diff --git a/Compiled/WinObjEx64.exe b/Compiled/WinObjEx64.exe
index 8ebf3f8..1f5808b 100644
Binary files a/Compiled/WinObjEx64.exe and b/Compiled/WinObjEx64.exe differ
diff --git a/Source/CHANGELOG.txt b/Source/CHANGELOG.txt
index 38a8820..b9ef707 100644
--- a/Source/CHANGELOG.txt
+++ b/Source/CHANGELOG.txt
@@ -1,3 +1,7 @@
+v1.8.4
++ support of additional helper driver
++ fix Windows 7 regressions
+
v1.8.3
internal rearrange
ported to msvc 2019 (with backward compatibility to 2017)
diff --git a/Source/FILELIST.txt b/Source/FILELIST.txt
index 563b2bf..a81a0c0 100644
--- a/Source/FILELIST.txt
+++ b/Source/FILELIST.txt
@@ -3,6 +3,11 @@ winobjex64\aboutDlg.h
* About dialog routines including window dialog procedure
+winobjex64\drvhelper.c
+winobjex64\drvhelper.h
+
+* Support for WinIo as additional memory read driver (mitigations enabled)
+
winobjex64\excepth.c
winobjex64\excepth.h
@@ -188,9 +193,8 @@ shared\treelist\treelist.h
winobjex64\wine.h
winobjex64\wine.c
-winobjex64\winedebug.h
-* Wine support files
+* Wine support header file
winobjex64\global.h
diff --git a/Source/Plugins/Sonar/ndis.h b/Source/Plugins/Sonar/ndis.h
index de77012..62d6b8b 100644
--- a/Source/Plugins/Sonar/ndis.h
+++ b/Source/Plugins/Sonar/ndis.h
@@ -1,6 +1,7 @@
/************************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2019, translated from Microsoft sources/symbols with help of pdbex
+* (C) COPYRIGHT AUTHORS, 2019 - 2020
+* Translated from Microsoft sources/symbols with help of pdbex
*
* TITLE: NDIS.H
*
@@ -163,29 +164,6 @@ typedef enum _NDIS_OPEN_UNBIND_REASON
UnbindReasonPnPNotifyBinding = 7,
} NDIS_OPEN_UNBIND_REASON, *PNDIS_OPEN_UNBIND_REASON;
-typedef enum _INTERFACE_TYPE {
- InterfaceTypeUndefined = -1,
- Internal,
- Isa,
- Eisa,
- MicroChannel,
- TurboChannel,
- PCIBus,
- VMEBus,
- NuBus,
- PCMCIABus,
- CBus,
- MPIBus,
- MPSABus,
- ProcessorInternal,
- InternalPowerBus,
- PNPISABus,
- PNPBus,
- Vmcs,
- ACPIBus,
- MaximumInterfaceType
-} INTERFACE_TYPE, *PINTERFACE_TYPE;
-
typedef enum _NDIS_INTERFACE_TYPE
{
NdisInterfaceInternal = Internal,
diff --git a/Source/Shared/ntos/halamd64.h b/Source/Shared/ntos/halamd64.h
new file mode 100644
index 0000000..3825a98
--- /dev/null
+++ b/Source/Shared/ntos/halamd64.h
@@ -0,0 +1,260 @@
+/************************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2014 - 2020
+* Taken from publicly available Microsoft sources or mentioned elsewhere.
+*
+* TITLE: HALAMD64.H
+*
+* VERSION: 1.11
+*
+* DATE: 12 Feb 2020
+*
+* Common header file for the ntos HAL AMD64 definitions.
+*
+* Depends on: Windows.h
+*
+* Include: Windows.h
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+************************************************************************************/
+
+#ifndef HALAMD64_RTL
+#define HALAMD64_RTL
+
+#pragma warning(push)
+#pragma warning(disable: 4214)
+
+//
+// HALAMD64_RTL HEADER BEGIN
+//
+
+#pragma pack(push,2)
+
+typedef struct _FAR_JMP_16 {
+ UCHAR OpCode; // = 0xe9
+ USHORT Offset;
+} FAR_JMP_16;
+
+typedef struct _FAR_TARGET_32 {
+ ULONG Offset;
+ USHORT Selector;
+} FAR_TARGET_32;
+
+typedef struct _PSEUDO_DESCRIPTOR_32 {
+ USHORT Limit;
+ ULONG Base;
+} PSEUDO_DESCRIPTOR_32;
+
+#pragma pack(pop)
+
+typedef union _KGDTENTRY64 {
+ struct {
+ USHORT LimitLow;
+ USHORT BaseLow;
+ union {
+ struct {
+ UCHAR BaseMiddle;
+ UCHAR Flags1;
+ UCHAR Flags2;
+ UCHAR BaseHigh;
+ } Bytes;
+
+ struct {
+ ULONG BaseMiddle : 8;
+ ULONG Type : 5;
+ ULONG Dpl : 2;
+ ULONG Present : 1;
+ ULONG LimitHigh : 4;
+ ULONG System : 1;
+ ULONG LongMode : 1;
+ ULONG DefaultBig : 1;
+ ULONG Granularity : 1;
+ ULONG BaseHigh : 8;
+ } Bits;
+ };
+
+ ULONG BaseUpper;
+ ULONG MustBeZero;
+ };
+
+ ULONG64 Alignment;
+} KGDTENTRY64, * PKGDTENTRY64;
+
+typedef union _KIDTENTRY64 {
+ struct {
+ USHORT OffsetLow;
+ USHORT Selector;
+ USHORT IstIndex : 3;
+ USHORT Reserved0 : 5;
+ USHORT Type : 5;
+ USHORT Dpl : 2;
+ USHORT Present : 1;
+ USHORT OffsetMiddle;
+ ULONG OffsetHigh;
+ ULONG Reserved1;
+ };
+
+ ULONG64 Alignment;
+} KIDTENTRY64, * PKIDTENTRY64;
+
+typedef union _KGDT_BASE {
+ struct {
+ USHORT BaseLow;
+ UCHAR BaseMiddle;
+ UCHAR BaseHigh;
+ ULONG BaseUpper;
+ };
+
+ ULONG64 Base;
+} KGDT_BASE, * PKGDT_BASE;
+
+typedef union _KGDT_LIMIT {
+ struct {
+ USHORT LimitLow;
+ USHORT LimitHigh : 4;
+ USHORT MustBeZero : 12;
+ };
+
+ ULONG Limit;
+} KGDT_LIMIT, * PKGDT_LIMIT;
+
+#define PSB_GDT32_MAX 3
+
+typedef struct _KDESCRIPTOR {
+ USHORT Pad[3];
+ USHORT Limit;
+ PVOID Base;
+} KDESCRIPTOR, * PKDESCRIPTOR;
+
+typedef struct _KDESCRIPTOR32 {
+ USHORT Pad[3];
+ USHORT Limit;
+ ULONG Base;
+} KDESCRIPTOR32, * PKDESCRIPTOR32;
+
+typedef struct _KSPECIAL_REGISTERS {
+ ULONG64 Cr0;
+ ULONG64 Cr2;
+ ULONG64 Cr3;
+ ULONG64 Cr4;
+ ULONG64 KernelDr0;
+ ULONG64 KernelDr1;
+ ULONG64 KernelDr2;
+ ULONG64 KernelDr3;
+ ULONG64 KernelDr6;
+ ULONG64 KernelDr7;
+ KDESCRIPTOR Gdtr;
+ KDESCRIPTOR Idtr;
+ USHORT Tr;
+ USHORT Ldtr;
+ ULONG MxCsr;
+ ULONG64 DebugControl;
+ ULONG64 LastBranchToRip;
+ ULONG64 LastBranchFromRip;
+ ULONG64 LastExceptionToRip;
+ ULONG64 LastExceptionFromRip;
+ ULONG64 Cr8;
+ ULONG64 MsrGsBase;
+ ULONG64 MsrGsSwap;
+ ULONG64 MsrStar;
+ ULONG64 MsrLStar;
+ ULONG64 MsrCStar;
+ ULONG64 MsrSyscallMask;
+} KSPECIAL_REGISTERS, * PKSPECIAL_REGISTERS;
+
+typedef struct _KPROCESSOR_STATE {
+ KSPECIAL_REGISTERS SpecialRegisters;
+ CONTEXT ContextFrame;
+} KPROCESSOR_STATE, * PKPROCESSOR_STATE;
+
+typedef struct _PROCESSOR_START_BLOCK* PPROCESSOR_START_BLOCK;
+
+typedef struct _PROCESSOR_START_BLOCK {
+
+ //
+ // The block starts with a jmp instruction to the end of the block
+ //
+
+ FAR_JMP_16 Jmp;
+
+ //
+ // Completion flag is set to non-zero when the target processor has
+ // started
+ //
+
+ ULONG CompletionFlag;
+
+ //
+ // Pseudo descriptors for GDT and IDT.
+ //
+
+ PSEUDO_DESCRIPTOR_32 Gdt32;
+ PSEUDO_DESCRIPTOR_32 Idt32;
+
+ //
+ // The temporary 32-bit GDT itself resides here.
+ //
+
+ KGDTENTRY64 Gdt[PSB_GDT32_MAX + 1];
+
+ //
+ // Physical address of the 64-bit top-level identity-mapped page table.
+ //
+
+ ULONG64 TiledCr3;
+
+ //
+ // Far jump target from Rm to Pm code
+ //
+
+ FAR_TARGET_32 PmTarget;
+
+ //
+ // Far jump target from Pm to Lm code
+ //
+
+ FAR_TARGET_32 LmIdentityTarget;
+
+ //
+ // Address of LmTarget
+ //
+
+ PVOID LmTarget;
+
+ //
+ // Linear address of this structure
+ //
+
+ PPROCESSOR_START_BLOCK SelfMap;
+
+ //
+ // Contents of the PAT msr
+ //
+
+ ULONG64 MsrPat;
+
+ //
+ // Contents of the EFER msr
+ //
+
+ ULONG64 MsrEFER;
+
+ //
+ // Initial processor state for the processor to be started
+ //
+
+ KPROCESSOR_STATE ProcessorState;
+
+} PROCESSOR_START_BLOCK;
+
+#pragma warning(pop)
+
+//
+// HALAMD64_RTL HEADER END
+//
+
+#endif HALAMD64_RTL
diff --git a/Source/Shared/ntos/ntos.h b/Source/Shared/ntos/ntos.h
index 59ea638..2668242 100644
--- a/Source/Shared/ntos/ntos.h
+++ b/Source/Shared/ntos/ntos.h
@@ -5,9 +5,9 @@
*
* TITLE: NTOS.H
*
-* VERSION: 1.126
+* VERSION: 1.131
*
-* DATE: 22 Jan 2020
+* DATE: 17 Feb 2020
*
* Common header file for the ntos API functions and definitions.
*
@@ -88,6 +88,7 @@ typedef ULONGLONG REGHANDLE, *PREGHANDLE;
typedef PVOID *PDEVICE_MAP;
typedef PVOID PHEAD;
typedef struct _IO_TIMER* PIO_TIMER;
+typedef LARGE_INTEGER PHYSICAL_ADDRESS;
#ifndef _WIN32_WINNT_WIN10
#define _WIN32_WINNT_WIN10 0x0A00
@@ -494,6 +495,31 @@ typedef struct _IO_STATUS_BLOCK {
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+#ifndef INTERFACE_TYPE
+typedef enum _INTERFACE_TYPE {
+ InterfaceTypeUndefined = -1,
+ Internal,
+ Isa,
+ Eisa,
+ MicroChannel,
+ TurboChannel,
+ PCIBus,
+ VMEBus,
+ NuBus,
+ PCMCIABus,
+ CBus,
+ MPIBus,
+ MPSABus,
+ ProcessorInternal,
+ InternalPowerBus,
+ PNPISABus,
+ PNPBus,
+ Vmcs,
+ ACPIBus,
+ MaximumInterfaceType
+} INTERFACE_TYPE, * PINTERFACE_TYPE;
+#endif
+
/*
** FileCache and MemoryList START
*/
@@ -6192,8 +6218,8 @@ NTSYSAPI
VOID
NTAPI
RtlInitString(
- _Inout_ PSTRING DestinationString,
- _In_ PCSZ SourceString);
+ _Out_ PSTRING DestinationString,
+ _In_opt_ PCSZ SourceString);
NTSYSAPI
VOID
@@ -6985,6 +7011,118 @@ RtlGetSaclSecurityDescriptor(
_Out_ PACL *Sacl,
_Out_ PBOOLEAN SaclDefaulted);
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCreateSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ ULONG Revision);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetOwnerSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ PSID Owner,
+ _In_ BOOLEAN OwnerDefaulted);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlCopySecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor,
+ _Out_ PSECURITY_DESCRIPTOR* OutputSecurityDescriptor);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlMakeSelfRelativeSD(
+ _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
+ _Out_writes_bytes_(*BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
+ _Inout_ PULONG BufferLength);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAbsoluteToSelfRelativeSD(
+ _In_ PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
+ _Out_writes_bytes_to_opt_(*BufferLength, *BufferLength) PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
+ _Inout_ PULONG BufferLength);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSelfRelativeToAbsoluteSD(
+ _In_ PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor,
+ _Out_writes_bytes_to_opt_(*AbsoluteSecurityDescriptorSize, *AbsoluteSecurityDescriptorSize) PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor,
+ _Inout_ PULONG AbsoluteSecurityDescriptorSize,
+ _Out_writes_bytes_to_opt_(*DaclSize, *DaclSize) PACL Dacl,
+ _Inout_ PULONG DaclSize,
+ _Out_writes_bytes_to_opt_(*SaclSize, *SaclSize) PACL Sacl,
+ _Inout_ PULONG SaclSize,
+ _Out_writes_bytes_to_opt_(*OwnerSize, *OwnerSize) PSID Owner,
+ _Inout_ PULONG OwnerSize,
+ _Out_writes_bytes_to_opt_(*PrimaryGroupSize, *PrimaryGroupSize) PSID PrimaryGroup,
+ _Inout_ PULONG PrimaryGroupSize);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetDaclSecurityDescriptor(
+ _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ BOOLEAN DaclPresent,
+ _In_opt_ PACL Dacl,
+ _In_opt_ BOOLEAN DaclDefaulted);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetDaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PBOOLEAN DaclPresent,
+ _Out_ PACL* Dacl,
+ _Out_ PBOOLEAN DaclDefaulted);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetSaclSecurityDescriptor(
+ _Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ BOOLEAN SaclPresent,
+ _In_opt_ PACL Sacl,
+ _In_opt_ BOOLEAN SaclDefaulted);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlGetSaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _Out_ PBOOLEAN SaclPresent,
+ _Out_ PACL* Sacl,
+ _Out_ PBOOLEAN SaclDefaulted);
+
+NTSYSAPI
+ULONG
+NTAPI
+RtlLengthSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
+
+_Check_return_
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlValidSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
+
+_Check_return_
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlValidRelativeSecurityDescriptor(
+ _In_reads_bytes_(SecurityDescriptorLength) PSECURITY_DESCRIPTOR SecurityDescriptorInput,
+ _In_ ULONG SecurityDescriptorLength,
+ _In_ SECURITY_INFORMATION RequiredInformation);
+
NTSYSAPI
NTSTATUS
NTAPI
@@ -7176,25 +7314,26 @@ RtlAddMandatoryAce(
_In_ UCHAR AceType,
_In_ ACCESS_MASK AccessMask);
+NTSYSAPI
+PVOID
+NTAPI
+RtlFindAceByType(
+ _In_ PACL pAcl,
+ _In_ UCHAR AceType,
+ _Out_opt_ PULONG pIndex);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlOwnerAcesPresent(
+ _In_ PACL pAcl);
+
NTSYSAPI
NTSTATUS
NTAPI
RtlDefaultNpAcl(
_Out_ PACL *Acl);
-NTSYSAPI
-ULONG
-NTAPI
-RtlLengthSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlMapGenericMask(
- _In_ PACCESS_MASK AccessMask,
- _In_ PGENERIC_MAPPING GenericMapping);
-
NTSYSAPI
BOOLEAN
NTAPI
@@ -7319,29 +7458,10 @@ RtlCreateServiceSid(
_Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid,
_Inout_ PULONG ServiceSidLength);
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCreateSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _In_ ULONG Revision);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlSetOwnerSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _In_ PSID Owner,
- _In_ BOOLEAN OwnerDefaulted);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCopySecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor,
- _Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor);
-
-FORCEINLINE LUID NTAPI RtlConvertLongToLuid(
+FORCEINLINE
+LUID
+NTAPI
+RtlConvertLongToLuid(
_In_ LONG Long
)
{
@@ -7354,6 +7474,20 @@ FORCEINLINE LUID NTAPI RtlConvertLongToLuid(
return(TempLuid);
}
+FORCEINLINE
+LUID
+RtlConvertUlongToLuid(
+ _In_ ULONG Ulong
+)
+{
+ LUID tempLuid;
+
+ tempLuid.LowPart = Ulong;
+ tempLuid.HighPart = 0;
+
+ return tempLuid;
+}
+
NTSYSAPI
ULONG
NTAPI
@@ -7383,6 +7517,33 @@ RtlAdjustPrivilege(
_In_ BOOLEAN Client,
_Out_ PBOOLEAN WasEnabled);
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlAreAllAccessesGranted(
+ _In_ ACCESS_MASK GrantedAccess,
+ _In_ ACCESS_MASK DesiredAccess);
+
+NTSYSAPI
+BOOLEAN
+NTAPI
+RtlAreAnyAccessesGranted(
+ _In_ ACCESS_MASK GrantedAccess,
+ _In_ ACCESS_MASK DesiredAccess);
+
+NTSYSAPI
+VOID
+NTAPI
+RtlMapGenericMask(
+ _In_ PACCESS_MASK AccessMask,
+ _In_ PGENERIC_MAPPING GenericMapping);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlImpersonateSelf(
+ _In_ SECURITY_IMPERSONATION_LEVEL ImpersonationLevel);
+
/************************************************************************************
*
* RTL Version API.
