1.9.3

For a complete list of changes see changelog.txt in the sources directory.
hfiref0x · May 16, 2022 · 5a41727 · 5a41727
1 parent 143f082
commit 5a41727
Show file tree

Hide file tree

Showing 8 changed files with 63 additions and 14 deletions.
diff --git a/Compiled/WinObjEx64.chm b/Compiled/WinObjEx64.chm
diff --git a/Compiled/WinObjEx64.exe b/Compiled/WinObjEx64.exe
diff --git a/Source/CHANGELOG.txt b/Source/CHANGELOG.txt
@@ -1,7 +1,8 @@
 v1.9.3
 updated SeCiCallbacks search for newest Windows versions
-fixed win32k ApiSet resolving for Win10 21H2
-fixed ObCallbacks enumeration issues
+added Windows Server 2022 support
+fix win32k ApiSet resolving for Win10 21H2
+fix ObCallbacks enumeration issues
 support for various kernel driver helpers
 ported to msvc 2022 (with backward compatibility to 2019)
 bugfixes

diff --git a/Source/Shared/ntos/ntbuilds.h b/Source/Shared/ntos/ntbuilds.h
@@ -4,9 +4,9 @@
 *
 *  TITLE:       NTBUILDS.H
 *
-*  VERSION:     1.10
+*  VERSION:     1.11
 *
-*  DATE:        13 May 2022
+*  DATE:        15 May 2022
 *
 *  Windows NT builds definition file.
 *
@@ -73,6 +73,9 @@
 // Windows 10 21H2
 #define NT_WIN10_21H2           19044
 
+// Windows Server 2022
+#define NT_WINSRV_21H1          20348
+
 // Windows 11 21H2
 #define NT_WIN11_21H2           22000
 

diff --git a/Source/WinObjEx64/extras/extrasCallbacks.c b/Source/WinObjEx64/extras/extrasCallbacks.c
@@ -32,6 +32,7 @@
 #define CBT_SIZE_19HX         0xD0
 #define CBT_SIZE_VB_V1        0xD0
 #define CBT_SIZE_VB_V2        0xE8
+#define CBT_SIZE_FE_V1        0xF8
 #define CBT_SIZE_CO_V1        0x100
 #define CBT_SIZE_NI_V1        0xF8
 #define CBT_SIZE_CU_V1        0xF8
@@ -59,6 +60,8 @@ CBT_MAPPING g_CbtMapping[] = {
     { NT_WIN10_21H2, NTDDI_WIN10_VB, CBT_SIZE_VB_V1 },
     { NT_WIN10_21H2, NTDDI_WIN10_VB, CBT_SIZE_VB_V2 },
 
+    { NT_WINSRV_21H1, NTDDI_WIN10_FE, CBT_SIZE_FE_V1 },
+
     { NT_WIN11_21H2, NTDDI_WIN10_CO, CBT_SIZE_CO_V1 },
     { NT_WIN11_22H2, NTDDI_WIN10_NI, CBT_SIZE_NI_V1 },
     { NTX_WIN11_ADB, NTDDI_WIN10_CU, CBT_SIZE_CU_V1 }
@@ -564,6 +567,41 @@ static const BYTE CiCallbackIndexes_Win1021H2_V2[] = {
     Id_CiDeleteCodeIntegrityOriginClaimForFileObject
 };
 
