#include <Windows.h>
|
#include <winternl.h>
|
#include <ntstatus.h>
|
#include <cstdio>
|
|
#define ObjectNameInformation ((OBJECT_INFORMATION_CLASS)1)
|
|
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
|
for (ULONG i = 0; i < dwBytes; i += 16) {
|
printf("%.8x: ", i);
|
|
for (ULONG j = 0; j < 16; j++) {
|
if (i + j < dwBytes) {
|
printf("%.2x ", Data[i + j]);
|
}
|
else {
|
printf("?? ");
|
}
|
}
|
|
for (ULONG j = 0; j < 16; j++) {
|
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
|
printf("%c", Data[i + j]);
|
}
|
else {
|
printf(".");
|
}
|
}
|
|
printf("\n");
|
}
|
}
|
|
int main() {
|
BOOL wow64 = FALSE;
|
if (!IsWow64Process(GetCurrentProcess(), &wow64) || wow64) {
|
printf("The program has to be built for the native architecture of your OS (x86 or x64).\n");
|
return 1;
|
}
|
|
HANDLE hFile = CreateFile(L"C:\\Windows\\system32\\svchost.exe", FILE_READ_ATTRIBUTES, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
|
if (hFile == INVALID_HANDLE_VALUE) {
|
printf("CreateFile failed, %d\n", GetLastError());
|
return 1;
|
}
|
|
BYTE OutputBuffer[0x100];
|
ULONG ReturnLength;
|
ULONG MaximumLeakLength;
|
|
for (MaximumLeakLength = 0; MaximumLeakLength < sizeof(OutputBuffer); MaximumLeakLength++) {
|
NTSTATUS st = NtQueryObject(hFile, ObjectNameInformation, OutputBuffer, MaximumLeakLength, &ReturnLength);
|
if (st == STATUS_OBJECT_PATH_INVALID) {
|
MaximumLeakLength--;
|
break;
|
}
|
}
|
|
while (1) {
|
RtlZeroMemory(OutputBuffer, sizeof(OutputBuffer));
|
|
NTSTATUS st = NtQueryObject(hFile, ObjectNameInformation, OutputBuffer, MaximumLeakLength, &ReturnLength);
|
if (st != STATUS_BUFFER_OVERFLOW) {
|
printf("NtQueryObject failed, %x\n", st);
|
CloseHandle(hFile);
|
return 1;
|
}
|
|
PrintHex(OutputBuffer, MaximumLeakLength);
|
|
getchar();
|
}
|
|
CloseHandle(hFile);
|
return 0;
|
}
|