From a5f6bc3370f21dadab3ed0713e97c570a35fed49 Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Sun, 30 Jul 2023 11:11:36 +0700 Subject: [PATCH] 2.0.3 Remove unused vars --- Compiled/WinObjEx64.exe | Bin 785920 -> 785920 bytes LICENSE.md | 2 +- README.md | 4 +-- Source/WinObjEx64/sup/w32k.c | 22 ++++++--------- Source/WinObjEx64/sup/w32k.h | 51 ++++++++++++++++++++++++++++++++++- WinObjEx64.sha256 | 6 ++--- 6 files changed, 64 insertions(+), 21 deletions(-) diff --git a/Compiled/WinObjEx64.exe b/Compiled/WinObjEx64.exe index 66c97a5414fefd08535330d568ed802da7f7d150..cfdb224144cf43ab039771032cb15b5be0a142f9 100644 GIT binary patch delta 114 zcmZqpqu=mHe}e!cv&zGxlZ6?5nfe8rlNj5R7(ti`h?#+yWqT4MtFpDQrGk-xkuie; z0|SGRp_PG=m4W&6gv+cV?Q3jUx395bJCV!@G$sWo&A>PPU4lZ6?5nK<&BlNj5R7(ti`h?#+yWqT4MtFpDQg@TcRkuie; z0|SGBft7)=m9fe6gv+cV?Q3jUx395bJCV!@G$sWo&A>PPUName != 0; pIID++) { - pOgFirstThunk = (PIMAGE_THUNK_DATA)RtlOffsetToPointer(Context->KernelModule, pIID->OriginalFirstThunk); + pOrigFirstThunk = (PIMAGE_THUNK_DATA)RtlOffsetToPointer(Context->KernelModule, pIID->OriginalFirstThunk); pFirstThunk = (PIMAGE_THUNK_DATA)RtlOffsetToPointer(Context->KernelModule, pIID->FirstThunk); - for (; pOgFirstThunk->u1.AddressOfData; ++pOgFirstThunk, ++pFirstThunk) { + for (; pOrigFirstThunk->u1.AddressOfData; ++pOrigFirstThunk, ++pFirstThunk) { pImageImportByName = (PIMAGE_IMPORT_BY_NAME)RtlOffsetToPointer(Context->KernelModule, - pOgFirstThunk->u1.AddressOfData); + pOrigFirstThunk->u1.AddressOfData); if (pFirstThunk == pFuncThunk) { pszDllName = (LPCSTR)RtlOffsetToPointer(Context->KernelModule, pIID->Name); @@ -695,10 +695,9 @@ NTSTATUS SdtResolveServiceEntryModule( ULONG entrySize; NTSTATUS ntStatus = STATUS_DLL_NOT_FOUND; ULONG_PTR entryReference; - PWCHAR lpHostName; PVOID pvApiSetMap = NtCurrentPeb()->ApiSetMap; W32K_API_SET_TABLE_ENTRY* pvApiSetEntry = NULL; - UNICODE_STRING usApiSetEntry; + UNICODE_STRING usApiSetEntry; // // See if this is new Win32kApiSetTable adapter. 
@@ -725,9 +724,7 @@ NTSTATUS SdtResolveServiceEntryModule(
 //
 // Host is on the same offset for both V1/V2 versions.
 //
- lpHostName = pvApiSetEntry->Host->HostName;
-
- RtlInitUnicodeString(&usApiSetEntry, lpHostName);
+ RtlInitUnicodeString(&usApiSetEntry, pvApiSetEntry->Host->HostName);
 return ApiSetResolveAndLoadModule(
 pvApiSetMap,
@@ -769,11 +766,10 @@ NTSTATUS SdtResolveServiceEntryModuleSessionAware(
 {
 BOOL bFound = FALSE;
 NTSTATUS resultStatus = STATUS_UNSUCCESSFUL;
+ PCHAR pStr;
 PBYTE ptrCode = FunctionPtr;
 ULONG hostOffset = 0, hostEntryOffset = 0;
 ULONG_PTR i, slotAddress, hostAddress, hostEntry, tableAddress, routineAddress;
- PCHAR pStr;
- HMODULE hModule = NULL;
 PRTL_PROCESS_MODULE_INFORMATION pModule;
 UNICODE_STRING usModuleName;
 hde64s hs;
@@ -923,9 +919,7 @@ NTSTATUS SdtResolveServiceEntryModuleSessionAware(
 resultStatus = SdtLoadAndRememberModule(ModulesHead, &usModuleName, ModuleEntry, TRUE);
 if (NT_SUCCESS(resultStatus)) {
- hModule = ModuleEntry->ImageBase;
-
- resultStatus = SdtResolveFunctionNameFromModuleExport(hModule,
+ resultStatus = SdtResolveFunctionNameFromModuleExport(ModuleEntry->ImageBase,
 (ULONG_PTR)pModule->ImageBase,
 routineAddress,
 &ServiceName->ExportName,
diff --git a/Source/WinObjEx64/sup/w32k.h b/Source/WinObjEx64/sup/w32k.h
index e989355..5946edf 100644
--- a/Source/WinObjEx64/sup/w32k.h
+++ b/Source/WinObjEx64/sup/w32k.h
@@ -6,7 +6,7 @@
 *
 * VERSION: 2.03
 *
-* DATE: 21 Jul 2023
+* DATE: 26 Jul 2023
 *
 * Common header file for the win32k support routines.
 *
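Review bot: In hunk @@ -725 the inlined `RtlInitUnicodeString(&usApiSetEntry, pvApiSetEntry->Host->HostName);` still scans HostName for its terminating NUL with no upper bound and silently truncates a name longer than 0xFFFE bytes. If HostName is read out of the mapped win32k image, as the "same offset for both V1/V2 versions" comment suggests (its origin is outside this hunk), a truncated or malformed image would let that scan walk past the mapping, so the caller should be sure the entry came from a validated region before this point. If the project's NT headers expose it, `if (!NT_SUCCESS(RtlInitUnicodeStringEx(&usApiSetEntry, pvApiSetEntry->Host->HostName))) return STATUS_NAME_TOO_LONG;` does not bound the scan but at least reports the overlong case instead of truncating it into a lookup that then fails elsewhere. SdtResolveServiceEntryModule starts and ends outside this hunk.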
@@ -46,6 +46,55 @@ typedef struct _SGD_GLOBALS {
 ULONG gAvailableSlots;
 } SGD_GLOBALS, * PSGD_GLOBALS;
+//
+// ApiSet layout 24H2
+//
+// WIN32KSGD!gSessionGlobalSlots:
+//
+// +------+
+// | Slot |
+// +------+------+------------+
+// | 0 | ... | MaxSlot |
+// +------+------+------------+
+//
+// where
+//
+// MaxSlot - is the maximum allocated slot
+//
+// slot selection scheme
+//
+// Current process SessionId - 1, i.e. 0 for SessionId 1
+//
+// Each slot is a pointer to tagWIN32KSESSIONSTATE opaque structure which
+// holds multiple global variables for given session,
+// including Win32kApiSetTable pointer (at +0x88 for 25905 24H2).
+//
+// If current session id is zero then apiset will be resolved from
+// WIN32KSGD!gLowSessionGlobalSlots instead.
+//
+// Win32kApiSetTable layout is the same as pre Win11.
+//
+// Array of host entries each contains another array of apiset table entries.
+//
+// See W32K_API_SET_TABLE_ENTRY_V2.
+//
+// The difference between current implementation and what was in win10 pre 24H2
+// is that ApiSet data moved to the kernel memory and apisets are now session aware
+// which now allows them:
+// 1. Further services (session 0) isolation to reduce possible attack surfaces.
+// 2. Stop leaking kernel addresses through manual resolve in user mode.
+//
+// To walk 24H2 table you have to find the following offsets in the kernel table
+// for given entry inside win32k:
+//
+// 1. Offset to ApiSet host structure pointer
+// 2. Offset in the ApiSet host enties array
+//
+// Globally you must also find offset to apiset table pointer in tagWIN32KSESSIONSTATE
+// as it can be subject of change.
+//
+//
+
 typedef struct _SDT_CONTEXT {
 BOOL Initialized;
 BOOL ApiSetSessionAware;
diff --git a/WinObjEx64.sha256 b/WinObjEx64.sha256
index eb90524..6bc7477 100644
--- a/WinObjEx64.sha256
+++ b/WinObjEx64.sha256
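Review bot: The new header comment in hunk @@ -46 states the `+0x88 for 25905 24H2` offset of Win32kApiSetTable inside tagWIN32KSESSIONSTATE as a fact while two paragraphs later it says that very offset "can be subject of change"; the line should carry the caveat where the number is, e.g. `// including Win32kApiSetTable pointer (at +0x88 on build 25905; re-verify per build).`. Two typos in the same block will otherwise be copied into the next port: `// 2. Offset in the ApiSet host entries array` and `// as it can be subject to change.`. The sentence "which now allows them:" reads better as `// which now allows:` since the two numbered items are outcomes, not things the apisets allow themselves.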
@@ -5,7 +5,7 @@ fa001b1ac9bbbb6c954d5dd609de60fa2b0277a6cfe35f6428591e4b4b1e8453 *Compiled\WHATS
 d3c54e144f4ea198d761a0c89764d6cd39da19c0aa51661a9f37135e4f842a85 *Compiled\WHATSNEW_190.md
 c4205a94f6ed7ff8e26b318712acaab2d2d849fa97e7d92325d25cae49200c01 *Compiled\WHATSNEW_200.md
 5991b419a2b2f71de854e68d73cb7b8ab74b9df9ff8b0e57d0241cbf1b3fdc02 *Compiled\WinObjEx64.chm
-8647c91e8ee99ad494852f49c50d297e3b1a50d7fea13f340b2b774e5c22d6ce *Compiled\WinObjEx64.exe
+29ab051ec37379a1688cf755b4cbc4a8ebba31fbc322b1560438dad5aaf6a1f7 *Compiled\WinObjEx64.exe
 b7d674453e9734472f85bd4ca3c53651e0702f32b5a801fce014a74b4d255bae *Compiled\plugins\ApiSetView.dll
 24a64aa290d1c21deae5029db957df728041006ef69087ad947eee8d4482881c *Compiled\plugins\ExamplePlugin.dll
 50b4c0ad3b58ac10fb0e2d386ce92287f9e30e0580d9f5b4b99a191f08d5b8ef *Compiled\plugins\ImageScope.dll
@@ -285,8 +285,8 @@ d4876437f5ea4c307b3894ff6a4ccd10922a366167104bb78b1103ebadd4f483 *Source\WinObjE
 48ea7995ec7286192778943bef76d1f27607bf18cf1561334f894c81265ad86e *Source\WinObjEx64\sup\sup.c
 3ff7e64fd4df9fa434b3a7118b0ab0c28005e961f1b86de0ed68788680493394 *Source\WinObjEx64\sup\sup.h
 ccc88a804d4694e9ba3f97a5678d9595465e6f9afe0ec9b9613cf7c9808703a5 *Source\WinObjEx64\sup\sync.c
-5a0ee90455d4aea36d7053eb10fa9f966dbe0a52f39b3836ecfca5c6a793b186 *Source\WinObjEx64\sup\w32k.c
-c0c847ace55ec6eaa4ae1aea1232a08b21cab408de65327401885720d5f7b630 *Source\WinObjEx64\sup\w32k.h
+adbb19aaf6ce62866eaa21944b0e828a54b9538e2f24c1d2c19c504bc6a7faa7 *Source\WinObjEx64\sup\w32k.c
+cf94bbbf8b4fc4661b4bf8b1c1fcf39825502d61e76f6902260be798322a5322 *Source\WinObjEx64\sup\w32k.h
 11af5dbe0036bb3e36607e5446cf9ec07895e49fd5137b23933bbe3830293587 *Source\WinObjEx64\sup\wine.c
 0eaaa450c1e2b5c8448eb0bafd8cacc1c2d9edda30334223339a948ab1536b53 *Source\WinObjEx64\sup\wine.h
 f7cdd8b4ea86238b133446c109f7f6c2c01e911ee1e83ba7316825bbf87e66b6 *Source\WinObjEx64\tests\testunit.c