show structures for common kernel object types

DiaHelper/DiaSymbol.cpp

@@ -164,6 +164,13 @@ bool DiaSymbol::IsVirtual() const {
 	m_spSym->get_virtual(&virt);
 	return virt;
 }
+
+UdtType DiaSymbol::UdtKind() const {
+	DWORD kind;
+	m_spSym->get_udtKind(&kind);
+	return UdtType(kind);
+}
+
 std::wstring DiaSymbol::SimpleTypeToString(SimpleType type) {
 	switch (type) {
 		case SimpleType::Void: return L"Void";

ObjExp/ObjExp.rc

@@ -306,6 +306,14 @@ IDI_THREAD_ZOMBIE       ICON                    "res\\threads-zombie.ico"
 
 IDI_INFO                ICON                    "res\\Info.ico"
 
+IDI_BITFIELD            ICON                    "res\\bitfield.ico"
+
+IDI_ENUM                ICON                    "res\\enum.ico"
+
+IDI_FIELD               ICON                    "res\\field.ico"
+
+IDI_UNION               ICON                    "res\\union.ico"
+
 
 /////////////////////////////////////////////////////////////////////////////
 //

ObjExp/ObjExp.vcxproj

@@ -299,6 +299,7 @@
   <ItemGroup>
     <Image Include="res\alpc.ico" />
     <Image Include="res\atom.ico" />
+    <Image Include="res\bitfield.ico" />
     <Image Include="res\briefcase.ico" />
     <Image Include="res\callback.ico" />
     <Image Include="res\car.ico" />
@@ -316,11 +317,13 @@
     <Image Include="res\desktop.ico" />
     <Image Include="res\device.ico" />
     <Image Include="res\directx.ico" />
+    <Image Include="res\enum.ico" />
     <Image Include="res\etw.ico" />
     <Image Include="res\etwreg.ico" />
     <Image Include="res\event-key.ico" />
     <Image Include="res\event.ico" />
     <Image Include="res\eventpair.ico" />
+    <Image Include="res\field.ico" />
     <Image Include="res\file.ico" />
     <Image Include="res\find.ico" />
     <Image Include="res\folder.ico" />
@@ -361,6 +364,7 @@
     <Image Include="res\token.ico" />
     <Image Include="res\type.ico" />
     <Image Include="res\types.ico" />
+    <Image Include="res\union.ico" />
     <Image Include="res\user.ico" />
     <Image Include="res\view.ico" />
     <Image Include="res\windowstation.ico" />

ObjExp/ObjExp.vcxproj.filters

@@ -438,6 +438,18 @@
     <Image Include="res\Info.ico">
       <Filter>Resource Files\Icons</Filter>
     </Image>
+    <Image Include="res\union.ico">
+      <Filter>Resource Files</Filter>
+    </Image>
+    <Image Include="res\bitfield.ico">
+      <Filter>Resource Files\Icons</Filter>
+    </Image>
+    <Image Include="res\enum.ico">
+      <Filter>Resource Files\Icons</Filter>
+    </Image>
+    <Image Include="res\field.ico">
+      <Filter>Resource Files\Icons</Filter>
+    </Image>
   </ItemGroup>
   <ItemGroup>
     <None Include="packages.config" />

ObjExp/ObjectHelpers.cpp

@@ -26,11 +26,15 @@ UINT ObjectHelpers::ShowObjectProperties(HANDLE hObject, PCWSTR typeName, PCWSTR
 		page2.Create(::GetActiveWindow());
 		dlg.AddPage(L"Handles", page2);
 	}
-	auto sym = SymbolManager::Get().GetSymbol(L"_ALPC_PORT");
-	CStructPage page3(hObject, sym);
-	page3.Create(::GetActiveWindow());
-	dlg.AddPage(L"Object", page3);
-
+	CStructPage page3(hObject);
+	if(auto it = KernelTypes.find(typeName); it != KernelTypes.end()) {
+		auto sym = SymbolManager::Get().GetSymbol(it->second);
+		if (sym) {
+			page3.SetSymbol(std::move(sym));
+			page3.Create(::GetActiveWindow());
+			dlg.AddPage(L"Object", page3);
+		}
+	}
 	dlg.DoModal();
 
 	return 0;

