hfiref0x / winobjex64
Windows Object Explorer 64-bit
License: BSD 2-Clause "Simplified" License
Due to incorrect SCM API result parsing, SCM processes are not correctly identified and thus not (all) appropriately marked in the Extras->Process List dialog. This will be fixed in the next v1.8.8 release.
ID 20201001
Consider adding this to next version to the object properties.
http://redplait.blogspot.ru/2016/07/filterconnectionports.html
9600, 10586: the structure seems the same.
fltmgr!_FLT_SERVER_PORT_OBJECT
+0x000 FilterLink : _LIST_ENTRY
+0x010 ConnectNotify : Ptr64 long
+0x018 DisconnectNotify : Ptr64 void
+0x020 MessageNotify : Ptr64 long
+0x028 Filter : Ptr64 _FLT_FILTER
+0x030 Cookie : Ptr64 Void
+0x038 Flags : Uint4B
+0x03c NumberOfConnections : Int4B
+0x040 MaxConnections : Int4B
Object Explorer shows the content of "\" by calling NtQueryDirectoryObject recursively.
This approach overlooks one particular directory: \?? (a.k.a. "local \DosDevices"), which is not returned when querying the root directory, unlike the global version of \DosDevices (\GLOBAL??).
This directory typically contains a symbolic link to Global, network drives, subst drives and whatever else the user defined with DefineDosDevice.
This information is also available under \Sessions\<SESSION_ID>\DosDevices\<LOGON_SESSION_ID>, but getting there is more cumbersome and requires Administrator rights.
It can be added manually (I'm not familiar with the code, so apologies if something is horribly wrong):
diff --git a/Source/WinObjEx64/kldbg.c b/Source/WinObjEx64/kldbg.c
index 0d5b62e..1477191 100644
--- a/Source/WinObjEx64/kldbg.c
+++ b/Source/WinObjEx64/kldbg.c
@@ -70,6 +70,12 @@ static UNICODE_STRING g_usGlobalNamespace = {
OB_GLOBALNAMESPACE
};
+static UNICODE_STRING g_usLocalDevices = {
+ sizeof(OB_LOCALDEVICES) - sizeof(WCHAR),
+ sizeof(OB_LOCALDEVICES),
+ OB_LOCALDEVICES
+};
+
/*
* ObGetPredefinedUnicodeString
*
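Review bot: g_usLocalDevices is the only predefined string built from a relative name (OB_LOCALDEVICES is L"??" in the kldbg.h hunk, whereas the neighbouring g_usGlobalNamespace wraps the absolute L"\\??"), so any caller that passes it to an open without a RootDirectory handle will never resolve it; add a comment at the definition stating that it must be opened relative to a directory handle, so the asymmetry with the other g_us* strings is documented where it is declared.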
@@ -94,6 +100,8 @@ PUNICODE_STRING ObGetPredefinedUnicodeString(
case OBP_ROOT:
default:
return &g_usObjectsRootDirectory;
+ case OBP_LOCALDEVICES:
+ return &g_usLocalDevices;
}
}
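Review bot: the new `case OBP_LOCALDEVICES:` is placed after the `default:` label and is reachable only because `default` returns before falling into it; move it above `default:` so the switch keeps its conventional shape and a reader does not mistake the trailing case for dead code.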
diff --git a/Source/WinObjEx64/kldbg.h b/Source/WinObjEx64/kldbg.h
index 7cf596d..422ef1a 100644
--- a/Source/WinObjEx64/kldbg.h
+++ b/Source/WinObjEx64/kldbg.h
@@ -100,6 +100,7 @@
#define OBTYPES_DIRECTORY L"\\ObjectTypes"
#define OB_GLOBALROOT L"\\GLOBAL??\\GLOBALROOT"
#define OB_GLOBALNAMESPACE L"\\??"
+#define OB_LOCALDEVICES L"??"
#define OBJECT_SHIFT 8
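Review bot: `#define OB_LOCALDEVICES L"??"` sits directly under `#define OB_GLOBALNAMESPACE L"\\??"` and is easy to misread as a duplicate with a missing backslash; a one-line comment that this is intentionally a relative name, opened against the directory handle supplied by the caller because the session-local \?? is not returned by a listing of the root, would make the distinction explicit.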
@@ -135,6 +136,7 @@ typedef ULONG_PTR *PUTable;
#define OBP_OBTYPES 2
#define OBP_GLOBAL 3
#define OBP_GLOBALNAMESPACE 4
+#define OBP_LOCALDEVICES 5
//enum with information flags used by ObGetObjectHeaderOffset
typedef enum _OBJ_HEADER_INFO_FLAG {
diff --git a/Source/WinObjEx64/list.c b/Source/WinObjEx64/list.c
index aa83f34..d9d2c4e 100644
--- a/Source/WinObjEx64/list.c
+++ b/Source/WinObjEx64/list.c
@@ -346,6 +346,12 @@ VOID xxxListObjectDirectoryTree(
} while (TRUE);
+ xxxListObjectDirectoryTree(HeapHandle,
+ ObGetPredefinedUnicodeString(OBP_LOCALDEVICES),
+ directoryHandle,
+ ViewRootHandle,
+ prevItem);
+
NtClose(directoryHandle);
}
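Review bot: the added xxxListObjectDirectoryTree(..., ObGetPredefinedUnicodeString(OBP_LOCALDEVICES), directoryHandle, ...) call runs after the enumeration loop of every directory the function recurses into, not only the root, so each visited directory triggers an extra relative open of "??" that will normally not exist anywhere but at the root; guard the call so it is issued only when the directory being listed is the root, and confirm that the callee treats a failed open as a no-op rather than attaching an empty node under prevItem.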
The result:
Links:
https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/local-and-global-ms-dos-device-names
https://www.osronline.com/article.cfm%5Earticle=381.htm
https://superuser.com/questions/884347/win32-and-the-global-namespace
https://stackoverflow.com/questions/4686897/sessions-window-stations-and-desktops
20210601 Fixed in 1.9.1
MmUnloadedDrivers cannot be found using the existing pattern because it is no longer unique.
21996 MiRememberUnloadedDriver:
PAGE:00000001407FA273 BA D0 07 00 00 mov edx, 7D0h
PAGE:00000001407FA278 B9 40 00 00 00 mov ecx, 40h
PAGE:00000001407FA27D 41 B8 4D 6D 44 54 mov r8d, 54446D4Dh
PAGE:00000001407FA283 E8 68 A0 AF FF call MiAllocatePool
PAGE:00000001407FA288 48 89 05 09 F9 42 00 mov cs:MmUnloadedDrivers, rax
Prior duplicate code in MiCreatePebOrTeb:
PAGE:00000001406B15A0 BA D0 07 00 00 mov edx, 7D0h
PAGE:00000001406B15A5 EB DF jmp short loc_1406B1586
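Added example (not WinObjEx64 code) of the collision reported above: a scan over a constructed buffer holding both listed instruction sequences shows the five-byte pattern matching twice, while the pattern extended by the next two instructions is unique and lets the RIP-relative store be decoded to the MmUnloadedDrivers address; the filler bytes and the section base address are assumptions.

```python
# Added example, not WinObjEx64 code: why the old MmUnloadedDrivers
# signature collides, and how a longer one still resolves the variable.
# Instruction bytes are those listed in the issue above; the filler
# around them and the section address below are constructed.
import struct
from typing import List, Optional

OLD_SIGNATURE = bytes.fromhex("BAD0070000")                    # mov edx, 7D0h
NEW_SIGNATURE = OLD_SIGNATURE + bytes.fromhex("B940000000"     # mov ecx, 40h
                                              "41B84D6D4454")  # mov r8d, 'MmDT'
MI_REMEMBER_UNLOADED_DRIVER = NEW_SIGNATURE + bytes.fromhex(
    "E868A0AFFF"         # call MiAllocatePool
    "48890509F94200"     # mov cs:MmUnloadedDrivers, rax (RIP-relative)
)
MI_CREATE_PEB_OR_TEB = OLD_SIGNATURE + bytes.fromhex("EBDF")   # jmp short

# Constructed PAGE section: MiCreatePebOrTeb first, as in the real image,
# and a base address chosen so the second snippet sits at 0x1407FA273.
SECTION = (b"\xcc" * 16 + MI_CREATE_PEB_OR_TEB + b"\xcc" * 32
           + MI_REMEMBER_UNLOADED_DRIVER + b"\xcc" * 8)
SECTION_VA = 0x1407FA273 - (16 + len(MI_CREATE_PEB_OR_TEB) + 32)

def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs in data."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def locate_unique(data: bytes, pattern: bytes) -> Optional[int]:
    """Offset of the single match; None if absent or ambiguous, so a
    scanner never derives a pointer from the wrong function."""
    hits = find_all(data, pattern)
    return hits[0] if len(hits) == 1 else None

def resolve_mm_unloaded_drivers(data: bytes, section_va: int) -> Optional[int]:
    """Locate the signature, skip the 5-byte call, then decode the
    RIP-relative 'mov cs:[rel32], rax' (48 89 05 rel32):
    target = VA of the next instruction + sign-extended rel32."""
    sig = locate_unique(data, NEW_SIGNATURE)
    if sig is None:
        return None
    mov = sig + len(NEW_SIGNATURE) + 5
    if data[mov:mov + 3] != b"\x48\x89\x05":
        return None
    (rel32,) = struct.unpack_from("<i", data, mov + 3)
    return section_va + mov + 7 + rel32
```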
This plugin is currently in a beta stage. It may crash WinObjEx64 while running. This will be fixed in the next 1.8.7 patch.
Identified as: Win32/Spallowz.A!cl
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
file:C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\260A5552-CCD4-7324-ECB2-4F4BC7C2A253_1d1ce1b1363ccb0
file:C:\Users\Alex\Desktop\WinObjEx64.exe
webfile:C:\ProgramData\Microsoft\Windows Defender\LocalCopy{9D978906-6B4F-4B93-8A83-89B5389F0367}-260A5552-CCD4-7324-ECB2-4F4BC7C2A253_1d1ce1b1363ccb0|chrome.exe
webfile:C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\260A5552-CCD4-7324-ECB2-4F4BC7C2A253_1d1ce1b1363ccb0|https://raw.githubusercontent.com/hfiref0x/WinObjEx64/master/Compiled/WinObjEx64.exe|chrome.exe
webfile:C:\Users\Alex\Desktop\WinObjEx64.exe|https://raw.githubusercontent.com/hfiref0x/WinObjEx64/master/Compiled/WinObjEx64.exe|chrome.exe
To open a handle for a pipe created with open mode PIPE_ACCESS_INBOUND, we need to specify the GENERIC_WRITE | FILE_READ_ATTRIBUTES access right: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea
PR - #17
Hey bro! Your software is too complicated for me and I only used RKU, but thank you for your code! respectfully: TrashGen
Where to find this own driver that is referenced in the sources?
Would be nice to not have to boot the system in debug mode.
If WinObjEx64 is run as admin from a user account without administrative privileges and the "Jump To File" function is used for files and directories which are "protected" (e.g. windows or system32), the SHOpenFolderAndSelectItems API will fail and return CONNECT_E_CANNOTCONNECT (0x80040202), resulting in the supJumpToFile routine doing nothing. Internally SHOpenFolderAndSelectItems calls the undocumented routine SHGetIDispatchForFolder from shdocvw.dll, which fails with the above-mentioned error code and causes the calling function to return that error code as well. The Windows Error Log makes a corresponding entry for this case with source "DistributedCOM".
This behavior does not appear to be documented by Microsoft. In WinObjEx64 this will be fixed with a workaround in the next v1.8.8 release.
ID 20201101
Describe the feature
Currently, in order to build this one needs Visual Studio. Visual Studio is a non-free toolchain with telemetry. It'd be preferred to build it using Clang + the MinGW-w64 stdlib.
In order to have cross-toolchain building, it is preferred to set up building with CMake. I have a set of toolchain files that can be helpful for cross-building from Debian machines.
The code can't be compiled for x86.
In propObjectDump.c I had to add #if defined(_AMD64_) around the Hint call, because according to WDM.h for Build 14939 this field is only available for x64.
typedef struct _KDEVICE_QUEUE {
    CSHORT Type;
    CSHORT Size;
    LIST_ENTRY DeviceListHead;
    KSPIN_LOCK Lock;
#if defined(_AMD64_)
    union {
        BOOLEAN Busy;
        struct {
            LONG64 Reserved : 8;
            LONG64 Hint : 56;
        };
    };
#else
    BOOLEAN Busy;
#endif
} KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE;
Now I still get this error:
propSecurity.c(471): error C2440: '=': cannot convert from 'void (__cdecl *)(IObjectSecurity *,HANDLE)' to 'PCLOSEOBJECTMETHOD'
For reference,
https://github.com/0mWindyBug/PnpNotifyResearch/tree/main
It looks like the same app to me. Did Sysinternals copy this app originally? Or is this a copy of the Sysinternals app?
OS: Windows 7 x64
WinObjEx64: 1.5.2
There are two window stations that are named WinSta0 that are situated in different locations:
The one, in which the interactive user works:
\Sessions\1\Windows\WindowStations\WinSta0
And the other, for services:
\Windows\WindowStations\WinSta0
These are two different window stations but WinObjEx64 shows them as if they are represented by the same object. As a result, it is not possible to view information and change security for the second window station and its desktops.
See for reference
https://github.com/swwwolf/wdbgark/blob/master/src/secicallbacks.cpp.
Assume support from 7 up to 10 19H1.
Callbacks array structure:
Callback names can be recovered from symbols. Since the size of this array, as well as the position of its elements, depends on the Windows version, it is better to hardcode these names.
This is combined list of feature requests, to remember.
These are requested by AIonescu. Both require kernel memory read.
Private requests made by URs (ID 20210405, ID 20210406, 20210509)
Private requests made by H.E. (ID 20210501, 20210502, 20210503, 20210504, 20210506, 20210507)
Private request made by RL (ID 20210505)
Describe the bug
Sometimes the "Run as LocalSystem" feature fails. It occurs because supxGetSystemToken returns the first system token it finds, which might happen to be a token of a restricted service.
To Reproduce
Most frequently it happens when WinObjEx64 runs under an administrative account that does not have SeDebugPrivilege.
Screenshots
On the screenshot you can see that after supxGetSystemToken returns a restricted token and supRunAsLocalSystem impersonates it, the function silently fails because it is unable to change the token's session ID without SeTcbPrivilege.
Environment
Tested it on Windows 7.
Additional context
In fact, the reason why, without SeDebugPrivilege, supxGetSystemToken returns a restricted token (or even no token in some cases) is that you use PROCESS_QUERY_INFORMATION instead of PROCESS_QUERY_LIMITED_INFORMATION.
WinObjEx64/Source/WinObjEx64/sup.c, lines 3697 to 3700 in 84a75c4
While administrators have high integrity, Mandatory Integrity Control prevents them from opening system processes for read and write access. This happens because PROCESS_QUERY_INFORMATION is considered a denied read access, while PROCESS_QUERY_LIMITED_INFORMATION is an allowed execute access. So, changing PROCESS_QUERY_INFORMATION to PROCESS_QUERY_LIMITED_INFORMATION might solve most of the problems and make this feature work even without SeDebugPrivilege.
Preferably, supxGetSystemToken should not rely on any particular process order. You might just want to use winlogon's token, or, perhaps, add some checks to make sure you are using the right security context.
And showing an error message in case something went wrong would be useful.