DXRW4E

ZwOpenSymbolicLinkObject failing with STATUS_OBJECT_TYPE_MISMATCH


Does anyone know what I'm doing wrong here, or what is going on? According to http://doxygen.reactos.org/d4/df6/iorsrce_8c_a1fa7c3ef35807cc948edb0de839f8625.html everything looks OK.

#RequireAdmin

#Region ;Routines
Global Static $arDllCall ; result array of the most recent DllCall(); every _NTAPI_* routine below writes it

; OBJECT_ATTRIBUTES.Attributes flags (OBJ_*), as documented for the object manager.
Global Const $OBJ_INHERIT            = 0x00000002 ; handle may be inherited by child processes of the current process
Global Const $OBJ_PERMANENT          = 0x00000010 ; a named object is not deleted when its last handle closes
;                                                   (ZwMakeTemporaryObject turns a permanent object back into a temporary one)
Global Const $OBJ_EXCLUSIVE          = 0x00000020 ; on creation: only the creating process may open the object;
;                                                   on open: request exclusive access, granted only if the object was created exclusive
Global Const $OBJ_CASE_INSENSITIVE   = 0x00000040 ; compare ObjectName case-insensitively instead of using the system default
Global Const $OBJ_OPENIF             = 0x00000080 ; a create routine opens an already existing object instead of failing with
;                                                   STATUS_OBJECT_NAME_COLLISION
Global Const $OBJ_OPENLINK           = 0x00000100 ; open the symbolic link object itself, not the object it points to
Global Const $OBJ_KERNEL_HANDLE      = 0x00000200 ; handle is created in the system process for kernel-mode use only;
;                                                   the object manager ignores it for a user-mode caller such as this script
Global Const $OBJ_FORCE_ACCESS_CHECK = 0x00000400 ; enforce all access checks even when the opener runs in kernel mode
Global Const $OBJ_VALID_ATTRIBUTES   = 0x000007F2 ; every flag above OR-ed together; documented as reserved
Global Const $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE   = BitOR($OBJ_CASE_INSENSITIVE, $OBJ_KERNEL_HANDLE) ; 0x00000240

; Access rights for SymbolicLink objects.
Global Const $_STANDARD_RIGHTS_REQUIRED  = 0x000F0000 ; DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
Global Const $SYMBOLIC_LINK_QUERY       = 0x0001
Global Const $SYMBOLIC_LINK_ALL_ACCESS  = BitOR($_STANDARD_RIGHTS_REQUIRED, $SYMBOLIC_LINK_QUERY) ; 0x000F0001

;~ Global Const $PUNICODE_STRING = DllStructGetPtr($tUNICODE_STRING)
;~ Global Const $sCurrentUserSid = (DllCall("Ntdll.dll", "LONG", "RtlFormatCurrentUserKeyPath", "STRUCT*", $tUNICODE_STRING) + @Error) ? "" : StringTrimLeft(DllStructGetData(DllStructCreate("WCHAR CurrentUserKeyPath[256]", DllStructGetData($tUNICODE_STRING, 3)), 1), 15) & String(DllCall("Ntdll.dll", "LONG", "RtlFreeUnicodeString", "STRUCT*", $tUNICODE_STRING))


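Func _NTAPI_InitializeObjectAttributes($sObjectName, $ulAttributes = $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE, $hRootDirectory = Null, $pSecurityDescriptor = Null)
    ; Fills a static OBJECT_ATTRIBUTES / UNICODE_STRING pair describing $sObjectName and returns a pointer to it.
    ;   $sObjectName         - NT object-manager path (e.g. "\DosDevices\C:") or a registry path. When no root directory is
    ;                          given, a leading Win32 hive alias (HKLM, HKEY_CURRENT_USER, ...) is rewritten to its
    ;                          "\Registry\..." name; an alias ending in "32"/"64" selects the WOW64 view (see @extended).
    ;   $ulAttributes        - OBJ_* flags stored in OBJECT_ATTRIBUTES.Attributes.
    ;   $hRootDirectory      - optional directory or key handle that $sObjectName is relative to.
    ;   $pSecurityDescriptor - optional SECURITY_DESCRIPTOR pointer.
    ; Returns: pointer to the OBJECT_ATTRIBUTES structure. @extended = KEY_WOW64_32KEY (0x200) or KEY_WOW64_64KEY (0x100)
    ;          when the alias carried a "32"/"64" suffix, otherwise 0.
    ; Failure: returns 0 with @error = 87 (ERROR_INVALID_PARAMETER) when the final name exceeds the 255-WCHAR buffer.
    ;          Previously such a name was silently cut at 255 characters, so the attributes described a different
    ;          object than the one requested.
    ; NOTE: all buffers are Static - a second call overwrites the data behind the pointer returned by the first.
    Static $tObjectName = DllStructCreate("WCHAR ObjectName[256]"), $tUNICODE_STRING = DllStructCreate("USHORT Length;USHORT MaximumLength;PTR Buffer")
    Static $tOBJECT_ATTRIBUTES = DllStructCreate("ULONG Length;HANDLE RootDirectory;PTR ObjectName;ULONG Attributes;PTR SecurityDescriptor;PTR SecurityQualityOfService")
    Static $pObjectName = DllStructGetPtr($tObjectName, 1), $POBJECT_ATTRIBUTES = DllStructGetPtr($tOBJECT_ATTRIBUTES, 1), $PUNICODE_STRING = DllStructGetPtr($tUNICODE_STRING, 1)
    Local Const $OBJECT_NAME_MAX_CHARS = 255 ; WCHAR ObjectName[256] less the terminating null
    Local $aObjectName, $sSubKey, $ulDesiredAccess = 0
    If Not $hRootDirectory Then
        ; $aObjectName[0] = hive alias, [1] = "32" / "64" / "", [2] = rest of the path without its leading backslash
        $aObjectName = StringRegExp($sObjectName, "^\h*(?:\\+[^\\]+\\+)?+([^\W\d]*+)((?:32|64)?+(?!\w))\\*+(.*)", 1)
        If Not @Error Then
            $sSubKey = StringRegExpReplace($aObjectName[2], "^.", "\\$0") ; re-insert the separator only when a subkey follows
            Switch $aObjectName[0]
                Case "HKCR", "HKEY_CLASSES_ROOT", "CLASSES_ROOT" ; = MACHINE\SOFTWARE\Classes
                    $sObjectName = "\Registry\Machine\SOFTWARE\Classes" & $sSubKey
                Case "HKCU", "HKEY_CURRENT_USER", "CURRENT_USER"
                    $sObjectName = "\Registry\User\CurrentUser" & $sSubKey
                Case "HKLM", "HKEY_LOCAL_MACHINE", "MACHINE"
                    $sObjectName = "\Registry\Machine" & $sSubKey
                Case "HKU", "HKEY_USERS", "USERS"
                    $sObjectName = "\Registry\User" & $sSubKey
                Case "HKCC", "HKEY_CURRENT_CONFIG" ; = MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
                    $sObjectName = "\Registry\Machine\SYSTEM\CurrentControlSet\Hardware Profiles\Current" & $sSubKey
                Case "HKLS", "HKEY_CURRENT_USER_LOCAL_SETTINGS" ; = CURRENT_USER\Software\Classes\Local Settings
                    $sObjectName = "\Registry\User\CurrentUser\Software\Classes\Local Settings" & $sSubKey
            EndSwitch
            If $aObjectName[1] Then $ulDesiredAccess = $aObjectName[1] == "32" ? 0x200 : 0x100  ;; $KEY_WOW64_32KEY = 0x0200, $KEY_WOW64_64KEY = 0x0100
        EndIf
    EndIf
    If StringLen($sObjectName) > $OBJECT_NAME_MAX_CHARS Then Return SetError(87, 87, 0)
    DllStructSetData($tObjectName, 1, $sObjectName)  ;; "ObjectName"
    ; RtlInitUnicodeString is declared VOID, so the "LONG" it appears to return is not meaningful; whenever it is taken
    ; as a failure the same three fields are filled by hand (Length in bytes, MaximumLength including the null).
    $arDllCall = DllCall("Ntdll.dll", "LONG", "RtlInitUnicodeString", "PTR", $PUNICODE_STRING, "PTR", $pObjectName)
    If @Error Or $arDllCall[0] Then
        DllStructSetData($tUNICODE_STRING, 1, StringLen($sObjectName) * 2)  ;; "Length"
        DllStructSetData($tUNICODE_STRING, 2, DllStructGetData($tUNICODE_STRING, 1) + 2)  ;; "MaximumLength"
        DllStructSetData($tUNICODE_STRING, 3, $pObjectName) ;; "Buffer"
    EndIf
    DllStructSetData($tOBJECT_ATTRIBUTES, 1, DllStructGetSize($tOBJECT_ATTRIBUTES))  ;; "Length"
    DllStructSetData($tOBJECT_ATTRIBUTES, 2, $hRootDirectory)  ;; "RootDirectory"
    DllStructSetData($tOBJECT_ATTRIBUTES, 3, $PUNICODE_STRING)  ;; "ObjectName"
    DllStructSetData($tOBJECT_ATTRIBUTES, 4, $ulAttributes)  ;; "Attributes"
    DllStructSetData($tOBJECT_ATTRIBUTES, 5, $pSecurityDescriptor)  ;; "SecurityDescriptor"
    DllStructSetData($tOBJECT_ATTRIBUTES, 6, Null)  ;; "SecurityQualityOfService"
    Return SetExtended($ulDesiredAccess, $POBJECT_ATTRIBUTES)
EndFunc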


Func _NTAPI_ZwOpenKeyEx(Const ByRef $pObjectAttributes, $ulDesiredAccess = 0, $ulOpenOptions = 0)
    ; Opens a registry key through ZwOpenKeyEx.
    ;   $pObjectAttributes - pointer from _NTAPI_InitializeObjectAttributes() (0/Null is rejected).
    ;   $ulDesiredAccess   - KEY_* access mask.
    ;   $ulOpenOptions     - REG_OPTION_* flags; 8 (REG_OPTION_OPEN_LINK) opens a registry link key itself.
    ; Returns: the key handle (0 on failure). @error = 87 for a Null pointer, 1 with @extended = -(DllCall error)
    ;          when the call could not be made, otherwise the NTSTATUS returned by the kernel (0 = success).
    If Not $pObjectAttributes Then Return SetError(87, 87, 0)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwOpenKeyEx", "HANDLE*", 0, "ULONG", $ulDesiredAccess, "PTR", $pObjectAttributes, "ULONG", $ulOpenOptions)
    Local $iDllError = @Error
    If $iDllError Then Return SetError(1, -$iDllError, 0)
    Local $ntStatus = $arDllCall[0], $hKey = $arDllCall[1]
    Return SetError($ntStatus, 0, $hKey)
EndFunc


Func _NTAPI_ZwOpenSymbolicLinkObject(Const ByRef $pObjectAttributes, $ulDesiredAccess = 0)
    ; Opens an object-manager SymbolicLink object (e.g. "\DosDevices\C:") through ZwOpenSymbolicLinkObject.
    ;   $pObjectAttributes - pointer from _NTAPI_InitializeObjectAttributes() (0/Null is rejected).
    ;   $ulDesiredAccess   - access mask; SYMBOLIC_LINK_QUERY is always OR-ed in so the handle can be queried.
    ; Returns: the link handle (0 on failure). @error = 87 for a Null pointer, 1 with @extended = -(DllCall error)
    ;          when the call could not be made, otherwise the NTSTATUS (0 = success).
    ; A "\Registry\..." name denotes a Key object even when the key is a registry link, not a SymbolicLink object;
    ; for such a name the kernel answers STATUS_OBJECT_TYPE_MISMATCH (0xC0000024).
    If Not $pObjectAttributes Then Return SetError(87, 87, 0)
    Local $ulAccess = BitOR($ulDesiredAccess, $SYMBOLIC_LINK_QUERY)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwOpenSymbolicLinkObject", "HANDLE*", 0, "ULONG", $ulAccess, "PTR", $pObjectAttributes)
    Local $iDllError = @Error
    If $iDllError Then Return SetError(1, -$iDllError, 0)
    Local $ntStatus = $arDllCall[0], $hLink = $arDllCall[1]
    Return SetError($ntStatus, 0, $hLink)
EndFunc


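Func _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle, $iBuffer = 65534) ;; MaximumLength Limit = 65534
    ; Returns the target path of an object-manager symbolic link opened with _NTAPI_ZwOpenSymbolicLinkObject().
    ;   $hLinkHandle - handle holding SYMBOLIC_LINK_QUERY access.
    ;   $iBuffer     - size in bytes of the receive buffer; must be even and at most 65534 because
    ;                  UNICODE_STRING.MaximumLength is a USHORT byte count.
    ; Returns: the link target (0 on a rejected argument or failed call, otherwise the string, "" when the kernel wrote
    ;          nothing); @extended = ReturnedLength reported by the kernel.
    ;          @error = 87 when $iBuffer is invalid, 1 with @extended = -(DllCall error) when the call could not be made,
    ;          otherwise the NTSTATUS (0 = success).
    ; An odd $iBuffer used to produce a non-integer WCHAR count and a failed DllStructCreate that went unnoticed, and a
    ; value above 65534 overflowed MaximumLength; both are rejected up front now.
    Local Const $UNICODE_STRING_MAX_BYTES = 65534
    If $iBuffer <= 0 Or $iBuffer > $UNICODE_STRING_MAX_BYTES Or Mod($iBuffer, 2) Then Return SetError(87, 87, 0)
    Local $tLinkTarget = DllStructCreate("WCHAR LinkTarget[" & Int($iBuffer / 2) & "]")
    Local $tUNICODE_STRING = DllStructCreate("USHORT Length;USHORT MaximumLength;PTR Buffer")
    ; Describe the empty, zero-filled receive buffer directly. This is what RtlInitUnicodeString (a VOID routine whose
    ; "return value" the old code tested) leaves behind for such a buffer, except that MaximumLength must advertise
    ; the whole allocation so the kernel knows how much it may write.
    DllStructSetData($tUNICODE_STRING, 1, 0)  ;; "Length"
    DllStructSetData($tUNICODE_STRING, 2, $iBuffer)  ;; "MaximumLength"
    DllStructSetData($tUNICODE_STRING, 3, DllStructGetPtr($tLinkTarget, 1)) ;; "Buffer"
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQuerySymbolicLinkObject", "HANDLE", $hLinkHandle, "STRUCT*", $tUNICODE_STRING, "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    Local $iReturned = $arDllCall[3] ; ReturnedLength: bytes needed when the buffer was too small
    If $iReturned > $iBuffer Then
        ; Retry once with the size the kernel asked for - but only while it still fits a USHORT, otherwise the
        ; recursion could never terminate.
        If $iReturned > $UNICODE_STRING_MAX_BYTES Then Return SetError($arDllCall[0], $iReturned, "")
        Local $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle, $iReturned + Mod($iReturned, 2))
        Return SetError(@Error, @Extended, $sLinkTarget)
    EndIf
    Return SetError($arDllCall[0], $iReturned, DllStructGetData($tLinkTarget, 1))
EndFunc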


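Func _NTAPI_ZwQueryObject(Const ByRef $hObject, $iObjectInformationClass = 0)
    ; Queries ZwQueryObject for ObjectBasicInformation (0) or ObjectTypeInformation (2).
    ;   $hObject                 - any object handle (0/Null is rejected).
    ;   $iObjectInformationClass - 0 -> PUBLIC_OBJECT_BASIC_INFORMATION, 2 -> PUBLIC_OBJECT_TYPE_INFORMATION;
    ;                              any other class is rejected with @error = 87.
    ; Returns: the filled DllStruct (0 on failure). @error = 87 for a bad argument, 1 with @extended = -(DllCall error)
    ;          when the call could not be made, otherwise the NTSTATUS (0 = success).
    ; For class 2 the type name is a UNICODE_STRING whose Buffer points just past the fixed part, so the buffer handed
    ; to the kernel must have room for the name too. A first call with only the fixed part comes back with
    ; STATUS_INFO_LENGTH_MISMATCH (0xC0000004) and the required size in ReturnLength. The retry used to pass that
    ; larger length while still pointing at the small struct, letting the kernel write past the end of the
    ; allocation; it now allocates a struct of the requested size first.
    Static $tagPUBLIC_OBJECT_BASIC_INFORMATION = "ULONG Attributes;ULONG GrantedAccess;ULONG HandleCount;ULONG PointerCount;ULONG Reserved[10]"
    Static $tagPUBLIC_OBJECT_TYPE_INFORMATION = "STRUCT;USHORT Length;USHORT MaximumLength;PTR Buffer;ENDSTRUCT;ULONG Reserved[22]"
    Local Const $STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
    If Not $hObject Or ($iObjectInformationClass <> 0 And $iObjectInformationClass <> 2) Then Return SetError(87, 87, 0)
    Local $tagInfo = $iObjectInformationClass ? $tagPUBLIC_OBJECT_TYPE_INFORMATION : $tagPUBLIC_OBJECT_BASIC_INFORMATION
    Local $tObjectInformation = DllStructCreate($tagInfo)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryObject", "HANDLE", $hObject, "INT", $iObjectInformationClass, "STRUCT*", $tObjectInformation, "ULONG", DllStructGetSize($tObjectInformation), "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    If $arDllCall[0] = $STATUS_INFO_LENGTH_MISMATCH And $arDllCall[5] > DllStructGetSize($tObjectInformation) Then
        ; Grow the buffer to ReturnLength: the fixed part followed by the bytes the type name needs. Element indices
        ; 1..4 of the struct are unchanged for callers.
        Local $iExtraBytes = $arDllCall[5] - DllStructGetSize($tObjectInformation)
        $tObjectInformation = DllStructCreate($tagInfo & ";BYTE NameBuffer[" & $iExtraBytes & "]")
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryObject", "HANDLE", $hObject, "INT", $iObjectInformationClass, "STRUCT*", $tObjectInformation, "ULONG", DllStructGetSize($tObjectInformation), "ULONG*", 0)
        If @Error Then Return SetError(1, -@Error, 0)
    EndIf
    Return SetError($arDllCall[0], 0, $tObjectInformation)
EndFunc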


Func _NTAPI_ZwClose(Const ByRef $hKeyHandle)
    ; Closes an object handle via ZwClose.
    ;   $hKeyHandle - the handle to close (despite the name, any object handle is accepted by ZwClose).
    ; Returns: 0. @error = 1 with @extended = -(DllCall error) when the call could not be made, otherwise the NTSTATUS
    ;          (0 = success; expect a non-zero status for a Null or already closed handle).
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwClose", "HANDLE", $hKeyHandle)
    Local $iDllError = @Error
    If $iDllError Then Return SetError(1, -$iDllError, 0)
    Local $ntStatus = $arDllCall[0]
    Return SetError($ntStatus, 0, 0)
EndFunc


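Func _NTAPI_GetRegKeyNameByHandleEx(Const ByRef $hKeyHandle)
    ; Resolves an open registry key handle to its full "\Registry\..." name via ZwQueryKey(KeyNameInformation).
    ;   $hKeyHandle - open key handle (0/Null is rejected).
    ; Returns: the key name (0 on a rejected argument or failed call); @extended = name length in characters.
    ;          @error = 87 for a Null handle, 1 with @extended = -(DllCall error) when the call could not be made
    ;          (the same convention the other _NTAPI_* routines use), otherwise the NTSTATUS (0 = success).
    ; KEY_NAME_INFORMATION is "ULONG NameLength; WCHAR Name[]" and Name is not null-terminated by the kernel, so the
    ; buffer is always allocated zero-filled with one WCHAR to spare, and re-sized from ResultLength when the initial
    ; 4096 WCHARs are too few.
    Local Const $KeyNameInformation = 3
    If Not $hKeyHandle Then Return SetError(87, 87, 0)
    Local $tKeyInfo = DllStructCreate("ULONG NameLength;WCHAR Name[4096]")
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryKey", "HANDLE", $hKeyHandle, "INT", $KeyNameInformation, "STRUCT*", $tKeyInfo, "ULONG", DllStructGetSize($tKeyInfo), "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    If $arDllCall[5] > $arDllCall[4] Then ; ResultLength exceeds the buffer we offered (STATUS_BUFFER_OVERFLOW / STATUS_BUFFER_TOO_SMALL)
        Local $iChars = Int(($arDllCall[5] - 4) / 2) + 1 ; bytes after NameLength -> WCHARs, plus a terminator
        $tKeyInfo = DllStructCreate("ULONG NameLength;WCHAR Name[" & $iChars & "]")
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryKey", "HANDLE", $hKeyHandle, "INT", $KeyNameInformation, "STRUCT*", $tKeyInfo, "ULONG", DllStructGetSize($tKeyInfo), "ULONG*", 0)
        If @Error Then Return SetError(1, -@Error, 0)
    EndIf
    Return SetError($arDllCall[0], Int(DllStructGetData($tKeyInfo, 1) / 2), DllStructGetData($tKeyInfo, 2))
EndFunc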


;~ Func _WinAPI_GetFileObjectNameByPath($sFilePath, $iFlags = 0)
;~  Static $aRoot
;~  $aRoot = StringRegExp($sFilePath, "(?i)^\h*(?:\\+DosDevices\\+)?([a-z]\:)(.*)", 1)
;~  If @Error Then Return SetError(1, 0, "")
;~  $arDllCall = DllCall($hKernel32DLL, "DWORD", "QueryDosDeviceW", "WSTR", $aRoot[0], "WSTR", "", "DWORD", 0x8000)
;~  If @Error Or Not $arDllCall[2] Then Return SetError(2, 0, ($iFlags ? $sFilePath : ""))
;~  $sFilePath = $arDllCall[2] & $aRoot[1]
;~  Return $sFilePath
;~ EndFunc   ;==>_WinAPI_GetFileRootByObjectName


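Local $hKeyHandle, $hKeyHandle2, $pObjectAttributes, $ulDesiredAccess, $hLinkHandle, $sLinkTarget
Local Const $REG_OPTION_OPEN_LINK = 0x8 ; ZwOpenKeyEx option: open a registry link key itself instead of following it
Local Const $sProbeKey = "HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current"

; --- 1. Open the same key twice: once as the link itself (OBJ_OPENLINK + REG_OPTION_OPEN_LINK), once resolved. ---
; $_STANDARD_RIGHTS_REQUIRED is DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER - far more than a name query needs and
; the reason this probe has to run with #RequireAdmin; KEY_READ would be the least-privilege choice for a read-only look.
$pObjectAttributes = _NTAPI_InitializeObjectAttributes($sProbeKey, $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE + $OBJ_OPENLINK)
$ulDesiredAccess = @Extended + $_STANDARD_RIGHTS_REQUIRED
$hKeyHandle = _NTAPI_ZwOpenKeyEx($pObjectAttributes, $ulDesiredAccess, $REG_OPTION_OPEN_LINK)

$pObjectAttributes = _NTAPI_InitializeObjectAttributes($sProbeKey, $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE)
$ulDesiredAccess = @Extended + $_STANDARD_RIGHTS_REQUIRED
$hKeyHandle2 = _NTAPI_ZwOpenKeyEx($pObjectAttributes, $ulDesiredAccess)
MsgBox(0, $hKeyHandle & " - " & $hKeyHandle2, _NTAPI_GetRegKeyNameByHandleEx($hKeyHandle) & @LF & _NTAPI_GetRegKeyNameByHandleEx($hKeyHandle2))

; --- 2. Try to open the registry path as an object-manager symbolic link. ---
;; This fails with STATUS_OBJECT_TYPE_MISMATCH:
;;
;; MessageId: STATUS_OBJECT_TYPE_MISMATCH
;; MessageText: {Wrong Type}
;; There is a mismatch between the type of object required by the requested operation and the type of object that is specified in the request.
;; $STATUS_OBJECT_TYPE_MISMATCH = 0xC0000024 ;; (-1073741788)
;;
;; Why: everything under "\Registry" is a Key object owned by the configuration manager. A registry link is a Key whose
;; "SymbolicLinkValue" value (type REG_LINK) names the target - it is not an object-manager SymbolicLink object, which is
;; the only type ZwOpenSymbolicLinkObject accepts (compare "\DosDevices\C:", which works). To read a registry link's
;; target, use $hKeyHandle (opened above with REG_OPTION_OPEN_LINK) and query that value instead.
$pObjectAttributes = _NTAPI_InitializeObjectAttributes($sProbeKey, $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE + $OBJ_OPENLINK)
$hLinkHandle = _NTAPI_ZwOpenSymbolicLinkObject($pObjectAttributes, $ulDesiredAccess)
MsgBox(0, Hex(@Error), $hLinkHandle)
If $hLinkHandle Then
    $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle)
    MsgBox(0, "1 - " & Hex(@Error), $sLinkTarget)
    _NTAPI_ZwClose($hLinkHandle) ; this handle was never closed before
Else
    ; The same type check applies to the query: a Key handle is not a SymbolicLink handle.
    $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hKeyHandle)
    MsgBox(0, "2 - " & Hex(@Error), $sLinkTarget)
EndIf

; --- 3. Dump what ZwQueryObject reports about the key handle. ---
Local $ObjectBasicInformation = 0, $ObjectTypeInformation = 2, $tObjectInformation, $iStatus, $sDump, $i
If $hKeyHandle Then
    $tObjectInformation = _NTAPI_ZwQueryObject($hKeyHandle, $ObjectBasicInformation)
    $iStatus = @Error ; capture before the DllStructGetData calls below overwrite @error
    $sDump = "Attributes    - " & __NTAPI_DecHex($tObjectInformation, 1) & @LF & _
             "GrantedAccess - " & __NTAPI_DecHex($tObjectInformation, 2) & @LF & _
             "HandleCount   - " & __NTAPI_DecHex($tObjectInformation, 3) & @LF & _
             "PointerCount  - " & __NTAPI_DecHex($tObjectInformation, 4)
    For $i = 1 To 10
        $sDump &= @LF & StringFormat("%-14s- ", "Reserved" & $i) & __NTAPI_DecHex($tObjectInformation, 5, $i)
    Next
    MsgBox(0, Hex($iStatus), $sDump)

    $tObjectInformation = _NTAPI_ZwQueryObject($hKeyHandle, $ObjectTypeInformation)
    $iStatus = @Error
    $sDump = "TypeName - " & DllStructGetData(DllStructCreate("WCHAR ObjectName[256]", DllStructGetData($tObjectInformation, 3)), 1) & @LF & _
             "TypeName Length - " & DllStructGetData($tObjectInformation, 1) & @LF & _
             "TypeName MaximumLength - " & DllStructGetData($tObjectInformation, 2) & @LF & _
             "TypeName Buffer - " & DllStructGetData($tObjectInformation, 3)
    ; All 22 Reserved slots; the hand-written dump read index 46 for Reserved22, which is outside the array.
    For $i = 1 To 22
        $sDump &= @LF & StringFormat("%-11s- ", "Reserved" & $i) & __NTAPI_DecHex($tObjectInformation, 4, $i)
    Next
    MsgBox(0, Hex($iStatus), $sDump)
EndIf

If $hKeyHandle Then _NTAPI_ZwClose($hKeyHandle)
If $hKeyHandle2 Then _NTAPI_ZwClose($hKeyHandle2)

; Formats one ULONG element of $tStruct as "<decimal> - <8-digit hex>" for the dumps above.
Func __NTAPI_DecHex(ByRef $tStruct, $iElement, $iIndex = 1)
    Local $vValue = DllStructGetData($tStruct, $iElement, $iIndex)
    Return $vValue & " - " & Hex($vValue, 8)
EndFunc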

#EndRegion ; Routines

Ciao.

Edited by DXRW4E


However, this version seems to work; it is still not clear why the registry object does not.

 

#RequireAdmin

#Region ;Routines
Global Static $arDllCall ; result array of the most recent DllCall(); every _NTAPI_* routine below writes it

; OBJECT_ATTRIBUTES.Attributes flags (OBJ_*), as documented for the object manager.
Global Const $OBJ_INHERIT            = 0x00000002 ; handle may be inherited by child processes of the current process
Global Const $OBJ_PERMANENT          = 0x00000010 ; a named object is not deleted when its last handle closes
;                                                   (ZwMakeTemporaryObject turns a permanent object back into a temporary one)
Global Const $OBJ_EXCLUSIVE          = 0x00000020 ; on creation: only the creating process may open the object;
;                                                   on open: request exclusive access, granted only if the object was created exclusive
Global Const $OBJ_CASE_INSENSITIVE   = 0x00000040 ; compare ObjectName case-insensitively instead of using the system default
Global Const $OBJ_OPENIF             = 0x00000080 ; a create routine opens an already existing object instead of failing with
;                                                   STATUS_OBJECT_NAME_COLLISION
Global Const $OBJ_OPENLINK           = 0x00000100 ; open the symbolic link object itself, not the object it points to
Global Const $OBJ_KERNEL_HANDLE      = 0x00000200 ; handle is created in the system process for kernel-mode use only;
;                                                   the object manager ignores it for a user-mode caller such as this script
Global Const $OBJ_FORCE_ACCESS_CHECK = 0x00000400 ; enforce all access checks even when the opener runs in kernel mode
Global Const $OBJ_VALID_ATTRIBUTES   = 0x000007F2 ; every flag above OR-ed together; documented as reserved
Global Const $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE   = BitOR($OBJ_CASE_INSENSITIVE, $OBJ_KERNEL_HANDLE) ; 0x00000240

; Access rights for SymbolicLink objects.
Global Const $_STANDARD_RIGHTS_REQUIRED  = 0x000F0000 ; DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
Global Const $SYMBOLIC_LINK_QUERY       = 0x0001
Global Const $SYMBOLIC_LINK_ALL_ACCESS  = BitOR($_STANDARD_RIGHTS_REQUIRED, $SYMBOLIC_LINK_QUERY) ; 0x000F0001

;~ Global Const $PUNICODE_STRING = DllStructGetPtr($tUNICODE_STRING)
;~ Global Const $sCurrentUserSid = (DllCall("Ntdll.dll", "LONG", "RtlFormatCurrentUserKeyPath", "STRUCT*", $tUNICODE_STRING) + @Error) ? "" : StringTrimLeft(DllStructGetData(DllStructCreate("WCHAR CurrentUserKeyPath[256]", DllStructGetData($tUNICODE_STRING, 3)), 1), 15) & String(DllCall("Ntdll.dll", "LONG", "RtlFreeUnicodeString", "STRUCT*", $tUNICODE_STRING))


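Func _NTAPI_InitializeObjectAttributes($sObjectName, $ulAttributes = $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE, $hRootDirectory = Null, $pSecurityDescriptor = Null)
    ; Fills a static OBJECT_ATTRIBUTES / UNICODE_STRING pair describing $sObjectName and returns a pointer to it.
    ;   $sObjectName         - NT object-manager path (e.g. "\DosDevices\C:") or a registry path. When no root directory is
    ;                          given, a leading Win32 hive alias (HKLM, HKEY_CURRENT_USER, ...) is rewritten to its
    ;                          "\Registry\..." name; an alias ending in "32"/"64" selects the WOW64 view (see @extended).
    ;   $ulAttributes        - OBJ_* flags stored in OBJECT_ATTRIBUTES.Attributes.
    ;   $hRootDirectory      - optional directory or key handle that $sObjectName is relative to.
    ;   $pSecurityDescriptor - optional SECURITY_DESCRIPTOR pointer.
    ; Returns: pointer to the OBJECT_ATTRIBUTES structure. @extended = KEY_WOW64_32KEY (0x200) or KEY_WOW64_64KEY (0x100)
    ;          when the alias carried a "32"/"64" suffix, otherwise 0.
    ; Failure: returns 0 with @error = 87 (ERROR_INVALID_PARAMETER) when the final name exceeds the 255-WCHAR buffer.
    ;          Previously such a name was silently cut at 255 characters, so the attributes described a different
    ;          object than the one requested.
    ; NOTE: all buffers are Static - a second call overwrites the data behind the pointer returned by the first.
    Static $tObjectName = DllStructCreate("WCHAR ObjectName[256]"), $tUNICODE_STRING = DllStructCreate("USHORT Length;USHORT MaximumLength;PTR Buffer")
    Static $tOBJECT_ATTRIBUTES = DllStructCreate("ULONG Length;HANDLE RootDirectory;PTR ObjectName;ULONG Attributes;PTR SecurityDescriptor;PTR SecurityQualityOfService")
    Static $pObjectName = DllStructGetPtr($tObjectName, 1), $POBJECT_ATTRIBUTES = DllStructGetPtr($tOBJECT_ATTRIBUTES, 1), $PUNICODE_STRING = DllStructGetPtr($tUNICODE_STRING, 1)
    Local Const $OBJECT_NAME_MAX_CHARS = 255 ; WCHAR ObjectName[256] less the terminating null
    Local $aObjectName, $sSubKey, $ulDesiredAccess = 0
    If Not $hRootDirectory Then
        ; $aObjectName[0] = hive alias, [1] = "32" / "64" / "", [2] = rest of the path without its leading backslash
        $aObjectName = StringRegExp($sObjectName, "^\h*(?:\\+[^\\]+\\+)?+([^\W\d]*+)((?:32|64)?+(?!\w))\\*+(.*)", 1)
        If Not @Error Then
            $sSubKey = StringRegExpReplace($aObjectName[2], "^.", "\\$0") ; re-insert the separator only when a subkey follows
            Switch $aObjectName[0]
                Case "HKCR", "HKEY_CLASSES_ROOT", "CLASSES_ROOT" ; = MACHINE\SOFTWARE\Classes
                    $sObjectName = "\Registry\Machine\SOFTWARE\Classes" & $sSubKey
                Case "HKCU", "HKEY_CURRENT_USER", "CURRENT_USER"
                    $sObjectName = "\Registry\User\CurrentUser" & $sSubKey
                Case "HKLM", "HKEY_LOCAL_MACHINE", "MACHINE"
                    $sObjectName = "\Registry\Machine" & $sSubKey
                Case "HKU", "HKEY_USERS", "USERS"
                    $sObjectName = "\Registry\User" & $sSubKey
                Case "HKCC", "HKEY_CURRENT_CONFIG" ; = MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
                    $sObjectName = "\Registry\Machine\SYSTEM\CurrentControlSet\Hardware Profiles\Current" & $sSubKey
                Case "HKLS", "HKEY_CURRENT_USER_LOCAL_SETTINGS" ; = CURRENT_USER\Software\Classes\Local Settings
                    $sObjectName = "\Registry\User\CurrentUser\Software\Classes\Local Settings" & $sSubKey
            EndSwitch
            If $aObjectName[1] Then $ulDesiredAccess = $aObjectName[1] == "32" ? 0x200 : 0x100  ;; $KEY_WOW64_32KEY = 0x0200, $KEY_WOW64_64KEY = 0x0100
        EndIf
    EndIf
    If StringLen($sObjectName) > $OBJECT_NAME_MAX_CHARS Then Return SetError(87, 87, 0)
    DllStructSetData($tObjectName, 1, $sObjectName)  ;; "ObjectName"
    ; RtlInitUnicodeString is declared VOID, so the "LONG" it appears to return is not meaningful; whenever it is taken
    ; as a failure the same three fields are filled by hand (Length in bytes, MaximumLength including the null).
    $arDllCall = DllCall("Ntdll.dll", "LONG", "RtlInitUnicodeString", "PTR", $PUNICODE_STRING, "PTR", $pObjectName)
    If @Error Or $arDllCall[0] Then
        DllStructSetData($tUNICODE_STRING, 1, StringLen($sObjectName) * 2)  ;; "Length"
        DllStructSetData($tUNICODE_STRING, 2, DllStructGetData($tUNICODE_STRING, 1) + 2)  ;; "MaximumLength"
        DllStructSetData($tUNICODE_STRING, 3, $pObjectName) ;; "Buffer"
    EndIf
    DllStructSetData($tOBJECT_ATTRIBUTES, 1, DllStructGetSize($tOBJECT_ATTRIBUTES))  ;; "Length"
    DllStructSetData($tOBJECT_ATTRIBUTES, 2, $hRootDirectory)  ;; "RootDirectory"
    DllStructSetData($tOBJECT_ATTRIBUTES, 3, $PUNICODE_STRING)  ;; "ObjectName"
    DllStructSetData($tOBJECT_ATTRIBUTES, 4, $ulAttributes)  ;; "Attributes"
    DllStructSetData($tOBJECT_ATTRIBUTES, 5, $pSecurityDescriptor)  ;; "SecurityDescriptor"
    DllStructSetData($tOBJECT_ATTRIBUTES, 6, Null)  ;; "SecurityQualityOfService"
    Return SetExtended($ulDesiredAccess, $POBJECT_ATTRIBUTES)
EndFunc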


Func _NTAPI_ZwOpenKeyEx(Const ByRef $pObjectAttributes, $ulDesiredAccess = 0, $ulOpenOptions = 0)
    ; Opens a registry key through ZwOpenKeyEx.
    ;   $pObjectAttributes - pointer from _NTAPI_InitializeObjectAttributes() (0/Null is rejected).
    ;   $ulDesiredAccess   - KEY_* access mask.
    ;   $ulOpenOptions     - REG_OPTION_* flags; 8 (REG_OPTION_OPEN_LINK) opens a registry link key itself.
    ; Returns: the key handle (0 on failure). @error = 87 for a Null pointer, 1 with @extended = -(DllCall error)
    ;          when the call could not be made, otherwise the NTSTATUS returned by the kernel (0 = success).
    If Not $pObjectAttributes Then Return SetError(87, 87, 0)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwOpenKeyEx", "HANDLE*", 0, "ULONG", $ulDesiredAccess, "PTR", $pObjectAttributes, "ULONG", $ulOpenOptions)
    Local $iDllError = @Error
    If $iDllError Then Return SetError(1, -$iDllError, 0)
    Local $ntStatus = $arDllCall[0], $hKey = $arDllCall[1]
    Return SetError($ntStatus, 0, $hKey)
EndFunc


Func _NTAPI_ZwOpenSymbolicLinkObject(Const ByRef $pObjectAttributes, $ulDesiredAccess = 0)
    ; Opens an object-manager SymbolicLink object (e.g. "\DosDevices\C:") through ZwOpenSymbolicLinkObject.
    ;   $pObjectAttributes - pointer from _NTAPI_InitializeObjectAttributes() (0/Null is rejected).
    ;   $ulDesiredAccess   - access mask; SYMBOLIC_LINK_QUERY is always OR-ed in so the handle can be queried.
    ; Returns: the link handle (0 on failure). @error = 87 for a Null pointer, 1 with @extended = -(DllCall error)
    ;          when the call could not be made, otherwise the NTSTATUS (0 = success).
    ; A "\Registry\..." name denotes a Key object even when the key is a registry link, not a SymbolicLink object;
    ; for such a name the kernel answers STATUS_OBJECT_TYPE_MISMATCH (0xC0000024).
    If Not $pObjectAttributes Then Return SetError(87, 87, 0)
    Local $ulAccess = BitOR($ulDesiredAccess, $SYMBOLIC_LINK_QUERY)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwOpenSymbolicLinkObject", "HANDLE*", 0, "ULONG", $ulAccess, "PTR", $pObjectAttributes)
    Local $iDllError = @Error
    If $iDllError Then Return SetError(1, -$iDllError, 0)
    Local $ntStatus = $arDllCall[0], $hLink = $arDllCall[1]
    Return SetError($ntStatus, 0, $hLink)
EndFunc


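Func _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle, $iBuffer = 65534) ;; MaximumLength Limit = 65534
    ; Returns the target path of an object-manager symbolic link opened with _NTAPI_ZwOpenSymbolicLinkObject().
    ;   $hLinkHandle - handle holding SYMBOLIC_LINK_QUERY access.
    ;   $iBuffer     - size in bytes of the receive buffer; must be even and at most 65534 because
    ;                  UNICODE_STRING.MaximumLength is a USHORT byte count.
    ; Returns: the link target (0 on a rejected argument or failed call, otherwise the string, "" when the kernel wrote
    ;          nothing); @extended = ReturnedLength reported by the kernel.
    ;          @error = 87 when $iBuffer is invalid, 1 with @extended = -(DllCall error) when the call could not be made,
    ;          otherwise the NTSTATUS (0 = success).
    ; An odd $iBuffer used to produce a non-integer WCHAR count and a failed DllStructCreate that went unnoticed, and a
    ; value above 65534 overflowed MaximumLength; both are rejected up front now.
    Local Const $UNICODE_STRING_MAX_BYTES = 65534
    If $iBuffer <= 0 Or $iBuffer > $UNICODE_STRING_MAX_BYTES Or Mod($iBuffer, 2) Then Return SetError(87, 87, 0)
    Local $tLinkTarget = DllStructCreate("WCHAR LinkTarget[" & Int($iBuffer / 2) & "]")
    Local $tUNICODE_STRING = DllStructCreate("USHORT Length;USHORT MaximumLength;PTR Buffer")
    ; Describe the empty, zero-filled receive buffer directly. This is what RtlInitUnicodeString (a VOID routine whose
    ; "return value" the old code tested) leaves behind for such a buffer, except that MaximumLength must advertise
    ; the whole allocation so the kernel knows how much it may write.
    DllStructSetData($tUNICODE_STRING, 1, 0)  ;; "Length"
    DllStructSetData($tUNICODE_STRING, 2, $iBuffer)  ;; "MaximumLength"
    DllStructSetData($tUNICODE_STRING, 3, DllStructGetPtr($tLinkTarget, 1)) ;; "Buffer"
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQuerySymbolicLinkObject", "HANDLE", $hLinkHandle, "STRUCT*", $tUNICODE_STRING, "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    Local $iReturned = $arDllCall[3] ; ReturnedLength: bytes needed when the buffer was too small
    If $iReturned > $iBuffer Then
        ; Retry once with the size the kernel asked for - but only while it still fits a USHORT, otherwise the
        ; recursion could never terminate.
        If $iReturned > $UNICODE_STRING_MAX_BYTES Then Return SetError($arDllCall[0], $iReturned, "")
        Local $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle, $iReturned + Mod($iReturned, 2))
        Return SetError(@Error, @Extended, $sLinkTarget)
    EndIf
    Return SetError($arDllCall[0], $iReturned, DllStructGetData($tLinkTarget, 1))
EndFunc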


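Func _NTAPI_ZwQueryObject(Const ByRef $hObject, $iObjectInformationClass = 0)
    ; Queries ZwQueryObject for ObjectBasicInformation (0) or ObjectTypeInformation (2).
    ;   $hObject                 - any object handle (0/Null is rejected).
    ;   $iObjectInformationClass - 0 -> PUBLIC_OBJECT_BASIC_INFORMATION, 2 -> PUBLIC_OBJECT_TYPE_INFORMATION;
    ;                              any other class is rejected with @error = 87.
    ; Returns: the filled DllStruct (0 on failure). @error = 87 for a bad argument, 1 with @extended = -(DllCall error)
    ;          when the call could not be made, otherwise the NTSTATUS (0 = success).
    ; For class 2 the type name is a UNICODE_STRING whose Buffer points just past the fixed part, so the buffer handed
    ; to the kernel must have room for the name too. A first call with only the fixed part comes back with
    ; STATUS_INFO_LENGTH_MISMATCH (0xC0000004) and the required size in ReturnLength. The retry used to pass that
    ; larger length while still pointing at the small struct, letting the kernel write past the end of the
    ; allocation; it now allocates a struct of the requested size first.
    Static $tagPUBLIC_OBJECT_BASIC_INFORMATION = "ULONG Attributes;ULONG GrantedAccess;ULONG HandleCount;ULONG PointerCount;ULONG Reserved[10]"
    Static $tagPUBLIC_OBJECT_TYPE_INFORMATION = "STRUCT;USHORT Length;USHORT MaximumLength;PTR Buffer;ENDSTRUCT;ULONG Reserved[22]"
    Local Const $STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
    If Not $hObject Or ($iObjectInformationClass <> 0 And $iObjectInformationClass <> 2) Then Return SetError(87, 87, 0)
    Local $tagInfo = $iObjectInformationClass ? $tagPUBLIC_OBJECT_TYPE_INFORMATION : $tagPUBLIC_OBJECT_BASIC_INFORMATION
    Local $tObjectInformation = DllStructCreate($tagInfo)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryObject", "HANDLE", $hObject, "INT", $iObjectInformationClass, "STRUCT*", $tObjectInformation, "ULONG", DllStructGetSize($tObjectInformation), "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    If $arDllCall[0] = $STATUS_INFO_LENGTH_MISMATCH And $arDllCall[5] > DllStructGetSize($tObjectInformation) Then
        ; Grow the buffer to ReturnLength: the fixed part followed by the bytes the type name needs. Element indices
        ; 1..4 of the struct are unchanged for callers.
        Local $iExtraBytes = $arDllCall[5] - DllStructGetSize($tObjectInformation)
        $tObjectInformation = DllStructCreate($tagInfo & ";BYTE NameBuffer[" & $iExtraBytes & "]")
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryObject", "HANDLE", $hObject, "INT", $iObjectInformationClass, "STRUCT*", $tObjectInformation, "ULONG", DllStructGetSize($tObjectInformation), "ULONG*", 0)
        If @Error Then Return SetError(1, -@Error, 0)
    EndIf
    Return SetError($arDllCall[0], 0, $tObjectInformation)
EndFunc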


Func _NTAPI_ZwClose(Const ByRef $hKeyHandle)
    ; Closes an object handle via ZwClose.
    ;   $hKeyHandle - the handle to close (despite the name, any object handle is accepted by ZwClose).
    ; Returns: 0. @error = 1 with @extended = -(DllCall error) when the call could not be made, otherwise the NTSTATUS
    ;          (0 = success; expect a non-zero status for a Null or already closed handle).
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwClose", "HANDLE", $hKeyHandle)
    Local $iDllError = @Error
    If $iDllError Then Return SetError(1, -$iDllError, 0)
    Local $ntStatus = $arDllCall[0]
    Return SetError($ntStatus, 0, 0)
EndFunc


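Func _NTAPI_GetRegKeyNameByHandleEx(Const ByRef $hKeyHandle)
    ; Resolves an open registry key handle to its full "\Registry\..." name via ZwQueryKey(KeyNameInformation).
    ;   $hKeyHandle - open key handle (0/Null is rejected).
    ; Returns: the key name (0 on a rejected argument or failed call); @extended = name length in characters.
    ;          @error = 87 for a Null handle, 1 with @extended = -(DllCall error) when the call could not be made
    ;          (the same convention the other _NTAPI_* routines use), otherwise the NTSTATUS (0 = success).
    ; KEY_NAME_INFORMATION is "ULONG NameLength; WCHAR Name[]" and Name is not null-terminated by the kernel, so the
    ; buffer is always allocated zero-filled with one WCHAR to spare, and re-sized from ResultLength when the initial
    ; 4096 WCHARs are too few.
    Local Const $KeyNameInformation = 3
    If Not $hKeyHandle Then Return SetError(87, 87, 0)
    Local $tKeyInfo = DllStructCreate("ULONG NameLength;WCHAR Name[4096]")
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryKey", "HANDLE", $hKeyHandle, "INT", $KeyNameInformation, "STRUCT*", $tKeyInfo, "ULONG", DllStructGetSize($tKeyInfo), "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    If $arDllCall[5] > $arDllCall[4] Then ; ResultLength exceeds the buffer we offered (STATUS_BUFFER_OVERFLOW / STATUS_BUFFER_TOO_SMALL)
        Local $iChars = Int(($arDllCall[5] - 4) / 2) + 1 ; bytes after NameLength -> WCHARs, plus a terminator
        $tKeyInfo = DllStructCreate("ULONG NameLength;WCHAR Name[" & $iChars & "]")
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryKey", "HANDLE", $hKeyHandle, "INT", $KeyNameInformation, "STRUCT*", $tKeyInfo, "ULONG", DllStructGetSize($tKeyInfo), "ULONG*", 0)
        If @Error Then Return SetError(1, -@Error, 0)
    EndIf
    Return SetError($arDllCall[0], Int(DllStructGetData($tKeyInfo, 1) / 2), DllStructGetData($tKeyInfo, 2))
EndFunc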


;~ Func _WinAPI_GetFileObjectNameByPath($sFilePath, $iFlags = 0)
;~  Static $aRoot
;~  $aRoot = StringRegExp($sFilePath, "(?i)^\h*(?:\\+DosDevices\\+)?([a-z]\:)(.*)", 1)
;~  If @Error Then Return SetError(1, 0, "")
;~  $arDllCall = DllCall($hKernel32DLL, "DWORD", "QueryDosDeviceW", "WSTR", $aRoot[0], "WSTR", "", "DWORD", 0x8000)
;~  If @Error Or Not $arDllCall[2] Then Return SetError(2, 0, ($iFlags ? $sFilePath : ""))
;~  $sFilePath = $arDllCall[2] & $aRoot[1]
;~  Return $sFilePath
;~ EndFunc   ;==>_WinAPI_GetFileRootByObjectName


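Local $pObjectAttributes, $ulDesiredAccess = 0, $hLinkHandle, $sLinkTarget

; "\DosDevices\C:" (and its alias "\??\C:") is a genuine object-manager SymbolicLink object, which is why this succeeds
; where the registry path in the first listing returned STATUS_OBJECT_TYPE_MISMATCH: registry links are Key objects
; owned by the configuration manager, not SymbolicLink objects.
;;$pObjectAttributes = _NTAPI_InitializeObjectAttributes("\??\C:", $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE)
$pObjectAttributes = _NTAPI_InitializeObjectAttributes("\DosDevices\C:", $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE)
; $ulDesiredAccess was previously passed without ever being assigned; the wrapper OR-s in SYMBOLIC_LINK_QUERY anyway.
$hLinkHandle = _NTAPI_ZwOpenSymbolicLinkObject($pObjectAttributes, $ulDesiredAccess)
MsgBox(0, Hex(@Error), $hLinkHandle)
If $hLinkHandle Then
    $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle)
    MsgBox(0, Hex(@Error), $sLinkTarget)
    _NTAPI_ZwClose($hLinkHandle) ; this handle was never closed before
EndIf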


#EndRegion ; Routines
Ciao. Edited by DXRW4E