ObjExp/ObjectHelpers.h

@@ -1,8 +1,28 @@
 #pragma once
 
+#include <map>
+
 struct ObjectHelpers abstract final {
 	static UINT ShowObjectProperties(HANDLE hObject, PCWSTR typeName, PCWSTR name = nullptr, PCWSTR target = nullptr, DWORD handleCount = 0);
 	static std::vector<std::pair<CString, CString>> GetSimpleProps(HANDLE hObject, PCWSTR type, PCWSTR name, PCWSTR target = nullptr);
 	static bool IsNamedObjectType(USHORT index);
+
+	inline static std::map<CString, CString> KernelTypes{
+		{ L"ALPC Port", L"_ALPC_PORT" },
+		{ L"Process", L"_EPROCESS" },
+		{ L"Semaphore", L"_KSEMAPHORE" },
+		{ L"Job", L"_EJOB" },
+		{ L"Mutant", L"_KMUTANT" },
+		{ L"Event", L"_KEVENT" },
+		{ L"Thread", L"_ETHREAD" },
+		{ L"Section", L"_SECTION" },
+		{ L"File", L"_FILE_OBJECT" },
+		{ L"Type", L"_OBJECT_TYPE" },
+		{ L"Key", L"_CM_KEY_BODY" },
+		{ L"Token", L"_TOKEN" },
+		{ L"SymbolicLink", L"_OBJECT_SYMBOLIC_LINK" },
+		{ L"Driver", L"_DRIVER_OBJECT" },
+		{ L"Device", L"_DEVICE_OBJECT" },
+	};
 };
 

ObjExp/StructurePage.cpp

@@ -1,31 +1,39 @@
 #include "pch.h"
 #include "StructurePage.h"
-#include "DiaHelper.h"
 #include "SymbolToTreeView.h"
 #include "TreeListView.h"
 
-CStructPage::CStructPage(HANDLE hObject, DiaSymbol const& sym) : m_hObject(hObject), m_Object(sym) {
+CStructPage::CStructPage(HANDLE hObject) : m_hObject(hObject), m_Object(DiaSymbol::Empty) {
+}
+
+void CStructPage::SetSymbol(DiaSymbol sym, PVOID address) {
+    m_Object = std::move(sym);
+    m_Address = address;
 }
 
 LRESULT CStructPage::OnInitDialog(UINT, WPARAM, LPARAM, BOOL&) {
-    InitDynamicLayout();
+    InitDynamicLayout(false);
 
     m_Tree.SubclassWindow(GetDlgItem(IDC_TREE));
-    auto header = m_Tree.GetHeaderControl();
-    HDITEM col = { 0 };
-    col.mask = HDI_FORMAT | HDI_TEXT | HDI_WIDTH;
-    col.fmt = HDF_LEFT;
-    col.cxy = 150;
-    col.pszText = (PWSTR)_T("Member");
-    header.InsertItem(0, &col);
-    col.cxy = 150;
-    col.pszText = (PWSTR)_T("Type");
-    header.InsertItem(1, &col);
-    col.cxy = 150;
-    col.pszText = (PWSTR)_T("Value");
-    header.InsertItem(2, &col);
-
-    SymbolToTreeView::FillTreeView(m_Tree, TVI_ROOT, m_Object);
+    m_Tree.AddColumn(L"Member", 200);
+    m_Tree.AddColumn(L"Type", 180);
+    m_Tree.AddColumn(L"Value", 150);
+    m_Tree.AddColumn(L"Details", 150);
+    m_font.CreatePointFont(100, L"Consolas");
+    m_Tree.GetTreeControl().SetFont(m_font);
+
+    CImageList images;
+    images.Create(16, 16, ILC_COLOR32, 8, 0);
+    UINT icons[] = { IDI_STRUCT, IDI_UNION, IDI_FIELD, IDI_ENUM, IDI_BITFIELD };
+    for (auto icon : icons)
+        images.AddIcon(AtlLoadIconImage(icon, 0, 16, 16));
+    m_Tree.GetTreeControl().SetImageList(images);
+
+    auto hRoot = m_Tree.GetTreeControl().InsertItem(m_Object.Name().c_str(), 0, 0, TVI_ROOT, TVI_LAST);
+    SymbolToTreeView::FillTreeView(m_Tree, hRoot, m_Object);
+    m_Tree.GetTreeControl().Expand(hRoot, TVE_EXPAND);
 
