def enumerate_type():
        """Yield one PUBLIC_OBJECT_TYPE_INFORMATION per object type reported by NtQueryObject(ObjectTypesInformation).

        WIP: DO NOT USE.

        Every yielded ``info`` is a ``from_address`` view into a buffer that is
        released when the ``with`` block below exits: read what you need while
        iterating, because an item kept past the end of iteration points at
        freed memory.

        Raises:
            WindowsError: any NtQueryObject failure other than
                STATUS_INFO_LENGTH_MISMATCH on the initial probing call
                (failures of the second call propagate unchanged).
        """
        size_needed = DWORD()
        # Deliberately tiny probe buffer: the first call exists only to make the
        # kernel report the required size in size_needed.
        fsize = 8
        fbuffer = ctypes.c_buffer(fsize)
        try:
            winproxy.NtQueryObject(None, gdef.ObjectTypesInformation, fbuffer, fsize, ctypes.byref(size_needed))
        except WindowsError as e:
            if e.code != STATUS_INFO_LENGTH_MISMATCH:
                raise
        else:
            # 8 bytes were enough?  This WIP code does not parse that case:
            # the generator simply ends without yielding anything.
            return

        # Looks like the Wow64 syscall emulation is broken :D
        # It writes AFTER the buffer if we are a wow64 process :D
        # So better allocate a standalone buffer (so an overrun triggers an
        # ACCESS_VIOLATION) than corrupt the heap. The extra 0x200 bytes of
        # slack are meant to keep even that worst case from happening.
        size = size_needed.value + 0x200
        size_needed.value = 0

        with windows.current_process.allocated_memory(size, gdef.PAGE_READWRITE) as buffer_base:
            winproxy.NtQueryObject(None, gdef.ObjectTypesInformation, buffer_base, size, ctypes.byref(size_needed))
            # Cache some exceptions ?
            # Parse the buffer data in-place as strings are address-dependent
            # (the UNICODE_STRING buffers point into this allocation).
            types_info = gdef.OBJECT_TYPES_INFORMATION.from_address(buffer_base)
            # Looks like the size of the struct is PTR aligned as the struct is followed by other stuff
            # (author's observation: the first entry starts one pointer into the buffer).
            offset = ctypes.sizeof(gdef.PVOID)
            for i in range(types_info.NumberOfTypes):
                info = gdef.PUBLIC_OBJECT_TYPE_INFORMATION.from_address(buffer_base + offset)
                yield info
                # Each entry is the fixed struct followed by its name data
                # (MaximumLength bytes), then padded up to pointer alignment.
                offset += ctypes.sizeof(gdef.PUBLIC_OBJECT_TYPE_INFORMATION) + info.TypeName.MaximumLength
                if offset % ctypes.sizeof(gdef.PVOID):
                    offset += ctypes.sizeof(gdef.PVOID) - (offset % ctypes.sizeof(gdef.PVOID))
        # End-of ctx-manager: the allocation is gone, so no item may be yielded after this point.
        return
 def _get_object_type(self):
     """Return the type name of ``self.local_handle`` via NtQueryObject(ObjectTypeInformation).

     A fixed-size PUBLIC_OBJECT_TYPE_INFORMATION is tried first; if the
     kernel answers STATUS_INFO_LENGTH_MISMATCH the query is repeated with a
     buffer of the size it reported. Any other NtQueryObject failure
     propagates unchanged.

     Returns:
         str: the object's type name (``TypeName.str``).

     Raises:
         WindowsError: NtQueryObject failures other than a length mismatch
             on the first call (failures of the retry propagate as-is).
     """
     handle = self.local_handle
     needed = gdef.DWORD()
     type_info = gdef.PUBLIC_OBJECT_TYPE_INFORMATION()
     try:
         winproxy.NtQueryObject(handle, gdef.ObjectTypeInformation,
                                ctypes.byref(type_info), ctypes.sizeof(type_info),
                                ctypes.byref(needed))
     except WindowsError as err:
         # Only a length mismatch is recoverable: the kernel has told us how
         # much room the full answer needs, so ask again with that much.
         if err.code != gdef.STATUS_INFO_LENGTH_MISMATCH:
             raise
         wanted = needed.value
         raw = ctypes.c_buffer(wanted)
         winproxy.NtQueryObject(handle, gdef.ObjectTypeInformation, raw, wanted, ctypes.byref(needed))
         # from_buffer_copy copies only the fixed struct; the name text
         # presumably stays inside `raw`, which is still alive when
         # TypeName.str is read below — TODO confirm.
         type_info = gdef.PUBLIC_OBJECT_TYPE_INFORMATION.from_buffer_copy(raw)
     return type_info.TypeName.str
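 def _get_object_type(self):
     """Return the type name of ``self.local_handle`` via NtQueryObject(ObjectTypeInformation).

     A fixed-size EPUBLIC_OBJECT_TYPE_INFORMATION is tried first; when that
     call fails and the kernel has reported a required size, the query is
     repeated with a buffer of that size. A failure that reports no size
     (bad handle, access denied, ...) is re-raised instead of being masked
     by a second, unrelated NtQueryObject error on an empty buffer.

     Returns:
         str: the object's type name (``TypeName.str``).

     Raises:
         Exception: whatever NtQueryObject raised when no retry is possible,
             or the error of the retry itself.
     """
     lh = self.local_handle
     xxx = EPUBLIC_OBJECT_TYPE_INFORMATION()
     size_needed = DWORD()
     try:
         winproxy.NtQueryObject(lh, ObjectTypeInformation,
                                ctypes.byref(xxx), ctypes.sizeof(xxx),
                                ctypes.byref(size_needed))
     except Exception:
         # NOTE(review): the wrapper's exception class is not visible from
         # this snippet, so the catch stays broad. The retry is only
         # meaningful when the kernel filled in the required size; if it is
         # still 0 the failure was not a length problem, so surface it.
         if not size_needed.value:
             raise
         size = size_needed.value
         buffer = ctypes.c_buffer(size)
         winproxy.NtQueryObject(lh, ObjectTypeInformation, buffer, size,
                                ctypes.byref(size_needed))
         # from_buffer_copy copies only the fixed struct; the name text
         # presumably remains in `buffer`, still alive when .str is read
         # below — TODO confirm.
         xxx = EPUBLIC_OBJECT_TYPE_INFORMATION.from_buffer_copy(buffer)
     return xxx.TypeName.str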
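 def _get_object_basic_infos(self):
     """Return the PUBLIC_OBJECT_BASIC_INFORMATION of ``self.local_handle``.

     Issues a single NtQueryObject(ObjectBasicInformation) call into a
     struct of the fixed size; no retry is needed because the answer has a
     fixed size as well.

     Returns:
         PUBLIC_OBJECT_BASIC_INFORMATION: the structure filled by the kernel.

     Raises:
         whatever ``winproxy.NtQueryObject`` raises on failure (e.g. an
         invalid handle); nothing is caught here.
     """
     lh = self.local_handle
     size_needed = DWORD()
     basic_infos = PUBLIC_OBJECT_BASIC_INFORMATION()
     # size_needed is required by the call signature but not inspected:
     # the struct is already the full answer.
     winproxy.NtQueryObject(lh, ObjectBasicInformation, ctypes.byref(basic_infos), ctypes.sizeof(basic_infos), ctypes.byref(size_needed))
     return basic_infos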
 def _get_object_name(self):
     """Return the name of ``self.local_handle`` via NtQueryObject(ObjectNameInformation).

     A single 0x1000-byte buffer is used and there is no retry: a name that
     needs more than that is not handled here (the NtQueryObject failure
     propagates).

     Returns:
         str: the object name (``LSA_UNICODE_STRING.str``).

     Raises:
         whatever ``winproxy.NtQueryObject`` raises on failure, and
         ValueError from from_buffer_copy if fewer bytes than an
         LSA_UNICODE_STRING were returned.
     """
     handle = self.local_handle
     returned = DWORD()
     raw = ctypes.c_buffer(0x1000)
     winproxy.NtQueryObject(handle, ObjectNameInformation, ctypes.byref(raw),
                            ctypes.sizeof(raw), ctypes.byref(returned))
     # Hand only the bytes the kernel reported to from_buffer_copy; the
     # string's Buffer pointer presumably still points into `raw`, so .str
     # is read before this frame (and `raw`) goes away — TODO confirm.
     written = raw[:returned.value]
     return LSA_UNICODE_STRING.from_buffer_copy(written).str