private static string FormatText(NtHandle ent)
{
string size = String.Empty;
try
{
using (NtSection section = NtSection.DuplicateFrom(ent.ProcessId, new IntPtr(ent.Handle), SectionAccessRights.Query))
{
size = section.Size.ToString();
}
}
catch (NtException)
{
size = "Unknown";
}
StringBuilder builder = new StringBuilder();
NtType section_type = NtType.GetTypeByName("section");
if (section_type.HasReadPermission(ent.GrantedAccess))
{
builder.Append("R");
}
if (section_type.HasWritePermission(ent.GrantedAccess))
{
builder.Append("W");
}
return(String.Format("[{0}/0x{0:X}] {1} Size: {2} Access: {3}", ent.Handle, ent.Name, size, builder.ToString()));
}
private static NtResult <NtSection> CreateSection(int session_id, bool throw_on_error)
{
using (var obja = CreateObjectAttributes(session_id, SECTION_NAME)) {
return(NtSection.Create(obja, SectionAccessRights.MaximumAllowed, new LargeInteger(64 * 1024),
MemoryAllocationProtect.ReadWrite, SectionAttributes.Commit, null, throw_on_error));
}
}
private static NtSection OpenSection(string name, bool read_only)
{
SectionAccessRights access = SectionAccessRights.MapRead;
if (!read_only)
{
access |= SectionAccessRights.MapWrite;
}
return(NtSection.Open(name, null, access));
}
static void ViewSection(NtSection section, bool read_only)
{
read_only = read_only || !section.IsAccessGranted(SectionAccessRights.MapWrite);
using (var map = read_only ? section.MapRead() : section.MapReadWrite())
{
using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only))
{
Application.Run(frm);
}
}
}
private Win32DebugConsole(int session_id, NtEvent buffer_ready, NtEvent data_ready,
NtSection buffer, NtMappedSection mapped_buffer)
{
_session_id = session_id;
_buffer_ready = buffer_ready;
_data_ready = data_ready;
_buffer = buffer;
_mapped_buffer = mapped_buffer;
_data_ready_wait = data_ready.DuplicateAsWaitHandle();
_symlinks = new Dictionary <int, DisposableList <NtSymbolicLink> >();
}
static NtSection CreateSection(string file_path, string name, NtDirectory root)
{
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(file_path), null,
FileAccessRights.GenericRead | FileAccessRights.GenericExecute,
FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile))
{
using (var obja = CreateObjectAttributes(name, root))
{
return(NtSection.Create(obja, SectionAccessRights.MaximumAllowed,
null, MemoryAllocationProtect.ExecuteRead, SectionAttributes.Image, file));
}
}
}
/// <summary>
/// Get the signing level for an image file.
/// </summary>
/// <param name="path">The path to the image file.</param>
/// <returns>The signing level.</returns>
public static SigningLevel GetSigningLevel(string path)
{
using (var file = NtFile.Open(path, null, FileAccessRights.Execute, FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile))
{
using (var sect = NtSection.CreateImageSection(file))
{
using (var map = sect.MapRead())
{
return(map.ImageSigningLevel);
}
}
}
}
public NtMappedSection OpenMappedFile(bool writable)
{
SectionAccessRights accessRights = SectionAccessRights.MapRead;
if (writable)
{
accessRights |= SectionAccessRights.MapWrite;
}
using (NtSection section = NtSection.DuplicateFrom(_ent.ProcessId, new IntPtr(_ent.Handle), accessRights))
{
return(section.Map(writable ? ProtectionType.ReadWrite : ProtectionType.ReadOnly));
}
}
public static bool ChangeLogPathInSection(string path, out string previousPath)
{
previousPath = null;
// open and map section RW
NtSection section = null;
foreach (string name in PulseSharedSectionNames)
{
if (section != null)
{
break;
}
