186 #define WIN_POOL_TAG_DIRECTORY 0x65726944 // Dire 191 #define WIN_POOL_TAG_DIRECTORY_7 0xe5726944 196 #define WIN_POOL_TAG_OBJECT 0x546a624f 201 #define WIN_POOL_TAG_OBJECT_7 0xd46a624f 219 #define HEADER_SIZE_CREATOR_INFO64 0x20 220 #define HEADER_SIZE_CREATOR_INFO32 0x10 221 #define HEADER_SIZE_CREATOR_INFO(is64) (is64) ? HEADER_SIZE_CREATOR_INFO64 : HEADER_SIZE_CREATOR_INFO32 223 #define HEADER_SIZE_NAME_INFO64 0x20 224 #define HEADER_SIZE_NAME_INFO32 0x10 225 #define HEADER_SIZE_NAME_INFO(is64) (is64) ? HEADER_SIZE_NAME_INFO64 : HEADER_SIZE_NAME_INFO32 227 #define HEADER_SIZE_HANDLE_INFO64 0x10 228 #define HEADER_SIZE_HANDLE_INFO32 0x08 229 #define HEADER_SIZE_HANDLE_INFO(is64) (is64) ? HEADER_SIZE_HANDLE_INFO64 : HEADER_SIZE_HANDLE_INFO32 231 #define HEADER_SIZE_QUOTA_INFO64 0x20 232 #define HEADER_SIZE_QUOTA_INFO32 0x10 233 #define HEADER_SIZE_QUOTA_INFO(is64) (is64) ? HEADER_SIZE_QUOTA_INFO64 : HEADER_SIZE_QUOTA_INFO32 235 #define HEADER_SIZE_PROC_INFO64 0x10 236 #define HEADER_SIZE_PROC_INFO32 0x08 237 #define HEADER_SIZE_PROC_INFO(is64) (is64) ? HEADER_SIZE_PROC_INFO64 : HEADER_SIZE_PROC_INFO32 241 #define ROOT_DIR_POOL_HEADER_OFF64 0x60 242 #define ROOT_DIR_POOL_HEADER_OFF32 0x30 247 #define TYPE_IDX_TYPE 2 250 #define OBJECT_DIR_ENTRY_COUNT 37 276 #define ROOT_HINT_PTR_COUNT 3 342 ERROR(
"[ERROR] Finished parsing the root directory, but not all drivers were found. " 343 "`Driver` @ 0x%016llx `FileSystem` @ 0x%016llx\n",
356 LOG(
"[WINOBJ] Search over. `Driver` @ 0x%016llx `FileSystem` @ 0x%016llx. Pending drivers = 0\n",
363 LOG(
"[WINOBJ] Search not over. `Driver` @ 0x%016llx `FileSystem` @ 0x%016llx. Pending drivers = %u\n",
377 if (gPossibleRootGvas[i].
Waiting)
402 WARNING(
"[WARNING] IntSwapMemRemoveTransaction failed for 0x%016llx (Handle %p): 0x%08x\n",
403 gPossibleRootGvas[i].