+//
+// Windows Server 2022
+//
+static const BYTE CiCallbacksIndexes_WinSrv21H2[] = {
+    Id_CiSetFileCache,
+    Id_CiGetFileCache,
+    Id_CiQueryInformation,
+    Id_CiValidateImageHeader,
+    Id_CiValidateImageData,
+    Id_CiHashMemory,
+    Id_KappxIsPackageFile,
+    Id_CiCompareSigningLevels,
+    Id_CiValidateFileAsImageType,
+    Id_CiRegisterSigningInformation,
+    Id_CiUnregisterSigningInformation,
+    Id_CiInitializePolicy,
+    Id_CiReleaseContext,
+    Id_XciUnknownCallback,
+    Id_CiGetStrongImageReference,
+    Id_CiHvciSetImageBaseAddress,
+    Id_CipQueryPolicyInformation,
+    Id_CiValidateDynamicCodePages,
+    Id_CiQuerySecurityPolicy,
+    Id_CiRevalidateImage,
+    Id_CiSetInformation,
+    Id_CiSetInformationProcess,
+    Id_CiGetBuildExpiryTime,
+    Id_CiCheckProcessDebugAccessPolicy,
+    Id_CiGetCodeIntegrityOriginClaimForFileObject,
+    Id_CiDeleteCodeIntegrityOriginClaimMembers,
+    Id_CiDeleteCodeIntegrityOriginClaimForFileObject,
+    Id_CiHvciReportMmIncompatibility,
+    Id_CiCompareExistingSePool
+};
+
 //
 // Windows 11 21H2
 //
@@ -716,10 +754,16 @@ LPWSTR GetCiRoutineNameFromIndex(
         }
         break;
 
+    case NT_WINSRV_21H1:
+        Indexes = CiCallbacksIndexes_WinSrv21H2;
+        ArrayCount = RTL_NUMBER_OF(CiCallbacksIndexes_WinSrv21H2);
+        break;
+
     case NT_WIN11_21H2:
         Indexes = CiCallbackIndexes_Win11;
         ArrayCount = RTL_NUMBER_OF(CiCallbackIndexes_Win11);
         break;
+
     case NT_WIN11_22H2:
     case NTX_WIN11_ADB:
     default:

diff --git a/Source/WinObjEx64/extras/extrasSSDT.c b/Source/WinObjEx64/extras/extrasSSDT.c
@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.93
 *
-*  DATE:        11 May 2022
+*  DATE:        15 May 2022
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -1110,7 +1110,7 @@ NTSTATUS SdtResolveServiceEntryModule(
             ApiSetReference = ApiSetExtractReferenceFromAdapter(FunctionPtr);
             if (ApiSetReference) {
 
-                if (g_NtBuildNumber >= NT_WIN11_21H2)
+                if (g_NtBuildNumber >= NT_WINSRV_21H1)
                     ApiSetTableEntrySize = sizeof(W32K_API_SET_TABLE_ENTRY_V2);
                 else
                     ApiSetTableEntrySize = sizeof(W32K_API_SET_TABLE_ENTRY);

diff --git a/Source/WinObjEx64/kldbg.c b/Source/WinObjEx64/kldbg.c
@@ -821,6 +821,7 @@ PVOID ObDumpSymbolicLinkObjectVersionAware(
         objectSize = sizeof(OBJECT_SYMBOLIC_LINK_V4);
         objectVersion = OBVERSION_OBJECT_SYMBOLIC_LINK_V4;
         break;
+    case NT_WINSRV_21H1:
     case NT_WIN11_21H2:
     case NT_WIN11_22H2:
     default:
@@ -961,7 +962,7 @@ PVOID ObDumpFltFilterObjectVersionAware(
         objectVersion = OBVERSION_FLT_FILTER_V2;
     }
     else if (g_NtBuildNumber >= NT_WIN10_THRESHOLD1 &&
-        g_NtBuildNumber < NT_WIN11_21H2)
+        g_NtBuildNumber < NT_WINSRV_21H1)
     {
         objectSize = sizeof(FLT_FILTER_V3);
         objectVersion = OBVERSION_FLT_FILTER_V3;

