Merge pull request x64dbg#668 from torusrxxx/patch-2

Handles view

Author: mrexodia

src/bridge/_global.cpp

@@ -24,3 +24,7 @@ DBGGETBPLIST _dbg_getbplist;
 DBGDBGCMDEXECDIRECT _dbg_dbgcmddirectexec;
 DBGGETBRANCHDESTINATION _dbg_getbranchdestination;
 DBGSENDMESSAGE _dbg_sendmessage;
+DBGGETHANDLECOUNT _dbg_gethandlecount;
+DBGENUMHANDLES _dbg_enumhandles;
+DBGGETHANDLENAME _dbg_gethandlename;
+DBGGETPROCESSINFORMATION _dbg_getProcessInformation;

src/bridge/_global.h

@@ -36,6 +36,11 @@ typedef bool (*DBGDBGCMDEXECDIRECT)(const char* cmd);
 typedef duint(*DBGGETBRANCHDESTINATION)(duint addr);
 typedef duint(*DBGSENDMESSAGE)(DBGMSG type, void* param1, void* param2);
 
+typedef long (*DBGGETHANDLECOUNT)();
+typedef long (*DBGENUMHANDLES)(duint* handles, unsigned char* typeNumbers, unsigned int* grantedAccess, unsigned int maxcount);
+typedef bool(*DBGGETHANDLENAME)(char *name, char* typeName, size_t buffersize, duint remotehandle);
+typedef PROCESS_INFORMATION* (*DBGGETPROCESSINFORMATION)();
+
 //DBG functions
 extern DBGDBGINIT _dbg_dbginit;
 extern DBGMEMFINDBASEADDR _dbg_memfindbaseaddr;
@@ -57,5 +62,9 @@ extern DBGGETBPLIST _dbg_getbplist;
 extern DBGDBGCMDEXECDIRECT _dbg_dbgcmddirectexec;
 extern DBGGETBRANCHDESTINATION _dbg_getbranchdestination;
 extern DBGSENDMESSAGE _dbg_sendmessage;
+extern DBGGETHANDLECOUNT _dbg_gethandlecount;
+extern DBGENUMHANDLES _dbg_enumhandles;
+extern DBGGETHANDLENAME _dbg_gethandlename;
+extern DBGGETPROCESSINFORMATION _dbg_getProcessInformation;
 
 #endif // _GLOBAL_H

src/bridge/bridgemain.cpp

@@ -83,6 +83,10 @@ BRIDGE_IMPEXP const char* BridgeInit()
     LOADEXPORT(_dbg_dbgcmddirectexec);
     LOADEXPORT(_dbg_getbranchdestination);
     LOADEXPORT(_dbg_sendmessage);
+    LOADEXPORT(_dbg_gethandlecount);
+    LOADEXPORT(_dbg_gethandlename);
+    LOADEXPORT(_dbg_enumhandles);
+    LOADEXPORT(_dbg_getProcessInformation);
     return 0;
 }
 
@@ -846,6 +850,26 @@ BRIDGE_IMPEXP ARGTYPE DbgGetArgTypeAt(duint addr)
     return ARG_NONE;
 }
 
+BRIDGE_IMPEXP long DbgGetHandleCount()
+{
+    return _dbg_gethandlecount();
+}
+
+BRIDGE_IMPEXP long DbgEnumHandles(duint* handles, unsigned char* typeNumbers, unsigned int* grantedAccess, unsigned int maxcount)
+{
+    return _dbg_enumhandles(handles, typeNumbers, grantedAccess, maxcount);
+}
+
+BRIDGE_IMPEXP bool DbgGetHandleName(char *name, char* typeName, size_t buffersize, duint remotehandle)
+{
+    return _dbg_gethandlename(name, typeName, buffersize, remotehandle);
+}
+
+BRIDGE_IMPEXP PROCESS_INFORMATION* DbgGetProcessInformation()
+{
+    return _dbg_getProcessInformation();
+}
+
 BRIDGE_IMPEXP void GuiDisasmAt(duint addr, duint cip)
 {
     _gui_sendmessage(GUI_DISASSEMBLE_AT, (void*)addr, (void*)cip);