diff --git a/Source/WinObjEx64/Resource.rc b/Source/WinObjEx64/Resource.rc
index 844badd..b9aeb18 100644
Binary files a/Source/WinObjEx64/Resource.rc and b/Source/WinObjEx64/Resource.rc differ
diff --git a/Source/WinObjEx64/WinObjEx64.vcxproj b/Source/WinObjEx64/WinObjEx64.vcxproj
index 82d29a6..e3196a2 100644
--- a/Source/WinObjEx64/WinObjEx64.vcxproj
+++ b/Source/WinObjEx64/WinObjEx64.vcxproj
@@ -77,7 +77,7 @@
v142
true
Unicode
- false
+ Spectre
@@ -210,6 +210,10 @@
false
+
+
+ _UseOwnDriver;%(PreprocessorDefinitions)
+
@@ -225,10 +229,10 @@
Size
true
MultiThreaded
- Guard
$(SolutionDir)\Shared;$(ProjectDir);$(ProjectDir)\props;$(ProjectDir)\extras
CompileAsC
true
+ Guard
Windows
@@ -278,12 +282,12 @@
Speed
true
MultiThreaded
- Guard
true
All
CompileAsC
$(SolutionDir)\Shared;$(ProjectDir);$(ProjectDir)\props;$(ProjectDir)\extras
true
+ Guard
Windows
@@ -329,12 +333,12 @@
Speed
true
MultiThreaded
- Guard
true
All
CompileAsC
$(SolutionDir)\Shared;$(ProjectDir);$(ProjectDir)\props;$(ProjectDir)\extras
true
+ Guard
Windows
@@ -383,10 +387,10 @@
Size
true
MultiThreaded
- Guard
CompileAsC
$(SolutionDir)\Shared;$(ProjectDir);$(ProjectDir)\props;$(ProjectDir)\extras
true
+ Guard
Windows
@@ -449,6 +453,7 @@
+
@@ -479,6 +484,7 @@
+
@@ -490,11 +496,13 @@
+
+
@@ -538,6 +546,7 @@
+
diff --git a/Source/WinObjEx64/WinObjEx64.vcxproj.filters b/Source/WinObjEx64/WinObjEx64.vcxproj.filters
index e5bd209..410c693 100644
--- a/Source/WinObjEx64/WinObjEx64.vcxproj.filters
+++ b/Source/WinObjEx64/WinObjEx64.vcxproj.filters
@@ -40,6 +40,9 @@
{4d7e372d-ac61-4fa4-bbce-43b2b3e1e125}
+
+ {ae7f1c88-69d2-406e-a44a-9dddafd020c3}
+
@@ -216,6 +219,12 @@
treelist
+
+ Source Files
+
+
+ tinyaes
+
@@ -385,6 +394,15 @@
Header Files
+
+ Header Files
+
+
+ ntos
+
+
+ tinyaes
+
diff --git a/Source/WinObjEx64/aboutDlg.c b/Source/WinObjEx64/aboutDlg.c
index 12e4c08..3bcbb12 100644
--- a/Source/WinObjEx64/aboutDlg.c
+++ b/Source/WinObjEx64/aboutDlg.c
@@ -4,9 +4,9 @@
*
* TITLE: ABOUTDLG.C
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 16 Jan 2020
+* DATE: 12 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -537,6 +537,11 @@ VOID AboutDialogCollectGlobals(
AddParameterValueUlong(hwndOutput, TEXT("UseExperimentalFeatures"), g_WinObj.UseExperimentalFeatures);
AddParameterValueUlong(hwndOutput, TEXT("IsWine"), g_WinObj.IsWine);
+ //
+ // For MMIO usage.
+ //
+ AddParameterValueUlong(hwndOutput, TEXT("EnableFullMitigations"), g_WinObj.EnableFullMitigations);
+
//
// List other data.
//
diff --git a/Source/WinObjEx64/driver.rc b/Source/WinObjEx64/driver.rc
index 80de144..5aa8179 100644
--- a/Source/WinObjEx64/driver.rc
+++ b/Source/WinObjEx64/driver.rc
@@ -4,5 +4,9 @@ LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
#ifndef _UseOwnDriver
IDR_KDBGDRV SYS "..\\drvstore\\kldbgdrv.sys"
#else
+#ifdef _UseWinIo
+IDR_KDBGDRV SYS "..\\drvstore\\ene64drv.sys"
+#else
IDR_KDBGDRV SYS "..\\drvstore\\wodbgdrv.sys"
#endif
+#endif
diff --git a/Source/WinObjEx64/drvhelper.c b/Source/WinObjEx64/drvhelper.c
new file mode 100644
index 0000000..d63e030
--- /dev/null
+++ b/Source/WinObjEx64/drvhelper.c
@@ -0,0 +1,501 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2020
+*
+* TITLE: DRVHELPER.C
+*
+* VERSION: 1.84
+*
+* DATE: 18 Feb 2020
+*
+* WinIo based VM-through-PM reader, used only in private builds, WHQL.
+*
+* Note:
+*
+* WinObjEx64 apply multiple security mitigations when uses this driver.
+* WinIo is known to be vulnerable by design.
+*
+* MINIMUM SUPPORTED OS WINDOWS 7
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "ntos/halamd64.h"
+
+#define PHY_ADDRESS_MASK 0x000ffffffffff000ull
+#define PHY_ADDRESS_MASK_2MB_PAGES 0x000fffffffe00000ull
+#define VADDR_ADDRESS_MASK_2MB_PAGES 0x00000000001fffffull
+#define VADDR_ADDRESS_MASK_4KB_PAGES 0x0000000000000fffull
+#define ENTRY_PRESENT_BIT 1
+#define ENTRY_PAGE_SIZE_BIT 0x0000000000000080ull
+
+#include "tinyaes/aes.h"
+
+//
+// AES key used by EneTechIo latest variants.
+//
+ULONG g_EneTechIoUnlockKey[4] = { 0x54454E45, 0x4E484345, 0x474F4C4F, 0x434E4959 };
+
+
+int PwEntryToPhyAddr(ULONG_PTR entry, ULONG_PTR* phyaddr)
+{
+ if (entry & ENTRY_PRESENT_BIT) {
+ *phyaddr = entry & PHY_ADDRESS_MASK;
+ return 1;
+ }
+
+ return 0;
+}
+
+NTSTATUS PwVirtualToPhysical(
+ _In_ HANDLE DeviceHandle,
+ _In_ provQueryPML4 QueryPML4Routine,
+ _In_ provReadPhysicalMemory ReadPhysicalMemoryRoutine,
+ _In_ ULONG_PTR VirtualAddress,
+ _Out_ ULONG_PTR* PhysicalAddress)
+{
+ NTSTATUS ntStatus;
+ ULONG_PTR pml4_cr3, selector, table, entry = 0;
+ INT r, shift;
+
+ ntStatus = QueryPML4Routine(DeviceHandle, &pml4_cr3);
+ if (!NT_SUCCESS(ntStatus))
+ return ntStatus;
+
+ table = pml4_cr3 & PHY_ADDRESS_MASK;
+
+ for (r = 0; r < 4; r++) {
+
+ shift = 39 - (r * 9);
+ selector = (VirtualAddress >> shift) & 0x1ff;
+
+ ntStatus = ReadPhysicalMemoryRoutine(DeviceHandle,
+ table + selector * 8,
+ &entry,
+ sizeof(ULONG_PTR));
+
+ if (!NT_SUCCESS(ntStatus))
+ return ntStatus;
+
+ if (PwEntryToPhyAddr(entry, &table) == 0)
+ return STATUS_INTERNAL_ERROR;
+
+ if ((r == 2) && ((entry & ENTRY_PAGE_SIZE_BIT) != 0)) {
+ table &= PHY_ADDRESS_MASK_2MB_PAGES;
+ table += VirtualAddress & VADDR_ADDRESS_MASK_2MB_PAGES;
+ *PhysicalAddress = table;
+ return STATUS_SUCCESS;
+ }
+ }
+
+ table += VirtualAddress & VADDR_ADDRESS_MASK_4KB_PAGES;
+ *PhysicalAddress = table;
+
+ return STATUS_SUCCESS;
+}
+
+/*
+* WinIoCallDriver
+*
+* Purpose:
+*
+* Call WinIo driver.
+*
+*/
+NTSTATUS WinIoCallDriver(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG IoControlCode,
+ _In_ PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _In_opt_ PVOID OutputBuffer,
+ _In_opt_ ULONG OutputBufferLength)
+{
+ IO_STATUS_BLOCK ioStatus;
+
+ return NtDeviceIoControlFile(DeviceHandle,
+ NULL,
+ NULL,
+ NULL,
+ &ioStatus,
+ IoControlCode,
+ InputBuffer,
+ InputBufferLength,
+ OutputBuffer,
+ OutputBufferLength);
+}
+
+/*
+* WinIoMapMemory
+*
+* Purpose:
+*
+* Map physical memory through \Device\PhysicalMemory.
+*
+*/
+NTSTATUS WinIoMapMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ ULONG NumberOfBytes,
+ _Out_ HANDLE* SectionHandle,
+ _Out_ PVOID* ReferencedObject,
+ _Out_ PVOID* MappedMemory)
+{
+ ULONG seconds;
+ NTSTATUS ntStatus;
+ AES_ctx ctx;
+ WINIO_PHYSICAL_MEMORY_INFO_EX request;
+
+ *SectionHandle = NULL;
+ *ReferencedObject = NULL;
+
+ RtlSecureZeroMemory(&ctx, sizeof(ctx));
+ AES_init_ctx(&ctx, (uint8_t*)&g_EneTechIoUnlockKey);
+
+ RtlSecureZeroMemory(&request, sizeof(request));
+ request.CommitSize = NumberOfBytes;
+ request.BusAddress = PhysicalAddress;
+
+ seconds = supGetTimeAsSecondsSince1970();
+
+ RtlCopyMemory(&request.EncryptedKey, (PVOID)&seconds, sizeof(seconds));
+ AES_ECB_encrypt(&ctx, (UCHAR*)&request.EncryptedKey);
+
+ ntStatus = WinIoCallDriver(DeviceHandle,
+ IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY,
+ &request,
+ sizeof(request),
+ &request,
+ sizeof(request));
+
+ if (NT_SUCCESS(ntStatus)) {
+ *SectionHandle = request.SectionHandle;
+ *ReferencedObject = request.ReferencedObject;
+ *MappedMemory = request.BaseAddress;
+ }
+
+ return ntStatus;
+}
+
+/*
+* WinIoUnmapMemory
+*
+* Purpose:
+*
+* Unmap previously mapped physical memory.
+*
+*/
+NTSTATUS WinIoUnmapMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ PVOID SectionToUnmap,
+ _In_ HANDLE SectionHandle,
+ _In_ PVOID ReferencedObject
+)
+{
+ ULONG seconds;
+ AES_ctx ctx;
+ WINIO_PHYSICAL_MEMORY_INFO_EX request;
+
+ RtlSecureZeroMemory(&ctx, sizeof(ctx));
+ AES_init_ctx(&ctx, (uint8_t*)&g_EneTechIoUnlockKey);
+
+ RtlSecureZeroMemory(&request, sizeof(request));
+ request.BaseAddress = SectionToUnmap;
+ request.ReferencedObject = ReferencedObject;
+ request.SectionHandle = SectionHandle;
+
+ seconds = supGetTimeAsSecondsSince1970();
+
+ RtlCopyMemory(&request.EncryptedKey, (PVOID)&seconds, sizeof(ULONG));
+ AES_ECB_encrypt(&ctx, (UCHAR*)&request.EncryptedKey);
+
+ return WinIoCallDriver(DeviceHandle,
+ IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY,
+ &request,
+ sizeof(request),
+ &request,
+ sizeof(request));
+
+}
+
+/*
+* WinIoGetPML4FromLowStub1M
+*
+* Purpose:
+*
+* Search for PML4 (CR3) entry in low stub.
