-------------------------------------------------------------------------------------------------- // Opening the Notepad NtOpenFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions) FileHandle 0x0012f418 * 0x00000000 * DesiredAccess 0x100001 ObjectAttributes 0x0012b3cc struct _OBJECT_ATTRIBUTES * Length 0x18 RootDirectory 0x00000000 * ObjectName 0x0012b3e4 "\??\C:\Documents and Settings\Administrator\Desktop\" struct _UNICODE_STRING * Length 0x68 MaximumLength 0x68 Buffer 0x001493e0 * 0x5c Attributes 0x40 SecurityDescriptor 0x00000000 * SecurityQualityOfService 0x00000000 * IoStatusBlock 0x0012b404 struct _IO_STATUS_BLOCK * Status 0n1536000 Pointer 0x00177000 * Information 0x177008 ShareAccess 3 OpenOptions 0x21 ObOpenObjectByName(IN POBJECT_ATTRIBUTES ObjectAttributes, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN OUT PVOID ParseContext, OUT PHANDLE Handle) ObjectAttributes 0x0012b3cc struct _OBJECT_ATTRIBUTES * Length 0x18 RootDirectory 0x00000000 * ObjectName 0x0012b3e4 "\??\C:\Documents and Settings\Administrator\Desktop\" struct _UNICODE_STRING * Length 0x68 MaximumLength 0x68 Buffer 0x001493e0 * 0x5c Attributes 0x40 SecurityDescriptor 0x00000000 * SecurityQualityOfService 0x00000000 * ObjectType 0x00000000 struct _OBJECT_TYPE * Mutex struct _ERESOURCE TypeList struct _LIST_ENTRY Name struct _UNICODE_STRING DefaultObject Index TotalNumberOfObjects TotalNumberOfHandles HighWaterNumberOfObjects HighWaterNumberOfHandles TypeInfo struct _OBJECT_TYPE_INITIALIZER Key ObjectLocks struct _ERESOURCE [4] AccessMode 0n1 '' PassedAccessState 0x00000000 struct _ACCESS_STATE * DesiredAccess 0x100001 ParseContext 0xb0d42670 * Handle 0xf8109c78 * 0x00000000 * And now, important: ObpLookupObjectName(IN HANDLE RootHandle OPTIONAL, IN PUNICODE_STRING ObjectName, IN ULONG 
Attributes, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL, IN PVOID InsertObject OPTIONAL, IN OUT PACCESS_STATE AccessState, OUT POBP_LOOKUP_CONTEXT LookupContext, OUT PVOID *FoundObject) RootHandle 0x00000000 * ObjectName 0xf8109c08 "\??\C:\Documents and Settings\Administrator\Desktop\" struct _UNICODE_STRING * Length 0x68 MaximumLength 0xf8 Buffer 0xe1565e88 * 0x5c Attributes 0x40 ObjectType 0x00000000 struct _OBJECT_TYPE * AccessMode 0n1 '' ParseContext 0xb0d42670 * SecurityQos 0x00000000 struct _SECURITY_QUALITY_OF_SERVICE * InsertObject 0x00000000 AccessState 0xb10f7a10 struct _ACCESS_STATE * OperationID struct _LUID SecurityEvaluated 0x00 '' GenerateAudit 0x00 '' GenerateOnClose 0x00 '' PrivilegesAllocated 0x00 '' Flags 0 RemainingDesiredAccess 0x100001 PreviouslyGrantedAccess 0 OriginalDesiredAccess 0x100001 SubjectSecurityContext struct _SECURITY_SUBJECT_CONTEXT ClientToken 0x00000000 ImpersonationLevel SecurityAnonymous (0n0) PrimaryToken 0xe1583688 ProcessAuditId 0x0000033c SecurityDescriptor 0x00000000 AuxData 0xb10f7ac8 Privileges union AuditPrivileges 0x00 '' ObjectName struct _UNICODE_STRING "" ObjectTypeName struct _UNICODE_STRING "" LookupContext 0xb10f7ab4 struct _OBP_LOOKUP_CONTEXT * Directory 0x00000000 struct _OBJECT_DIRECTORY * Object 0x00000000 HashValue 0xacbe2 HashIndex 3 DirectoryLocked 0x00 '' LockStateSignature 0xeeee1234 FoundObject 0xf8109c04 * 0x00000000 AccessCheckMode 0n0 '' CalloutIrql 0x00 '' ComponentName struct _UNICODE_STRING "" Directory 0x804e2ff0 struct _OBJECT_DIRECTORY * MaxReparse 0xf8109c08 NewName 0x00000023 Object 0x00000000 ObjectHeader 0xf8109ca4 struct _OBJECT_HEADER * ObjectNameInfo 0x00000000 struct _OBJECT_HEADER_NAME_INFO * ParentDirectory 0x00000008 struct _OBJECT_DIRECTORY * ParseRoutine 0x7ffd5000 ReferencedDirectory 0x0012b3a8 struct _OBJECT_DIRECTORY * ReferencedParentDirectory 0x00000023 struct _OBJECT_DIRECTORY * 
RemainingName struct _UNICODE_STRING "????" Reparse 0x00 '' RootDirectory 0xf8109d14 struct _OBJECT_DIRECTORY * Status 0n-1324385776 SymLink 0x00 ''
---------------------------------------
// Opening via the AddFontResource testcase
// Note: unlike the Notepad case above (Length 0x68, MaximumLength 0x68), ObjectName here has Length 0xf0 larger than MaximumLength 0x7a, which is not a consistent UNICODE_STRING; the 60-character path is 0x78 bytes of UTF-16 (0x7a with the terminator), so Length is exactly twice the real byte count, presumably a byte/character count mix-up on the calling side.
