#pragma once
#include "notify.h"

// Number of hash buckets in OBJECT_DIRECTORY below; sizes the HashBuckets array.
// This mirrors an undocumented kernel layout, so confirm it against the target OS build.
#define OBJECT_HASH_TABLE_SIZE 37

/*
 * Private mirror of one entry in a kernel object-directory hash bucket.
 * Entries of the same bucket are chained through NextEntry. The layout is
 * undocumented and version-dependent; field offsets must be checked against
 * the OS build the driver is loaded on before they are trusted.
 */
typedef struct _OBJECT_DIRECTORY_ENTRY {
	struct	_OBJECT_DIRECTORY_ENTRY *NextEntry;	// next entry in the same bucket (presumably NULL-terminated chain)
	PVOID	Object;								// untyped pointer to the object this entry refers to
	ULONG	HashValue;	// not present on NT5
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;

/*
 * Private mirror of the kernel's object-directory body: an array of
 * OBJECT_HASH_TABLE_SIZE bucket heads, each a chain of OBJECT_DIRECTORY_ENTRY.
 * Only the leading fields are relied on; everything after Lock is kept for
 * size/offset fidelity and is noted below as version-dependent.
 */
typedef struct _OBJECT_DIRECTORY {
	POBJECT_DIRECTORY_ENTRY	HashBuckets[OBJECT_HASH_TABLE_SIZE];	// bucket heads, see OBJECT_DIRECTORY_ENTRY.NextEntry
	EX_PUSH_LOCK			Lock;									// kernel push lock guarding the directory
	PVOID					DeviceMap;
	ULONG					SessionId;
	PVOID					NamespaceEntry; // from here on, differs on NT5, but unused...
	ULONG					Flags;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

/*
 * Private mirror of the kernel's OBJECT_TYPE_INITIALIZER (embedded in
 * OBJECT_TYPE.TypeInfo). The procedure pointers are kept untyped (PVOID);
 * this header only needs their positions so that the fields that follow
 * TypeInfo in OBJECT_TYPE land at the right offsets. Undocumented layout:
 * verify against the target OS build.
 */
typedef struct _OBJECT_TYPE_INITIALIZER	// NT6 layout; on NT5 x86 shift by one ULONG (compensated by alignment on x64)
{
	SHORT Length;
	UCHAR ObjectTypeFlags;
	ULONG ObjectTypeCode;
	ULONG InvalidAttributes;
	GENERIC_MAPPING GenericMapping;
	ACCESS_MASK ValidAccessMask;
	ULONG RetainAccess;
	POOL_TYPE PoolType;
	ULONG DefaultPagedPoolCharge;
	ULONG DefaultNonPagedPoolCharge;
	PVOID DumpProcedure;		// type-specific procedures, left as PVOID: only their offsets matter here
	PVOID OpenProcedure;
	PVOID CloseProcedure;
	PVOID DeleteProcedure;
	PVOID ParseProcedure;
	PVOID SecurityProcedure;
	PVOID QueryNameProcedure;
	PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

/*
 * Private mirror of the kernel's OBJECT_TYPE body. The driver reaches these
 * through the type directory (ObpTypeDirectoryObject) and is interested in
 * CallbackList at the end, so the preceding fields exist mainly to place it
 * correctly. Undocumented and version-dependent layout; confirm offsets per
 * OS build (see the NT5/NT6 note on OBJECT_TYPE_INITIALIZER).
 */
typedef struct _OBJECT_TYPE {
	LIST_ENTRY				TypeList;
	UNICODE_STRING			Name;			// type name, e.g. as shown in object-directory listings
	PVOID					DefaultObject;
	UCHAR					Index;
	ULONG					TotalNumberOfObjects;
	ULONG					TotalNumberOfHandles;
	ULONG					HighWaterNumberOfObjects;
	ULONG					HighWaterNumberOfHandles;
	OBJECT_TYPE_INITIALIZER	TypeInfo;
	EX_PUSH_LOCK			TypeLock;
	ULONG					Key;
	LIST_ENTRY				CallbackList;	// presumably the head of the OBJECT_CALLBACK_ENTRY.CallbackList chain below — confirm in the .c
} OBJECT_TYPE, *POBJECT_TYPE;

/*
 * Private mirror of one object-callback registration record linked into
 * OBJECT_TYPE.CallbackList. PreOperation/PostOperation use the public WDK
 * callback pointer types; the surrounding layout is undocumented and must
 * be checked against the target OS build. Walking or editing this list is
 * exactly what kListNotifyObjects / kClearNotifyObjects operate on.
 */
typedef struct _OBJECT_CALLBACK_ENTRY {
	LIST_ENTRY CallbackList;					// link into the owning OBJECT_TYPE's list
	OB_OPERATION Operations;					// operation mask the callback was registered for
	ULONG Active;
	/*OB_HANDLE*/ PVOID Handle;					// registration handle, kept untyped here
	POBJECT_TYPE ObjectType;					// type this entry belongs to
	POB_PRE_OPERATION_CALLBACK  PreOperation;
	POB_POST_OPERATION_CALLBACK PostOperation;
} OBJECT_CALLBACK_ENTRY, *POBJECT_CALLBACK_ENTRY;

// Selects what listNotifyOrClearObjects() does with each callback entry it visits.
typedef enum _KIWI_NOTIF_OBJECT_ACTION
{
	ListNotif,	// report the entry only
	ClearNotif	// remove/neutralise the entry (see kClearNotifyObjects)
} KIWI_NOTIF_OBJECT_ACTION;

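/*
 * Address of the kernel's pointer to the object-type directory, resolved by
 * getObpTypeDirectoryObject(). NOTE(review): this is a tentative *definition*
 * in a header, so every translation unit that includes it defines the symbol;
 * the conventional form is `extern` here plus one definition in the .c file.
 * Left as-is because the matching .c is not visible from this header.
 */
POBJECT_DIRECTORY * ObpTypeDirectoryObject;

/*
 * Locates the kernel's ObpTypeDirectoryObject and stores its address in the
 * global above. Declared with (void): an empty parameter list is an
 * obsolescent unprototyped declaration that would let a call with stray
 * arguments compile silently.
 * @return NTSTATUS; presumably STATUS_SUCCESS when the global is valid.
 */
NTSTATUS getObpTypeDirectoryObject(void);

/*
 * The three functions below share the RtlStringCb*Ex-style output contract
 * (to be confirmed in the .c): text is appended to pszDest, a buffer of
 * cbDest bytes; on return *ppszDestEnd points just past the written text and
 * *pcbRemaining holds the bytes still free.
 * @param pszDest       destination wide-char buffer
 * @param cbDest        size of pszDest in bytes
 * @param ppszDestEnd   receives the end-of-output position
 * @param pcbRemaining  receives the remaining byte count
 * @return NTSTATUS
 */
NTSTATUS kListNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);		// action = ListNotif
NTSTATUS kClearNotifyObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining);		// action = ClearNotif
// Common worker: walks the object-type callback lists and applies `action` to each entry.
NTSTATUS listNotifyOrClearObjects(LPWSTR pszDest, size_t cbDest, LPWSTR *ppszDestEnd, size_t *pcbRemaining, KIWI_NOTIF_OBJECT_ACTION action);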