This prints (some) struct members
#include "Printer.h"
#include <cwchar>
// ATTR(X) expands to one `case X:` label that copies the spelling of X into a
// local array called `name` and then breaks out of the switch.
//  - The two-argument wcscpy_s call takes its bound from the destination array
//    type, so `name` must be a fixed-size wchar_t array at the point of use;
//    a plain pointer would not compile.
//  - The expansion ends in `break` without a semicolon; the use site supplies it.
//  - NOTE(review): `L#attribute` relies on the preprocessor turning L + a
//    stringized token into a wide literal. MSVC's traditional preprocessor
//    accepts this; confirm before building with a conforming preprocessor.
#define ATTR(attribute) case attribute: \
wcscpy_s(name, L#attribute); \
break
namespace Printer
{
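// Dumps a PS_ATTRIBUTE_LIST to stdout: the total length first, then one group
// of lines per attribute entry (symbolic name, raw id, ReturnLength, Size,
// Value and ValuePtr).
//
// varName        Label printed in front of every field.
// AttributeList  List to dump. A null pointer is reported and nothing else is
//                printed.
//
// The number of entries is derived from AttributeList->TotalLength. This
// function has no way to check that value against the size of the memory the
// list really occupies, so a list with an inflated TotalLength still makes the
// loop read past the end of the buffer. Only pass lists whose TotalLength was
// set by trusted code, or validate it at the call site.
//
// The output contains raw pointer values; treat captured logs accordingly.
void PrintAttributeList(const wchar_t* varName, PPS_ATTRIBUTE_LIST AttributeList)
{
    if (!AttributeList) { wprintf(L"%s is NULL\n", varName); return; }

    // Integer fields are widened to unsigned long long before printing so that
    // pointer-sized values are not truncated on 64-bit builds. The header
    // arithmetic below uses sizeof(SIZE_T), which suggests TotalLength is a
    // SIZE_T - confirm against ntdll.h.
    const size_t totalLength = AttributeList->TotalLength;
    wprintf(L"%s->TotalLength: 0x%llX\n", varName, static_cast<unsigned long long>(totalLength));

    // A TotalLength smaller than the header would wrap the unsigned subtraction
    // below and turn into an enormous entry count, walking far out of bounds.
    if (totalLength < sizeof(SIZE_T))
    {
        wprintf(L"%s->TotalLength is smaller than the list header, no attributes printed\n", varName);
        wprintf(L"============================================================================================\n");
        return;
    }

    // Whole entries only: a trailing partial entry is ignored by the division.
    const size_t count = (totalLength - sizeof(SIZE_T)) / sizeof(PS_ATTRIBUTE);

    // size_t index: avoids the signed/unsigned comparison and signed overflow
    // an int counter would hit on a very large count.
    for (size_t i = 0; i < count; ++i)
    {
        const auto& entry = AttributeList->Attributes[i];
        const unsigned long long index = i;

        // Filled by the ATTR cases with the attribute's symbolic name; left
        // empty for ids this table does not know.
        wchar_t name[124];
        switch (entry.Attribute)
        {
            ATTR(PS_ATTRIBUTE_PARENT_PROCESS);
            ATTR(PS_ATTRIBUTE_DEBUG_OBJECT);
            ATTR(PS_ATTRIBUTE_TOKEN);
            ATTR(PS_ATTRIBUTE_CLIENT_ID);
            ATTR(PS_ATTRIBUTE_TEB_ADDRESS);
            ATTR(PS_ATTRIBUTE_IMAGE_NAME);
            ATTR(PS_ATTRIBUTE_IMAGE_INFO);
            ATTR(PS_ATTRIBUTE_MEMORY_RESERVE);
            ATTR(PS_ATTRIBUTE_PRIORITY_CLASS);
            ATTR(PS_ATTRIBUTE_ERROR_MODE);
            ATTR(PS_ATTRIBUTE_STD_HANDLE_INFO);
            ATTR(PS_ATTRIBUTE_HANDLE_LIST);
            ATTR(PS_ATTRIBUTE_GROUP_AFFINITY);
            ATTR(PS_ATTRIBUTE_PREFERRED_NODE);
            ATTR(PS_ATTRIBUTE_IDEAL_PROCESSOR);
            ATTR(PS_ATTRIBUTE_MITIGATION_OPTIONS);
            ATTR(PS_ATTRIBUTE_PROTECTION_LEVEL);
            ATTR(PS_ATTRIBUTE_SECURE_PROCESS);
            ATTR(PS_ATTRIBUTE_JOB_LIST);
            ATTR(PS_ATTRIBUTE_CHILD_PROCESS_POLICY);
            ATTR(PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY);
            ATTR(PS_ATTRIBUTE_WIN32K_FILTER);
            ATTR(PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM);
            ATTR(PS_ATTRIBUTE_BNO_ISOLATION);
            ATTR(PS_ATTRIBUTE_DESKTOP_APP_POLICY);
            ATTR(PS_ATTRIBUTE_CHPE);
            ATTR(PS_ATTRIBUTE_MITIGATION_AUDIT_OPTIONS);
            ATTR(PS_ATTRIBUTE_MACHINE_TYPE);
            ATTR(PS_ATTRIBUTE_COMPONENT_FILTER);
            ATTR(PS_ATTRIBUTE_ENABLE_OPTIONAL_XSTATE_FEATURES);
        default:
            wcscpy_s(name, L"");
            break;
        }

        wprintf(L"--------------------------------------------------------------------------------------------\n");
        wprintf(L"%s->Attributes[%llu].Attribute: %s (0x%llX)\n", varName, index, name, static_cast<unsigned long long>(entry.Attribute));
        wprintf(L"%s->Attributes[%llu].ReturnLength: 0x%p\n", varName, index, entry.ReturnLength);
        wprintf(L"%s->Attributes[%llu].Size: %llu (0x%llX)\n", varName, index, static_cast<unsigned long long>(entry.Size), static_cast<unsigned long long>(entry.Size));
        // Value and ValuePtr are printed side by side; which one is meaningful
        // depends on the attribute.
        wprintf(L"%s->Attributes[%llu].Value: %llu (0x%llX)\n", varName, index, static_cast<unsigned long long>(entry.Value), static_cast<unsigned long long>(entry.Value));
        wprintf(L"%s->Attributes[%llu].ValuePtr: 0x%p\n", varName, index, entry.ValuePtr);
    }
    wprintf(L"============================================================================================\n");
}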
// Dumps selected fields of a PS_CREATE_INFO to stdout in four groups:
// InitState flags, SuccessState output flags, SuccessState handles and
// addresses, and ExeFormat.DllCharacteristics.
//
// varName     Label printed in front of every field.
// CreateInfo  Structure to dump. A null pointer is reported and nothing else
//             is printed.
//
// NOTE(review): every group is printed unconditionally. In the commonly
// published PS_CREATE_INFO layout InitState, SuccessState and ExeFormat are
// members of one union selected by a State field - confirm against ntdll.h.
// If that holds here, only the group matching the current state is meaningful
// and the others are the same bytes reinterpreted.
//
// The output contains handle values and process addresses (for example the
// PEB address); treat captured logs accordingly.
void PrintCreateInfo(const wchar_t* varName, PPS_CREATE_INFO CreateInfo)
{
    if (CreateInfo == nullptr)
    {
        wprintf(L"%s is NULL\n", varName);
        return;
    }

    // Short aliases for the nested members read below.
    const auto& initFlags = CreateInfo->InitState.u1;
    const auto& initBits = initFlags.s1;
    const auto& success = CreateInfo->SuccessState;
    const auto& outFlags = success.u2;
    const auto& outBits = outFlags.s2;

    // InitState: the combined flags word, then its individual bit fields.
    wprintf(L"%s->InitFlags: 0x%08x\n", varName, initFlags.InitFlags);
    wprintf(L"%s->WriteOutputOnExit: 0x%08x\n", varName, initBits.WriteOutputOnExit);
    wprintf(L"%s->DetectManifest: 0x%08x\n", varName, initBits.DetectManifest);
    wprintf(L"%s->IFEOSkipDebugger: 0x%08x\n", varName, initBits.IFEOSkipDebugger);
    wprintf(L"%s->IFEODoNotPropagateKeyState: 0x%08x\n", varName, initBits.IFEODoNotPropagateKeyState);
    wprintf(L"%s->SpareBits1: 0x%08x\n", varName, initBits.SpareBits1);
    wprintf(L"%s->SpareBits2: 0x%08x\n", varName, initBits.SpareBits2);
    wprintf(L"%s->ProhibitedImageCharacteristics: 0x%08x\n", varName, initBits.ProhibitedImageCharacteristics);
    wprintf(L"--------------------------------------------------------------------------------------------\n");

    // SuccessState: the combined output flags word, then its bit fields.
    // The SpareBits labels repeat the ones used for InitState above.
    wprintf(L"%s->OutputFlags: %d\n", varName, outFlags.OutputFlags);
    wprintf(L"%s->ProtectedProcess: %d\n", varName, outBits.ProtectedProcess);
    wprintf(L"%s->ProtectedProcessLight: %d\n", varName, outBits.ProtectedProcessLight);
    wprintf(L"%s->AddressSpaceOverride: %d\n", varName, outBits.AddressSpaceOverride);
    wprintf(L"%s->DevOverrideEnabled: %d\n", varName, outBits.DevOverrideEnabled);
    wprintf(L"%s->ManifestDetected: %d\n", varName, outBits.ManifestDetected);
    wprintf(L"%s->SpareBits1: 0x%03x\n", varName, outBits.SpareBits1);
    wprintf(L"%s->SpareBits2: 0x%08x\n", varName, outBits.SpareBits2);
    wprintf(L"%s->SpareBits3: 0x%08x\n", varName, outBits.SpareBits3);
    wprintf(L"--------------------------------------------------------------------------------------------\n");

    // SuccessState: handles, addresses and manifest details.
    wprintf(L"%s->FileHandle: 0x%p\n", varName, success.FileHandle);
    wprintf(L"%s->SectionHandle: 0x%p\n", varName, success.SectionHandle);
    wprintf(L"%s->UserProcessParametersNative: 0x%llx\n", varName, success.UserProcessParametersNative);
    wprintf(L"%s->CurrentParameterFlags: 0x%08x\n", varName, success.CurrentParameterFlags);
    wprintf(L"%s->PebAddressNative: 0x%llx\n", varName, success.PebAddressNative);
    wprintf(L"%s->ManifestAddress: 0x%llx\n", varName, success.ManifestAddress);
    wprintf(L"%s->ManifestSize: %d\n", varName, success.ManifestSize);
    wprintf(L"--------------------------------------------------------------------------------------------\n");

    wprintf(L"%s->ExeFormat.DllCharacteristics: 0x%08x\n", varName, CreateInfo->ExeFormat.DllCharacteristics);
    wprintf(L"============================================================================================\n");
}
// Dumps an OBJECT_ATTRIBUTES structure to stdout: Attributes, Length,
// RootDirectory, SecurityDescriptor, SecurityQualityOfService and ObjectName.
//
// varName     Label printed in front of every field.
// attributes  Structure to dump. A null pointer is reported and nothing else
//             is printed.
//
// The output contains raw handle and pointer values; treat captured logs
// accordingly.
void PrintObjectAttributes(const wchar_t* varName, POBJECT_ATTRIBUTES attributes)
{
    if (attributes == nullptr)
    {
        wprintf(L"%s is NULL\n", varName);
        return;
    }

    const auto& objAttr = *attributes;

    wprintf(L"%s->Attributes: %lu\n", varName, objAttr.Attributes);
    wprintf(L"%s->Length: %lu\n", varName, objAttr.Length);
    wprintf(L"%s->RootDirectory: %p\n", varName, objAttr.RootDirectory);
    wprintf(L"%s->SecurityDescriptor: %p\n", varName, objAttr.SecurityDescriptor);
    wprintf(L"%s->SecurityQualityOfService: %p\n", varName, objAttr.SecurityQualityOfService);
    // NOTE(review): %wZ is a Microsoft-specific conversion that takes a pointer
    // to a UNICODE_STRING. ObjectName is passed without a null check here;
    // confirm the CRT in use tolerates a null ObjectName or a null Buffer.
    wprintf(L"%s->ObjectName: %wZ\n", varName, objAttr.ObjectName);
    wprintf(L"============================================================================================\n");
}
}
#pragma once
#include "ntdll.h"
// Debug helpers that dump native process-creation structures to stdout with
// wprintf. Each function prints "<varName> is NULL" and returns when handed a
// null pointer. The output includes raw pointer and handle values.
namespace Printer
{
// Prints TotalLength and every attribute entry of the list. The entry count is
// computed from TotalLength, so the caller must pass a list whose TotalLength
// is correct.
void PrintAttributeList(const wchar_t* varName, PPS_ATTRIBUTE_LIST AttributeList);
// Prints the InitState, SuccessState and ExeFormat fields of the structure.
void PrintCreateInfo(const wchar_t* varName, PPS_CREATE_INFO CreateInfo);
// Prints the fields of the structure, including ObjectName.
void PrintObjectAttributes(const wchar_t* varName, POBJECT_ATTRIBUTES attributes);
}