     return 0;
 }
+
+

ObjExp/StructurePage.h

@@ -5,8 +5,7 @@
 #include "ResourceManager.h"
 #include "ObjectManager.h"
 #include "TreeListView.h"
-
-class DiaSymbol;
+#include "DiaHelper.h"
 
 class CStructPage :
 	public CDialogImpl<CStructPage>,
@@ -15,11 +14,9 @@ class CStructPage :
 public:
 	enum { IDD = IDD_STRUCT };
 
-	CStructPage(HANDLE hObject, DiaSymbol const& sym);
+	explicit CStructPage(HANDLE hObject);
 
-	//CString GetColumnText(HWND, int row, int col) const;
-	//void DoSort(SortInfo const* si);
-	//int GetRowImage(HWND, int, int) const;
+	void SetSymbol(DiaSymbol sym, PVOID address = nullptr);
 
 	BEGIN_MSG_MAP(CStructPage)
 		MESSAGE_HANDLER(WM_INITDIALOG, OnInitDialog)
@@ -33,15 +30,12 @@ class CStructPage :
 
 	LRESULT OnInitDialog(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/);
 
-	enum class ColumnType {
-		PID, Handle, ProcessName, Attributes, Access, DecodedAccess,
-	};
-
 private:
-	DiaSymbol const& m_Object;
+	DiaSymbol m_Object;
+	PVOID m_Address;
 	HANDLE m_hObject;
-	CString m_TypeName;
 	CTreeListView m_Tree;
+	CFont m_font;
 };
 
 

ObjExp/SymbolToTreeView.cpp

@@ -2,16 +2,23 @@
 #include "SymbolToTreeView.h"
 #include "TreeListView.h"
 
-void SymbolToTreeView::FillTreeView(CTreeListView& tv, HTREEITEM hRoot, DiaSymbol const& sym, ITreeViewFillCallback* cb) {
+void SymbolToTreeView::FillTreeView(CTreeListView& tv, HTREEITEM hRoot, DiaSymbol const& sym, PVOID address) {
 	for (auto member : sym.FindChildren()) {
-		//auto name = member.Name() + L" (" + member.TypeName() + L")";
-		int image = -1;
-		if (cb)
-			image = cb->GetImageForSymbol(sym);
+		int image = 2;
+		if (member.Location() == LocationKind::BitField)
+			image = 4;
+		else {
+			switch (member.Type().Tag()) {
+				case SymbolTag::UDT: 
+					image = member.Type().UdtKind() == UdtType::Union ? 1 : 0;
+					break;
+				case SymbolTag::Enum: 
+					image = 3; 
+					break;
+			}
+		}
 		auto hItem = tv.GetTreeControl().InsertItem(member.Name().c_str(), image, image, hRoot, TVI_LAST);
 		tv.SetSubItemText(hItem, 1, member.TypeName().c_str());
-		if(cb)
-			tv.SetSubItemText(hItem, 2, cb->GetValue(member).c_str());
 		if (member.Type().Tag() == SymbolTag::UDT) {
 			FillTreeView(tv, hItem, member.Type());
 		}

ObjExp/SymbolToTreeView.h

@@ -2,15 +2,10 @@
 
 #include "DiaHelper.h"
 
