
ZwOpenSymbolicLinkObject failing with STATUS_OBJECT_TYPE_MISMATCH


Does anyone know what I'm doing wrong here, or what is going on? Judging by http://doxygen.reactos.org/d4/df6/iorsrce_8c_a1fa7c3ef35807cc948edb0de839f8625.html everything looks OK.

#RequireAdmin

#Region ;Routines
; Result array of the most recent DllCall made by the _NTAPI_* wrappers below (shared on purpose).
Global Static $arDllCall

; OBJ_* flags for OBJECT_ATTRIBUTES.Attributes; the descriptions follow the DDK wording.
Global Const $OBJ_INHERIT            = 0x00000002 ;This handle can be inherited by child processes of the current process.
Global Const $OBJ_PERMANENT          = 0x00000010 ;This flag only applies to objects that are named within the object manager.
;                                                   By default, such objects are deleted when all open handles to them are closed.
;                                                   If this flag is specified, the object is not deleted when all open handles are closed.
;                                                   Drivers can use the ZwMakeTemporaryObject routine to make a permanent object non-permanent.
Global Const $OBJ_EXCLUSIVE          = 0x00000020 ;If this flag is set and the OBJECT_ATTRIBUTES structure is passed to a routine that
;                                                   creates an object, the object can be accessed exclusively. That is, once a process
;                                                   opens such a handle to the object, no other processes can open handles to this object.
;                                                   If this flag is set and the OBJECT_ATTRIBUTES structure is passed to a routine
;                                                   that creates an object handle, the caller is requesting exclusive access to the
;                                                   object for the process context that the handle was created in. This request can
;                                                   be granted only if the OBJ_EXCLUSIVE flag was set when the object was created.
Global Const $OBJ_CASE_INSENSITIVE   = 0x00000040 ;If this flag is specified, a case-insensitive comparison is used when matching the
;                                                   name pointed to by the ObjectName member against the names of existing objects.
;                                                   Otherwise, object names are compared using the default system settings.
Global Const $OBJ_OPENIF             = 0x00000080 ;If this flag is specified, by using the object handle, to a routine that creates objects
;                                                   and if that object already exists, the routine should open that object. Otherwise,
;                                                   the routine creating the object returns an NTSTATUS code of STATUS_OBJECT_NAME_COLLISION.
Global Const $OBJ_OPENLINK           = 0x00000100 ;If an object handle, with this flag set, is passed to a routine that opens objects and if
;                                                   the object is a symbolic link object, the routine should open the symbolic link object itself,
;                                                   rather than the object that the symbolic link refers to (which is the default behavior).
Global Const $OBJ_KERNEL_HANDLE      = 0x00000200 ;The handle is created in system process context and can only be accessed from kernel mode.
; NOTE(review): this script is a user-mode caller (#RequireAdmin only elevates it). Whether the object
;               manager honours OBJ_KERNEL_HANDLE from user mode or quietly drops it should be confirmed
;               before anything relies on the flag being set on the resulting handles.
Global Const $OBJ_FORCE_ACCESS_CHECK = 0x00000400 ;The routine that opens the handle should enforce all access checks for the object,
;                                                   even if the handle is being opened in kernel mode.
Global Const $OBJ_VALID_ATTRIBUTES   = 0x000007F2 ;Reserved.
Global Const $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE   = 0x00000240 ;; BitOR($OBJ_CASE_INSENSITIVE, $OBJ_KERNEL_HANDLE)

; Access masks for symbolic-link objects; $_STANDARD_RIGHTS_REQUIRED is the generic NT rights part.
Global Const $_STANDARD_RIGHTS_REQUIRED  = 0x000F0000
Global Const $SYMBOLIC_LINK_QUERY       = 0x0001
Global Const $SYMBOLIC_LINK_ALL_ACCESS  = 0x000F0001  ;; BitOR($_STANDARD_RIGHTS_REQUIRED, $SYMBOLIC_LINK_QUERY)

; Leftovers from an earlier revision, kept disabled.
;~ Global Const $PUNICODE_STRING = DllStructGetPtr($tUNICODE_STRING)
;~ Global Const $sCurrentUserSid = (DllCall("Ntdll.dll", "LONG", "RtlFormatCurrentUserKeyPath", "STRUCT*", $tUNICODE_STRING) + @Error) ? "" : StringTrimLeft(DllStructGetData(DllStructCreate("WCHAR CurrentUserKeyPath[256]", DllStructGetData($tUNICODE_STRING, 3)), 1), 15) & String(DllCall("Ntdll.dll", "LONG", "RtlFreeUnicodeString", "STRUCT*", $tUNICODE_STRING))


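Func _NTAPI_InitializeObjectAttributes($sObjectName, $ulAttributes = $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE, $hRootDirectory = Null, $pSecurityDescriptor = Null)
    ; Fills a (static, reused) OBJECT_ATTRIBUTES for the NT object name in $sObjectName and returns
    ; a pointer to it.  When no root directory handle is given, registry hive aliases (HKLM, HKCU,
    ; HKU, HKCR, HKCC, HKLS and their long forms, optionally suffixed with 32/64) are rewritten to
    ; their \Registry\... object paths; any other name is passed through unchanged.
    ;
    ; Params:  $sObjectName         - NT object path, or hive alias plus sub path
    ;          $ulAttributes        - OBJ_* flags stored in OBJECT_ATTRIBUTES.Attributes
    ;          $hRootDirectory      - optional root directory handle; also disables the hive rewrite
    ;          $pSecurityDescriptor - optional SECURITY_DESCRIPTOR pointer
    ; Return:  pointer to the static OBJECT_ATTRIBUTES; @Extended = KEY_WOW64_* flag derived from a
    ;          32/64 hive suffix (0 when there is none).
    ;          0 with @Error = 87 (ERROR_INVALID_PARAMETER) when the name does not fit the static
    ;          256-WCHAR name buffer.
    ; Note:    every call overwrites the same static structures, so the returned pointer (and the
    ;          UNICODE_STRING it points at) is only valid until the next call.
    Static $tObjectName = DllStructCreate("WCHAR ObjectName[256]"), $tUNICODE_STRING = DllStructCreate("USHORT Length;USHORT MaximumLength;PTR Buffer")
    Static $tOBJECT_ATTRIBUTES = DllStructCreate("ULONG Length;HANDLE RootDirectory;PTR ObjectName;ULONG Attributes;PTR SecurityDescriptor;PTR SecurityQualityOfService")
    Static $pObjectName = DllStructGetPtr($tObjectName, 1), $POBJECT_ATTRIBUTES = DllStructGetPtr($tOBJECT_ATTRIBUTES, 1), $PUNICODE_STRING = DllStructGetPtr($tUNICODE_STRING, 1)
    Local $aObjectName, $ulDesiredAccess = 0
    If Not $hRootDirectory Then
        ; [0] = hive alias, [1] = optional "32"/"64" suffix, [2] = remainder of the path
        $aObjectName = StringRegExp($sObjectName, "^\h*(?:\\+[^\\]+\\+)?+([^\W\d]*+)((?:32|64)?+(?!\w))\\*+(.*)", 1)
        If Not @Error Then
            Switch $aObjectName[0]
                Case "HKCR","HKEY_CLASSES_ROOT", "CLASSES_ROOT";, "MACHINE\SOFTWARE\Classes"
                    $sObjectName = "\Registry\Machine\SOFTWARE\Classes" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKCU", "HKEY_CURRENT_USER", "CURRENT_USER"
                    $sObjectName = "\Registry\User\CurrentUser" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKLM", "HKEY_LOCAL_MACHINE", "MACHINE"
                    $sObjectName = "\Registry\Machine" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKU", "HKEY_USERS", "USERS"
                    $sObjectName = "\Registry\User" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKCC", "HKEY_CURRENT_CONFIG" ;, "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current"
                    $sObjectName = "\Registry\Machine\SYSTEM\CurrentControlSet\Hardware Profiles\Current" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKLS", "HKEY_CURRENT_USER_LOCAL_SETTINGS" ;, "CURRENT_USER\Software\Classes\Local Settings"
                    $sObjectName = "\Registry\User\CurrentUser\Software\Classes\Local Settings" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
            EndSwitch
            If $aObjectName[1] Then $ulDesiredAccess = $aObjectName[1] == "32" ? 0x200 : 0x100  ;;$KEY_WOW64_64KEY = 0x0100, $KEY_WOW64_32KEY = 0x0200
        EndIf
    EndIf
    ; DllStructSetData would silently cut a longer name to the buffer size, and a truncated path can
    ; name a different object than the caller asked for - refuse it instead of opening the wrong thing.
    If StringLen($sObjectName) > 255 Then Return SetError(87, 87, 0)
    DllStructSetData($tObjectName, 1, $sObjectName)  ;; "ObjectName"
    ; RtlInitUnicodeString is documented as returning VOID, so $arDllCall[0] is not a real status;
    ; the fallback below writes the same three fields by hand, which keeps the check harmless.
    $arDllCall = DllCall("Ntdll.dll", "LONG", "RtlInitUnicodeString", "PTR", $PUNICODE_STRING, "PTR", $pObjectName)
    If @Error Or $arDllCall[0] Then
        DllStructSetData($tUNICODE_STRING, 1, StringLen($sObjectName) * 2)  ;; "Length" (bytes, no terminator)
        DllStructSetData($tUNICODE_STRING, 2, DllStructGetData($tUNICODE_STRING, 1) + 2)  ;; "MaximumLength"
        DllStructSetData($tUNICODE_STRING, 3, $pObjectName) ;; "Buffer"
    EndIf
    DllStructSetData($tOBJECT_ATTRIBUTES, 1, DllStructGetSize($tOBJECT_ATTRIBUTES))  ;; "Length"
    DllStructSetData($tOBJECT_ATTRIBUTES, 2, $hRootDirectory)  ;; "RootDirectory"
    DllStructSetData($tOBJECT_ATTRIBUTES, 3, $PUNICODE_STRING)  ;; "ObjectName"
    DllStructSetData($tOBJECT_ATTRIBUTES, 4, $ulAttributes)  ;; "Attributes" ;; BitOR($ulAttributes, 576) ;; 576 = $OBJ_CASE_INSENSITIVE, $OBJ_KERNEL_HANDLE
    DllStructSetData($tOBJECT_ATTRIBUTES, 5, $pSecurityDescriptor)  ;; "SecurityDescriptor"
    DllStructSetData($tOBJECT_ATTRIBUTES, 6, Null)  ;; "SecurityQualityOfService"
    Return SetExtended($ulDesiredAccess, $POBJECT_ATTRIBUTES)
EndFunc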


Func _NTAPI_ZwOpenKeyEx(Const ByRef $pObjectAttributes, $ulDesiredAccess = 0, $ulOpenOptions = 0)
    ; Thin wrapper over ntdll!ZwOpenKeyEx.
    ; Params:  $pObjectAttributes - pointer to an initialised OBJECT_ATTRIBUTES (see _NTAPI_InitializeObjectAttributes)
    ;          $ulDesiredAccess   - KEY_* access mask
    ;          $ulOpenOptions     - REG_OPTION_* flags handed to the kernel unchanged
    ; Return:  the key handle, @Error = NTSTATUS (0 on success)
    ;          0 with @Error = 87 when no attributes pointer was given
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    If $pObjectAttributes Then
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwOpenKeyEx", "HANDLE*", 0, "ULONG", $ulDesiredAccess, "PTR", $pObjectAttributes, "ULONG", $ulOpenOptions)
        Local $iCallError = @Error
        If $iCallError Then Return SetError(1, -$iCallError, 0)
        Return SetError($arDllCall[0], 0, $arDllCall[1])
    EndIf
    Return SetError(87, 87, 0)
EndFunc


Func _NTAPI_ZwOpenSymbolicLinkObject(Const ByRef $pObjectAttributes, $ulDesiredAccess = 0)
    ; Thin wrapper over ntdll!ZwOpenSymbolicLinkObject.  SYMBOLIC_LINK_QUERY is always OR-ed into
    ; the requested access so the handle can be passed to _NTAPI_ZwQuerySymbolicLinkObject.
    ; Params:  $pObjectAttributes - pointer to an initialised OBJECT_ATTRIBUTES naming the link object
    ;          $ulDesiredAccess   - additional SYMBOLIC_LINK_* access bits
    ; Return:  the link handle, @Error = NTSTATUS (0 on success)
    ;          0 with @Error = 87 when no attributes pointer was given
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    If Not $pObjectAttributes Then Return SetError(87, 87, 0)
    Local $ulAccessMask = BitOR($ulDesiredAccess, $SYMBOLIC_LINK_QUERY)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwOpenSymbolicLinkObject", "HANDLE*", 0, "ULONG", $ulAccessMask, "PTR", $pObjectAttributes)
    Local $iCallError = @Error
    If $iCallError Then Return SetError(1, -$iCallError, 0)
    Return SetError($arDllCall[0], 0, $arDllCall[1])
EndFunc


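Func _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle, $iBuffer = 65534) ;; MaximumLength Limit = 65534
    ; Resolves the target of an object-manager symbolic link via ntdll!ZwQuerySymbolicLinkObject.
    ; Params:  $hLinkHandle - handle opened with SYMBOLIC_LINK_QUERY (see _NTAPI_ZwOpenSymbolicLinkObject)
    ;          $iBuffer     - size in bytes of the target buffer; clamped to 65534 because
    ;                         UNICODE_STRING.MaximumLength is a USHORT
    ; Return:  the link target string; @Error = NTSTATUS (0 on success), @Extended = ReturnedLength
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    ; Note:    a registry key handle is not a symbolic-link object; handing one in (as the test code
    ;          at the bottom of this script does) is expected to yield STATUS_OBJECT_TYPE_MISMATCH
    ;          (0xC0000024) rather than a target.
    Local Const $iMaxBuffer = 65534
    If $iBuffer > $iMaxBuffer Then $iBuffer = $iMaxBuffer
    ; Int() keeps the WCHAR count whole - an odd byte count would otherwise produce "WCHAR LinkTarget[123.5]".
    Local $tLinkTarget = DllStructCreate("WCHAR LinkTarget[" & Int($iBuffer / 2) & "]"), $tUNICODE_STRING = DllStructCreate("USHORT Length;USHORT MaximumLength;PTR Buffer")
    ; RtlInitUnicodeString is documented as returning VOID, so $arDllCall[0] is not a real status;
    ; whichever branch runs, MaximumLength ends up as $iBuffer and Buffer points at $tLinkTarget.
    $arDllCall = DllCall("Ntdll.dll", "LONG", "RtlInitUnicodeString", "STRUCT*", $tUNICODE_STRING, "STRUCT*", $tLinkTarget)
    If @Error Or $arDllCall[0] Then
        DllStructSetData($tUNICODE_STRING, 1, 0)  ;; "Length"
        DllStructSetData($tUNICODE_STRING, 2, $iBuffer)  ;; "MaximumLength"
        DllStructSetData($tUNICODE_STRING, 3, DllStructGetPtr($tLinkTarget, 1)) ;; "Buffer"
    Else
        DllStructSetData($tUNICODE_STRING, 2, $iBuffer)  ;; "MaximumLength"
    EndIf
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQuerySymbolicLinkObject", "HANDLE", $hLinkHandle, "STRUCT*", $tUNICODE_STRING, "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    ; Buffer too small: retry once with the size the kernel reported ($arDllCall[3] = ReturnedLength).
    ; Once the buffer is already at the USHORT limit there is nothing bigger to try, which also
    ; stops the recursion from repeating forever on an oversized answer.
    If $arDllCall[3] > $iBuffer And $iBuffer < $iMaxBuffer Then
        Local $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle, $arDllCall[3])
        Return SetError(@Error, @Extended, $sLinkTarget)
    EndIf
    Return SetError($arDllCall[0], $arDllCall[3], DllStructGetData($tLinkTarget, 1))
EndFunc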


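Func _NTAPI_ZwQueryObject(Const ByRef $hObject, $iObjectInformationClass = 0)
    ; Queries ntdll!ZwQueryObject for ObjectBasicInformation (0) or ObjectTypeInformation (2).
    ; Params:  $hObject                 - any object handle
    ;          $iObjectInformationClass - 0 = PUBLIC_OBJECT_BASIC_INFORMATION, 2 = PUBLIC_OBJECT_TYPE_INFORMATION
    ; Return:  the filled DllStruct; @Error = NTSTATUS (0 on success)
    ;          0 with @Error = 87 for a null handle or an unsupported class
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    ; Note:    the call is declared with a signed "LONG" return, so NTSTATUS values >= 0x80000000
    ;          arrive negative (0xC0000004 == -1073741820); the original compared against the
    ;          unsigned literal and the retry below could therefore never run.
    Static $tagPUBLIC_OBJECT_BASIC_INFORMATION = "ULONG Attributes;ULONG GrantedAccess;ULONG HandleCount;ULONG PointerCount;ULONG Reserved[10]"
    Static $tagPUBLIC_OBJECT_TYPE_INFORMATION = "STRUCT;USHORT Length;USHORT MaximumLength;PTR Buffer;ENDSTRUCT;ULONG Reserved[22]"
    Local Const $STATUS_INFO_LENGTH_MISMATCH = -1073741820 ;; 0xC0000004 as a signed LONG
    If Not $hObject Or ($iObjectInformationClass <> 0 And $iObjectInformationClass <> 2) Then Return SetError(87, 87, 0)
    Local $tagObjectInformation = $iObjectInformationClass ? $tagPUBLIC_OBJECT_TYPE_INFORMATION : $tagPUBLIC_OBJECT_BASIC_INFORMATION
    Local $tObjectInformation = DllStructCreate($tagObjectInformation)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryObject", "HANDLE", $hObject, "INT", $iObjectInformationClass, "STRUCT*", $tObjectInformation, "ULONG", DllStructGetSize($tObjectInformation), "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    If $arDllCall[0] = $STATUS_INFO_LENGTH_MISMATCH And $arDllCall[5] > DllStructGetSize($tObjectInformation) Then
        ; The kernel needs $arDllCall[5] (ReturnLength) bytes - presumably the variable-length part,
        ; such as the type name characters, is stored behind the fixed fields.  Grow the buffer to that
        ; size before retrying; passing a bigger length with the old buffer would let the kernel write
        ; past the end of the struct.  The extra bytes are appended, so the element indices callers use
        ; (1..4 / 1..5) are unchanged.
        $tObjectInformation = DllStructCreate($tagObjectInformation & ";BYTE Extra[" & ($arDllCall[5] - DllStructGetSize($tObjectInformation)) & "]")
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryObject", "HANDLE", $hObject, "INT", $iObjectInformationClass, "STRUCT*", $tObjectInformation, "ULONG", DllStructGetSize($tObjectInformation), "ULONG*", 0)
        If @Error Then Return SetError(1, -@Error, 0)
    EndIf
    Return SetError($arDllCall[0], 0, $tObjectInformation)
EndFunc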


Func _NTAPI_ZwClose(Const ByRef $hKeyHandle)
    ; Thin wrapper over ntdll!ZwClose; works for any handle (key, symbolic link, ...), not only keys.
    ; Param:   $hKeyHandle - handle to release
    ; Return:  always 0; @Error = NTSTATUS (0 on success), or 1 with @Extended = -(DllCall error)
    ;          when the call itself failed
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwClose", "HANDLE", $hKeyHandle)
    Local $iCallError = @Error
    If $iCallError Then Return SetError(1, -$iCallError, 0)
    Return SetError($arDllCall[0], 0, 0)
EndFunc


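Func _NTAPI_GetRegKeyNameByHandleEx(Const ByRef $hKeyHandle)
    ; Returns the full object name ("\REGISTRY\MACHINE\...") of an open registry key handle via
    ; ntdll!ZwQueryKey with information class 3 (KeyNameInformation): a ULONG byte length followed
    ; by the name characters.
    ; Param:   $hKeyHandle - open key handle
    ; Return:  the key name; @Error = NTSTATUS (0 on success), @Extended = name length in characters
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    ;          (same convention as the other _NTAPI_* wrappers; the original returned the raw
    ;          DllCall error in @Error here)
    Local Const $iKeyNameInformation = 3
    Local $tKEY_NAME_INFORMATION = DllStructCreate("ULONG NameLength;WCHAR Name[4096]")
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryKey", "ULONG_PTR", $hKeyHandle, "INT", $iKeyNameInformation, "STRUCT*", $tKEY_NAME_INFORMATION, "ULONG", DllStructGetSize($tKEY_NAME_INFORMATION), "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    ; ResultLength ($arDllCall[5], in bytes) above the size we offered ($arDllCall[4]): retry with a
    ; buffer sized from the kernel's answer.  Bytes / 2 WCHARs already covers the leading ULONG.
    If $arDllCall[5] > $arDllCall[4] Then ;;Or $arDllCall[0] = $STATUS_BUFFER_OVERFLOW Or $arDllCall[0] = $STATUS_BUFFER_TOO_SMALL
        $tKEY_NAME_INFORMATION = DllStructCreate("ULONG NameLength;WCHAR Name[" & Int($arDllCall[5] / 2) & "]")
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryKey", "ULONG_PTR", $hKeyHandle, "INT", $iKeyNameInformation, "STRUCT*", $tKEY_NAME_INFORMATION, "ULONG", DllStructGetSize($tKEY_NAME_INFORMATION), "ULONG*", 0)
        If @Error Then Return SetError(1, -@Error, 0)
    EndIf
    ; ResultLength / 2 gives WCHARs including the 4-byte ULONG, hence the -2.
    Return SetError($arDllCall[0], ($arDllCall[5] / 2) - 2, DllStructGetData($tKEY_NAME_INFORMATION, 2))
EndFunc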


;~ Func _WinAPI_GetFileObjectNameByPath($sFilePath, $iFlags = 0)
;~  Static $aRoot
;~  $aRoot = StringRegExp($sFilePath, "(?i)^\h*(?:\\+DosDevices\\+)?([a-z]\:)(.*)", 1)
;~  If @Error Then Return SetError(1, 0, "")
;~  $arDllCall = DllCall($hKernel32DLL, "DWORD", "QueryDosDeviceW", "WSTR", $aRoot[0], "WSTR", "", "DWORD", 0x8000)
;~  If @Error Or Not $arDllCall[2] Then Return SetError(2, 0, ($iFlags ? $sFilePath : ""))
;~  $sFilePath = $arDllCall[2] & $aRoot[1]
;~  Return $sFilePath
;~ EndFunc   ;==>_WinAPI_GetFileRootByObjectName


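;-----------------------------------------------------------------------
; Helper for the ZwQueryObject dumps below: one "ReservedN - dec - hex" line per entry of the
; ULONG Reserved[] array stored in element $iElement of $tStruct, the label padded to $iWidth
; characters so the columns line up.  No line break after the last entry.
;-----------------------------------------------------------------------
Func _DumpReservedArray(Const ByRef $tStruct, $iElement, $iCount, $iWidth)
    Local $sText = "", $iValue, $i
    For $i = 1 To $iCount
        $iValue = DllStructGetData($tStruct, $iElement, $i)
        $sText &= StringFormat("%-" & $iWidth & "s- ", "Reserved" & $i) & $iValue & " - " & Hex($iValue, 8) & @LF
    Next
    Return StringTrimRight($sText, 1)
EndFunc

Local $hKeyHandle, $hKeyHandle2, $pObjectAttributes, $ulDesiredAccess, $hLinkHandle, $sLinkTarget

; Step 1: open the link key itself (OBJ_OPENLINK in the attributes plus 8 = REG_OPTION_OPEN_LINK as
; open option) and then the key it points to, and show both resolved names side by side.
$pObjectAttributes = _NTAPI_InitializeObjectAttributes("HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current", $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE + $OBJ_OPENLINK)
;$pObjectAttributes = _NTAPI_InitializeObjectAttributes(_WinAPI_GetFileObjectNameByPath(@DesktopDir & "\LinkFolder"), $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE)
$ulDesiredAccess = @Extended + $_STANDARD_RIGHTS_REQUIRED ;; @Extended = KEY_WOW64_* flag from a 32/64 hive suffix (0 here)
$hKeyHandle = _NTAPI_ZwOpenKeyEx($pObjectAttributes, $ulDesiredAccess, 8) ;; 8 = REG_OPTION_OPEN_LINK

$pObjectAttributes = _NTAPI_InitializeObjectAttributes("HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current", $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE)
$ulDesiredAccess = @Extended + $_STANDARD_RIGHTS_REQUIRED
$hKeyHandle2 = _NTAPI_ZwOpenKeyEx($pObjectAttributes, $ulDesiredAccess)
MsgBox(0, $hKeyHandle & " - " & $hKeyHandle2, _NTAPI_GetRegKeyNameByHandleEx($hKeyHandle) & @LF & _NTAPI_GetRegKeyNameByHandleEx($hKeyHandle2))

; Step 2: try to open the same registry path as an object-manager symbolic link.
;;
;; MessageId: STATUS_OBJECT_TYPE_MISMATCH
;;
;; MessageText:
;;
;; {Wrong Type}
;; There is a mismatch between the type of object required by the requested operation and the type of object that is specified in the request.
;;
;; $STATUS_OBJECT_TYPE_MISMATCH = 0xC0000024 ;; (-1073741788)
;;
; NOTE(review): that is the status this open returns.  A registry key is a configuration-manager
; object, not an object-manager symbolic link, so ZwOpenSymbolicLinkObject presumably can never
; open it regardless of flags; the link target would have to be read through the key handle that
; step 1 opened with OBJ_OPENLINK / REG_OPTION_OPEN_LINK instead (confirm).  The access mask is
; now the symbolic-link mask; the original passed the KEY_* mask left over from step 1, which
; carries bits that have no meaning for a link object.
$pObjectAttributes = _NTAPI_InitializeObjectAttributes("HKLM\SYSTEM\ControlSet001\Hardware Profiles\Current", $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE + $OBJ_OPENLINK)
$hLinkHandle = _NTAPI_ZwOpenSymbolicLinkObject($pObjectAttributes, $SYMBOLIC_LINK_QUERY)
MsgBox(0, Hex(@Error), $hLinkHandle)
If $hLinkHandle Then
    $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle)
    MsgBox(0, "1 - " & Hex(@Error), $sLinkTarget)
Else
    ; Querying the key handle as a link is expected to fail with the same status; kept as the experiment.
    $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hKeyHandle)
    MsgBox(0, "2 - " & Hex(@Error), $sLinkTarget)
EndIf

; Step 3: dump what ZwQueryObject reports about the key handle.
Local $ObjectBasicInformation = 0, $ObjectTypeInformation = 2, $tObjectInformation
If $hKeyHandle Then
    $tObjectInformation = _NTAPI_ZwQueryObject($hKeyHandle, $ObjectBasicInformation)
    MsgBox(0, Hex(@Error), _
    "Attributes    - " & DllStructGetData($tObjectInformation, 1) & " - " & Hex(DllStructGetData($tObjectInformation, 1), 8) & @LF & _
    "GrantedAccess - " & DllStructGetData($tObjectInformation, 2) & " - " & Hex(DllStructGetData($tObjectInformation, 2), 8) & @LF & _
    "HandleCount   - " & DllStructGetData($tObjectInformation, 3) & " - " & Hex(DllStructGetData($tObjectInformation, 3), 8) & @LF & _
    "PointerCount  - " & DllStructGetData($tObjectInformation, 4) & " - " & Hex(DllStructGetData($tObjectInformation, 4), 8) & @LF & _
    _DumpReservedArray($tObjectInformation, 5, 10, 14))

    ; The type name lives in the buffer the UNICODE_STRING points at, not in the struct itself.
    $tObjectInformation = _NTAPI_ZwQueryObject($hKeyHandle, $ObjectTypeInformation)
    MsgBox(0, Hex(@Error), _
    "TypeName - " & DllStructGetData(DllStructCreate("WCHAR ObjectName[256]", DllStructGetData($tObjectInformation, 3)), 1) & @LF & _
    "TypeName Length - " & DllStructGetData($tObjectInformation, 1) & @LF & _
    "TypeName MaximumLength - " & DllStructGetData($tObjectInformation, 2) & @LF & _
    "TypeName Buffer - " & DllStructGetData($tObjectInformation, 3) & @LF & _
    _DumpReservedArray($tObjectInformation, 4, 22, 11)) ;; the hand-written list read entry 46 for Reserved22, which is out of range
EndIf

_NTAPI_ZwClose($hKeyHandle)
_NTAPI_ZwClose($hKeyHandle2)
If $hLinkHandle Then _NTAPI_ZwClose($hLinkHandle) ;; release the link handle too if step 2 ever succeeds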

#EndRegion ; Routines

Ciao.


However, this one seems to work, but it is still not clear why it does not work for the registry object.

 

#RequireAdmin

#Region ;Routines
; Result array of the most recent DllCall made by the _NTAPI_* wrappers below (shared on purpose).
Global Static $arDllCall

; OBJ_* flags for OBJECT_ATTRIBUTES.Attributes; the descriptions follow the DDK wording.
Global Const $OBJ_INHERIT            = 0x00000002 ;This handle can be inherited by child processes of the current process.
Global Const $OBJ_PERMANENT          = 0x00000010 ;This flag only applies to objects that are named within the object manager.
;                                                   By default, such objects are deleted when all open handles to them are closed.
;                                                   If this flag is specified, the object is not deleted when all open handles are closed.
;                                                   Drivers can use the ZwMakeTemporaryObject routine to make a permanent object non-permanent.
Global Const $OBJ_EXCLUSIVE          = 0x00000020 ;If this flag is set and the OBJECT_ATTRIBUTES structure is passed to a routine that
;                                                   creates an object, the object can be accessed exclusively. That is, once a process
;                                                   opens such a handle to the object, no other processes can open handles to this object.
;                                                   If this flag is set and the OBJECT_ATTRIBUTES structure is passed to a routine
;                                                   that creates an object handle, the caller is requesting exclusive access to the
;                                                   object for the process context that the handle was created in. This request can
;                                                   be granted only if the OBJ_EXCLUSIVE flag was set when the object was created.
Global Const $OBJ_CASE_INSENSITIVE   = 0x00000040 ;If this flag is specified, a case-insensitive comparison is used when matching the
;                                                   name pointed to by the ObjectName member against the names of existing objects.
;                                                   Otherwise, object names are compared using the default system settings.
Global Const $OBJ_OPENIF             = 0x00000080 ;If this flag is specified, by using the object handle, to a routine that creates objects
;                                                   and if that object already exists, the routine should open that object. Otherwise,
;                                                   the routine creating the object returns an NTSTATUS code of STATUS_OBJECT_NAME_COLLISION.
Global Const $OBJ_OPENLINK           = 0x00000100 ;If an object handle, with this flag set, is passed to a routine that opens objects and if
;                                                   the object is a symbolic link object, the routine should open the symbolic link object itself,
;                                                   rather than the object that the symbolic link refers to (which is the default behavior).
Global Const $OBJ_KERNEL_HANDLE      = 0x00000200 ;The handle is created in system process context and can only be accessed from kernel mode.
; NOTE(review): this script is a user-mode caller (#RequireAdmin only elevates it). Whether the object
;               manager honours OBJ_KERNEL_HANDLE from user mode or quietly drops it should be confirmed
;               before anything relies on the flag being set on the resulting handles.
Global Const $OBJ_FORCE_ACCESS_CHECK = 0x00000400 ;The routine that opens the handle should enforce all access checks for the object,
;                                                   even if the handle is being opened in kernel mode.
Global Const $OBJ_VALID_ATTRIBUTES   = 0x000007F2 ;Reserved.
Global Const $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE   = 0x00000240 ;; BitOR($OBJ_CASE_INSENSITIVE, $OBJ_KERNEL_HANDLE)

; Access masks for symbolic-link objects; $_STANDARD_RIGHTS_REQUIRED is the generic NT rights part.
Global Const $_STANDARD_RIGHTS_REQUIRED  = 0x000F0000
Global Const $SYMBOLIC_LINK_QUERY       = 0x0001
Global Const $SYMBOLIC_LINK_ALL_ACCESS  = 0x000F0001  ;; BitOR($_STANDARD_RIGHTS_REQUIRED, $SYMBOLIC_LINK_QUERY)

; Leftovers from an earlier revision, kept disabled.
;~ Global Const $PUNICODE_STRING = DllStructGetPtr($tUNICODE_STRING)
;~ Global Const $sCurrentUserSid = (DllCall("Ntdll.dll", "LONG", "RtlFormatCurrentUserKeyPath", "STRUCT*", $tUNICODE_STRING) + @Error) ? "" : StringTrimLeft(DllStructGetData(DllStructCreate("WCHAR CurrentUserKeyPath[256]", DllStructGetData($tUNICODE_STRING, 3)), 1), 15) & String(DllCall("Ntdll.dll", "LONG", "RtlFreeUnicodeString", "STRUCT*", $tUNICODE_STRING))


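Func _NTAPI_InitializeObjectAttributes($sObjectName, $ulAttributes = $OBJ_CASE_INSENSITIVE_KERNEL_HANDLE, $hRootDirectory = Null, $pSecurityDescriptor = Null)
    ; Fills a (static, reused) OBJECT_ATTRIBUTES for the NT object name in $sObjectName and returns
    ; a pointer to it.  When no root directory handle is given, registry hive aliases (HKLM, HKCU,
    ; HKU, HKCR, HKCC, HKLS and their long forms, optionally suffixed with 32/64) are rewritten to
    ; their \Registry\... object paths; any other name is passed through unchanged.
    ;
    ; Params:  $sObjectName         - NT object path, or hive alias plus sub path
    ;          $ulAttributes        - OBJ_* flags stored in OBJECT_ATTRIBUTES.Attributes
    ;          $hRootDirectory      - optional root directory handle; also disables the hive rewrite
    ;          $pSecurityDescriptor - optional SECURITY_DESCRIPTOR pointer
    ; Return:  pointer to the static OBJECT_ATTRIBUTES; @Extended = KEY_WOW64_* flag derived from a
    ;          32/64 hive suffix (0 when there is none).
    ;          0 with @Error = 87 (ERROR_INVALID_PARAMETER) when the name does not fit the static
    ;          256-WCHAR name buffer.
    ; Note:    every call overwrites the same static structures, so the returned pointer (and the
    ;          UNICODE_STRING it points at) is only valid until the next call.
    Static $tObjectName = DllStructCreate("WCHAR ObjectName[256]"), $tUNICODE_STRING = DllStructCreate("USHORT Length;USHORT MaximumLength;PTR Buffer")
    Static $tOBJECT_ATTRIBUTES = DllStructCreate("ULONG Length;HANDLE RootDirectory;PTR ObjectName;ULONG Attributes;PTR SecurityDescriptor;PTR SecurityQualityOfService")
    Static $pObjectName = DllStructGetPtr($tObjectName, 1), $POBJECT_ATTRIBUTES = DllStructGetPtr($tOBJECT_ATTRIBUTES, 1), $PUNICODE_STRING = DllStructGetPtr($tUNICODE_STRING, 1)
    Local $aObjectName, $ulDesiredAccess = 0
    If Not $hRootDirectory Then
        ; [0] = hive alias, [1] = optional "32"/"64" suffix, [2] = remainder of the path
        $aObjectName = StringRegExp($sObjectName, "^\h*(?:\\+[^\\]+\\+)?+([^\W\d]*+)((?:32|64)?+(?!\w))\\*+(.*)", 1)
        If Not @Error Then
            Switch $aObjectName[0]
                Case "HKCR","HKEY_CLASSES_ROOT", "CLASSES_ROOT";, "MACHINE\SOFTWARE\Classes"
                    $sObjectName = "\Registry\Machine\SOFTWARE\Classes" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKCU", "HKEY_CURRENT_USER", "CURRENT_USER"
                    $sObjectName = "\Registry\User\CurrentUser" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKLM", "HKEY_LOCAL_MACHINE", "MACHINE"
                    $sObjectName = "\Registry\Machine" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKU", "HKEY_USERS", "USERS"
                    $sObjectName = "\Registry\User" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKCC", "HKEY_CURRENT_CONFIG" ;, "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current"
                    $sObjectName = "\Registry\Machine\SYSTEM\CurrentControlSet\Hardware Profiles\Current" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
                Case "HKLS", "HKEY_CURRENT_USER_LOCAL_SETTINGS" ;, "CURRENT_USER\Software\Classes\Local Settings"
                    $sObjectName = "\Registry\User\CurrentUser\Software\Classes\Local Settings" & StringRegExpReplace($aObjectName[2], "^.", "\\$0")
            EndSwitch
            If $aObjectName[1] Then $ulDesiredAccess = $aObjectName[1] == "32" ? 0x200 : 0x100  ;;$KEY_WOW64_64KEY = 0x0100, $KEY_WOW64_32KEY = 0x0200
        EndIf
    EndIf
    ; DllStructSetData would silently cut a longer name to the buffer size, and a truncated path can
    ; name a different object than the caller asked for - refuse it instead of opening the wrong thing.
    If StringLen($sObjectName) > 255 Then Return SetError(87, 87, 0)
    DllStructSetData($tObjectName, 1, $sObjectName)  ;; "ObjectName"
    ; RtlInitUnicodeString is documented as returning VOID, so $arDllCall[0] is not a real status;
    ; the fallback below writes the same three fields by hand, which keeps the check harmless.
    $arDllCall = DllCall("Ntdll.dll", "LONG", "RtlInitUnicodeString", "PTR", $PUNICODE_STRING, "PTR", $pObjectName)
    If @Error Or $arDllCall[0] Then
        DllStructSetData($tUNICODE_STRING, 1, StringLen($sObjectName) * 2)  ;; "Length" (bytes, no terminator)
        DllStructSetData($tUNICODE_STRING, 2, DllStructGetData($tUNICODE_STRING, 1) + 2)  ;; "MaximumLength"
        DllStructSetData($tUNICODE_STRING, 3, $pObjectName) ;; "Buffer"
    EndIf
    DllStructSetData($tOBJECT_ATTRIBUTES, 1, DllStructGetSize($tOBJECT_ATTRIBUTES))  ;; "Length"
    DllStructSetData($tOBJECT_ATTRIBUTES, 2, $hRootDirectory)  ;; "RootDirectory"
    DllStructSetData($tOBJECT_ATTRIBUTES, 3, $PUNICODE_STRING)  ;; "ObjectName"
    DllStructSetData($tOBJECT_ATTRIBUTES, 4, $ulAttributes)  ;; "Attributes" ;; BitOR($ulAttributes, 576) ;; 576 = $OBJ_CASE_INSENSITIVE, $OBJ_KERNEL_HANDLE
    DllStructSetData($tOBJECT_ATTRIBUTES, 5, $pSecurityDescriptor)  ;; "SecurityDescriptor"
    DllStructSetData($tOBJECT_ATTRIBUTES, 6, Null)  ;; "SecurityQualityOfService"
    Return SetExtended($ulDesiredAccess, $POBJECT_ATTRIBUTES)
EndFunc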


Func _NTAPI_ZwOpenKeyEx(Const ByRef $pObjectAttributes, $ulDesiredAccess = 0, $ulOpenOptions = 0)
    ; Thin wrapper over ntdll!ZwOpenKeyEx.
    ; Params:  $pObjectAttributes - pointer to an initialised OBJECT_ATTRIBUTES (see _NTAPI_InitializeObjectAttributes)
    ;          $ulDesiredAccess   - KEY_* access mask
    ;          $ulOpenOptions     - REG_OPTION_* flags handed to the kernel unchanged
    ; Return:  the key handle, @Error = NTSTATUS (0 on success)
    ;          0 with @Error = 87 when no attributes pointer was given
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    If $pObjectAttributes Then
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwOpenKeyEx", "HANDLE*", 0, "ULONG", $ulDesiredAccess, "PTR", $pObjectAttributes, "ULONG", $ulOpenOptions)
        Local $iCallError = @Error
        If $iCallError Then Return SetError(1, -$iCallError, 0)
        Return SetError($arDllCall[0], 0, $arDllCall[1])
    EndIf
    Return SetError(87, 87, 0)
EndFunc


Func _NTAPI_ZwOpenSymbolicLinkObject(Const ByRef $pObjectAttributes, $ulDesiredAccess = 0)
    ; Thin wrapper over ntdll!ZwOpenSymbolicLinkObject.  SYMBOLIC_LINK_QUERY is always OR-ed into
    ; the requested access so the handle can be passed to _NTAPI_ZwQuerySymbolicLinkObject.
    ; Params:  $pObjectAttributes - pointer to an initialised OBJECT_ATTRIBUTES naming the link object
    ;          $ulDesiredAccess   - additional SYMBOLIC_LINK_* access bits
    ; Return:  the link handle, @Error = NTSTATUS (0 on success)
    ;          0 with @Error = 87 when no attributes pointer was given
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    If Not $pObjectAttributes Then Return SetError(87, 87, 0)
    Local $ulAccessMask = BitOR($ulDesiredAccess, $SYMBOLIC_LINK_QUERY)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwOpenSymbolicLinkObject", "HANDLE*", 0, "ULONG", $ulAccessMask, "PTR", $pObjectAttributes)
    Local $iCallError = @Error
    If $iCallError Then Return SetError(1, -$iCallError, 0)
    Return SetError($arDllCall[0], 0, $arDllCall[1])
EndFunc


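Func _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle, $iBuffer = 65534) ;; MaximumLength Limit = 65534
    ; Resolves the target of an object-manager symbolic link via ntdll!ZwQuerySymbolicLinkObject.
    ; Params:  $hLinkHandle - handle opened with SYMBOLIC_LINK_QUERY (see _NTAPI_ZwOpenSymbolicLinkObject)
    ;          $iBuffer     - size in bytes of the target buffer; clamped to 65534 because
    ;                         UNICODE_STRING.MaximumLength is a USHORT
    ; Return:  the link target string; @Error = NTSTATUS (0 on success), @Extended = ReturnedLength
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    ; Note:    a registry key handle is not a symbolic-link object; handing one in is expected to
    ;          yield STATUS_OBJECT_TYPE_MISMATCH (0xC0000024) rather than a target.
    Local Const $iMaxBuffer = 65534
    If $iBuffer > $iMaxBuffer Then $iBuffer = $iMaxBuffer
    ; Int() keeps the WCHAR count whole - an odd byte count would otherwise produce "WCHAR LinkTarget[123.5]".
    Local $tLinkTarget = DllStructCreate("WCHAR LinkTarget[" & Int($iBuffer / 2) & "]"), $tUNICODE_STRING = DllStructCreate("USHORT Length;USHORT MaximumLength;PTR Buffer")
    ; RtlInitUnicodeString is documented as returning VOID, so $arDllCall[0] is not a real status;
    ; whichever branch runs, MaximumLength ends up as $iBuffer and Buffer points at $tLinkTarget.
    $arDllCall = DllCall("Ntdll.dll", "LONG", "RtlInitUnicodeString", "STRUCT*", $tUNICODE_STRING, "STRUCT*", $tLinkTarget)
    If @Error Or $arDllCall[0] Then
        DllStructSetData($tUNICODE_STRING, 1, 0)  ;; "Length"
        DllStructSetData($tUNICODE_STRING, 2, $iBuffer)  ;; "MaximumLength"
        DllStructSetData($tUNICODE_STRING, 3, DllStructGetPtr($tLinkTarget, 1)) ;; "Buffer"
    Else
        DllStructSetData($tUNICODE_STRING, 2, $iBuffer)  ;; "MaximumLength"
    EndIf
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQuerySymbolicLinkObject", "HANDLE", $hLinkHandle, "STRUCT*", $tUNICODE_STRING, "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    ; Buffer too small: retry once with the size the kernel reported ($arDllCall[3] = ReturnedLength).
    ; Once the buffer is already at the USHORT limit there is nothing bigger to try, which also
    ; stops the recursion from repeating forever on an oversized answer.
    If $arDllCall[3] > $iBuffer And $iBuffer < $iMaxBuffer Then
        Local $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle, $arDllCall[3])
        Return SetError(@Error, @Extended, $sLinkTarget)
    EndIf
    Return SetError($arDllCall[0], $arDllCall[3], DllStructGetData($tLinkTarget, 1))
EndFunc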


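Func _NTAPI_ZwQueryObject(Const ByRef $hObject, $iObjectInformationClass = 0)
    ; Queries ntdll!ZwQueryObject for ObjectBasicInformation (0) or ObjectTypeInformation (2).
    ; Params:  $hObject                 - any object handle
    ;          $iObjectInformationClass - 0 = PUBLIC_OBJECT_BASIC_INFORMATION, 2 = PUBLIC_OBJECT_TYPE_INFORMATION
    ; Return:  the filled DllStruct; @Error = NTSTATUS (0 on success)
    ;          0 with @Error = 87 for a null handle or an unsupported class
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    ; Note:    the call is declared with a signed "LONG" return, so NTSTATUS values >= 0x80000000
    ;          arrive negative (0xC0000004 == -1073741820); the original compared against the
    ;          unsigned literal and the retry below could therefore never run.
    Static $tagPUBLIC_OBJECT_BASIC_INFORMATION = "ULONG Attributes;ULONG GrantedAccess;ULONG HandleCount;ULONG PointerCount;ULONG Reserved[10]"
    Static $tagPUBLIC_OBJECT_TYPE_INFORMATION = "STRUCT;USHORT Length;USHORT MaximumLength;PTR Buffer;ENDSTRUCT;ULONG Reserved[22]"
    Local Const $STATUS_INFO_LENGTH_MISMATCH = -1073741820 ;; 0xC0000004 as a signed LONG
    If Not $hObject Or ($iObjectInformationClass <> 0 And $iObjectInformationClass <> 2) Then Return SetError(87, 87, 0)
    Local $tagObjectInformation = $iObjectInformationClass ? $tagPUBLIC_OBJECT_TYPE_INFORMATION : $tagPUBLIC_OBJECT_BASIC_INFORMATION
    Local $tObjectInformation = DllStructCreate($tagObjectInformation)
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryObject", "HANDLE", $hObject, "INT", $iObjectInformationClass, "STRUCT*", $tObjectInformation, "ULONG", DllStructGetSize($tObjectInformation), "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    If $arDllCall[0] = $STATUS_INFO_LENGTH_MISMATCH And $arDllCall[5] > DllStructGetSize($tObjectInformation) Then
        ; The kernel needs $arDllCall[5] (ReturnLength) bytes - presumably the variable-length part,
        ; such as the type name characters, is stored behind the fixed fields.  Grow the buffer to that
        ; size before retrying; passing a bigger length with the old buffer would let the kernel write
        ; past the end of the struct.  The extra bytes are appended, so the element indices callers use
        ; (1..4 / 1..5) are unchanged.
        $tObjectInformation = DllStructCreate($tagObjectInformation & ";BYTE Extra[" & ($arDllCall[5] - DllStructGetSize($tObjectInformation)) & "]")
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryObject", "HANDLE", $hObject, "INT", $iObjectInformationClass, "STRUCT*", $tObjectInformation, "ULONG", DllStructGetSize($tObjectInformation), "ULONG*", 0)
        If @Error Then Return SetError(1, -@Error, 0)
    EndIf
    Return SetError($arDllCall[0], 0, $tObjectInformation)
EndFunc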


Func _NTAPI_ZwClose(Const ByRef $hKeyHandle)
    ; Thin wrapper over ntdll!ZwClose; works for any handle (key, symbolic link, ...), not only keys.
    ; Param:   $hKeyHandle - handle to release
    ; Return:  always 0; @Error = NTSTATUS (0 on success), or 1 with @Extended = -(DllCall error)
    ;          when the call itself failed
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwClose", "HANDLE", $hKeyHandle)
    Local $iCallError = @Error
    If $iCallError Then Return SetError(1, -$iCallError, 0)
    Return SetError($arDllCall[0], 0, 0)
EndFunc


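Func _NTAPI_GetRegKeyNameByHandleEx(Const ByRef $hKeyHandle)
    ; Returns the full object name ("\REGISTRY\MACHINE\...") of an open registry key handle via
    ; ntdll!ZwQueryKey with information class 3 (KeyNameInformation): a ULONG byte length followed
    ; by the name characters.
    ; Param:   $hKeyHandle - open key handle
    ; Return:  the key name; @Error = NTSTATUS (0 on success), @Extended = name length in characters
    ;          0 with @Error = 1, @Extended = -(DllCall error) when the call itself failed
    ;          (same convention as the other _NTAPI_* wrappers; the original returned the raw
    ;          DllCall error in @Error here)
    Local Const $iKeyNameInformation = 3
    Local $tKEY_NAME_INFORMATION = DllStructCreate("ULONG NameLength;WCHAR Name[4096]")
    $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryKey", "ULONG_PTR", $hKeyHandle, "INT", $iKeyNameInformation, "STRUCT*", $tKEY_NAME_INFORMATION, "ULONG", DllStructGetSize($tKEY_NAME_INFORMATION), "ULONG*", 0)
    If @Error Then Return SetError(1, -@Error, 0)
    ; ResultLength ($arDllCall[5], in bytes) above the size we offered ($arDllCall[4]): retry with a
    ; buffer sized from the kernel's answer.  Bytes / 2 WCHARs already covers the leading ULONG.
    If $arDllCall[5] > $arDllCall[4] Then ;;Or $arDllCall[0] = $STATUS_BUFFER_OVERFLOW Or $arDllCall[0] = $STATUS_BUFFER_TOO_SMALL
        $tKEY_NAME_INFORMATION = DllStructCreate("ULONG NameLength;WCHAR Name[" & Int($arDllCall[5] / 2) & "]")
        $arDllCall = DllCall("Ntdll.dll", "LONG", "ZwQueryKey", "ULONG_PTR", $hKeyHandle, "INT", $iKeyNameInformation, "STRUCT*", $tKEY_NAME_INFORMATION, "ULONG", DllStructGetSize($tKEY_NAME_INFORMATION), "ULONG*", 0)
        If @Error Then Return SetError(1, -@Error, 0)
    EndIf
    ; ResultLength / 2 gives WCHARs including the 4-byte ULONG, hence the -2.
    Return SetError($arDllCall[0], ($arDllCall[5] / 2) - 2, DllStructGetData($tKEY_NAME_INFORMATION, 2))
EndFunc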


;~ Func _WinAPI_GetFileObjectNameByPath($sFilePath, $iFlags = 0)
;~  Static $aRoot
;~  $aRoot = StringRegExp($sFilePath, "(?i)^\h*(?:\\+DosDevices\\+)?([a-z]\:)(.*)", 1)
;~  If @Error Then Return SetError(1, 0, "")
;~  $arDllCall = DllCall($hKernel32DLL, "DWORD", "QueryDosDeviceW", "WSTR", $aRoot[0], "WSTR", "", "DWORD", 0x8000)
;~  If @Error Or Not $arDllCall[2] Then Return SetError(2, 0, ($iFlags ? $sFilePath : ""))
;~  $sFilePath = $arDllCall[2] & $aRoot[1]
;~  Return $sFilePath
;~ EndFunc   ;==>_WinAPI_GetFileRootByObjectName


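; Only the symbolic-link part of the first experiment is kept here, so the unused key handles are gone
; and the access mask is set explicitly instead of being passed in uninitialised.
Local $pObjectAttributes, $hLinkHandle, $sLinkTarget, $ulDesiredAccess = $SYMBOLIC_LINK_QUERY

;;OKKKK
;;$pObjectAttributes = _NTAPI_InitializeObjectAttributes("\??\C:", $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE)
; \DosDevices\C: is the kind of object ZwOpenSymbolicLinkObject expects (this open succeeds, unlike the
; registry path tried in the first version), so the same wrappers work here.
$pObjectAttributes = _NTAPI_InitializeObjectAttributes("\DosDevices\C:", $OBJ_CASE_INSENSITIVE + $OBJ_KERNEL_HANDLE)
$hLinkHandle = _NTAPI_ZwOpenSymbolicLinkObject($pObjectAttributes, $ulDesiredAccess)
MsgBox(0, Hex(@Error), $hLinkHandle)
; Only query when the open succeeded; otherwise the wrapper would be handed a 0 handle.
If $hLinkHandle Then
    $sLinkTarget = _NTAPI_ZwQuerySymbolicLinkObject($hLinkHandle)
    MsgBox(0, Hex(@Error), $sLinkTarget)
    _NTAPI_ZwClose($hLinkHandle) ;; the original never released the link handle
EndIf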


#EndRegion ; Routines
Ciao.
