winsiderss · DartVanya · Sep 10, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
@@ -30,6 +30,8 @@ KPHM_DEFINE_HANDLER(KphpCommsQueryInformationObject);
 KPHM_DEFINE_HANDLER(KphpCommsSetInformationObject);
 KPHM_DEFINE_HANDLER(KphpCommsOpenDriver);
 KPHM_DEFINE_HANDLER(KphpCommsQueryInformationDriver);
+KPHM_DEFINE_HANDLER(KphpCommsOpenDevice);
+KPHM_DEFINE_HANDLER(KphpCommsOpenObjectByTypeIndex);
 KPHM_DEFINE_HANDLER(KphpCommsQueryInformationProcess);
 KPHM_DEFINE_HANDLER(KphpCommsSetInformationProcess);
 KPHM_DEFINE_HANDLER(KphpCommsSetInformationThread);
@@ -117,6 +119,8 @@ const KPH_MESSAGE_HANDLER KphCommsMessageHandlers[] =
 { KphMsgStripProtectedProcessMasks,    KphpCommsStripProtectedProcessMasks,    KphpCommsRequireMaximum },
 { KphMsgQueryVirtualMemory,            KphpCommsQueryVirtualMemory,            KphpCommsQueryVirtualMemoryRequires },
 { KphMsgQueryHashInformationFile,      KphpCommsQueryHashInformationFile,      KphpCommsRequireMaximum },
+{ KphMsgOpenDevice,                    KphpCommsOpenDevice,                    KphpCommsRequireMaximum },
+{ KphMsgOpenObjectByTypeIndex,         KphpCommsOpenObjectByTypeIndex,         KphpCommsRequireMaximum }
 };
 const ULONG KphCommsMessageHandlerCount = ARRAYSIZE(KphCommsMessageHandlers);
 C_ASSERT(ARRAYSIZE(KphCommsMessageHandlers) == MaxKphMsgClient);
@@ -705,6 +709,61 @@ NTSTATUS KSIAPI KphpCommsQueryInformationDriver(
     return STATUS_SUCCESS;
 }
 
+_Function_class_(KPHM_HANDLER)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+_Must_inspect_result_
+NTSTATUS KSIAPI KphpCommsOpenDevice(
+    _In_ PKPH_CLIENT Client,
+    _Inout_ PKPH_MESSAGE Message
+)
+{
+    PKPHM_OPEN_DEVICE msg;
+
+    KPH_PAGED_CODE_PASSIVE();
+    NT_ASSERT(ExGetPreviousMode() == UserMode);
+    NT_ASSERT(Message->Header.MessageId == KphMsgOpenDevice);
+
+    UNREFERENCED_PARAMETER(Client);
+
+    msg = &Message->User.OpenDevice;
+
+    msg->Status = KphOpenDevice(msg->DeviceHandle,
+        msg->DriverHandle,
+        msg->DesiredAccess,
+        msg->ObjectName,
+        msg->OpenLowest,
+        UserMode);
+
+    return STATUS_SUCCESS;
+}
+
+_Function_class_(KPHM_HANDLER)
+_IRQL_requires_max_(PASSIVE_LEVEL)
+_Must_inspect_result_
+NTSTATUS KSIAPI KphpCommsOpenObjectByTypeIndex(
+    _In_ PKPH_CLIENT Client,
+    _Inout_ PKPH_MESSAGE Message
+)
+{
+    PKPHM_OPEN_OBJECT msg;
+
+    KPH_PAGED_CODE_PASSIVE();
+    NT_ASSERT(ExGetPreviousMode() == UserMode);
+    NT_ASSERT(Message->Header.MessageId == KphMsgOpenObjectByTypeIndex);
+
+    UNREFERENCED_PARAMETER(Client);
+
+    msg = &Message->User.OpenObject;
+
+    msg->Status = KphOpenObjectByTypeIndex(msg->ObjectHandle,
+        msg->DesiredAccess,
+        msg->ObjectAttributes,
+        msg->TypeIndex,
+        UserMode);
+
+    return STATUS_SUCCESS;
+}
+
 _Function_class_(KPHM_REQUIRED_STATE)
 _IRQL_requires_max_(PASSIVE_LEVEL)
 _Must_inspect_result_

