diff --git a/Compiled/WinObjEx64.exe b/Compiled/WinObjEx64.exe
index b2fba40..6d70c36 100644
Binary files a/Compiled/WinObjEx64.exe and b/Compiled/WinObjEx64.exe differ
diff --git a/Source/Shared/ntos/ntbuilds.h b/Source/Shared/ntos/ntbuilds.h
index ac07646..614c8d4 100644
--- a/Source/Shared/ntos/ntbuilds.h
+++ b/Source/Shared/ntos/ntbuilds.h
@@ -89,5 +89,5 @@
 #define NT_WIN11_23H2 22631
 
 // Windows 11 Active Development Branch
-#define NT_WIN11_24H2 26120 //canary (24H2)
+#define NT_WIN11_24H2 26100 //canary (24H2)
 #define NT_WIN11_25H2 26212 //canary (25H2)
diff --git a/Source/WinObjEx64/Resource.rc b/Source/WinObjEx64/Resource.rc
index 86a448a..5f6f534 100644
Binary files a/Source/WinObjEx64/Resource.rc and b/Source/WinObjEx64/Resource.rc differ
diff --git a/Source/WinObjEx64/extras/extrasCallbacks.c b/Source/WinObjEx64/extras/extrasCallbacks.c
index 1847c4c..1c69bdf 100644
--- a/Source/WinObjEx64/extras/extrasCallbacks.c
+++ b/Source/WinObjEx64/extras/extrasCallbacks.c
@@ -6,7 +6,7 @@
 *
 * VERSION: 2.05
 *
-* DATE: 12 Apr 2024
+* DATE: 12 Jul 2024
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -1150,7 +1150,15 @@ OBEX_FINDCALLBACK_ROUTINE(FindCiCallbacks)
     return kvarAddress;
 }
 
-BOOL IopFileSystemIsValidPattern(
+/*
+* IopFileSystemIsKnownPattern
+*
+* Purpose:
+*
+* Tests IoRegisterFileSystem function pattern to be known.
+*
+*/
+BOOL IopFileSystemIsKnownPattern(
     _In_ PBYTE Buffer,
     _In_ ULONG Offset,
     _In_ ULONG InstructionSize
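Review bot: The value of NT_WIN11_24H2 moves from 26120 to 26100 but the trailing comment still reads `//canary (24H2)`; 26100 is, to my knowledge, the build that shipped as 24H2 rather than a canary build, so the comment now misdescribes the constant. Because the new code in extrasCallbacks.c and kldbg.c branches on this value with both `==` and `>=`, the comment should state what the number denotes, e.g. `#define NT_WIN11_24H2 26100 // Windows 11 24H2 (release build)`. Builds 26100–26119, which previously took the pre-24H2 path, now take the 24H2 path; that appears to be the intent, but it is worth saying in the commit message.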
@@ -1158,42 +1166,229 @@ BOOL IopFileSystemIsValidPattern( { BOOL bResult = FALSE; - if (g_NtBuildNumber <= NT_WIN11_21H2) { - - // - // lea rdx, xxx - // - if ((Buffer[Offset] == 0x48) && - (Buffer[Offset + 1] == 0x8D) && - (Buffer[Offset + 2] == 0x0D) && - ((Buffer[Offset + InstructionSize] == 0x48) || (Buffer[Offset + InstructionSize] == 0xE9))) - { - bResult = TRUE; - } + BYTE inst3byte; + BYTE nextInstructionByte1, nextInstructionByte2; + if (g_NtBuildNumber <= NT_WIN11_21H2) { + inst3byte = 0x0D; + nextInstructionByte1 = 0x48; + nextInstructionByte2 = 0xE9; } else { //win11 22h1+ - // - // mov rcx, xxx - // - if ((Buffer[Offset] == 0x48) && - (Buffer[Offset + 1] == 0x8B) && - (Buffer[Offset + 2] == 0x0D) && - ( - (Buffer[Offset + InstructionSize] == 0x48) || - (Buffer[Offset + InstructionSize] == 0xE9) || - (Buffer[Offset + InstructionSize] == 0x8B)) - ) + switch (g_NtBuildNumber) { - bResult = TRUE; + case NT_WIN11_21H2: + inst3byte = 0x0D; + nextInstructionByte1 = 0x48; + nextInstructionByte2 = 0xE9; + break; + + case NT_WIN11_22H2: + case NT_WIN11_23H2: + inst3byte = 0x15; + nextInstructionByte1 = 0x0F; + nextInstructionByte2 = 0xE9; + break; + + case NT_WIN11_24H2: + default: + inst3byte = 0x15; + nextInstructionByte1 = 0x0F; + nextInstructionByte2 = 0xEB; + break; } + } + if ((Buffer[Offset] == 0x48) && + (Buffer[Offset + 1] == 0x8D) && + (Buffer[Offset + 2] == inst3byte) && + ((Buffer[Offset + InstructionSize] == nextInstructionByte1) || (Buffer[Offset + InstructionSize] == nextInstructionByte2))) + { + bResult = TRUE; } return bResult; } +/* +* LookupIopFileSystemQueueHeads_w7 +* +* Purpose: +* +* Windows 7 version of IoRegisterFileSystem listheads lookup. 
+* +*/ +ULONG LookupIopFileSystemQueueHeads_w7( + _In_ PBYTE Buffer, + _Inout_ ULONG_PTR* IopCdRomFileSystemQueueHead, + _Inout_ ULONG_PTR* IopDiskFileSystemQueueHead, + _Inout_ ULONG_PTR* IopTapeFileSystemQueueHead, + _Inout_ ULONG_PTR* IopNetworkFileSystemQueueHead +) +{ + ULONG Index, Count; + LONG Rel; + ULONG_PTR kvarAddress; + hde64s hs; + + PBYTE ptrCode = Buffer; + Index = 0; + Rel = 0; + Count = 0; + + do { + hde64_disasm(ptrCode + Index, &hs); + if (hs.flags & F_ERROR) + break; + + if (hs.len == 7) { + // + // lea rdx, xxx + // + if ((ptrCode[Index] == 0x48) && + (ptrCode[Index + 1] == 0x8D) && + (ptrCode[Index + 2] == 0x15)) + { + Rel = *(PLONG)(ptrCode + Index + 3); + if (Rel) { + + kvarAddress = kdAdjustAddressToNtOsBase((ULONG_PTR)ptrCode, Index, hs.len, Rel); + + if (kdAddressInNtOsImage((PVOID)kvarAddress)) { + + switch (Count) { + case 0: + *IopNetworkFileSystemQueueHead = kvarAddress; + break; + + case 1: + *IopCdRomFileSystemQueueHead = kvarAddress; + break; + + case 2: + *IopDiskFileSystemQueueHead = kvarAddress; + break; + + case 3: + *IopTapeFileSystemQueueHead = kvarAddress; + break; + } + Count += 1; + if (Count == 4) + break; + } + } + } + + } + + Index += hs.len; + + } while (Index < 512); + + return Count; +} + +/* +* LookupIopFileSystemQueueHeads_w8_11 +* +* Purpose: +* +* Windows 8-11 version of IoRegisterFileSystem listheads lookup. 
+* +*/ +ULONG LookupIopFileSystemQueueHeads_w8_11( + _In_ PBYTE Buffer, + _In_ BOOL Reorder, + _Inout_ ULONG_PTR* IopCdRomFileSystemQueueHead, + _Inout_ ULONG_PTR* IopDiskFileSystemQueueHead, + _Inout_ ULONG_PTR* IopTapeFileSystemQueueHead, + _Inout_ ULONG_PTR* IopNetworkFileSystemQueueHead +) +{ + ULONG Index, Count; + LONG Rel; + ULONG_PTR kvarAddress; + hde64s hs; + + PBYTE ptrCode = Buffer; + Index = 0; + Rel = 0; + Count = 0; + + do { + hde64_disasm(ptrCode + Index, &hs); + if (hs.flags & F_ERROR) + break; + + if (hs.len == 7) { + + if (IopFileSystemIsKnownPattern(ptrCode, Index, hs.len)) { + Rel = *(PLONG)(ptrCode + Index + 3); + if (Rel) { + + kvarAddress = kdAdjustAddressToNtOsBase((ULONG_PTR)ptrCode, Index, hs.len, Rel); + + if (kdAddressInNtOsImage((PVOID)kvarAddress)) { + + if (Reorder) + { + switch (Count) { + + case 0: + *IopNetworkFileSystemQueueHead = kvarAddress; + break; + + case 1: + *IopCdRomFileSystemQueueHead = kvarAddress; + break; + + case 2: + *IopDiskFileSystemQueueHead = kvarAddress; + break; + + case 3: + *IopTapeFileSystemQueueHead = kvarAddress; + break; + } + } + else { + + switch (Count) { + case 0: + *IopDiskFileSystemQueueHead = kvarAddress; + break; + + case 1: + *IopCdRomFileSystemQueueHead = kvarAddress; + break; + + case 2: + *IopNetworkFileSystemQueueHead = kvarAddress; + break; + + case 3: + *IopTapeFileSystemQueueHead = kvarAddress; + break; + } + } + Count += 1; + if (Count == 4) + break; + } + } + } + + } + + Index += hs.len; + + } while (Index < 512); + + return Count; +} + /* * FindIopFileSystemQueueHeads * @@ -1211,12 +1406,10 @@ BOOL FindIopFileSystemQueueHeads( _Out_ ULONG_PTR* IopNetworkFileSystemQueueHead ) { - BOOL bSymQuerySuccess = FALSE; - ULONG Index, Count; - LONG Rel = 0; + BOOL bSymQuerySuccess = FALSE, bReoder; + ULONG Count = 0; ULONG_PTR kvarAddress = 0; PBYTE ptrCode; - hde64s hs; // // Assume failure. 
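Review bot: `case NT_WIN11_21H2:` inside the switch in IopFileSystemIsKnownPattern is unreachable, because the switch lives in the `else` branch of `if (g_NtBuildNumber <= NT_WIN11_21H2)`; either drop that case or drop the outer `if` and let the switch choose the bytes for every build, so there is a single place where each build's pattern is defined. The rewrite also discards the opcode comments the old code carried; the prefix now matched is `48 8D 0D` / `48 8D 15`, i.e. `lea rcx, [rip+rel32]` / `lea rdx, [rip+rel32]`, and a comment such as `// 48 8D 0D|15: lea rcx|rdx, [rip+rel32]; next opcode must be one of the two expected bytes` would keep that readable. In the two new Lookup helpers the queue-head pointers are annotated `_Inout_` although they are only written, while FindIopFileSystemQueueHeads declares the same parameters `_Out_`; `_Out_` on the helpers keeps the SAL contract consistent with the caller. Note that a head the scan did not reach is left untouched by the helpers, so callers must keep relying on the `Count == 4` check rather than on the pointers being initialised.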
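Review bot: `bReoder` in `BOOL bSymQuerySuccess = FALSE, bReoder;` is misspelled and is declared uninitialised on a shared line; the same name is assigned and passed in the following hunk (`bReoder = (g_NtBuildNumber >= NT_WIN11_24H2);`). Declaring it on its own line as `BOOL bReorder = FALSE;` and renaming its two uses reads better and matches the one-declaration-per-line style of the neighbouring `ULONG_PTR kvarAddress = 0;` and `PBYTE ptrCode;`. FindIopFileSystemQueueHeads continues outside this hunk.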
@@ -1281,114 +1474,74 @@ BOOL FindIopFileSystemQueueHeads( if (ptrCode == NULL) return 0; - Index = 0; - Rel = 0; - Count = 0; - if (g_NtBuildNumber < NT_WIN8_RTM) { - do { - hde64_disasm(ptrCode + Index, &hs); - if (hs.flags & F_ERROR) - break; - - if (hs.len == 7) { - // - // lea rdx, xxx - // - if ((ptrCode[Index] == 0x48) && - (ptrCode[Index + 1] == 0x8D) && - (ptrCode[Index + 2] == 0x15)) - { - Rel = *(PLONG)(ptrCode + Index + 3); - if (Rel) { - - kvarAddress = kdAdjustAddressToNtOsBase((ULONG_PTR)ptrCode, Index, hs.len, Rel); - - if (kdAddressInNtOsImage((PVOID)kvarAddress)) { - - switch (Count) { - case 0: - *IopNetworkFileSystemQueueHead = kvarAddress; - break; - - case 1: - *IopCdRomFileSystemQueueHead = kvarAddress; - break; - - case 2: - *IopDiskFileSystemQueueHead = kvarAddress; - break; - - case 3: - *IopTapeFileSystemQueueHead = kvarAddress; - break; - } - Count += 1; - if (Count == 4) - break; - } - } - } - - } - - Index += hs.len; - - } while (Index < 512); - + Count = LookupIopFileSystemQueueHeads_w7(ptrCode, + IopCdRomFileSystemQueueHead, + IopDiskFileSystemQueueHead, + IopTapeFileSystemQueueHead, + IopNetworkFileSystemQueueHead); } else { - do { - hde64_disasm(ptrCode + Index, &hs); - if (hs.flags & F_ERROR) - break; - - if (hs.len == 7) { - - if (IopFileSystemIsValidPattern(ptrCode, Index, hs.len)) { - Rel = *(PLONG)(ptrCode + Index + 3); - if (Rel) { - - kvarAddress = kdAdjustAddressToNtOsBase((ULONG_PTR)ptrCode, Index, hs.len, Rel); - - if (kdAddressInNtOsImage((PVOID)kvarAddress)) { - - switch (Count) { - - case 0: - *IopDiskFileSystemQueueHead = kvarAddress; - break; + // + // Since WIN11 24H2 pointer usage in this function is reordered. 
+ // + bReoder = (g_NtBuildNumber >= NT_WIN11_24H2); - case 1: - *IopCdRomFileSystemQueueHead = kvarAddress; - break; + Count = LookupIopFileSystemQueueHeads_w8_11(ptrCode, + bReoder, + IopCdRomFileSystemQueueHead, + IopDiskFileSystemQueueHead, + IopTapeFileSystemQueueHead, + IopNetworkFileSystemQueueHead); - case 2: - *IopNetworkFileSystemQueueHead = kvarAddress; - break; + } - case 3: - *IopTapeFileSystemQueueHead = kvarAddress; - break; - } - Count += 1; - if (Count == 4) - break; - } - } - } + return (Count == 4); +} - } +/* +* IopFsNotifyChangeIsKnownPattern +* +* Purpose: +* +* Tests IoUnregisterFsRegistrationChange function pattern to be known. +* +*/ +BOOL IopFsNotifyChangeIsKnownPattern( + _In_ PBYTE Buffer, + _In_ ULONG Offset, + _In_ ULONG InstructionSize +) +{ + BOOL bResult = FALSE; - Index += hs.len; + BYTE nextInstructionByte1; - } while (Index < 512); + switch (g_NtBuildNumber) + { + case NT_WIN11_24H2: + nextInstructionByte1 = 0x48; + break; + default: + nextInstructionByte1 = 0xEB; + break; + } + // + // lea rax, IopFsNotifyChangeQueueHead + // jmp short / cmp rcx, rax + // + if ((Buffer[Offset] == 0x48) && + (Buffer[Offset + 1] == 0x8D) && + (Buffer[Offset + 2] == 0x05) && + (Buffer[Offset + InstructionSize] == nextInstructionByte1)) + { + bResult = TRUE; } - return (Count == 4); + return bResult; } /* @@ -1436,14 +1589,11 @@ OBEX_FINDCALLBACK_ROUTINE(FindIopFsNotifyChangeQueueHead) break; if (hs.len == 7) { - // - // lea rax, IopFsNotifyChangeQueueHead - // jmp short - // - if ((ptrCode[Index] == 0x48) && - (ptrCode[Index + 1] == 0x8D) && - (ptrCode[Index + 2] == 0x05) && - (ptrCode[Index + 7] == 0xEB)) + + if (IopFsNotifyChangeIsKnownPattern( + ptrCode, + Index, + hs.len)) { Rel = *(PLONG)(ptrCode + Index + 3); break; 
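Review bot: IopFsNotifyChangeIsKnownPattern selects the 24H2 byte only for an exact `case NT_WIN11_24H2:`, whereas the reorder flag a few lines above uses `g_NtBuildNumber >= NT_WIN11_24H2` and IopFileSystemIsKnownPattern routes every newer build through `default:` to the 24H2 bytes; with NT_WIN11_25H2 already defined in ntbuilds.h, a 25H2 kernel would take the reordered queue-head path but fall back to the pre-24H2 `0xEB` check here. If 25H2 is expected to share the 24H2 sequence, `nextInstructionByte1 = (g_NtBuildNumber >= NT_WIN11_24H2) ? 0x48 : 0xEB;` says so in one line; if it is not, the exact match deserves a comment explaining why. The kldbg.c hunk at -3042 has the same exact-match `case NT_WIN11_24H2:` when picking MiRememberUnloadedDriverPattern24H2. The comment `// Since WIN11 24H2 pointer usage in this function is reordered.` would be clearer as `// Since Windows 11 24H2 the queue heads are referenced in a different order.`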
@@ -4829,8 +4979,7 @@ OBEX_DISPLAYCALLBACK_ROUTINE(DumpExHostCallbacks) } // read extension function table - if (g_NtBuildNumber < NT_WIN11_25H2) - { + if (g_NtBuildNumber < NT_WIN11_25H2) { NumberOfCallbacks = hostEntry.Versions.v1->HostParameters.HostInformation.FunctionCount; NotificationRoutine = hostEntry.Versions.v1->HostParameters.NotificationRoutine; FunctionTable = hostEntry.Versions.v1->FunctionTable; diff --git a/Source/WinObjEx64/extras/extrasDrivers.c b/Source/WinObjEx64/extras/extrasDrivers.c index 3a09b0b..0ac7a31 100644 --- a/Source/WinObjEx64/extras/extrasDrivers.c +++ b/Source/WinObjEx64/extras/extrasDrivers.c @@ -6,7 +6,7 @@ * * VERSION: 2.05 * -* DATE: 21 Apr 2024 +* DATE: 12 Jul 2024 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -846,7 +846,7 @@ VOID DrvListUnloadedDrivers( (PVOID)Context)) { _strcpy(szBuffer, TEXT("Could not resolve MmUnloadedDrivers")); - supStatusBarSetText(Context->StatusBar, 1, (LPWSTR)&szBuffer); + supStatusBarSetText(Context->StatusBar, 0, (LPWSTR)&szBuffer); return; } diff --git a/Source/WinObjEx64/kldbg.c b/Source/WinObjEx64/kldbg.c index ed92f06..31dc089 100644 --- a/Source/WinObjEx64/kldbg.c +++ b/Source/WinObjEx64/kldbg.c @@ -4,9 +4,9 @@ * * TITLE: KLDBG.C, based on KDSubmarine by Evilcry * -* VERSION: 2.03 +* VERSION: 2.05 * -* DATE: 22 Jul 2023 +* DATE: 12 Jul 2024 * * MINIMUM SUPPORTED OS WINDOWS 7 * 
@@ -3042,11 +3042,19 @@ BOOLEAN kdpQueryMmUnloadedDrivers( else { // - // Use 19041+ specific pattern as an array allocation code has been changed. + // Use 19041+ specific patterns as an array allocation code has been changed. // - - sigPattern = MiRememberUnloadedDriverPattern2; - sigSize = sizeof(MiRememberUnloadedDriverPattern2); + switch (g_NtBuildNumber) + { + case NT_WIN11_24H2: + sigPattern = MiRememberUnloadedDriverPattern24H2; + sigSize = sizeof(MiRememberUnloadedDriverPattern24H2); + break; + default: + sigPattern = MiRememberUnloadedDriverPattern2; + sigSize = sizeof(MiRememberUnloadedDriverPattern2); + break; + } } @@ -3756,8 +3764,8 @@ BOOL CALLBACK symCallbackProc( case CBA_DEFERRED_SYMBOL_LOAD_COMPLETE: case CBA_DEFERRED_SYMBOL_LOAD_FAILURE: - symCallbackReportEvent(ActionCode, - (PIMAGEHLP_DEFERRED_SYMBOL_LOAD)CallbackData, + symCallbackReportEvent(ActionCode, + (PIMAGEHLP_DEFERRED_SYMBOL_LOAD)CallbackData, (PFNSUPSYMCALLBACK)UserContext); break; @@ -3790,7 +3798,7 @@ BOOL symInit( if (g_kdctx.NtOsSymContext != NULL) return TRUE; - if (lpDbgHelpDll == NULL) { + if (lpDbgHelpDll == NULL) { szFileName[0] = 0; cch = GetCurrentDirectory(MAX_PATH, szFileName); @@ -3945,7 +3953,7 @@ VOID kdInit( if (supReadObexConfiguration(obexConfig)) { - if (obexConfig->SymbolsDbgHelpDllValid) + if (obexConfig->SymbolsDbgHelpDllValid) lpDbgHelpDll = obexConfig->szSymbolsDbgHelpDll; if (obexConfig->SymbolsPathValid) diff --git a/Source/WinObjEx64/kldbg_patterns.h b/Source/WinObjEx64/kldbg_patterns.h index 7954c30..1a1303f 100644 --- a/Source/WinObjEx64/kldbg_patterns.h +++ b/Source/WinObjEx64/kldbg_patterns.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2019 - 2022 +* (C) COPYRIGHT AUTHORS, 2019 - 2024 * * TITLE: KLDBG_PATTERNS.H * -* VERSION: 2.00 +* VERSION: 2.05 * -* DATE: 19 Jun 2022 +* DATE: 11 Jul 2024 * * Header with search patterns used by KLDBG. * 
@@ -135,3 +135,8 @@ BYTE MiRememberUnloadedDriverPattern2[] = {
 };
 
 #define FIX_WIN10_THRESHOULD_REG 0xBF
+
+BYTE MiRememberUnloadedDriverPattern24H2[] = {
+    0xBA, 0xD0, 0x07, 0x00, 0x00, // mov edx, 7D0h
+    0x41, 0x8D, 0x4E, 0x40 // lea ecx, [r14+40h]
+};
diff --git a/Source/WinObjEx64/ui.h b/Source/WinObjEx64/ui.h
index 328e245..51c4899 100644
--- a/Source/WinObjEx64/ui.h
+++ b/Source/WinObjEx64/ui.h
@@ -6,7 +6,7 @@
 *
 * VERSION: 2.05
 *
-* DATE: 31 May 2024
+* DATE: 12 Jul 2024
 *
 * Common header file for the user interface.
 *
@@ -50,7 +50,7 @@ typedef HWND(WINAPI *pfnHtmlHelpW)(
 #define PROGRAM_MAJOR_VERSION 2
 #define PROGRAM_MINOR_VERSION 0
 #define PROGRAM_REVISION_NUMBER 5
-#define PROGRAM_BUILD_NUMBER 2406
+#define PROGRAM_BUILD_NUMBER 2407
 
 #ifdef _USE_OWN_DRIVER
 #define PROGRAM_NAME L"Windows Object Explorer 64-bit (Non-public version)"
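Review bot: MiRememberUnloadedDriverPattern24H2 is a writable, externally linked array defined in a header, following the existing pattern tables above it; a signature that drives a kernel address lookup should not be mutable, so `static const BYTE MiRememberUnloadedDriverPattern24H2[] = {` is preferable (`sizeof` still works), unless `sigPattern` in kldbg.c is declared as a pointer to non-const, in which case that declaration is the one to change. The per-byte comments `// mov edx, 7D0h` and `// lea ecx, [r14+40h]` are useful; a one-line header naming the kernel function the sequence was taken from (the kldbg.c hunk suggests MiRememberUnloadedDriver) would let the next maintainer re-verify it against a newer build.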