├── 1.jpg ├── 2.png ├── 3.jpg ├── 4.jpg ├── Kernel_Inject ├── CRT │ ├── Ntddk.hpp │ ├── CRTCPP.hpp │ └── NtSysAPI_Func.hpp ├── Get_SSDT.hpp ├── DLL_Inject.cc ├── Blackbone.h ├── main.cc ├── DLL_Inject.h ├── Kernel_Inject.vcxproj.filters ├── Blackbone.cc ├── Process.hpp └── Kernel_Inject.vcxproj ├── Readme.md ├── .gitattributes ├── .gitignore └── Kernel_Inject.sln /1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DragonQuestHero/Kernel_Inject/HEAD/1.jpg -------------------------------------------------------------------------------- /2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DragonQuestHero/Kernel_Inject/HEAD/2.png -------------------------------------------------------------------------------- /3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DragonQuestHero/Kernel_Inject/HEAD/3.jpg -------------------------------------------------------------------------------- /4.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DragonQuestHero/Kernel_Inject/HEAD/4.jpg -------------------------------------------------------------------------------- /Kernel_Inject/CRT/Ntddk.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | -------------------------------------------------------------------------------- /Kernel_Inject/Get_SSDT.hpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DragonQuestHero/Kernel_Inject/HEAD/Kernel_Inject/Get_SSDT.hpp -------------------------------------------------------------------------------- /Kernel_Inject/DLL_Inject.cc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DragonQuestHero/Kernel_Inject/HEAD/Kernel_Inject/DLL_Inject.cc -------------------------------------------------------------------------------- /Kernel_Inject/Blackbone.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "CRT/Ntddk.hpp" 3 | #include "CRT/NtSysAPI_Func.hpp" 4 | 5 | 6 | PVOID BBGetModuleExport(IN PVOID pBase, IN PCCHAR name_ord); 7 | -------------------------------------------------------------------------------- /Readme.md: -------------------------------------------------------------------------------- 1 | ### 别问 问就是F7 2 | 3 |

4 | 5 |
6 |
7 |

8 | 9 |

10 | 11 |
12 |
13 |

14 | 15 |

16 | 17 |
18 |
19 |

20 | 21 |

22 | 23 |
24 |
25 |

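26 | 27 | ### 修仙交流(限定筑基期至渡劫期):729338597
--------------------------------------------------------------------------------
/Kernel_Inject/main.cc:
--------------------------------------------------------------------------------
#include "CRT/Ntddk.hpp"
#include "DLL_Inject.h"

// Driver-wide injector instance. Allocated once in DriverEntry (operator new
// from CRT/CRTCPP.hpp -> NonPagedPool) and released again in DriverUnload.
DLL_Inject *_DLL_Inject = nullptr;

// Unload routine. The load-image callback must be removed before the driver
// image goes away, otherwise the kernel keeps a pointer into unmapped code.
void DriverUnload(PDRIVER_OBJECT drive_object)
{
    if (_DLL_Inject != nullptr)
    {
        _DLL_Inject->UnRegister_Load_Image();
        // The original never freed the instance; unload is the last chance.
        delete _DLL_Inject;
        _DLL_Inject = nullptr;
    }
    DbgPrint("Unload Over!\n");
}

// Entry point. Installs the unload routine, creates the injector and registers
// its load-image notify callback.
// NOTE(review): this is process-injection tooling; it must only be loaded on
// systems you own or are explicitly authorised to test.
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT drive_object, PUNICODE_STRING path)
{
    drive_object->DriverUnload = DriverUnload;

    // operator new (CRT/CRTCPP.hpp) returns nullptr when the pool allocation
    // fails instead of throwing; the original dereferenced it unconditionally.
    _DLL_Inject = new DLL_Inject();
    if (_DLL_Inject == nullptr)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    // Register_Load_Image reports failure through its bool result. Ignoring it
    // (original behaviour) left the driver resident with no callback installed.
    if (!_DLL_Inject->Register_Load_Image())
    {
        delete _DLL_Inject;
        _DLL_Inject = nullptr;
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}
--------------------------------------------------------------------------------
/Kernel_Inject/CRT/CRTCPP.hpp:
--------------------------------------------------------------------------------
#pragma once
#include "Ntddk.hpp"

// Pool tag for every allocation made through these operators (shows up as
// 'OCK' in pool dumps). The misspelled name is kept: other files may use it.
#define Tager 'OCK'

// Minimal kernel-mode replacements for the C++ allocation operators. A WDM
// driver has no CRT, so `new` / `delete` are routed to NonPagedPool.
//
// NOTE(review): only the scalar forms are defined here, yet Process.hpp uses
// `new char[...]` / `delete[]`. Confirm the array forms resolve in this build
// (or add them) before relying on those call sites.
// NOTE(review): the standard forbids `static` on a global allocation function;
// MSVC accepts it, but every translation unit gets its own copy.
// NOTE: ExAllocatePoolWithTag returns nullptr on failure, so every `new` in
// this driver must be null-checked by the caller.
#ifdef _AMD64_
static void *operator new(size_t lBlockSize)
{
    return ExAllocatePoolWithTag(NonPagedPool, lBlockSize, Tager);
}

static void operator delete(void *p)
{
    if (p == nullptr)
    {
        return;
    }
    ExFreePoolWithTag(p, Tager);
}
#else
static void * __CRTDECL operator new(size_t lBlockSize)
{
    return ExAllocatePoolWithTag(NonPagedPool, lBlockSize, Tager);
}

static void __CRTDECL operator delete(void *p)
{
    if (!p)
    {
        return;
    }
    ExFreePoolWithTag(p, Tager);
}
#endif
--------------------------------------------------------------------------------
/Kernel_Inject/DLL_Inject.h:
--------------------------------------------------------------------------------
#pragma once
#include "CRT/Ntddk.hpp"
#include "CRT/NtSysAPI_Func.hpp"
#include "Process.hpp"
#include "Blackbone.h"
#include "Get_SSDT.hpp"

// Kernel-side DLL injector driven by a load-image notify routine.
// The constructor picks an undocumented EPROCESS field offset by OS version;
// the hook / injection logic itself lives in DLL_Inject.cc (not shown here).
class DLL_Inject
{
public:
    DLL_Inject()
    {
        _This = this;
        RTL_OSVERSIONINFOW Version = { 0 };
        Version.dwOSVersionInfoSize = sizeof(Version);
        RtlGetVersion(&Version);

        // These offsets are internal EPROCESS layout constants and are only
        // valid for the builds they were lifted from. Unknown versions leave
        // the offset at 0 so callers can detect it via Offset_Known().
        if (Version.dwMajorVersion == 6)
        {
            if (Version.dwMinorVersion == 0)        // 6.0: Vista / Server 2008
            {
                AddressCreationLock_Offset = 0x0178;
            }
            else if (Version.dwMinorVersion == 1)   // 6.1: Windows 7 / 2008 R2
            {
                AddressCreationLock_Offset = 0x0218;
            }
            // 6.2 / 6.3 (Windows 8 / 8.1) are build targets in the solution
            // but the original supplied no offset for them, so they stay 0.
        }
        else
        {
            // Original behaviour: every non-6.x kernel gets this single value.
            // It is not gated on the build number, so it must be re-verified
            // for each Windows 10+ release before use.
            AddressCreationLock_Offset = 0x0368;
        }
    }
    ~DLL_Inject() = default;

public:
    // Install / remove the load-image notify callback (implemented in
    // DLL_Inject.cc; presumably Ps{Set,Remove}LoadImageNotifyRoutine).
    // Both report success through the bool result.
    bool Register_Load_Image();
    bool UnRegister_Load_Image();

    // True when the constructor recognised the OS version and set a non-zero
    // EPROCESS offset. Injection should be refused when this is false.
    bool Offset_Known() const
    {
        return AddressCreationLock_Offset != 0;
    }

private:
    // Notify callback. Static because the kernel calls it through a plain
    // function pointer; instance state is reached via _This.
    static void Load_Image(
        _In_ PUNICODE_STRING FullImageName,
        _In_ HANDLE ProcessId,
        _In_ PIMAGE_INFO ImageInfo
    );
    static void Write_Process_Memory();

private:
    static DLL_Inject *_This;
    void *LdrLoadDll_Func = nullptr;
    void *LdrGetProcedureAddressForCaller_Func = nullptr;
    // Byte offset of the EPROCESS field used by the injector; 0 = unknown OS.
    ULONG64 AddressCreationLock_Offset = 0;
};
--------------------------------------------------------------------------------
/Kernel_Inject/Kernel_Inject.vcxproj.filters:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {8E41214B-6785-4CFE-B992-037D68949A14} 18 | inf;inv;inx;mof;mc; 19 | 20 | 21 | {075cb073-9f7b-42a5-89d8-68ac2a73371d} 22 | 23 | 24 | 25 | 26 | Driver Files 27 | 28 | 29 | 30 | 31 | Source Files 32 | 33 | 34 | Source Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | 41 | 42 | Header Files\CRT 43 | 44 | 45 | Header Files\CRT 46 | 47 | 48 | Header Files\CRT 49 | 50 | 51 | Header Files 52 | 53 | 54 | Header Files 55 | 56 | 57 | Header Files 58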
59 | 60 | Header Files 61 | 62 | 63 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
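53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 |
--------------------------------------------------------------------------------
/Kernel_Inject/Blackbone.cc:
--------------------------------------------------------------------------------
#include "Blackbone.h"

// Unprotected body of BBGetModuleExport; see the public wrapper below for the
// contract. Kept as a separate function so the wrapper can use __try/__except
// (MSVC refuses SEH in a function that has objects needing unwinding).
static PVOID BBGetModuleExportUnsafe(IN PVOID pBase, IN PCCHAR name_ord)
{
    PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)pBase;
    PIMAGE_NT_HEADERS32 pNtHdr32 = NULL;
    PIMAGE_NT_HEADERS64 pNtHdr64 = NULL;
    PIMAGE_EXPORT_DIRECTORY pExport = NULL;
    ULONG expRva = 0;
    ULONG expSize = 0;
    ULONG_PTR pAddress = 0;
    PUSHORT pAddressOfOrds;
    PULONG pAddressOfNames;
    PULONG pAddressOfFuncs;
    ULONG i;

    ASSERT(pBase != NULL);
    if (pBase == NULL)
    {
        return NULL;
    }

    // Not a PE file
    if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return NULL;
    }

    // e_lfanew is supplied by the image. A negative value would move the NT
    // header pointer backwards; the 256 MB ceiling mirrors the limit ntdll's
    // RtlImageNtHeaderEx applies. The original used the field unchecked.
    if (pDosHdr->e_lfanew < 0 || (ULONG)pDosHdr->e_lfanew >= 0x10000000)
    {
        return NULL;
    }

    pNtHdr32 = (PIMAGE_NT_HEADERS32)((PUCHAR)pBase + pDosHdr->e_lfanew);
    pNtHdr64 = (PIMAGE_NT_HEADERS64)((PUCHAR)pBase + pDosHdr->e_lfanew);

    // Not a PE file
    if (pNtHdr32->Signature != IMAGE_NT_SIGNATURE)
    {
        return NULL;
    }

    // The optional header layout differs between PE32 and PE32+; only the
    // export data-directory entry is needed from either.
    if (pNtHdr32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    {
        expRva = pNtHdr64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        expSize = pNtHdr64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    }
    else
    {
        expRva = pNtHdr32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        expSize = pNtHdr32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
    }

    // No export directory. The original fell through with pExport == pBase
    // and parsed the DOS header as an export table.
    if (expRva == 0)
    {
        return NULL;
    }
    pExport = (PIMAGE_EXPORT_DIRECTORY)(expRva + (ULONG_PTR)pBase);

    pAddressOfOrds = (PUSHORT)(pExport->AddressOfNameOrdinals + (ULONG_PTR)pBase);
    pAddressOfNames = (PULONG)(pExport->AddressOfNames + (ULONG_PTR)pBase);
    pAddressOfFuncs = (PULONG)(pExport->AddressOfFunctions + (ULONG_PTR)pBase);

    for (i = 0; i < pExport->NumberOfFunctions; ++i)
    {
        USHORT OrdIndex = 0xFFFF;
        PCHAR pName = NULL;
        BOOLEAN matched = FALSE;

        if ((ULONG_PTR)name_ord <= 0xFFFF)
        {
            // Lookup by ordinal: walk the function table directly.
            OrdIndex = (USHORT)i;
        }
        else if (i < pExport->NumberOfNames)
        {
            // Lookup by name: names and name-ordinals are parallel arrays.
            pName = (PCHAR)(pAddressOfNames[i] + (ULONG_PTR)pBase);
            OrdIndex = pAddressOfOrds[i];
        }
        else
        {
            // Exhausted the name table without a match.
            return NULL;
        }

        // The name-ordinal table is image-supplied; an index past the
        // function table would read outside it (not checked originally).
        if (OrdIndex >= pExport->NumberOfFunctions)
        {
            return NULL;
        }

        if ((ULONG_PTR)name_ord <= 0xFFFF)
        {
            matched = ((USHORT)((ULONG_PTR)name_ord) == OrdIndex + pExport->Base);
        }
        else
        {
            matched = (strcmp(pName, name_ord) == 0);
        }

        if (matched)
        {
            pAddress = pAddressOfFuncs[OrdIndex] + (ULONG_PTR)pBase;

            // A forwarded export points back into the export directory
            // (a "DLL.Func" string, not code); callers cannot use that.
            if (pAddress >= (ULONG_PTR)pExport && pAddress <= (ULONG_PTR)pExport + expSize)
            {
                return NULL;
            }
            break;
        }
    }
    return (PVOID)pAddress;
}

// Resolve an export from a PE image already mapped at pBase (the injector
// uses this against user-mode modules). name_ord is either an ASCII export
// name or, when its numeric value is <= 0xFFFF, an export ordinal.
//
// Returns the export's virtual address, or NULL when pBase is not a PE image,
// has no export directory, the export is not found, is a forwarder, or any of
// the header-derived addresses faults.
//
// SECURITY NOTE: the headers are read from memory the target process controls.
// The sanity checks above stop the obvious wraps, but an RVA pointing at an
// unmapped page is still possible, so the read runs under SEH: a fault becomes
// "not found" instead of a kernel bug check. There is no size bound on the
// mapping (the interface has none), so this remains best-effort.
PVOID BBGetModuleExport(IN PVOID pBase, IN PCCHAR name_ord)
{
    PVOID result = NULL;

    __try
    {
        result = BBGetModuleExportUnsafe(pBase, name_ord);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        result = NULL;
    }
    return result;
}
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons.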
3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.sln.docstates 8 | 9 | # Build results 10 | [Dd]ebug/ 11 | [Dd]ebugPublic/ 12 | [Rr]elease/ 13 | x64/ 14 | build/ 15 | bld/ 16 | [Bb]in/ 17 | [Oo]bj/ 18 | 19 | # Roslyn cache directories 20 | *.ide/ 21 | 22 | # MSTest test Results 23 | [Tt]est[Rr]esult*/ 24 | [Bb]uild[Ll]og.* 25 | 26 | #NUNIT 27 | *.VisualState.xml 28 | TestResult.xml 29 | 30 | # Build Results of an ATL Project 31 | [Dd]ebugPS/ 32 | [Rr]eleasePS/ 33 | dlldata.c 34 | 35 | *_i.c 36 | *_p.c 37 | *_i.h 38 | *.ilk 39 | *.meta 40 | *.obj 41 | *.pch 42 | *.pdb 43 | *.pgc 44 | *.pgd 45 | *.rsp 46 | *.sbr 47 | *.tlb 48 | *.tli 49 | *.tlh 50 | *.tmp 51 | *.tmp_proj 52 | *.log 53 | *.vspscc 54 | *.vssscc 55 | .builds 56 | *.pidb 57 | *.svclog 58 | *.scc 59 | 60 | # Chutzpah Test files 61 | _Chutzpah* 62 | 63 | # Visual C++ cache files 64 | ipch/ 65 | *.aps 66 | *.ncb 67 | *.opensdf 68 | *.sdf 69 | *.cachefile 70 | 71 | # Visual Studio profiler 72 | *.psess 73 | *.vsp 74 | *.vspx 75 | 76 | # TFS 2012 Local Workspace 77 | $tf/ 78 | 79 | # Guidance Automation Toolkit 80 | *.gpState 81 | 82 | # ReSharper is a .NET coding add-in 83 | _ReSharper*/ 84 | *.[Rr]e[Ss]harper 85 | *.DotSettings.user 86 | 87 | # JustCode is a .NET coding addin-in 88 | .JustCode 89 | 90 | # TeamCity is a build add-in 91 | _TeamCity* 92 | 93 | # DotCover is a Code Coverage Tool 94 | *.dotCover 95 | 96 | # NCrunch 97 | _NCrunch_* 98 | .*crunch*.local.xml 99 | 100 | # MightyMoose 101 | *.mm.* 102 | AutoTest.Net/ 103 | 104 | # Web workbench (sass) 105 | .sass-cache/ 106 | 107 | # Installshield output folder 108 | [Ee]xpress/ 109 | 110 | # DocProject is a documentation generator add-in 111 | DocProject/buildhelp/ 112 | DocProject/Help/*.HxT 113 | DocProject/Help/*.HxC 114 | DocProject/Help/*.hhc 115 | DocProject/Help/*.hhk 116 | DocProject/Help/*.hhp 117 | DocProject/Help/Html2 118 | DocProject/Help/html 119 | 120 | # Click-Once directory 121 | publish/ 122 | 123 | # Publish Web Output 124 
| *.[Pp]ublish.xml 125 | *.azurePubxml 126 | ## TODO: Comment the next line if you want to checkin your 127 | ## web deploy settings but do note that will include unencrypted 128 | ## passwords 129 | #*.pubxml 130 | 131 | # NuGet Packages Directory 132 | packages/* 133 | ## TODO: If the tool you use requires repositories.config 134 | ## uncomment the next line 135 | #!packages/repositories.config 136 | 137 | # Enable "build/" folder in the NuGet Packages folder since 138 | # NuGet packages use it for MSBuild targets. 139 | # This line needs to be after the ignore of the build folder 140 | # (and the packages folder if the line above has been uncommented) 141 | !packages/build/ 142 | 143 | # Windows Azure Build Output 144 | csx/ 145 | *.build.csdef 146 | 147 | # Windows Store app package directory 148 | AppPackages/ 149 | 150 | # Others 151 | sql/ 152 | *.Cache 153 | ClientBin/ 154 | [Ss]tyle[Cc]op.* 155 | ~$* 156 | *~ 157 | *.dbmdl 158 | *.dbproj.schemaview 159 | *.pfx 160 | *.publishsettings 161 | node_modules/ 162 | 163 | # RIA/Silverlight projects 164 | Generated_Code/ 165 | 166 | # Backup & report files from converting an old project file 167 | # to a newer Visual Studio version. 
Backup files are not needed, 168 | # because we have git ;-) 169 | _UpgradeReport_Files/ 170 | Backup*/ 171 | UpgradeLog*.XML 172 | UpgradeLog*.htm 173 | 174 | # SQL Server files 175 | *.mdf 176 | *.ldf 177 | 178 | # Business Intelligence projects 179 | *.rdl.data 180 | *.bim.layout 181 | *.bim_*.settings 182 | 183 | # Microsoft Fakes 184 | FakesAssemblies/ 185 | 186 | # LightSwitch generated files 187 | GeneratedArtifacts/ 188 | _Pvt_Extensions/ 189 | ModelManifest.xml 190 | *.inf 191 | -------------------------------------------------------------------------------- /Kernel_Inject.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.40629.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Kernel_Inject", "Kernel_Inject\Kernel_Inject.vcxproj", "{A5E8F27B-568A-4930-9A90-A9208F98C194}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Win7 Debug|Win32 = Win7 Debug|Win32 11 | Win7 Debug|x64 = Win7 Debug|x64 12 | Win7 Release|Win32 = Win7 Release|Win32 13 | Win7 Release|x64 = Win7 Release|x64 14 | Win8 Debug|Win32 = Win8 Debug|Win32 15 | Win8 Debug|x64 = Win8 Debug|x64 16 | Win8 Release|Win32 = Win8 Release|Win32 17 | Win8 Release|x64 = Win8 Release|x64 18 | Win8.1 Debug|Win32 = Win8.1 Debug|Win32 19 | Win8.1 Debug|x64 = Win8.1 Debug|x64 20 | Win8.1 Release|Win32 = Win8.1 Release|Win32 21 | Win8.1 Release|x64 = Win8.1 Release|x64 22 | EndGlobalSection 23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 24 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32 25 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32 26 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Debug|Win32.Deploy.0 = Win7 Debug|Win32 27 | 
{A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64 28 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Debug|x64.Build.0 = Win7 Debug|x64 29 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64 30 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32 31 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Release|Win32.Build.0 = Win7 Release|Win32 32 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Release|Win32.Deploy.0 = Win7 Release|Win32 33 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Release|x64.ActiveCfg = Win7 Release|x64 34 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Release|x64.Build.0 = Win7 Release|x64 35 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win7 Release|x64.Deploy.0 = Win7 Release|x64 36 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Debug|Win32.ActiveCfg = Win8 Debug|Win32 37 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Debug|Win32.Build.0 = Win8 Debug|Win32 38 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Debug|Win32.Deploy.0 = Win8 Debug|Win32 39 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Debug|x64.ActiveCfg = Win8 Debug|x64 40 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Debug|x64.Build.0 = Win8 Debug|x64 41 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Debug|x64.Deploy.0 = Win8 Debug|x64 42 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Release|Win32.ActiveCfg = Win8 Release|Win32 43 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Release|Win32.Build.0 = Win8 Release|Win32 44 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Release|Win32.Deploy.0 = Win8 Release|Win32 45 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Release|x64.ActiveCfg = Win8 Release|x64 46 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Release|x64.Build.0 = Win8 Release|x64 47 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8 Release|x64.Deploy.0 = Win8 Release|x64 48 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32 49 | 
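{A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32 50 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Debug|Win32.Deploy.0 = Win8.1 Debug|Win32 51 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64 52 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64 53 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64 54 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32 55 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32 56 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Release|Win32.Deploy.0 = Win8.1 Release|Win32 57 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Release|x64.ActiveCfg = Win8.1 Release|x64 58 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Release|x64.Build.0 = Win8.1 Release|x64 59 | {A5E8F27B-568A-4930-9A90-A9208F98C194}.Win8.1 Release|x64.Deploy.0 = Win8.1 Release|x64 60 | EndGlobalSection 61 | GlobalSection(SolutionProperties) = preSolution 62 | HideSolutionNode = FALSE 63 | EndGlobalSection 64 | EndGlobal 65 |
--------------------------------------------------------------------------------
/Kernel_Inject/Process.hpp:
--------------------------------------------------------------------------------
#pragma once
#include "CRT/CRTCPP.hpp"
#include "CRT/NtSysAPI_Func.hpp"

namespace CG
{
    // Kernel-mode helpers for inspecting a target process: EPROCESS lookup,
    // handle, PEB, image path, command line, SID and creation time.
    // Every method returns false on failure and logs the NTSTATUS via KdPrint.
    //
    // Buffers handed back to the caller (UNICODE_STRING::Buffer) come from
    // `new char[]` (CRT/CRTCPP.hpp) and must be released with
    // `delete[] (char*)Buffer`.
    class Process
    {
    public:
        Process() = default;
        ~Process() = default;
    public:
        // Look up the EPROCESS for ProcessId.
        //
        // CAUTION: the reference taken by PsLookupProcessByProcessId is
        // dropped again before returning (original behaviour, kept so callers
        // that do not dereference keep working). The returned pointer is
        // therefore NOT protected against the process exiting; use it only
        // while something else guarantees the process is alive (e.g. inside a
        // callback running in its context).
        bool Get_Process_EProcess(HANDLE ProcessId, PEPROCESS *Process_Struct)
        {
            NTSTATUS status = PsLookupProcessByProcessId(ProcessId, Process_Struct);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("PsLookupProcessByProcessId ERROR_CODE:%d\n", status));
                return false;
            }
            ObDereferenceObject(*Process_Struct);
            return true;
        }

        // Open a handle to ProcessId. The caller must ZwClose() it.
        //
        // OBJ_KERNEL_HANDLE keeps the handle out of the current process's
        // handle table. Without it (original behaviour) a GENERIC_ALL process
        // handle is created in whichever process we are running in; for a
        // load-image notify routine that is the target user process itself,
        // i.e. a full-access handle leaked straight to user mode.
        // NOTE(review): GENERIC_ALL is kept because DLL_Inject.cc (not shown)
        // may need write access; narrow it once the actual uses are known.
        bool Get_Process_Handle(HANDLE ProcessId, HANDLE *Process_Handle)
        {
            OBJECT_ATTRIBUTES obj_attributes = { 0 };
            InitializeObjectAttributes(&obj_attributes, nullptr, OBJ_KERNEL_HANDLE, nullptr, nullptr);
            CLIENT_ID cid = { 0 };
            cid.UniqueProcess = ProcessId;

            NTSTATUS status = ZwOpenProcess(Process_Handle, GENERIC_ALL, &obj_attributes, &cid);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("ZwOpenProcess ERROR_CODE:%d\n", status));
                return false;
            }
            return true;
        }

        // Fetch the PEB pointer of Process via PsGetProcessPeb.
        // The routine is not declared in the public WDK headers, so it is
        // resolved at first use with MmGetSystemRoutineAddress (the same
        // pattern Get_Process_SID uses). The original left the member null
        // and called through it.
        // Returns false when the routine is unavailable or the process has
        // no PEB (system / minimal processes).
        bool Get_Process_PEB(PEPROCESS Process, PPEB *PEB)
        {
            if (PsGetProcessPeb == nullptr)
            {
                UNICODE_STRING name;
                RtlInitUnicodeString(&name, L"PsGetProcessPeb");
                PsGetProcessPeb = (_PsGetProcessPeb)MmGetSystemRoutineAddress(&name);
                if (PsGetProcessPeb == nullptr)
                {
                    KdPrint(("Get PsGetProcessPeb Error\n"));
                    *PEB = nullptr;
                    return false;
                }
            }
            *PEB = PsGetProcessPeb(Process);
            return *PEB != nullptr;
        }

        // Resolve Process_Handle's image path as a DOS path into *Process_Path.
        // The caller frees Process_Path->Buffer with `delete[] (char*)`.
        bool Get_Process_Image(HANDLE Process_Handle, UNICODE_STRING *Process_Path)
        {
            NTSTATUS status = STATUS_SUCCESS;
            ULONG Query_Return_Lenght = 0;
            UNICODE_STRING *temp_process_image_name = nullptr;
            FILE_OBJECT *process_image_file_object = nullptr;
            DEVICE_OBJECT *process_image_device_object = nullptr;
            OBJECT_NAME_INFORMATION *process_image_object_name = nullptr;
            bool ok = false;

            // First call only sizes the buffer (it is expected to fail with a
            // length mismatch); the second call fills it.
            ZwQueryInformationProcess(Process_Handle, ProcessImageFileName,
                nullptr, 0, &Query_Return_Lenght);
            if (Query_Return_Lenght == 0)
            {
                KdPrint(("ZwQueryInformationProcess returned no length\n"));
                return false;
            }
            temp_process_image_name = (UNICODE_STRING*)new char[Query_Return_Lenght];
            if (temp_process_image_name == nullptr)
            {
                return false;
            }
            RtlZeroMemory(temp_process_image_name, Query_Return_Lenght);
            status = ZwQueryInformationProcess(Process_Handle, ProcessImageFileName,
                temp_process_image_name, Query_Return_Lenght, &Query_Return_Lenght);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("ZwQueryInformationProcess ERROR_CODE:%d\n", status));
                goto Clean;
            }

            // Native device path -> file object -> DOS device name.
            status = IoGetDeviceObjectPointer(temp_process_image_name, SYNCHRONIZE,
                &process_image_file_object, &process_image_device_object);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("IoGetDeviceObjectPointer ERROR_CODE:%d\n", status));
                goto Clean;
            }
            status = IoQueryFileDosDeviceName(process_image_file_object, &process_image_object_name);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("IoQueryFileDosDeviceName ERROR_CODE:%d\n", status));
                goto Clean;
            }

            Process_Path->Length = process_image_object_name->Name.Length;
            Process_Path->MaximumLength = process_image_object_name->Name.MaximumLength;
            Process_Path->Buffer = (PWCH)new char[Process_Path->MaximumLength];
            if (Process_Path->Buffer == nullptr)
            {
                Process_Path->Length = 0;
                Process_Path->MaximumLength = 0;
                goto Clean;
            }
            RtlCopyMemory(Process_Path->Buffer,
                process_image_object_name->Name.Buffer, Process_Path->MaximumLength);
            ok = true;

        Clean:
            // Release only what was actually acquired. The original called
            // ExFreePool / ObDereferenceObject on null pointers when an early
            // step failed, which is a bug check.
            if (process_image_object_name != nullptr)
            {
                ExFreePool(process_image_object_name);
            }
            if (process_image_file_object != nullptr)
            {
                ObDereferenceObject(process_image_file_object);
            }
            delete[] (char*)temp_process_image_name;
            return ok;
        }

        // Copy the target's command line out of its RTL_USER_PROCESS_PARAMETERS
        // into *CommandLine (caller frees Buffer with `delete[] (char*)`).
        // Process_Handle is unused; it is kept for interface compatibility.
        //
        // The PEB and process parameters are user-mode memory under the
        // target's control and are read while attached to its address space.
        // They are validated with ProbeForRead and the whole access runs under
        // __try/__except, so a hostile or exiting process yields `false`
        // instead of a bug check (the original dereferenced them unguarded).
        bool Get_Process_Command(HANDLE Process_Handle, PEPROCESS Process,
            PPEB PEB, UNICODE_STRING *CommandLine)
        {
            if (Process == nullptr || PEB == nullptr || CommandLine == nullptr)
            {
                return false;
            }

            // PEB.ProcessParameters: 0x20 on x64, 0x10 on x86 (same offsets
            // the original used). Read as a pointer-sized slot rather than a
            // ULONG64 so the x86 build does not read past the field.
#ifdef _AMD64_
            const ULONG_PTR params_offset = 0x20;
#else
            const ULONG_PTR params_offset = 0x10;
#endif

            WCHAR *copy = nullptr;
            USHORT copy_length = 0;
            USHORT copy_max = 0;
            bool ok = false;

            KAPC_STATE apc_state;
            KeStackAttachProcess(Process, &apc_state);
            __try
            {
                PVOID *params_slot = (PVOID*)((char*)PEB + params_offset);
                ProbeForRead(params_slot, sizeof(PVOID), sizeof(PVOID));
                RTL_USER_PROCESS_PARAMETERS *temp_struct = (RTL_USER_PROCESS_PARAMETERS*)*params_slot;
                ProbeForRead(temp_struct, sizeof(RTL_USER_PROCESS_PARAMETERS), 1);

                copy_length = temp_struct->CommandLine.Length;
                copy_max = temp_struct->CommandLine.MaximumLength;
                if (copy_length > copy_max)
                {
                    copy_length = copy_max;   // inconsistent lengths: trust the buffer size
                }

                if (copy_max != 0)
                {
                    ProbeForRead(temp_struct->CommandLine.Buffer, copy_max, 1);
                    copy = (WCHAR*)new char[copy_max];
                    if (copy != nullptr)
                    {
                        RtlCopyMemory(copy, temp_struct->CommandLine.Buffer, copy_max);
                        ok = true;
                    }
                }
                else
                {
                    ok = true;   // empty command line: nothing to copy
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                ok = false;
            }
            KeUnstackDetachProcess(&apc_state);

            if (!ok)
            {
                delete[] (char*)copy;
                return false;
            }
            CommandLine->Buffer = copy;
            CommandLine->Length = copy_length;
            CommandLine->MaximumLength = copy_max;
            return true;
        }

        // Print the SID of the process's primary token (debug aid; nothing is
        // returned to the caller beyond success / failure).
        bool Get_Process_SID(HANDLE Process_Handle)
        {
            NTSTATUS status = STATUS_SUCCESS;
            ULONG Query_Return_Lenght = 0;
            HANDLE ProcessToken_Handle = nullptr;
            UNICODE_STRING SidString = { 0 };
            bool sid_string_allocated = false;
            bool ok = false;
            // TOKEN_USER is a SID_AND_ATTRIBUTES header plus one SID;
            // 200 bytes is well above SECURITY_MAX_SID_SIZE.
            CHAR Buffer[200];
            TOKEN_USER *token_user = nullptr;

            UNICODE_STRING ZwOpenProcessToken_Func_Name;
            RtlInitUnicodeString(&ZwOpenProcessToken_Func_Name, L"ZwOpenProcessToken");
            _ZwOpenProcessToken Func_ZwOpenProcessToken = (_ZwOpenProcessToken)
                MmGetSystemRoutineAddress(&ZwOpenProcessToken_Func_Name);
            if (!Func_ZwOpenProcessToken)
            {
                KdPrint(("Get ZwOpenProcessToken Error\n"));
                return false;
            }

            // Only TokenUser is queried, which needs TOKEN_QUERY; the original
            // asked for TOKEN_ALL_ACCESS.
            status = Func_ZwOpenProcessToken(Process_Handle, TOKEN_QUERY, &ProcessToken_Handle);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("ZwOpenProcessToken ERROR_CODE:%d\n", status));
                return false;
            }

            // The original discarded this status, so its error check tested a
            // stale value and never fired.
            status = ZwQueryInformationToken(ProcessToken_Handle, TokenUser,
                Buffer, sizeof(Buffer), &Query_Return_Lenght);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("ZwQueryInformationToken ERROR_CODE:%d\n", status));
                goto Clean;
            }
            token_user = (PTOKEN_USER)Buffer;

            status = RtlConvertSidToUnicodeString(&SidString, token_user->User.Sid, true);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("RtlConvertSidToUnicodeString ERROR_CODE:%d\n", status));
                goto Clean;
            }
            sid_string_allocated = true;
            // %wZ takes a pointer to the UNICODE_STRING; the original passed
            // the struct by value.
            KdPrint(("%wZ\n", &SidString));
            ok = true;

        Clean:
            // The original freed an uninitialised SidString and closed a null
            // handle on the error path.
            if (sid_string_allocated)
            {
                RtlFreeUnicodeString(&SidString);
            }
            if (ProcessToken_Handle != nullptr)
            {
                ZwClose(ProcessToken_Handle);
            }
            return ok;
        }

        // Log the process creation time (FILETIME-style LARGE_INTEGER). Debug aid.
        bool Get_Process_Create_Time(HANDLE Process_Handle)
        {
            ULONG Query_Return_Lenght = 0;
            KERNEL_USER_TIMES temp_time = { 0 };

            // The original discarded this status and then tested a zeroed
            // local, so its error branch was unreachable.
            NTSTATUS status = ZwQueryInformationProcess(Process_Handle, ProcessTimes,
                &temp_time, sizeof(KERNEL_USER_TIMES), &Query_Return_Lenght);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("ZwQueryInformationProcess ERROR_CODE:%d\n", status));
                return false;
            }

            // %d truncates a 64-bit value; %I64d is the DbgPrint spelling.
            KdPrint(("%I64d\n", temp_time.CreateTime.QuadPart));
            return true;   // the original fell off the end without a return value
        }
    private:
        // Resolved lazily by Get_Process_PEB; not declared in the WDK headers.
        _PsGetProcessPeb PsGetProcessPeb = nullptr;
    };
}
--------------------------------------------------------------------------------
/Kernel_Inject/Kernel_Inject.vcxproj:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 | Win8.1 Debug 6 | Win32 7 | 8 | 9 | Win8.1 Release 10 | Win32 11 | 12 | 13 | Win8 Debug 14 | Win32 15 | 16 | 17 | Win8 Release 18 | Win32 19 | 20 | 21 | Win7 Debug 22 | Win32 23 | 24 | 25 | Win7 Release 26 | Win32 27 | 28 | 29 | Win8.1 Debug 30 | x64 31 | 32 | 33 | Win8.1 Release 34 | x64 35 | 36 | 37 | Win8 Debug 38 | x64 39 | 40 | 41 | Win8 Release 42 | x64 43 | 44 | 45 | Win7 Debug 46 | x64 47 | 48 | 49 | Win7 Release 50 | x64 51 | 52 | 53 | 54 | {A5E8F27B-568A-4930-9A90-A9208F98C194} 55 | {dd38f7fc-d7bd-488b-9242-7d8754cde80d} 56 | v4.5 57 | 11.0 58 | Win8.1 Debug 59 | Win32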
60 | Kernel_Inject 61 | 62 | 63 | 64 | WindowsV6.3 65 | true 66 | WindowsKernelModeDriver8.1 67 | Driver 68 | WDM 69 | 70 | 71 | WindowsV6.3 72 | false 73 | WindowsKernelModeDriver8.1 74 | Driver 75 | WDM 76 | 77 | 78 | Windows8 79 | true 80 | WindowsKernelModeDriver8.1 81 | Driver 82 | WDM 83 | 84 | 85 | Windows8 86 | false 87 | WindowsKernelModeDriver8.1 88 | Driver 89 | WDM 90 | 91 | 92 | Windows7 93 | true 94 | WindowsKernelModeDriver8.1 95 | Driver 96 | WDM 97 | 98 | 99 | Windows7 100 | false 101 | WindowsKernelModeDriver8.1 102 | Driver 103 | WDM 104 | 105 | 106 | WindowsV6.3 107 | true 108 | WindowsKernelModeDriver8.1 109 | Driver 110 | WDM 111 | 112 | 113 | WindowsV6.3 114 | false 115 | WindowsKernelModeDriver8.1 116 | Driver 117 | WDM 118 | 119 | 120 | Windows8 121 | true 122 | WindowsKernelModeDriver8.1 123 | Driver 124 | WDM 125 | 126 | 127 | Windows8 128 | false 129 | WindowsKernelModeDriver8.1 130 | Driver 131 | WDM 132 | 133 | 134 | Windows7 135 | true 136 | WindowsKernelModeDriver8.1 137 | Driver 138 | WDM 139 | 140 | 141 | Windows7 142 | false 143 | WindowsKernelModeDriver8.1 144 | Driver 145 | WDM 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | DbgengKernelDebugger 157 | 158 | 159 | DbgengKernelDebugger 160 | 161 | 162 | DbgengKernelDebugger 163 | 164 | 165 | DbgengKernelDebugger 166 | 167 | 168 | DbgengKernelDebugger 169 | 170 | 171 | DbgengKernelDebugger 172 | 173 | 174 | DbgengKernelDebugger 175 | 176 | 177 | DbgengKernelDebugger 178 | 179 | 180 | DbgengKernelDebugger 181 | 182 | 183 | DbgengKernelDebugger 184 | 185 | 186 | DbgengKernelDebugger 187 | 188 | 189 | DbgengKernelDebugger 190 | 191 | 192 | 193 | false 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | -------------------------------------------------------------------------------- /Kernel_Inject/CRT/NtSysAPI_Func.hpp: 
--------------------------------------------------------------------------------
#pragma once
#include "CRTCPP.hpp"

// Hand-maintained declarations of undocumented / semi-documented NT kernel
// types, PE structures and native routines used by the injector.
//
// Nothing in this file is validated at runtime: every struct is a binary-layout
// contract with a specific Windows build (the .vcxproj targets Windows 7, 8 and
// 8.1). A field that is off by one byte in kernel mode is a bugcheck at best and
// silent memory corruption at worst, so any layout change must be checked
// against the target build's symbols (`dt nt!_NAME` in WinDbg) before it ships.

// Win32-style integer aliases. The driver is built without the user-mode SDK,
// so these are defined locally; they must keep the SDK widths (DWORD = 4,
// WORD = 2, BYTE = 1) because the PE structures below depend on them.
typedef unsigned long DWORD;
typedef int BOOL;
typedef unsigned char BYTE;
typedef unsigned short WORD;
typedef float FLOAT;
typedef int INT;
typedef unsigned int UINT;
typedef unsigned int *PUINT;

//enum
//-------------------------------------------
// Information classes for ZwQuerySystemInformation. The enum is positional, so
// the ordinal IS the ABI: never insert, remove or reorder members. As listed
// here, SystemModuleInformation = 11, SystemHandleInformation = 16,
// SystemExtendedHandleInformation = 64 and SystemBigPoolInformation = 66.
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation, // obsolete...delete
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;


//Struct
//-------------------------------------------
// One entry of the SystemHandleInformation (class 16) result.
// This is the legacy 16-bit layout: UniqueProcessId and HandleValue are USHORT,
// so any PID or handle value above 0xFFFF is silently truncated. Do not base a
// security decision (which process owns a handle, whether a handle is "ours")
// on these fields alone; SystemExtendedHandleInformation (class 64 in the enum
// above) returns the wide form. NOTE(review): the extended entry struct is not
// declared in this header.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes;
    USHORT HandleValue;
    PVOID Object;
    ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

// Variable-length result buffer: Handles[] actually has NumberOfHandles entries,
// so the caller must allocate the size reported by ZwQuerySystemInformation
// (and re-query if the handle count grew in between), never sizeof(this).
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// Current-directory record embedded in RTL_USER_PROCESS_PARAMETERS.
typedef struct _CURDIR {
    UNICODE_STRING DosPath;
    HANDLE Handle;
} CURDIR, *PCURDIR;

// Per-drive-letter current directory entry (RTL_MAX_DRIVE_LETTERS of them).
typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

#define RTL_MAX_DRIVE_LETTERS 32
// Process parameter block reached through PEB->ProcessParameters. This block
// lives in the user-mode address space of the process being inspected and is
// writable by that process, so every Length / Buffer pair in it is untrusted
// input: read it only while attached to that process and bounds-check before
// dereferencing. Only the leading fields are declared; do not rely on sizeof().
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;

    ULONG Flags;
    ULONG DebugFlags;

    HANDLE ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StandardInput;
    HANDLE StandardOutput;
    HANDLE StandardError;

    CURDIR CurrentDirectory; // ProcessParameters
    UNICODE_STRING DllPath; // ProcessParameters
    UNICODE_STRING ImagePathName; // ProcessParameters
    UNICODE_STRING CommandLine; // ProcessParameters
    PVOID Environment; // NtAllocateVirtualMemory

    ULONG StartingX;
    ULONG StartingY;
    ULONG CountX;
    ULONG CountY;
    ULONG CountCharsX;
    ULONG CountCharsY;
    ULONG FillAttribute;

    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle; // ProcessParameters
    UNICODE_STRING DesktopInfo; // ProcessParameters
    UNICODE_STRING ShellInfo; // ProcessParameters
    UNICODE_STRING RuntimeData; // ProcessParameters
    RTL_DRIVE_LETTER_CURDIR CurrentDirectores[RTL_MAX_DRIVE_LETTERS]; // (sic) field name matches the Windows headers
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

// Loader data reached through PEB->Ldr. Only InMemoryOrderModuleList is named;
// the reserved prefix (8 + 3 * sizeof(PVOID) bytes) places it at 0x14 on x86
// and 0x20 on x64. The list links live in user memory and can be forged by the
// target process (unlinked / fake entries), so a walker must cap its iteration
// count and validate each entry's pointers.
typedef struct _PEB_LDR_DATA {
    unsigned char Reserved1[8];
    PVOID Reserved2[3];
    LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;



#ifdef _AMD64_
// x64 user-mode loader entry (ntdll!_LDR_DATA_TABLE_ENTRY, Win7-era layout).
// LIST_ENTRY64 has the same size as LIST_ENTRY on x64, but CONTAINING_RECORD /
// LIST_ENTRY helpers expect LIST_ENTRY, so the walker has to cast.
// NOTE(review): OriginalBase is declared ULONG here; on x64 builds it is
// believed to be pointer-sized - verify with `dt ntdll!_LDR_DATA_TABLE_ENTRY`
// if anything reads the fields after PatchInformation.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY64 InLoadOrderLinks;
    LIST_ENTRY64 InMemoryOrderLinks;
    LIST_ENTRY64 InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY64 ForwarderLinks;
    LIST_ENTRY64 ServiceTagLinks;
    LIST_ENTRY64 StaticLinks;
    PVOID ContextInformation;
    ULONG OriginalBase;
    LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// x64 PEB, reserved-byte layout. With the sizes declared here the named fields
// land at: BeingDebugged 0x02, LoaderData 0x18, ProcessParameters 0x20,
// PostProcessInitRoutine 0x230, SessionId 0x2C0.
// NOTE(review): two inconsistencies with the x86 branch below - the loader
// field is called LoaderData here but Ldr there, and this branch defines only
// PEB (no *PPEB), although _PsGetProcessPeb at the end of this file uses PPEB.
// On x64 that name must come from elsewhere (ntddk.h forward-declares _PEB) -
// verify, and prefer one field name for both architectures.
typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[21];
    PPEB_LDR_DATA LoaderData;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved3[520];
    PVOID PostProcessInitRoutine; // PPS_POST_PROCESS_INIT_ROUTINE
    BYTE Reserved4[136];
    ULONG SessionId;
} PEB;
#else
// x86 user-mode loader entry (same field order as the x64 variant, native
// LIST_ENTRY links).
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY ForwarderLinks;
    LIST_ENTRY ServiceTagLinks;
    LIST_ENTRY StaticLinks;
    PVOID ContextInformation;
    ULONG OriginalBase;
    LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// x86 PEB, reserved-byte layout. With the sizes declared here the named fields
// land at: BeingDebugged 0x02, Ldr 0x0C, ProcessParameters 0x10,
// PostProcessInitRoutine 0x14C, SessionId 0x1D4.
typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[1];
    PVOID Reserved3[2];
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved4[104];
    PVOID Reserved5[52];
    PVOID PostProcessInitRoutine; // PPS_POST_PROCESS_INIT_ROUTINE
    BYTE Reserved6[128];
    PVOID Reserved7[1];
    ULONG SessionId;
} PEB, *PPEB;
#endif // _AMD64_


//-----PE
// Local copies of the PE image definitions (same names and layouts as the SDK's
// winnt.h / the WDK's ntimage.h) so the driver does not pull in either header.
// Do not include this file together with ntimage.h - the names collide.
// Everything parsed through these structs comes from an image in memory that
// the target process could have modified; treat every offset, RVA and count as
// untrusted and bounds-check it against SizeOfImage before dereferencing.
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_OS2_SIGNATURE 0x454E // NE
#define IMAGE_OS2_SIGNATURE_LE 0x454C // LE
#define IMAGE_VXD_SIGNATURE 0x454C // LE
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00

typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    WORD e_magic; // Magic number
    WORD e_cblp; // Bytes on last page of file
    WORD e_cp; // Pages in file
    WORD e_crlc; // Relocations
    WORD e_cparhdr; // Size of header in paragraphs
    WORD e_minalloc; // Minimum extra paragraphs needed
    WORD e_maxalloc; // Maximum extra paragraphs needed
    WORD e_ss; // Initial (relative) SS value
    WORD e_sp; // Initial SP value
    WORD e_csum; // Checksum
    WORD e_ip; // Initial IP value
    WORD e_cs; // Initial (relative) CS value
    WORD e_lfarlc; // File address of relocation table
    WORD e_ovno; // Overlay number
    WORD e_res[4]; // Reserved words
    WORD e_oemid; // OEM identifier (for e_oeminfo)
    WORD e_oeminfo; // OEM information; e_oemid specific
    WORD e_res2[10]; // Reserved words
    LONG e_lfanew; // File address of new exe header (signed; validate 0 < e_lfanew < SizeOfImage before use)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

typedef struct _IMAGE_OS2_HEADER { // OS/2 .EXE header
    WORD ne_magic; // Magic number
    CHAR ne_ver; // Version number
    CHAR ne_rev; // Revision number
    WORD ne_enttab; // Offset of Entry Table
    WORD ne_cbenttab; // Number of bytes in Entry Table
    LONG ne_crc; // Checksum of whole file
    WORD ne_flags; // Flag word
    WORD ne_autodata; // Automatic data segment number
    WORD ne_heap; // Initial heap allocation
    WORD ne_stack; // Initial stack allocation
    LONG ne_csip; // Initial CS:IP setting
    LONG ne_sssp; // Initial SS:SP setting
    WORD ne_cseg; // Count of file segments
    WORD ne_cmod; // Entries in Module Reference Table
    WORD ne_cbnrestab; // Size of non-resident name table
    WORD ne_segtab; // Offset of Segment Table
    WORD ne_rsrctab; // Offset of Resource Table
    WORD ne_restab; // Offset of resident name table
    WORD ne_modtab; // Offset of Module Reference Table
    WORD ne_imptab; // Offset of Imported Names Table
    LONG ne_nrestab; // Offset of Non-resident Names Table
    WORD ne_cmovent; // Count of movable entries
    WORD ne_align; // Segment alignment shift count
    WORD ne_cres; // Count of resource segments
    BYTE ne_exetyp; // Target Operating system
    BYTE ne_flagsothers; // Other .EXE flags
    WORD ne_pretthunks; // offset to return thunks
    WORD ne_psegrefbytes; // offset to segment ref. bytes
    WORD ne_swaparea; // Minimum code swap area size
    WORD ne_expver; // Expected Windows version number
} IMAGE_OS2_HEADER, *PIMAGE_OS2_HEADER;

typedef struct _IMAGE_VXD_HEADER { // Windows VXD header
    WORD e32_magic; // Magic number
    BYTE e32_border; // The byte ordering for the VXD
    BYTE e32_worder; // The word ordering for the VXD
    DWORD e32_level; // The EXE format level for now = 0
    WORD e32_cpu; // The CPU type
    WORD e32_os; // The OS type
    DWORD e32_ver; // Module version
    DWORD e32_mflags; // Module flags
    DWORD e32_mpages; // Module # pages
    DWORD e32_startobj; // Object # for instruction pointer
    DWORD e32_eip; // Extended instruction pointer
    DWORD e32_stackobj; // Object # for stack pointer
    DWORD e32_esp; // Extended stack pointer
    DWORD e32_pagesize; // VXD page size
    DWORD e32_lastpagesize; // Last page size in VXD
    DWORD e32_fixupsize; // Fixup section size
    DWORD e32_fixupsum; // Fixup section checksum
    DWORD e32_ldrsize; // Loader section size
    DWORD e32_ldrsum; // Loader section checksum
    DWORD e32_objtab; // Object table offset
    DWORD e32_objcnt; // Number of objects in module
    DWORD e32_objmap; // Object page map offset
    DWORD e32_itermap; // Object iterated data map offset
    DWORD e32_rsrctab; // Offset of Resource Table
    DWORD e32_rsrccnt; // Number of resource entries
    DWORD e32_restab; // Offset of resident name table
    DWORD e32_enttab; // Offset of Entry Table
    DWORD e32_dirtab; // Offset of Module Directive Table
    DWORD e32_dircnt; // Number of module directives
    DWORD e32_fpagetab; // Offset of Fixup Page Table
    DWORD e32_frectab; // Offset of Fixup Record Table
    DWORD e32_impmod; // Offset of Import Module Name Table
    DWORD e32_impmodcnt; // Number of entries in Import Module Name Table
    DWORD e32_impproc; // Offset of Import Procedure Name Table
    DWORD e32_pagesum; // Offset of Per-Page Checksum Table
    DWORD e32_datapage; // Offset of Enumerated Data Pages
    DWORD e32_preload; // Number of preload pages
    DWORD e32_nrestab; // Offset of Non-resident Names Table
    DWORD e32_cbnrestab; // Size of Non-resident Name Table
    DWORD e32_nressum; // Non-resident Name Table Checksum
    DWORD e32_autodata; // Object # for automatic data object
    DWORD e32_debuginfo; // Offset of the debugging information
    DWORD e32_debuglen; // The length of the debugging info. in bytes
    DWORD e32_instpreload; // Number of instance pages in preload section of VXD file
    DWORD e32_instdemand; // Number of instance pages in demand load section of VXD file
    DWORD e32_heapsize; // Size of heap - for 16-bit apps
    BYTE e32_res3[12]; // Reserved words
    DWORD e32_winresoff;
    DWORD e32_winreslen;
    WORD e32_devid; // Device ID for VxD
    WORD e32_ddkver; // DDK version for VxD
} IMAGE_VXD_HEADER, *PIMAGE_VXD_HEADER;


//
// File header format.
//

// COFF file header that follows the PE signature. NumberOfSections and
// SizeOfOptionalHeader are used as offsets by IMAGE_FIRST_SECTION and section
// walkers, so both must be range-checked when the image is not trusted.
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine;
    WORD NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD SizeOfOptionalHeader;
    WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

#define IMAGE_SIZEOF_FILE_HEADER 20

// IMAGE_FILE_HEADER.Characteristics bits.
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved external references).
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line numbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Aggressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000 // System File.
#define IMAGE_FILE_DLL 0x2000 // File is a DLL.
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.

// IMAGE_FILE_HEADER.Machine values. Only I386 and AMD64 matter for this driver,
// but a module whose Machine does not match the process bitness (WOW64) must
// be parsed with the other optional-header variant, not skipped silently.
#define IMAGE_FILE_MACHINE_UNKNOWN 0
#define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
#define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
#define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
#define IMAGE_FILE_MACHINE_R10000 0x0168 // MIPS little-endian
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
#define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
#define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
#define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
#define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
#define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
#define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
#define IMAGE_FILE_MACHINE_THUMB 0x01c2 // ARM Thumb/Thumb-2 Little-Endian
#define IMAGE_FILE_MACHINE_ARMNT 0x01c4 // ARM Thumb-2 Little-Endian
#define IMAGE_FILE_MACHINE_AM33 0x01d3
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
#define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
#define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
#define IMAGE_FILE_MACHINE_CEF 0x0CEF
#define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
#define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
#define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
#define IMAGE_FILE_MACHINE_CEE 0xC0EE

//
// Directory format.
//

// One data-directory slot: an RVA plus a byte size. Both come from the image;
// a slot is unused when VirtualAddress == 0, and VirtualAddress + Size must be
// checked against SizeOfImage before the directory is touched.
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16

//
// Optional header format.
//

// 32-bit (PE32) optional header. Note the tag/alias split that mirrors winnt.h:
// the struct tag is _IMAGE_OPTIONAL_HEADER but the typedef is
// IMAGE_OPTIONAL_HEADER32; the unsuffixed alias is chosen by _WIN64 below.
// NumberOfRvaAndSizes is read from the image - index DataDirectory[] only
// below min(NumberOfRvaAndSizes, IMAGE_NUMBEROF_DIRECTORY_ENTRIES).
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //

    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;

    //
    // NT additional fields.
    //

    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

// ROM image optional header (Magic 0x107); kept for completeness, not used by
// the PE32/PE32+ paths.
typedef struct _IMAGE_ROM_OPTIONAL_HEADER {
    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD BaseOfBss;
    DWORD GprMask;
    DWORD CprMask[4];
    DWORD GpValue;
} IMAGE_ROM_OPTIONAL_HEADER, *PIMAGE_ROM_OPTIONAL_HEADER;

// 64-bit (PE32+) optional header: no BaseOfData, and ImageBase plus the
// stack/heap sizes widen to ULONGLONG. Same DataDirectory caveat as above.
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    ULONGLONG ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    ULONGLONG SizeOfStackReserve;
    ULONGLONG SizeOfStackCommit;
    ULONGLONG SizeOfHeapReserve;
    ULONGLONG SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;

// OptionalHeader.Magic values. Dispatch on Magic, not on the driver's own
// bitness, when the parsed image may be a WOW64 (32-bit) module.
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
#define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107

// Unsuffixed aliases follow the build architecture (_WIN64), i.e. the driver's
// own image format - not necessarily the format of the image being parsed.
#ifdef _WIN64
typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR64_MAGIC
#else
typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR32_MAGIC
#endif


// PE signature + file header + optional header, located at DosHeader->e_lfanew.
typedef struct _IMAGE_NT_HEADERS64 {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;

// Struct tag _IMAGE_NT_HEADERS / typedef IMAGE_NT_HEADERS32, as in winnt.h.
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef struct _IMAGE_ROM_HEADERS {
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_ROM_OPTIONAL_HEADER OptionalHeader;
} IMAGE_ROM_HEADERS, *PIMAGE_ROM_HEADERS;

#ifdef _WIN64
typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS;
#else
typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;
#endif

// IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is the same either way.
// (Signature + FileHeader is 24 bytes in both IMAGE_NT_HEADERS variants, so the
// FIELD_OFFSET below is architecture-independent.) The macro adds
// SizeOfOptionalHeader straight from the image with no validation: check that
// the resulting section table (NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER)
// still lies inside SizeOfHeaders before iterating it on an untrusted image.

#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
    ((ULONG_PTR)(ntheader) + \
    FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
    ((ntheader))->FileHeader.SizeOfOptionalHeader \
    ))

// Subsystem Values

#define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
#define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 //
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 //
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 //
#define IMAGE_SUBSYSTEM_EFI_ROM 13
#define IMAGE_SUBSYSTEM_XBOX 14
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16

// DllCharacteristics Entries
// OptionalHeader.DllCharacteristics bits. For an injected DLL these describe
// which mitigations it claims (DYNAMIC_BASE = relocatable / ASLR, NX_COMPAT,
// GUARD_CF); a manual mapper that ignores DYNAMIC_BASE and maps at an arbitrary
// base without applying relocations will crash the target.

// IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved.
// IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved.
// IMAGE_LIBRARY_THREAD_INIT 0x0004 // Reserved.
// IMAGE_LIBRARY_THREAD_TERM 0x0008 // Reserved.
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020 // Image can handle a high entropy 64-bit virtual address space.
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // DLL can move.
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity Image
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX compatible
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
#define IMAGE_DLLCHARACTERISTICS_APPCONTAINER 0x1000 // Image should execute in an AppContainer
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000 // Driver uses WDM model
#define IMAGE_DLLCHARACTERISTICS_GUARD_CF 0x4000 // Image supports Control Flow Guard.
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000

// Directory Entries
// Indices into OptionalHeader.DataDirectory[].

#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor

//
// Section header format.
//

#define IMAGE_SIZEOF_SHORT_NAME 8

// Section table entry. Name is NOT NUL-terminated when all 8 bytes are used -
// compare with a bounded memcmp, never strcmp. VirtualAddress / VirtualSize and
// PointerToRawData / SizeOfRawData are image-supplied; clamp them to
// SizeOfImage (or the file size) before copying section data.
typedef struct _IMAGE_SECTION_HEADER {
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD NumberOfRelocations;
    WORD NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

#define IMAGE_SIZEOF_SECTION_HEADER 40

// Export directory (DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]). The three
// AddressOf* fields and Name are RVAs; NumberOfFunctions / NumberOfNames bound
// the tables. An export whose RVA falls inside the export directory itself is a
// forwarder string, not code - a resolver that jumps to it executes data.
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD Name;
    DWORD Base;
    DWORD NumberOfFunctions;
    DWORD NumberOfNames;
    DWORD AddressOfFunctions; // RVA from base of image
    DWORD AddressOfNames; // RVA from base of image
    DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;


// Hardware page-table-entry bit layouts. Writing these directly (e.g. flipping
// `write` or `no_execute` on a target's pages) bypasses the memory manager
// entirely; the fields above bit 11 in the PAE/x64 forms include OS-defined
// software bits, so the widths are build-specific - confirm against
// `dt nt!_HARDWARE_PTE` on the target.

/// nt!_HARDWARE_PTE on x86 PAE-disabled Windows (12 flag bits + 20-bit PFN = 32)
struct HardwarePteX86 {
    ULONG valid : 1; //!< [0]
    ULONG write : 1; //!< [1]
    ULONG owner : 1; //!< [2]
    ULONG write_through : 1; //!< [3]
    ULONG cache_disable : 1; //!< [4]
    ULONG accessed : 1; //!< [5]
    ULONG dirty : 1; //!< [6]
    ULONG large_page : 1; //!< [7]
    ULONG global : 1; //!< [8]
    ULONG copy_on_write : 1; //!< [9]
    ULONG prototype : 1; //!< [10]
    ULONG reserved0 : 1; //!< [11]
    ULONG page_frame_number : 20; //!< [12:31]
};

/// nt!_HARDWARE_PTE on x86 PAE-enabled Windows (12 + 26 + 25 + 1 = 64 bits)
struct HardwarePteX86Pae {
    ULONG64 valid : 1; //!< [0]
    ULONG64 write : 1; //!< [1]
    ULONG64 owner : 1; //!< [2]
    ULONG64 write_through : 1; //!< [3] PWT
    ULONG64 cache_disable : 1; //!< [4] PCD
    ULONG64 accessed : 1; //!< [5]
    ULONG64 dirty : 1; //!< [6]
    ULONG64 large_page : 1; //!< [7] PAT
    ULONG64 global : 1; //!< [8]
    ULONG64 copy_on_write : 1; //!< [9]
    ULONG64 prototype : 1; //!< [10]
    ULONG64 reserved0 : 1; //!< [11]
    ULONG64 page_frame_number : 26; //!< [12:37]
    ULONG64 reserved1 : 25; //!< [38:62]
    ULONG64 no_execute : 1; //!< [63]
};

/// nt!_HARDWARE_PTE on x64 Windows (12 + 36 + 4 + 11 + 1 = 64 bits)
struct HardwarePteX64 {
    ULONG64 valid : 1; //!< [0]
    ULONG64 write : 1; //!< [1]
    ULONG64 owner : 1; //!< [2]
    ULONG64 write_through : 1; //!< [3] PWT
    ULONG64 cache_disable : 1; //!< [4] PCD
    ULONG64 accessed : 1; //!< [5]
    ULONG64 dirty : 1; //!< [6]
    ULONG64 large_page : 1; //!< [7] PAT
    ULONG64 global : 1; //!< [8]
    ULONG64 copy_on_write : 1; //!< [9]
    ULONG64 prototype : 1; //!< [10]
    ULONG64 reserved0 : 1; //!< [11]
    ULONG64 page_frame_number : 36; //!< [12:47]
    ULONG64 reserved1 : 4; //!< [48:51]
    ULONG64 software_ws_index : 11; //!< [52:62]
    ULONG64 no_execute : 1; //!< [63]
};

// HardwarePte follows the build target. Note that an x86 build gets the
// non-PAE layout unconditionally; a PAE-enabled x86 kernel (the default since
// Vista when DEP is on) uses HardwarePteX86Pae, which is never selected here.
#if defined(_X86_)
using HardwarePte = HardwarePteX86;
#elif defined(_AMD64_)
using HardwarePte = HardwarePteX64;
#endif

// One entry of the SystemBigPoolInformation (class 66) result. NonPaged is
// overlaid on bit 0 of VirtualAddress via the union, so mask it off
// (VirtualAddress & ~1) before treating the value as a pointer.
typedef struct _SYSTEM_BIGPOOL_ENTRY
{
    union {
        PVOID VirtualAddress;
        ULONG_PTR NonPaged : 1;
    };
    ULONG_PTR SizeInBytes;
    union {
        UCHAR Tag[4];
        ULONG TagUlong;
    };
} SYSTEM_BIGPOOL_ENTRY, *PSYSTEM_BIGPOOL_ENTRY;
// Variable-length: AllocatedInfo[] has Count entries; size the buffer from the
// length ZwQuerySystemInformation returns, not from sizeof().
typedef struct _SYSTEM_BIGPOOL_INFORMATION {
    ULONG Count;
    SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, *PSYSTEM_BIGPOOL_INFORMATION;


// Prefix of nt!_KSERVICE_TABLE_DESCRIPTOR (the SSDT descriptor). The
// NumberOfServices width follows ULONG_PTR on each architecture.
// NOTE(review): the encoding of ServiceTableBase entries is not captured by
// this declaration - on x64 kernels they are commonly understood to be 32-bit
// offsets relative to the table (shifted by 4), not absolute pointers, while
// on x86 they are absolute addresses. Whatever decodes them (Get_SSDT.hpp)
// must handle both. Writing to this table is exactly what PatchGuard monitors.
typedef struct _SYSTEM_SERVICE_TABLE {
    PVOID ServiceTableBase;
    PVOID ServiceCounterTableBase;
#if defined(_X86_)
    ULONG NumberOfServices;
#elif defined(_AMD64_)
    ULONG64 NumberOfServices;
#endif
    PVOID ParamTableBase;
} SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE;
//-------------------------------------------


//Function
//-------------------------------------------
// Prototypes for exported kernel routines (extern "C") and typedefs for routines
// that are resolved at runtime and called through a pointer. The compiler cannot
// check any of these against the real kernel: a prototype that is wrong in a
// parameter width, an out-pointer size or the calling convention corrupts the
// caller's stack rather than failing to build.

// Documented in ntddk.h; redeclared here with SAL1 macros.
extern "C" NTKERNELAPI NTSTATUS NTAPI ZwQueryInformationProcess(
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength
);

// NOTE(review): the x64 branch declares ReturnLength as PULONG64, but ntddk.h
// declares ZwQuerySystemInformation with PULONG ReturnLength on every
// architecture, i.e. the kernel writes 4 bytes. A caller that passes a ULONG64
// gets only the low half written; unless it zero-initialises the variable the
// upper 32 bits are stack garbage, and any buffer sized from that value is
// wrong. Verify against ntddk.h and declare PULONG on both branches (the
// _ZwQuerySystemInformation typedef further down already does).
#if defined(_X86_)
extern "C" NTKERNELAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Inout_ PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG ReturnLength
);
#elif defined(_AMD64_)
extern "C" NTKERNELAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Inout_ PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG64 ReturnLength
);
#endif

// NOTE(review): declared as returning UCHAR, but the kernel export is
// understood to return a pointer (PUCHAR / PCHAR) to the short image name
// stored in EPROCESS. With this prototype the caller receives the pointer
// truncated to its low byte. Check the call sites (Process.hpp) and change the
// return type to PUCHAR. Independently of the bug: that name is at most 15
// characters, is chosen by whoever created the process, and is not unique, so
// it must never be the sole check for which process may be injected into.
extern "C" NTKERNELAPI UCHAR NTAPI PsGetProcessImageFileName(
    __in PEPROCESS Process
);

// Maps a code address to the base of the containing loaded image (NULL if none).
extern "C" NTSYSAPI PVOID NTAPI RtlPcToFileHeader(
    PVOID PcValue,
    PVOID *BaseOfImage
);

// Returns the IMAGE_NT_HEADERS of a mapped image from its base.
// NOTE(review): this variant performs no range check on e_lfanew; for a buffer
// that did not come from the loader (a file read into pool, a target process's
// memory) prefer RtlImageNtHeaderEx with the buffer size, or validate
// e_lfanew yourself first.
extern "C" NTKERNELAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(
    PVOID Base
);

// Undocumented, unsupported export: the cross-process copy primitive used for
// reading/writing the target. PreviousMode is commonly understood to decide
// whether the addresses are probed as user-mode addresses; passing KernelMode
// with addresses that originate from user input turns this into an arbitrary
// kernel read/write. Any IOCTL path that reaches it must validate the caller,
// the target process and both address ranges, and must pass UserMode.
extern "C" NTKERNELAPI NTSTATUS NTAPI MmCopyVirtualMemory(
    PEPROCESS SourceProcess,
    PVOID SourceAddress,
    PEPROCESS TargetProcess,
    PVOID TargetAddress,
    SIZE_T BufferSize,
    KPROCESSOR_MODE PreviousMode,
    PSIZE_T ReturnSize
);

// Function-pointer typedefs for routines resolved at runtime (presumably via
// MmGetSystemRoutineAddress or an SSDT index - see Get_SSDT.hpp). Nothing
// checks these signatures against the kernel; they must match exactly.

typedef NTSTATUS(NTAPI *_ZwOpenProcessToken)(
    __in HANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __out PHANDLE TokenHandle
);

typedef PVOID(NTAPI *_PsGetProcessDebugPort)(
    __in PEPROCESS Process
);

// Same routine as the extern declaration above, with the PULONG ReturnLength
// that ntddk.h uses on all architectures.
typedef NTSTATUS(NTAPI *_ZwQuerySystemInformation)(
    _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
    _Inout_ PVOID SystemInformation,
    _In_ ULONG SystemInformationLength,
    _Out_opt_ PULONG ReturnLength
);

// Returns the target's PEB (user-mode address: dereference only while attached
// to that process, and under exception protection). PPEB is only defined by
// the x86 branch of this header - see the note on the x64 _PEB above.
typedef PPEB(NTAPI *_PsGetProcessPeb)(
    __in PEPROCESS Process
);

// Internal, non-exported memory-manager routine (must be located by pattern
// scan) that links (Insert != 0) or unlinks a kernel loader entry from the
// loaded-module list. Prototype and existence are build-specific; a wrong hit
// from the scan is an immediate bugcheck.
typedef VOID(NTAPI *_MiProcessLoaderEntry)(
    IN PVOID DataTableEntry,//PKLDR_DATA_TABLE_ENTRY
    IN LOGICAL Insert
);

// NOTE(review): the four Nt*VirtualMemory typedefs below omit NTAPI. On x64
// there is a single calling convention so it is harmless, but on x86 (a build
// target of this project) they default to __cdecl while the kernel routines
// are __stdcall, and calling through them leaves the frame unbalanced.
// Add NTAPI to all four.
//
// NOTE(review): NtReadVirtualMemory is understood to take SIZE_T
// NumberOfBytesToRead and PSIZE_T NumberOfBytesRead. On x64 the kernel writes
// 8 bytes through NumberOfBytesReaded; if the caller passes the address of a
// ULONG on its stack, the adjacent 4 bytes are overwritten. Use SIZE_T /
// PSIZE_T.
typedef NTSTATUS(*_NtReadVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG NumberOfBytesToRead,
    OUT PULONG NumberOfBytesReaded OPTIONAL
);

// Matches the ntifs.h ZwProtectVirtualMemory shape (PSIZE_T size) apart from
// the missing NTAPI noted above.
typedef NTSTATUS(*_NtProtectVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PSIZE_T ProtectSize,
    IN ULONG NewProtect,
    OUT PULONG OldProtect);

// NOTE(review): ULONG64 / PULONG64 coincide with SIZE_T / PSIZE_T only on x64.
// On x86 the 8-byte NumberOfBytesToWrite shifts every following argument and
// the kernel writes 4 bytes where the caller expects 8. Use SIZE_T / PSIZE_T
// so one typedef is right on both architectures.
typedef NTSTATUS(*_NtWriteVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN ULONG64 NumberOfBytesToWrite,
    OUT PULONG64 NumberOfBytesWritten OPTIONAL);

// NOTE(review): ntifs.h declares ZwAllocateVirtualMemory with ULONG_PTR
// ZeroBits and PSIZE_T RegionSize. With PULONG RegionSize on x64 the kernel
// reads and writes 8 bytes through a pointer to a 4-byte variable - caller
// stack corruption and a bogus region size. Use ULONG_PTR / PSIZE_T.
typedef NTSTATUS(*_NtAllocateVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG RegionSize,
    IN ULONG AllocationType,
    IN ULONG Protect);
//-------------------------------------------







--------------------------------------------------------------------------------