@@ -25,6 +25,7 @@ PSE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK KphSeUnregisterImageVerificationCallb
 PCI_VALIDATE_FILE_OBJECT KphDynCiValidateFileObject = NULL;
 PCI_FREE_POLICY_INFO KphDynCiFreePolicyInfo = NULL;
 PLXP_THREAD_GET_CURRENT KphDynLxpThreadGetCurrent = NULL;
+POBJECT_TYPE* KphDynObTypeIndexTable = NULL;
 KPH_PROTECTED_DATA_SECTION_POP();
 
 KPH_PAGED_FILE();
@@ -49,6 +50,46 @@ VOID KphDynamicImport(
     KphDynCiValidateFileObject = (PCI_VALIDATE_FILE_OBJECT)KphGetRoutineAddress(L"ci.dll", "CiValidateFileObject");
     KphDynCiFreePolicyInfo = (PCI_FREE_POLICY_INFO)KphGetRoutineAddress(L"ci.dll", "CiFreePolicyInfo");
     KphDynLxpThreadGetCurrent = (PLXP_THREAD_GET_CURRENT)KphGetRoutineAddress(L"lxcore.sys", "LxpThreadGetCurrent");
+
+#ifdef _WIN64
+    __try
+    {
+        // ObGetObjectType have equal machine code on 10.0.10240 - 10.0.22631
+        //
+        // nt!ObGetObjectType+0x1C      488d0d[????????]   lea     rcx,[nt!ObTypeIndexTable]
+        // lea  rcx, [rip + off32]
+        PUCHAR rip;
+
+        rip = (PUCHAR)ObGetObjectType + 0x1C;
+
+        if ((*(PULONG)rip & 0xFFFFFF) == 0x0D8D48)
+        {
+            PVOID ObTypeIndexTableDecoded;
+            OBJECT_TYPES_INFORMATION typesInfo = { 0 };
+
+            rip += 3;
+
+            ObTypeIndexTableDecoded = (PVOID)(rip + sizeof(LONG) + *(PLONG)rip);
+
+            if (ZwQueryObject(NULL,
+                ObjectTypesInformation,
+                &typesInfo,
+                sizeof(typesInfo),
+                NULL) == STATUS_INFO_LENGTH_MISMATCH)
+            {
+                if (typesInfo.NumberOfTypes >= 2 && typesInfo.NumberOfTypes < 0x100 && 
+                    NT_SUCCESS(KphValidateAddressForSystemModules(ObTypeIndexTableDecoded, typesInfo.NumberOfTypes * sizeof(POBJECT_TYPE))))
+                {
+                    KphDynObTypeIndexTable = ObTypeIndexTableDecoded;
+                }
+            }
+        }
+    }
+    __except (EXCEPTION_EXECUTE_HANDLER)
+    {
+        KphDynObTypeIndexTable = NULL;
+    }
+#endif // _WIN64
 }
 
 /**

@@ -559,6 +559,7 @@ extern PSE_UNREGISTER_IMAGE_VERIFICATION_CALLBACK KphSeUnregisterImageVerificati
 extern PCI_VALIDATE_FILE_OBJECT KphDynCiValidateFileObject;
 extern PCI_FREE_POLICY_INFO KphDynCiFreePolicyInfo;
 extern PLXP_THREAD_GET_CURRENT KphDynLxpThreadGetCurrent;
+extern POBJECT_TYPE* KphDynObTypeIndexTable;
 
 _IRQL_requires_max_(PASSIVE_LEVEL)
 VOID KphDynamicImport(
@@ -786,6 +787,16 @@ NTSTATUS KphCompareObjects(
     _In_ KPROCESSOR_MODE AccessMode
     );
 
+_IRQL_requires_max_(PASSIVE_LEVEL)
+_Must_inspect_result_
+NTSTATUS KphOpenObjectByTypeIndex(
+    _Out_ PHANDLE ObjectHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG TypeIndex,
+    _In_ KPROCESSOR_MODE AccessMode
+);
+
 // process
 
 _IRQL_requires_max_(PASSIVE_LEVEL)
@@ -866,6 +877,17 @@ NTSTATUS KphQueryInformationDriver(
     _In_ KPROCESSOR_MODE AccessMode
     );
 
