Rooba
/
WinObjEx64
mirror of https://github.com/hfiref0x/WinObjEx64.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

1.7.2 

symbolic link object dump
internal fixes after profiling
support for 19H1 SeCiCallbacks scan
added and updated more object type descriptions
This commit is contained in:
hfiref0x 2019-03-02 10:38:26 +07:00
parent b3b931f4a0
commit e1addb483d
No known key found for this signature in database
GPG Key ID: 5A20EE3C6F09AF95
47 changed files with 1734 additions and 1103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
Compiled/WHATSNEW.md → Compiled/WHATSNEW_170.md
View File

BIN
Compiled/WinObjEx64.chm
View File

Binary file not shown.

BIN
Compiled/WinObjEx64.exe
View File

Binary file not shown.

2
README.md
View File

@ -36,7 +36,7 @@ In order to build from source you need Microsoft Visual Studio 2013 U4 or Visual
# What is new
[Whats New in 1.7](https://github.com/hfiref0x/WinObjEx64/blob/master/Compiled/WHATSNEW.md)
[Whats New in 1.7](https://github.com/hfiref0x/WinObjEx64/blob/master/Compiled/WHATSNEW_170.md)
# Authors

6
Source/CHANGELOG.txt
View File

@ -1,3 +1,9 @@
v1.7.2
+ symbolic link object dump
+ internal fixes after profiling
+ support for 19H1 SeCiCallbacks scan
+ added and updated more object type descriptions
v1.7.1
+ SeCiCallbacks/g_CiCallbacks, DbgkLmdCallbacks added to the callbacks viewer
+ Session object view and access rights, merge pull request #8 #9

2
Source/FILELIST.txt
View File

@ -51,7 +51,7 @@ minirtl.h
msvcver.h - MS VisualC compiler versions header file
objects.c - known objects support functions
objects.h
objects.h - known objects table
propBasic.c - property sheet "Basic" handlers, including window procedures
propBasic.h

37
Source/TypesWithNoDesc.txt
View File

@ -1,23 +1,16 @@
CoverageSampler - new RS4 object, ETW
DmaAdapter
DmaDomain
IoCompletionReserve - same as IoCompletion except using reserve process allocated memory
RawInputManager - DirectX Kernel Subsystem object
UserApcReserve - same as NtQueueApc except using reserve process allocated memory
WaitCompletionPacket
Silo (r3 interface removed in 10240 release, object removed in TH2 builds)
NetworkNamespace - managed by NDIS.sys (renamed to NdisCmState in RS1)
VRegConfigurationContext - new RS1 object
VirtualKey - new RS1 object (not present in RS2)
PsSiloContextPaged - new RS1 object
PsSiloContextNonPaged - new RS1 object
RegistryTransaction - new RS1 object
CoreMessagining - new RS1 object
ActivityReference - new RS2 object
EtwSessionDemuxEntry - new Win10 object
DxgkCompositionObject - Dxgk
DxgkDisplayManagerObject - Dxgk
DxgkSharedBundleObject - Dxgk
DxgkSharedKeyedMutextObject - Dxgk
DxgkSharedProtectedSessionObject - Dxgk
ActivationObject - 19H1, win32k managed object
ActivityReference - new RS2 object
CoreMessagining - new RS1 object, win32k managed object
CoverageSampler - new RS4 object, ETW
EtwSessionDemuxEntry - new Win10 object
IoCompletionReserve - same as IoCompletion except using reserve process allocated memory
NetworkNamespace - managed by NDIS.sys (renamed to NdisCmState in RS1)
PsSiloContextNonPaged - new RS1 object
PsSiloContextPaged - new RS1 object
RawInputManager - win32k managed object
Silo (r3 interface removed in 10240 release, object removed in TH2 builds)
UserApcReserve - same as NtQueueApc except using reserve process allocated memory
VirtualKey - new RS1 object (not present in RS2)
VRegConfigurationContext - new RS1 object
WaitCompletionPacket

BIN
Source/WinObjEx64/Resource.rc
View File

Binary file not shown.

2
Source/WinObjEx64/WinObjEx64.vcxproj
View File

@ -190,7 +190,6 @@
<SetChecksum>true</SetChecksum>
<AdditionalOptions>/NOCOFFGRPINFO %(AdditionalOptions)</AdditionalOptions>
<LinkTimeCodeGeneration>UseFastLinkTimeCodeGeneration</LinkTimeCodeGeneration>
<ShowProgress>LinkVerboseLib</ShowProgress>
</Link>
<Manifest>
<SuppressStartupBanner>false</SuppressStartupBanner>
@ -522,6 +521,7 @@
<Image Include="rsrc\146.ico" />
<Image Include="rsrc\147.ico" />
<Image Include="rsrc\148.ico" />
<Image Include="rsrc\149.ico" />
<Image Include="rsrc\6001.ico" />
<Image Include="rsrc\6002.ico" />
<Image Include="rsrc\Bitmap_125.bmp" />

3
Source/WinObjEx64/WinObjEx64.vcxproj.filters
View File

@ -513,6 +513,9 @@
<Image Include="rsrc\mailslot.ico">
<Filter>Resource Files\graphics</Filter>
</Image>
<Image Include="rsrc\149.ico">
<Filter>Resource Files</Filter>
</Image>
</ItemGroup>
<ItemGroup>
<MASM Include="ntuser\StubNtUserOpenWindowStation.asm">

27
Source/WinObjEx64/aboutDlg.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: ABOUTDLG.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 03 Dec 2018
* DATE: 03 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -123,6 +123,7 @@ VOID AboutDialogInit(
if (supQuerySecureBootState(&bSecureBoot)) {
wsprintf(_strend(szBuffer), TEXT(" with%ws SecureBoot"), (bSecureBoot == TRUE) ? TEXT("") : TEXT("out"));
}
g_kdctx.IsSecureBoot = bSecureBoot;
}
}
else {
@ -144,10 +145,28 @@ VOID AboutDialogInit(
VOID AboutDialogCollectGlobals(
_In_ LPWSTR lpDestBuffer)
{
_strcpy(lpDestBuffer, TEXT("EnableExperimentalFeatures: "));
wsprintf(lpDestBuffer, TEXT("Winver: %u.%u.%u"),
g_WinObj.osver.dwMajorVersion,
g_WinObj.osver.dwMinorVersion,
g_WinObj.osver.dwBuildNumber);
_strcat(lpDestBuffer, TEXT("\r\n"));
_strcat(lpDestBuffer, TEXT("IsSecureBoot: "));
ultostr(g_kdctx.IsSecureBoot, _strend(lpDestBuffer));
_strcat(lpDestBuffer, TEXT("\r\n"));
_strcat(lpDestBuffer, TEXT("EnableExperimentalFeatures: "));
ultostr(g_WinObj.EnableExperimentalFeatures, _strend(lpDestBuffer));
_strcat(lpDestBuffer, TEXT("\r\n"));
_strcat(lpDestBuffer, TEXT("drvOpenLoadStatus: "));
ultostr(g_kdctx.drvOpenLoadStatus, _strend(lpDestBuffer));
if (g_kdctx.drvOpenLoadStatus == 0) {
_strcat(lpDestBuffer, TEXT(" (reported as OK)"));
}
_strcat(lpDestBuffer, TEXT("\r\n"));
_strcat(lpDestBuffer, TEXT("IsFullAdmin: "));
ultostr(g_kdctx.IsFullAdmin, _strend(lpDestBuffer));
_strcat(lpDestBuffer, TEXT("\r\n"));

6
Source/WinObjEx64/extapi.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017 - 2018
* (C) COPYRIGHT AUTHORS, 2017 - 2019
*
* TITLE: EXTAPI.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 03 Dec 2018
* DATE: 06 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED

91
Source/WinObjEx64/extras/extrasCallbacks.c
View File

@ -4,9 +4,9 @@
*
* TITLE: EXTRASCALLBACKS.C
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 26 Jan 2019
* DATE: 28 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -188,8 +188,8 @@ static const BYTE CiCallbackIndexes_Win10RS3[CI_CALLBACK_NAMES_W10RS3_COUNT] = {
22 //CiGetBuildExpiryTime
};
#define CI_CALLBACK_NAMES_W10RS4_RS5_COUNT 24
static const BYTE CiCallbackIndexes_Win10RS4_RS5[CI_CALLBACK_NAMES_W10RS4_RS5_COUNT] = { //Windows 10 RS4/RS5
#define CI_CALLBACK_NAMES_W10RS4_19H1_COUNT 24
static const BYTE CiCallbackIndexes_Win10RS4_19H1[CI_CALLBACK_NAMES_W10RS4_19H1_COUNT] = { //Windows 10 RS4/RS5/19H1
0, //CiSetFileCache
1, //CiGetFileCache
2, //CiQueryInformation
@ -271,12 +271,10 @@ LPWSTR GetCiRoutineNameFromIndex(
case 17134:
case 17763:
Indexes = CiCallbackIndexes_Win10RS4_RS5;
ArrayCount = CI_CALLBACK_NAMES_W10RS4_RS5_COUNT;
break;
default:
return T_Unknown;
Indexes = CiCallbackIndexes_Win10RS4_19H1;
ArrayCount = CI_CALLBACK_NAMES_W10RS4_19H1_COUNT;
break;
}
if (Index >= ArrayCount)
@ -653,7 +651,8 @@ ULONG_PTR FindPopRegisteredPowerSettingCallbacks(
if (hs.len == 7) {
//
// lea rcx, PopRegisteredPowerSettingCallbacks
// mov [rbx + 8], rax
// mov [rbx + 8], rax |
// cmp [rax], rcx
//
if ((ptrCode[Index] == 0x48) &&
(ptrCode[Index + 1] == 0x8D) &&
@ -1299,6 +1298,10 @@ ULONG_PTR FindDbgkLmdCallbacks(
if (hs.len == 7) { //check if lea
//
// lea rcx, DbgkLmdCallbacks
//
if (((ptrCode[Index] == 0x4C) || (ptrCode[Index] == 0x48)) &&
(ptrCode[Index + 1] == 0x8D))
{
@ -2074,7 +2077,7 @@ VOID DumpObCallbacks(
sizeof(Registration),
NULL))
{
AltitudeSize = 8 + Registration.Altitude.Length;
AltitudeSize = 8 + (SIZE_T)Registration.Altitude.Length;
lpInfoBuffer = (LPWSTR)supHeapAlloc(AltitudeSize);
if (lpInfoBuffer) {
@ -2798,7 +2801,7 @@ VOID CallbacksList(
_In_ HWND hwndDlg,
_In_ HWND TreeList)
{
PRTL_PROCESS_MODULES Modules;
PRTL_PROCESS_MODULES Modules = NULL;
__try {
//
@ -2879,14 +2882,15 @@ VOID CallbacksList(
MessageBox(hwndDlg, TEXT("An exception occured during callback query"), NULL, MB_ICONERROR);
}
Modules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
if (Modules == NULL) {
MessageBox(hwndDlg, TEXT("Could not allocate memory for modules list."), NULL, MB_ICONERROR);
return;
}
__try {
Modules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
if (Modules == NULL) {
MessageBox(hwndDlg, TEXT("Could not allocate memory for modules list."), NULL, MB_ICONERROR);
__leave;
}
//
// List process callbacks.
//
@ -3117,8 +3121,10 @@ VOID CallbacksList(
}
__finally {
supHeapFree(Modules);
if (Modules) supHeapFree(Modules);
}
SetFocus(TreeList);
}
/*
@ -3142,6 +3148,9 @@ VOID CallbacksDialogHandlePopupMenu(
hMenu = CreatePopupMenu();
if (hMenu) {
InsertMenu(hMenu, 0, MF_BYCOMMAND, ID_OBJECT_COPY, T_COPYADDRESS);
InsertMenu(hMenu, 1, MF_BYPOSITION | MF_SEPARATOR, 0, NULL);
InsertMenu(hMenu, 2, MF_BYCOMMAND, ID_VIEW_REFRESH, T_VIEW_REFRESH);
TrackPopupMenu(hMenu, TPM_RIGHTBUTTON | TPM_LEFTALIGN, pt1.x, pt1.y, 0, hwndDlg, NULL);
DestroyMenu(hMenu);
}
@ -3210,6 +3219,42 @@ VOID CallbacksDialogCopyAddress(
}
}
/*
* CallbackDialogContentRefresh
*
* Purpose:
*
* Refresh callback list handler.
*
*/
VOID CallbackDialogContentRefresh(
_In_ HWND hwndDlg,
_In_ EXTRASCONTEXT *pDlgContext,
_In_ BOOL fResetContent
)
{
#ifndef _DEBUG
HWND hwndBanner = supDisplayLoadBanner(hwndDlg,
TEXT("Processing callbacks list, please wait"));
#endif
__try {
SetCapture(hwndDlg);
if (fResetContent) TreeList_ClearTree(pDlgContext->TreeList);
CallbacksList(hwndDlg, pDlgContext->TreeList);
}
__finally {
ReleaseCapture();
#ifndef _DEBUG
SendMessage(hwndBanner, WM_CLOSE, 0, 0);
#endif
}
}
/*
* CallbacksDialogProc
*
@ -3271,6 +3316,12 @@ INT_PTR CALLBACK CallbacksDialogProc(
CallbacksDialogCopyAddress(pDlgContext->TreeList);
}
break;
case ID_VIEW_REFRESH:
pDlgContext = (EXTRASCONTEXT*)GetProp(hwndDlg, T_DLGCONTEXT);
if (pDlgContext) {
CallbackDialogContentRefresh(hwndDlg, pDlgContext, TRUE);
}
break;
default:
break;
}
@ -3362,7 +3413,7 @@ VOID extrasCreateCallbacksDialog(
hdritem.pszText = TEXT("Additional Information");
TreeList_InsertHeaderItem(pDlgContext->TreeList, 2, &hdritem);
CallbacksList(hwndDlg, pDlgContext->TreeList);
CallbackDialogContentRefresh(hwndDlg, pDlgContext, FALSE);
}
SendMessage(hwndDlg, WM_SIZE, 0, 0);

12
Source/WinObjEx64/extras/extrasDrivers.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2018
* (C) COPYRIGHT AUTHORS, 2016 - 2019
*
* TITLE: EXTRASDRIVERS.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 10 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -174,7 +174,7 @@ VOID DrvListDrivers(
)
{
BOOL bCond = FALSE;
INT index;
INT index, iImage;
ULONG i;
LVITEM lvitem;
WCHAR szBuffer[MAX_PATH + 1];
@ -187,6 +187,8 @@ VOID DrvListDrivers(
if (pModulesList == NULL)
break;
iImage = ObManagerGetImageIndexByTypeIndex(ObjectTypeDriver);
for (i = 0; i < pModulesList->NumberOfModules; i++) {
pModule = &pModulesList->Modules[i];
@ -199,7 +201,7 @@ VOID DrvListDrivers(
//LoadOrder
lvitem.mask = LVIF_TEXT | LVIF_IMAGE;
lvitem.iItem = MAXINT;
lvitem.iImage = ObjectTypeDriver; //imagelist id
lvitem.iImage = iImage;
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
ultostr(pModule->LoadOrderIndex, szBuffer);
lvitem.pszText = szBuffer;

10
Source/WinObjEx64/extras/extrasPN.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: EXTRASPN.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -197,14 +197,14 @@ BOOL CALLBACK PNDlgEnumerateCallback(
(PVOID)Entry->ObjectAddress,
Entry->TypeIndex);
TypeName = g_ObjectTypes[ConvertedTypeIndex].Name;
TypeName = ObManagerGetNameByIndex(ConvertedTypeIndex);
//Name
RtlSecureZeroMemory(&lvitem, sizeof(lvitem));
lvitem.mask = LVIF_TEXT | LVIF_IMAGE | LVIF_PARAM;
lvitem.iSubItem = 0;
lvitem.iItem = MAXINT;
lvitem.iImage = ConvertedTypeIndex;
lvitem.iImage = ObManagerGetImageIndexByTypeIndex(ConvertedTypeIndex);
lvitem.pszText = Entry->ObjectName;
lvitem.lParam = (LPARAM)Entry;
index = ListView_InsertItem(PnDlgContext.ListView, &lvitem);

34
Source/WinObjEx64/extras/extrasPSList.c
View File

@ -4,9 +4,9 @@
*
* TITLE: EXTRASPSLIST.C
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 31 Jan 2019
* DATE: 04 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -304,25 +304,29 @@ HTREEITEM AddProcessEntryTreeList(
//
// 3. Store processes.
//
if (g_ExtApiSet.IsImmersiveProcess) {
if (g_ExtApiSet.IsImmersiveProcess(Entry->hProcess)) {
subitems.ColorFlags = TLF_BGCOLOR_SET;
subitems.BgColor = 0xeaea00;
fState = TVIF_STATE;
if (Entry->hProcess) {
if (g_ExtApiSet.IsImmersiveProcess) {
if (g_ExtApiSet.IsImmersiveProcess(Entry->hProcess)) {
subitems.ColorFlags = TLF_BGCOLOR_SET;
subitems.BgColor = 0xeaea00;
fState = TVIF_STATE;
}
}
}
//
// 4. Protected processes.
//
exbi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
if (NT_SUCCESS(NtQueryInformationProcess(Entry->hProcess, ProcessBasicInformation,
&exbi, sizeof(exbi), &r)))
{
if (exbi.IsProtectedProcess) {
subitems.ColorFlags = TLF_BGCOLOR_SET;
subitems.BgColor = 0xe6ffe6;
fState = TVIF_STATE;
if (Entry->hProcess) {
exbi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
if (NT_SUCCESS(NtQueryInformationProcess(Entry->hProcess, ProcessBasicInformation,
&exbi, sizeof(exbi), &r)))
{
if (exbi.IsProtectedProcess) {
subitems.ColorFlags = TLF_BGCOLOR_SET;
subitems.BgColor = 0xe6ffe6;
fState = TVIF_STATE;
}
}
}

