WIP: NtQueryObject / NtQueryInformationFile

.github/workflows/build.yml

@@ -31,9 +31,6 @@ jobs:
       # checkout USVFS and vcpkg
       - uses: actions/checkout@v4
       - uses: lukka/run-vcpkg@v11
-        with:
-          vcpkgGitCommitId: f61a294e765b257926ae9e9d85f96468a0af74e7
-          vcpkgJsonGlob: ${{ github.workspace }}/usvfs/vcpkg.json
 
       # configure
       - run: cmake --preset vs2022-windows-${{ matrix.arch }} -B build_${{ matrix.arch }} "-DCMAKE_INSTALL_PREFIX=install/${{ matrix.config }}"
@@ -140,6 +137,8 @@ jobs:
         if: always()
       - run: ./test/bin/usvfs_test_runner_${{ matrix.arch }}.exe
         if: always()
+      - run: ./test/bin/usvfs_global_test_runner_${{ matrix.arch }}.exe
+        if: always()
       - uses: actions/upload-artifact@master
         if: always()
         with:

include/usvfs/usvfs.h

@@ -144,7 +144,7 @@ DLLEXPORT BOOL WINAPI usvfsCreateVFSDump(LPSTR buffer, size_t *size);
  * file system
  * @param executableName  name of the executable
  */
-DLLEXPORT VOID WINAPI usvfsBlacklistExecutable(LPWSTR executableName);
+DLLEXPORT VOID WINAPI usvfsBlacklistExecutable(LPCWSTR executableName);
 
 /**
  * clears the executable blacklist
@@ -157,7 +157,7 @@ DLLEXPORT VOID WINAPI usvfsClearExecutableBlacklist();
  * not to be confused with file extensions
  * @param fileSuffix  a valid file suffix
  */
-DLLEXPORT VOID WINAPI usvfsAddSkipFileSuffix(LPWSTR fileSuffix);
+DLLEXPORT VOID WINAPI usvfsAddSkipFileSuffix(LPCWSTR fileSuffix);
 
 /**
  * clears the file suffix skip-list
@@ -172,7 +172,7 @@ DLLEXPORT VOID WINAPI usvfsClearSkipFileSuffixes();
  * will have the .git directory skipped during directory linking
  * @param directory  name of the directory
  */
-DLLEXPORT VOID WINAPI usvfsAddSkipDirectory(LPWSTR directory);
+DLLEXPORT VOID WINAPI usvfsAddSkipDirectory(LPCWSTR directory);
 
 /**
  * clears the directory skip-list
@@ -183,7 +183,7 @@ DLLEXPORT VOID WINAPI usvfsClearSkipDirectories();
  * adds a library to be force loaded when the given process is injected
  * @param
  */
-DLLEXPORT VOID WINAPI usvfsForceLoadLibrary(LPWSTR processName, LPWSTR libraryPath);
+DLLEXPORT VOID WINAPI usvfsForceLoadLibrary(LPCWSTR processName, LPCWSTR libraryPath);
 
 /**
  * clears all previous calls to ForceLoadLibrary

include/usvfs/usvfs_version.h

@@ -2,8 +2,8 @@
 
 #define USVFS_VERSION_MAJOR 0
 #define USVFS_VERSION_MINOR 5
-#define USVFS_VERSION_BUILD 6
-#define USVFS_VERSION_REVISION 2
+#define USVFS_VERSION_BUILD 7
+#define USVFS_VERSION_REVISION 0
 
 #define USVFS_BUILD_STRING ""
 #define USVFS_BUILD_WSTRING L""

src/shared/formatters.h

@@ -74,6 +74,16 @@ struct std::formatter<PCUNICODE_STRING, char> : std::formatter<std::string, char
   }
 };
 