// AccessMode is 0n0 here (0n1 in the Notepad case) and the pointers are kernel addresses, so this request appears to come from kernel mode, where the name is probably not re-validated as it would be for a user-mode caller.
NtOpenFile FileHandle 0xf80aeca0 DesiredAccess 0x120089 ObjectAttributes 0xf80aec68 struct _OBJECT_ATTRIBUTES * Length 0x18 RootDirectory 0x00000000 * ObjectName 0xf80aecd0 "\??\C:\Documents and Settings\Administrator\Desktop\bpen.ttf" struct _UNICODE_STRING * Length 0xf0 MaximumLength 0x7a Buffer 0xe15b0350 * 0x5c Attributes 0 SecurityDescriptor 0x00000000 * SecurityQualityOfService 0x00000000 * IoStatusBlock 0xf80aec5c struct _IO_STATUS_BLOCK * Status 0n1 Pointer 0x00000001 Information 1 ShareAccess 1 OpenOptions 0x20 ObjectAttributes 0xf80aec68 struct _OBJECT_ATTRIBUTES * Length 0x18 RootDirectory 0x00000000 * ObjectName 0xf80aecd0 "\??\C:\Documents and Settings\Administrator\Desktop\bpen.ttf" struct _UNICODE_STRING * Length 0xf0 MaximumLength 0x7a Buffer 0xe15b0350 Attributes 0 SecurityDescriptor 0x00000000 SecurityQualityOfService 0x00000000 ObjectType 0x00000000 struct _OBJECT_TYPE * AccessMode 0n0 '' PassedAccessState 0x00000000 struct _ACCESS_STATE * DesiredAccess 0x120089 ParseContext 0xb10d4980 Handle 0xf80aeac0 GenericMapping 0x7ffaf000 struct _GENERIC_MAPPING * Object 0xf80aeaec ObjectHeader 0xf80aeafc struct _OBJECT_HEADER * ObjectName struct _UNICODE_STRING "???" 
OpenReason 0n-133502212 (No matching enumerant) Status 0n-133501892 Status2 0n8 TempBuffer 0x804de0f0 struct _OB_TEMP_BUFFER * ObOpenObjectByName(IN POBJECT_ATTRIBUTES ObjectAttributes, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN OUT PVOID ParseContext, OUT PHANDLE Handle) ObjectAttributes 0xf80aec68 struct _OBJECT_ATTRIBUTES * Length 0x18 RootDirectory 0x00000000 * ObjectName 0xf80aecd0 "\??\C:\Documents and Settings\Administrator\Desktop\bpen.ttf" struct _UNICODE_STRING * Length 0xf0 MaximumLength 0x7a Buffer 0xe15b0350 Attributes 0 SecurityDescriptor 0x00000000 SecurityQualityOfService 0x00000000 ObjectType 0x00000000 struct _OBJECT_TYPE * AccessMode 0n0 '' PassedAccessState 0x00000000 struct _ACCESS_STATE * DesiredAccess 0x120089 ParseContext 0xb10d4980 Handle 0xf80aeac0 NTAPI ObpLookupObjectName(IN HANDLE RootHandle OPTIONAL, IN PUNICODE_STRING ObjectName, IN ULONG Attributes, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL, IN PVOID InsertObject OPTIONAL, IN OUT PACCESS_STATE AccessState, OUT POBP_LOOKUP_CONTEXT LookupContext, OUT PVOID *FoundObject) RootHandle 0x00000000 ObjectName 0xf80aea50 "\??\C:\Documents and Settings\Administrator\Desktop\bpen.ttf" struct _UNICODE_STRING * Length 0xf0 MaximumLength 0xf8 Buffer 0xe1066ee8 * 0x5c Attributes 0 ObjectType 0x00000000 struct _OBJECT_TYPE * AccessMode 0n0 '' ParseContext 0xb10d4980 SecurityQos 0x00000000 struct _SECURITY_QUALITY_OF_SERVICE * InsertObject 0x00000000 AccessState 0xb11aa7c8 struct _ACCESS_STATE * LookupContext 0xb11aa86c struct _OBP_LOOKUP_CONTEXT * FoundObject 0xf80aea4c * 0x00000000