src/bridge/bridgemain.h

@@ -352,7 +352,7 @@ typedef struct
     duint start; //OUT
     duint end; //OUT
 } LOOP;
-
+#ifndef _NO_ADDRINFO
 typedef struct
 {
     int flags; //ADDRINFOFLAGS (IN)
@@ -363,7 +363,7 @@ typedef struct
     FUNCTION function;
     LOOP loop;
 } ADDRINFO;
-
+#endif
 struct SYMBOLINFO_
 {
     duint addr;
@@ -725,6 +725,11 @@ BRIDGE_IMPEXP bool DbgWinEventGlobal(MSG* message);
 BRIDGE_IMPEXP bool DbgIsRunning();
 BRIDGE_IMPEXP duint DbgGetTimeWastedCounter();
 BRIDGE_IMPEXP ARGTYPE DbgGetArgTypeAt(duint addr);
+BRIDGE_IMPEXP long DbgGetHandleCount();
+BRIDGE_IMPEXP long DbgEnumHandles(duint* handles, unsigned char* typeNumbers, unsigned int* grantedAccess, unsigned int maxcount);
+BRIDGE_IMPEXP bool DbgGetHandleName(char* name, char* typeName, size_t buffersize, duint remotehandle);
+BRIDGE_IMPEXP bool DbgGetHandleInfo(duint remotehandle, duint* refcount, duint* access);
+BRIDGE_IMPEXP PROCESS_INFORMATION* DbgGetProcessInformation();
 
 //Gui defines
 #define GUI_PLUGIN_MENU 0

src/dbg/_exports.cpp

@@ -366,6 +366,17 @@ extern "C" DLL_EXPORT bool _dbg_addrinfoset(duint addr, ADDRINFO* addrinfo)
     return retval;
 }
 
+
+extern "C" DLL_EXPORT long _dbg_gethandlecount()
+{
+    return HandlerGetActiveHandleCount(fdProcessInfo->dwProcessId);
+}
+
+extern "C" DLL_EXPORT PROCESS_INFORMATION* _dbg_getProcessInformation()
+{
+    return fdProcessInfo;
+}
+
 extern "C" DLL_EXPORT int _dbg_bpgettypeat(duint addr)
 {
     static duint cacheAddr;

src/dbg/_exports.h

@@ -18,6 +18,10 @@ DLL_EXPORT bool _dbg_isdebugging();
 DLL_EXPORT bool _dbg_isjumpgoingtoexecute(duint addr);
 DLL_EXPORT bool _dbg_addrinfoget(duint addr, SEGMENTREG segment, ADDRINFO* addrinfo);
 DLL_EXPORT bool _dbg_addrinfoset(duint addr, ADDRINFO* addrinfo);
+DLL_EXPORT long _dbg_gethandlecount();
+DLL_EXPORT long _dbg_enumhandles(duint* handles, unsigned char* typeNumbers, unsigned int* grantedAccess, unsigned int maxcount);
+DLL_EXPORT bool _dbg_gethandlename(char *name, char* typeName, size_t buffersize, duint remotehandle);
+DLL_EXPORT PROCESS_INFORMATION* _dbg_getProcessInformation();
 DLL_EXPORT int _dbg_bpgettypeat(duint addr);
 DLL_EXPORT bool _dbg_getregdump(REGDUMP* regdump);
 DLL_EXPORT bool _dbg_valtostring(const char* string, duint value);

src/dbg/debugger.cpp

@@ -53,6 +53,7 @@ char szSymbolCachePath[MAX_PATH] = "";
 char sqlitedb[deflen] = "";
 PROCESS_INFORMATION* fdProcessInfo = &g_pi;
 HANDLE hActiveThread;
+HANDLE hProcessToken;
 bool bUndecorateSymbolNames = true;
 bool bEnableSourceDebugging = true;
 
@@ -1860,6 +1861,9 @@ static void debugLoopFunction(void* lpParameter, bool attach)
         //set script variables
         varset("$hp", (duint)fdProcessInfo->hProcess, true);
         varset("$pid", fdProcessInfo->dwProcessId, true);
+
+        if (!OpenProcessToken(fdProcessInfo->hProcess, TOKEN_ALL_ACCESS, &hProcessToken))
+            hProcessToken = 0;
     }
 