10
Source/WinObjEx64/extras/extrasSSDT.c
View File

@ -4,9 +4,9 @@
*
* TITLE: EXTRASSSDT.C
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 01 Feb 2019
* DATE: 10 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -333,7 +333,7 @@ VOID SdtOutputTable(
)
{
INT index, number;
ULONG i;
ULONG i, iImage;
EXTRASCONTEXT *Context = (EXTRASCONTEXT*)GetProp(hwndDlg, T_DLGCONTEXT);
LVITEM lvitem;
@ -365,6 +365,8 @@ VOID SdtOutputTable(
}
SetWindowText(hwndDlg, szBuffer);
iImage = ObManagerGetImageIndexByTypeIndex(ObjectTypeDevice);
//list table
for (i = 0; i < Count; i++) {
@ -373,7 +375,7 @@ VOID SdtOutputTable(
lvitem.mask = LVIF_TEXT | LVIF_IMAGE;
lvitem.iSubItem = 0;
lvitem.iItem = MAXINT;
lvitem.iImage = ObjectTypeDevice; //imagelist id
lvitem.iImage = iImage; //imagelist id
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
ultostr(Table[i].ServiceId, szBuffer);
lvitem.pszText = szBuffer;

30
Source/WinObjEx64/extras/extrasUSD.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: EXTRASUSD.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 04 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -105,7 +105,7 @@ VOID UsdDumpSharedRegion(
break;
}
ObDumpUlong(
propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("NtProductType"),
@ -116,7 +116,7 @@ VOID UsdDumpSharedRegion(
(COLORREF)0,
(COLORREF)0);
ObDumpByte(
propObDumpByte(
UsdTreeList,
h_tviRootItem,
TEXT("ProductTypeIsValid"),
@ -127,7 +127,7 @@ VOID UsdDumpSharedRegion(
TRUE);
//Version
ObDumpUlong(
propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("NtMajorVersion"),
@ -138,7 +138,7 @@ VOID UsdDumpSharedRegion(
(COLORREF)0,
(COLORREF)0);
ObDumpUlong(
propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("NtMinorVersion"),
@ -153,7 +153,7 @@ VOID UsdDumpSharedRegion(
// Prior to Windows 10 this field declared as reserved.
//
if (g_WinObj.osver.dwMajorVersion >= 10) {
ObDumpUlong(
propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("NtBuildNumber"),
@ -234,7 +234,7 @@ VOID UsdDumpSharedRegion(
break;
}
ObDumpUlong(
propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("AlternativeArchitecture"),
@ -292,7 +292,7 @@ VOID UsdDumpSharedRegion(
}
//KdDebuggerEnabled
ObDumpByte(
propObDumpByte(
UsdTreeList,
h_tviRootItem,
TEXT("KdDebuggerEnabled"),
@ -306,7 +306,7 @@ VOID UsdDumpSharedRegion(
if (g_NtBuildNumber < 9200) {
ObDumpByte(
propObDumpByte(
UsdTreeList,
h_tviRootItem,
TEXT("NXSupportPolicy"),
@ -342,7 +342,7 @@ VOID UsdDumpSharedRegion(
if (h_tviSubItem) {
ObDumpByte(
propObDumpByte(
UsdTreeList,
h_tviSubItem,
TEXT("NXSupportPolicy"),
@ -352,7 +352,7 @@ VOID UsdDumpSharedRegion(
(COLORREF)0,
FALSE);
ObDumpByte(
propObDumpByte(
UsdTreeList,
h_tviSubItem,
TEXT("SEHValidationPolicy"),
@ -363,7 +363,7 @@ VOID UsdDumpSharedRegion(
FALSE);
ObDumpByte(
propObDumpByte(
UsdTreeList,
h_tviSubItem,
TEXT("CurDirDevicesSkippedForDlls"),
@ -376,7 +376,7 @@ VOID UsdDumpSharedRegion(
}
//SafeBootMode
ObDumpByte(
propObDumpByte(
UsdTreeList,
h_tviRootItem,
TEXT("SafeBootMode"),

6
Source/WinObjEx64/global.h
View File

@ -4,9 +4,9 @@
*
* TITLE: GLOBAL.H
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 31 Jan 2019
* DATE: 06 Feb 2019
*
* Common header file for the Windows Object Explorer.
*
@ -67,6 +67,7 @@
#include <commctrl.h>
#include <Uxtheme.h>
#include <ntstatus.h>
#include "resource.h"
#include "wine.h"
#include <sddl.h>
#include "minirtl\minirtl.h"
@ -88,7 +89,6 @@
#include "excepth.h"
#include "extapi.h"
#include "tests\testunit.h"
#include "resource.h"
#if defined(__cplusplus)
#include <malloc.h>

257
Source/WinObjEx64/instdrv.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon
* (C) COPYRIGHT AUTHORS, 2015 - 2019, portions (C) Mark Russinovich, FileMon
*
* TITLE: INSTDRV.C
*
* VERSION: 1.50
* VERSION: 1.72
*
* DATE: 11 July 2017
* DATE: 04 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -27,14 +27,16 @@
BOOL scmInstallDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName,
_In_opt_ LPCTSTR ServiceExe
_In_opt_ LPCTSTR ServiceExe,
_Out_opt_ PDWORD lpStatus
)
{
DWORD resultStatus = ERROR_SUCCESS;
SC_HANDLE schService;
schService = CreateService(SchSCManager, // SCManager database
DriverName, // name of service
DriverName, // name to display
DriverName, // name of service
DriverName, // name to display
SERVICE_ALL_ACCESS, // desired access
SERVICE_KERNEL_DRIVER, // service type
SERVICE_DEMAND_START, // start type
@ -44,13 +46,18 @@ BOOL scmInstallDriver(
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
NULL // no password
);
if (schService == NULL) {
return FALSE;
NULL); // no password
if (schService) {
CloseServiceHandle(schService);
}
else {
resultStatus = GetLastError();
}
CloseServiceHandle(schService);
if (lpStatus)
*lpStatus = resultStatus;
return TRUE;
}
@ -64,23 +71,37 @@ BOOL scmInstallDriver(
*/
BOOL scmStartDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
_In_ LPCTSTR DriverName,
_Out_opt_ PDWORD lpStatus
)
{
BOOL ret = FALSE;
DWORD resultStatus = ERROR_SUCCESS;
SC_HANDLE schService;
BOOL ret;
schService = OpenService(SchSCManager,
DriverName,
SERVICE_ALL_ACCESS
);
if (schService == NULL)
return FALSE;
SERVICE_ALL_ACCESS);
ret = StartService(schService, 0, NULL)
|| GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
if (schService) {
CloseServiceHandle(schService);
ret = StartService(schService, 0, NULL);
resultStatus = GetLastError();
if (resultStatus == ERROR_SERVICE_ALREADY_RUNNING) {
ret = TRUE;
resultStatus = ERROR_SUCCESS;
}
CloseServiceHandle(schService);
}
else {
resultStatus = GetLastError();
}
if (lpStatus)
*lpStatus = resultStatus;
return ret;
}
@ -95,34 +116,53 @@ BOOL scmStartDriver(
*/
BOOL scmOpenDevice(
_In_ LPCTSTR DriverName,
_Inout_opt_ PHANDLE lphDevice
_Out_opt_ PHANDLE lphDevice,
_Out_opt_ PDWORD lpStatus
)
{
TCHAR completeDeviceName[64];
HANDLE hDevice;
BOOL bResult = FALSE;
TCHAR completeDeviceName[64];
HANDLE hDevice;
RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName));
wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName);
// assume failure
if (lphDevice)
*lphDevice = NULL;
hDevice = CreateFile(completeDeviceName,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
return FALSE;
if (DriverName) {
RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName));
wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName);
hDevice = CreateFile(completeDeviceName,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (lpStatus)
*lpStatus = GetLastError();
bResult = (hDevice != INVALID_HANDLE_VALUE);
if (lphDevice) {
if (bResult) {
*lphDevice = hDevice;
}
}
else {
if (bResult)
CloseHandle(hDevice);
}
if (lphDevice) {
*lphDevice = hDevice;
}
else {
CloseHandle(hDevice);
if (lpStatus)
*lpStatus = ERROR_INVALID_PARAMETER;
}
return TRUE;
return bResult;
}
/*
@ -135,36 +175,46 @@ BOOL scmOpenDevice(
*/
BOOL scmStopDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
_In_ LPCTSTR DriverName,
_Out_opt_ PDWORD lpStatus
)
{
BOOL ret;
INT iRetryCount;
DWORD resultStatus = ERROR_SUCCESS;
SC_HANDLE schService;
SERVICE_STATUS serviceStatus;
ret = FALSE;
schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
if (schService == NULL) {
return ret;
if (schService) {
iRetryCount = 5;
do {
SetLastError(ERROR_SUCCESS);
ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
if (ret != FALSE) {
resultStatus = GetLastError();
break;
}
resultStatus = GetLastError();
if (resultStatus != ERROR_DEPENDENT_SERVICES_RUNNING)
break;
Sleep(1000);
iRetryCount--;
} while (iRetryCount);
CloseServiceHandle(schService);
}
else {
resultStatus = GetLastError();
}
iRetryCount = 5;
do {
SetLastError(0);
ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
if (ret != FALSE)
break;
if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING)
break;
Sleep(1000);
iRetryCount--;
} while (iRetryCount);
CloseServiceHandle(schService);
if (lpStatus)
*lpStatus = resultStatus;
return ret;
}
@ -179,17 +229,27 @@ BOOL scmStopDriver(
*/
BOOL scmRemoveDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
_In_ LPCTSTR DriverName,
_Out_opt_ PDWORD lpStatus
)
{
SC_HANDLE schService;
BOOL bResult = FALSE;
SC_HANDLE schService;
DWORD resultStatus = ERROR_SUCCESS;
schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
if (schService) {
bResult = DeleteService(schService);
resultStatus = GetLastError();
CloseServiceHandle(schService);
}
else {
resultStatus = GetLastError();
}
if (lpStatus)
*lpStatus = resultStatus;
return bResult;
}
@ -202,22 +262,33 @@ BOOL scmRemoveDriver(
*
*/
BOOL scmUnloadDeviceDriver(
_In_ LPCTSTR Name
_In_ LPCTSTR Name,
_Out_opt_ PDWORD lpStatus
)
{
SC_HANDLE schSCManager;
BOOL bResult = FALSE;
SC_HANDLE schSCManager;
if (Name == NULL) {
return bResult;
DWORD resultStatus = ERROR_SUCCESS;
if (Name) {
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (schSCManager) {
scmStopDriver(schSCManager, Name, NULL);
bResult = scmRemoveDriver(schSCManager, Name, &resultStatus);
CloseServiceHandle(schSCManager);
}
else {
resultStatus = GetLastError();
}
}
else {
resultStatus = ERROR_INVALID_PARAMETER;
}
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (schSCManager) {
scmStopDriver(schSCManager, Name);
bResult = scmRemoveDriver(schSCManager, Name);
CloseServiceHandle(schSCManager);
}
if (lpStatus)
*lpStatus = resultStatus;
return bResult;
}
@ -230,25 +301,45 @@ BOOL scmUnloadDeviceDriver(
*
*/
BOOL scmLoadDeviceDriver(
_In_ LPCTSTR Name,
_In_opt_ LPCTSTR Path,
_Inout_ PHANDLE lphDevice
_In_ LPCTSTR Name,
_In_opt_ LPCTSTR Path,
_Out_opt_ PHANDLE lphDevice,
_Out_opt_ PDWORD lpStatus
)
{
SC_HANDLE schSCManager;
BOOL bResult = FALSE;
SC_HANDLE schSCManager;
if (Name == NULL) {
return bResult;
DWORD statusResult = ERROR_SUCCESS;
//assume failure
if (lphDevice) {
*lphDevice = NULL;
}
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (schSCManager) {
scmRemoveDriver(schSCManager, Name);
scmInstallDriver(schSCManager, Name, Path);
scmStartDriver(schSCManager, Name);
bResult = scmOpenDevice(Name, lphDevice);
CloseServiceHandle(schSCManager);
if (Name) {
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (schSCManager) {
scmRemoveDriver(schSCManager, Name, NULL);
scmInstallDriver(schSCManager, Name, Path, NULL);
if (scmStartDriver(schSCManager, Name, &statusResult)) {
bResult = scmOpenDevice(Name, lphDevice, &statusResult);
}
CloseServiceHandle(schSCManager);
}
else {
statusResult = GetLastError();
}
}
else {
statusResult = ERROR_INVALID_PARAMETER;
}
if (lpStatus)
*lpStatus = statusResult;
return bResult;
}

38
Source/WinObjEx64/instdrv.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon
* (C) COPYRIGHT AUTHORS, 2015 - 2019, portions (C) Mark Russinovich, FileMon
*
* TITLE: INSTDRV.H
*
* VERSION: 1.44
* VERSION: 1.72
*
* DATE: 17 July 2016
* DATE: 04 Feb 2019
*
* Common header file for the program SCM usage.
*
@ -21,35 +21,35 @@
BOOL scmInstallDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName,
_In_opt_ LPCTSTR ServiceExe
);
_In_opt_ LPCTSTR ServiceExe,
_Out_opt_ PDWORD lpStatus);
BOOL scmStartDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
_In_ LPCTSTR DriverName,
_Out_opt_ PDWORD lpStatus);
BOOL scmOpenDevice(
_In_ LPCTSTR DriverName,
_Inout_opt_ PHANDLE lphDevice
);
_Out_opt_ PHANDLE lphDevice,
_Out_opt_ PDWORD lpStatus);
BOOL scmStopDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
_In_ LPCTSTR DriverName,
_Out_opt_ PDWORD lpStatus);
BOOL scmRemoveDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
_In_ LPCTSTR DriverName,
_Out_opt_ PDWORD lpStatus);
BOOL scmUnloadDeviceDriver(
_In_ LPCTSTR Name
);
_In_ LPCTSTR Name,
_Out_opt_ PDWORD lpStatus);
BOOL scmLoadDeviceDriver(
_In_ LPCTSTR Name,
_In_opt_ LPCTSTR Path,
_Inout_ PHANDLE lphDevice
);
_In_ LPCTSTR Name,
_In_opt_ LPCTSTR Path,
_Out_opt_ PHANDLE lphDevice,
_Out_opt_ PDWORD lpStatus);

