Improved pickling types parser APIs.

tyranid · tyranid · commit bd200deb97a2 · 2020-06-28T13:53:49.000+01:00
diff --git a/NtApiDotNet/Ndr/NdrParser.cs b/NtApiDotNet/Ndr/NdrParser.cs
@@ -203,16 +203,21 @@ private static IEnumerable<NdrProcedureDefinition> ReadProcs(IMemoryReader reade
             return procs.AsReadOnly();
         }
 
-        private void ReadTypes(IntPtr midl_type_pickling_info_ptr, IntPtr midl_stub_desc_ptr, IEnumerable<int> fmt_offsets)
+        private void ReadTypes(IntPtr midl_type_pickling_info_ptr, IntPtr midl_stub_desc_ptr, bool deref_stub_desc, Func<IMemoryReader, IntPtr, IEnumerable<int>> get_offsets)
         {
             if (midl_type_pickling_info_ptr == IntPtr.Zero)
             {
-                throw new ArgumentException("Must specify the MIDL_TYPE_PICKLING_INFO pointer");
+                throw new ArgumentException("Must specify a MIDL_TYPE_PICKLING_INFO pointer");
             }
 
             if (midl_stub_desc_ptr == IntPtr.Zero)
             {
-                throw new ArgumentException("Must specify the MIDL_STUB_DESC pointer");
+                throw new ArgumentException($"Must specify a {(deref_stub_desc ? "MIDL_STUBLESS_PROXY_INFO" : "MIDL_STUB_DESC")} pointer");
+            }
+
+            if (deref_stub_desc)
+            {
+                midl_stub_desc_ptr = _reader.ReadIntPtr(midl_stub_desc_ptr);
             }
 
             var pickle_info = _reader.ReadStruct<MIDL_TYPE_PICKLING_INFO>(midl_type_pickling_info_ptr);
@@ -225,7 +230,7 @@ private void ReadTypes(IntPtr midl_type_pickling_info_ptr, IntPtr midl_stub_desc
             MIDL_STUB_DESC stub_desc = _reader.ReadStruct<MIDL_STUB_DESC>(midl_stub_desc_ptr);
             NdrParseContext context = new NdrParseContext(_type_cache, null, stub_desc, stub_desc.pFormatTypes, stub_desc.GetExprDesc(_reader),
                 flags, _reader, NdrParserFlags.IgnoreUserMarshal);
-            foreach (var i in fmt_offsets)
+            foreach (var i in get_offsets(_reader, stub_desc.pFormatTypes))
             {
                 NdrBaseTypeReference.Read(context, i);
             }
@@ -407,6 +412,19 @@ private static IMemoryReader CreateReader(NtProcess process)
             }
         }
 
+        private static IEnumerable<NdrComplexTypeReference> ReadPicklingComplexTypes(NdrParserFlags parser_flags, NtProcess process, IntPtr midl_type_pickling_info, IntPtr midl_stub_desc, bool deref_stub_desc, Func<IMemoryReader, IntPtr, IEnumerable<int>> get_offsets)
+        {
+            NdrParser parser = new NdrParser(process, null, parser_flags);
+            RunWithAccessCatch(() => parser.ReadTypes(midl_type_pickling_info, midl_stub_desc, deref_stub_desc, get_offsets));
+            return parser.ComplexTypes;
+        }
+
+        private static IEnumerable<int> GetPicklingTableOffsets(IMemoryReader reader, IntPtr type_pickling_offset_table, IEnumerable<int> type_index)
+        {
+            var table = reader.ReadIntPtr(type_pickling_offset_table);
+            return type_index.Select(i => reader.ReadInt32(table + i * 4));
+        }
+
         #endregion
 
         #region Internal Members
@@ -644,26 +662,87 @@ public IEnumerable<NdrBaseTypeReference> Types
         #endregion
 