+*
+*/
+ULONG_PTR WinIoGetPML4FromLowStub1M(
+ _In_ ULONG_PTR pbLowStub1M)
+{
+ ULONG offset = 0;
+ ULONG_PTR PML4 = 0;
+ ULONG cr3_offset = FIELD_OFFSET(PROCESSOR_START_BLOCK, ProcessorState) +
+ FIELD_OFFSET(KSPECIAL_REGISTERS, Cr3);
+
+ SetLastError(ERROR_EXCEPTION_IN_SERVICE);
+
+ __try {
+
+ while (offset < 0x100000) {
+
+ offset += 0x1000;
+
+ if (0x00000001000600E9 != (0xffffffffffff00ff & *(UINT64*)(pbLowStub1M + offset))) //PROCESSOR_START_BLOCK->Jmp
+ continue;
+
+ if (0xfffff80000000000 != (0xfffff80000000003 & *(UINT64*)(pbLowStub1M + offset + FIELD_OFFSET(PROCESSOR_START_BLOCK, LmTarget))))
+ continue;
+
+ if (0xffffff0000000fff & *(UINT64*)(pbLowStub1M + offset + cr3_offset))
+ continue;
+
+ PML4 = *(UINT64*)(pbLowStub1M + offset + cr3_offset);
+ break;
+ }
+
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER) {
+ return 0;
+ }
+
+ SetLastError(ERROR_SUCCESS);
+
+ return PML4;
+}
+
+/*
+* WinIoQueryPML4Value
+*
+* Purpose:
+*
+* Locate PML4.
+*
+*/
+NTSTATUS WINAPI WinIoQueryPML4Value(
+ _In_ HANDLE DeviceHandle,
+ _Out_ ULONG_PTR* Value)
+{
+ NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
+ ULONG_PTR PML4 = 0;
+
+ PVOID pbLowStub1M = NULL;
+ PVOID refObject = NULL;
+ HANDLE sectionHandle = NULL;
+
+ *Value = 0;
+
+ do {
+
+ ntStatus = WinIoMapMemory(DeviceHandle,
+ 0ULL,
+ 0x100000,
+ §ionHandle,
+ &refObject,
+ &pbLowStub1M);
+
+ if (!NT_SUCCESS(ntStatus))
+ break;
+
+ if (pbLowStub1M == NULL) {
+ ntStatus = STATUS_INTERNAL_ERROR;
+ break;
+ }
+
+ PML4 = WinIoGetPML4FromLowStub1M((ULONG_PTR)pbLowStub1M);
+ if (PML4)
+ *Value = PML4;
+ else
+ *Value = 0;
+
+ WinIoUnmapMemory(DeviceHandle,
+ (PVOID)pbLowStub1M,
+ sectionHandle,
+ refObject);
+
+ ntStatus = (PML4 != 0) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
+
+ } while (FALSE);
+
+ return ntStatus;
+}
+
+/*
+* WinIoReadPhysicalMemory
+*
+* Purpose:
+*
+* Read physical memory through mapping.
+*
+*/
+NTSTATUS WINAPI WinIoReadPhysicalMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes)
+{
+ NTSTATUS ntStatus;
+ PVOID mappedSection = NULL;
+
+ PVOID refObject = NULL;
+ HANDLE sectionHandle = NULL;
+
+ //
+ // Map physical memory section.
+ //
+ ntStatus = WinIoMapMemory(DeviceHandle,
+ PhysicalAddress,
+ NumberOfBytes,
+ §ionHandle,
+ &refObject,
+ &mappedSection);
+
+ if (NT_SUCCESS(ntStatus)) {
+
+ __try {
+
+ RtlCopyMemory(Buffer, mappedSection, NumberOfBytes);
+
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER)
+ {
+ ntStatus = GetExceptionCode();
+ }
+
+ //
+ // Unmap physical memory section.
+ //
+ WinIoUnmapMemory(DeviceHandle,
+ mappedSection,
+ sectionHandle,
+ refObject);
+
+ }
+
+ return ntStatus;
+}
+
+/*
+* WinIoVirtualToPhysical
+*
+* Purpose:
+*
+* Translate virtual address to the physical.
+*
+*/
+NTSTATUS WINAPI WinIoVirtualToPhysical(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR VirtualAddress,
+ _Out_ ULONG_PTR* PhysicalAddress)
+{
+ if (PhysicalAddress)
+ *PhysicalAddress = 0;
+ else {
+ return STATUS_INVALID_PARAMETER_3;
+ }
+
+ return PwVirtualToPhysical(DeviceHandle,
+ WinIoQueryPML4Value,
+ WinIoReadPhysicalMemory,
+ VirtualAddress,
+ PhysicalAddress);
+}
+
+/*
+* WinIoReadKernelVirtualMemory
+*
+* Purpose:
+*
+* Read virtual memory.
+*
+*/
+NTSTATUS WINAPI WinIoReadKernelVirtualMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR Address,
+ _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
+ _In_ ULONG NumberOfBytes)
+{
+ NTSTATUS ntStatus;
+ ULONG_PTR physicalAddress = 0;
+
+ ntStatus = WinIoVirtualToPhysical(DeviceHandle,
+ Address,
+ &physicalAddress);
+
+ if (NT_SUCCESS(ntStatus)) {
+
+ ntStatus = WinIoReadPhysicalMemory(DeviceHandle,
+ physicalAddress,
+ Buffer,
+ NumberOfBytes);
+
+ }
+
+ return ntStatus;
+}
+
+/*
+* WinIoReadSystemMemoryEx
+*
+* Purpose:
+*
+* Read kernel virtual memory.
+*
+*/
+BOOL WinIoReadSystemMemoryEx(
+ _In_ ULONG_PTR Address,
+ _Inout_ PVOID Buffer,
+ _In_ ULONG BufferSize,
+ _Out_opt_ PULONG NumberOfBytesRead
+)
+{
+ BOOL bResult = FALSE;
+ IO_STATUS_BLOCK iost;
+ NTSTATUS ntStatus;
+ PVOID lockedBuffer = NULL;
+
+ if (NumberOfBytesRead)
+ *NumberOfBytesRead = 0;
+
+ lockedBuffer = supVirtualAlloc(BufferSize);
+ if (lockedBuffer) {
+
+ if (VirtualLock(lockedBuffer, BufferSize)) {
+
+ ntStatus = WinIoReadKernelVirtualMemory(g_kdctx.DeviceHandle,
+ Address,
+ lockedBuffer,
+ BufferSize);
+
+ if (!NT_SUCCESS(ntStatus)) {
+
+ iost.Status = ntStatus;
+ iost.Information = 0;
+
+ if (g_kdctx.ShowKdError)
+ kdShowError(BufferSize, ntStatus, &iost);
+ else
+ SetLastError(RtlNtStatusToDosError(ntStatus));
+ }
+ else {
+ if (NumberOfBytesRead)
+ *NumberOfBytesRead = BufferSize;
+
+ RtlCopyMemory(Buffer, lockedBuffer, BufferSize);
+
+ bResult = TRUE;
+ }
+
+ VirtualUnlock(lockedBuffer, BufferSize);
+ }
+
+ supVirtualFree(lockedBuffer);
+ }
+
+ return bResult;
+}
diff --git a/Source/WinObjEx64/drvhelper.h b/Source/WinObjEx64/drvhelper.h
new file mode 100644
index 0000000..e694289
--- /dev/null
+++ b/Source/WinObjEx64/drvhelper.h
@@ -0,0 +1,64 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2020
+*
+* TITLE: DRVHELPER.H
+*
+* VERSION: 1.84
+*
+* DATE: 14 Feb 2019
+*
+* Common header file for the Kernel Driver Helper support.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+#define FILE_DEVICE_WINIO (DWORD)0x00008010
+
+#define WINIO_IOCTL_INDEX (DWORD)0x810
+
+#define WINIO_MAP_FUNCID (DWORD)WINIO_IOCTL_INDEX
+#define WINIO_UNMAP_FUNCID (DWORD)WINIO_IOCTL_INDEX + 1
+
+#define IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY \
+ CTL_CODE(FILE_DEVICE_WINIO, WINIO_MAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+#define IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY \
+ CTL_CODE(FILE_DEVICE_WINIO, WINIO_UNMAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+typedef struct _WINIO_PHYSICAL_MEMORY_INFO_EX {
+ ULONG_PTR CommitSize;
+ ULONG_PTR BusAddress;
+ HANDLE SectionHandle;
+ PVOID BaseAddress;
+ PVOID ReferencedObject;
+ UCHAR EncryptedKey[16];
+} WINIO_PHYSICAL_MEMORY_INFO_EX, * PWINIO_PHYSICAL_MEMORY_INFO_EX;
+
+//
+// Prototype for read physical memory function.
+//
+typedef NTSTATUS(WINAPI* provReadPhysicalMemory)(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ PVOID Buffer,
+ _In_ ULONG NumberOfBytes);
+
+//
+// Prototype for query PML4 value function.
+//
+typedef NTSTATUS(WINAPI* provQueryPML4)(
+ _In_ HANDLE DeviceHandle,
+ _Out_ ULONG_PTR* Value);
+
+BOOL WinIoReadSystemMemoryEx(
+ _In_ ULONG_PTR Address,
+ _Inout_ PVOID Buffer,
+ _In_ ULONG BufferSize,
+ _Out_opt_ PULONG NumberOfBytesRead);
diff --git a/Source/WinObjEx64/extras/extrasPSList.c b/Source/WinObjEx64/extras/extrasPSList.c
index 3e19977..f5811b2 100644
--- a/Source/WinObjEx64/extras/extrasPSList.c
+++ b/Source/WinObjEx64/extras/extrasPSList.c
@@ -4,9 +4,9 @@
*
* TITLE: EXTRASPSLIST.C
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 05 Jan 2020
+* DATE: 20 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -1010,17 +1010,32 @@ DWORD WINAPI CreateProcessListProc(
if (bRefresh) {
RtlDestroyHeap(g_PsListHeap);
g_PsListHeap = RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
- if (g_PsListHeap == NULL)
+ if (g_PsListHeap == NULL) {
+
+ MessageBox(PsDlgContext.hwndDlg,
+ TEXT("Could not allocate heap for process enumeration"),
+ NULL,
+ MB_ICONERROR);
+
__leave;
+ }
}
ServiceEnumType = SERVICE_WIN32 | SERVICE_INTERACTIVE_PROCESS;
- if (g_NtBuildNumber >= NT_WIN10_THRESHOLD1)
+ if (g_NtBuildNumber >= NT_WIN10_THRESHOLD1) {
ServiceEnumType |= SERVICE_USER_SERVICE | SERVICE_USERSERVICE_INSTANCE;
+ }
+
+ if (!supCreateSCMSnapshot(ServiceEnumType, &ServicesList)) {
+
+ MessageBox(PsDlgContext.hwndDlg,
+ TEXT("Error building services list"),
+ NULL,
+ MB_ICONERROR);
- if (!supCreateSCMSnapshot(ServiceEnumType, &ServicesList))
__leave;
+ }
RtlQuickSort(ServicesList.Entries,
ServicesList.NumberOfEntries,
@@ -1028,10 +1043,27 @@ DWORD WINAPI CreateProcessListProc(
PsxSCMLookupCallback);
InfoBuffer = supGetSystemInfo(SystemProcessInformation, NULL);
- if (InfoBuffer == NULL)
- __leave;
+ if (InfoBuffer == NULL) {
+
+ MessageBox(PsDlgContext.hwndDlg,
+ TEXT("Error query process list"),
+ NULL,
+ MB_ICONERROR);
+
+ __leave;
+ }
+
+ if (!supPHLCreate(&g_PsListHead,
+ (PBYTE)InfoBuffer,
+ &nProcesses,
+ &nThreads))
+ {
+
+ MessageBox(PsDlgContext.hwndDlg,
+ TEXT("Error building handle list"),
+ NULL,
+ MB_ICONERROR);
- if (!supPHLCreate(&g_PsListHead, (PBYTE)InfoBuffer, &nProcesses, &nThreads)) {
__leave;
}
diff --git a/Source/WinObjEx64/global.h b/Source/WinObjEx64/global.h
index a659b06..be0bd04 100644
--- a/Source/WinObjEx64/global.h
+++ b/Source/WinObjEx64/global.h
@@ -4,9 +4,9 @@
*
* TITLE: GLOBAL.H
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 16 Jan 2020
+* DATE: 13 Feb 2020
*
* Common header file for the Windows Object Explorer.
