A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #25313  by EP_X0FF
 Mon Feb 23, 2015 5:48 am
Windows Object Explorer 64-bit (WinObjEx64)

WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click it or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 lets you view and edit object-related security information if you have the required access rights.

System Requirements

WinObjEx64 does not require administrative privileges. However, administrative privileges are required to view much of the namespace and to edit object-related security information.

WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1 and Windows 10, including Server variants.

WinObjEx64 does not work on Windows XP; Windows Vista is partially supported. We have no plans for their full support.

In order to use all program features Windows must be booted in the DEBUG mode.

Build

WinObjEx64 comes with full source code.
In order to build from source you need Microsoft Visual Studio 2013 U4 or a later version.

Authors

(c) 2015 WinObjEx64 Project
Original WinObjEx (c) 2003 - 2005 Four-F

Acknowledgements

We would like to thank the following people for their contributions (in alphabetical order):

Andrew Ivlev aka Four-F - author of the original x86-32 WinObjEx
Giuseppe Bonfa aka Evilcry - KDSubmarine author
Mark Russinovich - author of the original proof-of-concept tool WinObj
Microsoft WinDBG developers team

Source and compiled binary here
https://github.com/hfiref0x/WinObjEx64

Project files SHA1 https://github.com/hfiref0x/WinObjEx64/ ... /SHA1.hash
Compiled version in attachment.

SHA1
Code:
818bf9f0d4189347e9bd157a2810615109423e62 *WinObjEx64.chm
957157318a64482f446b97c82afe786444b1b2ff *WinObjEx64.exe
Copyrights

WinObjEx64 developed by WinObjEx64 Project group, in the alphabetical order:

EP_X0FF
MP_ART

This program uses Windows Debugger Local Kernel Debugging Driver © Microsoft Corporation.

Please use this thread for bug reports. Also note that Windows 10 is supported *AS IS* since it hasn't been released yet; official support will be added after the official release.
 #25362  by EP_X0FF
 Sun Mar 01, 2015 3:42 pm
1.1 in attachment, git updated.

Kinda fast, but we had just finished what we wanted to put in the release and missed doing so by the deadline.

changelog
Code:
added popup menu for Process page 
added file properties dialog for Process page 
added descriptions for more object types 
added named pipes dialog (menu -> extras) 
added information for IoCompletion object type, including structured object body dump
some code revision and corrections 
sha1 for attached files
Code:
20436c56cbb40c3c0b0078b375ae6f8fe0723ab7 *WinObjEx64.chm
6386213cabe7cca553b2a6eb20e06a147e159cce *WinObjEx64.exe
Do not expect new versions soon, well, except maybe serious bugfixes if there are any.
 #25375  by Brock
 Tue Mar 03, 2015 6:26 am
Nice tool; actually it saved me a bit of time the other day during some research that I was performing. Just a humble suggestion about the help file, which is well organized and helpful. .CHM files are typically blocked for security reasons on more modern OSes. Users should right-click the help file -> "Properties" -> "Unblock" -> "Apply" -> "OK" so they don't see a blank document page or "Navigation cancelled" variants. Of course anyone using a more advanced tool, such as this, should already know this. Perhaps not even worth my mentioning, however it's for those people who may not know better for whatever strange reason. Keep up the good work :)

Best Regards,
Brock
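Brock's unblock tip above, as an added example that is not part of his post or of WinObjEx64: what Windows actually blocks on is the Zone.Identifier alternate data stream (the "Mark of the Web") written to downloaded files, and the Unblock button simply deletes that stream. This Python parses the stream, decides whether the file counts as blocked, and removes the stream; the on-disk functions assume Windows on NTFS, the parser runs anywhere.

```python
import os

# ZoneId values from urlmon's URLZONE enum: 0 local machine, 1 intranet,
# 2 trusted, 3 internet, 4 restricted. Windows offers "Unblock" for files
# whose stream says they came from the Internet or Restricted zones.
URLZONE_INTERNET = 3

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream ([ZoneTransfer] section).

    Returns the keys found there, with a numeric ZoneId converted to int."""
    info, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    if info.get("ZoneId", "").isdigit():
        info["ZoneId"] = int(info["ZoneId"])
    return info

def is_blocked(info: dict) -> bool:
    """True when Windows would block the file (zone Internet or worse)."""
    zone = info.get("ZoneId")
    return isinstance(zone, int) and zone >= URLZONE_INTERNET

def zone_stream_path(path: str) -> str:
    """NTFS alternate data stream that carries the Mark of the Web."""
    return path + ":Zone.Identifier"

def check_file(path: str) -> dict:
    """Read the stream of an on-disk file (Windows/NTFS only); {} if absent."""
    try:
        with open(zone_stream_path(path), encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return {}

def unblock(path: str) -> None:
    """Same effect as Properties -> Unblock: delete the Zone.Identifier stream."""
    os.remove(zone_stream_path(path))
```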
 #25390  by EP_X0FF
 Thu Mar 05, 2015 3:56 am
billbudsocket wrote: Great tool, thanks! Are you accepting code contributions to this tool? I have changed the code to add support for other object types and security dialog (ACLUI) related stuff.
We must look at your code first. If you share your changes we will look at them and merge them into the project if approved.
 #26376  by Insid3Code
 Sun Jul 26, 2015 11:55 am
Thanks for the update. Ported to MSVC 2015.

I noticed something strange not related directly to the WinObjEx64 project but to MSVC 2015. When I try to build any C++ sample (release build, not a debug build) the compiler/linker automatically adds a DEBUG directory to the binary with an invalid debug type (0000000D).

The compiled WinObjEx64 project binary has the same directory; I assume it's not real DEBUG info inside?
 #26379  by EP_X0FF
 Sun Jul 26, 2015 5:12 pm
Insid3Code wrote: The compiled WinObjEx64 project binary has the same directory; I assume it's not real DEBUG info inside?
No, debug settings weren't changed for Release while porting to 2015. It is a VS artefact made for undocumented reasons. Anyway, the loader doesn't care.
 #27210  by EP_X0FF
 Thu Nov 12, 2015 3:34 pm
Update 1.3.1 with a KiServiceTable (7-10TH2 compatible) viewer along with some other little changes.
 #27211  by EP_X0FF
 Thu Nov 12, 2015 3:36 pm
Insid3Code wrote: Thanks for the update. Ported to MSVC 2015.

I noticed something strange not related directly to the WinObjEx64 project but to MSVC 2015. When I try to build any C++ sample (release build, not a debug build) the compiler/linker automatically adds a DEBUG directory to the binary with an invalid debug type (0000000D).

The compiled WinObjEx64 project binary has the same directory; I assume it's not real DEBUG info inside?
Some info found here http://www.hexacorn.com/blog/category/windows-10/; unfortunately there seems to be no visible way to disable this even in Visual Studio 2015 Update 1 RC. Currently you can simply remove the debug directory in a post-build event and recalculate the image CRC.
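The type 0x0D entry Insid3Code noticed and the "recalculate image crc" step EP_X0FF suggests, as an added example that is neither WinObjEx64 code nor a tool from the thread: a pure-Python reader that lists a PE file's IMAGE_DEBUG_DIRECTORY entries (so you can see what a release build carries) and recomputes the OptionalHeader.CheckSum field that must be fixed up after stripping anything from the image. The only assumption beyond the thread is that type 13 is what later winnt.h versions name IMAGE_DEBUG_TYPE_POGO; the sample PE in the test is constructed.

```python
import struct
# Debug types from winnt.h; 13 (0x0D) is the entry MSVC 2015 adds to release
# builds (later winnt.h versions name it IMAGE_DEBUG_TYPE_POGO).
DEBUG_TYPE_NAMES = {2: "CODEVIEW", 13: "POGO (0x0D)"}

def _nt_header(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew -> "PE\0\0"
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return nt

def _rva_to_offset(data: bytes, nt: int, rva: int) -> int:
    """Translate an RVA to a file offset via the section table."""
    nsections = struct.unpack_from("<H", data, nt + 6)[0]
    first_sec = nt + 24 + struct.unpack_from("<H", data, nt + 20)[0]  # after optional header
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, first_sec + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA %#x maps to no section" % rva)

def debug_entries(data: bytes) -> list:
    """List (Type, name, SizeOfData) for every IMAGE_DEBUG_DIRECTORY entry."""
    nt = _nt_header(data)
    opt = nt + 24
    dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, dirs + 6 * 8) if ndirs > 6 else (0, 0)  # entry 6 = DEBUG
    if size == 0:
        return []
    off = _rva_to_offset(data, nt, rva)
    entries = []
    for i in range(size // 28):  # sizeof(IMAGE_DEBUG_DIRECTORY) == 28, Type at +12
        dtype, dsize = struct.unpack_from("<II", data, off + i * 28 + 12)
        entries.append((dtype, DEBUG_TYPE_NAMES.get(dtype, "type %d" % dtype), dsize))
    return entries

def pe_checksum(data: bytes) -> int:
    """Recompute OptionalHeader.CheckSum as imagehlp's CheckSumMappedFile does."""
    cs_off = _nt_header(data) + 24 + 64  # CheckSum field; same offset in PE32 and PE32+
    buf = data + b"\0" if len(data) % 2 else data
    partial = 0
    for off in range(0, len(buf), 2):
        if off in (cs_off, cs_off + 2):  # the field itself is summed as zero
            continue
        partial += buf[off] | (buf[off + 1] << 8)
        partial = (partial >> 16) + (partial & 0xFFFF)  # ones'-complement fold
    partial = ((partial >> 16) + partial) & 0xFFFF
    return (partial + len(data)) & 0xFFFFFFFF
```

Write the value pe_checksum returns back into OptionalHeader.CheckSum after editing the image; the loader ignores it for ordinary executables, but drivers and anything checked by CheckSumMappedFile-style tooling do not.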