+_IRQL_requires_max_(PASSIVE_LEVEL)
+_Must_inspect_result_
+NTSTATUS KphOpenDevice(
+    _Out_ PHANDLE DeviceHandle,
+    _Out_opt_ PHANDLE DriverHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ PUNICODE_STRING ObjectName,
+    _In_ BOOLEAN OpenLowest,
+    _In_ KPROCESSOR_MODE AccessMode
+    );
+
 // thread
 
 _IRQL_requires_max_(PASSIVE_LEVEL)

@@ -2372,6 +2372,62 @@ NTSTATUS KphOpenNamedObject(
     return status;
 }
 
+/**
+ * \brief Opens a named object by its type index from nt!ObTypeIndexTable.
+ *
+ * \param[out] ObjectHandle Set to the opened handle.
+ * \param[in] DesiredAccess Desires access to the object.
+ * \param[in] ObjectAttributes Attributes to open the object.
+ * \param[in] TypeIndex Type index of object to open.
+ * \param[in] AccessMode The mode in which to perform access checks.
+ *
+ * \return Successful or errant status.
+ */
+_IRQL_requires_max_(PASSIVE_LEVEL)
+_Must_inspect_result_
+NTSTATUS KphOpenObjectByTypeIndex(
+    _Out_ PHANDLE ObjectHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_ ULONG TypeIndex,
+    _In_ KPROCESSOR_MODE AccessMode
+)
+{
+    KPH_PAGED_CODE_PASSIVE();
+
+    if (!KphDynObTypeIndexTable)
+    {
+        return STATUS_NOINTERFACE;
+    }
+
+    if (AccessMode != KernelMode)
+    {
+        OBJECT_TYPES_INFORMATION typesInfo = { 0 };
+
+        if (ZwQueryObject(NULL,
+            ObjectTypesInformation,
+            &typesInfo,
+            sizeof(typesInfo),
+            NULL) == STATUS_INFO_LENGTH_MISMATCH)
+        {
+            if (TypeIndex < 2 || TypeIndex > typesInfo.NumberOfTypes)
+            {
+                return STATUS_INVALID_PARAMETER;
+            }
+        }
+        else
+        {
+            return STATUS_UNSUCCESSFUL;
+        }
+    }
+
+    return KphOpenNamedObject(ObjectHandle,
+                              DesiredAccess,
+                              ObjectAttributes,
+                              KphDynObTypeIndexTable[TypeIndex],
+                              AccessMode);
+}
+
 /**
  * \brief Duplicates an object.
  *