*
@@ -79,6 +79,7 @@
#include "objects.h"
#include "kldbg.h"
+#include "drvhelper.h"
#include "ui.h"
#include "sup.h"
#include "supConsts.h"
@@ -93,7 +94,6 @@
#include
#endif
-
typedef int(__cdecl *pswprintf_s)(
wchar_t *buffer,
size_t sizeOfBuffer,
@@ -118,6 +118,7 @@ extern ULONG g_CurrentDPI;
typedef struct _WINOBJ_GLOBALS {
BOOLEAN UseExperimentalFeatures;
BOOLEAN IsWine;
+ BOOLEAN EnableFullMitigations;
HINSTANCE hInstance;
HANDLE Heap;
LPWSTR CurrentObjectPath;
diff --git a/Source/WinObjEx64/kldbg.c b/Source/WinObjEx64/kldbg.c
index d062c6d..437d1fb 100644
--- a/Source/WinObjEx64/kldbg.c
+++ b/Source/WinObjEx64/kldbg.c
@@ -4,9 +4,9 @@
*
* TITLE: KLDBG.C, based on KDSubmarine by Evilcry
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 24 Jan 2020
+* DATE: 15 Feb 2020
*
* MINIMUM SUPPORTED OS WINDOWS 7
*
@@ -35,6 +35,11 @@ NOTIFICATION_CALLBACKS g_SystemCallbacks;
UCHAR ObpInfoMaskToOffset[0x100];
+NTSTATUS kdOpenDeviceDriver(
+ _In_ LPCWSTR DriverName,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE DeviceHandle);
+
/*
* ObFindAddress
@@ -2509,14 +2514,14 @@ VOID kdShowError(
}
/*
-* kdReadSystemMemoryEx
+* kdpReadSystemMemoryEx
*
* Purpose:
*
* Wrapper around SysDbgReadVirtual request to the KLDBGDRV
*
*/
-BOOL kdReadSystemMemoryEx(
+BOOL kdpReadSystemMemoryEx(
_In_ ULONG_PTR Address,
_Inout_ PVOID Buffer,
_In_ ULONG BufferSize,
@@ -2881,12 +2886,16 @@ NTSTATUS kdLoadDeviceDriver(
_In_ LPCWSTR DriverPath
)
{
- NTSTATUS status = STATUS_UNSUCCESSFUL;
+ NTSTATUS status;
DWORD dwData, dwResult;
HKEY keyHandle = NULL;
SIZE_T keyOffset;
UNICODE_STRING driverServiceName, driverImagePath;
+ HANDLE deviceHandle = NULL;
+ ULONG sdLength = 0;
+ PSECURITY_DESCRIPTOR driverSD = NULL;
+
WCHAR szBuffer[MAX_PATH + 1];
if (DriverName == NULL)
@@ -2894,12 +2903,17 @@ NTSTATUS kdLoadDeviceDriver(
if (DriverPath == NULL)
return STATUS_INVALID_PARAMETER_2;
+ status = supCreateSystemAdminAccessSD(&driverSD, &sdLength);
+ if (!NT_SUCCESS(status))
+ return status;
+
RtlInitEmptyUnicodeString(&driverImagePath, NULL, 0);
if (!RtlDosPathNameToNtPathName_U(DriverPath,
&driverImagePath,
NULL,
NULL))
{
+ supHeapFree(driverSD);
return STATUS_INVALID_PARAMETER_2;
}
@@ -2993,6 +3007,15 @@ NTSTATUS kdLoadDeviceDriver(
if (supEnablePrivilege(SE_LOAD_DRIVER_PRIVILEGE, TRUE)) {
RtlInitUnicodeString(&driverServiceName, szBuffer);
status = NtLoadDriver(&driverServiceName);
+
+ status = kdOpenDeviceDriver(KLDBGDRV, WRITE_DAC, &deviceHandle);
+ if (NT_SUCCESS(status)) {
+ status = NtSetSecurityObject(deviceHandle,
+ DACL_SECURITY_INFORMATION,
+ driverSD);
+ NtClose(deviceHandle);
+ }
+
supEnablePrivilege(SE_LOAD_DRIVER_PRIVILEGE, FALSE);
}
else {
@@ -3000,6 +3023,7 @@ NTSTATUS kdLoadDeviceDriver(
}
Cleanup:
+ supHeapFree(driverSD);
RtlFreeUnicodeString(&driverImagePath);
return status;
}
@@ -3068,6 +3092,7 @@ NTSTATUS kdUnloadDeviceDriver(
*/
NTSTATUS kdOpenDeviceDriver(
_In_ LPCWSTR DriverName,
+ _In_ ACCESS_MASK DesiredAccess,
_Out_ PHANDLE DeviceHandle
)
{
@@ -3101,7 +3126,7 @@ NTSTATUS kdOpenDeviceDriver(
InitializeObjectAttributes(&obja, &usDeviceLink, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = NtCreateFile(DeviceHandle,
- GENERIC_READ | GENERIC_WRITE,
+ DesiredAccess,
&obja,
&iost,
NULL,
@@ -3206,7 +3231,7 @@ VOID kdInit(
#else
- if (!NT_SUCCESS(kdOpenDeviceDriver(KLDBGDRV, &g_kdctx.DeviceHandle))) {
+ if (!NT_SUCCESS(kdOpenDeviceDriver(KLDBGDRV, GENERIC_READ | GENERIC_WRITE, &g_kdctx.DeviceHandle))) {
#endif /* _USE_OWN_DRIVER */
@@ -3240,12 +3265,16 @@ VOID kdInit(
g_kdctx.IsOurLoad = NT_SUCCESS(kdLoadDeviceDriver(KLDBGDRV, szDrvPath));
if (g_kdctx.IsOurLoad) {
- g_kdctx.DriverOpenLoadStatus = kdOpenDeviceDriver(KLDBGDRV, &g_kdctx.DeviceHandle);
+ g_kdctx.DriverOpenLoadStatus = kdOpenDeviceDriver(KLDBGDRV,
+ GENERIC_READ | GENERIC_WRITE, &g_kdctx.DeviceHandle);
}
#endif /* _USE_OWN_DRIVER */
}
+ else {
+ g_kdctx.DriverOpenLoadStatus = STATUS_SUCCESS;
+ }
}
@@ -3264,6 +3293,63 @@ VOID kdInit(
}
}
+/*
+* kdpRemoveDriverFile
+*
+* Purpose:
+*
+* Delete driver file.
+*
+*/
+VOID kdpRemoveDriverFile()
+{
+ WCHAR szDrvPath[MAX_PATH * 2];
+
+ //
+ // Driver file is no longer needed - remove it from disk.
+ //
+ RtlSecureZeroMemory(&szDrvPath, sizeof(szDrvPath));
+ _strcpy(szDrvPath, g_WinObj.szSystemDirectory);
+ _strcat(szDrvPath, KLDBGDRVSYS);
+ DeleteFile(szDrvPath);
+}
+
+/*
+* kdpUnloadWindbgDriver
+*
+* Purpose:
+*
+* Unload driver, unregister and remove service and delete driver file.
+*
+*/
+VOID kdpUnloadWindbgDriver()
+{
+ //
+ // If we loaded Windbg driver - unload it, otherwise leave it as is.
+ //
+ if (g_kdctx.IsOurLoad) {
+ //
+ // Windbg recreates service and drops file everytime when kernel debug starts.
+ //
+ scmUnloadDeviceDriver(KLDBGDRV, NULL);
+ kdpRemoveDriverFile();
+ }
+}
+
+/*
+* kdpUnloadHelperDriver
+*
+* Purpose:
+*
+* Unload helper driver, delete registry entry and delete driver file.
+*
+*/
+VOID kdpUnloadHelperDriver()
+{
+ kdUnloadDeviceDriver(KLDBGDRV, TRUE);
+ kdpRemoveDriverFile();
+}
+
/*
* kdShutdown
*
@@ -3278,39 +3364,25 @@ VOID kdShutdown(
VOID
)
{
- WCHAR szDrvPath[MAX_PATH * 2];
-
+ //
+ // Close device handle and make it invalid.
+ //
if (g_kdctx.DeviceHandle) {
CloseHandle(g_kdctx.DeviceHandle);
g_kdctx.DeviceHandle = NULL;
}
+ //
+ // Destroy collection if present.
+ //
ObCollectionDestroy(&g_kdctx.ObCollection);
RtlDeleteCriticalSection(&g_kdctx.ObCollectionLock);
- //
- // Driver was loaded, unload it.
- // Windbg recreates service and drops file everytime when kernel debug starts.
- //
- if (g_kdctx.IsOurLoad) {
#ifndef _USE_OWN_DRIVER
-
- scmUnloadDeviceDriver(KLDBGDRV, NULL);
-
+ kdpUnloadWindbgDriver();
#else
-
- kdUnloadDeviceDriver(KLDBGDRV, TRUE);
-
-#endif /* _USE_OWN_DRIVER */
-
- //
- // Driver file is no longer needed - remove it from disk.
- //
- RtlSecureZeroMemory(&szDrvPath, sizeof(szDrvPath));
- _strcpy(szDrvPath, g_WinObj.szSystemDirectory);
- _strcat(szDrvPath, KLDBGDRVSYS);
- DeleteFile(szDrvPath);
- }
+ kdpUnloadHelperDriver();
+#endif
if (g_kdctx.NtOsImageMap) {
FreeLibrary((HMODULE)g_kdctx.NtOsImageMap);
diff --git a/Source/WinObjEx64/kldbg.h b/Source/WinObjEx64/kldbg.h
index 1c48fab..00fa868 100644
--- a/Source/WinObjEx64/kldbg.h
+++ b/Source/WinObjEx64/kldbg.h
@@ -4,9 +4,9 @@
*
* TITLE: KLDBG.H
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 13 Jan 2019
+* DATE: 18 Feb 2019
*
* Common header file for the Kernel Debugger Driver support.
*
@@ -20,9 +20,14 @@
#define IOCTL_KD_PASS_THROUGH CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1, METHOD_NEITHER, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
-#ifdef _USE_OWN_DRIVER
+#ifdef _USE_OWN_DRIVER
+#ifdef _USE_WINIO
+#define KLDBGDRV L"EneTechIo"
+#define KLDBGDRVSYS L"\\drivers\\ene64drv.sys"
+#else
#define KLDBGDRV L"wodbgdrv"
#define KLDBGDRVSYS L"\\drivers\\wodbgdrv.sys"
+#endif
#else
#define KLDBGDRV L"kldbgdrv"
#define KLDBGDRVSYS L"\\drivers\\kldbgdrv.sys"
@@ -202,10 +207,10 @@ typedef struct _OBJREF {
#define NT_WIN10_19H2 18363
// Windows 10 20H1
-#define NTX_WIN10_20H1 19037
+#define NTX_WIN10_20H1 19037
// Windows 10 20H2
-#define NTX_WIN10_20H2 19536
+#define NTX_WIN10_20H2 19536
//
// Defines for boundary descriptors
@@ -360,12 +365,22 @@ BOOL kdFindKiServiceTable(
ULONG_PTR kdQueryWin32kApiSetTable(
_In_ HMODULE hWin32k);
-BOOL kdReadSystemMemoryEx(
+BOOL kdpReadSystemMemoryEx(
_In_ ULONG_PTR Address,
_Inout_ PVOID Buffer,
_In_ ULONG BufferSize,
_Out_opt_ PULONG NumberOfBytesRead);
+#ifdef _USE_OWN_DRIVER
+#ifdef _USE_WINIO
+#define kdReadSystemMemoryEx WinIoReadSystemMemoryEx
+#else
+#define kdReadSystemMemoryEx kdpReadSystemMemoryEx
+#endif
+#else
+#define kdReadSystemMemoryEx kdpReadSystemMemoryEx
+#endif
+
#define kdReadSystemMemory(Address, Buffer, BufferSize) \
kdReadSystemMemoryEx(Address, Buffer, BufferSize, NULL)
diff --git a/Source/WinObjEx64/main.c b/Source/WinObjEx64/main.c
index eeba252..576b14a 100644
--- a/Source/WinObjEx64/main.c
+++ b/Source/WinObjEx64/main.c
@@ -930,6 +930,15 @@ INT WinObjInitGlobals(
do {
RtlSecureZeroMemory(&g_WinObj, sizeof(g_WinObj));
+#ifdef _USE_OWN_DRIVER
+ //
+ // The quality of MMIO driver is outstanding, try to reduce possible impact.
+ //
+ g_WinObj.EnableFullMitigations = TRUE;
+#else
+ g_WinObj.EnableFullMitigations = FALSE;
+#endif
+
g_WinObj.IsWine = IsWine;
//
diff --git a/Source/WinObjEx64/plugmngr.c b/Source/WinObjEx64/plugmngr.c
index c86e0a7..c0146cb 100644
--- a/Source/WinObjEx64/plugmngr.c
+++ b/Source/WinObjEx64/plugmngr.c
@@ -291,6 +291,11 @@ DWORD WINAPI PluginManagerWorkerThread(
FindClose(hFile);
}
+ //
+ // Must be called after plugin manager startup as plugins are not signed by MS.
+ //
+ supSetProcessMitigationImagesPolicy();
+
ExitThread(0);
}
diff --git a/Source/WinObjEx64/props/propObjectDump.c b/Source/WinObjEx64/props/propObjectDump.c
index 050e4ea..056745a 100644
--- a/Source/WinObjEx64/props/propObjectDump.c
+++ b/Source/WinObjEx64/props/propObjectDump.c
@@ -4,9 +4,9 @@
*
* TITLE: PROPOBJECTDUMP.C
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 26 Jan 2020
+* DATE: 12 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -3050,8 +3050,8 @@ VOID propObxDumpAlpcPortCommunicationInfo(
)
{
HTREEITEM h_tviSubItem;
- PBYTE Buffer = NULL;
- ULONG BufferSize = 0;
+ PBYTE dumpBuffer = NULL;
+ ULONG bufferSize = 0, readSize = 0;
union {
union {
@@ -3064,28 +3064,29 @@ VOID propObxDumpAlpcPortCommunicationInfo(
if ((StructureVersion == 0) || (StructureVersion > 2)) return;
if (StructureVersion == 1) {
- BufferSize = sizeof(ALPC_COMMUNICATION_INFO_V1);
+ bufferSize = sizeof(ALPC_COMMUNICATION_INFO_V1);
}
else {
- BufferSize = sizeof(ALPC_COMMUNICATION_INFO_V2);
+ bufferSize = sizeof(ALPC_COMMUNICATION_INFO_V2);
}
- BufferSize = ALIGN_UP_BY(BufferSize, PAGE_SIZE);
- Buffer = (PBYTE)supVirtualAlloc(BufferSize);
- if (Buffer == NULL)
+ readSize = bufferSize;
+ bufferSize = ALIGN_UP_BY(bufferSize, PAGE_SIZE);
+ dumpBuffer = (PBYTE)supVirtualAlloc(bufferSize);
+ if (dumpBuffer == NULL)
return;
if (!kdReadSystemMemoryEx(
StructureAddress,
- Buffer,
- BufferSize,
+ dumpBuffer,
+ readSize,
NULL))
{
- supVirtualFree(Buffer);
+ supVirtualFree(dumpBuffer);
return;
}
- AlpcPortCommunicationInfo.Ref = Buffer;
+ AlpcPortCommunicationInfo.Ref = dumpBuffer;
//
// Dump version unaffected fields.
@@ -3186,7 +3187,7 @@ VOID propObxDumpAlpcPortCommunicationInfo(
0,
0);
}
- supVirtualFree(Buffer);
+ supVirtualFree(dumpBuffer);
}
/*
diff --git a/Source/WinObjEx64/sup.c b/Source/WinObjEx64/sup.c
index cb75752..a27d10b 100644
--- a/Source/WinObjEx64/sup.c
+++ b/Source/WinObjEx64/sup.c
@@ -4,9 +4,9 @@
*
* TITLE: SUP.C
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 26 Jan 2020
+* DATE: 18 Feb 2020
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -516,7 +516,6 @@ BOOL supDumpSyscallTableConverted(
*Table = NULL;
memIO = ServiceLimit * sizeof(ULONG);
-
ServiceTableDumped = (PULONG)supHeapAlloc(memIO);
if (ServiceTableDumped) {
bytesRead = 0;
@@ -1203,7 +1202,7 @@ VOID supRunAsAdmin(
)
{
SHELLEXECUTEINFO shinfo;
- WCHAR szPath[MAX_PATH + 1];
+ WCHAR szPath[MAX_PATH + 1];
RtlSecureZeroMemory(&szPath, sizeof(szPath));
if (GetModuleFileName(NULL, szPath, MAX_PATH)) {
@@ -1363,7 +1362,7 @@ BOOL supIsSymbolicLinkObject(
)
{
LVITEM lvItem;
-
+
lvItem.mask = LVIF_PARAM;
lvItem.iItem = iItem;
lvItem.iSubItem = 0;
@@ -1537,6 +1536,105 @@ BOOL supxQueryKnownDllsLink(
return bResult;
}
+/*
+* supSetProcessMitigationImagesPolicy
+*
+* Purpose:
+*
+* Enable images policy mitigation.