268
Source/WinObjEx64/kldbg.c
View File

@ -4,9 +4,9 @@
*
* TITLE: KLDBG.C, based on KDSubmarine by Evilcry
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 19 Jan 2019
* DATE: 22 Feb 2019
*
* MINIMUM SUPPORTED OS WINDOWS 7
*
@ -434,6 +434,50 @@ NTSTATUS ObEnumerateBoundaryDescriptorEntries(
return (TotalItems != BoundaryDescriptor->Items) ? STATUS_INVALID_PARAMETER : STATUS_SUCCESS;
}
/*
* ObpDumpObjectWithSpecifiedSize
*
* Purpose:
*
* Return dumped object version aware.
*
* Use supVirtualFree to free returned buffer.
*
*/
_Success_(return != NULL)
PVOID ObpDumpObjectWithSpecifiedSize(
_In_ ULONG_PTR ObjectAddress,
_In_ ULONG ObjectSize,
_In_ ULONG ObjectVersion,
_Out_ PULONG ReadSize,
_Out_ PULONG ReadVersion
)
{
PVOID ObjectBuffer = NULL;
ULONG BufferSize = ALIGN_UP_BY(ObjectSize, PAGE_SIZE);
ObjectBuffer = supVirtualAlloc(BufferSize);
if (ObjectBuffer == NULL) {
return NULL;
}
if (!kdReadSystemMemory(
ObjectAddress,
ObjectBuffer,
(ULONG)ObjectSize))
{
supVirtualFree(ObjectBuffer);
return NULL;
}
if (ReadSize)
*ReadSize = ObjectSize;
if (ReadVersion)
*ReadVersion = ObjectVersion;
return ObjectBuffer;
}
/*
* ObDumpObjectTypeVersionAware
*
@ -444,17 +488,19 @@ NTSTATUS ObEnumerateBoundaryDescriptorEntries(
* Use supVirtualFree to free returned buffer.
*
*/
_Success_(return != NULL)
PVOID ObDumpObjectTypeVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version
)
{
PVOID ObjectBuffer = NULL;
ULONG ObjectSize = 0, BufferSize = 0;
ULONG ObjectSize = 0;
ULONG ObjectVersion = 0;
//assume failure
if (Size) *Size = 0;
if (Version) *Version = 0;
switch (g_NtBuildNumber) {
case 7600:
case 7601:
@ -478,28 +524,11 @@ PVOID ObDumpObjectTypeVersionAware(
break;
}
BufferSize = ALIGN_UP_BY(ObjectSize, PAGE_SIZE);
ObjectBuffer = supVirtualAlloc(BufferSize);
if (ObjectBuffer == NULL) {
return NULL;
}
if (!kdReadSystemMemory(
ObjectAddress,
ObjectBuffer,
(ULONG)ObjectSize))
{
supVirtualFree(ObjectBuffer);
return NULL;
}
if (Size)
*Size = ObjectSize;
if (Version)
*Version = ObjectVersion;
return ObjectBuffer;
return ObpDumpObjectWithSpecifiedSize(ObjectAddress,
ObjectSize,
ObjectVersion,
Size,
Version);
}
/*
@ -512,17 +541,19 @@ PVOID ObDumpObjectTypeVersionAware(
* Use supVirtualFree to free returned buffer.
*
*/
_Success_(return != NULL)
PVOID ObDumpAlpcPortObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version
)
{
PVOID ObjectBuffer = NULL;
ULONG ObjectSize = 0, BufferSize = 0;
ULONG ObjectSize = 0;
ULONG ObjectVersion = 0;
//assume failure
if (Size) *Size = 0;
if (Version) *Version = 0;
switch (g_NtBuildNumber) {
case 7600:
case 7601:
@ -543,42 +574,26 @@ PVOID ObDumpAlpcPortObjectVersionAware(
break;
}
BufferSize = ALIGN_UP_BY(ObjectSize, PAGE_SIZE);
ObjectBuffer = supVirtualAlloc(BufferSize);
if (ObjectBuffer == NULL) {
return NULL;
}
if (!kdReadSystemMemory(
ObjectAddress,
ObjectBuffer,
(ULONG)ObjectSize))
{
supVirtualFree(ObjectBuffer);
return NULL;
}
if (Size)
*Size = ObjectSize;
if (Version)
*Version = ObjectVersion;
return ObjectBuffer;
return ObpDumpObjectWithSpecifiedSize(ObjectAddress,
ObjectSize,
ObjectVersion,
Size,
Version);
}
/*
* ObDumpDirectoryObjectVersionAware
* ObxDumpDirectoryObjectVersionAware
*
* Purpose:
*
* Return dumped OBJECT_DIRECTORY object version aware.
*
* Use supHeapFree to free returned buffer.
* Use supVirtualFree to free returned buffer.
*
* Note: Currently unused.
*
*/
_Success_(return != NULL)
PVOID ObDumpDirectoryObjectVersionAware(
PVOID ObxDumpDirectoryObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version
@ -586,7 +601,10 @@ PVOID ObDumpDirectoryObjectVersionAware(
{
ULONG ObjectVersion;
ULONG ObjectSize = 0;
PVOID ObjectPtr;
//assume failure
if (Size) *Size = 0;
if (Version) *Version = 0;
switch (g_NtBuildNumber) {
@ -611,24 +629,64 @@ PVOID ObDumpDirectoryObjectVersionAware(
break;
}
ObjectPtr = supHeapAlloc(ObjectSize);
if (ObjectPtr == NULL)
return NULL;
if (!kdReadSystemMemoryEx(
ObjectAddress,
ObjectPtr,
return ObpDumpObjectWithSpecifiedSize(ObjectAddress,
ObjectSize,
NULL))
{
supHeapFree(ObjectPtr);
return NULL;
ObjectVersion,
Size,
Version);
}
/*
* ObDumpSymbolicLinkObjectVersionAware
*
* Purpose:
*
* Return dumped OBJEC_SYMBOLIC_LINK object version aware.
*
* Use supVirtualFree to free returned buffer.
*
*/
PVOID ObDumpSymbolicLinkObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version
)
{
ULONG ObjectSize = 0;
ULONG ObjectVersion = 0;
//assume failure
if (Size) *Size = 0;
if (Version) *Version = 0;
switch (g_NtBuildNumber) {
case 7600:
case 7601:
case 9200:
case 9600:
ObjectSize = sizeof(OBJECT_SYMBOLIC_LINK_V1);
ObjectVersion = 1;
break;
case 10240:
case 10586:
ObjectSize = sizeof(OBJECT_SYMBOLIC_LINK_V2);
ObjectVersion = 2;
break;
case 14393:
ObjectSize = sizeof(OBJECT_SYMBOLIC_LINK_V3);
ObjectVersion = 3;
break;
default:
ObjectSize = sizeof(OBJECT_SYMBOLIC_LINK_V4);
ObjectVersion = 4;
break;
}
*Version = ObjectVersion;
*Size = ObjectSize;
return ObjectPtr;
return ObpDumpObjectWithSpecifiedSize(ObjectAddress,
ObjectSize,
ObjectVersion,
Size,
Version);
}
/*
@ -760,7 +818,7 @@ UCHAR ObpFindHeaderCookie(
*
* Limitation:
*
* OS dependent, Windows 10 (14393 - 17763).
* OS dependent, Windows 10 (RS1 - 19H1).
*
*/
PVOID ObFindPrivateNamespaceLookupTable2(
@ -2770,6 +2828,11 @@ VOID kdInit(
g_kdctx.ShowKdError = TRUE;
//
// Default driver load status.
//
g_kdctx.drvOpenLoadStatus = ERROR_NOT_CAPABLE;
InitializeListHead(&g_kdctx.ObCollection.ListHead);
//
@ -2831,7 +2894,7 @@ VOID kdInit(
//
// Try to open existing device.
//
if (scmOpenDevice(KLDBGDRV, &g_kdctx.hDevice) == FALSE) {
if (scmOpenDevice(KLDBGDRV, &g_kdctx.hDevice, &g_kdctx.drvOpenLoadStatus) == FALSE) {
//
// No such device exist, construct filepath and check if driver already present.
@ -2850,7 +2913,8 @@ VOID kdInit(
//
// Load service driver and open handle for it.
//
g_kdctx.IsOurLoad = scmLoadDeviceDriver(KLDBGDRV, szDrvPath, &g_kdctx.hDevice);
g_kdctx.drvOpenLoadStatus = ERROR_SUCCESS;
g_kdctx.IsOurLoad = scmLoadDeviceDriver(KLDBGDRV, szDrvPath, &g_kdctx.hDevice, &g_kdctx.drvOpenLoadStatus);
}
}
@ -2884,8 +2948,9 @@ ULONG_PTR KdFindCiCallbacks(
ULONG_PTR Address = 0, Result = 0;
PBYTE Signature = NULL, ptrCode = NULL, MatchingPattern = NULL;
ULONG SignatureSize = 0;
PBYTE Signature = NULL, ptrCode = NULL, InstructionMatchPattern = NULL;
ULONG SignatureSize = 0, InstructionMatchLength;
ULONG InstructionExactMatchLength;
PVOID SectionBase;
ULONG SectionSize = 0, Index;
@ -2909,62 +2974,65 @@ ULONG_PTR KdFindCiCallbacks(
if ((SectionBase == 0) || (SectionSize == 0))
break;
MatchingPattern = SeCiCallbacksMatchingPattern; //default matching pattern
InstructionMatchPattern = SeCiCallbacksMatchingPattern; //default matching pattern
InstructionMatchLength = 7; //lea
InstructionExactMatchLength = RTL_NUMBER_OF(SeCiCallbacksMatchingPattern);
switch (g_NtBuildNumber) {
case 7601:
Signature = g_CiCallbacksPattern_7601;
SignatureSize = sizeof(g_CiCallbacksPattern_7601);
MatchingPattern = g_CiCallbacksMatchingPattern;
InstructionMatchPattern = g_CiCallbacksMatchingPattern;
InstructionExactMatchLength = RTL_NUMBER_OF(g_CiCallbacksMatchingPattern);
break;
case 9200:
case 9600:
Signature = SeCiCallbacksPattern_9200_9600;
SignatureSize = sizeof(SeCiCallbacksPattern_9200_9600);
MatchingPattern = SeCiCallbacksMatchingPattern;
break;
case 10240:
case 10586:
Signature = SeCiCallbacksPattern_10240_10586;
SignatureSize = sizeof(SeCiCallbacksPattern_10240_10586);
MatchingPattern = SeCiCallbacksMatchingPattern;
break;
case 14393:
Signature = SeCiCallbacksPattern_14393;
SignatureSize = sizeof(SeCiCallbacksPattern_14393);
MatchingPattern = SeCiCallbacksMatchingPattern;
break;
case 15063:
case 16299:
Signature = SeCiCallbacksPattern_15063_16299;
SignatureSize = sizeof(SeCiCallbacksPattern_15063_16299);
MatchingPattern = SeCiCallbacksMatchingPattern;
break;
case 17134:
case 17763:
Signature = SeCiCallbacksPattern_17134_17763;
SignatureSize = sizeof(SeCiCallbacksPattern_17134_17763);
MatchingPattern = SeCiCallbacksMatchingPattern;
break;
default:
Signature = SeCiCallbacksPattern_19H1;
SignatureSize = sizeof(SeCiCallbacksPattern_19H1);
InstructionMatchPattern = SeCiCallbacksMatchingPattern_19H1;
InstructionMatchLength = 10; //mov
InstructionExactMatchLength = RTL_NUMBER_OF(SeCiCallbacksMatchingPattern_19H1);
break;
}
if ((SignatureSize) && (Signature)) {
//if ((SignatureSize) && (Signature)) {
ptrCode = (PBYTE)supFindPattern(
(PBYTE)SectionBase,
SectionSize,
Signature,
SignatureSize);
}
ptrCode = (PBYTE)supFindPattern(
(PBYTE)SectionBase,
SectionSize,
Signature,
SignatureSize);
//}
if (ptrCode == NULL)
break;
@ -2994,14 +3062,18 @@ ULONG_PTR KdFindCiCallbacks(
break;
//
// mov cs:g_CiCallbacks, rax (for Windows 7)
// lea rcx, SeCiCallbacks (for everything else)
// lea rcx, SeCiCallbacks (for 8/10 TH/RS)
// mov cs:SeCiCallbacks (19H1)
//
if (hs.len == 7) {
if ((ptrCode[Index] == MatchingPattern[0]) &&
(ptrCode[Index + 1] == MatchingPattern[1]) &&
(ptrCode[Index + 2] == MatchingPattern[2]))
if (hs.len == InstructionMatchLength) {
//
// Match block found.
//
if (RtlCompareMemory((VOID*)&ptrCode[Index], (VOID*)InstructionMatchPattern,
InstructionExactMatchLength) == InstructionExactMatchLength)
{
Rel = *(PLONG)(ptrCode + Index + 3);
Rel = *(PLONG)(ptrCode + Index + InstructionExactMatchLength);
break;
}
}
@ -3055,7 +3127,7 @@ VOID kdShutdown(
// Windbg recreates service and drops file everytime when kernel debug starts.
//
if (g_kdctx.IsOurLoad) {
scmUnloadDeviceDriver(KLDBGDRV);
scmUnloadDeviceDriver(KLDBGDRV, NULL);
//
// Driver file is no longer needed.

15
Source/WinObjEx64/kldbg.h
View File

@ -4,9 +4,9 @@
*
* TITLE: KLDBG.H
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 26 Jan 2019
* DATE: 04 Feb 2019
*
* Common header file for the Kernel Debugger Driver support.
*
@ -60,6 +60,9 @@ typedef struct _KLDBGCONTEXT {
//are we under Wine
BOOL IsWine;
//secureboot enabled?
BOOL IsSecureBoot;
//system object header cookie (win10+)
UCHAR ObHeaderCookie;
@ -83,6 +86,9 @@ typedef struct _KLDBGCONTEXT {
//ntoskrnl mapped image
PVOID NtOsImageMap;
//win32 error value from SCM
ULONG drvOpenLoadStatus;
//syscall tables related info
ULONG KiServiceLimit;
ULONG W32pServiceLimit;
@ -214,20 +220,17 @@ UCHAR ObDecodeTypeIndex(
_In_ PVOID Object,
_In_ UCHAR EncodedTypeIndex);
_Success_(return != NULL)
PVOID ObDumpObjectTypeVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version);
_Success_(return != NULL)
PVOID ObDumpAlpcPortObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version);
_Success_(return != NULL)
PVOID ObDumpDirectoryObjectVersionAware(
PVOID ObDumpSymbolicLinkObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version);

12
Source/WinObjEx64/kldbg_patterns.h
View File

@ -4,9 +4,9 @@
*
* TITLE: KLDBG_PATTERNS.H
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 19 Jan 2019
* DATE: 03 Feb 2019
*
* Header with search patterns used by KLDBG.
*
@ -82,6 +82,9 @@ BYTE LeaPattern_KeServiceDescriptorTableShadow[] = {
+++*/
//Windows 8/8.1
BYTE SeCiCallbacksPattern_9200_9600[] = { 0x48, 0x83, 0xEC, 0x20, 0xBF, 0x06, 0x00, 0x00, 0x00 };
//Windows 10 TH1/TH2
BYTE SeCiCallbacksPattern_10240_10586[] = { 0x48, 0x83, 0xEC, 0x20, 0xBB, 0x98, 0x00, 0x00, 0x00 };
@ -94,10 +97,11 @@ BYTE SeCiCallbacksPattern_15063_16299[] = { 0x48, 0x83, 0xEC, 0x20, 0xBB, 0xC0,
//Windows 10 RS4/RS5
BYTE SeCiCallbacksPattern_17134_17763[] = { 0x48, 0x83, 0xEC, 0x20, 0xBB, 0xD0, 0x00, 0x00, 0x00 };
//Windows 8/8.1
BYTE SeCiCallbacksPattern_9200_9600[] = { 0x48, 0x83, 0xEC, 0x20, 0xBF, 0x06, 0x00, 0x00, 0x00 };
BYTE SeCiCallbacksPattern_19H1[] = { 0x41, 0xB8, 0xC4, 0x00, 0x00, 0x00, 0xBF, 0x06, 0x00, 0x00, 0x00 };
// Instruction match pattern
BYTE SeCiCallbacksMatchingPattern[] = { 0x48, 0x8D, 0x0D };
BYTE SeCiCallbacksMatchingPattern_19H1[] = { 0xC7, 0x05 };
//Windows 7
BYTE g_CiCallbacksPattern_7601[] = { 0x8D, 0x7B, 0x06, 0x48, 0x89, 0x05 };

22
Source/WinObjEx64/list.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: LIST.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -265,7 +265,7 @@ VOID ListObjectDirectoryTree(
if (0 == _strncmpi(
objinf->TypeName.Buffer,
g_ObjectTypes[ObjectTypeDirectory].Name,
OBTYPE_NAME_DIRECTORY,
objinf->TypeName.Length / sizeof(WCHAR)))
{
ListObjectDirectoryTree(
@ -320,7 +320,7 @@ VOID AddListViewItem(
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
//check SymbolicLink
if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeSymbolicLink].Name, cch) == 0) {
if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_SYMBOLIC_LINK, cch) == 0) {
bFound = supQueryLinkTarget(hObjectRootDirectory,
&objinf->Name,
@ -331,7 +331,7 @@ VOID AddListViewItem(
}
//check Section
if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeSection].Name, cch) == 0) {
if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_SECTION, cch) == 0) {
bFound = supQuerySectionFileInfo(hObjectRootDirectory,
&objinf->Name,
@ -342,7 +342,7 @@ VOID AddListViewItem(
}
//check Driver
if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeDriver].Name, cch) == 0) {
if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_DRIVER, cch) == 0) {
bFound = supQueryDriverDescription(
objinf->Name.Buffer,
@ -353,7 +353,7 @@ VOID AddListViewItem(
}
//check Device
if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeDevice].Name, cch) == 0) {
if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_DEVICE, cch) == 0) {
bFound = supQueryDeviceDescription(
objinf->Name.Buffer,
@ -364,7 +364,7 @@ VOID AddListViewItem(
}
//check WindowStation
if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeWinstation].Name, cch) == 0) {
if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_WINSTATION, cch) == 0) {
bFound = supQueryWinstationDescription(
objinf->Name.Buffer,
@ -375,7 +375,7 @@ VOID AddListViewItem(
}
//check Type
if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeType].Name, cch) == 0) {
if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_TYPE, cch) == 0) {
bFound = supQueryTypeInfo(
objinf->Name.Buffer,
@ -551,7 +551,7 @@ VOID FindObject(
*List = tmp;
};
if (_strcmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeDirectory].Name) == 0) {
if (_strcmpi(objinf->TypeName.Buffer, OBTYPE_NAME_DIRECTORY) == 0) {
newdir = (LPWSTR)supHeapAlloc((sdlen + 4) * sizeof(WCHAR) + objinf->Name.Length);
if (newdir != NULL) {

28
Source/WinObjEx64/main.c
View File

@ -4,9 +4,9 @@
*
* TITLE: MAIN.C
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 19 Jan 2019
* DATE: 10 Feb 2019
*
* Program entry point and main window handler.
*
@ -173,7 +173,7 @@ VOID MainWindowHandleObjectTreeProp(
propCreateDialog(
hwnd,
szBuffer,
g_ObjectTypes[ObjectTypeDirectory].Name,
OBTYPE_NAME_DIRECTORY,
NULL,
NULL);
}
@ -863,7 +863,8 @@ BOOL MainWindowDlgMsgHandler(
* Initialize global variables.
*
*/
BOOL WinObjInitGlobals()
BOOL WinObjInitGlobals(
_In_ BOOL IsWine)
{
SIZE_T cch;
BOOL bResult = FALSE, bCond = FALSE;
@ -894,7 +895,9 @@ BOOL WinObjInitGlobals()
if (g_WinObj.Heap == NULL)
break;
RtlSetHeapInformation(g_WinObj.Heap, HeapEnableTerminationOnCorruption, NULL, 0);
if (IsWine == FALSE) {
RtlSetHeapInformation(g_WinObj.Heap, HeapEnableTerminationOnCorruption, NULL, 0);
}
RtlInitializeCriticalSection(&g_WinObj.Lock);
//
@ -963,14 +966,22 @@ UINT WinObjExMain()
HANDLE hToken;
HIMAGELIST TreeViewImages;
if (!WinObjInitGlobals())
IsWine = supIsWine();
//
// wine 1.6 xenial does not suport this routine.
//
if (IsWine == FALSE) {
RtlSetHeapInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);
}
if (!WinObjInitGlobals(IsWine))
return ERROR_APP_INIT_FAILURE;
// do not move anywhere
IsFullAdmin = supUserIsFullAdmin();
// check compatibility
IsWine = supIsWine();
if (IsWine != FALSE) {
IsFullAdmin = FALSE;
}
@ -1239,6 +1250,9 @@ UINT WinObjExMain()
//
g_ListViewImages = ObManagerLoadImageList();
if (g_ListViewImages) {
//
// Append two column sorting images to the end of the listview imagelist.
//
hIcon = (HICON)LoadImage(g_WinObj.hInstance, MAKEINTRESOURCE(IDI_ICON_SORTUP), IMAGE_ICON, 0, 0, LR_DEFAULTCOLOR);
if (hIcon) {
ImageList_ReplaceIcon(g_ListViewImages, -1, hIcon);

