From 2fcbd5d76b9d2ad688ae1a7cb7ab7a51ff946f88 Mon Sep 17 00:00:00 2001 From: NtQuery Date: Sun, 23 Mar 2014 17:30:26 +0100 Subject: [PATCH] fix handler --- TitanEngine/TitanEngine.Handler.cpp | 157 +++++++++------------------- TitanEngine/ntdll.h | 58 +++++++++- TitanEngine/stdafx.h | 35 ------- 3 files changed, 104 insertions(+), 146 deletions(-) diff --git a/TitanEngine/TitanEngine.Handler.cpp b/TitanEngine/TitanEngine.Handler.cpp index bac093c..86d848e 100644 --- a/TitanEngine/TitanEngine.Handler.cpp +++ b/TitanEngine/TitanEngine.Handler.cpp 
@@ -70,119 +70,47 @@ __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE h return HandleActive; } -__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) -{ - - bool NameFound = false; - HANDLE myHandle = NULL; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID tmpHandleFullName = NULL; - - - DynBuf hinfo; - if (!NtQuerySysHandleInfo(hinfo)) - return 0; - LPVOID QuerySystemBuffer = hinfo.GetPtr(); - - - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) - { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) - { - if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) - { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); - NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); - NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleFullName, 0x1000); - if(pObjectNameInfo->Name.Length != NULL) - { - 
WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL); - NameFound = true; - if(TranslateName) - { - tmpHandleFullName = TranslateNativeName((char*)HandleFullName); - if(tmpHandleFullName != NULL) - { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - HandleFullName = tmpHandleFullName; - } - } - } - EngineCloseHandle(myHandle); - break; - } - } - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - - if(!NameFound) - { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - return(NULL); - } - else - { - return(HandleFullName); - } -} __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { - bool NameFound = false; HANDLE myHandle = NULL; ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo = {0}; + char ObjectNameInfo[0x1000] = {0}; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); LPVOID tmpHandleFullName = NULL; + DynBuf hinfo; if (!NtQuerySysHandleInfo(hinfo)) + { + VirtualFree(HandleFullName, NULL, MEM_RELEASE); return 0; + } LPVOID QuerySystemBuffer = hinfo.GetPtr(); + PSYSTEM_HANDLE_INFORMATION HandleInfo = (PSYSTEM_HANDLE_INFORMATION)QuerySystemBuffer; + PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandle = HandleInfo->Handles; - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) + for (ULONG i = 0; 
i < HandleInfo->NumberOfHandles; i++) { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) + if((DWORD)pHandle->UniqueProcessId == ProcessId && (HANDLE)pHandle->HandleValue == hHandle) { //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) + if(pHandle->GrantedAccess != 0x0012019F) { - if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) + if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, FALSE, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); - NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); - NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION)); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof(OBJECT_BASIC_INFORMATION), &RequiredSize); + NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, sizeof(ObjectNameInfo), &RequiredSize); RtlZeroMemory(HandleFullName, 0x1000); if(pObjectNameInfo->Name.Length != NULL) { //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL); + wcscpy((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer); NameFound = true; - lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer); if(TranslateName) { tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); 
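Review bot: The added `wcscpy((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);` relies on the returned name being NUL-terminated, but a `UNICODE_STRING` only promises `Length` bytes and the NTSTATUS of the preceding `NtQueryObject` call is discarded. Bounding the copy by the reported length removes that assumption: `size_t cb = min((size_t)pObjectNameInfo->Name.Length, (size_t)0x1000 - sizeof(wchar_t));` followed by `memcpy(HandleFullName, pObjectNameInfo->Name.Buffer, cb);`, with the `RtlZeroMemory` just above already supplying the terminator. The `VirtualAlloc` result for `HandleFullName` is also used without a NULL check before it is zeroed and written. The function body continues past the end of this hunk.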
@@ -198,8 +126,8 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD } } } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; + + pHandle++; } if(!NameFound) @@ -211,8 +139,21 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD { return(HandleFullName); } +} +__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) +{ + wchar_t * name = (wchar_t *)HandlerGetHandleNameW(hProcess, ProcessId, hHandle, TranslateName); - return(NULL); + if (name) + { + LPVOID HandleFullName = VirtualAlloc(NULL, wcslen(name) + 1, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); + WideCharToMultiByte(CP_ACP, NULL, name, -1, (LPSTR)HandleFullName, wcslen(name) + 1, NULL, NULL); + VirtualFree(name, NULL, MEM_RELEASE); + + return HandleFullName; + } + + return 0; } __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount) { @@ -252,7 +193,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo; char HandleFullData[0x1000] = {0}; LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; 
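Review bot: In the new `HandlerGetHandleName` wrapper (the `@@ -211,8 +139,21 @@` hunk) the ANSI buffer is sized as `wcslen(name) + 1` bytes, which assumes every wide character converts to exactly one byte. Under a multi-byte ANSI code page the conversion can need more room; `WideCharToMultiByte` then fails, and because its return value is ignored the caller gets a buffer that does not hold a valid converted name. The `VirtualAlloc` result is also passed on without a NULL check. Ask the API for the required size first and return NULL when allocation or conversion fails, as sketched below. The removed implementation returned a 0x1000-byte buffer, so any caller that relied on that capacity (none is visible here) would need checking too.

```cpp
    if (name)
    {
        // A wide character may map to more than one byte under CP_ACP, so query the exact size.
        int cb = WideCharToMultiByte(CP_ACP, 0, name, -1, NULL, 0, NULL, NULL);
        LPVOID HandleFullName = (cb > 0) ? VirtualAlloc(NULL, cb, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE) : NULL;

        if (HandleFullName != NULL &&
            WideCharToMultiByte(CP_ACP, 0, name, -1, (LPSTR)HandleFullName, cb, NULL, NULL) == 0)
        {
            // Conversion failed: do not hand back a half-filled buffer.
            VirtualFree(HandleFullName, 0, MEM_RELEASE);
            HandleFullName = NULL;
        }
        VirtualFree(name, 0, MEM_RELEASE);

        return HandleFullName;
    }
```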
@@ -274,8 +215,8 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, { if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize); if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT) { ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount; @@ -375,9 +316,9 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo; char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; char HandleFullNameB[0x1000] = {0}; LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); 
@@ -410,8 +351,8 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); RtlZeroMemory(HandleFullName, 0x1000); @@ -481,9 +422,9 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr ULONG TotalHandleCount = NULL; DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo; char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; char HandleFullNameB[0x1000] = {0}; LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); 
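Review bot: The context lines of the `@@ -410,8 +351,8 @@` hunk still query the name in two steps, `NtQueryObject(..., ObjectNameInfo, 8, &RequiredSize)` and then `NtQueryObject(..., ObjectNameInfo, RequiredSize, &RequiredSize)`. The second call declares the buffer to be `RequiredSize` bytes long, although `ObjectNameInfo` is a fixed `char[0x2000]` on the stack (declared in the `@@ -375,9 +316,9 @@` hunk). An object name that needs more than the array holds would be written past its end. This commit already replaces the same pattern in `HandlerGetHandleNameW` with a single call that passes the real buffer size; the same change belongs here and in the `@@ -517,8 +458,8 @@` and `@@ -620,8 +561,8 @@` hunks: `NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, sizeof(ObjectNameInfo), &RequiredSize);`. The enclosing functions start and end outside these hunks.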
@@ -517,8 +458,8 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); RtlZeroMemory(HandleFullName, 0x1000); @@ -585,9 +526,9 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + OBJECT_BASIC_INFORMATION ObjectBasicInfo; char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; char HandleFullNameB[0x1000] = {0}; LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); 
@@ -620,8 +561,8 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + RtlZeroMemory(&ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof OBJECT_BASIC_INFORMATION, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); RtlZeroMemory(HandleFullName, 0x1000); @@ -794,7 +735,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t char HandleNameData[0x1000] = {0}; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; char ObjectNameInfo[0x2000] = {0}; - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + POBJECT_NAME_INFORMATION pObjectNameInfo = (POBJECT_NAME_INFORMATION)ObjectNameInfo; wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; diff --git a/TitanEngine/ntdll.h b/TitanEngine/ntdll.h index 26731c9..2701b8c 100644 --- a/TitanEngine/ntdll.h +++ b/TitanEngine/ntdll.h 
@@ -170,16 +170,68 @@ typedef struct _SYSTEM_PROCESS_INFORMATION SYSTEM_THREAD_INFORMATION Threads[1]; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; -typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION + +typedef struct _OBJECT_BASIC_INFORMATION { ULONG Attributes; ACCESS_MASK GrantedAccess; ULONG HandleCount; ULONG PointerCount; + ULONG PagedPoolCharge; + ULONG NonPagedPoolCharge; + ULONG Reserved[ 3 ]; + ULONG NameInfoSize; + ULONG TypeInfoSize; + ULONG SecurityDescriptorSize; + LARGE_INTEGER CreationTime; +} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; - ULONG Reserved[10]; // reserved for internal use +typedef struct _OBJECT_NAME_INFORMATION +{ + UNICODE_STRING Name; +} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; -} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION; +typedef struct _OBJECT_TYPE_INFORMATION +{ + UNICODE_STRING TypeName; + ULONG TotalNumberOfObjects; + ULONG TotalNumberOfHandles; + ULONG TotalPagedPoolUsage; + ULONG TotalNonPagedPoolUsage; + ULONG TotalNamePoolUsage; + ULONG TotalHandleTableUsage; + ULONG HighWaterNumberOfObjects; + ULONG HighWaterNumberOfHandles; + ULONG HighWaterPagedPoolUsage; + ULONG HighWaterNonPagedPoolUsage; + ULONG HighWaterNamePoolUsage; + ULONG HighWaterHandleTableUsage; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccessMask; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + ULONG PoolType; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; +} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; + +typedef struct _OBJECT_TYPES_INFORMATION +{ + ULONG NumberOfTypes; + OBJECT_TYPE_INFORMATION TypeInformation[1]; +} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; + +//typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION +//{ +// ULONG Attributes; +// ACCESS_MASK GrantedAccess; +// ULONG HandleCount; +// ULONG PointerCount; +// +// ULONG Reserved[10]; // reserved for internal use +// +//} PUBLIC_OBJECT_BASIC_INFORMATION, 
*PPUBLIC_OBJECT_BASIC_INFORMATION; typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION { diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h index 7a578eb..4456e9d 100644 --- a/TitanEngine/stdafx.h +++ b/TitanEngine/stdafx.h @@ -784,42 +784,7 @@ typedef struct ACCESS_MASK GrantedAccess; } NTDLL_QUERY_HANDLE_INFO, *PNTDLL_QUERY_HANDLE_INFO; -/*typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION { - ULONG Attributes; - ACCESS_MASK GrantedAccess; - ULONG HandleCount; - ULONG PointerCount; - ULONG PagedPoolUsage; - ULONG NonPagedPoolUsage; - ULONG Reserved[3]; - ULONG NameInformationLength; - ULONG TypeInformationLength; - ULONG SecurityDescriptorLength; - LARGE_INTEGER CreateTime; -} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION;*/ -typedef struct _PUBLIC_OBJECT_NAME_INFORMATION // Information Class 1 -{ - UNICODE_STRING Name; -} PUBLIC_OBJECT_NAME_INFORMATION, *PPUBLIC_OBJECT_NAME_INFORMATION; - -/*typedef struct _PUBLIC_OBJECT_TYPE_INFORMATION { // Information Class 2 - UNICODE_STRING Name; - ULONG ObjectCount; - ULONG HandleCount; - ULONG Reserved1[4]; - ULONG PeakObjectCount; - ULONG PeakHandleCount; - ULONG Reserved2[4]; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccess; - UCHAR Unknown; - BOOLEAN MaintainHandleDatabase; - POOL_TYPE PoolType; - ULONG PagedPoolUsage; - ULONG NonPagedPoolUsage; -} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION;*/ typedef void (*PPEBLOCKROUTINE)( PVOID PebLock