+*
+* N.B. Must be called after plugin manager initialization.
+*
+*/
+VOID supSetProcessMitigationImagesPolicy()
+{
+ PROCESS_MITIGATION_POLICY_INFORMATION policyInfo;
+
+ if (g_WinObj.EnableFullMitigations) {
+
+ policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessSignaturePolicy;
+ policyInfo.SignaturePolicy.Flags = 0;
+ policyInfo.SignaturePolicy.MicrosoftSignedOnly = TRUE;
+ policyInfo.SignaturePolicy.MitigationOptIn = TRUE;
+
+ NtSetInformationProcess(NtCurrentProcess(),
+ ProcessMitigationPolicy,
+ &policyInfo,
+ sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
+
+ policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessImageLoadPolicy;
+ policyInfo.ImageLoadPolicy.Flags = 0;
+ policyInfo.ImageLoadPolicy.PreferSystem32Images = TRUE;
+ policyInfo.ImageLoadPolicy.NoLowMandatoryLabelImages = TRUE;
+
+ NtSetInformationProcess(NtCurrentProcess(),
+ ProcessMitigationPolicy,
+ &policyInfo,
+ sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
+
+ }
+}
+
+/*
+* supxSetProcessMitigationPolicies
+*
+* Purpose:
+*
+* Enable mitigations.
+*
+*/
+VOID supxSetProcessMitigationPolicies()
+{
+ PROCESS_MITIGATION_POLICY_INFORMATION policyInfo;
+
+ if (g_WinObj.EnableFullMitigations) {
+
+ policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessExtensionPointDisablePolicy;
+ policyInfo.ExtensionPointDisablePolicy.Flags = 0;
+ policyInfo.ExtensionPointDisablePolicy.DisableExtensionPoints = TRUE;
+
+ NtSetInformationProcess(NtCurrentProcess(),
+ ProcessMitigationPolicy,
+ &policyInfo,
+ sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
+
+ policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessASLRPolicy;
+ policyInfo.ASLRPolicy.Flags = 0;
+ policyInfo.ASLRPolicy.EnableHighEntropy = TRUE;
+ policyInfo.ASLRPolicy.EnableBottomUpRandomization = TRUE;
+ policyInfo.ASLRPolicy.EnableForceRelocateImages = TRUE;
+
+ NtSetInformationProcess(NtCurrentProcess(),
+ ProcessMitigationPolicy,
+ &policyInfo,
+ sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
+
+ policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessDynamicCodePolicy;
+ policyInfo.DynamicCodePolicy.Flags = 0;
+ policyInfo.DynamicCodePolicy.ProhibitDynamicCode = TRUE;
+
+ NtSetInformationProcess(NtCurrentProcess(),
+ ProcessMitigationPolicy,
+ &policyInfo,
+ sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
+
+ /*
+
+ Enabled by settings for Release variants
+
+ policyInfo.Policy = (PROCESS_MITIGATION_POLICY)ProcessControlFlowGuardPolicy;
+ policyInfo.ControlFlowGuardPolicy.Flags = 0;
+ policyInfo.ControlFlowGuardPolicy.EnableControlFlowGuard = TRUE;
+
+ NtSetInformationProcess(NtCurrentProcess(),
+ ProcessMitigationPolicy,
+ &policyInfo,
+ sizeof(PROCESS_MITIGATION_POLICY_INFORMATION));
+ */
+
+ }
+}
+
/*
* supInit
*
@@ -1553,6 +1651,8 @@ VOID supInit(
{
NTSTATUS status;
+ supxSetProcessMitigationPolicies();
+
#pragma warning(push)
#pragma warning(disable: 6031)
CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
@@ -1704,11 +1804,11 @@ BOOL supQueryLinkTarget(
return bResult;
}
- InitializeObjectAttributes(&objectAttr,
+ InitializeObjectAttributes(&objectAttr,
ObjectName, OBJ_CASE_INSENSITIVE, RootDirectoryHandle, NULL);
-
- ntStatus = NtOpenSymbolicLinkObject(&linkHandle,
- SYMBOLIC_LINK_QUERY,
+
+ ntStatus = NtOpenSymbolicLinkObject(&linkHandle,
+ SYMBOLIC_LINK_QUERY,
&objectAttr);
if (!NT_SUCCESS(ntStatus) || (linkHandle == NULL)) {
@@ -1724,8 +1824,8 @@ BOOL supQueryLinkTarget(
infoUString.Length = (USHORT)cLength;
infoUString.MaximumLength = (USHORT)(cLength + sizeof(UNICODE_NULL));
- ntStatus = NtQuerySymbolicLinkObject(linkHandle,
- &infoUString,
+ ntStatus = NtQuerySymbolicLinkObject(linkHandle,
+ &infoUString,
NULL);
bResult = (NT_SUCCESS(ntStatus));
@@ -1963,6 +2063,72 @@ BOOL supQueryProcessNameByEPROCESS(
return bFound;
}
+/*
+* supxEnumServicesStatus
+*
+* Purpose:
+*
+* Enumerate services status to the buffer.
+*
+*/
+BOOL supxEnumServicesStatus(
+ _In_ SC_HANDLE schSCManager,
+ _In_ ULONG ServiceType,
+ _Out_ PBYTE *Services,
+ _Out_ DWORD *ServicesReturned
+)
+{
+ BOOL bResult = FALSE;
+ LPBYTE servicesBuffer = NULL;
+ DWORD dwSize = PAGE_SIZE, dwBytesNeeded = 0, dwServicesReturned = 0, c = 0;
+ DWORD dwLastError = ERROR_SUCCESS;
+
+ *Services = NULL;
+ *ServicesReturned = 0;
+
+ do {
+ servicesBuffer = (LPBYTE)supVirtualAlloc(dwSize);
+ if (servicesBuffer != NULL) {
+
+ bResult = EnumServicesStatusEx(
+ schSCManager,
+ SC_ENUM_PROCESS_INFO,
+ ServiceType,
+ SERVICE_STATE_ALL,
+ servicesBuffer,
+ dwSize,
+ &dwBytesNeeded,
+ &dwServicesReturned,
+ NULL,
+ NULL);
+
+ dwLastError = GetLastError();
+
+ }
+ else {
+ return FALSE;
+ }
+
+ if (dwLastError == ERROR_MORE_DATA) {
+ supVirtualFree(servicesBuffer);
+ servicesBuffer = NULL;
+ dwSize += dwBytesNeeded;
+ c++;
+ if (c >= 20) {
+ break;
+ }
+ }
+ else {
+ *ServicesReturned = dwServicesReturned;
+ *Services = servicesBuffer;
+ break;
+ }
+
+ } while (dwLastError == ERROR_MORE_DATA);
+
+ return bResult;
+}
+
/*
* supCreateSCMSnapshot
*
@@ -1980,7 +2146,7 @@ BOOL supCreateSCMSnapshot(
{
BOOL bResult = FALSE;
SC_HANDLE schSCManager;
- DWORD dwBytesNeeded = 0, dwServicesReturned = 0, dwSize;
+ DWORD dwServicesReturned = 0;
PVOID Services = NULL;
do {
@@ -1991,58 +2157,14 @@ BOOL supCreateSCMSnapshot(
if (schSCManager == NULL)
break;
- //
- // Query required memory size for snapshot.
- //
- dwSize = PAGE_SIZE;
- Services = supVirtualAlloc(dwSize);
- if (Services == NULL)
- break;
-
- bResult = EnumServicesStatusEx(
- schSCManager,
- SC_ENUM_PROCESS_INFO,
+ bResult = supxEnumServicesStatus(schSCManager,
ServiceType,
- SERVICE_STATE_ALL,
- (LPBYTE)Services,
- dwSize,
- &dwBytesNeeded,
- &dwServicesReturned,
- NULL,
- NULL);
-
- if (bResult == FALSE) {
- if (GetLastError() == ERROR_MORE_DATA) {
- //
- // Allocate required buffer.
- //
- supVirtualFree(Services);
- dwSize = (DWORD)ALIGN_UP_BY(dwBytesNeeded + sizeof(ENUM_SERVICE_STATUS_PROCESS), PAGE_SIZE);
- Services = supVirtualAlloc(dwSize);
- if (Services == NULL)
- break;
-
- bResult = EnumServicesStatusEx(
- schSCManager,
- SC_ENUM_PROCESS_INFO,
- ServiceType,
- SERVICE_STATE_ALL,
- (LPBYTE)Services,
- dwSize,
- &dwBytesNeeded,
- &dwServicesReturned,
- NULL,
- NULL);
-
- if (!bResult) {
- supVirtualFree(Services);
- Services = NULL;
- dwServicesReturned = 0;
- break;
- }
- } //ERROR_MORE_DATA
- } //bResult == FALSE;
+ (PBYTE*)&Services,
+ &dwServicesReturned);
+ if (!bResult)
+ break;
+
CloseServiceHandle(schSCManager);
} while (FALSE);
@@ -6538,7 +6660,159 @@ ULONG supHashString(
*
*/
ULONG supHashUnicodeString(
- _In_ CONST UNICODE_STRING* String)
+ _In_ CONST UNICODE_STRING * String)
{
return supHashString(String->Buffer, String->Length / sizeof(WCHAR));
}
+
+/*
+* supCreateSystemAdminAccessSD
+*
+* Purpose:
+*
+* Create security descriptor with Admin/System ACL set.
+*
+*/
+NTSTATUS supCreateSystemAdminAccessSD(
+ _Out_ PSECURITY_DESCRIPTOR* SecurityDescriptor,
+ _Out_opt_ PULONG Length
+)
+{
+ NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
+ PSID admSid = NULL;
+ PSID sysSid = NULL;
+ PACL sysAcl = NULL;
+ ULONG daclSize = 0;
+
+ PSECURITY_DESCRIPTOR securityDescriptor;
+
+ SID_IDENTIFIER_AUTHORITY sidAuthority = SECURITY_NT_AUTHORITY;
+
+ *SecurityDescriptor = NULL;
+
+ if (Length)
+ *Length = 0;
+
+ do {
+
+ securityDescriptor = (PSECURITY_DESCRIPTOR)supHeapAlloc(sizeof(SECURITY_DESCRIPTOR));
+ if (securityDescriptor == NULL) {
+ ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
+ break;
+ }
+
+ admSid = (PSID)supHeapAlloc(RtlLengthRequiredSid(2));
+ if (admSid == NULL) {
+ ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
+ break;
+ }
+
+ sysSid = (PSID)supHeapAlloc(RtlLengthRequiredSid(1));
+ if (sysSid == NULL) {
+ ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
+ break;
+ }
+
+ ntStatus = RtlInitializeSid(admSid, &sidAuthority, 2);
+ if (NT_SUCCESS(ntStatus)) {
+ *RtlSubAuthoritySid(admSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
+ *RtlSubAuthoritySid(admSid, 1) = DOMAIN_ALIAS_RID_ADMINS;
+ }
+ else {
+ break;
+ }
+
+ ntStatus = RtlInitializeSid(sysSid, &sidAuthority, 1);
+ if (NT_SUCCESS(ntStatus)) {
+ *RtlSubAuthoritySid(sysSid, 0) = SECURITY_LOCAL_SYSTEM_RID;
+ }
+ else {
+ break;
+ }
+
+ daclSize = sizeof(ACL) +
+ (2 * sizeof(ACCESS_ALLOWED_ACE)) +
+ RtlLengthSid(admSid) + RtlLengthSid(sysSid) +
+ SECURITY_DESCRIPTOR_MIN_LENGTH;
+
+ sysAcl = (PACL)supHeapAlloc(daclSize);
+ if (sysAcl == NULL) {
+ ntStatus = STATUS_MEMORY_NOT_ALLOCATED;
+ break;
+ }
+
+ ntStatus = RtlCreateAcl(sysAcl, daclSize - SECURITY_DESCRIPTOR_MIN_LENGTH, (ULONG)ACL_REVISION);
+ if (!NT_SUCCESS(ntStatus))
+ break;
+
+ ntStatus = RtlAddAccessAllowedAce(sysAcl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ sysSid);
+
+ if (!NT_SUCCESS(ntStatus))
+ break;
+
+ ntStatus = RtlAddAccessAllowedAce(sysAcl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ admSid);
+
+ if (!NT_SUCCESS(ntStatus))
+ break;
+
+ ntStatus = RtlCreateSecurityDescriptor(securityDescriptor,
+ SECURITY_DESCRIPTOR_REVISION1);
+
+ if (!NT_SUCCESS(ntStatus))
+ break;
+
+ ntStatus = RtlSetDaclSecurityDescriptor(securityDescriptor,
+ TRUE,
+ sysAcl,
+ FALSE);
+
+ if (!NT_SUCCESS(ntStatus))
+ break;
+
+ if (!RtlValidSecurityDescriptor(securityDescriptor))
+ break;
+
+ *SecurityDescriptor = securityDescriptor;
+
+ if (Length)
+ *Length = RtlLengthSecurityDescriptor(securityDescriptor);
+
+ } while (FALSE);
+
+ if (admSid != NULL) supHeapFree(admSid);
+ if (sysSid != NULL) supHeapFree(sysSid);
+ if (sysAcl != NULL) supHeapFree(sysAcl);
+
+ if (!NT_SUCCESS(ntStatus)) {
+ if (securityDescriptor != NULL)
+ supHeapFree(securityDescriptor);
+ }
+
+ return ntStatus;
+}
+
+/*
+* supGetTimeAsSecondsSince1970
+*
+* Purpose:
+*
+* Return seconds since 1970.
+*
+*/
+ULONG supGetTimeAsSecondsSince1970(
+ VOID
+)
+{
+ LARGE_INTEGER fileTime;
+ ULONG seconds = 0;
+
+ GetSystemTimeAsFileTime((PFILETIME)&fileTime);
+ RtlTimeToSecondsSince1970(&fileTime, &seconds);
+ return seconds;
+}
diff --git a/Source/WinObjEx64/sup.h b/Source/WinObjEx64/sup.h
index 9aa0481..33eef1e 100644
--- a/Source/WinObjEx64/sup.h
+++ b/Source/WinObjEx64/sup.h
@@ -4,9 +4,9 @@
*
* TITLE: SUP.H
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 05 Jan 2020
+* DATE: 15 Feb 2020
*
* Common header file for the program support routines.
*
@@ -677,3 +677,12 @@ ULONG supHashString(
ULONG supHashUnicodeString(
_In_ CONST UNICODE_STRING* String);
+
+NTSTATUS supCreateSystemAdminAccessSD(
+ _Out_ PSECURITY_DESCRIPTOR* SelfRelativeSD,
+ _Out_opt_ PULONG Length);
+
+VOID supSetProcessMitigationImagesPolicy();
+
+ULONG supGetTimeAsSecondsSince1970(
+ VOID);
diff --git a/Source/WinObjEx64/tests/testunit.c b/Source/WinObjEx64/tests/testunit.c
index cd365eb..fb2e587 100644
--- a/Source/WinObjEx64/tests/testunit.c
+++ b/Source/WinObjEx64/tests/testunit.c
@@ -4,9 +4,9 @@
*
* TITLE: TESTUNIT.C
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 05 Jan 2020
+* DATE: 12 Feb 2020
*
* Test code used while debug.