14
Source/WinObjEx64/msvcver.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2018
* (C) COPYRIGHT AUTHORS, 2018 - 2019
*
* TITLE: MSVCVER.H
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 04 Feb 2019
*
* Visual Studio compiler version determination.
*
@ -18,11 +18,11 @@
*******************************************************************************/
#pragma once
/*#define _MSC_VER 1810
#define _MSC_FULL_VER 180040629*/
#if defined _MSC_VER && _MSC_FULL_VER
#if (_MSC_VER >= 1910) //2017 all variants (too many to list)
#if defined _MSC_VER && _MSC_FULL_VER
#if (_MSC_VER >= 1920) //2019 all variants (will be too many to list)
#define VC_VER L"MSVC 2019"
#elif (_MSC_VER >= 1910) //2017 all variants (too many to list)
#define VC_VER L"MSVC 2017"
#elif (_MSC_VER == 1900) //2015
#if (_MSC_FULL_VER == 190023026) //2015 RTM

375
Source/WinObjEx64/ntos/ntos.h
View File

@ -4,9 +4,9 @@
*
* TITLE: NTOS.H
*
* VERSION: 1.100
* VERSION: 1.104
*
* DATE: 26 Jan 2019
* DATE: 26 Feb 2019
*
* Common header file for the ntos API functions and definitions.
*
@ -28,6 +28,7 @@
#ifndef NTOS_RTL
#define NTOS_RTL
//
// NTOS_RTL HEADER BEGIN
//
@ -39,6 +40,7 @@ extern "C" {
#pragma comment(lib, "ntdll.lib")
#pragma warning(push)
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int
#ifndef PAGE_SIZE
@ -203,6 +205,21 @@ typedef PVOID PHEAD;
#define CALLBACK_MODIFY_STATE 0x0001
#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )
//
// CompositionSurface Access Rights
//
#ifndef COMPOSITIONSURFACE_READ
#define COMPOSITIONSURFACE_READ 0x0001L
#endif
#ifndef COMPOSITIONSURFACE_WRITE
#define COMPOSITIONSURFACE_WRITE 0x0002L
#endif
#ifndef COMPOSITIONSURFACE_ALL_ACCESS
#define COMPOSITIONSURFACE_ALL_ACCESS (COMPOSITIONSURFACE_READ | COMPOSITIONSURFACE_WRITE)
#endif
//
// Debug Object Access Rights
//
@ -286,22 +303,22 @@ typedef PVOID PHEAD;
//
#define THREAD_ALERT (0x0004)
#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
//
// Worker Factory Object Access Rights
//
#define WORKER_FACTORY_RELEASE_WORKER 0x0001
#define WORKER_FACTORY_WAIT 0x0002
#define WORKER_FACTORY_SET_INFORMATION 0x0004
#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
#define WORKER_FACTORY_READY_WORKER 0x0010
#define WORKER_FACTORY_SHUTDOWN 0x0020
#define WORKER_FACTORY_RELEASE_WORKER 0x0001
#define WORKER_FACTORY_WAIT 0x0002
#define WORKER_FACTORY_SET_INFORMATION 0x0004
#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
#define WORKER_FACTORY_READY_WORKER 0x0010
#define WORKER_FACTORY_SHUTDOWN 0x0020
#define WORKER_FACTORY_ALL_ACCESS ( \
STANDARD_RIGHTS_REQUIRED | \
@ -334,6 +351,7 @@ typedef PVOID PHEAD;
#define TRACELOG_CREATE_INPROC 0x0200
#define TRACELOG_ACCESS_REALTIME 0x0400
#define TRACELOG_REGISTER_GUIDS 0x0800
#define TRACELOG_JOIN_GROUP 0x1000
//
// Memory Partition Object Access Rights
@ -524,7 +542,7 @@ typedef enum _KWAIT_REASON {
WrDelayExecution,
WrSuspended,
WrUserRequest,
WrEventPair,
WrEventPair, //has no effect after 7
WrQueue,
WrLpcReceive,
WrLpcReply,
@ -549,6 +567,7 @@ typedef enum _KWAIT_REASON {
WrRundown,
WrAlertByThreadId,
WrDeferredPreempt,
WrPhysicalFault,
MaximumWaitReason
} KWAIT_REASON;
@ -5072,88 +5091,6 @@ __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmen
** PEB/TEB END
*/
/*
** ALPC START
*/
typedef struct _PORT_MESSAGE {
union {
struct {
CSHORT DataLength;
CSHORT TotalLength;
} s1;
ULONG Length;
} u1;
union {
struct {
CSHORT Type;
CSHORT DataInfoOffset;
} s2;
ULONG ZeroInit;
} u2;
union {
CLIENT_ID ClientId;
double DoNotUseThisField; // Force quadword alignment
} u3;
ULONG MessageId;
union {
ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message
ULONG CallbackId; // Only valid on LPC_REQUEST message
} u4;
UCHAR Reserved[8];
} PORT_MESSAGE, *PPORT_MESSAGE;
// end_ntsrv
typedef struct _PORT_DATA_ENTRY {
PVOID Base;
ULONG Size;
} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
typedef struct _PORT_DATA_INFORMATION {
ULONG CountDataEntries;
PORT_DATA_ENTRY DataEntries[1];
} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
#define LPC_REQUEST 1
#define LPC_REPLY 2
#define LPC_DATAGRAM 3
#define LPC_LOST_REPLY 4
#define LPC_PORT_CLOSED 5
#define LPC_CLIENT_DIED 6
#define LPC_EXCEPTION 7
#define LPC_DEBUG_EVENT 8
#define LPC_ERROR_EVENT 9
#define LPC_CONNECTION_REQUEST 10
#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
#define PORT_MAXIMUM_MESSAGE_LENGTH 256
typedef struct _LPC_CLIENT_DIED_MSG {
PORT_MESSAGE PortMsg;
LARGE_INTEGER CreateTime;
} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
//#pragma pack(push, 1)
typedef struct _PORT_VIEW {
ULONG Length;
HANDLE SectionHandle;
ULONG SectionOffset;
SIZE_T ViewSize;
PVOID ViewBase;
PVOID ViewRemoteBase;
} PORT_VIEW, *PPORT_VIEW;
typedef struct _REMOTE_PORT_VIEW {
ULONG Length;
SIZE_T ViewSize;
PVOID ViewBase;
} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
//#pragma pack(pop)
/*
** ALPC END
*/
/*
** MITIGATION POLICY START
*/
@ -5283,6 +5220,19 @@ typedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 {
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10;
typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 {
union {
DWORD Flags;
struct {
DWORD SmtBranchTargetIsolation : 1;
DWORD IsolateSecurityDomain : 1;
DWORD DisablePageCombine : 1;
DWORD SpeculativeStoreBypassDisable : 1;
DWORD ReservedFlags : 28;
} DUMMYSTRUCTNAME;
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10;
typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
PROCESS_MITIGATION_POLICY Policy;
union
@ -5299,6 +5249,7 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy;
PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy;
PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy;
PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 SideChannelIsolationPolicy;
};
} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
@ -8633,6 +8584,41 @@ NtDeletePrivateNamespace(
*
************************************************************************************/
typedef struct _OBJECT_SYMBOLIC_LINK_V1 { //pre Win10 TH1
LARGE_INTEGER CreationTime;
UNICODE_STRING LinkTarget;
ULONG DosDeviceDriveIndex;
} OBJECT_SYMBOLIC_LINK_V1, *POBJECT_SYMBOLIC_LINK_V1;
typedef struct _OBJECT_SYMBOLIC_LINK_V2 { //Win10 TH1/TH2
LARGE_INTEGER CreationTime;
UNICODE_STRING LinkTarget;
ULONG DosDeviceDriveIndex;
ULONG Flags;
} OBJECT_SYMBOLIC_LINK_V2, *POBJECT_SYMBOLIC_LINK_V2;
typedef struct _OBJECT_SYMBOLIC_LINK_V3 { //Win10 RS1
LARGE_INTEGER CreationTime;
UNICODE_STRING LinkTarget;
ULONG DosDeviceDriveIndex;
ULONG Flags;
ULONG AccessMask;
} OBJECT_SYMBOLIC_LINK_V3, *POBJECT_SYMBOLIC_LINK_V3;
typedef struct _OBJECT_SYMBOLIC_LINK_V4 { //Win10 RS2+
LARGE_INTEGER CreationTime;
union {
UNICODE_STRING LinkTarget;
struct {
PVOID Callback;
PVOID CallbackContext;
};
} u1;
ULONG DosDeviceDriveIndex;
ULONG Flags;
ULONG AccessMask;
} OBJECT_SYMBOLIC_LINK_V4, *POBJECT_SYMBOLIC_LINK_V4;
NTSYSAPI
NTSTATUS
NTAPI
@ -8712,7 +8698,7 @@ NtCreateMailslotFile(
_In_ ULONG MaximumMessageSize,
_In_ PLARGE_INTEGER ReadTimeout);
NTSYSCALLAPI
NTSYSAPI
NTSTATUS
NTAPI
NtDeviceIoControlFile(
@ -8984,7 +8970,8 @@ NtLoadDriver(
NTSYSAPI
NTSTATUS
NTAPI NtUnloadDriver(
NTAPI
NtUnloadDriver(
_In_ PUNICODE_STRING DriverServiceName);
NTSYSAPI
@ -9069,6 +9056,21 @@ NtCreateSection(
_In_ ULONG AllocationAttributes,
_In_opt_ HANDLE FileHandle);
//taken from ph2
NTSYSAPI
NTSTATUS
NTAPI
NtCreateSectionEx(
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PLARGE_INTEGER MaximumSize,
_In_ ULONG SectionPageProtection,
_In_ ULONG AllocationAttributes,
_In_opt_ HANDLE FileHandle,
_In_ PMEM_EXTENDED_PARAMETER ExtendedParameters,
_In_ ULONG ExtendedParameterCount);
NTSYSAPI
NTSTATUS
NTAPI
@ -9083,7 +9085,7 @@ NTAPI
NtMapViewOfSection(
_In_ HANDLE SectionHandle,
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_In_ SIZE_T CommitSize,
_Inout_opt_ PLARGE_INTEGER SectionOffset,
@ -9092,22 +9094,12 @@ NtMapViewOfSection(
_In_ ULONG AllocationType,
_In_ ULONG Win32Protect);
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySection(
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
_Out_ PVOID SectionInformation,
_In_ SIZE_T SectionInformationLength,
_Out_opt_ PSIZE_T ReturnLength);
NTSYSAPI
NTSTATUS
NTAPI
NtUnmapViewOfSection(
_In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress);
_In_opt_ PVOID BaseAddress);
NTSYSAPI
NTSTATUS
@ -9117,6 +9109,16 @@ NtUnmapViewOfSectionEx(
_In_opt_ PVOID BaseAddress,
_In_ ULONG Flags);
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySection(
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
_Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
_In_ SIZE_T SectionInformationLength,
_Out_opt_ PSIZE_T ReturnLength);
NTSYSAPI
NTSTATUS
NTAPI
@ -9156,6 +9158,13 @@ NtFreeUserPhysicalPages(
_Inout_ PULONG_PTR NumberOfPages,
_In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray);
NTSYSAPI
NTSTATUS
NTAPI
NtAreMappedFilesTheSame(
_In_ PVOID File1MappedAsAnImage,
_In_ PVOID File2MappedAsFile);
NTSYSAPI
NTSTATUS
NTAPI
@ -9234,6 +9243,39 @@ NtAccessCheckByTypeResultList(
_Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
_Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus);
NTSYSAPI
NTSTATUS
NTAPI
NtOpenObjectAuditAlarm(
_In_ PUNICODE_STRING SubsystemName,
_In_opt_ PVOID HandleId,
_In_ PUNICODE_STRING ObjectTypeName,
_In_ PUNICODE_STRING ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ HANDLE ClientToken,
_In_ ACCESS_MASK DesiredAccess,
_In_ ACCESS_MASK GrantedAccess,
_In_opt_ PPRIVILEGE_SET Privileges,
_In_ BOOLEAN ObjectCreation,
_In_ BOOLEAN AccessGranted,
_Out_ PBOOLEAN GenerateOnClose);
NTSYSAPI
NTSTATUS
NTAPI
NtCloseObjectAuditAlarm(
_In_ PUNICODE_STRING SubsystemName,
_In_opt_ PVOID HandleId,
_In_ BOOLEAN GenerateOnClose);
NTSYSAPI
NTSTATUS
NTAPI
NtDeleteObjectAuditAlarm(
_In_ PUNICODE_STRING SubsystemName,
_In_opt_ PVOID HandleId,
_In_ BOOLEAN GenerateOnClose);
NTSYSAPI
NTSTATUS
NTAPI
@ -9747,14 +9789,52 @@ NtTerminateJobObject(
*
************************************************************************************/
//taken from ph2
typedef enum _IO_SESSION_EVENT {
IoSessionEventIgnore,
IoSessionEventCreated,
IoSessionEventTerminated,
IoSessionEventConnected,
IoSessionEventDisconnected,
IoSessionEventLogon,
IoSessionEventLogoff,
IoSessionEventMax
} IO_SESSION_EVENT;
typedef enum _IO_SESSION_STATE {
IoSessionStateCreated,
IoSessionStateInitialized,
IoSessionStateConnected,
IoSessionStateDisconnected,
IoSessionStateDisconnectedLoggedOn,
IoSessionStateLoggedOn,
IoSessionStateLoggedOff,
IoSessionStateTerminated,
IoSessionStateMax
} IO_SESSION_STATE;
NTSYSAPI
NTSTATUS
NTAPI
NTSTATUS
NTAPI
NtOpenSession(
_Out_ PHANDLE SessionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes);
NTSYSAPI
NTSTATUS
NTAPI
NtNotifyChangeSession(
_In_ HANDLE SessionHandle,
_In_ ULONG ChangeSequenceNumber,
_In_ PLARGE_INTEGER ChangeTimeStamp,
_In_ IO_SESSION_EVENT Event,
_In_ IO_SESSION_STATE NewState,
_In_ IO_SESSION_STATE PreviousState,
_In_reads_bytes_opt_(PayloadSize) PVOID Payload,
_In_ ULONG PayloadSize);
/************************************************************************************
*
* IO Completion API.
@ -10305,6 +10385,77 @@ NtCreatePagingFile(
*
************************************************************************************/
typedef struct _PORT_VIEW {
ULONG Length;
HANDLE SectionHandle;
ULONG SectionOffset;
SIZE_T ViewSize;
PVOID ViewBase;
PVOID ViewRemoteBase;
} PORT_VIEW, *PPORT_VIEW;
typedef struct _REMOTE_PORT_VIEW {
ULONG Length;
SIZE_T ViewSize;
PVOID ViewBase;
} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
typedef struct _PORT_MESSAGE {
union {
struct {
CSHORT DataLength;
CSHORT TotalLength;
} s1;
ULONG Length;
} u1;
union {
struct {
CSHORT Type;
CSHORT DataInfoOffset;
} s2;
ULONG ZeroInit;
} u2;
union {
CLIENT_ID ClientId;
double DoNotUseThisField; // Force quadword alignment
} u3;
ULONG MessageId;
union {
ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message
ULONG CallbackId; // Only valid on LPC_REQUEST message
} u4;
UCHAR Reserved[8];
} PORT_MESSAGE, *PPORT_MESSAGE;
typedef struct _PORT_DATA_ENTRY {
PVOID Base;
ULONG Size;
} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
typedef struct _PORT_DATA_INFORMATION {
ULONG CountDataEntries;
PORT_DATA_ENTRY DataEntries[1];
} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
#define LPC_REQUEST 1
#define LPC_REPLY 2
#define LPC_DATAGRAM 3
#define LPC_LOST_REPLY 4
#define LPC_PORT_CLOSED 5
#define LPC_CLIENT_DIED 6
#define LPC_EXCEPTION 7
#define LPC_DEBUG_EVENT 8
#define LPC_ERROR_EVENT 9
#define LPC_CONNECTION_REQUEST 10
#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
#define PORT_MAXIMUM_MESSAGE_LENGTH 256
typedef struct _LPC_CLIENT_DIED_MSG {
PORT_MESSAGE PortMsg;
LARGE_INTEGER CreateTime;
} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
NTSYSAPI
NTSTATUS
NTAPI