RootGva, gPossibleRootGvas[i].SwapHandle, status);
440 DWORD sizeToSubtract = 0;
442 DWORD creatorInfoSize;
464 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n", infoMaskGva, status);
476 sizeToSubtract += creatorInfoSize;
483 status =
IntKernVirtMemRead(ObjectGva - sizeToSubtract,
sizeof(objNameInfo), &objNameInfo, NULL);
486 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
496 if (NULL != ParentDirGva)
505 status =
IntKernVirtMemRead(ObjectGva - sizeToSubtract,
sizeof(objNameInfo), &objNameInfo, NULL);
508 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
518 if (NULL != ParentDirGva)
573 PWINOBJ_SWAPCTX pSwapCtx = Context;
604 ERROR(
"[ERROR] IntWinDrvObjCreateDriverObject failed for 0x%016llx: 0x%08x\n", drvObjGva, status);
616 void *swapHandle = NULL;
619 if (NULL == pNextCtx)
624 pNextCtx->
Id = __LINE__;
639 ERROR(
"[ERROR] IntSwapMemReadData failoed: 0x%08x\n", status);
643 else if (NULL != swapHandle)
707 PWINOBJ_SWAPCTX pCtx = Context;
722 LOG(
"[NAMESPACE] Found `Driver` directory @ 0x%016llx\n", objectGva);
727 LOG(
"[NAMESPACE] Found `FileSystem` directory @ 0x%016llx\n", objectGva);
742 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
751 void *swapHandle = NULL;
754 if (NULL == pNextCtx)
759 pNextCtx->
Id = __LINE__;
774 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
778 else if (NULL != swapHandle)
793 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
802 void *swapHandle = NULL;
805 if (NULL == pNextCtx)
810 pNextCtx->
Id = __LINE__;
825 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
829 else if (NULL != swapHandle)
885 QWORD parentDirGva = 0;
886 QWORD nameBufferGva = 0;
888 PWINOBJ_SWAPCTX pDrvDirCtx;
889 PWINOBJ_SWAPCTX pCurrentCtx = Context;
906 ERROR(
"[ERROR] IntWinObjGetObjectNameInfo failed for 0x%016llx: 0x%08x\n", objectGva, status);
908 goto cleanup_and_exit;
915 goto cleanup_and_exit;
919 if (NULL == pDrvDirCtx)
922 goto cleanup_and_exit;
925 pDrvDirCtx->
Id = __LINE__;
940 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
944 else if (NULL != swapHandle)
1000 PWINOBJ_SWAPCTX pDrvDirCtx = NULL;
1001 PWINOBJ_SWAPCTX pCurrentCtx = Context;
1017 next = pEntry->
Chain;
1018 objectGva = pEntry->
Object;
1025 next = pEntry->
Chain;
1026 objectGva = pEntry->
Object;
1037 if (NULL == pDrvDirCtx)
1043 pDrvDirCtx->
Id = __LINE__;
1058 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1062 else if (NULL != swapHandle)
1075 if (NULL == pDirEntryCtx)
1080 pDirEntryCtx->
Id = __LINE__;
1095 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1103 else if (NULL != swapHandle)
1152 PROOT_SEARCH_CTX pCtx = Context;
1155 QWORD parentDirGva = 0;
1156 QWORD nameBufferGva = 0;
1157 WORD nameLength = 0;
1170 TRACE(
"[NAMESPACE] Skipping tag 0x%08x @ 0x%016llx for object 0x%016llx!\n",
1173 goto _check_state_and_exit;
1176 LOG(
"[NAMESPACE] Found tag 0x%08x @ 0x%016llx for object 0x%016llx!\n", tag, Gva, objGva);
1183 ERROR(
"[ERROR] IntWinObjGetObjectNameInfo failed for 0x%016llx: 0x%08x\n", objGva, status);
1184 goto _check_state_and_exit;
1187 if (0 != parentDirGva)
1189 TRACE(
"[NAMESPACE] Skipping object 0x%016llx because it's parent directory is not NULL\n", objGva);
1191 goto _check_state_and_exit;
1197 goto _check_state_and_exit;
1200 LOG(
"[NAMESPACE] Found Root Directory (`\\`) @ 0x%016llx!\n", objGva);
1213 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
1214 goto _check_state_and_exit;
1222 void *swapHandle = NULL;
1225 if (NULL == pDirEntryCtx)
1230 pDirEntryCtx->
Id = __LINE__;
1245 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1252 else if (NULL != swapHandle)
1272 ERROR(
"[ERROR] IntKernVirtMemRead failed: 0x%08x\n", status);
1273 goto _check_state_and_exit;
1281 void *swapHandle = NULL;
1284 if (NULL == pDirEntryCtx)
1290 pDirEntryCtx->
Id = __LINE__;
1305 ERROR(
"[ERROR] IntSwapMemReadData failed: 0x%08x\n", status);
1312 else if (NULL != swapHandle)
1326 _check_state_and_exit:
1329 ERROR(
"[ERROR] Could not find ObpRootDirectoryObject!\n");
1345 _In_ PROOT_HINT Hint,
1367 WORD foundTypes = 0;
1368 const WORD expectedTypes = 1;
1377 if (NULL == PossibleRoot)
1396 if (0 == Hint->Pointers[i])
1406 ((Hint->Pointers[i] &
PAGE_MASK) == ((Hint->Pointers[i] - delta) & PAGE_MASK)))
1408 root = Hint->Pointers[i];
1431 if (root == Hint->Pointers[i])
1433 LOG(
"[NAMESPACE] Found possible root @ 0x%016llx = 0x%016llx\n",
1438 LOG(
"[NAMESPACE] Found type @ 0x%016llx = 0x%016llx\n",
1443 *PossibleRoot = root;
1547 TRACE(
"[INFO] IntWinObjGetPoolHeaderForObject failed for 0x%016llx: 0x%08x\n", Gva, status);
1603 if (NULL == PoolHeader)
1629 TRACE(
"[INFO] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n", ObjectGva - delta, status);
1644 memset(gPossibleRootGvas, 0,
sizeof(gPossibleRootGvas));
1683 ERROR(
"[ERROR] IntPeGetSectionHeadersByName failed for `.data`: 0x%08x\n", status);
1688 for (
size_t i = 0; i < pageCount; i++)
1697 ERROR(
"[ERROR] IntVirtMemMap failed for 0x%016llx: 0x%08x\n", targetGva, status);
1701 if (i == pageCount - 1)
1710 for (
DWORD j = 0; j < ptrCount; j++)
1726 else if (i < ptrCount - 1)
1744 ERROR(
"[ERROR] IntKernVirtMemRead failed for 0x%016llx: 0x%08x\n", hint.