     //set custom handlers
@@ -1933,6 +1937,8 @@ static void debugLoopFunction(void* lpParameter, bool attach)
     dputs("Debugging stopped!");
     varset("$hp", (duint)0, true);
     varset("$pid", (duint)0, true);
+    if(hProcessToken)
+        CloseHandle(hProcessToken);
     unlock(WAITID_STOP); //we are done
     pDebuggedEntry = 0;
     pDebuggedBase = 0;

src/dbg/debugger.h

@@ -110,6 +110,7 @@ bool cbSetModuleBreakpoints(const BREAKPOINT* bp);
 //variables
 extern PROCESS_INFORMATION* fdProcessInfo;
 extern HANDLE hActiveThread;
+extern HANDLE hProcessToken;
 extern char szFileName[MAX_PATH];
 extern char szSymbolCachePath[MAX_PATH];
 extern bool bUndecorateSymbolNames;

src/dbg/enumhandles.cpp

@@ -0,0 +1,122 @@
+#include "_global.h"
+#include "debugger.h"
+#include "TitanEngine\TitanEngine.h"
+
+struct SYSTEM_HANDLE_INFORMATION{
+    ULONG ProcessId;
+    UCHAR ObjectTypeNumber;
+    UCHAR Flags;
+    USHORT Handle;
+    PVOID Object;
+    DWORD GrantedAccess;
+};
+
+struct OBJECT_TYPE_INFORMATION
+{
+    UNICODE_STRING Name;
+    ULONG TotalNumberOfObjects;
+    ULONG TotalNumberOfHandles;
+    ULONG TotalPagedPoolUsage;
+    ULONG TotalNonPagedPoolUsage;
+    ULONG TotalNamePoolUsage;
+    ULONG TotalHandleTableUsage;
+    ULONG HighWaterNumberOfObjects;
+    ULONG HighWaterNumberOfHandles;
+    ULONG HighWaterPagedPoolUsage;
+    ULONG HighWaterNonPagedPoolUsage;
+    ULONG HighWaterNamePoolUsage;
+    ULONG HighWaterHandleTableUsage;
+    ULONG InvalidAttributes;
+    GENERIC_MAPPING GenericMapping;
+    ULONG ValidAccess;
+    BOOLEAN SecurityRequired;
+    BOOLEAN MaintainHandleCount;
+    USHORT MaintainTypeList;
+    DWORD PoolType;
+    ULONG PagedPoolUsage;
+    ULONG NonPagedPoolUsage;
+};
+
+struct MYHANDLES{
+    DWORD_PTR HandleCount;
+    SYSTEM_HANDLE_INFORMATION Handles[1];
+};
+
+#ifdef _WIN64
+DWORD (*NtQuerySystemInformation)(DWORD SystemInfoClass, void* SystemInfo, DWORD SystemInfoSize, DWORD* ReturnedSize) = nullptr;
+#else //x86
+DWORD(__stdcall *NtQuerySystemInformation)(DWORD SystemInfoClass, void* SystemInfo, DWORD SystemInfoSize, DWORD* ReturnedSize) = nullptr;
+#endif //_WIN64
+#ifdef _WIN64
+DWORD (*NtQueryObject)(HANDLE ObjectHandle, ULONG ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength) = nullptr;
+#else //x86
+DWORD(__stdcall *NtQueryObject)(HANDLE ObjectHandle, ULONG ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength) = nullptr;
+#endif //_WIN64
+
+extern "C" DLL_EXPORT long _dbg_enumhandles(duint* handles, unsigned char* typeNumbers, unsigned int* grantedAccess, unsigned int maxcount)
+{
+    MYHANDLES* myhandles = (MYHANDLES*)emalloc(16384, "_dbg_enumhandles");
+    DWORD size = 16384;
+    DWORD errcode = 0xC0000004;
+    if (NtQuerySystemInformation == nullptr) 
+        *(FARPROC*)&NtQuerySystemInformation = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
+    while (errcode == 0xC0000004)
+    {
+        errcode = NtQuerySystemInformation(16, myhandles, size, &size);
+        if (errcode == 0xC0000004)
+        {
+            myhandles = (MYHANDLES*)erealloc(myhandles, size + 16384, "_dbg_enumhandles");
+            size += 16384;
+        }
+        else
+        {
+            break;
+        }
+    }
+    if (errcode != 0)
+    {
+        efree(myhandles, "_dbg_enumhandles");
+        return 0;
+    }
+    else
+    {
+        unsigned int j = 0;
+        for (unsigned int i = 0; i < myhandles->HandleCount; i++)
+        {
+            DWORD pid = fdProcessInfo->dwProcessId;
+            if (myhandles->Handles[i].ProcessId == pid)
+            {
+                handles[j] = myhandles->Handles[j].Handle;
+                typeNumbers[j] = myhandles->Handles[j].ObjectTypeNumber;
+                grantedAccess[j] = myhandles->Handles[j].GrantedAccess;
+                if (++j == maxcount) break;
+            }
+        }
+        efree(myhandles, "_dbg_enumhandles");
+        return j;
+    }
+}
+
+extern "C" DLL_EXPORT bool _dbg_gethandlename(char *name, char* typeName, size_t buffersize, duint remotehandle)
+{
+    HANDLE hLocalHandle;
+    if (typeName && DuplicateHandle(fdProcessInfo->hProcess, (HANDLE)remotehandle, GetCurrentProcess(), &hLocalHandle, DUPLICATE_SAME_ACCESS, FALSE, 0))
+    {
+        OBJECT_TYPE_INFORMATION* objectTypeInfo = (OBJECT_TYPE_INFORMATION*)emalloc(128, "_dbg_gethandlename");
+        if (NtQueryObject == nullptr)
+            *(FARPROC*)&NtQueryObject = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryObject");
+        if (NtQueryObject(hLocalHandle, 2, objectTypeInfo, 128, NULL) >= 0)
+            strcpy_s(typeName, buffersize, StringUtils::Utf16ToUtf8(objectTypeInfo->Name.Buffer).c_str());
+        efree(objectTypeInfo, "_dbg_gethandlename");
+        CloseHandle(hLocalHandle);
+    }
+    wchar_t *buffer;
+    buffer = (wchar_t*)HandlerGetHandleNameW(fdProcessInfo->hProcess, fdProcessInfo->dwProcessId, (HANDLE)remotehandle, false);
+    if (buffer)
+    {
+        strcpy_s(name, buffersize, StringUtils::Utf16ToUtf8(buffer).c_str());
+        VirtualFree(buffer, 0, MEM_RELEASE);
+        return true;
+    }
+    return true;
+}