*
@@ -734,6 +734,7 @@ VOID PreHashTypes()
ObManagerTest();
}
+
VOID TestCall()
{
diff --git a/Source/WinObjEx64/tinyaes/aes.c b/Source/WinObjEx64/tinyaes/aes.c
new file mode 100644
index 0000000..6095d58
--- /dev/null
+++ b/Source/WinObjEx64/tinyaes/aes.c
@@ -0,0 +1,576 @@
+/*
+
+ Modified to compile with WinObjEx64.
+
+*/
+/*
+
+This is an implementation of the AES algorithm, specifically ECB, CTR and CBC mode.
+Block size can be chosen in aes.h - available choices are AES128, AES192, AES256.
+
+The implementation is verified against the test vectors in:
+ National Institute of Standards and Technology Special Publication 800-38A 2001 ED
+
+ECB-AES128
+----------
+
+ plain-text:
+ 6bc1bee22e409f96e93d7e117393172a
+ ae2d8a571e03ac9c9eb76fac45af8e51
+ 30c81c46a35ce411e5fbc1191a0a52ef
+ f69f2445df4f9b17ad2b417be66c3710
+
+ key:
+ 2b7e151628aed2a6abf7158809cf4f3c
+
+ resulting cipher
+ 3ad77bb40d7a3660a89ecaf32466ef97
+ f5d3d58503b9699de785895a96fdbaaf
+ 43b1cd7f598ece23881b00e3ed030688
+ 7b0c785e27e8ad3f8223207104725dd4
+
+
+NOTE: String length must be evenly divisible by 16byte (str_len % 16 == 0)
+ You should pad the end of the string with zeros if this is not the case.
+ For AES192/256 the key size is proportionally larger.
+
+*/
+
+
+/*****************************************************************************/
+/* Includes: */
+/*****************************************************************************/
+#include // CBC mode, for memset
+#include "aes.h"
+
+/*****************************************************************************/
+/* Defines: */
+/*****************************************************************************/
+// The number of columns comprising a state in AES. This is a constant in AES. Value=4
+#define Nb 4
+
+#if defined(AES256) && (AES256 == 1)
+ #define Nk 8
+ #define Nr 14
+#elif defined(AES192) && (AES192 == 1)
+ #define Nk 6
+ #define Nr 12
+#else
+ #define Nk 4 // The number of 32 bit words in a key.
+ #define Nr 10 // The number of rounds in AES Cipher.
+#endif
+
+// jcallan@github points out that declaring Multiply as a function
+// reduces code size considerably with the Keil ARM compiler.
+// See this link for more information: https://github.com/kokke/tiny-AES-C/pull/3
+#ifndef MULTIPLY_AS_A_FUNCTION
+ #define MULTIPLY_AS_A_FUNCTION 0
+#endif
+
+
+
+
+/*****************************************************************************/
+/* Private variables: */
+/*****************************************************************************/
+// state - array holding the intermediate results during decryption.
+typedef uint8_t state_t[4][4];
+
+
+
+// The lookup-tables are marked const so they can be placed in read-only storage instead of RAM
+// The numbers below can be computed dynamically trading ROM for RAM -
+// This can be useful in (embedded) bootloader applications, where ROM is often limited.
+static const uint8_t sbox[256] = {
+ //0 1 2 3 4 5 6 7 8 9 A B C D E F
+ 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+ 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+ 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+ 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+ 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+ 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+ 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+ 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+ 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+ 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+ 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+ 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+ 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+ 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+ 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+ 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 };
+
+static const uint8_t rsbox[256] = {
+ 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+ 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
+ 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
+ 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
+ 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
+ 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
+ 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
+ 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
+ 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
+ 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
+ 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
+ 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
+ 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
+ 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
+ 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d };
+
+// The round constant word array, Rcon[i], contains the values given by
+// x to the power (i-1) being powers of x (x is denoted as {02}) in the field GF(2^8)
+static const uint8_t Rcon[11] = {
+ 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 };
+
+/*
+ * Jordan Goulder points out in PR #12 (https://github.com/kokke/tiny-AES-C/pull/12),
+ * that you can remove most of the elements in the Rcon array, because they are unused.
+ *
+ * From Wikipedia's article on the Rijndael key schedule @ https://en.wikipedia.org/wiki/Rijndael_key_schedule#Rcon
+ *
+ * "Only the first some of these constants are actually used – up to rcon[10] for AES-128 (as 11 round keys are needed),
+ * up to rcon[8] for AES-192, up to rcon[7] for AES-256. rcon[0] is not used in AES algorithm."
+ */
+
+
+/*****************************************************************************/
+/* Private functions: */
+/*****************************************************************************/
+/*
+static uint8_t getSBoxValue(uint8_t num)
+{
+ return sbox[num];
+}
+*/
+#define getSBoxValue(num) (sbox[(num)])
+/*
+static uint8_t getSBoxInvert(uint8_t num)
+{
+ return rsbox[num];
+}
+*/
+#define getSBoxInvert(num) (rsbox[(num)])
+
+// This function produces Nb(Nr+1) round keys. The round keys are used in each round to decrypt the states.
+static void KeyExpansion(uint8_t* RoundKey, const uint8_t* Key)
+{
+ unsigned i, j, k;
+ uint8_t tempa[4]; // Used for the column/row operations
+
+ // The first round key is the key itself.
+ for (i = 0; i < Nk; ++i)
+ {
+ RoundKey[(i * 4) + 0] = Key[(i * 4) + 0];
+ RoundKey[(i * 4) + 1] = Key[(i * 4) + 1];
+ RoundKey[(i * 4) + 2] = Key[(i * 4) + 2];
+ RoundKey[(i * 4) + 3] = Key[(i * 4) + 3];
+ }
+
+ // All other round keys are found from the previous round keys.
+ for (i = Nk; i < Nb * (Nr + 1); ++i)
+ {
+ {
+ k = (i - 1) * 4;
+ tempa[0]=RoundKey[k + 0];
+ tempa[1]=RoundKey[k + 1];
+ tempa[2]=RoundKey[k + 2];
+ tempa[3]=RoundKey[k + 3];
+
+ }
+
+ if (i % Nk == 0)
+ {
+ // This function shifts the 4 bytes in a word to the left once.
+ // [a0,a1,a2,a3] becomes [a1,a2,a3,a0]
+
+ // Function RotWord()
+ {
+ const uint8_t u8tmp = tempa[0];
+ tempa[0] = tempa[1];
+ tempa[1] = tempa[2];
+ tempa[2] = tempa[3];
+ tempa[3] = u8tmp;
+ }
+
+ // SubWord() is a function that takes a four-byte input word and
+ // applies the S-box to each of the four bytes to produce an output word.
+
+ // Function Subword()
+ {
+ tempa[0] = getSBoxValue(tempa[0]);
+ tempa[1] = getSBoxValue(tempa[1]);
+ tempa[2] = getSBoxValue(tempa[2]);
+ tempa[3] = getSBoxValue(tempa[3]);
+ }
+
+ tempa[0] = tempa[0] ^ Rcon[i/Nk];
+ }
+#if defined(AES256) && (AES256 == 1)
+ if (i % Nk == 4)
+ {
+ // Function Subword()
+ {
+ tempa[0] = getSBoxValue(tempa[0]);
+ tempa[1] = getSBoxValue(tempa[1]);
+ tempa[2] = getSBoxValue(tempa[2]);
+ tempa[3] = getSBoxValue(tempa[3]);
+ }
+ }
+#endif
+ j = i * 4; k=(i - Nk) * 4;
+ RoundKey[j + 0] = RoundKey[k + 0] ^ tempa[0];
+ RoundKey[j + 1] = RoundKey[k + 1] ^ tempa[1];
+ RoundKey[j + 2] = RoundKey[k + 2] ^ tempa[2];
+ RoundKey[j + 3] = RoundKey[k + 3] ^ tempa[3];
+ }
+}
+
+void AES_init_ctx(AES_ctx* ctx, const uint8_t* key)
+{
+ KeyExpansion(ctx->RoundKey, key);
+}
+#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
+void AES_init_ctx_iv(AES_ctx* ctx, const uint8_t* key, const uint8_t* iv)
+{
+ KeyExpansion(ctx->RoundKey, key);
+ memcpy (ctx->Iv, iv, AES_BLOCKLEN);
+}
+void AES_ctx_set_iv(AES_ctx* ctx, const uint8_t* iv)
+{
+ memcpy (ctx->Iv, iv, AES_BLOCKLEN);
+}
+#endif
+
+// This function adds the round key to state.
+// The round key is added to the state by an XOR function.
+static void AddRoundKey(uint8_t round, state_t* state, const uint8_t* RoundKey)
+{
+ uint8_t i,j;
+ for (i = 0; i < 4; ++i)
+ {
+ for (j = 0; j < 4; ++j)
+ {
+ (*state)[i][j] ^= RoundKey[(round * Nb * 4) + (i * Nb) + j];
+ }
+ }
+}
+
+// The SubBytes Function Substitutes the values in the
+// state matrix with values in an S-box.
+static void SubBytes(state_t* state)
+{
+ uint8_t i, j;
+ for (i = 0; i < 4; ++i)
+ {
+ for (j = 0; j < 4; ++j)
+ {
+ (*state)[j][i] = getSBoxValue((*state)[j][i]);
+ }
+ }
+}
+
+// The ShiftRows() function shifts the rows in the state to the left.
+// Each row is shifted with different offset.
+// Offset = Row number. So the first row is not shifted.
+static void ShiftRows(state_t* state)
+{
+ uint8_t temp;
+
+ // Rotate first row 1 columns to left
+ temp = (*state)[0][1];
+ (*state)[0][1] = (*state)[1][1];
+ (*state)[1][1] = (*state)[2][1];
+ (*state)[2][1] = (*state)[3][1];
+ (*state)[3][1] = temp;
+
+ // Rotate second row 2 columns to left
+ temp = (*state)[0][2];
+ (*state)[0][2] = (*state)[2][2];
+ (*state)[2][2] = temp;
+
+ temp = (*state)[1][2];
+ (*state)[1][2] = (*state)[3][2];
+ (*state)[3][2] = temp;
+
+ // Rotate third row 3 columns to left
+ temp = (*state)[0][3];
+ (*state)[0][3] = (*state)[3][3];
+ (*state)[3][3] = (*state)[2][3];
+ (*state)[2][3] = (*state)[1][3];
+ (*state)[1][3] = temp;
+}
+
+static uint8_t xtime(uint8_t x)
+{
+ return ((x<<1) ^ (((x>>7) & 1) * 0x1b));
+}
+
+// MixColumns function mixes the columns of the state matrix
+static void MixColumns(state_t* state)
+{
+ uint8_t i;
+ uint8_t Tmp, Tm, t;
+ for (i = 0; i < 4; ++i)
+ {
+ t = (*state)[i][0];
+ Tmp = (*state)[i][0] ^ (*state)[i][1] ^ (*state)[i][2] ^ (*state)[i][3] ;
+ Tm = (*state)[i][0] ^ (*state)[i][1] ; Tm = xtime(Tm); (*state)[i][0] ^= Tm ^ Tmp ;
+ Tm = (*state)[i][1] ^ (*state)[i][2] ; Tm = xtime(Tm); (*state)[i][1] ^= Tm ^ Tmp ;
+ Tm = (*state)[i][2] ^ (*state)[i][3] ; Tm = xtime(Tm); (*state)[i][2] ^= Tm ^ Tmp ;
+ Tm = (*state)[i][3] ^ t ; Tm = xtime(Tm); (*state)[i][3] ^= Tm ^ Tmp ;
+ }
+}
+
+// Multiply is used to multiply numbers in the field GF(2^8)
+// Note: The last call to xtime() is unneeded, but often ends up generating a smaller binary
+// The compiler seems to be able to vectorize the operation better this way.
+// See https://github.com/kokke/tiny-AES-c/pull/34
+#if MULTIPLY_AS_A_FUNCTION
+static uint8_t Multiply(uint8_t x, uint8_t y)
+{
+ return (((y & 1) * x) ^
+ ((y>>1 & 1) * xtime(x)) ^
+ ((y>>2 & 1) * xtime(xtime(x))) ^
+ ((y>>3 & 1) * xtime(xtime(xtime(x)))) ^
+ ((y>>4 & 1) * xtime(xtime(xtime(xtime(x)))))); /* this last call to xtime() can be omitted */
+ }
+#else
+#define Multiply(x, y) \
+ ( ((y & 1) * x) ^ \
+ ((y>>1 & 1) * xtime(x)) ^ \
+ ((y>>2 & 1) * xtime(xtime(x))) ^ \
+ ((y>>3 & 1) * xtime(xtime(xtime(x)))) ^ \
+ ((y>>4 & 1) * xtime(xtime(xtime(xtime(x)))))) \
+
+#endif
+
+#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
+// MixColumns function mixes the columns of the state matrix.
+// The method used to multiply may be difficult to understand for the inexperienced.
+// Please use the references to gain more information.
+static void InvMixColumns(state_t* state)
+{
+ int i;
+ uint8_t a, b, c, d;
+ for (i = 0; i < 4; ++i)
+ {
+ a = (*state)[i][0];
+ b = (*state)[i][1];
+ c = (*state)[i][2];
+ d = (*state)[i][3];
+
+ (*state)[i][0] = Multiply(a, 0x0e) ^ Multiply(b, 0x0b) ^ Multiply(c, 0x0d) ^ Multiply(d, 0x09);
+ (*state)[i][1] = Multiply(a, 0x09) ^ Multiply(b, 0x0e) ^ Multiply(c, 0x0b) ^ Multiply(d, 0x0d);
+ (*state)[i][2] = Multiply(a, 0x0d) ^ Multiply(b, 0x09) ^ Multiply(c, 0x0e) ^ Multiply(d, 0x0b);
+ (*state)[i][3] = Multiply(a, 0x0b) ^ Multiply(b, 0x0d) ^ Multiply(c, 0x09) ^ Multiply(d, 0x0e);
+ }
+}
+
+
+// The SubBytes Function Substitutes the values in the
+// state matrix with values in an S-box.