FoundAt, status);
1752 ERROR(
"[ERROR] IntWinObjFindRootDirectory for 0x%016llx: 0x%08x\n", hint.
FoundAt, status);
1863 WARNING(
"[WARNING] A find for drivers namespace is already in progress... " 1864 "root = %u, pending = %u, found = %u\n",
1877 TRACE(
"[NAMESPACE] Kernel buffer not present, will fetch objects directly from memory!\n");
1882 ERROR(
"[ERROR] IntWinGuestFindDriversNamespaceNoBuffer failed: 0x%08x\n", status);
1893 ERROR(
"[ERROR] IntPeGetSectionHeadersByName failed for `.data`: 0x%08x\n", status);
1899 for (
DWORD i = 0; i < ptrCount; i++)
1908 ERROR(
"[CRITICAL ERROR] RVA 0x%08x is outside the kernel buffer (size = 0x%08x)\n",
1924 ERROR(
"[ERROR] IntWinObjFindRootDirectory for 0x%016llx: 0x%08x\n", hint.
FoundAt, status);
1944 WARNING(
"[WINOBJ] Found 0 possible root pointers inside the kernel buffer, will retry without it!\n");
1950 LOG(
"[NAMESPACE] Will check %d possible root pointers...\n",
gRootCount);
1957 TRACE(
"[NAMESPACE] Trying 0x%016llx (%d) with 0x%016llx...\n",
1966 &gPossibleRootGvas[i],
1973 ERROR(
"[ERROR] IntSwapMemReadData failed for 0x%016llx: 0x%08x\n", root - poolHeaderOffset, status);
1989 ERROR(
"[ERROR] Could not find ObpRootDirectoryObject!\n");
2025 TRACE(
"[WINOBJ] No swap handles are present, nothing to clean\n");
2030 while (entry != &gSwapHandles)
2035 entry = entry->
Flink;
2037 TRACE(
"[WINOBJ] Removing swap handle %p for %llx ID = %u\n",
2045 ERROR(
"[ERROR] IntSwapMemRemoveTransaction failed: 0x%08x\n", status);
2052 TRACE(
"[WINOBJ] Queued transactions removed: %d\n", remCount);
DWORD Id
The ID of this object (used for debugging).
#define CONTAINING_RECORD(List, Type, Member)
#define ROUND_UP(what, to)
static DWORD gFoundDrivers
The number of found driver objects.
void IntGuestSetIntroErrorState(INTRO_ERROR_STATE State, INTRO_ERROR_CONTEXT *Context)
Updates the values of gErrorState and gErrorStateContext.
INTSTATUS IntVirtMemUnmap(void **HostPtr)
Unmaps a memory range previously mapped with IntVirtMemMap.
static INTSTATUS IntWinObjParseDriverDirectory(WINOBJ_SWAPCTX *Context, QWORD Cr3, QWORD Gva, QWORD Gpa, void *Data, DWORD DataSize, DWORD Flags)
This callback is invoked for namespace entries that may represent driver directories.
QWORD FileSystemDirectory
Guest virtual address of the FileSystem namespace directory.