         #region Static Methods
+
+        /// <summary>
+        /// Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
+        /// </summary>
+        /// <param name="process">The process to read from.</param>
+        /// <param name="midl_type_pickling_info">Pointer to the MIDL_TYPE_PICKLING_INFO structure.</param>
+        /// <param name="midl_stub_desc">The pointer to the MIDL_STUB_DESC structure.</param>
+        /// <param name="type_offsets">Pointers to the the format string to the start of the types.</param>
+        /// <param name="parser_flags">Specify additional parser flags.</param>
+        /// <returns>The list of complex types.</returns>
+        /// <remarks>This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter,
+        /// MIDL_STUB_DESC is the third, the Type Offsets is the fourth parameter.</remarks>
+        public static IEnumerable<NdrComplexTypeReference> ReadPicklingComplexTypes(NtProcess process, IntPtr midl_type_pickling_info, IntPtr midl_stub_desc, IntPtr[] type_offsets, NdrParserFlags parser_flags)
+        {
+            if (type_offsets.Length == 0)
+            {
+                return new NdrComplexTypeReference[0];
+            }
+
+            return ReadPicklingComplexTypes(parser_flags, process, midl_type_pickling_info, midl_stub_desc, false, (r, f) => type_offsets.Select(p => (int)(p.ToInt64() - f.ToInt64())));
+        }
+
+        /// <summary>
+        /// Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
+        /// </summary>
+        /// <param name="process">The process to read from.</param>
+        /// <param name="midl_type_pickling_info">Pointer to the MIDL_TYPE_PICKLING_INFO structure.</param>
+        /// <param name="midl_stubless_proxy">The pointer to the MIDL_STUBLESS_PROXY_INFO structure.</param>
+        /// <param name="type_pickling_offset_table">Pointer to the type pickling offset table.</param>
+        /// <param name="type_index">Index into type_pickling_offset_table array.</param>
+        /// <param name="parser_flags">Specify additional parser flags.</param>
+        /// <returns>The list of complex types.</returns>
+        /// <remarks>This function is used to extract type information for calls to NdrMesTypeDecode3. MIDL_TYPE_PICKLING_INFO is the second parameter,
+        /// MIDL_STUBLESS_PROXY_INFO is the third, the type pickling offset table is the fourth and the type index is the fifth.</remarks>
+        public static IEnumerable<NdrComplexTypeReference> ReadPicklingComplexTypes(NtProcess process, IntPtr midl_type_pickling_info, 
+            IntPtr midl_stubless_proxy, IntPtr type_pickling_offset_table, int[] type_index, NdrParserFlags parser_flags)
+        {
+            if (type_index.Length == 0)
+            {
+                return new NdrComplexTypeReference[0];
+            }
+
+            return ReadPicklingComplexTypes(parser_flags, process, midl_type_pickling_info, midl_stubless_proxy, true, (r, f) => GetPicklingTableOffsets(r, type_pickling_offset_table, type_index));
+        }
+
         /// <summary>
         /// Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
         /// </summary>
         /// <param name="process">The process to read from.</param>
         /// <param name="midl_type_pickling_info">Pointer to the MIDL_TYPE_PICKLING_INFO structure.</param>
         /// <param name="midl_stub_desc">The pointer to the MIDL_STUB_DESC structure.</param>
         /// <param name="start_offsets">Offsets into the format string to the start of the types.</param>
+        /// <param name="parser_flags">Specify additional parser flags.</param>
         /// <returns>The list of complex types.</returns>
         /// <remarks>This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter,
         /// MIDL_STUB_DESC is the third (minus the offset).</remarks>
-        public static IEnumerable<NdrComplexTypeReference> ReadPicklingComplexTypes(NtProcess process, IntPtr midl_type_pickling_info, IntPtr midl_stub_desc, params int[] start_offsets)
+        public static IEnumerable<NdrComplexTypeReference> ReadPicklingComplexTypes(NtProcess process, 
+            IntPtr midl_type_pickling_info, IntPtr midl_stub_desc, int[] start_offsets, NdrParserFlags parser_flags)
         {
             if (start_offsets.Length == 0)
             {
                 return new NdrComplexTypeReference[0];
             }
 
-            NdrParser parser = new NdrParser(process, null, NdrParserFlags.IgnoreUserMarshal);
-            RunWithAccessCatch(() => parser.ReadTypes(midl_type_pickling_info, midl_stub_desc, start_offsets));
-            return parser.ComplexTypes;
+            return ReadPicklingComplexTypes(parser_flags, process, midl_type_pickling_info, midl_stub_desc, false, (r, f) => start_offsets);
+        }
+
+        /// <summary>
+        /// Parse NDR complex type information from a pickling structure. Used to extract explicit Encode/Decode method information.
+        /// </summary>
+        /// <param name="process">The process to read from.</param>
+        /// <param name="midl_type_pickling_info">Pointer to the MIDL_TYPE_PICKLING_INFO structure.</param>
+        /// <param name="midl_stub_desc">The pointer to the MIDL_STUB_DESC structure.</param>
+        /// <param name="start_offsets">Offsets into the format string to the start of the types.</param>
+        /// <returns>The list of complex types.</returns>
+        /// <remarks>This function is used to extract type information for calls to NdrMesTypeDecode2. MIDL_TYPE_PICKLING_INFO is the second parameter,
+        /// MIDL_STUB_DESC is the third (minus the offset).</remarks>
+        public static IEnumerable<NdrComplexTypeReference> ReadPicklingComplexTypes(NtProcess process, IntPtr midl_type_pickling_info, 
+            IntPtr midl_stub_desc, params int[] start_offsets)
+        {
+            return ReadPicklingComplexTypes(process, midl_type_pickling_info, midl_stub_desc, start_offsets, NdrParserFlags.IgnoreUserMarshal);
         }
 
