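def enumerate_type():
    """WIP: DO NOT USE.

    Yield a ``gdef.PUBLIC_OBJECT_TYPE_INFORMATION`` for each object type the kernel
    reports through ``NtQueryObject(None, ObjectTypesInformation)``.

    The query is issued twice: a probe with an 8-byte buffer to learn the size the
    kernel wants, then the real call into a standalone ``allocated_memory`` region
    that is parsed in place (the embedded ``TypeName`` strings are pointers into that
    region, so the data cannot simply be copied out).

    Yields:
        ``gdef.PUBLIC_OBJECT_TYPE_INFORMATION`` structures mapped (``from_address``)
        onto the backing allocation. They are only valid while the generator is
        suspended inside its ``with`` block: once iteration completes or the
        generator is closed, the region is released and any retained structure (or
        its ``TypeName``) is a dangling view into freed memory.

    Raises:
        WindowsError: any probe status other than ``STATUS_INFO_LENGTH_MISMATCH``,
            or any failure of the real query.
        ValueError: the kernel reported more bytes than were allocated, or an entry
            (its header or its name bytes) would extend past the allocation.
            ``NumberOfTypes`` and ``TypeName.MaximumLength`` are read from the
            buffer itself, so they are bounded before being used as offsets rather
            than trusted.
    """
    size_needed = DWORD()
    probe_size = 8
    probe = ctypes.c_buffer(probe_size)
    try:
        winproxy.NtQueryObject(None, gdef.ObjectTypesInformation, probe, probe_size, ctypes.byref(size_needed))
    except WindowsError as e:
        if e.code != STATUS_INFO_LENGTH_MISMATCH:
            raise
    else:
        # 8 bytes were somehow enough: nothing to parse (behaviour kept from the WIP version).
        return

    # The Wow64 syscall emulation has been observed to write PAST the end of the
    # supplied buffer when the caller is a wow64 process. Over-allocate, and use a
    # standalone region rather than a heap object so that an overrun faults
    # (ACCESS_VIOLATION) instead of silently corrupting the Python heap.
    size = size_needed.value + 0x200
    size_needed.value = 0
    ptr_size = ctypes.sizeof(gdef.PVOID)
    entry_size = ctypes.sizeof(gdef.PUBLIC_OBJECT_TYPE_INFORMATION)
    with windows.current_process.allocated_memory(size, gdef.PAGE_READWRITE) as buffer_base:
        winproxy.NtQueryObject(None, gdef.ObjectTypesInformation, buffer_base, size, ctypes.byref(size_needed))
        if size_needed.value > size:
            # The kernel claims it wrote more than it was given: the buffer has
            # already been overrun (see above); do not trust its contents.
            raise ValueError("NtQueryObject reported {0} bytes for a {1}-byte buffer".format(size_needed.value, size))
        types_info = gdef.OBJECT_TYPES_INFORMATION.from_address(buffer_base)
        # The header is pointer-aligned: the first entry starts sizeof(PVOID) in,
        # not sizeof(OBJECT_TYPES_INFORMATION).
        offset = ptr_size
        for _ in range(types_info.NumberOfTypes):
            if offset + entry_size > size:
                raise ValueError("object type entry at offset {0} exceeds the {1}-byte buffer".format(offset, size))
            info = gdef.PUBLIC_OBJECT_TYPE_INFORMATION.from_address(buffer_base + offset)
            # Each fixed-size entry is immediately followed by its TypeName
            # characters (TypeName.MaximumLength bytes). Bound the name before
            # handing the entry out so a consumer reading TypeName stays in bounds.
            next_offset = offset + entry_size + info.TypeName.MaximumLength
            if next_offset > size:
                raise ValueError("TypeName of entry at offset {0} exceeds the {1}-byte buffer".format(offset, size))
            yield info
            # The next entry is re-aligned to a pointer boundary.
            offset = -(-next_offset // ptr_size) * ptr_size
    # Leaving the ``with`` block released the region; nothing yielded above is valid any more.
    return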
def _get_object_type(self):
    """Return the kernel object type name (e.g. ``"File"``) of ``self.local_handle``.

    Issues ``NtQueryObject(ObjectTypeInformation)`` against a bare
    ``gdef.PUBLIC_OBJECT_TYPE_INFORMATION`` first; when the kernel answers
    ``STATUS_INFO_LENGTH_MISMATCH`` (the name has to follow the struct), the
    query is repeated with the exact size it asked for.

    Returns:
        str: ``TypeName.str`` of the queried structure.

    Raises:
        WindowsError: re-raised unchanged for any status other than
        ``STATUS_INFO_LENGTH_MISMATCH`` on the first call, or for any failure
        of the second call.
    """
    handle = self.local_handle
    needed = gdef.DWORD()
    type_info = gdef.PUBLIC_OBJECT_TYPE_INFORMATION()
    try:
        winproxy.NtQueryObject(handle, gdef.ObjectTypeInformation, ctypes.byref(type_info), ctypes.sizeof(type_info), ctypes.byref(needed))
    except WindowsError as err:
        # Only a too-small buffer is worth a retry; anything else is the caller's problem.
        if err.code != gdef.STATUS_INFO_LENGTH_MISMATCH:
            raise
        raw_size = needed.value
        raw = ctypes.c_buffer(raw_size)
        winproxy.NtQueryObject(handle, gdef.ObjectTypeInformation, raw, raw_size, ctypes.byref(needed))
        # from_buffer_copy duplicates the fixed header only; TypeName.Buffer keeps
        # pointing into ``raw``, which stays alive until the ``.str`` read below.
        type_info = gdef.PUBLIC_OBJECT_TYPE_INFORMATION.from_buffer_copy(raw)
    return type_info.TypeName.str
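def _get_object_type(self):
    """Return the kernel object type name (e.g. ``"File"``) of ``self.local_handle``.

    Issues ``NtQueryObject(ObjectTypeInformation)`` against a bare
    ``EPUBLIC_OBJECT_TYPE_INFORMATION`` first; when the kernel answers
    ``STATUS_INFO_LENGTH_MISMATCH`` (the name has to follow the struct), the
    query is repeated with the exact size it asked for.

    Returns:
        str: ``TypeName.str`` of the queried structure.

    Raises:
        WindowsError: re-raised unchanged for any status other than
        ``STATUS_INFO_LENGTH_MISMATCH`` on the first call (invalid or closed
        handle, access denied, ...), or for any failure of the second call.
    """
    lh = self.local_handle
    xxx = EPUBLIC_OBJECT_TYPE_INFORMATION()
    size_needed = DWORD()
    try:
        winproxy.NtQueryObject(lh, ObjectTypeInformation, ctypes.byref(xxx), ctypes.sizeof(xxx), ctypes.byref(size_needed))
    except WindowsError as e:
        # Only a too-small probe buffer warrants a retry. Propagate everything else
        # instead of masking it behind a second call with size_needed == 0.
        if e.code != STATUS_INFO_LENGTH_MISMATCH:
            raise
        size = size_needed.value
        buffer = ctypes.c_buffer(size)
        winproxy.NtQueryObject(lh, ObjectTypeInformation, buffer, size, ctypes.byref(size_needed))
        # from_buffer_copy duplicates the fixed header only; TypeName.Buffer keeps
        # pointing into ``buffer``, which stays alive until the ``.str`` read below.
        xxx = EPUBLIC_OBJECT_TYPE_INFORMATION.from_buffer_copy(buffer)
    return xxx.TypeName.str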
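def _get_object_basic_infos(self):
    """Return the ``PUBLIC_OBJECT_BASIC_INFORMATION`` of ``self.local_handle``.

    A single ``NtQueryObject(ObjectBasicInformation)`` call is made: this info
    class is a fixed-size structure with no trailing string, so unlike the
    type/name queries there is no size probe and no retry.

    Returns:
        PUBLIC_OBJECT_BASIC_INFORMATION: the structure filled in by the kernel.

    Raises:
        WindowsError: propagated unchanged from ``winproxy.NtQueryObject``.
    """
    lh = self.local_handle
    size_needed = DWORD()
    basic_infos = PUBLIC_OBJECT_BASIC_INFORMATION()
    winproxy.NtQueryObject(lh, ObjectBasicInformation, ctypes.byref(basic_infos), ctypes.sizeof(basic_infos), ctypes.byref(size_needed))
    return basic_infos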
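def _get_object_name(self):
    """Return the object-manager name of the object behind ``self.local_handle``.

    Queries ``NtQueryObject(ObjectNameInformation)`` into a 0x1000-byte buffer,
    which fits most names; if the kernel answers ``STATUS_INFO_LENGTH_MISMATCH``
    the query is retried once with exactly the size it reported, instead of
    failing on long NT paths (which can exceed 4 KiB).

    Returns:
        str: ``LSA_UNICODE_STRING.str`` of the returned name.

    Raises:
        WindowsError: any status other than ``STATUS_INFO_LENGTH_MISMATCH`` on
        the first call, or any failure of the retry.

    NOTE(review): NtQueryObject(ObjectNameInformation) is known to block
    indefinitely on some handle types (e.g. synchronous named pipes with a
    pending operation); handle-enumeration tools issue it from a worker thread
    with a timeout. Nothing here does that, so confirm the handle's origin
    before calling this on arbitrary handles.
    """
    lh = self.local_handle
    size_needed = DWORD()
    yyy = ctypes.c_buffer(0x1000)
    try:
        winproxy.NtQueryObject(lh, ObjectNameInformation, ctypes.byref(yyy), ctypes.sizeof(yyy), ctypes.byref(size_needed))
    except WindowsError as e:
        if e.code != STATUS_INFO_LENGTH_MISMATCH:
            raise
        # Retry with exactly the size the kernel asked for.
        yyy = ctypes.c_buffer(size_needed.value)
        winproxy.NtQueryObject(lh, ObjectNameInformation, ctypes.byref(yyy), ctypes.sizeof(yyy), ctypes.byref(size_needed))
    # from_buffer_copy duplicates the UNICODE_STRING header only; its Buffer pointer
    # still refers into ``yyy``, which must stay alive until ``.str`` has been read
    # (it does: same statement, same scope).
    return LSA_UNICODE_STRING.from_buffer_copy(yyy[:size_needed.value]).str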