diff --git a/WinObjEx64.sha256 b/WinObjEx64.sha256
@@ -3,8 +3,8 @@ e192abb83dded0fe227f3fe69cb0ac7aaa197941917afd497b4cf8796a03e041 *Compiled\WHATS
 fa001b1ac9bbbb6c954d5dd609de60fa2b0277a6cfe35f6428591e4b4b1e8453 *Compiled\WHATSNEW_180.md
 764927e79e6226e9a5185b0672b5b6422c27f6c4955afa45b6e3032a766797e4 *Compiled\WHATSNEW_187.md
 d3c54e144f4ea198d761a0c89764d6cd39da19c0aa51661a9f37135e4f842a85 *Compiled\WHATSNEW_190.md
-5e4e1ffe4b44b198d8941e1d633ec7095a12aacbedc78c2d5474eadb69b05de0 *Compiled\WinObjEx64.chm
-2978e252bd179ab1c579053aee623922bdbdb80b293423f9e443a9d79c98618c *Compiled\WinObjEx64.exe
+85ea539802640fce924ee0dda14d9a0ed3e786f5ca131c4ae0815f7beeba69f8 *Compiled\WinObjEx64.chm
+6f5110d724a0b88251003f2845a8dec2dfd73cc68e9506c2c07ea14049cfbca0 *Compiled\WinObjEx64.exe
 ed5cef250f9734689aa07c111ca1b2a639d307c27925ce6a45d3c3ca7b050782 *Compiled\plugins\ApiSetView.dll
 57267abde07d6f1a47633cc7b8a4f4b17ec902f16db1358b218f38e7e0e020de *Compiled\plugins\ExamplePlugin.dll
 98bfaf17e411c56e3192467c506024ae25a60e304fd595fcdd12f3208bddf1c2 *Compiled\plugins\ImageScope.dll
@@ -38,7 +38,7 @@ cb66fca90766db12474ce057436364dabaf3e948f6ffa7e9651f869656f0b33c *Screenshots\Vi
 ef65a909e8d9bc7ec94ecbc0f465f24a7968d6675eadf7f25f6414c66d6b28be *Screenshots\ViewingTypeInformation.png
 db0ab26d20a62ba7c9c844e916e88168b72a7e52932d3483eb2d0a2e535b75a8 *Screenshots\ViewingUserSharedData.png
 9e2b64f390c609172c5791dd138a748d31bf4d2cc839f01dbd514afe1cdfd083 *Screenshots\W32pServiceTableView.png
-748027fa2c6d886cb1ee739f9f643b19aa2b667b3bdf9e9642bb93601d40ef11 *Source\CHANGELOG.txt
+fee4d907e7334c03234ce4a359185d9030d626195bcb36a607de0b1ca185da27 *Source\CHANGELOG.txt
 a44ef414ebf68889488938116fa7e51dc484b038b9c0a247d2b872d5b00e4692 *Source\FILELIST.txt
 fb5db833eb13f6c7812cf9b8ca2b2e4f60b9133b700edd2065c3431c41509911 *Source\TypesWithNoDesc.txt
 89f58de2ad50d5abba574acb90cc06454322a83bf0f4cc0da7e77201fde10d18 *Source\WinObjEx64.sln
@@ -122,7 +122,7 @@ c902616e5949b38a2700741c775417f9a52270a469864d9ef033664682bdc458 *Source\Shared\
 7a58407999eb9aa3713de75b58a5d7ac6b8a08edbcc78322c26186ad138b8f79 *Source\Shared\ntos\apisetx.h
 8acab5c8b8b339bdaf8e7b7d06f2cd6b10d24f889ef92462e4e53abbc5dc5341 *Source\Shared\ntos\halamd64.h
 ffac2569a1dd61c400cda45839c7314bdd99cfcb5c17d503807db34c168628d2 *Source\Shared\ntos\ntalpc.h
-baf7ca110fcdf8d039b8d81f86db8b9682d6525c3169766d59518d8237fcc0f7 *Source\Shared\ntos\ntbuilds.h
+5466a593ef80249a2517395e666b6cf35e21d4b8c05ec6dc9abb544746301651 *Source\Shared\ntos\ntbuilds.h
 69a2ac18f7ae51f231ff70195e914fdf1331564d7e109d052d8c0e6f2c6760a4 *Source\Shared\ntos\ntldr.c
 083d71cbe45e72854cfc45e20b85ec805c8dd66f18c3a111236195a980c44333 *Source\Shared\ntos\ntldr.h
 e5d1529d60c32c706a138054683ab83836d46f53ddaac6f628556dcc5c34dc52 *Source\Shared\ntos\ntos.h