+static void InvSubBytes(state_t* state)
+{
+ uint8_t i, j;
+ for (i = 0; i < 4; ++i)
+ {
+ for (j = 0; j < 4; ++j)
+ {
+ (*state)[j][i] = getSBoxInvert((*state)[j][i]);
+ }
+ }
+}
+
+static void InvShiftRows(state_t* state)
+{
+ uint8_t temp;
+
+ // Rotate first row 1 columns to right
+ temp = (*state)[3][1];
+ (*state)[3][1] = (*state)[2][1];
+ (*state)[2][1] = (*state)[1][1];
+ (*state)[1][1] = (*state)[0][1];
+ (*state)[0][1] = temp;
+
+ // Rotate second row 2 columns to right
+ temp = (*state)[0][2];
+ (*state)[0][2] = (*state)[2][2];
+ (*state)[2][2] = temp;
+
+ temp = (*state)[1][2];
+ (*state)[1][2] = (*state)[3][2];
+ (*state)[3][2] = temp;
+
+ // Rotate third row 3 columns to right
+ temp = (*state)[0][3];
+ (*state)[0][3] = (*state)[1][3];
+ (*state)[1][3] = (*state)[2][3];
+ (*state)[2][3] = (*state)[3][3];
+ (*state)[3][3] = temp;
+}
+#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
+
+// Cipher is the main function that encrypts the PlainText.
+static void Cipher(state_t* state, const uint8_t* RoundKey)
+{
+ uint8_t round = 0;
+
+ // Add the First round key to the state before starting the rounds.
+ AddRoundKey(0, state, RoundKey);
+
+ // There will be Nr rounds.
+ // The first Nr-1 rounds are identical.
+ // These Nr-1 rounds are executed in the loop below.
+ for (round = 1; round < Nr; ++round)
+ {
+ SubBytes(state);
+ ShiftRows(state);
+ MixColumns(state);
+ AddRoundKey(round, state, RoundKey);
+ }
+
+ // The last round is given below.
+ // The MixColumns function is not here in the last round.
+ SubBytes(state);
+ ShiftRows(state);
+ AddRoundKey(Nr, state, RoundKey);
+}
+
+#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
+static void InvCipher(state_t* state, const uint8_t* RoundKey)
+{
+ uint8_t round = 0;
+
+ // Add the First round key to the state before starting the rounds.
+ AddRoundKey(Nr, state, RoundKey);
+
+ // There will be Nr rounds.
+ // The first Nr-1 rounds are identical.
+ // These Nr-1 rounds are executed in the loop below.
+ for (round = (Nr - 1); round > 0; --round)
+ {
+ InvShiftRows(state);
+ InvSubBytes(state);
+ AddRoundKey(round, state, RoundKey);
+ InvMixColumns(state);
+ }
+
+ // The last round is given below.
+ // The MixColumns function is not here in the last round.
+ InvShiftRows(state);
+ InvSubBytes(state);
+ AddRoundKey(0, state, RoundKey);
+}
+#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
+
+/*****************************************************************************/
+/* Public functions: */
+/*****************************************************************************/
+#if defined(ECB) && (ECB == 1)
+
+
+void AES_ECB_encrypt(const AES_ctx* ctx, uint8_t* buf)
+{
+ // The next function call encrypts the PlainText with the Key using AES algorithm.
+ Cipher((state_t*)buf, ctx->RoundKey);
+}
+
+void AES_ECB_decrypt(const AES_ctx* ctx, uint8_t* buf)
+{
+ // The next function call decrypts the PlainText with the Key using AES algorithm.
+ InvCipher((state_t*)buf, ctx->RoundKey);
+}
+
+
+#endif // #if defined(ECB) && (ECB == 1)
+
+
+
+
+
+#if defined(CBC) && (CBC == 1)
+
+
+static void XorWithIv(uint8_t* buf, const uint8_t* Iv)
+{
+ uint8_t i;
+ for (i = 0; i < AES_BLOCKLEN; ++i) // The block in AES is always 128bit no matter the key size
+ {
+ buf[i] ^= Iv[i];
+ }
+}
+
+void AES_CBC_encrypt_buffer(AES_ctx *ctx, uint8_t* buf, uint32_t length)
+{
+ uintptr_t i;
+ uint8_t *Iv = ctx->Iv;
+ for (i = 0; i < length; i += AES_BLOCKLEN)
+ {
+ XorWithIv(buf, Iv);
+ Cipher((state_t*)buf, ctx->RoundKey);
+ Iv = buf;
+ buf += AES_BLOCKLEN;
+ //printf("Step %d - %d", i/16, i);
+ }
+ /* store Iv in ctx for next call */
+ memcpy(ctx->Iv, Iv, AES_BLOCKLEN);
+}
+
+void AES_CBC_decrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length)
+{
+ uintptr_t i;
+ uint8_t storeNextIv[AES_BLOCKLEN];
+ for (i = 0; i < length; i += AES_BLOCKLEN)
+ {
+ memcpy(storeNextIv, buf, AES_BLOCKLEN);
+ InvCipher((state_t*)buf, ctx->RoundKey);
+ XorWithIv(buf, ctx->Iv);
+ memcpy(ctx->Iv, storeNextIv, AES_BLOCKLEN);
+ buf += AES_BLOCKLEN;
+ }
+
+}
+
+#endif // #if defined(CBC) && (CBC == 1)
+
+
+
+#if defined(CTR) && (CTR == 1)
+
+/* Symmetrical operation: same function for encrypting as for decrypting. Note any IV/nonce should never be reused with the same key */
+void AES_CTR_xcrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length)
+{
+ uint8_t buffer[AES_BLOCKLEN];
+
+ unsigned i;
+ int bi;
+ for (i = 0, bi = AES_BLOCKLEN; i < length; ++i, ++bi)
+ {
+ if (bi == AES_BLOCKLEN) /* we need to regen xor compliment in buffer */
+ {
+
+ memcpy(buffer, ctx->Iv, AES_BLOCKLEN);
+ Cipher((state_t*)buffer,ctx->RoundKey);
+
+ /* Increment Iv and handle overflow */
+ for (bi = (AES_BLOCKLEN - 1); bi >= 0; --bi)
+ {
+ /* inc will overflow */
+ if (ctx->Iv[bi] == 255)
+ {
+ ctx->Iv[bi] = 0;
+ continue;
+ }
+ ctx->Iv[bi] += 1;
+ break;
+ }
+ bi = 0;
+ }
+
+ buf[i] = (buf[i] ^ buffer[bi]);
+ }
+}
+
+#endif // #if defined(CTR) && (CTR == 1)
+
diff --git a/Source/WinObjEx64/tinyaes/aes.h b/Source/WinObjEx64/tinyaes/aes.h
new file mode 100644
index 0000000..7c3248c
--- /dev/null
+++ b/Source/WinObjEx64/tinyaes/aes.h
@@ -0,0 +1,96 @@
+/*
+
+ Modified to compile with WinObjEx64.
+
+*/
+
+#ifndef _AES_H_
+#define _AES_H_
+
+#include
+
+// #define the macros below to 1/0 to enable/disable the mode of operation.
+//
+// CBC enables AES encryption in CBC-mode of operation.
+// CTR enables encryption in counter-mode.
+// ECB enables the basic ECB 16-byte block algorithm. All can be enabled simultaneously.
+
+// The #ifndef-guard allows it to be configured before #include'ing or at compile time.
+#ifndef CBC
+ #define CBC 1
+#endif
+
+#ifndef ECB
+ #define ECB 1
+#endif
+
+#ifndef CTR
+ #define CTR 1
+#endif
+
+
+#define AES128 1
+//#define AES192 1
+//#define AES256 1
+
+#define AES_BLOCKLEN 16 //Block length in bytes AES is 128b block only
+
+#if defined(AES256) && (AES256 == 1)
+ #define AES_KEYLEN 32
+ #define AES_keyExpSize 240
+#elif defined(AES192) && (AES192 == 1)
+ #define AES_KEYLEN 24
+ #define AES_keyExpSize 208
+#else
+ #define AES_KEYLEN 16 // Key length in bytes
+ #define AES_keyExpSize 176
+#endif
+
+typedef struct _AES_ctx
+{
+ uint8_t RoundKey[AES_keyExpSize];
+#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
+ uint8_t Iv[AES_BLOCKLEN];
+#endif
+} AES_ctx, PAES_ctx;
+
+void AES_init_ctx(AES_ctx* ctx, const uint8_t* key);
+#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
+void AES_init_ctx_iv(AES_ctx* ctx, const uint8_t* key, const uint8_t* iv);
+void AES_ctx_set_iv(AES_ctx* ctx, const uint8_t* iv);
+#endif
+
+#if defined(ECB) && (ECB == 1)
+// buffer size is exactly AES_BLOCKLEN bytes;
+// you need only AES_init_ctx as IV is not used in ECB
+// NB: ECB is considered insecure for most uses
+void AES_ECB_encrypt(const AES_ctx* ctx, uint8_t* buf);
+void AES_ECB_decrypt(const AES_ctx* ctx, uint8_t* buf);
+
+#endif // #if defined(ECB) && (ECB == !)
+
+
+#if defined(CBC) && (CBC == 1)
+// buffer size MUST be mutile of AES_BLOCKLEN;
+// Suggest https://en.wikipedia.org/wiki/Padding_(cryptography)#PKCS7 for padding scheme
+// NOTES: you need to set IV in ctx via AES_init_ctx_iv() or AES_ctx_set_iv()
+// no IV should ever be reused with the same key
+void AES_CBC_encrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length);
+void AES_CBC_decrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length);
+
+#endif // #if defined(CBC) && (CBC == 1)
+
+
+#if defined(CTR) && (CTR == 1)
+
+// Same function for encrypting as for decrypting.
+// IV is incremented for every block, and used after encryption as XOR-compliment for output
+// Suggesting https://en.wikipedia.org/wiki/Padding_(cryptography)#PKCS7 for padding scheme
+// NOTES: you need to set IV in ctx with AES_init_ctx_iv() or AES_ctx_set_iv()
+// no IV should ever be reused with the same key
+void AES_CTR_xcrypt_buffer(AES_ctx* ctx, uint8_t* buf, uint32_t length);
+
+#endif // #if defined(CTR) && (CTR == 1)
+
+
+#endif //_AES_H_
diff --git a/Source/WinObjEx64/ui.h b/Source/WinObjEx64/ui.h
index 943ecf4..4ee010c 100644
--- a/Source/WinObjEx64/ui.h
+++ b/Source/WinObjEx64/ui.h
@@ -4,9 +4,9 @@
*
* TITLE: UI.H
*
-* VERSION: 1.83
+* VERSION: 1.84
*
-* DATE: 16 Jan 2020
+* DATE: 22 Feb 2020
*
* Common header file for the user interface.
*
@@ -26,7 +26,7 @@
#define DefaultSystemDpi 96
#define TreeListDumpObjWndPosX 12
#define TreeListDumpObjWndPosY 20
-#define TreeListDumpObjWndScaleSub 4
+#define TreeListDumpObjWndScaleSub 3
//
// ListView column counts
@@ -56,8 +56,8 @@ typedef HWND(WINAPI *pfnHtmlHelpW)(
#define PROGRAM_MAJOR_VERSION 1
#define PROGRAM_MINOR_VERSION 8
-#define PROGRAM_REVISION_NUMBER 3
-#define PROGRAM_BUILD_NUMBER 2001
+#define PROGRAM_REVISION_NUMBER 4
+#define PROGRAM_BUILD_NUMBER 2004
#ifdef _USE_OWN_DRIVER
#define PROGRAM_NAME L"Windows Object Explorer 64-bit (Non-public version)"
diff --git a/WinObjEx64.sha256 b/WinObjEx64.sha256
index 150a0ad..72da3f3 100644
--- a/WinObjEx64.sha256
+++ b/WinObjEx64.sha256
@@ -2,7 +2,7 @@
e192abb83dded0fe227f3fe69cb0ac7aaa197941917afd497b4cf8796a03e041 *Compiled\WHATSNEW_173.md
fa001b1ac9bbbb6c954d5dd609de60fa2b0277a6cfe35f6428591e4b4b1e8453 *Compiled\WHATSNEW_180.md
6c3f0228938008ed3c45266ce38d3ecd98145c473e7a072c915eb2b7b8fa15f4 *Compiled\WinObjEx64.chm
-527222bba726c58afe2b282ff40e79b39b5ead0be803338703bc0e5cc51282fe *Compiled\WinObjEx64.exe
+fc54e081db5df51257e602b96e562ee784eff93222059da2ee97e685a084b908 *Compiled\WinObjEx64.exe
fed1777aecfd299cfb130385dc146725829cd3aa82585d62cda72ea08829a52e *Compiled\plugins\ApiSetView.dll
ffa9ed459d2fcd27cb495da1494b2f8bbe5c1601c3d2aa4685e603907150f0d9 *Compiled\plugins\ExamplePlugin.dll
b41df9a5014f7a4d60354eebfd2447edf14a8a2facd38954999f2ff07b406c84 *Compiled\plugins\Sonar.dll
@@ -29,8 +29,8 @@ cb66fca90766db12474ce057436364dabaf3e948f6ffa7e9651f869656f0b33c *Screenshots\Vi
ef65a909e8d9bc7ec94ecbc0f465f24a7968d6675eadf7f25f6414c66d6b28be *Screenshots\ViewingTypeInformation.png
db0ab26d20a62ba7c9c844e916e88168b72a7e52932d3483eb2d0a2e535b75a8 *Screenshots\ViewingUserSharedData.png
9e2b64f390c609172c5791dd138a748d31bf4d2cc839f01dbd514afe1cdfd083 *Screenshots\W32pServiceTableView.png
-0bee5e0d7e6218111dd83c24f319871d29340aa0da8099ceaaba7f10efbbe531 *Source\CHANGELOG.txt
-5e873ae10775f1af3fd37430e79f01f84c3ab397aafd4ff372d9611c5abb9d26 *Source\FILELIST.txt
+3115fae1a35eaf46211b45039a6bfed8ba44835a14626a6412140a1b386cadf0 *Source\CHANGELOG.txt