+template <>
+struct std::formatter<UNICODE_STRING, char> : std::formatter<std::string, char>
+{
+  template <class FmtContext>
+  FmtContext::iterator format(UNICODE_STRING v, FmtContext& ctx) const
+  {
+    return std::formatter<std::string, char>::format(usvfs::log::to_string(&v), ctx);
+  }
+};
+
 template <class Pointer>
   requires (std::is_pointer_v<Pointer>
     && !std::is_same_v<Pointer, const char*>

src/shared/ntdll_declarations.cpp

@@ -27,6 +27,9 @@ NtQueryDirectoryFile_type NtQueryDirectoryFile;
 NtQueryDirectoryFileEx_type NtQueryDirectoryFileEx;
 NtQueryFullAttributesFile_type NtQueryFullAttributesFile;
 NtQueryAttributesFile_type NtQueryAttributesFile;
+NtQueryObject_type NtQueryObject;
+NtQueryInformationFile_type NtQueryInformationFile;
+NtQueryInformationByName_type NtQueryInformationByName;
 NtOpenFile_type NtOpenFile;
 NtCreateFile_type NtCreateFile;
 NtClose_type NtClose;
@@ -46,6 +49,9 @@ void ntdll_declarations_init() {
     LOAD_EXT(ntDLLMod, NtQueryDirectoryFileEx);
     LOAD_EXT(ntDLLMod, NtQueryFullAttributesFile);
     LOAD_EXT(ntDLLMod, NtQueryAttributesFile);
+    LOAD_EXT(ntDLLMod, NtQueryObject);
+    LOAD_EXT(ntDLLMod, NtQueryInformationFile);
+    LOAD_EXT(ntDLLMod, NtQueryInformationByName);
     LOAD_EXT(ntDLLMod, NtCreateFile);
     LOAD_EXT(ntDLLMod, NtOpenFile);
     LOAD_EXT(ntDLLMod, NtClose);

src/shared/ntdll_declarations.h

@@ -116,13 +116,80 @@ typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
   WCHAR FileName[1];
 } FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;
 
+typedef struct _FILE_BASIC_INFORMATION
+{
+  LARGE_INTEGER CreationTime;
+  LARGE_INTEGER LastAccessTime;
+  LARGE_INTEGER LastWriteTime;
+  LARGE_INTEGER ChangeTime;
+  ULONG FileAttributes;
+} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
+
+typedef struct _FILE_STANDARD_INFORMATION
+{
+  LARGE_INTEGER AllocationSize;
+  LARGE_INTEGER EndOfFile;
+  ULONG NumberOfLinks;
+  BOOLEAN DeletePending;
+  BOOLEAN Directory;
+} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
+
 typedef struct _FILE_NAMES_INFORMATION {
   ULONG NextEntryOffset;
   ULONG FileIndex;
   ULONG FileNameLength;
   WCHAR FileName[1];
 } FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
 
+typedef struct _FILE_INTERNAL_INFORMATION
+{
+  LARGE_INTEGER IndexNumber;
+} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
+
+typedef struct _FILE_EA_INFORMATION
+{
+  ULONG EaSize;
+} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
+
+typedef struct _FILE_ACCESS_INFORMATION
+{
+  ACCESS_MASK AccessFlags;
+} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
+
+typedef struct _FILE_POSITION_INFORMATION
+{
+  LARGE_INTEGER CurrentByteOffset;
+} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
+
+typedef struct _FILE_MODE_INFORMATION
+{
+  ULONG Mode;
+} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
+
+typedef struct _FILE_ALIGNMENT_INFORMATION
+{
+  ULONG AlignmentRequirement;
+} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;
+
+typedef struct _FILE_NAME_INFORMATION
+{
+  ULONG FileNameLength;
+  WCHAR FileName[1];
+} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
+
+typedef struct _FILE_ALL_INFORMATION
+{
+  FILE_BASIC_INFORMATION BasicInformation;
+  FILE_STANDARD_INFORMATION StandardInformation;
+  FILE_INTERNAL_INFORMATION InternalInformation;
+  FILE_EA_INFORMATION EaInformation;
+  FILE_ACCESS_INFORMATION AccessInformation;
+  FILE_POSITION_INFORMATION PositionInformation;
+  FILE_MODE_INFORMATION ModeInformation;
+  FILE_ALIGNMENT_INFORMATION AlignmentInformation;
+  FILE_NAME_INFORMATION NameInformation;
+} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
+
 typedef struct _FILE_OBJECTID_INFORMATION {
   LONGLONG FileReference;
   UCHAR ObjectId[16];
@@ -142,10 +209,11 @@ typedef struct _FILE_REPARSE_POINT_INFORMATION {
 } FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION;
 
