├── .gitattributes ├── .gitignore ├── Include ├── Common │ └── MBox.Macro.h ├── Microsoft │ ├── MBox.Apc.h │ ├── MBox.Base.h │ ├── MBox.Context.h │ ├── MBox.File.h │ ├── MBox.Images.PE.h │ ├── MBox.Memory.Information.h │ ├── MBox.Network.Socket.h │ ├── MBox.Network.h │ ├── MBox.Object.Directory.h │ ├── MBox.Object.Job.h │ ├── MBox.Object.Symboliclinks.h │ ├── MBox.Object.Synchronize.h │ ├── MBox.Object.h │ ├── MBox.Process.h │ ├── MBox.Registry.h │ ├── MBox.Runtime.h │ ├── MBox.Security.Macro.h │ ├── MBox.Security.Token.h │ ├── MBox.Security.h │ ├── MBox.System.Information.h │ ├── MBox.System.Version.h │ ├── MBox.Thread.EThread.14393.h │ ├── MBox.Thread.EThread.15063.h │ ├── MBox.Thread.EThread.h │ ├── MBox.Thread.KThread.14393.h │ ├── MBox.Thread.KThread.15063.h │ ├── MBox.Thread.KThread.h │ ├── MBox.Thread.h │ └── Mbox.Module.Loader.h └── Owl │ ├── MBox.MiniFlt.OwlProtocol.h │ └── MBox.OwlProtocol.h ├── LICENSE ├── Project └── MBox.sln ├── README.md ├── Ring0 ├── DeviceFlt │ ├── DeviceFlt.Callback.Context.cpp │ ├── DeviceFlt.Callback.Context.h │ ├── DeviceFlt.Callback.Instance.cpp │ ├── DeviceFlt.Callback.Instance.h │ ├── DeviceFlt.Callback.Operation.cpp │ ├── DeviceFlt.Callback.Operation.h │ ├── DeviceFlt.Callback.Packet.cpp │ ├── DeviceFlt.Callback.Packet.h │ ├── DeviceFlt.Context.cpp │ ├── DeviceFlt.Context.h │ ├── DeviceFlt.Macro.h │ ├── DeviceFlt.cpp │ ├── DeviceFlt.h │ ├── DeviceFlt.vcxproj │ ├── DeviceFlt.vcxproj.filters │ ├── stdafx.cpp │ └── stdafx.h ├── DriverMgr │ ├── DriverMgr.cpp │ ├── DriverMgr.h │ ├── DriverMgr.vcxproj │ ├── DriverMgr.vcxproj.filters │ ├── stdafx.cpp │ └── stdafx.h ├── KTL │ ├── KTL.Algorithm.h │ ├── KTL.Characters.h │ ├── KTL.Containers.List.h │ ├── KTL.Containers.ListNode.cpp │ ├── KTL.Containers.ListNode.h │ ├── KTL.Containers.Tuple.h │ ├── KTL.Functional.Bind.h │ ├── KTL.Functional.Function.h │ ├── KTL.Functional.h │ ├── KTL.Iterators.IteratorTraits.h │ ├── KTL.Iterators.ListIterator.h │ ├── KTL.Iterators.NormalIterator.h │ ├── 
KTL.Iterators.h │ ├── KTL.Macro.Float.h │ ├── KTL.Macro.h │ ├── KTL.Memory.Allocator.h │ ├── KTL.Memory.AllocatorTraits.h │ ├── KTL.Memory.MemoryResource.cpp │ ├── KTL.Memory.MemoryResource.h │ ├── KTL.Memory.New.cpp │ ├── KTL.Memory.New.h │ ├── KTL.Memory.SharedPtr.h │ ├── KTL.Memory.SmartPointerBase.h │ ├── KTL.Memory.WeakPtr.h │ ├── KTL.Memory.cpp │ ├── KTL.Memory.h │ ├── KTL.Multithreading.LockHelper.h │ ├── KTL.Multithreading.NullLock.h │ ├── KTL.Multithreading.Singleton.h │ ├── KTL.Multithreading.SpinLock.cpp │ ├── KTL.Multithreading.SpinLock.h │ ├── KTL.Multithreading.SpinLockShimsApi.cpp │ ├── KTL.Multithreading.SpinLockShimsApi.h │ ├── KTL.Random.h │ ├── KTL.Strings.Formator.h │ ├── KTL.Strings.String.h │ ├── KTL.Strings.h │ ├── KTL.Type.AlignedBuffer.h │ ├── KTL.Type.FloatPointer.h │ ├── KTL.Type.PointerTraits.h │ ├── KTL.Type.TypeTraits.h │ ├── KTL.Type.Uitility.cpp │ ├── KTL.Type.Uitility.h │ ├── KTL.Type.h │ ├── KTL.UUID.cpp │ ├── KTL.UUID.h │ ├── KTL.h │ ├── KTL.vcxproj │ └── KTL.vcxproj.filters ├── MiniFlt.Owl.Kernel │ ├── MiniFlt.Owl.Kernel.vcxproj │ ├── MiniFlt.Owl.Kernel.vcxproj.filters │ ├── MiniFlt.Owl.cpp │ ├── MiniFlt.Owl.h │ ├── stdafx.cpp │ └── stdafx.h ├── MiniFlt │ ├── MiniFlt.Callback.ContextCleanup.cpp │ ├── MiniFlt.Callback.ContextCleanup.h │ ├── MiniFlt.Callback.FileContext.cpp │ ├── MiniFlt.Callback.FileContext.h │ ├── MiniFlt.Callback.InstanceContext.cpp │ ├── MiniFlt.Callback.InstanceContext.h │ ├── MiniFlt.Callback.Name.cpp │ ├── MiniFlt.Callback.Name.h │ ├── MiniFlt.Callback.Operation.cpp │ ├── MiniFlt.Callback.Operation.h │ ├── MiniFlt.Callback.Packet.cpp │ ├── MiniFlt.Callback.Packet.h │ ├── MiniFlt.Callback.SectionContext.cpp │ ├── MiniFlt.Callback.SectionContext.h │ ├── MiniFlt.Callback.StreamContext.cpp │ ├── MiniFlt.Callback.StreamContext.h │ ├── MiniFlt.Callback.StreamHandleContext.cpp │ ├── MiniFlt.Callback.StreamHandleContext.h │ ├── MiniFlt.Callback.TransactionContext.cpp │ ├── MiniFlt.Callback.TransactionContext.h │ ├── 
MiniFlt.Helper.cpp │ ├── MiniFlt.Helper.h │ ├── MiniFlt.Macro.h │ ├── MiniFlt.Registration.cpp │ ├── MiniFlt.Registration.h │ ├── MiniFlt.cpp │ ├── MiniFlt.h │ ├── MiniFlt.vcxproj │ ├── MiniFlt.vcxproj.filters │ ├── stdafx.cpp │ └── stdafx.h ├── NdisFlt │ ├── NdisFlt.vcxproj │ ├── NdisFlt.vcxproj.filters │ ├── stdafx.cpp │ └── stdafx.h ├── Owl.Kernel │ ├── Owl.Kernel.vcxproj │ ├── Owl.Kernel.vcxproj.filters │ ├── Owl.cpp │ ├── Owl.h │ ├── stdafx.cpp │ └── stdafx.h ├── RegisterFlt │ ├── RegisterFlt.cpp │ ├── RegisterFlt.h │ ├── RegisterFlt.vcxproj │ ├── RegisterFlt.vcxproj.filters │ ├── stdafx.cpp │ └── stdafx.h ├── ShimsApi │ ├── ShimsApi.Macro.h │ ├── ShimsApi.MiniFilter.cpp │ ├── ShimsApi.MiniFilter.h │ ├── ShimsApi.Ndis.cpp │ ├── ShimsApi.Ndis.h │ ├── ShimsApi.WFP.Callout.cpp │ ├── ShimsApi.WFP.Callout.h │ ├── ShimsApi.WFP.Engine.cpp │ ├── ShimsApi.WFP.Engine.h │ ├── ShimsApi.WFP.EngineState.cpp │ ├── ShimsApi.WFP.EngineState.h │ ├── ShimsApi.WFP.Filters.cpp │ ├── ShimsApi.WFP.Filters.h │ ├── ShimsApi.WFP.Injection.cpp │ ├── ShimsApi.WFP.Injection.h │ ├── ShimsApi.WFP.Provider.cpp │ ├── ShimsApi.WFP.Provider.h │ ├── ShimsApi.WFP.Redirect.cpp │ ├── ShimsApi.WFP.Redirect.h │ ├── ShimsApi.WFP.Sublayer.cpp │ ├── ShimsApi.WFP.Sublayer.h │ ├── ShimsApi.WFP.Transaction.cpp │ ├── ShimsApi.WFP.Transaction.h │ ├── ShimsApi.WFP.cpp │ ├── ShimsApi.WFP.h │ ├── ShimsApi.vcxproj │ ├── ShimsApi.vcxproj.filters │ ├── stdafx.cpp │ └── stdafx.h ├── UnitTest.Ring0 │ ├── Controller.cpp │ ├── Controller.h │ ├── Listener.cpp │ ├── Listener.h │ ├── Macro.h │ ├── StorageController.cpp │ ├── StorageController.h │ ├── UnitTest.Ring0.X64.inf │ ├── UnitTest.Ring0.X86.inf │ ├── UnitTest.Ring0.vcxproj │ ├── UnitTest.Ring0.vcxproj.filters │ ├── main.cpp │ ├── stdafx.cpp │ └── stdafx.h ├── Vol.Kernel │ ├── Vol.DateTime.cpp │ ├── Vol.DateTime.h │ ├── Vol.Device.Macro.h │ ├── Vol.Device.cpp │ ├── Vol.Device.h │ ├── Vol.Kernel.filters │ ├── Vol.Kernel.vcxproj │ ├── Vol.Kernel.vcxproj.filters │ ├── 
Vol.Memory.cpp │ ├── Vol.Memory.h │ ├── Vol.Module.cpp │ ├── Vol.Module.h │ ├── Vol.Object.Event.cpp │ ├── Vol.Object.Event.h │ ├── Vol.Object.cpp │ ├── Vol.Object.h │ ├── Vol.PE.cpp │ ├── Vol.PE.h │ ├── Vol.Paths.cpp │ ├── Vol.Paths.h │ ├── Vol.Process.cpp │ ├── Vol.Process.h │ ├── Vol.Registry.cpp │ ├── Vol.Registry.h │ ├── Vol.Security.SecurityDescriptor.cpp │ ├── Vol.Security.SecurityDescriptor.h │ ├── Vol.Security.cpp │ ├── Vol.Security.h │ ├── Vol.Symboliclinks.cpp │ ├── Vol.Symboliclinks.h │ ├── Vol.System.cpp │ ├── Vol.System.h │ ├── Vol.Thread.cpp │ ├── Vol.Thread.h │ ├── Vol.ThreadPool.cpp │ ├── Vol.ThreadPool.h │ ├── stdafx.cpp │ └── stdafx.h └── WFPFlt │ ├── WFPFlt.ApiWrapper.Callout.cpp │ ├── WFPFlt.ApiWrapper.Callout.h │ ├── WFPFlt.ApiWrapper.Engine.cpp │ ├── WFPFlt.ApiWrapper.Engine.h │ ├── WFPFlt.ApiWrapper.EngineState.cpp │ ├── WFPFlt.ApiWrapper.EngineState.h │ ├── WFPFlt.ApiWrapper.Filter.cpp │ ├── WFPFlt.ApiWrapper.Filter.h │ ├── WFPFlt.ApiWrapper.Injection.cpp │ ├── WFPFlt.ApiWrapper.Injection.h │ ├── WFPFlt.ApiWrapper.Provider.cpp │ ├── WFPFlt.ApiWrapper.Provider.h │ ├── WFPFlt.ApiWrapper.Redirect.cpp │ ├── WFPFlt.ApiWrapper.Redirect.h │ ├── WFPFlt.ApiWrapper.Sublayer.cpp │ ├── WFPFlt.ApiWrapper.Sublayer.h │ ├── WFPFlt.ApiWrapper.Transaction.cpp │ ├── WFPFlt.ApiWrapper.Transaction.h │ ├── WFPFlt.ApiWrapper.cpp │ ├── WFPFlt.ApiWrapper.h │ ├── WFPFlt.Manager.Callout.cpp │ ├── WFPFlt.Manager.Callout.h │ ├── WFPFlt.Manager.Engine.cpp │ ├── WFPFlt.Manager.Engine.h │ ├── WFPFlt.Manager.EngineState.cpp │ ├── WFPFlt.Manager.EngineState.h │ ├── WFPFlt.Manager.Injection.cpp │ ├── WFPFlt.Manager.Injection.h │ ├── WFPFlt.Manager.Provider.cpp │ ├── WFPFlt.Manager.Provider.h │ ├── WFPFlt.Manager.Redirect.cpp │ ├── WFPFlt.Manager.Redirect.h │ ├── WFPFlt.Manager.Transaction.cpp │ ├── WFPFlt.Manager.Transaction.h │ ├── WFPFlt.Utilities.cpp │ ├── WFPFlt.Utilities.h │ ├── WFPFlt.cpp │ ├── WFPFlt.h │ ├── WFPFlt.vcxproj │ ├── WFPFlt.vcxproj.filters │ ├── stdafx.cpp 
│ └── stdafx.h └── Ring3 ├── Detours.User ├── CREDITS.TXT ├── Detours Version 3.0 Build_343 ├── Detours.User.vcxproj ├── Detours.User.vcxproj.filters ├── Detours.chm ├── LICENSE.RTF ├── ReadMe.txt ├── VERSION.TXT ├── creatwth.cpp ├── detours.cpp ├── detours.h ├── detver.h ├── disasm.cpp ├── disolarm.cpp ├── disolarm64.cpp ├── disolia64.cpp ├── disolx64.cpp ├── disolx86.cpp ├── image.cpp ├── modules.cpp ├── samples │ ├── Makefile │ ├── README.TXT │ ├── comeasy │ │ ├── Makefile │ │ ├── comeasy.cpp │ │ ├── wrotei.cpp │ │ └── wrotei.rc │ ├── commem │ │ ├── Makefile │ │ └── commem.cpp │ ├── common.mak │ ├── cping │ │ ├── Makefile │ │ ├── ReadMe.Txt │ │ ├── cping.cpp │ │ ├── cping.dat │ │ └── iping.idl │ ├── disas │ │ ├── Makefile │ │ ├── arm.asm │ │ ├── disas.cpp │ │ ├── ia64.asm │ │ ├── unk.cpp │ │ ├── x64.asm │ │ └── x86.cpp │ ├── dtest │ │ ├── Makefile │ │ ├── NORMAL_IA64.TXT │ │ ├── NORMAL_X64.TXT │ │ ├── NORMAL_X86.TXT │ │ ├── dtarge.cpp │ │ ├── dtarge.h │ │ ├── dtarge.rc │ │ └── dtest.cpp │ ├── dumpe │ │ ├── Makefile │ │ └── dumpe.cpp │ ├── dumpi │ │ ├── Makefile │ │ └── dumpi.cpp │ ├── echo │ │ ├── Makefile │ │ ├── echofx.cpp │ │ ├── echofx.rc │ │ ├── echonul.cpp │ │ └── main.cpp │ ├── einst │ │ ├── Makefile │ │ ├── edll1x.cpp │ │ ├── edll2x.cpp │ │ ├── edll3x.cpp │ │ └── einst.cpp │ ├── excep │ │ ├── Makefile │ │ ├── excep.cpp │ │ ├── firstexc.cpp │ │ └── firstexc.h │ ├── findfunc │ │ ├── Makefile │ │ ├── extend.cpp │ │ ├── extend.rc │ │ ├── findfunc.cpp │ │ ├── symtest.cpp │ │ ├── target.cpp │ │ ├── target.h │ │ └── target.rc │ ├── impmunge │ │ ├── Makefile │ │ └── impmunge.cpp │ ├── member │ │ ├── Makefile │ │ └── member.cpp │ ├── opengl │ │ ├── Makefile │ │ ├── ogldet.cpp │ │ ├── ogldet.rc │ │ └── testogl.cpp │ ├── region │ │ ├── Makefile │ │ └── region.cpp │ ├── setdll │ │ ├── Makefile │ │ └── setdll.cpp │ ├── simple │ │ ├── Makefile │ │ ├── simple.cpp │ │ ├── simple.rc │ │ └── sleep5.cpp │ ├── slept │ │ ├── Makefile │ │ ├── NORMAL_IA64.TXT │ │ ├── 
NORMAL_X64.TXT │ │ ├── NORMAL_X86.TXT │ │ ├── dslept.cpp │ │ ├── dslept.rc │ │ ├── sleepbed.cpp │ │ ├── sleepnew.cpp │ │ ├── sleepold.cpp │ │ ├── slept.cpp │ │ ├── slept.h │ │ ├── slept.rc │ │ └── verify.cpp │ ├── syelog │ │ ├── Makefile │ │ ├── sltest.cpp │ │ ├── sltestp.cpp │ │ ├── syelog.cpp │ │ ├── syelog.h │ │ └── syelogd.cpp │ ├── talloc │ │ ├── Makefile │ │ ├── NORMAL_IA64.TXT │ │ ├── NORMAL_X64.TXT │ │ ├── talloc.cpp │ │ ├── tdll1x.cpp │ │ ├── tdll2x.cpp │ │ ├── tdll3x.cpp │ │ ├── tdll4x.cpp │ │ ├── tdll5x.cpp │ │ ├── tdll6x.cpp │ │ ├── tdll7x.cpp │ │ ├── tdll8x.cpp │ │ └── tdll9x.cpp │ ├── traceapi │ │ ├── Makefile │ │ ├── _win32.cpp │ │ ├── testapi.cpp │ │ ├── trcapi.cpp │ │ └── trcapi.rc │ ├── tracebld │ │ ├── Makefile │ │ ├── tracebld.cpp │ │ ├── tracebld.h │ │ ├── trcbld.cpp │ │ └── trcbld.rc │ ├── tracelnk │ │ ├── Makefile │ │ ├── trclnk.cpp │ │ └── trclnk.rc │ ├── tracemem │ │ ├── Makefile │ │ ├── trcmem.cpp │ │ └── trcmem.rc │ ├── tracereg │ │ ├── Makefile │ │ ├── trcreg.cpp │ │ └── trcreg.rc │ ├── traceser │ │ ├── Makefile │ │ ├── trcser.cpp │ │ └── trcser.rc │ ├── tracessl │ │ ├── Makefile │ │ ├── trcssl.cpp │ │ └── trcssl.rc │ ├── tracetcp │ │ ├── Makefile │ │ ├── trctcp.cpp │ │ └── trctcp.rc │ ├── tryman │ │ ├── Makefile │ │ ├── managed.cs │ │ ├── size.cpp │ │ ├── tryman.cpp │ │ ├── tstman.cpp │ │ └── tstman.rc │ └── withdll │ │ ├── Makefile │ │ └── withdll.cpp ├── system.mak └── uimports.cpp ├── MiniFlt.Owl.User ├── MiniFlt.Owl.User.vcxproj ├── MiniFlt.Owl.User.vcxproj.filters ├── MiniFlt.Owl.cpp ├── MiniFlt.Owl.h ├── stdafx.cpp └── stdafx.h ├── Owl.User ├── Owl.User.vcxproj ├── Owl.User.vcxproj.filters ├── Owl.cpp ├── Owl.h ├── stdafx.cpp └── stdafx.h ├── UnitTest.Ring3 ├── UnitTest.Ring3.vcxproj ├── UnitTest.Ring3.vcxproj.filters ├── main.cpp ├── stdafx.cpp └── stdafx.h └── Vol.User ├── Vol.Device.Disk.cpp ├── Vol.Device.Disk.h ├── Vol.Device.Volume.cpp ├── Vol.Device.Volume.h ├── Vol.Process.cpp ├── Vol.Process.h ├── Vol.Registry.cpp ├── 
Vol.Registry.h ├── Vol.Security.Sddl.h ├── Vol.Security.SecurityDescriptor.cpp ├── Vol.Security.SecurityDescriptor.h ├── Vol.Security.cpp ├── Vol.Security.h ├── Vol.Service.Base.cpp ├── Vol.Service.Base.h ├── Vol.Service.Controller.cpp ├── Vol.Service.Controller.h ├── Vol.Service.Installer.cpp ├── Vol.Service.Installer.h ├── Vol.Service.cpp ├── Vol.Service.h ├── Vol.Symboliclinks.cpp ├── Vol.Symboliclinks.h ├── Vol.System.cpp ├── Vol.System.h ├── Vol.ThreadPool.cpp ├── Vol.ThreadPool.h ├── Vol.User.vcxproj ├── Vol.User.vcxproj.filters ├── stdafx.cpp └── stdafx.h /Include/Common/MBox.Macro.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | // Logs through DbgPrintEx at run time (despite the "CompileTime" name), prefixing the source line and function; aFormat has to be a string literal because it is pasted between two literals. 6 | #ifndef MBoxCompileTimeLog$ 7 | #define MBoxCompileTimeLog$(aLevel, aFormat, ...) \ 8 | do{ \ 9 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, aLevel, \ 10 | "MBox [%04u, %s]-> " aFormat "\n", \ 11 | __LINE__, __FUNCTION__, __VA_ARGS__); \ 12 | }while(0) 13 | #endif 14 | 15 | } 16 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Apc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "MBox.Base.h" 3 | // Hand-declared APC state, callback types and prototypes. NOTE(review): these look like mirrors of kernel-internal definitions; nothing here checks them against the running build — confirm per target before relying on field offsets. 4 | #pragma warning(push) 5 | #pragma warning(disable: 4201) 6 | namespace MBox 7 | { 8 | struct KApcState 9 | { 10 | ListEntry ApcListHead[MaximumMode]; 11 | struct _KPROCESS * Process; 12 | union 13 | { 14 | UCHAR InProgressFlags; 15 | struct 16 | { 17 | BOOLEAN KernelApcInProgress : 1; 18 | BOOLEAN SpecialApcInProgress : 1; 19 | }; 20 | }; 21 | 22 | BOOLEAN KernelApcPending; 23 | BOOLEAN UserApcPending; 24 | }; 25 | // Environment selector passed as aEnvironment to KeInitializeApc below. 26 | enum class ApcEnvironment: UINT32 27 | { 28 | OriginalApcEnvironment, 29 | AttachedApcEnvironment, 30 | CurrentApcEnvironment, 31 | InsertApcEnvironment 32 | }; 33 | 34 | extern"C" 35 | { 36 | typedef VOID(NTAPI *PKNORMAL_ROUTINE)( 37 | PVOID aNormalContext, 38 | PVOID aSystemArgument1, 39 | PVOID aSystemArgument2); 40 | 41 
| typedef VOID(NTAPI *PKKERNEL_ROUTINE)( 42 | PKAPC aApc, 43 | PKNORMAL_ROUTINE *aNormalRoutine, 44 | PVOID *aNormalContext, 45 | PVOID *aSystemArgument1, 46 | PVOID *aSystemArgument2); 47 | 48 | typedef VOID(NTAPI *PKRUNDOWN_ROUTINE)( 49 | PKAPC aApc); 50 | // NOTE(review): the two prototypes below are written out by hand, presumably because the included WDK headers do not declare them — confirm the signatures against the target kernel. 51 | VOID NTAPI KeInitializeApc( 52 | PKAPC aApc, 53 | PRKTHREAD aThread, 54 | ApcEnvironment aEnvironment, 55 | PKKERNEL_ROUTINE aKernelRoutine, 56 | PKRUNDOWN_ROUTINE aRundownRoutine, 57 | PKNORMAL_ROUTINE aNormalRoutine, 58 | KPROCESSOR_MODE aProcessorMode, 59 | PVOID aNormalContext); 60 | 61 | BOOLEAN NTAPI KeInsertQueueApc( 62 | PKAPC aApc, 63 | PVOID aSystemArgument1, 64 | PVOID aSystemArgument2, 65 | KPRIORITY aIncrement); 66 | 67 | } 68 | } 69 | #pragma warning(pop) 70 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.File.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "MBox.Base.h" 3 | 4 | 5 | #pragma warning(push) 6 | #pragma warning(disable: 4201) 7 | namespace MBox 8 | { 9 | // NOTE(review): per the WDK contract the name buffer returned through aObjectNameInformation is system-allocated and the caller frees it (ExFreePool) — confirm every call site does. 10 | 11 | extern"C" 12 | { 13 | NTSTATUS NTAPI IoQueryFileDosDeviceName( 14 | PFILE_OBJECT aFileObject, 15 | ObjectNameInformation** aObjectNameInformation); 16 | 17 | } 18 | } 19 | #pragma warning(pop) 20 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Network.Socket.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | // Address-family identifiers as 16-bit values. Unscoped enum: the enumerators (Unix, Max, ...) are visible directly in namespace MBox. 3 | #pragma warning(push) 4 | #pragma warning(disable: 4201) 5 | namespace MBox 6 | { 7 | enum AddressFamily : ktl::u16 8 | { 9 | Unspecified = 0, 10 | Unix = 1, 11 | IPv4 = 2, 12 | IPX = 6, 13 | AppleTalk = 16, 14 | NetBios = 17, 15 | ATM = 22, 16 | IPv6 = 23, 17 | InfraredData = 26, 18 | Bluetooth = 32, 19 | 20 | Max = 35, 21 | }; 22 | 23 | } 24 | #pragma warning(pop) 25 | -------------------------------------------------------------------------------- 
/Include/Microsoft/MBox.Network.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Bit flags for network adapter/component characteristics (NCF_* values). Scoped enum: combining flags needs an explicit cast to UINT32. 4 | #pragma warning(push) 5 | #pragma warning(disable: 4201) 6 | namespace MBox 7 | { 8 | enum class NetworkAdapterCharacteristics : UINT32 9 | { 10 | NCF_VIRTUAL = 0x00000001, 11 | NCF_SOFTWARE_ENUMERATED = 0x00000002, 12 | NCF_PHYSICAL = 0x00000004, 13 | NCF_HIDDEN = 0x00000008, 14 | NCF_NO_SERVICE = 0x00000010, 15 | NCF_NOT_USER_REMOVABLE = 0x00000020, 16 | NCF_MULTIPORT_INSTANCED_ADAPTER = 0x00000040, 17 | NCF_HAS_UI = 0x00000080, 18 | NCF_SINGLE_INSTANCE = 0x00000100, 19 | NCF_FILTER = 0x00000400, 20 | NCF_DONTEXPOSELOWER = 0x00001000, 21 | NCF_HIDE_BINDING = 0x00002000, 22 | NCF_NDIS_PROTOCOL = 0x00004000, 23 | NCF_FIXED_BINDING = 0x00020000, 24 | NCF_LW_FILTER = 0x00040000 25 | }; 26 | 27 | } 28 | #pragma warning(pop) 29 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Object.Directory.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "MBox.Object.h" 3 | // Access rights, entry layout and Zw* prototypes for object-directory handles. 4 | #pragma warning(push) 5 | #pragma warning(disable: 4201) 6 | namespace MBox 7 | { 8 | enum DirectoryAccessMask : UINT32 9 | { 10 | DirectoryQuery = 0x0001, 11 | DirectoryTraverse = 0x0002, 12 | DirectoryCreateObject = 0x0004, 13 | DirectoryCreateSubDirectory = 0x0008, 14 | // StandardRightsRequired plus all four directory rights above (0x1|0x2|0x4|0x8 = 0xF). 15 | DirectoryAllAccess = (StandardRightsRequired | 0xF), 16 | }; 17 | // Object name and type name of one directory entry; presumably the entry layout ZwQueryDirectoryObject writes into aBuffer — confirm. 18 | struct ObjectDirectoryInformation 19 | { 20 | UnicodeString m_Name; 21 | UnicodeString m_TypeName; 22 | }; 23 | 24 | extern"C" 25 | { 26 | NTSTATUS NTAPI ZwOpenDirectoryObject( 27 | PHANDLE aDirectoryHandle, 28 | ACCESS_MASK aDesiredAccess, 29 | ObjectAttributes* aObjectAttributes); 30 | 31 | NTSTATUS NTAPI ZwQueryDirectoryObject( 32 | HANDLE aDirectoryHandle, 33 | PVOID aBuffer, 34 | UINT32 aLength, 35 | BOOLEAN aReturnSingleEntry, 36 | BOOLEAN aRestartScan, 37 | UINT32* aContext, 38 | UINT32* 
aReturnLength); 39 | 40 | 41 | } 42 | } 43 | #pragma warning(pop) 44 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Object.Symboliclinks.h: -------------------------------------------------------------------------------- 1 | #include "MBox.Object.h" 2 | // NOTE(review): no #pragma once or include guard here, unlike the other headers shown on this page; a second inclusion would redefine SymboliclinkAccessMask. 3 | 4 | #pragma warning(push) 5 | #pragma warning(disable: 4201) 6 | namespace MBox 7 | { 8 | enum SymboliclinkAccessMask : UINT32 9 | { 10 | SymboliclinkQuery = 0x00000001, 11 | SymboliclinkSet = 0x00000002, 12 | // AllAccess adds only the query right to StandardRightsRequired; AllAccessEx sets every bit of the low 16, which includes SymboliclinkSet. 13 | SymboliclinkAllAccess = StandardRightsRequired | SymboliclinkQuery, 14 | SymboliclinkAllAccessEx = StandardRightsRequired | 0xFFFF, 15 | }; 16 | 17 | extern"C" 18 | { 19 | NTSTATUS NTAPI ZwOpenSymbolicLinkObject( 20 | PHANDLE aLinkHandle, 21 | ACCESS_MASK aDesiredAccess, 22 | ObjectAttributes* aObjectAttributes); 23 | 24 | NTSTATUS NTAPI ZwQuerySymbolicLinkObject( 25 | HANDLE LinkHandle, 26 | UnicodeString* LinkTarget, 27 | UINT32* ReturnedLength); 28 | 29 | } 30 | } 31 | #pragma warning(pop) 32 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Object.Synchronize.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "MBox.Object.h" 3 | // Event types, event access rights and Zw* event prototypes. 4 | #pragma warning(push) 5 | #pragma warning(disable: 4201) 6 | namespace MBox 7 | { 8 | enum EventType : UINT32 9 | { 10 | NotificationEvent, 11 | SynchronizationEvent 12 | }; 13 | 14 | enum EventAccessMask : UINT32 15 | { 16 | EventQueryState = 0x0001, 17 | EventModifyState = 0x0002, 18 | EventAllAccess = (StandardRightsRequired | Synchronize | EventQueryState | EventModifyState) 19 | }; 20 | // NOTE(review): the two prototypes below omit NTAPI, unlike the other Zw* declarations in these headers; on x86 the calling convention then depends on the compiler default — confirm. 21 | extern"C" 22 | { 23 | NTSTATUS ZwCreateEvent( 24 | PHANDLE EventHandle, 25 | ACCESS_MASK DesiredAccess, 26 | ObjectAttributes* ObjectAttributes, 27 | EventType aEventType, 28 | BOOLEAN InitialState); 29 | 30 | NTSTATUS ZwSetEvent( 31 | HANDLE EventHandle, 32 | INT32* PreviousState); 33 | 34 | } 35 | 
} 36 | #pragma warning(pop) 37 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Object.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Include/Microsoft/MBox.Object.h -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Process.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Include/Microsoft/MBox.Process.h -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Runtime.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | #pragma warning(push) 5 | #pragma warning(disable: 4201) 6 | namespace MBox 7 | { 8 | // When AllocateDestinationString is TRUE the routine allocates the string buffer, which the caller releases with RtlFreeUnicodeString (documented contract). 9 | extern"C" 10 | { 11 | NTSTATUS NTAPI RtlConvertSidToUnicodeString( 12 | PUNICODE_STRING UnicodeString, 13 | PSID Sid, 14 | BOOLEAN AllocateDestinationString); 15 | } 16 | } 17 | #pragma warning(pop) 18 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.System.Version.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | // OS-version identifiers; trailing comments give major.minor.build. Enumerators are sequential, so relational comparison follows declaration order. 3 | #pragma warning(push) 4 | #pragma warning(disable: 4201) 5 | namespace MBox 6 | { 7 | enum class SystemVersion : UINT32 8 | { 9 | WindowsUnknown, 10 | 11 | WindowsXP, // 5.1.2600 12 | WindowsXP64, // 5.2.3790 13 | 14 | WindowsVista, // 6.0.6000 15 | WindowsVista_SP1, // 6.0.6001 16 | WindowsVista_SP2, // 6.0.6002 17 | 18 | Windows7, // 6.1.7600 19 | Windows7_SP1, // 6.1.7601 20 | 21 | Windows8, // 6.2.9200 22 | 23 | Windows8_1, // 6.3.9600 24 | 25 | Windows10, 26 | Windows10_1507 = Windows10, // 10.0.10240 27 | Windows10_1511, // 10.0.10586 28 | Windows10_1607, // 10.0.14393 
29 | Windows10_1703, // 10.0.15063 30 | // Windows10_1710 // 10.0.????? 31 | WindowsMax, 32 | }; 33 | } 34 | #pragma warning(pop) 35 | -------------------------------------------------------------------------------- /Include/Microsoft/MBox.Thread.EThread.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "MBox.Thread.KThread.h" 3 | #include "MBox.Context.h" 4 | // Types declared ahead of the per-build EThread headers included at the bottom of this file. 5 | #pragma warning(push) 6 | #pragma warning(disable: 4201) 7 | namespace MBox 8 | { 9 | union PsClientSecurityContext // NOTE(review): the flag bit-fields overlay the low bits of ImpersonationToken; presumably the pointer must be masked before it is dereferenced — confirm 10 | { 11 | UINT64 ImpersonationData; 12 | VOID *ImpersonationToken; 13 | struct 14 | { 15 | UINT64 ImpersonationLevel : 2; 16 | UINT64 EffectiveOnly : 1; 17 | }; 18 | }; 19 | 20 | struct PsPropertySet 21 | { 22 | ListEntry ListHead; 23 | UINT64 Lock; 24 | }; 25 | } 26 | #pragma warning(pop) 27 | 28 | #include "MBox.Thread.EThread.14393.h" 29 | #include "MBox.Thread.EThread.15063.h" 30 | -------------------------------------------------------------------------------- /Include/Microsoft/Mbox.Module.Loader.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Module-list layout. NOTE(review): presumably the buffer format returned by a system-module query; OffsetToFileName looks like an index into FullPathName and should be bounded by sizeof(FullPathName) before use — confirm. 4 | #pragma warning(push) 5 | #pragma warning(disable: 4201) 6 | namespace MBox 7 | { 8 | struct RtlProcessModuleInformation 9 | { 10 | HANDLE Section; 11 | PVOID MappedBase; 12 | PVOID ImageBase; 13 | UINT32 ImageSize; 14 | UINT32 Flags; 15 | UINT16 LoadOrderIndex; 16 | UINT16 InitOrderIndex; 17 | UINT16 LoadCount; 18 | UINT16 OffsetToFileName; 19 | UCHAR FullPathName[256]; 20 | }; 21 | // Modules is declared with one element but presumably holds NumberOfModules entries; a consumer has to bound every index by NumberOfModules and by the size of the buffer it actually obtained. 22 | struct RtlProcessModules 23 | { 24 | UINT32 NumberOfModules; 25 | RtlProcessModuleInformation Modules[1]; 26 | }; 27 | 28 | using RtlSystemModules = RtlProcessModules; 29 | } 30 | #pragma warning(pop) 31 | -------------------------------------------------------------------------------- /Include/Owl/MBox.MiniFlt.OwlProtocol.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | 
namespace MBox 5 | { 6 | namespace MiniFltOwlProtocol 7 | { 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /Include/Owl/MBox.OwlProtocol.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | // I/O control codes and fixed-layout message headers of the Owl protocol; presumably shared by the Owl.Kernel and Owl.User projects — confirm. 3 | namespace MBox 4 | { 5 | namespace OwlProtocol 6 | { 7 | enum class IoCode : UINT32 8 | { 9 | BeginCode = 0x800, // first function code of the vendor-defined CTL_CODE range 10 | // NOTE(review): every code below is built with FILE_ANY_ACCESS, so the I/O manager applies no read/write access check to the handle; the device object's security descriptor and the handler's own validation are then the only gate — confirm both. 11 | Connecttion = CTL_CODE(FILE_DEVICE_UNKNOWN, BeginCode + 1, METHOD_BUFFERED, FILE_ANY_ACCESS), // (sic) identifier is spelled this way 12 | Disconnection = CTL_CODE(FILE_DEVICE_UNKNOWN, BeginCode + 2, METHOD_IN_DIRECT, FILE_ANY_ACCESS), 13 | 14 | UserMessage = CTL_CODE(FILE_DEVICE_UNKNOWN, BeginCode + 3, METHOD_OUT_DIRECT,FILE_ANY_ACCESS), 15 | 16 | KernelMessage = CTL_CODE(FILE_DEVICE_UNKNOWN, BeginCode + 4, METHOD_OUT_DIRECT,FILE_ANY_ACCESS), 17 | ReplyKernelMessage = CTL_CODE(FILE_DEVICE_UNKNOWN, BeginCode + 5, METHOD_IN_DIRECT, FILE_ANY_ACCESS), 18 | }; 19 | // Headers below are packed with a maximum member alignment of 8, presumably so that every build of both sides sees the same layout. 20 | #pragma pack(push, 8) 21 | struct ConnectContextHeader 22 | { 23 | IN UINT64 m_ThreadHandle = 0; // NOTE(review): caller-supplied handle value; the receiver should resolve it with ObReferenceObjectByHandle using the requestor's access mode and the expected object type — handler not visible here 24 | IN UINT64 m_NotifySemaphore = 0; // NOTE(review): same as m_ThreadHandle: validate type and access before use 25 | }; 26 | 27 | struct ReplyHeader 28 | { 29 | NTSTATUS m_Status = 0; 30 | UINT64 m_MessageId = 0; 31 | }; 32 | 33 | struct MessageHeader 34 | { 35 | UINT32 m_ReplyBytes = 0; // NOTE(review): length field carried in the message; presumably the receiver must bound it against the real buffer size — verify in the handler 36 | UINT64 m_MessageId = 0; 37 | }; 38 | #pragma pack(pop) 39 | 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 MeeSong 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, 
subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # MBox 2 | 3 | MeeSong Box : Windows tool box library 4 | 5 | License : MIT 6 | 7 | IDE : Visual Studio 2017 8 | 9 | Language : C++11/14, 17 10 | 11 | SDK/WDK : 10.0.16299 12 | -------------------------------------------------------------------------------- /Ring0/DeviceFlt/DeviceFlt.Callback.Context.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "DeviceFlt.Callback.Context.h" 3 | #include "DeviceFlt.Callback.Packet.h" 4 | 5 | namespace MBox 6 | { 7 | namespace DeviceFlt 8 | { 9 | static void InstanceContextCleanup(FltInstanceContext* aContext) 10 | { 11 | ContextCleanupCallbackParameter vParameter; 12 | vParameter.m_ContextType = ContextType::Instance; 13 | // For each packet with cleanup enabled, passes that packet's slot of aContext to its cleanup functor and then clears the slot. NOTE(review): aContext is indexed by the packet index and no bound on aIndex is visible here — confirm the array is sized to the packet count. 14 | auto vCallback = [aContext, &vParameter]( 15 | ContextCleanupCallbackPacket* CallbackPacket, 16 | UINT32 aIndex) -> BOOLEAN 17 | { 18 | if (nullptr == aContext[aIndex].m_Context) 19 | { 20 | return FALSE; 21 | } 22 | 23 | vParameter.m_Context = aContext[aIndex].m_Context; 24 | vParameter.m_RegisterContext = CallbackPacket->m_RegisterContext; 25 | 
CallbackPacket->m_ContextCleanupCallback(&vParameter); 26 | aContext[aIndex].m_Context = nullptr; 27 | 28 | return FALSE; 29 | }; 30 | TraverseContextCleanupCallback(vCallback); 31 | } 32 | // Routes a context being torn down to the cleanup routine for its type; only Instance is handled and any other ContextType value is ignored. 33 | 34 | void __stdcall ContextCleanupCallback( 35 | void * aContext, 36 | ContextType aContextType) 37 | { 38 | if (nullptr == aContext) return; 39 | 40 | switch (aContextType) 41 | { 42 | case MBox::DeviceFlt::ContextType::Instance: 43 | InstanceContextCleanup((FltInstanceContext*)aContext); // NOTE(review): unchecked cast; relies on aContextType matching what aContext really points to 44 | break; 45 | } 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /Ring0/DeviceFlt/DeviceFlt.Callback.Context.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | #include "DeviceFlt.Context.h" 5 | #include "DeviceFlt.Macro.h" 6 | 7 | 8 | namespace MBox 9 | { 10 | namespace DeviceFlt 11 | { 12 | struct ContextCleanupCallbackParameter 13 | { 14 | void* m_Context{}; 15 | ContextType m_ContextType{}; 16 | 17 | void* m_RegisterContext{}; 18 | }; 19 | 20 | using ContextCleanupCallbackFunctor$Type = ktl::function; 21 | // Cleanup hook of one registrant: enable bit, functor, and the opaque pointer handed back to it as m_RegisterContext. 22 | struct ContextCleanupCallbackPacket 23 | { 24 | UINT32 m_IsEnableCleanupCallback : 1; 25 | 26 | ContextCleanupCallbackFunctor$Type m_ContextCleanupCallback{}; 27 | 28 | PVOID m_RegisterContext{}; 29 | 30 | ContextCleanupCallbackPacket() 31 | { 32 | m_IsEnableCleanupCallback = FALSE; 33 | } 34 | }; 35 | 36 | // 37 | // Callback 38 | // 39 | 40 | DeviceFlt$Function$TraverseCallbackPacketMember$Macro(ContextCleanupCallbackPacket, m_ContextCleanupCallbackPacket) 41 | 42 | #define DeviceFlt$Function$TraverseContextCleanupCallbackPacketCallbackName$Macro \ 43 | DeviceFlt$Function$TraverseCallbackPacketMemberName$Macro(ContextCleanupCallbackPacket) 44 | // Invokes aFunctor only for packets whose m_IsEnableCleanupCallback bit is set; other packets yield FALSE. 45 | template 46 | static void TraverseContextCleanupCallback(F aFunctor) 47 | { 48 | auto vCallback = [&aFunctor](ContextCleanupCallbackPacket* aInstanceCallbackFunction, UINT32 aIndex) -> BOOLEAN 49 | { 
50 | if (aInstanceCallbackFunction->m_IsEnableCleanupCallback) 51 | { 52 | return aFunctor(aInstanceCallbackFunction, aIndex); 53 | } 54 | 55 | return FALSE; 56 | }; 57 | DeviceFlt$Function$TraverseContextCleanupCallbackPacketCallbackName$Macro(vCallback); 58 | } 59 | 60 | void __stdcall ContextCleanupCallback( 61 | void* aContext, 62 | ContextType aContextType); 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /Ring0/DeviceFlt/DeviceFlt.Callback.Operation.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/DeviceFlt/DeviceFlt.Callback.Operation.cpp -------------------------------------------------------------------------------- /Ring0/DeviceFlt/DeviceFlt.Callback.Operation.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/DeviceFlt/DeviceFlt.Callback.Operation.h -------------------------------------------------------------------------------- /Ring0/DeviceFlt/DeviceFlt.Callback.Packet.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | 5 | #include "DeviceFlt.Callback.Packet.h" 6 | 7 | 8 | namespace MBox 9 | { 10 | namespace DeviceFlt 11 | { 12 | CallbackPacketManager * GetCallbackPacketManager() 13 | { 14 | static CallbackPacketManager sCallbackPacketManager; 15 | return &sCallbackPacketManager; 16 | } 17 | // Allocates the packet list once; later calls return success without reallocating. NOTE(review): the check and the allocation are not synchronized here — confirm this runs only on a single-threaded initialization path. 18 | NTSTATUS CallbackPacketManager::Initialize() 19 | { 20 | if (m_CallbackPacketList) return STATUS_SUCCESS; 21 | // presumably this project's operator new returns nullptr on failure, which the check below depends on 22 | m_CallbackPacketList = new CallbackPacketList$Type; 23 | if (nullptr == m_CallbackPacketList) 24 | { 25 | return STATUS_INSUFFICIENT_RESOURCES; 26 | } 27 | 28 | return STATUS_SUCCESS; 29 | } 30 | // Clears and frees the list; returns immediately when no list is allocated. 31 | void CallbackPacketManager::Uninitialize() 32 | { 33 | 
if (nullptr == m_CallbackPacketList) return; 34 | 35 | m_CallbackPacketList->clear(); 36 | delete m_CallbackPacketList; 37 | m_CallbackPacketList = nullptr; 38 | } 39 | // Returns the singleton's list pointer, which is nullptr after Uninitialize. 40 | CallbackPacketManager::CallbackPacketList$Type * CallbackPacketManager::GetCallbackPacketList() 41 | { 42 | return GetCallbackPacketManager()->m_CallbackPacketList; 43 | } 44 | 45 | } 46 | 47 | } 48 | -------------------------------------------------------------------------------- /Ring0/DeviceFlt/DeviceFlt.Context.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | 9 | namespace MBox 10 | { 11 | namespace DeviceFlt 12 | { 13 | enum : UINT32 14 | { 15 | DefaultContextPoolTag = KTL$CompileTime$ByteSwap32$Macro('MBox'), 16 | }; 17 | 18 | enum class ContextType : UINT32 19 | { 20 | Unknown, 21 | Instance, 22 | }; 23 | // Stores per-device-object filter contexts in a list and exposes allocate/set/get plus reference counting on them. 24 | class ContextManager 25 | { 26 | public: 27 | struct FltContextImpl 28 | { 29 | ContextType m_ContextType = ContextType::Unknown; 30 | DEVICE_OBJECT* m_DeviceObject = nullptr; 31 | volatile long m_UsedCount = 0; // NOTE(review): volatile alone does not make updates atomic; confirm changes go through Interlocked* or are made under m_Lock 32 | 33 | void* m_Context = nullptr; 34 | }; 35 | 36 | using FltContextList$Type = ktl::list>; 37 | 38 | enum class ContextSetOperation : ktl::u32 39 | { 40 | ReplaceIfExists, 41 | KeepIfExists, 42 | }; 43 | 44 | NTSTATUS Initialize(); 45 | void Uninitialize(); 46 | 47 | NTSTATUS ContextAllocate( 48 | DEVICE_OBJECT* aDeviceObject, 49 | ContextType aContextType, 50 | ktl::u32 aContextSize, 51 | POOL_TYPE aPoolType, 52 | void** aContext); 53 | 54 | NTSTATUS ContextSet( 55 | DEVICE_OBJECT* aDeviceObject, 56 | ContextSetOperation aSetOperation, 57 | void* aContext, 58 | void** aOldContext); 59 | 60 | NTSTATUS ContextGet( 61 | DEVICE_OBJECT* aDeviceObject, 62 | ContextType aContextType, 63 | void** aContext); 64 | 65 | void ReferenceContext(void* aContext); 66 | void ReleaseContexts(void* aContext); 67 | 68 | static void __stdcall 
ContextCleanup(FltContextImpl* aFltContext); 69 | // Calls aCallback on each stored context until it returns TRUE. NOTE(review): the loop does not take m_Lock itself; presumably callers hold it — confirm. 70 | template 71 | void TraverseContexts(F aCallback) 72 | { 73 | if (nullptr == m_FltContextList) 74 | { 75 | return; 76 | } 77 | 78 | for (auto vContext : *m_FltContextList) 79 | { 80 | if (TRUE == aCallback(vContext)) 81 | { 82 | break; 83 | } 84 | } 85 | } 86 | 87 | private: 88 | FltContextList$Type* m_FltContextList = nullptr; 89 | ktl::spin_lock m_Lock; 90 | }; 91 | 92 | ContextManager* GetContextManager(); 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /Ring0/DeviceFlt/DeviceFlt.Macro.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | // Macros that name, declare and define Traverse<Name>Callback function templates over the registered callback packets. 3 | #define DeviceFlt$Function$TraverseCallbackPacketMemberName$Macro(aFunctionName) \ 4 | Traverse ## aFunctionName ## Callback 5 | 6 | #define DeviceFlt$Function$DeclareTraverseCallbackPacketMember$Macro(aFunctionName) \ 7 | template \ 8 | void DeviceFlt$Function$TraverseCallbackPacketMemberName$Macro(aFunctionName)(F aFunctor); 9 | // The generated function calls aFunctor only for packets whose aMember is non-null and yields FALSE for the rest. 10 | #define DeviceFlt$Function$TraverseCallbackPacketMember$Macro(aFunctionName, aMember) \ 11 | template \ 12 | void DeviceFlt$Function$TraverseCallbackPacketMemberName$Macro(aFunctionName)(F aFunctor) \ 13 | { \ 14 | auto vCallback = [&aFunctor](ktl::shared_ptr aCallbackPacket, UINT32 aIndex) -> BOOLEAN \ 15 | { \ 16 | if (aCallbackPacket->aMember) \ 17 | { \ 18 | return aFunctor(aCallbackPacket->aMember, aIndex); \ 19 | } \ 20 | return FALSE; \ 21 | }; \ 22 | GetCallbackPacketManager()->TraverseCallbackPacket(vCallback); \ 23 | } 24 | -------------------------------------------------------------------------------- /Ring0/DeviceFlt/DeviceFlt.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "DeviceFlt.Callback.Packet.h" 3 | 4 | namespace MBox 5 | { 6 | namespace DeviceFlt 7 | { 8 | NTSTATUS Initialize(); 9 | void Uninitialize(); 10 | 11 | NTSTATUS RegisterFilter(); 12 | 13 | 
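NTSTATUS StartFilter();
        NTSTATUS StopFilter();
        BOOLEAN  IsStartedFilter();

        /// Forwards a callback packet and its deleter to the packet manager
        /// and returns the manager's status unchanged.
        // The template parameter list was stripped by the extraction and is
        // restored here.
        template <typename F>
        NTSTATUS RegisterCallbackPacket(
            CallbackPacket* aCallbackPacket,
            F aDeletor)
        {
            return GetCallbackPacketManager()->RegisterCallbackPacket(
                aCallbackPacket, aDeletor);
        }

    }

}
--------------------------------------------------------------------------------
/Ring0/DeviceFlt/stdafx.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"

// Link the DriverMgr library that matches the target architecture.
#ifdef _WIN64
#pragma comment(lib, "DriverMgr.X64.lib")
#else
#pragma comment(lib, "DriverMgr.X86.lib")
#endif
--------------------------------------------------------------------------------
/Ring0/DeviceFlt/stdafx.h:
--------------------------------------------------------------------------------
#pragma once

// Force NTDDI_VERSION to the WDK's value whether or not it was set before.
#ifdef NTDDI_VERSION
#undef  NTDDI_VERSION
#define NTDDI_VERSION WDK_NTDDI_VERSION
#else
#define NTDDI_VERSION WDK_NTDDI_VERSION
#endif

// NOTE(review): the header names of the bare #include lines below were lost
// when this listing was extracted.
#include
#include

#include
#include

#include


--------------------------------------------------------------------------------
/Ring0/DriverMgr/DriverMgr.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/DriverMgr/DriverMgr.cpp
--------------------------------------------------------------------------------
/Ring0/DriverMgr/DriverMgr.vcxproj.filters:
--------------------------------------------------------------------------------
1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 |
--------------------------------------------------------------------------------
/Ring0/DriverMgr/stdafx.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"

// Link the Vol.Kernel library that matches the target architecture.
#ifdef _WIN64
#pragma comment(lib, "Vol.Kernel.X64.lib")
#else
#pragma comment(lib, "Vol.Kernel.X86.lib")
#endif
--------------------------------------------------------------------------------
/Ring0/DriverMgr/stdafx.h:
--------------------------------------------------------------------------------
#pragma once

// Force NTDDI_VERSION to the WDK's value whether or not it was set before.
#ifdef NTDDI_VERSION
#undef  NTDDI_VERSION
#define NTDDI_VERSION WDK_NTDDI_VERSION
#else
#define NTDDI_VERSION WDK_NTDDI_VERSION
#endif


// NOTE(review): the header names of the bare #include lines below were lost
// when this listing was extracted.
#include
#include
#include

#include
#include
#include
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Characters.h:
--------------------------------------------------------------------------------
#pragma once
#ifndef Characters_$CEBFBD62_DE6B_4263_98F1_60E07677ADE1
#define Characters_$CEBFBD62_DE6B_4263_98F1_60E07677ADE1 1

namespace ktl
{
    inline namespace characters
    {

        /// Maps 'a'..'z' to 'A'..'Z' and returns every other value unchanged.
        /// Only that basic Latin range is handled; no locale is consulted.
        // The template parameter list was stripped by the extraction and is
        // restored here.
        template <typename _C>
        _C characters_toupper(_C aChar)
        {
            enum
            {
                LetterCaseDifference = _C('a') - _C('A'),
            };

            if ('a' <= aChar && 'z' >= aChar)
            {
                aChar -= LetterCaseDifference;
            }

            return aChar;
        }

        /// Maps 'A'..'Z' to 'a'..'z' and returns every other value unchanged.
        /// Only that basic Latin range is handled; no locale is consulted.
        template <typename _C>
        _C characters_tolower(_C aChar)
        {
            enum
            {
                LetterCaseDifference = _C('a') - _C('A'),
            };

            if ('A' <= aChar && 'Z' >= aChar)
            {
                aChar += LetterCaseDifference;
            }

            return aChar;
        }
    }

}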
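#endif
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Containers.ListNode.h:
--------------------------------------------------------------------------------
#pragma once
#ifndef ListNode_$89124ED5_6C94_4326_A78C_B42E9952D04F
#define ListNode_$89124ED5_6C94_4326_A78C_B42E9952D04F 1

#include "KTL.Type.h"
#include "KTL.Type.AlignedBuffer.h"

namespace ktl
{
    inline namespace containers
    {
        /// STRUCT _List_node_base
        ///
        /// Link part of a doubly linked list node. A freshly constructed node
        /// points at itself in both directions.
        struct _List_node_base
        {
            _List_node_base* m_prev = this;
            _List_node_base* m_next = this;

            static void swap(_List_node_base& aLeft, _List_node_base& aRight) NOEXCEPT$TYPE;
            bool empty() const NOEXCEPT$TYPE;
            void transfer(_List_node_base *const aFirst, _List_node_base *const aLast) NOEXCEPT$TYPE;
            void reverse() NOEXCEPT$TYPE;
            void hook(_List_node_base *const aPosition) NOEXCEPT$TYPE;
            void unhook() NOEXCEPT$TYPE;
        };

        /// List node that carries storage for one _Type value.
        // The template parameter list was stripped by the extraction and is
        // restored here.
        template <typename _Type>
        struct list_node : _List_node_base
        {
            aligned_membuf<_Type> m_storage;

            /// Pointer to the value held in m_storage.
            _Type* get_pointer()
            {
                return m_storage.get_pointer();
            }

            /// Const overload of get_pointer().
            const _Type * get_pointer() const
            {
                return m_storage.get_pointer();
            }
        };

    }

}

#endif
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Memory.MemoryResource.cpp:
--------------------------------------------------------------------------------
#include "KTL.Memory.MemoryResource.h"
#include "KTL.Memory.h"

namespace ktl
{
    inline namespace memory
    {
        /// TEMPLATE CLASS memory_resource

        /// Default allocation hook: forwards to default_allocate().
        void * memory_resource::do_allocate(usize aSize, const usize aAlignment)
        {
            return default_allocate(aSize, aAlignment);
        }

        /// Default deallocation hook: forwards to default_deallocate(); the
        /// size and alignment arguments are ignored.
        void memory_resource::do_deallocate(void *aPtr, usize /*aSize*/, usize /*aAlignment*/)
        {
            return default_deallocate(aPtr);
        }

        /// Default equality hook: every memory_resource compares equal.
        bool memory_resource::do_is_equal(const memory_resource& /*aRight*/) const NOEXCEPT$TYPE
        {
            return true;
        }

        /// Public entry point; dispatches to the virtual do_allocate().
        /// The result is whatever the hook returns and may be nullptr.
        void * memory_resource::allocate(usize aSize, usize aAlignment)
        {
            return do_allocate(aSize, aAlignment);
        }

        /// Public entry point; dispatches to the virtual do_deallocate().
        void memory_resource::deallocate(void *aPtr, usize aSize, usize aAlignment)
        {
            return do_deallocate(aPtr, aSize, aAlignment);
        }

        /// Public entry point; dispatches to the virtual do_is_equal().
        bool memory_resource::is_equal(const memory_resource& aRight) const NOEXCEPT$TYPE
        {
            return do_is_equal(aRight);
        }

        // The two comparison operators were declared and defined `inline`
        // although their bodies exist only in this translation unit, so any
        // other file using them would find no definition. They are now
        // ordinary member functions, and const so that const resources can be
        // compared.

        /// True when both operands are the same object or is_equal() agrees.
        bool memory_resource::operator==(const memory_resource& aRight) const NOEXCEPT$TYPE
        {
            return ((this == &aRight) || (is_equal(aRight)));
        }

        /// Negation of operator==.
        bool memory_resource::operator!=(const memory_resource& aRight) const NOEXCEPT$TYPE
        {
            return !(operator==(aRight));
        }

    }

}
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Memory.MemoryResource.h:
--------------------------------------------------------------------------------
#pragma once
#ifndef MemoryResource_$C507C683_02A6_45DD_9542_257520B06073
#define MemoryResource_$C507C683_02A6_45DD_9542_257520B06073 1

#include "KTL.Memory.AllocatorTraits.h"

namespace ktl
{
    inline namespace memory
    {
        /// TEMPLATE CLASS memory_resource
        ///
        /// Allocation interface with overridable do_* hooks.
        ///
        /// NOTE(review): the class has virtual functions but no virtual
        /// destructor is declared here; deleting a derived resource through a
        /// memory_resource pointer would be undefined behaviour. Confirm that
        /// this never happens or add a virtual destructor.
        class memory_resource
        {
        protected:
            static constexpr usize m_MaxAlign = alignof(max_align_t);

            virtual void *do_allocate(usize aSize, const usize aAlignment);
            virtual void do_deallocate(void *aPtr, usize /*aSize*/, usize /*aAlignment*/);
            virtual bool do_is_equal(const memory_resource& aRight) const NOEXCEPT$TYPE;

        public:

            void *allocate(usize aSize, usize aAlignment = m_MaxAlign);
            void deallocate(void *aPtr, usize aSize, usize aAlignment = m_MaxAlign);
            bool is_equal(const memory_resource& aRight) const NOEXCEPT$TYPE;
            // Defined out of line in KTL.Memory.MemoryResource.cpp, hence not
            // declared inline.
            bool operator==(const memory_resource& aRight) const NOEXCEPT$TYPE;
            bool operator!=(const memory_resource& aRight) const NOEXCEPT$TYPE;
        };

        /// TEMPLATE CLASS polymorphic_allocator

        // ...

    }

}

#endif
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Memory.New.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/KTL/KTL.Memory.New.cpp
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Memory.New.h:
--------------------------------------------------------------------------------
#pragma once

#ifndef New_$910C2682_3929_4387_9BE4_E556DE90DABA
#define New_$910C2682_3929_4387_9BE4_E556DE90DABA 1

#include "KTL.Type.h"

using size_t = ktl::usize;

// Pool tag and pool type used by the allocation functions that do not take
// them as arguments (definitions are not part of this header).
extern const ktl::u32 DefaultPoolTag;
extern POOL_TYPE DefaultPoolType;

// Sets DefaultPoolType from the given runtime flags; the default value is
// annotated as the NX-pool opt-in flag.
void KtlInitializeDefaultPoolTypeWithRuntime(
    ktl::u32 aRuntimeFlags = 0x00000001); // DrvRtPoolNxOptIn

// All operator new overloads below are declared NOEXCEPT$TYPE, so callers are
// expected to test the result for nullptr rather than catch an exception.

// replaceable usual allocation and deallocation functions
void* __cdecl operator new(size_t aSize) NOEXCEPT$TYPE;
void  __cdecl operator delete (void *aPtr) NOEXCEPT$TYPE;

void* __cdecl operator new (size_t aSize, POOL_TYPE aPoolType) NOEXCEPT$TYPE;
void* __cdecl operator new (size_t aSize, POOL_TYPE aPoolType, unsigned long aTag) NOEXCEPT$TYPE;
void  __cdecl operator delete (void *aPtr, unsigned long aTag) NOEXCEPT$TYPE;
//void  __cdecl operator delete (void *aPtr, POOL_TYPE aPoolType, unsigned long aTag) NOEXCEPT$TYPE;

void* __cdecl operator new[](size_t aSize) NOEXCEPT$TYPE;
void  __cdecl operator delete[](void* aPtr) NOEXCEPT$TYPE;

void* __cdecl operator new[](size_t aSize, POOL_TYPE aPoolType) NOEXCEPT$TYPE;
void* __cdecl operator 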
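new[](size_t aSize, POOL_TYPE aPoolType, unsigned long aTag) NOEXCEPT$TYPE;
void  __cdecl operator delete[](void *aPtr, unsigned long aTag) NOEXCEPT$TYPE;
//void  __cdecl operator delete[](void *aPtr, POOL_TYPE aPoolType, unsigned long aTag) NOEXCEPT$TYPE;

// replaceable placement allocation functions
void* __cdecl operator new  (size_t aSize, void* aPtr) NOEXCEPT$TYPE;
void* __cdecl operator new[](size_t aSize, void* aPtr) NOEXCEPT$TYPE;

// T::~T()
// void __cdecl operator delete  (void* aPtr, void*) NOEXCEPT$TYPE;
// void __cdecl operator delete[](void* aPtr, void*) NOEXCEPT$TYPE;

// sized class - specific deallocation functions
void  __cdecl operator delete  (void* aPtr, size_t aSize) NOEXCEPT$TYPE;
void  __cdecl operator delete[](void* aPtr, size_t aSize) NOEXCEPT$TYPE;


#endif
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Memory.cpp:
--------------------------------------------------------------------------------
#include "KTL.Memory.h"
#include "KTL.Type.Uitility.h"
#include "KTL.Algorithm.h"

// NOTE(review): the header name of the bare #include line below was lost when
// this listing was extracted.
#include

namespace ktl
{
    inline namespace memory
    {
        /// FUNCTION default_allocate & default_deallocate

        /// Allocates a byte array whose length is aSize rounded up by
        /// aligned_size().
        ///
        /// Only the length is rounded; the address alignment is whatever
        /// operator new[] provides.
        ///
        /// @return the new buffer, or nullptr when the rounded size wrapped
        ///         around or the allocation failed.
        void *default_allocate(usize aSize, const usize aAlignment)
        {
            const usize vNewSize = aligned_size(aSize, aAlignment);

            // aligned_size() works in unsigned arithmetic, so a request close
            // to the usize maximum rounds "up" to a smaller value. Refuse it
            // instead of handing back a buffer shorter than the caller asked
            // for.
            if (vNewSize < aSize)
            {
                return nullptr;
            }

            return static_cast<void*>(new byte[vNewSize]);
        }

        /// Releases a buffer obtained from default_allocate().
        void default_deallocate(void *aPtr)
        {
            delete[] static_cast<byte*>(aPtr);
        }

        /// Fills aDestBufferBytesCount bytes at aDestBuffer with aValue.
        /// A null buffer or a zero count leaves memory untouched.
        ///
        /// @return aDestBuffer, unchanged.
        void * memory_set(void * aDestBuffer, usize aDestBufferBytesCount, byte aValue)
        {
            if (nullptr == aDestBuffer
                || 0 == aDestBufferBytesCount)
            {
                return aDestBuffer;
            }

            __stosb(static_cast<ktl::byte*>(aDestBuffer), aValue, aDestBufferBytesCount);
            return aDestBuffer;
        }

        /// Zero-fills aBufferBytesCont bytes at aBuffer via memory_set().
        void * memory_zero(void * aBuffer, usize aBufferBytesCont)
        {
            return memory_set(aBuffer, aBufferBytesCont, 0);
        }

        /// Copies min(destination size, source size) bytes from aSrcBuffer to
        /// aDestBuffer.
        ///
        /// The copy is silently truncated to the smaller of the two sizes, so
        /// callers that need the whole source must compare the return value
        /// with aSrcBufferBytesCount. Nothing is copied when either pointer is
        /// null, either size is zero, or both pointers are equal.
        ///
        /// NOTE(review): partially overlapping ranges are not detected; the
        /// copy is a plain __movsb. Confirm no caller relies on memmove
        /// behaviour.
        ///
        /// @return the number of bytes copied.
        usize memory_copy(
            void * aDestBuffer, usize aDestBufferBytesCount,
            void * aSrcBuffer, usize aSrcBufferBytesCount)
        {
            if (nullptr == aDestBuffer
                || nullptr == aSrcBuffer
                || 0 == aDestBufferBytesCount
                || 0 == aSrcBufferBytesCount
                || aDestBuffer == aSrcBuffer)
            {
                return 0;
            }

            const usize vCopyBytesCount = min(aDestBufferBytesCount, aSrcBufferBytesCount);

            __movsb(static_cast<ktl::byte*>(aDestBuffer),
                static_cast<const ktl::byte*>(aSrcBuffer), vCopyBytesCount);
            return vCopyBytesCount;
        }
    }

}
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Memory.h:
--------------------------------------------------------------------------------
#pragma once
#ifndef Memory_$3C7D1B09_9AF6_4390_B588_420D096AE364
#define Memory_$3C7D1B09_9AF6_4390_B588_420D096AE364 1

#include "KTL.Type.h"

namespace ktl
{
    inline namespace memory
    {
        /// FUNCTION default_allocate & default_deallocate

        // May return nullptr; callers must check the result.
        void *default_allocate(usize aSize, const usize aAlignment = alignof(usize));
        void default_deallocate(void *aPtr);

        /// FUNCTION Uitility

        void* memory_set(void* aDestBuffer, usize aDestBufferBytesCount, byte aValue);
        void * memory_zero(void * aBuffer, usize aBufferBytesCont);

        // Returns the number of bytes actually copied, which is the smaller of
        // the two sizes.
        usize memory_copy(
            void* aDestBuffer, usize aDestBufferBytesCount,
            void* aSrcBuffer, usize aSrcBufferBytesCount);
    }

}

#endif
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Multithreading.LockHelper.h:
--------------------------------------------------------------------------------
#pragma once


namespace ktl
{
    inline namespace multithreading
    {
        // The template parameter list was stripped by the extraction and is
        // restored here.
        template <typename _Lock>
        class lock_guard
        {
        public:
#pragma prefast(push)
#pragma prefast(disable:28167, "Automatically upgrade 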
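and restore IRQL.")
            explicit lock_guard(_Lock& aLock)
                : m_Lock(aLock)
            {
                m_Lock.lock();
            }

            ~lock_guard()
            {
                m_Lock.unlock();
            }
#pragma prefast(pop)

            lock_guard(const lock_guard&) = delete;
            lock_guard& operator=(const lock_guard&) = delete;

        protected:
            _Lock& m_Lock;
        };

        /// Scope guard for the shared side of a lock: lock_shared() in the
        /// constructor, unlock_shared() in the destructor. Not copyable.
        // The template parameter list was stripped by the extraction and is
        // restored here.
        template <typename _Lock>
        class shared_lock_guard
        {
        public:
            explicit shared_lock_guard(_Lock& aLock)
                : m_Lock(aLock)
            {
                m_Lock.lock_shared();
            }

            ~shared_lock_guard()
            {
                m_Lock.unlock_shared();
            }

            shared_lock_guard(const shared_lock_guard&) = delete;
            shared_lock_guard& operator=(const shared_lock_guard&) = delete;

        protected:
            _Lock& m_Lock;
        };

    }
}
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Multithreading.NullLock.h:
--------------------------------------------------------------------------------
#pragma once

namespace ktl
{
    inline namespace multithreading
    {
        /// Lock stand-in whose operations always succeed and protect nothing.
        class null_lock
        {
        // The members had the class default (private) access, which made the
        // type impossible to construct, destroy or use with lock_guard.
        public:
            bool try_lock() { return true; }
            bool lock() { return true; }
            bool unlock() { return true; }

            ~null_lock() { unlock(); }
        };
    }
}
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Multithreading.Singleton.h:
--------------------------------------------------------------------------------
#pragma once
#include "KTL.Memory.New.h"
#include "KTL.Multithreading.SpinLock.h"

namespace ktl
{
    inline namespace multithreading
    {
        //
        // Singleton with lock
        //

        /// Lazily created single instance of _Type, guarded by a spin lock.
        ///
        /// NOTE(review): s_Lock is declared below but no definition of it
        /// appears in this header, unlike s_Instance; confirm it is defined.
        // The template parameter list was stripped by the extraction and is
        // restored here.
        template <typename _Type>
        class singleton
        {
        public:
            /// Returns the instance, creating it on first use.
            ///
            /// @return the instance, or nullptr when the lock could not be
            ///         taken or the allocation returned nullptr.
            ///
            /// NOTE(review): the first check reads s_Instance outside the
            /// lock with a plain load, so nothing here orders that read
            /// against the construction done under the lock. _Type is also
            /// constructed while the spin lock is held; confirm that is
            /// acceptable for every _Type used.
            static _Type* get_instance()
            {
                if (s_Instance) return s_Instance;

                if (false == s_Lock.lock())
                {
                    return nullptr;
                }

                // Re-check under the lock: another caller may have created
                // the instance in the meantime.
                if (s_Instance)
                {
                    s_Lock.unlock();
                    return s_Instance;
                }

                s_Instance = new _Type{};
                s_Lock.unlock();
                return s_Instance;
            }

            /// Deletes the instance and clears the pointer.
            ///
            /// NOTE(review): s_Lock is not taken here, so a concurrent
            /// get_instance() can hand out a pointer that is being deleted.
            /// Call only when no other user can be running.
            static void destroy_instance()
            {
                delete s_Instance;
                s_Instance = nullptr;
            }

        protected:
            static spin_lock s_Lock;
            static _Type* s_Instance;
        };

        template <typename _Type>
        __declspec(selectany) _Type* singleton<_Type>::s_Instance = nullptr;

        //
        // Singleton without lock
        //

        /// Same interface as singleton but with no synchronisation at all:
        /// two first callers racing in get_instance() can each allocate an
        /// instance. Use only where calls cannot overlap.
        template <typename _Type>
        class singleton_without_lock
        {
        public:
            /// Returns the instance, creating it on first use; the result is
            /// nullptr when the allocation returned nullptr.
            static _Type* get_instance()
            {
                if (s_Instance) return s_Instance;

                s_Instance = new _Type{};
                return s_Instance;
            }

            /// Deletes the instance and clears the pointer.
            static void destroy_instance()
            {
                delete s_Instance;
                s_Instance = nullptr;
            }

        protected:
            static _Type* s_Instance;
        };

        template <typename _Type>
        __declspec(selectany) _Type* singleton_without_lock<_Type>::s_Instance = nullptr;

    }
}
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Multithreading.SpinLockShimsApi.h:
--------------------------------------------------------------------------------
#pragma once
// NOTE(review): the header name of the bare #include line below was lost when
// this listing was extracted.
#include

namespace ktl
{
    inline namespace multithreading
    {
        // Declarations only. Each acquire function returns a KIRQL that the
        // matching release function takes back as aIrql.
        namespace ShimsApi
        {
            KIRQL __stdcall ExAcquireSpinLockExclusiveShims(PEX_SPIN_LOCK aExSpinLock);

            void __stdcall ExReleaseSpinLockExclusiveShims(PEX_SPIN_LOCK aExSpinLock, KIRQL aIrql);

            KIRQL __stdcall ExAcquireSpinLockSharedShims(PEX_SPIN_LOCK aExSpinLock);

            void __stdcall ExReleaseSpinLockSharedShims(PEX_SPIN_LOCK aExSpinLock, KIRQL aIrql);

            unsigned long __stdcall ExTryConvertSharedSpinLockExclusiveShims(PEX_SPIN_LOCK aExSpinLock);
        }
    }
}
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Random.h:
--------------------------------------------------------------------------------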
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/KTL/KTL.Random.h
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.Type.Uitility.cpp:
--------------------------------------------------------------------------------
#include "KTL.Type.Uitility.h"

namespace ktl
{
    inline namespace uitility
    {
        /// Rounds aSize up to the next multiple of the alignment.
        ///
        /// aAlignment is used only when it is a non-zero power of two; any
        /// other value falls back to alignof(max_align_t).
        ///
        /// The arithmetic is unsigned and wraps: aSize == 0 yields 0, and an
        /// aSize above the largest multiple of the alignment that fits in
        /// usize also yields 0. Callers that allocate the result should
        /// therefore check that it is not smaller than aSize.
        usize aligned_size(usize aSize, usize aAlignment)
        {
            const bool vIsPowerOfTwo =
                (aAlignment != 0) && !(aAlignment & (aAlignment - 1));

            usize vAlignment = alignof(max_align_t);
            if (vIsPowerOfTwo)
            {
                vAlignment = aAlignment;
            }

            // Setting the low bits of (aSize - 1) and adding one lands on the
            // next multiple of the alignment.
            const usize vLowBits = vAlignment - 1;
            return ((aSize - 1) | vLowBits) + 1;
        }
    }

}
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.UUID.h:
--------------------------------------------------------------------------------
#pragma once
#include "KTL.Random.h"
// NOTE(review): the header name of the bare #include line below was lost when
// this listing was extracted.
#include

namespace ktl
{
    namespace UUID
    {
        /// UUID version numbers, counting up from TimeBased = 1.
        enum UUIDVersion : ktl::u8
        {
            TimeBased = 0x1,
            DecUid,
            NameBased,
            Random,
            NameBasedSha1
        };

        /// 128-bit identifier with the same size as ::GUID (enforced by the
        /// static_assert after the struct).
        ///
        /// NOTE(review): the copy and move constructors are declared
        /// explicit, which rules out copy-initialisation and passing or
        /// returning UUID by value; confirm that is intended.
        struct UUID
        {
            ktl::u32 m_Data1    = 0;
            ktl::u16 m_Data2    = 0;
            ktl::u16 m_Data3    = 0;
            ktl::u8  m_Data4[8] = { 0 };


            UUID() = default;

            explicit UUID(const UUID& aOther);
            explicit UUID(const ::GUID& aOther);

            explicit UUID(UUID&& aOther);
            explicit UUID(::GUID&& aOther);

            UUID& operator=(const UUID& aOther);
            UUID& operator=(const ::GUID& aOther);

            UUID& operator=(UUID&& aOther);
            UUID& operator=(::GUID&& aOther);

            bool operator==(const UUID& aOther) const;
            bool operator==(const ::GUID& aOther) const;

            bool is_nil() const;
            UUIDVersion get_version() const;
        };

        static_assert(sizeof(UUID) == sizeof(::GUID)
            && sizeof(UUID) == sizeof(ktl::u64) * 2,
            "ktl::UUID != ::GUID !!!!");

        // Both generators draw from a caller-supplied mt19937_64 engine. A
        // Mersenne Twister is not a cryptographic generator, so identifiers
        // produced this way should not be treated as unguessable values.
        // NOTE(review): the implementation is not visible here; confirm the
        // engine is the only entropy source.
        void CreateUUID(UUID* aUUID, random::mt19937_64& aRandomEngine);
        void CreateGUID(::GUID* aGUID, random::mt19937_64& aRandomEngine);
    }
}
--------------------------------------------------------------------------------
/Ring0/KTL/KTL.h:
--------------------------------------------------------------------------------
#pragma once

// Umbrella header: pulls in the KTL components listed below.
#include "KTL.Type.h"
#include "KTL.Memory.New.h"
#include "KTL.Type.TypeTraits.h"
#include "KTL.Type.Uitility.h"
#include "KTL.Type.PointerTraits.h"
#include "KTL.Functional.h"
#include "KTL.Containers.Tuple.h"
#include "KTL.Functional.Bind.h"
#include "KTL.Functional.Function.h"
#include "KTL.Memory.h"
#include "KTL.Memory.SharedPtr.h"
#include "KTL.Memory.WeakPtr.h"
#include "KTL.Memory.Allocator.h"
#include "KTL.Memory.MemoryResource.h"
#include "KTL.Containers.List.h"
#include "KTL.Algorithm.h"
#include "KTL.Strings.h"
//#include "KTL.Strings.String.h"
--------------------------------------------------------------------------------
/Ring0/MiniFlt.Owl.Kernel/MiniFlt.Owl.Kernel.vcxproj.filters:
--------------------------------------------------------------------------------
1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 |
--------------------------------------------------------------------------------
/Ring0/MiniFlt.Owl.Kernel/stdafx.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
--------------------------------------------------------------------------------
/Ring0/MiniFlt.Owl.Kernel/stdafx.h:
--------------------------------------------------------------------------------
#pragma once

// Force NTDDI_VERSION to the WDK's value whether or not it was set before.
#ifdef NTDDI_VERSION
#undef  NTDDI_VERSION
#define NTDDI_VERSION WDK_NTDDI_VERSION
#else
#define NTDDI_VERSION WDK_NTDDI_VERSION
#endif

// NOTE(review): the header names of the bare #include lines below were lost
// when this listing was extracted.
#include

#include
#include
#include

--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.FileContext.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/MiniFlt/MiniFlt.Callback.FileContext.cpp
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.Name.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
#include "MiniFlt.Callback.Name.h"

namespace MBox
{
    namespace MiniFlt
    {
        // All four callbacks in this file are stubs: every parameter is
        // unnamed and unused, and no output argument is written.
        // NOTE(review): the three NTSTATUS callbacks report STATUS_SUCCESS
        // without producing a name. Whether they are registered with the
        // filter manager is not visible here; if they are, confirm that
        // reporting success with untouched outputs is intended.

        /// Stub: ignores its arguments and returns STATUS_SUCCESS.
        NTSTATUS __stdcall GenerateFileNameCallback(
            PFLT_INSTANCE           /*Instance*/,
            PFILE_OBJECT            /*FileObject*/,
            PFLT_CALLBACK_DATA      /*CallbackData*/,
            FLT_FILE_NAME_OPTIONS   /*NameOptions*/,
            PBOOLEAN                /*CacheFileNameInformation*/,
            PFLT_NAME_CONTROL       /*FileName*/)
        {
            return STATUS_SUCCESS;
        }

        /// Stub: ignores its arguments and returns STATUS_SUCCESS.
        NTSTATUS __stdcall NormalizeNameComponentCallback(
            PFLT_INSTANCE            /*Instance*/,
            PCUNICODE_STRING         /*ParentDirectory*/,
            USHORT                   /*VolumeNameLength*/,
            PCUNICODE_STRING         /*Component*/,
            PFILE_NAMES_INFORMATION  /*ExpandComponentName*/,
            ULONG                    /*ExpandComponentNameLength*/,
            FLT_NORMALIZE_NAME_FLAGS /*Flags*/,
            PVOID*                   /*NormalizationContext*/)
        {
            return STATUS_SUCCESS;
        }

        /// Stub: ignores its arguments and returns STATUS_SUCCESS.
        NTSTATUS __stdcall NormalizeNameComponentCallbackEx(
            PFLT_INSTANCE            /*Instance*/,
            PFILE_OBJECT             /*FileObject*/,
            PCUNICODE_STRING         /*ParentDirectory*/,
            USHORT                   /*VolumeNameLength*/,
            PCUNICODE_STRING         /*Component*/,
            PFILE_NAMES_INFORMATION  /*ExpandComponentName*/,
            ULONG                    /*ExpandComponentNameLength*/,
            FLT_NORMALIZE_NAME_FLAGS /*Flags*/,
            PVOID*                   /*NormalizationContext*/)
        {
            return STATUS_SUCCESS;
        }

        /// Stub: nothing is released because the callbacks above never create
        /// a normalization context.
        void __stdcall NormalizeNameComponentContextCleanupCallback(
            PVOID * /*NormalizationContext*/)
        {

        }
    }
}
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.Name.h:
--------------------------------------------------------------------------------
#pragma once

namespace MBox
{
    namespace MiniFlt
    {
        // Declarations of the name-provider callbacks defined in
        // MiniFlt.Callback.Name.cpp.

        NTSTATUS __stdcall GenerateFileNameCallback(
            PFLT_INSTANCE Instance,
            PFILE_OBJECT FileObject,
            PFLT_CALLBACK_DATA CallbackData,
            FLT_FILE_NAME_OPTIONS NameOptions,
            PBOOLEAN CacheFileNameInformation,
            PFLT_NAME_CONTROL FileName);

        NTSTATUS __stdcall NormalizeNameComponentCallback(
            PFLT_INSTANCE Instance,
            PCUNICODE_STRING ParentDirectory,
            USHORT VolumeNameLength,
            PCUNICODE_STRING Component,
            PFILE_NAMES_INFORMATION ExpandComponentName,
            ULONG ExpandComponentNameLength,
            FLT_NORMALIZE_NAME_FLAGS Flags,
            PVOID *NormalizationContext);

        NTSTATUS __stdcall NormalizeNameComponentCallbackEx(
            PFLT_INSTANCE Instance,
            PFILE_OBJECT FileObject,
            PCUNICODE_STRING ParentDirectory,
            USHORT VolumeNameLength,
            PCUNICODE_STRING Component,
            PFILE_NAMES_INFORMATION ExpandComponentName,
            ULONG ExpandComponentNameLength,
            FLT_NORMALIZE_NAME_FLAGS Flags,
            PVOID *NormalizationContext);

        void __stdcall NormalizeNameComponentContextCleanupCallback(
            PVOID *NormalizationContext);
    }
}
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.Operation.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/MiniFlt/MiniFlt.Callback.Operation.cpp
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.Operation.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/MiniFlt/MiniFlt.Callback.Operation.h
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.Packet.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
#include "MiniFlt.Callback.Packet.h"

namespace MBox
{
    namespace MiniFlt
    {
        /// Returns the address of the single CallbackPacketManager instance,
        /// which lives in a function-local static.
        ///
        /// NOTE(review): thread-safe initialisation of function-local statics
        /// is normally not available to kernel-mode builds; confirm the first
        /// call is made from a single thread.
        CallbackPacketManager * GetCallbackPacketManager()
        {
            static CallbackPacketManager sCallbackPacketManager;
            return &sCallbackPacketManager;
        }

        /// Allocates the callback-packet list unless it already exists.
        ///
        /// @return STATUS_INSUFFICIENT_RESOURCES when the allocation yields
        ///         nullptr, STATUS_SUCCESS otherwise.
        NTSTATUS CallbackPacketManager::Initialize()
        {
            if (!s_CallbackPacketList)
            {
                s_CallbackPacketList = new CallbackPacketList$Type;
                if (nullptr == s_CallbackPacketList)
                {
                    return STATUS_INSUFFICIENT_RESOURCES;
                }
            }

            return STATUS_SUCCESS;
        }

        /// Empties and frees the callback-packet list when there is one, then
        /// clears the pointer so Initialize() can run again.
        void CallbackPacketManager::Uninitialize()
        {
            if (s_CallbackPacketList)
            {
                s_CallbackPacketList->clear();
                delete s_CallbackPacketList;
                s_CallbackPacketList = nullptr;
            }
        }

        /// Returns the list pointer as-is; it is nullptr before Initialize()
        /// and after Uninitialize(), so callers must check it.
        CallbackPacketManager::CallbackPacketList$Type* CallbackPacketManager::GetCallbackPacketList()
        {
            return s_CallbackPacketList;
        }

    }
}
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.SectionContext.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
#include "MiniFlt.Callback.SectionContext.h"

namespace MBox
{
    namespace MiniFlt
    {
        /// Stub: ignores its arguments and returns STATUS_SUCCESS.
        NTSTATUS __stdcall SectionNotificationCallback(
            PFLT_INSTANCE      /*Instance*/,
            PFLT_CONTEXT       /*SectionContext*/,
            PFLT_CALLBACK_DATA /*Data*/)
        {
            return STATUS_SUCCESS;
        }
    }
}
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.SectionContext.h:
--------------------------------------------------------------------------------
#pragma once

namespace MBox
{
    namespace MiniFlt
    {
        // Defined in MiniFlt.Callback.SectionContext.cpp.
        NTSTATUS __stdcall SectionNotificationCallback(
            PFLT_INSTANCE Instance,
            PFLT_CONTEXT SectionContext,
            PFLT_CALLBACK_DATA Data);
    }
}
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.StreamContext.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/MiniFlt/MiniFlt.Callback.StreamContext.cpp
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.StreamHandleContext.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/MiniFlt/MiniFlt.Callback.StreamHandleContext.cpp
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Callback.TransactionContext.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/MiniFlt/MiniFlt.Callback.TransactionContext.cpp
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Helper.h:
--------------------------------------------------------------------------------
#pragma once
// NOTE(review): the header name of the bare #include line below was lost when
// this listing was extracted.
#include


namespace MBox
{
    namespace MiniFlt
    {
        namespace Helper
        {
            /// Splits the packed create-options value of a create request.
            ///
            /// The high 8 bits correspond to the `CreateDisposition` parameter
            /// of ZwCreateFile and the low 24 bits to its `CreateOptions`
            /// parameter.
            ///
            /// @param aOptions        packed value to split.
            /// @param aAccessMask     optional; receives the high 8 bits,
            ///                        shifted down. Despite its name this is
            ///                        the disposition value described above,
            ///                        not an access mask.
            /// @param aCreateOptions  optional; receives the low 24 bits.
            __forceinline void ParseIRPCreateOptions(
                UINT32 aOptions,
                UINT32* aAccessMask,
                UINT32* aCreateOptions)
            {
                if (nullptr != aAccessMask)
                {
                    *aAccessMask = (aOptions & 0xFF000000ui32) >> 24;
                }

                if (nullptr != aCreateOptions)
                {
                    *aCreateOptions = (aOptions & 0x00FFFFFFui32);
                }
            }

            // The Reference*/Deference* pairs below are declarations only.
            // presumably each Reference* result must be handed back to the
            // matching Deference* function; verify against the implementation.

            NTSTATUS QueryDeviceBusType(
                PCFLT_RELATED_OBJECTS aFltObject,
                STORAGE_BUS_TYPE* aBusType,
                BOOLEAN* aRemovableMedia);

            NTSTATUS ReferenceVolumeDosName(
                PCFLT_RELATED_OBJECTS aFltObject,
                PUNICODE_STRING aDosName);

            void DeferenceVolumeDosName(
                PUNICODE_STRING aDosName);

            NTSTATUS ReferenceFileNtName(
                PCFLT_RELATED_OBJECTS aFltObject,
                PFLT_CALLBACK_DATA aFltData,
                PUNICODE_STRING* aNtName,
                FLT_FILE_NAME_OPTIONS aOptions = FLT_FILE_NAME_NORMALIZED,
                POOL_TYPE aPoolType = DefaultPoolType,
                UINT32 aTag = DefaultPoolTag);

            void DeferenceFileNtName(PUNICODE_STRING aNtName);

            NTSTATUS ReferenceFileDosName(
                PCFLT_RELATED_OBJECTS aFltObject,
                PFLT_CALLBACK_DATA aFltData,
                PUNICODE_STRING* aDosName,
                FLT_FILE_NAME_OPTIONS aOptions = FLT_FILE_NAME_NORMALIZED,
                POOL_TYPE aPoolType = DefaultPoolType,
                UINT32 aTag = DefaultPoolTag);

            void DeferenceFileDosName(PUNICODE_STRING aDosName);

        }
    }
}
--------------------------------------------------------------------------------
/Ring0/MiniFlt/MiniFlt.Macro.h:
-------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define MiniFlt$Function$TraverseCallbackPacketMemberName$Macro(aFunctionName) \ 4 | Traverse ## aFunctionName ## Callback 5 | 6 | #define MiniFlt$Function$DeclareTraverseCallbackPacketMember$Macro(aFunctionName) \ 7 | template \ 8 | void MiniFlt$Function$TraverseCallbackPacketMemberName$Macro(aFunctionName)(F aFunctor); 9 | 10 | #define MiniFlt$Function$TraverseCallbackPacketMember$Macro(aFunctionName, aMember) \ 11 | template \ 12 | void MiniFlt$Function$TraverseCallbackPacketMemberName$Macro(aFunctionName)(F aFunctor) \ 13 | { \ 14 | auto vCallback = [&aFunctor](ktl::shared_ptr aCallbackPacket, UINT32 aIndex) -> BOOLEAN \ 15 | { \ 16 | if (aCallbackPacket->aMember) \ 17 | { \ 18 | return aFunctor(aCallbackPacket->aMember, aIndex); \ 19 | } \ 20 | return FALSE; \ 21 | }; \ 22 | GetCallbackPacketManager()->TraverseCallbackPacket(vCallback); \ 23 | } 24 | -------------------------------------------------------------------------------- /Ring0/MiniFlt/MiniFlt.Registration.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/MiniFlt/MiniFlt.Registration.cpp -------------------------------------------------------------------------------- /Ring0/MiniFlt/MiniFlt.Registration.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace MiniFlt 6 | { 7 | const PFLT_REGISTRATION GetFilterRegistration( 8 | SystemVersion aVersion, 9 | FLT_CONTEXT_TYPE aContextSupportedType, 10 | FLT_REGISTRATION_FLAGS aFltRegistrationFlags, 11 | PFLT_FILTER_UNLOAD_CALLBACK aUnload); 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /Ring0/MiniFlt/MiniFlt.h: 
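--------------------------------------------------------------------------------
#pragma once
#include  // (include target is not shown on this page)
#include "MiniFlt.Callback.Packet.h"

namespace MBox
{
    namespace MiniFlt
    {
        // Signature of the pre-/post-unload hooks handed to Initialize().
        using fun$FltUnload = NTSTATUS(*)(FLT_FILTER_UNLOAD_FLAGS aFlags, void* aParameter);

        // Sets up the mini-filter wrapper. The two hook/parameter pairs are
        // presumably invoked around filter unload -- confirm in MiniFlt.cpp.
        NTSTATUS Initialize(
            DRIVER_OBJECT* aDriverObject,
            UNICODE_STRING* /*aRegistryPath*/,
            fun$FltUnload aPreUnload,
            void* aPreUnloadParameter,
            fun$FltUnload aPostUnload,
            void* aPostUnloadParameter);

        NTSTATUS Uninitialize();

        NTSTATUS RegisterFilter(
            SystemVersion aMinimumVersion,
            FLT_CONTEXT_TYPE aContextSupportedType,
            FLT_REGISTRATION_FLAGS aFltRegistrationFlags);
        NTSTATUS UnregisterFilter();

        NTSTATUS StartFilter();
        NTSTATUS StopFilter();
        BOOLEAN IsStartedFilter();

        PFLT_FILTER GetFilterHandle();

        /// @brief Registers a callback packet with the callback-packet manager.
        /// @param aCallbackPacket Packet to register.
        /// @param aDeletor        Functor forwarded to the manager together with the
        ///                        packet (presumably used to release it -- confirm).
        /// @return Whatever the manager's RegisterCallbackPacket returns.
        template <typename F>
        NTSTATUS RegisterCallbackPacket(
            CallbackPacket* aCallbackPacket,
            F aDeletor)
        {
            return GetCallbackPacketManager()->RegisterCallbackPacket(
                aCallbackPacket, aDeletor);
        }
    }
}
--------------------------------------------------------------------------------
/Ring0/MiniFlt/stdafx.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"

// Link the ShimsApi import library that matches the target architecture.
// The 32-bit branch previously named the X64 library as well; every other
// project in this listing pairs X64/X86.
#ifdef _WIN64
#pragma comment(lib, "ShimsApi.X64.lib")
#else
#pragma comment(lib, "ShimsApi.X86.lib")
#endif
--------------------------------------------------------------------------------
/Ring0/MiniFlt/stdafx.h:
--------------------------------------------------------------------------------
#pragma once

// Force NTDDI_VERSION to the WDK's own version regardless of prior definition.
#ifdef NTDDI_VERSION
#undef NTDDI_VERSION
#define NTDDI_VERSION WDK_NTDDI_VERSION
#else
#define NTDDI_VERSION WDK_NTDDI_VERSION
#endif

// (the four include targets below are not shown on this page)
#include

#include
#include
#include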
-------------------------------------------------------------------------------- /Ring0/NdisFlt/NdisFlt.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /Ring0/NdisFlt/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | #ifdef _WIN64 4 | #pragma comment(lib, "ShimsApi.X64.lib") 5 | #else 6 | #pragma comment(lib, "ShimsApi.X86.lib") 7 | #endif 8 | -------------------------------------------------------------------------------- /Ring0/NdisFlt/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef NTDDI_VERSION 4 | #undef NTDDI_VERSION 5 | #define NTDDI_VERSION WDK_NTDDI_VERSION 6 | #else 7 | #define NTDDI_VERSION WDK_NTDDI_VERSION 8 | #endif 9 | 10 | #include 11 | 12 | #include 13 | #include 14 | #include 15 | -------------------------------------------------------------------------------- /Ring0/Owl.Kernel/Owl.Kernel.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 
{e49d26b7-5e55-4591-a33d-bce450049b61} 18 | 19 | 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Include 37 | 38 | 39 | -------------------------------------------------------------------------------- /Ring0/Owl.Kernel/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | #ifdef _WIN64 4 | #pragma comment(lib, "DriverMgr.X64.lib") 5 | #else 6 | #pragma comment(lib, "DriverMgr.X86.lib") 7 | #endif 8 | -------------------------------------------------------------------------------- /Ring0/Owl.Kernel/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef NTDDI_VERSION 4 | #undef NTDDI_VERSION 5 | #define NTDDI_VERSION WDK_NTDDI_VERSION 6 | #else 7 | #define NTDDI_VERSION WDK_NTDDI_VERSION 8 | #endif 9 | 10 | 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | -------------------------------------------------------------------------------- /Ring0/RegisterFlt/RegisterFlt.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/RegisterFlt/RegisterFlt.cpp -------------------------------------------------------------------------------- /Ring0/RegisterFlt/RegisterFlt.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | 
Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /Ring0/RegisterFlt/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /Ring0/RegisterFlt/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef NTDDI_VERSION 4 | #undef NTDDI_VERSION 5 | #define NTDDI_VERSION WDK_NTDDI_VERSION 6 | #else 7 | #define NTDDI_VERSION WDK_NTDDI_VERSION 8 | #endif 9 | 10 | #include 11 | 12 | #include 13 | #include 14 | #include 15 | -------------------------------------------------------------------------------- /Ring0/ShimsApi/ShimsApi.MiniFilter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace ShimsApi 6 | { 7 | namespace MiniFilter 8 | { 9 | // 10 | // File Context 11 | // 12 | 13 | BOOLEAN __stdcall FltSupportsFileContextsShims(PFILE_OBJECT aFileObject); 14 | 15 | NTSTATUS __stdcall FltSetFileContextShims( 16 | PFLT_INSTANCE aInstance, 17 | PFILE_OBJECT aFileObject, 18 | FLT_SET_CONTEXT_OPERATION aOperation, 19 | PFLT_CONTEXT aNewContext, 20 | PFLT_CONTEXT *aOldContext); 21 | 22 | NTSTATUS __stdcall FltGetFileContextShims( 23 | PFLT_INSTANCE aInstance, 24 | PFILE_OBJECT aFileObject, 25 | PFLT_CONTEXT *aContext); 26 | 27 | // 28 | // Transaction Context 29 | // 30 | 31 | NTSTATUS __stdcall FltSetTransactionContextShims( 32 | PFLT_INSTANCE aInstance, 33 | PKTRANSACTION aTransaction, 34 | FLT_SET_CONTEXT_OPERATION aOperation, 35 | PFLT_CONTEXT aNewContext, 36 | PFLT_CONTEXT *aOldContext); 37 | 38 | NTSTATUS __stdcall FltEnlistInTransactionShims( 39 | PFLT_INSTANCE aInstance, 40 | PKTRANSACTION aTransaction, 41 | PFLT_CONTEXT aTransactionContext, 42 | NOTIFICATION_MASK aNotificationMask); 43 | 44 
| NTSTATUS __stdcall FltGetTransactionContextShims( 45 | PFLT_INSTANCE aInstance, 46 | PKTRANSACTION aTransaction, 47 | PFLT_CONTEXT *aContext); 48 | 49 | } 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /Ring0/ShimsApi/ShimsApi.Ndis.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "ShimsApi.Ndis.h" 3 | 4 | -------------------------------------------------------------------------------- /Ring0/ShimsApi/ShimsApi.Ndis.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | -------------------------------------------------------------------------------- /Ring0/ShimsApi/ShimsApi.WFP.Engine.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "ShimsApi.WFP.Engine.h" 8 | 9 | 10 | namespace MBox 11 | { 12 | namespace ShimsApi 13 | { 14 | namespace WFP 15 | { 16 | // 17 | // Engine Manager 18 | // 19 | 20 | ShimsApi$CompileTime$DefineApi$5$Macro( 21 | STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress, 22 | FwpmEngineOpen0, NTSTATUS, __stdcall, 23 | const wchar_t*, aServerName, 24 | UINT32, aAuthnService, 25 | SEC_WINNT_AUTH_IDENTITY_W*, aAuthIdentity, 26 | const FWPM_SESSION0*, aSession, 27 | HANDLE*, aEngineHandle) 28 | 29 | ShimsApi$CompileTime$DefineApi$1$Macro( 30 | STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress, 31 | FwpmEngineClose0, NTSTATUS, __stdcall, 32 | HANDLE, aEngineHandle); 33 | 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /Ring0/ShimsApi/ShimsApi.WFP.Engine.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ShimsApi.WFP.h" 3 | 4 | 5 | namespace MBox 6 | { 7 | namespace ShimsApi 8 | { 9 | namespace WFP 10 | { 11 | // 12 | // Engine 
Manager 13 | // 14 | 15 | ShimsApi$CompileTime$DeclareApi$5$Macro( 16 | FwpmEngineOpen0, NTSTATUS, __stdcall, 17 | const wchar_t*, aServerName, 18 | UINT32, aAuthnService, 19 | SEC_WINNT_AUTH_IDENTITY_W*, aAuthIdentity, 20 | const FWPM_SESSION0*, aSession, 21 | HANDLE*, aEngineHandle); 22 | 23 | ShimsApi$CompileTime$DeclareApi$1$Macro( 24 | FwpmEngineClose0, NTSTATUS, __stdcall, 25 | HANDLE, aEngineHandle); 26 | 27 | } 28 | } 29 | } 30 | 31 | -------------------------------------------------------------------------------- /Ring0/ShimsApi/ShimsApi.WFP.EngineState.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "ShimsApi.WFP.EngineState.h" 8 | 9 | 10 | namespace MBox 11 | { 12 | namespace ShimsApi 13 | { 14 | namespace WFP 15 | { 16 | // 17 | // Engine State Manager 18 | // 19 | 20 | ShimsApi$CompileTime$DefineApi$4$Macro( 21 | STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress, 22 | FwpmBfeStateSubscribeChanges0, NTSTATUS, __stdcall, 23 | void*, aDeviceObject, 24 | FWPM_SERVICE_STATE_CHANGE_CALLBACK0, aCallback, 25 | void*, aContext, 26 | HANDLE*, aChangeHandle) 27 | 28 | ShimsApi$CompileTime$DefineApi$1$Macro( 29 | STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress, 30 | FwpmBfeStateUnsubscribeChanges0, NTSTATUS, __stdcall, 31 | HANDLE, aChangeHandle) 32 | 33 | ShimsApi$CompileTime$DefineApi$0$Macro( 34 | FWPM_SERVICE_STOPPED, GetFwpIpsecRoutineAddress, 35 | FwpmBfeStateGet0, FWPM_SERVICE_STATE, __stdcall) 36 | 37 | } 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /Ring0/ShimsApi/ShimsApi.WFP.EngineState.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "ShimsApi.WFP.h" 3 | 4 | 5 | namespace MBox 6 | { 7 | namespace ShimsApi 8 | { 9 | namespace WFP 10 | { 11 | // 12 | // Engine State Manager 13 | // 14 | 15 | 
ShimsApi$CompileTime$DeclareApi$4$Macro( 16 | FwpmBfeStateSubscribeChanges0, NTSTATUS, __stdcall, 17 | void*, aDeviceObject, 18 | FWPM_SERVICE_STATE_CHANGE_CALLBACK0, aCallback, 19 | void*, aContext, 20 | HANDLE*, aChangeHandle); 21 | 22 | ShimsApi$CompileTime$DeclareApi$1$Macro( 23 | FwpmBfeStateUnsubscribeChanges0, NTSTATUS, __stdcall, 24 | HANDLE, aChangeHandle); 25 | 26 | ShimsApi$CompileTime$DeclareApi$0$Macro( 27 | FwpmBfeStateGet0, FWPM_SERVICE_STATE, __stdcall); 28 | 29 | 30 | } 31 | } 32 | } 33 | 34 | -------------------------------------------------------------------------------- /Ring0/ShimsApi/ShimsApi.WFP.Redirect.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "ShimsApi.WFP.Redirect.h" 8 | 9 | 10 | namespace MBox 11 | { 12 | namespace ShimsApi 13 | { 14 | namespace WFP 15 | { 16 | ShimsApi$CompileTime$DefineApi$3$Macro( 17 | STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress, 18 | FwpsRedirectHandleCreate0, NTSTATUS, __stdcall, 19 | const GUID*, aProviderGuid, 20 | UINT32, Flags, 21 | HANDLE*, aRedirectHandle); 22 | 23 | ShimsApi$CompileTime$DefineApi$1$Macro( 24 | ShimsApi$CompileTime$EmptyReturn$Macro, GetFwpIpsecRoutineAddress, 25 | FwpsRedirectHandleDestroy0, void, __stdcall, 26 | HANDLE, aRedirectHandle); 27 | 28 | ShimsApi$CompileTime$DefineApi$3$Macro( 29 | FWPS_CONNECTION_NOT_REDIRECTED, GetFwpIpsecRoutineAddress, 30 | FwpsQueryConnectionRedirectState0, FWPS_CONNECTION_REDIRECT_STATE, __stdcall, 31 | HANDLE, aRedirectRecords, 32 | HANDLE, aRedirectHandle, 33 | void**, aRedirectContext); 34 | 35 | ShimsApi$CompileTime$DefineApi$4$Macro( 36 | STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress, 37 | FwpsQueryConnectionSioFormatRedirectRecords0, NTSTATUS, __stdcall, 38 | HANDLE, aRedirectRecords, 39 | PVOID, aOutputBuffer, 40 | SIZE_T, aOutputBufferLength, 41 | PSIZE_T, aBytesTransferred); 42 | } 43 | } 44 | } 45 | 
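--------------------------------------------------------------------------------
/Ring0/ShimsApi/ShimsApi.WFP.Redirect.h:
--------------------------------------------------------------------------------
#pragma once
#include "ShimsApi.WFP.h"


namespace MBox
{
    namespace ShimsApi
    {
        namespace WFP
        {
            ShimsApi$CompileTime$DeclareApi$3$Macro(
                FwpsRedirectHandleCreate0, NTSTATUS, __stdcall,
                const GUID*, aProviderGuid,
                UINT32, Flags,
                HANDLE*, aRedirectHandle);

            ShimsApi$CompileTime$DeclareApi$1$Macro(
                FwpsRedirectHandleDestroy0, void, __stdcall,
                HANDLE, aRedirectHandle);

            ShimsApi$CompileTime$DeclareApi$3$Macro(
                FwpsQueryConnectionRedirectState0, FWPS_CONNECTION_REDIRECT_STATE, __stdcall,
                HANDLE, aRedirectRecords,
                HANDLE, aRedirectHandle,
                void**, aRedirectContext);

            ShimsApi$CompileTime$DeclareApi$4$Macro(
                FwpsQueryConnectionSioFormatRedirectRecords0, NTSTATUS, __stdcall,
                HANDLE, aRedirectRecords,
                PVOID, aOutputBuffer,
                SIZE_T, aOutputBufferLength,
                PSIZE_T, aBytesTransferred);
        }
    }
}
--------------------------------------------------------------------------------
/Ring0/ShimsApi/ShimsApi.WFP.Transaction.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
// (the four include targets below are not shown on this page)
#include
#include
#include
#include

#include "ShimsApi.WFP.Transaction.h"


namespace MBox
{
    namespace ShimsApi
    {
        namespace WFP
        {
            //
            // Explicit Transaction
            //

            // NOTE(review): ShimsApi.Macro.h is not on this page. The first macro
            // argument looks like the value the shim returns when the routine cannot
            // be resolved through GetFwpIpsecRoutineAddress -- confirm there.

            ShimsApi$CompileTime$DefineApi$2$Macro(
                STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress,
                FwpmTransactionBegin0, NTSTATUS, __stdcall,
                HANDLE, aEngineHandle,
                UINT32, aFlags);

            ShimsApi$CompileTime$DefineApi$1$Macro(
                STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress,
                FwpmTransactionCommit0, NTSTATUS, __stdcall,
                HANDLE, aEngineHandle);

            ShimsApi$CompileTime$DefineApi$1$Macro(
                STATUS_NOT_SUPPORTED, GetFwpIpsecRoutineAddress,
                FwpmTransactionAbort0, NTSTATUS, __stdcall,
                HANDLE, aEngineHandle);

        }
    }
}
--------------------------------------------------------------------------------
/Ring0/ShimsApi/ShimsApi.WFP.Transaction.h:
--------------------------------------------------------------------------------
#pragma once
#include "ShimsApi.WFP.h"


namespace MBox
{
    namespace ShimsApi
    {
        namespace WFP
        {
            //
            // Explicit Transaction
            //

            ShimsApi$CompileTime$DeclareApi$2$Macro(
                FwpmTransactionBegin0, NTSTATUS, __stdcall,
                HANDLE, aEngineHandle,
                UINT32, aFlags);

            ShimsApi$CompileTime$DeclareApi$1$Macro(
                FwpmTransactionCommit0, NTSTATUS, __stdcall,
                HANDLE, aEngineHandle);

            ShimsApi$CompileTime$DeclareApi$1$Macro(
                FwpmTransactionAbort0, NTSTATUS, __stdcall,
                HANDLE, aEngineHandle);


        }
    }
}
--------------------------------------------------------------------------------
/Ring0/ShimsApi/ShimsApi.WFP.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
// (the four include targets below are not shown on this page)
#include
#include
#include
#include

#include "ShimsApi.WFP.h"
#include  // (include target is not shown on this page)

namespace MBox
{
    namespace ShimsApi
    {
        namespace WFP
        {
            // Module whose exports the WFP shims resolve at run time.
            static const char s_FwpIpSecModulePath[] = { "\\SystemRoot\\System32\\drivers\\fwpkclnt.sys" };

            /// @brief Returns the base address of the module named by
            ///        s_FwpIpSecModulePath, resolving it once and caching the result.
            /// @param aModuleAddress Out. Receives the module address; set to nullptr
            ///                       when resolution fails.
            /// @return STATUS_INVALID_PARAMETER for a null out pointer, otherwise the
            ///         status of Vol::Modules::GetModuleAddress (STATUS_SUCCESS on a
            ///         cache hit).
            NTSTATUS __stdcall GetFwpIpsecModuleAddress(
                const void ** aModuleAddress)
            {
                // NOTE(review): plain static, no synchronization. Concurrent first
                // calls would each resolve and store; presumably they store the same
                // value -- confirm callers' IRQL/threading if that matters.
                static const void * sModuleAddress = nullptr;

                if (nullptr == aModuleAddress)
                {
                    return STATUS_INVALID_PARAMETER;
                }

                if (nullptr != sModuleAddress)
                {
                    *aModuleAddress = sModuleAddress;
                    return STATUS_SUCCESS;
                }

                // Resolve into a local so a failed lookup can never leave a stale or
                // partial value in the cache, where the next call would hand it back
                // with STATUS_SUCCESS and exports would be looked up from a bad base.
                const void * vResolved = nullptr;
                NTSTATUS vStatus = Vol::Modules::GetModuleAddress(&vResolved, s_FwpIpSecModulePath);
                if (NT_SUCCESS(vStatus))
                {
                    sModuleAddress = vResolved;
                }
                else
                {
                    vResolved = nullptr;
                }

                *aModuleAddress = vResolved;
                return vStatus;
            }

            /// @brief Looks up an exported routine of the cached module by name.
            /// @param aRoutineName Routine name; null or empty yields nullptr.
            /// @return The value of Vol::Modules::GetRoutineAddress, or nullptr when
            ///         the name is empty or the module cannot be resolved. Callers
            ///         must treat nullptr as "routine unavailable".
            const void * __stdcall GetFwpIpsecRoutineAddress(const char * aRoutineName)
            {
                NTSTATUS vStatus = STATUS_SUCCESS;

                if (nullptr == aRoutineName || '\0' == aRoutineName[0])
                {
                    return nullptr;
                }

                const void* vModuleAddress = nullptr;
                vStatus = GetFwpIpsecModuleAddress(&vModuleAddress);
                if (!NT_SUCCESS(vStatus))
                {
                    return nullptr;
                }

                return Vol::Modules::GetRoutineAddress(vModuleAddress, aRoutineName);
            }


            ShimsApi$CompileTime$DefineApi$1$Macro(
                ShimsApi$CompileTime$EmptyReturn$Macro, GetFwpIpsecRoutineAddress,
                FwpmFreeMemory0, void, __stdcall,
                void**, aPtr);
        }
    }
}
--------------------------------------------------------------------------------
/Ring0/ShimsApi/ShimsApi.WFP.h:
--------------------------------------------------------------------------------
#pragma once
#include "ShimsApi.Macro.h"

namespace MBox
{
    namespace ShimsApi
    {
        namespace WFP
        {
            NTSTATUS __stdcall GetFwpIpsecModuleAddress(const void** aModuleAddress);

            const void* __stdcall GetFwpIpsecRoutineAddress(const char* aRoutineName);


            ShimsApi$CompileTime$DeclareApi$1$Macro(
                FwpmFreeMemory0, void, __stdcall,
                void**, aPtr);
        }
    }
}
--------------------------------------------------------------------------------
/Ring0/ShimsApi/stdafx.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"

#ifdef _WIN64
#pragma comment(lib, "Vol.Kernel.X64.lib")
#else
#pragma comment(lib, "Vol.Kernel.X86.lib")
#endif
--------------------------------------------------------------------------------
/Ring0/ShimsApi/stdafx.h: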
-------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef NTDDI_VERSION 4 | #undef NTDDI_VERSION 5 | #define NTDDI_VERSION WDK_NTDDI_VERSION 6 | #else 7 | #define NTDDI_VERSION WDK_NTDDI_VERSION 8 | #endif 9 | 10 | #define NDIS_SUPPORT_NDIS660 1 11 | 12 | #include 13 | -------------------------------------------------------------------------------- /Ring0/UnitTest.Ring0/Controller.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Controller.h" 3 | 4 | ////////////////////////////////////////////////////////////////////////// 5 | 6 | namespace MBox 7 | { 8 | Controller::Controller() 9 | { 10 | } 11 | 12 | Controller::~Controller() 13 | { 14 | } 15 | 16 | NTSTATUS Controller::Initialize(DRIVER_OBJECT* /*aDriverObject*/) 17 | { 18 | NTSTATUS vStatus = STATUS_SUCCESS; 19 | 20 | for (;;) 21 | { 22 | vStatus = RegisterFilter(); 23 | if (!NT_SUCCESS(vStatus)) 24 | { 25 | break; 26 | } 27 | 28 | break; 29 | } 30 | 31 | if (!NT_SUCCESS(vStatus)) 32 | { 33 | Uninitialize(); 34 | } 35 | 36 | return vStatus; 37 | } 38 | 39 | void Controller::Uninitialize() 40 | { 41 | 42 | } 43 | 44 | NTSTATUS Controller::RegisterFilter() 45 | { 46 | return STATUS_SUCCESS; 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /Ring0/UnitTest.Ring0/Controller.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | class Controller 6 | { 7 | public: 8 | Controller(); 9 | virtual ~Controller(); 10 | 11 | virtual NTSTATUS Initialize(DRIVER_OBJECT* aDriverObject); 12 | virtual void Uninitialize(); 13 | 14 | protected: 15 | virtual NTSTATUS RegisterFilter(); 16 | }; 17 | } 18 | -------------------------------------------------------------------------------- /Ring0/UnitTest.Ring0/Listener.h: 
-------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "StorageController.h" 3 | 4 | namespace MBox 5 | { 6 | class Listener : public StorageController 7 | { 8 | protected: 9 | FLT_PREOP_CALLBACK_STATUS PreOperationCallback(MiniFlt::PreOperationCallbackParameterPacket* aParameter); 10 | FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(MiniFlt::PostOperationCallbackParameterPacket* aParameter); 11 | 12 | NTSTATUS RegisterFilter(); 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /Ring0/UnitTest.Ring0/Macro.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef UnitTest$CompileTime$Log$Macro 4 | #define UnitTest$CompileTime$Log$Macro(aLevel, aFormat, ...) \ 5 | do{ \ 6 | DbgPrintEx(DPFLTR_IHVDRIVER_ID, aLevel, \ 7 | "MBox [%04u, %s]-> " aFormat "\n", \ 8 | __LINE__, __FUNCTION__, __VA_ARGS__); \ 9 | }while(0) 10 | #endif 11 | -------------------------------------------------------------------------------- /Ring0/UnitTest.Ring0/UnitTest.Ring0.X64.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; UnitTest.Ring0.X64.inf 3 | ; 4 | 5 | [Version] 6 | Signature = "$WINDOWS NT$" 7 | Class = "ActivityMonitor" 8 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 9 | Provider = "UnitTest" 10 | CatalogFile = %DriverName%.cat 11 | DriverVer = 07/01/2017; 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | UnitTest.DriverFiles = 12 16 | 17 | [DefaultInstall] 18 | OptionDesc = %UnitTestServiceDesc% 19 | CopyFiles = UnitTest.DriverFiles 20 | 21 | [DefaultInstall.Services] 22 | AddService = %UnitTestServiceName%,,UnitTest.Service 23 | 24 | [UnitTest.Service] 25 | DisplayName = %UnitTestServiceName% 26 | Description = %UnitTestServiceDesc% 27 | ServiceBinary = %12%\%DriverName%.sys 28 | ServiceType = 2 ; SERVICE_FILE_SYSTEM_DRIVER 29 | StartType = 3 ; 
SERVICE_DEMAND_START 30 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL% 31 | LoadOrderGroup = "FSFilter Activity Monitor" 32 | AddReg = UnitTest.AddRegistry 33 | Dependencies = FltMgr,BFE 34 | 35 | [UnitTest.AddRegistry] 36 | HKR,%RegInstancesSubkeyName%,%RegDefaultInstanceValueName%,0x00000000,%DefaultInstance% 37 | HKR,%RegInstancesSubkeyName%"\"%Instance1.Name%,%RegAltitudeValueName%,0x00000000,%Instance1.Altitude% 38 | HKR,%RegInstancesSubkeyName%"\"%Instance1.Name%,%RegFlagsValueName%,0x00010001,%Instance1.Flags% 39 | 40 | [UnitTest.DriverFiles] 41 | %DriverName%.sys 42 | 43 | [SourceDisksFiles] 44 | UnitTest.Ring0.X64.sys = 1,, 45 | 46 | [SourceDisksNames] 47 | 1 = %DiskId1%,,, 48 | 49 | [DefaultUninstall] 50 | DelFiles = UnitTest.DriverFiles 51 | ;DelReg = UnitTest.DelRegistry 52 | 53 | [DefaultUninstall.Services] 54 | DelService = UnitTest,0x200 55 | 56 | [Strings] 57 | DriverName = "UnitTest.Ring0.X64" 58 | UnitTestServiceDesc = "UnitTest mini-filter driver" 59 | UnitTestServiceName = "UnitTest" 60 | DiskId1 = "UnitTest Device Installation Disk" 61 | 62 | RegInstancesSubkeyName = "Instances" 63 | RegDefaultInstanceValueName = "DefaultInstance" 64 | RegAltitudeValueName = "Altitude" 65 | RegFlagsValueName = "Flags" 66 | 67 | DefaultInstance = "UnitTest - Top Instance" 68 | Instance1.Name = "UnitTest - Top Instance" 69 | Instance1.Altitude = "370021" 70 | Instance1.Flags = 0x0 71 | -------------------------------------------------------------------------------- /Ring0/UnitTest.Ring0/UnitTest.Ring0.X86.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; UnitTest.Ring0.X86.inf 3 | ; 4 | 5 | [Version] 6 | Signature = "$WINDOWS NT$" 7 | Class = "ActivityMonitor" 8 | ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} 9 | Provider = "UnitTest" 10 | CatalogFile = %DriverName%.cat 11 | DriverVer = 07/01/2017; 12 | 13 | [DestinationDirs] 14 | DefaultDestDir = 12 15 | UnitTest.DriverFiles = 12 16 | 17 | [DefaultInstall] 18 | 
OptionDesc = %UnitTestServiceDesc% 19 | CopyFiles = UnitTest.DriverFiles 20 | 21 | [DefaultInstall.Services] 22 | AddService = %UnitTestServiceName%,,UnitTest.Service 23 | 24 | [UnitTest.Service] 25 | DisplayName = %UnitTestServiceName% 26 | Description = %UnitTestServiceDesc% 27 | ServiceBinary = %12%\%DriverName%.sys 28 | ServiceType = 2 ; SERVICE_FILE_SYSTEM_DRIVER 29 | StartType = 3 ; SERVICE_DEMAND_START 30 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL% 31 | LoadOrderGroup = "FSFilter Activity Monitor" 32 | AddReg = UnitTest.AddRegistry 33 | Dependencies = FltMgr,BFE 34 | 35 | [UnitTest.AddRegistry] 36 | HKR,%RegInstancesSubkeyName%,%RegDefaultInstanceValueName%,0x00000000,%DefaultInstance% 37 | HKR,%RegInstancesSubkeyName%"\"%Instance1.Name%,%RegAltitudeValueName%,0x00000000,%Instance1.Altitude% 38 | HKR,%RegInstancesSubkeyName%"\"%Instance1.Name%,%RegFlagsValueName%,0x00010001,%Instance1.Flags% 39 | 40 | [UnitTest.DriverFiles] 41 | %DriverName%.sys 42 | 43 | [SourceDisksFiles] 44 | UnitTest.Ring0.X86.sys = 1,, 45 | 46 | [SourceDisksNames] 47 | 1 = %DiskId1%,,, 48 | 49 | [DefaultUninstall] 50 | DelFiles = UnitTest.DriverFiles 51 | ;DelReg = UnitTest.DelRegistry 52 | 53 | [DefaultUninstall.Services] 54 | DelService = UnitTest,0x200 55 | 56 | [Strings] 57 | DriverName = "UnitTest.Ring0.X86" 58 | UnitTestServiceDesc = "UnitTest mini-filter driver" 59 | UnitTestServiceName = "UnitTest" 60 | DiskId1 = "UnitTest Device Installation Disk" 61 | 62 | RegInstancesSubkeyName = "Instances" 63 | RegDefaultInstanceValueName = "DefaultInstance" 64 | RegAltitudeValueName = "Altitude" 65 | RegFlagsValueName = "Flags" 66 | 67 | DefaultInstance = "UnitTest - Top Instance" 68 | Instance1.Name = "UnitTest - Top Instance" 69 | Instance1.Altitude = "370021" 70 | Instance1.Flags = 0x0 71 | -------------------------------------------------------------------------------- /Ring0/UnitTest.Ring0/stdafx.cpp: -------------------------------------------------------------------------------- 1 | 
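#include "stdafx.h"

#ifdef _WIN64
#pragma comment(lib, "MiniFlt.X64.lib")
#pragma comment(lib, "WFPFlt.X64.lib")
#else
#pragma comment(lib, "MiniFlt.X86.lib")
#pragma comment(lib, "WFPFlt.X86.lib")
#endif
--------------------------------------------------------------------------------
/Ring0/UnitTest.Ring0/stdafx.h:
--------------------------------------------------------------------------------
#pragma once

#ifdef NTDDI_VERSION
#undef NTDDI_VERSION
#define NTDDI_VERSION WDK_NTDDI_VERSION
#else
#define NTDDI_VERSION WDK_NTDDI_VERSION
#endif

#ifndef NDIS_SUPPORT_NDIS6
#define NDIS_SUPPORT_NDIS6 1
#endif

#include

#include
#include
#include

#include

#include

#include "Macro.h"
--------------------------------------------------------------------------------
/Ring0/Vol.Kernel/Vol.DateTime.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
#include "Vol.DateTime.h"


namespace MBox
{
    namespace Vol
    {
        namespace DateTime
        {
            // Converts a millisecond timeout into the relative (negative,
            // 100-nanosecond) form that kernel wait routines accept.
            //
            // aTimeout      - caller-owned storage that receives the value; it
            //                 is dereferenced without a null check.
            // aMilliseconds - timeout in milliseconds, or Infinite.
            //
            // Returns nullptr when aMilliseconds is Infinite (callers pass that
            // on as "no timeout"), otherwise aTimeout.
            PLARGE_INTEGER FormatTimeoutToLargeInteger(PLARGE_INTEGER aTimeout, UINT32 aMilliseconds)
            {
                //if (INFINITE == aMilliseconds)
                if (Infinite == aMilliseconds)
                {
                    return nullptr;
                }

                // Widen before multiplying. Int32x32To64 casts its operands to a
                // signed 32-bit value, so a timeout of 0x80000000 ms or more
                // turned negative and the product positive - which a wait
                // routine reads as an absolute time that has already passed,
                // i.e. an immediate timeout instead of a long wait.
                aTimeout->QuadPart = static_cast<LONGLONG>(aMilliseconds) * -10000LL;
                return aTimeout;
            }

            // Reads the current system time and stores its local-time
            // equivalent in *aLocalTime.
            void GetLocalTime(PLARGE_INTEGER aLocalTime)
            {
                LARGE_INTEGER vUtcTime;
                KeQuerySystemTime(&vUtcTime);
                ExSystemTimeToLocalTime(&vUtcTime, aLocalTime);
            }

            // Fills *aTimeFields with the current local time broken down into
            // calendar fields.
            void GetLocalTimeFields(PTIME_FIELDS aTimeFields)
            {
                LARGE_INTEGER vLocalTime;
                GetLocalTime(&vLocalTime);
                RtlTimeToTimeFields(&vLocalTime, aTimeFields);
            }

        }
    }
}
--------------------------------------------------------------------------------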
/Ring0/Vol.Kernel/Vol.DateTime.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace Vol 6 | { 7 | namespace DateTime 8 | { 9 | enum : UINT32 10 | { 11 | Infinite = 0xFFFFFFFF, 12 | }; 13 | 14 | PLARGE_INTEGER FormatTimeoutToLargeInteger( 15 | PLARGE_INTEGER aTimeout, 16 | UINT32 aMilliseconds); 17 | 18 | void GetLocalTime(PLARGE_INTEGER aLocalTime); 19 | 20 | void GetLocalTimeFields(PTIME_FIELDS aTimeFields); 21 | } 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/Vol.Device.Macro.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/Vol.Kernel/Vol.Device.Macro.h -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/Vol.Memory.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace Vol 6 | { 7 | namespace Memory 8 | { 9 | NTSTATUS LockBuffer( 10 | _Out_ PMDL* aLockedMdl, 11 | _Out_ void** aLockedBuffer, 12 | _In_ void* aBuffer, 13 | _In_ ktl::u32 aBufferBytes, 14 | _In_opt_ KPROCESSOR_MODE aAccessMode = MODE::UserMode, 15 | _In_opt_ LOCK_OPERATION aOperation = LOCK_OPERATION::IoReadAccess); 16 | 17 | void UnlockBuffer(_In_ PMDL aLockedMdl); 18 | 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/Vol.Module.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/Vol.Kernel/Vol.Module.cpp -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/Vol.Object.Event.cpp: 
--------------------------------------------------------------------------------
#include "stdafx.h"
#include "Vol.Object.Event.h"
#include
#include

namespace MBox
{
    namespace Vol
    {
        namespace Object
        {
            // Creates a named notification event, initially non-signaled, whose
            // DACL is built from a fixed SDDL string.
            //
            // aEventHandle - receives the handle returned by ZwCreateEvent.
            // aEventName   - object name used in the OBJECT_ATTRIBUTES.
            //
            // Returns the status of BuildSecurityDescriptor if that fails,
            // otherwise the status of ZwCreateEvent.
            //
            // SDDL "D:P(A;CIOI;GRGX;;;WD)": protected DACL with a single
            // allow ACE granting generic read + generic execute to Everyone
            // (WD). Presumably this is what limits other openers to waiting on
            // the event rather than setting it - confirm against the generic
            // mapping for event objects.
            //
            // NOTE(review): the attributes do not include OBJ_KERNEL_HANDLE, so
            // the handle is created in the handle table of whichever process
            // this call runs in. If that can be a user process, the handle
            // (opened with EVENT_ALL_ACCESS) is reachable from user mode -
            // confirm the calling context, or whether a kernel handle was
            // intended.
            NTSTATUS CreateOnlyWaitEvent(
                HANDLE * aEventHandle,
                PUNICODE_STRING aEventName)
            {
                MBox::SecurityDescriptor* vDescriptor = nullptr;

                NTSTATUS vResult = MBox::Vol::Security::BuildSecurityDescriptor(
                    L"D:P(A;CIOI;GRGX;;;WD)",
                    &vDescriptor);

                if (NT_SUCCESS(vResult))
                {
                    OBJECT_ATTRIBUTES vAttributes{};
                    InitializeObjectAttributes(
                        &vAttributes,
                        aEventName,
                        OBJ_FORCE_ACCESS_CHECK | OBJ_CASE_INSENSITIVE,
                        nullptr,
                        vDescriptor);

                    vResult = ZwCreateEvent(
                        aEventHandle,
                        EVENT_ALL_ACCESS,
                        (ObjectAttributes*)(&vAttributes),
                        EventType::NotificationEvent,
                        FALSE);
                }

                // Reached on every path, including with a null descriptor when
                // the build step failed - assumes FreeSecurityDescriptor
                // tolerates nullptr; TODO confirm.
                MBox::Vol::Security::FreeSecurityDescriptor(vDescriptor);

                return vResult;
            }

        }
    }
}
--------------------------------------------------------------------------------
/Ring0/Vol.Kernel/Vol.Object.Event.h:
--------------------------------------------------------------------------------
#pragma once


namespace MBox
{
    namespace Vol
    {
        namespace Object
        {
            NTSTATUS CreateOnlyWaitEvent(
                HANDLE* aEventHandle,
                PUNICODE_STRING aEventName); /* E.g \BaseNamedObjects\Namespace_DriverUnloadEvent{GUID} */

        }
    }
}
--------------------------------------------------------------------------------
/Ring0/Vol.Kernel/Vol.Object.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/Vol.Kernel/Vol.Object.h -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/Vol.Paths.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | 5 | namespace MBox 6 | { 7 | namespace Vol 8 | { 9 | namespace Paths 10 | { 11 | NTSTATUS ReferenceNtPathFromDosPath( 12 | PUNICODE_STRING* aNtPath, 13 | const PUNICODE_STRING aDosPath, 14 | POOL_TYPE aPoolType = DefaultPoolType, 15 | UINT32 aTag = DefaultPoolTag); 16 | 17 | NTSTATUS ReferenceNtPathFromHarddiskPath( 18 | PUNICODE_STRING* aNtPath, 19 | const PUNICODE_STRING aHarddiskPath, 20 | POOL_TYPE aPoolType = DefaultPoolType, 21 | UINT32 aTag = DefaultPoolTag); 22 | 23 | /*NTSTATUS ReferenceNtPathFromArcPath( 24 | PUNICODE_STRING* aNtPath, 25 | const PUNICODE_STRING aArcPath, 26 | POOL_TYPE aPoolType = DefaultPoolType, 27 | UINT32 aTag = DefaultPoolTag);*/ 28 | 29 | void DeferenceNtPath(PUNICODE_STRING aNtPath); 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/Vol.Security.SecurityDescriptor.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | namespace MBox 6 | { 7 | namespace Vol 8 | { 9 | namespace Security 10 | { 11 | UINT32 GetSidNeedLength(unsigned char aSubAuthorityCount); 12 | 13 | NTSTATUS BuildSid(const wchar_t* aStringSid, Sid** aSid); 14 | void FreeSid(Sid* aSid); 15 | 16 | NTSTATUS BuildSecurityDescriptor( 17 | const wchar_t* aSddl, 18 | SecurityDescriptor ** aSecurityDescriptor, 19 | UINT32* aSecurityDescriptorBytes = nullptr); 20 | 21 | void FreeSecurityDescriptor( 22 | SecurityDescriptor * aSecurityDescriptor); 23 | 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- 
/Ring0/Vol.Kernel/Vol.Security.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | 5 | 6 | namespace MBox 7 | { 8 | namespace Vol 9 | { 10 | namespace Security 11 | { 12 | NTSTATUS QueryTokenInformation( 13 | HANDLE aToken, 14 | TokenInformationClass aClasses, 15 | void* aBuffer, 16 | UINT32 aBufferBytes, 17 | UINT32* aNeedBytes); 18 | 19 | NTSTATUS ReferenceTokenInformation( 20 | HANDLE aToken, 21 | TokenInformationClass aClasses, 22 | void** aBuffer, 23 | POOL_TYPE aPoolType = DefaultPoolType, 24 | UINT32 aTag = DefaultPoolTag); 25 | 26 | void DeferenceTokenInformation( 27 | void* aBuffer); 28 | 29 | NTSTATUS ReferenceCurrentUserSid( 30 | PSID* aSid, 31 | POOL_TYPE aPoolType = DefaultPoolType, 32 | UINT32 aTag = DefaultPoolTag); 33 | 34 | void DeferenceCurrentUserSid( 35 | PSID aSid); 36 | 37 | } 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/Vol.Symboliclinks.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring0/Vol.Kernel/Vol.Symboliclinks.h -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/Vol.System.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace Vol 6 | { 7 | namespace System 8 | { 9 | SystemVersion GetSystemVersion(); 10 | 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /Ring0/Vol.Kernel/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | #ifdef _WIN64 4 | #pragma comment(lib, "KTL.X64.lib") 5 | #else 6 | #pragma comment(lib, "KTL.X86.lib") 7 | #endif 8 | 
-------------------------------------------------------------------------------- /Ring0/Vol.Kernel/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef NTDDI_VERSION 4 | #undef NTDDI_VERSION 5 | #define NTDDI_VERSION WDK_NTDDI_VERSION 6 | #else 7 | #define NTDDI_VERSION WDK_NTDDI_VERSION 8 | #endif 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Engine.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.ApiWrapper.Engine.h" 3 | #include 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | namespace WFPApiWrapper 10 | { 11 | // 12 | // Engine Manager 13 | // 14 | 15 | NTSTATUS EngineOpen(EngineOpenParameter * aParameter) 16 | { 17 | FWPM_SESSION0 vSession0 = { 0 }; 18 | 19 | return ShimsApi::WFP::FwpmEngineOpen0Shims( 20 | aParameter->m_ServerName, 21 | aParameter->m_AuthnService, 22 | aParameter->m_AuthIdentity, 23 | WFPFltSessionToSession(&vSession0, aParameter->m_Session), 24 | aParameter->m_EngineHandle); 25 | } 26 | 27 | NTSTATUS EngineClose(EngineCloseParameter * aParameter) 28 | { 29 | return ShimsApi::WFP::FwpmEngineClose0Shims(aParameter->m_EngineHandle); 30 | } 31 | 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Engine.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "WFPFlt.ApiWrapper.h" 3 | 4 | namespace MBox 5 | { 6 | namespace WFPFlt 7 | { 8 | namespace WFPApiWrapper 9 | { 10 | // 11 | // Engine Manager 12 | // 13 | 14 | struct EngineOpenParameter 15 | { 16 | const wchar_t* m_ServerName = nullptr; 17 | UINT32 m_AuthnService = RPC_C_AUTHN_WINNT; 18 | SEC_WINNT_AUTH_IDENTITY_W* m_AuthIdentity = nullptr; 19 
| WFPFltSession* m_Session = nullptr; 20 | HANDLE* m_EngineHandle = nullptr; 21 | }; 22 | 23 | NTSTATUS EngineOpen(EngineOpenParameter* aParameter); 24 | 25 | struct EngineCloseParameter 26 | { 27 | HANDLE m_EngineHandle = nullptr; 28 | }; 29 | 30 | NTSTATUS EngineClose(EngineCloseParameter* aParameter); 31 | 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.EngineState.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.ApiWrapper.EngineState.h" 3 | #include 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | namespace WFPApiWrapper 10 | { 11 | // 12 | // Engine State Manager 13 | // 14 | 15 | NTSTATUS BfeStateSubscribeChanges(BfeStateSubscribeChangesParameter * aParameter) 16 | { 17 | return ShimsApi::WFP::FwpmBfeStateSubscribeChanges0Shims( 18 | aParameter->m_DeviceObject, 19 | aParameter->m_Callback, 20 | aParameter->m_Context, 21 | aParameter->m_ChangeHandle); 22 | } 23 | 24 | NTSTATUS BfeStateUnsubscribeChanges(BfeStateUnsubscribeChangesParameter * aParameter) 25 | { 26 | return ShimsApi::WFP::FwpmBfeStateUnsubscribeChanges0Shims(aParameter->m_ChangeHandle); 27 | } 28 | 29 | FWPM_SERVICE_STATE BfeStateGet() 30 | { 31 | return ShimsApi::WFP::FwpmBfeStateGet0Shims(); 32 | } 33 | 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.EngineState.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace WFPFlt 6 | { 7 | namespace WFPApiWrapper 8 | { 9 | // 10 | // Engine State Manager 11 | // 12 | 13 | struct BfeStateSubscribeChangesParameter 14 | { 15 | void* m_DeviceObject = nullptr; 16 | void* m_Context = nullptr; 17 | HANDLE* m_ChangeHandle = nullptr; 18 | 19 | FWPM_SERVICE_STATE_CHANGE_CALLBACK0 m_Callback = nullptr; 
20 | }; 21 | 22 | NTSTATUS BfeStateSubscribeChanges(BfeStateSubscribeChangesParameter* aParameter); 23 | 24 | struct BfeStateUnsubscribeChangesParameter 25 | { 26 | HANDLE m_ChangeHandle = nullptr; 27 | }; 28 | 29 | NTSTATUS BfeStateUnsubscribeChanges(BfeStateUnsubscribeChangesParameter* aParameter); 30 | 31 | FWPM_SERVICE_STATE BfeStateGet(); 32 | 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Filter.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.ApiWrapper.Filter.h" 3 | #include 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | namespace WFPApiWrapper 10 | { 11 | NTSTATUS FilterAdd(FilterAddParameter * aParameter) 12 | { 13 | FWPM_FILTER0 vFilter0{}; 14 | 15 | return ShimsApi::WFP::FwpmFilterAdd0Shims( 16 | aParameter->m_EngineHandle, 17 | WFPFltFilterToFilter(&vFilter0, aParameter->m_Filter), 18 | aParameter->m_SecurityDescriptor, 19 | aParameter->m_FilterId); 20 | } 21 | 22 | NTSTATUS FilterDeleteById(FilterDeleteByIdParameter * aParameter) 23 | { 24 | return ShimsApi::WFP::FwpmFilterDeleteById0Shims(aParameter->m_EngineHandle, aParameter->m_FilterId); 25 | } 26 | 27 | NTSTATUS FilterDeleteByKey(FilterDeleteByKeyParameter * aParameter) 28 | { 29 | return ShimsApi::WFP::FwpmFilterDeleteByKey0Shims(aParameter->m_EngineHandle, aParameter->m_FilterGuid); 30 | } 31 | 32 | NTSTATUS FilterGetById(FilterGetByIdParameter * aParameter) 33 | { 34 | aParameter->m_IsValidFilter0 = TRUE; 35 | return ShimsApi::WFP::FwpmFilterGetById0Shims(aParameter->m_EngineHandle, aParameter->m_FilterId, aParameter->m_Filter0); 36 | } 37 | 38 | NTSTATUS FilterGetByKey(FilterGetByKeyParameter * aParameter) 39 | { 40 | aParameter->m_IsValidFilter0 = TRUE; 41 | return ShimsApi::WFP::FwpmFilterGetByKey0Shims(aParameter->m_EngineHandle, aParameter->m_FilterGuid, aParameter->m_Filter0); 42 | } 43 | 44 | } 45 | } 
46 | } 47 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Filter.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "WFPFlt.ApiWrapper.h" 3 | 4 | namespace MBox 5 | { 6 | namespace WFPFlt 7 | { 8 | namespace WFPApiWrapper 9 | { 10 | struct FilterAddParameter 11 | { 12 | HANDLE m_EngineHandle = nullptr; 13 | const WFPFltFilter* m_Filter = nullptr; 14 | PSECURITY_DESCRIPTOR* m_SecurityDescriptor = nullptr; 15 | UINT64* m_FilterId = nullptr; 16 | }; 17 | 18 | NTSTATUS FilterAdd(FilterAddParameter* aParameter); 19 | 20 | 21 | struct FilterDeleteByIdParameter 22 | { 23 | HANDLE m_EngineHandle = nullptr; 24 | UINT64 m_FilterId = 0; 25 | }; 26 | 27 | NTSTATUS FilterDeleteById(FilterDeleteByIdParameter* aParameter); 28 | 29 | 30 | struct FilterDeleteByKeyParameter 31 | { 32 | HANDLE m_EngineHandle = nullptr; 33 | const GUID* m_FilterGuid = nullptr; 34 | }; 35 | 36 | NTSTATUS FilterDeleteByKey(FilterDeleteByKeyParameter* aParameter); 37 | 38 | 39 | struct FilterGetByIdParameter 40 | { 41 | UINT32 m_IsValidFilter0 : 1; 42 | 43 | HANDLE m_EngineHandle = nullptr; 44 | UINT64 m_FilterId = 0; 45 | 46 | union 47 | { 48 | FWPM_FILTER0** m_Filter0; 49 | }; 50 | }; 51 | 52 | NTSTATUS FilterGetById(FilterGetByIdParameter* aParameter); 53 | 54 | 55 | struct FilterGetByKeyParameter 56 | { 57 | UINT32 m_IsValidFilter0 : 1; 58 | 59 | HANDLE m_EngineHandle = nullptr; 60 | const GUID* m_FilterGuid = nullptr; 61 | 62 | union 63 | { 64 | FWPM_FILTER0** m_Filter0; 65 | }; 66 | }; 67 | 68 | NTSTATUS FilterGetByKey(FilterGetByKeyParameter* aParameter); 69 | 70 | } 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Injection.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.ApiWrapper.Injection.h" 3 | 
#include 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | namespace WFPApiWrapper 10 | { 11 | // 12 | // Injection Manager 13 | // 14 | 15 | NTSTATUS InjectionHandleCreate(InjectionHandleCreateParameter* aParameter) 16 | { 17 | return ShimsApi::WFP::FwpsInjectionHandleCreate0Shims( 18 | aParameter->m_AddressFamily, 19 | aParameter->m_InjectionType, 20 | aParameter->m_InjectionHandle); 21 | } 22 | 23 | NTSTATUS InjectionHandleDestroy(InjectionHandleDestroyParameter * aParameter) 24 | { 25 | return ShimsApi::WFP::FwpsInjectionHandleDestroy0Shims(aParameter->m_InjectionHandle); 26 | } 27 | 28 | FWPS_PACKET_INJECTION_STATE QueryPacketInjectionState(QueryPacketInjectionStateParameter * aParameters) 29 | { 30 | return ShimsApi::WFP::FwpsQueryPacketInjectionState0Shims( 31 | aParameters->m_InjectionHandle, aParameters->m_NetBufferList, aParameters->m_InjectionContext); 32 | } 33 | 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Injection.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | namespace MBox 5 | { 6 | namespace WFPFlt 7 | { 8 | namespace WFPApiWrapper 9 | { 10 | // 11 | // Injection Manager 12 | // 13 | 14 | struct InjectionHandleCreateParameter 15 | { 16 | AddressFamily m_AddressFamily = AddressFamily::Unspecified; 17 | UINT32 m_InjectionType = 0; 18 | HANDLE* m_InjectionHandle = nullptr; 19 | }; 20 | 21 | NTSTATUS InjectionHandleCreate(InjectionHandleCreateParameter* aParameter); 22 | 23 | struct InjectionHandleDestroyParameter 24 | { 25 | HANDLE m_InjectionHandle = nullptr; 26 | }; 27 | 28 | NTSTATUS InjectionHandleDestroy(InjectionHandleDestroyParameter* aParameter); 29 | 30 | struct QueryPacketInjectionStateParameter 31 | { 32 | HANDLE m_InjectionHandle = nullptr; 33 | const NET_BUFFER_LIST* m_NetBufferList = nullptr; 34 | HANDLE* m_InjectionContext = nullptr; 35 | }; 36 | 37 | 
FWPS_PACKET_INJECTION_STATE QueryPacketInjectionState(QueryPacketInjectionStateParameter* aParameters); 38 | } 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Provider.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.ApiWrapper.Provider.h" 3 | #include 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | namespace WFPApiWrapper 10 | { 11 | NTSTATUS ProviderAdd(ProviderAddParameter * aParameter) 12 | { 13 | FWPM_PROVIDER0 vProvider = { 0 }; 14 | 15 | return ShimsApi::WFP::FwpmProviderAdd0Shims( 16 | aParameter->m_EngineHandle, 17 | WFPFltProviderToProvider(&vProvider, aParameter->m_Provider), 18 | aParameter->m_SecurityDescriptor); 19 | } 20 | 21 | NTSTATUS ProviderDeleteByKey(ProviderDeleteByKeyParameter * aParameter) 22 | { 23 | return ShimsApi::WFP::FwpmProviderDeleteByKey0Shims(aParameter->m_EngineHandle, aParameter->m_ProviderGuid); 24 | } 25 | 26 | NTSTATUS ProviderGetByKey(ProviderGetByKeyParameter * aParameter) 27 | { 28 | aParameter->m_IsValidProvider0 = TRUE; 29 | return ShimsApi::WFP::FwpmProviderGetByKey0Shims(aParameter->m_EngineHandle, aParameter->m_KeyGuid, &aParameter->m_Provider0); 30 | } 31 | 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Provider.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "WFPFlt.ApiWrapper.h" 3 | 4 | namespace MBox 5 | { 6 | namespace WFPFlt 7 | { 8 | namespace WFPApiWrapper 9 | { 10 | struct ProviderAddParameter 11 | { 12 | HANDLE m_EngineHandle = nullptr; 13 | const WFPFltProvider* m_Provider = nullptr; 14 | PSECURITY_DESCRIPTOR m_SecurityDescriptor = nullptr; 15 | }; 16 | 17 | NTSTATUS ProviderAdd(ProviderAddParameter* aParameter); 18 | 19 | struct ProviderDeleteByKeyParameter 20 | { 21 | HANDLE 
m_EngineHandle = nullptr; 22 | const GUID* m_ProviderGuid = nullptr; 23 | }; 24 | 25 | NTSTATUS ProviderDeleteByKey(ProviderDeleteByKeyParameter* aParameter); 26 | 27 | struct ProviderGetByKeyParameter 28 | { 29 | UINT32 m_IsValidProvider0 : 1; 30 | 31 | HANDLE m_EngineHandle = nullptr; 32 | const GUID* m_KeyGuid = nullptr; 33 | 34 | union 35 | { 36 | FWPM_PROVIDER0* m_Provider0 = nullptr; 37 | }; 38 | 39 | ProviderGetByKeyParameter() 40 | { 41 | m_IsValidProvider0 = FALSE; 42 | } 43 | }; 44 | 45 | NTSTATUS ProviderGetByKey(ProviderGetByKeyParameter* aParameter); 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Redirect.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.ApiWrapper.Redirect.h" 3 | #include 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | namespace WFPApiWrapper 10 | { 11 | NTSTATUS RedirectHandleCreate(RedirectHandleCreateParameter * aParameter) 12 | { 13 | return ShimsApi::WFP::FwpsRedirectHandleCreate0Shims( 14 | aParameter->m_ProviderGuid, aParameter->m_Flags, aParameter->m_RedirectHandle); 15 | } 16 | 17 | void RedirectHandleDestroy(RedirectHandleDestroyParameter * aParameter) 18 | { 19 | return ShimsApi::WFP::FwpsRedirectHandleDestroy0Shims(aParameter->m_RedirectHandle); 20 | } 21 | 22 | FWPS_CONNECTION_REDIRECT_STATE QueryConnectionRedirectState(QueryConnectionRedirectStateParameter * aParameter) 23 | { 24 | return ShimsApi::WFP::FwpsQueryConnectionRedirectState0Shims( 25 | aParameter->m_RedirectRecords, aParameter->m_RedirectHandle, aParameter->m_RedirectContext); 26 | } 27 | 28 | NTSTATUS QueryConnectionSioFormatRedirectRecords(QueryConnectionSioFormatRedirectRecordsParameter * aParameter) 29 | { 30 | return ShimsApi::WFP::FwpsQueryConnectionSioFormatRedirectRecords0Shims( 31 | aParameter->m_RedirectRecords, aParameter->m_OutputBuffer, 
aParameter->m_OutputBufferLength, aParameter->m_BytesTransferred); 32 | } 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Redirect.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "WFPFlt.ApiWrapper.h" 3 | 4 | namespace MBox 5 | { 6 | namespace WFPFlt 7 | { 8 | namespace WFPApiWrapper 9 | { 10 | struct RedirectHandleCreateParameter 11 | { 12 | const GUID* m_ProviderGuid = nullptr; 13 | UINT32 m_Flags = 0; // must 0 14 | HANDLE* m_RedirectHandle = nullptr; 15 | }; 16 | 17 | NTSTATUS RedirectHandleCreate(RedirectHandleCreateParameter* aParameter); 18 | 19 | struct RedirectHandleDestroyParameter 20 | { 21 | HANDLE m_RedirectHandle = nullptr; 22 | }; 23 | 24 | void RedirectHandleDestroy(RedirectHandleDestroyParameter* aParameter); 25 | 26 | struct QueryConnectionRedirectStateParameter 27 | { 28 | HANDLE m_RedirectRecords = nullptr; 29 | HANDLE m_RedirectHandle = nullptr; 30 | void** m_RedirectContext = nullptr; 31 | }; 32 | 33 | FWPS_CONNECTION_REDIRECT_STATE QueryConnectionRedirectState(QueryConnectionRedirectStateParameter* aParameter); 34 | 35 | struct QueryConnectionSioFormatRedirectRecordsParameter 36 | { 37 | HANDLE m_RedirectRecords = nullptr; 38 | PVOID m_OutputBuffer = nullptr; 39 | SIZE_T m_OutputBufferLength = 0; 40 | PSIZE_T m_BytesTransferred = nullptr; 41 | }; 42 | 43 | NTSTATUS QueryConnectionSioFormatRedirectRecords(QueryConnectionSioFormatRedirectRecordsParameter* aParameter); 44 | 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Sublayer.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.ApiWrapper.Sublayer.h" 3 | #include 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | namespace WFPApiWrapper 10 | { 11 | NTSTATUS 
SublayerAdd(SublayerAddParameter * aParameter) 12 | { 13 | FWPM_SUBLAYER0 vSublayer0 = { 0 }; 14 | 15 | return ShimsApi::WFP::FwpmSubLayerAdd0Shims( 16 | aParameter->m_EngineHandle, 17 | WFPFltSublayerToSublayer(&vSublayer0, aParameter->m_Sublayer), 18 | aParameter->m_SecurityDescriptor); 19 | } 20 | NTSTATUS SublayerDeleteByKey(SublayerDeleteByKeyParameter * aParameter) 21 | { 22 | return ShimsApi::WFP::FwpmSubLayerDeleteByKey0Shims(aParameter->m_EngineHandle, aParameter->m_SublayerGuid); 23 | } 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Sublayer.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "WFPFlt.ApiWrapper.h" 3 | 4 | namespace MBox 5 | { 6 | namespace WFPFlt 7 | { 8 | namespace WFPApiWrapper 9 | { 10 | struct SublayerAddParameter 11 | { 12 | HANDLE m_EngineHandle = nullptr; 13 | const WFPFltSublayer* m_Sublayer = nullptr; 14 | PSECURITY_DESCRIPTOR m_SecurityDescriptor = nullptr; 15 | }; 16 | 17 | NTSTATUS SublayerAdd(SublayerAddParameter* aParameter); 18 | 19 | struct SublayerDeleteByKeyParameter 20 | { 21 | HANDLE m_EngineHandle = nullptr; 22 | const GUID* m_SublayerGuid = nullptr; 23 | }; 24 | 25 | NTSTATUS SublayerDeleteByKey(SublayerDeleteByKeyParameter* aParameter); 26 | } 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Transaction.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.ApiWrapper.Transaction.h" 3 | #include 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | namespace WFPApiWrapper 10 | { 11 | // 12 | // Transaction 13 | // 14 | 15 | NTSTATUS TransactionBegin(TransactionBeginParameter * aParameter) 16 | { 17 | return ShimsApi::WFP::FwpmTransactionBegin0Shims(aParameter->m_EngineHandle, aParameter->m_Flags); 18 | 
} 19 | 20 | NTSTATUS TransactionCommit(TransactionCommitParameter * aParameter) 21 | { 22 | return ShimsApi::WFP::FwpmTransactionCommit0Shims(aParameter->m_EngineHandle); 23 | } 24 | 25 | NTSTATUS TransactionAbort(TransactionAbortParameter * aParameter) 26 | { 27 | return ShimsApi::WFP::FwpmTransactionAbort0Shims(aParameter->m_EngineHandle); 28 | } 29 | 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.ApiWrapper.Transaction.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace WFPFlt 6 | { 7 | namespace WFPApiWrapper 8 | { 9 | // 10 | // Transaction 11 | // 12 | 13 | struct TransactionBeginParameter 14 | { 15 | HANDLE m_EngineHandle = nullptr; 16 | UINT32 m_Flags = 0; 17 | }; 18 | 19 | NTSTATUS TransactionBegin(TransactionBeginParameter* aParameter); 20 | 21 | struct TransactionCommitParameter 22 | { 23 | HANDLE m_EngineHandle = nullptr; 24 | }; 25 | 26 | NTSTATUS TransactionCommit(TransactionCommitParameter* aParameter); 27 | 28 | struct TransactionAbortParameter 29 | { 30 | HANDLE m_EngineHandle = nullptr; 31 | }; 32 | 33 | NTSTATUS TransactionAbort(TransactionAbortParameter* aParameter); 34 | 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.Manager.Engine.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "WFPFlt.Manager.Engine.h" 3 | #include "WFPFlt.ApiWrapper.Engine.h" 4 | 5 | namespace MBox 6 | { 7 | namespace WFPFlt 8 | { 9 | NTSTATUS EngineManager::Initialize() 10 | { 11 | return STATUS_SUCCESS; 12 | } 13 | 14 | void EngineManager::Uninitialize() 15 | { 16 | CloseEngine(); 17 | } 18 | 19 | NTSTATUS EngineManager::OpenEngine() 20 | { 21 | if (m_EngineHandle) 22 | { 23 | return STATUS_SUCCESS; 24 | } 25 | 26 | WFPApiWrapper::EngineOpenParameter 
vParameter{}; 27 | vParameter.m_EngineHandle = &m_EngineHandle; 28 | 29 | return WFPApiWrapper::EngineOpen(&vParameter); 30 | } 31 | 32 | void EngineManager::CloseEngine() 33 | { 34 | if (nullptr == m_EngineHandle) 35 | { 36 | return; 37 | } 38 | 39 | WFPApiWrapper::EngineCloseParameter vParameter{}; 40 | vParameter.m_EngineHandle = m_EngineHandle; 41 | 42 | WFPApiWrapper::EngineClose(&vParameter); 43 | m_EngineHandle = nullptr; 44 | } 45 | 46 | HANDLE EngineManager::GetEngineHandle() 47 | { 48 | return m_EngineHandle; 49 | } 50 | 51 | EngineManager * GetEngineManager() 52 | { 53 | static EngineManager sEngineManager; 54 | return &sEngineManager; 55 | } 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.Manager.Engine.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace WFPFlt 6 | { 7 | class EngineManager 8 | { 9 | public: 10 | NTSTATUS Initialize(); 11 | void Uninitialize(); 12 | 13 | NTSTATUS OpenEngine(); 14 | void CloseEngine(); 15 | 16 | HANDLE GetEngineHandle(); 17 | 18 | protected: 19 | HANDLE m_EngineHandle = nullptr; 20 | }; 21 | 22 | EngineManager* GetEngineManager(); 23 | 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.Manager.Provider.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace WFPFlt 6 | { 7 | class ProviderManager 8 | { 9 | public: 10 | NTSTATUS Initialize(); 11 | void Uninitialize(); 12 | 13 | NTSTATUS AddProvider(); 14 | NTSTATUS DeleteProvider(); 15 | 16 | }; 17 | 18 | const GUID* GetProviderGuid(); 19 | ProviderManager* GetProviderManager(); 20 | } 21 | } 22 | 23 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.Manager.Redirect.cpp: 
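--------------------------------------------------------------------------------
#include "stdafx.h"
#include "WFPFlt.Manager.Redirect.h"
#include "WFPFlt.ApiWrapper.Redirect.h"
#include "WFPFlt.Manager.Provider.h"

#include

namespace MBox
{
    namespace WFPFlt
    {
        // Reports whether redirect handles can be used on this system.
        // Returns STATUS_NOT_SUPPORTED when the system version is below
        // SystemVersion::Windows8, STATUS_SUCCESS otherwise. No handle is
        // created here.
        NTSTATUS RedirectManager::Initialize()
        {
            if (Vol::System::GetSystemVersion() < SystemVersion::Windows8)
            {
                return STATUS_NOT_SUPPORTED;
            }

            return STATUS_SUCCESS;
        }

        // Releases the redirect handle, if one is held.
        void RedirectManager::Uninitialize()
        {
            CloseRedirectHandle();
        }

        // Creates the redirect handle for this driver's provider GUID.
        // Returns STATUS_NOT_SUPPORTED below Windows 8, STATUS_SUCCESS when a
        // handle is already held, otherwise the status of the wrapper call.
        NTSTATUS RedirectManager::CreateRedirectHandle()
        {
            if (Vol::System::GetSystemVersion() < SystemVersion::Windows8)
            {
                return STATUS_NOT_SUPPORTED;
            }

            if (nullptr != m_RedirectHandle)
            {
                return STATUS_SUCCESS;
            }

            WFPApiWrapper::RedirectHandleCreateParameter vParameter{};
            vParameter.m_ProviderGuid   = GetProviderGuid();
            vParameter.m_RedirectHandle = &m_RedirectHandle;

            return WFPApiWrapper::RedirectHandleCreate(&vParameter);
        }

        // Destroys the redirect handle and forgets it. Does nothing when no
        // handle is held.
        void RedirectManager::CloseRedirectHandle()
        {
            if (nullptr == m_RedirectHandle)
            {
                return;
            }

            WFPApiWrapper::RedirectHandleDestroyParameter vParameter{};
            vParameter.m_RedirectHandle = m_RedirectHandle;

            WFPApiWrapper::RedirectHandleDestroy(&vParameter);

            // Clear the member, as EngineManager::CloseEngine does for its
            // handle. Without this a second Close/Uninitialize destroys the
            // same handle again, and CreateRedirectHandle reports success
            // while still holding the destroyed handle.
            m_RedirectHandle = nullptr;
        }


        // Returns the process-wide RedirectManager instance (function-local
        // static).
        RedirectManager * GetRedirectManager()
        {
            static RedirectManager sRedirectManager;
            return &sRedirectManager;
        }
    }
}

--------------------------------------------------------------------------------
/Ring0/WFPFlt/WFPFlt.Manager.Redirect.h:
--------------------------------------------------------------------------------
#pragma once


namespace MBox
{
    namespace WFPFlt
    {
        class RedirectManager
        {
        public:
            NTSTATUS Initialize();
            void Uninitialize();
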
NTSTATUS CreateRedirectHandle(); 15 | void CloseRedirectHandle(); 16 | 17 | private: 18 | HANDLE m_RedirectHandle = nullptr; 19 | }; 20 | 21 | RedirectManager* GetRedirectManager(); 22 | 23 | } 24 | } 25 | 26 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.Manager.Transaction.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | namespace MBox 5 | { 6 | namespace WFPFlt 7 | { 8 | class TransactionManager 9 | { 10 | public: 11 | 12 | ~TransactionManager(); 13 | 14 | NTSTATUS BeginTransaction(HANDLE aEngineHandle); 15 | NTSTATUS CommitTransaction(); 16 | NTSTATUS AbortTransaction(); 17 | 18 | protected: 19 | volatile long m_IsBegin = FALSE; 20 | HANDLE m_EngineHandle = nullptr; 21 | }; 22 | 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.Utilities.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | namespace MBox 4 | { 5 | namespace WFPFlt 6 | { 7 | namespace Utilities 8 | { 9 | BOOLEAN IsSupportedWFP(); 10 | 11 | AddressFamily GetAddressFamilyForLayer(UINT16 aLayerId); 12 | 13 | FWP_DIRECTION GetPacketDirectionForLayer(UINT16 aLayerId); 14 | 15 | } 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/WFPFlt.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "WFPFlt.Manager.Callout.h" 7 | 8 | namespace MBox 9 | { 10 | namespace WFPFlt 11 | { 12 | NTSTATUS Initialize( 13 | DRIVER_OBJECT* aDriverObject, 14 | UNICODE_STRING* aRegistryPath, 15 | bool aIsAsynchronous = true); 16 | 17 | void Unitialize(); 18 | 19 | NTSTATUS RegisterFilter( 20 | DEVICE_OBJECT* aDeviceObject = nullptr, 21 | PRKEVENT aCompleteHandle = nullptr); 22 | 23 | template 24 | NTSTATUS 
RegisterCallbackPacket(CalloutManager::CallbackPacket* aCallbackPacket, F aDeletor) 25 | { 26 | return GetCalloutManager()->RegisterCallback(aCallbackPacket, aDeletor); 27 | } 28 | 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | #ifdef _WIN64 4 | #pragma comment(lib, "ShimsApi.X64.lib") 5 | #else 6 | #pragma comment(lib, "ShimsApi.X86.lib") 7 | #endif 8 | -------------------------------------------------------------------------------- /Ring0/WFPFlt/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef NTDDI_VERSION 4 | #undef NTDDI_VERSION 5 | #define NTDDI_VERSION WDK_NTDDI_VERSION 6 | #else 7 | #define NTDDI_VERSION WDK_NTDDI_VERSION 8 | #endif 9 | 10 | #ifndef NDIS_SUPPORT_NDIS660 11 | #define NDIS_SUPPORT_NDIS660 1 12 | #endif 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | -------------------------------------------------------------------------------- /Ring3/Detours.User/Detours Version 3.0 Build_343: -------------------------------------------------------------------------------- 1 | Detours Version 3.0 Build_343 2 | -------------------------------------------------------------------------------- /Ring3/Detours.User/Detours.chm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring3/Detours.User/Detours.chm -------------------------------------------------------------------------------- /Ring3/Detours.User/VERSION.TXT: -------------------------------------------------------------------------------- 1 | Detours Version 3.0 Build_343 2 | 
-------------------------------------------------------------------------------- /Ring3/Detours.User/detver.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Common version parameters. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0 Build_343. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | #pragma once 10 | 11 | #ifdef _DEBUG 12 | #define DETOUR_DEBUG 1 13 | #endif 14 | 15 | #define DETOURS_INTERNAL 16 | 17 | //#define _USING_V110_SDK71_ 1 18 | #include "winver.h" 19 | #if 0 20 | #include 21 | #include 22 | #else 23 | #ifndef DETOURS_STRINGIFY 24 | #define DETOURS_STRINGIFY(x) DETOURS_STRINGIFY_(x) 25 | #define DETOURS_STRINGIFY_(x) #x 26 | #endif 27 | 28 | #define VER_FILEFLAGSMASK 0x3fL 29 | #define VER_FILEFLAGS 0x0L 30 | #define VER_FILEOS 0x00040004L 31 | #define VER_FILETYPE 0x00000002L 32 | #define VER_FILESUBTYPE 0x00000000L 33 | #endif 34 | #define VER_DETOURS_BITS DETOUR_STRINGIFY(DETOURS_BITS) 35 | 36 | #ifndef DETOURS_VERSION 37 | #define DETOURS_VERSION 30001 // 3.00.01 38 | #endif 39 | -------------------------------------------------------------------------------- /Ring3/Detours.User/disolarm.cpp: -------------------------------------------------------------------------------- 1 | #define DETOURS_ARM_OFFLINE_LIBRARY 2 | #include "disasm.cpp" 3 | -------------------------------------------------------------------------------- /Ring3/Detours.User/disolarm64.cpp: -------------------------------------------------------------------------------- 1 | #define DETOURS_ARM64_OFFLINE_LIBRARY 2 | #include "disasm.cpp" 3 | -------------------------------------------------------------------------------- /Ring3/Detours.User/disolia64.cpp: -------------------------------------------------------------------------------- 1 | #define DETOURS_IA64_OFFLINE_LIBRARY 2 | #include "disasm.cpp" 3 | 
-------------------------------------------------------------------------------- /Ring3/Detours.User/disolx64.cpp: -------------------------------------------------------------------------------- 1 | #define DETOURS_X64_OFFLINE_LIBRARY 2 | #include "disasm.cpp" 3 | -------------------------------------------------------------------------------- /Ring3/Detours.User/disolx86.cpp: -------------------------------------------------------------------------------- 1 | #define DETOURS_X86_OFFLINE_LIBRARY 2 | #include "disasm.cpp" 3 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/README.TXT: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Samples README File 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 8 | ## 9 | 10 | BUILDING: 11 | ========= 12 | To build the sample applications, type "nmake" in the samples directory. 13 | Note that you must build setdll and syslog in order to use many of the 14 | other sample programs. 15 | 16 | COMMENTS: 17 | ========= 18 | Each of the sample directories has a test, which can be invoked by typing 19 | "nmake test", to demonstrate the usage of the sample. With very few 20 | exceptions, all of the executables also accept a "/?" command to display a 21 | usage message. 22 | 23 | The trace* samples log their output through the syelogd.exe daemon and hook 24 | CreateProcessW to load themselves into any child processes. For example, 25 | typing "withdll -d:traceapi.dll cmd.exe" will create a command shell under 26 | which all processes log their API calls through traceapi.dll. 
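27 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/comeasy/comeasy.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detour Test Program (comeasy.cpp of comeasy.exe) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | ////////////////////////////////////////////////////////////////////////////// 15 | // 16 | /* Creates an in-memory stream, sizes it to 512 bytes, seeks to the start and performs three IStream::Write calls with a progress line before each, then releases the stream. Returns 0 on the normal path and 1 when the stream cannot be created. */ int __cdecl main(int argc, char **argv) 17 | { 18 | HRESULT hr; 19 | 20 | (void)argc; 21 | (void)argv; 22 | 23 | LPSTREAM pStream = NULL; 24 | ULARGE_INTEGER ul; 25 | LARGE_INTEGER li; 26 | 27 | printf("comeasy.exe: Starting (at %p).\n", main); 28 | 29 | CoInitialize(NULL); 30 | 31 | hr = CreateStreamOnHGlobal(NULL, TRUE, &pStream); /* Every later statement dereferences pStream, so stop here if no stream was produced. */ if (FAILED(hr) || pStream == NULL) { printf("comeasy.exe: CreateStreamOnHGlobal failed (hr=%08lx).\n", (unsigned long)hr); fflush(stdout); CoUninitialize(); return 1; } 32 | 33 | ul.QuadPart = 512; 34 | hr = pStream->SetSize(ul); 35 | 36 | li.QuadPart = 0; 37 | hr = pStream->Seek(li, STREAM_SEEK_SET, NULL); 38 | 39 | printf("comeasy.exe: First write.\n"); 40 | fflush(stdout); 41 | 42 | li.QuadPart = 0; 43 | /* NOTE(review): the results of SetSize, Seek and the three Write calls are stored in hr but never inspected. */ hr = pStream->Write(&ul, sizeof(ul), NULL); 44 | 45 | printf("comeasy.exe: Second write.\n"); 46 | fflush(stdout); 47 | 48 | li.QuadPart = 1; 49 | hr = pStream->Write(&li, sizeof(li), NULL); 50 | 51 | printf("comeasy.exe: Third write.\n"); 52 | fflush(stdout); 53 | 54 | li.QuadPart = 2; 55 | hr = pStream->Write(&li, sizeof(li), NULL); 56 | 57 | pStream->Release(); 58 | pStream = NULL; 59 | 60 | CoUninitialize(); 61 | 62 | printf("comeasy.exe: Exiting.\n\n"); 63 | fflush(stdout); 64 | 65 | return 0; 66 | } 67 | 68 | // 69 | ///////////////////////////////////////////////////////////////// End of File. 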
70 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/comeasy/wrotei.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for wrotei.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "wrotei" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "wrotei" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours COM Easy Sample" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/commem/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs. 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | all: dirs \ 15 | $(BIND)\commem.exe \ 16 | !IF $(DETOURS_SOURCE_BROWSING)==1 17 | $(OBJD)\commem.bsc 18 | !ENDIF 19 | 20 | clean: 21 | -del *~ *.obj *.sbr 2> nul 22 | -del $(BIND)\commem.* 2> nul 23 | -rmdir /q /s $(OBJD) 2>nul 24 | 25 | realclean: clean 26 | -rmdir /q /s $(OBJDS) 2>nul 27 | 28 | dirs: 29 | @if not exist $(BIND) mkdir $(BIND) && echo. Created $(BIND) 30 | @if not exist $(OBJD) mkdir $(OBJD) && echo. 
Created $(OBJD) 31 | 32 | $(BIND)\commem.obj : commem.cpp 33 | 34 | $(BIND)\commem.exe : $(OBJD)\commem.obj $(DEPS) 35 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\commem.obj \ 36 | /link $(LINKFLAGS) $(LIBS) ole32.lib /subsystem:console 37 | 38 | $(OBJD)\commem.bsc : $(OBJD)\commem.obj 39 | bscmake /v /n /o $@ $(OBJD)\commem.sbr 40 | 41 | ############################################################################## 42 | 43 | test: $(BIND)\commem.exe 44 | @echo. 45 | $(BIND)\commem.exe 46 | @echo. 47 | 48 | ################################################################# End of File. 49 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/cping/ReadMe.Txt: -------------------------------------------------------------------------------- 1 | Microsoft Research Detours Package, Version 3.0. 2 | ============================================================================== 3 | 4/2/98 4 | 5 | * Instrumentation: 6 | Read Pentium cycle counter 7 | 8 | * PC configuration: 9 | DCOM/TCP, Windows NT Server 4.0, 10 | between two 300MHz Pentium boxes, 11 | Ethernet connection 12 | 13 | * Client test program: 14 | HRESULT get(SHORT, SHORT, LONG*) 15 | average over 1,000 calls 16 | midl /Oicf 17 | 18 | * Results: 19 | get() { 20 | <-- (1) 21 | IRpcChannelBuffer::SendReceive()) { 22 | <-- (2) 23 | I_RpcSendReceive() { 24 | <-- (3) 25 | send(soc, ) 26 | <-- (4) 27 | NtWaitForSingleObject(soc, ) 28 | <-- (5) 29 | } // end of RPC layer 30 | <-- (6) 31 | } // end of channel object 32 | <-- (7) 33 | } // end of client call 34 | Average number 35 | of Pentium cycles 36 | (1) NDR marshaling overhead (2 SHORTs) 13 K 37 | (No! of which 11K from GetBuffer, 38 | of which 6.2K from I_RpcGetBuffer()!) 
39 | (2) Channel object one-way (send) overhead 1.0 K 40 | (3) RPC layer one-way (send) overhead 5.3 K 41 | (4) TCP + all server work 200 K 42 | (5) RPC layer one-way (recv) overhead 5.1 K 43 | (6) Channel object one-way (recv) overhead 2.2 K 44 | (7) NDR unmarshaling overhead (2 LONGs) 4.2 K 45 | 46 | (*) send() only 17 K 47 | TOTAL CYCLES for client get(): 230 K 48 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/cping/cping.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring3/Detours.User/samples/cping/cping.dat -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/cping/iping.idl: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Module: iping.idl (cping.exe - COM Ping) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | import "objidl.idl"; 10 | import "oaidl.idl"; 11 | import "oleidl.idl"; 12 | 13 | 14 | [object, uuid(decdbeef-d1ac-11d1-96bc-00aa00573fb0), pointer_default(unique)] 15 | interface IPing : IUnknown 16 | { 17 | HRESULT Ping(void); 18 | HRESULT PingToServer([in] LPSTR pszString); 19 | HRESULT PingToClient([out] LPSTR *ppszString); 20 | HRESULT PingToClientSize([in] ULONG cbOut); 21 | }; 22 | // 23 | ///////////////////////////////////////////////////////////////// End of File. 
24 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/disas/unk.cpp: -------------------------------------------------------------------------------- 1 | ///////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (x86.asm of disas.exe) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | static int value = 0; 11 | 12 | extern "C" void TestCodes() 13 | { 14 | value++; 15 | } 16 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/dtest/dtarge.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for dtarge.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "dtarge" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "dtarge" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Test Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/dumpe/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs. 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 
8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | all: dirs \ 15 | $(BIND)\dumpe.exe \ 16 | !IF $(DETOURS_SOURCE_BROWSING)==1 17 | $(OBJD)\dumpe.bsc 18 | !ENDIF 19 | 20 | clean: 21 | -del *~ 2>nul 22 | -del $(BIND)\dumpe.* 2>nul 23 | -rmdir /q /s $(OBJD) 2>nul 24 | 25 | realclean: clean 26 | -rmdir /q /s $(OBJDS) 2>nul 27 | 28 | dirs: 29 | @if not exist $(BIND) mkdir $(BIND) && echo. Created $(BIND) 30 | @if not exist $(OBJD) mkdir $(OBJD) && echo. Created $(OBJD) 31 | 32 | $(OBJD)\dumpe.obj : dumpe.cpp 33 | 34 | $(BIND)\dumpe.exe : $(OBJD)\dumpe.obj $(DEPS) 35 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\dumpe.obj \ 36 | /link $(LINKFLAGS) $(LIBS) \ 37 | /subsystem:console 38 | 39 | $(OBJD)\dumpe.bsc : $(OBJD)\dumpe.obj 40 | bscmake /v /n /o $@ $(OBJD)\dumpe.sbr 41 | 42 | ############################################################################## 43 | 44 | test: $(BIND)\dumpe.exe 45 | $(BIND)\dumpe.exe $(BIND)\slept.dll 46 | 47 | testx: $(BIND)\dumpe.exe 48 | cd $(MAKEDIR)\..\..\src 49 | nmake 50 | cd $(MAKEDIR) 51 | if exist $(SYSTEMROOT)\system32\browseui.dll $(BIND)\dumpe.exe browseui.dll 52 | 53 | ################################################################# End of File. 54 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/dumpi/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs - Dump Imports 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 
8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | all: dirs \ 15 | $(BIND)\dumpi.exe \ 16 | !IF $(DETOURS_SOURCE_BROWSING)==1 17 | $(OBJD)\dumpi.bsc \ 18 | !ENDIF 19 | 20 | clean: 21 | -del *~ 2>nul 22 | -del $(BIND)\dumpi.* 2>nul 23 | -rmdir /q /s $(OBJD) 2>nul 24 | 25 | realclean: clean 26 | -rmdir /q /s $(OBJDS) 2>nul 27 | 28 | dirs: 29 | @if not exist $(BIND) mkdir $(BIND) && echo. Created $(BIND) 30 | @if not exist $(OBJD) mkdir $(OBJD) && echo. Created $(OBJD) 31 | 32 | $(OBJD)\dumpi.obj : dumpi.cpp 33 | 34 | $(BIND)\dumpi.exe : $(OBJD)\dumpi.obj $(DEPS) 35 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\dumpi.obj \ 36 | /link $(LINKFLAGS) $(LIBS) \ 37 | /subsystem:console 38 | 39 | $(OBJD)\dumpi.bsc : $(OBJD)\dumpi.obj 40 | bscmake /v /n /o $@ $(OBJD)\dumpi.sbr 41 | 42 | ############################################################################## 43 | 44 | test: $(BIND)\dumpi.exe 45 | $(BIND)\dumpi.exe $(BIND)\slept.dll $(BIND)\sleepold.exe 46 | 47 | ################################################################# End of File. 
48 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/echo/echofx.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // 3 | // 4 | #include 5 | #include 6 | #include 7 | 8 | int WINAPI Echo(PCSTR pszMsg); 9 | 10 | /* Function pointer initialised to Echo; its address is what DetourAttach and DetourDetach below receive together with Mine_Echo. */ static int (WINAPI * Real_Echo)(PCSTR pszMsg) = Echo; 11 | 12 | /* Replacement routine: prints the argument, then forwards the call through Real_Echo and returns its result. NOTE(review): pszMsg is handed to "%s" without a null check. */ int WINAPI Mine_Echo(PCSTR pszMsg) 13 | { 14 | printf("Echo(%s)\n", pszMsg); 15 | return Real_Echo(pszMsg); 16 | } 17 | 18 | /* DLL entry point. Returns TRUE at once when DetourIsHelperProcess() is true. On DLL_PROCESS_ATTACH it attaches Mine_Echo inside a Detours transaction and prints whether the commit succeeded; on DLL_PROCESS_DETACH it detaches it the same way. Always returns TRUE, also when the commit reports an error. NOTE(review): only the result of DetourTransactionCommit is kept; the return values of DetourTransactionBegin, DetourUpdateThread, DetourAttach and DetourDetach are discarded. */ BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved) 19 | { 20 | LONG error; 21 | (void)hinst; 22 | (void)reserved; 23 | 24 | if (DetourIsHelperProcess()) { 25 | return TRUE; 26 | } 27 | 28 | if (dwReason == DLL_PROCESS_ATTACH) { 29 | DetourRestoreAfterWith(); 30 | 31 | printf("echofx" DETOURS_STRINGIFY(DETOURS_BITS) ".dll:" 32 | " Starting.\n"); 33 | fflush(stdout); 34 | 35 | DetourTransactionBegin(); 36 | DetourUpdateThread(GetCurrentThread()); 37 | DetourAttach(&(PVOID&)Real_Echo, Mine_Echo); 38 | error = DetourTransactionCommit(); 39 | 40 | if (error == NO_ERROR) { 41 | printf("echofx" DETOURS_STRINGIFY(DETOURS_BITS) ".dll:" 42 | " Detoured Echo().\n"); 43 | } 44 | else { 45 | /* error is a LONG printed with %d. */ printf("echofx" DETOURS_STRINGIFY(DETOURS_BITS) ".dll:" 46 | " Error detouring Echo(): %d\n", error); 47 | } 48 | } 49 | else if (dwReason == DLL_PROCESS_DETACH) { 50 | DetourTransactionBegin(); 51 | DetourUpdateThread(GetCurrentThread()); 52 | DetourDetach(&(PVOID&)Real_Echo, Mine_Echo); 53 | error = DetourTransactionCommit(); 54 | 55 | printf("echofx" DETOURS_STRINGIFY(DETOURS_BITS) ".dll:" 56 | " Removed Echo() (result=%d)\n", error); 57 | fflush(stdout); 58 | } 59 | return TRUE; 60 | } 61 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/echo/echofx.rc: -------------------------------------------------------------------------------- 1 | 
////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for echofx.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "echofx" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "echofx" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Echo Interception Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/echo/echonul.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // 3 | // 4 | #include 5 | 6 | int WINAPI Echo(PCSTR pszMsg) 7 | { 8 | int sum = 0; 9 | while (*pszMsg) { 10 | sum = sum + *pszMsg++; 11 | } 12 | return sum; 13 | } 14 | 15 | int main() 16 | { 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/echo/main.cpp: -------------------------------------------------------------------------------- 1 | // 2 | // 3 | // 4 | #include 5 | 6 | int WINAPI Echo(PCSTR pszMsg); 7 | 8 | extern "C" int __stdcall mainCRTStartup(HINSTANCE hInstance, 9 | HINSTANCE hPrevInstance, 10 | LPSTR lpCmdLine, 11 | int nCmdShow 12 | ) 13 | { 14 | (void)hInstance; 15 | (void)hPrevInstance; 16 | (void)lpCmdLine; 17 | (void)nCmdShow; 18 | 19 | Echo("Hello World"); 20 | Echo("Goodbye World"); 21 | 22 | return 0x99; 23 | } 24 | 25 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/einst/edll1x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // 
Detours Test Program (edll1x.cpp of edll1x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | #include 10 | #include 11 | #include 12 | 13 | //////////////////////////////////////////////////////////////////// DLL Stuff 14 | // 15 | struct CPrivateStuff 16 | { 17 | DETOUR_SECTION_HEADER header; 18 | DETOUR_SECTION_RECORD record; 19 | CHAR szMessage[32]; 20 | }; 21 | 22 | #pragma data_seg(".detour") 23 | 24 | static CPrivateStuff private_stuff = { 25 | DETOUR_SECTION_HEADER_DECLARE(sizeof(CPrivateStuff)), 26 | { 27 | (sizeof(CPrivateStuff) - sizeof(DETOUR_SECTION_HEADER)), 28 | 0, 29 | { /* d9ab8a40-f4cc-11d1-b6d7-006097b010e3 */ 30 | 0xd9ab8a40, 31 | 0xf4cc, 32 | 0x11d1, 33 | {0xb6, 0xd7, 0x00, 0x60, 0x97, 0xb0, 0x10, 0xe3} 34 | } 35 | }, 36 | "The First Dll!" 37 | }; 38 | #pragma data_seg() 39 | 40 | __declspec(dllexport) VOID WINAPI EDll1Function(VOID) 41 | { 42 | return; 43 | } 44 | 45 | __declspec(dllexport) ULONG WINAPI 46 | DllMain(HINSTANCE hInstance, DWORD dwReason, PVOID lpReserved) 47 | { 48 | (void)hInstance; 49 | (void)dwReason; 50 | (void)lpReserved; 51 | 52 | return TRUE; 53 | } 54 | 55 | ///////////////////////////////////////////////////////////////// End of File. 56 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/einst/edll2x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (edll2x.cpp of einst.exe/edll2x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 
8 | // 9 | #include 10 | #include 11 | #include 12 | 13 | //////////////////////////////////////////////////////////////////// DLL Stuff 14 | // 15 | struct CPrivateStuff 16 | { 17 | DETOUR_SECTION_HEADER header; 18 | DETOUR_SECTION_RECORD record; 19 | CHAR szMessage[32]; 20 | }; 21 | 22 | #pragma data_seg(".detour") 23 | 24 | static CPrivateStuff private_stuff = { 25 | DETOUR_SECTION_HEADER_DECLARE(sizeof(CPrivateStuff)), 26 | { 27 | (sizeof(CPrivateStuff) - sizeof(DETOUR_SECTION_HEADER)), 28 | 0, 29 | { /* d9ab8a40-f4cc-11d1-b6d7-006097b010e3 */ 30 | 0xd9ab8a40, 31 | 0xf4cc, 32 | 0x11d1, 33 | {0xb6, 0xd7, 0x00, 0x60, 0x97, 0xb0, 0x10, 0xe3} 34 | } 35 | }, 36 | "The Second Dll!" 37 | }; 38 | #pragma data_seg() 39 | 40 | __declspec(dllexport) VOID WINAPI EDll2Function(VOID) 41 | { 42 | return; 43 | } 44 | 45 | __declspec(dllexport) ULONG WINAPI 46 | DllMain(HINSTANCE hInstance, DWORD dwReason, PVOID lpReserved) 47 | { 48 | (void)hInstance; 49 | (void)dwReason; 50 | (void)lpReserved; 51 | 52 | return TRUE; 53 | } 54 | 55 | ///////////////////////////////////////////////////////////////// End of File. 56 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/excep/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs. 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 
8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | all: dirs \ 15 | $(BIND)\excep.exe \ 16 | !IF $(DETOURS_SOURCE_BROWSING)==1 17 | $(OBJD)\excep.bsc 18 | !ENDIF 19 | 20 | clean: 21 | -del *~ 2>nul 22 | -del $(BIND)\excep.* 2>nul 23 | -rmdir /q /s $(OBJD) 2>nul 24 | 25 | realclean: clean 26 | -rmdir /q /s $(OBJDS) 2>nul 27 | 28 | dirs: 29 | @if not exist $(BIND) mkdir $(BIND) && echo. Created $(BIND) 30 | @if not exist $(OBJD) mkdir $(OBJD) && echo. Created $(OBJD) 31 | 32 | $(OBJD)\excep.obj : excep.cpp 33 | $(OBJD)\firstexc.obj : firstexc.cpp 34 | 35 | $(BIND)\excep.exe : $(OBJD)\excep.obj $(OBJD)\firstexc.obj $(DEPS) 36 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\excep.obj $(OBJD)\firstexc.obj \ 37 | /link $(LINKFLAGS) $(LIBS) /subsystem:console /entry:WinMainCRTStartup 38 | 39 | $(OBJD)\excep.bsc : $(OBJD)\excep.obj 40 | bscmake /v /n /o $@ $(OBJD)\excep.sbr 41 | 42 | ############################################################################## 43 | 44 | test: $(BIND)\excep.exe 45 | $(BIND)\excep.exe 46 | 47 | ################################################################# End of File. 48 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/excep/firstexc.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (firstexc.h of firstexc.exe) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #pragma once 11 | #ifndef _FIRSTEXC_H_ 12 | #define _FIRSTEXC_H_ 13 | 14 | /////////////////////////////////////////////// First Chance Exception Filter. 
15 | // 16 | LPTOP_LEVEL_EXCEPTION_FILTER WINAPI 17 | DetourFirstChanceExceptionFilter(LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelFilter); 18 | 19 | #endif // _FIRSTEXC_H_ 20 | // 21 | //////////////////////////////////////////////////////////////// End of File. 22 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/findfunc/extend.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for extend.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "extend" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "extend" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Dyanmic Interception Test Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/findfunc/findfunc.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detour Test Program (findfunc.cpp of findfunc.exe) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 
8 | // 9 | 10 | #include 11 | #include 12 | #include 13 | #include "target.h" 14 | 15 | /* Prints every module returned by DetourEnumerateModules together with its file name, then calls Target three times, feeding each result plus 10000 into the next call. Returns 0. */ int __cdecl main(void) 16 | { 17 | printf("findfunc.exe: Starting.\n"); 18 | fflush(stdout); 19 | 20 | printf("DLLs:\n"); 21 | for (HMODULE hModule = NULL; (hModule = DetourEnumerateModules(hModule)) != NULL;) { 22 | CHAR szName[MAX_PATH] = { 0 }; 23 | /* The buffer is zero-filled and one byte is held back from the size passed in, so szName stays NUL-terminated even if the path is truncated. The return value is not checked. */ GetModuleFileNameA(hModule, szName, sizeof(szName) - 1); 24 | printf(" %p: %s\n", hModule, szName); 25 | } 26 | 27 | DWORD dwCount = 10000; 28 | for (int i = 0; i < 3; i++) { 29 | /* NOTE(review): dwCount is a DWORD printed with %d. */ printf("findfunc.exe: Calling (%d).\n", dwCount); 30 | dwCount = Target(dwCount) + 10000; 31 | } 32 | return 0; 33 | } 34 | // 35 | ///////////////////////////////////////////////////////////////// End of File. 36 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/findfunc/target.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detour Test Program (target.cpp of target.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include 11 | #include 12 | #include "target.h" 13 | 14 | /* Prints the incoming count and the value it returns, which is dwCount + 1. */ extern "C" DWORD WINAPI Hidden(DWORD dwCount) 15 | { 16 | printf("target.dll: Hidden(%d) -> %d.\n", dwCount, dwCount + 1); 17 | return dwCount + 1; 18 | } 19 | 20 | // We use this pointer to ensure Hidden isn't inlined. 21 | static DWORD (WINAPI * SelfHidden)(DWORD dwCount) = Hidden; 22 | 23 | /* Prints the incoming count, calls Hidden through SelfHidden with dwCount + 100, then prints and returns that result. */ DWORD WINAPI Target(DWORD dwCount) 24 | { 25 | printf("target.dll: Target (%d) -> %d.\n", dwCount, dwCount + 100); 26 | dwCount = SelfHidden(dwCount + 100); 27 | printf("target.dll: Target (.....) 
-> %d.\n", dwCount); 28 | return dwCount; 29 | } 30 | 31 | BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved) 32 | { 33 | (void)hinst; 34 | (void)dwReason; 35 | (void)reserved; 36 | 37 | return TRUE; 38 | } 39 | 40 | // 41 | ///////////////////////////////////////////////////////////////// End of File. 42 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/findfunc/target.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detour Test Program (target.h of target.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | DWORD WINAPI Target(DWORD dwCount); 11 | 12 | // 13 | ///////////////////////////////////////////////////////////////// End of File. 14 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/findfunc/target.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for target.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 
8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "target" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "target" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Test Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/impmunge/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs. 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | all: dirs \ 15 | $(BIND)\impmunge.exe \ 16 | !IF $(DETOURS_SOURCE_BROWSING)==1 17 | $(OBJD)\impmunge.bsc 18 | !ENDIF 19 | 20 | ############################################################################## 21 | 22 | clean: 23 | -del *~ test.exe.* 2>nul 24 | -del $(BIND)\impmunge.* 2>nul 25 | -rmdir /q /s $(OBJD) 2>nul 26 | 27 | realclean: clean 28 | -rmdir /q /s $(OBJDS) 2>nul 29 | 30 | ############################################################################## 31 | 32 | dirs: 33 | @if not exist $(BIND) mkdir $(BIND) && echo. Created $(BIND) 34 | @if not exist $(OBJD) mkdir $(OBJD) && echo. 
Created $(OBJD) 35 | 36 | $(OBJD)\impmunge.obj : impmunge.cpp 37 | 38 | $(BIND)\impmunge.exe : $(OBJD)\impmunge.obj $(DEPS) 39 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\impmunge.obj \ 40 | /link $(LINKFLAGS) $(LIBS) imagehlp.lib /subsystem:console 41 | 42 | $(OBJD)\impmunge.bsc : $(OBJD)\impmunge.obj 43 | bscmake /v /n /o $@ $(OBJD)\impmunge.sbr 44 | 45 | ############################################################################## 46 | 47 | test: $(BIND)\impmunge.exe 48 | $(BIND)\impmunge.exe /m /o:test.exe.1 $(BIND)\impmunge.exe 49 | $(BIND)\impmunge.exe /m /l- /o:test.exe.2 test.exe.1 50 | $(BIND)\impmunge.exe /m /l- /o:test.exe.3 test.exe.2 51 | $(BIND)\impmunge.exe /m /l- /o:test.exe.4 test.exe.3 52 | $(BIND)\impmunge.exe /l test.exe.4 53 | $(BIND)\impmunge.exe /r /l- /o:test.exe.0 test.exe.4 54 | $(BIND)\impmunge.exe /l test.exe.0 55 | 56 | ################################################################# End of File. 57 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/member/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs. 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | all: dirs \ 15 | $(BIND)\member.exe \ 16 | !IF $(DETOURS_SOURCE_BROWSING)==1 17 | $(OBJD)\member.bsc 18 | !ENDIF 19 | 20 | clean: 21 | -del *~ 2> nul 22 | -del $(BIND)\member.* 2> nul 23 | -rmdir /q /s $(OBJD) 2>nul 24 | 25 | realclean: clean 26 | -rmdir /q /s $(OBJDS) 2>nul 27 | 28 | dirs: 29 | @if not exist $(BIND) mkdir $(BIND) && echo. Created $(BIND) 30 | @if not exist $(OBJD) mkdir $(OBJD) && echo. 
Created $(OBJD) 31 | 32 | $(OBJD)\member.obj : member.cpp 33 | 34 | $(BIND)\member.exe : $(OBJD)\member.obj $(DEPS) 35 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\member.obj \ 36 | /link $(LINKFLAGS) $(LIBS) /subsystem:console 37 | 38 | $(OBJD)\member.bsc : $(OBJD)\member.obj 39 | bscmake /v /n /o $@ $(OBJD)\member.sbr 40 | 41 | ############################################################################## 42 | 43 | test: $(BIND)\member.exe 44 | @echo. 45 | $(BIND)\member.exe 46 | @echo. 47 | 48 | ################################################################# End of File. 49 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/opengl/ogldet.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for ogldet.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 
8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "ogldet" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "ogldet" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Open GL Test Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/opengl/testogl.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // File: testogl.cpp 4 | // Module: testogl.exe (oglsimple.dll) 5 | // 6 | 7 | #include 8 | #include 9 | #include 10 | // Prints a start banner, makes one glFinish() call, prints a done banner and returns 0. 11 | int __cdecl main() 12 | { 13 | printf("testogl.exe: Starting\n"); 14 | fflush(stdout); 15 | 16 | glFinish(); 17 | 18 | printf("testogl.exe: done\n"); 19 | fflush(stdout); 20 | 21 | return 0; 22 | } 23 | // 24 | ///////////////////////////////////////////////////////////////// End of File. 25 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/region/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs. 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | all: dirs \ 15 | $(BIND)\region.exe \ 16 | !IF $(DETOURS_SOURCE_BROWSING)==1 17 | $(OBJD)\region.bsc 18 | !ENDIF 19 | 20 | clean: 21 | -del *~ 2> nul 22 | -del $(BIND)\region.* 2> nul 23 | -rmdir /q /s $(OBJD) 2>nul 24 | 25 | realclean: clean 26 | -rmdir /q /s $(OBJDS) 2>nul 27 | 28 | dirs: 29 | @if not exist $(BIND) mkdir $(BIND) && echo.
Created $(BIND) 30 | @if not exist $(OBJD) mkdir $(OBJD) && echo. Created $(OBJD) 31 | 32 | $(OBJD)\region.obj : region.cpp 33 | 34 | $(BIND)\region.exe : $(OBJD)\region.obj $(DEPS) 35 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\region.obj \ 36 | /link $(LINKFLAGS) $(LIBS) /subsystem:console 37 | 38 | $(OBJD)\region.bsc : $(OBJD)\region.obj 39 | bscmake /v /n /o $@ $(OBJD)\region.sbr 40 | 41 | ############################################################################## 42 | 43 | test: $(BIND)\region.exe 44 | @echo. 45 | $(BIND)\region.exe 46 | @echo. 47 | 48 | ################################################################# End of File. 49 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/setdll/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs. 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | all: dirs \ 15 | $(BIND)\setdll.exe \ 16 | !IF $(DETOURS_SOURCE_BROWSING)==1 17 | $(OBJD)\setdll.bsc \ 18 | !ENDIF 19 | option 20 | 21 | ############################################################################## 22 | 23 | clean: 24 | -del *~ 2>nul 25 | -del $(BIND)\setdll.* 2>nul 26 | -rmdir /q /s $(OBJD) 2>nul 27 | 28 | realclean: clean 29 | -rmdir /q /s $(OBJDS) 2>nul 30 | 31 | ############################################################################## 32 | 33 | dirs: 34 | @if not exist $(BIND) mkdir $(BIND) && echo. Created $(BIND) 35 | @if not exist $(OBJD) mkdir $(OBJD) && echo. 
Created $(OBJD) 36 | 37 | $(OBJD)\setdll.obj : setdll.cpp 38 | 39 | $(BIND)\setdll.exe : $(OBJD)\setdll.obj $(DEPS) 40 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\setdll.obj \ 41 | /link $(LINKFLAGS) $(LIBS) /subsystem:console 42 | 43 | $(OBJD)\setdll.bsc : $(OBJD)\setdll.obj 44 | bscmake /v /n /o $@ $(OBJD)\setdll.sbr 45 | 46 | ############################################### Install non-bit-size binaries. 47 | 48 | option: 49 | 50 | ############################################################################## 51 | 52 | test: all 53 | @echo -------- Reseting test binaries to initial state. ----------------------- 54 | $(BIND)\setdll.exe -d:$(BIND)\slept$(DETOURS_BITS).dll $(BIND)\sleepold.exe 55 | @echo -------- Should load slept$(DETOURS_BITS).dll statically ------------------------------- 56 | $(BIND)\sleepold.exe 57 | @echo -------- Reseting test binaries to initial state. ----------------------- 58 | $(BIND)\setdll.exe -r $(BIND)\sleepold.exe 59 | @echo -------- Should not load slept$(DETOURS_BITS).dll -------------------------------------- 60 | $(BIND)\sleepold.exe 61 | 62 | ################################################################# End of File. 63 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/simple/simple.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for simple.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 
8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "simple" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "simple" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Test Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/simple/sleep5.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (sleep5.cpp of sleep5.exe) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include 11 | #include 12 | #include 13 | // With exactly one argument, sleeps for that many seconds; otherwise prints a banner and sleeps for 5 seconds. NOTE(review): atoi(argv[1]) * 1000 is unchecked - non-numeric input yields 0, a large value overflows the int multiply, and a negative value converts to a very long DWORD timeout. 14 | int __cdecl main(int argc, char ** argv) 15 | { 16 | if (argc == 2) { 17 | Sleep(atoi(argv[1]) * 1000); 18 | } 19 | else { 20 | printf("sleep5.exe: Starting.\n"); 21 | 22 | Sleep(5000); 23 | 24 | printf("sleep5.exe: Done sleeping.\n"); 25 | } 26 | return 0; 27 | } 28 | // 29 | ///////////////////////////////////////////////////////////////// End of File. 30 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/slept/dslept.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for dslept.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved.
8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "dslept" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "dslept" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Sleep Interception Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/slept/sleepold.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detour Test Program (sleepold.cpp of sleepold.exe) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include 11 | #include 12 | 13 | #include "verify.cpp" 14 | // Test target: prints its start address, dumps the start of SleepEx via Verify() unless "-quiet" is given, waits on a named event when "-wait" is given, then calls Sleep, SleepEx and Sleep for one second each. 15 | int __cdecl main(int argc, char **argv) 16 | { 17 | BOOL fQuiet = FALSE; 18 | 19 | if (argc == 2 && _stricmp(argv[1], "-quiet") == 0) { 20 | fQuiet = TRUE; 21 | } 22 | 23 | // 24 | // Verify what the code looks like. 25 | // 26 | printf("sleepold.exe: Starting (at %p).\n", main); 27 | if (!fQuiet) { 28 | Verify("SleepEx", (PBYTE)SleepEx); 29 | printf("\n"); 30 | } 31 | fflush(stdout); 32 | 33 | // 34 | // See if another process wants us to wait on a shared event. 35 | // This helps in testing loading a DLL into a new process. 36 | // NOTE(review): the event is opened by a fixed, well-known name, so whichever process created an object of that name decides when (or whether) the INFINITE wait below returns; the handle is not closed explicitly. 37 | if (argc == 2 && _stricmp(argv[1], "-wait") == 0) { 38 | HANDLE hEvent = OpenEventA(SYNCHRONIZE, FALSE, "detours_load_test_event"); 39 | if (hEvent) { 40 | printf("sleepold.exe: Waiting for detours_load_test_event to be set.\n"); 41 | fflush(stdout); 42 | WaitForSingleObject(hEvent, INFINITE); 43 | } 44 | else { 45 | printf("sleepold.exe: Couldn't open detours_load_test_event.\n"); 46 | } 47 | } 48 | 49 | // 50 | // Try out sleep (which may be detoured).
51 | // 52 | printf("sleepold.exe: Calling Sleep for 1 second.\n"); 53 | Sleep(1000); 54 | 55 | printf("sleepold.exe: Calling SleepEx for 1 second.\n"); 56 | SleepEx(1000, false); 57 | 58 | printf("sleepold.exe: Calling Sleep again for 1 second.\n"); 59 | Sleep(1000); 60 | 61 | // DebugBreak(); 62 | 63 | printf("sleepold.exe: Done sleeping.\n\n"); 64 | fflush(stdout); 65 | 66 | return 0; 67 | } 68 | // 69 | ///////////////////////////////////////////////////////////////// End of File. 70 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/slept/slept.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detour Test Program (slept.h of slept.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | DWORD WINAPI UntimedSleepEx(DWORD dwMilliseconds, BOOL bAlertable); 11 | DWORD WINAPI TimedSleepEx(DWORD dwMilliseconds, BOOL bAlertable); 12 | DWORD WINAPI GetSleptTicks(VOID); 13 | DWORD WINAPI TestTicks(VOID); 14 | DWORD WINAPI TestTicksEx(DWORD Add); 15 | 16 | // 17 | ///////////////////////////////////////////////////////////////// End of File. 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/slept/slept.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for sleep.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved.
8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "sleep" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "sleep" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Sleep Test Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/slept/verify.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detour Test Program (verify.cpp) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include 11 | // Dump: hex-dumps nBytes bytes starting at pbBytes, 16 per row in groups of four, and appends pbTarget to the first row when it is not DETOUR_INSTRUCTION_TARGET_NONE. 12 | static VOID Dump(PBYTE pbBytes, LONG nBytes, PBYTE pbTarget) 13 | { 14 | for (LONG n = 0; n < nBytes; n += 16) { 15 | printf(" %p: ", pbBytes + n); 16 | for (LONG m = n; m < n + 16; m++) { 17 | if (m >= nBytes) { 18 | printf(" "); 19 | } 20 | else { 21 | printf("%02x", pbBytes[m]); 22 | } 23 | if (m % 4 == 3) { 24 | printf(" "); 25 | } 26 | } 27 | if (n == 0 && pbTarget != DETOUR_INSTRUCTION_TARGET_NONE) { 28 | printf(" [%p]", pbTarget); 29 | } 30 | printf("\n"); 31 | } 32 | } 33 | // Decode: prints pbCode (and pbPointer when it differs), returns early when pbCode equals pbOther, otherwise dumps nInst consecutive instructions starting at pbCode. The bytes are read directly from memory, so pbCode must point at readable code. 34 | static VOID Decode(PCSTR pszDesc, PBYTE pbCode, PBYTE pbOther, PBYTE pbPointer, LONG nInst) 35 | { 36 | if (pbCode != pbPointer) { 37 | printf(" %s = %p [%p]\n", pszDesc, pbCode, pbPointer); 38 | } 39 | else { 40 | printf(" %s = %p\n", pszDesc, pbCode); 41 | } 42 | 43 | if (pbCode == pbOther) { 44 | printf(" ...
unchanged ...\n"); 45 | return; 46 | } 47 | // NOTE(review): the pointer returned by DetourCopyInstruction is used unchecked as the end of this instruction and the start of the next read. 48 | PBYTE pbSrc = pbCode; 49 | PBYTE pbEnd; 50 | PVOID pbTarget; 51 | for (LONG n = 0; n < nInst; n++) { 52 | pbEnd = (PBYTE)DetourCopyInstruction(NULL, NULL, pbSrc, &pbTarget, NULL); 53 | Dump(pbSrc, (int)(pbEnd - pbSrc), (PBYTE)pbTarget); 54 | pbSrc = pbEnd; 55 | } 56 | } 57 | 58 | // Verify: resolves pvPointer with DetourCodeFromPointer and dumps 3 instructions from the resulting address. 59 | VOID WINAPI Verify(PCHAR pszFunc, PVOID pvPointer) 60 | { 61 | PVOID pvCode = DetourCodeFromPointer(pvPointer, NULL); 62 | 63 | Decode(pszFunc, (PBYTE)pvCode, NULL, (PBYTE)pvPointer, 3); 64 | } 65 | // VerifyEx: resolves pvPointer with DetourCodeFromPointer and dumps nInst instructions from the resulting address. 66 | VOID WINAPI VerifyEx(PCHAR pszFunc, PVOID pvPointer, LONG nInst) 67 | { 68 | PVOID pvCode = DetourCodeFromPointer(pvPointer, NULL); 69 | 70 | Decode(pszFunc, (PBYTE)pvCode, NULL, (PBYTE)pvPointer, nInst); 71 | } 72 | 73 | // 74 | ///////////////////////////////////////////////////////////////// End of File. 75 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll1x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll1x.cpp of talloc.exe/tdll1x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll1Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File.
18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll2x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll2x.cpp of talloc.exe/tdll2x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll2Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File. 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll3x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll3x.cpp of talloc.exe/tdll3x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll3Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File.
18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll4x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll4x.cpp of talloc.exe/tdll4x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll4Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File. 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll5x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll5x.cpp of talloc.exe/tdll5x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll5Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File.
18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll6x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll6x.cpp of talloc.exe/tdll6x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll6Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File. 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll7x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll7x.cpp of talloc.exe/tdll7x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll7Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File.
18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll8x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll8x.cpp of talloc.exe/tdll8x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll8Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File. 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/talloc/tdll9x.cpp: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tdll9x.cpp of talloc.exe/tdll9x.dll) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | //////////////////////////////////////////////////////////////////// DLL Stuff 11 | // Exported test function: returns Value + 1. 12 | __declspec(dllexport) unsigned long __stdcall Dll9Function(unsigned long Value) 13 | { 14 | return Value + 1; 15 | } 16 | 17 | ///////////////////////////////////////////////////////////////// End of File. 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/traceapi/trcapi.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for trcapi.rc.
4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "trcapi" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "trcapi" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Win32 API Tracing Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/tracebld/tracebld.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Detours Test Program (tracebld.h of tracebld.exe) 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | #pragma once 10 | #ifndef _TRACEBLD_H_ 11 | #define _TRACEBLD_H_ 12 | #include 13 | 14 | ////////////////////////////////////////////////////////////////////////////// 15 | // Fixed named-pipe path, in ANSI and wide form; TBLOG_PIPE_NAME selects one by UNICODE. 16 | // NOTE(review): the name is constant and well known, so another local process can create a pipe of this name first; the creation flags and ACL are not visible in this header - confirm at the call site that creates the pipe. 17 | #define TBLOG_PIPE_NAMEA "\\\\.\\pipe\\tracebuild" 18 | #define TBLOG_PIPE_NAMEW L"\\\\.\\pipe\\tracebuild" 19 | #ifdef UNICODE 20 | #define TBLOG_PIPE_NAME TBLOG_PIPE_NAMEW 21 | #else 22 | #define TBLOG_PIPE_NAME TBLOG_PIPE_NAMEA 23 | #endif 24 | 25 | ////////////////////////////////////////////////////////////////////////////// 26 | // One message record, 32768 bytes in total. NOTE(review): nBytes is presumably the sender-supplied length; a reader should check it against sizeof(TBLOG_MESSAGE) before using it to index szMessage - TODO confirm in the code that reads the pipe. 27 | typedef struct _TBLOG_MESSAGE 28 | { 29 | DWORD nBytes; 30 | CHAR szMessage[32764]; // 32768 - sizeof(nBytes) 31 | } TBLOG_MESSAGE, *PTBLOG_MESSAGE; 32 | // Fixed-size state record; every field is a scalar or a fixed-length array, so code filling it must bound rGeneology to 64 entries and each string to its array size. 33 | typedef struct _TBLOG_PAYLOAD 34 | { 35 | DWORD nParentProcessId; 36 | DWORD nTraceProcessId; 37 | DWORD nGeneology; 38 | DWORD rGeneology[64]; 39 | WCHAR wzParents[256]; 40 | WCHAR wzStdin[256]; 41 | WCHAR wzStdout[256]; 42 | WCHAR wzStderr[256]; 43 | BOOL fStdoutAppend; 44 | BOOL fStderrAppend;
45 | WCHAR wzzDrop[1024]; // Like an environment: zero terminated strings with a last zero. 46 | WCHAR wzzEnvironment[32768]; 47 | } TBLOG_PAYLOAD, *PTBLOG_PAYLOAD; 48 | 49 | // Shared state payload guid. 50 | // 51 | const GUID s_guidTrace = { 52 | 0xd8e2dc69, 0x3004, 0x453e, 53 | {0x94, 0x15, 0x19, 0x0e, 0x79, 0xe8, 0x93, 0x52} 54 | }; 55 | 56 | 57 | #endif // _TRACEBLD_H_ 58 | // 59 | ///////////////////////////////////////////////////////////////// End of File. 60 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/tracebld/trcbld.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for trcbld.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "trcbld" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "trcbld" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Build Tracing Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/tracelnk/trclnk.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for trclnk.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved.
8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "trclnk" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "trclnk" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Dynamic Linking Trace Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/tracemem/trcmem.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for trcmem.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "trcmem" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "trcmem" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Memory Trace Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/tracereg/trcreg.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for trcreg.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 
8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "trcreg" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "trcreg" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Registry Trace Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/traceser/trcser.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for trcser.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "trcser" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "trcsrc" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours Serial Trace Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/tracessl/trcssl.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for trcssl.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 
8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "trcssl" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "trcsll" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours SSL Trace Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/tracetcp/trctcp.rc: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Version information for trctcp.rc. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "trctcp" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "trctcp" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours TCP Trace Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/tryman/managed.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Reflection; 3 | using System.Runtime.InteropServices; 4 | 5 | [assembly: AssemblyProduct("Microsoft Research Detours")] 6 | [assembly: AssemblyCompany("Microsoft Corporation")] 7 | [assembly: AssemblyVersion("1.0.0.0")] 8 | 9 | public class Test 10 | { 11 | // [DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)] 12 | // static extern IntPtr LoadLibrary([In, MarshalAs(UnmanagedType.LPStr)] string lpFileName); 13 | 14 | [DllImport("kernel32", CharSet=CharSet.Auto, SetLastError=true)] 15 | static extern IntPtr LoadLibrary(string 
lpFileName);

    // Entry point of the managed half of the tryman sample. Prints the
    // bitness of the running CLR (taken from IntPtr.Size) and then asks the
    // LoadLibrary P/Invoke declared above to load the matching native test
    // DLL. Returns 0 on every path, including when the DLL fails to load.
    public static int Main()
    {
        if (IntPtr.Size == 4) {
            Console.WriteLine(" *** Managed code with 32-bit runtime ({0})",
                              Environment.Version);
        }
        else if (IntPtr.Size == 8) {
            Console.WriteLine(" *** Managed code with 64-bit runtime ({0})",
                              Environment.Version);
        }
        else {
            Console.WriteLine(" *** Managed code of unknown IntPtr.Size: {0}", IntPtr.Size);
        }

        // The DLL is requested by bare file name, so Windows resolves it
        // through the standard DLL search order rather than a fixed location.
        // NOTE(review): acceptable for a sample run from its own build
        // directory; code reused elsewhere should pass a fully qualified path
        // so that a same-named DLL earlier in the search order is not loaded.
        if (IntPtr.Size == 4) {
            if (LoadLibrary("tstman32.dll") == (IntPtr)0) {
                Console.WriteLine("--------: managed code failed to load tstman32.dll");

            }
        }
        else {
            // Any IntPtr.Size other than 4 takes this branch, including the
            // "unknown" case reported above.
            if (LoadLibrary("tstman64.dll") == (IntPtr)0) {
                Console.WriteLine("--------: managed code failed to load tstman64.dll");

            }
        }

        return 0;
    }
}



--------------------------------------------------------------------------------
/Ring3/Detours.User/samples/tryman/tryman.cpp:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////////////////////////////////
//
// Detours Test Program (tryman.cpp of tryman.exe)
//
// Microsoft Research Detours Package, Version 3.0.
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//

#include

// Defined outside this file; only the declaration is visible here.
extern int WINAPI Test3264(int arg);

// Passes argc to Test3264 and ignores argv.
// NOTE(review): `ret == 0 ? ret : 0` evaluates to 0 on both branches, so the
// process exit code never reflects a non-zero result from Test3264. Confirm
// that this is intended before relying on the exit code in a test harness.
int __cdecl main(int argc, char ** argv)
{
    (void)argv;
    int ret = 0;

    ret = Test3264(argc);
    return ret == 0 ? ret : 0;
}
//
///////////////////////////////////////////////////////////////// End of File.

--------------------------------------------------------------------------------
/Ring3/Detours.User/samples/tryman/tstman.rc:
--------------------------------------------------------------------------------
//////////////////////////////////////////////////////////////////////////////
//
// Version information for tstman.rc.
4 | // 5 | // Microsoft Research Detours Package, Version 3.0. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #include "detver.h" 11 | 12 | #define VER_INTERNALNAME_STR "tstman" DETOURS_STRINGIFY(DETOURS_BITS) 13 | #define VER_ORIGINALFILENAME_STR "tstman" DETOURS_STRINGIFY(DETOURS_BITS) ".dll" 14 | #define VER_FILEDESCRIPTION_STR "Detours 32/64-bit Test Module" 15 | #define VER_COMPANYNAME_STR "Microsoft Corporation" 16 | 17 | #include "common.ver" 18 | -------------------------------------------------------------------------------- /Ring3/Detours.User/samples/withdll/Makefile: -------------------------------------------------------------------------------- 1 | ############################################################################## 2 | ## 3 | ## Makefile for Detours Test Programs. 4 | ## 5 | ## Microsoft Research Detours Package, Version 3.0. 6 | ## 7 | ## Copyright (c) Microsoft Corporation. All rights reserved. 8 | ## 9 | 10 | !include ..\common.mak 11 | 12 | LIBS=$(LIBS) kernel32.lib 13 | 14 | ############################################################################## 15 | 16 | all: dirs \ 17 | $(BIND)\withdll.exe \ 18 | !IF $(DETOURS_SOURCE_BROWSING)==1 19 | $(OBJD)\withdll.bsc \ 20 | !ENDIF 21 | option 22 | 23 | clean: 24 | -del *~ 2>nul 25 | -del $(BIND)\withdll.* 2>nul 26 | -rmdir /q /s $(OBJD) 2>nul 27 | 28 | realclean: clean 29 | -rmdir /q /s $(OBJDS) 2>nul 30 | 31 | ############################################################################## 32 | 33 | dirs: 34 | @if not exist $(BIND) mkdir $(BIND) && echo. Created $(BIND) 35 | @if not exist $(OBJD) mkdir $(OBJD) && echo. 
Created $(OBJD) 36 | 37 | $(OBJD)\withdll.obj : withdll.cpp 38 | 39 | $(BIND)\withdll.exe : $(OBJD)\withdll.obj $(DEPS) 40 | cl $(CFLAGS) /Fe$@ /Fd$(@R).pdb $(OBJD)\withdll.obj \ 41 | /link $(LINKFLAGS) $(LIBS) /subsystem:console 42 | 43 | $(OBJD)\withdll.bsc : $(OBJD)\withdll.obj 44 | bscmake /v /n /o $@ $(OBJD)\withdll.sbr 45 | 46 | ############################################### Install non-bit-size binaries. 47 | 48 | option: 49 | 50 | ############################################################################## 51 | 52 | test: all 53 | $(BIND)\withdll.exe -d:$(BIND)\slept$(DETOURS_BITS).dll $(BIND)\sleepold.exe 54 | $(BIND)\withdll.exe -v -d:$(BIND)\slept$(DETOURS_BITS).dll $(BIND)\sleepold.exe 55 | 56 | debug: all 57 | windbg -c ".srcfix;l+s;l+t" -o \ 58 | $(BIND)\withdll.exe -d:$(BIND)\slept$(DETOURS_BITS).dll $(BIND)\sleepold.exe 59 | 60 | ################################################################# End of File. 61 | -------------------------------------------------------------------------------- /Ring3/MiniFlt.Owl.User/MiniFlt.Owl.User.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 6 | h;hh;hpp;hxx;hm;inl;inc;xsd 7 | 8 | 9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 11 | 12 | 13 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 14 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /Ring3/MiniFlt.Owl.User/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /Ring3/MiniFlt.Owl.User/stdafx.h: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring3/MiniFlt.Owl.User/stdafx.h -------------------------------------------------------------------------------- /Ring3/Owl.User/Owl.User.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {8248ec0b-fa6f-4b44-9c36-849c98e6ad2a} 6 | 7 | 8 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 9 | h;hh;hpp;hxx;hm;inl;inc;xsd 10 | 11 | 12 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 13 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 14 | 15 | 16 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 17 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Include 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /Ring3/Owl.User/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /Ring3/Owl.User/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring3/Owl.User/stdafx.h -------------------------------------------------------------------------------- /Ring3/UnitTest.Ring3/UnitTest.Ring3.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | 
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 头文件 20 | 21 | 22 | 23 | 24 | 源文件 25 | 26 | 27 | 源文件 28 | 29 | 30 |
--------------------------------------------------------------------------------
/Ring3/UnitTest.Ring3/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring3/UnitTest.Ring3/stdafx.cpp
--------------------------------------------------------------------------------
/Ring3/UnitTest.Ring3/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring3/UnitTest.Ring3/stdafx.h
--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Device.Disk.h:
--------------------------------------------------------------------------------
#pragma once


// Declarations of the disk-device helpers. Only the signatures are visible
// in this header; the notes below describe what the signatures establish and
// mark everything else as an assumption.
namespace MBox::Vol::Device
{
// Writes a device name for disk aDiskNumber into aName.
// aNameCharCount is presumably the capacity of aName in wchar_t elements,
// not bytes - TODO confirm against the implementation.
HRESULT GetDiskDeviceName(
    UINT32 aDiskNumber,
    wchar_t* aName,
    UINT32 aNameCharCount);

// Combined form of GetDiskLetters and GetDiskType below: takes the same
// letter buffer parameters plus an aDiskType output.
HRESULT GetDiskLettersAndType(
    UINT32 aDiskNumber,
    wchar_t* aLetters,
    UINT32 aLettersCharCount,
    UINT32* aReturnedLetterCount,
    UINT32* aDiskType);

// aLettersCharCount is presumably the capacity of aLetters in wchar_t
// elements; aReturnedLetterCount receives a count - TODO confirm whether it
// is written when the buffer is too small.
HRESULT GetDiskLetters(
    UINT32 aDiskNumber,
    wchar_t* aLetters,
    UINT32 aLettersCharCount,
    UINT32* aReturnedLetterCount);

HRESULT GetDiskType(
    UINT32 aDiskNumber,
    UINT32* aDiskType);

// Opens disk aDiskNumber and returns the handle through aDisk.
// Defaults: aDesiredAccess = FILE_ALL_ACCESS and aShareMode = 0.
// NOTE(review): a caller that only queries geometry or properties does not
// need the full access mask; passing a narrower aDesiredAccess keeps a leaked
// or misused handle from granting write access to the raw disk. Confirm
// which API the implementation forwards these two values to.
HRESULT DiskOpen(
    HANDLE* aDisk,
    UINT32 aDiskNumber,
    UINT32 aDesiredAccess = FILE_ALL_ACCESS,
    UINT32 aShareMode = 0);

// Takes the handle by non-const reference, so the implementation is able to
// reset the caller's variable - presumably it does; verify.
void DiskClose(
    HANDLE& aDisk);

HRESULT DiskRefreshProperties(
    HANDLE aDisk);

// Reports existence through aIsExists; the HRESULT carries the call status.
HRESULT IsExistsDisk(UINT32 aDiskNumber, bool* aIsExists);

HRESULT GetDiskGeometry(HANDLE aDisk, DISK_GEOMETRY& aGeometry);

HRESULT
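GetSectorSize(HANDLE aDisk, UINT32& aSectorSize);

}

--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Process.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
#include "Vol.Process.h"


namespace MBox::Vol::Process
{
// Reports whether the process behind aProcessHandle runs under WOW64.
//
// The Win32 IsWow64Process export is resolved at run time from Kernel32.dll
// and cached in a function-local static, so the lookup happens only until it
// first succeeds.
//
// Parameters:
//   aProcessHandle - handle passed through unchanged to the Win32 routine.
//   aWow64Process  - receives TRUE or FALSE; set to FALSE on every failure
//                    path. Must not be null.
//
// Returns S_OK on success, E_POINTER when aWow64Process is null, otherwise
// HRESULT_FROM_WIN32(GetLastError()) of the step that failed.
HRESULT IsWow64Process(
    HANDLE aProcessHandle,
    BOOLEAN * aWow64Process)
{
    using IsWow64Process$Type = BOOL(WINAPI*)(HANDLE, PBOOL);

    // Not synchronized: concurrent first calls would each resolve and store
    // the same address.
    static IsWow64Process$Type sIsWow64Process = nullptr;

    // The original wrote through the pointer unconditionally; reject a null
    // out-parameter instead of faulting.
    if (nullptr == aWow64Process)
    {
        return E_POINTER;
    }
    *aWow64Process = FALSE;

    if (nullptr == sIsWow64Process)
    {
        // GetModuleHandleW only looks up a module that is already mapped
        // into this process; it does not load anything from disk, so no
        // DLL search path is involved here.
        auto vModuleHandle = GetModuleHandleW(L"Kernel32.dll");
        if (nullptr == vModuleHandle)
        {
            return HRESULT_FROM_WIN32(GetLastError());
        }

        auto vRoutinue = GetProcAddress(vModuleHandle, "IsWow64Process");
        if (nullptr == vRoutinue)
        {
            return HRESULT_FROM_WIN32(GetLastError());
        }

        sIsWow64Process = reinterpret_cast<IsWow64Process$Type>(vRoutinue);
    }

    BOOL vWow64Process = FALSE;
    if (!sIsWow64Process(aProcessHandle, &vWow64Process))
    {
        return HRESULT_FROM_WIN32(GetLastError());
    }

    *aWow64Process = BOOLEAN(vWow64Process);
    return S_OK;
}
}

--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Process.h:
--------------------------------------------------------------------------------
#pragma once


namespace MBox::Vol::Process
{
HRESULT IsWow64Process(
    HANDLE aProcessHandle,
    BOOLEAN* aWow64Process);
}

--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Security.Sddl.h:
--------------------------------------------------------------------------------
#pragma once

namespace MBox
{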
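namespace Vol
{
namespace Security
{
// SDDL string for a SACL that carries one mandatory-label ACE:
//   S:  - the SACL part of the descriptor
//   ML  - ACE type "mandatory label"
//   NW  - policy "no write up" (lower-integrity subjects may not write)
//   LW  - the low integrity level SID
#define Vol$Sddl$Sacl$LowIntegrity L"S:(ML;;NW;;;LW)"



}
}
}

--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Security.SecurityDescriptor.h:
--------------------------------------------------------------------------------
#pragma once
#include
#include


namespace MBox
{
namespace Vol
{
namespace Security
{
// Sid and SecurityDescriptor are declared outside this header. Only the
// signatures below are visible; ownership notes are assumptions to confirm.

// Presumably the byte size of a SID with aSubAuthorityCount sub-authorities.
UINT32 GetSidNeedLength(unsigned char aSubAuthorityCount);

// Builds a Sid from its string form and returns it through aSid.
// Presumably released with FreeSid - TODO confirm.
HRESULT BuildSid(const wchar_t* aStringSid, Sid** aSid);
void FreeSid(Sid* aSid);

// Builds a SecurityDescriptor from the SDDL text in aSddl.
// aSecurityDescriptorBytes is optional (defaults to nullptr) and, by its
// name, receives the descriptor size in bytes. Presumably released with
// FreeSecurityDescriptor - TODO confirm.
HRESULT BuildSecurityDescriptor(
    const wchar_t* aSddl,
    SecurityDescriptor ** aSecurityDescriptor,
    UINT32* aSecurityDescriptorBytes = nullptr);

void FreeSecurityDescriptor(
    SecurityDescriptor * aSecurityDescriptor);

}
}
}

--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Security.h:
--------------------------------------------------------------------------------
#pragma once
#include
#include "Vol.Security.Sddl.h"


namespace MBox
{
namespace Vol
{
namespace Security
{

// Converts between a mandatory level and a mandatory RID by a factor of
// 0x1000. The argument is parenthesized so that an expression argument such
// as `a + 1` is scaled as a whole rather than only its last operand.
#ifndef Vol$Security$MandatoryLevelToMandatoryRid$Macro
#define Vol$Security$MandatoryLevelToMandatoryRid$Macro(Level) ((Level) * 0x1000)
#endif

#ifndef Vol$Security$MandatoryRidToMandatoryLevel$Macro
#define Vol$Security$MandatoryRidToMandatoryLevel$Macro(Rid) ((Rid) / 0x1000)
#endif

// Applies the integrity label described by aSDDL to an object identified by
// handle. Vol$Sddl$Sacl$LowIntegrity from Vol.Security.Sddl.h is one such
// SDDL string.
HRESULT SetObjectIntegrityLabel(
    HANDLE aObject,
    const wchar_t* aSDDL,
    SE_OBJECT_TYPE aObjectType);

// Same operation with the object identified by name instead of handle.
HRESULT SetObjectIntegrityLabel(
    const wchar_t* aObjectName,
    const wchar_t* aSDDL,
    SE_OBJECT_TYPE aObjectType);

// Sets the integrity level of aToken to aLevel.
// NOTE(review): whether the implementation permits raising as well as
// lowering the level is not visible here - confirm before relying on it as
// a sandboxing step.
HRESULT SetTokenIntegrityLevel(
    HANDLE aToken,
    MANDATORY_LEVEL aLevel);

HRESULT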
QueryTokenIntegrityLevel(
    HANDLE aToken,
    MANDATORY_LEVEL* aLevel);

// Copies the token information of class aClasses into a caller-supplied
// buffer of aBufferBytes bytes. aNeedBytes presumably receives the required
// size so the caller can retry with a larger buffer - TODO confirm.
HRESULT QueryTokenInformation(
    HANDLE aToken,
    TOKEN_INFORMATION_CLASS aClasses,
    void* aBuffer,
    UINT32 aBufferBytes,
    UINT32* aNeedBytes);

// Returns the token information through aBuffer; the buffer is presumably
// allocated by the callee and released with DeferenceTokenInformation -
// TODO confirm the pairing against the implementation.
HRESULT ReferenceTokenInformation(
    HANDLE aToken,
    TOKEN_INFORMATION_CLASS aClasses,
    void** aBuffer);

void DeferenceTokenInformation(
    void* aBuffer);

// Enables (aEnablePrivilege = true) or disables one named privilege on
// aToken.
// NOTE(review): a privilege such as SE_DEBUG_NAME widens what the process
// can do with other processes; callers should enable it only around the
// operation that needs it and call again with aEnablePrivilege = false
// afterwards.
HRESULT SetTokenPrivileges(
    HANDLE aToken,
    const wchar_t* aPrivilege, // E.g SE_DEBUG_NAME
    bool aEnablePrivilege);
}
}
}
--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Service.Controller.h:
--------------------------------------------------------------------------------
#pragma once
#include
#include

namespace MBox
{
namespace Vol
{
namespace Service
{
// Wraps one service identified by name. Holds an SC_HANDLE and the service
// name as members (declared at the end of the class). Only declarations are
// visible here.
class ServiceController
{
public:
    // Presumably opens the service named aServiceName and stores the handle;
    // Uninitialize presumably closes it - TODO confirm, including which
    // access rights the handle is opened with.
    HRESULT Initialize(const wchar_t* aServiceName);
    void Uninitialize();

    SC_HANDLE GetServiceHandle();
    const wchar_t* GetServiceName();

    // Both wait parameters default to 3 * 1000, in milliseconds per their
    // names.
    HRESULT Start(
        UINT32 aArgc,
        const wchar_t* aArgv[],
        UINT32 aWaitStopMilliseconds = 3 * 1000,
        UINT32 aWaitStartMilliseconds = 3 * 1000);

    HRESULT Stop(
        UINT32 aWaitStopMilliseconds = 3 * 1000);
    // The wait defaults to 500 and, by the parameter name, applies to each
    // dependent service separately.
    HRESULT StopDependentServices(
        UINT32 aEveryWaitStopMilliseconds = 500);

    HRESULT Enable(UINT32 aStartType);
    HRESULT Disable();

    // Caller-buffer form: aBytes is the size of aConfig, aNeedBytes
    // presumably receives the required size - TODO confirm.
    HRESULT QueryConfig(
        QUERY_SERVICE_CONFIG* aConfig,
        UINT32 aBytes, UINT32* aNeedBytes);
    // Callee-buffer form; presumably paired with DeferenceConfig for release.
    HRESULT ReferenceConfig(QUERY_SERVICE_CONFIG** aConfig);
    void DeferenceConfig(QUERY_SERVICE_CONFIG* aConfig);

    HRESULT ChangeConfig(QUERY_SERVICE_CONFIG* aConfig);

    HRESULT QueryStatus(SERVICE_STATUS_PROCESS* aServiceStatus);

    // The callback type's template arguments are not shown on this page.
    HRESULT EnumerateDependentServices(
        std::function aCallback,
        UINT32 aServiceState =
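SERVICE_STATE_ALL);

    HRESULT EnumerateDependenciesServices(
        std::function aCallback,
        UINT32 aServiceState = SERVICE_STATE_ALL);

private:
    HRESULT WaitStatus(UINT32 aStatus, UINT32 aMilliseconds);

    SC_HANDLE m_ServiceHandle = nullptr;
    std::wstring m_ServiceName;
};
}
}
}

--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Service.h:
--------------------------------------------------------------------------------
#pragma once
#include


namespace MBox
{
namespace Vol
{
namespace Service
{
HRESULT EnumerateServices(
    std::function aCallback,
    UINT32 aServiceType = SERVICE_TYPE_ALL,
    UINT32 aServiceState = SERVICE_STATE_ALL,
    const wchar_t* aGroupName = nullptr);

}
}
}

--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.Symboliclinks.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring3/Vol.User/Vol.Symboliclinks.h
--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.System.cpp:
--------------------------------------------------------------------------------
#include "stdafx.h"
#include "Vol.System.h"
#include "Vol.Process.h"


namespace MBox::Vol::System
{
// Reports whether the operating system is 64-bit.
//
// A 64-bit build can only be running on a 64-bit system, so it answers true
// directly. The original tested _AMD64_ alone, which sent other 64-bit
// targets down the WOW64 query; a native 64-bit process is not a WOW64
// process, so that path answered false for them. _WIN64 covers every 64-bit
// target and _AMD64_ is kept for builds that define only that macro.
//
// A 32-bit build asks whether the current process runs under WOW64. If that
// query fails the function returns false, i.e. the system is reported as
// 32-bit; callers cannot tell this apart from a real 32-bit answer.
bool Is64BitSystem()
{
#if defined(_WIN64) || defined(_AMD64_)
    return true;
#else
    // 32-bit programs run on both 32-bit and 64-bit Windows
    BOOLEAN vIs64Bit = FALSE;
    return (SUCCEEDED(Process::IsWow64Process(GetCurrentProcess(), &vIs64Bit)) && vIs64Bit);
#endif
}
}

--------------------------------------------------------------------------------
/Ring3/Vol.User/Vol.System.h: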
-------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | namespace MBox::Vol::System 5 | { 6 | bool Is64BitSystem(); 7 | 8 | inline bool Is32BitSystem() { return (!Is64BitSystem()); }; 9 | } 10 | -------------------------------------------------------------------------------- /Ring3/Vol.User/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /Ring3/Vol.User/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/MBox/05295cef7933d802718b5bfcc27d979f87873971/Ring3/Vol.User/stdafx.h --------------------------------------------------------------------------------