Skip to content

optimized #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
yueryang wants to merge 11 commits into
base: main
Choose a base branch
from
Open

optimized #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
5dc44b3
optimized
yueryang Jul 29, 2022
1ef473c
Update FileDelete.vcxproj
yueryang Jul 29, 2022
2dc0ef0
Update FileDeleteCom.vcxproj
yueryang Jul 29, 2022
ad6cfc3
Update FileDeleteCom.vcxproj
yueryang Jul 29, 2022
bfd637a
Delete FileDelete.inf
yueryang Jul 29, 2022
dd7b18c
Update FileDeleteCom.vcxproj
yueryang Jul 29, 2022
ca36ac7
Update FileDeleteCom.vcxproj
yueryang Jul 29, 2022
972f915
Delete FileDelete.vcxproj
yueryang Jul 29, 2022
f41976c
Delete FileDeleteCom.vcxproj
yueryang Jul 29, 2022
989778f
Update ProcessReference.cpp
yueryang Jul 29, 2022
a96a80a
Update handle.cpp
yueryang Jul 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 0 additions & 32 deletions FileDelete/FileDelete/FileDelete.inf
View file
Open in desktop

This file was deleted.

163 changes: 0 additions & 163 deletions FileDelete/FileDelete/FileDelete.vcxproj
View file
Open in desktop

This file was deleted.

12 changes: 9 additions & 3 deletions FileDelete/FileDelete/ProcessReference.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,17 @@ ProcessReference::~ProcessReference() {

}

NTSTATUS ProcessReference::init(size_t pid, bool attach) {
NTSTATUS ProcessReference::init(size_t pid, bool attach)
{
CHECK(PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(pid), &m_process));
m_attach = attach;
if (attach) {
m_apc_state = (KAPC_STATE*)ExAllocatePool(NonPagedPool, sizeof(KAPC_STATE));
if (attach)
{
m_apc_state = (KAPC_STATE*)ExAllocatePool2(NonPagedPool, sizeof(KAPC_STATE), '2cba');
Copy link
Copy Markdown
Owner

@Rhydon1337 Rhydon1337 Jul 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain please why this is necessary?

Copy link
Copy Markdown
Owner

@Rhydon1337 Rhydon1337 Aug 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ExAllocatePool2 and ExAllocatePoolZero are both functions that are supported from new versions of windows.
ExAllocatePoolWithTag is maybe deprecated in the new WDK toolset but there is background compatibility in the windows kernel, you should compile with WDK from from lower version.
Please use ExAllocatePoolWithTag

Copy link
Copy Markdown
Author

@yueryang yueryang Aug 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's OK in an older version.

if (NULL == m_apc_state)
m_apc_state = (KAPC_STATE*)ExAllocatePoolZero(NonPagedPool, sizeof(KAPC_STATE), '2cba');
if (NULL == m_apc_state)
return STATUS_MEMORY_NOT_ALLOCATED;
KeStackAttachProcess(m_process, m_apc_state);
}
return STATUS_SUCCESS;
Expand Down
18 changes: 11 additions & 7 deletions FileDelete/FileDelete/handle.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,21 +5,25 @@ extern "C" NTSTATUS NTAPI ZwQuerySystemInformation(IN size_t SystemInformationCl
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL);

SYSTEM_HANDLE_INFORMATION* get_all_handles() {
SYSTEM_HANDLE_INFORMATION* get_all_handles()
{
size_t handles_allocation_size = 0;
PVOID handles_pool = nullptr;

while (true) {
for (;;)
{
handles_allocation_size += 0x10000;
handles_pool = ExAllocatePool(PagedPool, handles_allocation_size);
handles_pool = ExAllocatePool2(PagedPool, handles_allocation_size, '1cba');
Copy link
Copy Markdown
Owner

@Rhydon1337 Rhydon1337 Jul 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain please why this is necessary?

Copy link
Copy Markdown
Author

@yueryang yueryang Jul 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good question. Generally speaking, Microsoft Windows is updating its document all the time. Judging whether it succeeds in allocating pools is always required. Other changes could be ignored if using an old version wdk.

According to the Microsoft document, ExAllocatePool is obsolete and has been deprecated in Windows 10, version 2004. It has been replaced by ExAllocatePool2. From then on, Microsoft always encourages developers to have a tag while allocating a pool. The following image prevents me to build it when regarding warnings as errors in kernel mode.

image

After my testing, ExAllocatePool2 is not always successful, but ExAllocatePoolZero on my system could succeed. I have no good ideas on this point. Maybe it is better to judge which one to use first according to the system.
image

The same as the ProcessReference.cpp.
Many Thanks.

Copy link
Copy Markdown
Owner

@Rhydon1337 Rhydon1337 Jul 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool :)
Why you didn't choose ExAllocatePoolWithTag?
Because ExAllocatePool2 is supported only from new windows version.

Copy link
Copy Markdown
Author

@yueryang yueryang Jul 29, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ExAllocatePoolWithTag is also replaced by ExAllocatePool2.
I don't know why Microsoft would like to do this. Maybe it is safer to use the new API.
Click here to see related documents.

Copy link
Copy Markdown
Owner

@Rhydon1337 Rhydon1337 Aug 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ExAllocatePool2 and ExAllocatePoolZero are both functions that are supported from new versions of windows.
ExAllocatePoolWithTag is maybe deprecated in the new WDK toolset but there is background compatibility in the windows kernel, you should compile with WDK from from lower version.
Please use ExAllocatePoolWithTag

if (NULL == handles_pool)
handles_pool = ExAllocatePoolZero(PagedPool, handles_allocation_size, '1cba');
if (NULL == handles_pool)
break;

auto status = ZwQuerySystemInformation(SystemHandleInformation, handles_pool, (ULONG)handles_allocation_size, nullptr);
if (status == STATUS_INFO_LENGTH_MISMATCH) {
if (status == STATUS_INFO_LENGTH_MISMATCH)
ExFreePool(handles_pool);
}
else {
else
break;
}
}
return (SYSTEM_HANDLE_INFORMATION*)handles_pool;
}
Loading