drakvuf_obj_ref_by_handle fix for Windows 10 vm. Used by memdump in s…

…et_information_thread_hook_cb
tklengyel · Feb 17, 2025 · 8c07d54 · 8c07d54
1 parent 168dac3
commit 8c07d54
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 15 deletions.
diff --git a/src/libdrakvuf/os.h b/src/libdrakvuf/os.h
@@ -323,6 +323,9 @@ typedef struct os_interface
     unicode_string_t* (*get_object_type_name)
     (drakvuf_t drakvuf, addr_t object);
 
+    bool (*get_object_type_index)
+    (drakvuf_t drakvuf, access_context_t* object_header_ctx, uint8_t* index);
+
 } os_interface_t;
 
 bool set_os_windows(drakvuf_t drakvuf);

diff --git a/src/libdrakvuf/win-handles.c b/src/libdrakvuf/win-handles.c
@@ -228,7 +228,6 @@ addr_t drakvuf_get_obj_by_handle(drakvuf_t drakvuf, addr_t process, uint64_t han
 
 /////////////////////////////////////////////////////////////////////////////////////////////
 
-
 bool drakvuf_obj_ref_by_handle( drakvuf_t drakvuf, drakvuf_trap_info_t* info, addr_t current_eprocess,
     addr_t handle, object_manager_object_t obj_type_arg, addr_t* obj_body_addr )
 {
@@ -248,23 +247,25 @@ bool drakvuf_obj_ref_by_handle( drakvuf_t drakvuf, drakvuf_trap_info_t* info, ad
         // Get TypeIndex from _OBJ_HEADER...
         ctx.addr = obj_addr + drakvuf->offsets[ OBJECT_HEADER_TYPEINDEX ] ;
 
-        if ( vmi_read_8( drakvuf->vmi, &ctx, &object_type ) == VMI_SUCCESS )
+        if (!drakvuf->osi.get_object_type_index(drakvuf, &ctx, &object_type))
+        {
+            return false;
+        }
+
+        if ( object_type == obj_type_arg )
         {
-            if ( object_type == obj_type_arg )
+            if ( object_type == OBJ_MANAGER_PROCESS_OBJECT )
+            {
+                // Object Body must be an _EPROCESS...
+                ret = drakvuf_is_process( drakvuf, info->regs->cr3, obj_addr + drakvuf->offsets[ OBJECT_HEADER_BODY ] );
+            }
+            else if ( object_type == OBJ_MANAGER_THREAD_OBJECT )
             {
-                if ( object_type == OBJ_MANAGER_PROCESS_OBJECT )
-                {
-                    // Object Body must be an _EPROCESS...
-                    ret = drakvuf_is_process( drakvuf, info->regs->cr3, obj_addr + drakvuf->offsets[ OBJECT_HEADER_BODY ] );
-                }
-                else if ( object_type == OBJ_MANAGER_THREAD_OBJECT )
-                {
-                    // Object Body must be an _ETHREAD...
-                    ret = drakvuf_is_thread( drakvuf, info->regs->cr3, obj_addr + drakvuf->offsets[ OBJECT_HEADER_BODY ] );
-                }
-                else // Other object types...
-                    ret = true ;
+                // Object Body must be an _ETHREAD...
+                ret = drakvuf_is_thread( drakvuf, info->regs->cr3, obj_addr + drakvuf->offsets[ OBJECT_HEADER_BODY ] );
             }
+            else // Other object types...
+                ret = true ;
         }
     }
 

diff --git a/src/libdrakvuf/win.c b/src/libdrakvuf/win.c
@@ -474,6 +474,30 @@ unicode_string_t* win_get_object_type_name(drakvuf_t drakvuf, addr_t object)
     return drakvuf_read_unicode_va(drakvuf, type + drakvuf->offsets[OBJECT_TYPE_NAME], 0);
 }
 
+bool win_get_object_type_index(drakvuf_t drakvuf, access_context_t* object_header_ctx, uint8_t* index)
+{
+    addr_t object_header_addr = object_header_ctx->addr;
+
+    if (VMI_SUCCESS != vmi_read_8(drakvuf->vmi, object_header_ctx, index))
+    {
+        return false;
+    }
+
+    // https://medium.com/@ashabdalhalim/a-light-on-windows-10s-object-header-typeindex-value-e8f907e7073a
+    // Due to security mitigations type_index no longer equals to index in ObTypeIndexTable array on win 10
+    // but calculated as following:
+    if (vmi_get_winver(drakvuf->vmi) == VMI_OS_WINDOWS_10)
+    {
+        *index = *index ^ ((object_header_addr >> 8) & 0xff) ^ drakvuf->ob_header_cookie;
+    }
+    else
+    {
+        return false;
+    }
+
+    return true;
+}
+
 static bool enumerate_directory(drakvuf_t drakvuf, addr_t directory, void (*visitor_func)(drakvuf_t drakvuf, const object_info_t* object_info, void* visitor_ctx), void* visitor_ctx)
 {
     // There is only 37 _OBJECT_DIRECTORY_ENTRY entries in object directory:
@@ -737,6 +761,7 @@ bool set_os_windows(drakvuf_t drakvuf)
     drakvuf->osi.get_kernel_symbol_va = win_get_kernel_symbol_va;
     drakvuf->osi.get_object_type_name = win_get_object_type_name;
     drakvuf->osi.get_object_name = win_get_object_name;
+    drakvuf->osi.get_object_type_index = win_get_object_type_index;
 
     return true;
 }
diff --git a/src/libdrakvuf/win.h b/src/libdrakvuf/win.h
@@ -225,4 +225,6 @@ bool win_get_kernel_symbol_va(drakvuf_t drakvuf, const char* function, addr_t* v
 unicode_string_t* win_get_object_name(drakvuf_t drakvuf, addr_t object);
 unicode_string_t* win_get_object_type_name(drakvuf_t drakvuf, addr_t object);
 
+bool win_get_object_type_index(drakvuf_t drakvuf, access_context_t* object_header_ctx, uint8_t* index);
+
 #endif