-struct ITreeViewFillCallback {
-	virtual int GetImageForSymbol(DiaSymbol const& sym) = 0;
-	virtual std::wstring GetValue(DiaSymbol const& sym) = 0;
-};
-
 class CTreeListView;
 
 class SymbolToTreeView {
 public:
-	static void FillTreeView(CTreeListView& tv, HTREEITEM hRoot, DiaSymbol const& sym, ITreeViewFillCallback* cb = nullptr);
+	static void FillTreeView(CTreeListView& tv, HTREEITEM hRoot, DiaSymbol const& sym, PVOID address = nullptr);
 };
 

ObjExp/TreeListView.h

@@ -401,6 +401,17 @@ class ATL_NO_VTABLE CTreeListViewImpl :
 		_Init();
 		return 0;
 	}
+
+	bool AddColumn(PCWSTR text, int width, DWORD format = HDF_LEFT) {
+		auto header = GetHeaderControl();
+		HDITEM col;
+		col.mask = HDI_FORMAT | HDI_TEXT | HDI_WIDTH;
+		col.fmt = format;
+		col.cxy = width;
+		col.pszText = (PWSTR)text;
+		return header.InsertItem(header.GetItemCount(), &col);
+	}
+
 	LRESULT OnSettingChange(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/) {
 		if (!m_fontHeader.IsNull()) m_fontHeader.DeleteObject();
 		NONCLIENTMETRICS ncm = { 0 };
@@ -418,14 +429,17 @@ class ATL_NO_VTABLE CTreeListViewImpl :
 		m_ctrlTree.SetFocus();
 		return 0;
 	}
+
 	LRESULT OnSize(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/) {
 		T* pT = static_cast<T*>(this);
 		pT->UpdateLayout();
 		return 0;
 	}
+
 	LRESULT OnEraseBkGnd(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lParam*/, BOOL& /*bHandled*/) {
 		return 1; // Children fill entire client area
 	}
+
 	LPARAM OnHScroll(UINT /*uMsg*/, WPARAM wParam, LPARAM /*lParam*/, BOOL& /*bHandled*/) {
 		// Thanks to Oleg Reabciuc for providing the horizontal scrolling
 		// support for this control
@@ -446,7 +460,7 @@ class ATL_NO_VTABLE CTreeListViewImpl :
 		int nScrollMax;                         // Maximum scrolling value
 		p->GetScrollRange(SB_HORZ, &nScrollMin, &nScrollMax);
 
-		// Check which kind of scoll is wanted
+		// Check which kind of scroll is wanted
 		switch (nSBCode) {
 			case SB_LEFT:                          // Scoll to left most position
 				nCurPos = 0;
@@ -929,5 +943,3 @@ class CTreeListView : public CTreeListViewImpl<CTreeListView> {
 public:
 	DECLARE_WND_CLASS(L"WTL_TreeListView")
 };
-
-

ObjExp/resource.h

@@ -78,6 +78,11 @@
 #define IDD_STRUCT                      278
 #define IDI_INFO                        280
 #define IDR_DRIVER                      282
+#define IDI_BITFIELD                    283
+#define IDI_ENUM                        284
+#define IDI_FIELD                       285
+#define IDI_ICON4                       286
+#define IDI_UNION                       286
 #define IDC_TYPE                        1000
 #define IDC_NAME                        1001
 #define IDC_HANDLES                     1002
@@ -106,7 +111,6 @@
 #define IDC_SYSLINK                     1028
 #define IDC_VERSION                     1029
 #define IDC_COPYRIGHT                   1030
-#define IDC_TREE1                       1034
 #define IDC_TREE                        1034
 #define ID_WINDOW_CLOSE                 32772
 #define ID_WINDOW_CLOSE_ALL             32773
@@ -157,7 +161,7 @@
 // 
 #ifdef APSTUDIO_INVOKED
 #ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE        283
+#define _APS_NEXT_RESOURCE_VALUE        287
 #define _APS_NEXT_COMMAND_VALUE         32821
 #define _APS_NEXT_CONTROL_VALUE         1035
 #define _APS_NEXT_SYMED_VALUE           101