264
Source/WinObjEx64/objects.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2017 - 2018
* (C) COPYRIGHT AUTHORS, 2017 - 2019
*
* TITLE: OBJECTS.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 13 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -17,6 +17,28 @@
#include "global.h"
/*
* ObManagerComparerName
*
* Purpose:
*
* Support comparer routine to work with objects array.
*
*/
INT ObManagerComparerName(
_In_ PCVOID FirstObject,
_In_ PCVOID SecondObject
)
{
WOBJ_TYPE_DESC *firstObject = (WOBJ_TYPE_DESC*)FirstObject;
WOBJ_TYPE_DESC *secondObject = (WOBJ_TYPE_DESC*)SecondObject;
if (firstObject == secondObject)
return 0;
return (_strcmpi(firstObject->Name, secondObject->Name));
}
/*
* ObManagerGetNameByIndex
*
@ -24,16 +46,19 @@
*
* Returns object name by index of known type.
*
*
*/
LPWSTR ObManagerGetNameByIndex(
_In_ ULONG TypeIndex
)
{
if (TypeIndex >= ObjectTypeMax)
return g_ObjectTypes[ObjectTypeUnknown].Name;
ULONG nIndex;
return g_ObjectTypes[TypeIndex].Name;
for (nIndex = TYPE_FIRST; nIndex < TYPE_LAST; nIndex++) {
if (g_ObjectTypes[nIndex].Index == (WOBJ_OBJECT_TYPE)TypeIndex)
return g_ObjectTypes[nIndex].Name;
}
return OBTYPE_NAME_UNKNOWN;
}
/*
@ -49,10 +74,48 @@ UINT ObManagerGetImageIndexByTypeIndex(
_In_ ULONG TypeIndex
)
{
if (TypeIndex >= ObjectTypeMax)
return ObjectTypeUnknown;
ULONG nIndex;
return g_ObjectTypes[TypeIndex].ImageIndex;
for (nIndex = TYPE_FIRST; nIndex < TYPE_LAST; nIndex++) {
if (g_ObjectTypes[nIndex].Index == (WOBJ_OBJECT_TYPE)TypeIndex)
return g_ObjectTypes[nIndex].ImageIndex;
}
return ObjectTypeUnknown;
}
/*
* ObManagerGetEntryByTypeName
*
* Purpose:
*
* Returns object description entry by type name.
*
*/
WOBJ_TYPE_DESC *ObManagerGetEntryByTypeName(
_In_opt_ LPCWSTR lpTypeName
)
{
WOBJ_TYPE_DESC SearchItem;
WOBJ_TYPE_DESC *Result;
if (lpTypeName == NULL) {
return &g_TypeUnknown;
}
SearchItem.Name = (LPWSTR)lpTypeName;
Result = (WOBJ_TYPE_DESC*)supBSearch((PCVOID)&SearchItem,
(PCVOID)&g_ObjectTypes,
RTL_NUMBER_OF(g_ObjectTypes),
sizeof(WOBJ_TYPE_DESC),
ObManagerComparerName);
if (Result == NULL) {
Result = &g_TypeUnknown;
}
return Result;
}
/*
@ -64,41 +127,30 @@ UINT ObManagerGetImageIndexByTypeIndex(
*
*/
UINT ObManagerGetIndexByTypeName(
_In_ LPCWSTR lpTypeName
_In_opt_ LPCWSTR lpTypeName
)
{
UINT nIndex;
WOBJ_TYPE_DESC SearchItem;
WOBJ_TYPE_DESC *Result;
if (lpTypeName == NULL) {
return ObjectTypeUnknown;
}
for (nIndex = TYPE_FIRST; nIndex < TYPE_LAST; nIndex++) {
if (_strcmpi(lpTypeName, g_ObjectTypes[nIndex].Name) == 0)
return nIndex;
}
SearchItem.Name = (LPWSTR)lpTypeName;
//
// In Win8 the following Win32k object was named
// CompositionSurface, in Win8.1 MS renamed it to
// Composition, handle this.
//
if (_strcmpi(lpTypeName, L"CompositionSurface") == 0) {
return ObjectTypeComposition;
}
Result = (WOBJ_TYPE_DESC*)supBSearch((PCVOID)&SearchItem,
(PCVOID)&g_ObjectTypes,
RTL_NUMBER_OF(g_ObjectTypes),
sizeof(WOBJ_TYPE_DESC),
ObManagerComparerName);
//
// In Win10 TH1 the following ntos object was named
// NetworkNamespace, later in Win10 updates MS renamed it to
// NdisCmState, handle this.
//
/*
if (_strcmpi(lpTypeName, L"NetworkNamespace") == 0) {
return ObjectTypeNdisCmState;
if (Result) {
return Result->Index;
}
else {
return ObjectTypeUnknown;
}
*/
return ObjectTypeUnknown;
}
/*
@ -110,41 +162,61 @@ UINT ObManagerGetIndexByTypeName(
*
*/
UINT ObManagerGetImageIndexByTypeName(
_In_ LPCWSTR lpTypeName
_In_opt_ LPCWSTR lpTypeName
)
{
UINT nIndex;
WOBJ_TYPE_DESC SearchItem;
WOBJ_TYPE_DESC *Result;
if (lpTypeName == NULL) {
return ObjectTypeUnknown;
}
for (nIndex = TYPE_FIRST; nIndex < TYPE_LAST; nIndex++) {
if (_strcmpi(lpTypeName, g_ObjectTypes[nIndex].Name) == 0)
return g_ObjectTypes[nIndex].ImageIndex;
SearchItem.Name = (LPWSTR)lpTypeName;
Result = (WOBJ_TYPE_DESC*)supBSearch((PCVOID)&SearchItem,
(PCVOID)&g_ObjectTypes,
RTL_NUMBER_OF(g_ObjectTypes),
sizeof(WOBJ_TYPE_DESC),
ObManagerComparerName);
if (Result) {
return Result->ImageIndex;
}
else {
return ObjectTypeUnknown;
}
}
/*
* ObManagerLoadImageForType
*
* Purpose:
*
* Load image of the given id.
*
*/
INT ObManagerLoadImageForType(
_In_ HIMAGELIST ImageList,
_In_ INT ResourceImageId
)
{
INT ImageIndex = I_IMAGENONE;
HICON hIcon;
hIcon = (HICON)LoadImage(g_WinObj.hInstance,
MAKEINTRESOURCE(ResourceImageId),
IMAGE_ICON,
16,
16,
LR_DEFAULTCOLOR);
if (hIcon) {
ImageIndex = ImageList_ReplaceIcon(ImageList, -1, hIcon);
DestroyIcon(hIcon);
}
//
// In Win8 the following Win32k object was named
// CompositionSurface, in Win8.1 MS renamed it to
// Composition, handle this.
//
if (_strcmpi(lpTypeName, L"CompositionSurface") == 0) {
return g_ObjectTypes[ObjectTypeComposition].ImageIndex;
}
//
// In Win10 TH1 the following ntos object was named
// NetworkNamespace, later in Win10 updates MS renamed it to
// NdisCmState, handle this.
//
/*
if (_strcmpi(lpTypeName, L"NetworkNamespace") == 0) {
return g_ObjectTypes[ObjectTypeComposition].ImageIndex;
}
*/
return ObjectTypeUnknown;
return ImageIndex;
}
/*
@ -159,64 +231,28 @@ HIMAGELIST ObManagerLoadImageList(
VOID
)
{
UINT i, imageIndex;
HIMAGELIST list;
HICON hIcon;
UINT i;
HIMAGELIST ImageList;
list = ImageList_Create(
16,
16,
ImageList = ImageList_Create(
16,
16,
ILC_COLOR32 | ILC_MASK,
TYPE_LAST,
TYPE_LAST,
8);
if (list) {
for (i = TYPE_FIRST; i <= TYPE_LAST; i++) {
imageIndex = TYPE_RESOURCE_IMAGE_INDEX_START + g_ObjectTypes[i].ImageIndex;
hIcon = (HICON)LoadImage(g_WinObj.hInstance,
MAKEINTRESOURCE(imageIndex),
IMAGE_ICON,
16,
16,
LR_DEFAULTCOLOR);
if (ImageList) {
for (i = TYPE_FIRST; i < TYPE_LAST; i++) {
g_ObjectTypes[i].ImageIndex = ObManagerLoadImageForType(ImageList,
g_ObjectTypes[i].ResourceImageId);
if (hIcon) {
ImageList_ReplaceIcon(list, -1, hIcon);
DestroyIcon(hIcon);
}
}
g_TypeUnknown.ImageIndex = ObManagerLoadImageForType(ImageList,
g_TypeUnknown.ResourceImageId);
}
return list;
return ImageList;
}
//
// Future use
//
/*
Usually none of these object types identities present in object directory.
ActivationObject
ActivityReference
CoreMessagining
DmaAdapter
DmaDomain
DxgkDisplayManagerObject
DxgkSharedBundleObject
DxgkSharedProtectedSessionObject
EnergyTracker
EtwSessionDemuxEntry
IoCompletionReserve
NdisCmState
PsSiloContextNonPaged
PsSiloContextPaged
RawInputManager
RegistryTransaction
UserApcReserve
VirtualKey
VRegConfigurationContext
WaitCompletionPacket
*/

