diff --git a/Compiled/WHATSNEW.md b/Compiled/WHATSNEW_170.md
similarity index 100%
rename from Compiled/WHATSNEW.md
rename to Compiled/WHATSNEW_170.md
diff --git a/Compiled/WinObjEx64.chm b/Compiled/WinObjEx64.chm
index 10483fa..ad28be6 100644
Binary files a/Compiled/WinObjEx64.chm and b/Compiled/WinObjEx64.chm differ
diff --git a/Compiled/WinObjEx64.exe b/Compiled/WinObjEx64.exe
index c4fbce3..54fb44f 100644
Binary files a/Compiled/WinObjEx64.exe and b/Compiled/WinObjEx64.exe differ
diff --git a/README.md b/README.md
index 87a2ea4..3ac6b0b 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ In order to build from source you need Microsoft Visual Studio 2013 U4 or Visual
# What is new
-[Whats New in 1.7](https://github.com/hfiref0x/WinObjEx64/blob/master/Compiled/WHATSNEW.md)
+[Whats New in 1.7](https://github.com/hfiref0x/WinObjEx64/blob/master/Compiled/WHATSNEW_170.md)
# Authors
diff --git a/Source/CHANGELOG.txt b/Source/CHANGELOG.txt
index 38267a3..ecd3f7a 100644
--- a/Source/CHANGELOG.txt
+++ b/Source/CHANGELOG.txt
@@ -1,3 +1,9 @@
+v1.7.2
++ symbolic link object dump
++ internal fixes after profiling
++ support for 19H1 SeCiCallbacks scan
++ added and updated more object type descriptions
+
v1.7.1
+ SeCiCallbacks/g_CiCallbacks, DbgkLmdCallbacks added to the callbacks viewer
+ Session object view and access rights, merge pull request #8 #9
diff --git a/Source/FILELIST.txt b/Source/FILELIST.txt
index 87aadd9..5de8aa8 100644
--- a/Source/FILELIST.txt
+++ b/Source/FILELIST.txt
@@ -51,7 +51,7 @@ minirtl.h
msvcver.h - MS VisualC compiler versions header file
objects.c - known objects support functions
-objects.h
+objects.h - known objects table
propBasic.c - property sheet "Basic" handlers, including window procedures
propBasic.h
diff --git a/Source/TypesWithNoDesc.txt b/Source/TypesWithNoDesc.txt
index 55a79bc..87f55c1 100644
--- a/Source/TypesWithNoDesc.txt
+++ b/Source/TypesWithNoDesc.txt
@@ -1,23 +1,16 @@
-CoverageSampler - new RS4 object, ETW
-DmaAdapter
-DmaDomain
-IoCompletionReserve - same as IoCompletion except using reserve process allocated memory
-RawInputManager - DirectX Kernel Subsystem object
-UserApcReserve - same as NtQueueApc except using reserve process allocated memory
-WaitCompletionPacket
-Silo (r3 interface removed in 10240 release, object removed in TH2 builds)
-NetworkNamespace - managed by NDIS.sys (renamed to NdisCmState in RS1)
-VRegConfigurationContext - new RS1 object
-VirtualKey - new RS1 object (not present in RS2)
-PsSiloContextPaged - new RS1 object
-PsSiloContextNonPaged - new RS1 object
-RegistryTransaction - new RS1 object
-CoreMessagining - new RS1 object
-ActivityReference - new RS2 object
-EtwSessionDemuxEntry - new Win10 object
-DxgkCompositionObject - Dxgk
-DxgkDisplayManagerObject - Dxgk
-DxgkSharedBundleObject - Dxgk
-DxgkSharedKeyedMutextObject - Dxgk
-DxgkSharedProtectedSessionObject - Dxgk
ActivationObject - 19H1, win32k managed object
+ActivityReference - new RS2 object
+CoreMessagining - new RS1 object, win32k managed object
+CoverageSampler - new RS4 object, ETW
+EtwSessionDemuxEntry - new Win10 object
+IoCompletionReserve - same as IoCompletion except using reserve process allocated memory
+NetworkNamespace - managed by NDIS.sys (renamed to NdisCmState in RS1)
+PsSiloContextNonPaged - new RS1 object
+PsSiloContextPaged - new RS1 object
+RawInputManager - win32k managed object
+Silo (r3 interface removed in 10240 release, object removed in TH2 builds)
+UserApcReserve - same as NtQueueApc except using reserve process allocated memory
+VirtualKey - new RS1 object (not present in RS2)
+VRegConfigurationContext - new RS1 object
+WaitCompletionPacket
+
diff --git a/Source/WinObjEx64/Resource.rc b/Source/WinObjEx64/Resource.rc
index 212cf82..1930b59 100644
Binary files a/Source/WinObjEx64/Resource.rc and b/Source/WinObjEx64/Resource.rc differ
diff --git a/Source/WinObjEx64/WinObjEx64.vcxproj b/Source/WinObjEx64/WinObjEx64.vcxproj
index 96c3d42..86bbd0c 100644
--- a/Source/WinObjEx64/WinObjEx64.vcxproj
+++ b/Source/WinObjEx64/WinObjEx64.vcxproj
@@ -190,7 +190,6 @@
true
/NOCOFFGRPINFO %(AdditionalOptions)
UseFastLinkTimeCodeGeneration
- LinkVerboseLib
false
@@ -522,6 +521,7 @@
+
diff --git a/Source/WinObjEx64/WinObjEx64.vcxproj.filters b/Source/WinObjEx64/WinObjEx64.vcxproj.filters
index 9fa59ab..20b2cf2 100644
--- a/Source/WinObjEx64/WinObjEx64.vcxproj.filters
+++ b/Source/WinObjEx64/WinObjEx64.vcxproj.filters
@@ -513,6 +513,9 @@
Resource Files\graphics
+
+ Resource Files
+
diff --git a/Source/WinObjEx64/aboutDlg.c b/Source/WinObjEx64/aboutDlg.c
index b2e8c54..1962ef2 100644
--- a/Source/WinObjEx64/aboutDlg.c
+++ b/Source/WinObjEx64/aboutDlg.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: ABOUTDLG.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 03 Dec 2018
+* DATE: 03 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -123,6 +123,7 @@ VOID AboutDialogInit(
if (supQuerySecureBootState(&bSecureBoot)) {
wsprintf(_strend(szBuffer), TEXT(" with%ws SecureBoot"), (bSecureBoot == TRUE) ? TEXT("") : TEXT("out"));
}
+ g_kdctx.IsSecureBoot = bSecureBoot;
}
}
else {
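Review bot: `g_kdctx.IsSecureBoot = bSecureBoot;` sits after the closing brace of the `if (supQuerySecureBootState(&bSecureBoot))` block, so it also runs when the query fails and then stores whatever `bSecureBoot` held before the call. The declaration of `bSecureBoot` is outside the hunk, so whether it is initialised cannot be confirmed here; either move the assignment inside the `if` or initialise the local to `FALSE`. The value is later printed as `IsSecureBoot:` in the globals report, so a stale value would misreport the machine's boot security state. AboutDialogInit starts and ends outside the hunk.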
@@ -144,10 +145,28 @@ VOID AboutDialogInit(
VOID AboutDialogCollectGlobals(
_In_ LPWSTR lpDestBuffer)
{
- _strcpy(lpDestBuffer, TEXT("EnableExperimentalFeatures: "));
+ wsprintf(lpDestBuffer, TEXT("Winver: %u.%u.%u"),
+ g_WinObj.osver.dwMajorVersion,
+ g_WinObj.osver.dwMinorVersion,
+ g_WinObj.osver.dwBuildNumber);
+
+ _strcat(lpDestBuffer, TEXT("\r\n"));
+
+ _strcat(lpDestBuffer, TEXT("IsSecureBoot: "));
+ ultostr(g_kdctx.IsSecureBoot, _strend(lpDestBuffer));
+ _strcat(lpDestBuffer, TEXT("\r\n"));
+
+ _strcat(lpDestBuffer, TEXT("EnableExperimentalFeatures: "));
ultostr(g_WinObj.EnableExperimentalFeatures, _strend(lpDestBuffer));
_strcat(lpDestBuffer, TEXT("\r\n"));
+ _strcat(lpDestBuffer, TEXT("drvOpenLoadStatus: "));
+ ultostr(g_kdctx.drvOpenLoadStatus, _strend(lpDestBuffer));
+ if (g_kdctx.drvOpenLoadStatus == 0) {
+ _strcat(lpDestBuffer, TEXT(" (reported as OK)"));
+ }
+ _strcat(lpDestBuffer, TEXT("\r\n"));
+
_strcat(lpDestBuffer, TEXT("IsFullAdmin: "));
ultostr(g_kdctx.IsFullAdmin, _strend(lpDestBuffer));
_strcat(lpDestBuffer, TEXT("\r\n"));
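Review bot: `AboutDialogCollectGlobals` builds its report in `lpDestBuffer` with `wsprintf`, `_strcat` and `ultostr`, none of which take a destination length, and the function itself has no size parameter. This hunk adds three more output lines, so the caller's buffer (not visible here) has to be large enough for all of them. A comment on the function stating the required size, e.g. `// lpDestBuffer must hold at least <MIN_CCH> WCHARs` with the real figure filled in, would make the contract checkable; a length parameter would be stronger still. The function body continues past the hunk.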
diff --git a/Source/WinObjEx64/extapi.c b/Source/WinObjEx64/extapi.c
index 1b5eeea..0162fae 100644
--- a/Source/WinObjEx64/extapi.c
+++ b/Source/WinObjEx64/extapi.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2017 - 2018
+* (C) COPYRIGHT AUTHORS, 2017 - 2019
*
* TITLE: EXTAPI.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 03 Dec 2018
+* DATE: 06 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
diff --git a/Source/WinObjEx64/extras/extrasCallbacks.c b/Source/WinObjEx64/extras/extrasCallbacks.c
index 5f27c85..f55b9e5 100644
--- a/Source/WinObjEx64/extras/extrasCallbacks.c
+++ b/Source/WinObjEx64/extras/extrasCallbacks.c
@@ -4,9 +4,9 @@
*
* TITLE: EXTRASCALLBACKS.C
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 26 Jan 2019
+* DATE: 28 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -188,8 +188,8 @@ static const BYTE CiCallbackIndexes_Win10RS3[CI_CALLBACK_NAMES_W10RS3_COUNT] = {
22 //CiGetBuildExpiryTime
};
-#define CI_CALLBACK_NAMES_W10RS4_RS5_COUNT 24
-static const BYTE CiCallbackIndexes_Win10RS4_RS5[CI_CALLBACK_NAMES_W10RS4_RS5_COUNT] = { //Windows 10 RS4/RS5
+#define CI_CALLBACK_NAMES_W10RS4_19H1_COUNT 24
+static const BYTE CiCallbackIndexes_Win10RS4_19H1[CI_CALLBACK_NAMES_W10RS4_19H1_COUNT] = { //Windows 10 RS4/RS5/19H1
0, //CiSetFileCache
1, //CiGetFileCache
2, //CiQueryInformation
@@ -271,12 +271,10 @@ LPWSTR GetCiRoutineNameFromIndex(
case 17134:
case 17763:
- Indexes = CiCallbackIndexes_Win10RS4_RS5;
- ArrayCount = CI_CALLBACK_NAMES_W10RS4_RS5_COUNT;
- break;
-
default:
- return T_Unknown;
+ Indexes = CiCallbackIndexes_Win10RS4_19H1;
+ ArrayCount = CI_CALLBACK_NAMES_W10RS4_19H1_COUNT;
+ break;
}
if (Index >= ArrayCount)
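Review bot: Making `default:` select `CiCallbackIndexes_Win10RS4_19H1` means every build number not listed in the switch, including releases newer than 19H1, is now labelled from this table instead of returning `T_Unknown`. If a later build reorders or extends the CI callback table, the viewer would show confident but wrong routine names, which is worse for an analyst than an explicit unknown. Consider giving the 19H1 build its own `case` and keeping `default: return T_Unknown;`, or marking names resolved through the fallback as unverified. The earlier cases of the switch are outside the hunk.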
@@ -653,7 +651,8 @@ ULONG_PTR FindPopRegisteredPowerSettingCallbacks(
if (hs.len == 7) {
//
// lea rcx, PopRegisteredPowerSettingCallbacks
- // mov [rbx + 8], rax
+ // mov [rbx + 8], rax |
+ // cmp [rax], rcx
//
if ((ptrCode[Index] == 0x48) &&
(ptrCode[Index + 1] == 0x8D) &&
@@ -1299,6 +1298,10 @@ ULONG_PTR FindDbgkLmdCallbacks(
if (hs.len == 7) { //check if lea
+ //
+ // lea rcx, DbgkLmdCallbacks
+ //
+
if (((ptrCode[Index] == 0x4C) || (ptrCode[Index] == 0x48)) &&
(ptrCode[Index + 1] == 0x8D))
{
@@ -2074,7 +2077,7 @@ VOID DumpObCallbacks(
sizeof(Registration),
NULL))
{
- AltitudeSize = 8 + Registration.Altitude.Length;
+ AltitudeSize = 8 + (SIZE_T)Registration.Altitude.Length;
lpInfoBuffer = (LPWSTR)supHeapAlloc(AltitudeSize);
if (lpInfoBuffer) {
@@ -2798,7 +2801,7 @@ VOID CallbacksList(
_In_ HWND hwndDlg,
_In_ HWND TreeList)
{
- PRTL_PROCESS_MODULES Modules;
+ PRTL_PROCESS_MODULES Modules = NULL;
__try {
//
@@ -2879,14 +2882,15 @@ VOID CallbacksList(
MessageBox(hwndDlg, TEXT("An exception occured during callback query"), NULL, MB_ICONERROR);
}
- Modules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
- if (Modules == NULL) {
- MessageBox(hwndDlg, TEXT("Could not allocate memory for modules list."), NULL, MB_ICONERROR);
- return;
- }
-
__try {
+ Modules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
+ if (Modules == NULL) {
+ MessageBox(hwndDlg, TEXT("Could not allocate memory for modules list."), NULL, MB_ICONERROR);
+ __leave;
+ }
+
+
//
// List process callbacks.
//
@@ -3117,8 +3121,10 @@ VOID CallbacksList(
}
__finally {
- supHeapFree(Modules);
+ if (Modules) supHeapFree(Modules);
}
+
+ SetFocus(TreeList);
}
/*
@@ -3142,6 +3148,9 @@ VOID CallbacksDialogHandlePopupMenu(
hMenu = CreatePopupMenu();
if (hMenu) {
InsertMenu(hMenu, 0, MF_BYCOMMAND, ID_OBJECT_COPY, T_COPYADDRESS);
+ InsertMenu(hMenu, 1, MF_BYPOSITION | MF_SEPARATOR, 0, NULL);
+ InsertMenu(hMenu, 2, MF_BYCOMMAND, ID_VIEW_REFRESH, T_VIEW_REFRESH);
+
TrackPopupMenu(hMenu, TPM_RIGHTBUTTON | TPM_LEFTALIGN, pt1.x, pt1.y, 0, hwndDlg, NULL);
DestroyMenu(hMenu);
}
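Review bot: The two added `InsertMenu` calls mix addressing modes: the separator uses `MF_BYPOSITION` with position 1, while the refresh item passes `2` together with `MF_BYCOMMAND`, where the second argument is read as a command identifier rather than a position. It presumably works because no item with that identifier exists, but the intent is positional, and `InsertMenu(hMenu, 2, MF_BYPOSITION, ID_VIEW_REFRESH, T_VIEW_REFRESH);` states it directly. The pre-existing first call follows the same pattern and could be aligned at the same time.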
@@ -3210,6 +3219,42 @@ VOID CallbacksDialogCopyAddress(
}
}
+/*
+* CallbackDialogContentRefresh
+*
+* Purpose:
+*
+* Refresh callback list handler.
+*
+*/
+VOID CallbackDialogContentRefresh(
+ _In_ HWND hwndDlg,
+ _In_ EXTRASCONTEXT *pDlgContext,
+ _In_ BOOL fResetContent
+)
+{
+#ifndef _DEBUG
+ HWND hwndBanner = supDisplayLoadBanner(hwndDlg,
+ TEXT("Processing callbacks list, please wait"));
+#endif
+
+ __try {
+
+ SetCapture(hwndDlg);
+
+ if (fResetContent) TreeList_ClearTree(pDlgContext->TreeList);
+
+ CallbacksList(hwndDlg, pDlgContext->TreeList);
+
+ }
+ __finally {
+ ReleaseCapture();
+#ifndef _DEBUG
+ SendMessage(hwndBanner, WM_CLOSE, 0, 0);
+#endif
+ }
+}
+
/*
* CallbacksDialogProc
*
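Review bot: The header comment for `CallbackDialogContentRefresh` does not say what `fResetContent` does, and the name drops the `Callbacks` plural used by the sibling handlers `CallbacksDialogHandlePopupMenu`, `CallbacksDialogCopyAddress` and `CallbacksDialogProc`. I would rename it `CallbacksDialogContentRefresh` and extend the Purpose text to say that the tree is cleared first when `fResetContent` is TRUE and that the load banner is shown only in non-debug builds. `hwndBanner` is also passed to `SendMessage` without a NULL check; whether `supDisplayLoadBanner` can return NULL is not visible here.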
@@ -3271,6 +3316,12 @@ INT_PTR CALLBACK CallbacksDialogProc(
CallbacksDialogCopyAddress(pDlgContext->TreeList);
}
break;
+ case ID_VIEW_REFRESH:
+ pDlgContext = (EXTRASCONTEXT*)GetProp(hwndDlg, T_DLGCONTEXT);
+ if (pDlgContext) {
+ CallbackDialogContentRefresh(hwndDlg, pDlgContext, TRUE);
+ }
+ break;
default:
break;
}
@@ -3362,7 +3413,7 @@ VOID extrasCreateCallbacksDialog(
hdritem.pszText = TEXT("Additional Information");
TreeList_InsertHeaderItem(pDlgContext->TreeList, 2, &hdritem);
- CallbacksList(hwndDlg, pDlgContext->TreeList);
+ CallbackDialogContentRefresh(hwndDlg, pDlgContext, FALSE);
}
SendMessage(hwndDlg, WM_SIZE, 0, 0);
diff --git a/Source/WinObjEx64/extras/extrasDrivers.c b/Source/WinObjEx64/extras/extrasDrivers.c
index f7f2313..de4edd0 100644
--- a/Source/WinObjEx64/extras/extrasDrivers.c
+++ b/Source/WinObjEx64/extras/extrasDrivers.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2016 - 2018
+* (C) COPYRIGHT AUTHORS, 2016 - 2019
*
* TITLE: EXTRASDRIVERS.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 10 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -174,7 +174,7 @@ VOID DrvListDrivers(
)
{
BOOL bCond = FALSE;
- INT index;
+ INT index, iImage;
ULONG i;
LVITEM lvitem;
WCHAR szBuffer[MAX_PATH + 1];
@@ -187,6 +187,8 @@ VOID DrvListDrivers(
if (pModulesList == NULL)
break;
+ iImage = ObManagerGetImageIndexByTypeIndex(ObjectTypeDriver);
+
for (i = 0; i < pModulesList->NumberOfModules; i++) {
pModule = &pModulesList->Modules[i];
@@ -199,7 +201,7 @@ VOID DrvListDrivers(
//LoadOrder
lvitem.mask = LVIF_TEXT | LVIF_IMAGE;
lvitem.iItem = MAXINT;
- lvitem.iImage = ObjectTypeDriver; //imagelist id
+ lvitem.iImage = iImage;
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
ultostr(pModule->LoadOrderIndex, szBuffer);
lvitem.pszText = szBuffer;
diff --git a/Source/WinObjEx64/extras/extrasPN.c b/Source/WinObjEx64/extras/extrasPN.c
index c4661a6..117fd22 100644
--- a/Source/WinObjEx64/extras/extrasPN.c
+++ b/Source/WinObjEx64/extras/extrasPN.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: EXTRASPN.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -197,14 +197,14 @@ BOOL CALLBACK PNDlgEnumerateCallback(
(PVOID)Entry->ObjectAddress,
Entry->TypeIndex);
- TypeName = g_ObjectTypes[ConvertedTypeIndex].Name;
+ TypeName = ObManagerGetNameByIndex(ConvertedTypeIndex);
//Name
RtlSecureZeroMemory(&lvitem, sizeof(lvitem));
lvitem.mask = LVIF_TEXT | LVIF_IMAGE | LVIF_PARAM;
lvitem.iSubItem = 0;
lvitem.iItem = MAXINT;
- lvitem.iImage = ConvertedTypeIndex;
+ lvitem.iImage = ObManagerGetImageIndexByTypeIndex(ConvertedTypeIndex);
lvitem.pszText = Entry->ObjectName;
lvitem.lParam = (LPARAM)Entry;
index = ListView_InsertItem(PnDlgContext.ListView, &lvitem);
diff --git a/Source/WinObjEx64/extras/extrasPSList.c b/Source/WinObjEx64/extras/extrasPSList.c
index 85bedf2..dc7bf71 100644
--- a/Source/WinObjEx64/extras/extrasPSList.c
+++ b/Source/WinObjEx64/extras/extrasPSList.c
@@ -4,9 +4,9 @@
*
* TITLE: EXTRASPSLIST.C
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 31 Jan 2019
+* DATE: 04 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -304,25 +304,29 @@ HTREEITEM AddProcessEntryTreeList(
//
// 3. Store processes.
//
- if (g_ExtApiSet.IsImmersiveProcess) {
- if (g_ExtApiSet.IsImmersiveProcess(Entry->hProcess)) {
- subitems.ColorFlags = TLF_BGCOLOR_SET;
- subitems.BgColor = 0xeaea00;
- fState = TVIF_STATE;
+ if (Entry->hProcess) {
+ if (g_ExtApiSet.IsImmersiveProcess) {
+ if (g_ExtApiSet.IsImmersiveProcess(Entry->hProcess)) {
+ subitems.ColorFlags = TLF_BGCOLOR_SET;
+ subitems.BgColor = 0xeaea00;
+ fState = TVIF_STATE;
+ }
}
}
//
// 4. Protected processes.
//
- exbi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
- if (NT_SUCCESS(NtQueryInformationProcess(Entry->hProcess, ProcessBasicInformation,
- &exbi, sizeof(exbi), &r)))
- {
- if (exbi.IsProtectedProcess) {
- subitems.ColorFlags = TLF_BGCOLOR_SET;
- subitems.BgColor = 0xe6ffe6;
- fState = TVIF_STATE;
+ if (Entry->hProcess) {
+ exbi.Size = sizeof(PROCESS_EXTENDED_BASIC_INFORMATION);
+ if (NT_SUCCESS(NtQueryInformationProcess(Entry->hProcess, ProcessBasicInformation,
+ &exbi, sizeof(exbi), &r)))
+ {
+ if (exbi.IsProtectedProcess) {
+ subitems.ColorFlags = TLF_BGCOLOR_SET;
+ subitems.BgColor = 0xe6ffe6;
+ fState = TVIF_STATE;
+ }
}
}
diff --git a/Source/WinObjEx64/extras/extrasSSDT.c b/Source/WinObjEx64/extras/extrasSSDT.c
index 5cb60cb..e7e03b2 100644
--- a/Source/WinObjEx64/extras/extrasSSDT.c
+++ b/Source/WinObjEx64/extras/extrasSSDT.c
@@ -4,9 +4,9 @@
*
* TITLE: EXTRASSSDT.C
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 01 Feb 2019
+* DATE: 10 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -333,7 +333,7 @@ VOID SdtOutputTable(
)
{
INT index, number;
- ULONG i;
+ ULONG i, iImage;
EXTRASCONTEXT *Context = (EXTRASCONTEXT*)GetProp(hwndDlg, T_DLGCONTEXT);
LVITEM lvitem;
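Review bot: `iImage` is declared `ULONG` here, while the same value in extrasDrivers.c in this commit is declared `INT`, and in both files it is assigned to `lvitem.iImage`, which is an `int`. The return type of `ObManagerGetImageIndexByTypeIndex` is not visible in this diff; if it can return a negative no-image value, the unsigned local hides that. Declaring it with the other ints, `INT index, number, iImage;`, keeps the two call sites consistent. SdtOutputTable continues outside the hunk.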
@@ -365,6 +365,8 @@ VOID SdtOutputTable(
}
SetWindowText(hwndDlg, szBuffer);
+ iImage = ObManagerGetImageIndexByTypeIndex(ObjectTypeDevice);
+
//list table
for (i = 0; i < Count; i++) {
@@ -373,7 +375,7 @@ VOID SdtOutputTable(
lvitem.mask = LVIF_TEXT | LVIF_IMAGE;
lvitem.iSubItem = 0;
lvitem.iItem = MAXINT;
- lvitem.iImage = ObjectTypeDevice; //imagelist id
+ lvitem.iImage = iImage; //imagelist id
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
ultostr(Table[i].ServiceId, szBuffer);
lvitem.pszText = szBuffer;
diff --git a/Source/WinObjEx64/extras/extrasUSD.c b/Source/WinObjEx64/extras/extrasUSD.c
index 3633220..d177015 100644
--- a/Source/WinObjEx64/extras/extrasUSD.c
+++ b/Source/WinObjEx64/extras/extrasUSD.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: EXTRASUSD.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 04 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -105,7 +105,7 @@ VOID UsdDumpSharedRegion(
break;
}
- ObDumpUlong(
+ propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("NtProductType"),
@@ -116,7 +116,7 @@ VOID UsdDumpSharedRegion(
(COLORREF)0,
(COLORREF)0);
- ObDumpByte(
+ propObDumpByte(
UsdTreeList,
h_tviRootItem,
TEXT("ProductTypeIsValid"),
@@ -127,7 +127,7 @@ VOID UsdDumpSharedRegion(
TRUE);
//Version
- ObDumpUlong(
+ propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("NtMajorVersion"),
@@ -138,7 +138,7 @@ VOID UsdDumpSharedRegion(
(COLORREF)0,
(COLORREF)0);
- ObDumpUlong(
+ propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("NtMinorVersion"),
@@ -153,7 +153,7 @@ VOID UsdDumpSharedRegion(
// Prior to Windows 10 this field declared as reserved.
//
if (g_WinObj.osver.dwMajorVersion >= 10) {
- ObDumpUlong(
+ propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("NtBuildNumber"),
@@ -234,7 +234,7 @@ VOID UsdDumpSharedRegion(
break;
}
- ObDumpUlong(
+ propObDumpUlong(
UsdTreeList,
h_tviRootItem,
TEXT("AlternativeArchitecture"),
@@ -292,7 +292,7 @@ VOID UsdDumpSharedRegion(
}
//KdDebuggerEnabled
- ObDumpByte(
+ propObDumpByte(
UsdTreeList,
h_tviRootItem,
TEXT("KdDebuggerEnabled"),
@@ -306,7 +306,7 @@ VOID UsdDumpSharedRegion(
if (g_NtBuildNumber < 9200) {
- ObDumpByte(
+ propObDumpByte(
UsdTreeList,
h_tviRootItem,
TEXT("NXSupportPolicy"),
@@ -342,7 +342,7 @@ VOID UsdDumpSharedRegion(
if (h_tviSubItem) {
- ObDumpByte(
+ propObDumpByte(
UsdTreeList,
h_tviSubItem,
TEXT("NXSupportPolicy"),
@@ -352,7 +352,7 @@ VOID UsdDumpSharedRegion(
(COLORREF)0,
FALSE);
- ObDumpByte(
+ propObDumpByte(
UsdTreeList,
h_tviSubItem,
TEXT("SEHValidationPolicy"),
@@ -363,7 +363,7 @@ VOID UsdDumpSharedRegion(
FALSE);
- ObDumpByte(
+ propObDumpByte(
UsdTreeList,
h_tviSubItem,
TEXT("CurDirDevicesSkippedForDlls"),
@@ -376,7 +376,7 @@ VOID UsdDumpSharedRegion(
}
//SafeBootMode
- ObDumpByte(
+ propObDumpByte(
UsdTreeList,
h_tviRootItem,
TEXT("SafeBootMode"),
diff --git a/Source/WinObjEx64/global.h b/Source/WinObjEx64/global.h
index f4272ed..4fc9846 100644
--- a/Source/WinObjEx64/global.h
+++ b/Source/WinObjEx64/global.h
@@ -4,9 +4,9 @@
*
* TITLE: GLOBAL.H
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 31 Jan 2019
+* DATE: 06 Feb 2019
*
* Common header file for the Windows Object Explorer.
*
@@ -67,6 +67,7 @@
#include
#include
#include
+#include "resource.h"
#include "wine.h"
#include
#include "minirtl\minirtl.h"
@@ -88,7 +89,6 @@
#include "excepth.h"
#include "extapi.h"
#include "tests\testunit.h"
-#include "resource.h"
#if defined(__cplusplus)
#include
diff --git a/Source/WinObjEx64/instdrv.c b/Source/WinObjEx64/instdrv.c
index c64e628..e3966d4 100644
--- a/Source/WinObjEx64/instdrv.c
+++ b/Source/WinObjEx64/instdrv.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon
+* (C) COPYRIGHT AUTHORS, 2015 - 2019, portions (C) Mark Russinovich, FileMon
*
* TITLE: INSTDRV.C
*
-* VERSION: 1.50
+* VERSION: 1.72
*
-* DATE: 11 July 2017
+* DATE: 04 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -27,14 +27,16 @@
BOOL scmInstallDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName,
- _In_opt_ LPCTSTR ServiceExe
+ _In_opt_ LPCTSTR ServiceExe,
+ _Out_opt_ PDWORD lpStatus
)
{
+ DWORD resultStatus = ERROR_SUCCESS;
SC_HANDLE schService;
schService = CreateService(SchSCManager, // SCManager database
- DriverName, // name of service
- DriverName, // name to display
+ DriverName, // name of service
+ DriverName, // name to display
SERVICE_ALL_ACCESS, // desired access
SERVICE_KERNEL_DRIVER, // service type
SERVICE_DEMAND_START, // start type
@@ -44,13 +46,18 @@ BOOL scmInstallDriver(
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
- NULL // no password
- );
- if (schService == NULL) {
- return FALSE;
+ NULL); // no password
+
+ if (schService) {
+ CloseServiceHandle(schService);
+ }
+ else {
+ resultStatus = GetLastError();
}
- CloseServiceHandle(schService);
+ if (lpStatus)
+ *lpStatus = resultStatus;
+
return TRUE;
}
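Review bot: `scmInstallDriver` now ends in an unconditional `return TRUE;`, where it previously returned FALSE when `CreateService` failed, so the BOOL result no longer tells a caller anything. The failure is only reachable through `lpStatus`, and the one caller visible in this diff passes NULL for it. Ending with `return (resultStatus == ERROR_SUCCESS);` keeps the old contract while still exposing the error code.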
@@ -64,23 +71,37 @@ BOOL scmInstallDriver(
*/
BOOL scmStartDriver(
_In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
+ _In_ LPCTSTR DriverName,
+ _Out_opt_ PDWORD lpStatus
)
{
+ BOOL ret = FALSE;
+ DWORD resultStatus = ERROR_SUCCESS;
SC_HANDLE schService;
- BOOL ret;
schService = OpenService(SchSCManager,
DriverName,
- SERVICE_ALL_ACCESS
- );
- if (schService == NULL)
- return FALSE;
+ SERVICE_ALL_ACCESS);
- ret = StartService(schService, 0, NULL)
- || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
+ if (schService) {
- CloseServiceHandle(schService);
+ ret = StartService(schService, 0, NULL);
+
+ resultStatus = GetLastError();
+
+ if (resultStatus == ERROR_SERVICE_ALREADY_RUNNING) {
+ ret = TRUE;
+ resultStatus = ERROR_SUCCESS;
+ }
+
+ CloseServiceHandle(schService);
+ }
+ else {
+ resultStatus = GetLastError();
+ }
+
+ if (lpStatus)
+ *lpStatus = resultStatus;
return ret;
}
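Review bot: `resultStatus = GetLastError();` runs even when `StartService` succeeds, and a successful call is not guaranteed to reset the thread's last-error value, so `*lpStatus` can carry a stale error while the function returns TRUE. Read the error only on failure, e.g. `if (!ret) resultStatus = GetLastError();` ahead of the `ERROR_SERVICE_ALREADY_RUNNING` test. The same pattern appears in the hunks for `scmOpenDevice` (`*lpStatus = GetLastError();` straight after `CreateFile`) and `scmRemoveDriver` (after `DeleteService`); `scmStopDriver` avoids it by calling `SetLastError(ERROR_SUCCESS)` first. This matters because the About dialog change in this commit prints `drvOpenLoadStatus` and labels 0 as OK, presumably from one of these status values.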
@@ -95,34 +116,53 @@ BOOL scmStartDriver(
*/
BOOL scmOpenDevice(
_In_ LPCTSTR DriverName,
- _Inout_opt_ PHANDLE lphDevice
+ _Out_opt_ PHANDLE lphDevice,
+ _Out_opt_ PDWORD lpStatus
)
{
- TCHAR completeDeviceName[64];
- HANDLE hDevice;
+ BOOL bResult = FALSE;
+ TCHAR completeDeviceName[64];
+ HANDLE hDevice;
- RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName));
- wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName);
+ // assume failure
+ if (lphDevice)
+ *lphDevice = NULL;
- hDevice = CreateFile(completeDeviceName,
- GENERIC_READ | GENERIC_WRITE,
- 0,
- NULL,
- OPEN_EXISTING,
- FILE_ATTRIBUTE_NORMAL,
- NULL
- );
- if (hDevice == INVALID_HANDLE_VALUE)
- return FALSE;
+ if (DriverName) {
+
+ RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName));
+ wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName);
+
+ hDevice = CreateFile(completeDeviceName,
+ GENERIC_READ | GENERIC_WRITE,
+ 0,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL);
+
+ if (lpStatus)
+ *lpStatus = GetLastError();
+
+ bResult = (hDevice != INVALID_HANDLE_VALUE);
+
+ if (lphDevice) {
+ if (bResult) {
+ *lphDevice = hDevice;
+ }
+ }
+ else {
+ if (bResult)
+ CloseHandle(hDevice);
+ }
- if (lphDevice) {
- *lphDevice = hDevice;
}
else {
- CloseHandle(hDevice);
+ if (lpStatus)
+ *lpStatus = ERROR_INVALID_PARAMETER;
}
- return TRUE;
+ return bResult;
}
/*
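Review bot: The `wsprintf` into `completeDeviceName` formats `DriverName` into a 64-element stack array with no check on the name's length; the rewrite adds a NULL check but not a length check, so an over-long name would write past the buffer. Rejecting it up front, e.g. `if (lstrlen(DriverName) > RTL_NUMBER_OF(completeDeviceName) - 5)` handled like the NULL case with `ERROR_INVALID_PARAMETER`, closes that. The callers visible in this diff pass the name straight through, so whether it is always a short constant cannot be confirmed from here. `DriverName` is also still annotated `_In_` although the body now accepts NULL; `_In_opt_` would match.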
@@ -135,36 +175,46 @@ BOOL scmOpenDevice(
*/
BOOL scmStopDriver(
_In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
+ _In_ LPCTSTR DriverName,
+ _Out_opt_ PDWORD lpStatus
)
{
BOOL ret;
INT iRetryCount;
+ DWORD resultStatus = ERROR_SUCCESS;
SC_HANDLE schService;
SERVICE_STATUS serviceStatus;
ret = FALSE;
schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
- if (schService == NULL) {
- return ret;
+ if (schService) {
+
+ iRetryCount = 5;
+ do {
+ SetLastError(ERROR_SUCCESS);
+
+ ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
+ if (ret != FALSE) {
+ resultStatus = GetLastError();
+ break;
+ }
+
+ resultStatus = GetLastError();
+ if (resultStatus != ERROR_DEPENDENT_SERVICES_RUNNING)
+ break;
+
+ Sleep(1000);
+ iRetryCount--;
+ } while (iRetryCount);
+
+ CloseServiceHandle(schService);
+ }
+ else {
+ resultStatus = GetLastError();
}
- iRetryCount = 5;
- do {
- SetLastError(0);
-
- ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
- if (ret != FALSE)
- break;
-
- if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING)
- break;
-
- Sleep(1000);
- iRetryCount--;
- } while (iRetryCount);
-
- CloseServiceHandle(schService);
+ if (lpStatus)
+ *lpStatus = resultStatus;
return ret;
}
@@ -179,17 +229,27 @@ BOOL scmStopDriver(
*/
BOOL scmRemoveDriver(
_In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
+ _In_ LPCTSTR DriverName,
+ _Out_opt_ PDWORD lpStatus
)
{
- SC_HANDLE schService;
BOOL bResult = FALSE;
+ SC_HANDLE schService;
+ DWORD resultStatus = ERROR_SUCCESS;
schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
if (schService) {
bResult = DeleteService(schService);
+ resultStatus = GetLastError();
CloseServiceHandle(schService);
}
+ else {
+ resultStatus = GetLastError();
+ }
+
+ if (lpStatus)
+ *lpStatus = resultStatus;
+
return bResult;
}
@@ -202,22 +262,33 @@ BOOL scmRemoveDriver(
*
*/
BOOL scmUnloadDeviceDriver(
- _In_ LPCTSTR Name
+ _In_ LPCTSTR Name,
+ _Out_opt_ PDWORD lpStatus
)
{
- SC_HANDLE schSCManager;
BOOL bResult = FALSE;
+ SC_HANDLE schSCManager;
- if (Name == NULL) {
- return bResult;
+ DWORD resultStatus = ERROR_SUCCESS;
+
+ if (Name) {
+ schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+ if (schSCManager) {
+ scmStopDriver(schSCManager, Name, NULL);
+ bResult = scmRemoveDriver(schSCManager, Name, &resultStatus);
+ CloseServiceHandle(schSCManager);
+ }
+ else {
+ resultStatus = GetLastError();
+ }
+ }
+ else {
+ resultStatus = ERROR_INVALID_PARAMETER;
}
- schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
- if (schSCManager) {
- scmStopDriver(schSCManager, Name);
- bResult = scmRemoveDriver(schSCManager, Name);
- CloseServiceHandle(schSCManager);
- }
+ if (lpStatus)
+ *lpStatus = resultStatus;
+
return bResult;
}
@@ -230,25 +301,45 @@ BOOL scmUnloadDeviceDriver(
*
*/
BOOL scmLoadDeviceDriver(
- _In_ LPCTSTR Name,
- _In_opt_ LPCTSTR Path,
- _Inout_ PHANDLE lphDevice
+ _In_ LPCTSTR Name,
+ _In_opt_ LPCTSTR Path,
+ _Out_opt_ PHANDLE lphDevice,
+ _Out_opt_ PDWORD lpStatus
)
{
- SC_HANDLE schSCManager;
BOOL bResult = FALSE;
+ SC_HANDLE schSCManager;
- if (Name == NULL) {
- return bResult;
+ DWORD statusResult = ERROR_SUCCESS;
+
+ //assume failure
+ if (lphDevice) {
+ *lphDevice = NULL;
}
- schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
- if (schSCManager) {
- scmRemoveDriver(schSCManager, Name);
- scmInstallDriver(schSCManager, Name, Path);
- scmStartDriver(schSCManager, Name);
- bResult = scmOpenDevice(Name, lphDevice);
- CloseServiceHandle(schSCManager);
+ if (Name) {
+ schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+ if (schSCManager) {
+
+ scmRemoveDriver(schSCManager, Name, NULL);
+
+ scmInstallDriver(schSCManager, Name, Path, NULL);
+
+ if (scmStartDriver(schSCManager, Name, &statusResult)) {
+ bResult = scmOpenDevice(Name, lphDevice, &statusResult);
+ }
+ CloseServiceHandle(schSCManager);
+ }
+ else {
+ statusResult = GetLastError();
+ }
}
+ else {
+ statusResult = ERROR_INVALID_PARAMETER;
+ }
+
+ if (lpStatus)
+ *lpStatus = statusResult;
+
return bResult;
}
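Review bot: The status from `scmInstallDriver` is discarded by passing `NULL`, so when service creation fails the caller only sees the follow-on error from `scmStartDriver` rather than the root cause. Capturing it in a second local, e.g. `scmInstallDriver(schSCManager, Name, Path, &installStatus);`, and reporting that value when the start fails would make `lpStatus` useful for diagnosing a blocked driver load. Separately, `OpenSCManager` is still called with `SC_MANAGER_ALL_ACCESS`; the calls visible here appear to need only connect and create-service rights, so `SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE` would be a narrower request.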
diff --git a/Source/WinObjEx64/instdrv.h b/Source/WinObjEx64/instdrv.h
index 5b49f40..e27a8a0 100644
--- a/Source/WinObjEx64/instdrv.h
+++ b/Source/WinObjEx64/instdrv.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon
+* (C) COPYRIGHT AUTHORS, 2015 - 2019, portions (C) Mark Russinovich, FileMon
*
* TITLE: INSTDRV.H
*
-* VERSION: 1.44
+* VERSION: 1.72
*
-* DATE: 17 July 2016
+* DATE: 04 Feb 2019
*
* Common header file for the program SCM usage.
*
@@ -21,35 +21,35 @@
BOOL scmInstallDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName,
- _In_opt_ LPCTSTR ServiceExe
-);
+ _In_opt_ LPCTSTR ServiceExe,
+ _Out_opt_ PDWORD lpStatus);
BOOL scmStartDriver(
_In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
-);
+ _In_ LPCTSTR DriverName,
+ _Out_opt_ PDWORD lpStatus);
BOOL scmOpenDevice(
_In_ LPCTSTR DriverName,
- _Inout_opt_ PHANDLE lphDevice
-);
+ _Out_opt_ PHANDLE lphDevice,
+ _Out_opt_ PDWORD lpStatus);
BOOL scmStopDriver(
_In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
-);
+ _In_ LPCTSTR DriverName,
+ _Out_opt_ PDWORD lpStatus);
BOOL scmRemoveDriver(
_In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
-);
+ _In_ LPCTSTR DriverName,
+ _Out_opt_ PDWORD lpStatus);
BOOL scmUnloadDeviceDriver(
- _In_ LPCTSTR Name
-);
+ _In_ LPCTSTR Name,
+ _Out_opt_ PDWORD lpStatus);
BOOL scmLoadDeviceDriver(
- _In_ LPCTSTR Name,
- _In_opt_ LPCTSTR Path,
- _Inout_ PHANDLE lphDevice
-);
+ _In_ LPCTSTR Name,
+ _In_opt_ LPCTSTR Path,
+ _Out_opt_ PHANDLE lphDevice,
+ _Out_opt_ PDWORD lpStatus);
diff --git a/Source/WinObjEx64/kldbg.c b/Source/WinObjEx64/kldbg.c
index d66cfc8..4a28d69 100644
--- a/Source/WinObjEx64/kldbg.c
+++ b/Source/WinObjEx64/kldbg.c
@@ -4,9 +4,9 @@
*
* TITLE: KLDBG.C, based on KDSubmarine by Evilcry
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 19 Jan 2019
+* DATE: 22 Feb 2019
*
* MINIMUM SUPPORTED OS WINDOWS 7
*
@@ -434,6 +434,50 @@ NTSTATUS ObEnumerateBoundaryDescriptorEntries(
return (TotalItems != BoundaryDescriptor->Items) ? STATUS_INVALID_PARAMETER : STATUS_SUCCESS;
}
+/*
+* ObpDumpObjectWithSpecifiedSize
+*
+* Purpose:
+*
+* Return dumped object version aware.
+*
+* Use supVirtualFree to free returned buffer.
+*
+*/
+_Success_(return != NULL)
+PVOID ObpDumpObjectWithSpecifiedSize(
+ _In_ ULONG_PTR ObjectAddress,
+ _In_ ULONG ObjectSize,
+ _In_ ULONG ObjectVersion,
+ _Out_ PULONG ReadSize,
+ _Out_ PULONG ReadVersion
+)
+{
+ PVOID ObjectBuffer = NULL;
+ ULONG BufferSize = ALIGN_UP_BY(ObjectSize, PAGE_SIZE);
+
+ ObjectBuffer = supVirtualAlloc(BufferSize);
+ if (ObjectBuffer == NULL) {
+ return NULL;
+ }
+
+ if (!kdReadSystemMemory(
+ ObjectAddress,
+ ObjectBuffer,
+ (ULONG)ObjectSize))
+ {
+ supVirtualFree(ObjectBuffer);
+ return NULL;
+ }
+
+ if (ReadSize)
+ *ReadSize = ObjectSize;
+ if (ReadVersion)
+ *ReadVersion = ObjectVersion;
+
+ return ObjectBuffer;
+}
+
/*
* ObDumpObjectTypeVersionAware
*
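Review bot: In `ObpDumpObjectWithSpecifiedSize`, `ReadSize` and `ReadVersion` are annotated `_Out_` but the body tests them for NULL before writing, so either the annotation should be `_Out_opt_` or the checks are dead. `ObjectSize` is also used unchecked: both callers in this commit initialise it to 0 and set it in a `switch` on `g_NtBuildNumber` whose `default` arm is not visible, so a zero size may reach `supVirtualAlloc` and `kdReadSystemMemory`. An early `if (ObjectSize == 0) return NULL;` would make that case explicit. The header comment could also say that the allocation is rounded up to a page multiple while only `ObjectSize` bytes are read from kernel memory.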
@@ -444,17 +488,19 @@ NTSTATUS ObEnumerateBoundaryDescriptorEntries(
* Use supVirtualFree to free returned buffer.
*
*/
-_Success_(return != NULL)
PVOID ObDumpObjectTypeVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version
)
{
- PVOID ObjectBuffer = NULL;
- ULONG ObjectSize = 0, BufferSize = 0;
+ ULONG ObjectSize = 0;
ULONG ObjectVersion = 0;
+ //assume failure
+ if (Size) *Size = 0;
+ if (Version) *Version = 0;
+
switch (g_NtBuildNumber) {
case 7600:
case 7601:
@@ -478,28 +524,11 @@ PVOID ObDumpObjectTypeVersionAware(
break;
}
- BufferSize = ALIGN_UP_BY(ObjectSize, PAGE_SIZE);
- ObjectBuffer = supVirtualAlloc(BufferSize);
- if (ObjectBuffer == NULL) {
- return NULL;
- }
-
- if (!kdReadSystemMemory(
- ObjectAddress,
- ObjectBuffer,
- (ULONG)ObjectSize))
- {
- supVirtualFree(ObjectBuffer);
- return NULL;
- }
-
- if (Size)
- *Size = ObjectSize;
-
- if (Version)
- *Version = ObjectVersion;
-
- return ObjectBuffer;
+ return ObpDumpObjectWithSpecifiedSize(ObjectAddress,
+ ObjectSize,
+ ObjectVersion,
+ Size,
+ Version);
}
/*
@@ -512,17 +541,19 @@ PVOID ObDumpObjectTypeVersionAware(
* Use supVirtualFree to free returned buffer.
*
*/
-_Success_(return != NULL)
PVOID ObDumpAlpcPortObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version
)
{
- PVOID ObjectBuffer = NULL;
- ULONG ObjectSize = 0, BufferSize = 0;
+ ULONG ObjectSize = 0;
ULONG ObjectVersion = 0;
+ //assume failure
+ if (Size) *Size = 0;
+ if (Version) *Version = 0;
+
switch (g_NtBuildNumber) {
case 7600:
case 7601:
@@ -543,42 +574,26 @@ PVOID ObDumpAlpcPortObjectVersionAware(
break;
}
- BufferSize = ALIGN_UP_BY(ObjectSize, PAGE_SIZE);
- ObjectBuffer = supVirtualAlloc(BufferSize);
- if (ObjectBuffer == NULL) {
- return NULL;
- }
-
- if (!kdReadSystemMemory(
- ObjectAddress,
- ObjectBuffer,
- (ULONG)ObjectSize))
- {
- supVirtualFree(ObjectBuffer);
- return NULL;
- }
-
- if (Size)
- *Size = ObjectSize;
-
- if (Version)
- *Version = ObjectVersion;
-
- return ObjectBuffer;
+ return ObpDumpObjectWithSpecifiedSize(ObjectAddress,
+ ObjectSize,
+ ObjectVersion,
+ Size,
+ Version);
}
/*
-* ObDumpDirectoryObjectVersionAware
+* ObxDumpDirectoryObjectVersionAware
*
* Purpose:
*
* Return dumped OBJECT_DIRECTORY object version aware.
*
-* Use supHeapFree to free returned buffer.
+* Use supVirtualFree to free returned buffer.
+*
+* Note: Currently unused.
*
*/
-_Success_(return != NULL)
-PVOID ObDumpDirectoryObjectVersionAware(
+PVOID ObxDumpDirectoryObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version
@@ -586,7 +601,10 @@ PVOID ObDumpDirectoryObjectVersionAware(
{
ULONG ObjectVersion;
ULONG ObjectSize = 0;
- PVOID ObjectPtr;
+
+ //assume failure
+ if (Size) *Size = 0;
+ if (Version) *Version = 0;
switch (g_NtBuildNumber) {
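Review bot: `ULONG ObjectVersion;` in ObxDumpDirectoryObjectVersionAware is still declared without an initializer, while the sibling dump routines touched by this commit use `ULONG ObjectVersion = 0;`. The switch that assigns it lies outside this hunk, so whether every branch sets it cannot be confirmed from here. Initializing it with `ULONG ObjectVersion = 0;` keeps the value passed to ObpDumpObjectWithSpecifiedSize defined on all paths and matches the other functions.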
@@ -611,24 +629,64 @@ PVOID ObDumpDirectoryObjectVersionAware(
break;
}
- ObjectPtr = supHeapAlloc(ObjectSize);
- if (ObjectPtr == NULL)
- return NULL;
-
- if (!kdReadSystemMemoryEx(
- ObjectAddress,
- ObjectPtr,
+ return ObpDumpObjectWithSpecifiedSize(ObjectAddress,
ObjectSize,
- NULL))
- {
- supHeapFree(ObjectPtr);
- return NULL;
+ ObjectVersion,
+ Size,
+ Version);
+}
+
+/*
+* ObDumpSymbolicLinkObjectVersionAware
+*
+* Purpose:
+*
+* Return dumped OBJEC_SYMBOLIC_LINK object version aware.
+*
+* Use supVirtualFree to free returned buffer.
+*
+*/
+PVOID ObDumpSymbolicLinkObjectVersionAware(
+ _In_ ULONG_PTR ObjectAddress,
+ _Out_ PULONG Size,
+ _Out_ PULONG Version
+)
+{
+ ULONG ObjectSize = 0;
+ ULONG ObjectVersion = 0;
+
+ //assume failure
+ if (Size) *Size = 0;
+ if (Version) *Version = 0;
+
+ switch (g_NtBuildNumber) {
+ case 7600:
+ case 7601:
+ case 9200:
+ case 9600:
+ ObjectSize = sizeof(OBJECT_SYMBOLIC_LINK_V1);
+ ObjectVersion = 1;
+ break;
+ case 10240:
+ case 10586:
+ ObjectSize = sizeof(OBJECT_SYMBOLIC_LINK_V2);
+ ObjectVersion = 2;
+ break;
+ case 14393:
+ ObjectSize = sizeof(OBJECT_SYMBOLIC_LINK_V3);
+ ObjectVersion = 3;
+ break;
+ default:
+ ObjectSize = sizeof(OBJECT_SYMBOLIC_LINK_V4);
+ ObjectVersion = 4;
+ break;
}
- *Version = ObjectVersion;
- *Size = ObjectSize;
-
- return ObjectPtr;
+ return ObpDumpObjectWithSpecifiedSize(ObjectAddress,
+ ObjectSize,
+ ObjectVersion,
+ Size,
+ Version);
}
/*
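Review bot: The header comment of ObDumpSymbolicLinkObjectVersionAware misspells the structure name as `OBJEC_SYMBOLIC_LINK`; it should read `OBJECT_SYMBOLIC_LINK`. The comment should also say that the returned buffer is a raw copy of kernel memory, so the `LinkTarget.Buffer` value inside it is a kernel-mode address that callers must fetch through kdReadSystemMemory rather than dereference, for example `* LinkTarget.Buffer in the dump is a kernel address; read it via kdReadSystemMemory.` The `default:` branch selects the V4 layout for every build not listed; a one-line remark next to it would make that assumption visible when a later build changes the structure.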
@@ -760,7 +818,7 @@ UCHAR ObpFindHeaderCookie(
*
* Limitation:
*
-* OS dependent, Windows 10 (14393 - 17763).
+* OS dependent, Windows 10 (RS1 - 19H1).
*
*/
PVOID ObFindPrivateNamespaceLookupTable2(
@@ -2770,6 +2828,11 @@ VOID kdInit(
g_kdctx.ShowKdError = TRUE;
+ //
+ // Default driver load status.
+ //
+ g_kdctx.drvOpenLoadStatus = ERROR_NOT_CAPABLE;
+
InitializeListHead(&g_kdctx.ObCollection.ListHead);
//
@@ -2831,7 +2894,7 @@ VOID kdInit(
//
// Try to open existing device.
//
- if (scmOpenDevice(KLDBGDRV, &g_kdctx.hDevice) == FALSE) {
+ if (scmOpenDevice(KLDBGDRV, &g_kdctx.hDevice, &g_kdctx.drvOpenLoadStatus) == FALSE) {
//
// No such device exist, construct filepath and check if driver already present.
@@ -2850,7 +2913,8 @@ VOID kdInit(
//
// Load service driver and open handle for it.
//
- g_kdctx.IsOurLoad = scmLoadDeviceDriver(KLDBGDRV, szDrvPath, &g_kdctx.hDevice);
+ g_kdctx.drvOpenLoadStatus = ERROR_SUCCESS;
+ g_kdctx.IsOurLoad = scmLoadDeviceDriver(KLDBGDRV, szDrvPath, &g_kdctx.hDevice, &g_kdctx.drvOpenLoadStatus);
}
}
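Review bot: `g_kdctx.drvOpenLoadStatus = ERROR_SUCCESS;` is assigned before scmLoadDeviceDriver runs, so a failed load leaves a success code in the context whenever the callee returns without writing its status argument. A declaration ending in `_Out_opt_ PDWORD lpStatus` appears earlier in this diff, but the function body is not shown, so it cannot be confirmed that every failure path stores an error code. Keeping the ERROR_NOT_CAPABLE default set at the top of kdInit, or presetting a failure value such as `g_kdctx.drvOpenLoadStatus = ERROR_GEN_FAILURE;`, keeps the stored status trustworthy. kdInit starts and ends outside this hunk.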
@@ -2884,8 +2948,9 @@ ULONG_PTR KdFindCiCallbacks(
ULONG_PTR Address = 0, Result = 0;
- PBYTE Signature = NULL, ptrCode = NULL, MatchingPattern = NULL;
- ULONG SignatureSize = 0;
+ PBYTE Signature = NULL, ptrCode = NULL, InstructionMatchPattern = NULL;
+ ULONG SignatureSize = 0, InstructionMatchLength;
+ ULONG InstructionExactMatchLength;
PVOID SectionBase;
ULONG SectionSize = 0, Index;
@@ -2909,62 +2974,65 @@ ULONG_PTR KdFindCiCallbacks(
if ((SectionBase == 0) || (SectionSize == 0))
break;
- MatchingPattern = SeCiCallbacksMatchingPattern; //default matching pattern
+ InstructionMatchPattern = SeCiCallbacksMatchingPattern; //default matching pattern
+ InstructionMatchLength = 7; //lea
+ InstructionExactMatchLength = RTL_NUMBER_OF(SeCiCallbacksMatchingPattern);
switch (g_NtBuildNumber) {
case 7601:
Signature = g_CiCallbacksPattern_7601;
SignatureSize = sizeof(g_CiCallbacksPattern_7601);
- MatchingPattern = g_CiCallbacksMatchingPattern;
+ InstructionMatchPattern = g_CiCallbacksMatchingPattern;
+ InstructionExactMatchLength = RTL_NUMBER_OF(g_CiCallbacksMatchingPattern);
break;
case 9200:
case 9600:
Signature = SeCiCallbacksPattern_9200_9600;
SignatureSize = sizeof(SeCiCallbacksPattern_9200_9600);
- MatchingPattern = SeCiCallbacksMatchingPattern;
break;
case 10240:
case 10586:
Signature = SeCiCallbacksPattern_10240_10586;
SignatureSize = sizeof(SeCiCallbacksPattern_10240_10586);
- MatchingPattern = SeCiCallbacksMatchingPattern;
break;
case 14393:
Signature = SeCiCallbacksPattern_14393;
SignatureSize = sizeof(SeCiCallbacksPattern_14393);
- MatchingPattern = SeCiCallbacksMatchingPattern;
break;
case 15063:
case 16299:
Signature = SeCiCallbacksPattern_15063_16299;
SignatureSize = sizeof(SeCiCallbacksPattern_15063_16299);
- MatchingPattern = SeCiCallbacksMatchingPattern;
break;
case 17134:
case 17763:
Signature = SeCiCallbacksPattern_17134_17763;
SignatureSize = sizeof(SeCiCallbacksPattern_17134_17763);
- MatchingPattern = SeCiCallbacksMatchingPattern;
break;
default:
+ Signature = SeCiCallbacksPattern_19H1;
+ SignatureSize = sizeof(SeCiCallbacksPattern_19H1);
+ InstructionMatchPattern = SeCiCallbacksMatchingPattern_19H1;
+ InstructionMatchLength = 10; //mov
+ InstructionExactMatchLength = RTL_NUMBER_OF(SeCiCallbacksMatchingPattern_19H1);
break;
}
- if ((SignatureSize) && (Signature)) {
+ //if ((SignatureSize) && (Signature)) {
- ptrCode = (PBYTE)supFindPattern(
- (PBYTE)SectionBase,
- SectionSize,
- Signature,
- SignatureSize);
- }
+ ptrCode = (PBYTE)supFindPattern(
+ (PBYTE)SectionBase,
+ SectionSize,
+ Signature,
+ SignatureSize);
+ //}
if (ptrCode == NULL)
break;
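Review bot: The `default:` branch now assigns the 19H1 signature to every build number that has no case of its own, and the `if ((SignatureSize) && (Signature))` guard is commented out rather than removed, so unrecognised builds are scanned with a pattern written for a single release. Build 7600 has no case in this switch and therefore also takes the 19H1 path. A chance match on an unsupported kernel would give the callbacks viewer a wrong SeCiCallbacks address. Limit the default to builds newer than the last listed one, for example `if (g_NtBuildNumber > 17763) { ... }` around the 19H1 assignments, and restore the `if ((SignatureSize) && (Signature))` check instead of leaving it as a comment. KdFindCiCallbacks starts and ends outside this hunk.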
@@ -2994,14 +3062,18 @@ ULONG_PTR KdFindCiCallbacks(
break;
//
// mov cs:g_CiCallbacks, rax (for Windows 7)
- // lea rcx, SeCiCallbacks (for everything else)
+ // lea rcx, SeCiCallbacks (for 8/10 TH/RS)
+ // mov cs:SeCiCallbacks (19H1)
//
- if (hs.len == 7) {
- if ((ptrCode[Index] == MatchingPattern[0]) &&
- (ptrCode[Index + 1] == MatchingPattern[1]) &&
- (ptrCode[Index + 2] == MatchingPattern[2]))
+ if (hs.len == InstructionMatchLength) {
+
+ //
+ // Match block found.
+ //
+ if (RtlCompareMemory((VOID*)&ptrCode[Index], (VOID*)InstructionMatchPattern,
+ InstructionExactMatchLength) == InstructionExactMatchLength)
{
- Rel = *(PLONG)(ptrCode + Index + 3);
+ Rel = *(PLONG)(ptrCode + Index + InstructionExactMatchLength);
break;
}
}
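Review bot: For 19H1 the exact match covers only the two bytes of SeCiCallbacksMatchingPattern_19H1, so the first ten-byte instruction beginning with `C7 05` after the signature is accepted as the SeCiCallbacks reference, whatever it targets. The address derived from `Rel` is computed outside this hunk; if it is not already checked there, verify that it falls inside the mapped ntoskrnl image before it is returned and used for a kernel read. The new comment line `// mov cs:SeCiCallbacks (19H1)` omits the source operand and could read `// mov cs:SeCiCallbacks, imm32 (19H1)`.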
@@ -3055,7 +3127,7 @@ VOID kdShutdown(
// Windbg recreates service and drops file everytime when kernel debug starts.
//
if (g_kdctx.IsOurLoad) {
- scmUnloadDeviceDriver(KLDBGDRV);
+ scmUnloadDeviceDriver(KLDBGDRV, NULL);
//
// Driver file is no longer needed.
diff --git a/Source/WinObjEx64/kldbg.h b/Source/WinObjEx64/kldbg.h
index b2ab827..64396dc 100644
--- a/Source/WinObjEx64/kldbg.h
+++ b/Source/WinObjEx64/kldbg.h
@@ -4,9 +4,9 @@
*
* TITLE: KLDBG.H
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 26 Jan 2019
+* DATE: 04 Feb 2019
*
* Common header file for the Kernel Debugger Driver support.
*
@@ -60,6 +60,9 @@ typedef struct _KLDBGCONTEXT {
//are we under Wine
BOOL IsWine;
+ //secureboot enabled?
+ BOOL IsSecureBoot;
+
//system object header cookie (win10+)
UCHAR ObHeaderCookie;
@@ -83,6 +86,9 @@ typedef struct _KLDBGCONTEXT {
//ntoskrnl mapped image
PVOID NtOsImageMap;
+ //win32 error value from SCM
+ ULONG drvOpenLoadStatus;
+
//syscall tables related info
ULONG KiServiceLimit;
ULONG W32pServiceLimit;
@@ -214,20 +220,17 @@ UCHAR ObDecodeTypeIndex(
_In_ PVOID Object,
_In_ UCHAR EncodedTypeIndex);
-_Success_(return != NULL)
PVOID ObDumpObjectTypeVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version);
-_Success_(return != NULL)
PVOID ObDumpAlpcPortObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version);
-_Success_(return != NULL)
-PVOID ObDumpDirectoryObjectVersionAware(
+PVOID ObDumpSymbolicLinkObjectVersionAware(
_In_ ULONG_PTR ObjectAddress,
_Out_ PULONG Size,
_Out_ PULONG Version);
diff --git a/Source/WinObjEx64/kldbg_patterns.h b/Source/WinObjEx64/kldbg_patterns.h
index 3edb90b..33dba61 100644
--- a/Source/WinObjEx64/kldbg_patterns.h
+++ b/Source/WinObjEx64/kldbg_patterns.h
@@ -4,9 +4,9 @@
*
* TITLE: KLDBG_PATTERNS.H
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 19 Jan 2019
+* DATE: 03 Feb 2019
*
* Header with search patterns used by KLDBG.
*
@@ -82,6 +82,9 @@ BYTE LeaPattern_KeServiceDescriptorTableShadow[] = {
+++*/
+//Windows 8/8.1
+BYTE SeCiCallbacksPattern_9200_9600[] = { 0x48, 0x83, 0xEC, 0x20, 0xBF, 0x06, 0x00, 0x00, 0x00 };
+
//Windows 10 TH1/TH2
BYTE SeCiCallbacksPattern_10240_10586[] = { 0x48, 0x83, 0xEC, 0x20, 0xBB, 0x98, 0x00, 0x00, 0x00 };
@@ -94,10 +97,11 @@ BYTE SeCiCallbacksPattern_15063_16299[] = { 0x48, 0x83, 0xEC, 0x20, 0xBB, 0xC0,
//Windows 10 RS4/RS5
BYTE SeCiCallbacksPattern_17134_17763[] = { 0x48, 0x83, 0xEC, 0x20, 0xBB, 0xD0, 0x00, 0x00, 0x00 };
-//Windows 8/8.1
-BYTE SeCiCallbacksPattern_9200_9600[] = { 0x48, 0x83, 0xEC, 0x20, 0xBF, 0x06, 0x00, 0x00, 0x00 };
+BYTE SeCiCallbacksPattern_19H1[] = { 0x41, 0xB8, 0xC4, 0x00, 0x00, 0x00, 0xBF, 0x06, 0x00, 0x00, 0x00 };
+// Instruction match pattern
BYTE SeCiCallbacksMatchingPattern[] = { 0x48, 0x8D, 0x0D };
+BYTE SeCiCallbacksMatchingPattern_19H1[] = { 0xC7, 0x05 };
//Windows 7
BYTE g_CiCallbacksPattern_7601[] = { 0x8D, 0x7B, 0x06, 0x48, 0x89, 0x05 };
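Review bot: `SeCiCallbacksPattern_19H1` and `SeCiCallbacksMatchingPattern_19H1` are added without the Windows-version comment that the neighbouring patterns carry. Add `//Windows 10 19H1` above the first, and state which instruction each matching pattern encodes, as the `//lea` and `//mov` remarks in kldbg.c already hint. These arrays are defined in a header as writable `BYTE` globals; if nothing modifies them, `static const BYTE` would keep the signatures read-only, provided supFindPattern accepts a const pointer (its prototype is not shown here).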
diff --git a/Source/WinObjEx64/list.c b/Source/WinObjEx64/list.c
index 2d1bd4d..bcc8777 100644
--- a/Source/WinObjEx64/list.c
+++ b/Source/WinObjEx64/list.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: LIST.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -265,7 +265,7 @@ VOID ListObjectDirectoryTree(
if (0 == _strncmpi(
objinf->TypeName.Buffer,
- g_ObjectTypes[ObjectTypeDirectory].Name,
+ OBTYPE_NAME_DIRECTORY,
objinf->TypeName.Length / sizeof(WCHAR)))
{
ListObjectDirectoryTree(
@@ -320,7 +320,7 @@ VOID AddListViewItem(
RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
//check SymbolicLink
- if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeSymbolicLink].Name, cch) == 0) {
+ if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_SYMBOLIC_LINK, cch) == 0) {
bFound = supQueryLinkTarget(hObjectRootDirectory,
&objinf->Name,
@@ -331,7 +331,7 @@ VOID AddListViewItem(
}
//check Section
- if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeSection].Name, cch) == 0) {
+ if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_SECTION, cch) == 0) {
bFound = supQuerySectionFileInfo(hObjectRootDirectory,
&objinf->Name,
@@ -342,7 +342,7 @@ VOID AddListViewItem(
}
//check Driver
- if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeDriver].Name, cch) == 0) {
+ if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_DRIVER, cch) == 0) {
bFound = supQueryDriverDescription(
objinf->Name.Buffer,
@@ -353,7 +353,7 @@ VOID AddListViewItem(
}
//check Device
- if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeDevice].Name, cch) == 0) {
+ if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_DEVICE, cch) == 0) {
bFound = supQueryDeviceDescription(
objinf->Name.Buffer,
@@ -364,7 +364,7 @@ VOID AddListViewItem(
}
//check WindowStation
- if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeWinstation].Name, cch) == 0) {
+ if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_WINSTATION, cch) == 0) {
bFound = supQueryWinstationDescription(
objinf->Name.Buffer,
@@ -375,7 +375,7 @@ VOID AddListViewItem(
}
//check Type
- if (_strncmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeType].Name, cch) == 0) {
+ if (_strncmpi(objinf->TypeName.Buffer, OBTYPE_NAME_TYPE, cch) == 0) {
bFound = supQueryTypeInfo(
objinf->Name.Buffer,
@@ -551,7 +551,7 @@ VOID FindObject(
*List = tmp;
};
- if (_strcmpi(objinf->TypeName.Buffer, g_ObjectTypes[ObjectTypeDirectory].Name) == 0) {
+ if (_strcmpi(objinf->TypeName.Buffer, OBTYPE_NAME_DIRECTORY) == 0) {
newdir = (LPWSTR)supHeapAlloc((sdlen + 4) * sizeof(WCHAR) + objinf->Name.Length);
if (newdir != NULL) {
diff --git a/Source/WinObjEx64/main.c b/Source/WinObjEx64/main.c
index c3c3d77..3476147 100644
--- a/Source/WinObjEx64/main.c
+++ b/Source/WinObjEx64/main.c
@@ -4,9 +4,9 @@
*
* TITLE: MAIN.C
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 19 Jan 2019
+* DATE: 10 Feb 2019
*
* Program entry point and main window handler.
*
@@ -173,7 +173,7 @@ VOID MainWindowHandleObjectTreeProp(
propCreateDialog(
hwnd,
szBuffer,
- g_ObjectTypes[ObjectTypeDirectory].Name,
+ OBTYPE_NAME_DIRECTORY,
NULL,
NULL);
}
@@ -863,7 +863,8 @@ BOOL MainWindowDlgMsgHandler(
* Initialize global variables.
*
*/
-BOOL WinObjInitGlobals()
+BOOL WinObjInitGlobals(
+ _In_ BOOL IsWine)
{
SIZE_T cch;
BOOL bResult = FALSE, bCond = FALSE;
@@ -894,7 +895,9 @@ BOOL WinObjInitGlobals()
if (g_WinObj.Heap == NULL)
break;
- RtlSetHeapInformation(g_WinObj.Heap, HeapEnableTerminationOnCorruption, NULL, 0);
+ if (IsWine == FALSE) {
+ RtlSetHeapInformation(g_WinObj.Heap, HeapEnableTerminationOnCorruption, NULL, 0);
+ }
RtlInitializeCriticalSection(&g_WinObj.Lock);
//
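Review bot: The heap termination-on-corruption hardening is now skipped whenever `IsWine` is TRUE, here and for the process heap in WinObjExMain, so a false positive from supIsWine() would silently run the tool on Windows without that mitigation. supIsWine is not shown in this diff, so the reliability of its detection cannot be judged from here. The NTSTATUS returned by RtlSetHeapInformation is also discarded in both places; capturing it, e.g. `NTSTATUS hs = RtlSetHeapInformation(g_WinObj.Heap, HeapEnableTerminationOnCorruption, NULL, 0);`, and reporting a failure would make a missing mitigation visible. The comment added in WinObjExMain has a typo, `suport` for `support`.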
@@ -963,14 +966,22 @@ UINT WinObjExMain()
HANDLE hToken;
HIMAGELIST TreeViewImages;
- if (!WinObjInitGlobals())
+ IsWine = supIsWine();
+
+ //
+ // wine 1.6 xenial does not suport this routine.
+ //
+ if (IsWine == FALSE) {
+ RtlSetHeapInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);
+ }
+
+ if (!WinObjInitGlobals(IsWine))
return ERROR_APP_INIT_FAILURE;
// do not move anywhere
IsFullAdmin = supUserIsFullAdmin();
// check compatibility
- IsWine = supIsWine();
if (IsWine != FALSE) {
IsFullAdmin = FALSE;
}
@@ -1239,6 +1250,9 @@ UINT WinObjExMain()
//
g_ListViewImages = ObManagerLoadImageList();
if (g_ListViewImages) {
+ //
+ // Append two column sorting images to the end of the listview imagelist.
+ //
hIcon = (HICON)LoadImage(g_WinObj.hInstance, MAKEINTRESOURCE(IDI_ICON_SORTUP), IMAGE_ICON, 0, 0, LR_DEFAULTCOLOR);
if (hIcon) {
ImageList_ReplaceIcon(g_ListViewImages, -1, hIcon);
diff --git a/Source/WinObjEx64/msvcver.h b/Source/WinObjEx64/msvcver.h
index 889a659..bede39c 100644
--- a/Source/WinObjEx64/msvcver.h
+++ b/Source/WinObjEx64/msvcver.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2018
+* (C) COPYRIGHT AUTHORS, 2018 - 2019
*
* TITLE: MSVCVER.H
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 04 Feb 2019
*
* Visual Studio compiler version determination.
*
@@ -18,11 +18,11 @@
*******************************************************************************/
#pragma once
-/*#define _MSC_VER 1810
-#define _MSC_FULL_VER 180040629*/
-#if defined _MSC_VER && _MSC_FULL_VER
- #if (_MSC_VER >= 1910) //2017 all variants (too many to list)
+#if defined _MSC_VER && _MSC_FULL_VER
+ #if (_MSC_VER >= 1920) //2019 all variants (will be too many to list)
+ #define VC_VER L"MSVC 2019"
+ #elif (_MSC_VER >= 1910) //2017 all variants (too many to list)
#define VC_VER L"MSVC 2017"
#elif (_MSC_VER == 1900) //2015
#if (_MSC_FULL_VER == 190023026) //2015 RTM
diff --git a/Source/WinObjEx64/ntos/ntos.h b/Source/WinObjEx64/ntos/ntos.h
index 58402a0..b499034 100644
--- a/Source/WinObjEx64/ntos/ntos.h
+++ b/Source/WinObjEx64/ntos/ntos.h
@@ -4,9 +4,9 @@
*
* TITLE: NTOS.H
*
-* VERSION: 1.100
+* VERSION: 1.104
*
-* DATE: 26 Jan 2019
+* DATE: 26 Feb 2019
*
* Common header file for the ntos API functions and definitions.
*
@@ -28,6 +28,7 @@
#ifndef NTOS_RTL
#define NTOS_RTL
+
//
// NTOS_RTL HEADER BEGIN
//
@@ -39,6 +40,7 @@ extern "C" {
#pragma comment(lib, "ntdll.lib")
#pragma warning(push)
+#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int
#ifndef PAGE_SIZE
@@ -203,6 +205,21 @@ typedef PVOID PHEAD;
#define CALLBACK_MODIFY_STATE 0x0001
#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )
+//
+// CompositionSurface Access Rights
+//
+#ifndef COMPOSITIONSURFACE_READ
+#define COMPOSITIONSURFACE_READ 0x0001L
+#endif
+
+#ifndef COMPOSITIONSURFACE_WRITE
+#define COMPOSITIONSURFACE_WRITE 0x0002L
+#endif
+
+#ifndef COMPOSITIONSURFACE_ALL_ACCESS
+#define COMPOSITIONSURFACE_ALL_ACCESS (COMPOSITIONSURFACE_READ | COMPOSITIONSURFACE_WRITE)
+#endif
+
//
// Debug Object Access Rights
//
@@ -286,22 +303,22 @@ typedef PVOID PHEAD;
//
#define THREAD_ALERT (0x0004)
-#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
-#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
-#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
+#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
+#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
+#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
-#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
-#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
+#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
+#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
//
// Worker Factory Object Access Rights
//
-#define WORKER_FACTORY_RELEASE_WORKER 0x0001
-#define WORKER_FACTORY_WAIT 0x0002
-#define WORKER_FACTORY_SET_INFORMATION 0x0004
-#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
-#define WORKER_FACTORY_READY_WORKER 0x0010
-#define WORKER_FACTORY_SHUTDOWN 0x0020
+#define WORKER_FACTORY_RELEASE_WORKER 0x0001
+#define WORKER_FACTORY_WAIT 0x0002
+#define WORKER_FACTORY_SET_INFORMATION 0x0004
+#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
+#define WORKER_FACTORY_READY_WORKER 0x0010
+#define WORKER_FACTORY_SHUTDOWN 0x0020
#define WORKER_FACTORY_ALL_ACCESS ( \
STANDARD_RIGHTS_REQUIRED | \
@@ -334,6 +351,7 @@ typedef PVOID PHEAD;
#define TRACELOG_CREATE_INPROC 0x0200
#define TRACELOG_ACCESS_REALTIME 0x0400
#define TRACELOG_REGISTER_GUIDS 0x0800
+#define TRACELOG_JOIN_GROUP 0x1000
//
// Memory Partition Object Access Rights
@@ -524,7 +542,7 @@ typedef enum _KWAIT_REASON {
WrDelayExecution,
WrSuspended,
WrUserRequest,
- WrEventPair,
+ WrEventPair, //has no effect after 7
WrQueue,
WrLpcReceive,
WrLpcReply,
@@ -549,6 +567,7 @@ typedef enum _KWAIT_REASON {
WrRundown,
WrAlertByThreadId,
WrDeferredPreempt,
+ WrPhysicalFault,
MaximumWaitReason
} KWAIT_REASON;
@@ -5072,88 +5091,6 @@ __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmen
** PEB/TEB END
*/
-/*
-** ALPC START
-*/
-
-typedef struct _PORT_MESSAGE {
- union {
- struct {
- CSHORT DataLength;
- CSHORT TotalLength;
- } s1;
- ULONG Length;
- } u1;
- union {
- struct {
- CSHORT Type;
- CSHORT DataInfoOffset;
- } s2;
- ULONG ZeroInit;
- } u2;
- union {
- CLIENT_ID ClientId;
- double DoNotUseThisField; // Force quadword alignment
- } u3;
- ULONG MessageId;
- union {
- ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message
- ULONG CallbackId; // Only valid on LPC_REQUEST message
- } u4;
- UCHAR Reserved[8];
-} PORT_MESSAGE, *PPORT_MESSAGE;
-
-// end_ntsrv
-
-typedef struct _PORT_DATA_ENTRY {
- PVOID Base;
- ULONG Size;
-} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
-
-typedef struct _PORT_DATA_INFORMATION {
- ULONG CountDataEntries;
- PORT_DATA_ENTRY DataEntries[1];
-} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
-
-#define LPC_REQUEST 1
-#define LPC_REPLY 2
-#define LPC_DATAGRAM 3
-#define LPC_LOST_REPLY 4
-#define LPC_PORT_CLOSED 5
-#define LPC_CLIENT_DIED 6
-#define LPC_EXCEPTION 7
-#define LPC_DEBUG_EVENT 8
-#define LPC_ERROR_EVENT 9
-#define LPC_CONNECTION_REQUEST 10
-
-#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
-#define PORT_MAXIMUM_MESSAGE_LENGTH 256
-
-typedef struct _LPC_CLIENT_DIED_MSG {
- PORT_MESSAGE PortMsg;
- LARGE_INTEGER CreateTime;
-} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
-
-//#pragma pack(push, 1)
-typedef struct _PORT_VIEW {
- ULONG Length;
- HANDLE SectionHandle;
- ULONG SectionOffset;
- SIZE_T ViewSize;
- PVOID ViewBase;
- PVOID ViewRemoteBase;
-} PORT_VIEW, *PPORT_VIEW;
-
-typedef struct _REMOTE_PORT_VIEW {
- ULONG Length;
- SIZE_T ViewSize;
- PVOID ViewBase;
-} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
-//#pragma pack(pop)
-/*
-** ALPC END
-*/
-
/*
** MITIGATION POLICY START
*/
@@ -5283,6 +5220,19 @@ typedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 {
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10;
+typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 {
+ union {
+ DWORD Flags;
+ struct {
+ DWORD SmtBranchTargetIsolation : 1;
+ DWORD IsolateSecurityDomain : 1;
+ DWORD DisablePageCombine : 1;
+ DWORD SpeculativeStoreBypassDisable : 1;
+ DWORD ReservedFlags : 28;
+ } DUMMYSTRUCTNAME;
+ } DUMMYUNIONNAME;
+} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10;
+
typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
PROCESS_MITIGATION_POLICY Policy;
union
@@ -5299,6 +5249,7 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy;
PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy;
PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy;
+ PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 SideChannelIsolationPolicy;
};
} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
@@ -8633,6 +8584,41 @@ NtDeletePrivateNamespace(
*
************************************************************************************/
+typedef struct _OBJECT_SYMBOLIC_LINK_V1 { //pre Win10 TH1
+ LARGE_INTEGER CreationTime;
+ UNICODE_STRING LinkTarget;
+ ULONG DosDeviceDriveIndex;
+} OBJECT_SYMBOLIC_LINK_V1, *POBJECT_SYMBOLIC_LINK_V1;
+
+typedef struct _OBJECT_SYMBOLIC_LINK_V2 { //Win10 TH1/TH2
+ LARGE_INTEGER CreationTime;
+ UNICODE_STRING LinkTarget;
+ ULONG DosDeviceDriveIndex;
+ ULONG Flags;
+} OBJECT_SYMBOLIC_LINK_V2, *POBJECT_SYMBOLIC_LINK_V2;
+
+typedef struct _OBJECT_SYMBOLIC_LINK_V3 { //Win10 RS1
+ LARGE_INTEGER CreationTime;
+ UNICODE_STRING LinkTarget;
+ ULONG DosDeviceDriveIndex;
+ ULONG Flags;
+ ULONG AccessMask;
+} OBJECT_SYMBOLIC_LINK_V3, *POBJECT_SYMBOLIC_LINK_V3;
+
+typedef struct _OBJECT_SYMBOLIC_LINK_V4 { //Win10 RS2+
+ LARGE_INTEGER CreationTime;
+ union {
+ UNICODE_STRING LinkTarget;
+ struct {
+ PVOID Callback;
+ PVOID CallbackContext;
+ };
+ } u1;
+ ULONG DosDeviceDriveIndex;
+ ULONG Flags;
+ ULONG AccessMask;
+} OBJECT_SYMBOLIC_LINK_V4, *POBJECT_SYMBOLIC_LINK_V4;
+
NTSYSAPI
NTSTATUS
NTAPI
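Review bot: OBJECT_SYMBOLIC_LINK_V4 overlays `LinkTarget` with `Callback`/`CallbackContext` in `u1`, but nothing in the declaration says how a reader tells which member is valid. Code that takes a dumped V4 object and uses `u1.LinkTarget.Length` and `u1.LinkTarget.Buffer` without that check would treat two pointers as a string descriptor. Presumably `Flags` carries the discriminator; that should be confirmed and written down as a comment on the union, e.g. `// LinkTarget is valid only when the link is not callback based, check Flags first`. The anonymous inner struct relies on the `#pragma warning(disable: 4201)` added earlier in this file.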
@@ -8712,7 +8698,7 @@ NtCreateMailslotFile(
_In_ ULONG MaximumMessageSize,
_In_ PLARGE_INTEGER ReadTimeout);
-NTSYSCALLAPI
+NTSYSAPI
NTSTATUS
NTAPI
NtDeviceIoControlFile(
@@ -8984,7 +8970,8 @@ NtLoadDriver(
NTSYSAPI
NTSTATUS
-NTAPI NtUnloadDriver(
+NTAPI
+NtUnloadDriver(
_In_ PUNICODE_STRING DriverServiceName);
NTSYSAPI
@@ -9069,6 +9056,21 @@ NtCreateSection(
_In_ ULONG AllocationAttributes,
_In_opt_ HANDLE FileHandle);
+//taken from ph2
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreateSectionEx(
+ _Out_ PHANDLE SectionHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_opt_ PLARGE_INTEGER MaximumSize,
+ _In_ ULONG SectionPageProtection,
+ _In_ ULONG AllocationAttributes,
+ _In_opt_ HANDLE FileHandle,
+ _In_ PMEM_EXTENDED_PARAMETER ExtendedParameters,
+ _In_ ULONG ExtendedParameterCount);
+
NTSYSAPI
NTSTATUS
NTAPI
@@ -9083,7 +9085,7 @@ NTAPI
NtMapViewOfSection(
_In_ HANDLE SectionHandle,
_In_ HANDLE ProcessHandle,
- _Inout_ PVOID *BaseAddress,
+ _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_In_ SIZE_T CommitSize,
_Inout_opt_ PLARGE_INTEGER SectionOffset,
@@ -9092,22 +9094,12 @@ NtMapViewOfSection(
_In_ ULONG AllocationType,
_In_ ULONG Win32Protect);
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQuerySection(
- _In_ HANDLE SectionHandle,
- _In_ SECTION_INFORMATION_CLASS SectionInformationClass,
- _Out_ PVOID SectionInformation,
- _In_ SIZE_T SectionInformationLength,
- _Out_opt_ PSIZE_T ReturnLength);
-
NTSYSAPI
NTSTATUS
NTAPI
NtUnmapViewOfSection(
_In_ HANDLE ProcessHandle,
- _In_ PVOID BaseAddress);
+ _In_opt_ PVOID BaseAddress);
NTSYSAPI
NTSTATUS
@@ -9117,6 +9109,16 @@ NtUnmapViewOfSectionEx(
_In_opt_ PVOID BaseAddress,
_In_ ULONG Flags);
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtQuerySection(
+ _In_ HANDLE SectionHandle,
+ _In_ SECTION_INFORMATION_CLASS SectionInformationClass,
+ _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
+ _In_ SIZE_T SectionInformationLength,
+ _Out_opt_ PSIZE_T ReturnLength);
+
NTSYSAPI
NTSTATUS
NTAPI
@@ -9156,6 +9158,13 @@ NtFreeUserPhysicalPages(
_Inout_ PULONG_PTR NumberOfPages,
_In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray);
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtAreMappedFilesTheSame(
+ _In_ PVOID File1MappedAsAnImage,
+ _In_ PVOID File2MappedAsFile);
+
NTSYSAPI
NTSTATUS
NTAPI
@@ -9234,6 +9243,39 @@ NtAccessCheckByTypeResultList(
_Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
_Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus);
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtOpenObjectAuditAlarm(
+ _In_ PUNICODE_STRING SubsystemName,
+ _In_opt_ PVOID HandleId,
+ _In_ PUNICODE_STRING ObjectTypeName,
+ _In_ PUNICODE_STRING ObjectName,
+ _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ HANDLE ClientToken,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_ ACCESS_MASK GrantedAccess,
+ _In_opt_ PPRIVILEGE_SET Privileges,
+ _In_ BOOLEAN ObjectCreation,
+ _In_ BOOLEAN AccessGranted,
+ _Out_ PBOOLEAN GenerateOnClose);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCloseObjectAuditAlarm(
+ _In_ PUNICODE_STRING SubsystemName,
+ _In_opt_ PVOID HandleId,
+ _In_ BOOLEAN GenerateOnClose);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtDeleteObjectAuditAlarm(
+ _In_ PUNICODE_STRING SubsystemName,
+ _In_opt_ PVOID HandleId,
+ _In_ BOOLEAN GenerateOnClose);
+
NTSYSAPI
NTSTATUS
NTAPI
@@ -9747,14 +9789,52 @@ NtTerminateJobObject(
*
************************************************************************************/
+//taken from ph2
+
+typedef enum _IO_SESSION_EVENT {
+ IoSessionEventIgnore,
+ IoSessionEventCreated,
+ IoSessionEventTerminated,
+ IoSessionEventConnected,
+ IoSessionEventDisconnected,
+ IoSessionEventLogon,
+ IoSessionEventLogoff,
+ IoSessionEventMax
+} IO_SESSION_EVENT;
+
+typedef enum _IO_SESSION_STATE {
+ IoSessionStateCreated,
+ IoSessionStateInitialized,
+ IoSessionStateConnected,
+ IoSessionStateDisconnected,
+ IoSessionStateDisconnectedLoggedOn,
+ IoSessionStateLoggedOn,
+ IoSessionStateLoggedOff,
+ IoSessionStateTerminated,
+ IoSessionStateMax
+} IO_SESSION_STATE;
+
NTSYSAPI
-NTSTATUS
-NTAPI
+NTSTATUS
+NTAPI
NtOpenSession(
_Out_ PHANDLE SessionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes);
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtNotifyChangeSession(
+ _In_ HANDLE SessionHandle,
+ _In_ ULONG ChangeSequenceNumber,
+ _In_ PLARGE_INTEGER ChangeTimeStamp,
+ _In_ IO_SESSION_EVENT Event,
+ _In_ IO_SESSION_STATE NewState,
+ _In_ IO_SESSION_STATE PreviousState,
+ _In_reads_bytes_opt_(PayloadSize) PVOID Payload,
+ _In_ ULONG PayloadSize);
+
/************************************************************************************
*
* IO Completion API.
@@ -10305,6 +10385,77 @@ NtCreatePagingFile(
*
************************************************************************************/
+typedef struct _PORT_VIEW {
+ ULONG Length;
+ HANDLE SectionHandle;
+ ULONG SectionOffset;
+ SIZE_T ViewSize;
+ PVOID ViewBase;
+ PVOID ViewRemoteBase;
+} PORT_VIEW, *PPORT_VIEW;
+
+typedef struct _REMOTE_PORT_VIEW {
+ ULONG Length;
+ SIZE_T ViewSize;
+ PVOID ViewBase;
+} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
+
+typedef struct _PORT_MESSAGE {
+ union {
+ struct {
+ CSHORT DataLength;
+ CSHORT TotalLength;
+ } s1;
+ ULONG Length;
+ } u1;
+ union {
+ struct {
+ CSHORT Type;
+ CSHORT DataInfoOffset;
+ } s2;
+ ULONG ZeroInit;
+ } u2;
+ union {
+ CLIENT_ID ClientId;
+ double DoNotUseThisField; // Force quadword alignment
+ } u3;
+ ULONG MessageId;
+ union {
+ ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message
+ ULONG CallbackId; // Only valid on LPC_REQUEST message
+ } u4;
+ UCHAR Reserved[8];
+} PORT_MESSAGE, *PPORT_MESSAGE;
+
+typedef struct _PORT_DATA_ENTRY {
+ PVOID Base;
+ ULONG Size;
+} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
+
+typedef struct _PORT_DATA_INFORMATION {
+ ULONG CountDataEntries;
+ PORT_DATA_ENTRY DataEntries[1];
+} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
+
+#define LPC_REQUEST 1
+#define LPC_REPLY 2
+#define LPC_DATAGRAM 3
+#define LPC_LOST_REPLY 4
+#define LPC_PORT_CLOSED 5
+#define LPC_CLIENT_DIED 6
+#define LPC_EXCEPTION 7
+#define LPC_DEBUG_EVENT 8
+#define LPC_ERROR_EVENT 9
+#define LPC_CONNECTION_REQUEST 10
+
+#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
+#define PORT_MAXIMUM_MESSAGE_LENGTH 256
+
+typedef struct _LPC_CLIENT_DIED_MSG {
+ PORT_MESSAGE PortMsg;
+ LARGE_INTEGER CreateTime;
+} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
+
NTSYSAPI
NTSTATUS
NTAPI
diff --git a/Source/WinObjEx64/objects.c b/Source/WinObjEx64/objects.c
index 73342b3..f8f3647 100644
--- a/Source/WinObjEx64/objects.c
+++ b/Source/WinObjEx64/objects.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2017 - 2018
+* (C) COPYRIGHT AUTHORS, 2017 - 2019
*
* TITLE: OBJECTS.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 13 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -17,6 +17,28 @@
#include "global.h"
+/*
+* ObManagerComparerName
+*
+* Purpose:
+*
+* Support comparer routine to work with objects array.
+*
+*/
+INT ObManagerComparerName(
+ _In_ PCVOID FirstObject,
+ _In_ PCVOID SecondObject
+)
+{
+ WOBJ_TYPE_DESC *firstObject = (WOBJ_TYPE_DESC*)FirstObject;
+ WOBJ_TYPE_DESC *secondObject = (WOBJ_TYPE_DESC*)SecondObject;
+
+ if (firstObject == secondObject)
+ return 0;
+
+ return (_strcmpi(firstObject->Name, secondObject->Name));
+}
+
/*
* ObManagerGetNameByIndex
*
@@ -24,16 +46,19 @@
*
* Returns object name by index of known type.
*
-*
*/
LPWSTR ObManagerGetNameByIndex(
_In_ ULONG TypeIndex
)
{
- if (TypeIndex >= ObjectTypeMax)
- return g_ObjectTypes[ObjectTypeUnknown].Name;
+ ULONG nIndex;
- return g_ObjectTypes[TypeIndex].Name;
+ for (nIndex = TYPE_FIRST; nIndex < TYPE_LAST; nIndex++) {
+ if (g_ObjectTypes[nIndex].Index == (WOBJ_OBJECT_TYPE)TypeIndex)
+ return g_ObjectTypes[nIndex].Name;
+ }
+
+ return OBTYPE_NAME_UNKNOWN;
}
/*
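Review bot: The loop bound `TYPE_LAST` in ObManagerGetNameByIndex is an enum value (`ObjectTypeUnknown`), not the length of `g_ObjectTypes`, so the scan stays inside the array only while the number of uncommented table rows happens to equal that value. An enum value added without a matching row would make the loop read past the end of the table. The name lookups added in this commit already size the table with `RTL_NUMBER_OF(g_ObjectTypes)`; using the same bound here, `for (nIndex = 0; nIndex < RTL_NUMBER_OF(g_ObjectTypes); nIndex++)`, removes the coupling. The same bound is used in ObManagerGetImageIndexByTypeIndex and in the loop of ObManagerLoadImageList in later hunks.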
@@ -49,10 +74,48 @@ UINT ObManagerGetImageIndexByTypeIndex(
_In_ ULONG TypeIndex
)
{
- if (TypeIndex >= ObjectTypeMax)
- return ObjectTypeUnknown;
+ ULONG nIndex;
- return g_ObjectTypes[TypeIndex].ImageIndex;
+ for (nIndex = TYPE_FIRST; nIndex < TYPE_LAST; nIndex++) {
+ if (g_ObjectTypes[nIndex].Index == (WOBJ_OBJECT_TYPE)TypeIndex)
+ return g_ObjectTypes[nIndex].ImageIndex;
+ }
+
+ return ObjectTypeUnknown;
+}
+
+/*
+* ObManagerGetEntryByTypeName
+*
+* Purpose:
+*
+* Returns object description entry by type name.
+*
+*/
+WOBJ_TYPE_DESC *ObManagerGetEntryByTypeName(
+ _In_opt_ LPCWSTR lpTypeName
+)
+{
+ WOBJ_TYPE_DESC SearchItem;
+ WOBJ_TYPE_DESC *Result;
+
+ if (lpTypeName == NULL) {
+ return &g_TypeUnknown;
+ }
+
+ SearchItem.Name = (LPWSTR)lpTypeName;
+
+ Result = (WOBJ_TYPE_DESC*)supBSearch((PCVOID)&SearchItem,
+ (PCVOID)&g_ObjectTypes,
+ RTL_NUMBER_OF(g_ObjectTypes),
+ sizeof(WOBJ_TYPE_DESC),
+ ObManagerComparerName);
+
+ if (Result == NULL) {
+ Result = &g_TypeUnknown;
+ }
+
+ return Result;
}
/*
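Review bot: The miss path of ObManagerGetImageIndexByTypeIndex returns the enum value `ObjectTypeUnknown` where the caller expects an image-list index. After this commit `ImageIndex` holds whatever ImageList_ReplaceIcon returned, so the unknown icon lives at `g_TypeUnknown.ImageIndex`. That matches `ObjectTypeUnknown` only if every earlier icon loaded and the table has exactly that many rows. Returning `(UINT)g_TypeUnknown.ImageIndex` states the intent directly; ObManagerGetImageIndexByTypeName in a later hunk has the same fallback.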
@@ -64,41 +127,30 @@ UINT ObManagerGetImageIndexByTypeIndex(
*
*/
UINT ObManagerGetIndexByTypeName(
- _In_ LPCWSTR lpTypeName
+ _In_opt_ LPCWSTR lpTypeName
)
{
- UINT nIndex;
+ WOBJ_TYPE_DESC SearchItem;
+ WOBJ_TYPE_DESC *Result;
if (lpTypeName == NULL) {
return ObjectTypeUnknown;
}
- for (nIndex = TYPE_FIRST; nIndex < TYPE_LAST; nIndex++) {
- if (_strcmpi(lpTypeName, g_ObjectTypes[nIndex].Name) == 0)
- return nIndex;
- }
+ SearchItem.Name = (LPWSTR)lpTypeName;
- //
- // In Win8 the following Win32k object was named
- // CompositionSurface, in Win8.1 MS renamed it to
- // Composition, handle this.
- //
- if (_strcmpi(lpTypeName, L"CompositionSurface") == 0) {
- return ObjectTypeComposition;
- }
+ Result = (WOBJ_TYPE_DESC*)supBSearch((PCVOID)&SearchItem,
+ (PCVOID)&g_ObjectTypes,
+ RTL_NUMBER_OF(g_ObjectTypes),
+ sizeof(WOBJ_TYPE_DESC),
+ ObManagerComparerName);
- //
- // In Win10 TH1 the following ntos object was named
- // NetworkNamespace, later in Win10 updates MS renamed it to
- // NdisCmState, handle this.
- //
- /*
- if (_strcmpi(lpTypeName, L"NetworkNamespace") == 0) {
- return ObjectTypeNdisCmState;
+ if (Result) {
+ return Result->Index;
+ }
+ else {
+ return ObjectTypeUnknown;
}
- */
-
- return ObjectTypeUnknown;
}
/*
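Review bot: The rewritten ObManagerGetIndexByTypeName drops the `CompositionSurface` alias that the removed code mapped to `ObjectTypeComposition`, and the new table has no row for that name. On a system that still reports that type name the lookup now falls through to `ObjectTypeUnknown`; ObManagerGetImageIndexByTypeName in the next hunk lost the same alias. If that Windows release is still supported, a row `{ L"CompositionSurface", ObjectTypeComposition, IDI_ICON_COMPOSITION, IDS_DESC_COMPOSITION },` placed between "Composition" and "Controller" keeps the old behaviour and the sort order. The body could also reduce to a call to ObManagerGetEntryByTypeName followed by `return Result->Index;`, since the three name lookups repeat the same supBSearch call.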
@@ -110,41 +162,61 @@ UINT ObManagerGetIndexByTypeName(
*
*/
UINT ObManagerGetImageIndexByTypeName(
- _In_ LPCWSTR lpTypeName
+ _In_opt_ LPCWSTR lpTypeName
)
{
- UINT nIndex;
+ WOBJ_TYPE_DESC SearchItem;
+ WOBJ_TYPE_DESC *Result;
if (lpTypeName == NULL) {
return ObjectTypeUnknown;
}
- for (nIndex = TYPE_FIRST; nIndex < TYPE_LAST; nIndex++) {
- if (_strcmpi(lpTypeName, g_ObjectTypes[nIndex].Name) == 0)
- return g_ObjectTypes[nIndex].ImageIndex;
+ SearchItem.Name = (LPWSTR)lpTypeName;
+
+ Result = (WOBJ_TYPE_DESC*)supBSearch((PCVOID)&SearchItem,
+ (PCVOID)&g_ObjectTypes,
+ RTL_NUMBER_OF(g_ObjectTypes),
+ sizeof(WOBJ_TYPE_DESC),
+ ObManagerComparerName);
+
+ if (Result) {
+ return Result->ImageIndex;
+ }
+ else {
+ return ObjectTypeUnknown;
+ }
+}
+
+/*
+* ObManagerLoadImageForType
+*
+* Purpose:
+*
+* Load image of the given id.
+*
+*/
+INT ObManagerLoadImageForType(
+ _In_ HIMAGELIST ImageList,
+ _In_ INT ResourceImageId
+)
+{
+ INT ImageIndex = I_IMAGENONE;
+ HICON hIcon;
+
+ hIcon = (HICON)LoadImage(g_WinObj.hInstance,
+ MAKEINTRESOURCE(ResourceImageId),
+ IMAGE_ICON,
+ 16,
+ 16,
+ LR_DEFAULTCOLOR);
+
+ if (hIcon) {
+ ImageIndex = ImageList_ReplaceIcon(ImageList, -1, hIcon);
+ DestroyIcon(hIcon);
}
- //
- // In Win8 the following Win32k object was named
- // CompositionSurface, in Win8.1 MS renamed it to
- // Composition, handle this.
- //
- if (_strcmpi(lpTypeName, L"CompositionSurface") == 0) {
- return g_ObjectTypes[ObjectTypeComposition].ImageIndex;
- }
-
- //
- // In Win10 TH1 the following ntos object was named
- // NetworkNamespace, later in Win10 updates MS renamed it to
- // NdisCmState, handle this.
- //
- /*
- if (_strcmpi(lpTypeName, L"NetworkNamespace") == 0) {
- return g_ObjectTypes[ObjectTypeComposition].ImageIndex;
- }
- */
-
- return ObjectTypeUnknown;
+ return ImageIndex;
}
/*
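Review bot: ObManagerLoadImageForType has two different failure results that its header comment does not mention: `I_IMAGENONE` when LoadImage fails and -1 when ImageList_ReplaceIcon fails. The value is stored in `ImageIndex` and later returned through functions declared `UINT`, so a negative result reaches callers as a large unsigned number. Normalizing after the call, `if (ImageIndex < 0) ImageIndex = I_IMAGENONE;`, and documenting the return value as "image list index, or I_IMAGENONE on failure" would give callers one value to test for.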
@@ -159,64 +231,28 @@ HIMAGELIST ObManagerLoadImageList(
VOID
)
{
- UINT i, imageIndex;
- HIMAGELIST list;
- HICON hIcon;
+ UINT i;
+ HIMAGELIST ImageList;
- list = ImageList_Create(
- 16,
- 16,
+ ImageList = ImageList_Create(
+ 16,
+ 16,
ILC_COLOR32 | ILC_MASK,
- TYPE_LAST,
+ TYPE_LAST,
8);
- if (list) {
- for (i = TYPE_FIRST; i <= TYPE_LAST; i++) {
-
- imageIndex = TYPE_RESOURCE_IMAGE_INDEX_START + g_ObjectTypes[i].ImageIndex;
-
- hIcon = (HICON)LoadImage(g_WinObj.hInstance,
- MAKEINTRESOURCE(imageIndex),
- IMAGE_ICON,
- 16,
- 16,
- LR_DEFAULTCOLOR);
+ if (ImageList) {
+
+ for (i = TYPE_FIRST; i < TYPE_LAST; i++) {
+
+ g_ObjectTypes[i].ImageIndex = ObManagerLoadImageForType(ImageList,
+ g_ObjectTypes[i].ResourceImageId);
- if (hIcon) {
- ImageList_ReplaceIcon(list, -1, hIcon);
- DestroyIcon(hIcon);
- }
}
+
+ g_TypeUnknown.ImageIndex = ObManagerLoadImageForType(ImageList,
+ g_TypeUnknown.ResourceImageId);
+
}
- return list;
+ return ImageList;
}
-
-//
-// Future use
-//
-/*
-
-Usually none of these object types identities present in object directory.
-
-ActivationObject
-ActivityReference
-CoreMessagining
-DmaAdapter
-DmaDomain
-DxgkDisplayManagerObject
-DxgkSharedBundleObject
-DxgkSharedProtectedSessionObject
-EnergyTracker
-EtwSessionDemuxEntry
-IoCompletionReserve
-NdisCmState
-PsSiloContextNonPaged
-PsSiloContextPaged
-RawInputManager
-RegistryTransaction
-UserApcReserve
-VirtualKey
-VRegConfigurationContext
-WaitCompletionPacket
-
-*/
diff --git a/Source/WinObjEx64/objects.h b/Source/WinObjEx64/objects.h
index c6e140a..376836d 100644
--- a/Source/WinObjEx64/objects.h
+++ b/Source/WinObjEx64/objects.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: OBJECTS.H
*
-* VERSION: 1.60
+* VERSION: 1.72
*
-* DATE: 24 Oct 2018
+* DATE: 13 Feb 2019
*
* Header file for internal Windows object types handling.
*
@@ -18,20 +18,6 @@
*******************************************************************************/
#pragma once
-//
-// Description Resource Id string table starting index
-//
-// Actual id = TYPE_DESCRIPTION_START_INDEX + TYPE_*
-//
-#define TYPE_DESCRIPTION_START_INDEX 100
-
-//
-// Image Resource Id table starting index
-//
-// Actual id = TYPE_RESOURCE_IMAGE_INDEX_START + ObjectType.ImageIndex
-//
-#define TYPE_RESOURCE_IMAGE_INDEX_START 300
-
//
// Object Type Indexes Used By Program Only
// NOT RELATED TO REAL OBJECTS INDEXES
@@ -85,88 +71,138 @@ typedef enum _WOBJ_OBJECT_TYPE {
ObjectTypeDxgkSharedSwapChain = 44,
ObjectTypeDxgkSharedSyncObject = 45,
ObjectTypeDxgkCurrentDxgProcessObject = 46,
- ObjectTypeMemoryPartition = 47,
- ObjectTypeUnknown = 48,
+ ObjectTypeDxgkDisplayManager = 47,
+ ObjectTypeDxgkSharedBundle = 48,
+ ObjectTypeDxgkSharedProtectedSession = 49,
+ ObjectTypeDxgkComposition = 50,
+ ObjectTypeDxgkSharedKeyedMutext = 51,
+ ObjectTypeMemoryPartition = 52,
+ ObjectTypeRegistryTransaction = 53,
+ ObjectTypeDmaAdapter = 54,
+ ObjectTypeDmaDomain = 55,
+ ObjectTypeUnknown = 56,
ObjectTypeMax
} WOBJ_OBJECT_TYPE;
typedef struct _WOBJ_TYPE_DESC {
LPWSTR Name;
- WOBJ_OBJECT_TYPE Index;
- WOBJ_OBJECT_TYPE ImageIndex; //different object types may share same images (e.g. Dxgk*)
+ WOBJ_OBJECT_TYPE Index; //object type
+ INT ResourceImageId; //resouce id for icon
+ INT ResourceStringId; //resource id in stringtable
+ INT ImageIndex; //individual image id for each object type (maybe the same for few objects)
} WOBJ_TYPE_DESC, *PWOBJ_TYPE_DESC;
//
// ImageList icon index used from range TYPE_FIRST - TYPE_LAST
//
-#define TYPE_FIRST ObjectTypeDevice
+#define TYPE_FIRST 0
#define TYPE_LAST ObjectTypeUnknown
-#define DIRECTX_SHARED_IMAGE_INDEX ObjectTypeDxgkSharedResource
+#define OBTYPE_NAME_DESKTOP L"Desktop"
+#define OBTYPE_NAME_DEVICE L"Device"
+#define OBTYPE_NAME_DRIVER L"Driver"
+#define OBTYPE_NAME_DIRECTORY L"Directory"
+#define OBTYPE_NAME_SECTION L"Section"
+#define OBTYPE_NAME_SYMBOLIC_LINK L"SymbolicLink"
+#define OBTYPE_NAME_TYPE L"Type"
+#define OBTYPE_NAME_WINSTATION L"WindowStation"
+#define OBTYPE_NAME_UNKNOWN L""
-static const WOBJ_TYPE_DESC g_ObjectTypes[] = {
- { L"Device", ObjectTypeDevice, ObjectTypeDevice },
- { L"Driver", ObjectTypeDriver, ObjectTypeDriver },
- { L"Section", ObjectTypeSection, ObjectTypeSection },
- { L"ALPC Port", ObjectTypePort, ObjectTypePort },
- { L"SymbolicLink", ObjectTypeSymbolicLink, ObjectTypeSymbolicLink },
- { L"Key", ObjectTypeKey, ObjectTypeKey },
- { L"Event", ObjectTypeEvent, ObjectTypeEvent },
- { L"Job", ObjectTypeJob, ObjectTypeJob },
- { L"Mutant", ObjectTypeMutant, ObjectTypeMutant },
- { L"KeyedEvent", ObjectTypeKeyedEvent, ObjectTypeKeyedEvent },
- { L"Type", ObjectTypeType, ObjectTypeType },
- { L"Directory", ObjectTypeDirectory, ObjectTypeDirectory },
- { L"WindowStation", ObjectTypeWinstation, ObjectTypeWinstation },
- { L"Callback", ObjectTypeCallback, ObjectTypeCallback },
- { L"Semaphore", ObjectTypeSemaphore, ObjectTypeSemaphore },
- { L"WaitablePort", ObjectTypeWaitablePort, ObjectTypeWaitablePort },
- { L"Timer", ObjectTypeTimer, ObjectTypeTimer },
- { L"Session", ObjectTypeSession, ObjectTypeSession },
- { L"Controller", ObjectTypeController, ObjectTypeController },
- { L"Profile", ObjectTypeProfile, ObjectTypeProfile },
- { L"EventPair", ObjectTypeEventPair, ObjectTypeEventPair },
- { L"Desktop", ObjectTypeDesktop, ObjectTypeDesktop },
- { L"File", ObjectTypeFile, ObjectTypeFile },
- { L"WMIGuid", ObjectTypeWMIGuid, ObjectTypeWMIGuid },
- { L"DebugObject", ObjectTypeDebugObject, ObjectTypeDebugObject },
- { L"IoCompletion", ObjectTypeIoCompletion, ObjectTypeIoCompletion },
- { L"Process", ObjectTypeProcess, ObjectTypeProcess },
- { L"Adapter", ObjectTypeAdapter, ObjectTypeAdapter },
- { L"Token", ObjectTypeToken, ObjectTypeToken },
- { L"EtwRegistration", ObjectTypeETWRegistration, ObjectTypeETWRegistration },
- { L"Thread", ObjectTypeThread, ObjectTypeThread },
- { L"TmTx", ObjectTypeTmTx, ObjectTypeTmTx },
- { L"TmTm", ObjectTypeTmTm, ObjectTypeTmTm },
- { L"TmRm", ObjectTypeTmRm, ObjectTypeTmRm },
- { L"TmEn", ObjectTypeTmEn, ObjectTypeTmEn },
- { L"PcwObject", ObjectTypePcwObject, ObjectTypePcwObject },
- { L"FilterConnectionPort", ObjectTypeFltConnPort, ObjectTypeFltConnPort },
- { L"FilterCommunicationPort", ObjectTypeFltComnPort, ObjectTypeFltComnPort },
- { L"PowerRequest", ObjectTypePowerRequest, ObjectTypePowerRequest },
- { L"EtwConsumer", ObjectTypeETWConsumer, ObjectTypeETWConsumer },
- { L"TpWorkerFactory", ObjectTypeTpWorkerFactory, ObjectTypeTpWorkerFactory },
- { L"Composition", ObjectTypeComposition, ObjectTypeComposition },
- { L"IRTimer", ObjectTypeIRTimer, ObjectTypeIRTimer },
- { L"DxgkSharedResource", ObjectTypeDxgkSharedResource, DIRECTX_SHARED_IMAGE_INDEX },
- { L"DxgkSharedSwapChainObject", ObjectTypeDxgkSharedSwapChain, DIRECTX_SHARED_IMAGE_INDEX },
- { L"DxgkSharedSyncObject", ObjectTypeDxgkSharedSyncObject, DIRECTX_SHARED_IMAGE_INDEX },
- { L"DxgkCurrentDxgProcessObject", ObjectTypeDxgkCurrentDxgProcessObject, DIRECTX_SHARED_IMAGE_INDEX },
- { L"Partition", ObjectTypeMemoryPartition, ObjectTypeMemoryPartition },
- { L"", ObjectTypeUnknown, ObjectTypeUnknown }
+static WOBJ_TYPE_DESC g_TypeUnknown = { OBTYPE_NAME_UNKNOWN, ObjectTypeUnknown, IDI_ICON_UNKNOWN, IDS_DESC_UNKNOWN };
+
+//
+// Handled object types.
+//
+// Sorted in alphabetical order.
+//
+static WOBJ_TYPE_DESC g_ObjectTypes[] = {
+ //{ L"ActivationObject", ObjectTypeActivationObject, IDI_ICON_ACTIVATIONOBJECT, IDS_DESC_ACTIVATIONOBJECT },
+ //{ L"ActivityReference", ObjectTypeActivityReference, IDI_ICON_ACTIVITYREFERENCE, IDS_DESC_ACTIVITYREFERENCE },
+ { L"Adapter", ObjectTypeAdapter, IDI_ICON_ADAPTER, IDS_DESC_ADAPTER },
+ { L"ALPC Port", ObjectTypePort, IDI_ICON_PORT, IDS_DESC_PORT },
+ { L"Callback", ObjectTypeCallback, IDI_ICON_CALLBACK, IDS_DESC_CALLBACK },
+ { L"Composition", ObjectTypeComposition, IDI_ICON_COMPOSITION, IDS_DESC_COMPOSITION },
+ { L"Controller", ObjectTypeController, IDI_ICON_CONTROLLER, IDS_DESC_CONTROLLER },
+ //{ L"CoreMessaging", ObjectTypeCoreMessaging, IDI_ICON_COREMESSAGING, IDS_DESC_COREMESSAGING },
+ //{ L"CoverageSampler", ObjectTypeCoverageSampler, IDI_ICON_COVERAGESAMPLER, IDS_DESC_COVERAGESAMPLER },
+ { L"DebugObject", ObjectTypeDebugObject, IDI_ICON_DEBUGOBJECT, IDS_DESC_DEBUGOBJECT },
+ { OBTYPE_NAME_DESKTOP, ObjectTypeDesktop, IDI_ICON_DESKTOP, IDS_DESC_DESKTOP },
+ { OBTYPE_NAME_DEVICE, ObjectTypeDevice, IDI_ICON_DEVICE, IDS_DESC_DEVICE },
+ { OBTYPE_NAME_DIRECTORY, ObjectTypeDirectory, IDI_ICON_DIRECTORY, IDS_DESC_DIRECTORY },
+ { L"DmaAdapter", ObjectTypeDmaAdapter, IDI_ICON_HALDMA, IDS_DESC_DMAADAPTER },
+ { L"DmaDomain", ObjectTypeDmaDomain, IDI_ICON_HALDMA, IDS_DESC_DMADOMAIN },
+ { OBTYPE_NAME_DRIVER, ObjectTypeDriver, IDI_ICON_DRIVER, IDS_DESC_DRIVER },
+ { L"DxgkCompositionObject", ObjectTypeDxgkComposition, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_COMPOSITION_OBJECT },
+ { L"DxgkCurrentDxgProcessObject", ObjectTypeDxgkCurrentDxgProcessObject, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_CURRENT_DXG_PROCESS_OBJECT },
+ { L"DxgkDisplayManagerObject", ObjectTypeDxgkDisplayManager, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_DISPLAY_MANAGER_OBJECT },
+ { L"DxgkSharedBundleObject", ObjectTypeDxgkSharedBundle, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_SHARED_BUNDLE_OBJECT },
+ { L"DxgkSharedKeyedMutextObject", ObjectTypeDxgkSharedKeyedMutext, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_SHARED_KEYED_MUTEX_OBJECT},
+ { L"DxgkSharedProtectedSessionObject", ObjectTypeDxgkSharedProtectedSession, IDI_ICON_DXOBJECT, IDS_DESC_DXGK_SHARED_PROTECTED_SESSION_OBJECT },
+ { L"DxgkSharedResource", ObjectTypeDxgkSharedResource, IDI_ICON_DXOBJECT, IDS_DESC_DXGKSHAREDRES },
+ { L"DxgkSharedSwapChainObject", ObjectTypeDxgkSharedSwapChain, IDI_ICON_DXOBJECT, IDS_DESC_DXGKSHAREDSWAPCHAIN },
+ { L"DxgkSharedSyncObject", ObjectTypeDxgkSharedSyncObject, IDI_ICON_DXOBJECT, IDS_DESC_DXGKSHAREDSYNC },
+ { L"EtwConsumer", ObjectTypeETWConsumer, IDI_ICON_ETWCONSUMER, IDS_DESC_ETWCONSUMER },
+ { L"EtwRegistration", ObjectTypeETWRegistration, IDI_ICON_ETWREGISTRATION, IDS_DESC_ETWREGISTRATION },
+ // { L"EtwSessionDemuxEntry", ObjectTypeEtwSessionDemuxEntry, IDI_ICON_ETWSESSIONDEMUXENTRY, IDS_DESC_ETWSESSIONDEMUXENTRY },
+ { L"Event", ObjectTypeEvent, IDI_ICON_EVENT, IDS_DESC_EVENT },
+ { L"EventPair", ObjectTypeEventPair, IDI_ICON_EVENTPAIR, IDS_DESC_EVENTPAIR },
+ { L"File", ObjectTypeFile, IDI_ICON_FILE, IDS_DESC_FILE },
+ { L"FilterCommunicationPort", ObjectTypeFltComnPort, IDI_ICON_FLTCOMMPORT, IDS_DESC_FLT_COMM_PORT },
+ { L"FilterConnectionPort", ObjectTypeFltConnPort, IDI_ICON_FLTCONNPORT, IDS_DESC_FLT_CONN_PORT },
+ { L"IoCompletion", ObjectTypeIoCompletion, IDI_ICON_IOCOMPLETION, IDS_DESC_IOCOMPLETION },
+ //{ L"IoCompletionReserve", ObjectTypeIoCompletionReserve, IDI_ICON_IOCOMPLETION_RESERVE, IDS_DESC_IOCOMPLETION_RESERVE },
+ { L"IRTimer", ObjectTypeIRTimer, IDI_ICON_IRTIMER, IDS_DESC_IRTIMER },
+ { L"Job", ObjectTypeJob, IDI_ICON_JOB, IDS_DESC_JOB },
+ { L"Key", ObjectTypeKey, IDI_ICON_KEY, IDS_DESC_KEY },
+ { L"KeyedEvent", ObjectTypeKeyedEvent, IDI_ICON_KEYEDEVENT, IDS_DESC_KEYEDEVENT },
+ { L"Mutant", ObjectTypeMutant, IDI_ICON_MUTANT, IDS_DESC_MUTANT },
+ //{ L"NdisCmState", ObjectTypeNdisCmState, IDI_ICON_NDISCMSTATE, IDS_DESC_NDISCMSTATE },
+ { L"Partition", ObjectTypeMemoryPartition, IDI_ICON_MEMORYPARTITION, IDS_DESC_MEMORY_PARTITION },
+ { L"PcwObject", ObjectTypePcwObject, IDI_ICON_PCWOBJECT, IDS_DESC_PCWOBJECT },
+ { L"PowerRequest", ObjectTypePowerRequest, IDI_ICON_POWERREQUEST, IDS_DESC_POWERREQUEST },
+ { L"Process", ObjectTypeProcess, IDI_ICON_PROCESS, IDS_DESC_PROCESS },
+ { L"Profile", ObjectTypeProfile, IDI_ICON_PROFILE, IDS_DESC_PROFILE },
+ //{ L"PsSiloContextNonPaged", ObjectTypePsSiloContextNonPaged, IDI_ICON_PSSILOCONTEXT, IDS_DESC_PSSILOCONTEXTNP },
+ //{ L"PsSiloContextPaged", ObjectTypePsSiloContextPaged, IDI_ICON_PSSILOCONTEXT, IDS_DESC_PSSILOCONTEXT },
+ //{ L"RawInputManager", ObjectTypeRawInputManager, IDI_ICON_RAWINPUTMANAGER, IDS_DESC_RAW_INPUT_MANAGER },
+ { L"RegistryTransaction", ObjectTypeRegistryTransaction, IDI_ICON_KEY, IDS_DESC_REGISTRY_TRANSACTION },
+ { OBTYPE_NAME_SECTION, ObjectTypeSection, IDI_ICON_SECTION, IDS_DESC_SECTION },
+ { L"Semaphore", ObjectTypeSemaphore, IDI_ICON_SEMAPHORE, IDS_DESC_SEMAPHORE },
+ { L"Session", ObjectTypeSession, IDI_ICON_SESSION, IDS_DESC_SESSION },
+ { L"SymbolicLink", ObjectTypeSymbolicLink, IDI_ICON_SYMLINK, IDS_DESC_SYMLINK },
+ { L"Thread", ObjectTypeThread, IDI_ICON_THREAD, IDS_DESC_THREAD },
+ { L"Timer", ObjectTypeTimer, IDI_ICON_TIMER, IDS_DESC_TIMER },
+ { L"TmEn", ObjectTypeTmEn, IDI_ICON_TMEN, IDS_DESC_TMEN },
+ { L"TmRm", ObjectTypeTmRm, IDI_ICON_TMRM, IDS_DESC_TMRM },
+ { L"TmTm", ObjectTypeTmTm, IDI_ICON_TMTM, IDS_DESC_TMTM },
+ { L"TmTx", ObjectTypeTmTx, IDI_ICON_TMTX, IDS_DESC_TMTX },
+ { L"Token", ObjectTypeToken, IDI_ICON_TOKEN, IDS_DESC_TOKEN },
+ { L"TpWorkerFactory", ObjectTypeTpWorkerFactory, IDI_ICON_TPWORKERFACTORY,IDS_DESC_TPWORKERFACTORY },
+ { OBTYPE_NAME_TYPE, ObjectTypeType, IDI_ICON_TYPE, IDS_DESC_TYPE },
+ //{ L"UserApcReserve", ObjectTypeUserApcReserve, IDI_ICON_USERAPCRESERVE, IDS_DESC_USERAPCRESERVE },
+ //{ L"VirtualKey", ObjectTypeVirtualKey, IDI_ICON_VIRTUALKEY, IDS_DESC_VIRTUALKEY },
+ //{ L"VRegConfigurationContext", ObjectTypeVREGCFGCTX, IDI_ICON_VREGCFGCTX, IDS_DESC_VREGCFGCTX },
+ { L"WaitablePort", ObjectTypeWaitablePort, IDI_ICON_WAITABLEPORT, IDS_DESC_WAITABLEPORT },
+ //{ L"WaitCompletionPacket", ObjectTypeWaitCompletionPacket, IDI_ICON_WAITCOMPLETIONPACKET, IDS_DESC_WAITCOMPLETIONPACKET },
+ { OBTYPE_NAME_WINSTATION, ObjectTypeWinstation, IDI_ICON_WINSTATION, IDS_DESC_WINSTATION },
+ { L"WmiGuid", ObjectTypeWMIGuid, IDI_ICON_WMIGUID, IDS_DESC_WMIGUID }
};
HIMAGELIST ObManagerLoadImageList(
VOID);
+UINT ObManagerGetImageIndexByTypeIndex(
+ _In_ ULONG TypeIndex);
+
+UINT ObManagerGetImageIndexByTypeName(
+ _In_opt_ LPCWSTR lpTypeName);
+
+
UINT ObManagerGetIndexByTypeName(
- _In_ LPCWSTR lpTypeName);
+ _In_opt_ LPCWSTR lpTypeName);
LPWSTR ObManagerGetNameByIndex(
_In_ ULONG TypeIndex);
-UINT ObManagerGetImageIndexByTypeName(
- _In_ LPCWSTR lpTypeName);
-
-UINT ObManagerGetImageIndexByTypeIndex(
- _In_ ULONG TypeIndex);
+WOBJ_TYPE_DESC *ObManagerGetEntryByTypeName(
+ _In_opt_ LPCWSTR lpTypeName);
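Review bot: `g_ObjectTypes` and `g_TypeUnknown` are defined `static` and are now writable in objects.h, so every source file that includes the header gets a private copy, and only the copy seen by objects.c has `ImageIndex` filled in by ObManagerLoadImageList. Any other file that reads the table directly would see zeroed image indexes, and each copy adds to the binary. Moving both definitions into objects.c and leaving `extern WOBJ_TYPE_DESC g_TypeUnknown;` (or only the accessor prototypes) in the header avoids this. The "Sorted in alphabetical order" comment should also say that the binary search in objects.c depends on it. Separately, the name string `L"DxgkSharedKeyedMutextObject"` looks misspelled, given that the resource id on the same row says MUTEX; if the kernel reports `DxgkSharedKeyedMutexObject` this row can never match, which is worth confirming.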
diff --git a/Source/WinObjEx64/props/propBasic.c b/Source/WinObjEx64/props/propBasic.c
index 385f067..f87c055 100644
--- a/Source/WinObjEx64/props/propBasic.c
+++ b/Source/WinObjEx64/props/propBasic.c
@@ -4,9 +4,9 @@
*
* TITLE: PROPBASIC.C
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 26 Jan 2019
+* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -576,7 +576,7 @@ VOID propBasicQuerySymlink(
SystemTime.Minute,
SystemTime.Second,
SystemTime.Day,
- Months[SystemTime.Month - 1],
+ g_szMonths[SystemTime.Month - 1],
SystemTime.Year);
SetDlgItemText(hwndDlg, ID_OBJECT_SYMLINK_CREATION, szBuffer);
@@ -665,7 +665,7 @@ VOID propBasicQueryKey(
SystemTime.Minute,
SystemTime.Second,
SystemTime.Day,
- Months[SystemTime.Month - 1],
+ g_szMonths[SystemTime.Month - 1],
SystemTime.Year);
SetDlgItemText(hwndDlg, ID_KEYLASTWRITE, szBuffer);
@@ -1736,7 +1736,7 @@ INT_PTR CALLBACK BasicPropDialogProc(
hDc = BeginPaint(hwndDlg, &Paint);
if (hDc) {
- ImageList_Draw(g_ListViewImages, Context->TypeIndex, hDc, 24, 34,
+ ImageList_Draw(g_ListViewImages, Context->TypeDescription->ImageIndex, hDc, 24, 34,
ILD_NORMAL | ILD_TRANSPARENT);
EndPaint(hwndDlg, &Paint);
diff --git a/Source/WinObjEx64/props/propBasicConsts.h b/Source/WinObjEx64/props/propBasicConsts.h
index cc8ebf1..571fc71 100644
--- a/Source/WinObjEx64/props/propBasicConsts.h
+++ b/Source/WinObjEx64/props/propBasicConsts.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPBASICCONSTS.H
*
-* VERSION: 1.60
+* VERSION: 1.72
*
-* DATE: 25 Oct 2018
+* DATE: 04 Feb 2019
*
* Consts header file for Basic property sheet.
*
@@ -18,22 +18,6 @@
*******************************************************************************/
#pragma once
-//Calendar
-LPCWSTR Months[12] = {
- L"Jan",
- L"Feb",
- L"Mar",
- L"Apr",
- L"May",
- L"Jun",
- L"Jul",
- L"Aug",
- L"Sep",
- L"Oct",
- L"Nov",
- L"Dec"
-};
-
//OBJECT_HEADER Flags
LPCWSTR T_ObjectFlags[8] = {
L"NewObject",
diff --git a/Source/WinObjEx64/props/propDesktop.c b/Source/WinObjEx64/props/propDesktop.c
index ca94d22..347e8fc 100644
--- a/Source/WinObjEx64/props/propDesktop.c
+++ b/Source/WinObjEx64/props/propDesktop.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPDESKTOP.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -407,7 +407,7 @@ VOID DesktopListHandleNotify(
propCreateDialog(
hwndDlg,
lpName,
- g_ObjectTypes[ObjectTypeDesktop].Name,
+ OBTYPE_NAME_DESKTOP,
NULL,
NULL);
diff --git a/Source/WinObjEx64/props/propDlg.c b/Source/WinObjEx64/props/propDlg.c
index 655511e..0f19483 100644
--- a/Source/WinObjEx64/props/propDlg.c
+++ b/Source/WinObjEx64/props/propDlg.c
@@ -4,9 +4,9 @@
*
* TITLE: PROPDLG.C
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 01 Feb 2019
+* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -267,6 +267,13 @@ PPROP_OBJECT_INFO propContextCreate(
if (Context == NULL)
return NULL;
+ Context->TypeDescription = ObManagerGetEntryByTypeName(lpObjectType);
+
+ //
+ // Use the same type descriptor by default for shadow.
+ //
+ Context->ShadowTypeDescription = Context->TypeDescription;
+
//
// Copy object name if given.
//
@@ -321,14 +328,9 @@ PPROP_OBJECT_INFO propContextCreate(
// Query actual type index for case when user will browse Type object info.
//
if (Context->lpObjectName) {
- Context->RealTypeIndex = ObManagerGetIndexByTypeName(Context->lpObjectName);
+ Context->ShadowTypeDescription = ObManagerGetEntryByTypeName(Context->lpObjectName);
}
- }
- else {
- //
- // Use the same type index for everything else.
- //
- Context->RealTypeIndex = Context->TypeIndex;
+
}
}
@@ -598,6 +600,7 @@ VOID propCreateDialog(
case ObjectTypeFltConnPort:
case ObjectTypeType:
case ObjectTypeCallback:
+ case ObjectTypeSymbolicLink:
RtlSecureZeroMemory(&Page, sizeof(Page));
Page.dwSize = sizeof(PROPSHEETPAGE);
Page.dwFlags = PSP_DEFAULT | PSP_USETITLE;
diff --git a/Source/WinObjEx64/props/propObjectDump.c b/Source/WinObjEx64/props/propObjectDump.c
index 35de0b8..56081c6 100644
--- a/Source/WinObjEx64/props/propObjectDump.c
+++ b/Source/WinObjEx64/props/propObjectDump.c
@@ -4,9 +4,9 @@
*
* TITLE: PROPOBJECTDUMP.C
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 01 Feb 2019
+* DATE: 04 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -27,14 +27,14 @@ HWND g_TreeList;
ATOM g_TreeListAtom;
/*
-* ObDumpShowError
+* propObDumpShowError
*
* Purpose:
*
* Hide all windows for given hwnd and display error text.
*
*/
-VOID ObDumpShowError(
+VOID propObDumpShowError(
_In_ HWND hwndDlg
)
{
@@ -47,14 +47,14 @@ VOID ObDumpShowError(
}
/*
-* ObDumpShowMessage
+* propObDumpShowMessage
*
* Purpose:
*
* Hide all windows for given hwnd and display message text.
*
*/
-VOID ObDumpShowMessage(
+VOID propObDumpShowMessage(
_In_ HWND hwndDlg,
_In_ LPWSTR lpMessageText
)
@@ -69,14 +69,14 @@ VOID ObDumpShowMessage(
}
/*
-* ObDumpAddress
+* propObDumpAddress
*
* Purpose:
*
* Dump given Address to the treelist.
*
*/
-VOID ObDumpAddress(
+VOID propObDumpAddress(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@@ -125,14 +125,14 @@ VOID ObDumpAddress(
}
/*
-* ObDumpAddressWithModule
+* propObDumpAddressWithModule
*
* Purpose:
*
* Dump given Address to the treelist with module check.
*
*/
-VOID ObDumpAddressWithModule(
+VOID propObDumpAddressWithModule(
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
_In_opt_ PVOID Address,
@@ -187,14 +187,14 @@ VOID ObDumpAddressWithModule(
}
/*
-* ObDumpPushLock
+* propObDumpPushLock
*
* Purpose:
*
* Dump EX_PUSH_LOCK to the treelist.
*
*/
-VOID ObDumpPushLock(
+VOID propObDumpPushLock(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ PVOID PushLockPtr,
@@ -218,11 +218,11 @@ VOID ObDumpPushLock(
TEXT("Lock"),
&subitems);
- ObDumpAddress(TreeList, h_tviSubItem, TEXT("Ptr"), NULL, PushLockPtr, BgColor, FontColor);
+ propObDumpAddress(TreeList, h_tviSubItem, TEXT("Ptr"), NULL, PushLockPtr, BgColor, FontColor);
}
/*
-* ObDumpByte
+* propObDumpByte
*
* Purpose:
*
@@ -231,7 +231,7 @@ VOID ObDumpPushLock(
* You must handle BOOLEAN differently.
*
*/
-VOID ObDumpByte(
+VOID propObDumpByte(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@@ -283,14 +283,14 @@ VOID ObDumpByte(
}
/*
-* ObDumpSetString
+* propObDumpSetString
*
* Purpose:
*
* Put string to the treelist.
*
*/
-VOID ObDumpSetString(
+VOID propObDumpSetString(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@@ -332,14 +332,14 @@ VOID ObDumpSetString(
}
/*
-* ObDumpUlong
+* propObDumpUlong
*
* Purpose:
*
* Dump ULONG 4 bytes / USHORT 2 bytes to the treelist.
*
*/
-VOID ObDumpUlong(
+VOID propObDumpUlong(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@@ -405,14 +405,14 @@ VOID ObDumpUlong(
}
/*
-* ObDumpUlong64
+* propObDumpUlong64
*
* Purpose:
*
* Dump ULONG 8 byte to the treelist.
*
*/
-VOID ObDumpUlong64(
+VOID propObDumpUlong64(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@@ -464,14 +464,14 @@ VOID ObDumpUlong64(
}
/*
-* ObDumpULargeInteger
+* propObDumpULargeInteger
*
* Purpose:
*
* Dump ULARGE_INTEGER members to the treelist.
*
*/
-VOID ObDumpULargeInteger(
+VOID propObDumpULargeInteger(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR ListEntryName,
@@ -535,14 +535,14 @@ VOID ObDumpULargeInteger(
}
/*
-* ObDumpListEntry
+* propObDumpListEntry
*
* Purpose:
*
* Dump LIST_ENTRY members to the treelist.
*
*/
-VOID ObDumpListEntry(
+VOID propObDumpListEntry(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR ListEntryName,
@@ -616,7 +616,7 @@ VOID ObDumpListEntry(
}
/*
-* ObDumpUnicodeString
+* propObDumpUnicodeString
*
* Purpose:
*
@@ -624,7 +624,8 @@ VOID ObDumpListEntry(
* Support PUNICODE_STRING, address must point to kernel memory.
*
*/
-VOID ObDumpUnicodeString(
+VOID propObDumpUnicodeString(
+ _In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR StringName,
_In_opt_ PUNICODE_STRING pString,
@@ -651,8 +652,8 @@ VOID ObDumpUnicodeString(
else {
//pString->Buffer need to be dumped
RtlSecureZeroMemory(&szValue, sizeof(szValue));
- szValue[0] = L'0';
- szValue[1] = L'x';
+ szValue[0] = TEXT('0');
+ szValue[1] = TEXT('x');
u64tohex((ULONG_PTR)pString, &szValue[2]);
subitems.Text[0] = szValue;
subitems.Text[1] = T_PUNICODE_STRING;
@@ -673,7 +674,7 @@ VOID ObDumpUnicodeString(
}
h_tviSubItem = TreeListAddItem(
- g_TreeList,
+ TreeList,
hParent,
TVIF_TEXT | TVIF_STATE,
TVIS_EXPANDED,
@@ -696,7 +697,7 @@ VOID ObDumpUnicodeString(
subitems.Text[0] = szValue;
TreeListAddItem(
- g_TreeList,
+ TreeList,
h_tviSubItem,
TVIF_TEXT | TVIF_STATE,
0,
@@ -714,12 +715,12 @@ VOID ObDumpUnicodeString(
subitems.Text[0] = szValue;
TreeListAddItem(
- g_TreeList,
+ TreeList,
h_tviSubItem,
TVIF_TEXT | TVIF_STATE,
0,
0,
- L"MaximumLength",
+ TEXT("MaximumLength"),
&subitems);
//
@@ -734,8 +735,8 @@ VOID ObDumpUnicodeString(
}
else {
RtlSecureZeroMemory(&szValue, sizeof(szValue));
- szValue[0] = L'0';
- szValue[1] = L'x';
+ szValue[0] = TEXT('0');
+ szValue[1] = TEXT('x');
u64tohex((ULONG_PTR)uStr.Buffer, &szValue[2]);
subitems.Text[0] = szValue;
@@ -754,12 +755,12 @@ VOID ObDumpUnicodeString(
}
TreeListAddItem(
- g_TreeList,
+ TreeList,
h_tviSubItem,
TVIF_TEXT | TVIF_STATE,
0,
0,
- L"Buffer",
+ TEXT("Buffer"),
&subitems);
if (lpObjectName) {
@@ -768,14 +769,14 @@ VOID ObDumpUnicodeString(
}
/*
-* ObDumpDispatcherHeader
+* propObDumpDispatcherHeader
*
* Purpose:
*
* Dump DISPATCHER_HEADER members to the treelist.
*
*/
-VOID ObDumpDispatcherHeader(
+VOID propObDumpDispatcherHeader(
_In_ HTREEITEM hParent,
_In_ DISPATCHER_HEADER *Header,
_In_opt_ LPWSTR lpDescType,
@@ -797,29 +798,29 @@ VOID ObDumpDispatcherHeader(
if (h_tviSubItem) {
//Header->Type
- ObDumpUlong(g_TreeList, h_tviSubItem, L"Type", lpDescType, Header->Type, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"Type", lpDescType, Header->Type, TRUE, TRUE, 0, 0);
//Header->Absolute
- ObDumpUlong(g_TreeList, h_tviSubItem, L"Absolute", NULL, Header->Absolute, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"Absolute", NULL, Header->Absolute, TRUE, TRUE, 0, 0);
//Header->Size
- ObDumpUlong(g_TreeList, h_tviSubItem, L"Size", lpDescSize, Header->Size, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"Size", lpDescSize, Header->Size, TRUE, TRUE, 0, 0);
//Header->Inserted
- ObDumpByte(g_TreeList, h_tviSubItem, L"Inserted", NULL, Header->Inserted, 0, 0, TRUE);
+ propObDumpByte(g_TreeList, h_tviSubItem, L"Inserted", NULL, Header->Inserted, 0, 0, TRUE);
//Header->SignalState
- ObDumpUlong(g_TreeList, h_tviSubItem, L"SignalState", lpDescSignalState, Header->SignalState, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"SignalState", lpDescSignalState, Header->SignalState, TRUE, FALSE, 0, 0);
//Header->WaitListHead
- ObDumpListEntry(g_TreeList, h_tviSubItem, L"WaitListHead", &Header->WaitListHead);
+ propObDumpListEntry(g_TreeList, h_tviSubItem, L"WaitListHead", &Header->WaitListHead);
}
}
/*
-* ObDumpSqos
+* propObDumpSqos
*
* Purpose:
*
* Dump SECURITY_QUALITY_OF_SERVICE to the treelist.
*
*/
-VOID ObDumpSqos(
+VOID propObDumpSqos(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ SECURITY_QUALITY_OF_SERVICE *SecurityQos
@@ -842,7 +843,7 @@ VOID ObDumpSqos(
TEXT("SecurityQos"),
&subitems);
- ObDumpUlong(
+ propObDumpUlong(
TreeList,
h_tviSubItem,
TEXT("Length"),
@@ -871,7 +872,7 @@ VOID ObDumpSqos(
break;
}
- ObDumpUlong(
+ propObDumpUlong(
TreeList,
h_tviSubItem,
TEXT("ImpersonationLevel"),
@@ -887,7 +888,7 @@ VOID ObDumpSqos(
else
lpType = TEXT("SECURITY_STATIC_TRACKING");
- ObDumpByte(
+ propObDumpByte(
TreeList,
h_tviSubItem,
TEXT("ContextTrackingMode"),
@@ -897,7 +898,7 @@ VOID ObDumpSqos(
0,
TRUE);
- ObDumpByte(
+ propObDumpByte(
g_TreeList,
h_tviSubItem,
TEXT("EffectiveOnly"),
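Review bot: The `EffectiveOnly` call in propObDumpSqos still passes the global `g_TreeList`, while the other calls in this function pass the `TreeList` parameter. The item would be added to the wrong control whenever a caller supplies a tree list other than the global one. Changing the first argument to `TreeList` makes the function consistent with its signature and with the propObDumpUnicodeString change elsewhere in this commit. The function body starts and ends outside this hunk.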
@@ -909,14 +910,14 @@ VOID ObDumpSqos(
}
/*
-* ObDumpDriverObject
+* propObDumpDriverObject
*
* Purpose:
*
* Dump DRIVER_OBJECT members to the treelist.
*
*/
-VOID ObDumpDriverObject(
+VOID propObDumpDriverObject(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -978,14 +979,14 @@ VOID ObDumpDriverObject(
//any errors - abort
if (!bOkay) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
g_TreeList = 0;
g_TreeListAtom = 0;
if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -1009,7 +1010,7 @@ VOID ObDumpDriverObject(
lpType = TEXT("! Must be IO_TYPE_DRIVER");
BgColor = CLR_WARN;
}
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Type"), lpType, drvObject.Type, TRUE, TRUE, BgColor, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Type"), lpType, drvObject.Type, TRUE, TRUE, BgColor, 0);
//Size
BgColor = 0;
@@ -1018,7 +1019,7 @@ VOID ObDumpDriverObject(
lpType = TEXT("! Must be sizeof(DRIVER_OBJECT)");
BgColor = CLR_WARN;
}
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Size"), lpType, drvObject.Size, TRUE, TRUE, BgColor, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Size"), lpType, drvObject.Size, TRUE, TRUE, BgColor, 0);
//DeviceObject
lpType = NULL;
@@ -1038,7 +1039,7 @@ VOID ObDumpDriverObject(
BgColor = CLR_LGRY;
}
}
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DeviceObject"), lpType, drvObject.DeviceObject, BgColor, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DeviceObject"), lpType, drvObject.DeviceObject, BgColor, 0);
//Flags
RtlSecureZeroMemory(&szValue1, sizeof(szValue1));
@@ -1085,35 +1086,35 @@ VOID ObDumpDriverObject(
}
else {
//add named entry with zero data
- ObDumpUlong(g_TreeList, h_tviRootItem, T_FLAGS, NULL, 0, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, T_FLAGS, NULL, 0, TRUE, FALSE, 0, 0);
}
//DriverStart
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverStart"), NULL, drvObject.DriverStart, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverStart"), NULL, drvObject.DriverStart, 0, 0);
//DriverSection
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverSection"), TEXT("PLDR_DATA_TABLE_ENTRY"), drvObject.DriverSection, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverSection"), TEXT("PLDR_DATA_TABLE_ENTRY"), drvObject.DriverSection, 0, 0);
//DriverExtension
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverExtension"), TEXT("PDRIVER_EXTENSION"), drvObject.DriverExtension, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverExtension"), TEXT("PDRIVER_EXTENSION"), drvObject.DriverExtension, 0, 0);
//DriverName
- ObDumpUnicodeString(h_tviRootItem, TEXT("DriverName"), &drvObject.DriverName, FALSE);
+ propObDumpUnicodeString(g_TreeList, h_tviRootItem, TEXT("DriverName"), &drvObject.DriverName, FALSE);
//HardwareDatabase
- ObDumpUnicodeString(h_tviRootItem, TEXT("HardwareDatabase"), drvObject.HardwareDatabase, TRUE);
+ propObDumpUnicodeString(g_TreeList, h_tviRootItem, TEXT("HardwareDatabase"), drvObject.HardwareDatabase, TRUE);
//FastIoDispatch
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("FastIoDispatch"), TEXT("PFAST_IO_DISPATCH"), drvObject.FastIoDispatch, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("FastIoDispatch"), TEXT("PFAST_IO_DISPATCH"), drvObject.FastIoDispatch, 0, 0);
//DriverInit
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverInit"), NULL, drvObject.DriverInit, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverInit"), NULL, drvObject.DriverInit, 0, 0);
//DriverStartIo
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverStartIo"), NULL, drvObject.DriverStartIo, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverStartIo"), NULL, drvObject.DriverStartIo, 0, 0);
//DriverUnload
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverUnload"), NULL, drvObject.DriverUnload, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverUnload"), NULL, drvObject.DriverUnload, 0, 0);
//MajorFunction
RtlSecureZeroMemory(&szValue1, sizeof(szValue1));
@@ -1148,7 +1149,7 @@ VOID ObDumpDriverObject(
if (g_kdctx.IopInvalidDeviceRequest) {
if ((ULONG_PTR)drvObject.MajorFunction[i] == (ULONG_PTR)g_kdctx.IopInvalidDeviceRequest) {
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviSubItem,
T_IRP_MJ_FUNCTION[i],
@@ -1162,7 +1163,7 @@ VOID ObDumpDriverObject(
}
//DRIVER_OBJECT->MajorFunction[i]
- ObDumpAddressWithModule(h_tviSubItem, T_IRP_MJ_FUNCTION[i], drvObject.MajorFunction[i],
+ propObDumpAddressWithModule(h_tviSubItem, T_IRP_MJ_FUNCTION[i], drvObject.MajorFunction[i],
pModules, ldrEntry.DllBase, ldrEntry.SizeOfImage);
}
@@ -1183,55 +1184,55 @@ VOID ObDumpDriverObject(
NULL);
//InLoadOrderLinks
- ObDumpListEntry(g_TreeList, h_tviRootItem, TEXT("InLoadOrderLinks"), &ldrEntry.InLoadOrderLinks);
+ propObDumpListEntry(g_TreeList, h_tviRootItem, TEXT("InLoadOrderLinks"), &ldrEntry.InLoadOrderLinks);
//InMemoryOrderLinks
- ObDumpListEntry(g_TreeList, h_tviRootItem, TEXT("InMemoryOrderLinks"), &ldrEntry.InMemoryOrderLinks);
+ propObDumpListEntry(g_TreeList, h_tviRootItem, TEXT("InMemoryOrderLinks"), &ldrEntry.InMemoryOrderLinks);
//InInitializationOrderLinks/InProgressLinks
lpType = TEXT("InInitializationOrderLinks");
if (g_NtBuildNumber >= 9600) {
lpType = TEXT("InProgressLinks");
}
- ObDumpListEntry(g_TreeList, h_tviRootItem, lpType, &ldrEntry.DUMMYUNION0.InInitializationOrderLinks);
+ propObDumpListEntry(g_TreeList, h_tviRootItem, lpType, &ldrEntry.DUMMYUNION0.InInitializationOrderLinks);
//DllBase
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DllBase"), NULL, ldrEntry.DllBase, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DllBase"), NULL, ldrEntry.DllBase, 0, 0);
//EntryPoint
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("EntryPoint"), NULL, ldrEntry.EntryPoint, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("EntryPoint"), NULL, ldrEntry.EntryPoint, 0, 0);
//SizeOfImage
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("SizeOfImage"), NULL, ldrEntry.SizeOfImage, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("SizeOfImage"), NULL, ldrEntry.SizeOfImage, TRUE, FALSE, 0, 0);
//FullDllName
- ObDumpUnicodeString(h_tviRootItem, TEXT("FullDllName"), &ldrEntry.FullDllName, FALSE);
+ propObDumpUnicodeString(g_TreeList, h_tviRootItem, TEXT("FullDllName"), &ldrEntry.FullDllName, FALSE);
//BaseDllName
- ObDumpUnicodeString(h_tviRootItem, TEXT("BaseDllName"), &ldrEntry.BaseDllName, FALSE);
+ propObDumpUnicodeString(g_TreeList, h_tviRootItem, TEXT("BaseDllName"), &ldrEntry.BaseDllName, FALSE);
//Flags
- ObDumpUlong(g_TreeList, h_tviRootItem, T_FLAGS, NULL, ldrEntry.ENTRYFLAGSUNION.Flags, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, T_FLAGS, NULL, ldrEntry.ENTRYFLAGSUNION.Flags, TRUE, FALSE, 0, 0);
//LoadCount
lpType = TEXT("ObsoleteLoadCount");
if (g_NtBuildNumber < 9200) {
lpType = TEXT("LoadCount");
}
- ObDumpUlong(g_TreeList, h_tviRootItem, lpType, NULL, ldrEntry.ObsoleteLoadCount, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, lpType, NULL, ldrEntry.ObsoleteLoadCount, TRUE, TRUE, 0, 0);
//TlsIndex
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("TlsIndex"), NULL, ldrEntry.TlsIndex, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("TlsIndex"), NULL, ldrEntry.TlsIndex, TRUE, TRUE, 0, 0);
//SectionPointer
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("SectionPointer"), NULL, ldrEntry.DUMMYUNION1.SectionPointer, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("SectionPointer"), NULL, ldrEntry.DUMMYUNION1.SectionPointer, 0, 0);
//CheckSum
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("CheckSum"), NULL, ldrEntry.DUMMYUNION1.CheckSum, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("CheckSum"), NULL, ldrEntry.DUMMYUNION1.CheckSum, TRUE, FALSE, 0, 0);
//LoadedImports
if (g_NtBuildNumber < 9200) {
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("LoadedImports"), NULL, ldrEntry.DUMMYUNION2.LoadedImports, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("LoadedImports"), NULL, ldrEntry.DUMMYUNION2.LoadedImports, 0, 0);
}
} //LDR_DATA_TABLE_ENTRY
@@ -1270,7 +1271,7 @@ VOID ObDumpDriverObject(
BgColor = CLR_WARN;
bOkay = FALSE;//<-set flag invalid structure
}
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("SizeOfFastIoDispatch"), lpType, fastIoDispatch.SizeOfFastIoDispatch, TRUE, FALSE, BgColor, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("SizeOfFastIoDispatch"), lpType, fastIoDispatch.SizeOfFastIoDispatch, TRUE, FALSE, BgColor, 0);
//valid structure
if (bOkay) {
@@ -1279,7 +1280,7 @@ VOID ObDumpDriverObject(
if (pObj == NULL) {
continue;
}
- ObDumpAddressWithModule(h_tviRootItem, T_FAST_IO_DISPATCH[i], pObj,
+ propObDumpAddressWithModule(h_tviRootItem, T_FAST_IO_DISPATCH[i], pObj,
pModules, ldrEntry.DllBase, ldrEntry.SizeOfImage);
}
}
@@ -1337,17 +1338,17 @@ VOID ObDumpDriverObject(
}
}
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverObject"), lpType, drvExtension.DriverObject, BgColor, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DriverObject"), lpType, drvExtension.DriverObject, BgColor, 0);
//AddDevice
- ObDumpAddressWithModule(h_tviRootItem, TEXT("AddDevice"), drvExtension.AddDevice,
+ propObDumpAddressWithModule(h_tviRootItem, TEXT("AddDevice"), drvExtension.AddDevice,
pModules, ldrEntry.DllBase, ldrEntry.SizeOfImage);
//Count
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Count"), NULL, drvExtension.Count, FALSE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Count"), NULL, drvExtension.Count, FALSE, FALSE, 0, 0);
//ServiceKeyName
- ObDumpUnicodeString(h_tviRootItem, TEXT("ServiceKeyName"), &drvExtension.ServiceKeyName, FALSE);
+ propObDumpUnicodeString(g_TreeList, h_tviRootItem, TEXT("ServiceKeyName"), &drvExtension.ServiceKeyName, FALSE);
}
}
//
@@ -1364,14 +1365,14 @@ VOID ObDumpDriverObject(
}
/*
-* ObDumpDeviceObject
+* propObDumpDeviceObject
*
* Purpose:
*
* Dump DEVICE_OBJECT members to the treelist.
*
*/
-VOID ObDumpDeviceObject(
+VOID propObDumpDeviceObject(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -1404,14 +1405,14 @@ VOID ObDumpDeviceObject(
sizeof(devObject),
NULL))
{
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
g_TreeList = 0;
g_TreeListAtom = 0;
if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -1429,13 +1430,13 @@ VOID ObDumpDeviceObject(
lpType = L"! Must be IO_TYPE_DEVICE";
BgColor = CLR_WARN;
}
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Type", lpType, devObject.Type, TRUE, TRUE, BgColor, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Type", lpType, devObject.Type, TRUE, TRUE, BgColor, 0);
//Size
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Size", NULL, devObject.Size, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Size", NULL, devObject.Size, TRUE, TRUE, 0, 0);
//ReferenceCount
- ObDumpUlong(g_TreeList, h_tviRootItem, L"ReferenceCount", NULL, devObject.ReferenceCount, FALSE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"ReferenceCount", NULL, devObject.ReferenceCount, FALSE, FALSE, 0, 0);
//DriverObject
lpType = NULL;
@@ -1453,7 +1454,7 @@ VOID ObDumpDeviceObject(
lpType = T_REFNOTFOUND;
BgColor = CLR_INVL; //object can be outside directory so we don't know about it
}
- ObDumpAddress(g_TreeList, h_tviRootItem, L"DriverObject", lpType, devObject.DriverObject, BgColor, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"DriverObject", lpType, devObject.DriverObject, BgColor, 0);
//NextDevice
lpType = NULL;
@@ -1469,7 +1470,7 @@ VOID ObDumpDeviceObject(
else {
lpType = NULL;
}
- ObDumpAddress(g_TreeList, h_tviRootItem, L"NextDevice", lpType, devObject.NextDevice, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"NextDevice", lpType, devObject.NextDevice, 0, 0);
//AttachedDevice
lpType = NULL;
@@ -1485,14 +1486,14 @@ VOID ObDumpDeviceObject(
else {
lpType = NULL;
}
- ObDumpAddress(g_TreeList, h_tviRootItem, L"AttachedDevice", lpType, devObject.AttachedDevice, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"AttachedDevice", lpType, devObject.AttachedDevice, 0, 0);
//CurrentIrp
- ObDumpAddress(g_TreeList, h_tviRootItem, L"CurrentIrp", NULL, devObject.CurrentIrp, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"CurrentIrp", NULL, devObject.CurrentIrp, 0, 0);
//Timer
lpType = L"PIO_TIMER";
- ObDumpAddress(g_TreeList, h_tviRootItem, L"Timer", lpType, devObject.Timer, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"Timer", lpType, devObject.Timer, 0, 0);
//Flags
RtlSecureZeroMemory(&szValue1, sizeof(szValue1));
@@ -1533,7 +1534,7 @@ VOID ObDumpDeviceObject(
}
else {
//add named entry with zero data
- ObDumpUlong(g_TreeList, h_tviRootItem, T_FLAGS, NULL, 0, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, T_FLAGS, NULL, 0, TRUE, FALSE, 0, 0);
}
//Characteristics
@@ -1577,15 +1578,15 @@ VOID ObDumpDeviceObject(
}
else {
//add zero value
- ObDumpUlong(g_TreeList, h_tviRootItem, T_CHARACTERISTICS, NULL, 0, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, T_CHARACTERISTICS, NULL, 0, TRUE, FALSE, 0, 0);
}
//Vpb
lpType = L"PVPB";
- ObDumpAddress(g_TreeList, h_tviRootItem, L"Vpb", lpType, devObject.Vpb, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"Vpb", lpType, devObject.Vpb, 0, 0);
//DeviceExtension
- ObDumpAddress(g_TreeList, h_tviRootItem, L"DeviceExtension", NULL, devObject.DeviceExtension, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"DeviceExtension", NULL, devObject.DeviceExtension, 0, 0);
//DeviceType
lpType = NULL;
@@ -1595,10 +1596,10 @@ VOID ObDumpDeviceObject(
break;
}
}
- ObDumpUlong(g_TreeList, h_tviRootItem, L"DeviceType", lpType, devObject.DeviceType, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"DeviceType", lpType, devObject.DeviceType, TRUE, FALSE, 0, 0);
//StackSize
- ObDumpUlong(g_TreeList, h_tviRootItem, L"StackSize", NULL, devObject.StackSize, FALSE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"StackSize", NULL, devObject.StackSize, FALSE, FALSE, 0, 0);
//Queue
h_tviSubItem = TreeListAddItem(g_TreeList, h_tviRootItem, TVIF_TEXT | TVIF_STATE, 0,
@@ -1613,35 +1614,35 @@ VOID ObDumpDeviceObject(
TVIS_EXPANDED, L"WaitQueueEntry", NULL);
//Queue->Wcb->WaitQueueEntry->DeviceListEntry
- ObDumpListEntry(g_TreeList, h_tviWaitEntry, L"DeviceListEntry", &devObject.Queue.Wcb.WaitQueueEntry.DeviceListEntry);
+ propObDumpListEntry(g_TreeList, h_tviWaitEntry, L"DeviceListEntry", &devObject.Queue.Wcb.WaitQueueEntry.DeviceListEntry);
//Queue->Wcb->WaitQueueEntry->SortKey
- ObDumpUlong(g_TreeList, h_tviWaitEntry, L"SortKey", NULL, devObject.Queue.Wcb.WaitQueueEntry.SortKey, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviWaitEntry, L"SortKey", NULL, devObject.Queue.Wcb.WaitQueueEntry.SortKey, TRUE, FALSE, 0, 0);
//Queue->Wcb->WaitQueueEntry->Inserted
- ObDumpByte(g_TreeList, h_tviWaitEntry, L"Inserted", NULL, devObject.Queue.Wcb.WaitQueueEntry.Inserted, 0, 0, TRUE);
+ propObDumpByte(g_TreeList, h_tviWaitEntry, L"Inserted", NULL, devObject.Queue.Wcb.WaitQueueEntry.Inserted, 0, 0, TRUE);
//Queue->Wcb->DmaWaitEntry
- ObDumpListEntry(g_TreeList, h_tviWcb, L"DmaWaitEntry", &devObject.Queue.Wcb.DmaWaitEntry);
+ propObDumpListEntry(g_TreeList, h_tviWcb, L"DmaWaitEntry", &devObject.Queue.Wcb.DmaWaitEntry);
//Queue->Wcb->NumberOfChannels
- ObDumpUlong(g_TreeList, h_tviWcb, L"NumberOfChannels", NULL, devObject.Queue.Wcb.NumberOfChannels, FALSE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviWcb, L"NumberOfChannels", NULL, devObject.Queue.Wcb.NumberOfChannels, FALSE, FALSE, 0, 0);
//Queue->Wcb->SyncCallback
- ObDumpUlong(g_TreeList, h_tviWcb, L"SyncCallback", NULL, devObject.Queue.Wcb.SyncCallback, FALSE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviWcb, L"SyncCallback", NULL, devObject.Queue.Wcb.SyncCallback, FALSE, FALSE, 0, 0);
//Queue->Wcb->DmaContext
- ObDumpUlong(g_TreeList, h_tviWcb, L"DmaContext", NULL, devObject.Queue.Wcb.DmaContext, FALSE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviWcb, L"DmaContext", NULL, devObject.Queue.Wcb.DmaContext, FALSE, FALSE, 0, 0);
//Queue->Wcb->DeviceRoutine
lpType = L"PDRIVER_CONTROL";
- ObDumpAddress(g_TreeList, h_tviWcb, L"DeviceRoutine", lpType, devObject.Queue.Wcb.DeviceRoutine, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviWcb, L"DeviceRoutine", lpType, devObject.Queue.Wcb.DeviceRoutine, 0, 0);
//Queue->Wcb->DeviceContext
- ObDumpAddress(g_TreeList, h_tviWcb, L"DeviceContext", NULL, devObject.Queue.Wcb.DeviceContext, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviWcb, L"DeviceContext", NULL, devObject.Queue.Wcb.DeviceContext, 0, 0);
//Queue->Wcb->NumberOfMapRegisters
- ObDumpUlong(g_TreeList, h_tviWcb, L"DeviceContext", NULL, devObject.Queue.Wcb.NumberOfMapRegisters, FALSE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviWcb, L"DeviceContext", NULL, devObject.Queue.Wcb.NumberOfMapRegisters, FALSE, FALSE, 0, 0);
//Queue->Wcb->DeviceObject
lpType = NULL;
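Review bot: The call under the `//Queue->Wcb->NumberOfMapRegisters` comment still labels its row `L"DeviceContext"`, the same label used by the `propObDumpAddress` call two rows above it. The Wcb subtree therefore shows two `DeviceContext` entries and no `NumberOfMapRegisters`, which misleads anyone reading the dump to inspect a device object. The line should read `propObDumpUlong(g_TreeList, h_tviWcb, L"NumberOfMapRegisters", NULL, devObject.Queue.Wcb.NumberOfMapRegisters, FALSE, FALSE, 0, 0);`. The enclosing propObDumpDeviceObject body starts and ends outside this hunk.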
@@ -1661,14 +1662,14 @@ VOID ObDumpDeviceObject(
BgColor = CLR_LGRY;
}
}
- ObDumpAddress(g_TreeList, h_tviWcb, L"DeviceObject", lpType, devObject.Queue.Wcb.DeviceObject, BgColor, 0);
+ propObDumpAddress(g_TreeList, h_tviWcb, L"DeviceObject", lpType, devObject.Queue.Wcb.DeviceObject, BgColor, 0);
//Queue->Wcb->CurrentIrp
- ObDumpAddress(g_TreeList, h_tviWcb, L"CurrentIrp", NULL, devObject.Queue.Wcb.CurrentIrp, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviWcb, L"CurrentIrp", NULL, devObject.Queue.Wcb.CurrentIrp, 0, 0);
//Queue->Wcb->BufferChainingDpc
lpType = T_PKDPC;
- ObDumpAddress(g_TreeList, h_tviWcb, L"BufferChainingDpc", lpType, devObject.Queue.Wcb.BufferChainingDpc, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviWcb, L"BufferChainingDpc", lpType, devObject.Queue.Wcb.BufferChainingDpc, 0, 0);
//AlignmentRequirement
lpType = NULL;
@@ -1678,7 +1679,7 @@ VOID ObDumpDeviceObject(
break;
}
}
- ObDumpUlong(g_TreeList, h_tviRootItem, L"AlignmentRequirement", lpType, devObject.AlignmentRequirement, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"AlignmentRequirement", lpType, devObject.AlignmentRequirement, TRUE, FALSE, 0, 0);
//DeviceQueue
h_tviSubItem = TreeListAddItem(g_TreeList, h_tviRootItem, TVIF_TEXT | TVIF_STATE, 0,
@@ -1686,22 +1687,22 @@ VOID ObDumpDeviceObject(
//DeviceQueue->Type
lpType = L"KOBJECTS";
- ObDumpUlong(g_TreeList, h_tviSubItem, L"Type", lpType, devObject.DeviceQueue.Type, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"Type", lpType, devObject.DeviceQueue.Type, TRUE, TRUE, 0, 0);
//DeviceQueue->Size
- ObDumpUlong(g_TreeList, h_tviSubItem, L"Size", NULL, devObject.DeviceQueue.Size, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"Size", NULL, devObject.DeviceQueue.Size, TRUE, TRUE, 0, 0);
//DeviceQueue->DeviceListHead
- ObDumpListEntry(g_TreeList, h_tviSubItem, L"DeviceListHead", &devObject.DeviceQueue.DeviceListHead);
+ propObDumpListEntry(g_TreeList, h_tviSubItem, L"DeviceListHead", &devObject.DeviceQueue.DeviceListHead);
//DeviceQueue->Lock
- ObDumpAddress(g_TreeList, h_tviSubItem, L"Lock", NULL, (PVOID)devObject.DeviceQueue.Lock, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, L"Lock", NULL, (PVOID)devObject.DeviceQueue.Lock, 0, 0);
//DeviceQueue->Busy
- ObDumpByte(g_TreeList, h_tviSubItem, L"Busy", NULL, devObject.DeviceQueue.Busy, 0, 0, TRUE);
+ propObDumpByte(g_TreeList, h_tviSubItem, L"Busy", NULL, devObject.DeviceQueue.Busy, 0, 0, TRUE);
//DeviceQueue->Hint
- ObDumpAddress(g_TreeList, h_tviSubItem, L"Hint", NULL, (PVOID)devObject.DeviceQueue.Hint, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, L"Hint", NULL, (PVOID)devObject.DeviceQueue.Hint, 0, 0);
//
//DEVICE_OBJECT->Dpc
@@ -1712,57 +1713,57 @@ VOID ObDumpDeviceObject(
lpType = NULL;
if (devObject.Dpc.Type == DPC_NORMAL) lpType = L"DPC_NORMAL";
if (devObject.Dpc.Type == DPC_THREADED) lpType = L"DPC_THREADED";
- ObDumpUlong(g_TreeList, h_tviSubItem, L"Type", lpType, devObject.Dpc.Type, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"Type", lpType, devObject.Dpc.Type, TRUE, TRUE, 0, 0);
lpType = NULL;
if (devObject.Dpc.Importance == LowImportance) lpType = L"LowImportance";
if (devObject.Dpc.Importance == MediumImportance) lpType = L"MediumImportance";
if (devObject.Dpc.Importance == HighImportance) lpType = L"HighImportance";
- ObDumpUlong(g_TreeList, h_tviSubItem, L"Importance", lpType, devObject.Dpc.Importance, TRUE, TRUE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviSubItem, L"Number", NULL, devObject.Dpc.Number, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"Importance", lpType, devObject.Dpc.Importance, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, L"Number", NULL, devObject.Dpc.Number, TRUE, TRUE, 0, 0);
//Dpc->DpcListEntry
- ObDumpAddress(g_TreeList, h_tviSubItem, L"DpcListEntry", NULL, (PVOID)devObject.Dpc.DpcListEntry.Next, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, L"DpcListEntry", NULL, (PVOID)devObject.Dpc.DpcListEntry.Next, 0, 0);
//Dpc->ProcessorHistory
- ObDumpAddress(g_TreeList, h_tviSubItem, L"ProcessorHistory", NULL, (PVOID)devObject.Dpc.ProcessorHistory, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, L"ProcessorHistory", NULL, (PVOID)devObject.Dpc.ProcessorHistory, 0, 0);
//Dpc->DeferredRoutine
- ObDumpAddress(g_TreeList, h_tviSubItem, L"DeferredRoutine", NULL, devObject.Dpc.DeferredRoutine, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, L"DeferredRoutine", NULL, devObject.Dpc.DeferredRoutine, 0, 0);
//Dpc->DeferredContext
- ObDumpAddress(g_TreeList, h_tviSubItem, L"DeferredContext", NULL, devObject.Dpc.DeferredContext, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, L"DeferredContext", NULL, devObject.Dpc.DeferredContext, 0, 0);
//Dpc->SystemArgument1
- ObDumpAddress(g_TreeList, h_tviSubItem, L"SystemArgument1", NULL, devObject.Dpc.SystemArgument1, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, L"SystemArgument1", NULL, devObject.Dpc.SystemArgument1, 0, 0);
//Dpc->SystemArgument2
- ObDumpAddress(g_TreeList, h_tviSubItem, L"SystemArgument2", NULL, devObject.Dpc.SystemArgument2, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, L"SystemArgument2", NULL, devObject.Dpc.SystemArgument2, 0, 0);
//ActiveThreadCount
- ObDumpUlong(g_TreeList, h_tviRootItem, L"ActiveThreadCount", NULL, devObject.ActiveThreadCount, FALSE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"ActiveThreadCount", NULL, devObject.ActiveThreadCount, FALSE, FALSE, 0, 0);
//SecurityDescriptor
lpType = L"PSECURITY_DESCRIPTOR";
- ObDumpAddress(g_TreeList, h_tviRootItem, L"SecurityDescriptor", lpType, devObject.SecurityDescriptor, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"SecurityDescriptor", lpType, devObject.SecurityDescriptor, 0, 0);
//DeviceLock
h_tviWaitEntry = TreeListAddItem(g_TreeList, h_tviRootItem, TVIF_TEXT | TVIF_STATE, 0,
TVIS_EXPANDED, L"DeviceLock", NULL);
//DeviceLock->Header
- ObDumpDispatcherHeader(h_tviWaitEntry, &devObject.DeviceLock.Header, NULL, NULL, NULL);
+ propObDumpDispatcherHeader(h_tviWaitEntry, &devObject.DeviceLock.Header, NULL, NULL, NULL);
//SectorSize
- ObDumpUlong(g_TreeList, h_tviRootItem, L"SectorSize", NULL, devObject.SectorSize, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"SectorSize", NULL, devObject.SectorSize, TRUE, TRUE, 0, 0);
//Spare
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Spare1", NULL, devObject.Spare1, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Spare1", NULL, devObject.Spare1, TRUE, TRUE, 0, 0);
//DeviceObjectExtension
lpType = L"PDEVOBJ_EXTENSION";
- ObDumpAddress(g_TreeList, h_tviRootItem, L"DeviceObjectExtension", lpType, devObject.DeviceObjectExtension, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"DeviceObjectExtension", lpType, devObject.DeviceObjectExtension, 0, 0);
//Reserved
- ObDumpAddress(g_TreeList, h_tviRootItem, L"Reserved", NULL, devObject.Reserved, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"Reserved", NULL, devObject.Reserved, 0, 0);
//
//DEVOBJ_EXTENSION
@@ -1791,9 +1792,9 @@ VOID ObDumpDeviceObject(
BgColor = CLR_WARN;
}
//Type
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Type", lpType, devObjExt.Type, TRUE, TRUE, BgColor, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Type", lpType, devObjExt.Type, TRUE, TRUE, BgColor, 0);
//Size
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Size", NULL, devObjExt.Size, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Size", NULL, devObjExt.Size, TRUE, TRUE, 0, 0);
//DeviceObject
lpType = NULL;
@@ -1813,21 +1814,21 @@ VOID ObDumpDeviceObject(
BgColor = CLR_LGRY;
}
}
- ObDumpAddress(g_TreeList, h_tviRootItem, L"DeviceObject", lpType, devObjExt.DeviceObject, BgColor, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"DeviceObject", lpType, devObjExt.DeviceObject, BgColor, 0);
//PowerFlags
- ObDumpUlong(g_TreeList, h_tviRootItem, L"PowerFlags", NULL, devObjExt.PowerFlags, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"PowerFlags", NULL, devObjExt.PowerFlags, TRUE, FALSE, 0, 0);
//Dope
lpType = L"PDEVICE_OBJECT_POWER_EXTENSION";
- ObDumpAddress(g_TreeList, h_tviRootItem, L"Dope", lpType, devObjExt.Dope, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"Dope", lpType, devObjExt.Dope, 0, 0);
//ExtensionFlags
- ObDumpUlong(g_TreeList, h_tviRootItem, L"ExtensionFlags", NULL, devObjExt.ExtensionFlags, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"ExtensionFlags", NULL, devObjExt.ExtensionFlags, TRUE, FALSE, 0, 0);
//DeviceNode
lpType = L"PDEVICE_NODE";
- ObDumpAddress(g_TreeList, h_tviRootItem, L"DeviceNode", lpType, devObjExt.DeviceNode, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"DeviceNode", lpType, devObjExt.DeviceNode, 0, 0);
//AttachedTo
lpType = NULL;
@@ -1847,7 +1848,7 @@ VOID ObDumpDeviceObject(
BgColor = CLR_LGRY;
}
}
- ObDumpAddress(g_TreeList, h_tviRootItem, L"AttachedTo", lpType, devObjExt.AttachedTo, BgColor, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"AttachedTo", lpType, devObjExt.AttachedTo, BgColor, 0);
}
}
__except (exceptFilter(GetExceptionCode(), GetExceptionInformation())) {
@@ -1856,14 +1857,14 @@ VOID ObDumpDeviceObject(
}
/*
-* ObxDumpSessionIdVersionAware
+* propObDumpSessionIdVersionAware
*
* Purpose:
*
* Dump OBJECT_DIRECTORY SessionId.
*
*/
-VOID ObxDumpSessionIdVersionAware(
+VOID propObDumpSessionIdVersionAware(
HTREEITEM h_tviRootItem,
_In_ ULONG SessionId
)
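Review bot: In the renamed signature, `HTREEITEM h_tviRootItem` has no SAL annotation although `SessionId` next to it is marked `_In_`; it should be `_In_ HTREEITEM h_tviRootItem,` to match the other prop* dump helpers. The body in the following hunk writes to the global `g_TreeList`, whereas this commit gives `propObDumpUnicodeString` an explicit treelist argument. Taking `_In_ HWND TreeList` as the first parameter would keep the helpers consistent and stop the output target depending on global state, and the two call sites in propObDumpDirectoryObject would then pass `g_TreeList` explicitly. The header comment could also say that the description text depends on the OS version, if that is what the branch cut off above the second hunk selects.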
@@ -1875,18 +1876,18 @@ VOID ObxDumpSessionIdVersionAware(
else
lpType = NULL;
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("SessionId"), lpType, SessionId, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("SessionId"), lpType, SessionId, TRUE, FALSE, 0, 0);
}
/*
-* ObDumpDirectoryObject
+* propObDumpDirectoryObject
*
* Purpose:
*
* Dump OBJECT_DIRECTORY members to the treelist.
*
*/
-VOID ObDumpDirectoryObject(
+VOID propObDumpDirectoryObject(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -1955,7 +1956,7 @@ VOID ObDumpDirectoryObject(
ObjectSize,
NULL))
{
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -2007,7 +2008,7 @@ VOID ObDumpDirectoryObject(
g_TreeList = 0;
g_TreeListAtom = 0;
if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -2080,7 +2081,7 @@ VOID ObDumpDirectoryObject(
ChainLink.Flink = NULL;
lpType = TEXT("ChainLink");
if (dirEntry.ChainLink == NULL) {
- ObDumpAddress(g_TreeList, h_tviEntry, lpType, T_PLIST_ENTRY, NULL, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviEntry, lpType, T_PLIST_ENTRY, NULL, 0, 0);
}
else {
if (kdReadSystemMemoryEx(
@@ -2089,14 +2090,14 @@ VOID ObDumpDirectoryObject(
sizeof(ChainLink),
NULL))
{
- ObDumpListEntry(g_TreeList, h_tviEntry, lpType, &ChainLink);
+ propObDumpListEntry(g_TreeList, h_tviEntry, lpType, &ChainLink);
}
else {
- ObDumpAddress(g_TreeList, h_tviEntry, lpType, T_PLIST_ENTRY, dirEntry.ChainLink, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviEntry, lpType, T_PLIST_ENTRY, dirEntry.ChainLink, 0, 0);
}
}
- ObDumpAddress(g_TreeList, h_tviEntry, TEXT("Object"), NULL, dirEntry.Object, 0, 0);
- ObDumpUlong(g_TreeList, h_tviEntry, TEXT("HashValue"), NULL, dirEntry.HashValue, TRUE, FALSE, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviEntry, TEXT("Object"), NULL, dirEntry.Object, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviEntry, TEXT("HashValue"), NULL, dirEntry.HashValue, TRUE, FALSE, 0, 0);
}
}
}
@@ -2115,14 +2116,14 @@ VOID ObDumpDirectoryObject(
TEXT("Lock"),
&subitems);
- ObDumpAddress(g_TreeList, h_tviSubItem, TEXT("Ptr"), NULL, pCompatDirObject->Lock.Ptr, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, TEXT("Ptr"), NULL, pCompatDirObject->Lock.Ptr, 0, 0);
//DeviceMap
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DeviceMap"), T_PDEVICE_MAP, pCompatDirObject->DeviceMap, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DeviceMap"), T_PDEVICE_MAP, pCompatDirObject->DeviceMap, 0, 0);
//ShadowDirectory
if (ObjectVersion != 1) {
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("ShadowDirectory"), T_POBJECT_DIRECTORY, pCompatDirObject->ShadowDirectory, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("ShadowDirectory"), T_POBJECT_DIRECTORY, pCompatDirObject->ShadowDirectory, 0, 0);
}
//
@@ -2134,26 +2135,26 @@ VOID ObDumpDirectoryObject(
//
if (ObjectVersion != 3) {
- ObxDumpSessionIdVersionAware(
+ propObDumpSessionIdVersionAware(
h_tviRootItem,
pCompatDirObject->SessionId);
}
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("NamespaceEntry"), NULL, pCompatDirObject->NamespaceEntry, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("NamespaceEntry"), NULL, pCompatDirObject->NamespaceEntry, 0, 0);
if (ObjectVersion == 3) {
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("SessionObject"), NULL, pCompatDirObject->SessionObject, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("SessionObject"), NULL, pCompatDirObject->SessionObject, 0, 0);
}
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Flags"), NULL, pCompatDirObject->Flags, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Flags"), NULL, pCompatDirObject->Flags, TRUE, FALSE, 0, 0);
//
// SessionId is the last member of OBJECT_DIRECTORY_V3
//
if (ObjectVersion == 3) {
- ObxDumpSessionIdVersionAware(
+ propObDumpSessionIdVersionAware(
h_tviRootItem,
pCompatDirObject->SessionId);
}
@@ -2165,14 +2166,14 @@ VOID ObDumpDirectoryObject(
}
/*
-* ObDumpSyncObject
+* propObDumpSyncObject
*
* Purpose:
*
* Dump KEVENT/KMUTANT/KSEMAPHORE/KTIMER members to the treelist.
*
*/
-VOID ObDumpSyncObject(
+VOID propObDumpSyncObject(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -2216,7 +2217,7 @@ VOID ObDumpSyncObject(
Object = supHeapAlloc(ObjectSize);
if (Object == NULL) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -2227,7 +2228,7 @@ VOID ObDumpSyncObject(
ObjectSize,
NULL))
{
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
supHeapFree(Object);
return;
}
@@ -2235,7 +2236,7 @@ VOID ObDumpSyncObject(
g_TreeList = 0;
g_TreeListAtom = 0;
if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
supHeapFree(Object);
return;
}
@@ -2331,7 +2332,7 @@ VOID ObDumpSyncObject(
}
if (Header == NULL) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
supHeapFree(Object);
return;
}
@@ -2346,32 +2347,32 @@ VOID ObDumpSyncObject(
NULL);
//Header
- ObDumpDispatcherHeader(h_tviRootItem, Header, lpDescType, lpDesc1, lpDesc2);
+ propObDumpDispatcherHeader(h_tviRootItem, Header, lpDescType, lpDesc1, lpDesc2);
//type specific values
switch (Context->TypeIndex) {
case ObjectTypeMutant:
if (Mutant) {
- ObDumpListEntry(g_TreeList, h_tviRootItem, L"MutantListEntry", &Mutant->MutantListEntry);
- ObDumpAddress(g_TreeList, h_tviRootItem, L"OwnerThread", T_PKTHREAD, Mutant->OwnerThread, 0, 0);
- ObDumpByte(g_TreeList, h_tviRootItem, L"Abandoned", NULL, Mutant->Abandoned, 0, 0, TRUE);
- ObDumpByte(g_TreeList, h_tviRootItem, L"ApcDisable", NULL, Mutant->ApcDisable, 0, 0, FALSE);
+ propObDumpListEntry(g_TreeList, h_tviRootItem, L"MutantListEntry", &Mutant->MutantListEntry);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"OwnerThread", T_PKTHREAD, Mutant->OwnerThread, 0, 0);
+ propObDumpByte(g_TreeList, h_tviRootItem, L"Abandoned", NULL, Mutant->Abandoned, 0, 0, TRUE);
+ propObDumpByte(g_TreeList, h_tviRootItem, L"ApcDisable", NULL, Mutant->ApcDisable, 0, 0, FALSE);
}
break;
case ObjectTypeSemaphore:
if (Semaphore) {
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Limit", NULL, Semaphore->Limit, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Limit", NULL, Semaphore->Limit, TRUE, FALSE, 0, 0);
}
break;
case ObjectTypeTimer:
if (Timer) {
- ObDumpULargeInteger(g_TreeList, h_tviRootItem, L"DueTime", &Timer->DueTime); //dumped as hex, not important
- ObDumpListEntry(g_TreeList, h_tviRootItem, L"TimerListEntry", &Timer->TimerListEntry);
- ObDumpAddress(g_TreeList, h_tviRootItem, L"Dpc", T_PKDPC, Timer->Dpc, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Processor", NULL, Timer->Processor, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Period", NULL, Timer->Period, TRUE, FALSE, 0, 0);
+ propObDumpULargeInteger(g_TreeList, h_tviRootItem, L"DueTime", &Timer->DueTime); //dumped as hex, not important
+ propObDumpListEntry(g_TreeList, h_tviRootItem, L"TimerListEntry", &Timer->TimerListEntry);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"Dpc", T_PKDPC, Timer->Dpc, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Processor", NULL, Timer->Processor, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Period", NULL, Timer->Period, TRUE, FALSE, 0, 0);
}
break;
@@ -2385,14 +2386,14 @@ VOID ObDumpSyncObject(
}
/*
-* ObDumpObjectTypeFlags
+* propObDumpObjectTypeFlags
*
* Purpose:
*
* Dump ObjectTypeFlags/ObjectTypeFlags2 bits to the treelist.
*
*/
-VOID ObDumpObjectTypeFlags(
+VOID propObDumpObjectTypeFlags(
_In_ LPWSTR EntryName,
_In_ UCHAR ObjectTypeFlags,
_In_ HTREEITEM h_tviSubItem,
@@ -2429,19 +2430,19 @@ VOID ObDumpObjectTypeFlags(
}
else {
if (SetEntry)
- ObDumpByte(g_TreeList, h_tviSubItem, EntryName, NULL, ObjectTypeFlags, 0, 0, FALSE);
+ propObDumpByte(g_TreeList, h_tviSubItem, EntryName, NULL, ObjectTypeFlags, 0, 0, FALSE);
}
}
/*
-* ObDumpObjectType
+* propObDumpObjectType
*
* Purpose:
*
* Dump OBJECT_TYPE members to the treelist.
*
*/
-VOID ObDumpObjectType(
+VOID propObDumpObjectType(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -2542,28 +2543,28 @@ VOID ObDumpObjectType(
//
// This fields are structure version unaware.
//
- ObDumpListEntry(g_TreeList, h_tviRootItem, TEXT("TypeList"),
+ propObDumpListEntry(g_TreeList, h_tviRootItem, TEXT("TypeList"),
&ObjectType.Versions.ObjectTypeCompatible->TypeList);
- ObDumpUnicodeString(h_tviRootItem, TEXT("Name"),
+ propObDumpUnicodeString(g_TreeList, h_tviRootItem, TEXT("Name"),
&ObjectType.Versions.ObjectTypeCompatible->Name, FALSE);
- ObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DefaultObject"), NULL,
+ propObDumpAddress(g_TreeList, h_tviRootItem, TEXT("DefaultObject"), NULL,
ObjectType.Versions.ObjectTypeCompatible->DefaultObject, 0, 0);
- ObDumpByte(g_TreeList, h_tviRootItem, T_TYPEINDEX, NULL,
+ propObDumpByte(g_TreeList, h_tviRootItem, T_TYPEINDEX, NULL,
ObjectType.Versions.ObjectTypeCompatible->Index, 0, 0, FALSE);
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("TotalNumberOfObjects"), NULL,
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("TotalNumberOfObjects"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TotalNumberOfObjects, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("TotalNumberOfHandles"), NULL,
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("TotalNumberOfHandles"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TotalNumberOfHandles, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("HighWaterNumberOfObjects"), NULL,
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("HighWaterNumberOfObjects"), NULL,
ObjectType.Versions.ObjectTypeCompatible->HighWaterNumberOfObjects, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("HighWaterNumberOfHandles"), NULL,
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("HighWaterNumberOfHandles"), NULL,
ObjectType.Versions.ObjectTypeCompatible->HighWaterNumberOfHandles, TRUE, FALSE, 0, 0);
//
@@ -2576,13 +2577,13 @@ VOID ObDumpObjectType(
h_tviSubItem = TreeListAddItem(g_TreeList, h_tviRootItem, TVIF_TEXT | TVIF_STATE, 0,
0, TEXT("TypeInfo"), &TreeListSubitems);
- ObDumpUlong(g_TreeList, h_tviSubItem, T_LENGTH, NULL,
+ propObDumpUlong(g_TreeList, h_tviSubItem, T_LENGTH, NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.Length, TRUE, TRUE, 0, 0);
//
// Dump Object Type Flags / Extended Object Type Flags
//
- ObDumpObjectTypeFlags(T_OBJECT_TYPE_FLAGS,
+ propObDumpObjectTypeFlags(T_OBJECT_TYPE_FLAGS,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.ObjectTypeFlags,
h_tviSubItem,
(LPWSTR*)T_ObjectTypeFlags,
@@ -2599,7 +2600,7 @@ VOID ObDumpObjectType(
lpType = T_OBJECT_TYPE_FLAGS;
}
- ObDumpObjectTypeFlags(lpType,
+ propObDumpObjectTypeFlags(lpType,
ObjectType.Versions.ObjectType_RS1->TypeInfo.ObjectTypeFlags2,
h_tviSubItem,
(LPWSTR*)T_ObjectTypeFlags2,
@@ -2610,10 +2611,10 @@ VOID ObDumpObjectType(
//
// Structure version independent fields.
//
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("ObjectTypeCode"), NULL,
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("ObjectTypeCode"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.ObjectTypeCode, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("InvalidAttributes"), NULL,
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("InvalidAttributes"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.InvalidAttributes, TRUE, FALSE, 0, 0);
RtlSecureZeroMemory(&TreeListSubitems, sizeof(TreeListSubitems));
@@ -2622,21 +2623,21 @@ VOID ObDumpObjectType(
h_tviGenericMapping = TreeListAddItem(g_TreeList, h_tviSubItem, TVIF_TEXT | TVIF_STATE, 0,
0, TEXT("GenericMapping"), &TreeListSubitems);
- ObDumpUlong(g_TreeList, h_tviGenericMapping, TEXT("GenericRead"), NULL,
+ propObDumpUlong(g_TreeList, h_tviGenericMapping, TEXT("GenericRead"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.GenericMapping.GenericRead, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviGenericMapping, TEXT("GenericWrite"), NULL,
+ propObDumpUlong(g_TreeList, h_tviGenericMapping, TEXT("GenericWrite"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.GenericMapping.GenericWrite, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviGenericMapping, TEXT("GenericExecute"), NULL,
+ propObDumpUlong(g_TreeList, h_tviGenericMapping, TEXT("GenericExecute"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.GenericMapping.GenericExecute, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviGenericMapping, TEXT("GenericAll"), NULL,
+ propObDumpUlong(g_TreeList, h_tviGenericMapping, TEXT("GenericAll"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.GenericMapping.GenericAll, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("ValidAccessMask"), NULL,
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("ValidAccessMask"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.ValidAccessMask, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("RetainAccess"), NULL,
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("RetainAccess"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.RetainAccess, TRUE, FALSE, 0, 0);
//Pool Type
@@ -2648,13 +2649,13 @@ VOID ObDumpObjectType(
}
}
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("PoolType"), lpType,
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("PoolType"), lpType,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.PoolType, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("DefaultPagedPoolCharge"), NULL,
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("DefaultPagedPoolCharge"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.DefaultPagedPoolCharge, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("DefaultNonPagedPoolCharge"), NULL,
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("DefaultNonPagedPoolCharge"), NULL,
ObjectType.Versions.ObjectTypeCompatible->TypeInfo.DefaultNonPagedPoolCharge, TRUE, FALSE, 0, 0);
//
@@ -2676,11 +2677,11 @@ VOID ObDumpObjectType(
for (i = 0; i < MAX_KNOWN_OBJECT_TYPE_PROCEDURES; i++) {
if (TypeProcs[i]) {
- ObDumpAddressWithModule(h_tviSubItem, T_TYPEPROCEDURES[i], TypeProcs[i],
+ propObDumpAddressWithModule(h_tviSubItem, T_TYPEPROCEDURES[i], TypeProcs[i],
ModulesList, SelfDriverBase, SelfDriverSize);
}
else {
- ObDumpAddress(g_TreeList, h_tviSubItem, T_TYPEPROCEDURES[i], NULL, TypeProcs[i], 0, 0);
+ propObDumpAddress(g_TreeList, h_tviSubItem, T_TYPEPROCEDURES[i], NULL, TypeProcs[i], 0, 0);
}
}
@@ -2704,9 +2705,9 @@ VOID ObDumpObjectType(
break;
}
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("WaitObjectFlagMask"), NULL, WaitObjectFlagMask, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("WaitObjectFlagOffset"), NULL, WaitObjectFlagOffset, TRUE, TRUE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviSubItem, TEXT("WaitObjectPointerOffset"), NULL, WaitObjectPointerOffset, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("WaitObjectFlagMask"), NULL, WaitObjectFlagMask, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("WaitObjectFlagOffset"), NULL, WaitObjectFlagOffset, TRUE, TRUE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviSubItem, TEXT("WaitObjectPointerOffset"), NULL, WaitObjectPointerOffset, TRUE, TRUE, 0, 0);
}
@@ -2739,9 +2740,9 @@ VOID ObDumpObjectType(
break;
}
- ObDumpPushLock(g_TreeList, h_tviRootItem, LockPtr, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Key"), NULL, Key, TRUE, FALSE, 0, 0);
- ObDumpListEntry(g_TreeList, h_tviRootItem, TEXT("CallbackList"), pListEntry);
+ propObDumpPushLock(g_TreeList, h_tviRootItem, LockPtr, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Key"), NULL, Key, TRUE, FALSE, 0, 0);
+ propObDumpListEntry(g_TreeList, h_tviRootItem, TEXT("CallbackList"), pListEntry);
bOkay = TRUE;
@@ -2758,20 +2759,20 @@ VOID ObDumpObjectType(
// Show error message on failure.
//
if (bOkay == FALSE) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
}
/*
-* ObDumpQueueObject
+* propObDumpQueueObject
*
* Purpose:
*
* Dump KQUEUE members to the treelist.
*
*/
-VOID ObDumpQueueObject(
+VOID propObDumpQueueObject(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -2795,14 +2796,14 @@ VOID ObDumpQueueObject(
sizeof(Queue),
NULL))
{
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
g_TreeList = 0;
g_TreeListAtom = 0;
if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -2821,19 +2822,19 @@ VOID ObDumpQueueObject(
NULL);
//Header
- ObDumpDispatcherHeader(h_tviRootItem, &Queue.Header, NULL, NULL, lpDesc2);
+ propObDumpDispatcherHeader(h_tviRootItem, &Queue.Header, NULL, NULL, lpDesc2);
//EntryListHead
- ObDumpListEntry(g_TreeList, h_tviRootItem, L"EntryListHead", &Queue.EntryListHead);
+ propObDumpListEntry(g_TreeList, h_tviRootItem, L"EntryListHead", &Queue.EntryListHead);
//CurrentCount
- ObDumpUlong(g_TreeList, h_tviRootItem, L"CurrentCount", NULL, Queue.CurrentCount, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"CurrentCount", NULL, Queue.CurrentCount, TRUE, FALSE, 0, 0);
//MaximumCount
- ObDumpUlong(g_TreeList, h_tviRootItem, L"MaximumCount", NULL, Queue.MaximumCount, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"MaximumCount", NULL, Queue.MaximumCount, TRUE, FALSE, 0, 0);
//ThreadListHead
- ObDumpListEntry(g_TreeList, h_tviRootItem, L"ThreadListHead", &Queue.ThreadListHead);
+ propObDumpListEntry(g_TreeList, h_tviRootItem, L"ThreadListHead", &Queue.ThreadListHead);
}
__except (exceptFilter(GetExceptionCode(), GetExceptionInformation())) {
@@ -2842,14 +2843,14 @@ VOID ObDumpQueueObject(
}
/*
-* ObDumpFltServerPort
+* propObDumpFltServerPort
*
* Purpose:
*
* Dump FLT_SERVER_PORT_OBJECT members to the treelist.
*
*/
-VOID ObDumpFltServerPort(
+VOID propObDumpFltServerPort(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -2872,20 +2873,20 @@ VOID ObDumpFltServerPort(
sizeof(FltServerPortObject),
NULL))
{
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
g_TreeList = 0;
g_TreeListAtom = 0;
if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
pModules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
if (pModules == NULL) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -2898,22 +2899,22 @@ VOID ObDumpFltServerPort(
T_FLT_SERVER_PORT_OBJECT,
NULL);
- ObDumpListEntry(g_TreeList, h_tviRootItem, L"FilterLink", &FltServerPortObject.FilterLink);
+ propObDumpListEntry(g_TreeList, h_tviRootItem, L"FilterLink", &FltServerPortObject.FilterLink);
- ObDumpAddressWithModule(h_tviRootItem, L"ConnectNotify",
+ propObDumpAddressWithModule(h_tviRootItem, L"ConnectNotify",
FltServerPortObject.ConnectNotify, pModules, NULL, 0);
- ObDumpAddressWithModule(h_tviRootItem, L"DisconnectNotify",
+ propObDumpAddressWithModule(h_tviRootItem, L"DisconnectNotify",
FltServerPortObject.DisconnectNotify, pModules, NULL, 0);
- ObDumpAddressWithModule(h_tviRootItem, L"MessageNotify",
+ propObDumpAddressWithModule(h_tviRootItem, L"MessageNotify",
FltServerPortObject.MessageNotify, pModules, NULL, 0);
- ObDumpAddress(g_TreeList, h_tviRootItem, L"Filter", T_PFLT_FILTER, FltServerPortObject.Filter, 0, 0);
- ObDumpAddress(g_TreeList, h_tviRootItem, L"Cookie", NULL, FltServerPortObject.Cookie, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, L"Flags", NULL, FltServerPortObject.Flags, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, L"NumberOfConnections", NULL, FltServerPortObject.NumberOfConnections, TRUE, FALSE, 0, 0);
- ObDumpUlong(g_TreeList, h_tviRootItem, L"MaxConnections", NULL, FltServerPortObject.MaxConnections, TRUE, FALSE, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"Filter", T_PFLT_FILTER, FltServerPortObject.Filter, 0, 0);
+ propObDumpAddress(g_TreeList, h_tviRootItem, L"Cookie", NULL, FltServerPortObject.Cookie, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"Flags", NULL, FltServerPortObject.Flags, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"NumberOfConnections", NULL, FltServerPortObject.NumberOfConnections, TRUE, FALSE, 0, 0);
+ propObDumpUlong(g_TreeList, h_tviRootItem, L"MaxConnections", NULL, FltServerPortObject.MaxConnections, TRUE, FALSE, 0, 0);
supHeapFree(pModules);
}
@@ -2923,14 +2924,14 @@ VOID ObDumpFltServerPort(
}
/*
-* ObDumpAlpcPortCommunicationInfo
+* propObxDumpAlpcPortCommunicationInfo
*
* Purpose:
*
* Dump ALPC_PORT->CommunicationInfo substructure to the treelist.
*
*/
-VOID ObDumpAlpcPortCommunicationInfo(
+VOID propObxDumpAlpcPortCommunicationInfo(
_In_ ULONG StructureVersion,
_In_ ULONG_PTR StructureAddress,
HTREEITEM h_tviRootItem
@@ -2977,7 +2978,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
//
// Dump version unaffected fields.
//
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("ConnectionPort"),
@@ -2986,7 +2987,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
0,
0);
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("ServerCommunicationPort"),
@@ -2995,7 +2996,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
0,
0);
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("ClientCommunicationPort"),
@@ -3004,7 +3005,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
0,
0);
- ObDumpListEntry(
+ propObDumpListEntry(
g_TreeList,
h_tviRootItem,
TEXT("CommunicationList"),
@@ -3022,7 +3023,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
T_ALPC_HANDLE_TABLE,
NULL);
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviSubItem,
TEXT("Handles"),
@@ -3031,7 +3032,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
0,
0);
- ObDumpUlong(
+ propObDumpUlong(
g_TreeList,
h_tviSubItem,
TEXT("TotalHandles"),
@@ -3042,7 +3043,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
0,
0);
- ObDumpUlong(
+ propObDumpUlong(
g_TreeList,
h_tviSubItem,
TEXT("Flags"),
@@ -3053,7 +3054,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
0,
0);
- ObDumpPushLock(
+ propObDumpPushLock(
g_TreeList,
h_tviSubItem,
AlpcPortCommunicationInfo.u1.CommInfoV1->HandleTable.Lock.Ptr,
@@ -3064,7 +3065,7 @@ VOID ObDumpAlpcPortCommunicationInfo(
// Version specific field.
//
if (StructureVersion == 2) {
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("CloseMessage"),
@@ -3077,14 +3078,14 @@ VOID ObDumpAlpcPortCommunicationInfo(
}
/*
-* ObDumpAlpcPort
+* propObDumpAlpcPort
*
* Purpose:
*
* Dump ALPC_PORT members to the treelist.
*
*/
-VOID ObDumpAlpcPort(
+VOID propObDumpAlpcPort(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -3115,14 +3116,14 @@ VOID ObDumpAlpcPort(
&ObjectVersion);
if (PortDumpBuffer == NULL) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
g_TreeList = 0;
g_TreeListAtom = 0;
if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
supVirtualFree(PortDumpBuffer);
return;
}
@@ -3141,7 +3142,7 @@ VOID ObDumpAlpcPort(
//
// Dump AlpcPort->PortListEntry, same offset for every supported Windows.
//
- ObDumpListEntry(
+ propObDumpListEntry(
g_TreeList,
h_tviRootItem,
TEXT("PortListEntry"),
@@ -3170,7 +3171,7 @@ VOID ObDumpAlpcPort(
TEXT("CommunicationInfo"),
&subitems);
- ObDumpAlpcPortCommunicationInfo(
+ propObxDumpAlpcPortCommunicationInfo(
(ObjectVersion > 2) ? 2 : 1,
(ULONG_PTR)AlpcPort.u1.Port7600->CommunicationInfo,
h_tviSubItem);
@@ -3178,7 +3179,7 @@ VOID ObDumpAlpcPort(
//
// Dump AlpcPort->OwnerProcess, same offset for every supported Windows, however target structure is version aware.
//
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("Owner"),
@@ -3190,7 +3191,7 @@ VOID ObDumpAlpcPort(
//
// Dump AlpcPort->CompletionPort, same offset for every supported Windows.
//
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("CompletionPort"),
@@ -3202,7 +3203,7 @@ VOID ObDumpAlpcPort(
//
// Dump AlpcPort->CompletionKey, same offset for every supported Windows.
//
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("CompletionKey"),
@@ -3214,7 +3215,7 @@ VOID ObDumpAlpcPort(
//
// Dump AlpcPort->CompletionPacketLookaside, same offset for every supported Windows, however target structure is version aware.
//
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("CompletionPacketLookaside"),
@@ -3226,7 +3227,7 @@ VOID ObDumpAlpcPort(
//
// Dump AlpcPort->PortContext, same offset for every supported Windows.
//
- ObDumpAddress(
+ propObDumpAddress(
g_TreeList,
h_tviRootItem,
TEXT("PortContext"),
@@ -3239,7 +3240,7 @@ VOID ObDumpAlpcPort(
// Dump AlpcPort->StaticSecurity, same offset for every supported Windows.
//
/*
- ObDumpSqos(
+ propObDumpSqos(
g_TreeList,
h_tviRootItem,
&AlpcPort.u1.Port7600->StaticSecurity.SecurityQos);
@@ -3282,7 +3283,7 @@ VOID ObDumpAlpcPort(
if (PortAttributes) {
- ObDumpUlong(
+ propObDumpUlong(
g_TreeList,
h_tviSubItem,
T_FLAGS,
@@ -3293,12 +3294,12 @@ VOID ObDumpAlpcPort(
0,
0);
- ObDumpSqos(
+ propObDumpSqos(
g_TreeList,
h_tviSubItem,
&PortAttributes->SecurityQos);
- ObDumpUlong64(
+ propObDumpUlong64(
g_TreeList,
h_tviSubItem,
TEXT("MaxMessageLength"),
@@ -3308,7 +3309,7 @@ VOID ObDumpAlpcPort(
0,
0);
- ObDumpUlong64(
+ propObDumpUlong64(
g_TreeList,
h_tviSubItem,
TEXT("MemoryBandwidth"),
@@ -3318,7 +3319,7 @@ VOID ObDumpAlpcPort(
0,
0);
- ObDumpUlong64(
+ propObDumpUlong64(
g_TreeList,
h_tviSubItem,
TEXT("MaxPoolUsage"),
@@ -3328,7 +3329,7 @@ VOID ObDumpAlpcPort(
0,
0);
- ObDumpUlong64(
+ propObDumpUlong64(
g_TreeList,
h_tviSubItem,
TEXT("MaxSectionSize"),
@@ -3338,7 +3339,7 @@ VOID ObDumpAlpcPort(
0,
0);
- ObDumpUlong64(
+ propObDumpUlong64(
g_TreeList,
h_tviSubItem,
TEXT("MaxViewSize"),
@@ -3348,7 +3349,7 @@ VOID ObDumpAlpcPort(
0,
0);
- ObDumpUlong64(
+ propObDumpUlong64(
g_TreeList,
h_tviSubItem,
TEXT("MaxTotalSectionSize"),
@@ -3358,7 +3359,7 @@ VOID ObDumpAlpcPort(
0,
0);
- ObDumpUlong(
+ propObDumpUlong(
g_TreeList,
h_tviSubItem,
TEXT("DupObjectTypes"),
@@ -3408,7 +3409,7 @@ VOID ObDumpAlpcPort(
else {
c = GET_BIT(PortState.State, i);
}
- ObDumpByte(
+ propObDumpByte(
g_TreeList,
h_tviSubItem,
T_ALPC_PORT_STATE[i],
@@ -3423,14 +3424,14 @@ VOID ObDumpAlpcPort(
}
/*
-* ObDumpCallback
+* propObDumpCallback
*
* Purpose:
*
* Dump CALLBACK_OBJECT callback members to the treelist.
*
*/
-VOID ObDumpCallback(
+VOID propObDumpCallback(
_In_ PROP_OBJECT_INFO *Context,
_In_ HWND hwndDlg
)
@@ -3456,7 +3457,7 @@ VOID ObDumpCallback(
sizeof(ObjectDump),
NULL))
{
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -3464,7 +3465,7 @@ VOID ObDumpCallback(
// Verify object signature.
//
if (ObjectDump.Signature != EX_CALLBACK_SIGNATURE) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -3473,7 +3474,7 @@ VOID ObDumpCallback(
//
Modules = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
if (Modules == NULL) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
@@ -3483,7 +3484,7 @@ VOID ObDumpCallback(
g_TreeList = 0;
g_TreeListAtom = 0;
if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
return;
}
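Review bot: The early return after a failed `supInitTreeListForDump` leaves `Modules` allocated: it was obtained from `supGetSystemInfo` in the preceding hunk, and the only `supHeapFree(Modules)` visible is at the end of the function. Unless the lines between the two hunks release it, this path leaks the module list each time treelist creation fails. Adding `supHeapFree(Modules);` before the `return;` would match what the sync-object dump does with `supHeapFree(Object)` on the same failure. The function body starts and ends outside this hunk.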
@@ -3519,14 +3520,14 @@ VOID ObDumpCallback(
//
// Abort all output on error.
//
- ObDumpShowError(hwndDlg);
+ propObDumpShowError(hwndDlg);
break;
}
Count += 1;
ListEntry.Flink = CallbackRegistration.Link.Flink;
- ObDumpAddressWithModule(h_tviRootItem,
+ propObDumpAddressWithModule(h_tviRootItem,
Context->lpObjectName,
CallbackRegistration.CallbackFunction,
Modules,
@@ -3538,13 +3539,136 @@ VOID ObDumpCallback(
// If nothing found (or possible query error) output this message.
//
if (Count == 0) {
- ObDumpShowMessage(hwndDlg,
+ propObDumpShowMessage(hwndDlg,
TEXT("This object has no registered callbacks or there is an query error."));
}
supHeapFree(Modules);
}
+/*
+* propObDumpSymbolicLink
+*
+* Purpose:
+*
+* Dump OBJECT_SYMBOLIC_LINK members to the treelist.
+*
+*/
+VOID propObDumpSymbolicLink(
+ _In_ PROP_OBJECT_INFO *Context,
+ _In_ HWND hwndDlg
+)
+{
+ HTREEITEM h_tviRootItem;
+
+ PBYTE SymLinkDumpBuffer = NULL;
+
+ ULONG BufferSize = 0, ObjectVersion = 0;
+
+ TIME_FIELDS SystemTime;
+ TL_SUBITEMS_FIXED subitems;
+
+ union {
+ union {
+ OBJECT_SYMBOLIC_LINK_V1 *LinkV1;
+ OBJECT_SYMBOLIC_LINK_V2 *LinkV2;
+ OBJECT_SYMBOLIC_LINK_V3 *LinkV3;
+ OBJECT_SYMBOLIC_LINK_V4 *LinkV4;
+ } u1;
+ PBYTE Ref;
+ } SymbolicLink;
+
+ WCHAR szBuffer[MAX_PATH], szConvert[64];
+
+
+ SymLinkDumpBuffer = (PBYTE)ObDumpSymbolicLinkObjectVersionAware(
+ Context->ObjectInfo.ObjectAddress,
+ &BufferSize,
+ &ObjectVersion);
+
+ if (SymLinkDumpBuffer == NULL) {
+ propObDumpShowError(hwndDlg);
+ return;
+ }
+
+ SymbolicLink.Ref = SymLinkDumpBuffer;
+
+ //
+ // Prepare treelist for output.
+ //
+ g_TreeList = 0;
+ g_TreeListAtom = 0;
+ if (!supInitTreeListForDump(hwndDlg, &g_TreeListAtom, &g_TreeList)) {
+ propObDumpShowError(hwndDlg);
+ supVirtualFree(SymLinkDumpBuffer);
+ return;
+ }
+
+ //
+ // Add root item to the treelist in expanded state.
+ //
+ h_tviRootItem = TreeListAddItem(
+ g_TreeList,
+ NULL,
+ TVIF_TEXT | TVIF_STATE,
+ TVIS_EXPANDED,
+ TVIS_EXPANDED,
+ T_OBJECT_SYMBOLIC_LINK,
+ NULL);
+
+ //
+ // Output CreationTime.
+ //
+ FileTimeToLocalFileTime((PFILETIME)&SymbolicLink.u1.LinkV1->CreationTime, (PFILETIME)&SymbolicLink.u1.LinkV1->CreationTime);
+ RtlSecureZeroMemory(&SystemTime, sizeof(SystemTime));
+ RtlTimeToTimeFields((PLARGE_INTEGER)&SymbolicLink.u1.LinkV1->CreationTime, (PTIME_FIELDS)&SystemTime);
+
+ if (SystemTime.Month - 1 < 0) SystemTime.Month = 1;
+ if (SystemTime.Month > 12) SystemTime.Month = 12;
+
+ RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
+ wsprintf(szBuffer, FORMATTED_TIME_DATE_VALUE,
+ SystemTime.Hour,
+ SystemTime.Minute,
+ SystemTime.Second,
+ SystemTime.Day,
+ g_szMonths[SystemTime.Month - 1],
+ SystemTime.Year);
+
+ RtlSecureZeroMemory(&subitems, sizeof(subitems));
+
+ szConvert[0] = TEXT('0');
+ szConvert[1] = TEXT('x');
+ szConvert[2] = 0;
+ u64tohex((ULONG64)SymbolicLink.u1.LinkV1->CreationTime.QuadPart, &szConvert[2]);
+
+ subitems.Count = 2;
+ subitems.Text[0] = szConvert;
+ subitems.Text[1] = szBuffer;
+
+ TreeListAddItem(
+ g_TreeList,
+ h_tviRootItem,
+ TVIF_TEXT,
+ 0,
+ 0,
+ TEXT("CreationTime"),
+ &subitems);
+
+ propObDumpUnicodeString(g_TreeList, h_tviRootItem, TEXT("LinkTarget"), &SymbolicLink.u1.LinkV1->LinkTarget, FALSE);
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("DosDeviceDriveIndex"), NULL, SymbolicLink.u1.LinkV1->DosDeviceDriveIndex, TRUE, FALSE, 0, 0);
+
+ //
+ // Output new Windows 10 values.
+ //
+ if (ObjectVersion > 1)
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("Flags"), NULL, SymbolicLink.u1.LinkV2->Flags, TRUE, FALSE, 0, 0);
+ if (ObjectVersion > 2)
+ propObDumpUlong(g_TreeList, h_tviRootItem, TEXT("AccessMask"), NULL, SymbolicLink.u1.LinkV3->AccessMask, TRUE, FALSE, 0, 0);
+
+ supVirtualFree(SymLinkDumpBuffer);
+}
+
/*
* ObjectDumpHandlePopupMenu
*
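Review bot: In propObDumpSymbolicLink the CreationTime conversion passes the same field as both input and output of `FileTimeToLocalFileTime`, which the documentation for that API says is not allowed, and the return value is not checked. Because the dump buffer is overwritten in place, the hex value that `u64tohex` prints afterwards is the local-adjusted time rather than the value read from the kernel object. Converting into a local keeps both columns meaningful: `LARGE_INTEGER LocalTime;`, `FileTimeToLocalFileTime((PFILETIME)&SymbolicLink.u1.LinkV1->CreationTime, (PFILETIME)&LocalTime);`, `RtlTimeToTimeFields(&LocalTime, &SystemTime);`. Separately, `BufferSize` is never compared with the size of the V2/V3 structure before `Flags` and `AccessMask` are read, so those reads rely on the version-aware helper always returning a buffer large enough for the version it reports.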
@@ -3600,42 +3724,46 @@ INT_PTR ObjectDumpInitDialog(
switch (Context->TypeIndex) {
case ObjectTypeDirectory:
- ObDumpDirectoryObject(Context, hwndDlg);
+ propObDumpDirectoryObject(Context, hwndDlg);
break;
case ObjectTypeDriver:
- ObDumpDriverObject(Context, hwndDlg);
+ propObDumpDriverObject(Context, hwndDlg);
break;
case ObjectTypeDevice:
- ObDumpDeviceObject(Context, hwndDlg);
+ propObDumpDeviceObject(Context, hwndDlg);
break;
case ObjectTypeEvent:
case ObjectTypeMutant:
case ObjectTypeSemaphore:
case ObjectTypeTimer:
- ObDumpSyncObject(Context, hwndDlg);
+ propObDumpSyncObject(Context, hwndDlg);
break;
case ObjectTypePort:
- ObDumpAlpcPort(Context, hwndDlg);
+ propObDumpAlpcPort(Context, hwndDlg);
break;
case ObjectTypeIoCompletion:
- ObDumpQueueObject(Context, hwndDlg);
+ propObDumpQueueObject(Context, hwndDlg);
break;
case ObjectTypeFltConnPort:
- ObDumpFltServerPort(Context, hwndDlg);
+ propObDumpFltServerPort(Context, hwndDlg);
break;
case ObjectTypeCallback:
- ObDumpCallback(Context, hwndDlg);
+ propObDumpCallback(Context, hwndDlg);
+ break;
+
+ case ObjectTypeSymbolicLink:
+ propObDumpSymbolicLink(Context, hwndDlg);
break;
case ObjectTypeType:
- ObDumpObjectType(Context, hwndDlg);
+ propObDumpObjectType(Context, hwndDlg);
break;
}
}
diff --git a/Source/WinObjEx64/props/propObjectDump.h b/Source/WinObjEx64/props/propObjectDump.h
index 9924260..0f4ebce 100644
--- a/Source/WinObjEx64/props/propObjectDump.h
+++ b/Source/WinObjEx64/props/propObjectDump.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPOBJECTDUMP.H
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 04 Feb 2019
*
* Common header file for the object dump support.
*
@@ -18,25 +18,13 @@
*******************************************************************************/
#pragma once
-VOID ObDumpDriverObject(
- _In_ PROP_OBJECT_INFO *Context,
- _In_ HWND hwndDlg);
-
-VOID ObDumpDeviceObject(
- _In_ PROP_OBJECT_INFO *Context,
- _In_ HWND hwndDlg);
-
-VOID ObDumpDirectoryObject(
- _In_ PROP_OBJECT_INFO *Context,
- _In_ HWND hwndDlg);
-
INT_PTR CALLBACK ObjectDumpDialogProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam);
-VOID ObDumpUlong(
+VOID propObDumpUlong(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@@ -47,7 +35,7 @@ VOID ObDumpUlong(
_In_opt_ COLORREF BgColor,
_In_opt_ COLORREF FontColor);
-VOID ObDumpByte(
+VOID propObDumpByte(
_In_ HWND TreeList,
_In_ HTREEITEM hParent,
_In_ LPWSTR lpszName,
@@ -56,33 +44,3 @@ VOID ObDumpByte(
_In_opt_ COLORREF BgColor,
_In_opt_ COLORREF FontColor,
_In_ BOOL IsBool);
-
-VOID ObDumpSetString(
- _In_ HWND TreeList,
- _In_ HTREEITEM hParent,
- _In_ LPWSTR lpszName,
- _In_opt_ LPWSTR lpszDesc,
- _In_ LPWSTR lpszValue,
- _In_opt_ COLORREF BgColor,
- _In_opt_ COLORREF FontColor);
-
-VOID ObDumpAddress(
- _In_ HWND TreeList,
- _In_ HTREEITEM hParent,
- _In_ LPWSTR lpszName,
- _In_opt_ LPWSTR lpszDesc,
- _In_opt_ PVOID Address,
- _In_ COLORREF BgColor,
- _In_ COLORREF FontColor);
-
-VOID ObDumpULargeInteger(
- _In_ HWND TreeList,
- _In_ HTREEITEM hParent,
- _In_ LPWSTR ListEntryName,
- _In_opt_ PULARGE_INTEGER Value);
-
-VOID ObDumpListEntry(
- _In_ HWND TreeList,
- _In_ HTREEITEM hParent,
- _In_ LPWSTR ListEntryName,
- _In_opt_ PLIST_ENTRY ListEntry);
diff --git a/Source/WinObjEx64/props/propObjectDumpConsts.h b/Source/WinObjEx64/props/propObjectDumpConsts.h
index 9453130..ef2b15d 100644
--- a/Source/WinObjEx64/props/propObjectDumpConsts.h
+++ b/Source/WinObjEx64/props/propObjectDumpConsts.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPOBJECTDUMPCONSTS.H
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 04 Feb 2019
*
* Consts header file for Object Dump module.
*
@@ -54,6 +54,8 @@
#define T_FLT_OBJECT L"FLT_OBJECT"
#define T_FLT_FILTER_FLAGS L"FLT_FILTER_FLAGS"
+#define T_OBJECT_SYMBOLIC_LINK L"OBJECT_SYMBOLIC_LINK"
+
#define T_ALPC_PORT_OBJECT L"ALPC_PORT"
#define T_PALPC_PORT_OBJECT L"PALPC_PORT"
#define T_ALPC_HANDLE_TABLE L"ALPC_HANDLE_TABLE"
diff --git a/Source/WinObjEx64/props/propType.c b/Source/WinObjEx64/props/propType.c
index 405ac47..4b20ded 100644
--- a/Source/WinObjEx64/props/propType.c
+++ b/Source/WinObjEx64/props/propType.c
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPTYPE.C
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 28 Dec 2018
+* DATE: 22 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -466,7 +466,7 @@ VOID propSetTypeDecodedAttributes(
}
}
else {
- propSetTypeDecodeValue(hListRights, dwFlags, Context->RealTypeIndex);
+ propSetTypeDecodeValue(hListRights, dwFlags, Context->ShadowTypeDescription->Index);
}
}
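Review bot: `Context->ShadowTypeDescription->Index` dereferences a pointer where the old code read the plain field `Context->RealTypeIndex`, and no NULL check is visible in this hunk. The same unchecked dereference appears in the later propSetTypeInfo hunks and in the `ImageList_Draw` call in TypePropDialogProc. If the descriptor is guaranteed to be set whenever a context exists, which is not visible here, a comment such as `// ShadowTypeDescription is never NULL for a valid Context` at the first use would record that; otherwise these sites need a guard. The enclosing function starts outside the hunk.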
@@ -622,7 +622,8 @@ VOID propSetTypeInfo(
)
{
BOOL bOkay;
- INT i, nIndex;
+ WOBJ_OBJECT_TYPE RealTypeIndex;
+ INT i;
POBJINFO pObject = NULL;
LPCWSTR lpTypeDescription = NULL;
OBJECT_TYPE_COMPATIBLE ObjectTypeDump;
@@ -633,22 +634,21 @@ VOID propSetTypeInfo(
return;
}
- nIndex = Context->RealTypeIndex;
- if ((Context->RealTypeIndex > ObjectTypeUnknown) ||
- (Context->RealTypeIndex < ObjectTypeDevice))
- {
- nIndex = ObjectTypeUnknown;
+ RealTypeIndex = Context->ShadowTypeDescription->Index;
+ if ((RealTypeIndex > ObjectTypeUnknown)) {
+ RealTypeIndex = ObjectTypeUnknown;
}
//if type is not known set it description to it type name
- if (nIndex == ObjectTypeUnknown) {
+ if (RealTypeIndex == ObjectTypeUnknown) {
lpTypeDescription = Context->lpObjectType;
}
else {
+ //set description
RtlSecureZeroMemory(&szType, sizeof(szType));
if (LoadString(
g_WinObj.hInstance,
- TYPE_DESCRIPTION_START_INDEX + nIndex,
+ Context->TypeDescription->ResourceStringId,
szType,
(MAX_PATH * sizeof(WCHAR)) - sizeof(UNICODE_NULL)))
{
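Review bot: The unknown-type test now uses `Context->ShadowTypeDescription->Index`, while the LoadString call takes its id from `Context->TypeDescription->ResourceStringId`, a different descriptor; the second LoadString further down in the function uses `ShadowTypeDescription->ResourceStringId`. Before this change both branches were driven by the single `RealTypeIndex`, so the mix looks unintended and is worth confirming or explaining in a comment. The range check also lost its lower bound (`< ObjectTypeDevice`); if `WOBJ_OBJECT_TYPE` is a signed enum, a negative index would no longer be mapped to `ObjectTypeUnknown`. The LoadString call continues past the end of this hunk.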
@@ -657,6 +657,7 @@ VOID propSetTypeInfo(
else {
lpTypeDescription = Context->lpObjectType;
}
+
}
//check if we have object address and dump object
@@ -681,14 +682,14 @@ VOID propSetTypeInfo(
}
//if type is not known set it description to it type name
- if (Context->RealTypeIndex == ObjectTypeUnknown)
+ if (RealTypeIndex == ObjectTypeUnknown)
lpTypeDescription = Context->lpObjectName;
else {
//set description
RtlSecureZeroMemory(&szType, sizeof(szType));
if (LoadString(
g_WinObj.hInstance,
- TYPE_DESCRIPTION_START_INDEX + Context->RealTypeIndex,
+ Context->ShadowTypeDescription->ResourceStringId,
szType,
(MAX_PATH * 2) - sizeof(UNICODE_NULL)))
{
@@ -841,7 +842,7 @@ INT_PTR CALLBACK TypePropDialogProc(
if (Context) {
hDc = BeginPaint(hwndDlg, &Paint);
if (hDc) {
- ImageList_Draw(g_ListViewImages, Context->RealTypeIndex, hDc, 24, 34,
+ ImageList_Draw(g_ListViewImages, Context->ShadowTypeDescription->ImageIndex, hDc, 24, 34,
ILD_NORMAL | ILD_TRANSPARENT);
EndPaint(hwndDlg, &Paint);
}
diff --git a/Source/WinObjEx64/props/propTypeConsts.h b/Source/WinObjEx64/props/propTypeConsts.h
index 70b31c0..f5a86c0 100644
--- a/Source/WinObjEx64/props/propTypeConsts.h
+++ b/Source/WinObjEx64/props/propTypeConsts.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018
+* (C) COPYRIGHT AUTHORS, 2015 - 2019
*
* TITLE: PROPTYPECONSTS.H
*
-* VERSION: 1.70
+* VERSION: 1.72
*
-* DATE: 30 Nov 2018
+* DATE: 13 Feb 2019
*
* Consts header file for Type property sheet.
*
@@ -332,7 +332,7 @@ static VALUE_DESC a_WinstaProp[MAX_KNOWN_WINSTA_ATTRIBUTES] = {
};
//Known WmiGuid Access Rights
-#define MAX_KNOWN_WMIGUID_ATTRIBUTES 12
+#define MAX_KNOWN_WMIGUID_ATTRIBUTES 13
static VALUE_DESC a_WmiGuidProp[MAX_KNOWN_WMIGUID_ATTRIBUTES] = {
{ L"WMIGUID_QUERY", WMIGUID_QUERY },
{ L"WMIGUID_SET", WMIGUID_SET },
@@ -345,7 +345,8 @@ static VALUE_DESC a_WmiGuidProp[MAX_KNOWN_WMIGUID_ATTRIBUTES] = {
{ L"TRACELOG_ACCESS_KERNEL_LOGGER", TRACELOG_ACCESS_KERNEL_LOGGER },
{ L"TRACELOG_CREATE_INPROC", TRACELOG_CREATE_INPROC },
{ L"TRACELOG_ACCESS_REALTIME", TRACELOG_ACCESS_REALTIME },
- { L"TRACELOG_REGISTER_GUIDS", TRACELOG_REGISTER_GUIDS }
+ { L"TRACELOG_REGISTER_GUIDS", TRACELOG_REGISTER_GUIDS },
+ { L"TRACELOG_JOIN_GROUP", TRACELOG_JOIN_GROUP }
};
//Known TmTx Access Rights
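Review bot: The new `TRACELOG_JOIN_GROUP` row only fits because `MAX_KNOWN_WMIGUID_ATTRIBUTES` was raised by hand in the previous hunk, so the count and the initializer have to be edited together every time. If the macro is ever raised without a matching row, the array gains a zero-filled tail entry with a NULL name, which any code walking the table up to the macro would then read. Sizing the array from its initializer removes that coupling: declare `static VALUE_DESC a_WmiGuidProp[] = {` and define the count as `RTL_NUMBER_OF(a_WmiGuidProp)`. The code that consumes the table is not visible in this hunk, so whether it tolerates a NULL name cannot be confirmed here.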
@@ -409,15 +410,15 @@ static VALUE_DESC a_TpwfProp[MAX_KNOWN_TPWORKERFACTORY_ATTRIBUTES] = {
//Known PcwObject Access Rights
#define MAX_KNOWN_PCWOBJECT_ATTRIBUTES 2
static VALUE_DESC a_PcwProp[MAX_KNOWN_PCWOBJECT_ATTRIBUTES] = {
- { L"PCW_READ", 0x0001L },
- { L"PCW_WRITE", 0x0002L }
+ { L"PCW_QUERY_ACCESS", 0x0001L },
+ { L"PCW_MODIFY_ACCESS", 0x0002L }
};
//Known Composition Access Rights
#define MAX_KNOWN_COMPOSITION_ATTRIBUTES 2
static VALUE_DESC a_CompositionProp[MAX_KNOWN_COMPOSITION_ATTRIBUTES] = {
- { L"COMPOSITIONSURFACE_READ", 0x0001L },
- { L"COMPOSITIONSURFACE_WRITE", 0x0002L }
+ { L"COMPOSITIONSURFACE_READ", COMPOSITIONSURFACE_READ },
+ { L"COMPOSITIONSURFACE_WRITE", COMPOSITIONSURFACE_WRITE }
};
//Known Memory Partition Access Rights
diff --git a/Source/WinObjEx64/resource.h b/Source/WinObjEx64/resource.h
index ada7c94..69fc3c8 100644
Binary files a/Source/WinObjEx64/resource.h and b/Source/WinObjEx64/resource.h differ
diff --git a/Source/WinObjEx64/rsrc/140.ico b/Source/WinObjEx64/rsrc/140.ico
index 8f41440..44c2512 100644
Binary files a/Source/WinObjEx64/rsrc/140.ico and b/Source/WinObjEx64/rsrc/140.ico differ
diff --git a/Source/WinObjEx64/rsrc/141.ico b/Source/WinObjEx64/rsrc/141.ico
index 8f41440..44c2512 100644
Binary files a/Source/WinObjEx64/rsrc/141.ico and b/Source/WinObjEx64/rsrc/141.ico differ
diff --git a/Source/WinObjEx64/rsrc/149.ico b/Source/WinObjEx64/rsrc/149.ico
new file mode 100644
index 0000000..9e3ea57
Binary files /dev/null and b/Source/WinObjEx64/rsrc/149.ico differ
diff --git a/Source/WinObjEx64/sup.c b/Source/WinObjEx64/sup.c
index f94d9a6..3baa464 100644
--- a/Source/WinObjEx64/sup.c
+++ b/Source/WinObjEx64/sup.c
@@ -4,9 +4,9 @@
*
* TITLE: SUP.C
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 01 Feb 2019
+* DATE: 09 Feb 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -1104,7 +1104,7 @@ BOOL supxIsSymlink(
WCHAR ItemText[MAX_PATH + 1];
RtlSecureZeroMemory(ItemText, sizeof(ItemText));
ListView_GetItemText(hwndList, iItem, 1, ItemText, MAX_PATH);
- return (_strcmpi(ItemText, g_ObjectTypes[ObjectTypeSymbolicLink].Name) == 0);
+ return (_strcmpi(ItemText, OBTYPE_NAME_SYMBOLIC_LINK) == 0);
}
/*
@@ -3480,7 +3480,6 @@ PSID supQueryProcessSid(
HANDLE hProcessToken = NULL;
PSID result = NULL;
-
if (NT_SUCCESS(NtOpenProcessToken(hProcess, TOKEN_QUERY, &hProcessToken))) {
result = supQueryTokenUserSid(hProcessToken);
@@ -4384,3 +4383,42 @@ VOID supCopyTreeListSubItemValue(
return;
}
}
+
+/*
+* supBSearch
+*
+* Purpose:
+*
+* Binary search, https://github.com/torvalds/linux/blob/master/lib/bsearch.c
+*
+*/
+PVOID supBSearch(
+ _In_ PCVOID key,
+ _In_ PCVOID base,
+ _In_ SIZE_T num,
+ _In_ SIZE_T size,
+ _In_ int(*cmp)(
+ _In_ PCVOID key,
+ _In_ PCVOID elt
+ )
+)
+{
+ const char *pivot;
+ int result;
+
+ while (num > 0) {
+ pivot = (char*)base + (num >> 1) * size;
+ result = cmp(key, pivot);
+
+ if (result == 0)
+ return (void *)pivot;
+
+ if (result > 0) {
+ base = pivot + size;
+ num--;
+ }
+ num >>= 1;
+ }
+
+ return NULL;
+}
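Review bot: The header comment for supBSearch gives only a link, so the contract callers depend on is undocumented. It should state that `base` must point to `num` elements of `size` bytes already sorted in ascending order by the same `cmp`, that `cmp` receives the key first and the element second and returns a negative, zero or positive value, and that the result is a pointer to a matching element or NULL (with duplicates, which match is returned is unspecified). An unsorted table does not fail loudly; lookups just miss, which for a type table would presumably downgrade known objects to the unknown type. Minor: `(char*)base` casts away const only to be stored in a `const char *`, so `(const char *)base` expresses the same thing without dropping the qualifier.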
diff --git a/Source/WinObjEx64/sup.h b/Source/WinObjEx64/sup.h
index db00dec..4f35c42 100644
--- a/Source/WinObjEx64/sup.h
+++ b/Source/WinObjEx64/sup.h
@@ -4,9 +4,9 @@
*
* TITLE: SUP.H
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 01 Feb 2019
+* DATE: 09 Feb 2019
*
* Common header file for the program support routines.
*
@@ -431,3 +431,13 @@ PSID supQueryProcessSid(
VOID supCopyTreeListSubItemValue(
_In_ HWND TreeList,
_In_ UINT ValueIndex);
+
+PVOID supBSearch(
+ _In_ PCVOID key,
+ _In_ PCVOID base,
+ _In_ SIZE_T num,
+ _In_ SIZE_T size,
+ _In_ int(*cmp)(
+ _In_ PCVOID key,
+ _In_ PCVOID elt
+ ));
diff --git a/Source/WinObjEx64/ui.h b/Source/WinObjEx64/ui.h
index d6ad2dd..32bbd74 100644
--- a/Source/WinObjEx64/ui.h
+++ b/Source/WinObjEx64/ui.h
@@ -4,9 +4,9 @@
*
* TITLE: UI.H
*
-* VERSION: 1.71
+* VERSION: 1.72
*
-* DATE: 19 Jan 2019
+* DATE: 09 Feb 2019
*
* Common header file for the user interface.
*
@@ -33,7 +33,7 @@ typedef HWND(WINAPI *pfnHtmlHelpW)(
_In_ DWORD_PTR dwData
);
-#define PROGRAM_VERSION L"1.7.1"
+#define PROGRAM_VERSION L"1.7.2"
#ifdef _USE_OWN_DRIVER
#define PROGRAM_NAME L"Windows Object Explorer 64-bit (Non-public version)"
#else
@@ -53,6 +53,7 @@ typedef HWND(WINAPI *pfnHtmlHelpW)(
#define T_COPYADDINFO L"Copy Additional Info Field Text"
#define T_SAVETOFILE L"Save list to File"
#define T_DUMPDRIVER L"Dump Driver"
+#define T_VIEW_REFRESH L"Refresh"
typedef enum _WOBJ_DIALOGS_ID {
wobjFindDlgId = 0,
@@ -110,13 +111,14 @@ typedef struct _PROP_OBJECT_INFO {
BOOL IsPrivateNamespaceObject;
BOOL IsType; //TRUE if selected object is object type
INT TypeIndex;
- INT RealTypeIndex;//save index for type
DWORD ObjectFlags;//object specific flags
LPWSTR lpObjectName;
LPWSTR lpObjectType;
LPWSTR lpCurrentObjectPath;
LPWSTR lpDescription; //description from main list (3rd column)
ULONG_PTR Tag;
+ WOBJ_TYPE_DESC *TypeDescription;
+ WOBJ_TYPE_DESC *ShadowTypeDescription; //valid only for types, same as TypeDescription for everything else.
OBJINFO ObjectInfo; //object dump related structures
PROP_NAMESPACE_INFO NamespaceInfo;
} PROP_OBJECT_INFO, *PPROP_OBJECT_INFO;
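Review bot: The comment on `ShadowTypeDescription` reads two ways: "valid only for types" suggests the field is unset for ordinary objects, while "same as TypeDescription for everything else" says it is always set. Since propType.c in this diff dereferences it unconditionally, the comment should state the invariant outright, for example `//never NULL: the described type when IsType is TRUE, otherwise equal to TypeDescription`, if that is what the code guarantees. `TypeDescription` has no comment at all; a line saying what it points to and who owns the pointed-to entry would help the next reader. The struct begins outside this hunk.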
@@ -150,3 +152,19 @@ typedef struct _PROCEDURE_DESC {
//props used by ipc dialogs
#define T_IPCDLGCONTEXT TEXT("IpcDlgContext")
+
+//Calendar
+static LPCWSTR g_szMonths[12] = {
+ L"Jan",
+ L"Feb",
+ L"Mar",
+ L"Apr",
+ L"May",
+ L"Jun",
+ L"Jul",
+ L"Aug",
+ L"Sep",
+ L"Oct",
+ L"Nov",
+ L"Dec"
+};
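Review bot: `g_szMonths` is defined `static` in a header, so every source file that includes ui.h gets its own private copy, and the array elements stay writable because only the pointed-to characters are const. Declaring it `static LPCWSTR const g_szMonths[12]` keeps the table read-only; alternatively declare it `extern` here and define it once in a .c file. Callers indexing it from a 1-based month field (for example SYSTEMTIME.wMonth) need to subtract one and range-check the value first; the users of the table are not visible in this hunk.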
diff --git a/WinObjEx64.sha256 b/WinObjEx64.sha256
index b0a58a9..a396a5a 100644
--- a/WinObjEx64.sha256
+++ b/WinObjEx64.sha256
@@ -1,6 +1,6 @@
-8e1c7d83f179b6bbf4b58f8197bd818b8a2306e6b3ecd901e9f51eae024277c9 *Compiled\WHATSNEW.md
-4a46067ec090efbe3dab6831884c9d17d54d9f3a8f957fcb4f59b3b8ba52c962 *Compiled\WinObjEx64.chm
-991634ab2e46f44bf1eaaf32891f72532220ff882454042bff6d7a09718ff1d9 *Compiled\WinObjEx64.exe
+8e1c7d83f179b6bbf4b58f8197bd818b8a2306e6b3ecd901e9f51eae024277c9 *Compiled\WHATSNEW_170.md
+748407cda69ae83a1fca08b2452bcd67cd4f2bcde8cae5aa88ea49df9651216c *Compiled\WinObjEx64.chm
+c57f43692e6798c364be17530a5317f6cd067601a7078572f0bf992e088796d2 *Compiled\WinObjEx64.exe
0505a450a13d5b742df2395c90af4e3029b05ce2157ee68f0c9e18a580c88091 *Docs\Callbacks.pdf
7e2b0bcb3a2f0947f1effed2306d0178e4ad28da6427d5d7735017630bfb960a *Screenshots\CallbackObjectView.png
1f1f748519bbb30d09b472bf89fa0c74bf32426010b2f06fc3a4c5defaa3ee10 *Screenshots\CallbacksView.png
@@ -17,57 +17,57 @@ df0143ec4da2387e3aa1694145f8fb1f53cac46fb6e7d608cf9c49ca89bab1dc *Screenshots\Vi
ef65a909e8d9bc7ec94ecbc0f465f24a7968d6675eadf7f25f6414c66d6b28be *Screenshots\ViewingTypeInformation.png
89ac7dc1b82a69e0726ace4a604602ddc8d7b48f25d2ad36cdbad7d248991848 *Screenshots\ViewingUserSharedData.png
3e1712af4fa1c6e71d266c7884e26c5a519e5ae9deda552e78556bbfc0eb2c3a *Screenshots\W32pServiceTableView.png
-d69a5fbaf3c3158e15f688ffe252d869bd29874d0002410272f0f25cbe2f4e58 *Source\CHANGELOG.txt
-435dcdb066fded11143b91ff0aff340a8235107530f86d09abbd8e83154eb545 *Source\FileList.txt
-a2c853517bb6199143e4ad19aac12ce642c63ddcf8c89f87753578ae422db16f *Source\TypesWithNoDesc.txt
+f77fba50d1ccfa9cd83abb92e370f0ff884361483be74806884d667a9297ab99 *Source\CHANGELOG.txt
+f8b207b25e99f1f414123b3bf1c9a3e419822fd6a74b7388ac264ec4ddd47e8d *Source\FILELIST.txt
+55eed414926c47b0bfc5000eeabb882d77d78e17b5be94ca229e681f009b0740 *Source\TypesWithNoDesc.txt
c9f95efd2433985838f6a45acc77464e0e79ea088b6ccbc267fd76bfb87029a2 *Source\WinObjEx64.sln
39a976ac4e1b76c2058815c5017bd3acceb69950286cfdf8c5704b7e31b8cca0 *Source\drvstore\kldbgdrv.sys
-b54346cdab9640b4a2a712b2757f0ee556790bf2b760f9f935bac728cea56064 *Source\WinObjEx64\aboutDlg.c
+3fad58265a1eb1916ca0640e6b57c7729184f9eb92adf45b36bd5a4429602954 *Source\WinObjEx64\aboutDlg.c
dc5ad976533a91292022a15f741a95d04663849c34fced1432a830726341d51d *Source\WinObjEx64\aboutDlg.h
4ec2d4d3e73a5472aa235fe7032d5e5e04065ff87d9d8c2fe9df81b9815feb55 *Source\WinObjEx64\driver.rc
ba8dddb70f735eb298320c63a0a27ff8b0c0394c7f5b1ed002bccbc2f032b985 *Source\WinObjEx64\excepth.c
467f27b865de15a9b5b6ddfff46e4708eccb42ed6a242fe2b197d6d2929809c3 *Source\WinObjEx64\excepth.h
-61a2525be8918f83d2d8b330f0c33d660021932f9f70db3e4e65244aba1527c9 *Source\WinObjEx64\extapi.c
+4fb99303a81ea8c4dfe95e1e8638a2894f91e08972cf1ae0eca9048e7a9ff027 *Source\WinObjEx64\extapi.c
100c2f0dedfb35e356474d943635fea498a5cd9b3fc909d722e40c0ced3960d0 *Source\WinObjEx64\extapi.h
738fc0632dd9d1581ac87597e3f952cec3a8424a637e54d989847faa80c8ea5e *Source\WinObjEx64\findDlg.c
8cc5a4ba98d74221405a13cde0f357db970500a4b44c711b5fd97d30cce904e8 *Source\WinObjEx64\findDlg.h
-f99ece56cf6280f34e7d4be584196c27ca372918ee5093bf1f6e9e867e81cb8c *Source\WinObjEx64\global.h
-530b49b87a69ae214ebbb6ba5ca8d3f922b9772ee20e3907bcb48b1ac1c8084e *Source\WinObjEx64\instdrv.c
-5ab4e6a630152e02897f0ff346dcf0ae22fdbf2092f1243b9a0ce4e10fadaddd *Source\WinObjEx64\instdrv.h
-b345322eabe17a9c662c61a6fe60b0e72455e85ab319ce6b071b69ccc76ad47c *Source\WinObjEx64\kldbg.c
-4c2280fd66d3596e738a7fcfbe6cf8a2a67762c8ecb406f0b0733d82d2677596 *Source\WinObjEx64\kldbg.h
-cfc3495684b13e4dc5f502c51b984b45600c9d2e7b182eb7fbf33660155e1f2f *Source\WinObjEx64\kldbg_patterns.h
-3b2cc0b4b892f5f928902645c3dc005e83192cf1cf484cf5c878c399297a82e0 *Source\WinObjEx64\list.c
+603a09f06dddb67dfe124dcd50f1eed217797b814a11087bd40d0c562447ded3 *Source\WinObjEx64\global.h
+9adbc81cfdcb542b403e88c3430d2f13851990263e0cbeb3890a098f313eef61 *Source\WinObjEx64\instdrv.c
+9fdf8d26ea566d84e8907d7363f418263a2b9f3d5aa4df2f1211a28c29e0646b *Source\WinObjEx64\instdrv.h
+b04efd24b370b02b091de165ec4ad56c2882902ed1f85b8920f9dc85fa2c0c60 *Source\WinObjEx64\kldbg.c
+0b995bf2da74509ad1b8427434616f2f123b62e4581b46fe37fa3c1d23d3d3d4 *Source\WinObjEx64\kldbg.h
+d8bf76d9d920f6ae72379ce7823d1dd7e0696af2cb238da84b5543eff9ab188a *Source\WinObjEx64\kldbg_patterns.h
+dc42e005dd90e849a6c0a3f58de6cdb177849b4409fa8b7700feee98c5ef6032 *Source\WinObjEx64\list.c
6e82d0f095bdcf1676445ae46f9fb455164108a3ea242f83793e964158e47f4a *Source\WinObjEx64\list.h
-0fafe52f7d949d9ed176428d08b3734cdd254dd60770aca08a0556ead9fa7089 *Source\WinObjEx64\main.c
-d70817a4356fb5a18af13b8af2d6a8e17b19a8fcebe3cd2de8f1a16477f8f6a7 *Source\WinObjEx64\msvcver.h
-ce4ff41bfeac1cef9339aa47939a8c3e2dee530b208e6f64c01d06dcdd274a7c *Source\WinObjEx64\objects.c
-ab0e909baa2ca37b927c50ba073c2e2a0329a5505d1831e126cf705f1db11270 *Source\WinObjEx64\objects.h
-d8c7e8cd5cec2393c04733de10aebf6e838142f7e4f13089cab704567a76efe9 *Source\WinObjEx64\resource.h
-dceabde79d34813a02d21c1bd6d5f2e861ec549092e7a2fb0fb81bfd78da3c94 *Source\WinObjEx64\Resource.rc
-7765f8e2a12d25913738c22c28120042ad61eb7ac5cedcdd720825f04a4da0b9 *Source\WinObjEx64\sup.c
-678a829f397380c638490d528edbf3576dc6bdff1c7f0c932c4685ff1772dd3c *Source\WinObjEx64\sup.h
+dfa933659ef14a453462ff9f428f4b624468964790b2cc38eafad8022acb73c2 *Source\WinObjEx64\main.c
+5d2b9be96b42044e0f09a6a901c194934a1dc2d2e7cf14d65e6414b22ec89765 *Source\WinObjEx64\msvcver.h
+ecc472d36f44c6db7571c203b6e543fab8da8a6e7e36d169cd4bb7c52c77b06a *Source\WinObjEx64\objects.c
+448bf80a44f7cf7a142cbaa2f62586dff5276d1ebf4add3573bb40a87da1d58c *Source\WinObjEx64\objects.h
+3dc0da2c01d407155e635387aad805ce4f6a33cd3d5fb1d98eba32d51f726f21 *Source\WinObjEx64\resource.h
+381991cd3beb2b1f2ef61b5a7a86c5b5861e0f5d70fcc6e17d5c8701e4b3c4f6 *Source\WinObjEx64\Resource.rc
+3dd9823d9e7751fa35ffd60da4a2ff053ec2f559467e74834b61da036aff8d5a *Source\WinObjEx64\sup.c
+77031bcbb6a05b3665a70d7be02ff9b8f48c92bb8b3695bb93a58086823e1a81 *Source\WinObjEx64\sup.h
33d3b8fb0ea05c6fa998ea9527353a8d617a9411257098a40a4a39972527a711 *Source\WinObjEx64\supConsts.h
-c338ebdb4ddbec272f3958afa05876c9f48b0bc66fb7d201c15a6f64f26d1296 *Source\WinObjEx64\ui.h
+a9e1d6b0cb1b218c971a6d41ae64343d418c0279e988b59ddc61e5b7297b212e *Source\WinObjEx64\ui.h
5e975a2d43c51d73446039da0add1d51624fe3e97656cc559e73a39d553a7003 *Source\WinObjEx64\wine.h
-c18b9f79e9b934f3c9473c73e3e740b5ecdb60a29478a176e12f4bfa4f773c27 *Source\WinObjEx64\WinObjEx64.vcxproj
-260e90cfd24137412e50b6ca76e005758d68b23300e33525bb797f9e3f01018b *Source\WinObjEx64\WinObjEx64.vcxproj.filters
+08fb2208b91067923cd91c810f7b3032a31b5c6f4888285ace9dcb41ed6b2cdb *Source\WinObjEx64\WinObjEx64.vcxproj
+00f3e0ffdad0dfd20add96ce5c843a55b99a9234fa800c3913d9c531f95e9a5f *Source\WinObjEx64\WinObjEx64.vcxproj.filters
3f17b057283ed56debd29362433d0a97edf622e91005b2d15bca0cbb222e154f *Source\WinObjEx64\WinObjEx64.vcxproj.user
8f8df7e5603f6b86c0cf90977d46d966b7d1c27c1f82a1404afdd4b3e33450cf *Source\WinObjEx64\extras\extras.c
42ed73c850d44ad2d3be6e9c7a1b49ceb610a17e3895fbcc323433b991c994b2 *Source\WinObjEx64\extras\extras.h
-35b76a831c46bcd60a43a98ea777a5869a96fd2345e2655071394b166e842d3e *Source\WinObjEx64\extras\extrasCallbacks.c
+f67495f4109f7a7bf8e52f61b5d54c1102292f956a835bd9bb12281e59b39bb7 *Source\WinObjEx64\extras\extrasCallbacks.c
28618459665591661138fbceee04deb7b15349cf502d994ecebd2a8846d89589 *Source\WinObjEx64\extras\extrasCallbacks.h
-49aded1f2d137161240c28e96d73e7bfee46c8005204c5ed5dceb03f691a8de4 *Source\WinObjEx64\extras\extrasDrivers.c
+785f014543b3f3e1aac708b492d044d4af785754cbbd2e2ea52f8c6035659306 *Source\WinObjEx64\extras\extrasDrivers.c
48c930afb73678d4614bf2dbf0df9295b08a9af80a5f9c878eeb2bf9f53c6c95 *Source\WinObjEx64\extras\extrasDrivers.h
4ef4c9426010a9b0bc49cfc2c6e3efdec4b083bf085b7fe25995748ff86061d9 *Source\WinObjEx64\extras\extrasIPC.c
d21e27bf35c5add1eedec3234fb358fbbc4c585c3de22326ac9581b59a8983d0 *Source\WinObjEx64\extras\extrasIPC.h
-a79123df6a08dead27d757985fab61f5eb784e619e375373523248fb24015e60 *Source\WinObjEx64\extras\extrasPN.c
+e4babe73cff1674da165494e3fb5c06a985a98206cf0ec88febed3a83a013580 *Source\WinObjEx64\extras\extrasPN.c
64e75cbaa0ce129f674a9a441a3045f37e74f853f34fd93caac5533bb174a019 *Source\WinObjEx64\extras\extrasPN.h
-2b70c9cedac01733cbc02e39d2597cf250062a4450c277feb16bad6d4b5273d6 *Source\WinObjEx64\extras\extrasPSList.c
+addfa0d83e8f8710ee42e7a9bcfcae12616040c4672122bd4cd240d1e7129399 *Source\WinObjEx64\extras\extrasPSList.c
fa879292d7bd5850c0ea3912bdb7490e14fcd81d4deaa9ea8b450539143c43b4 *Source\WinObjEx64\extras\extrasPSList.h
-456cc06a72b25d1bbbfc84ddc73484da008dac593245f538f89dd3b57b07b9fb *Source\WinObjEx64\extras\extrasSSDT.c
+2b0611c856947a2c76412d66170b26f337f7cc0398553e253da72bfe9d6d8a0f *Source\WinObjEx64\extras\extrasSSDT.c
cb534bcebbee49f4f9178e5e291bb43edae6af77b15919532539eb19d3ee23ac *Source\WinObjEx64\extras\extrasSSDT.h
-166b31d3f738086638d17b538063a4d0aaec2e04c81c0f0a4c4b22d2e6a74d43 *Source\WinObjEx64\extras\extrasUSD.c
+50602cc27500bbdefe353ff2594c24e66386b263247471feb9065ef593cd9b87 *Source\WinObjEx64\extras\extrasUSD.c
fea8d9645bac11c7521f91a122947716b459a335cb25f0d649a0d201f661f78b *Source\WinObjEx64\extras\extrasUSD.h
16726c4330d7db5d56a5a11503314533b170783441c3f8282b66f126295a289e *Source\WinObjEx64\hde\hde64.c
e99aa4997bda14b534c614c3d8cb78a72c4aca91a1212c8b03ec605d1d75e36e *Source\WinObjEx64\hde\hde64.h
@@ -101,29 +101,29 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\WinObjE
52e3d39c69c43264b2f8d9bcdfce0f763a5e92d091eef59ea2a0294b4b19641c *Source\WinObjEx64\minirtl\_strstr.c
52a696ae714eb81033c477d1ec6c01389eef56c847609e89d360c2fb6899b4b6 *Source\WinObjEx64\minirtl\_strstri.c
0cd425ef96247657ab55443c9b3bc9a90f0c18f634979942693553d0f764c601 *Source\WinObjEx64\ntos\ntalpc.h
-91c2d5ba57d5f65d37ed1f9bbe9f9cd71060ae1d064b4bc5db26c3241fec7421 *Source\WinObjEx64\ntos\ntos.h
+09df22b5471ca1b87090aae217dfade6d8486cbea3096229467b033aff5ac963 *Source\WinObjEx64\ntos\ntos.h
14b0a442647904db5476d14a1d9710bd83587f168b4b182465e5902d24676870 *Source\WinObjEx64\ntuser\StubNtUserOpenWindowStation.asm
-3f7f35063af9a91db94b944417e00d4746489caab81a355c19fd57e028017c08 *Source\WinObjEx64\props\propBasic.c
+647f66b0d827147b98206bd824c5131692589a07d0eaba5e924eefc2c7e68cb5 *Source\WinObjEx64\props\propBasic.c
45e2088b0320c02cca2559f6e5183a4eb2a289021f5488d65ba6230e208557e9 *Source\WinObjEx64\props\propBasic.h
-e6cfba260e739c3cef422969b9934b0134af39cd76ef0d0b0f318b1c8e065b22 *Source\WinObjEx64\props\propBasicConsts.h
-b0e5ed0f9c9ac7eb2e60ee8c01df3eb0a6b6fffec78b3fc75b59d725babedaa0 *Source\WinObjEx64\props\propDesktop.c
+7fe59b0060873ee0df0fb94b6b314c64368b993f976d866bd4cc0bfc05c6e08d *Source\WinObjEx64\props\propBasicConsts.h
+8f2e93839c174ee9746c348646d7c7fc0e31df1d4e19398e0cd433bfb8dfc641 *Source\WinObjEx64\props\propDesktop.c
047e4d17c76908889af6e7e80da91b04a3707a190acc0f7d2b26e98bcf80e3b2 *Source\WinObjEx64\props\propDesktop.h
-4a09cdf02a357b420044294cd1b53922b9a286008871354a365ade4206f34377 *Source\WinObjEx64\props\propDlg.c
+f2e187d30e75a0f55e9813362f1e12703025c2de35ff4db8734efbb67ad014d8 *Source\WinObjEx64\props\propDlg.c
fe5617e6d4eb9eb3db061bc0cc4db37572a6f40217c477cafa1d732faecc5a6f *Source\WinObjEx64\props\propDlg.h
ebe54be6735690140fa6d3ed06c452a26e0321e9b13db7973042cca72a588f51 *Source\WinObjEx64\props\propDriver.c
8dd63e57115728cdea4c326e5cde9acfe6015b2b088ec36022cd9f81e216e179 *Source\WinObjEx64\props\propDriver.h
721bf384ee6ba44cb118a4bfde7ffba669024059e3120b8cae40e98228eba6df *Source\WinObjEx64\props\propDriverConsts.h
-0bfda1b472921ce75e9ea44ee104aca4af4bb34d52405aaa02038b0829f67413 *Source\WinObjEx64\props\propObjectDump.c
-b389838466982a5e42acd27fcb132a2ddc6cfc427a22340a03d4853e500d1a3f *Source\WinObjEx64\props\propObjectDump.h
-1d4d6ad76c2bd770ff7d8a18fde927bac33c4be3b0a95fadca235f6cb2e10d2d *Source\WinObjEx64\props\propObjectDumpConsts.h
+d5d4822f359a3a242ed57844660f1bf75ad70430dcfe18bd2f6ac712829174f9 *Source\WinObjEx64\props\propObjectDump.c
+da1cf96a7d85faec3db810f5c4061a6322c252fcead01cbf8ac728e7deffee23 *Source\WinObjEx64\props\propObjectDump.h
+5be336077afb54251046d0dde12b4cb7890bf591f869419bce202c160610852d *Source\WinObjEx64\props\propObjectDumpConsts.h
ef9b4c9033cc81077ee821a76b61522b0927bfb15e9867b4b50a320522e951c2 *Source\WinObjEx64\props\propProcess.c
7ce4c79b1d7a93691cc457d01836209b51f25addc07a0875888e01a6c9a77358 *Source\WinObjEx64\props\propProcess.h
ef9ccfb285825bffe0b6df592feba3163efc5d82e0f74fd8cf4367c6fef6e53c *Source\WinObjEx64\props\propSecurity.c
04a1b78030155ec6d59560472c09219e71ea98f79a4f3193016e6395876d8953 *Source\WinObjEx64\props\propSecurity.h
64527a569ee9f6254dfc8c39e3063ed93220077a3bab61179f64ce9c47ffe90e *Source\WinObjEx64\props\propSecurityConsts.h
-a94c48527eb134e2891ca689a484c3b1012ff45d5058ebc4d0ccebb5ccce33b2 *Source\WinObjEx64\props\propType.c
+f2024dac12d4ac5c674fe9f684401ca5c109518dcf0a340e350cecb73a57e3e4 *Source\WinObjEx64\props\propType.c
5e4fb7e44a7970c4ac6c29aefcc9aefc807444eefdd0cc1c9c9357693dfd64fd *Source\WinObjEx64\props\propType.h
-e413d8fb74fcfc86cf95f09a3f19c9e567e6bde49abed19e12b3abb59d121acc *Source\WinObjEx64\props\propTypeConsts.h
+74f6500dec478be0919045ddec9475491f5f6dd7e81923650136543ed98ea69c *Source\WinObjEx64\props\propTypeConsts.h
51f0d1a560dd77a7f3164ae2c8f9801d6a2902bd5cfd367db522199aca35b1ff *Source\WinObjEx64\rsrc\100.ico
eca976b7dd50ea206588610ccb938fbc437f7165c667e19239bf0d36d4af22f9 *Source\WinObjEx64\rsrc\101.ico
09ee2f9dfd3a4a4d8df268ed909588a94db0e97a1601ba8d4b7e6441a1626395 *Source\WinObjEx64\rsrc\102.ico
@@ -164,8 +164,8 @@ e7c85ed89b5d857139145b13f4328bdd3a34fc035297c17fd3fe2d1736e4730c *Source\WinObjE
48e6428033026931e329efadc23570a1d4b7bf57fc36e0d62fdecf0925476765 *Source\WinObjEx64\rsrc\137.ico
c4ee9cbe0d348dbdf11863793740e6ae9c85e04697e14d55ee0d94d3c26075e2 *Source\WinObjEx64\rsrc\138.ico
d2972e9f2939e3994392ffc354cd6ff8cf34e840e78b82924e7bc7f2c4f0a30f *Source\WinObjEx64\rsrc\139.ico
-8f9549bee6fd48ea84b863a5f435acb61a5d2ae8364c46569cc4500b4b191564 *Source\WinObjEx64\rsrc\140.ico
-8f9549bee6fd48ea84b863a5f435acb61a5d2ae8364c46569cc4500b4b191564 *Source\WinObjEx64\rsrc\141.ico
+29d2e06261583cce28344f0d07599fd515adbd03931ad5ba83e7b4c2072ba6ab *Source\WinObjEx64\rsrc\140.ico
+29d2e06261583cce28344f0d07599fd515adbd03931ad5ba83e7b4c2072ba6ab *Source\WinObjEx64\rsrc\141.ico
d04ca5ee65eb7725a3471c7c92ce432b253de1545d70cf8b242c72253244bbae *Source\WinObjEx64\rsrc\142.ico
f78861d00d015c07a302f3c4ced26dca21ecfd06cc3032fa02fcc932debf72f5 *Source\WinObjEx64\rsrc\143.ico
1249a3e62e06a927ef8440f2044f4f7aa1f02b8596aa19d50ed9953837a2ff6d *Source\WinObjEx64\rsrc\144.ico
@@ -173,6 +173,7 @@ f78861d00d015c07a302f3c4ced26dca21ecfd06cc3032fa02fcc932debf72f5 *Source\WinObjE
06c00255a15fad435aef3cfa8fdee90743b7c53b8941cb95ac71ef76ef3f7465 *Source\WinObjEx64\rsrc\146.ico
e618987e93fa0e7879425b24bf1a361f0b2e92bfddb6c391c117fa2829b09795 *Source\WinObjEx64\rsrc\147.ico
0ebed6c8cb501b590286cedc73ca7ef47d2f9bd94c0371f7edb9fb1581003fe6 *Source\WinObjEx64\rsrc\148.ico
+bfda6e30ed8c80e98ec5cc7e975ce19db610d1ba8c85e96600878e381027e161 *Source\WinObjEx64\rsrc\149.ico
38d5b754af9e2dfcbe2161e6369651ff86c24ef223023225bc489de04232072e *Source\WinObjEx64\rsrc\6001.ico
15334c419dee330554a8549920b9241d865590cc7641722f7d31f8f612256d86 *Source\WinObjEx64\rsrc\6002.ico
335bc0b008ef6051ac45cca928176d60fdf6fe7e4c1550eedf78d0cc6b56ac2a *Source\WinObjEx64\rsrc\Bitmap_125.bmp