         /// <summary>
diff --git a/NtObjectManager/NtObjectManager.psd1 b/NtObjectManager/NtObjectManager.psd1
@@ -89,7 +89,7 @@ FunctionsToExport = 'Get-AccessibleAlpcPort', 'Set-NtTokenPrivilege',
           'Get-NtAccountRight', 'Get-NtAccountRightSid', 'Get-NtConsoleSession', 'Get-ServicePrincipalName',
           'Get-NtTokenId', 'Get-AuthCredential', 'Export-AuthToken', 'Import-AuthToken', 'Get-MD4Hash',
           'Format-ASN1DER', 'Import-KerberosKeyTab', 'Export-KerberosKeyTab', 'New-KerberosKey', 'Get-KerberosKey',
-          'Unprotect-AuthToken', 'Get-KerberosTicket'
+          'Unprotect-AuthToken', 'Get-KerberosTicket', 'Get-NdrComplexType'
 
 # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
 CmdletsToExport = 'Add-NtKeyHive', 'Get-NtDirectory', 'Get-NtEvent', 'Get-NtFile', 
diff --git a/NtObjectManager/NtObjectManager.psm1 b/NtObjectManager/NtObjectManager.psm1
@@ -9352,4 +9352,78 @@ function Get-KerberosTicket {
             }
         }
     }
+}
+
+<#
+.SYNOPSIS
+Get NDR complex types from memory.
+.DESCRIPTION
+This cmdlet parses NDR complex type information from a location in memory.
+.PARAMETER PicklingInfo
+Specify pointer to the MIDL_TYPE_PICKLING_INFO structure.
+.PARAMETER StubDesc
+Specify pointer to the MIDL_STUB_DESC structure.
+.PARAMETER StublessProxy
+Specify pointer to the MIDL_STUBLESS_PROXY_INFO structure.
+.PARAMETER OffsetTable
+Specify pointer to type offset table.
+.PARAMETER TypeIndex
+Specify list of type index into type offset table.
+.PARAMETER TypeFormat
+Specify list of type format string addresses for the types.
+.PARAMETER TypeOffset
+Specify list of type offsets into the format string for the types.
+.PARAMETER Process
+Specify optional process which contains the types.
+.PARAMETER Module
+Specify optional module base address for the types. If set all pointers
+are relative offsets from the module address.
+.INPUTS
+None
+.OUTPUTS
+NdrComplexTypeReference[]
+#>
+function Get-NdrComplexType {
+    [CmdletBinding(DefaultParameterSetName="FromDecode3")]
+    Param(
+        [Parameter(Mandatory)]
+        [long]$PicklingInfo,
+        [Parameter(Mandatory, ParameterSetName = "FromDecode2")]
+        [Parameter(Mandatory, ParameterSetName = "FromDecode2Offset")]
+        [long]$StubDesc,
+        [Parameter(Mandatory, ParameterSetName = "FromDecode2")]
+        [long[]]$TypeFormat,
+        [Parameter(Mandatory, ParameterSetName = "FromDecode2Offset")]
+        [int[]]$TypeOffset,
+        [Parameter(Mandatory, ParameterSetName = "FromDecode3")]
+        [long]$StublessProxy,
+        [Parameter(Mandatory, ParameterSetName = "FromDecode3")]
+        [long]$OffsetTable,
+        [Parameter(Mandatory, ParameterSetName = "FromDecode3")]
+        [int[]]$TypeIndex,
+        [NtApiDotNet.Win32.SafeLoadLibraryHandle]$Module,
+        [NtApiDotNet.NtProcess]$Process,
+        [NtApiDotNet.Ndr.NdrParserFlags]$Flags = "IgnoreUserMarshal"
+    )
+
+    $base_address = 0
+    if ($null -ne $Module) {
+        $base_address = $Module.DangerousGetHandle().ToInt64()
+    }
+
+    switch($PSCmdlet.ParameterSetName) {
+        "FromDecode2" {
+            $type_offset = $TypeFormat | % { $_ + $base_address }
+            [NtApiDotNet.Ndr.NdrParser]::ReadPicklingComplexTypes($Process, $PicklingInfo+$base_address,`
+                $StubDesc+$base_address, $type_offset, $Flags) | Write-Output
+        }
+        "FromDecode2Offset" {
+            [NtApiDotNet.Ndr.NdrParser]::ReadPicklingComplexTypes($Process, $PicklingInfo+$base_address,`
+                $StubDesc+$base_address, $TypeOffset, $Flags) | Write-Output
+        }
+        "FromDecode3" {
+            [NtApiDotNet.Ndr.NdrParser]::ReadPicklingComplexTypes($Process, $PicklingInfo+$base_address,`
+                $StublessProxy+$base_address, $OffsetTable+$base_address, $TypeIndex, $Flags) | Write-Output
+        }
+    }
 }