@@ -345,3 +345,139 @@ NTSTATUS KphQueryInformationDriver(
 
     return status;
 }
+
+/**
+ * \brief Opens a device object.
+ *
+ * \param[out] DriverDevice Set to the opened handle to the device.
+ * \param[out_opt] DriverHandle Set to the opened handle to the device driver.
+ * \param[in] DesiredAccess Desired access to the driver object.
+ * \param[in] ObjectAttributes Object attributes for opening the driver object.
+ * \param[in] OpenLowest Open lowest (TRUE) or topmost (FALSE) device object in the stack
+ * \param[in] AccessMode The mode in which to perform access checks.
+ *
+ * \return Successful or errant status.
+ */
+_IRQL_requires_max_(PASSIVE_LEVEL)
+_Must_inspect_result_
+NTSTATUS KphOpenDevice(
+    _Out_ PHANDLE DeviceHandle,
+    _Out_opt_ PHANDLE DriverHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ PUNICODE_STRING ObjectName,
+    _In_ BOOLEAN OpenLowest,
+    _In_ KPROCESSOR_MODE AccessMode
+    )
+{
+    NTSTATUS status;
+    HANDLE deviceHandle;
+    HANDLE driverHandle;
+    PDEVICE_OBJECT DeviceObject;
+    PDEVICE_OBJECT LowerDevice;
+    PFILE_OBJECT FileObject;
+
+    KPH_PAGED_CODE_PASSIVE();
+
+    deviceHandle = NULL;
+    driverHandle = NULL;
+    DeviceObject = NULL;
+    FileObject = NULL;
+
+    if (AccessMode != KernelMode)
+    {
+        __try
+        {
+            ProbeOutputType(DeviceHandle, HANDLE);
+            if (DriverHandle)
+                ProbeOutputType(DriverHandle, HANDLE);
+        }
+        __except (EXCEPTION_EXECUTE_HANDLER)
+        {
+            status = GetExceptionCode();
+            goto Exit;
+        }
+    }
+
+    status = IoGetDeviceObjectPointer(ObjectName, DesiredAccess, &FileObject, &DeviceObject);
+
+    if (!NT_SUCCESS(status))
+    {
+        KphTracePrint(TRACE_LEVEL_VERBOSE,
+            GENERAL,
+            "IoGetDeviceObjectPointer failed: %!STATUS!",
+            status);
+
+        goto Exit;
+    }
+
+    ObReferenceObject(DeviceObject);
+
+    if (OpenLowest)
+    {
+        //while (LowerDevice = IoGetLowerDeviceObject(DeviceObject))
+            //    DeviceObject = LowerDevice;
+#pragma warning(suppress: 4706) // suppress assignment within conditional expression
+        if (LowerDevice = IoGetDeviceAttachmentBaseRef(DeviceObject))
+        {
+            ObDereferenceObject(DeviceObject);
+            DeviceObject = LowerDevice;
+        }
+    }
+
+    status = ObOpenObjectByPointer(DeviceObject, 0, NULL, DesiredAccess, *IoDeviceObjectType, AccessMode, &deviceHandle);
+
+    if (!NT_SUCCESS(status))
+    {
+        KphTracePrint(TRACE_LEVEL_VERBOSE,
+            GENERAL,
+            "ObOpenObjectByPointer failed: %!STATUS!",
+            status);
+        deviceHandle = NULL;
+
+        goto Exit;
+    }
+
+    if (DriverHandle && DeviceObject->DriverObject)
+    {
+        if (!NT_SUCCESS(ObOpenObjectByPointer(DeviceObject->DriverObject, 0, NULL,
+            DesiredAccess, *IoDriverObjectType, AccessMode, &driverHandle)))
+        {
+            driverHandle = NULL;
+            status = STATUS_NOT_ALL_ASSIGNED;
+        }  
+    }
+
+    if (AccessMode != KernelMode)
+    {
+        __try
+        {
+            *DeviceHandle = deviceHandle;
+            if (DriverHandle)
+                *DriverHandle = driverHandle;
+        }
+        __except (EXCEPTION_EXECUTE_HANDLER)
+        {
+            status = GetExceptionCode();
+        }
+    }
+    else
+    {
+        *DeviceHandle = deviceHandle;
+        if (DriverHandle)
+            *DriverHandle = driverHandle;
+    }
+
+Exit:
+
+    if (FileObject)
+    {
+        ObDereferenceObject(FileObject);
+    }
+
+    if (DeviceObject)
+    {
+        ObDereferenceObject(DeviceObject);
+    }
+
+    return status;
+}
diff --git a/SystemInformer/SystemInformer.def b/SystemInformer/SystemInformer.def
@@ -1125,3 +1125,17 @@ EXPORTS
     KsiLevel                                                                      @2036     NONAME
     KsiEnumerateProcessHandles                                                    @2037     NONAME
     KsiQueryHashInformationFile                                                   @2038     NONAME
+    KphQueryInformationObject                                                     @2040     NONAME
+    KphAlpcQueryInformation                                                       @2041     NONAME
+    KphDuplicateObject                                                            @2042     NONAME
+
+; phnative
+    PhGetDriverName                                                               @2043     NONAME
+    PhGetDriverImageFileName                                                      @2044     NONAME
+    PhEnumHandlesEx                                                               @2045     NONAME
+    PhGetObjectTypeNumber                                                         @2046     NONAME
+    PhOpenDevice                                                                  @2047     NONAME
+    PhOpenObjectByTypeIndex                                                       @2048     NONAME
+    PhGetObjectTypeIndexName                                                      @2049     NONAME
+    PhGetPnPDeviceName                                                            @2050     NONAME
+    PhFilterConnectCommunicationPort                                              @2051     NONAME