#define OFFSET_OF(Type, Member)
WINDOWS_GUEST * gWinGuest
Global variable holding the state of a Windows guest.
void * SwapHandle
The swap handle used for this search. NULL if no page swap-in is needed.
QWORD SystemCr3
The Cr3 used to map the kernel.
#define INT_STATUS_SUCCESS
#define ROOT_DIR_POOL_HEADER_OFF64
The size of the headers before a Root Directory allocation on 64-bit Windows.
QWORD Chain
Gva to the next _OBJECT_DIRECTORY_ENTRY, may be NULL.
QWORD Object
Pointer to the object, may be NULL.
#define ROOT_DIR_POOL_HEADER_OFF32
The size of the headers before a Root Directory allocation on 32-bit Windows.
INTSTATUS IntSwapMemReadData(QWORD Cr3, QWORD VirtualAddress, DWORD Length, DWORD Options, void *Context, DWORD ContextTag, PFUNC_PagesReadCallback Callback, PFUNC_PreInjectCallback PreInject, void **SwapHandle)
Reads a region of guest virtual memory, and calls the indicated callback when all the data is availab...
struct _LIST_ENTRY * Flink
The _POOL_HEADER structure used by 32-bit guests.
static LIST_ENTRY gSwapHandles
List of all the swap handles used by the namespace parser.
#define INT_SUCCESS(Status)
static BOOLEAN IsListEmpty(const LIST_ENTRY *ListHead)
struct _ROOT_SEARCH_CTX * PROOT_SEARCH_CTX
A critical structure was not found inside the guest kernel.
void IntWinObjCleanup(void)
Cleans up any resources allocated by the object search.
INTSTATUS IntWinDrvObjCreateFromAddress(QWORD GuestAddress, BOOLEAN StaticDetected, PWIN_DRIVER_OBJECT *DriverObject)
Creates a new driver object.
static INTSTATUS IntWinObjHandleDirectoryEntryInMemory(WINOBJ_SWAPCTX *Context, QWORD Cr3, QWORD Gva, QWORD Gpa, void *Data, DWORD DataSize, DWORD Flags)
This callback is invoked for each object contained in the root namespace.
#define INT_STATUS_NOT_NEEDED_HINT
static INTSTATUS IntWinGuestFindDriversNamespaceNoBuffer(void)
Runs the driver object namespace search ignoring the gGuest.KernelBuffer and reading the data directl...
INTSTATUS IntPeGetSectionHeadersByName(QWORD ImageBase, BYTE *ImageBaseBuffer, PCHAR Name, DWORD NumberOfSectionHeadersAllocated, QWORD Cr3, IMAGE_SECTION_HEADER *SectionHeaders, DWORD *NumberOfSectionHeadersFilled)
Return all the section headers matching the indicated Name.
struct _ROOT_HINT * PROOT_HINT
#define HEADER_SIZE_CREATOR_INFO64
32-bit _OBJECT_HEADER_CREATOR_INFO size.
#define HpAllocWithTag(Len, Tag)
struct _WINOBJ_SWAPCTX * PWINOBJ_SWAPCTX
static DWORD gPendingDrivers
The count of pending driver objects to be checked.
DWORD Buffer
The guest virtual address at which the wide-character string is located.
int INTSTATUS
The status data type.
#define WIN_POOL_TAG_DIRECTORY_7
Allocation tag for the _OBJECT_DIRECTORY Windows 7 kernel structure.
#define HEADER_SIZE_CREATOR_INFO32
64-bit _OBJECT_HEADER_CREATOR_INFO size.
DWORD OSVersion
Os version.
#define INT_STATUS_NOT_FOUND
#define ROOT_HINT_PTR_COUNT
The number of hint pointers around a root candidate.
UNICODE_STRING64 Name
The object name.
struct _OBJECT_DIRECTORY_ENTRY32 OBJECT_DIRECTORY_ENTRY32
An OBJECT_DIRECTORY_ENTRY64 structure used by 32-bit guests.
UINT16 MaximumLength
The size, in bytes, allocated for Buffer.
static ROOT_SEARCH_CTX gPossibleRootGvas[32]
The possible addresses at which the root directory may be located.
An OBJECT_DIRECTORY_ENTRY64 structure used by 32-bit guests.
struct _ROOT_HINT ROOT_HINT
Hint structure used to search for possible object namespace root directory entries.
