonar.vcxproj
eb12b2a3fb5d25eb2c88340e2c41b2711aaf57adf0c2a8658f931f6f70a76009 *Source\Plugins\Sonar\Sonar.vcxproj.filters
e953b026d0f383188c753487df0a4d879fa5da5ba82ac979aa877db84e89a060 *Source\Plugins\Sonar\Sonar.vcxproj.user
@ -97,7 +97,7 @@ dfa2b16aa3246a8aca662ea525770a4585618de35550aeb2dca40abd52d2afd9 *Source\Shared\
0cd425ef96247657ab55443c9b3bc9a90f0c18f634979942693553d0f764c601 *Source\Shared\ntos\ntalpc.h
2f35ba7b6b92421bded97e177f39f947e359c86fe1805758e69907f6673074d3 *Source\Shared\ntos\ntldr.c
72162367a2038cd58d7f89d6cad0fdf4f98c0bfa570fb36df8cce73e6a93b8f6 *Source\Shared\ntos\ntldr.h
f5a3e6730087c27936282bcefa1207da01ff340a63e24c38e5a4ddfef4423752 *Source\Shared\ntos\ntos.h
fa4c25d7dd31e3d8c39ce3caea902acbf45f7ffbc12af2b1618fe13ce4807d78 *Source\Shared\ntos\ntos.h
14b0a442647904db5476d14a1d9710bd83587f168b4b182465e5902d24676870 *Source\Shared\ntuser\StubNtUserOpenWindowStation.asm
97a3935877993ecf9a433568b22ee457aab530e53d8a4c3af0d40d02c1ad347b *Source\Shared\treelist\treelist.c
c5569b768244e86e1c961c28e6f11831f219953093c9e4cd35414e4008b3de80 *Source\Shared\treelist\treelist.h
@ -113,12 +113,13 @@ df88d2d3dc992aea7a6883cc162d5de2151b5a8ebb04c94f406297939849568e *Source\WinObjE
ac5f42d81b97903c6a388c1044d33c58e5f4d59d7582883c3b1977134a43dea5 *Source\WinObjEx64\extdef.h
2d79ed215d293b2976ac5bc1cf084d6f8183fb3c65b4b0e06cbb71c617bbeaf4 *Source\WinObjEx64\findDlg.c
8cc5a4ba98d74221405a13cde0f357db970500a4b44c711b5fd97d30cce904e8 *Source\WinObjEx64\findDlg.h
08af3e53d710c96de17c8e202d446df7a4235b84ea75426e782401541af0f7f8 *Source\WinObjEx64\global.h
76cbf66951f90da117263724273b536254a1996e7b13d3ddc4b9b70414725a9c *Source\WinObjEx64\global.h
b977fe65b7571a1f5e630b1f0af3f523e09cd153ec7f3b24d8df5f090ed4b33c *Source\WinObjEx64\instdrv.c
9fdf8d26ea566d84e8907d7363f418263a2b9f3d5aa4df2f1211a28c29e0646b *Source\WinObjEx64\instdrv.h
87441e7416412fc6d5f6dd402f9cb5d72ef240e654ea0045d8ea6ec33daa3e3d *Source\WinObjEx64\kldbg.c
1f089f7a5ceaa1fff056447dce0e93a45a9c9a2464b66b27ce968c8cbf03ac11 *Source\WinObjEx64\kldbg.h
0cd206cc230f1f4dd110ef2f30128aee3dc48439e6fa8f87dc46cb483e9c558d *Source\WinObjEx64\kldbg.h
9a8c79655737ead564c10cd5bc2dd8c616c9cb57c74f6a02f2210b2f2368e44d *Source\WinObjEx64\kldbg_patterns.h
c01b020555ba5e12d42780ed27e6d42f479a5cdc67b571ee6de2ddd1f8bf55ca *Source\WinObjEx64\ksymbols.h
95d7a0848b06bebcdfcf31edd297a81dcc6b3d29988b238a34a254d6d45cf8a7 *Source\WinObjEx64\list.c
b490a01e298d0567ae624c0d1aecd5921cd56f5cba3e9512c88053faec089799 *Source\WinObjEx64\list.h
4012c4b1675c73edf70fab1a3494067f8afbe909e80ba5c95ace45e363d7cc76 *Source\WinObjEx64\main.c