194
Source/WinObjEx64/objects.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: OBJECTS.H
*
* VERSION: 1.60
* VERSION: 1.72
*
* DATE: 24 Oct 2018
* DATE: 13 Feb 2019
*
* Header file for internal Windows object types handling.
*
@ -18,20 +18,6 @@
*******************************************************************************/
#pragma once
//
// Description Resource Id string table starting index
//
// Actual id = TYPE_DESCRIPTION_START_INDEX + TYPE_*
//
#define TYPE_DESCRIPTION_START_INDEX 100
//
// Image Resource Id table starting index
//
// Actual id = TYPE_RESOURCE_IMAGE_INDEX_START + ObjectType.ImageIndex
//
#define TYPE_RESOURCE_IMAGE_INDEX_START 300
//
// Object Type Indexes Used By Program Only
// NOT RELATED TO REAL OBJECTS INDEXES
@ -85,88 +71,138 @@ typedef enum _WOBJ_OBJECT_TYPE {
ObjectTypeDxgkSharedSwapChain = 44,
ObjectTypeDxgkSharedSyncObject = 45,
ObjectTypeDxgkCurrentDxgProcessObject = 46,
ObjectTypeMemoryPartition = 47,
ObjectTypeUnknown = 48,
ObjectTypeDxgkDisplayManager = 47,
ObjectTypeDxgkSharedBundle = 48,
ObjectTypeDxgkSharedProtectedSession = 49,
ObjectTypeDxgkComposition = 50,
ObjectTypeDxgkSharedKeyedMutext = 51,
ObjectTypeMemoryPartition = 52,
ObjectTypeRegistryTransaction = 53,
ObjectTypeDmaAdapter = 54,
ObjectTypeDmaDomain = 55,
ObjectTypeUnknown = 56,
ObjectTypeMax
} WOBJ_OBJECT_TYPE;
typedef struct _WOBJ_TYPE_DESC {
LPWSTR Name;
WOBJ_OBJECT_TYPE Index;
WOBJ_OBJECT_TYPE ImageIndex; //different object types may share same images (e.g. Dxgk*)
WOBJ_OBJECT_TYPE Index; //object type
INT ResourceImageId; //resouce id for icon
INT ResourceStringId; //resource id in stringtable
INT ImageIndex; //individual image id for each object type (maybe the same for few objects)
} WOBJ_TYPE_DESC, *PWOBJ_TYPE_DESC;
//
// ImageList icon index used from range TYPE_FIRST - TYPE_LAST
//
#define TYPE_FIRST ObjectTypeDevice
#define TYPE_FIRST 0
#define TYPE_LAST ObjectTypeUnknown
#define DIRECTX_SHARED_IMAGE_INDEX ObjectTypeDxgkSharedResource
#define OBTYPE_NAME_DESKTOP L"Desktop"
#define OBTYPE_NAME_DEVICE L"Device"
#define OBTYPE_NAME_DRIVER L"Driver"
#define OBTYPE_NAME_DIRECTORY L"Directory"
#define OBTYPE_NAME_SECTION L"Section"
#define OBTYPE_NAME_SYMBOLIC_LINK L"SymbolicLink"
#define OBTYPE_NAME_TYPE L"Type"
#define OBTYPE_NAME_WINSTATION L"WindowStation"
#define OBTYPE_NAME_UNKNOWN L""
static const WOBJ_TYPE_DESC g_ObjectTypes[] = {
{ L"Device", ObjectTypeDevice, ObjectTypeDevice },
{ L"Driver", ObjectTypeDriver, ObjectTypeDriver },
{ L"Section", ObjectTypeSection, ObjectTypeSection },
{ L"ALPC Port", ObjectTypePort, ObjectTypePort },
{ L"SymbolicLink", ObjectTypeSymbolicLink, ObjectTypeSymbolicLink },
{ L"Key", ObjectTypeKey, ObjectTypeKey },
{ L"Event", ObjectTypeEvent, ObjectTypeEvent },
{ L"Job", ObjectTypeJob, ObjectTypeJob },
{ L"Mutant", ObjectTypeMutant, ObjectTypeMutant },
{ L"KeyedEvent", ObjectTypeKeyedEvent, ObjectTypeKeyedEvent },
{ L"Type", ObjectTypeType, ObjectTypeType },
{ L"Directory", ObjectTypeDirectory, ObjectTypeDirectory },
{ L"WindowStation", ObjectTypeWinstation, ObjectTypeWinstation },
{ L"Callback", ObjectTypeCallback, ObjectTypeCallback },
{ L"Semaphore", ObjectTypeSemaphore, ObjectTypeSemaphore },
{ L"WaitablePort", ObjectTypeWaitablePort, ObjectTypeWaitablePort },
{ L"Timer", ObjectTypeTimer, ObjectTypeTimer },
{ L"Session", ObjectTypeSession, ObjectTypeSession },
{ L"Controller", ObjectTypeController, ObjectTypeController },
{ L"Profile", ObjectTypeProfile, ObjectTypeProfile },
{ L"EventPair", ObjectTypeEventPair, ObjectTypeEventPair },
{ L"Desktop", ObjectTypeDesktop, ObjectTypeDesktop },
{ L"File", ObjectTypeFile, ObjectTypeFile },
{ L"WMIGuid", ObjectTypeWMIGuid, ObjectTypeWMIGuid },
{ L"DebugObject", ObjectTypeDebugObject, ObjectTypeDebugObject },
{ L"IoCompletion", ObjectTypeIoCompletion, ObjectTypeIoCompletion },
{ L"Process", ObjectTypeProcess, ObjectTypeProcess },
{ L"Adapter", ObjectTypeAdapter, ObjectTypeAdapter },
{ L"Token", ObjectTypeToken, ObjectTypeToken },
{ L"EtwRegistration", ObjectTypeETWRegistration, ObjectTypeETWRegistration },
{ L"Thread", ObjectTypeThread, ObjectTypeThread },
{ L"TmTx", ObjectTypeTmTx, ObjectTypeTmTx },
{ L"TmTm", ObjectTypeTmTm, ObjectTypeTmTm },
{ L"TmRm", ObjectTypeTmRm, ObjectTypeTmRm },
{ L"TmEn", ObjectTypeTmEn, ObjectTypeTmEn },
{ L"PcwObject", ObjectTypePcwObject, ObjectTypePcwObject },
{ L"FilterConnectionPort", ObjectTypeFltConnPort, ObjectTypeFltConnPort },
{ L"FilterCommunicationPort", ObjectTypeFltComnPort, ObjectTypeFltComnPort },
{ L"PowerRequest", ObjectTypePowerRequest, ObjectTypePowerRequest },
{ L"EtwConsumer", ObjectTypeETWConsumer, ObjectTypeETWConsumer },
{ L"TpWorkerFactory", ObjectTypeTpWorkerFactory, ObjectTypeTpWorkerFactory },
{ L"Composition", ObjectTypeComposition, ObjectTypeComposition },
{ L"IRTimer", ObjectTypeIRTimer, ObjectTypeIRTimer },
{ L"DxgkSharedResource", ObjectTypeDxgkSharedResource, DIRECTX_SHARED_IMAGE_INDEX },
{ L"DxgkSharedSwapChainObject", ObjectTypeDxgkSharedSwapChain, DIRECTX_SHARED_IMAGE_INDEX },
{ L"DxgkSharedSyncObject", ObjectTypeDxgkSharedSyncObject, DIRECTX_SHARED_IMAGE_INDEX },
{ L"DxgkCurrentDxgProcessObject", ObjectTypeDxgkCurrentDxgProcessObject, DIRECTX_SHARED_IMAGE_INDEX },
{ L"Partition", ObjectTypeMemoryPartition, ObjectTypeMemoryPartition },
{ L"", ObjectTypeUnknown, ObjectTypeUnknown }
static WOBJ_TYPE_DESC g_TypeUnknown = { OBTYPE_NAME_UNKNOWN, ObjectTypeUnknown, IDI_ICON_UNKNOWN, IDS_DESC_UNKNOWN };
//
// Handled object types.
//
// Sorted in alphabetical order.
//
static WOBJ_TYPE_DESC g_ObjectTypes[] = {
//{ L"ActivationObject", ObjectTypeActivationObject, IDI_ICON_ACTIVATIONOBJECT, IDS_DESC_ACTIVATIONOBJECT },
//{ L"ActivityReference", ObjectTypeActivityReference, IDI_ICON_ACTIVITYREFERENCE, IDS_DESC_ACTIVITYREFERENCE },
{ L"Adapter", ObjectTypeAdapter, IDI_ICON_ADAPTER, IDS_DESC_ADAPTER },
{ L"ALPC Port", ObjectTypePort, IDI_ICON_PORT, IDS_DESC_PORT },
{ L"Callback", ObjectTypeCallback, IDI_ICON_CALLBACK, IDS_DESC_CALLBACK },
{ L"Composition", ObjectTypeComposition, IDI_ICON_COMPOSITION, IDS_DESC_COMPOSITION },
{ L"Controller", ObjectTypeController, IDI_ICON_CONTROLLER, IDS_DESC_CONTROLLER },
//{ L"CoreMessaging", ObjectTypeCoreMessaging, IDI_ICON_COREMESSAGING, IDS_DESC_COREMESSAGING },
//{ L"CoverageSampler", ObjectTypeCoverageSampler, IDI_ICON_COVERAGESAMPLER, IDS_DESC_COVERAGESAMPLER },
{ L"DebugObject", ObjectTypeDebugObject, IDI_ICON_DEBUGOBJECT, IDS_DESC_DEBUGOBJECT },
{ OBTYPE_NAME_DESKTOP, ObjectTypeDesktop, IDI_ICON_DESKTOP, IDS_DESC_DESKTOP },
{ OBTYPE_NAME_DEVICE, ObjectTypeDevice, IDI_ICON_DEVICE, IDS_DESC_DEVICE },
{ OBTYPE_NAME_DIRECTORY, ObjectTypeDirectory, IDI_ICON_DIRECTORY, IDS_DESC_DIRECTORY },
{ L"DmaAdapter", ObjectTypeDmaAdapter, IDI_ICON_HALDMA, IDS_DESC_DMAADAPTER },
{ L"DmaDomain", ObjectTypeDmaDomain, IDI_ICON_HALDMA, IDS_DESC_DMADOMAIN },
{ OBTYPE_NAME_DRIVER, ObjectTypeDriver, IDI_ICON_DRIVER, IDS_DESC_DRIVER },
{ L"DxgkCompositionObject", ObjectTypeDxgkComposition, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_COMPOSITION_OBJECT },
{ L"DxgkCurrentDxgProcessObject", ObjectTypeDxgkCurrentDxgProcessObject, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_CURRENT_DXG_PROCESS_OBJECT },
{ L"DxgkDisplayManagerObject", ObjectTypeDxgkDisplayManager, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_DISPLAY_MANAGER_OBJECT },
{ L"DxgkSharedBundleObject", ObjectTypeDxgkSharedBundle, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_SHARED_BUNDLE_OBJECT },
{ L"DxgkSharedKeyedMutextObject", ObjectTypeDxgkSharedKeyedMutext, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_SHARED_KEYED_MUTEX_OBJECT},
{ L"DxgkSharedProtectedSessionObject", ObjectTypeDxgkSharedProtectedSession, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_SHARED_PROTECTED_SESSION_OBJECT },
{ L"DxgkSharedResource", ObjectTypeDxgkSharedResource, IDI_ICON_DXOBJECT, IDS_DESC_DXGKSHAREDRES },
{ L"DxgkSharedSwapChainObject", ObjectTypeDxgkSharedSwapChain, IDI_ICON_DXOBJECT, IDS_DESC_DXGKSHAREDSWAPCHAIN },
{ L"DxgkSharedSyncObject", ObjectTypeDxgkSharedSyncObject, IDI_ICON_DXOBJECT, IDS_DESC_DXGKSHAREDSYNC },
{ L"EtwConsumer", ObjectTypeETWConsumer, IDI_ICON_ETWCONSUMER, IDS_DESC_ETWCONSUMER },
{ L"EtwRegistration", ObjectTypeETWRegistration, IDI_ICON_ETWREGISTRATION, IDS_DESC_ETWREGISTRATION },
// { L"EtwSessionDemuxEntry", ObjectTypeEtwSessionDemuxEntry, IDI_ICON_ETWSESSIONDEMUXENTRY, IDS_DESC_ETWSESSIONDEMUXENTRY },
{ L"Event", ObjectTypeEvent, IDI_ICON_EVENT, IDS_DESC_EVENT },
{ L"EventPair", ObjectTypeEventPair, IDI_ICON_EVENTPAIR, IDS_DESC_EVENTPAIR },
{ L"File", ObjectTypeFile, IDI_ICON_FILE, IDS_DESC_FILE },
{ L"FilterCommunicationPort", ObjectTypeFltComnPort, IDI_ICON_FLTCOMMPORT, IDS_DESC_FLT_COMM_PORT },
{ L"FilterConnectionPort", ObjectTypeFltConnPort, IDI_ICON_FLTCONNPORT, IDS_DESC_FLT_CONN_PORT },
{ L"IoCompletion", ObjectTypeIoCompletion, IDI_ICON_IOCOMPLETION, IDS_DESC_IOCOMPLETION },
//{ L"IoCompletionReserve", ObjectTypeIoCompletionReserve, IDI_ICON_IOCOMPLETION_RESERVE, IDS_DESC_IOCOMPLETION_RESERVE },
{ L"IRTimer", ObjectTypeIRTimer, IDI_ICON_IRTIMER, IDS_DESC_IRTIMER },
{ L"Job", ObjectTypeJob, IDI_ICON_JOB, IDS_DESC_JOB },
{ L"Key", ObjectTypeKey, IDI_ICON_KEY, IDS_DESC_KEY },
{ L"KeyedEvent", ObjectTypeKeyedEvent, IDI_ICON_KEYEDEVENT, IDS_DESC_KEYEDEVENT },
{ L"Mutant", ObjectTypeMutant, IDI_ICON_MUTANT, IDS_DESC_MUTANT },
//{ L"NdisCmState", ObjectTypeNdisCmState, IDI_ICON_NDISCMSTATE, IDS_DESC_NDISCMSTATE },
{ L"Partition", ObjectTypeMemoryPartition, IDI_ICON_MEMORYPARTITION, IDS_DESC_MEMORY_PARTITION },
{ L"PcwObject", ObjectTypePcwObject, IDI_ICON_PCWOBJECT, IDS_DESC_PCWOBJECT },
{ L"PowerRequest", ObjectTypePowerRequest, IDI_ICON_POWERREQUEST, IDS_DESC_POWERREQUEST },
{ L"Process", ObjectTypeProcess, IDI_ICON_PROCESS, IDS_DESC_PROCESS },
{ L"Profile", ObjectTypeProfile, IDI_ICON_PROFILE, IDS_DESC_PROFILE },
//{ L"PsSiloContextNonPaged", ObjectTypePsSiloContextNonPaged, IDI_ICON_PSSILOCONTEXT, IDS_DESC_PSSILOCONTEXTNP },
//{ L"PsSiloContextPaged", ObjectTypePsSiloContextPaged, IDI_ICON_PSSILOCONTEXT, IDS_DESC_PSSILOCONTEXT },
//{ L"RawInputManager", ObjectTypeRawInputManager, IDI_ICON_RAWINPUTMANAGER, IDS_DESC_RAW_INPUT_MANAGER },
{ L"RegistryTransaction", ObjectTypeRegistryTransaction, IDI_ICON_KEY, IDS_DESC_REGISTRY_TRANSACTION },
{ OBTYPE_NAME_SECTION, ObjectTypeSection, IDI_ICON_SECTION, IDS_DESC_SECTION },
{ L"Semaphore", ObjectTypeSemaphore, IDI_ICON_SEMAPHORE, IDS_DESC_SEMAPHORE },
{ L"Session", ObjectTypeSession, IDI_ICON_SESSION, IDS_DESC_SESSION },
{ L"SymbolicLink", ObjectTypeSymbolicLink, IDI_ICON_SYMLINK, IDS_DESC_SYMLINK },
{ L"Thread", ObjectTypeThread, IDI_ICON_THREAD, IDS_DESC_THREAD },
{ L"Timer", ObjectTypeTimer, IDI_ICON_TIMER, IDS_DESC_TIMER },
{ L"TmEn", ObjectTypeTmEn, IDI_ICON_TMEN, IDS_DESC_TMEN },
{ L"TmRm", ObjectTypeTmRm, IDI_ICON_TMRM, IDS_DESC_TMRM },
{ L"TmTm", ObjectTypeTmTm, IDI_ICON_TMTM, IDS_DESC_TMTM },
{ L"TmTx", ObjectTypeTmTx, IDI_ICON_TMTX, IDS_DESC_TMTX },
{ L"Token", ObjectTypeToken, IDI_ICON_TOKEN, IDS_DESC_TOKEN },
{ L"TpWorkerFactory", ObjectTypeTpWorkerFactory, IDI_ICON_TPWORKERFACTORY,IDS_DESC_TPWORKERFACTORY },
{ OBTYPE_NAME_TYPE, ObjectTypeType, IDI_ICON_TYPE, IDS_DESC_TYPE },
//{ L"UserApcReserve", ObjectTypeUserApcReserve, IDI_ICON_USERAPCRESERVE, IDS_DESC_USERAPCRESERVE },
//{ L"VirtualKey", ObjectTypeVirtualKey, IDI_ICON_VIRTUALKEY, IDS_DESC_VIRTUALKEY },
//{ L"VRegConfigurationContext", ObjectTypeVREGCFGCTX, IDI_ICON_VREGCFGCTX, IDS_DESC_VREGCFGCTX },
{ L"WaitablePort", ObjectTypeWaitablePort, IDI_ICON_WAITABLEPORT, IDS_DESC_WAITABLEPORT },
//{ L"WaitCompletionPacket", ObjectTypeWaitCompletionPacket, IDI_ICON_WAITCOMPLETIONPACKET, IDS_DESC_WAITCOMPLETIONPACKET },
{ OBTYPE_NAME_WINSTATION, ObjectTypeWinstation, IDI_ICON_WINSTATION, IDS_DESC_WINSTATION },
{ L"WmiGuid", ObjectTypeWMIGuid, IDI_ICON_WMIGUID, IDS_DESC_WMIGUID }
};
HIMAGELIST ObManagerLoadImageList(
VOID);
UINT ObManagerGetImageIndexByTypeIndex(
_In_ ULONG TypeIndex);
UINT ObManagerGetImageIndexByTypeName(
_In_opt_ LPCWSTR lpTypeName);
UINT ObManagerGetIndexByTypeName(
_In_ LPCWSTR lpTypeName);
_In_opt_ LPCWSTR lpTypeName);
LPWSTR ObManagerGetNameByIndex(
_In_ ULONG TypeIndex);
UINT ObManagerGetImageIndexByTypeName(
_In_ LPCWSTR lpTypeName);
UINT ObManagerGetImageIndexByTypeIndex(
_In_ ULONG TypeIndex);
WOBJ_TYPE_DESC *ObManagerGetEntryByTypeName(
_In_opt_ LPCWSTR lpTypeName);

10
Source/WinObjEx64/props/propBasic.c
View File

@ -4,9 +4,9 @@
*
* TITLE: PROPBASIC.C
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 26 Jan 2019
* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -576,7 +576,7 @@ VOID propBasicQuerySymlink(
SystemTime.Minute,
SystemTime.Second,
SystemTime.Day,
Months[SystemTime.Month - 1],
g_szMonths[SystemTime.Month - 1],
SystemTime.Year);
SetDlgItemText(hwndDlg, ID_OBJECT_SYMLINK_CREATION, szBuffer);
@ -665,7 +665,7 @@ VOID propBasicQueryKey(
SystemTime.Minute,
SystemTime.Second,
SystemTime.Day,
Months[SystemTime.Month - 1],
g_szMonths[SystemTime.Month - 1],
SystemTime.Year);
SetDlgItemText(hwndDlg, ID_KEYLASTWRITE, szBuffer);
@ -1736,7 +1736,7 @@ INT_PTR CALLBACK BasicPropDialogProc(
hDc = BeginPaint(hwndDlg, &Paint);
if (hDc) {
ImageList_Draw(g_ListViewImages, Context->TypeIndex, hDc, 24, 34,
ImageList_Draw(g_ListViewImages, Context->TypeDescription->ImageIndex, hDc, 24, 34,
ILD_NORMAL | ILD_TRANSPARENT);
EndPaint(hwndDlg, &Paint);

22
Source/WinObjEx64/props/propBasicConsts.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPBASICCONSTS.H
*
* VERSION: 1.60
* VERSION: 1.72
*
* DATE: 25 Oct 2018
* DATE: 04 Feb 2019
*
* Consts header file for Basic property sheet.
*
@ -18,22 +18,6 @@
*******************************************************************************/
#pragma once
//Calendar
LPCWSTR Months[12] = {
L"Jan",
L"Feb",
L"Mar",
L"Apr",
L"May",
L"Jun",
L"Jul",
L"Aug",
L"Sep",
L"Oct",
L"Nov",
L"Dec"
};
//OBJECT_HEADER Flags
LPCWSTR T_ObjectFlags[8] = {
L"NewObject",

8
Source/WinObjEx64/props/propDesktop.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPDESKTOP.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -407,7 +407,7 @@ VOID DesktopListHandleNotify(
propCreateDialog(
hwndDlg,
lpName,
g_ObjectTypes[ObjectTypeDesktop].Name,
OBTYPE_NAME_DESKTOP,
NULL,
NULL);

21
Source/WinObjEx64/props/propDlg.c
View File

@ -4,9 +4,9 @@
*
* TITLE: PROPDLG.C
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 01 Feb 2019
* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -267,6 +267,13 @@ PPROP_OBJECT_INFO propContextCreate(
if (Context == NULL)
return NULL;
Context->TypeDescription = ObManagerGetEntryByTypeName(lpObjectType);
//
// Use the same type descriptor by default for shadow.
//
Context->ShadowTypeDescription = Context->TypeDescription;
//
// Copy object name if given.
//
@ -321,14 +328,9 @@ PPROP_OBJECT_INFO propContextCreate(
// Query actual type index for case when user will browse Type object info.
//
if (Context->lpObjectName) {
Context->RealTypeIndex = ObManagerGetIndexByTypeName(Context->lpObjectName);
Context->ShadowTypeDescription = ObManagerGetEntryByTypeName(Context->lpObjectName);
}
}
else {
//
// Use the same type index for everything else.
//
Context->RealTypeIndex = Context->TypeIndex;
}
}
@ -598,6 +600,7 @@ VOID propCreateDialog(
case ObjectTypeFltConnPort:
case ObjectTypeType:
case ObjectTypeCallback:
case ObjectTypeSymbolicLink:
RtlSecureZeroMemory(&Page, sizeof(Page));
Page.dwSize = sizeof(PROPSHEETPAGE);
Page.dwFlags = PSP_DEFAULT | PSP_USETITLE;

726
Source/WinObjEx64/props/propObjectDump.c
View File

File diff suppressed because it is too large Load Diff

52
Source/WinObjEx64/props/propObjectDump.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPOBJECTDUMP.H
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 04 Feb 2019
*
* Common header file for the object dump support.
*
@ -18,25 +18,13 @@
*******************************************************************************/
#pragma once
VOID ObDumpDriverObject(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg);
VOID ObDumpDeviceObject(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg);
VOID ObDumpDirectoryObject(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg);
INT_PTR CALLBACK ObjectDumpDialogProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam);
VOID ObDumpUlong(
VOID propObDumpUlong(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@ -47,7 +35,7 @@ VOID ObDumpUlong(
_In_opt_ COLORREF BgColor,
_In_opt_ COLORREF FontColor);
VOID ObDumpByte(
VOID propObDumpByte(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@ -56,33 +44,3 @@ VOID ObDumpByte(
_In_opt_ COLORREF BgColor,
_In_opt_ COLORREF FontColor,
_In_ BOOL IsBool);
VOID ObDumpSetString(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
_In_opt_ LPWSTR lpszDesc,
_In_ LPWSTR lpszValue,
_In_opt_ COLORREF BgColor,
_In_opt_ COLORREF FontColor);
VOID ObDumpAddress(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
_In_opt_ LPWSTR lpszDesc,
_In_opt_ PVOID Address,
_In_ COLORREF BgColor,
_In_ COLORREF FontColor);
VOID ObDumpULargeInteger(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR ListEntryName,
_In_opt_ PULARGE_INTEGER Value);
VOID ObDumpListEntry(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR ListEntryName,
_In_opt_ PLIST_ENTRY ListEntry);

8
Source/WinObjEx64/props/propObjectDumpConsts.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPOBJECTDUMPCONSTS.H
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 04 Feb 2019
*
* Consts header file for Object Dump module.
*
@ -54,6 +54,8 @@
#define T_FLT_OBJECT L"FLT_OBJECT"
#define T_FLT_FILTER_FLAGS L"FLT_FILTER_FLAGS"
#define T_OBJECT_SYMBOLIC_LINK L"OBJECT_SYMBOLIC_LINK"
#define T_ALPC_PORT_OBJECT L"ALPC_PORT"
#define T_PALPC_PORT_OBJECT L"PALPC_PORT"
#define T_ALPC_HANDLE_TABLE L"ALPC_HANDLE_TABLE"

