diff --git a/src/bin/file_object_scan.rs b/src/bin/file_object_scan.rs index ee993f6..11519e4 100644 --- a/src/bin/file_object_scan.rs +++ b/src/bin/file_object_scan.rs @@ -40,13 +40,14 @@ fn main() -> Result<(), Box> { println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: 0x{:x}", pool_addr, fob_addr, fob_addr - pool_addr); if read_ok == 0 { println!(" [NOT READABLE]"); - return Ok(true); } - if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) { + else if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) { println!(" {}", filename); - return Ok(true); } - Ok(false) + else { + println!(" [NOT A VALID _UNICODE_STRING]"); + } + Ok(true) })?; println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown()); diff --git a/src/ioctl_protocol.rs b/src/ioctl_protocol.rs index 26113a5..8661777 100644 --- a/src/ioctl_protocol.rs +++ b/src/ioctl_protocol.rs @@ -36,7 +36,23 @@ impl OffsetData { large_page_size_offset: pdb_store.get_offset("PoolBigPageTableSize").unwrap_or(0u64), pool_chunk_size: pdb_store.get_offset("_POOL_HEADER.struct_size").unwrap_or(0u64), }, + WindowsVersion::Windows10_2019 | + WindowsVersion::Windows10_2018 => Self { + eprocess_name_offset: pdb_store.get_offset("_EPROCESS.ImageFileName").unwrap_or(0u64), + eprocess_link_offset: pdb_store.get_offset("_EPROCESS.ActiveProcessLinks").unwrap_or(0u64), + list_blink_offset: pdb_store.get_offset("_LIST_ENTRY.Blink").unwrap_or(0u64), + process_head_offset: pdb_store.get_offset("PsActiveProcessHead").unwrap_or(0u64), + mistate_offset: pdb_store.get_offset("MiState").unwrap_or(0u64), + hardware_offset: pdb_store.get_offset("_MI_SYSTEM_INFORMATION.Hardware").unwrap_or(0u64), + system_node_offset: pdb_store.get_offset("_MI_HARDWARE_STATE.SystemNodeInformation").unwrap_or(0u64), + first_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolFirstVa").unwrap_or(0u64), + last_va_offset: pdb_store.get_offset("_MI_SYSTEM_NODE_INFORMATION.NonPagedPoolLastVa").unwrap_or(0u64), + large_page_table_offset: pdb_store.get_offset("PoolBigPageTable").unwrap_or(0u64), + large_page_size_offset: pdb_store.get_offset("PoolBigPageTableSize").unwrap_or(0u64), + pool_chunk_size: pdb_store.get_offset("_POOL_HEADER.struct_size").unwrap_or(0u64), + }, // TODO: Add other version of Windows here + // TODO: Warn user of unknown windows version, because BSOD will occur _ => Self { eprocess_name_offset: 0u64, eprocess_link_offset: 0u64,