use core::ffi::c_void;
use moon_struct::os::OS_INFO;
use wdk::println;
use wdk_sys::UNICODE_STRING;
use crate::{kernel_fucntion::ObGetObjectType, string::unicode_string_to_string};
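/// Object type names that are not printed: these are the common kernel
/// objects nearly every process holds, so they would only add noise.
const IGNORED_TYPES: &[&str] = &[
    "Event",
    "WaitCompletionPacket",
    "IRTimer",
    "EtwRegistration",
    "Directory",
    "Key",
    "Timer",
    "Section",
    "File",
    "Thread",
    "ALPC Port",
    "Semaphore",
    "IoCompletionReserve",
    "Mutant",
    "IoCompletion",
    "Desktop",
    "WindowStation",
    "TpWorkerFactory",
];

/// Number of entries in one handle-table entry page and the size in bytes of
/// each entry, as assumed by the walk below.
const ENTRIES_PER_PAGE: usize = 256;
const ENTRY_SIZE: usize = 0x10;

/// Walks the handle table of the given `EPROCESS` and prints, for every live
/// handle whose object type is not in [`IGNORED_TYPES`], the type name and the
/// object body address. Purely diagnostic: nothing is modified and nothing is
/// returned.
///
/// `process` must point at a valid `EPROCESS`. All structure offsets come from
/// `OS_INFO` and must match the running OS build — a wrong offset turns every
/// load below into a read of arbitrary kernel memory. Only a multi-level
/// `TableCode` (an array of pointers to entry pages) is enumerated; a
/// single-level table is reported and skipped. Null pointers encountered on
/// the way (object table, table base, object type) end the walk or skip the
/// entry instead of being dereferenced.
pub fn print_process_handle_table(process: *mut c_void) {
    if process.is_null() {
        return;
    }
    // SAFETY: the caller guarantees `process` is a live EPROCESS and that
    // OS_INFO holds the offsets of the running build; every read below is a
    // plain load from kernel memory reached through those offsets, and each
    // pointer is checked for null before it is dereferenced.
    unsafe {
        let handle_table =
            *(process.add(OS_INFO.offset.eprocess_object_table) as *const u64) as *mut c_void;
        if handle_table.is_null() {
            // e.g. a process that has already torn down its object table.
            return;
        }
        let table_code =
            *(handle_table.add(OS_INFO.offset.handle_table_table_code) as *const u64);
        // The low bits of TableCode encode the table level; the remaining
        // bits are the table base address.
        // NOTE(review): any non-zero level is treated as a one-level table
        // (array of pointers to entry pages) — confirm a deeper table cannot
        // occur for the builds OS_INFO covers, as it would be misread here.
        let is_multi = (table_code & 7) != 0;
        let level1 = (table_code & !7) as *const *mut c_void;
        if !is_multi {
            println!("single tablecode");
            return;
        }
        if level1.is_null() {
            return;
        }
        // The level-1 array of entry pages is terminated by a null pointer.
        let mut page_slot = level1;
        loop {
            let entry_page = *page_slot;
            if entry_page.is_null() {
                break;
            }
            print_handle_entry_page(entry_page);
            page_slot = page_slot.add(1);
        }
    }
}

/// Prints every non-empty entry of one handle-table entry page, skipping the
/// types listed in [`IGNORED_TYPES`].
///
/// # Safety
/// `entry_page` must point at `ENTRIES_PER_PAGE * ENTRY_SIZE` readable bytes
/// laid out as handle table entries for the build described by `OS_INFO`, and
/// the entries must reference valid object headers.
unsafe fn print_handle_entry_page(entry_page: *mut c_void) {
    for index in 0..ENTRIES_PER_PAGE {
        let entry = entry_page.add(index * ENTRY_SIZE);
        // A zero first quadword is treated as an unused slot.
        if *(entry as *const u64) == 0 {
            continue;
        }
        let low = *(entry.add(OS_INFO.offset.handle_table_entry_low) as *const u64);
        if low == 0 {
            // A zero pointer field cannot encode an object; skip it rather
            // than decode it into a bogus kernel address.
            continue;
        }
        // Recover the OBJECT_HEADER address from the entry's low quadword: the
        // pointer bits are stored shifted, with the low nibble and the
        // kernel-space high bits implied by the encoding (OR and + are
        // equivalent here because the shift clears the top 16 bits).
        let object_header =
            (((low >> 16) & 0xFFFF_FFFF_FFFF_FFF0) | 0xFFFF_0000_0000_0000) as *mut c_void;
        let body = object_header.add(OS_INFO.offset.object_header_body);
        let object_type = ObGetObjectType(body);
        if object_type.is_null() {
            continue;
        }
        // NOTE(review): 0x10 is assumed to be the Name field of _OBJECT_TYPE;
        // unlike the other offsets it is not taken from OS_INFO — confirm it
        // for every supported build.
        let type_name = &*(object_type.add(0x10) as *const UNICODE_STRING);
        let type_name = unicode_string_to_string(type_name);
        if !IGNORED_TYPES.iter().any(|&ignored| type_name == ignored) {
            println!("Type:{},addresss:{:p}", type_name, body);
        }
    }
}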