try {
section = NtSection.Open(name, null, SectionAccessRights.MapRead | SectionAccessRights.MapWrite);
} catch {}
}
if (section == null)
{
return(false);
}
NtMappedSection map = null;
try {
map = section.MapReadWrite();
} catch {
return(false);
}
if (map == null)
{
return(false);
}
// read the old path and write the new one
try {
byte[] buf = new byte[LogPathMaxLength];
map.ReadArray(LogPathOffset, buf, 0, LogPathMaxLength);
previousPath = BytesToString(buf);
buf = StringToBytes(path + '\0');
if (buf.Length > LogPathMaxLength)
{
return(false);
}
map.WriteArray(LogPathOffset, buf, 0, buf.Length);
} catch {
return(false);
}
return(true);
}
static NtSection RemapFileAsRW()
{
string base_path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "luafv_" + Guid.NewGuid());
Console.WriteLine("Base Path: {0}", base_path);
DirectorySecurity dir_sd = new DirectorySecurity();
Directory.CreateDirectory(base_path);
string target_path = NtFileUtils.DosFileNameToNt(Path.Combine(base_path, "dummy.txt"));
string license_file = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "license.rtf");
Console.WriteLine("Trying to map {0} R/W", license_file);
NtFile.CreateHardlink(NtFileUtils.DosFileNameToNt(license_file), target_path);
using (var oplock_file = NtFile.Open(target_path, null, FileAccessRights.ReadAttributes, FileShareMode.All, FileOpenOptions.NonDirectoryFile))
{
var oplock = oplock_file.RequestOplockAsync(OplockLevelCache.Read | OplockLevelCache.Write, RequestOplockInputFlag.Request);
Console.WriteLine("Started oplock");
SetVirtualization(true);
Console.WriteLine("Opening file");
using (var file = NtFile.Open(target_path, null, FileAccessRights.GenericRead
| FileAccessRights.GenericWrite, FileShareMode.All,
FileOpenOptions.NonDirectoryFile | FileOpenOptions.CompleteIfOplocked))
{
SetVirtualization(false);
Console.WriteLine("{0} {1}", NtProcess.Current.ProcessId, file.Handle.DangerousGetHandle());
Console.WriteLine("{0} {1}", file.FullPath, file.GrantedAccess);
CreateVirtualStoreFile(target_path, GetDummyBuffer());
var async_read = file.ReadAsync(1, 0);
if (!oplock.Wait(10000))
{
throw new Exception("Oplock Timed Out");
}
Console.WriteLine("Oplock Fired");
EaBuffer ea = new EaBuffer();
ea.AddEntry("Hello", new byte[16], EaBufferEntryFlags.None);
// Set EA to force the delayed virtualization to complete without triggering oplock.
Console.WriteLine("Setting EA");
file.SetEa(ea);
Console.WriteLine("File now {0}", file.FullPath);
oplock_file.Close();
Console.WriteLine("Closed oplock_file");
if (!async_read.Wait(10000))
{
throw new Exception("Async Read Timed Out");
}
Console.WriteLine("Read Complete");
return NtSection.Create(null, SectionAccessRights.MaximumAllowed, null,
MemoryAllocationProtect.ReadWrite, SectionAttributes.Commit, file);
}
}
}
private void openNamedSectionToolStripMenuItem_Click(object sender, EventArgs e)
{
using (NamedObjectForm frm = new NamedObjectForm("Section"))
{
if (frm.ShowDialog(this) == DialogResult.OK)
{
using (NtSection handle = (NtSection)frm.ObjectHandle)
{
NtMappedSection mapped_file = handle.Map(frm.ReadOnly ? MemoryAllocationProtect.ReadOnly : MemoryAllocationProtect.ReadWrite);
SectionEditorForm c = new SectionEditorForm(mapped_file, frm.ObjectName, frm.ReadOnly);
c.Show(dockPanel, DockState.Document);
}
}
}
}
static string GetName(NtSection section, NtMappedSection map)
{
string name = String.Empty;
try
{
name = map.FullPath;
if (string.IsNullOrEmpty(name))
{
name = section.FullPath;
}
}
catch (NtException)
{
}
return(string.IsNullOrEmpty(name) ?