31
Source/WinObjEx64/props/propType.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPTYPE.C
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 28 Dec 2018
* DATE: 22 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -466,7 +466,7 @@ VOID propSetTypeDecodedAttributes(
}
}
else {
propSetTypeDecodeValue(hListRights, dwFlags, Context->RealTypeIndex);
propSetTypeDecodeValue(hListRights, dwFlags, Context->ShadowTypeDescription->Index);
}
}
@ -622,7 +622,8 @@ VOID propSetTypeInfo(
)
{
BOOL bOkay;
INT i, nIndex;
WOBJ_OBJECT_TYPE RealTypeIndex;
INT i;
POBJINFO pObject = NULL;
LPCWSTR lpTypeDescription = NULL;
OBJECT_TYPE_COMPATIBLE ObjectTypeDump;
@ -633,22 +634,21 @@ VOID propSetTypeInfo(
return;
}
nIndex = Context->RealTypeIndex;
if ((Context->RealTypeIndex > ObjectTypeUnknown) ||
(Context->RealTypeIndex < ObjectTypeDevice))
{
nIndex = ObjectTypeUnknown;
RealTypeIndex = Context->ShadowTypeDescription->Index;
if ((RealTypeIndex > ObjectTypeUnknown)) {
RealTypeIndex = ObjectTypeUnknown;
}
//if type is not known set it description to it type name
if (nIndex == ObjectTypeUnknown) {
if (RealTypeIndex == ObjectTypeUnknown) {
lpTypeDescription = Context->lpObjectType;
}
else {
//set description
RtlSecureZeroMemory(&szType, sizeof(szType));
if (LoadString(
g_WinObj.hInstance,
TYPE_DESCRIPTION_START_INDEX + nIndex,
Context->TypeDescription->ResourceStringId,
szType,
(MAX_PATH * sizeof(WCHAR)) - sizeof(UNICODE_NULL)))
{
@ -657,6 +657,7 @@ VOID propSetTypeInfo(
else {
lpTypeDescription = Context->lpObjectType;
}
}
//check if we have object address and dump object
@ -681,14 +682,14 @@ VOID propSetTypeInfo(
}
//if type is not known set it description to it type name
if (Context->RealTypeIndex == ObjectTypeUnknown)
if (RealTypeIndex == ObjectTypeUnknown)
lpTypeDescription = Context->lpObjectName;
else {
//set description
RtlSecureZeroMemory(&szType, sizeof(szType));
if (LoadString(
g_WinObj.hInstance,
TYPE_DESCRIPTION_START_INDEX + Context->RealTypeIndex,
Context->ShadowTypeDescription->ResourceStringId,
szType,
(MAX_PATH * 2) - sizeof(UNICODE_NULL)))
{
@ -841,7 +842,7 @@ INT_PTR CALLBACK TypePropDialogProc(
if (Context) {
hDc = BeginPaint(hwndDlg, &Paint);
if (hDc) {
ImageList_Draw(g_ListViewImages, Context->RealTypeIndex, hDc, 24, 34,
ImageList_Draw(g_ListViewImages, Context->ShadowTypeDescription->ImageIndex, hDc, 24, 34,
ILD_NORMAL | ILD_TRANSPARENT);
EndPaint(hwndDlg, &Paint);
}

19
Source/WinObjEx64/props/propTypeConsts.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2018
* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPTYPECONSTS.H
*
* VERSION: 1.70
* VERSION: 1.72
*
* DATE: 30 Nov 2018
* DATE: 13 Feb 2019
*
* Consts header file for Type property sheet.
*
@ -332,7 +332,7 @@ static VALUE_DESC a_WinstaProp[MAX_KNOWN_WINSTA_ATTRIBUTES] = {
};
//Known WmiGuid Access Rights
#define MAX_KNOWN_WMIGUID_ATTRIBUTES 12
#define MAX_KNOWN_WMIGUID_ATTRIBUTES 13
static VALUE_DESC a_WmiGuidProp[MAX_KNOWN_WMIGUID_ATTRIBUTES] = {
{ L"WMIGUID_QUERY", WMIGUID_QUERY },
{ L"WMIGUID_SET", WMIGUID_SET },
@ -345,7 +345,8 @@ static VALUE_DESC a_WmiGuidProp[MAX_KNOWN_WMIGUID_ATTRIBUTES] = {
{ L"TRACELOG_ACCESS_KERNEL_LOGGER", TRACELOG_ACCESS_KERNEL_LOGGER },
{ L"TRACELOG_CREATE_INPROC", TRACELOG_CREATE_INPROC },
{ L"TRACELOG_ACCESS_REALTIME", TRACELOG_ACCESS_REALTIME },
{ L"TRACELOG_REGISTER_GUIDS", TRACELOG_REGISTER_GUIDS }
{ L"TRACELOG_REGISTER_GUIDS", TRACELOG_REGISTER_GUIDS },
{ L"TRACELOG_JOIN_GROUP", TRACELOG_JOIN_GROUP }
};
//Known TmTx Access Rights
@ -409,15 +410,15 @@ static VALUE_DESC a_TpwfProp[MAX_KNOWN_TPWORKERFACTORY_ATTRIBUTES] = {
//Known PcwObject Access Rights
#define MAX_KNOWN_PCWOBJECT_ATTRIBUTES 2
static VALUE_DESC a_PcwProp[MAX_KNOWN_PCWOBJECT_ATTRIBUTES] = {
{ L"PCW_READ", 0x0001L },
{ L"PCW_WRITE", 0x0002L }
{ L"PCW_QUERY_ACCESS", 0x0001L },
{ L"PCW_MODIFY_ACCESS", 0x0002L }
};
//Known Composition Access Rights
#define MAX_KNOWN_COMPOSITION_ATTRIBUTES 2
static VALUE_DESC a_CompositionProp[MAX_KNOWN_COMPOSITION_ATTRIBUTES] = {
{ L"COMPOSITIONSURFACE_READ", 0x0001L },
{ L"COMPOSITIONSURFACE_WRITE", 0x0002L }
{ L"COMPOSITIONSURFACE_READ", COMPOSITIONSURFACE_READ },
{ L"COMPOSITIONSURFACE_WRITE", COMPOSITIONSURFACE_WRITE }
};
//Known Memory Partition Access Rights

BIN
Source/WinObjEx64/resource.h
View File

Binary file not shown.

BIN
Source/WinObjEx64/rsrc/140.ico
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.5 KiB

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
Source/WinObjEx64/rsrc/141.ico
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.5 KiB

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
Source/WinObjEx64/rsrc/149.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.5 KiB

46
Source/WinObjEx64/sup.c
View File

@ -4,9 +4,9 @@
*
* TITLE: SUP.C
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 01 Feb 2019
* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -1104,7 +1104,7 @@ BOOL supxIsSymlink(
WCHAR ItemText[MAX_PATH + 1];
RtlSecureZeroMemory(ItemText, sizeof(ItemText));
ListView_GetItemText(hwndList, iItem, 1, ItemText, MAX_PATH);
return (_strcmpi(ItemText, g_ObjectTypes[ObjectTypeSymbolicLink].Name) == 0);
return (_strcmpi(ItemText, OBTYPE_NAME_SYMBOLIC_LINK) == 0);
}
/*
@ -3480,7 +3480,6 @@ PSID supQueryProcessSid(
HANDLE hProcessToken = NULL;
PSID result = NULL;
if (NT_SUCCESS(NtOpenProcessToken(hProcess, TOKEN_QUERY, &hProcessToken))) {
result = supQueryTokenUserSid(hProcessToken);
@ -4384,3 +4383,42 @@ VOID supCopyTreeListSubItemValue(
return;
}
}
/*
* supBSearch
*
* Purpose:
*
* Binary search, https://github.com/torvalds/linux/blob/master/lib/bsearch.c
*
*/
PVOID supBSearch(
_In_ PCVOID key,
_In_ PCVOID base,
_In_ SIZE_T num,
_In_ SIZE_T size,
_In_ int(*cmp)(
_In_ PCVOID key,
_In_ PCVOID elt
)
)
{
const char *pivot;
int result;
while (num > 0) {
pivot = (char*)base + (num >> 1) * size;
result = cmp(key, pivot);
if (result == 0)
return (void *)pivot;
if (result > 0) {
base = pivot + size;
num--;
}
num >>= 1;
}
return NULL;
}

14
Source/WinObjEx64/sup.h
View File

@ -4,9 +4,9 @@
*
* TITLE: SUP.H
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 01 Feb 2019
* DATE: 09 Feb 2019
*
* Common header file for the program support routines.
*
@ -431,3 +431,13 @@ PSID supQueryProcessSid(
VOID supCopyTreeListSubItemValue(
_In_ HWND TreeList,
_In_ UINT ValueIndex);
PVOID supBSearch(
_In_ PCVOID key,
_In_ PCVOID base,
_In_ SIZE_T num,
_In_ SIZE_T size,
_In_ int(*cmp)(
_In_ PCVOID key,
_In_ PCVOID elt
));

26
Source/WinObjEx64/ui.h
View File

@ -4,9 +4,9 @@
*
* TITLE: UI.H
*
* VERSION: 1.71
* VERSION: 1.72
*
* DATE: 19 Jan 2019
* DATE: 09 Feb 2019
*
* Common header file for the user interface.
*
@ -33,7 +33,7 @@ typedef HWND(WINAPI *pfnHtmlHelpW)(
_In_ DWORD_PTR dwData
);
#define PROGRAM_VERSION L"1.7.1"
#define PROGRAM_VERSION L"1.7.2"
#ifdef _USE_OWN_DRIVER
#define PROGRAM_NAME L"Windows Object Explorer 64-bit (Non-public version)"
#else
@ -53,6 +53,7 @@ typedef HWND(WINAPI *pfnHtmlHelpW)(
#define T_COPYADDINFO L"Copy Additional Info Field Text"
#define T_SAVETOFILE L"Save list to File"
#define T_DUMPDRIVER L"Dump Driver"
#define T_VIEW_REFRESH L"Refresh"
typedef enum _WOBJ_DIALOGS_ID {
wobjFindDlgId = 0,
@ -110,13 +111,14 @@ typedef struct _PROP_OBJECT_INFO {
BOOL IsPrivateNamespaceObject;
BOOL IsType; //TRUE if selected object is object type
INT TypeIndex;
INT RealTypeIndex;//save index for type
DWORD ObjectFlags;//object specific flags
LPWSTR lpObjectName;
LPWSTR lpObjectType;
LPWSTR lpCurrentObjectPath;
LPWSTR lpDescription; //description from main list (3rd column)
ULONG_PTR Tag;
WOBJ_TYPE_DESC *TypeDescription;
WOBJ_TYPE_DESC *ShadowTypeDescription; //valid only for types, same as TypeDescription for everything else.
OBJINFO ObjectInfo; //object dump related structures
PROP_NAMESPACE_INFO NamespaceInfo;
} PROP_OBJECT_INFO, *PPROP_OBJECT_INFO;
@ -150,3 +152,19 @@ typedef struct _PROCEDURE_DESC {
//props used by ipc dialogs
#define T_IPCDLGCONTEXT TEXT("IpcDlgContext")
//Calendar
static LPCWSTR g_szMonths[12] = {
L"Jan",
L"Feb",
L"Mar",
L"Apr",
L"May",
L"Jun",
L"Jul",
L"Aug",
L"Sep",
L"Oct",
L"Nov",
L"Dec"
};

