Fix missing handle type when NtQueryObject has been hooked by kernel

dmex · dmex · commit aefc62d7c773 · 2018-10-09T15:16:24.000+11:00
diff --git a/ProcessHacker/hndlprv.c b/ProcessHacker/hndlprv.c
@@ -625,6 +625,19 @@ VOID PhHandleProviderUpdate(
                 NULL
                 );
 
+            // HACK: Some security products block NtQueryObject with ObjectTypeInformation and return an invalid type
+            // so we need to lookup the TypeName using the TypeIndex. We should improve PhGetHandleInformationEx for this case
+            // but for now we'll preserve backwards compat by doing the lookup here. (dmex)
+            if (PhIsNullOrEmptyString(handleItem->TypeName))
+            {
+                PPH_STRING typeName;
+
+                if (typeName = PhGetObjectTypeName(handleItem->TypeIndex))
+                {
+                    PhMoveReference(&handleItem->TypeName, typeName);
+                }
+            }
+
             if (handleItem->TypeName && PhEqualString2(handleItem->TypeName, L"File", TRUE) && KphIsConnected())
             {
                 KPH_FILE_OBJECT_INFORMATION objectInfo;