$"Handle {section.Handle.DangerousGetHandle()} - 0x{map.DangerousGetHandle().ToInt64():X}" : name);
}
static void Main(string[] args)
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
NtToken.EnableDebugPrivilege();
try
{
if (args.Length == 0)
{
Application.Run(new MainForm());
}
else
{
if (args.Length < 3)
{
var handle = new SafeKernelObjectHandle(new IntPtr(int.Parse(args[0])), true);
using (var section = NtSection.FromHandle(handle))
{
bool read_only = args.Length > 1 ? args[1].Equals("--readonly") : !section.IsAccessGranted(SectionAccessRights.MapWrite);
using (var map = read_only ? section.MapRead() : section.MapReadWrite())
{
using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only))
{
Application.Run(frm);
}
}
}
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
internal CreateUserProcessResult(SafeKernelObjectHandle process_handle, SafeKernelObjectHandle thread_handle,
ProcessCreateInfoData create_info,
SectionImageInformation image_info, ClientId client_id)
{
Process = new NtProcess(process_handle);
Thread = new NtThread(thread_handle);
ImageFile = new NtFile(new SafeKernelObjectHandle(create_info.Success.FileHandle, true));
SectionHandle = new NtSection(new SafeKernelObjectHandle(create_info.Success.SectionHandle, true));
ImageInfo = image_info;
ClientId = client_id;
CreateInfo = create_info;
CreateState = ProcessCreateState.Success;
}
static void Main(string[] args)
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
NtToken.EnableDebugPrivilege();
try
{
if (args.Length == 0)
{
Application.Run(new MainForm());
}
else
{
int handle = -1;
string text = String.Empty;
bool read_only = false;
bool delete_file = false;
string filename = string.Empty;
OptionSet opts = new OptionSet()
{
{ "handle=", "Specify an inherited handle to view.",
v => handle = int.Parse(v) },
{ "readonly", "Specify view section readonly", v => read_only = v != null },
{ "file=", "Specify a file to view", v => filename = v },
{ "delete", "Delete file after viewing", v => delete_file = v != null },
};
opts.Parse(args);
if (handle > 0)
{
using (var section = NtSection.FromHandle(new SafeKernelObjectHandle(new IntPtr(handle), true)))
{
read_only = read_only || !section.IsAccessGranted(SectionAccessRights.MapWrite);
using (var map = read_only ? section.MapRead() : section.MapReadWrite())
{
using (SectionEditorForm frm = new SectionEditorForm(map, GetName(section, map), read_only))
{
Application.Run(frm);
}
}
}
}
else if (File.Exists(filename))
{
try
{
using (var file = NtFile.Open(NtFileUtils.DosFileNameToNt(filename), null,
FileAccessRights.ReadData, FileShareMode.Read | FileShareMode.Delete, FileOpenOptions.NonDirectoryFile))
{
using (NtSection section = NtSection.CreateReadOnlyDataSection(file))
{
using (var map = section.MapRead())
{
using (SectionEditorForm frm = new SectionEditorForm(map, filename, true, file.Length))
{
Application.Run(frm);
}
}
}
}
}
finally
{
if (delete_file)
{
File.Delete(filename);
}
}
}
else
{
throw new Exception("Invalid command line arguments");
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
/// <summary>
/// Method to create an object from a set of object attributes.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The newly created object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
return(NtSection.Create(obj_attributes, Access, Size, Protection, SectionAttributes, File));
}
/// <summary>
/// Method to create an object from a set of object attributes.
/// </summary>
/// <param name="obj_attributes">The object attributes to create/open from.</param>
/// <returns>The newly created object.</returns>
protected override object CreateObject(ObjectAttributes obj_attributes)
{
return(NtSection.Open(obj_attributes, Access));
}