Set if _OBJECT_HEADER_NAME_INFO is present.
Set if _OBJECT_HEADER_HANDLE_INFO is present.
QWORD Pointers[ROOT_HINT_PTR_COUNT]
Pointers around the candidate.
#define WIN_POOL_HEADER_SIZE64
The size of a pool header on 64-bit Windows.
static DWORD gRootCount
The number of valid entries inside the gPossibleRootGvas array.
INTSTATUS IntSwapMemRemoveTransaction(void *Transaction)
Remove a transaction.
An _OBJECT_TYPE structure used by 32-bit guests.
IM_FLG
Info Mask flags from the Object Header.
An _OBJECT_HEADER_NAME_INFO structure used by 32-bit guests.
static void IntWinObjCheckDrvDirSearchState(void)
Checks if the search is still going, or if it finished with success or with an error.
A context structure used to pass information between the various callbacks that search for an object...
static BOOLEAN RemoveEntryList(LIST_ENTRY *Entry)
Holds information about a driver object.
UINT16 Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
BOOLEAN Guest64
True if this is a 64-bit guest, False if it is a 32-bit guest.
#define OBJECT_DIR_ENTRY_COUNT
The maximum number of entries in an object directory.
#define HEADER_SIZE_NAME_INFO64
32-bit _OBJECT_HEADER_NAME_INFO size.
struct _ROOT_SEARCH_CTX ROOT_SEARCH_CTX
A context structure used to pass information between the various callbacks that search for a Root Dir...
union _IMAGE_SECTION_HEADER::@209 Misc
struct _WINOBJ_SWAPCTX WINOBJ_SWAPCTX
A context structure used to pass information between the various callbacks that search for an object...
DWORD Directory
Pointer to the _OBJECT_DIRECTORY that owns this.
#define IS_KERNEL_POINTER_WIN(is64, p)
Checks if a guest virtual address resides inside the Windows kernel address space.
#define WIN_POOL_TAG_DIRECTORY
Allocation tag for the _OBJECT_DIRECTORY Windows kernel structure.
#define HpFreeAndNullWithTag(Add, Tag)
Set if _OBJECT_HEADER_PROCESS_INFO is present.
QWORD KernelVa
The guest virtual address at which the kernel image is located.
BYTE WordSize
Guest word size. Will be 4 for 32-bit guests and 8 for 64-bit guests.
Set if _OBJECT_HEADER_CREATOR_INFO is present.
static void InsertTailList(LIST_ENTRY *ListHead, LIST_ENTRY *Entry)
static void IntWinObjCancelRootTransactions(void)
Cancels any pending swap memory reads left for the root directory.
#define SWAPMEM_FLAG_ASYNC_CALL
static DWORD gDirEntriesToCheck
The number of directory entries left to check.
static void InitializeListHead(LIST_ENTRY *ListHead)
#define UNREFERENCED_PARAMETER(P)
INTSTATUS IntWinObjIsTypeObject(QWORD Gva)
Checks if the supplied guest memory location holds a valid type object.
DWORD KernelBufferSize
The size of the KernelBuffer.
INTSTATUS IntWinObjGetPoolHeaderForObject(QWORD ObjectGva, POOL_HEADER *PoolHeader)
Reads the _POOL_HEADER structure for a given kernel object.
#define WIN_POOL_TAG_OBJECT
Allocation tag for the _OBJECT_TYPE Windows kernel structure.
#define WIN_POOL_HEADER_SIZE32
The size of a pool header on 32-bit Windows.
#define WIN_POOL_TAG_OBJECT_7
Allocation tag for the _OBJECT_TYPE Windows 7 kernel structure.
WORD MaximumLength
The size, in bytes, allocated for Buffer.
static INTSTATUS IntWinObjHandleDriverDirectoryEntryInMemory(WINOBJ_SWAPCTX *Context, QWORD Cr3, QWORD Gva, QWORD Gpa, void *Data, DWORD DataSize, DWORD Flags)
This callback is invoked for namespace directory entries that may represent driver objects...
static INTSTATUS IntWinObjHandleObjectInMemory(WINOBJ_SWAPCTX *Context, QWORD Cr3, QWORD Gva, QWORD Gpa, void *Data, DWORD DataSize, DWORD Flags)
This callback is invoked for each object in an object directory's entry list.