@@ -151,7 +151,7 @@ b99d842f28687ed582aa3e3f64931367a2c5af5c09f25c08d4c76b804ea3609f *Source\WinObjE
 73cf303d356bdb84cd7725fe31a11d4822500f86cb529220fb278e764652350d *Source\WinObjEx64\global.h
 efae658152f746d41a6e03d13b9035410cf90cd859140ecc744d2dfa3b773c2a *Source\WinObjEx64\hash.c
 e79c1a5016f2d227be91eb345f08f515902144c63e3b09403a2d99dc8e8e771a *Source\WinObjEx64\hash.h
-26e0f43194e6df10a17899fce011cecd3a681e3ce49abf4db07620d46d272738 *Source\WinObjEx64\kldbg.c
+5d6ce74c927dd5c83453a3e4b3afe445cea0f2166f685ca9e4a63b781962cfde *Source\WinObjEx64\kldbg.c
 9334002538cbb1acbc69bdec5699c7e6526e9ca51094518c2c1a2ba277b37396 *Source\WinObjEx64\kldbg.h
 1f0d722b6cd9b6d5c5f3ec1a7e110ce579c5d025a34a46a373a9d63cc9d85bbb *Source\WinObjEx64\kldbg_patterns.h
 27123a22007dd66a9dc7fc43428cfbe511d4ea5f7386319db151f3428ad4cc28 *Source\WinObjEx64\ksymbols.h
@@ -187,7 +187,7 @@ d519634f47890a27dfe69452e5b8d875d37f16f0b90ac17395d2de439114bc11 *Source\WinObjE
 7ab886ac9e571d7a2f6abc1739caca3083deed2b7b43e0555d06b075f1ae6d3d *Source\WinObjEx64\drivers\winio.h
 09658136195c72f423380fbe0067a71d96dc37f44575f61359d8697b5f0bf290 *Source\WinObjEx64\extras\extras.c
 78b3b28fe2d97bba5c26c886eb21bb40a25a3ce6dbb74fc56a3ea88be3e4d80b *Source\WinObjEx64\extras\extras.h
-a36d47ac587c25163c72cd5616a6ae48177c36424c414c9fbe778a8b51010124 *Source\WinObjEx64\extras\extrasCallbacks.c
+8025021b48ed415862ce75cff7857bbb985230022a7e351ca606b5709c6fe4c7 *Source\WinObjEx64\extras\extrasCallbacks.c
 8ad8cd16888a2104a4062c02671cb72c31d28bb644357d720238254507b291ea *Source\WinObjEx64\extras\extrasCallbacks.h
 ee85df23ea5d5a15e6f066113e923555283c1f78be2c62ed47a9ed4e1384c49a *Source\WinObjEx64\extras\extrasCallbacksPatterns.h
 855b538887257b2b74b05106aa00e29002665177579a60de14fb5d1cdfb9491d *Source\WinObjEx64\extras\extrasDrivers.c
@@ -200,7 +200,7 @@ bc729f15f0c144d62f203f48e2f2b1f5025a00dec320435486caffc355936006 *Source\WinObjE
 f13067275674be1c09101fc4fc83aaebd645cd5941f9b684eca456b233ab43e3 *Source\WinObjEx64\extras\extrasPSList.h
 9eedb67973d123b2f653d48eb0e4821379566b6d63cad232b87f15a95ce78745 *Source\WinObjEx64\extras\extrasSL.c
 cc193609496cab4b684e4d1b35ac2833a2da61cfaf7c87345e0a5b1f519cbbee *Source\WinObjEx64\extras\extrasSL.h
-96d1f096c2a04b5ab9b66f9e8b361037b86725728e9a78cf9a9a3e15acfd4a5b *Source\WinObjEx64\extras\extrasSSDT.c
+337ca24957169048f91cfa9ef317136071142738600ba536006723181a3ecc7c *Source\WinObjEx64\extras\extrasSSDT.c
 224c6c7075a98ea440834fc0e9743d0131fdcccdf2bb3eec941a92c20ddb7906 *Source\WinObjEx64\extras\extrasSSDT.h
 38373e28340e915afe34b7cea2bdc2c05704a0dd019728d7bbf5b3b51abfd0de *Source\WinObjEx64\extras\extrasUSD.c
 8cfdcc5659dd647e197dc77f37b4fc5ae7c2b7f6245e6249d3bf600f9afb1b5e *Source\WinObjEx64\extras\extrasUSD.h