 // copied from ntstatus.h
-#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
-#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
-#define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L)
-#define STATUS_NO_SUCH_FILE ((NTSTATUS)0xC000000FL)
+#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
+#define STATUS_BUFFER_OVERFLOW       ((NTSTATUS)0x80000005L)
+#define STATUS_NO_MORE_FILES         ((NTSTATUS)0x80000006L)
+#define STATUS_INFO_LENGTH_MISMATCH  ((NTSTATUS)0xC0000004L)
+#define STATUS_NO_SUCH_FILE          ((NTSTATUS)0xC000000FL)
 
 #define SL_RESTART_SCAN                 0x01
 #define SL_RETURN_SINGLE_ENTRY          0x02
@@ -158,13 +226,17 @@ typedef enum _FILE_INFORMATION_CLASS {
   FileDirectoryInformation       = 1,
   FileFullDirectoryInformation   = 2,
   FileBothDirectoryInformation   = 3,
+  FileStandardInformation        = 5,
+  FileNameInformation            = 9,
+  FileRenameInformation          = 10,
   FileNamesInformation           = 12,
+  FileAllInformation             = 18,
   FileObjectIdInformation        = 29,
   FileReparsePointInformation    = 33,
   FileIdBothDirectoryInformation = 37,
-  FileIdFullDirectoryInformation = 38
-} FILE_INFORMATION_CLASS,
-    *PFILE_INFORMATION_CLASS;
+  FileIdFullDirectoryInformation = 38,
+  FileNormalizedNameInformation  = 48,
+} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
 
 typedef enum _MODE { KernelMode, UserMode, MaximumMode } MODE;
 
@@ -253,6 +325,18 @@ typedef struct _OBJECT_HANDLE_INFORMATION {
   ACCESS_MASK GrantedAccess;
 } OBJECT_HANDLE_INFORMATION, *POBJECT_HANDLE_INFORMATION;
 
+typedef struct _OBJECT_NAME_INFORMATION
+{
+  UNICODE_STRING Name;
+} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
+
+typedef enum _OBJECT_INFORMATION_CLASS
+{
+  ObjectBasicInformation = 0,
+  ObjectNameInformation  = 1,
+  ObjectTypeInformation  = 2
+} OBJECT_INFORMATION_CLASS;
+
 typedef struct _RTL_RELATIVE_NAME {
   UNICODE_STRING RelativeName;
   HANDLE         ContainingDirectory;
@@ -269,14 +353,6 @@ typedef struct _FILE_NETWORK_OPEN_INFORMATION {
   ULONG FileAttributes;
 } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
 
-typedef struct _FILE_BASIC_INFORMATION {
-  LARGE_INTEGER CreationTime;
-  LARGE_INTEGER LastAccessTime;
-  LARGE_INTEGER LastWriteTime;
-  LARGE_INTEGER ChangeTime;
-  ULONG         FileAttributes;
-} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
-
 #define FILE_DIRECTORY_FILE                       0x00000001
 #define FILE_WRITE_THROUGH                        0x00000002
 #define FILE_SEQUENTIAL_ONLY                      0x00000004
@@ -302,55 +378,67 @@ typedef struct _FILE_BASIC_INFORMATION {
 #define FILE_OPEN_FOR_FREE_SPACE_QUERY            0x00800000
 #define FILE_CONTAINS_EXTENDED_CREATE_INFORMATION 0x10000000
 