@ -132,12 +133,12 @@ cc857bf7b2bd66badddc9a8ea54a53b3af93da3989abf0494dc8a9d059a2d229 *Source\WinObjE
3d7aaca6e0cbc42fc544abcabb308d79285359464f5ab4b1738104178e30fdab *Source\WinObjEx64\sup.c
8be6751077fb0b50c39a348ece5cfbc3b1361196d1f2e71d9924788ef2e83a22 *Source\WinObjEx64\sup.h
cc4a635c99b8165437e3a441d8d65012170aedbc91c839497e03d58ef104a8fd *Source\WinObjEx64\supConsts.h
2af1d95ac1999984bfef3920829b306b7b2c41f889d91c683e5a7221d20a80c1 *Source\WinObjEx64\ui.h
37aac1fc88585399b8e93a74b8d6828da1207e58d3499505d92340457c968fa8 *Source\WinObjEx64\ui.h
94be7b80c1fd8bbc3208b8370962b8cc8827cacb1ccb8136023bf21fb5fccb69 *Source\WinObjEx64\wine.c
3d81ad5d6123ea2a980c53ceb59525dbbafd7f42a2438b1ba2de80b777df555d *Source\WinObjEx64\wine.h
48318790f345418b5b2e03ec624258701bdc9deadefc48aa27ee6266dc95caac *Source\WinObjEx64\winedebug.h
123bf465bf842b34e9f88dbbe8069d234df3f94811110ed4cd009b4ea0e7c89e *Source\WinObjEx64\WinObjEx64.vcxproj
e24519235833384334df1623617ba30dd4cfb17469284952e546c833c8f4cbe6 *Source\WinObjEx64\WinObjEx64.vcxproj.filters
3cfac154c764a3c1971340c4d2c35b7faaded7a9ced872bfa2ffeaa10b8a4c93 *Source\WinObjEx64\WinObjEx64.vcxproj
2d2e0e2736906992b8787639c4bfb0e1abcc83798cab88900fd78a50921897b5 *Source\WinObjEx64\WinObjEx64.vcxproj.filters
d9f508722dcd611b15bc3f5a4c39316ce00fbf712b879726eaee7652fcdc4fd9 *Source\WinObjEx64\WinObjEx64.vcxproj.user
277e9810d5f23dbb4b078b4a0b21ac11dce1e6924a2ec7aede31563ee00bd131 *Source\WinObjEx64\extras\extras.c
d3faf1ca46ea09c764964be6e34763739b293cf60117a6e796026f173fb4ed0c *Source\WinObjEx64\extras\extras.h
@ -154,8 +155,8 @@ d21e27bf35c5add1eedec3234fb358fbbc4c585c3de22326ac9581b59a8983d0 *Source\WinObjE
b7aa665c89b297d329f45e2a8b61fd379f778dcf01ae50c339f87da06bb0ff46 *Source\WinObjEx64\extras\extrasPSList.h
f5cd689fc8bf4722af5317e4f0e86df568c08129d34441ab2aad2bee54d4bdd1 *Source\WinObjEx64\extras\extrasSL.c
4244c8135ae3737d421d0cca525b786dbc3305670178cc2da5c56613248e7875 *Source\WinObjEx64\extras\extrasSL.h
effdcd407cad71cd90efd3c423352864e040c3a28e98542215a2521a02dffc46 *Source\WinObjEx64\extras\extrasSSDT.c
2294b524924fc59006ef92755490c595a4e5c2017a6b208c13bec999a67a2d3d *Source\WinObjEx64\extras\extrasSSDT.h
ef2c73263aea41f6866ca79738491407c43d96ec1046a4af11ec27fb56f66b13 *Source\WinObjEx64\extras\extrasSSDT.c
d973da33110032b795dda450f8284178036f8759171f3ac36596d5ea6063bc8d *Source\WinObjEx64\extras\extrasSSDT.h
eaa378b50d04dc67e13d3ff772b276adc0d3e6d842c7ae1a91a36df3e3cb6764 *Source\WinObjEx64\extras\extrasUSD.c
7930e7db71ab690c9ee95f9aaa5eee7ecb51023978677b85cf478cef5f58b5d8 *Source\WinObjEx64\extras\extrasUSD.h
16726c4330d7db5d56a5a11503314533b170783441c3f8282b66f126295a289e *Source\WinObjEx64\hde\hde64.c