#define HEADER_SIZE_NAME_INFO32
64-bit _OBJECT_HEADER_NAME_INFO size.
#define SWAPMEM_OPT_BP_FAULT
If set, the #PF will be generated from an int3 detour. Use this when injecting kernel PFs...
QWORD RootGva
The guest linear address of the possible root directory.
QWORD Directory
Pointer to the _OBJECT_DIRECTORY that owns this.
Hint structure used to search for possible object namespace root directory entries.
__must_check INTSTATUS IntVirtMemMap(QWORD Gva, DWORD Length, QWORD Cr3, DWORD Flags, void **HostPtr)
Maps a guest virtual memory range inside Introcore virtual address space.
The _OBJECT_HEADER32 structure used by 64-bit guests.
MM Mm
Guest memory information, such as paging mode, system Cr3 value, etc.
GUEST_STATE gGuest
The current guest state.
QWORD ObpRootDirectoryObject
Guest virtual address of the ObpRootDirectoryObject.
BOOLEAN IntWinDrvObjIsValidDriverObject(QWORD DriverObjectAddress)
Checks if a guest memory area contains a valid _DRIVER_OBJECT structure.
#define CWSTRLEN(Wstring)
BOOLEAN Waiting
True if the callback for this context has not been invoked yet, False if it has been invoked...
DWORD Object
Pointer to the object, may be NULL.
An _OBJECT_HEADER_NAME_INFO structure used by 64-bit guests.
INTSTATUS IntKernVirtMemRead(QWORD KernelGva, DWORD Length, void *Buffer, DWORD *RetLength)
Reads data from a guest kernel virtual memory range.
static INTSTATUS IntWinObjGetObjectNameInfo(QWORD ObjectGva, QWORD *BufferGva, WORD *Length, QWORD *ParentDirGva)
Returns the name information for kernel objects that have one.
Set if _OBJECT_HEADER_QUOTA_INFO is present.
static BOOLEAN IntWinObjIsRootSearchOver(void)
QWORD DriverDirectory
Guest virtual address of the Driver namespace directory.
WORD Length
The length, in bytes, of the string in Buffer, not including the NULL terminator, if any...
QWORD ObjectGva
The guest linear address at which this object is located.
A context structure used to pass information between the various callbacks that search for a Root Dir...
BYTE * KernelBuffer
A buffer containing the entire kernel image.
#define INT_STATUS_INVALID_PARAMETER_1
static void IntWinObjReinitGlobalState(void)
Resets the global search state.
An OBJECT_DIRECTORY_ENTRY64 structure used by 64-bit guests.
static int wstrncasecmp_len(const WCHAR *buf1, const WCHAR *buf2, size_t len_buf1, size_t len_buf2)
An _OBJECT_TYPE structure used by 64-bit guests.
LIST_ENTRY Link
Entry in the gSwapHandles list.
#define CRITICAL(fmt,...)
INTSTATUS IntWinObjFindRootDirectory(PROOT_HINT Hint, QWORD *PossibleRoot)
Returns a possible object namespace root directory.
BOOLEAN DisableOnReturn
Set to True if after returning from this event handler, introcore must be unloaded.
The _OBJECT_HEADER32 structure used by 32-bit guests.
UNICODE_STRING32 Name
The object name.
DWORD Chain
Gva to the next _OBJECT_DIRECTORY_ENTRY, may be NULL.
The _POOL_HEADER structure used by 64-bit guests.
INTSTATUS IntWinGuestFindDriversNamespace(void)
Runs the driver object namespace search.
QWORD Buffer
The guest virtual address at which the wide-character string is located.
#define INT_STATUS_INVALID_PARAMETER_2
static INTSTATUS IntWinObjHandleRootDirTagInMemory(ROOT_SEARCH_CTX *Context, QWORD Cr3, QWORD Gva, QWORD Gpa, void *Data, DWORD DataSize, DWORD Flags)
This callback is invoked for every candidate root directory namespace object.
struct _OBJECT_DIRECTORY_ENTRY64 OBJECT_DIRECTORY_ENTRY64
An OBJECT_DIRECTORY_ENTRY64 structure used by 64-bit guests.
static BOOLEAN gStop
Set to True when the search must be aborted.
#define INT_STATUS_INSUFFICIENT_RESOURCES
QWORD FoundAt
The address from which the candidate was extracted.