-typedef NTSTATUS(WINAPI *NtQueryDirectoryFile_type)(
+// Nt
+
+using NtQueryDirectoryFile_type = NTSTATUS(WINAPI *)(
     HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG,
     FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN);
-
-typedef NTSTATUS(WINAPI *NtQueryDirectoryFileEx_type)(
+using NtQueryDirectoryFileEx_type = NTSTATUS(WINAPI *)(
     HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG,
     FILE_INFORMATION_CLASS, ULONG, PUNICODE_STRING);
 
-typedef NTSTATUS(WINAPI *NtQueryFullAttributesFile_type)(
+using NtQueryFullAttributesFile_type = NTSTATUS(WINAPI *)(
     POBJECT_ATTRIBUTES, PFILE_NETWORK_OPEN_INFORMATION);
-
-typedef NTSTATUS(WINAPI *NtQueryAttributesFile_type)(POBJECT_ATTRIBUTES,
+using NtQueryAttributesFile_type = NTSTATUS(WINAPI *)(POBJECT_ATTRIBUTES,
                                                      PFILE_BASIC_INFORMATION);
 
-typedef NTSTATUS(WINAPI *NtOpenFile_type)(PHANDLE, ACCESS_MASK,
+using NtQueryObject_type = NTSTATUS (WINAPI *)(
+  HANDLE Handle, OBJECT_INFORMATION_CLASS ObjectInformationClass,
+  PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength);
+using NtQueryInformationFile_type = NTSTATUS(WINAPI*)(
+    HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation,
+    ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
+
+using NtQueryInformationByName_type = NTSTATUS(WINAPI*)(
+  HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation,
+  ULONG Length, FILE_INFORMATION_CLASS FileInformationClass);
+
+using NtOpenFile_type = NTSTATUS(WINAPI *)(PHANDLE, ACCESS_MASK,
                                           POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK,
                                           ULONG, ULONG);
-
-typedef NTSTATUS(WINAPI *NtCreateFile_type)(PHANDLE, ACCESS_MASK,
+using NtCreateFile_type = NTSTATUS(WINAPI *)(PHANDLE, ACCESS_MASK,
                                             POBJECT_ATTRIBUTES,
                                             PIO_STATUS_BLOCK, PLARGE_INTEGER,
                                             ULONG, ULONG, ULONG, ULONG, PVOID,
                                             ULONG);
 
-typedef NTSTATUS(WINAPI *NtClose_type)(HANDLE);
-
-typedef NTSYSAPI BOOLEAN(NTAPI *RtlDoesFileExists_U_type)(PCWSTR);
-
-typedef NTSTATUS(NTAPI *RtlDosPathNameToRelativeNtPathName_U_WithStatus_type)(
-  PCWSTR DosFileName, PUNICODE_STRING NtFileName, PWSTR* FilePath, PRTL_RELATIVE_NAME RelativeName);
+using NtClose_type = NTSTATUS(WINAPI *)(HANDLE);
 
-typedef void (NTAPI *RtlReleaseRelativeName_type)(PRTL_RELATIVE_NAME RelativeName);
+using NtTerminateProcess_type = NTSTATUS(WINAPI *)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
 
-typedef NTSTATUS (NTAPI *RtlGetVersion_type)(PRTL_OSVERSIONINFOW);
+// Rtl
 
-typedef NTSTATUS(WINAPI *NtTerminateProcess_type)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
+using RtlDoesFileExists_U_type = NTSYSAPI BOOLEAN(NTAPI *)(PCWSTR);
+using RtlDosPathNameToRelativeNtPathName_U_WithStatus_type = NTSTATUS(NTAPI *)(
+  PCWSTR DosFileName, PUNICODE_STRING NtFileName, PWSTR* FilePath, PRTL_RELATIVE_NAME RelativeName);
+using RtlReleaseRelativeName_type = void (NTAPI *)(PRTL_RELATIVE_NAME RelativeName);
+using RtlGetVersion_type = NTSTATUS (NTAPI *)(PRTL_OSVERSIONINFOW);
 