+6331b02a5e7279d4026068d446fdea840e1d92871b259edd4e93e19289be484f *Source\FILELIST.txt
55eed414926c47b0bfc5000eeabb882d77d78e17b5be94ca229e681f009b0740 *Source\TypesWithNoDesc.txt
cf2de90f489f8024a22720655097992373135aab5762d1c035ddf242f3096d35 *Source\WinObjEx64.sln
39a976ac4e1b76c2058815c5017bd3acceb69950286cfdf8c5704b7e31b8cca0 *Source\DrvStore\kldbgdrv.sys
@@ -56,7 +56,7 @@ e953b026d0f383188c753487df0a4d879fa5da5ba82ac979aa877db84e89a060 *Source\Plugins
6b2236b93693d4830feb90ee504ae03555d4882d4c301bea55f7980973b5fb32 *Source\Plugins\Sonar\export.def
e328a69e6393288544a5be3bd2e234b866831008cbbf2de6f9962c2bda8d793a *Source\Plugins\Sonar\global.h
d56dae2c69f555e48a57fe907fae54fc8352e34a73b1571cd7461ac8da9f27b3 *Source\Plugins\Sonar\main.c
-07d3b415ba3709191c1302aa1fe15c772273a19ff8a6045295210503db94ef0e *Source\Plugins\Sonar\ndis.h
+678f11c35c64392c4a36dc47e06c63a3ad66e22819424e041bb7c20ce9890312 *Source\Plugins\Sonar\ndis.h
0b5d16d981af455a7176f9e91daff498bfabdbe81ceb3840ed13d922f45efe36 *Source\Plugins\Sonar\query.c
ed4ed02b7459f5f6c22d99c68f889a93a3bf84088c100f9f64d819d22ddab571 *Source\Plugins\Sonar\query.h
e9401523838c114fe616759d58d21e347f82bf47ff8ecdf11e9462e97c13305c *Source\Plugins\Sonar\resource.h
@@ -93,16 +93,19 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Shared\
52e3d39c69c43264b2f8d9bcdfce0f763a5e92d091eef59ea2a0294b4b19641c *Source\Shared\minirtl\_strstr.c
52a696ae714eb81033c477d1ec6c01389eef56c847609e89d360c2fb6899b4b6 *Source\Shared\minirtl\_strstri.c
dfa2b16aa3246a8aca662ea525770a4585618de35550aeb2dca40abd52d2afd9 *Source\Shared\ntos\apisetx.h
+9a6c05200edc97ff2f9c0fe3de4fc277c8781ba1a2bbceb8006f55589147c37a *Source\Shared\ntos\halamd64.h
0cd425ef96247657ab55443c9b3bc9a90f0c18f634979942693553d0f764c601 *Source\Shared\ntos\ntalpc.h
2f35ba7b6b92421bded97e177f39f947e359c86fe1805758e69907f6673074d3 *Source\Shared\ntos\ntldr.c
72162367a2038cd58d7f89d6cad0fdf4f98c0bfa570fb36df8cce73e6a93b8f6 *Source\Shared\ntos\ntldr.h
-d831e0b0ca64447180f8d9e699c57e85ba7ffeb8dd20e8c893460c1a0ff76f15 *Source\Shared\ntos\ntos.h
+f5a3e6730087c27936282bcefa1207da01ff340a63e24c38e5a4ddfef4423752 *Source\Shared\ntos\ntos.h
14b0a442647904db5476d14a1d9710bd83587f168b4b182465e5902d24676870 *Source\Shared\ntuser\StubNtUserOpenWindowStation.asm
97a3935877993ecf9a433568b22ee457aab530e53d8a4c3af0d40d02c1ad347b *Source\Shared\treelist\treelist.c
c5569b768244e86e1c961c28e6f11831f219953093c9e4cd35414e4008b3de80 *Source\Shared\treelist\treelist.h
-56f1d7ee2b01bf4efe47de2d8642eadc00feba8b8851763d194b4605efdcad0f *Source\WinObjEx64\aboutDlg.c
+26e0c642b93d4fa0d8732f766092b01e09c9478aa1b73e404ab7f21ca5b87d81 *Source\WinObjEx64\aboutDlg.c
dc5ad976533a91292022a15f741a95d04663849c34fced1432a830726341d51d *Source\WinObjEx64\aboutDlg.h
-4ec2d4d3e73a5472aa235fe7032d5e5e04065ff87d9d8c2fe9df81b9815feb55 *Source\WinObjEx64\driver.rc
+1e13f46a382beae952a291f05354919f4431b424908e9571960067ede23d9554 *Source\WinObjEx64\driver.rc
+4633ebcb43b58cafe074341a426a2ef59eca1cbf5f9f7a0772d403ff5ae4ba3c *Source\WinObjEx64\drvhelper.c
+0618df38c1e51fd79770d416befd53f9bfe4310d7a0ab5380a1464d5142c1217 *Source\WinObjEx64\drvhelper.h
24280d99d75a9fe2381701be27c2d4994b59ae415faf63d62c8aee66229f74f9 *Source\WinObjEx64\excepth.c
9cebcbf4709e61806e17cd3b2bcaf37a08eec7aa896213ddb9ec0d41c317db09 *Source\WinObjEx64\excepth.h
df88d2d3dc992aea7a6883cc162d5de2151b5a8ebb04c94f406297939849568e *Source\WinObjEx64\extapi.c
@@ -110,31 +113,31 @@ df88d2d3dc992aea7a6883cc162d5de2151b5a8ebb04c94f406297939849568e *Source\WinObjE
ac5f42d81b97903c6a388c1044d33c58e5f4d59d7582883c3b1977134a43dea5 *Source\WinObjEx64\extdef.h
2d79ed215d293b2976ac5bc1cf084d6f8183fb3c65b4b0e06cbb71c617bbeaf4 *Source\WinObjEx64\findDlg.c
8cc5a4ba98d74221405a13cde0f357db970500a4b44c711b5fd97d30cce904e8 *Source\WinObjEx64\findDlg.h
-edf6602b5edc0d9bc2882f68e3da43c93d1ffad3b33a4cfa7bcc441386a4f079 *Source\WinObjEx64\global.h
+08af3e53d710c96de17c8e202d446df7a4235b84ea75426e782401541af0f7f8 *Source\WinObjEx64\global.h
b977fe65b7571a1f5e630b1f0af3f523e09cd153ec7f3b24d8df5f090ed4b33c *Source\WinObjEx64\instdrv.c
9fdf8d26ea566d84e8907d7363f418263a2b9f3d5aa4df2f1211a28c29e0646b *Source\WinObjEx64\instdrv.h
-9d50d53ff091a5d9bca8a106657f62ec87045eb558be8326737a8e23e83e0e1b *Source\WinObjEx64\kldbg.c
-d3f248b20232330eab697584bb6d22d7f7fdee5dcde3a87c2950481d791b5042 *Source\WinObjEx64\kldbg.h
+3254d1fa3dea452272ef9893708fc3da923de69fafab28b5785bb15772bc0e0d *Source\WinObjEx64\kldbg.c
+ef8dcbdd428cb7297616835b4e03c7b175edae1ec5fed50d092a1659f234aa5e *Source\WinObjEx64\kldbg.h
9a8c79655737ead564c10cd5bc2dd8c616c9cb57c74f6a02f2210b2f2368e44d *Source\WinObjEx64\kldbg_patterns.h
95d7a0848b06bebcdfcf31edd297a81dcc6b3d29988b238a34a254d6d45cf8a7 *Source\WinObjEx64\list.c
b490a01e298d0567ae624c0d1aecd5921cd56f5cba3e9512c88053faec089799 *Source\WinObjEx64\list.h
-d0538aebb7b098746c3b818b6986252aee2a7d1fc5b24882ccb07c0c81b0a079 *Source\WinObjEx64\main.c
+4012c4b1675c73edf70fab1a3494067f8afbe909e80ba5c95ace45e363d7cc76 *Source\WinObjEx64\main.c
5d2b9be96b42044e0f09a6a901c194934a1dc2d2e7cf14d65e6414b22ec89765 *Source\WinObjEx64\msvcver.h
614521ca9847274c929ccef3e19ee52f9adb57de6fc79ea6a520cf433069df5b *Source\WinObjEx64\objects.c
47f476e0778b726b0a9af5a5afeb3b155700a10c26bb45666c89a6c8c1707be6 *Source\WinObjEx64\objects.h
-7a7ef81ca9f7cd9863558062aa907e57ccddfec4019e2a4963891de0d4d42eb7 *Source\WinObjEx64\plugmngr.c
+35e441916f1bf16030583ea8c806779f7d256bf34b8dc0054e4a1033258e72b8 *Source\WinObjEx64\plugmngr.c
c605d067ec8d6438e5ec955f3658a595e5c669259b005ee2e26471f32e84960d *Source\WinObjEx64\plugmngr.h
2b158a0c496190c33b1ad8851978b09bc49a49926d5184880d6070e69c980f9d *Source\WinObjEx64\resource.h
-56078226c9134a1d583e44d815094a225e836b7c6e3dde978495500d527ca25f *Source\WinObjEx64\Resource.rc
-cc724dc78f6d71e119bdb0105cc52d332480fc497cda1ee79c62df3274c44762 *Source\WinObjEx64\sup.c
-82331fc1bff3da9ce708f5a7ee972a7636a142c0be9833df1c1b8d7c36bf208b *Source\WinObjEx64\sup.h
+cc857bf7b2bd66badddc9a8ea54a53b3af93da3989abf0494dc8a9d059a2d229 *Source\WinObjEx64\Resource.rc
+3d7aaca6e0cbc42fc544abcabb308d79285359464f5ab4b1738104178e30fdab *Source\WinObjEx64\sup.c
+8be6751077fb0b50c39a348ece5cfbc3b1361196d1f2e71d9924788ef2e83a22 *Source\WinObjEx64\sup.h
cc4a635c99b8165437e3a441d8d65012170aedbc91c839497e03d58ef104a8fd *Source\WinObjEx64\supConsts.h
-4fdd97e22cc9a96286a2faaec808455eb5e1c0dbc62010567a6642740cad7d2e *Source\WinObjEx64\ui.h
+2af1d95ac1999984bfef3920829b306b7b2c41f889d91c683e5a7221d20a80c1 *Source\WinObjEx64\ui.h
94be7b80c1fd8bbc3208b8370962b8cc8827cacb1ccb8136023bf21fb5fccb69 *Source\WinObjEx64\wine.c
3d81ad5d6123ea2a980c53ceb59525dbbafd7f42a2438b1ba2de80b777df555d *Source\WinObjEx64\wine.h
48318790f345418b5b2e03ec624258701bdc9deadefc48aa27ee6266dc95caac *Source\WinObjEx64\winedebug.h
-b721490158e2fd022d404ce6895d2bcb0e788843638049b6f9a45e1cd381caac *Source\WinObjEx64\WinObjEx64.vcxproj
-02889fe9112a2021892c427aea0446f43bb0da2131a6701c4c3bce6d5fd98ada *Source\WinObjEx64\WinObjEx64.vcxproj.filters
+4684de385df6592457e8c5071593fcf709cd59b69fe9ffbedafb4d9fa8016b3f *Source\WinObjEx64\WinObjEx64.vcxproj
+e24519235833384334df1623617ba30dd4cfb17469284952e546c833c8f4cbe6 *Source\WinObjEx64\WinObjEx64.vcxproj.filters
d9f508722dcd611b15bc3f5a4c39316ce00fbf712b879726eaee7652fcdc4fd9 *Source\WinObjEx64\WinObjEx64.vcxproj.user
277e9810d5f23dbb4b078b4a0b21ac11dce1e6924a2ec7aede31563ee00bd131 *Source\WinObjEx64\extras\extras.c
d3faf1ca46ea09c764964be6e34763739b293cf60117a6e796026f173fb4ed0c *Source\WinObjEx64\extras\extras.h
@@ -147,7 +150,7 @@ d3faf1ca46ea09c764964be6e34763739b293cf60117a6e796026f173fb4ed0c *Source\WinObjE
d21e27bf35c5add1eedec3234fb358fbbc4c585c3de22326ac9581b59a8983d0 *Source\WinObjEx64\extras\extrasIPC.h
162e535515bc682b36b02a7fb0b1ace5507937a8770b4b89581b556cfeb0cd24 *Source\WinObjEx64\extras\extrasPN.c
64e75cbaa0ce129f674a9a441a3045f37e74f853f34fd93caac5533bb174a019 *Source\WinObjEx64\extras\extrasPN.h
-461088010c4ba5b85ae970e1b87894e99897b36823fad308c85acd9ddec1084b *Source\WinObjEx64\extras\extrasPSList.c
+2dede17ee9da4035a47ef006d2cc23663e9f5de12449de6e1e8c91c714452981 *Source\WinObjEx64\extras\extrasPSList.c
b7aa665c89b297d329f45e2a8b61fd379f778dcf01ae50c339f87da06bb0ff46 *Source\WinObjEx64\extras\extrasPSList.h
f5cd689fc8bf4722af5317e4f0e86df568c08129d34441ab2aad2bee54d4bdd1 *Source\WinObjEx64\extras\extrasSL.c
4244c8135ae3737d421d0cca525b786dbc3305670178cc2da5c56613248e7875 *Source\WinObjEx64\extras\extrasSL.h
@@ -169,7 +172,7 @@ ee611560bd097cf394093dea2581b56e0b3e11d54638253cd5fae3509075634f *Source\WinObjE
63e0d91face043a963502c93382fc2ce6d3736ac64b874b7fd7b92ceda93802d *Source\WinObjEx64\props\propDriver.c
8dd63e57115728cdea4c326e5cde9acfe6015b2b088ec36022cd9f81e216e179 *Source\WinObjEx64\props\propDriver.h
721bf384ee6ba44cb118a4bfde7ffba669024059e3120b8cae40e98228eba6df *Source\WinObjEx64\props\propDriverConsts.h
-7de0daea93e67563bc517b28e2294e964444e54fd20568f5029f43059a9df815 *Source\WinObjEx64\props\propObjectDump.c
+612f2c5950f2664a95e5baa4cbf2b96bceaa838b4c02428e96c168c985429a39 *Source\WinObjEx64\props\propObjectDump.c
da1cf96a7d85faec3db810f5c4061a6322c252fcead01cbf8ac728e7deffee23 *Source\WinObjEx64\props\propObjectDump.h
f0c817c2a4011fcb1d09f8e9397291d22f79bcff6e62129a5fd97c5411c1a7b2 *Source\WinObjEx64\props\propObjectDumpConsts.h
dfb703240f301c52ed22ff6dd858551d02e5e78d95e529015bbde2d0742f7065 *Source\WinObjEx64\props\propProcess.c
@@ -239,5 +242,7 @@ bf3105d704464eb6fdb0f722e0d9baec7f7951337826c9e774330ad8070a971b *Source\WinObjE
d4876437f5ea4c307b3894ff6a4ccd10922a366167104bb78b1103ebadd4f483 *Source\WinObjEx64\rsrc\mailslot.ico
4af9d3481fbe6423bb5b0187a3d5ea165b962aa0f53ce32502a85788c2575f94 *Source\WinObjEx64\rsrc\obex.manifest
9c908e205f42861f5ce840cf07886009fe7fad09352820508757ae8d8f6a34ae *Source\WinObjEx64\rsrc\pipe.ico
-7a29a33ca1bcda43bbf9dcf89c4ad20f4740220b08020b1f780859df3b9d6917 *Source\WinObjEx64\tests\testunit.c
+57694ad9a44570b2614ce32ffecd3e14c1de9f2f8d1fb13ad69cb650ac2c1124 *Source\WinObjEx64\tests\testunit.c
57fca251b667971a01557f1da9c1041f3011e27218022789919f7725fb4741fa *Source\WinObjEx64\tests\testunit.h
+86663cc7ae93ccb0fe0a38c33ca45e7baeffc2d0ccf68580ff1b8c275ca63539 *Source\WinObjEx64\tinyaes\aes.c
+bb61c3c80d2eeea55001ffabcdbf6245188c2fc86f8fad90bdc8d31917f5611a *Source\WinObjEx64\tinyaes\aes.h