Object Manager Plus

[DartVanya]

• Implement properties support for Object Manager

  • Standard System Informer handle properties window for Windows objects (including Directories).
  • Add support for missing object types: Device, EventPair, Timer, Semaphore, FilterConnectionPort
  • [System Informer] Add target link info for Symbolic links
  • Fix Directory handles leaking
  • [ET Plugin] Add Windows Object tab to properties window: object attributes and creation time.

• Enhanced Object Manager

  • [System Informer] Add GeneralCallbackHandlePropertiesWindowPreOpen, calls on WM_INITDIALOG and allows plugins to customize general handle properties tab.
  • Display real handles count and hide irrelevant access entry. Show object address
  • Add Symbolic Link Target column
  • Enhanced navigation to symlink: focus to target in ListView.

• Defied WinObj: search, statusbar, refresh

  • Implements search using standard SI searchbox: searches all 3 columns (name, type, target)
  • Status bar (pseudo) with fullpath to selected object (can copy on righclick menu), current directory object count
  • Refresh button - full rebuild of tree and current directory list

• [System Informer, Plugins] Fixed WM_KEYDOWN forwarding (both for PH and plugins), broken by 5bf7f29#diff-22c39c7de8c6ce2547b9cda41005993a982b12b5f4d567a14ce7e38534c2bf77L1789

  • Fixed Ctrl+K to search box in PE VIew

• Add target resolving for Device and ALPC port

  • Renamed Symbolic Link Target column to Target
  • Implemented (experimental) asynchronous resolver for Device and ALPC port targets.
    • Resolving Device driver target. Added menu Go to device driver
    • Resolving ALPC server process target. Added menu Go to process...

• Add target resolving for Mutant, fix search

  • Improve resolver. Added mutant client owner to target and menu Go to thread...
  • Improve filter: it now stay when changing directory. If selected entry match it stay selected and visible when performing search.
  • Tri-state column sort now saved and loaded from settings (ObjectManagerWindowListSort). Sort now works correctly on directory or filter change.
  • Enter - open properties, Ctrl+Enter - open security, Shift+Enter or Shift+Dblclk on symlink opens its properties.

• Support for open symlink target in explorer

• Show Job process list in target column

• Add CpuPartition type support and icons for more types

  • Add icon for Job, Semaphore, FilterConnectionPort, CpuPartition, Partition

New Object Handles page in properties

• Old Windows Object page entries moved to general page in "Basic information" block. Windows Object replaced with Handles page.
• Menu - Go to process... supported
• Now opens real objects for ALPC Port, FilterConnectionPort, Key (\REGISTRY) using new method (credits to https://github.com/zodiacon/ObjectExplorer)
• Show additional handles for ALPC Port, Device, Key (match by object name). Extra entries will be highlight with ColorInheritHandles)

[phlib, kphlib] Add PhOpenDevice. And Oject Manager Plus FINAL

• My first attempt in kernel programming. Add PhOpenDevice -> KphOpenDevice. Opens Device object handle and optional Device Driver handle. Can open lowest or topmost device from stack.
• Propertines - Device driver info: show topmost and lowest drivers in stack
• [Theme General] ListVew: fix text readability for hot and selected colored items.
  TreeNew: significantly improve visibility of selected item.

Support for multiple non-modal object properties windows

• Add GeneralCallbackHandlePropertiesUninitializing. Save and load properties window position to/from ObjectManagerPropertiesWindowPosition setting
• Resolving of Driver Image into Target column, menu - Open file location. Show Driver Image in properties.

Add KphOpenObjectByTypeIndex

• [Experimental]. Can open any object types like Callback, Type, etc.
• New icons for Callback, KeyedEvent, Type, Semaphore

[jxy-s]

Awesome work! I'll help give an in-depth review when I have some cycles. Some initial feedback on the video you provided (thanks for that it's very helpful). I wonder if it makes sense to change the "Symbolic Link Target" column to a more generic "Target" column to show information/names of things more broadly? I'm thinking, for example, you could show the name for named object or the device for filter ports. Instead of only showing symbol link names.

[DartVanya]

Awesome work! I'll help give an in-depth review when I have some cycles. Some initial feedback on the video you provided (thanks for that it's very helpful). I wonder if it makes sense to change the "Symbolic Link Target" column to a more generic "Target" column to show information/names of things more broadly? I'm thinking, for example, you could show the name for named object or the device for filter ports. Instead of only showing symbol link names.