src/dbg/instruction.cpp

@@ -2390,4 +2390,85 @@ CMDRESULT cbInstrMnemonicbrief(int argc, char* argv[])
         return STATUS_ERROR;
     dputs(MnemonicHelp::getBriefDescription(argv[1]).c_str());
     return STATUS_CONTINUE;
-}
+}
+
+
+CMDRESULT cbGetPrivilegeState(int argc, char* argv[])
+{
+    TOKEN_PRIVILEGES* Privileges;
+    DWORD returnLength;
+    LUID luid;
+    if (LookupPrivilegeValueW(nullptr, StringUtils::Utf8ToUtf16(argv[1]).c_str(), &luid) == 0)
+    {
+        varset("$result", (duint)0, false);
+        return CMDRESULT::STATUS_CONTINUE;
+    }
+    Privileges = (TOKEN_PRIVILEGES*)emalloc(64 * 16 + 8, "_dbg_getprivilegestate");
+    if (GetTokenInformation(hProcessToken, TokenPrivileges, Privileges, 64 * 16 + 8, &returnLength) == 0)
+    {
+        if (returnLength > 4 * 1024 * 1024)
+        {
+            varset("$result", (duint)0, false);
+            return CMDRESULT::STATUS_CONTINUE;
+        }
+        Privileges = (TOKEN_PRIVILEGES*)erealloc(Privileges, returnLength, "_dbg_getprivilegestate");
+        if (GetTokenInformation(hProcessToken, TokenPrivileges, Privileges, returnLength, &returnLength) == 0)
+        {
+            efree(Privileges, "_dbg_getprivilegestate");
+            return STATUS_ERROR;
+        }
+    }
+    for (unsigned int i = 0; i < Privileges->PrivilegeCount; i++)
+    {
+        if (4 + sizeof(LUID_AND_ATTRIBUTES) * i > returnLength)
+        {
+            efree(Privileges, "_dbg_getprivilegestate");
+            return STATUS_ERROR;
+        }
+        if (memcmp(&Privileges->Privileges[i].Luid, &luid, sizeof(LUID)) == 0)
+        {
+            efree(Privileges, "_dbg_getprivilegestate");
+            varset("$result", (duint)(Privileges->Privileges[i].Attributes + 1), false); // 2=enabled, 3=default, 1=disabled
+            return STATUS_CONTINUE;
+        }
+    }
+    efree(Privileges, "_dbg_getprivilegestate");
+    varset("$result", (duint)0, false);
+    return STATUS_CONTINUE;
+}
+
+CMDRESULT cbEnablePrivilege(int argc, char* argv[])
+{
+    LUID luid;
+    if (LookupPrivilegeValueW(nullptr, StringUtils::Utf8ToUtf16(argv[1]).c_str(), &luid) == 0)
+    {
+        dprintf("Could not find the specified privilege: %s\n", argv[1]);
+        return CMDRESULT::STATUS_ERROR;
+    }
+    TOKEN_PRIVILEGES* Privilege;
+    Privilege = (TOKEN_PRIVILEGES*)emalloc(sizeof(LUID_AND_ATTRIBUTES) + 4, "_dbg_enableprivilege");
+    Privilege->PrivilegeCount = 1;
+    Privilege->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+    Privilege->Privileges[0].Luid = luid;
+    bool ret = AdjustTokenPrivileges(hProcessToken, FALSE, Privilege, sizeof(LUID_AND_ATTRIBUTES) + 4, nullptr, nullptr) != NO_ERROR;