 extern NtQueryDirectoryFile_type NtQueryDirectoryFile;
 extern NtQueryDirectoryFileEx_type NtQueryDirectoryFileEx;
 extern NtQueryFullAttributesFile_type NtQueryFullAttributesFile;
 extern NtQueryAttributesFile_type NtQueryAttributesFile;
+extern NtQueryObject_type NtQueryObject;
+extern NtQueryInformationFile_type NtQueryInformationFile;
+extern NtQueryInformationByName_type NtQueryInformationByName;
 extern NtOpenFile_type NtOpenFile;
 extern NtCreateFile_type NtCreateFile;
 extern NtClose_type NtClose;
+extern NtTerminateProcess_type NtTerminateProcess;
 extern RtlDoesFileExists_U_type RtlDoesFileExists_U;
 extern RtlDosPathNameToRelativeNtPathName_U_WithStatus_type RtlDosPathNameToRelativeNtPathName_U_WithStatus;
 extern RtlReleaseRelativeName_type RtlReleaseRelativeName;
 extern RtlGetVersion_type RtlGetVersion;
-extern NtTerminateProcess_type NtTerminateProcess;
 
 // ensures ntdll functions have been initialized (only needed during static objects initialization)
 void ntdll_declarations_init();

src/shared/tree_container.h

@@ -437,7 +437,6 @@ class TreeContainer
 
     m_SHM.reset(shm);
     std::pair<TreeMeta*, SharedMemoryT::size_type> res = m_SHM->find<TreeMeta>("Meta");
-    bool lastUser = false;
 
     if (res.first == nullptr) {
       res.first = m_SHM->construct<TreeMeta>("Meta")(createEmpty(), m_SHM->get_segment_manager());

src/thooklib/hooklib.cpp

@@ -251,7 +251,7 @@ BOOL HookRIPIndirection(THookInfo &hookInfo, HookError *error)
     throw std::runtime_error("expected rip-relative addressing");
   }
 
-  uintptr_t chainNext = disasm().jumpTarget();
+  auto chainNext = disasm().jumpTarget();
   if (hookInfo.stub) {
     hookInfo.trampoline = TrampolinePool::instance().storeStub(hookInfo.replacementFunction
                                                                , reinterpret_cast<LPVOID>(hookInfo.originalFunction)
@@ -294,7 +294,7 @@ BOOL HookChainHook(THookInfo &hookInfo, LPBYTE jumpPos, HookError *error)
     throw std::runtime_error("failed to find jump in patch");
   }
 
-  uintptr_t chainTarget = disasm().jumpTarget();
+  auto chainTarget = disasm().jumpTarget();
 
   size_t size = ud_insn_len(disasm());
 

src/usvfs_dll/hookmanager.cpp

@@ -267,6 +267,9 @@ void HookManager::initHooks()
   installHook(ntdllMod, nullptr, "NtQueryAttributesFile", hook_NtQueryAttributesFile);
   installHook(ntdllMod, nullptr, "NtQueryDirectoryFile", hook_NtQueryDirectoryFile);
   installHook(ntdllMod, nullptr, "NtQueryDirectoryFileEx", hook_NtQueryDirectoryFileEx);
+  installHook(ntdllMod, nullptr, "NtQueryObject", hook_NtQueryObject);
+  installHook(ntdllMod, nullptr, "NtQueryInformationFile", hook_NtQueryInformationFile);
+  installHook(ntdllMod, nullptr, "NtQueryInformationByName", hook_NtQueryInformationByName);
   installHook(ntdllMod, nullptr, "NtOpenFile", hook_NtOpenFile);
   installHook(ntdllMod, nullptr, "NtCreateFile", hook_NtCreateFile);
   installHook(ntdllMod, nullptr, "NtClose", hook_NtClose);