See the "What Is New" section of the readme for more info, or changelog.txt in the source directory for the complete list of changes.
(release candidate 1)
hfiref0x 2020-02-22 12:11:11 +07:00
parent 956d02af45
commit e99d47d5b1
No known key found for this signature in database
GPG Key ID: 5A20EE3C6F09AF95
27 changed files with 2332 additions and 228 deletions

Binary file not shown.


@ -1,3 +1,7 @@
v1.8.4
+ support of additional helper driver
+ fix Windows 7 regressions
v1.8.3
internal rearrange
ported to msvc 2019 (with backward compatibility to 2017)


@ -3,6 +3,11 @@ winobjex64\aboutDlg.h
* About dialog routines including window dialog procedure
winobjex64\drvhelper.c
winobjex64\drvhelper.h
* Support for WinIo as additional memory read driver (mitigations enabled)
winobjex64\excepth.c
winobjex64\excepth.h
@ -188,9 +193,8 @@ shared\treelist\treelist.h
winobjex64\wine.h
winobjex64\wine.c
winobjex64\winedebug.h
* Wine support files
* Wine support header file
winobjex64\global.h


@ -1,6 +1,7 @@
/************************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2019, translated from Microsoft sources/symbols with help of pdbex
* (C) COPYRIGHT AUTHORS, 2019 - 2020
* Translated from Microsoft sources/symbols with help of pdbex
*
* TITLE: NDIS.H
*
@ -163,29 +164,6 @@ typedef enum _NDIS_OPEN_UNBIND_REASON
UnbindReasonPnPNotifyBinding = 7,
} NDIS_OPEN_UNBIND_REASON, *PNDIS_OPEN_UNBIND_REASON;
typedef enum _INTERFACE_TYPE {
InterfaceTypeUndefined = -1,
Internal,
Isa,
Eisa,
MicroChannel,
TurboChannel,
PCIBus,
VMEBus,
NuBus,
PCMCIABus,
CBus,
MPIBus,
MPSABus,
ProcessorInternal,
InternalPowerBus,
PNPISABus,
PNPBus,
Vmcs,
ACPIBus,
MaximumInterfaceType
} INTERFACE_TYPE, *PINTERFACE_TYPE;
typedef enum _NDIS_INTERFACE_TYPE
{
NdisInterfaceInternal = Internal,


@ -0,0 +1,260 @@
/************************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2014 - 2020
* Taken from publicly available Microsoft sources or mentioned elsewhere.
*
* TITLE: HALAMD64.H
*
* VERSION: 1.11
*
* DATE: 12 Feb 2020
*
* Common header file for the ntos HAL AMD64 definitions.
*
* Depends on: Windows.h
*
* Include: Windows.h
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
************************************************************************************/
#ifndef HALAMD64_RTL
#define HALAMD64_RTL
#pragma warning(push)
#pragma warning(disable: 4214)
//
// HALAMD64_RTL HEADER BEGIN
//
#pragma pack(push,2)
typedef struct _FAR_JMP_16 {
UCHAR OpCode; // = 0xe9
USHORT Offset;
} FAR_JMP_16;
typedef struct _FAR_TARGET_32 {
ULONG Offset;
USHORT Selector;
} FAR_TARGET_32;
typedef struct _PSEUDO_DESCRIPTOR_32 {
USHORT Limit;
ULONG Base;
} PSEUDO_DESCRIPTOR_32;
#pragma pack(pop)
typedef union _KGDTENTRY64 {
struct {
USHORT LimitLow;
USHORT BaseLow;
union {
struct {
UCHAR BaseMiddle;
UCHAR Flags1;
UCHAR Flags2;
UCHAR BaseHigh;
} Bytes;
struct {
ULONG BaseMiddle : 8;
ULONG Type : 5;
ULONG Dpl : 2;
ULONG Present : 1;
ULONG LimitHigh : 4;
ULONG System : 1;
ULONG LongMode : 1;
ULONG DefaultBig : 1;
ULONG Granularity : 1;
ULONG BaseHigh : 8;
} Bits;
};
ULONG BaseUpper;
ULONG MustBeZero;
};
ULONG64 Alignment;
} KGDTENTRY64, * PKGDTENTRY64;
typedef union _KIDTENTRY64 {
struct {
USHORT OffsetLow;
USHORT Selector;
USHORT IstIndex : 3;
USHORT Reserved0 : 5;
USHORT Type : 5;
USHORT Dpl : 2;
USHORT Present : 1;
USHORT OffsetMiddle;
ULONG OffsetHigh;
ULONG Reserved1;
};
ULONG64 Alignment;
} KIDTENTRY64, * PKIDTENTRY64;
typedef union _KGDT_BASE {
struct {
USHORT BaseLow;
UCHAR BaseMiddle;
UCHAR BaseHigh;
ULONG BaseUpper;
};
ULONG64 Base;
} KGDT_BASE, * PKGDT_BASE;
typedef union _KGDT_LIMIT {
struct {
USHORT LimitLow;
USHORT LimitHigh : 4;
USHORT MustBeZero : 12;
};
ULONG Limit;
} KGDT_LIMIT, * PKGDT_LIMIT;
#define PSB_GDT32_MAX 3
typedef struct _KDESCRIPTOR {
USHORT Pad[3];
USHORT Limit;
PVOID Base;
} KDESCRIPTOR, * PKDESCRIPTOR;
typedef struct _KDESCRIPTOR32 {
USHORT Pad[3];
USHORT Limit;
ULONG Base;
} KDESCRIPTOR32, * PKDESCRIPTOR32;
typedef struct _KSPECIAL_REGISTERS {
ULONG64 Cr0;
ULONG64 Cr2;
ULONG64 Cr3;
ULONG64 Cr4;
ULONG64 KernelDr0;
ULONG64 KernelDr1;
ULONG64 KernelDr2;
ULONG64 KernelDr3;
ULONG64 KernelDr6;
ULONG64 KernelDr7;
KDESCRIPTOR Gdtr;
KDESCRIPTOR Idtr;
USHORT Tr;
USHORT Ldtr;
ULONG MxCsr;
ULONG64 DebugControl;
ULONG64 LastBranchToRip;
ULONG64 LastBranchFromRip;
ULONG64 LastExceptionToRip;
ULONG64 LastExceptionFromRip;
ULONG64 Cr8;
ULONG64 MsrGsBase;
ULONG64 MsrGsSwap;
ULONG64 MsrStar;
ULONG64 MsrLStar;
ULONG64 MsrCStar;
ULONG64 MsrSyscallMask;
} KSPECIAL_REGISTERS, * PKSPECIAL_REGISTERS;
typedef struct _KPROCESSOR_STATE {
KSPECIAL_REGISTERS SpecialRegisters;
CONTEXT ContextFrame;
} KPROCESSOR_STATE, * PKPROCESSOR_STATE;
typedef struct _PROCESSOR_START_BLOCK* PPROCESSOR_START_BLOCK;
typedef struct _PROCESSOR_START_BLOCK {
//
// The block starts with a jmp instruction to the end of the block
//
FAR_JMP_16 Jmp;
//
// Completion flag is set to non-zero when the target processor has
// started
//
ULONG CompletionFlag;
//
// Pseudo descriptors for GDT and IDT.
//
PSEUDO_DESCRIPTOR_32 Gdt32;
PSEUDO_DESCRIPTOR_32 Idt32;
//
// The temporary 32-bit GDT itself resides here.
//
KGDTENTRY64 Gdt[PSB_GDT32_MAX + 1];
//
// Physical address of the 64-bit top-level identity-mapped page table.
//
ULONG64 TiledCr3;
//
// Far jump target from Rm to Pm code
//
FAR_TARGET_32 PmTarget;
//
// Far jump target from Pm to Lm code
//
FAR_TARGET_32 LmIdentityTarget;
//
// Address of LmTarget
//
PVOID LmTarget;
//
// Linear address of this structure
//
PPROCESSOR_START_BLOCK SelfMap;
//
// Contents of the PAT msr
//
ULONG64 MsrPat;
//
// Contents of the EFER msr
//
ULONG64 MsrEFER;
//
// Initial processor state for the processor to be started
//
KPROCESSOR_STATE ProcessorState;
} PROCESSOR_START_BLOCK;
#pragma warning(pop)
//
// HALAMD64_RTL HEADER END
//
#endif HALAMD64_RTL
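Review bot: The closing `#endif HALAMD64_RTL` carries a bare token after the directive, which is not valid preprocessor syntax and draws an "unexpected tokens" warning from MSVC; write it as `#endif // HALAMD64_RTL`. Separately, the offsets of `LmTarget` and `ProcessorState` inside `PROCESSOR_START_BLOCK` depend on the `#pragma pack(push,2)` helper structs and on the alignment of `CONTEXT`, and the low-stub scan added in drvhelper.c pattern-matches physical memory at exactly those offsets. A compile-time check next to the struct would catch layout drift, for example `C_ASSERT(FIELD_OFFSET(PROCESSOR_START_BLOCK, LmTarget) == EXPECTED_LMTARGET_OFFSET);`, where `EXPECTED_LMTARGET_OFFSET` is a placeholder for the value taken from the HAL layout this header mirrors.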


@ -5,9 +5,9 @@
*
* TITLE: NTOS.H
*
* VERSION: 1.126
* VERSION: 1.131
*
* DATE: 22 Jan 2020
* DATE: 17 Feb 2020
*
* Common header file for the ntos API functions and definitions.
*
@ -88,6 +88,7 @@ typedef ULONGLONG REGHANDLE, *PREGHANDLE;
typedef PVOID *PDEVICE_MAP;
typedef PVOID PHEAD;
typedef struct _IO_TIMER* PIO_TIMER;
typedef LARGE_INTEGER PHYSICAL_ADDRESS;
#ifndef _WIN32_WINNT_WIN10
#define _WIN32_WINNT_WIN10 0x0A00
@ -494,6 +495,31 @@ typedef struct _IO_STATUS_BLOCK {
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
#ifndef INTERFACE_TYPE
typedef enum _INTERFACE_TYPE {
InterfaceTypeUndefined = -1,
Internal,
Isa,
Eisa,
MicroChannel,
TurboChannel,
PCIBus,
VMEBus,
NuBus,
PCMCIABus,
CBus,
MPIBus,
MPSABus,
ProcessorInternal,
InternalPowerBus,
PNPISABus,
PNPBus,
Vmcs,
ACPIBus,
MaximumInterfaceType
} INTERFACE_TYPE, * PINTERFACE_TYPE;
#endif
/*
** FileCache and MemoryList START
*/
@ -6192,8 +6218,8 @@ NTSYSAPI
VOID
NTAPI
RtlInitString(
_Inout_ PSTRING DestinationString,
_In_ PCSZ SourceString);
_Out_ PSTRING DestinationString,
_In_opt_ PCSZ SourceString);
NTSYSAPI
VOID
@ -6985,6 +7011,118 @@ RtlGetSaclSecurityDescriptor(
_Out_ PACL *Sacl,
_Out_ PBOOLEAN SaclDefaulted);
NTSYSAPI
NTSTATUS
NTAPI
RtlCreateSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ ULONG Revision);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetOwnerSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ PSID Owner,
_In_ BOOLEAN OwnerDefaulted);
NTSYSAPI
NTSTATUS
NTAPI
RtlCopySecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor,
_Out_ PSECURITY_DESCRIPTOR* OutputSecurityDescriptor);
NTSYSAPI
NTSTATUS
NTAPI
RtlMakeSelfRelativeSD(
_In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
_Out_writes_bytes_(*BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
_Inout_ PULONG BufferLength);
NTSYSAPI
NTSTATUS
NTAPI
RtlAbsoluteToSelfRelativeSD(
_In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
_Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
_Inout_ PULONG BufferLength);
NTSYSAPI
NTSTATUS
NTAPI
RtlSelfRelativeToAbsoluteSD(
_In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
_Out_writes_bytes_to_opt_(*AbsoluteSecurityDescriptorSize, *AbsoluteSecurityDescriptorSize) PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
_Inout_ PULONG AbsoluteSecurityDescriptorSize,
_Out_writes_bytes_to_opt_(*DaclSize, *DaclSize) PACL Dacl,
_Inout_ PULONG DaclSize,
_Out_writes_bytes_to_opt_(*SaclSize, *SaclSize) PACL Sacl,
_Inout_ PULONG SaclSize,
_Out_writes_bytes_to_opt_(*OwnerSize, *OwnerSize) PSID Owner,
_Inout_ PULONG OwnerSize,
_Out_writes_bytes_to_opt_(*PrimaryGroupSize, *PrimaryGroupSize) PSID PrimaryGroup,
_Inout_ PULONG PrimaryGroupSize);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetDaclSecurityDescriptor(
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ BOOLEAN DaclPresent,
_In_opt_ PACL Dacl,
_In_opt_ BOOLEAN DaclDefaulted);
NTSYSAPI
NTSTATUS
NTAPI
RtlGetDaclSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_Out_ PBOOLEAN DaclPresent,
_Out_ PACL* Dacl,
_Out_ PBOOLEAN DaclDefaulted);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetSaclSecurityDescriptor(
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ BOOLEAN SaclPresent,
_In_opt_ PACL Sacl,
_In_opt_ BOOLEAN SaclDefaulted);
NTSYSAPI
NTSTATUS
NTAPI
RtlGetSaclSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_Out_ PBOOLEAN SaclPresent,
_Out_ PACL* Sacl,
_Out_ PBOOLEAN SaclDefaulted);
NTSYSAPI
ULONG
NTAPI
RtlLengthSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
_Check_return_
NTSYSAPI
BOOLEAN
NTAPI
RtlValidSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
_Check_return_
NTSYSAPI
BOOLEAN
NTAPI
RtlValidRelativeSecurityDescriptor(
_In_reads_bytes_(SecurityDescriptorLength) PSECURITY_DESCRIPTOR SecurityDescriptorInput,
_In_ ULONG SecurityDescriptorLength,
_In_ SECURITY_INFORMATION RequiredInformation);
NTSYSAPI
NTSTATUS
NTAPI
@ -7176,25 +7314,26 @@ RtlAddMandatoryAce(
_In_ UCHAR AceType,
_In_ ACCESS_MASK AccessMask);
NTSYSAPI
PVOID
NTAPI
RtlFindAceByType(
_In_ PACL pAcl,
_In_ UCHAR AceType,
_Out_opt_ PULONG pIndex);
NTSYSAPI
BOOLEAN
NTAPI
RtlOwnerAcesPresent(
_In_ PACL pAcl);
NTSYSAPI
NTSTATUS
NTAPI
RtlDefaultNpAcl(
_Out_ PACL *Acl);
NTSYSAPI
ULONG
NTAPI
RtlLengthSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
NTSYSAPI
VOID
NTAPI
RtlMapGenericMask(
_In_ PACCESS_MASK AccessMask,
_In_ PGENERIC_MAPPING GenericMapping);
NTSYSAPI
BOOLEAN
NTAPI
@ -7319,29 +7458,10 @@ RtlCreateServiceSid(
_Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid,
_Inout_ PULONG ServiceSidLength);
NTSYSAPI
NTSTATUS
NTAPI
RtlCreateSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ ULONG Revision);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetOwnerSecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ PSID Owner,
_In_ BOOLEAN OwnerDefaulted);
NTSYSAPI
NTSTATUS
NTAPI
RtlCopySecurityDescriptor(
_In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor,
_Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor);
FORCEINLINE LUID NTAPI RtlConvertLongToLuid(
FORCEINLINE
LUID
NTAPI
RtlConvertLongToLuid(
_In_ LONG Long
)
{
@ -7354,6 +7474,20 @@ FORCEINLINE LUID NTAPI RtlConvertLongToLuid(
return(TempLuid);
}
FORCEINLINE
LUID
RtlConvertUlongToLuid(
_In_ ULONG Ulong
)
{
LUID tempLuid;
tempLuid.LowPart = Ulong;
tempLuid.HighPart = 0;
return tempLuid;
}
NTSYSAPI
ULONG
NTAPI
@ -7383,6 +7517,33 @@ RtlAdjustPrivilege(
_In_ BOOLEAN Client,
_Out_ PBOOLEAN WasEnabled);
NTSYSAPI
BOOLEAN
NTAPI
RtlAreAllAccessesGranted(
_In_ ACCESS_MASK GrantedAccess,
_In_ ACCESS_MASK DesiredAccess);
NTSYSAPI
BOOLEAN
NTAPI
RtlAreAnyAccessesGranted(
_In_ ACCESS_MASK GrantedAccess,
_In_ ACCESS_MASK DesiredAccess);
NTSYSAPI
VOID
NTAPI
RtlMapGenericMask(
_In_ PACCESS_MASK AccessMask,
_In_ PGENERIC_MAPPING GenericMapping);
NTSYSAPI
NTSTATUS
NTAPI
RtlImpersonateSelf(
_In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
/************************************************************************************
*
* RTL Version API.
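Review bot: The `#ifndef INTERFACE_TYPE` guard around the moved enum never suppresses anything, because `INTERFACE_TYPE` is a typedef name and the preprocessor only tests macros; if another header in the same translation unit already declares the enum, this block still redefines it. A working guard needs a macro of its own, e.g. `#ifndef NTOS_INTERFACE_TYPE_DEFINED` followed by `#define NTOS_INTERFACE_TYPE_DEFINED` before the typedef (the macro name here is a constructed example). In the security-descriptor hunk, `RtlGetSaclSecurityDescriptor` appears to be declared twice, once in the context lines just above the added block and again inside it. `RtlCreateSecurityDescriptor` marks `SecurityDescriptor` as `_In_` although the routine initialises that buffer, so `_Out_` would describe it correctly to the analyzer, and `_In_opt_` on the by-value `BOOLEAN DaclDefaulted` and `SaclDefaulted` parameters has no meaning and should be `_In_`.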

Binary file not shown.


@ -77,7 +77,7 @@
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
<SpectreMitigation>Spectre</SpectreMitigation>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -210,6 +210,10 @@
<Bscmake>
<SuppressStartupBanner>false</SuppressStartupBanner>
</Bscmake>
<ResourceCompile />
<ResourceCompile>
<PreprocessorDefinitions>_UseOwnDriver;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@ -225,10 +229,10 @@
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<ControlFlowGuard>Guard</ControlFlowGuard>
<AdditionalIncludeDirectories>$(SolutionDir)\Shared;$(ProjectDir);$(ProjectDir)\props;$(ProjectDir)\extras</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
<EnablePREfast>true</EnablePREfast>
<ControlFlowGuard>Guard</ControlFlowGuard>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
@ -278,12 +282,12 @@
<FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<ControlFlowGuard>Guard</ControlFlowGuard>
<ExpandAttributedSource>true</ExpandAttributedSource>
<AssemblerOutput>All</AssemblerOutput>
<CompileAs>CompileAsC</CompileAs>
<AdditionalIncludeDirectories>$(SolutionDir)\Shared;$(ProjectDir);$(ProjectDir)\props;$(ProjectDir)\extras</AdditionalIncludeDirectories>
<EnablePREfast>true</EnablePREfast>
<ControlFlowGuard>Guard</ControlFlowGuard>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
@ -329,12 +333,12 @@
<FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<ControlFlowGuard>Guard</ControlFlowGuard>
<ExpandAttributedSource>true</ExpandAttributedSource>
<AssemblerOutput>All</AssemblerOutput>
<CompileAs>CompileAsC</CompileAs>
<AdditionalIncludeDirectories>$(SolutionDir)\Shared;$(ProjectDir);$(ProjectDir)\props;$(ProjectDir)\extras</AdditionalIncludeDirectories>
<EnablePREfast>true</EnablePREfast>
<ControlFlowGuard>Guard</ControlFlowGuard>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
@ -383,10 +387,10 @@
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<StringPooling>true</StringPooling>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<ControlFlowGuard>Guard</ControlFlowGuard>
<CompileAs>CompileAsC</CompileAs>
<AdditionalIncludeDirectories>$(SolutionDir)\Shared;$(ProjectDir);$(ProjectDir)\props;$(ProjectDir)\extras</AdditionalIncludeDirectories>
<EnablePREfast>true</EnablePREfast>
<ControlFlowGuard>Guard</ControlFlowGuard>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
@ -449,6 +453,7 @@
<ClCompile Include="..\Shared\ntos\ntldr.c" />
<ClCompile Include="..\Shared\treelist\treelist.c" />
<ClCompile Include="aboutDlg.c" />
<ClCompile Include="drvhelper.c" />
<ClCompile Include="excepth.c" />
<ClCompile Include="extapi.c" />
<ClCompile Include="extras\extras.c" />
@ -479,6 +484,7 @@
<ClCompile Include="props\propType.c" />
<ClCompile Include="sup.c" />
<ClCompile Include="tests\testunit.c" />
<ClCompile Include="tinyaes\aes.c" />
<ClCompile Include="wine.c" />
</ItemGroup>
<ItemGroup>
@ -490,11 +496,13 @@
<ClInclude Include="..\Shared\minirtl\minirtl.h" />
<ClInclude Include="..\Shared\minirtl\rtltypes.h" />
<ClInclude Include="..\Shared\ntos\apisetx.h" />
<ClInclude Include="..\Shared\ntos\halamd64.h" />
<ClInclude Include="..\Shared\ntos\ntalpc.h" />
<ClInclude Include="..\Shared\ntos\ntldr.h" />
<ClInclude Include="..\Shared\ntos\ntos.h" />
<ClInclude Include="..\Shared\treelist\treelist.h" />
<ClInclude Include="aboutDlg.h" />
<ClInclude Include="drvhelper.h" />
<ClInclude Include="excepth.h" />
<ClInclude Include="extapi.h" />
<ClInclude Include="extdef.h" />
@ -538,6 +546,7 @@
<ClInclude Include="sup.h" />
<ClInclude Include="supConsts.h" />
<ClInclude Include="tests\testunit.h" />
<ClInclude Include="tinyaes\aes.h" />
<ClInclude Include="ui.h" />
<ClInclude Include="wine.h" />
<ClInclude Include="winedebug.h" />
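Review bot: `_UseOwnDriver` is added to the `PreprocessorDefinitions` of a `ResourceCompile` element in one `ItemDefinitionGroup` only, so the driver image that the resource script embeds is chosen independently of the C sources unless the matching `ClCompile` definitions carry the same macro. Those lines are outside the hunk, so this needs confirming against the full project file. The resource script changed in this commit selects `ene64drv.sys` only when both `_UseOwnDriver` and `_UseWinIo` are defined, which makes a mismatched pair easy to produce; an XML comment beside the definition naming the required combination for each build flavour would document that. The `SpectreMitigation` change in the first hunk likewise touches a single `PropertyGroup`; if the other configurations are shipped, they presumably want the same setting.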


@ -40,6 +40,9 @@
<Filter Include="ntuser">
<UniqueIdentifier>{4d7e372d-ac61-4fa4-bbce-43b2b3e1e125}</UniqueIdentifier>
</Filter>
<Filter Include="tinyaes">
<UniqueIdentifier>{ae7f1c88-69d2-406e-a44a-9dddafd020c3}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="aboutDlg.c">
@ -216,6 +219,12 @@
<ClCompile Include="..\Shared\treelist\treelist.c">
<Filter>treelist</Filter>
</ClCompile>
<ClCompile Include="drvhelper.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="tinyaes\aes.c">
<Filter>tinyaes</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="Resource.rc">
@ -385,6 +394,15 @@
<ClInclude Include="winedebug.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="drvhelper.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="..\Shared\ntos\halamd64.h">
<Filter>ntos</Filter>
</ClInclude>
<ClInclude Include="tinyaes\aes.h">
<Filter>tinyaes</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Image Include="rsrc\pipe.ico">


@ -4,9 +4,9 @@
*
* TITLE: ABOUTDLG.C
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 16 Jan 2020
* DATE: 12 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -537,6 +537,11 @@ VOID AboutDialogCollectGlobals(
AddParameterValueUlong(hwndOutput, TEXT("UseExperimentalFeatures"), g_WinObj.UseExperimentalFeatures);
AddParameterValueUlong(hwndOutput, TEXT("IsWine"), g_WinObj.IsWine);
//
// For MMIO usage.
//
AddParameterValueUlong(hwndOutput, TEXT("EnableFullMitigations"), g_WinObj.EnableFullMitigations);
//
// List other data.
//


@ -4,5 +4,9 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
#ifndef _UseOwnDriver
IDR_KDBGDRV SYS "..\\drvstore\\kldbgdrv.sys"
#else
#ifdef _UseWinIo
IDR_KDBGDRV SYS "..\\drvstore\\ene64drv.sys"
#else
IDR_KDBGDRV SYS "..\\drvstore\\wodbgdrv.sys"
#endif
#endif


@ -0,0 +1,501 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2020
*
* TITLE: DRVHELPER.C
*
* VERSION: 1.84
*
* DATE: 18 Feb 2020
*
* WinIo based VM-through-PM reader, used only in private builds, WHQL.
*
* Note:
*
* WinObjEx64 apply multiple security mitigations when uses this driver.
* WinIo is known to be vulnerable by design.
*
* MINIMUM SUPPORTED OS WINDOWS 7
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
#include "ntos/halamd64.h"
#define PHY_ADDRESS_MASK 0x000ffffffffff000ull
#define PHY_ADDRESS_MASK_2MB_PAGES 0x000fffffffe00000ull
#define VADDR_ADDRESS_MASK_2MB_PAGES 0x00000000001fffffull
#define VADDR_ADDRESS_MASK_4KB_PAGES 0x0000000000000fffull
#define ENTRY_PRESENT_BIT 1
#define ENTRY_PAGE_SIZE_BIT 0x0000000000000080ull
#include "tinyaes/aes.h"
//
// AES key used by EneTechIo latest variants.
//
ULONG g_EneTechIoUnlockKey[4] = { 0x54454E45, 0x4E484345, 0x474F4C4F, 0x434E4959 };
int PwEntryToPhyAddr(ULONG_PTR entry, ULONG_PTR* phyaddr)
{
if (entry & ENTRY_PRESENT_BIT) {
*phyaddr = entry & PHY_ADDRESS_MASK;
return 1;
}
return 0;
}
NTSTATUS PwVirtualToPhysical(
_In_ HANDLE DeviceHandle,
_In_ provQueryPML4 QueryPML4Routine,
_In_ provReadPhysicalMemory ReadPhysicalMemoryRoutine,
_In_ ULONG_PTR VirtualAddress,
_Out_ ULONG_PTR* PhysicalAddress)
{
NTSTATUS ntStatus;
ULONG_PTR pml4_cr3, selector, table, entry = 0;
INT r, shift;
ntStatus = QueryPML4Routine(DeviceHandle, &pml4_cr3);
if (!NT_SUCCESS(ntStatus))
return ntStatus;
table = pml4_cr3 & PHY_ADDRESS_MASK;
for (r = 0; r < 4; r++) {
shift = 39 - (r * 9);
selector = (VirtualAddress >> shift) & 0x1ff;
ntStatus = ReadPhysicalMemoryRoutine(DeviceHandle,
table + selector * 8,
&entry,
sizeof(ULONG_PTR));
if (!NT_SUCCESS(ntStatus))
return ntStatus;
if (PwEntryToPhyAddr(entry, &table) == 0)
return STATUS_INTERNAL_ERROR;
if ((r == 2) && ((entry & ENTRY_PAGE_SIZE_BIT) != 0)) {
table &= PHY_ADDRESS_MASK_2MB_PAGES;
table += VirtualAddress & VADDR_ADDRESS_MASK_2MB_PAGES;
*PhysicalAddress = table;
return STATUS_SUCCESS;
}
}
table += VirtualAddress & VADDR_ADDRESS_MASK_4KB_PAGES;
*PhysicalAddress = table;
return STATUS_SUCCESS;
}
/*
* WinIoCallDriver
*
* Purpose:
*
* Call WinIo driver.
*
*/
NTSTATUS WinIoCallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
_In_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_In_opt_ PVOID OutputBuffer,
_In_opt_ ULONG OutputBufferLength)
{
IO_STATUS_BLOCK ioStatus;
return NtDeviceIoControlFile(DeviceHandle,
NULL,
NULL,
NULL,
&ioStatus,
IoControlCode,
InputBuffer,
InputBufferLength,
OutputBuffer,
OutputBufferLength);
}
/*
* WinIoMapMemory
*
* Purpose:
*
* Map physical memory through \Device\PhysicalMemory.
*
*/
NTSTATUS WinIoMapMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_ ULONG NumberOfBytes,
_Out_ HANDLE* SectionHandle,
_Out_ PVOID* ReferencedObject,
_Out_ PVOID* MappedMemory)
{
ULONG seconds;
NTSTATUS ntStatus;
AES_ctx ctx;
WINIO_PHYSICAL_MEMORY_INFO_EX request;
*SectionHandle = NULL;
*ReferencedObject = NULL;
RtlSecureZeroMemory(&ctx, sizeof(ctx));
AES_init_ctx(&ctx, (uint8_t*)&g_EneTechIoUnlockKey);
RtlSecureZeroMemory(&request, sizeof(request));
request.CommitSize = NumberOfBytes;
request.BusAddress = PhysicalAddress;
seconds = supGetTimeAsSecondsSince1970();
RtlCopyMemory(&request.EncryptedKey, (PVOID)&seconds, sizeof(seconds));
AES_ECB_encrypt(&ctx, (UCHAR*)&request.EncryptedKey);
ntStatus = WinIoCallDriver(DeviceHandle,
IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY,
&request,
sizeof(request),
&request,
sizeof(request));
if (NT_SUCCESS(ntStatus)) {
*SectionHandle = request.SectionHandle;
*ReferencedObject = request.ReferencedObject;
*MappedMemory = request.BaseAddress;
}
return ntStatus;
}
/*
* WinIoUnmapMemory
*
* Purpose:
*
* Unmap previously mapped physical memory.
*
*/
NTSTATUS WinIoUnmapMemory(
_In_ HANDLE DeviceHandle,
_In_ PVOID SectionToUnmap,
_In_ HANDLE SectionHandle,
_In_ PVOID ReferencedObject
)
{
ULONG seconds;
AES_ctx ctx;
WINIO_PHYSICAL_MEMORY_INFO_EX request;
RtlSecureZeroMemory(&ctx, sizeof(ctx));
AES_init_ctx(&ctx, (uint8_t*)&g_EneTechIoUnlockKey);
RtlSecureZeroMemory(&request, sizeof(request));
request.BaseAddress = SectionToUnmap;
request.ReferencedObject = ReferencedObject;
request.SectionHandle = SectionHandle;
seconds = supGetTimeAsSecondsSince1970();
RtlCopyMemory(&request.EncryptedKey, (PVOID)&seconds, sizeof(ULONG));
AES_ECB_encrypt(&ctx, (UCHAR*)&request.EncryptedKey);
return WinIoCallDriver(DeviceHandle,
IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY,
&request,
sizeof(request),
&request,
sizeof(request));
}
/*
* WinIoGetPML4FromLowStub1M
*
* Purpose:
*
* Search for PML4 (CR3) entry in low stub.
*
*/
ULONG_PTR WinIoGetPML4FromLowStub1M(
_In_ ULONG_PTR pbLowStub1M)
{
ULONG offset = 0;
ULONG_PTR PML4 = 0;
ULONG cr3_offset = FIELD_OFFSET(PROCESSOR_START_BLOCK, ProcessorState) +
FIELD_OFFSET(KSPECIAL_REGISTERS, Cr3);
SetLastError(ERROR_EXCEPTION_IN_SERVICE);
__try {
while (offset < 0x100000) {
offset += 0x1000;
if (0x00000001000600E9 != (0xffffffffffff00ff & *(UINT64*)(pbLowStub1M + offset))) //PROCESSOR_START_BLOCK->Jmp
continue;
if (0xfffff80000000000 != (0xfffff80000000003 & *(UINT64*)(pbLowStub1M + offset + FIELD_OFFSET(PROCESSOR_START_BLOCK, LmTarget))))
continue;
if (0xffffff0000000fff & *(UINT64*)(pbLowStub1M + offset + cr3_offset))
continue;
PML4 = *(UINT64*)(pbLowStub1M + offset + cr3_offset);
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
return 0;
}
SetLastError(ERROR_SUCCESS);
return PML4;
}
/*
* WinIoQueryPML4Value
*
* Purpose:
*
* Locate PML4.
*
*/
NTSTATUS WINAPI WinIoQueryPML4Value(
_In_ HANDLE DeviceHandle,
_Out_ ULONG_PTR* Value)
{
NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
ULONG_PTR PML4 = 0;
PVOID pbLowStub1M = NULL;
PVOID refObject = NULL;
HANDLE sectionHandle = NULL;
*Value = 0;
do {
ntStatus = WinIoMapMemory(DeviceHandle,
0ULL,
0x100000,
&sectionHandle,
&refObject,
&pbLowStub1M);
if (!NT_SUCCESS(ntStatus))
break;
if (pbLowStub1M == NULL) {
ntStatus = STATUS_INTERNAL_ERROR;
break;
}
PML4 = WinIoGetPML4FromLowStub1M((ULONG_PTR)pbLowStub1M);
if (PML4)
*Value = PML4;
else
*Value = 0;
WinIoUnmapMemory(DeviceHandle,
(PVOID)pbLowStub1M,
sectionHandle,
refObject);
ntStatus = (PML4 != 0) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
} while (FALSE);
return ntStatus;
}
/*
* WinIoReadPhysicalMemory
*
* Purpose:
*
* Read physical memory through mapping.
*
*/
NTSTATUS WINAPI WinIoReadPhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_reads_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes)
{
NTSTATUS ntStatus;
PVOID mappedSection = NULL;
PVOID refObject = NULL;
HANDLE sectionHandle = NULL;
//
// Map physical memory section.
//
ntStatus = WinIoMapMemory(DeviceHandle,
PhysicalAddress,
NumberOfBytes,
&sectionHandle,
&refObject,
&mappedSection);
if (NT_SUCCESS(ntStatus)) {
__try {
RtlCopyMemory(Buffer, mappedSection, NumberOfBytes);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
ntStatus = GetExceptionCode();
}
//
// Unmap physical memory section.
//
WinIoUnmapMemory(DeviceHandle,
mappedSection,
sectionHandle,
refObject);
}
return ntStatus;
}
/*
* WinIoVirtualToPhysical
*
* Purpose:
*
* Translate virtual address to the physical.
*
*/
NTSTATUS WINAPI WinIoVirtualToPhysical(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR VirtualAddress,
_Out_ ULONG_PTR* PhysicalAddress)
{
if (PhysicalAddress)
*PhysicalAddress = 0;
else {
return STATUS_INVALID_PARAMETER_3;
}
return PwVirtualToPhysical(DeviceHandle,
WinIoQueryPML4Value,
WinIoReadPhysicalMemory,
VirtualAddress,
PhysicalAddress);
}
/*
* WinIoReadKernelVirtualMemory
*
* Purpose:
*
* Read virtual memory.
*
*/
NTSTATUS WINAPI WinIoReadKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes)
{
NTSTATUS ntStatus;
ULONG_PTR physicalAddress = 0;
ntStatus = WinIoVirtualToPhysical(DeviceHandle,
Address,
&physicalAddress);
if (NT_SUCCESS(ntStatus)) {
ntStatus = WinIoReadPhysicalMemory(DeviceHandle,
physicalAddress,
Buffer,
NumberOfBytes);
}
return ntStatus;
}
/*
* WinIoReadSystemMemoryEx
*
* Purpose:
*
* Read kernel virtual memory.
*
*/
BOOL WinIoReadSystemMemoryEx(
_In_ ULONG_PTR Address,
_Inout_ PVOID Buffer,
_In_ ULONG BufferSize,
_Out_opt_ PULONG NumberOfBytesRead
)
{
BOOL bResult = FALSE;
IO_STATUS_BLOCK iost;
NTSTATUS ntStatus;
PVOID lockedBuffer = NULL;
if (NumberOfBytesRead)
*NumberOfBytesRead = 0;
lockedBuffer = supVirtualAlloc(BufferSize);
if (lockedBuffer) {
if (VirtualLock(lockedBuffer, BufferSize)) {
ntStatus = WinIoReadKernelVirtualMemory(g_kdctx.DeviceHandle,
Address,
lockedBuffer,
BufferSize);
if (!NT_SUCCESS(ntStatus)) {
iost.Status = ntStatus;
iost.Information = 0;
if (g_kdctx.ShowKdError)
kdShowError(BufferSize, ntStatus, &iost);
else
SetLastError(RtlNtStatusToDosError(ntStatus));
}
else {
if (NumberOfBytesRead)
*NumberOfBytesRead = BufferSize;
RtlCopyMemory(Buffer, lockedBuffer, BufferSize);
bResult = TRUE;
}
VirtualUnlock(lockedBuffer, BufferSize);
}
supVirtualFree(lockedBuffer);
}
return bResult;
}
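Review bot: The scan loop in `WinIoGetPML4FromLowStub1M` increments `offset` before it dereferences, so its last pass reads at `pbLowStub1M + 0x100000`, one page past the 1 MB view that `WinIoQueryPML4Value` mapped; the `__except` handler hides the fault when that page is unmapped, and otherwise the code compares whatever happens to sit behind the mapping. Writing the loop as `for (offset = 0x1000; offset < 0x100000; offset += 0x1000)` keeps every read inside the view. `WinIoReadKernelVirtualMemory` translates only the first byte of the request and then maps `NumberOfBytes` of contiguous physical memory, so a read that crosses a page boundary can return bytes from an unrelated physical page; the request should be split at 4 KB boundaries, or rejected when `(Address & VADDR_ADDRESS_MASK_4KB_PAGES) + NumberOfBytes` exceeds the page size. `WinIoReadPhysicalMemory` writes to `Buffer`, so its annotation should be `_Out_writes_bytes_(NumberOfBytes)` rather than `_In_reads_bytes_`, and `WinIoMapMemory` should set `*MappedMemory = NULL` alongside the other two outputs so a failed call never leaves it undefined.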


@ -0,0 +1,64 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2020
*
* TITLE: DRVHELPER.H
*
* VERSION: 1.84
*
* DATE: 14 Feb 2019
*
* Common header file for the Kernel Driver Helper support.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
#define FILE_DEVICE_WINIO (DWORD)0x00008010
#define WINIO_IOCTL_INDEX (DWORD)0x810
#define WINIO_MAP_FUNCID (DWORD)WINIO_IOCTL_INDEX
#define WINIO_UNMAP_FUNCID (DWORD)WINIO_IOCTL_INDEX + 1
#define IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY \
CTL_CODE(FILE_DEVICE_WINIO, WINIO_MAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY \
CTL_CODE(FILE_DEVICE_WINIO, WINIO_UNMAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef struct _WINIO_PHYSICAL_MEMORY_INFO_EX {
ULONG_PTR CommitSize;
ULONG_PTR BusAddress;
HANDLE SectionHandle;
PVOID BaseAddress;
PVOID ReferencedObject;
UCHAR EncryptedKey[16];
} WINIO_PHYSICAL_MEMORY_INFO_EX, * PWINIO_PHYSICAL_MEMORY_INFO_EX;
//
// Prototype for read physical memory function.
//
typedef NTSTATUS(WINAPI* provReadPhysicalMemory)(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_ PVOID Buffer,
_In_ ULONG NumberOfBytes);
//
// Prototype for query PML4 value function.
//
typedef NTSTATUS(WINAPI* provQueryPML4)(
_In_ HANDLE DeviceHandle,
_Out_ ULONG_PTR* Value);
BOOL WinIoReadSystemMemoryEx(
_In_ ULONG_PTR Address,
_Inout_ PVOID Buffer,
_In_ ULONG BufferSize,
_Out_opt_ PULONG NumberOfBytesRead);
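Review bot: `WINIO_UNMAP_FUNCID` expands to `(DWORD)WINIO_IOCTL_INDEX + 1` without outer parentheses, so its value depends on the expression it is pasted into; it is safe inside `CTL_CODE` only because that macro parenthesises its arguments. Wrap the expansion, `#define WINIO_UNMAP_FUNCID ((DWORD)(WINIO_IOCTL_INDEX + 1))`, and parenthesise `FILE_DEVICE_WINIO`, `WINIO_IOCTL_INDEX` and `WINIO_MAP_FUNCID` the same way. The `provReadPhysicalMemory` typedef annotates `Buffer` as `_In_` although the implementation in drvhelper.c fills it; `_Out_writes_bytes_(NumberOfBytes)` would let the analyzer check callers. The header date reads 14 Feb 2019 under a 2020 copyright line, which looks like a typo.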


@ -4,9 +4,9 @@
*
* TITLE: EXTRASPSLIST.C
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 05 Jan 2020
* DATE: 20 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -1010,17 +1010,32 @@ DWORD WINAPI CreateProcessListProc(
if (bRefresh) {
RtlDestroyHeap(g_PsListHeap);
g_PsListHeap = RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
if (g_PsListHeap == NULL)
if (g_PsListHeap == NULL) {
MessageBox(PsDlgContext.hwndDlg,
TEXT("Could not allocate heap for process enumeration"),
NULL,
MB_ICONERROR);
__leave;
}
}
ServiceEnumType = SERVICE_WIN32 | SERVICE_INTERACTIVE_PROCESS;
if (g_NtBuildNumber >= NT_WIN10_THRESHOLD1)
if (g_NtBuildNumber >= NT_WIN10_THRESHOLD1) {
ServiceEnumType |= SERVICE_USER_SERVICE | SERVICE_USERSERVICE_INSTANCE;
}
if (!supCreateSCMSnapshot(ServiceEnumType, &ServicesList)) {
MessageBox(PsDlgContext.hwndDlg,
TEXT("Error building services list"),
NULL,
MB_ICONERROR);
if (!supCreateSCMSnapshot(ServiceEnumType, &ServicesList))
__leave;
}
RtlQuickSort(ServicesList.Entries,
ServicesList.NumberOfEntries,
@ -1028,10 +1043,27 @@ DWORD WINAPI CreateProcessListProc(
PsxSCMLookupCallback);
InfoBuffer = supGetSystemInfo(SystemProcessInformation, NULL);
if (InfoBuffer == NULL)
__leave;
if (InfoBuffer == NULL) {
MessageBox(PsDlgContext.hwndDlg,
TEXT("Error query process list"),
NULL,
MB_ICONERROR);
__leave;
}
if (!supPHLCreate(&g_PsListHead,
(PBYTE)InfoBuffer,
&nProcesses,
&nThreads))
{
MessageBox(PsDlgContext.hwndDlg,
TEXT("Error building handle list"),
NULL,
MB_ICONERROR);
if (!supPHLCreate(&g_PsListHead, (PBYTE)InfoBuffer, &nProcesses, &nThreads)) {
__leave;
}
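Review bot: The failure text for `supPHLCreate` says "Error building handle list", but the call is given the `SystemProcessInformation` buffer and the process/thread counters, so the message presumably should name the process list; "Error query process list" also reads as unfinished wording. The four added `MessageBox` calls differ only in their string, so a small local helper would keep the owner window, caption and icon consistent. `CreateProcessListProc` starts and ends outside these hunks, so whether `PsDlgContext.hwndDlg` is still a valid owner when this thread procedure reports the error cannot be checked from here.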


@ -4,9 +4,9 @@
*
* TITLE: GLOBAL.H
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 16 Jan 2020
* DATE: 13 Feb 2020
*
* Common header file for the Windows Object Explorer.
*
@ -79,6 +79,7 @@
#include "objects.h"
#include "kldbg.h"
#include "drvhelper.h"
#include "ui.h"
#include "sup.h"
#include "supConsts.h"
@ -93,7 +94,6 @@
#include <malloc.h>
#endif
typedef int(__cdecl *pswprintf_s)(
wchar_t *buffer,
size_t sizeOfBuffer,
@ -118,6 +118,7 @@ extern ULONG g_CurrentDPI;
typedef struct _WINOBJ_GLOBALS {
BOOLEAN UseExperimentalFeatures;
BOOLEAN IsWine;
BOOLEAN EnableFullMitigations;
HINSTANCE hInstance;
HANDLE Heap;
LPWSTR CurrentObjectPath;


@ -4,9 +4,9 @@
*
* TITLE: KLDBG.C, based on KDSubmarine by Evilcry
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 24 Jan 2020
* DATE: 15 Feb 2020
*
* MINIMUM SUPPORTED OS WINDOWS 7
*
@ -35,6 +35,11 @@ NOTIFICATION_CALLBACKS g_SystemCallbacks;
UCHAR ObpInfoMaskToOffset[0x100];
NTSTATUS kdOpenDeviceDriver(
_In_ LPCWSTR DriverName,
_In_ ACCESS_MASK DesiredAccess,
_Out_ PHANDLE DeviceHandle);
/*
* ObFindAddress
@ -2509,14 +2514,14 @@ VOID kdShowError(
}
/*
* kdReadSystemMemoryEx
* kdpReadSystemMemoryEx
*
* Purpose:
*
* Wrapper around SysDbgReadVirtual request to the KLDBGDRV
*
*/
BOOL kdReadSystemMemoryEx(
BOOL kdpReadSystemMemoryEx(
_In_ ULONG_PTR Address,
_Inout_ PVOID Buffer,
_In_ ULONG BufferSize,
@ -2881,12 +2886,16 @@ NTSTATUS kdLoadDeviceDriver(
_In_ LPCWSTR DriverPath
)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
NTSTATUS status;
DWORD dwData, dwResult;
HKEY keyHandle = NULL;
SIZE_T keyOffset;
UNICODE_STRING driverServiceName, driverImagePath;
HANDLE deviceHandle = NULL;
ULONG sdLength = 0;
PSECURITY_DESCRIPTOR driverSD = NULL;
WCHAR szBuffer[MAX_PATH + 1];
if (DriverName == NULL)
@ -2894,12 +2903,17 @@ NTSTATUS kdLoadDeviceDriver(
if (DriverPath == NULL)
return STATUS_INVALID_PARAMETER_2;
status = supCreateSystemAdminAccessSD(&driverSD, &sdLength);
if (!NT_SUCCESS(status))
return status;
RtlInitEmptyUnicodeString(&driverImagePath, NULL, 0);
if (!RtlDosPathNameToNtPathName_U(DriverPath,
&driverImagePath,
NULL,
NULL))
{
supHeapFree(driverSD);
return STATUS_INVALID_PARAMETER_2;
}
@ -2993,6 +3007,15 @@ NTSTATUS kdLoadDeviceDriver(
if (supEnablePrivilege(SE_LOAD_DRIVER_PRIVILEGE, TRUE)) {
RtlInitUnicodeString(&driverServiceName, szBuffer);
status = NtLoadDriver(&driverServiceName);
status = kdOpenDeviceDriver(KLDBGDRV, WRITE_DAC, &deviceHandle);
if (NT_SUCCESS(status)) {
status = NtSetSecurityObject(deviceHandle,
DACL_SECURITY_INFORMATION,
driverSD);
NtClose(deviceHandle);
}
supEnablePrivilege(SE_LOAD_DRIVER_PRIVILEGE, FALSE);
}
else {
@ -3000,6 +3023,7 @@ NTSTATUS kdLoadDeviceDriver(
}
Cleanup:
supHeapFree(driverSD);
RtlFreeUnicodeString(&driverImagePath);
return status;
}
@ -3068,6 +3092,7 @@ NTSTATUS kdUnloadDeviceDriver(
*/
NTSTATUS kdOpenDeviceDriver(
_In_ LPCWSTR DriverName,
_In_ ACCESS_MASK DesiredAccess,
_Out_ PHANDLE DeviceHandle
)
{
@ -3101,7 +3126,7 @@ NTSTATUS kdOpenDeviceDriver(
InitializeObjectAttributes(&obja, &usDeviceLink, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = NtCreateFile(DeviceHandle,
GENERIC_READ | GENERIC_WRITE,
DesiredAccess,
&obja,
&iost,
NULL,
@ -3206,7 +3231,7 @@ VOID kdInit(
#else
if (!NT_SUCCESS(kdOpenDeviceDriver(KLDBGDRV, &g_kdctx.DeviceHandle))) {
if (!NT_SUCCESS(kdOpenDeviceDriver(KLDBGDRV, GENERIC_READ | GENERIC_WRITE, &g_kdctx.DeviceHandle))) {
#endif /* _USE_OWN_DRIVER */
@ -3240,12 +3265,16 @@ VOID kdInit(
g_kdctx.IsOurLoad = NT_SUCCESS(kdLoadDeviceDriver(KLDBGDRV, szDrvPath));
if (g_kdctx.IsOurLoad) {
g_kdctx.DriverOpenLoadStatus = kdOpenDeviceDriver(KLDBGDRV, &g_kdctx.DeviceHandle);
g_kdctx.DriverOpenLoadStatus = kdOpenDeviceDriver(KLDBGDRV,
GENERIC_READ | GENERIC_WRITE, &g_kdctx.DeviceHandle);
}
#endif /* _USE_OWN_DRIVER */
}
else {
g_kdctx.DriverOpenLoadStatus = STATUS_SUCCESS;
}
}
@ -3264,6 +3293,63 @@ VOID kdInit(
}
}
/*
* kdpRemoveDriverFile
*
* Purpose:
*
* Delete driver file.
*
*/
VOID kdpRemoveDriverFile()
{
WCHAR szDrvPath[MAX_PATH * 2];
//
// Driver file is no longer needed - remove it from disk.
//
RtlSecureZeroMemory(&szDrvPath, sizeof(szDrvPath));
_strcpy(szDrvPath, g_WinObj.szSystemDirectory);
_strcat(szDrvPath, KLDBGDRVSYS);
DeleteFile(szDrvPath);
}
/*
* kdpUnloadWindbgDriver
*
* Purpose:
*
* Unload driver, unregister and remove service and delete driver file.
*
*/
VOID kdpUnloadWindbgDriver()
{
//
// If we loaded Windbg driver - unload it, otherwise leave it as is.
//
if (g_kdctx.IsOurLoad) {
//
// Windbg recreates service and drops file everytime when kernel debug starts.
//
scmUnloadDeviceDriver(KLDBGDRV, NULL);
kdpRemoveDriverFile();
}
}
/*
* kdpUnloadHelperDriver
*
* Purpose:
*
* Unload helper driver, delete registry entry and delete driver file.
*
*/
VOID kdpUnloadHelperDriver()
{
kdUnloadDeviceDriver(KLDBGDRV, TRUE);
kdpRemoveDriverFile();
}
/*
* kdShutdown
*
@ -3278,39 +3364,25 @@ VOID kdShutdown(
VOID
)
{
WCHAR szDrvPath[MAX_PATH * 2];
//
// Close device handle and make it invalid.
//
if (g_kdctx.DeviceHandle) {
CloseHandle(g_kdctx.DeviceHandle);
g_kdctx.DeviceHandle = NULL;
}
//
// Destroy collection if present.
//
ObCollectionDestroy(&g_kdctx.ObCollection);
RtlDeleteCriticalSection(&g_kdctx.ObCollectionLock);
//
// Driver was loaded, unload it.
// Windbg recreates service and drops file everytime when kernel debug starts.
//
if (g_kdctx.IsOurLoad) {
#ifndef _USE_OWN_DRIVER
scmUnloadDeviceDriver(KLDBGDRV, NULL);
kdpUnloadWindbgDriver();
#else
kdUnloadDeviceDriver(KLDBGDRV, TRUE);
#endif /* _USE_OWN_DRIVER */
//
// Driver file is no longer needed - remove it from disk.
//
RtlSecureZeroMemory(&szDrvPath, sizeof(szDrvPath));
_strcpy(szDrvPath, g_WinObj.szSystemDirectory);
_strcat(szDrvPath, KLDBGDRVSYS);
DeleteFile(szDrvPath);
}
kdpUnloadHelperDriver();
#endif
if (g_kdctx.NtOsImageMap) {
FreeLibrary((HMODULE)g_kdctx.NtOsImageMap);
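Review bot: In kdLoadDeviceDriver the result of `NtLoadDriver` is overwritten by the following `kdOpenDeviceDriver(KLDBGDRV, WRITE_DAC, &deviceHandle)` call without being checked, and a failure of the DACL step returns an error while the driver stays loaded with whatever security the device was created with. The rendering has lost the +/- markers, so I am assuming the `NtLoadDriver` line is kept and the DACL block is new. I would guard the open with `if (NT_SUCCESS(status))` and, when `NtSetSecurityObject` fails, unload the driver again rather than leave the device reachable under its original DACL. The DACL is also applied only after the device exists, so a comment such as `// DACL is tightened after load; handles opened before this point keep their access` would make that limit explicit. The function body continues outside the visible hunks.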


@ -4,9 +4,9 @@
*
* TITLE: KLDBG.H
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 13 Jan 2019
* DATE: 18 Feb 2019
*
* Common header file for the Kernel Debugger Driver support.
*
@ -20,9 +20,14 @@
#define IOCTL_KD_PASS_THROUGH CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1, METHOD_NEITHER, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
#ifdef _USE_OWN_DRIVER
#ifdef _USE_OWN_DRIVER
#ifdef _USE_WINIO
#define KLDBGDRV L"EneTechIo"
#define KLDBGDRVSYS L"\\drivers\\ene64drv.sys"
#else
#define KLDBGDRV L"wodbgdrv"
#define KLDBGDRVSYS L"\\drivers\\wodbgdrv.sys"
#endif
#else
#define KLDBGDRV L"kldbgdrv"
#define KLDBGDRVSYS L"\\drivers\\kldbgdrv.sys"
@ -202,10 +207,10 @@ typedef struct _OBJREF {
#define NT_WIN10_19H2 18363
// Windows 10 20H1
#define NTX_WIN10_20H1 19037
#define NTX_WIN10_20H1 19037
// Windows 10 20H2
#define NTX_WIN10_20H2 19536
#define NTX_WIN10_20H2 19536
//
// Defines for boundary descriptors
@ -360,12 +365,22 @@ BOOL kdFindKiServiceTable(
ULONG_PTR kdQueryWin32kApiSetTable(
_In_ HMODULE hWin32k);
BOOL kdReadSystemMemoryEx(
BOOL kdpReadSystemMemoryEx(
_In_ ULONG_PTR Address,
_Inout_ PVOID Buffer,
_In_ ULONG BufferSize,
_Out_opt_ PULONG NumberOfBytesRead);
#ifdef _USE_OWN_DRIVER
#ifdef _USE_WINIO
#define kdReadSystemMemoryEx WinIoReadSystemMemoryEx
#else
#define kdReadSystemMemoryEx kdpReadSystemMemoryEx
#endif
#else
#define kdReadSystemMemoryEx kdpReadSystemMemoryEx
#endif
#define kdReadSystemMemory(Address, Buffer, BufferSize) \
kdReadSystemMemoryEx(Address, Buffer, BufferSize, NULL)
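Review bot: The selection of `kdReadSystemMemoryEx` repeats the same fallback `#define kdReadSystemMemoryEx kdpReadSystemMemoryEx` in two `#else` branches; a single condition, `#if defined(_USE_OWN_DRIVER) && defined(_USE_WINIO)`, with one `#else` reads more easily and cannot drift. A short comment above it should say that every caller of `kdReadSystemMemory` is rerouted to `WinIoReadSystemMemoryEx` in that build, since the macro hides the change of backend. The header date also reads `18 Feb 2019` for version 1.84, while the other files in this commit are dated 2020.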


@ -930,6 +930,15 @@ INT WinObjInitGlobals(
do {
RtlSecureZeroMemory(&g_WinObj, sizeof(g_WinObj));
#ifdef _USE_OWN_DRIVER
//
// The quality of MMIO driver is outstanding, try to reduce possible impact.
//
g_WinObj.EnableFullMitigations = TRUE;
#else
g_WinObj.EnableFullMitigations = FALSE;
#endif
g_WinObj.IsWine = IsWine;
//
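Review bot: The comment `The quality of MMIO driver is outstanding, try to reduce possible impact.` is ironic and will be misread, yet it is the only explanation of why `EnableFullMitigations` is tied to `_USE_OWN_DRIVER`. I would state the reason plainly, for example `// The helper driver gives this process kernel memory read access; enable all process mitigations to limit what foreign code loaded into it could do.` That wording is inferred from the readme entry for drvhelper.c and should be checked against the driver interface, which this section does not show. The `#else` assignment is redundant after `RtlSecureZeroMemory(&g_WinObj, sizeof(g_WinObj))` but harmless.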


@ -291,6 +291,11 @@ DWORD WINAPI PluginManagerWorkerThread(
FindClose(hFile);
}
//
// Must be called after plugin manager startup as plugins are not signed by MS.
//
supSetProcessMitigationImagesPolicy();
ExitThread(0);
}
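Review bot: `supSetProcessMitigationImagesPolicy()` runs as the last statement of a worker thread, so the image-signature policy takes effect only once plugin enumeration has finished, and not at all if the thread leaves by a path that skips this line. The rest of PluginManagerWorkerThread is outside the hunk, so I cannot tell whether such a path exists. The comment should record the consequence as well as the ordering, e.g. `// Applied once, after all plugins are loaded: with EnableFullMitigations set, only Microsoft-signed images can be loaded from here on.` If plugins are ever loaded on demand after startup, this ordering needs a second look.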


@ -4,9 +4,9 @@
*
* TITLE: PROPOBJECTDUMP.C
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 26 Jan 2020
* DATE: 12 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -3050,8 +3050,8 @@ VOID propObxDumpAlpcPortCommunicationInfo(
)
{
HTREEITEM h_tviSubItem;
PBYTE Buffer = NULL;
ULONG BufferSize = 0;
PBYTE dumpBuffer = NULL;
ULONG bufferSize = 0, readSize = 0;
union {
union {
@ -3064,28 +3064,29 @@ VOID propObxDumpAlpcPortCommunicationInfo(
if ((StructureVersion == 0) || (StructureVersion > 2)) return;
if (StructureVersion == 1) {
BufferSize = sizeof(ALPC_COMMUNICATION_INFO_V1);
bufferSize = sizeof(ALPC_COMMUNICATION_INFO_V1);
}
else {
BufferSize = sizeof(ALPC_COMMUNICATION_INFO_V2);
bufferSize = sizeof(ALPC_COMMUNICATION_INFO_V2);
}
BufferSize = ALIGN_UP_BY(BufferSize, PAGE_SIZE);
Buffer = (PBYTE)supVirtualAlloc(BufferSize);
if (Buffer == NULL)
readSize = bufferSize;
bufferSize = ALIGN_UP_BY(bufferSize, PAGE_SIZE);
dumpBuffer = (PBYTE)supVirtualAlloc(bufferSize);
if (dumpBuffer == NULL)
return;
if (!kdReadSystemMemoryEx(
StructureAddress,
Buffer,
BufferSize,
dumpBuffer,
readSize,
NULL))
{
supVirtualFree(Buffer);
supVirtualFree(dumpBuffer);
return;
}
AlpcPortCommunicationInfo.Ref = Buffer;
AlpcPortCommunicationInfo.Ref = dumpBuffer;
//
// Dump version unaffected fields.
@ -3186,7 +3187,7 @@ VOID propObxDumpAlpcPortCommunicationInfo(
0,
0);
}
supVirtualFree(Buffer);
supVirtualFree(dumpBuffer);
}
/*
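Review bot: The split between `readSize` and `bufferSize` in propObxDumpAlpcPortCommunicationInfo is the substance of this change, but nothing in the function says why the two differ. A comment at `readSize = bufferSize;` would help: `// Read only the structure itself; the allocation below is rounded up to a page and the padding must not be requested from the kernel address.` The call still passes `NULL` for the bytes-read output, so a short read is not distinguished from a full one. Whether that matters depends on kdReadSystemMemoryEx, which is defined elsewhere.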


@ -4,9 +4,9 @@
*
* TITLE: SUP.C
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 26 Jan 2020
* DATE: 18 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -516,7 +516,6 @@ BOOL supDumpSyscallTableConverted(
*Table = NULL;
memIO = ServiceLimit * sizeof(ULONG);
ServiceTableDumped = (PULONG)supHeapAlloc(memIO);
if (ServiceTableDumped) {
bytesRead = 0;
@ -1203,7 +1202,7 @@ VOID supRunAsAdmin(
)
{
SHELLEXECUTEINFO shinfo;
WCHAR szPath[MAX_PATH + 1];
WCHAR szPath[MAX_PATH + 1];
RtlSecureZeroMemory(&szPath, sizeof(szPath));
if (GetModuleFileName(NULL, szPath, MAX_PATH)) {
@ -1363,7 +1362,7 @@ BOOL supIsSymbolicLinkObject(
)
{
LVITEM lvItem;
lvItem.mask = LVIF_PARAM;
lvItem.iItem = iItem;
lvItem.iSubItem = 0;
@ -1537,6 +1536,105 @@ BOOL supxQueryKnownDllsLink(
return bResult;
}
/*
* supSetProcessMitigationImagesPolicy
*
* Purpose:
*
* Enable images policy mitigation.
*
* N.B. Must be called after plugin manager initialization.
*
*/
VOID supSetProcessMitigationImagesPolicy()
{
PROCESS_MITIGATION_POLICY_INFORMATION policyInfo;
if (g_WinObj.EnableFullMitigations) {
policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessSignaturePolicy;
policyInfo.SignaturePolicy.Flags = 0;
policyInfo.SignaturePolicy.MicrosoftSignedOnly = TRUE;
policyInfo.SignaturePolicy.MitigationOptIn = TRUE;
NtSetInformationProcess(NtCurrentProcess(),
ProcessMitigationPolicy,
&policyInfo,
sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessImageLoadPolicy;
policyInfo.ImageLoadPolicy.Flags = 0;
policyInfo.ImageLoadPolicy.PreferSystem32Images = TRUE;
policyInfo.ImageLoadPolicy.NoLowMandatoryLabelImages = TRUE;
NtSetInformationProcess(NtCurrentProcess(),
ProcessMitigationPolicy,
&policyInfo,
sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
}
}
/*
* supxSetProcessMitigationPolicies
*
* Purpose:
*
* Enable mitigations.
*
*/
VOID supxSetProcessMitigationPolicies()
{
PROCESS_MITIGATION_POLICY_INFORMATION policyInfo;
if (g_WinObj.EnableFullMitigations) {
policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessExtensionPointDisablePolicy;
policyInfo.ExtensionPointDisablePolicy.Flags = 0;
policyInfo.ExtensionPointDisablePolicy.DisableExtensionPoints = TRUE;
NtSetInformationProcess(NtCurrentProcess(),
ProcessMitigationPolicy,
&policyInfo,
sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessASLRPolicy;
policyInfo.ASLRPolicy.Flags = 0;
policyInfo.ASLRPolicy.EnableHighEntropy = TRUE;
policyInfo.ASLRPolicy.EnableBottomUpRandomization = TRUE;
policyInfo.ASLRPolicy.EnableForceRelocateImages = TRUE;
NtSetInformationProcess(NtCurrentProcess(),
ProcessMitigationPolicy,
&policyInfo,
sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessDynamicCodePolicy;
policyInfo.DynamicCodePolicy.Flags = 0;
policyInfo.DynamicCodePolicy.ProhibitDynamicCode = TRUE;
NtSetInformationProcess(NtCurrentProcess(),
ProcessMitigationPolicy,
&policyInfo,
sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
/*
Enabled by settings for Release variants
policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessControlFlowGuardPolicy;
policyInfo.ControlFlowGuardPolicy.Flags = 0;
policyInfo.ControlFlowGuardPolicy.EnableControlFlowGuard = TRUE;
NtSetInformationProcess(NtCurrentProcess(),
ProcessMitigationPolicy,
&policyInfo,
sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
*/
}
}
/*
* supInit
*
@ -1553,6 +1651,8 @@ VOID supInit(
{
NTSTATUS status;
supxSetProcessMitigationPolicies();
#pragma warning(push)
#pragma warning(disable: 6031)
CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
@ -1704,11 +1804,11 @@ BOOL supQueryLinkTarget(
return bResult;
}
InitializeObjectAttributes(&objectAttr,
InitializeObjectAttributes(&objectAttr,
ObjectName, OBJ_CASE_INSENSITIVE, RootDirectoryHandle, NULL);
ntStatus = NtOpenSymbolicLinkObject(&linkHandle,
SYMBOLIC_LINK_QUERY,
ntStatus = NtOpenSymbolicLinkObject(&linkHandle,
SYMBOLIC_LINK_QUERY,
&objectAttr);
if (!NT_SUCCESS(ntStatus) || (linkHandle == NULL)) {
@ -1724,8 +1824,8 @@ BOOL supQueryLinkTarget(
infoUString.Length = (USHORT)cLength;
infoUString.MaximumLength = (USHORT)(cLength + sizeof(UNICODE_NULL));
ntStatus = NtQuerySymbolicLinkObject(linkHandle,
&infoUString,
ntStatus = NtQuerySymbolicLinkObject(linkHandle,
&infoUString,
NULL);
bResult = (NT_SUCCESS(ntStatus));
@ -1963,6 +2063,72 @@ BOOL supQueryProcessNameByEPROCESS(
return bFound;
}
/*
* supxEnumServicesStatus
*
* Purpose:
*
* Enumerate services status to the buffer.
*
*/
BOOL supxEnumServicesStatus(
_In_ SC_HANDLE schSCManager,
_In_ ULONG ServiceType,
_Out_ PBYTE *Services,
_Out_ DWORD *ServicesReturned
)
{
BOOL bResult = FALSE;
LPBYTE servicesBuffer = NULL;
DWORD dwSize = PAGE_SIZE, dwBytesNeeded = 0, dwServicesReturned = 0, c = 0;
DWORD dwLastError = ERROR_SUCCESS;
*Services = NULL;
*ServicesReturned = 0;
do {
servicesBuffer = (LPBYTE)supVirtualAlloc(dwSize);
if (servicesBuffer != NULL) {
bResult = EnumServicesStatusEx(
schSCManager,
SC_ENUM_PROCESS_INFO,
ServiceType,
SERVICE_STATE_ALL,
servicesBuffer,
dwSize,
&dwBytesNeeded,
&dwServicesReturned,
NULL,
NULL);
dwLastError = GetLastError();
}
else {
return FALSE;
}
if (dwLastError == ERROR_MORE_DATA) {
supVirtualFree(servicesBuffer);
servicesBuffer = NULL;
dwSize += dwBytesNeeded;
c++;
if (c >= 20) {
break;
}
}
else {
*ServicesReturned = dwServicesReturned;
*Services = servicesBuffer;
break;
}
} while (dwLastError == ERROR_MORE_DATA);
return bResult;
}
/*
* supCreateSCMSnapshot
*
@ -1980,7 +2146,7 @@ BOOL supCreateSCMSnapshot(
{
BOOL bResult = FALSE;
SC_HANDLE schSCManager;
DWORD dwBytesNeeded = 0, dwServicesReturned = 0, dwSize;
DWORD dwServicesReturned = 0;
PVOID Services = NULL;
do {
@ -1991,58 +2157,14 @@ BOOL supCreateSCMSnapshot(
if (schSCManager == NULL)
break;
//
// Query required memory size for snapshot.
//
dwSize = PAGE_SIZE;
Services = supVirtualAlloc(dwSize);
if (Services == NULL)
break;
bResult = EnumServicesStatusEx(
schSCManager,
SC_ENUM_PROCESS_INFO,
bResult = supxEnumServicesStatus(schSCManager,
ServiceType,
SERVICE_STATE_ALL,
(LPBYTE)Services,
dwSize,
&dwBytesNeeded,
&dwServicesReturned,
NULL,
NULL);
if (bResult == FALSE) {
if (GetLastError() == ERROR_MORE_DATA) {
//
// Allocate required buffer.
//
supVirtualFree(Services);
dwSize = (DWORD)ALIGN_UP_BY(dwBytesNeeded + sizeof(ENUM_SERVICE_STATUS_PROCESS), PAGE_SIZE);
Services = supVirtualAlloc(dwSize);
if (Services == NULL)
break;
bResult = EnumServicesStatusEx(
schSCManager,
SC_ENUM_PROCESS_INFO,
ServiceType,
SERVICE_STATE_ALL,
(LPBYTE)Services,
dwSize,
&dwBytesNeeded,
&dwServicesReturned,
NULL,
NULL);
if (!bResult) {
supVirtualFree(Services);
Services = NULL;
dwServicesReturned = 0;
break;
}
} //ERROR_MORE_DATA
} //bResult == FALSE;
(PBYTE*)&Services,
&dwServicesReturned);
if (!bResult)
break;
CloseServiceHandle(schSCManager);
} while (FALSE);
@ -6538,7 +6660,159 @@ ULONG supHashString(
*
*/
ULONG supHashUnicodeString(
_In_ CONST UNICODE_STRING* String)
_In_ CONST UNICODE_STRING * String)
{
return supHashString(String->Buffer, String->Length / sizeof(WCHAR));
}
/*
* supCreateSystemAdminAccessSD
*
* Purpose:
*
* Create security descriptor with Admin/System ACL set.
*
*/
NTSTATUS supCreateSystemAdminAccessSD(
_Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor,
_Out_opt_ PULONG Length
)
{
NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
PSID admSid = NULL;
PSID sysSid = NULL;
PACL sysAcl = NULL;
ULONG daclSize = 0;
PSECURITY_DESCRIPTOR securityDescriptor;
SID_IDENTIFIER_AUTHORITY sidAuthority = SECURITY_NT_AUTHORITY;
*SecurityDescriptor = NULL;
if (Length)
*Length = 0;
do {
securityDescriptor = (PSECURITY_DESCRIPTOR)supHeapAlloc(sizeof(SECURITY_DESCRIPTOR));
if (securityDescriptor == NULL) {
ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
break;
}
admSid = (PSID)supHeapAlloc(RtlLengthRequiredSid(2));
if (admSid == NULL) {
ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
break;
}
sysSid = (PSID)supHeapAlloc(RtlLengthRequiredSid(1));
if (sysSid == NULL) {
ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
break;
}
ntStatus = RtlInitializeSid(admSid, &sidAuthority, 2);
if (NT_SUCCESS(ntStatus)) {
*RtlSubAuthoritySid(admSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
*RtlSubAuthoritySid(admSid, 1) = DOMAIN_ALIAS_RID_ADMINS;
}
else {
break;
}
ntStatus = RtlInitializeSid(sysSid, &sidAuthority, 1);
if (NT_SUCCESS(ntStatus)) {
*RtlSubAuthoritySid(sysSid, 0) = SECURITY_LOCAL_SYSTEM_RID;
}
else {
break;
}
daclSize = sizeof(ACL) +
(2 * sizeof(ACCESS_ALLOWED_ACE)) +
RtlLengthSid(admSid) + RtlLengthSid(sysSid) +
SECURITY_DESCRIPTOR_MIN_LENGTH;
sysAcl = (PACL)supHeapAlloc(daclSize);
if (sysAcl == NULL) {
ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
break;
}
ntStatus = RtlCreateAcl(sysAcl, daclSize - SECURITY_DESCRIPTOR_MIN_LENGTH, (ULONG)ACL_REVISION);
if (!NT_SUCCESS(ntStatus))
break;
ntStatus = RtlAddAccessAllowedAce(sysAcl,
ACL_REVISION,
GENERIC_ALL,
sysSid);
if (!NT_SUCCESS(ntStatus))
break;
ntStatus = RtlAddAccessAllowedAce(sysAcl,
ACL_REVISION,
GENERIC_ALL,
admSid);
if (!NT_SUCCESS(ntStatus))
break;
ntStatus = RtlCreateSecurityDescriptor(securityDescriptor,
SECURITY_DESCRIPTOR_REVISION1);
if (!NT_SUCCESS(ntStatus))
break;
ntStatus = RtlSetDaclSecurityDescriptor(securityDescriptor,
TRUE,
sysAcl,
FALSE);
if (!NT_SUCCESS(ntStatus))
break;
if (!RtlValidSecurityDescriptor(securityDescriptor))
break;
*SecurityDescriptor = securityDescriptor;
if (Length)
*Length = RtlLengthSecurityDescriptor(securityDescriptor);
} while (FALSE);
if (admSid != NULL) supHeapFree(admSid);
if (sysSid != NULL) supHeapFree(sysSid);
if (sysAcl != NULL) supHeapFree(sysAcl);
if (!NT_SUCCESS(ntStatus)) {
if (securityDescriptor != NULL)
supHeapFree(securityDescriptor);
}
return ntStatus;
}
/*
* supGetTimeAsSecondsSince1970
*
* Purpose:
*
* Return seconds since 1970.
*
*/
ULONG supGetTimeAsSecondsSince1970(
VOID
)
{
LARGE_INTEGER fileTime;
ULONG seconds = 0;
GetSystemTimeAsFileTime((PFILETIME)&fileTime);
RtlTimeToSecondsSince1970(&fileTime, &seconds);
return seconds;
}
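Review bot: supCreateSystemAdminAccessSD returns a descriptor whose DACL has already been freed: `RtlCreateSecurityDescriptor` builds an absolute-format descriptor, `RtlSetDaclSecurityDescriptor` stores the `sysAcl` pointer in it, and the cleanup then calls `supHeapFree(sysAcl)` on the success path too. kdLoadDeviceDriver passes that descriptor to `NtSetSecurityObject`, so the device DACL would be read from released heap memory. The `RtlValidSecurityDescriptor` failure path also breaks with a success status still in `ntStatus`, so the function returns success with a NULL output and leaks the descriptor. Placing the ACL in the same allocation as the descriptor keeps the caller's single `supHeapFree` correct. sup.h names the parameter `SelfRelativeSD`, so converting to self-relative form would be the alternative.

```c
    PSECURITY_DESCRIPTOR securityDescriptor = NULL;

    // … unchanged: output initialization, SID allocation and initialization
    //   (the separate descriptor allocation at the top of the loop is dropped) …

        daclSize = sizeof(ACL) +
            (2 * sizeof(ACCESS_ALLOWED_ACE)) +
            RtlLengthSid(admSid) + RtlLengthSid(sysSid);

        // One allocation holds the absolute descriptor followed by its DACL,
        // so the caller's single supHeapFree releases both.
        securityDescriptor = (PSECURITY_DESCRIPTOR)supHeapAlloc(
            sizeof(SECURITY_DESCRIPTOR) + daclSize);
        if (securityDescriptor == NULL) {
            ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
            break;
        }
        sysAcl = (PACL)((PBYTE)securityDescriptor + sizeof(SECURITY_DESCRIPTOR));

        ntStatus = RtlCreateAcl(sysAcl, daclSize, (ULONG)ACL_REVISION);

        // … unchanged: ACE additions, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor …

        if (!RtlValidSecurityDescriptor(securityDescriptor)) {
            ntStatus = STATUS_INVALID_SECURITY_DESCR;
            break;
        }

    // … unchanged: output assignment, end of loop …

    if (admSid != NULL) supHeapFree(admSid);
    if (sysSid != NULL) supHeapFree(sysSid);
    // sysAcl lives inside the descriptor allocation and is not freed separately.

    // … unchanged: descriptor freed on failure, return …
```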


@ -4,9 +4,9 @@
*
* TITLE: SUP.H
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 05 Jan 2020
* DATE: 15 Feb 2020
*
* Common header file for the program support routines.
*
@ -677,3 +677,12 @@ ULONG supHashString(
ULONG supHashUnicodeString(
_In_ CONST UNICODE_STRING* String);
NTSTATUS supCreateSystemAdminAccessSD(
_Out_ PSECURITY_DESCRIPTOR* SelfRelativeSD,
_Out_opt_ PULONG Length);
VOID supSetProcessMitigationImagesPolicy();
ULONG supGetTimeAsSecondsSince1970(
VOID);


@ -4,9 +4,9 @@
*
* TITLE: TESTUNIT.C
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 05 Jan 2020
* DATE: 12 Feb 2020
*
* Test code used while debug.
*
@ -734,6 +734,7 @@ VOID PreHashTypes()
ObManagerTest();
}
VOID TestCall()
{


@ -0,0 +1,576 @@
/*
Modified to compile with WinObjEx64.
*/
/*
This is an implementation of the AES algorithm, specifically ECB, CTR and CBC mode.
Block size can be chosen in aes.h - available choices are AES128, AES192, AES256.
The implementation is verified against the test vectors in:
National Institute of Standards and Technology Special Publication 800-38A 2001 ED
ECB-AES128
----------
plain-text:
6bc1bee22e409f96e93d7e117393172a
ae2d8a571e03ac9c9eb76fac45af8e51
30c81c46a35ce411e5fbc1191a0a52ef
f69f2445df4f9b17ad2b417be66c3710
key:
2b7e151628aed2a6abf7158809cf4f3c
resulting cipher
3ad77bb40d7a3660a89ecaf32466ef97
f5d3d58503b9699de785895a96fdbaaf
43b1cd7f598ece23881b00e3ed030688
7b0c785e27e8ad3f8223207104725dd4
NOTE: String length must be evenly divisible by 16byte (str_len % 16 == 0)
You should pad the end of the string with zeros if this is not the case.
For AES192/256 the key size is proportionally larger.
*/
/*****************************************************************************/
/* Includes: */
/*****************************************************************************/
#include <windows.h> // CBC mode, for memset
#include "aes.h"
/*****************************************************************************/
/* Defines: */
/*****************************************************************************/
// The number of columns comprising a state in AES. This is a constant in AES. Value=4
#define Nb 4
#if defined(AES256) && (AES256 == 1)
#define Nk 8
#define Nr 14
#elif defined(AES192) && (AES192 == 1)
#define Nk 6
#define Nr 12
#else
#define Nk 4 // The number of 32 bit words in a key.
#define Nr 10 // The number of rounds in AES Cipher.
#endif
// jcallan@github points out that declaring Multiply as a function
// reduces code size considerably with the Keil ARM compiler.
// See this link for more information: https://github.com/kokke/tiny-AES-C/pull/3
#ifndef MULTIPLY_AS_A_FUNCTION
#define MULTIPLY_AS_A_FUNCTION 0
#endif
/*****************************************************************************/
/* Private variables: */
/*****************************************************************************/
// state - array holding the intermediate results during decryption.
typedef uint8_t state_t[4][4];
// The lookup-tables are marked const so they can be placed in read-only storage instead of RAM
// The numbers below can be computed dynamically trading ROM for RAM -
// This can be useful in (embedded) bootloader applications, where ROM is often limited.
static const uint8_t sbox[256] = {
//0 1 2 3 4 5 6 7 8 9 A B C D E F
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 };
static const uint8_t rsbox[256] = {
0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d };
// The round constant word array, Rcon[i], contains the values given by
// x to the power (i-1) being powers of x (x is denoted as {02}) in the field GF(2^8)
static const uint8_t Rcon[11] = {
0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 };
/*
* Jordan Goulder points out in PR #12 (https://github.com/kokke/tiny-AES-C/pull/12),
* that you can remove most of the elements in the Rcon array, because they are unused.
*
* From Wikipedia's article on the Rijndael key schedule @ https://en.wikipedia.org/wiki/Rijndael_key_schedule#Rcon
*
* "Only the first some of these constants are actually used up to rcon[10] for AES-128 (as 11 round keys are needed),
* up to rcon[8] for AES-192, up to rcon[7] for AES-256. rcon[0] is not used in AES algorithm."
*/
/*****************************************************************************/
/* Private functions: */
/*****************************************************************************/
/*
static uint8_t getSBoxValue(uint8_t num)
{
return sbox[num];
}
*/
#define getSBoxValue(num) (sbox[(num)])
/*
static uint8_t getSBoxInvert(uint8_t num)
{
return rsbox[num];
}
*/
#define getSBoxInvert(num) (rsbox[(num)])
// This function produces Nb(Nr+1) round keys. The round keys are used in each round to decrypt the states.
static void KeyExpansion(uint8_t* RoundKey, const uint8_t* Key)
{
unsigned i, j, k;
uint8_t tempa[4]; // Used for the column/row operations
// The first round key is the key itself.
for (i = 0; i < Nk; ++i)
{
RoundKey[(i * 4) + 0] = Key[(i * 4) + 0];
RoundKey[(i * 4) + 1] = Key[(i * 4) + 1];
RoundKey[(i * 4) + 2] = Key[(i * 4) + 2];
RoundKey[(i * 4) + 3] = Key[(i * 4) + 3];
}
// All other round keys are found from the previous round keys.
for (i = Nk; i < Nb * (Nr + 1); ++i)
{
{
k = (i - 1) * 4;
tempa[0]=RoundKey[k + 0];
tempa[1]=RoundKey[k + 1];
tempa[2]=RoundKey[k + 2];
tempa[3]=RoundKey[k + 3];
}
if (i % Nk == 0)
{
// This function shifts the 4 bytes in a word to the left once.
// [a0,a1,a2,a3] becomes [a1,a2,a3,a0]
// Function RotWord()
{
const uint8_t u8tmp = tempa[0];
tempa[0] = tempa[1];
tempa[1] = tempa[2];
tempa[2] = tempa[3];
tempa[3] = u8tmp;
}
// SubWord() is a function that takes a four-byte input word and
// applies the S-box to each of the four bytes to produce an output word.
// Function Subword()
{
tempa[0] = getSBoxValue(tempa[0]);
tempa[1] = getSBoxValue(tempa[1]);
tempa[2] = getSBoxValue(tempa[2]);
tempa[3] = getSBoxValue(tempa[3]);
}
tempa[0] = tempa[0] ^ Rcon[i/Nk];
}
#if defined(AES256) && (AES256 == 1)
if (i % Nk == 4)
{
// Function Subword()
{
tempa[0] = getSBoxValue(tempa[0]);
tempa[1] = getSBoxValue(tempa[1]);
tempa[2] = getSBoxValue(tempa[2]);
tempa[3] = getSBoxValue(tempa[3]);
}
}
#endif
j = i * 4; k=(i - Nk) * 4;
RoundKey[j + 0] = RoundKey[k + 0] ^ tempa[0];
RoundKey[j + 1] = RoundKey[k + 1] ^ tempa[1];
RoundKey[j + 2] = RoundKey[k + 2] ^ tempa[2];
RoundKey[j + 3] = RoundKey[k + 3] ^ tempa[3];
}
}
void AES_init_ctx(AES_ctx* ctx, const uint8_t* key)
{
KeyExpansion(ctx->RoundKey, key);
}
#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
void AES_init_ctx_iv(AES_ctx* ctx, const uint8_t* key, const uint8_t* iv)
{
KeyExpansion(ctx->RoundKey, key);
memcpy (ctx->Iv, iv, AES_BLOCKLEN);
}
void AES_ctx_set_iv(AES_ctx* ctx, const uint8_t* iv)
{
memcpy (ctx->Iv, iv, AES_BLOCKLEN);
}
#endif
// This function adds the round key to state.
// The round key is added to the state by an XOR function.
static void AddRoundKey(uint8_t round, state_t* state, const uint8_t* RoundKey)
{
uint8_t i,j;
for (i = 0; i < 4; ++i)
{
for (j = 0; j < 4; ++j)
{
(*state)[i][j] ^= RoundKey[(round * Nb * 4) + (i * Nb) + j];
}
}
}
// The SubBytes Function Substitutes the values in the
// state matrix with values in an S-box.
static void SubBytes(state_t* state)
{
uint8_t i, j;
for (i = 0; i < 4; ++i)
{
for (j = 0; j < 4; ++j)
{
(*state)[j][i] = getSBoxValue((*state)[j][i]);
}
}
}
// The ShiftRows() function shifts the rows in the state to the left.
// Each row is shifted with different offset.
// Offset = Row number. So the first row is not shifted.
static void ShiftRows(state_t* state)
{
uint8_t temp;
// Rotate first row 1 columns to left
temp = (*state)[0][1];
(*state)[0][1] = (*state)[1][1];
(*state)[1][1] = (*state)[2][1];
(*state)[2][1] = (*state)[3][1];
(*state)[3][1] = temp;
// Rotate second row 2 columns to left
temp = (*state)[0][2];
(*state)[0][2] = (*state)[2][2];
(*state)[2][2] = temp;
temp = (*state)[1][2];
(*state)[1][2] = (*state)[3][2];
(*state)[3][2] = temp;
// Rotate third row 3 columns to left
temp = (*state)[0][3];
(*state)[0][3] = (*state)[3][3];
(*state)[3][3] = (*state)[2][3];
(*state)[2][3] = (*state)[1][3];
(*state)[1][3] = temp;
}
static uint8_t xtime(uint8_t x)
{
return ((x<<1) ^ (((x>>7) & 1) * 0x1b));
}
// MixColumns function mixes the columns of the state matrix
static void MixColumns(state_t* state)
{
uint8_t i;
uint8_t Tmp, Tm, t;
for (i = 0; i < 4; ++i)
{
t = (*state)[i][0];
Tmp = (*state)[i][0] ^ (*state)[i][1] ^ (*state)[i][2] ^ (*state)[i][3] ;
Tm = (*state)[i][0] ^ (*state)[i][1] ; Tm = xtime(Tm); (*state)[i][0] ^= Tm ^ Tmp ;
Tm = (*state)[i][1] ^ (*state)[i][2] ; Tm = xtime(Tm); (*state)[i][1] ^= Tm ^ Tmp ;
Tm = (*state)[i][2] ^ (*state)[i][3] ; Tm = xtime(Tm); (*state)[i][2] ^= Tm ^ Tmp ;
Tm = (*state)[i][3] ^ t ; Tm = xtime(Tm); (*state)[i][3] ^= Tm ^ Tmp ;
}
}
// Multiply is used to multiply numbers in the field GF(2^8)
// Note: The last call to xtime() is unneeded, but often ends up generating a smaller binary
// The compiler seems to be able to vectorize the operation better this way.
// See https://github.com/kokke/tiny-AES-c/pull/34
#if MULTIPLY_AS_A_FUNCTION
static uint8_t Multiply(uint8_t x, uint8_t y)
{
return (((y & 1) * x) ^
((y>>1 & 1) * xtime(x)) ^
((y>>2 & 1) * xtime(xtime(x))) ^
((y>>3 & 1) * xtime(xtime(xtime(x)))) ^
((y>>4 & 1) * xtime(xtime(xtime(xtime(x)))))); /* this last call to xtime() can be omitted */
}
#else
#define Multiply(x, y) \
( ((y & 1) * x) ^ \
((y>>1 & 1) * xtime(x)) ^ \
((y>>2 & 1) * xtime(xtime(x))) ^ \
((y>>3 & 1) * xtime(xtime(xtime(x)))) ^ \
((y>>4 & 1) * xtime(xtime(xtime(xtime(x)))))) \
#endif
#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
// MixColumns function mixes the columns of the state matrix.
// The method used to multiply may be difficult to understand for the inexperienced.
// Please use the references to gain more information.
static void InvMixColumns(state_t* state)
{
int i;
uint8_t a, b, c, d;
for (i = 0; i < 4; ++i)
{
a = (*state)[i][0];
b = (*state)[i][1];
c = (*state)[i][2];
d = (*state)[i][3];
(*state)[i][0] = Multiply(a, 0x0e) ^ Multiply(b, 0x0b) ^ Multiply(c, 0x0d) ^ Multiply(d, 0x09);
(*state)[i][1] = Multiply(a, 0x09) ^ Multiply(b, 0x0e) ^ Multiply(c, 0x0b) ^ Multiply(d, 0x0d);
(*state)[i][2] = Multiply(a, 0x0d) ^ Multiply(b, 0x09) ^ Multiply(c, 0x0e) ^ Multiply(d, 0x0b);
(*state)[i][3] = Multiply(a, 0x0b) ^ Multiply(b, 0x0d) ^ Multiply(c, 0x09) ^ Multiply(d, 0x0e);
}
}
// The SubBytes Function Substitutes the values in the
// state matrix with values in an S-box.
static void InvSubBytes(state_t* state)
{
uint8_t i, j;
for (i = 0; i < 4; ++i)
{
for (j = 0; j < 4; ++j)
{
(*state)[j][i] = getSBoxInvert((*state)[j][i]);
}
}
}
static void InvShiftRows(state_t* state)
{
uint8_t temp;
// Rotate first row 1 columns to right
temp = (*state)[3][1];
(*state)[3][1] = (*state)[2][1];
(*state)[2][1] = (*state)[1][1];
(*state)[1][1] = (*state)[0][1];
(*state)[0][1] = temp;
// Rotate second row 2 columns to right
temp = (*state)[0][2];
(*state)[0][2] = (*state)[2][2];
(*state)[2][2] = temp;
temp = (*state)[1][2];
(*state)[1][2] = (*state)[3][2];
(*state)[3][2] = temp;
// Rotate third row 3 columns to right
temp = (*state)[0][3];
(*state)[0][3] = (*state)[1][3];
(*state)[1][3] = (*state)[2][3];
(*state)[2][3] = (*state)[3][3];
(*state)[3][3] = temp;
}
#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
// Cipher is the main function that encrypts the PlainText.
static void Cipher(state_t* state, const uint8_t* RoundKey)
{
uint8_t round = 0;
// Add the First round key to the state before starting the rounds.
AddRoundKey(0, state, RoundKey);
// There will be Nr rounds.
// The first Nr-1 rounds are identical.
// These Nr-1 rounds are executed in the loop below.
for (round = 1; round < Nr; ++round)
{
SubBytes(state);
ShiftRows(state);
MixColumns(state);
AddRoundKey(round, state, RoundKey);
}
// The last round is given below.
// The MixColumns function is not here in the last round.
SubBytes(state);
ShiftRows(state);
AddRoundKey(Nr, state, RoundKey);
}
#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
static void InvCipher(state_t* state, const uint8_t* RoundKey)
{
uint8_t round = 0;
// Add the First round key to the state before starting the rounds.
AddRoundKey(Nr, state, RoundKey);
// There will be Nr rounds.
// The first Nr-1 rounds are identical.
// These Nr-1 rounds are executed in the loop below.
for (round = (Nr - 1); round > 0; --round)
{
InvShiftRows(state);
InvSubBytes(state);
AddRoundKey(round, state, RoundKey);
InvMixColumns(state);
}
// The last round is given below.
// The MixColumns function is not here in the last round.
InvShiftRows(state);
InvSubBytes(state);
AddRoundKey(0, state, RoundKey);
}
#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
/*****************************************************************************/
/* Public functions: */
/*****************************************************************************/
#if defined(ECB) && (ECB == 1)
void AES_ECB_encrypt(const AES_ctx* ctx, uint8_t* buf)
{
// The next function call encrypts the PlainText with the Key using AES algorithm.
Cipher((state_t*)buf, ctx->RoundKey);
}
void AES_ECB_decrypt(const AES_ctx* ctx, uint8_t* buf)
{
// The next function call decrypts the PlainText with the Key using AES algorithm.
InvCipher((state_t*)buf, ctx->RoundKey);
}
#endif // #if defined(ECB) && (ECB == 1)
#if defined(CBC) && (CBC == 1)
static void XorWithIv(uint8_t* buf, const uint8_t* Iv)
{
uint8_t i;
for (i = 0; i < AES_BLOCKLEN; ++i) // The block in AES is always 128bit no matter the key size
{
buf[i] ^= Iv[i];
}
}
void AES_CBC_encrypt_buffer(AES_ctx *ctx, uint8_t* buf, uint32_t length)
{
uintptr_t i;
uint8_t *Iv = ctx->Iv;
for (i = 0; i < length; i += AES_BLOCKLEN)
{
XorWithIv(buf, Iv);
Cipher((state_t*)buf, ctx->RoundKey);
Iv = buf;
buf += AES_BLOCKLEN;
//printf("Step %d - %d", i/16, i);
}
/* store Iv in ctx for next call */
memcpy(ctx->Iv, Iv, AES_BLOCKLEN);
}
void AES_CBC_decrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length)
{
uintptr_t i;
uint8_t storeNextIv[AES_BLOCKLEN];
for (i = 0; i < length; i += AES_BLOCKLEN)
{
memcpy(storeNextIv, buf, AES_BLOCKLEN);
InvCipher((state_t*)buf, ctx->RoundKey);
XorWithIv(buf, ctx->Iv);
memcpy(ctx->Iv, storeNextIv, AES_BLOCKLEN);
buf += AES_BLOCKLEN;
}
}
#endif // #if defined(CBC) && (CBC == 1)
#if defined(CTR) && (CTR == 1)
/* Symmetrical operation: same function for encrypting as for decrypting. Note any IV/nonce should never be reused with the same key */
void AES_CTR_xcrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length)
{
uint8_t buffer[AES_BLOCKLEN];
unsigned i;
int bi;
for (i = 0, bi = AES_BLOCKLEN; i < length; ++i, ++bi)
{
if (bi == AES_BLOCKLEN) /* we need to regen xor compliment in buffer */
{
memcpy(buffer, ctx->Iv, AES_BLOCKLEN);
Cipher((state_t*)buffer,ctx->RoundKey);
/* Increment Iv and handle overflow */
for (bi = (AES_BLOCKLEN - 1); bi >= 0; --bi)
{
/* inc will overflow */
if (ctx->Iv[bi] == 255)
{
ctx->Iv[bi] = 0;
continue;
}
ctx->Iv[bi] += 1;
break;
}
bi = 0;
}
buf[i] = (buf[i] ^ buffer[bi]);
}
}
#endif // #if defined(CTR) && (CTR == 1)


@ -0,0 +1,96 @@
/*
Modified to compile with WinObjEx64.
*/
#ifndef _AES_H_
#define _AES_H_
#include <stdint.h>
// #define the macros below to 1/0 to enable/disable the mode of operation.
//
// CBC enables AES encryption in CBC-mode of operation.
// CTR enables encryption in counter-mode.
// ECB enables the basic ECB 16-byte block algorithm. All can be enabled simultaneously.
// The #ifndef-guard allows it to be configured before #include'ing or at compile time.
#ifndef CBC
#define CBC 1
#endif
#ifndef ECB
#define ECB 1
#endif
#ifndef CTR
#define CTR 1
#endif
#define AES128 1
//#define AES192 1
//#define AES256 1
#define AES_BLOCKLEN 16 //Block length in bytes AES is 128b block only
#if defined(AES256) && (AES256 == 1)
#define AES_KEYLEN 32
#define AES_keyExpSize 240
#elif defined(AES192) && (AES192 == 1)
#define AES_KEYLEN 24
#define AES_keyExpSize 208
#else
#define AES_KEYLEN 16 // Key length in bytes
#define AES_keyExpSize 176
#endif
typedef struct _AES_ctx
{
uint8_t RoundKey[AES_keyExpSize];
#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
uint8_t Iv[AES_BLOCKLEN];
#endif
} AES_ctx, PAES_ctx;
void AES_init_ctx(AES_ctx* ctx, const uint8_t* key);
#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
void AES_init_ctx_iv(AES_ctx* ctx, const uint8_t* key, const uint8_t* iv);
void AES_ctx_set_iv(AES_ctx* ctx, const uint8_t* iv);
#endif
#if defined(ECB) && (ECB == 1)
// buffer size is exactly AES_BLOCKLEN bytes;
// you need only AES_init_ctx as IV is not used in ECB
// NB: ECB is considered insecure for most uses
void AES_ECB_encrypt(const AES_ctx* ctx, uint8_t* buf);
void AES_ECB_decrypt(const AES_ctx* ctx, uint8_t* buf);
#endif // #if defined(ECB) && (ECB == !)
#if defined(CBC) && (CBC == 1)
// buffer size MUST be mutile of AES_BLOCKLEN;
// Suggest https://en.wikipedia.org/wiki/Padding_(cryptography)#PKCS7 for padding scheme
// NOTES: you need to set IV in ctx via AES_init_ctx_iv() or AES_ctx_set_iv()
// no IV should ever be reused with the same key
void AES_CBC_encrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length);
void AES_CBC_decrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length);
#endif // #if defined(CBC) && (CBC == 1)
#if defined(CTR) && (CTR == 1)
// Same function for encrypting as for decrypting.
// IV is incremented for every block, and used after encryption as XOR-compliment for output
// Suggesting https://en.wikipedia.org/wiki/Padding_(cryptography)#PKCS7 for padding scheme
// NOTES: you need to set IV in ctx with AES_init_ctx_iv() or AES_ctx_set_iv()
// no IV should ever be reused with the same key
void AES_CTR_xcrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length);
#endif // #if defined(CTR) && (CTR == 1)
#endif //_AES_H_
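Review bot: The block-length requirement on `AES_CBC_encrypt_buffer` and `AES_CBC_decrypt_buffer` exists only as a comment, and nothing in the interface enforces it. The CBC loops in aes.c, shown earlier on this page, advance by AES_BLOCKLEN while `i < length`, so a length that is not a multiple of 16 makes the last iteration read and write up to 15 bytes past `buf`. I would state the consequence in the header, e.g. `// length MUST be a multiple of AES_BLOCKLEN; a trailing partial block is processed as a full block and overruns buf`, and have callers reject `length % AES_BLOCKLEN != 0` before calling. Separately, `} AES_ctx, PAES_ctx;` makes `PAES_ctx` a second name for the struct itself; if a pointer type was intended, as the name suggests, it should read `} AES_ctx, *PAES_ctx;`. None of the modes declared here authenticates the data, so any caller decrypting input it does not fully control needs its own integrity check.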


@ -4,9 +4,9 @@
*
* TITLE: UI.H
*
* VERSION: 1.83
* VERSION: 1.84
*
* DATE: 16 Jan 2020
* DATE: 22 Feb 2020
*
* Common header file for the user interface.
*
@ -26,7 +26,7 @@
#define DefaultSystemDpi 96
#define TreeListDumpObjWndPosX 12
#define TreeListDumpObjWndPosY 20
#define TreeListDumpObjWndScaleSub 4
#define TreeListDumpObjWndScaleSub 3
//
// ListView column counts
@ -56,8 +56,8 @@ typedef HWND(WINAPI *pfnHtmlHelpW)(
#define PROGRAM_MAJOR_VERSION 1
#define PROGRAM_MINOR_VERSION 8
#define PROGRAM_REVISION_NUMBER 3
#define PROGRAM_BUILD_NUMBER 2001
#define PROGRAM_REVISION_NUMBER 4
#define PROGRAM_BUILD_NUMBER 2004
#ifdef _USE_OWN_DRIVER
#define PROGRAM_NAME L"Windows Object Explorer 64-bit (Non-public version)"


@ -2,7 +2,7 @@
e192abb83dded0fe227f3fe69cb0ac7aaa197941917afd497b4cf8796a03e041 *Compiled\WHATSNEW_173.md
fa001b1ac9bbbb6c954d5dd609de60fa2b0277a6cfe35f6428591e4b4b1e8453 *Compiled\WHATSNEW_180.md
6c3f0228938008ed3c45266ce38d3ecd98145c473e7a072c915eb2b7b8fa15f4 *Compiled\WinObjEx64.chm
527222bba726c58afe2b282ff40e79b39b5ead0be803338703bc0e5cc51282fe *Compiled\WinObjEx64.exe
fc54e081db5df51257e602b96e562ee784eff93222059da2ee97e685a084b908 *Compiled\WinObjEx64.exe
fed1777aecfd299cfb130385dc146725829cd3aa82585d62cda72ea08829a52e *Compiled\plugins\ApiSetView.dll
ffa9ed459d2fcd27cb495da1494b2f8bbe5c1601c3d2aa4685e603907150f0d9 *Compiled\plugins\ExamplePlugin.dll
b41df9a5014f7a4d60354eebfd2447edf14a8a2facd38954999f2ff07b406c84 *Compiled\plugins\Sonar.dll
@ -29,8 +29,8 @@ cb66fca90766db12474ce057436364dabaf3e948f6ffa7e9651f869656f0b33c *Screenshots\Vi
ef65a909e8d9bc7ec94ecbc0f465f24a7968d6675eadf7f25f6414c66d6b28be *Screenshots\ViewingTypeInformation.png
db0ab26d20a62ba7c9c844e916e88168b72a7e52932d3483eb2d0a2e535b75a8 *Screenshots\ViewingUserSharedData.png
9e2b64f390c609172c5791dd138a748d31bf4d2cc839f01dbd514afe1cdfd083 *Screenshots\W32pServiceTableView.png
0bee5e0d7e6218111dd83c24f319871d29340aa0da8099ceaaba7f10efbbe531 *Source\CHANGELOG.txt
5e873ae10775f1af3fd37430e79f01f84c3ab397aafd4ff372d9611c5abb9d26 *Source\FILELIST.txt
3115fae1a35eaf46211b45039a6bfed8ba44835a14626a6412140a1b386cadf0 *Source\CHANGELOG.txt
6331b02a5e7279d4026068d446fdea840e1d92871b259edd4e93e19289be484f *Source\FILELIST.txt
55eed414926c47b0bfc5000eeabb882d77d78e17b5be94ca229e681f009b0740 *Source\TypesWithNoDesc.txt
cf2de90f489f8024a22720655097992373135aab5762d1c035ddf242f3096d35 *Source\WinObjEx64.sln
39a976ac4e1b76c2058815c5017bd3acceb69950286cfdf8c5704b7e31b8cca0 *Source\DrvStore\kldbgdrv.sys
@ -56,7 +56,7 @@ e953b026d0f383188c753487df0a4d879fa5da5ba82ac979aa877db84e89a060 *Source\Plugins
6b2236b93693d4830feb90ee504ae03555d4882d4c301bea55f7980973b5fb32 *Source\Plugins\Sonar\export.def
e328a69e6393288544a5be3bd2e234b866831008cbbf2de6f9962c2bda8d793a *Source\Plugins\Sonar\global.h
d56dae2c69f555e48a57fe907fae54fc8352e34a73b1571cd7461ac8da9f27b3 *Source\Plugins\Sonar\main.c
07d3b415ba3709191c1302aa1fe15c772273a19ff8a6045295210503db94ef0e *Source\Plugins\Sonar\ndis.h
678f11c35c64392c4a36dc47e06c63a3ad66e22819424e041bb7c20ce9890312 *Source\Plugins\Sonar\ndis.h
0b5d16d981af455a7176f9e91daff498bfabdbe81ceb3840ed13d922f45efe36 *Source\Plugins\Sonar\query.c
ed4ed02b7459f5f6c22d99c68f889a93a3bf84088c100f9f64d819d22ddab571 *Source\Plugins\Sonar\query.h
e9401523838c114fe616759d58d21e347f82bf47ff8ecdf11e9462e97c13305c *Source\Plugins\Sonar\resource.h
@ -93,16 +93,19 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Shared\
52e3d39c69c43264b2f8d9bcdfce0f763a5e92d091eef59ea2a0294b4b19641c *Source\Shared\minirtl\_strstr.c
52a696ae714eb81033c477d1ec6c01389eef56c847609e89d360c2fb6899b4b6 *Source\Shared\minirtl\_strstri.c
dfa2b16aa3246a8aca662ea525770a4585618de35550aeb2dca40abd52d2afd9 *Source\Shared\ntos\apisetx.h
9a6c05200edc97ff2f9c0fe3de4fc277c8781ba1a2bbceb8006f55589147c37a *Source\Shared\ntos\halamd64.h
0cd425ef96247657ab55443c9b3bc9a90f0c18f634979942693553d0f764c601 *Source\Shared\ntos\ntalpc.h
2f35ba7b6b92421bded97e177f39f947e359c86fe1805758e69907f6673074d3 *Source\Shared\ntos\ntldr.c
72162367a2038cd58d7f89d6cad0fdf4f98c0bfa570fb36df8cce73e6a93b8f6 *Source\Shared\ntos\ntldr.h
d831e0b0ca64447180f8d9e699c57e85ba7ffeb8dd20e8c893460c1a0ff76f15 *Source\Shared\ntos\ntos.h
f5a3e6730087c27936282bcefa1207da01ff340a63e24c38e5a4ddfef4423752 *Source\Shared\ntos\ntos.h
14b0a442647904db5476d14a1d9710bd83587f168b4b182465e5902d24676870 *Source\Shared\ntuser\StubNtUserOpenWindowStation.asm
97a3935877993ecf9a433568b22ee457aab530e53d8a4c3af0d40d02c1ad347b *Source\Shared\treelist\treelist.c
c5569b768244e86e1c961c28e6f11831f219953093c9e4cd35414e4008b3de80 *Source\Shared\treelist\treelist.h
56f1d7ee2b01bf4efe47de2d8642eadc00feba8b8851763d194b4605efdcad0f *Source\WinObjEx64\aboutDlg.c
26e0c642b93d4fa0d8732f766092b01e09c9478aa1b73e404ab7f21ca5b87d81 *Source\WinObjEx64\aboutDlg.c
dc5ad976533a91292022a15f741a95d04663849c34fced1432a830726341d51d *Source\WinObjEx64\aboutDlg.h
4ec2d4d3e73a5472aa235fe7032d5e5e04065ff87d9d8c2fe9df81b9815feb55 *Source\WinObjEx64\driver.rc
1e13f46a382beae952a291f05354919f4431b424908e9571960067ede23d9554 *Source\WinObjEx64\driver.rc
4633ebcb43b58cafe074341a426a2ef59eca1cbf5f9f7a0772d403ff5ae4ba3c *Source\WinObjEx64\drvhelper.c
0618df38c1e51fd79770d416befd53f9bfe4310d7a0ab5380a1464d5142c1217 *Source\WinObjEx64\drvhelper.h
24280d99d75a9fe2381701be27c2d4994b59ae415faf63d62c8aee66229f74f9 *Source\WinObjEx64\excepth.c
9cebcbf4709e61806e17cd3b2bcaf37a08eec7aa896213ddb9ec0d41c317db09 *Source\WinObjEx64\excepth.h
df88d2d3dc992aea7a6883cc162d5de2151b5a8ebb04c94f406297939849568e *Source\WinObjEx64\extapi.c
@ -110,31 +113,31 @@ df88d2d3dc992aea7a6883cc162d5de2151b5a8ebb04c94f406297939849568e *Source\WinObjE
ac5f42d81b97903c6a388c1044d33c58e5f4d59d7582883c3b1977134a43dea5 *Source\WinObjEx64\extdef.h
2d79ed215d293b2976ac5bc1cf084d6f8183fb3c65b4b0e06cbb71c617bbeaf4 *Source\WinObjEx64\findDlg.c
8cc5a4ba98d74221405a13cde0f357db970500a4b44c711b5fd97d30cce904e8 *Source\WinObjEx64\findDlg.h
edf6602b5edc0d9bc2882f68e3da43c93d1ffad3b33a4cfa7bcc441386a4f079 *Source\WinObjEx64\global.h
08af3e53d710c96de17c8e202d446df7a4235b84ea75426e782401541af0f7f8 *Source\WinObjEx64\global.h
b977fe65b7571a1f5e630b1f0af3f523e09cd153ec7f3b24d8df5f090ed4b33c *Source\WinObjEx64\instdrv.c
9fdf8d26ea566d84e8907d7363f418263a2b9f3d5aa4df2f1211a28c29e0646b *Source\WinObjEx64\instdrv.h
9d50d53ff091a5d9bca8a106657f62ec87045eb558be8326737a8e23e83e0e1b *Source\WinObjEx64\kldbg.c
d3f248b20232330eab697584bb6d22d7f7fdee5dcde3a87c2950481d791b5042 *Source\WinObjEx64\kldbg.h
3254d1fa3dea452272ef9893708fc3da923de69fafab28b5785bb15772bc0e0d *Source\WinObjEx64\kldbg.c
ef8dcbdd428cb7297616835b4e03c7b175edae1ec5fed50d092a1659f234aa5e *Source\WinObjEx64\kldbg.h
9a8c79655737ead564c10cd5bc2dd8c616c9cb57c74f6a02f2210b2f2368e44d *Source\WinObjEx64\kldbg_patterns.h
95d7a0848b06bebcdfcf31edd297a81dcc6b3d29988b238a34a254d6d45cf8a7 *Source\WinObjEx64\list.c
b490a01e298d0567ae624c0d1aecd5921cd56f5cba3e9512c88053faec089799 *Source\WinObjEx64\list.h
d0538aebb7b098746c3b818b6986252aee2a7d1fc5b24882ccb07c0c81b0a079 *Source\WinObjEx64\main.c
4012c4b1675c73edf70fab1a3494067f8afbe909e80ba5c95ace45e363d7cc76 *Source\WinObjEx64\main.c
5d2b9be96b42044e0f09a6a901c194934a1dc2d2e7cf14d65e6414b22ec89765 *Source\WinObjEx64\msvcver.h
614521ca9847274c929ccef3e19ee52f9adb57de6fc79ea6a520cf433069df5b *Source\WinObjEx64\objects.c
47f476e0778b726b0a9af5a5afeb3b155700a10c26bb45666c89a6c8c1707be6 *Source\WinObjEx64\objects.h
7a7ef81ca9f7cd9863558062aa907e57ccddfec4019e2a4963891de0d4d42eb7 *Source\WinObjEx64\plugmngr.c
35e441916f1bf16030583ea8c806779f7d256bf34b8dc0054e4a1033258e72b8 *Source\WinObjEx64\plugmngr.c
c605d067ec8d6438e5ec955f3658a595e5c669259b005ee2e26471f32e84960d *Source\WinObjEx64\plugmngr.h
2b158a0c496190c33b1ad8851978b09bc49a49926d5184880d6070e69c980f9d *Source\WinObjEx64\resource.h
56078226c9134a1d583e44d815094a225e836b7c6e3dde978495500d527ca25f *Source\WinObjEx64\Resource.rc
cc724dc78f6d71e119bdb0105cc52d332480fc497cda1ee79c62df3274c44762 *Source\WinObjEx64\sup.c
82331fc1bff3da9ce708f5a7ee972a7636a142c0be9833df1c1b8d7c36bf208b *Source\WinObjEx64\sup.h
cc857bf7b2bd66badddc9a8ea54a53b3af93da3989abf0494dc8a9d059a2d229 *Source\WinObjEx64\Resource.rc
3d7aaca6e0cbc42fc544abcabb308d79285359464f5ab4b1738104178e30fdab *Source\WinObjEx64\sup.c
8be6751077fb0b50c39a348ece5cfbc3b1361196d1f2e71d9924788ef2e83a22 *Source\WinObjEx64\sup.h
cc4a635c99b8165437e3a441d8d65012170aedbc91c839497e03d58ef104a8fd *Source\WinObjEx64\supConsts.h
4fdd97e22cc9a96286a2faaec808455eb5e1c0dbc62010567a6642740cad7d2e *Source\WinObjEx64\ui.h
2af1d95ac1999984bfef3920829b306b7b2c41f889d91c683e5a7221d20a80c1 *Source\WinObjEx64\ui.h
94be7b80c1fd8bbc3208b8370962b8cc8827cacb1ccb8136023bf21fb5fccb69 *Source\WinObjEx64\wine.c
3d81ad5d6123ea2a980c53ceb59525dbbafd7f42a2438b1ba2de80b777df555d *Source\WinObjEx64\wine.h
48318790f345418b5b2e03ec624258701bdc9deadefc48aa27ee6266dc95caac *Source\WinObjEx64\winedebug.h
b721490158e2fd022d404ce6895d2bcb0e788843638049b6f9a45e1cd381caac *Source\WinObjEx64\WinObjEx64.vcxproj
02889fe9112a2021892c427aea0446f43bb0da2131a6701c4c3bce6d5fd98ada *Source\WinObjEx64\WinObjEx64.vcxproj.filters
4684de385df6592457e8c5071593fcf709cd59b69fe9ffbedafb4d9fa8016b3f *Source\WinObjEx64\WinObjEx64.vcxproj
e24519235833384334df1623617ba30dd4cfb17469284952e546c833c8f4cbe6 *Source\WinObjEx64\WinObjEx64.vcxproj.filters
d9f508722dcd611b15bc3f5a4c39316ce00fbf712b879726eaee7652fcdc4fd9 *Source\WinObjEx64\WinObjEx64.vcxproj.user
277e9810d5f23dbb4b078b4a0b21ac11dce1e6924a2ec7aede31563ee00bd131 *Source\WinObjEx64\extras\extras.c
d3faf1ca46ea09c764964be6e34763739b293cf60117a6e796026f173fb4ed0c *Source\WinObjEx64\extras\extras.h
@ -147,7 +150,7 @@ d3faf1ca46ea09c764964be6e34763739b293cf60117a6e796026f173fb4ed0c *Source\WinObjE
d21e27bf35c5add1eedec3234fb358fbbc4c585c3de22326ac9581b59a8983d0 *Source\WinObjEx64\extras\extrasIPC.h
162e535515bc682b36b02a7fb0b1ace5507937a8770b4b89581b556cfeb0cd24 *Source\WinObjEx64\extras\extrasPN.c
64e75cbaa0ce129f674a9a441a3045f37e74f853f34fd93caac5533bb174a019 *Source\WinObjEx64\extras\extrasPN.h
461088010c4ba5b85ae970e1b87894e99897b36823fad308c85acd9ddec1084b *Source\WinObjEx64\extras\extrasPSList.c
2dede17ee9da4035a47ef006d2cc23663e9f5de12449de6e1e8c91c714452981 *Source\WinObjEx64\extras\extrasPSList.c
b7aa665c89b297d329f45e2a8b61fd379f778dcf01ae50c339f87da06bb0ff46 *Source\WinObjEx64\extras\extrasPSList.h
f5cd689fc8bf4722af5317e4f0e86df568c08129d34441ab2aad2bee54d4bdd1 *Source\WinObjEx64\extras\extrasSL.c
4244c8135ae3737d421d0cca525b786dbc3305670178cc2da5c56613248e7875 *Source\WinObjEx64\extras\extrasSL.h
@ -169,7 +172,7 @@ ee611560bd097cf394093dea2581b56e0b3e11d54638253cd5fae3509075634f *Source\WinObjE
63e0d91face043a963502c93382fc2ce6d3736ac64b874b7fd7b92ceda93802d *Source\WinObjEx64\props\propDriver.c
8dd63e57115728cdea4c326e5cde9acfe6015b2b088ec36022cd9f81e216e179 *Source\WinObjEx64\props\propDriver.h
721bf384ee6ba44cb118a4bfde7ffba669024059e3120b8cae40e98228eba6df *Source\WinObjEx64\props\propDriverConsts.h
7de0daea93e67563bc517b28e2294e964444e54fd20568f5029f43059a9df815 *Source\WinObjEx64\props\propObjectDump.c
612f2c5950f2664a95e5baa4cbf2b96bceaa838b4c02428e96c168c985429a39 *Source\WinObjEx64\props\propObjectDump.c
da1cf96a7d85faec3db810f5c4061a6322c252fcead01cbf8ac728e7deffee23 *Source\WinObjEx64\props\propObjectDump.h
f0c817c2a4011fcb1d09f8e9397291d22f79bcff6e62129a5fd97c5411c1a7b2 *Source\WinObjEx64\props\propObjectDumpConsts.h
dfb703240f301c52ed22ff6dd858551d02e5e78d95e529015bbde2d0742f7065 *Source\WinObjEx64\props\propProcess.c
@ -239,5 +242,7 @@ bf3105d704464eb6fdb0f722e0d9baec7f7951337826c9e774330ad8070a971b *Source\WinObjE
d4876437f5ea4c307b3894ff6a4ccd10922a366167104bb78b1103ebadd4f483 *Source\WinObjEx64\rsrc\mailslot.ico
4af9d3481fbe6423bb5b0187a3d5ea165b962aa0f53ce32502a85788c2575f94 *Source\WinObjEx64\rsrc\obex.manifest
9c908e205f42861f5ce840cf07886009fe7fad09352820508757ae8d8f6a34ae *Source\WinObjEx64\rsrc\pipe.ico
7a29a33ca1bcda43bbf9dcf89c4ad20f4740220b08020b1f780859df3b9d6917 *Source\WinObjEx64\tests\testunit.c
57694ad9a44570b2614ce32ffecd3e14c1de9f2f8d1fb13ad69cb650ac2c1124 *Source\WinObjEx64\tests\testunit.c
57fca251b667971a01557f1da9c1041f3011e27218022789919f7725fb4741fa *Source\WinObjEx64\tests\testunit.h
86663cc7ae93ccb0fe0a38c33ca45e7baeffc2d0ccf68580ff1b8c275ca63539 *Source\WinObjEx64\tinyaes\aes.c
bb61c3c80d2eeea55001ffabcdbf6245188c2fc86f8fad90bdc8d31917f5611a *Source\WinObjEx64\tinyaes\aes.h