+    efree(Privilege, "_dbg_enableprivilege");
+    return ret ? CMDRESULT::STATUS_CONTINUE : CMDRESULT::STATUS_CONTINUE;
+}
+
+CMDRESULT cbDisablePrivilege(int argc, char* argv[])
+{
+    LUID luid;
+    if (LookupPrivilegeValueW(nullptr, StringUtils::Utf8ToUtf16(argv[1]).c_str(), &luid) == 0)
+    {
+        dprintf("Could not find the specified privilege: %s\n", argv[1]);
+        return CMDRESULT::STATUS_ERROR;
+    }
+    TOKEN_PRIVILEGES* Privilege;
+    Privilege = (TOKEN_PRIVILEGES*)emalloc(sizeof(LUID_AND_ATTRIBUTES) + 4, "_dbg_disableprivilege");
+    Privilege->PrivilegeCount = 1;
+    Privilege->Privileges[0].Attributes = 0;
+    Privilege->Privileges[0].Luid = luid;
+    bool ret = AdjustTokenPrivileges(hProcessToken, FALSE, Privilege, sizeof(LUID_AND_ATTRIBUTES) + 4, nullptr, nullptr) != NO_ERROR;
+    efree(Privilege, "_dbg_disableprivilege");
+    return ret ? CMDRESULT::STATUS_CONTINUE : CMDRESULT::STATUS_CONTINUE;
+}

src/dbg/instruction.h

@@ -82,4 +82,8 @@ CMDRESULT cbInstrSavedata(int argc, char* argv[]);
 CMDRESULT cbInstrMnemonichelp(int argc, char* argv[]);
 CMDRESULT cbInstrMnemonicbrief(int argc, char* argv[]);
 
+CMDRESULT cbGetPrivilegeState(int argc, char* argv[]);
+CMDRESULT cbEnablePrivilege(int argc, char* argv[]);
+CMDRESULT cbDisablePrivilege(int argc, char* argv[]);
+
 #endif // _INSTRUCTION_H

src/gui/Src/Gui/GotoDialog.cpp

@@ -93,7 +93,7 @@ void GotoDialog::expressionChanged(bool validExpression, bool validPointer, dsin
         QString addrText = QString(" %1").arg(va, sizeof(dsint) * 2, 16, QChar('0')).toUpper();
         if(va)
         {
-            ui->labelError->setText(tr("<font color='#00DD00'><b>Correct expression! -></b></font>") + addrText);
+            ui->labelError->setText(tr("<font color='#00DD00'><b>Correct expression! -&gt; </b></font>") + addrText);
             setOkEnabled(true);
             expressionText = expression;
         }
@@ -135,7 +135,7 @@ void GotoDialog::expressionChanged(bool validExpression, bool validPointer, dsin
                 addrText = QString(module) + "." + QString("%1").arg(addr, sizeof(dsint) * 2, 16, QChar('0')).toUpper();
             else
                 addrText = QString("%1").arg(addr, sizeof(dsint) * 2, 16, QChar('0')).toUpper();
-            ui->labelError->setText(tr("<font color='#00DD00'><b>Correct expression! -> </b></font>") + addrText);
+            ui->labelError->setText(tr("<font color='#00DD00'><b>Correct expression! -&gt; </b></font>") + addrText);
             setOkEnabled(true);
             expressionText = expression;
         }