HI!

I have spent more than a week on this and still cannot form a complete picture of how to get a list of kernel objects. My algorithm is as follows:

1) Load NTDLL.dll (LoadLibrary)
2) GetProcAddress(variable_Library_name, "NtQueryDirectoryObject"), having declared the structures beforehand: _OBJDIR_INFORMATION, _OBJECT_ATTRIBUTES
3) Try to use the function NtOpenDirectoryObject to get the list of objects

Here is the piece of code responsible for calling NtOpenDirectoryObject:

OBJDIR_INFORMATION *ssinfo = (OBJDIR_INFORMATION *) HeapAlloc(GetProcessHeap(), 0, 0x800);
///////////////////////
HANDLE hFile, hThread, hMapFile;
HMODULE hNtdll, hKernel;
DWORD dwThreadId;
OBJECT_ATTRIBUTES obj;
WCHAR *uString = L"\\BaseNamedObjects";   // name of the directory to open
UNICODE_STRING str;                       // declared here; nothing is assigned to it before use
DWORD i, a, iStrLen, b = 0;
char sObjName[30], sTmp[50];
LPVOID lpMapAddress;
FARPROC pWinExec, pExitThread;
bool bFound;
char *sCommand;
/////////////////////////////////////////////////////////////////
NtQueryDirectoryObject = (NTQUERYDIRECTORYOBJECT) GetProcAddress(hinstLib, "NtQueryDirectoryObject");
InitializeObjectAttributes(&obj, &str, 0, 0, 00);   // str is passed as the object name
NtOpenDirectoryObject(&hFile, 0x20001, &obj);        // 0x20001 = READ_CONTROL | DIRECTORY_QUERY

The full code (including struct definitions) is at: http://pastebin.com/pDNb3GTn

When I call NtOpenDirectoryObject with these parameters I get exception c0000005, which means that access is blocked.

Please tell me, am I doing something wrong, and where is my mistake? Is it possible to do this without the native API? Thank you for your help.

    For starters, the name you put in `WCHAR* uString` is never getting connected to `UNICODE_STRING str` so there is no name in the `OBJECT_ATTRIBUTES` object that you pass to `NtOpenDirectoryObject`. – nobody May 21 '14 at 16:37


Exception c0000005 is an Access Violation. That does not mean that access was blocked. It means invalid memory was accessed, such as if a NULL/uninitialized pointer were accessed, or if you are not aligning data correctly and accessing something out of bounds of what you have allocated.

As Andrew mentioned, you are not initializing the UNICODE_STRING at all. Try this instead:

hNtdll = LoadLibrary("ntdll.dll");
NtOpenDirectoryObject = (NTOPENDIRECTORYOBJECT) GetProcAddress(hNtdll, "NtOpenDirectoryObject");
...
if (NtOpenDirectoryObject)
{ 
    // add these three lines (Length and MaximumLength are byte counts, not character counts)
    str.Length = lstrlenW(uString) * sizeof(WCHAR);
    str.MaximumLength = str.Length;
    str.Buffer = uString;

    InitializeObjectAttributes (&obj, &str, 0, NULL, NULL);
    NtOpenDirectoryObject(&hFile, 0x20001, &obj);
}
  • Andrew, Remy, thank you so much, I really slipped up - I rarely write using WinAPI. But now there is a new issue: I have opened the object directory, but how do I cycle through the list of all the named objects and show them on screen? I understand that I need to use another native function, NtQueryDirectoryObject, but how to iterate over and display all the objects does not occur to me, because there are many directories. It could be done recursively, but I do not understand how to implement it... Or maybe try another function, GetKernelObjectSecurity? Many thanks in advance for your help, it is even somewhat awkward... – Sleeeper May 22 '14 at 13:52
  • See the example in this article: http://www.drdobbs.com/using-nts-undocumented-object-manager-in/184416468 – Remy Lebeau May 22 '14 at 14:40
  • Remy, thanks a lot for the example, I understood the logic, but there is another question: how can I connect functions from the ntddk.h library to my project? It does not include this header file. I need to use only the necessary functions without connecting the entire WDK library. Here, for example, is how I connected NTOPENDIRECTORYOBJECT: http://pastebin.com/1NSLBbRa . Is it possible, for example, to declare and call NTSTATUS without ntddk.h, and the other functions too? Thank you very much in advance... – Sleeeper May 22 '14 at 20:30
  • Of course it is possible. If you don't have a header file for something, you will simply have to declare it manually in your own code. Search MSDN for declarations. – Remy Lebeau May 22 '14 at 22:23
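An added complete program (my code, not the question's or Remy's) that hand-declares the few native-API types it needs, so no ntddk.h is required, fills in the UNICODE_STRING as the answer describes, and then lists one directory with NtQueryDirectoryObject as asked in the follow-up comments. The NT_-prefixed type names, the helper names and the 0x2000 buffer are my own choices; the open-and-enumerate half is Windows-only and compiled out elsewhere, and an entry larger than the buffer ends the loop early.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
typedef wchar_t NT_WCHAR;               /* 16-bit UTF-16 code unit on Windows */
#else
#include <uchar.h>
typedef char16_t NT_WCHAR;              /* stand-in so the string helpers also build elsewhere */
#endif
/* Hand-declared subset of the native API (no ntddk.h); same layout as the real UNICODE_STRING */
typedef struct { uint16_t Length; uint16_t MaximumLength; NT_WCHAR *Buffer; } NT_UNICODE_STRING;
/* The step the question's code skipped. Both lengths are BYTE counts: Length excludes the
   NUL terminator, MaximumLength includes it, which is what RtlInitUnicodeString produces. */
void init_unicode_string(NT_UNICODE_STRING *s, NT_WCHAR *src) {
    uint16_t chars = 0; while (src[chars] != 0) chars++;
    s->Buffer = src;
    s->Length = (uint16_t)(chars * sizeof(NT_WCHAR));
    s->MaximumLength = (uint16_t)(s->Length + sizeof(NT_WCHAR));
}
/* 1 if the kernel could read the name; an unfilled struct like the question's str yields 0 */
int unicode_string_is_usable(const NT_UNICODE_STRING *s) {
    return s->Buffer != NULL && s->Length % 2 == 0 && s->Length <= s->MaximumLength;
}
#ifdef _WIN32
typedef LONG NTSTATUS;
typedef struct { ULONG Length; HANDLE RootDirectory; NT_UNICODE_STRING *ObjectName; ULONG Attributes;
                 PVOID SecurityDescriptor, SecurityQualityOfService; } NT_OBJECT_ATTRIBUTES;
typedef struct { NT_UNICODE_STRING Name, TypeName; } NT_OBJECT_DIRECTORY_INFORMATION;
typedef NTSTATUS (NTAPI *NtOpenDirectoryObject_t)(HANDLE *, ACCESS_MASK, NT_OBJECT_ATTRIBUTES *);
typedef NTSTATUS (NTAPI *NtQueryDirectoryObject_t)(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, ULONG *, ULONG *);
enum { NT_DIR_QUERY = 0x1, NT_DIR_TRAVERSE = 0x2, NT_OBJ_CASE_INSENSITIVE = 0x40 };
/* Open one object-manager directory and print "Type  Name" per entry; returns the entry count or -1 */
int list_object_directory(NT_WCHAR *path) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");   /* mapped in every process, so no LoadLibrary */
    NtOpenDirectoryObject_t open_dir = (NtOpenDirectoryObject_t)GetProcAddress(ntdll, "NtOpenDirectoryObject");
    NtQueryDirectoryObject_t query_dir = (NtQueryDirectoryObject_t)GetProcAddress(ntdll, "NtQueryDirectoryObject");
    NT_UNICODE_STRING name; NT_OBJECT_ATTRIBUTES oa = {0}; HANDLE h = NULL; ULONG ctx = 0, got = 0; int count = 0;
    BYTE storage[0x2000]; NT_OBJECT_DIRECTORY_INFORMATION *buf = (NT_OBJECT_DIRECTORY_INFORMATION *)storage;
    if (!open_dir || !query_dir) return -1;
    init_unicode_string(&name, path); oa.Length = sizeof(oa); oa.ObjectName = &name; oa.Attributes = NT_OBJ_CASE_INSENSITIVE;
    if (open_dir(&h, NT_DIR_QUERY | NT_DIR_TRAVERSE, &oa) < 0) return -1;
    /* ReturnSingleEntry=TRUE: one entry per call, ctx is the kernel's cursor; STATUS_NO_MORE_ENTRIES (negative) ends the loop */
    while (query_dir(h, buf, sizeof(storage), TRUE, FALSE, &ctx, &got) >= 0) {
        wprintf(L"%-12.*s  %.*s\n", buf->TypeName.Length / 2, buf->TypeName.Buffer, buf->Name.Length / 2, buf->Name.Buffer);
        count++;
    }
    CloseHandle(h); return count;
}
int main(void) { return list_object_directory(L"\\BaseNamedObjects") < 0; }
#endif
```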