89
WinObjEx64.sha256
View File

@ -1,6 +1,6 @@
8e1c7d83f179b6bbf4b58f8197bd818b8a2306e6b3ecd901e9f51eae024277c9 *Compiled\WHATSNEW.md
4a46067ec090efbe3dab6831884c9d17d54d9f3a8f957fcb4f59b3b8ba52c962 *Compiled\WinObjEx64.chm
991634ab2e46f44bf1eaaf32891f72532220ff882454042bff6d7a09718ff1d9 *Compiled\WinObjEx64.exe
8e1c7d83f179b6bbf4b58f8197bd818b8a2306e6b3ecd901e9f51eae024277c9 *Compiled\WHATSNEW_170.md
748407cda69ae83a1fca08b2452bcd67cd4f2bcde8cae5aa88ea49df9651216c *Compiled\WinObjEx64.chm
c57f43692e6798c364be17530a5317f6cd067601a7078572f0bf992e088796d2 *Compiled\WinObjEx64.exe
0505a450a13d5b742df2395c90af4e3029b05ce2157ee68f0c9e18a580c88091 *Docs\Callbacks.pdf
7e2b0bcb3a2f0947f1effed2306d0178e4ad28da6427d5d7735017630bfb960a *Screenshots\CallbackObjectView.png
1f1f748519bbb30d09b472bf89fa0c74bf32426010b2f06fc3a4c5defaa3ee10 *Screenshots\CallbacksView.png
@ -17,57 +17,57 @@ df0143ec4da2387e3aa1694145f8fb1f53cac46fb6e7d608cf9c49ca89bab1dc *Screenshots\Vi
ef65a909e8d9bc7ec94ecbc0f465f24a7968d6675eadf7f25f6414c66d6b28be *Screenshots\ViewingTypeInformation.png
89ac7dc1b82a69e0726ace4a604602ddc8d7b48f25d2ad36cdbad7d248991848 *Screenshots\ViewingUserSharedData.png
3e1712af4fa1c6e71d266c7884e26c5a519e5ae9deda552e78556bbfc0eb2c3a *Screenshots\W32pServiceTableView.png
d69a5fbaf3c3158e15f688ffe252d869bd29874d0002410272f0f25cbe2f4e58 *Source\CHANGELOG.txt
435dcdb066fded11143b91ff0aff340a8235107530f86d09abbd8e83154eb545 *Source\FileList.txt
a2c853517bb6199143e4ad19aac12ce642c63ddcf8c89f87753578ae422db16f *Source\TypesWithNoDesc.txt
f77fba50d1ccfa9cd83abb92e370f0ff884361483be74806884d667a9297ab99 *Source\CHANGELOG.txt
f8b207b25e99f1f414123b3bf1c9a3e419822fd6a74b7388ac264ec4ddd47e8d *Source\FILELIST.txt
55eed414926c47b0bfc5000eeabb882d77d78e17b5be94ca229e681f009b0740 *Source\TypesWithNoDesc.txt
c9f95efd2433985838f6a45acc77464e0e79ea088b6ccbc267fd76bfb87029a2 *Source\WinObjEx64.sln
39a976ac4e1b76c2058815c5017bd3acceb69950286cfdf8c5704b7e31b8cca0 *Source\drvstore\kldbgdrv.sys
b54346cdab9640b4a2a712b2757f0ee556790bf2b760f9f935bac728cea56064 *Source\WinObjEx64\aboutDlg.c
3fad58265a1eb1916ca0640e6b57c7729184f9eb92adf45b36bd5a4429602954 *Source\WinObjEx64\aboutDlg.c
dc5ad976533a91292022a15f741a95d04663849c34fced1432a830726341d51d *Source\WinObjEx64\aboutDlg.h
4ec2d4d3e73a5472aa235fe7032d5e5e04065ff87d9d8c2fe9df81b9815feb55 *Source\WinObjEx64\driver.rc
ba8dddb70f735eb298320c63a0a27ff8b0c0394c7f5b1ed002bccbc2f032b985 *Source\WinObjEx64\excepth.c
467f27b865de15a9b5b6ddfff46e4708eccb42ed6a242fe2b197d6d2929809c3 *Source\WinObjEx64\excepth.h
61a2525be8918f83d2d8b330f0c33d660021932f9f70db3e4e65244aba1527c9 *Source\WinObjEx64\extapi.c
4fb99303a81ea8c4dfe95e1e8638a2894f91e08972cf1ae0eca9048e7a9ff027 *Source\WinObjEx64\extapi.c
100c2f0dedfb35e356474d943635fea498a5cd9b3fc909d722e40c0ced3960d0 *Source\WinObjEx64\extapi.h
738fc0632dd9d1581ac87597e3f952cec3a8424a637e54d989847faa80c8ea5e *Source\WinObjEx64\findDlg.c
8cc5a4ba98d74221405a13cde0f357db970500a4b44c711b5fd97d30cce904e8 *Source\WinObjEx64\findDlg.h
f99ece56cf6280f34e7d4be584196c27ca372918ee5093bf1f6e9e867e81cb8c *Source\WinObjEx64\global.h
530b49b87a69ae214ebbb6ba5ca8d3f922b9772ee20e3907bcb48b1ac1c8084e *Source\WinObjEx64\instdrv.c
5ab4e6a630152e02897f0ff346dcf0ae22fdbf2092f1243b9a0ce4e10fadaddd *Source\WinObjEx64\instdrv.h
b345322eabe17a9c662c61a6fe60b0e72455e85ab319ce6b071b69ccc76ad47c *Source\WinObjEx64\kldbg.c
4c2280fd66d3596e738a7fcfbe6cf8a2a67762c8ecb406f0b0733d82d2677596 *Source\WinObjEx64\kldbg.h
cfc3495684b13e4dc5f502c51b984b45600c9d2e7b182eb7fbf33660155e1f2f *Source\WinObjEx64\kldbg_patterns.h
3b2cc0b4b892f5f928902645c3dc005e83192cf1cf484cf5c878c399297a82e0 *Source\WinObjEx64\list.c
603a09f06dddb67dfe124dcd50f1eed217797b814a11087bd40d0c562447ded3 *Source\WinObjEx64\global.h
9adbc81cfdcb542b403e88c3430d2f13851990263e0cbeb3890a098f313eef61 *Source\WinObjEx64\instdrv.c
9fdf8d26ea566d84e8907d7363f418263a2b9f3d5aa4df2f1211a28c29e0646b *Source\WinObjEx64\instdrv.h
b04efd24b370b02b091de165ec4ad56c2882902ed1f85b8920f9dc85fa2c0c60 *Source\WinObjEx64\kldbg.c
0b995bf2da74509ad1b8427434616f2f123b62e4581b46fe37fa3c1d23d3d3d4 *Source\WinObjEx64\kldbg.h
d8bf76d9d920f6ae72379ce7823d1dd7e0696af2cb238da84b5543eff9ab188a *Source\WinObjEx64\kldbg_patterns.h
dc42e005dd90e849a6c0a3f58de6cdb177849b4409fa8b7700feee98c5ef6032 *Source\WinObjEx64\list.c
6e82d0f095bdcf1676445ae46f9fb455164108a3ea242f83793e964158e47f4a *Source\WinObjEx64\list.h
0fafe52f7d949d9ed176428d08b3734cdd254dd60770aca08a0556ead9fa7089 *Source\WinObjEx64\main.c
d70817a4356fb5a18af13b8af2d6a8e17b19a8fcebe3cd2de8f1a16477f8f6a7 *Source\WinObjEx64\msvcver.h
ce4ff41bfeac1cef9339aa47939a8c3e2dee530b208e6f64c01d06dcdd274a7c *Source\WinObjEx64\objects.c
ab0e909baa2ca37b927c50ba073c2e2a0329a5505d1831e126cf705f1db11270 *Source\WinObjEx64\objects.h
d8c7e8cd5cec2393c04733de10aebf6e838142f7e4f13089cab704567a76efe9 *Source\WinObjEx64\resource.h
dceabde79d34813a02d21c1bd6d5f2e861ec549092e7a2fb0fb81bfd78da3c94 *Source\WinObjEx64\Resource.rc
7765f8e2a12d25913738c22c28120042ad61eb7ac5cedcdd720825f04a4da0b9 *Source\WinObjEx64\sup.c
678a829f397380c638490d528edbf3576dc6bdff1c7f0c932c4685ff1772dd3c *Source\WinObjEx64\sup.h
dfa933659ef14a453462ff9f428f4b624468964790b2cc38eafad8022acb73c2 *Source\WinObjEx64\main.c
5d2b9be96b42044e0f09a6a901c194934a1dc2d2e7cf14d65e6414b22ec89765 *Source\WinObjEx64\msvcver.h
ecc472d36f44c6db7571c203b6e543fab8da8a6e7e36d169cd4bb7c52c77b06a *Source\WinObjEx64\objects.c
448bf80a44f7cf7a142cbaa2f62586dff5276d1ebf4add3573bb40a87da1d58c *Source\WinObjEx64\objects.h
3dc0da2c01d407155e635387aad805ce4f6a33cd3d5fb1d98eba32d51f726f21 *Source\WinObjEx64\resource.h
381991cd3beb2b1f2ef61b5a7a86c5b5861e0f5d70fcc6e17d5c8701e4b3c4f6 *Source\WinObjEx64\Resource.rc
3dd9823d9e7751fa35ffd60da4a2ff053ec2f559467e74834b61da036aff8d5a *Source\WinObjEx64\sup.c
77031bcbb6a05b3665a70d7be02ff9b8f48c92bb8b3695bb93a58086823e1a81 *Source\WinObjEx64\sup.h
33d3b8fb0ea05c6fa998ea9527353a8d617a9411257098a40a4a39972527a711 *Source\WinObjEx64\supConsts.h
c338ebdb4ddbec272f3958afa05876c9f48b0bc66fb7d201c15a6f64f26d1296 *Source\WinObjEx64\ui.h
a9e1d6b0cb1b218c971a6d41ae64343d418c0279e988b59ddc61e5b7297b212e *Source\WinObjEx64\ui.h
5e975a2d43c51d73446039da0add1d51624fe3e97656cc559e73a39d553a7003 *Source\WinObjEx64\wine.h
c18b9f79e9b934f3c9473c73e3e740b5ecdb60a29478a176e12f4bfa4f773c27 *Source\WinObjEx64\WinObjEx64.vcxproj
260e90cfd24137412e50b6ca76e005758d68b23300e33525bb797f9e3f01018b *Source\WinObjEx64\WinObjEx64.vcxproj.filters
08fb2208b91067923cd91c810f7b3032a31b5c6f4888285ace9dcb41ed6b2cdb *Source\WinObjEx64\WinObjEx64.vcxproj
00f3e0ffdad0dfd20add96ce5c843a55b99a9234fa800c3913d9c531f95e9a5f *Source\WinObjEx64\WinObjEx64.vcxproj.filters
3f17b057283ed56debd29362433d0a97edf622e91005b2d15bca0cbb222e154f *Source\WinObjEx64\WinObjEx64.vcxproj.user
8f8df7e5603f6b86c0cf90977d46d966b7d1c27c1f82a1404afdd4b3e33450cf *Source\WinObjEx64\extras\extras.c
42ed73c850d44ad2d3be6e9c7a1b49ceb610a17e3895fbcc323433b991c994b2 *Source\WinObjEx64\extras\extras.h
35b76a831c46bcd60a43a98ea777a5869a96fd2345e2655071394b166e842d3e *Source\WinObjEx64\extras\extrasCallbacks.c
f67495f4109f7a7bf8e52f61b5d54c1102292f956a835bd9bb12281e59b39bb7 *Source\WinObjEx64\extras\extrasCallbacks.c
28618459665591661138fbceee04deb7b15349cf502d994ecebd2a8846d89589 *Source\WinObjEx64\extras\extrasCallbacks.h
49aded1f2d137161240c28e96d73e7bfee46c8005204c5ed5dceb03f691a8de4 *Source\WinObjEx64\extras\extrasDrivers.c
785f014543b3f3e1aac708b492d044d4af785754cbbd2e2ea52f8c6035659306 *Source\WinObjEx64\extras\extrasDrivers.c
48c930afb73678d4614bf2dbf0df9295b08a9af80a5f9c878eeb2bf9f53c6c95 *Source\WinObjEx64\extras\extrasDrivers.h
4ef4c9426010a9b0bc49cfc2c6e3efdec4b083bf085b7fe25995748ff86061d9 *Source\WinObjEx64\extras\extrasIPC.c
d21e27bf35c5add1eedec3234fb358fbbc4c585c3de22326ac9581b59a8983d0 *Source\WinObjEx64\extras\extrasIPC.h
a79123df6a08dead27d757985fab61f5eb784e619e375373523248fb24015e60 *Source\WinObjEx64\extras\extrasPN.c
e4babe73cff1674da165494e3fb5c06a985a98206cf0ec88febed3a83a013580 *Source\WinObjEx64\extras\extrasPN.c
64e75cbaa0ce129f674a9a441a3045f37e74f853f34fd93caac5533bb174a019 *Source\WinObjEx64\extras\extrasPN.h
2b70c9cedac01733cbc02e39d2597cf250062a4450c277feb16bad6d4b5273d6 *Source\WinObjEx64\extras\extrasPSList.c
addfa0d83e8f8710ee42e7a9bcfcae12616040c4672122bd4cd240d1e7129399 *Source\WinObjEx64\extras\extrasPSList.c
fa879292d7bd5850c0ea3912bdb7490e14fcd81d4deaa9ea8b450539143c43b4 *Source\WinObjEx64\extras\extrasPSList.h
456cc06a72b25d1bbbfc84ddc73484da008dac593245f538f89dd3b57b07b9fb *Source\WinObjEx64\extras\extrasSSDT.c
2b0611c856947a2c76412d66170b26f337f7cc0398553e253da72bfe9d6d8a0f *Source\WinObjEx64\extras\extrasSSDT.c
cb534bcebbee49f4f9178e5e291bb43edae6af77b15919532539eb19d3ee23ac *Source\WinObjEx64\extras\extrasSSDT.h
166b31d3f738086638d17b538063a4d0aaec2e04c81c0f0a4c4b22d2e6a74d43 *Source\WinObjEx64\extras\extrasUSD.c
50602cc27500bbdefe353ff2594c24e66386b263247471feb9065ef593cd9b87 *Source\WinObjEx64\extras\extrasUSD.c
fea8d9645bac11c7521f91a122947716b459a335cb25f0d649a0d201f661f78b *Source\WinObjEx64\extras\extrasUSD.h
16726c4330d7db5d56a5a11503314533b170783441c3f8282b66f126295a289e *Source\WinObjEx64\hde\hde64.c
e99aa4997bda14b534c614c3d8cb78a72c4aca91a1212c8b03ec605d1d75e36e *Source\WinObjEx64\hde\hde64.h
@ -101,29 +101,29 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\WinObjE
52e3d39c69c43264b2f8d9bcdfce0f763a5e92d091eef59ea2a0294b4b19641c *Source\WinObjEx64\minirtl\_strstr.c
52a696ae714eb81033c477d1ec6c01389eef56c847609e89d360c2fb6899b4b6 *Source\WinObjEx64\minirtl\_strstri.c
0cd425ef96247657ab55443c9b3bc9a90f0c18f634979942693553d0f764c601 *Source\WinObjEx64\ntos\ntalpc.h
91c2d5ba57d5f65d37ed1f9bbe9f9cd71060ae1d064b4bc5db26c3241fec7421 *Source\WinObjEx64\ntos\ntos.h
09df22b5471ca1b87090aae217dfade6d8486cbea3096229467b033aff5ac963 *Source\WinObjEx64\ntos\ntos.h
14b0a442647904db5476d14a1d9710bd83587f168b4b182465e5902d24676870 *Source\WinObjEx64\ntuser\StubNtUserOpenWindowStation.asm
3f7f35063af9a91db94b944417e00d4746489caab81a355c19fd57e028017c08 *Source\WinObjEx64\props\propBasic.c
647f66b0d827147b98206bd824c5131692589a07d0eaba5e924eefc2c7e68cb5 *Source\WinObjEx64\props\propBasic.c
45e2088b0320c02cca2559f6e5183a4eb2a289021f5488d65ba6230e208557e9 *Source\WinObjEx64\props\propBasic.h
e6cfba260e739c3cef422969b9934b0134af39cd76ef0d0b0f318b1c8e065b22 *Source\WinObjEx64\props\propBasicConsts.h
b0e5ed0f9c9ac7eb2e60ee8c01df3eb0a6b6fffec78b3fc75b59d725babedaa0 *Source\WinObjEx64\props\propDesktop.c
7fe59b0060873ee0df0fb94b6b314c64368b993f976d866bd4cc0bfc05c6e08d *Source\WinObjEx64\props\propBasicConsts.h
8f2e93839c174ee9746c348646d7c7fc0e31df1d4e19398e0cd433bfb8dfc641 *Source\WinObjEx64\props\propDesktop.c
047e4d17c76908889af6e7e80da91b04a3707a190acc0f7d2b26e98bcf80e3b2 *Source\WinObjEx64\props\propDesktop.h
4a09cdf02a357b420044294cd1b53922b9a286008871354a365ade4206f34377 *Source\WinObjEx64\props\propDlg.c
f2e187d30e75a0f55e9813362f1e12703025c2de35ff4db8734efbb67ad014d8 *Source\WinObjEx64\props\propDlg.c
fe5617e6d4eb9eb3db061bc0cc4db37572a6f40217c477cafa1d732faecc5a6f *Source\WinObjEx64\props\propDlg.h
ebe54be6735690140fa6d3ed06c452a26e0321e9b13db7973042cca72a588f51 *Source\WinObjEx64\props\propDriver.c
8dd63e57115728cdea4c326e5cde9acfe6015b2b088ec36022cd9f81e216e179 *Source\WinObjEx64\props\propDriver.h
721bf384ee6ba44cb118a4bfde7ffba669024059e3120b8cae40e98228eba6df *Source\WinObjEx64\props\propDriverConsts.h
0bfda1b472921ce75e9ea44ee104aca4af4bb34d52405aaa02038b0829f67413 *Source\WinObjEx64\props\propObjectDump.c
b389838466982a5e42acd27fcb132a2ddc6cfc427a22340a03d4853e500d1a3f *Source\WinObjEx64\props\propObjectDump.h
1d4d6ad76c2bd770ff7d8a18fde927bac33c4be3b0a95fadca235f6cb2e10d2d *Source\WinObjEx64\props\propObjectDumpConsts.h
d5d4822f359a3a242ed57844660f1bf75ad70430dcfe18bd2f6ac712829174f9 *Source\WinObjEx64\props\propObjectDump.c
da1cf96a7d85faec3db810f5c4061a6322c252fcead01cbf8ac728e7deffee23 *Source\WinObjEx64\props\propObjectDump.h
5be336077afb54251046d0dde12b4cb7890bf591f869419bce202c160610852d *Source\WinObjEx64\props\propObjectDumpConsts.h
ef9b4c9033cc81077ee821a76b61522b0927bfb15e9867b4b50a320522e951c2 *Source\WinObjEx64\props\propProcess.c
7ce4c79b1d7a93691cc457d01836209b51f25addc07a0875888e01a6c9a77358 *Source\WinObjEx64\props\propProcess.h
ef9ccfb285825bffe0b6df592feba3163efc5d82e0f74fd8cf4367c6fef6e53c *Source\WinObjEx64\props\propSecurity.c
04a1b78030155ec6d59560472c09219e71ea98f79a4f3193016e6395876d8953 *Source\WinObjEx64\props\propSecurity.h
64527a569ee9f6254dfc8c39e3063ed93220077a3bab61179f64ce9c47ffe90e *Source\WinObjEx64\props\propSecurityConsts.h
a94c48527eb134e2891ca689a484c3b1012ff45d5058ebc4d0ccebb5ccce33b2 *Source\WinObjEx64\props\propType.c
f2024dac12d4ac5c674fe9f684401ca5c109518dcf0a340e350cecb73a57e3e4 *Source\WinObjEx64\props\propType.c
5e4fb7e44a7970c4ac6c29aefcc9aefc807444eefdd0cc1c9c9357693dfd64fd *Source\WinObjEx64\props\propType.h
e413d8fb74fcfc86cf95f09a3f19c9e567e6bde49abed19e12b3abb59d121acc *Source\WinObjEx64\props\propTypeConsts.h
74f6500dec478be0919045ddec9475491f5f6dd7e81923650136543ed98ea69c *Source\WinObjEx64\props\propTypeConsts.h
51f0d1a560dd77a7f3164ae2c8f9801d6a2902bd5cfd367db522199aca35b1ff *Source\WinObjEx64\rsrc\100.ico
eca976b7dd50ea206588610ccb938fbc437f7165c667e19239bf0d36d4af22f9 *Source\WinObjEx64\rsrc\101.ico
09ee2f9dfd3a4a4d8df268ed909588a94db0e97a1601ba8d4b7e6441a1626395 *Source\WinObjEx64\rsrc\102.ico
@ -164,8 +164,8 @@ e7c85ed89b5d857139145b13f4328bdd3a34fc035297c17fd3fe2d1736e4730c *Source\WinObjE
48e6428033026931e329efadc23570a1d4b7bf57fc36e0d62fdecf0925476765 *Source\WinObjEx64\rsrc\137.ico
c4ee9cbe0d348dbdf11863793740e6ae9c85e04697e14d55ee0d94d3c26075e2 *Source\WinObjEx64\rsrc\138.ico
d2972e9f2939e3994392ffc354cd6ff8cf34e840e78b82924e7bc7f2c4f0a30f *Source\WinObjEx64\rsrc\139.ico
8f9549bee6fd48ea84b863a5f435acb61a5d2ae8364c46569cc4500b4b191564 *Source\WinObjEx64\rsrc\140.ico
8f9549bee6fd48ea84b863a5f435acb61a5d2ae8364c46569cc4500b4b191564 *Source\WinObjEx64\rsrc\141.ico
29d2e06261583cce28344f0d07599fd515adbd03931ad5ba83e7b4c2072ba6ab *Source\WinObjEx64\rsrc\140.ico
29d2e06261583cce28344f0d07599fd515adbd03931ad5ba83e7b4c2072ba6ab *Source\WinObjEx64\rsrc\141.ico
d04ca5ee65eb7725a3471c7c92ce432b253de1545d70cf8b242c72253244bbae *Source\WinObjEx64\rsrc\142.ico
f78861d00d015c07a302f3c4ced26dca21ecfd06cc3032fa02fcc932debf72f5 *Source\WinObjEx64\rsrc\143.ico
1249a3e62e06a927ef8440f2044f4f7aa1f02b8596aa19d50ed9953837a2ff6d *Source\WinObjEx64\rsrc\144.ico
@ -173,6 +173,7 @@ f78861d00d015c07a302f3c4ced26dca21ecfd06cc3032fa02fcc932debf72f5 *Source\WinObjE
06c00255a15fad435aef3cfa8fdee90743b7c53b8941cb95ac71ef76ef3f7465 *Source\WinObjEx64\rsrc\146.ico
e618987e93fa0e7879425b24bf1a361f0b2e92bfddb6c391c117fa2829b09795 *Source\WinObjEx64\rsrc\147.ico
0ebed6c8cb501b590286cedc73ca7ef47d2f9bd94c0371f7edb9fb1581003fe6 *Source\WinObjEx64\rsrc\148.ico
bfda6e30ed8c80e98ec5cc7e975ce19db610d1ba8c85e96600878e381027e161 *Source\WinObjEx64\rsrc\149.ico
38d5b754af9e2dfcbe2161e6369651ff86c24ef223023225bc489de04232072e *Source\WinObjEx64\rsrc\6001.ico
15334c419dee330554a8549920b9241d865590cc7641722f7d31f8f612256d86 *Source\WinObjEx64\rsrc\6002.ico
335bc0b008ef6051ac45cca928176d60fdf6fe7e4c1550eedf78d0cc6b56ac2a *Source\WinObjEx64\rsrc\Bitmap_125.bmp