Add target resolving for Device and ALPC port

• Renamed Symbolic Link Target column to Target
• Implemented (experimental) asynchronous resolver for Device and ALPC port targets.
  • Resolving Device driver target. Added menu Go to device driver
  • Resolving ALPC server process target. Added menu Go to server process
• Rewritten navigaton to symbolic links (and device drivers)

Add target resolving for Mutant, fix search

resolver_test.mp4

[jxy-s]

A few more things @DartVanya. I think we're very close to being able to merge 🚀 .

There is some formatting and style nits that I opted not to comment on. Mostly function close parenthesis is not correctly indented or mics style things here and there. I don't mind going to clean those up myself after merging. 👍

[jxy-s]

🤔 is this not going to leak the handle (and below)? Also, how did this ever work? PhSecurityInformation_Release passes the Context to the CloseObject and not the Handle? Maybe it was intended for PhpOpenSecurityStationHandle to set the output context pointer to the opened handle?

[DartVanya]

Handle is opened from PhStdGetObjectSecurity via OpenObject. After retrieving of security info by PhGetObjectSecurity Handle is closing by NtClose inside PhStdGetObjectSecurity. CloseObject only useful to free resources after security window closes (only Object Manager uses it). Previous PhpCloseSecurityDesktopHandle and PhpCloseSecurityStationHandle code hadn't effect since Context was NULL.

If Desktop handle was open by OpenDesktop, NtClose can't close it and returns STATUS_HANDLE_NOT_CLOSABLE (despite handle doesn't have the Protected attribute). But this doesn't happen if handle was duplicated (seems like it's a bug in Windows?). To fix this I added this code to PhStdGetObjectSecurity.

        if (NtClose(handle) == STATUS_HANDLE_NOT_CLOSABLE &&
            PhEqualString2(this->ObjectType, L"Desktop", TRUE))
        {
            CloseDesktop(handle);
        } 

Example of huge Desktop handles leak in current release build:

s14_14-16_tD9tS.mp4

[jxy-s]

I'm seeing this frequently in the PR, why the changes to pass the desktop window handle in these paths? It seems unnecessary given the documentation and SAL.

[DartVanya]

Recently @dmex also asked me about this. At your discretion, I can revert this.

I changed parrent from NULL to GetDesktopWindow() to not show double icon on this dialogs. It wasn't a problem for MessageBox, since it didn't have window icon.

Parrent NULL

Parrent Desktop

[jxy-s]

There are edits to tools/peview/searchbox.c here, but I don't see any changes to SystemInformer/searchbox.c? Unfortunately there is duplicated code somewhat between them. I'm not asking you do consolidate them. But I'm curious (and spot checking) that there are no changes to the complimentary file in SystemInformer/searchbox.c.

[jxy-s]

Just checking, this comment indicates that you intend to only do this on Windows 11 - but I don't see any restrictions to only Windows 11?

[DartVanya]

V

[jxy-s]

There is commented out code and comments throughout this file indicating intention to restrict certain changes depending on the operating system version. Spot checking that this is intended as it is?

[DartVanya]

V

[jxy-s]

There is commented out code and comments throughout this file indicating intention to restrict certain changes depending on the operating system version. Spot checking that this is intended as it is?

[DartVanya]

PhGetThemeClass and its underlying uxtheme\GetThemeClass are only available since Win11. I tried to find some workaround, but I couldn't make a correct implementation which will support TaskDialog and doesn't break other UI parts on Windows 10. It's very frustrating why Microsoft uses same theme PartId integers for different control types 😕

In general, TaskDialog theme currently unsupported in WindowsVersion < WINDOWS_11. Thats why I comment out this code, may be someone find solution for Win10. Currently I think what it is impossible to do without GetThemeClass.

[jxy-s]

Oddity here - this needs a check for KsiLevel() else an assert will trigger on the uninitialized free list. I want to eventually make it so the initialization of the driver isn't a requirement for trying to call the APIs, but that's not how it works today. Please add a check if KsiLevel() >= KphLevelMed before calling KphAlpcQueryInformation.

[DartVanya]

Alpc port and driver target resolving only enabled with BOOLEAN useKsi = KsiLevel() >= KphLevelMed;

        else if (entry->EtObjectType == EtObjectDevice ||       // allow resolving without driver for PhGetPnPDeviceName()
            entry->EtObjectType == EtObjectAlpcPort && useKsi ||
            entry->EtObjectType == EtObjectMutant ||
            entry->EtObjectType == EtObjectJob ||
            entry->EtObjectType == EtObjectDriver && useKsi)
        {
            entry->TargetIsResolving = TRUE;
        }

In this case, resolver code will not be queued.

    for (ULONG i = 0; i < Context->CurrentDirectoryList->Count; i++)
    {
        ...
        if (!entry->TargetIsResolving)
            continue;
        ...
    }