├── Source ├── Irritate │ ├── stdafx.cpp │ ├── README.md │ ├── Irritate.vcxproj.user │ ├── stdafx.h │ ├── ProcessorExecute.h │ ├── Irritate.vcxproj.filters │ ├── ProcessorExecute.cpp │ ├── Irritate.x64.mof │ ├── Irritate.inf │ ├── main.cpp │ ├── WPPTrace.h │ └── Irritate.vcxproj ├── Sunstrider │ ├── stdafx.cpp │ ├── README.md │ ├── stdafx.h │ ├── Sunstrider.vcxproj.user │ ├── main.cpp │ ├── Sunstrider.vcxproj.filters │ ├── Sunstrider.inf │ ├── WPPTrace.h │ └── Sunstrider.vcxproj └── PGKd │ ├── PGKd.alz │ ├── PGKd.cpp │ ├── stdafx.cpp │ ├── stdafx.h │ ├── Screenshot │ ├── analyze.jpg │ └── findpg.jpg │ ├── Debuggers │ └── lib │ │ ├── arm │ │ ├── dbgeng.lib │ │ └── dbghelp.lib │ │ ├── arm64 │ │ ├── dbgeng.lib │ │ └── dbghelp.lib │ │ ├── x64 │ │ ├── dbgeng.lib │ │ └── dbghelp.lib │ │ └── x86 │ │ ├── dbgeng.lib │ │ └── dbghelp.lib │ ├── PGKd.vcxproj.user │ ├── scope_guard.h │ ├── PoolTagNote.h │ ├── Progress.h │ ├── README.md │ ├── Progress.cpp │ ├── PGKd.def │ ├── PoolTagNote.cpp │ ├── PGKd.vcxproj.filters │ ├── WDK.PTE.h │ ├── WDK.h │ ├── PGKd.h │ ├── PGKd.vcxproj │ └── WDK.PGContext.h ├── README.md ├── Project └── Sunstrider.sln └── LICENSE /Source/Irritate/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /Source/Sunstrider/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /Source/Sunstrider/README.md: -------------------------------------------------------------------------------- 1 | # Sunstrider 2 | 3 | Undone. 
4 | -------------------------------------------------------------------------------- /Source/Irritate/README.md: -------------------------------------------------------------------------------- 1 | # Irritate 2 | 3 | Trigger PG with IDT 4 | -------------------------------------------------------------------------------- /Source/PGKd/PGKd.alz: -------------------------------------------------------------------------------- 1 | PluginId PGKd 2 | DebuggeeClass Kernel 3 | BugCheckCode 0x109 4 | -------------------------------------------------------------------------------- /Source/PGKd/PGKd.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/PGKd.cpp -------------------------------------------------------------------------------- /Source/PGKd/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/stdafx.cpp -------------------------------------------------------------------------------- /Source/PGKd/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/stdafx.h -------------------------------------------------------------------------------- /Source/PGKd/Screenshot/analyze.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Screenshot/analyze.jpg -------------------------------------------------------------------------------- /Source/PGKd/Screenshot/findpg.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Screenshot/findpg.jpg -------------------------------------------------------------------------------- /Source/PGKd/Debuggers/lib/arm/dbgeng.lib: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Debuggers/lib/arm/dbgeng.lib -------------------------------------------------------------------------------- /Source/PGKd/Debuggers/lib/arm/dbghelp.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Debuggers/lib/arm/dbghelp.lib -------------------------------------------------------------------------------- /Source/PGKd/Debuggers/lib/arm64/dbgeng.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Debuggers/lib/arm64/dbgeng.lib -------------------------------------------------------------------------------- /Source/PGKd/Debuggers/lib/x64/dbgeng.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Debuggers/lib/x64/dbgeng.lib -------------------------------------------------------------------------------- /Source/PGKd/Debuggers/lib/x64/dbghelp.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Debuggers/lib/x64/dbghelp.lib -------------------------------------------------------------------------------- /Source/PGKd/Debuggers/lib/x86/dbgeng.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Debuggers/lib/x86/dbgeng.lib -------------------------------------------------------------------------------- /Source/PGKd/Debuggers/lib/x86/dbghelp.lib: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Debuggers/lib/x86/dbghelp.lib -------------------------------------------------------------------------------- /Source/PGKd/Debuggers/lib/arm64/dbghelp.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MeeSong/Sunstrider/HEAD/Source/PGKd/Debuggers/lib/arm64/dbghelp.lib -------------------------------------------------------------------------------- /Source/PGKd/PGKd.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Source/Irritate/Irritate.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Source/Irritate/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #define NTSTRSAFE_NO_CCH_FUNCTIONS 1 7 | #include 8 | 9 | #include "WPPTrace.h" 10 | -------------------------------------------------------------------------------- /Source/Sunstrider/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | #define NTSTRSAFE_NO_CCH_FUNCTIONS 1 7 | #include 8 | 9 | #include "WPPTrace.h" 10 | -------------------------------------------------------------------------------- /Source/Sunstrider/Sunstrider.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Source/Irritate/ProcessorExecute.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | using $ProcessorrExecuteRoutine = void(__stdcall 
*)(UINT32 aProcessorNumber, void* aContext); 5 | 6 | auto ProcessorExecute($ProcessorrExecuteRoutine aRoutine, void* aContext) 7 | -> void; 8 | -------------------------------------------------------------------------------- /Source/PGKd/scope_guard.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace std 6 | { 7 | namespace experimental 8 | { 9 | 10 | template 11 | inline auto scope_guard(T* aValue, D aDeleter) 12 | { 13 | return std::unique_ptr(aValue, aDeleter); 14 | } 15 | 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Sunstrider 2 | Analyze PatchGuard 3 | 4 | VS2017 (15.8) 5 | WDK10.0.17134 6 | SDK10.0.17134 7 | 8 | ## Project 9 | 10 | > [Irritate](./Source/Irritate) 11 | > Trigger PatchGuard Driver 12 | 13 | > [PGKd](./Source/PGKd) 14 | > Windbg Extension: Analyze PatchGuard 15 | 16 | > [Sunstrider](./Source/Sunstrider) 17 | > Bypass PatchGuard Driver (Undone) 18 | -------------------------------------------------------------------------------- /Source/PGKd/PoolTagNote.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | namespace Sunstrider 6 | { 7 | 8 | class PoolTagNote 9 | { 10 | PGET_POOL_TAG_DESCRIPTION _GetPoolTagDescription = nullptr; 11 | 12 | public: 13 | PoolTagNote(__in ExtExtension* aExt); 14 | 15 | auto get(__in ULONG aTag) const 16 | -> std::string; 17 | }; 18 | 19 | } 20 | -------------------------------------------------------------------------------- /Source/PGKd/Progress.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | 5 | namespace Sunstrider 6 | { 7 | 8 | class Progress 9 | { 10 | ExtExtension* _Ext = nullptr; 11 | std::uint64_t _Progress = 0; 12 | 13 | public: 14 
| Progress(__in ExtExtension* aExt); 15 | 16 | ~Progress(); 17 | 18 | Progress& operator++(); 19 | }; 20 | 21 | } 22 | -------------------------------------------------------------------------------- /Source/PGKd/README.md: -------------------------------------------------------------------------------- 1 | # PGKd 2 | 3 | Windbg Extension: Analyze PatchGuard 4 | 5 | > Support: 6 | > Windows7 ~ Windows10 (1803), But don't support Windows 8.1 Because i don't got dump. 7 | 8 | > Thanks: 9 | > [tandasat/findpg](https://github.com/tandasat/findpg) 10 | > [tandasat/PgResarch](https://github.com/tandasat/PgResarch) 11 | 12 | ![analyze](./Screenshot/analyze.jpg) 13 | 14 | ![findpg](./Screenshot/findpg.jpg) 15 | -------------------------------------------------------------------------------- /Source/PGKd/Progress.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Progress.h" 3 | 4 | 5 | namespace Sunstrider 6 | { 7 | 8 | Progress::Progress(__in ExtExtension * aExt) 9 | : _Ext(aExt) 10 | , _Progress(0) 11 | { } 12 | 13 | Progress::~Progress() 14 | { 15 | _Ext->Out("\n"); 16 | } 17 | 18 | Progress & Progress::operator++() 19 | { 20 | if (_Progress == 70) 21 | { 22 | _Progress = 0, _Ext->Out("\n"); 23 | } 24 | ++_Progress, _Ext->Out("."); 25 | 26 | return *this; 27 | } 28 | 29 | 30 | } 31 | -------------------------------------------------------------------------------- /Source/Sunstrider/main.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | #include "main.tmh" // Windows software trace preprocessor 4 | 5 | extern"C" 6 | { 7 | DRIVER_INITIALIZE DriverEntry; 8 | } 9 | 10 | static auto DriverUnload(PDRIVER_OBJECT aDriverObject) 11 | -> void 12 | { 13 | WPP_CLEANUP(aDriverObject); 14 | } 15 | 16 | auto DriverEntry(PDRIVER_OBJECT aDriverObject, PUNICODE_STRING aRegistryPath) 17 | -> NTSTATUS 18 | { 19 | NTSTATUS vStatus = 
STATUS_UNSUCCESSFUL; 20 | 21 | for (;;) 22 | { 23 | WPP_INIT_TRACING(aDriverObject, aRegistryPath); 24 | 25 | 26 | 27 | aDriverObject->DriverUnload = DriverUnload; 28 | break; 29 | } 30 | TraceReturn(vStatus); 31 | 32 | if (!NT_SUCCESS(vStatus)) 33 | { 34 | DriverUnload(aDriverObject); 35 | } 36 | 37 | return vStatus; 38 | } 39 | -------------------------------------------------------------------------------- /Source/PGKd/PGKd.def: -------------------------------------------------------------------------------- 1 | ;-------------------------------------------------------------------- 2 | ; Copyright (c) 2018 MeeSong 3 | ; 4 | ;Module: 5 | ; PGKd.def 6 | ;-------------------------------------------------------------------- 7 | 8 | LIBRARY PGKd 9 | 10 | EXPORTS 11 | 12 | ;-------------------------------------------------------------------- 13 | ; Core exports provided by the ExtCpp framework. 14 | ;-------------------------------------------------------------------- 15 | 16 | DebugExtensionInitialize 17 | DebugExtensionUninitialize 18 | DebugExtensionNotify 19 | help 20 | 21 | ;-------------------------------------------------------------------- 22 | ; Extension commands. 
23 | ;-------------------------------------------------------------------- 24 | 25 | findpg 26 | analyzepg 27 | dumppg 28 | _EFN_Analyze 29 | -------------------------------------------------------------------------------- /Source/Sunstrider/Sunstrider.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | {79daadfa-c596-430e-b1af-d78f924b5127} 9 | h;hpp;c;cc;cpp;inl;asm 10 | 11 | 12 | 13 | 14 | Src 15 | 16 | 17 | Src 18 | 19 | 20 | 21 | 22 | Src 23 | 24 | 25 | Src 26 | 27 | 28 | -------------------------------------------------------------------------------- /Source/Irritate/Irritate.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | {ea37b06a-aafa-49ac-b4ac-c7dc4d084d3c} 9 | h;hpp;c;cc;cpp;inl;asm 10 | 11 | 12 | 13 | 14 | Src 15 | 16 | 17 | Src 18 | 19 | 20 | Src 21 | 22 | 23 | 24 | 25 | Src 26 | 27 | 28 | Src 29 | 30 | 31 | Src 32 | 33 | 34 | -------------------------------------------------------------------------------- /Source/Irritate/ProcessorExecute.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "ProcessorExecute.h" 3 | 4 | 5 | extern"C" 6 | { 7 | VOID NTAPI KeGenericCallDpc( 8 | __in PKDEFERRED_ROUTINE Routine, 9 | __in_opt PVOID Context); 10 | 11 | LOGICAL KeSignalCallDpcSynchronize( 12 | __in PVOID SystemArgument2); 13 | 14 | VOID KeSignalCallDpcDone( 15 | __in PVOID SystemArgument1); 16 | 17 | } 18 | 19 | auto ProcessorExecute($ProcessorrExecuteRoutine aRoutine, void * aContext) 20 | -> void 21 | { 22 | struct DpcContext 23 | { 24 | $ProcessorrExecuteRoutine Routine; 25 | PVOID Context; 26 | }; 27 | 28 | auto vContext = DpcContext{ aRoutine, aContext }; 29 | 30 | KeGenericCallDpc([]( 31 | PKDPC /*aDpc*/, PVOID aContext, PVOID aBarrier, PVOID aReverseBarrier) -> void 32 | { 33 | auto vContext = static_cast(aContext); 34 | 
vContext->Routine(KeGetCurrentProcessorNumber(), vContext->Context); 35 | 36 | KeSignalCallDpcSynchronize(aReverseBarrier); 37 | KeSignalCallDpcDone(aBarrier); 38 | }, &vContext); 39 | } 40 | -------------------------------------------------------------------------------- /Source/Irritate/Irritate.x64.mof: -------------------------------------------------------------------------------- 1 | #pragma autorecover 2 | #pragma classflags("forceupdate") 3 | #pragma namespace("\\\\.\\root\\WMI") 4 | // 5 | // WPP Generated File 6 | // PDB: E:\Self\Sunstrider\Project\..\Output\Debug\Irritate.x64.pdb 7 | // PDB: Last Updated :2018-08-02:04:03:11:963 (UTC) [tracepdb] 8 | // 9 | 10 | //ModuleName = Irritate.x64WPPTraceGuid (Init called in Function WPP_CONTROL_ANNOTATION) 11 | [Dynamic, 12 | Description("Irritate.x64_WPPTraceGuid"), 13 | guid("{7CA5906D-C7EE-4BCB-A179-C4609D13A9BC}"), 14 | locale("MS\\0x409")] 15 | class Irritate.x64WPPTraceGuid : EventTrace 16 | { 17 | [Description ("Enable Flags") : amended, 18 | ValueDescriptions{ 19 | "WPP_ANY_FLAGS Flag", 20 | "WPP_FUNC_TRACE Flag"}, 21 | DefineValues{ 22 | "WPP_ANY_FLAGS", 23 | "WPP_FUNC_TRACE"}, 24 | Values{ 25 | "WPP_ANY_FLAGS", 26 | "WPP_FUNC_TRACE"}, 27 | ValueMap{ 28 | "0x00000001", 29 | "0x00000002"}: amended 30 | ] 31 | uint32 Flags; 32 | [Description ("Levels") : amended, 33 | ValueDescriptions{ 34 | "Abnormal exit or termination", 35 | "Severe errors that need logging", 36 | "Warnings such as allocation failure", 37 | "Includes non-error cases", 38 | "Detailed traces from intermediate steps" } : amended, 39 | DefineValues{ 40 | "TRACE_LEVEL_FATAL", 41 | "TRACE_LEVEL_ERROR", 42 | "TRACE_LEVEL_WARNING" 43 | "TRACE_LEVEL_INFORMATION", 44 | "TRACE_LEVEL_VERBOSE" }, 45 | Values{ 46 | "Fatal", 47 | "Error", 48 | "Warning", 49 | "Information", 50 | "Verbose" }, 51 | ValueMap{ 52 | "0x1", 53 | "0x2", 54 | "0x3", 55 | "0x4", 56 | "0x5" }, 57 | ValueType("index") 58 | ] 59 | uint32 Level; 60 | }; 61 | 
-------------------------------------------------------------------------------- /Source/PGKd/PoolTagNote.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "PoolTagNote.h" 3 | 4 | 5 | 6 | namespace Sunstrider 7 | { 8 | 9 | PoolTagNote::PoolTagNote(__in ExtExtension* aExt) 10 | { 11 | aExt->m_Control->GetExtensionFunction(0, 12 | "GetPoolTagDescription", 13 | reinterpret_cast(&_GetPoolTagDescription)); 14 | } 15 | 16 | auto PoolTagNote::get(__in ULONG aTag) const 17 | -> std::string 18 | { 19 | auto vResult = std::string(); 20 | 21 | for (;;) 22 | { 23 | if (!_GetPoolTagDescription) 24 | { 25 | break; 26 | } 27 | 28 | DEBUG_POOLTAG_DESCRIPTION vTagInfo = { sizeof(vTagInfo) }; 29 | auto hr = _GetPoolTagDescription(aTag, &vTagInfo); 30 | if (FAILED(hr)) 31 | { 32 | break; 33 | } 34 | 35 | char vDesc[400] = {}; 36 | if (vTagInfo.Description[0]) 37 | { 38 | hr = StringCbPrintfA(vDesc, sizeof(vDesc), 39 | " Pooltag %4.4s : %s", (char*)&aTag, vTagInfo.Description); 40 | } 41 | else 42 | { 43 | hr = StringCbPrintfA(vDesc, sizeof(vDesc), 44 | " Pooltag %4.4s : Unknown", (char*)&aTag); 45 | } 46 | 47 | char vBinary[100] = {}; 48 | if (vTagInfo.Binary[0]) 49 | { 50 | hr = StringCbPrintfA(vBinary, sizeof(vBinary), 51 | ", Binary : %s", vTagInfo.Binary); 52 | } 53 | 54 | char vOwner[100] = {}; 55 | if (vTagInfo.Owner[0]) 56 | { 57 | hr = StringCbPrintfA(vOwner, sizeof(vOwner), 58 | ", Owner : %s", vTagInfo.Owner); 59 | } 60 | 61 | vResult = vDesc + std::string(vBinary) + vOwner; 62 | break; 63 | } 64 | 65 | return std::move(vResult); 66 | } 67 | 68 | } 69 | -------------------------------------------------------------------------------- /Source/Irritate/Irritate.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; Irritate.inf 3 | ; 4 | 5 | [Version] 6 | Signature = "$WINDOWS NT$" 7 | Class = AntiVirus 8 | ClassGuid = {b1d1a169-c54f-4379-81db-bee7d88d7454} 9 | 
Provider = %ManufacturerName% 10 | CatalogFile = Irritate.cat 11 | DriverVer = 08/02/2018 12 | 13 | ;************************************* 14 | 15 | [DestinationDirs] 16 | DefaultDestDir = 12 17 | 18 | [SourceDisksNames] 19 | 1 = %DiskId%,,,"" 20 | 21 | [SourceDisksFiles] 22 | Irritate.sys = 1,, 23 | Irritate.x86.sys = 1,, 24 | Irritate.x64.sys = 1,, 25 | 26 | [Files.Copy.NTx86] 27 | Irritate.sys,Irritate.x86.sys,,0x00004020 ; COPYFLG_IN_USE_RENAME | COPYFLG_NO_VERSION_DIALOG 28 | 29 | [Files.Copy.NTamd64] 30 | Irritate.sys,Irritate.x64.sys,,0x00004020 31 | 32 | [Files.Del] 33 | Irritate.sys 34 | 35 | ;************************************* 36 | 37 | [DefaultInstall.NTx86] 38 | CopyFiles=Files.Copy.NTx86 39 | 40 | [DefaultInstall.NTamd64] 41 | CopyFiles=Files.Copy.NTamd64 42 | 43 | [DefaultInstall.NTx86.Services] 44 | AddService = %ServiceName%,%ServicInstFlags%, ServiceInstall 45 | 46 | [DefaultInstall.NTamd64.Services] 47 | AddService = %ServiceName%,%ServicInstFlags%, ServiceInstall 48 | 49 | [DefaultUninstall.NTx86] 50 | DelFiles = Files.Del 51 | 52 | [DefaultUninstall.NTamd64] 53 | DelFiles = Files.Del 54 | 55 | [DefaultUninstall.NTx86.Services] 56 | DelService = %ServiceName%,0x200 57 | 58 | [DefaultUninstall.NTamd64.Services] 59 | DelService = %ServiceName%,0x200 60 | 61 | ;************************************* 62 | 63 | [ServiceInstall] 64 | DisplayName = %ServiceName% 65 | Description = %ServiceDesc% 66 | ServiceBinary = %12%\Irritate.sys 67 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 68 | StartType = 3 ; 0 = SERVICE_BOOT_START 69 | ; 1 = SERVICE_SYSTEM_START 70 | ; 2 = SERVICE_AUTO_START 71 | ; 3 = SERVICE_DEMAND_START 72 | ; 4 = SERVICE_DISABLED 73 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 74 | 75 | ;************************************* 76 | 77 | [Strings] 78 | ServicInstFlags = 0x00000000 79 | 80 | ManufacturerName = "Sunstrider" 81 | DriverName = "Irritate" 82 | ServiceDesc = "Sunstrider's PatchGuard Irritate" 83 | ServiceName = "Irritate" 84 | DiskId = 
"Irritate Device Installation Disk" 85 | -------------------------------------------------------------------------------- /Source/Sunstrider/Sunstrider.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; Sunstrider.inf 3 | ; 4 | 5 | [Version] 6 | Signature = "$WINDOWS NT$" 7 | Class = AntiVirus 8 | ClassGuid = {b1d1a169-c54f-4379-81db-bee7d88d7454} 9 | Provider = %ManufacturerName% 10 | CatalogFile = Sunstrider.cat 11 | DriverVer = 08/02/2018 12 | 13 | ;************************************* 14 | 15 | [DestinationDirs] 16 | DefaultDestDir = 12 17 | 18 | [SourceDisksNames] 19 | 1 = %DiskId%,,,"" 20 | 21 | [SourceDisksFiles] 22 | Sunstrider.sys = 1,, 23 | Sunstrider.x86.sys = 1,, 24 | Sunstrider.x64.sys = 1,, 25 | 26 | [Files.Copy.NTx86] 27 | Sunstrider.sys,Sunstrider.x86.sys,,0x00004020 ; COPYFLG_IN_USE_RENAME | COPYFLG_NO_VERSION_DIALOG 28 | 29 | [Files.Copy.NTamd64] 30 | Sunstrider.sys,Sunstrider.x64.sys,,0x00004020 31 | 32 | [Files.Del] 33 | Sunstrider.sys 34 | 35 | ;************************************* 36 | 37 | [DefaultInstall.NTx86] 38 | CopyFiles=Files.Copy.NTx86 39 | 40 | [DefaultInstall.NTamd64] 41 | CopyFiles=Files.Copy.NTamd64 42 | 43 | [DefaultInstall.NTx86.Services] 44 | AddService = %ServiceName%,%ServicInstFlags%, ServiceInstall 45 | 46 | [DefaultInstall.NTamd64.Services] 47 | AddService = %ServiceName%,%ServicInstFlags%, ServiceInstall 48 | 49 | [DefaultUninstall.NTx86] 50 | DelFiles = Files.Del 51 | 52 | [DefaultUninstall.NTamd64] 53 | DelFiles = Files.Del 54 | 55 | [DefaultUninstall.NTx86.Services] 56 | DelService = %ServiceName%,0x200 57 | 58 | [DefaultUninstall.NTamd64.Services] 59 | DelService = %ServiceName%,0x200 60 | 61 | ;************************************* 62 | 63 | [ServiceInstall] 64 | DisplayName = %ServiceName% 65 | Description = %ServiceDesc% 66 | ServiceBinary = %12%\Sunstrider.sys 67 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 68 | StartType = 3 ; 0 = SERVICE_BOOT_START 69 | ; 1 = 
SERVICE_SYSTEM_START 70 | ; 2 = SERVICE_AUTO_START 71 | ; 3 = SERVICE_DEMAND_START 72 | ; 4 = SERVICE_DISABLED 73 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 74 | 75 | ;************************************* 76 | 77 | [Strings] 78 | ServicInstFlags = 0x00000000 79 | 80 | ManufacturerName = "Sunstrider" 81 | DriverName = "Sunstrider" 82 | ServiceDesc = "Sunstrider" 83 | ServiceName = "Sunstrider" 84 | DiskId = "Sunstrider Device Installation Disk" 85 | -------------------------------------------------------------------------------- /Source/Irritate/main.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include "ProcessorExecute.h" 4 | 5 | #include "main.tmh" // Windows software trace preprocessor 6 | 7 | ////////////////////////////////////////////////////////////////////////// 8 | 9 | #pragma pack(push, 1) 10 | typedef struct _KDESCRIPTOR 11 | { 12 | UINT16 Limit; 13 | PVOID Base; 14 | }KDESCRIPTOR, *PKDESCRIPTOR; 15 | #pragma pack(pop) 16 | 17 | extern"C" 18 | { 19 | DRIVER_INITIALIZE DriverEntry; 20 | } 21 | 22 | static auto AdjustIDTLimit(UINT16 aDiff) 23 | -> NTSTATUS 24 | { 25 | NTSTATUS vStatus = STATUS_SUCCESS; 26 | 27 | TraceEntry(); 28 | for (;;) 29 | { 30 | static UINT16 sOldLimit = 0; 31 | if (0 == aDiff) 32 | { 33 | if (0 == sOldLimit) 34 | { 35 | break; 36 | } 37 | aDiff = sOldLimit; 38 | } 39 | 40 | ProcessorExecute([](UINT32 aProcessorNumber, void* aContext) -> void 41 | { 42 | auto vLimitDiff = (INT16)(SIZE_T)aContext; 43 | auto vIdt = KDESCRIPTOR{}; 44 | 45 | __sidt(&vIdt); 46 | 47 | if (0 == sOldLimit) 48 | { 49 | sOldLimit = vIdt.Limit; 50 | } 51 | vIdt.Limit = vLimitDiff; 52 | 53 | __lidt(&vIdt); 54 | 55 | TraceInfo("Cpu[%d] idt base: 0x%p, limit: 0x%04X to 0x%04X", aProcessorNumber, vIdt.Base, sOldLimit, vIdt.Limit); 56 | 57 | }, (void*)(SIZE_T)aDiff); 58 | 59 | break; 60 | } 61 | TraceExit(vStatus); 62 | 63 | return vStatus; 64 | } 65 | 66 | static auto 
DriverUnload(PDRIVER_OBJECT aDriverObject) 67 | -> void 68 | { 69 | AdjustIDTLimit(static_cast(0u)); 70 | 71 | WPP_CLEANUP(aDriverObject); 72 | } 73 | 74 | auto DriverEntry(PDRIVER_OBJECT aDriverObject, PUNICODE_STRING aRegistryPath) 75 | -> NTSTATUS 76 | { 77 | NTSTATUS vStatus = STATUS_UNSUCCESSFUL; 78 | 79 | for (;;) 80 | { 81 | WPP_INIT_TRACING(aDriverObject, aRegistryPath); 82 | 83 | vStatus = AdjustIDTLimit(static_cast(-1)); 84 | if (!NT_SUCCESS(vStatus)) 85 | { 86 | break; 87 | } 88 | 89 | aDriverObject->DriverUnload = DriverUnload; 90 | break; 91 | } 92 | TraceReturn(vStatus); 93 | 94 | if (!NT_SUCCESS(vStatus)) 95 | { 96 | DriverUnload(aDriverObject); 97 | } 98 | 99 | return vStatus; 100 | } 101 | -------------------------------------------------------------------------------- /Source/PGKd/PGKd.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx;h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 7 | 8 | 9 | {98aa858e-8fb8-41af-ab90-e8fd656509c9} 10 | 11 | 12 | 13 | 14 | Src 15 | 16 | 17 | Src\Sdk 18 | 19 | 20 | Src 21 | 22 | 23 | Src 24 | 25 | 26 | Src 27 | 28 | 29 | 30 | 31 | Src 32 | 33 | 34 | Src\Sdk 35 | 36 | 37 | Src\Sdk 38 | 39 | 40 | Src\Sdk 41 | 42 | 43 | Src\Sdk 44 | 45 | 46 | Src\Sdk 47 | 48 | 49 | Src 50 | 51 | 52 | Src 53 | 54 | 55 | Src 56 | 57 | 58 | Src 59 | 60 | 61 | Src 62 | 63 | 64 | Src 65 | 66 | 67 | Src 68 | 69 | 70 | 71 | 72 | Src 73 | 74 | 75 | 76 | -------------------------------------------------------------------------------- /Source/Irritate/WPPTrace.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | Trace.h 6 | 7 | Abstract: 8 | 9 | Header file for the debug tracing related function defintions and macros. 
10 | 11 | Environment: 12 | 13 | Kernel mode 14 | 15 | --*/ 16 | 17 | #pragma once 18 | #include 19 | 20 | // 21 | // Define the tracing flags. 22 | // 23 | // Tracing GUID - 0A64AABE-7F43-4A58-A161-BD1A03A515E7 24 | // 25 | 26 | #define WPP_CONTROL_GUIDS \ 27 | WPP_DEFINE_CONTROL_GUID( \ 28 | WPPTraceGuid, (0A64AABE,7F43,4A58,A161,BD1A03A515E7), \ 29 | WPP_DEFINE_BIT(WPP_ANY_FLAGS) \ 30 | WPP_DEFINE_BIT(WPP_FUNC_TRACE) \ 31 | ) 32 | 33 | #define WPP_FLAGS_LEVEL_LOGGER(flags, level) \ 34 | WPP_LEVEL_LOGGER(flags) 35 | 36 | #define WPP_FLAGS_LEVEL_ENABLED(flags, level) \ 37 | (WPP_LEVEL_ENABLED(flags) && WPP_CONTROL(WPP_BIT_ ## flags).Level >= level) 38 | 39 | #define WPP_LEVEL_FLAGS_LOGGER(level, flags) \ 40 | WPP_LEVEL_LOGGER(flags) 41 | 42 | #define WPP_LEVEL_FLAGS_ENABLED(level, flags) \ 43 | (WPP_LEVEL_ENABLED(flags) && WPP_CONTROL(WPP_BIT_ ## flags).Level >= level) 44 | 45 | // 46 | // PRE macro: The name of the macro includes the condition arguments FLAGS and EXP 47 | // define in FUNC above 48 | // 49 | #define WPP_FLAGS_NT_PRE(FLAGS, NT) {if (!NT_SUCCESS(NT)) { 50 | 51 | // 52 | // POST macro 53 | // The name of the macro includes the condition arguments FLAGS and EXP 54 | // define in FUNC above 55 | #define WPP_FLAGS_NT_POST(FLAGS, NT) ;}} 56 | 57 | // 58 | // The two macros below are for checking if the event should be logged and for 59 | // choosing the logger handle to use when calling the ETW trace API 60 | // 61 | #define WPP_FLAGS_NT_ENABLED(FLAGS, NT) WPP_FLAG_ENABLED(FLAGS) 62 | #define WPP_FLAGS_NT_LOGGER(FLAGS, NT) WPP_FLAG_LOGGER(FLAGS) 63 | 64 | // Map the null flags used by Entry/Exit to a function called FuncTrace 65 | #define WPP__ENABLED() WPP_LEVEL_ENABLED(WPP_FUNC_TRACE) 66 | #define WPP__LOGGER() WPP_LEVEL_LOGGER(WPP_FUNC_TRACE) 67 | 68 | #define WPP_NT_ENABLED(NT) WPP_LEVEL_ENABLED(WPP_FUNC_TRACE) 69 | #define WPP_NT_LOGGER(NT) WPP_LEVEL_LOGGER(WPP_FUNC_TRACE) 70 | 71 | // 72 | // WPP orders static parameters before dynamic parameters. 
To support the Trace function 73 | // defined below which sets FLAGS=MYDRIVER_ALL_INFO, a custom macro must be defined to 74 | // reorder the arguments to what the .tpl configuration file expects. 75 | // 76 | #define WPP_RECORDER_FLAGS_LEVEL_ARGS(flags, level) WPP_RECORDER_LEVEL_FLAGS_ARGS(level, flags) 77 | #define WPP_RECORDER_FLAGS_LEVEL_FILTER(flags, level) WPP_RECORDER_LEVEL_FLAGS_FILTER(level, flags) 78 | 79 | // MACRO: TraceReturn 80 | // Configuration block that defines trace macro. It uses the PRE/POST macros to include 81 | // code as part of the trace macro expansion. TRACE_MACRO is equivalent to the code below: 82 | // 83 | // {if (Status != STATUS_SUCCESS){ // This is the code in the PRE macro 84 | // Trace(TRACE_LEVEL_ERROR, "%!FUNC! Return = %!STATUS!", Status) 85 | // ;}} // This is the code in the POST macro 86 | // 87 | // 88 | // USEPREFIX statement: Defines a format string prefix to be used when logging the event, 89 | // below the STDPREFIX is used. The first value is the trace function name with out parenthesis 90 | // and the second value is the format string to be used. 91 | // 92 | // USESUFFIX statement: Defines a suffix format string that gets logged with the event. 93 | // 94 | // FUNC statement: Defines the name and signature of the trace function. The function defined 95 | // below takes one argument, no format string, and predefines the flag equal to FLAG_ONE. 96 | // 97 | // 98 | //begin_wpp config 99 | //USEPREFIX (TraceReturn, "%!STDPREFIX!"); 100 | //FUNC TraceReturn{FLAGS=WPP_ANY_FLAGS}(NT); 101 | //USESUFFIX (TraceReturn, "%!FUNC! Return=%!STATUS!", NT); 102 | //end_wpp 103 | 104 | // MACRO: TraceBegin 105 | // 106 | //begin_wpp config 107 | //FUNC TraceEntry(); 108 | //FUNC TraceExit(NT); 109 | //USESUFFIX (TraceEntry, "Entry to %!FUNC!"); 110 | //USESUFFIX (TraceExit, "%!FUNC! 
Return=%!STATUS!", NT); 111 | //end_wpp 112 | 113 | // 114 | // This comment block is scanned by the trace preprocessor to define our 115 | // Trace function. 116 | // 117 | // begin_wpp config 118 | // FUNC TraceEvents (LEVEL, FLAGS, MSG, ...); 119 | // FUNC Trace{FLAGS=WPP_ANY_FLAGS} (LEVEL, MSG, ...); 120 | // FUNC TraceCritical{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_CRITICAL} (MSG, ...); 121 | // FUNC TraceFatal{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_FATAL} (MSG, ...); 122 | // FUNC TraceError{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_ERROR} (MSG, ...); 123 | // FUNC TraceWarn{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_WARNING} (MSG, ...); 124 | // FUNC TraceInfo{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_INFORMATION} (MSG, ...); 125 | // FUNC TraceVerbose{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_VERBOSE} (MSG, ...); 126 | // end_wpp 127 | // 128 | 129 | -------------------------------------------------------------------------------- /Source/Sunstrider/WPPTrace.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | Trace.h 6 | 7 | Abstract: 8 | 9 | Header file for the debug tracing related function defintions and macros. 10 | 11 | Environment: 12 | 13 | Kernel mode 14 | 15 | --*/ 16 | 17 | #pragma once 18 | #include 19 | 20 | // 21 | // Define the tracing flags. 
22 | // 23 | // Tracing GUID - 7CA5906D-C7EE-4BCB-A179-C4609D13A9BC 24 | // 25 | 26 | #define WPP_CONTROL_GUIDS \ 27 | WPP_DEFINE_CONTROL_GUID( \ 28 | WPPTraceGuid, (7CA5906D,C7EE,4BCB,A179,C4609D13A9BC), \ 29 | WPP_DEFINE_BIT(WPP_ANY_FLAGS) \ 30 | WPP_DEFINE_BIT(WPP_FUNC_TRACE) \ 31 | ) 32 | 33 | #define WPP_FLAGS_LEVEL_LOGGER(flags, level) \ 34 | WPP_LEVEL_LOGGER(flags) 35 | 36 | #define WPP_FLAGS_LEVEL_ENABLED(flags, level) \ 37 | (WPP_LEVEL_ENABLED(flags) && WPP_CONTROL(WPP_BIT_ ## flags).Level >= level) 38 | 39 | #define WPP_LEVEL_FLAGS_LOGGER(level, flags) \ 40 | WPP_LEVEL_LOGGER(flags) 41 | 42 | #define WPP_LEVEL_FLAGS_ENABLED(level, flags) \ 43 | (WPP_LEVEL_ENABLED(flags) && WPP_CONTROL(WPP_BIT_ ## flags).Level >= level) 44 | 45 | // 46 | // PRE macro: The name of the macro includes the condition arguments FLAGS and EXP 47 | // define in FUNC above 48 | // 49 | #define WPP_FLAGS_NT_PRE(FLAGS, NT) {if (!NT_SUCCESS(NT)) { 50 | 51 | // 52 | // POST macro 53 | // The name of the macro includes the condition arguments FLAGS and EXP 54 | // define in FUNC above 55 | #define WPP_FLAGS_NT_POST(FLAGS, NT) ;}} 56 | 57 | // 58 | // The two macros below are for checking if the event should be logged and for 59 | // choosing the logger handle to use when calling the ETW trace API 60 | // 61 | #define WPP_FLAGS_NT_ENABLED(FLAGS, NT) WPP_FLAG_ENABLED(FLAGS) 62 | #define WPP_FLAGS_NT_LOGGER(FLAGS, NT) WPP_FLAG_LOGGER(FLAGS) 63 | 64 | // Map the null flags used by Entry/Exit to a function called FuncTrace 65 | #define WPP__ENABLED() WPP_LEVEL_ENABLED(WPP_FUNC_TRACE) 66 | #define WPP__LOGGER() WPP_LEVEL_LOGGER(WPP_FUNC_TRACE) 67 | 68 | #define WPP_NT_ENABLED(NT) WPP_LEVEL_ENABLED(WPP_FUNC_TRACE) 69 | #define WPP_NT_LOGGER(NT) WPP_LEVEL_LOGGER(WPP_FUNC_TRACE) 70 | 71 | // 72 | // WPP orders static parameters before dynamic parameters. 
To support the Trace function 73 | // defined below which sets FLAGS=MYDRIVER_ALL_INFO, a custom macro must be defined to 74 | // reorder the arguments to what the .tpl configuration file expects. 75 | // 76 | #define WPP_RECORDER_FLAGS_LEVEL_ARGS(flags, level) WPP_RECORDER_LEVEL_FLAGS_ARGS(level, flags) 77 | #define WPP_RECORDER_FLAGS_LEVEL_FILTER(flags, level) WPP_RECORDER_LEVEL_FLAGS_FILTER(level, flags) 78 | 79 | // MACRO: TraceReturn 80 | // Configuration block that defines trace macro. It uses the PRE/POST macros to include 81 | // code as part of the trace macro expansion. TRACE_MACRO is equivalent to the code below: 82 | // 83 | // {if (Status != STATUS_SUCCESS){ // This is the code in the PRE macro 84 | // Trace(TRACE_LEVEL_ERROR, "%!FUNC! Return = %!STATUS!", Status) 85 | // ;}} // This is the code in the POST macro 86 | // 87 | // 88 | // USEPREFIX statement: Defines a format string prefix to be used when logging the event, 89 | // below the STDPREFIX is used. The first value is the trace function name with out parenthesis 90 | // and the second value is the format string to be used. 91 | // 92 | // USESUFFIX statement: Defines a suffix format string that gets logged with the event. 93 | // 94 | // FUNC statement: Defines the name and signature of the trace function. The function defined 95 | // below takes one argument, no format string, and predefines the flag equal to FLAG_ONE. 96 | // 97 | // 98 | //begin_wpp config 99 | //USEPREFIX (TraceReturn, "%!STDPREFIX!"); 100 | //FUNC TraceReturn{FLAGS=WPP_ANY_FLAGS}(NT); 101 | //USESUFFIX (TraceReturn, "%!FUNC! Return=%!STATUS!", NT); 102 | //end_wpp 103 | 104 | // MACRO: TraceBegin 105 | // 106 | //begin_wpp config 107 | //FUNC TraceEntry(); 108 | //FUNC TraceExit(NT); 109 | //USESUFFIX (TraceEntry, "Entry to %!FUNC!"); 110 | //USESUFFIX (TraceExit, "%!FUNC! 
Return=%!STATUS!", NT);
//end_wpp

//
// This comment block is scanned by the trace preprocessor to define our
// Trace function.
//
// begin_wpp config
// FUNC TraceEvents (LEVEL, FLAGS, MSG, ...);
// FUNC Trace{FLAGS=WPP_ANY_FLAGS} (LEVEL, MSG, ...);
// FUNC TraceCritical{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_CRITICAL} (MSG, ...);
// FUNC TraceFatal{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_FATAL} (MSG, ...);
// FUNC TraceError{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_ERROR} (MSG, ...);
// FUNC TraceWarn{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_WARNING} (MSG, ...);
// FUNC TraceInfo{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_INFORMATION} (MSG, ...);
// FUNC TraceVerbose{FLAGS=WPP_ANY_FLAGS, LEVEL=TRACE_LEVEL_VERBOSE} (MSG, ...);
// end_wpp
//

--------------------------------------------------------------------------------
/Source/PGKd/WDK.PTE.h:
--------------------------------------------------------------------------------
#pragma once

// x64 four-level page-table constants and self-map address helpers
// (PXE -> PPE -> PDE -> PTE, index shifts 39/30/21/12).  Everything is
// header-only: the mutable bases are shared across translation units via
// __declspec(selectany) and re-seeded at run time by MiInitPte().

#pragma warning(push)
#pragma warning(disable: 4201)   // C4201: nameless struct/union
namespace wdk
{

    constexpr auto PAGE_SIZE = 4096UI64;

    // Size of the virtual range occupied by each self-map level: the PXE
    // table is one page, and every level below is 512 times larger than the
    // one above it.
    constexpr auto PXE_SIZE = PAGE_SIZE;
    constexpr auto PPE_SIZE = PXE_SIZE * 512;
    constexpr auto PDE_SIZE = PPE_SIZE * 512;
    constexpr auto PTE_SIZE = PDE_SIZE * 512;

    // 512 eight-byte entries per 4 KiB table, at every level.
    constexpr auto PTE_PER_PAGE = 512;
    constexpr auto PDE_PER_PAGE = 512;
    constexpr auto PPE_PER_PAGE = 512;
    constexpr auto PXE_PER_PAGE = 512;

    // Per-level index masks.  (The helpers further down use literal masks
    // rather than these constants.)
    constexpr auto PTI_MASK_AMD64 = PTE_PER_PAGE - 1;
    constexpr auto PDI_MASK_AMD64 = PDE_PER_PAGE - 1;
    constexpr auto PPI_MASK = PPE_PER_PAGE - 1;
    constexpr auto PXI_MASK = PXE_PER_PAGE - 1;

    // Bit position of each level's 9-bit index inside a virtual address.
    constexpr auto PTI_SHIFT = 12;
    constexpr auto PDI_SHIFT = 21;
    constexpr auto PPI_SHIFT = 30;
    constexpr auto PXI_SHIFT = 39;

    // Base of the PTE self-map.  This initial value is a fixed address;
    // MiInitPte() below replaces it with whatever the caller supplies.
    // NOTE(review): presumably the target can use a different (randomised)
    // base -- callers must run MiInitPte() before using any helper below,
    // otherwise this default is silently used.
    __declspec(selectany) auto PTE_BASE = 0xFFFFF68000000000UI64;
    // Each higher-level base is the self-map entry for the base one level
    // below it: keep the low 48 bits, shift out the page offset to get a
    // page number, scale by the 8-byte entry size and add PTE_BASE.  The
    // trailing comments give the value for the default PTE_BASE.
    __declspec(selectany) auto PDE_BASE = ((PTE_BASE & 0x0000FFFFFFFFF000) >> 12) * 8 + PTE_BASE; //0xFFFFF6FB40000000UI64;
    __declspec(selectany) auto PPE_BASE = ((PDE_BASE & 0x0000FFFFFFFFF000) >> 12) * 8 + PTE_BASE; //0xFFFFF6FB7DA00000UI64;
    __declspec(selectany) auto PXE_BASE = ((PPE_BASE & 0x0000FFFFFFFFF000) >> 12) * 8 + PTE_BASE; //0xFFFFF6FB7DBED000UI64;
    // The PXE that maps the PXE table itself (the self-map slot).
    __declspec(selectany) auto PXE_SELFMAP = ((PXE_BASE & 0x0000FFFFFFFFF000) >> 12) * 8 + PTE_BASE; //0xFFFFF6FB7DBEDF68UI64;

    // Inclusive last address of each self-map level.
    __declspec(selectany) auto PXE_TOP = PXE_BASE + PXE_SIZE - 1;
    __declspec(selectany) auto PPE_TOP = PPE_BASE + PPE_SIZE - 1;
    __declspec(selectany) auto PDE_TOP = PDE_BASE + PDE_SIZE - 1;
    __declspec(selectany) auto PTE_TOP = PTE_BASE + PTE_SIZE - 1;

}

namespace wdk
{

    // Layout of a 64-bit hardware page-table entry: bits 0-11 are the
    // hardware/software flags, bits 12-47 the page frame number, bits 48-51
    // reserved, bits 52-62 a software working-set index and bit 63 NX.
    // The static_assert below pins the size to 8 bytes.
    typedef struct _HARDWARE_PTE
    {
        enum : UINT64 { HARDWARE_PTE_WORKING_SET_BITS = 11 };

        ULONG64 Valid : 1;
        ULONG64 Write : 1; // UP version
        ULONG64 Owner : 1;
        ULONG64 WriteThrough : 1;
        ULONG64 CacheDisable : 1;
        ULONG64 Accessed : 1;
        ULONG64 Dirty : 1;
        ULONG64 LargePage : 1;
        ULONG64 Global : 1;
        ULONG64 CopyOnWrite : 1; // software field
        ULONG64 Prototype : 1; // software field
        ULONG64 reserved0 : 1; // software field
        ULONG64 PageFrameNumber : 36;
        ULONG64 reserved1 : 4;
        ULONG64 SoftwareWsIndex : HARDWARE_PTE_WORKING_SET_BITS;
        ULONG64 NoExecute : 1;
    } HARDWARE_PTE, *PHARDWARE_PTE;
    static_assert(sizeof(HARDWARE_PTE) == 8, "sizeof(HARDWARE_PTE) != 8");

    // Re-seeds the self-map layout from a caller-supplied PTE base and
    // re-derives every dependent base and top with the same arithmetic as
    // the initial values above.
    //
    // aPteBase: virtual address of the target's PTE self-map base.
    //
    // Writes the header-wide globals above with no synchronisation, so it
    // must not run concurrently with the helpers below.
    inline auto MiInitPte(UINT64 aPteBase)
    -> void
    {
        PTE_BASE = aPteBase;
        PDE_BASE = ((PTE_BASE & 0x0000FFFFFFFFF000) >> 12) * 8 + PTE_BASE;
        PPE_BASE = ((PDE_BASE & 0x0000FFFFFFFFF000) >> 12) * 8 + PTE_BASE;
        PXE_BASE = ((PPE_BASE & 0x0000FFFFFFFFF000) >> 12) * 8 + PTE_BASE;
        PXE_SELFMAP = ((PXE_BASE & 0x0000FFFFFFFFF000) >> 12) * 8 + PTE_BASE;

        PXE_TOP = PXE_BASE + PXE_SIZE - 1;
        PPE_TOP = PPE_BASE + PPE_SIZE - 1;
        PDE_TOP = PDE_BASE + PDE_SIZE - 1;
        PTE_TOP = PTE_BASE + PTE_SIZE - 1;
    }

    // Maps a PXE's own address back to the start of the virtual range it
    // describes.  Shifting left by 52 discards everything above the table
    // index (bits 3..11 of the entry address) and parks it in bits 55..63;
    // the right shift by 16 then lands it in bits 39..47, and sign-extends
    // the top bit so the result is a canonical address.
    // NOTE(review): the template arguments of both reinterpret_casts were
    // lost in extraction; the right shift only sign-extends if the inner
    // cast is to a signed 64-bit type -- confirm against the original source.
    inline auto MiPxeToAddress(__in PHARDWARE_PTE aPointerPxe)
    -> void*
    {
        return reinterpret_cast(
            (reinterpret_cast(aPointerPxe) << 52) >> 16);
    }


    // Same as MiPxeToAddress for a PPE: bits 3..20 of the entry address
    // (the PXE+PPE indices) end up in bits 30..47.
    inline auto MiPpeToAddress(__in PHARDWARE_PTE aPointerPpe)
    -> void*
    {
        return reinterpret_cast(
            (reinterpret_cast(aPointerPpe) << 43) >> 16);
    }


    // Same as MiPxeToAddress for a PDE: bits 3..29 of the entry address
    // end up in bits 21..47.
    inline auto MiPdeToAddress(__in PHARDWARE_PTE aPointerPde)
    -> void*
    {
        return reinterpret_cast(
            (reinterpret_cast(aPointerPde) << 34) >> 16);
    }


    // Same as MiPxeToAddress for a PTE: bits 3..38 of the entry address
    // end up in bits 12..47.
    inline auto MiPteToAddress(__in PHARDWARE_PTE aPointerPte)
    -> void*
    {
        return reinterpret_cast(
            (reinterpret_cast(aPointerPte) << 25) >> 16);
    }


    // Address of the PXE that maps aAddress: the level's index bits, already
    // scaled by 8 (the "- 3" in the shift keeps the *8 in place), masked to
    // the 9 PXE index bits and added to the level base.
    inline auto MiAddressToPxe(__in void* aAddress)
    -> PHARDWARE_PTE
    {
        auto Offset = reinterpret_cast(aAddress) >> (PXI_SHIFT - 3);
        Offset &= (0x1FF << 3);
        return reinterpret_cast(PXE_BASE + Offset);
    }


    // Address of the PPE that maps aAddress; the mask keeps 18 index bits
    // (PXE + PPE).
    inline auto MiAddressToPpe(__in void* aAddress)
    -> PHARDWARE_PTE
    {
        auto Offset = reinterpret_cast(aAddress) >> (PPI_SHIFT - 3);
        Offset &= (0x3FFFF << 3);
        return reinterpret_cast(PPE_BASE + Offset);
    }


    // Address of the PDE that maps aAddress; the mask keeps 27 index bits
    // (PXE + PPE + PDE).
    inline auto MiAddressToPde(__in void* aAddress)
    -> PHARDWARE_PTE
    {
        auto Offset = reinterpret_cast(aAddress) >> (PDI_SHIFT - 3);
        Offset &= (0x7FFFFFF << 3);
        return reinterpret_cast(PDE_BASE + Offset);
    }


    // Address of the PTE that maps aAddress; the mask keeps all 36 index
    // bits, so it needs a 64-bit literal.
    inline auto MiAddressToPte(__in void* aAddress)
    -> PHARDWARE_PTE
    {
        auto Offset = reinterpret_cast(aAddress) >> (PTI_SHIFT - 3);
        Offset &= (0xFFFFFFFFFULL << 3);
        return reinterpret_cast(PTE_BASE + Offset);
    }

}
#pragma warning(pop)

-------------------------------------------------------------------------------- /Project/Sunstrider.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27703.2042 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Irritate", "..\Source\Irritate\Irritate.vcxproj", "{46494858-3262-4346-9CCC-038A9572F85C}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Sunstrider", "..\Source\Sunstrider\Sunstrider.vcxproj", "{10D935D1-C3AB-4842-8A92-712FC8C512B6}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PGKd", "..\Source\PGKd\PGKd.vcxproj", "{80EFCE05-799F-4D34-BA50-D6DB3B8641FE}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|ARM = Debug|ARM 15 | Debug|ARM64 = Debug|ARM64 16 | Debug|x64 = Debug|x64 17 | Debug|x86 = Debug|x86 18 | Release|ARM = Release|ARM 19 | Release|ARM64 = Release|ARM64 20 | Release|x64 = Release|x64 21 | Release|x86 = Release|x86 22 | EndGlobalSection 23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 24 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|ARM.ActiveCfg = Debug|ARM 25 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|ARM.Build.0 = Debug|ARM 26 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|ARM.Deploy.0 = Debug|ARM 27 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|ARM64.ActiveCfg = Debug|ARM64 28 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|ARM64.Build.0 = Debug|ARM64 29 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|ARM64.Deploy.0 = Debug|ARM64 30 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|x64.ActiveCfg = Debug|x64 31 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|x64.Build.0 = Debug|x64 32 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|x64.Deploy.0 = Debug|x64 33 | 
{46494858-3262-4346-9CCC-038A9572F85C}.Debug|x86.ActiveCfg = Debug|Win32 34 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|x86.Build.0 = Debug|Win32 35 | {46494858-3262-4346-9CCC-038A9572F85C}.Debug|x86.Deploy.0 = Debug|Win32 36 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|ARM.ActiveCfg = Release|ARM 37 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|ARM.Build.0 = Release|ARM 38 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|ARM.Deploy.0 = Release|ARM 39 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|ARM64.ActiveCfg = Release|ARM64 40 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|ARM64.Build.0 = Release|ARM64 41 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|ARM64.Deploy.0 = Release|ARM64 42 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|x64.ActiveCfg = Release|x64 43 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|x64.Build.0 = Release|x64 44 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|x64.Deploy.0 = Release|x64 45 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|x86.ActiveCfg = Release|Win32 46 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|x86.Build.0 = Release|Win32 47 | {46494858-3262-4346-9CCC-038A9572F85C}.Release|x86.Deploy.0 = Release|Win32 48 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|ARM.ActiveCfg = Debug|ARM 49 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|ARM.Build.0 = Debug|ARM 50 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|ARM.Deploy.0 = Debug|ARM 51 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|ARM64.ActiveCfg = Debug|ARM64 52 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|ARM64.Build.0 = Debug|ARM64 53 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|ARM64.Deploy.0 = Debug|ARM64 54 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|x64.ActiveCfg = Debug|x64 55 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|x64.Build.0 = Debug|x64 56 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|x64.Deploy.0 = Debug|x64 57 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|x86.ActiveCfg = Debug|Win32 58 | 
{10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|x86.Build.0 = Debug|Win32 59 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Debug|x86.Deploy.0 = Debug|Win32 60 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|ARM.ActiveCfg = Release|ARM 61 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|ARM.Build.0 = Release|ARM 62 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|ARM.Deploy.0 = Release|ARM 63 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|ARM64.ActiveCfg = Release|ARM64 64 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|ARM64.Build.0 = Release|ARM64 65 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|ARM64.Deploy.0 = Release|ARM64 66 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|x64.ActiveCfg = Release|x64 67 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|x64.Build.0 = Release|x64 68 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|x64.Deploy.0 = Release|x64 69 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|x86.ActiveCfg = Release|Win32 70 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|x86.Build.0 = Release|Win32 71 | {10D935D1-C3AB-4842-8A92-712FC8C512B6}.Release|x86.Deploy.0 = Release|Win32 72 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Debug|ARM.ActiveCfg = Debug|Win32 73 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Debug|ARM64.ActiveCfg = Debug|Win32 74 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Debug|x64.ActiveCfg = Debug|x64 75 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Debug|x64.Build.0 = Debug|x64 76 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Debug|x86.ActiveCfg = Debug|Win32 77 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Debug|x86.Build.0 = Debug|Win32 78 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Release|ARM.ActiveCfg = Release|Win32 79 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Release|ARM64.ActiveCfg = Release|Win32 80 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Release|x64.ActiveCfg = Release|x64 81 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Release|x64.Build.0 = Release|x64 82 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Release|x86.ActiveCfg = Release|Win32 83 | 
{80EFCE05-799F-4D34-BA50-D6DB3B8641FE}.Release|x86.Build.0 = Release|Win32 84 | EndGlobalSection 85 | GlobalSection(SolutionProperties) = preSolution 86 | HideSolutionNode = FALSE 87 | EndGlobalSection 88 | GlobalSection(ExtensibilityGlobals) = postSolution 89 | SolutionGuid = {D62DE72B-40DB-4A85-8A43-0343CBE38085} 90 | EndGlobalSection 91 | EndGlobal 92 | -------------------------------------------------------------------------------- /Source/PGKd/WDK.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma warning(push) 4 | #pragma warning(disable: 4201) 5 | namespace wdk 6 | { 7 | 8 | enum class SystemVersion : UINT32 9 | { 10 | Unknown, 11 | 12 | WindowsXP, // 5.1.2600 13 | WindowsXP64, // 5.2.3790 14 | 15 | WindowsVista, // 6.0.6000 16 | WindowsVista_SP1, // 6.0.6001 17 | WindowsVista_SP2, // 6.0.6002 18 | 19 | Windows7, // 6.1.7600 20 | Windows7_SP1, // 6.1.7601 21 | 22 | Windows8, // 6.2.9200 23 | 24 | Windows8_1, // 6.3.9600 25 | 26 | Windows10, 27 | Windows10_1507 = Windows10, // 10.0.10240 28 | Windows10_1511, // 10.0.10586 29 | Windows10_1607, // 10.0.14393 30 | Windows10_1703, // 10.0.15063 31 | Windows10_1709, // 10.0.16299 32 | Windows10_1803, // 10.0.17134 33 | Windows10_1809, // 10.0.17741 34 | WindowsMax, 35 | }; 36 | 37 | 38 | typedef enum _POOL_TYPE { 39 | NonPagedPool, 40 | NonPagedPoolExecute = NonPagedPool, 41 | PagedPool, 42 | NonPagedPoolMustSucceed = NonPagedPool + 2, 43 | DontUseThisType, 44 | NonPagedPoolCacheAligned = NonPagedPool + 4, 45 | PagedPoolCacheAligned, 46 | NonPagedPoolCacheAlignedMustS = NonPagedPool + 6, 47 | MaxPoolType, 48 | 49 | // 50 | // Define base types for NonPaged (versus Paged) pool, for use in cracking 51 | // the underlying pool type. 
52 | // 53 | 54 | NonPagedPoolBase = 0, 55 | NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2, 56 | NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4, 57 | NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6, 58 | 59 | // 60 | // Note these per session types are carefully chosen so that the appropriate 61 | // masking still applies as well as MaxPoolType above. 62 | // 63 | 64 | NonPagedPoolSession = 32, 65 | PagedPoolSession = NonPagedPoolSession + 1, 66 | NonPagedPoolMustSucceedSession = PagedPoolSession + 1, 67 | DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1, 68 | NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1, 69 | PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1, 70 | NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1, 71 | 72 | NonPagedPoolNx = 512, 73 | NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4, 74 | NonPagedPoolSessionNx = NonPagedPoolNx + 32, 75 | 76 | } POOL_TYPE; 77 | 78 | typedef union _KIDTENTRY64 { 79 | struct { 80 | UINT16 OffsetLow; 81 | UINT16 Selector; 82 | UINT16 IstIndex : 3; 83 | UINT16 Reserved0 : 5; 84 | UINT16 Type : 5; 85 | UINT16 Dpl : 2; 86 | UINT16 Present : 1; 87 | UINT16 OffsetMiddle; 88 | UINT32 OffsetHigh; 89 | UINT32 Reserved1; 90 | }; 91 | 92 | UINT64 Alignment; 93 | } KIDTENTRY64, *PKIDTENTRY64; 94 | 95 | typedef struct _POOL_TRACKER_BIG_PAGES 96 | { 97 | PVOID Va; 98 | ULONG Tag; 99 | ULONG PoolType; 100 | SIZE_T NumberOfBytes; 101 | } POOL_TRACKER_BIG_PAGES, *PPOOL_TRACKER_BIG_PAGES; 102 | static_assert(sizeof(POOL_TRACKER_BIG_PAGES) == 0x18, "sizeof(POOL_TRACKER_BIG_PAGES) != 0x18"); 103 | 104 | typedef struct _MMPFN 105 | { 106 | union { 107 | UINT64 Flink; 108 | ULONG32 WsIndex; // WorkSet Index 109 | struct _KEVENT * Event; 110 | VOID* Next; 111 | VOID* VolatileNext; 112 | struct _KTHREAD * KernelStackOwner; 113 | SINGLE_LIST_ENTRY NextStackPfn; 114 | } u1; 115 | 116 | union { 117 | UINT64 Blink; 118 | struct _MMPTE * ImageProtoPte; 119 | 
UINT64 ShareCount; 120 | } u2; 121 | 122 | union { 123 | struct _MMPTE * PteAddress; 124 | VOID * VolatilePteAddress; 125 | LONG32 Lock; 126 | UINT64 PteLong; 127 | }; 128 | 129 | UINT64 DontUseThis[3]; 130 | 131 | } MMPFN, *PMMPFN; 132 | static_assert(sizeof(MMPFN) == sizeof(void *) * 6, "sizeof(MMPFN) != sizeof(void *) * 6"); 133 | 134 | 135 | namespace build_10240 136 | { 137 | typedef struct _POOL_TRACKER_BIG_PAGES 138 | { 139 | PVOID Va; 140 | ULONG Tag; 141 | struct 142 | { 143 | ULONG Pattern : 8; 144 | ULONG PoolType : 12; 145 | ULONG SlushSize : 12; 146 | }; 147 | SIZE_T NumberOfBytes; 148 | } POOL_TRACKER_BIG_PAGES, *PPOOL_TRACKER_BIG_PAGES; 149 | static_assert(sizeof(POOL_TRACKER_BIG_PAGES) == 0x18, "sizeof(build_10240::POOL_TRACKER_BIG_PAGES) != 0x18"); 150 | 151 | typedef struct _MMPFN 152 | { 153 | union { 154 | LIST_ENTRY ListEntry; 155 | //struct _RTL_BALANCED_NODE TreeNode; // sizeof(_RTL_BALANCED_NODE) == 24 156 | struct 157 | { 158 | union { 159 | struct 160 | { 161 | UINT64 Flink : 36; 162 | UINT64 NodeFlinkHigh : 28; 163 | }; 164 | UINT64 WsIndex; // WorkSet Index 165 | struct _KEVENT *Event; 166 | VOID * Next; 167 | VOID * VolatileNext; 168 | struct _KTHREAD*KernelStackOwner; 169 | SINGLE_LIST_ENTRY NextStackPfn; 170 | } u1; 171 | 172 | union { 173 | struct _MMPTE * PteAddress; 174 | VOID * VolatilePteAddress; 175 | UINT64 PteLong; 176 | }; 177 | 178 | UINT64 OriginalPte; 179 | }; // sizeof(unname) == 24 180 | }; 181 | 182 | UINT64 DontUseThis[3]; 183 | 184 | } MMPFN, *PMMPFN; 185 | static_assert(sizeof(MMPFN) == sizeof(void *) * 6, "sizeof(build_10240::MMPFN) != sizeof(void *) * 6"); 186 | 187 | } 188 | 189 | 190 | } 191 | #pragma warning(pop) 192 | 193 | #include "WDK.PTE.h" 194 | #include "WDK.PGContext.h" 195 | -------------------------------------------------------------------------------- /Source/PGKd/PGKd.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 
| #include 6 | #include 7 | 8 | namespace Sunstrider 9 | { 10 | 11 | struct RandomnessInfo 12 | { 13 | ULONG NumberOfDistinctiveNumbers; 14 | ULONG Ramdomness; 15 | }; 16 | 17 | // Returns the number of 0x00 and 0xff in the given range 18 | auto GetNumberOfDistinctiveNumbers( 19 | __in PVOID aAddress, 20 | __in SIZE_T aSize) 21 | -> ULONG; 22 | 23 | // Returns the number of unique bytes in the given range. 24 | // For example, it returns 3 for the following bytes 25 | // 00 01 01 02 02 00 02 26 | auto GetRamdomness( 27 | __in PVOID aAddress, 28 | __in SIZE_T aSize) 29 | -> ULONG; 30 | 31 | 32 | class PGKd : public ExtExtension 33 | { 34 | // The number of bytes to examine to calculate the number of distinctive 35 | // bytes and randomness 36 | static constexpr auto EXAMINATION_BYTES = 100; 37 | 38 | // It is not a PatchGuard page if the number of distinctive bytes are bigger 39 | // than this number 40 | static constexpr auto MAXIMUM_DISTINCTIVE_NUMBER = 5; 41 | 42 | // It is not a PatchGuard page if randomness is smaller than this number 43 | static constexpr auto MINIMUM_RANDOMNESS = 50; 44 | 45 | // It is not a PatchGuard page if the size of the page is smaller than this 46 | static constexpr auto MINIMUM_REGION_SIZE = 0x004000; 47 | 48 | // It is not a PatchGuard page if the size of the page is larger than this 49 | static constexpr auto MAXIMUM_REGION_SIZE = 0xf00000; 50 | 51 | // PG$VerifictionPatchGuardImpl 52 | // (CmpAppendDllSection : call rax ; rax == PG$VerifictionPatchGuardImpl) 53 | // 54 | // INITKDBG : 00000001402F2995 48 B8 E8 B4 C8 91 58 3F A0 A3 mov rax, 0A3A03F5891C8B4E8h 55 | // INITKDBG : 00000001402F299F 48 03 C7 add rax, rdi 56 | // INITKDBG : 00000001402F29A2 48 89 87 98 07 00 00 mov[rdi + 798h], rax 57 | // INITKDBG : 00000001402F29A9 48 B8 15 34 45 E4 DE 4B B7 B3 mov rax, 0B3B74BDEE4453415h 58 | // INITKDBG : 00000001402F29B3 48 03 C3 add rax, rbx 59 | // INITKDBG : 00000001402F29B6 48 89 87 A0 07 00 00 mov[rdi + 7A0h], rax 60 | 61 | 
static constexpr auto BUGCHECK_109_ARGS0_KEY = 0xA3A03F5891C8B4E8UI64; 62 | static constexpr auto BUGCHECK_109_ARGS1_KEY = 0xB3B74BDEE4453415UI64; 63 | 64 | public: 65 | virtual auto Initialize() 66 | -> HRESULT override; 67 | 68 | EXT_COMMAND_METHOD(findpg); 69 | EXT_COMMAND_METHOD(analyzepg); 70 | EXT_COMMAND_METHOD(dumppg); 71 | 72 | auto _EFN_Analyze( 73 | PDEBUG_CLIENT4 aClient, 74 | FA_EXTENSION_PLUGIN_PHASE aCallPhase, 75 | PDEBUG_FAILURE_ANALYSIS2 aAnalysis) 76 | -> HRESULT; 77 | 78 | private: 79 | auto GetSystemVersion(PDEBUG_CONTROL aDbgControl = nullptr, std::string* aTarget = nullptr) 80 | -> wdk::SystemVersion; 81 | 82 | auto IsWindows10OrGreater() 83 | -> bool; 84 | 85 | auto IsWindowsRS1OrGreater() 86 | -> bool; 87 | 88 | auto GetPfnDatabase() 89 | -> UINT64; 90 | 91 | auto GetPteBase() 92 | -> UINT64; 93 | 94 | auto GetPtes(UINT64 aPteBase) 95 | -> std::unique_ptr>; 96 | 97 | auto IsNonPagedBigPool(const wdk::POOL_TRACKER_BIG_PAGES& aEntry) 98 | -> bool; 99 | 100 | auto IsPageValidReadWriteExecutable(UINT64 aPteAddress) 101 | -> bool; 102 | 103 | auto IsPatchGuardPageAttribute(UINT64 aPageBase) 104 | -> bool; 105 | 106 | auto FindPatchGuardContextFromBigPagePool() 107 | -> std::vector >; 108 | 109 | auto FindPatchGuardContextFromIndependentPages() 110 | -> std::vector >; 111 | 112 | auto FindPatchGuardContext() 113 | -> HRESULT; 114 | 115 | auto GetPGContextTypeString( 116 | UINT64 aErrorWasFound, 117 | UINT64 aTypeOfCorruption) 118 | -> LPCSTR; 119 | 120 | auto DumpPatchGuardContextForType106( 121 | UINT64 aFailureDependent) 122 | -> void; 123 | 124 | template 125 | auto DumpPatchGuardContext( 126 | UINT64 aPGContext, 127 | UINT64 aPGReason, 128 | UINT64 aFailureDependent, 129 | UINT64 aTypeOfCorruption, 130 | T& aContext) 131 | ->HRESULT; 132 | 133 | template 134 | auto DumpPatchGuardImpl( 135 | UINT64 aPGContext, 136 | UINT64 aPGReason, 137 | UINT64 aFailureDependent, 138 | UINT64 aTypeOfCorruption) 139 | -> HRESULT; 140 | 141 | auto 
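DumpPatchGuard(
    UINT64 aPGContext,        // BugCheckArgs[0]
    UINT64 aPGReason,         // BugCheckArgs[1]
    UINT64 aFailureDependent, // BugCheckArgs[2]
    UINT64 aTypeOfCorruption, // BugCheckArgs[3]
    bool aNeedBugCheckBanner = false)
    -> HRESULT;
};

// Reads a PatchGuard context of type PGContextT from the target at
// aPGContext and hands it to DumpPatchGuardContext().
//
// aPGContext:        BugCheckArgs[0] -- target address of the context, or 0
// aPGReason:         BugCheckArgs[1]
// aFailureDependent: BugCheckArgs[2]
// aTypeOfCorruption: BugCheckArgs[3]
//
// Returns S_OK for the type 0x106 path (there is no context to read), the
// ReadVirtual error when the address is unreadable, E_FAIL when the read
// came back short, and otherwise whatever DumpPatchGuardContext() returns.
template <typename PGContextT>
inline auto PGKd::DumpPatchGuardImpl(
    UINT64 aPGContext,
    UINT64 aPGReason,
    UINT64 aFailureDependent,
    UINT64 aTypeOfCorruption)
    -> HRESULT
{
    // In the case of type 0x106 (CcBcbProfiler), neither the address of the
    // PatchGuard context nor the address of the validation structure are
    // given (they do not exist), so there is nothing to read.
    if (0 == aPGContext &&
        0 == aPGReason &&
        0x106 == aTypeOfCorruption)
    {
        DumpPatchGuardContextForType106(aFailureDependent);
        return S_OK;
    }

    auto vReadBytes = 0ul;
    auto vPGContext = std::make_unique<PGContextT>();   // value-initialised
    auto hr = m_Data->ReadVirtual(aPGContext, vPGContext.get(), sizeof(PGContextT), &vReadBytes);
    if (FAILED(hr))
    {
        Err("The given address 0x%016I64x is not readable. [DumpPatchGuard]\n",
            aPGContext);
        return hr;
    }

    // vReadBytes reports how much was actually copied.  Anything short of the
    // full struct would leave the tail of vPGContext at its initial value and
    // produce a misleading dump, so it is treated as a failure.
    if (vReadBytes != sizeof(PGContextT))
    {
        Err("Only 0x%lx of 0x%lx bytes were readable at 0x%016I64x. [DumpPatchGuard]\n",
            vReadBytes,
            static_cast<unsigned long>(sizeof(PGContextT)),
            aPGContext);
        return E_FAIL;
    }

    return DumpPatchGuardContext(aPGContext, aPGReason, aFailureDependent, aTypeOfCorruption, *vPGContext);
}

}

#undef EXT_CLASS
#define EXT_CLASS ::Sunstrider::PGKd

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
                   GNU LESSER GENERAL PUBLIC LICENSE
                       Version 3, 29 June 2007

 Copyright (C) 2007 Free Software Foundation, Inc.
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.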
7 | 8 | 9 | This version of the GNU Lesser General Public License incorporates 10 | the terms and conditions of version 3 of the GNU General Public 11 | License, supplemented by the additional permissions listed below. 12 | 13 | 0. Additional Definitions. 14 | 15 | As used herein, "this License" refers to version 3 of the GNU Lesser 16 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 17 | General Public License. 18 | 19 | "The Library" refers to a covered work governed by this License, 20 | other than an Application or a Combined Work as defined below. 21 | 22 | An "Application" is any work that makes use of an interface provided 23 | by the Library, but which is not otherwise based on the Library. 24 | Defining a subclass of a class defined by the Library is deemed a mode 25 | of using an interface provided by the Library. 26 | 27 | A "Combined Work" is a work produced by combining or linking an 28 | Application with the Library. The particular version of the Library 29 | with which the Combined Work was made is also called the "Linked 30 | Version". 31 | 32 | The "Minimal Corresponding Source" for a Combined Work means the 33 | Corresponding Source for the Combined Work, excluding any source code 34 | for portions of the Combined Work that, considered in isolation, are 35 | based on the Application, and not on the Linked Version. 36 | 37 | The "Corresponding Application Code" for a Combined Work means the 38 | object code and/or source code for the Application, including any data 39 | and utility programs needed for reproducing the Combined Work from the 40 | Application, but excluding the System Libraries of the Combined Work. 41 | 42 | 1. Exception to Section 3 of the GNU GPL. 43 | 44 | You may convey a covered work under sections 3 and 4 of this License 45 | without being bound by section 3 of the GNU GPL. 46 | 47 | 2. Conveying Modified Versions. 
48 | 49 | If you modify a copy of the Library, and, in your modifications, a 50 | facility refers to a function or data to be supplied by an Application 51 | that uses the facility (other than as an argument passed when the 52 | facility is invoked), then you may convey a copy of the modified 53 | version: 54 | 55 | a) under this License, provided that you make a good faith effort to 56 | ensure that, in the event an Application does not supply the 57 | function or data, the facility still operates, and performs 58 | whatever part of its purpose remains meaningful, or 59 | 60 | b) under the GNU GPL, with none of the additional permissions of 61 | this License applicable to that copy. 62 | 63 | 3. Object Code Incorporating Material from Library Header Files. 64 | 65 | The object code form of an Application may incorporate material from 66 | a header file that is part of the Library. You may convey such object 67 | code under terms of your choice, provided that, if the incorporated 68 | material is not limited to numerical parameters, data structure 69 | layouts and accessors, or small macros, inline functions and templates 70 | (ten or fewer lines in length), you do both of the following: 71 | 72 | a) Give prominent notice with each copy of the object code that the 73 | Library is used in it and that the Library and its use are 74 | covered by this License. 75 | 76 | b) Accompany the object code with a copy of the GNU GPL and this license 77 | document. 78 | 79 | 4. Combined Works. 80 | 81 | You may convey a Combined Work under terms of your choice that, 82 | taken together, effectively do not restrict modification of the 83 | portions of the Library contained in the Combined Work and reverse 84 | engineering for debugging such modifications, if you also do each of 85 | the following: 86 | 87 | a) Give prominent notice with each copy of the Combined Work that 88 | the Library is used in it and that the Library and its use are 89 | covered by this License. 
90 | 91 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 92 | document. 93 | 94 | c) For a Combined Work that displays copyright notices during 95 | execution, include the copyright notice for the Library among 96 | these notices, as well as a reference directing the user to the 97 | copies of the GNU GPL and this license document. 98 | 99 | d) Do one of the following: 100 | 101 | 0) Convey the Minimal Corresponding Source under the terms of this 102 | License, and the Corresponding Application Code in a form 103 | suitable for, and under terms that permit, the user to 104 | recombine or relink the Application with a modified version of 105 | the Linked Version to produce a modified Combined Work, in the 106 | manner specified by section 6 of the GNU GPL for conveying 107 | Corresponding Source. 108 | 109 | 1) Use a suitable shared library mechanism for linking with the 110 | Library. A suitable mechanism is one that (a) uses at run time 111 | a copy of the Library already present on the user's computer 112 | system, and (b) will operate properly with a modified version 113 | of the Library that is interface-compatible with the Linked 114 | Version. 115 | 116 | e) Provide Installation Information, but only if you would otherwise 117 | be required to provide such information under section 6 of the 118 | GNU GPL, and only to the extent that such information is 119 | necessary to install and execute a modified version of the 120 | Combined Work produced by recombining or relinking the 121 | Application with a modified version of the Linked Version. (If 122 | you use option 4d0, the Installation Information must accompany 123 | the Minimal Corresponding Source and Corresponding Application 124 | Code. If you use option 4d1, you must provide the Installation 125 | Information in the manner specified by section 6 of the GNU GPL 126 | for conveying Corresponding Source.) 127 | 128 | 5. Combined Libraries. 
129 | 130 | You may place library facilities that are a work based on the 131 | Library side by side in a single library together with other library 132 | facilities that are not Applications and are not covered by this 133 | License, and convey such a combined library under terms of your 134 | choice, if you do both of the following: 135 | 136 | a) Accompany the combined library with a copy of the same work based 137 | on the Library, uncombined with any other library facilities, 138 | conveyed under the terms of this License. 139 | 140 | b) Give prominent notice with the combined library that part of it 141 | is a work based on the Library, and explaining where to find the 142 | accompanying uncombined form of the same work. 143 | 144 | 6. Revised Versions of the GNU Lesser General Public License. 145 | 146 | The Free Software Foundation may publish revised and/or new versions 147 | of the GNU Lesser General Public License from time to time. Such new 148 | versions will be similar in spirit to the present version, but may 149 | differ in detail to address new problems or concerns. 150 | 151 | Each version is given a distinguishing version number. If the 152 | Library as you received it specifies that a certain numbered version 153 | of the GNU Lesser General Public License "or any later version" 154 | applies to it, you have the option of following the terms and 155 | conditions either of that published version or of any later version 156 | published by the Free Software Foundation. If the Library as you 157 | received it does not specify a version number of the GNU Lesser 158 | General Public License, you may choose any version of the GNU Lesser 159 | General Public License ever published by the Free Software Foundation. 
160 | 161 | If the Library as you received it specifies that a proxy can decide 162 | whether future versions of the GNU Lesser General Public License shall 163 | apply, that proxy's public statement of acceptance of any version is 164 | permanent authorization for you to choose that version for the 165 | Library. 166 | -------------------------------------------------------------------------------- /Source/Sunstrider/Sunstrider.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {10D935D1-C3AB-4842-8A92-712FC8C512B6} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | Sunstrider 45 | $(LatestTargetPlatformVersion) 46 | 47 | 48 | 49 | Windows7 50 | true 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | WDM 54 | Desktop 55 | 56 | 57 | Windows7 58 | false 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | WDM 62 | Desktop 63 | 64 | 65 | Windows7 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | WDM 70 | Desktop 71 | 72 | 73 | Windows7 74 | false 75 | WindowsKernelModeDriver10.0 76 | Driver 77 | WDM 78 | Desktop 79 | 80 | 81 | Windows10 82 | true 83 | WindowsKernelModeDriver10.0 84 | Driver 85 | KMDF 86 | Universal 87 | 88 | 89 | Windows10 90 | false 91 | WindowsKernelModeDriver10.0 92 | Driver 93 | KMDF 94 | Universal 95 | 96 | 97 | Windows10 98 | true 99 | WindowsKernelModeDriver10.0 100 | Driver 101 | KMDF 102 | Universal 103 | 104 | 105 | Windows10 106 | false 107 | WindowsKernelModeDriver10.0 108 | Driver 109 | KMDF 110 | Universal 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | DbgengKernelDebugger 122 | $(SolutionDir)..\Output\$(Configuration)\ 123 | 
$(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 124 | $(TargetName.Replace(' ','')).$(PlatformTarget) 125 | true 126 | 127 | 128 | DbgengKernelDebugger 129 | $(SolutionDir)..\Output\$(Configuration)\ 130 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 131 | $(TargetName.Replace(' ','')).$(PlatformTarget) 132 | true 133 | 134 | 135 | DbgengKernelDebugger 136 | $(SolutionDir)..\Output\$(Configuration)\ 137 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 138 | $(TargetName.Replace(' ','')).$(PlatformTarget) 139 | true 140 | 141 | 142 | DbgengKernelDebugger 143 | $(SolutionDir)..\Output\$(Configuration)\ 144 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 145 | $(TargetName.Replace(' ','')).$(PlatformTarget) 146 | true 147 | 148 | 149 | DbgengKernelDebugger 150 | 151 | 152 | DbgengKernelDebugger 153 | 154 | 155 | DbgengKernelDebugger 156 | 157 | 158 | DbgengKernelDebugger 159 | 160 | 161 | 162 | true 163 | 164 | 165 | 166 | 167 | stdcpp17 168 | Use 169 | true 170 | WPPTrace.h 171 | true 172 | false 173 | 174 | 175 | 176 | 177 | true 178 | 179 | 180 | 181 | 182 | stdcpp17 183 | Use 184 | true 185 | WPPTrace.h 186 | true 187 | 188 | 189 | 190 | 191 | true 192 | 193 | 194 | 195 | 196 | stdcpp17 197 | Use 198 | true 199 | WPPTrace.h 200 | true 201 | false 202 | 203 | 204 | 205 | 206 | true 207 | 208 | 209 | 210 | 211 | stdcpp17 212 | Use 213 | true 214 | WPPTrace.h 215 | true 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | Create 228 | Create 229 | Create 230 | Create 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | -------------------------------------------------------------------------------- /Source/PGKd/PGKd.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {80EFCE05-799F-4D34-BA50-D6DB3B8641FE} 24 | 
Win32Proj 25 | pgkd 26 | 10.0.17134.0 27 | PGKd 28 | 29 | 30 | 31 | DynamicLibrary 32 | true 33 | v141 34 | Unicode 35 | 36 | 37 | DynamicLibrary 38 | false 39 | v141 40 | true 41 | Unicode 42 | 43 | 44 | DynamicLibrary 45 | true 46 | v141 47 | Unicode 48 | 49 | 50 | DynamicLibrary 51 | false 52 | v141 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | $(SolutionDir)..\Output\$(Configuration)\ 77 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 78 | NativeRecommendedRules.ruleset 79 | true 80 | 81 | 82 | true 83 | NativeRecommendedRules.ruleset 84 | true 85 | $(SolutionDir)..\Output\$(Configuration)\ 86 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 87 | 88 | 89 | false 90 | NativeRecommendedRules.ruleset 91 | false 92 | $(SolutionDir)..\Output\$(Configuration)\ 93 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 94 | 95 | 96 | false 97 | NativeRecommendedRules.ruleset 98 | false 99 | $(SolutionDir)..\Output\$(Configuration)\ 100 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 101 | 102 | 103 | 104 | Use 105 | Level4 106 | Disabled 107 | true 108 | _DEBUG;PGKD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 109 | true 110 | true 111 | $(ProjectDir)Debuggers\inc\ 112 | 113 | 114 | Windows 115 | true 116 | pgkd.def 117 | 118 | 119 | Copy PGKd.alz $(OutputPath)PGKd.alz 120 | 121 | 122 | Copy PGkd.alz 123 | 124 | 125 | 126 | 127 | Use 128 | Level4 129 | Disabled 130 | true 131 | WIN32;_DEBUG;PGKD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 132 | true 133 | true 134 | $(ProjectDir)Debuggers\inc\ 135 | 136 | 137 | Windows 138 | true 139 | pgkd.def 140 | 141 | 142 | Copy PGKd.alz $(OutputPath)PGKd.alz 143 | 144 | 145 | Copy PGkd.alz 146 | 147 | 148 | 149 | 150 | Use 151 | Level4 152 | MaxSpeed 153 | true 154 | true 155 | true 156 | WIN32;NDEBUG;PGKD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 157 | true 158 | false 159 | 
$(ProjectDir)Debuggers\inc\ 160 | 161 | 162 | Windows 163 | true 164 | true 165 | true 166 | pgkd.def 167 | 168 | 169 | Copy PGKd.alz $(OutputPath)PGKd.alz 170 | 171 | 172 | Copy PGkd.alz 173 | 174 | 175 | 176 | 177 | Use 178 | Level4 179 | MaxSpeed 180 | true 181 | true 182 | true 183 | NDEBUG;PGKD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 184 | true 185 | false 186 | $(ProjectDir)Debuggers\inc\ 187 | 188 | 189 | Windows 190 | true 191 | true 192 | true 193 | pgkd.def 194 | 195 | 196 | Copy PGKd.alz $(OutputPath)PGKd.alz 197 | 198 | 199 | Copy PGkd.alz 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | NotUsing 220 | NotUsing 221 | NotUsing 222 | NotUsing 223 | 224 | 225 | 226 | 227 | 228 | Create 229 | Create 230 | Create 231 | Create 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | -------------------------------------------------------------------------------- /Source/Irritate/Irritate.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | Debug 22 | ARM 23 | 24 | 25 | Release 26 | ARM 27 | 28 | 29 | Debug 30 | ARM64 31 | 32 | 33 | Release 34 | ARM64 35 | 36 | 37 | 38 | {46494858-3262-4346-9CCC-038A9572F85C} 39 | {1bc93793-694f-48fe-9372-81e2b05556fd} 40 | v4.5 41 | 12.0 42 | Debug 43 | Win32 44 | Irritate 45 | $(LatestTargetPlatformVersion) 46 | 47 | 48 | 49 | Windows7 50 | true 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | WDM 54 | Desktop 55 | 56 | 57 | Windows7 58 | false 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | WDM 62 | Desktop 63 | 64 | 65 | Windows7 66 | true 67 | WindowsKernelModeDriver10.0 68 | Driver 69 | WDM 70 | Desktop 71 | 72 | 73 | Windows7 74 | false 75 | WindowsKernelModeDriver10.0 76 | Driver 77 | WDM 78 | Desktop 79 | 80 | 81 | Windows10 82 | true 83 | 
WindowsKernelModeDriver10.0 84 | Driver 85 | KMDF 86 | Universal 87 | 88 | 89 | Windows10 90 | false 91 | WindowsKernelModeDriver10.0 92 | Driver 93 | KMDF 94 | Universal 95 | 96 | 97 | Windows10 98 | true 99 | WindowsKernelModeDriver10.0 100 | Driver 101 | KMDF 102 | Universal 103 | 104 | 105 | Windows10 106 | false 107 | WindowsKernelModeDriver10.0 108 | Driver 109 | KMDF 110 | Universal 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | DbgengKernelDebugger 122 | $(SolutionDir)..\Output\$(Configuration)\ 123 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 124 | $(TargetName.Replace(' ','')).$(PlatformTarget) 125 | true 126 | true 127 | false 128 | 129 | 130 | DbgengKernelDebugger 131 | $(SolutionDir)..\Output\$(Configuration)\ 132 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 133 | $(TargetName.Replace(' ','')).$(PlatformTarget) 134 | true 135 | true 136 | false 137 | 138 | 139 | DbgengKernelDebugger 140 | $(SolutionDir)..\Output\$(Configuration)\ 141 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 142 | $(TargetName.Replace(' ','')).$(PlatformTarget) 143 | true 144 | true 145 | false 146 | 147 | 148 | DbgengKernelDebugger 149 | $(SolutionDir)..\Output\$(Configuration)\ 150 | $(ProjectName).dir\$(Configuration)\$(PlatformTarget)\ 151 | $(TargetName.Replace(' ','')).$(PlatformTarget) 152 | true 153 | true 154 | false 155 | 156 | 157 | DbgengKernelDebugger 158 | 159 | 160 | DbgengKernelDebugger 161 | 162 | 163 | DbgengKernelDebugger 164 | 165 | 166 | DbgengKernelDebugger 167 | 168 | 169 | 170 | $(SolutionDir)..\Source\;%(AdditionalIncludeDirectories) 171 | true 172 | stdcpp17 173 | Use 174 | true 175 | WPPTrace.h 176 | true 177 | false 178 | 179 | 180 | tracepdb.exe -f $(OutDir)$(TargetName).pdb -p $(OutDir) 181 | 182 | 183 | Generate tmf 184 | 185 | 186 | 187 | 188 | $(SolutionDir)..\Source\;%(AdditionalIncludeDirectories) 189 | true 190 | stdcpp17 191 | Use 192 | true 193 | WPPTrace.h 194 | true 195 | 196 | 197 | 
tracepdb.exe -f $(OutDir)$(TargetName).pdb -p $(OutDir) 198 | 199 | 200 | Generate tmf 201 | 202 | 203 | 204 | 205 | $(SolutionDir)..\Source\;%(AdditionalIncludeDirectories) 206 | true 207 | stdcpp17 208 | Use 209 | true 210 | WPPTrace.h 211 | true 212 | false 213 | 214 | 215 | tracepdb.exe -f $(OutDir)$(TargetName).pdb -p $(OutDir) 216 | 217 | 218 | Generate tmf 219 | 220 | 221 | 222 | 223 | $(SolutionDir)..\Source\;%(AdditionalIncludeDirectories) 224 | true 225 | stdcpp17 226 | Use 227 | true 228 | WPPTrace.h 229 | true 230 | 231 | 232 | tracepdb.exe -f $(OutDir)$(TargetName).pdb -p $(OutDir) 233 | 234 | 235 | Generate tmf 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | Create 249 | Create 250 | Create 251 | Create 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | -------------------------------------------------------------------------------- /Source/PGKd/WDK.PGContext.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | #pragma warning(push) 5 | #pragma warning(disable: 4201) 6 | namespace wdk 7 | { 8 | 9 | #define __Append$(x, y) x##y 10 | #define Append$(x, y) __Append$(x, y) 11 | #define AutoInc$(x) Append$(x, __COUNTER__) 12 | #define Unkonwn$ AutoInc$(_Unknown) 13 | 14 | 15 | struct PGProtectCode 16 | { 17 | UINT64 Routine; 18 | UINT64 RoutineBytes; 19 | }; 20 | 21 | struct PGProtectValue 22 | { 23 | UINT64 Address; 24 | UINT64 Value; 25 | }; 26 | 27 | struct PGProtectCode2 28 | { 29 | UINT64 Unkonwn$; 30 | UINT64 Routine; 31 | UINT32 RoutineBytes; 32 | UINT32 Unkonwn$; 33 | UINT64 Unkonwn$; 34 | UINT64 Reserved[2]; 35 | }; 36 | 37 | struct PGHashValidationBlock 38 | { 39 | UINT64 Unkonwn$; 40 | UINT64 Address; 41 | UINT32 Bytes; 42 | UINT32 Hash; 43 | UINT64 Unkonwn$; 44 | UINT64 Unkonwn$; 45 | UINT64 Unkonwn$; 46 | }; 47 | 48 | template 49 | struct PGProtectString 50 | { 51 | UINT32 Bytes; // UINT64 * (2 + Count) 52 | UINT32 Unkonwn$; 53 | 
UINT64 Flags;
UINT64 Strings[_NumberOfStrs];   // _NumberOfStrs 8-byte slots following the header fields
};

// ---------------------------------------------------------------------------
// Per-build layouts of the PatchGuard (PG) context, as reverse-engineered.
//
// Each build_* namespace below describes the context for one NT build number.
// The layouts differ from build to build (fields are added, removed and
// reordered), so anything that reads a context must dispatch on the exact
// build and treat an unknown build as "layout unknown" rather than reusing
// the nearest one.
//
// Most members are UINT64 slots named after an nt symbol; presumably each slot
// holds the address of the like-named routine or variable, but the names come
// from the reversing work, not from any public header — treat them as
// best-effort labels. `Unkonwn$` (defined at the top of this file) expands via
// __COUNTER__ to a unique `_UnknownN` placeholder for a slot whose meaning has
// not been identified.
// ---------------------------------------------------------------------------

namespace build_7600
{
    // Fixed prefix shared by the 7600/7601/9200/9600 layouts.
    struct PGContextHeader
    {
        enum : UINT32
        {
            VerificationFunctionBytes = 0xC4
        };

        UINT8 PatchGuardVerification[VerificationFunctionBytes];   // first 0xC4 bytes of the context
        UINT32 ContextSizeInQWord;   // context size, presumably in 8-byte units (from the name — confirm)
    };

    struct PGContext : public PGContextHeader
    {
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExfAcquirePushLockExclusive;
        UINT64 ExfReleasePushLockExclusive;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockShared;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;
        UINT64 KeLeaveGuardedRegion;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 ExReleaseSpinLockShared;
        UINT64 KeRevertToUserAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetTimer;
        UINT64 LdrResFindResource;
        UINT64 MmDbgCopyMemory;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlAssert;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 DbgPrintEx;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 SwapContext;
        UINT64 EnlightenedSwapContext;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 WorkerRoutine;
        UINT64 WorkerRoutineContext;
        UINT32 Unkonwn$;
        UINT32 Unkonwn$;
        UINT64 Prcb;
        UINT64 PGPageBase;
        UINT64 DcpRoutineToBeScheduled; // E.g nt!ExpTimeZoneDpcRoutine

        UINT32 Unkonwn$;
        UINT32 Unkonwn$;

        // Offsets (not addresses) of routines inside the context; the names
        // say which nt routine each offset is believed to locate.
        UINT32 OffsetOfPGSelfValidation; // nt!PGSelfValidation
        UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx
        UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb
        UINT32 OffsetOfPGProtectCode2Table; // PGProtectCode2[?]

        UINT64 Unkonwn$[7];

        KIDTENTRY64 PGProtectIDTItems[3];   // three IDT entries carried in the context

        UINT64 Unkonwn$;

        // Bug-check state. NOTE(review): Arg3 is listed before Arg2 in every
        // build in this file; presumably this mirrors the reversed layout —
        // confirm before relying on the field order. `IsTiggerPG` is a
        // misspelling of "trigger" but is part of the public field set.
        UINT64 IsTiggerPG;
        UINT64 BugCheckArg0;
        UINT64 BugCheckArg1;
        UINT64 BugCheckArg3;
        UINT64 BugCheckArg2;

        UINT64 Unkonwn$;

        UINT32 NumberOfProtectCodes;
        UINT32 NumberOfProtectValues;

        // Variable-length tails follow the fixed part; they are kept as
        // comments because their size depends on the two counts above.
        // PGProtectCode ProtectCodes[NumberOfProtectCodes];
        // PGProtectValue ProtectValues[NumberOfProtectValues];
    };
    // Only the 7600 layout carries a size check; a wrong field count in the
    // later builds is not caught at compile time.
    static_assert(sizeof(PGContext) == 0x340, "sizeof(PGContext) != 0x340");

}

namespace build_7601
{
    // 7601 shares the 7600 layout unchanged; names resolve through the
    // using-directive.
    using namespace build_7600;
}

namespace build_9200
{
    using PGContextHeader = build_7601::PGContextHeader;

    struct PGContext : public PGContextHeader
    {
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExfAcquirePushLockExclusive;
        UINT64 ExfReleasePushLockExclusive;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockShared;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;
        UINT64 KeLeaveGuardedRegion;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 ExReleaseSpinLockShared;
        UINT64 KeRevertToUserAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetCoalescableTimer;
        UINT64 LdrResFindResource;
        UINT64 MmDbgCopyMemory;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 RtlLookupFunctionEntry;
        UINT64 KeAcquireSpinLockRaiseToDpc;
        UINT64 KeReleaseSpinLock;
        UINT64 MmGetSessionById;
        UINT64 MmGetNextSession;
        UINT64 MmQuitNextSession;
        UINT64 MmAttachSession;
        UINT64 MmDetachSession;
        UINT64 MmGetSessionIdEx;
        UINT64 KeInsertQueueApc;
        UINT64 KeWaitForSingleObject;
        UINT64 PsCreateSystemThread; // ?? (identification uncertain in the original notes)
        UINT64 ExReferenceCallBackBlock;
        UINT64 ExGetCallBackBlockRoutine;
        UINT64 ExDereferenceCallBackBlock;
        UINT64 KiScbQueueScanWorker;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 SwapContext;
        UINT64 EnlightenedSwapContext;
        UINT64 Unkonwn$;
        UINT64 ExpUuidLock;
        UINT64 AlpcpPortListLock;
        UINT64 KeServiceDescriptorTable;
        UINT64 KeServiceDescriptorTableShadow;
        UINT64 VfThunksExtended;
        UINT64 PsWin32CallBack;
        UINT64 Unkonwn$; // Global-Var In KiMarkBugCheckRegions;
        UINT64 KiTableInformation;
        UINT64 KxUnexpectedInterrupt0;
        UINT64 Unkonwn$[2];
        UINT64 Unkonwn$;
        UINT64 ExNode0ListEntry; // &ExNode0.ListEntry
        UINT64 WorkerRoutine;
        UINT64 WorkerRoutineContext;
        UINT64 Unkonwn$;
        UINT64 Prcb;
        UINT64 PGPageBase;
        UINT64 SecondParamOfEndOfUninitialize;
        UINT64 DcpRoutineToBeScheduled; // E.g INITKDBG: nt!KiTimerDispatch or nt!ExpCenturyDpcRoutine

        UINT32 Unkonwn$; // NumberOfXXXX
        UINT32 Unkonwn$;

        UINT32 OffsetOfPGSelfValidation; // INITKDBG: nt!PGSelfValidation
        UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx
        UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb
        UINT32 EndOffsetOf;

        UINT64 SpinLock;

        UINT32 OffsetOfPGHashValidationBlockTable; // PGHashValidationBlock[?]
        UINT32 Unkonwn$;

        UINT64 Unkonwn$[7];

        KIDTENTRY64 PGProtectIDTItems[3];

        UINT64 Unkonwn$[3];

        // Image bases recorded in the context (new since 7600).
        UINT64 BaseOfNtos;
        UINT64 BaseOfHal;
        UINT64 BaseOfNtosNtHeader;

        UINT64 IsTiggerPG;
        UINT64 BugCheckArg0;
        UINT64 BugCheckArg1;
        UINT64 BugCheckArg3;   // NOTE(review): Arg3 before Arg2, as in every build here
        UINT64 BugCheckArg2;

        PGProtectString<4> PGProtectStrings;

        UINT64 Unkonwn$[4];

        UINT64 BaseOfWin32k;

        UINT64 Unkonwn$[10];

        UINT32 NumberOfProtectCodes;
        UINT32 NumberOfProtectValues;

        // Variable-length tails, sized by the two counts above.
        // PGProtectCode ProtectCodes[NumberOfProtectCodes];
        // PGProtectValue ProtectValues[NumberOfProtectValues];
    };
}

namespace build_9600
{
    using PGContextHeader = build_9200::PGContextHeader;

    // NOTE(review): this layout stops after KxUnexpectedInterrupt0. The
    // trailing fields that the other builds describe (WorkerRoutine, Prcb,
    // the Offset* values, PGProtectIDTItems, the bug-check arguments and the
    // protect counts) are not described for 9600, so code that needs them
    // must not read them through build_9600::PGContext.
    struct PGContext : public PGContextHeader
    {
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAcquireResourceExclusiveLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExfAcquirePushLockExclusive;
        UINT64 ExfReleasePushLockExclusive;
        UINT64 ExfAcquirePushLockShared;
        UINT64 ExfReleasePushLockShared;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockSharedAtDpcLevel;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;
        UINT64 KeLeaveGuardedRegion;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 ExReleaseSpinLockSharedFromDpcLevel;
        UINT64 KeRevertToUserAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetCoalescableTimer;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlPcToFileHeader;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 RtlLookupFunctionEntry;
        UINT64 KeAcquireSpinLockRaiseToDpc;
        UINT64 KeReleaseSpinLock;
        UINT64 MmGetSessionById;
        UINT64 MmGetNextSession;
        UINT64 MmQuitNextSession;
        UINT64 MmAttachSession;
        UINT64 MmDetachSession;
        UINT64 MmGetSessionIdEx;
        UINT64 MmIsSessionAddress;
        UINT64 KeInsertQueueApc;
        UINT64 KeWaitForSingleObject;
        UINT64 PsCreateSystemThread;
        UINT64 ExReferenceCallBackBlock;
        UINT64 ExGetCallBackBlockRoutine;
        UINT64 ExDereferenceCallBackBlock;
        UINT64 KiScbQueueScanWorker;
        UINT64 PspEnumerateCallback;
        UINT64 CmpEnumerateCallback;
        UINT64 DbgEnumerateCallback;
        UINT64 ExpEnumerateCallback;
        UINT64 ExpGetNextCallback;
        UINT64 PopPoCoalescinCallback_;
        UINT64 KiSchedulerApcTerminate;
        UINT64 KiSchedulerApc;
        UINT64 PopPoCoalescinCallback;
        UINT64 PGSelfEncryptWaitAndDecrypt;
        UINT64 KiGetInterruptObjectAddress;
        UINT64 KiWaitAlways;
        UINT64 KiEntropyTimingRoutine;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 IoDriverObjectType;
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 ExpUuidLock;
        UINT64 AlpcpPortListLock;
        UINT64 KeServiceDescriptorTable;
        UINT64 KeServiceDescriptorTableShadow;
        UINT64 VfThunksExtended;
        UINT64 PsWin32CallBack;
        UINT64 Unkonwn$; // Global-Var In KiMarkBugCheckRegions;
        UINT64 KiTableInformation;
        UINT64 HandleTableListHead;
        UINT64 HandleTableListLock;
        UINT64 ObpKernelHandleTable;
        UINT64 KiUserSharedData; // 0xFFFFF78000000000
        UINT64 KiWaitNever;
        UINT64 KxUnexpectedInterrupt0; // KiKvaShadow ? KiIsrThunkShadow : KxUnexpectedInterrupt0


    };
}

namespace build_10240
{
    // Header grows by two reserved QWORDs relative to the 7600 header.
    struct PGContextHeader
    {
        enum : UINT32
        {
            VerificationFunctionBytes = 0xC4
        };

        UINT8 PatchGuardVerification[VerificationFunctionBytes];
        UINT32 ContextSizeInQWord;
        UINT64 Reserved[2];
    };

    struct PGContext : public PGContextHeader
    {
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAcquireResourceExclusiveLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExAcquirePushLockExclusiveEx;
        UINT64 ExReleasePushLockExclusiveEx;
        UINT64 ExAcquirePushLockSharedEx;
        UINT64 ExReleasePushLockSharedEx;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockSharedAtDpcLevel;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;
        UINT64 KeLeaveGuardedRegion;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 ExReleaseSpinLockSharedFromDpcLevel;
        UINT64 KeRevertToUserAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetCoalescableTimer;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlPcToFileHeader;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 RtlLookupFunctionEntry;
        UINT64 KeAcquireSpinLockRaiseToDpc;
        UINT64 KeReleaseSpinLock;
        UINT64 MmGetSessionById;
        UINT64 MmGetNextSession;
        UINT64 MmQuitNextSession;
        UINT64 MmAttachSession;
        UINT64 MmDetachSession;
        UINT64 MmGetSessionIdEx;
        UINT64 MmIsSessionAddress;
        UINT64 KeInsertQueueApc;
        UINT64 KeWaitForSingleObject;
        UINT64 PsCreateSystemThread;
        UINT64 ExReferenceCallBackBlock;
        UINT64 ExGetCallBackBlockRoutine;
        UINT64 ExDereferenceCallBackBlock;
        UINT64 KiScbQueueScanWorker;
        UINT64 PspEnumerateCallback;
        UINT64 CmpEnumerateCallback;
        UINT64 DbgEnumerateCallback;
        UINT64 ExpEnumerateCallback;
        UINT64 ExpGetNextCallback;
        UINT64 EmpCheckErrataList_;
        UINT64 KiSchedulerApcTerminate;
        UINT64 KiSchedulerApc;
        UINT64 EmpCheckErrataList;
        UINT64 PGSelfEncryptWaitAndDecrypt;
        UINT64 MmAllocatePagesForMdlEx;
        UINT64 MmAllocateMappingAddress;
        UINT64 MmMapLockedPagesWithReservedMapping;
        UINT64 MmUnmapReservedMapping;
        UINT64 Unkonwn$; // nt!$$116+0x2e8
        UINT64 Unkonwn$; // nt!$$116+0x350
        UINT64 MmAcquireLoadLock;
        UINT64 MmReleaseLoadLock;
        UINT64 KeEnumerateQueueApc;
        UINT64 KeIsApcRunningThread;
        UINT64 Unkonwn$; // nt!$$115
        UINT64 PsAcquireProcessExitSynchronization;
        UINT64 PsReleaseProcessExitSynchronization;
        UINT64 PsGetNextProcess;
        UINT64 MmIsSessionLeaderProcess;
        UINT64 PsInvokeWin32Callout;
        UINT64 MmEnumerateAddressSpaceAndReferenceImages;
        UINT64 PsGetProcessProtection;
        UINT64 PsGetProcessSignatureLevel;
        UINT64 PsGetProcessSectionBaseAddress;
        UINT64 SeCompareSigningLevels;
        UINT64 KeComputeSha256;
        UINT64 KeComputeParallelSha256;
        UINT64 KeSetEvent;
        UINT64 RtlpConvertFunctionEntry;
        UINT64 RtlpLookupPrimaryFunctionEntry;
        UINT64 RtlIsMultiSessionSku;
        UINT64 KiGetInterruptObjectAddress;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 PsInitialSystemProcess;
        UINT64 KiWaitAlways;
        UINT64 KiEntropyTimingRoutine;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 IoDriverObjectType;
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 ExpUuidLock;
        UINT64 AlpcpPortListLock;
        UINT64 KeServiceDescriptorTable;
        UINT64 KeServiceDescriptorTableShadow;
        UINT64 VfThunksExtended;
        UINT64 PsWin32CallBack;
        UINT64 Unkonwn$;
        UINT64 KiTableInformation;
        UINT64 HandleTableListHead;
        UINT64 HandleTableListLock;
        UINT64 ObpKernelHandleTable;
        UINT64 KiUserSharedData; // 0xFFFFF78000000000
        UINT64 KiWaitNever;
        UINT64 SeProtectedMapping;
        UINT64 KiInterruptThunk;
        UINT64 CcPeriodicEvent;
        UINT64 KxUnexpectedInterrupt0;

        UINT64 Unkonwn$[2];
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$[2];

        UINT64 WorkerRoutine;
        UINT64 WorkerRoutineContext;

        UINT64 Unkonwn$;

        UINT64 Prcb;
        UINT64 PGPageBase;
        UINT64 SecondParamOfEndOfUninitialize;
        UINT64 DcpRoutineToBeScheduled;

        UINT32 Unkonwn$; // NumberOfXXXX
        UINT32 Unkonwn$;

        UINT32 OffsetOfPGSelfValidation; // INITKDBG: nt!PGSelfValidation
        UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx
        UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb
        UINT32 OffsetOfFsRtlUnknown0; // xref: nt!FsRtlMdlReadCompleteDevEx
        UINT32 OffsetOfFsRtlUnkonwn1; // xref: nt!FsRtlMdlReadCompleteDevEx
        UINT32 EndOffsetOf;

        UINT64 SpinLock;

        UINT64 Unkonwn$[7];

        KIDTENTRY64 PGProtectIDTItems[3];

        UINT64 Unkonwn$;

        UINT64 BaseOfNtos;
        UINT64 BaseOfHal;
        UINT64 BaseOfNtosNtHeader;

        UINT64 IsTiggerPG;
        UINT64 BugCheckArg0;
        UINT64 BugCheckArg1;
        UINT64 BugCheckArg3;   // NOTE(review): Arg3 before Arg2, as in every build here
        UINT64 BugCheckArg2;

        PGProtectString<4> PGProtectStrings;

        UINT64 Unkonwn$[4];

        UINT64 BaseOfWin32k;

        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$[8];

        // Four slots only this build names; the two list-entry slots are
        // placeholders whose owner has not been identified.
        UINT64 _UnknownListEntry0;
        UINT64 KiDispatchCallout2;
        UINT64 EmpCheckErrataList2;
        UINT64 _UnknownListEntry1;

        UINT64 Unkonwn$[11];

        UINT32 NumberOfProtectCodes;
        UINT32 NumberOfProtectValues;

        // Variable-length tails, sized by the two counts above.
        // PGProtectCode ProtectCodes[NumberOfProtectCodes];
        // PGProtectValue ProtectValues[NumberOfProtectValues];
    };
}

namespace build_10586
{
    // Header grows by one more reserved QWORD relative to build_10240.
    struct PGContextHeader
    {
        enum : UINT32
        {
            VerificationFunctionBytes = 0xC4
        };

        UINT8 PatchGuardVerification[VerificationFunctionBytes];
        UINT32 ContextSizeInQWord;
        UINT64 Reserved[3];
    };

    struct PGContext : public PGContextHeader
    {
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAcquireResourceExclusiveLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExAcquirePushLockExclusiveEx;
        UINT64 ExReleasePushLockExclusiveEx;
        UINT64 ExAcquirePushLockSharedEx;
        UINT64 ExReleasePushLockSharedEx;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockSharedAtDpcLevel;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;
        UINT64 KeLeaveGuardedRegion;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 ExReleaseSpinLockSharedFromDpcLevel;
        UINT64 KeRevertToUserAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetCoalescableTimer;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlPcToFileHeader;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 RtlLookupFunctionEntry;
        UINT64 KeAcquireSpinLockRaiseToDpc;
        UINT64 KeReleaseSpinLock;
        UINT64 MmGetSessionById;
        UINT64 MmGetNextSession;
        UINT64 MmQuitNextSession;
        UINT64 MmAttachSession;
        UINT64 MmDetachSession;
        UINT64 MmGetSessionIdEx;
        UINT64 MmIsSessionAddress;
        UINT64 KeInsertQueueApc;
        UINT64 KeWaitForSingleObject;
        UINT64 PsCreateSystemThread;
        UINT64 ExReferenceCallBackBlock;
        UINT64 ExGetCallBackBlockRoutine;
        UINT64 ExDereferenceCallBackBlock;
        UINT64 KiScbQueueScanWorker;
        UINT64 PspEnumerateCallback;
        UINT64 CmpEnumerateCallback;
        UINT64 DbgEnumerateCallback;
        UINT64 ExpEnumerateCallback;
        UINT64 ExpGetNextCallback;
        UINT64 EmpCheckErrataList_;
        UINT64 KiSchedulerApcTerminate;
        UINT64 KiSchedulerApc;
        UINT64 EmpCheckErrataList;
        UINT64 PGSelfEncryptWaitAndDecrypt;
        UINT64 MmAllocatePagesForMdlEx;
        UINT64 MmAllocateMappingAddress;
        UINT64 MmMapLockedPagesWithReservedMapping;
        UINT64 MmUnmapReservedMapping;
        UINT64 Unkonwn$; // nt!$$116+0x2e8
        UINT64 Unkonwn$; // nt!$$116+0x350
        UINT64 MmAcquireLoadLock;
        UINT64 MmReleaseLoadLock;
        UINT64 KeEnumerateQueueApc;
        UINT64 KeIsApcRunningThread;
        UINT64 Unkonwn$; // nt!$$115
        UINT64 PsAcquireProcessExitSynchronization;
        UINT64 PsReleaseProcessExitSynchronization;
        UINT64 PsGetNextProcess;
        UINT64 MmIsSessionLeaderProcess;
        UINT64 PsInvokeWin32Callout;
        UINT64 MmEnumerateAddressSpaceAndReferenceImages;
        UINT64 PsGetProcessProtection;
        UINT64 PsGetProcessSignatureLevel;
        UINT64 PsGetProcessSectionBaseAddress;
        UINT64 SeCompareSigningLevels;
        UINT64 KeComputeSha256;
        UINT64 KeComputeParallelSha256;
        UINT64 KeSetEvent;
        UINT64 RtlpConvertFunctionEntry;
        UINT64 RtlpLookupPrimaryFunctionEntry;
        UINT64 RtlIsMultiSessionSku;
        UINT64 KiGetInterruptObjectAddress;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;   // one more unidentified slot here than in build_10240
        UINT64 PsInitialSystemProcess;
        UINT64 KiWaitAlways;
        UINT64 KiEntropyTimingRoutine;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 IoDriverObjectType;
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 ExpUuidLock;
        UINT64 AlpcpPortListLock;
        UINT64 KeServiceDescriptorTable;
        UINT64 KeServiceDescriptorTableShadow;
        UINT64 VfThunksExtended;
        UINT64 PsWin32CallBack;
        UINT64 Unkonwn$; // nt!TriageImagePageSize+0x30
        UINT64 KiTableInformation;
        UINT64 HandleTableListHead;
        UINT64 HandleTableListLock;
        UINT64 ObpKernelHandleTable;
        UINT64 KiUserSharedData; // 0xFFFFF78000000000
        UINT64 KiWaitNever;
        UINT64 SeProtectedMapping;
        UINT64 KiInterruptThunk;
        UINT64 CcPeriodicEvent;
        UINT64 KxUnexpectedInterrupt0; // nt!KiIsrThunk

        UINT64 Unkonwn$[5];

        UINT64 WorkerRoutine;
        UINT64 WorkerRoutineContext;

        UINT64 Unkonwn$;

        UINT64 Prcb;
        UINT64 PGPageBase;
        UINT64 SecondParamOfEndOfUninitialize;
        UINT64 DcpRoutineToBeScheduled;

        UINT32 Unkonwn$; // NumberOfXXXX
        UINT32 Unkonwn$;

        UINT32 OffsetOfPGSelfValidation; // INITKDBG: nt!PGSelfValidation
        UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx
        UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb
        UINT32 OffsetOfFsRtlUnknown0; // xref: nt!FsRtlMdlReadCompleteDevEx
        UINT32 OffsetOfFsRtlUnkonwn1; // xref: nt!FsRtlMdlReadCompleteDevEx
        UINT32 EndOffsetOf;

        UINT64 SpinLock;

        UINT64 Unkonwn$[7];

        KIDTENTRY64 PGProtectIDTItems[3];

        UINT64 Unkonwn$;

        UINT64 BaseOfNtos;
        UINT64 BaseOfHal;
        UINT64 BaseOfNtosNtHeader;

        UINT64 IsTiggerPG;
        UINT64 BugCheckArg0;
        UINT64 BugCheckArg1;
        UINT64 BugCheckArg3;   // NOTE(review): Arg3 before Arg2, as in every build here
        UINT64 BugCheckArg2;

        PGProtectString<4> PGProtectStrings;

        UINT64 Unkonwn$[4];

        UINT64 BaseOfWin32k;

        UINT64 Unkonwn$[25];

        UINT32 NumberOfProtectCodes;
        UINT32 NumberOfProtectValues;

        // Variable-length tails, sized by the two counts above.
        // PGProtectCode ProtectCodes[NumberOfProtectCodes];
        // PGProtectValue ProtectValues[NumberOfProtectValues];
    };
}

namespace build_14393
{
    struct PGContextHeader
    {
        enum : UINT32
        {
            VerificationFunctionBytes = 0xC4
        };

        UINT8
PatchGuardVerification[VerificationFunctionBytes];
        // NOTE(review): presumably the whole context size in 8-byte units; a
        // consumer that reads it out of a dump should bounds-check it against the
        // memory it actually mapped before using it - confirm in PGKd.cpp.
        UINT32 ContextSizeInQWord;
        UINT64 Reserved; // one qword here, unlike the array in the other builds' headers
    };

    // Body of the context for build 14393. The leading run of UINT64 slots is
    // named after kernel routines and presumably holds their addresses; it is
    // followed by kernel globals, the context's own working state, UINT32
    // offsets, the protected IDT entries, image bases, the bugcheck arguments and
    // two variable-length arrays left as comments. Slot order is the layout: do
    // not reorder or insert members. Members named Unkonwn$ are unidentified
    // slots (Unkonwn$ is presumably a macro expanding to a unique name, since
    // plain C++ would reject the repeated member name - defined outside this file).
    struct PGContext : public PGContextHeader
    {
        // --- routine slots ---
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAcquireResourceExclusiveLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExAcquirePushLockExclusiveEx;
        UINT64 ExReleasePushLockExclusiveEx;
        UINT64 ExAcquirePushLockSharedEx;
        UINT64 ExReleasePushLockSharedEx;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockSharedAtDpcLevel;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;
        UINT64 KeLeaveGuardedRegion;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 ExReleaseSpinLockSharedFromDpcLevel;
        UINT64 KeRevertToUserAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        // Processor-enumeration slots that first appear in this build.
        UINT64 KeInitializeEnumerationContext;
        UINT64 KeEnumerateNextProcessor;
        UINT64 KeCountSetBitsAffinityEx;
        UINT64 KeQueryAffinityProcess;
        UINT64 KeQueryAffinityThread;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetCoalescableTimer;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlPcToFileHeader;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 RtlLookupFunctionEntry;
        UINT64 KeAcquireSpinLockRaiseToDpc;
        UINT64 KeReleaseSpinLock;
        UINT64 MmGetSessionById;
        UINT64 MmGetNextSession;
        UINT64 MmQuitNextSession;
        UINT64 MmAttachSession;
        UINT64 MmDetachSession;
        UINT64 MmGetSessionIdEx;
        UINT64 MmIsSessionAddress;
        UINT64 MmIsAddressValid;
        UINT64 MmSessionGetWin32Callouts;
        UINT64 KeInsertQueueApc;
        UINT64 KeWaitForSingleObject;
        UINT64 PsCreateSystemThread;
        UINT64 ExReferenceCallBackBlock;
        UINT64 ExGetCallBackBlockRoutine;
        UINT64 ExDereferenceCallBackBlock;
        UINT64 KiScbQueueScanWorker;
        UINT64 PspEnumerateCallback;
        UINT64 CmpEnumerateCallback;
        UINT64 DbgEnumerateCallback;
        UINT64 ExpEnumerateCallback;
        UINT64 ExpGetNextCallback;
        UINT64 EmpCheckErrataList_;
        UINT64 KiSchedulerApcTerminate;
        UINT64 KiSchedulerApc;
        UINT64 EmpCheckErrataList;
        UINT64 PGSelfEncryptWaitAndDecrypt;
        UINT64 MmAllocatePagesForMdlEx;
        UINT64 MmAllocateMappingAddress;
        UINT64 MmMapLockedPagesWithReservedMapping;
        UINT64 MmUnmapReservedMapping;
        UINT64 Unkonwn$; // nt!$$116+0x2e8
        UINT64 Unkonwn$; // nt!$$116+0x350
        UINT64 MmAcquireLoadLock;
        UINT64 MmReleaseLoadLock;
        UINT64 KeEnumerateQueueApc;
        UINT64 KeIsApcRunningThread;
        UINT64 Unkonwn$; // nt!$$115
        UINT64 PsAcquireProcessExitSynchronization;
        UINT64 PsReleaseProcessExitSynchronization;
        UINT64 PsGetNextProcess;
        UINT64 PsQuitNextProcess;
        UINT64 MmIsSessionLeaderProcess;
        UINT64 PsInvokeWin32Callout;
        UINT64 MmEnumerateAddressSpaceAndReferenceImages;
        UINT64 PsGetProcessProtection;
        UINT64 PsGetProcessSignatureLevel;
        UINT64 PsGetProcessSectionBaseAddress;
        UINT64 SeCompareSigningLevels;
        UINT64 KeComputeSha256;
        UINT64 KeComputeParallelSha256;
        UINT64 KeSetEvent;
        UINT64 RtlpConvertFunctionEntry;
        UINT64 RtlpLookupPrimaryFunctionEntry;
        UINT64 RtlIsMultiSessionSku;
        UINT64 KiEnumerateCallback;
        UINT64 KeStackAttachProcess;
        UINT64 KeUnstackDetachProcess;
        UINT64 KiGetInterruptObjectAddress;
        UINT64 Unkonwn$;
        // --- kernel global slots ---
        UINT64 PsInitialSystemProcess;
        UINT64 KiWaitAlways;
        UINT64 KiEntropyTimingRoutine;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 IoDriverObjectType;
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 ExpUuidLock;
        UINT64 AlpcpPortListLock;
        UINT64 KeServiceDescriptorTable;
        UINT64 KeServiceDescriptorTableShadow;
        UINT64 KeServiceDescriptorTableFilter; // new in this build
        UINT64 VfThunksExtended;
        UINT64 PsWin32CallBack;
        UINT64 Unkonwn$; // nt!TriageImagePageSize+0x30
        UINT64 KiTableInformation;
        UINT64 HandleTableListHead;
        UINT64 HandleTableListLock;
        UINT64 ObpKernelHandleTable;
        UINT64 KiUserSharedData; // 0xFFFFF78000000000
        UINT64 KiWaitNever;
        UINT64 SeProtectedMapping;
        UINT64 KiInterruptThunk;
        UINT64 CcPeriodicEvent;
        UINT64 PageTables; // 0xFFFFC28000000000
        UINT64 KxUnexpectedInterrupt0; // nt!KiIsrThunk

        UINT64 Unkonwn$[5];

        // --- working state of the context ---
        UINT64 WorkerRoutine;
        UINT64 WorkerRoutineContext;

        UINT64 Unkonwn$;

        UINT64 Prcb;
        UINT64 PGPageBase;
        UINT64 SecondParamOfEndOfUninitialize;
        UINT64 DcpRoutineToBeScheduled;

        UINT32 Unkonwn$; // NumberOfXXXX
        UINT32 Unkonwn$;

        // --- offsets (UINT32) of embedded routines; EndOffsetOf closes the range ---
        UINT32 OffsetOfPGSelfValidation; // INITKDBG: nt!PGSelfValidation
        UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx
        UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb
        UINT32 OffsetOfFsRtlUnknown0; // xref: nt!FsRtlMdlReadCompleteDevEx
        UINT32 OffsetOfFsRtlUnkonwn1; // xref: nt!FsRtlMdlReadCompleteDevEx
        UINT32 EndOffsetOf;

        UINT64 SpinLock;

        UINT64 Unkonwn$[7];

        // Three IDT entries (KIDTENTRY64), presumably the ones under protection.
        KIDTENTRY64 PGProtectIDTItems[3];

        UINT64 Unkonwn$[2];

        // Image bases as recorded in the context.
        UINT64 BaseOfNtos;
        UINT64 BaseOfHal;
        UINT64 BaseOfNtosNtHeader;

        // Bugcheck bookkeeping. Arg3 is listed before Arg2 - kept exactly as
        // recovered; confirm against the consumer before reordering.
        UINT64 IsTiggerPG; // (sic)
        UINT64 BugCheckArg0;
        UINT64 BugCheckArg1;
        UINT64 BugCheckArg3;
        UINT64 BugCheckArg2;

        PGProtectString<4> PGProtectStrings;

        UINT64 Unkonwn$[4];

        UINT64 BaseOfWin32k;

        UINT64 Unkonwn$[25];

        // Element counts for the two trailing variable-length arrays.
        UINT32 NumberOfProtectCodes;
        UINT32 NumberOfProtectValues;

        // Variable-length tail, kept as comments: the lengths are only known from
        // the two counters above, so they cannot be declared as fixed members.
        // PGProtectCode ProtectCodes[NumberOfProtectCodes];
        // PGProtectValue ProtectValues[NumberOfProtectValues];
    };
}

// PatchGuard context layout as recovered for Windows build 15063 (x64). Same
// conventions as the other build_* namespaces: names mirror the nt! symbols the
// slots are believed to reference, Unkonwn$ marks unidentified slots (presumably
// a macro expanding to a unique name, defined outside this file), and the
// offsets hold for this build only.
namespace build_15063
{
    // Fixed prefix of the context. Four Reserved qwords in this build; the
    // Reserved count sets sizeof(PGContextHeader) and thus every PGContext
    // member offset. build_17134 below reuses this header.
    struct PGContextHeader
    {
        enum : UINT32
        {
            VerificationFunctionBytes = 0xC4 // bytes of verification code preceding the size field
        };

        UINT8 PatchGuardVerification[VerificationFunctionBytes];
        // NOTE(review): presumably the whole context size in 8-byte units; a
        // consumer that reads it out of a dump should bounds-check it against the
        // memory it actually mapped before using it - confirm in PGKd.cpp.
        UINT32 ContextSizeInQWord;
        UINT64 Reserved[4];
    };

    // Body of the context for build 15063. Layout follows the same groups as the
    // earlier builds (routine slots, kernel globals, working state, UINT32
    // offsets, protected IDT entries, image bases, bugcheck arguments, and a
    // variable-length tail left as comments). Slot order is the layout: do not
    // reorder or insert members.
    struct PGContext : public PGContextHeader
    {
        // --- routine slots ---
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAcquireResourceExclusiveLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExAcquirePushLockExclusiveEx;
        UINT64 ExReleasePushLockExclusiveEx;
        UINT64 ExAcquirePushLockSharedEx;
        UINT64 ExReleasePushLockSharedEx;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockSharedAtDpcLevel;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;

UINT64 KeLeaveGuardedRegion;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 ExReleaseSpinLockSharedFromDpcLevel;
        UINT64 KeRevertToUserAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        UINT64 KeInitializeEnumerationContext;
        UINT64 KeEnumerateNextProcessor;
        UINT64 KeCountSetBitsAffinityEx;
        UINT64 KeQueryAffinityProcess;
        UINT64 KeQueryAffinityThread;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetCoalescableTimer;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlPcToFileHeader;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        // Four unidentified slots (Unkonwn$ is presumably a macro expanding to a
        // unique member name; it is defined outside this file).
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 RtlLookupFunctionEntry;
        UINT64 KeAcquireSpinLockRaiseToDpc;
        UINT64 KeReleaseSpinLock;
        UINT64 MmGetSessionById;
        UINT64 MmGetNextSession;
        UINT64 MmQuitNextSession;
        UINT64 MmAttachSession;
        UINT64 MmDetachSession;
        UINT64 MmGetSessionIdEx;
        UINT64 MmIsSessionAddress;
        UINT64 MmIsAddressValid;
        UINT64 MmSessionGetWin32Callouts;
        UINT64 KeInsertQueueApc;
        UINT64 KeWaitForSingleObject;
        UINT64 PsCreateSystemThread;
        UINT64 ExReferenceCallBackBlock;
        UINT64 ExGetCallBackBlockRoutine;
        UINT64 ExDereferenceCallBackBlock;
        UINT64 KiScbQueueScanWorker;
        UINT64 PspEnumerateCallback;
        UINT64 CmpEnumerateCallback;
        UINT64 DbgEnumerateCallback;
        UINT64 ExpEnumerateCallback;
        UINT64 ExpGetNextCallback;
        UINT64 EmpCheckErrataList_;
        UINT64 KiSchedulerApcTerminate;
        UINT64 KiSchedulerApc;
        UINT64 EmpCheckErrataList;
        UINT64 PGSelfEncryptWaitAndDecrypt;
        UINT64 MmAllocatePagesForMdlEx;
        UINT64 MmAllocateMappingAddress;
        UINT64 MmMapLockedPagesWithReservedMapping;
        UINT64 MmUnmapReservedMapping;
        // The three slots below were resolved to code inside nt!KiSwInterruptDispatch
        // in this build (the $$116 / $$115 labels of the earlier builds).
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x12b0
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x1320
        UINT64 MmAcquireLoadLock;
        UINT64 MmReleaseLoadLock;
        UINT64 KeEnumerateQueueApc;
        UINT64 KeIsApcRunningThread;
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0xe80
        UINT64 PsAcquireProcessExitSynchronization;
        UINT64 ObDereferenceProcessHandleTable; // replaces PsReleaseProcessExitSynchronization of the earlier builds at this slot
        UINT64 PsGetNextProcess;
        UINT64 PsQuitNextProcess;
        UINT64 MmIsSessionLeaderProcess;
        UINT64 PsInvokeWin32Callout;
        UINT64 MmEnumerateAddressSpaceAndReferenceImages;
        UINT64 PsGetProcessProtection;
        UINT64 PsGetProcessSignatureLevel;
        UINT64 PsGetProcessSectionBaseAddress;
        UINT64 SeCompareSigningLevels;
        UINT64 KeComputeSha256;
        UINT64 KeComputeParallelSha256;
        UINT64 KeSetEvent;
        UINT64 RtlpConvertFunctionEntry;
        UINT64 RtlpLookupPrimaryFunctionEntry;
        UINT64 RtlIsMultiSessionSku;
        UINT64 KiEnumerateCallback;
        UINT64 KeStackAttachProcess;
        UINT64 KeUnstackDetachProcess;
        UINT64 VslVerifyPage; // new in this build
        UINT64 KiGetInterruptObjectAddress;
        UINT64 Unkonwn$[4];
        // --- kernel global slots ---
        UINT64 PsInitialSystemProcess;
        UINT64 KiWaitAlways;
        UINT64 KiEntropyTimingRoutine;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 IoDriverObjectType;
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 ExpUuidLock;
        UINT64 AlpcpPortListLock;
        UINT64 KeServiceDescriptorTable;
        UINT64 KeServiceDescriptorTableShadow;
        UINT64 KeServiceDescriptorTableFilter;
        UINT64 VfThunksExtended;
        UINT64 PsWin32CallBack;
        UINT64 Unkonwn$; // nt!TriageImagePageSize+0x20
        UINT64 KiTableInformation;
        UINT64 HandleTableListHead;
        UINT64 HandleTableListLock;
        UINT64 ObpKernelHandleTable;
        UINT64 KiUserSharedData; // 0xFFFFF78000000000
        UINT64 KiWaitNever;
        UINT64 SeProtectedMapping;
        UINT64 KiInterruptThunk;
        UINT64 KiStackProtectNotifyEvent;
        UINT64 PageTables; // fffff900`00000000
        UINT64 RtlpInvertedFunctionTable;
        UINT64 KxUnexpectedInterrupt0; // nt!KiIsrThunk

        UINT64 Unkonwn$[6];

        // --- working state of the context ---
        UINT64 WorkerRoutine;
        UINT64 WorkerRoutineContext;

        UINT64 Unkonwn$;

        UINT64 Prcb;
        UINT64 PGPageBase;
        UINT64 SecondParamOfEndOfUninitialize;
        UINT64 DcpRoutineToBeScheduled;

        UINT32 Unkonwn$; // NumberOfXXXX
        UINT32 Unkonwn$;

        // --- offsets (UINT32) of embedded routines; EndOffsetOf closes the range ---
        UINT32 OffsetOfPGSelfValidation; // INITKDBG: nt!PGSelfValidation
        UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx
        UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb
        UINT32 OffsetOfFsRtlUnknown0; // xref: nt!FsRtlMdlReadCompleteDevEx
        UINT32 OffsetOfFsRtlUnkonwn1; // xref: nt!FsRtlMdlReadCompleteDevEx
        UINT32 EndOffsetOf;

        UINT64 SpinLock;

        UINT64 Unkonwn$[7];

        // Three IDT entries (KIDTENTRY64), presumably the ones under protection.
        KIDTENTRY64 PGProtectIDTItems[3];

        UINT64 Unkonwn$[5];

        // Image bases as recorded in the context.
        UINT64 BaseOfNtos;
        UINT64 BaseOfHal;
        UINT64 BaseOfNtosNtHeader;

        UINT64 Unkonwn$[2];

        // Bugcheck bookkeeping. Arg3 is listed before Arg2 - kept exactly as
        // recovered; confirm against the consumer before reordering.
        UINT64 IsTiggerPG; // (sic)
        UINT64 BugCheckArg0;
        UINT64 BugCheckArg1;
        UINT64 BugCheckArg3;
        UINT64 BugCheckArg2;

        PGProtectString<4> PGProtectStrings;

        UINT64 Unkonwn$[4];

        UINT64
DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        // Five unidentified slots here, one more than in build_15063 (Unkonwn$ is
        // presumably a macro expanding to a unique member name; defined outside
        // this file).
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 RtlLookupFunctionEntry;
        UINT64 KeAcquireSpinLockRaiseToDpc;
        UINT64 KeReleaseSpinLock;
        UINT64 MmGetSessionById;
        UINT64 MmGetNextSession;
        UINT64 MmQuitNextSession;
        UINT64 MmAttachSession;
        UINT64 MmDetachSession;
        UINT64 MmGetSessionIdEx;
        UINT64 MmIsSessionAddress;
        UINT64 MmIsAddressValid;
        UINT64 MmSessionGetWin32Callouts;
        UINT64 KeInsertQueueApc;
        UINT64 KeWaitForSingleObject;
        UINT64 PsCreateSystemThread;
        UINT64 ExReferenceCallBackBlock;
        UINT64 ExGetCallBackBlockRoutine;
        UINT64 ExDereferenceCallBackBlock;
        UINT64 KiScbQueueScanWorker;
        UINT64 PspEnumerateCallback;
        UINT64 CmpEnumerateCallback;
        UINT64 DbgEnumerateCallback;
        UINT64 ExpEnumerateCallback;
        UINT64 ExpGetNextCallback;
        UINT64 EmpCheckErrataList_;
        UINT64 KiSchedulerApcTerminate;
        UINT64 KiSchedulerApc;
        UINT64 EmpCheckErrataList;
        UINT64 PGSelfEncryptWaitAndDecrypt;
        UINT64 MmAllocatePagesForMdlEx;
        UINT64 MmAllocateMappingAddress;
        UINT64 MmMapLockedPagesWithReservedMapping;
        UINT64 MmUnmapReservedMapping;
        // "0x????" marks displacements that were not resolved for this build.
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x????
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x????
        UINT64 MmAcquireLoadLock;
        UINT64 MmReleaseLoadLock;
        UINT64 KeEnumerateQueueApc;
        UINT64 KeIsApcRunningThread;
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x???
        UINT64 PsAcquireProcessExitSynchronization;
        UINT64 ObDereferenceProcessHandleTable;
        UINT64 PsGetNextProcess;
        UINT64 PsQuitNextProcess;
        UINT64 MmIsSessionLeaderProcess;
        UINT64 PsInvokeWin32Callout;
        UINT64 MmEnumerateAddressSpaceAndReferenceImages;
        UINT64 PsGetProcessProtection;
        UINT64 PsGetProcessSignatureLevel;
        UINT64 PsGetProcessSectionBaseAddress;
        UINT64 SeCompareSigningLevels;
        UINT64 KeComputeSha256;
        UINT64 KeComputeParallelSha256;
        UINT64 KeSetEvent;
        UINT64 RtlpConvertFunctionEntry;
        UINT64 RtlpLookupPrimaryFunctionEntry;
        UINT64 RtlIsMultiSessionSku;
        UINT64 KiEnumerateCallback;
        UINT64 KeStackAttachProcess;
        UINT64 KeUnstackDetachProcess;
        // Slots that first appear in this build.
        UINT64 KeIpiGenericCall;
        UINT64 Unkonwn$; // nt!PG$xxxxxxx
        UINT64 MmGetPhysicalAddress;
        UINT64 MmUnlockPages;
        UINT64 VslVerifyPage;
        UINT64 KiGetInterruptObjectAddress;
        UINT64 Unkonwn$[3];
        UINT64 Unkonwn$[4]; // nt!PG$vvvvvvv
        // --- kernel global slots ---
        UINT64 PsInitialSystemProcess;
        UINT64 KiWaitAlways;
        UINT64 KiEntropyTimingRoutine;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 IoDriverObjectType;
        UINT64 PsProcessType; // new in this build
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 ExpUuidLock;
        UINT64 AlpcpPortListLock;
        UINT64 KeServiceDescriptorTable;
        UINT64 KeServiceDescriptorTableShadow;
        UINT64 KeServiceDescriptorTableFilter;
        UINT64 VfThunksExtended;
        UINT64 PsWin32CallBack;
        UINT64 Unkonwn$; // nt!TriageImagePageSize+0x??
        UINT64 KiTableInformation;
        UINT64 HandleTableListHead;
        UINT64 HandleTableListLock;
        UINT64 ObpKernelHandleTable;
        UINT64 KiUserSharedData; // 0xFFFFF78000000000
        UINT64 KiWaitNever;
        UINT64 SeProtectedMapping;
        UINT64 KiInterruptThunk;
        UINT64 KiStackProtectNotifyEvent;
        UINT64 PageTables; // ffffb980`00000000
        // Image-related slots new in this build; how Ntos/Hal relate to the
        // BaseOfNtos/BaseOfHal members further down is not established here.
        UINT64 Ntos;
        UINT64 Hal;
        UINT64 KeNumberProcessors;
        UINT64 Unkonwn$; // nt!PG$vvvvvvvv
        UINT64 Unkonwn$; // nt!PG$vvvvvvvv
        UINT64 RtlpInvertedFunctionTable;
        UINT64 KxUnexpectedInterrupt0; // nt!KiIsrThunk or nt!KiIsrThunkShadow

        UINT64 Unkonwn$[6];

        // --- working state of the context ---
        UINT64 WorkerRoutine;
        UINT64 WorkerRoutineContext;

        UINT64 Unkonwn$;

        UINT64 Prcb;
        UINT64 PGPageBase;
        UINT64 SecondParamOfEndOfUninitialize;
        UINT64 DcpRoutineToBeScheduled;

        UINT32 Unkonwn$; // NumberOfXXXX
        UINT32 Unkonwn$;

        // --- offsets (UINT32) of embedded routines; EndOffsetOf closes the range ---
        UINT32 OffsetOfPGSelfValidation; // INITKDBG: nt!PGSelfValidation
        UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx
        UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb
        UINT32 OffsetOfFsRtlUnknown0; // nt!PG$XXXXXXXX
        UINT32 OffsetOfFsRtlUnkonwn1; // (target not resolved for this build)
        UINT32 EndOffsetOf;

        UINT64 SpinLock;

        UINT64 Unkonwn$[8];

        // Three IDT entries (KIDTENTRY64), presumably the ones under protection.
        KIDTENTRY64 PGProtectIDTItems[3];

        UINT64 Unkonwn$[10];

        // Image bases as recorded in the context.
        UINT64 BaseOfNtos;
        UINT64 BaseOfHal;
        UINT64 BaseOfNtosNtHeader;

        UINT64 Unkonwn$[2];

        // Bugcheck bookkeeping. Arg3 is listed before Arg2 - kept exactly as
        // recovered; confirm against the consumer before reordering.
        UINT64 IsTiggerPG; // (sic)
        UINT64 BugCheckArg0;
        UINT64 BugCheckArg1;
        UINT64 BugCheckArg3;
        UINT64 BugCheckArg2;

        PGProtectString<4> PGProtectStrings;

        // No separate BaseOfWin32k slot in this build; the gap is a single
        // unidentified run.
        UINT64 Unkonwn$[37];

        // Element counts for the two trailing variable-length arrays.
        UINT32 NumberOfProtectCodes;
        UINT32 NumberOfProtectValues;

        // Variable-length tail, kept as comments: the lengths are only known from
        // the two counters above, so they cannot be declared as fixed members.
        // PGProtectCode ProtectCodes[NumberOfProtectCodes];
        // PGProtectValue ProtectValues[NumberOfProtectValues];
    };
}

// PatchGuard context layout as recovered for Windows build 17134 (x64). Same
// conventions as the other build_* namespaces: names mirror the nt! symbols the
// slots are believed to reference, Unkonwn$ marks unidentified slots (presumably
// a macro expanding to a unique name, defined outside this file), and the
// offsets hold for this build only.
namespace build_17134
{
    // Header is shared with build 15063 (four Reserved qwords), so the
    // PGContext members start at the same offset as in that build.
    using PGContextHeader = build_15063::PGContextHeader;

    // Body of the context for build 17134. Same groups as the earlier builds
    // (routine slots, kernel globals, working state, UINT32 offsets, protected
    // IDT entries, image bases, bugcheck arguments, variable-length tail left as
    // comments). Slot order is the layout: do not reorder or insert members.
    struct PGContext : public PGContextHeader
    {
        // --- routine slots ---
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAcquireResourceExclusiveLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExAcquirePushLockExclusiveEx;
        UINT64 ExReleasePushLockExclusiveEx;
        UINT64 ExAcquirePushLockSharedEx;
        UINT64 ExReleasePushLockSharedEx;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockSharedAtDpcLevel;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;
        UINT64 KeLeaveGuardedRegion;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 ExReleaseSpinLockSharedFromDpcLevel;
        UINT64 KeRevertToUserAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        UINT64 KeInitializeEnumerationContext;
        UINT64 KeEnumerateNextProcessor;
        UINT64 KeCountSetBitsAffinityEx;
        UINT64 KeQueryAffinityProcess;
        UINT64 KeQueryAffinityThread;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetCoalescableTimer;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlPcToFileHeader;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        // Five unidentified slots, as in build_16299.
        UINT64 Unkonwn$;

UINT64 Unkonwn$; 1528 | UINT64 Unkonwn$; 1529 | UINT64 Unkonwn$; 1530 | UINT64 Unkonwn$; 1531 | UINT64 RtlLookupFunctionEntry; 1532 | UINT64 KeAcquireSpinLockRaiseToDpc; 1533 | UINT64 KeReleaseSpinLock; 1534 | UINT64 MmGetSessionById; 1535 | UINT64 MmGetNextSession; 1536 | UINT64 MmQuitNextSession; 1537 | UINT64 MmAttachSession; 1538 | UINT64 MmDetachSession; 1539 | UINT64 MmGetSessionIdEx; 1540 | UINT64 MmIsSessionAddress; 1541 | UINT64 MmIsAddressValid; 1542 | UINT64 MmSessionGetWin32Callouts; 1543 | UINT64 KeInsertQueueApc; 1544 | UINT64 KeWaitForSingleObject; 1545 | UINT64 PsCreateSystemThread; 1546 | UINT64 ExReferenceCallBackBlock; 1547 | UINT64 ExGetCallBackBlockRoutine; 1548 | UINT64 ExDereferenceCallBackBlock; 1549 | UINT64 KiScbQueueScanWorker; 1550 | UINT64 PspEnumerateCallback; 1551 | UINT64 CmpEnumerateCallback; 1552 | UINT64 DbgEnumerateCallback; 1553 | UINT64 ExpEnumerateCallback; 1554 | UINT64 ExpGetNextCallback; 1555 | UINT64 EmpCheckErrataList_; 1556 | UINT64 KiSchedulerApcTerminate; 1557 | UINT64 KiSchedulerApc; 1558 | UINT64 EmpCheckErrataList; 1559 | UINT64 PGSelfEncryptWaitAndDecrypt; 1560 | UINT64 MmAllocatePagesForMdlEx; 1561 | UINT64 MmAllocateMappingAddress; 1562 | UINT64 MmMapLockedPagesWithReservedMapping; 1563 | UINT64 MmUnmapReservedMapping; 1564 | UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x???? 1565 | UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x???? 1566 | UINT64 MmAcquireLoadLock; 1567 | UINT64 MmReleaseLoadLock; 1568 | UINT64 KeEnumerateQueueApc; 1569 | UINT64 KeIsApcRunningThread; 1570 | UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x??? 
1571 | UINT64 PsAcquireProcessExitSynchronization; 1572 | UINT64 ObDereferenceProcessHandleTable; 1573 | UINT64 PsGetNextProcess; 1574 | UINT64 PsQuitNextProcess; 1575 | UINT64 PsGetNextProcessEx; 1576 | UINT64 MmIsSessionLeaderProcess; 1577 | UINT64 PsInvokeWin32Callout; 1578 | UINT64 MmEnumerateAddressSpaceAndReferenceImages; 1579 | UINT64 PsGetProcessProtection; 1580 | UINT64 PsGetProcessSignatureLevel; 1581 | UINT64 PsGetProcessSectionBaseAddress; 1582 | UINT64 SeCompareSigningLevels; 1583 | UINT64 KeComputeSha256; 1584 | UINT64 KeComputeParallelSha256; 1585 | UINT64 KeSetEvent; 1586 | UINT64 RtlpConvertFunctionEntry; 1587 | UINT64 RtlpLookupPrimaryFunctionEntry; 1588 | UINT64 RtlIsMultiSessionSku; 1589 | UINT64 KiEnumerateCallback; 1590 | UINT64 KeStackAttachProcess; 1591 | UINT64 KeUnstackDetachProcess; 1592 | UINT64 KeIpiGenericCall; 1593 | UINT64 Unkonwn$; // nt!PG$xxxxxxx 1594 | UINT64 MmGetPhysicalAddress; 1595 | UINT64 MmUnlockPages; 1596 | UINT64 VslVerifyPage; 1597 | UINT64 KiGetInterruptObjectAddress; 1598 | UINT64 Unkonwn$; 1599 | UINT64 PsLookupProcessByProcessId; 1600 | UINT64 PsGetProcessId; 1601 | UINT64 MmCheckProcessShadow; 1602 | UINT64 Unkonwn$[4]; 1603 | UINT64 Unkonwn$[4]; // nt!PG$vvvvvvv 1604 | UINT64 PsInitialSystemProcess; 1605 | UINT64 KiWaitAlways; 1606 | UINT64 KiEntropyTimingRoutine; 1607 | UINT64 KiProcessListHead; 1608 | UINT64 KiProcessListLock; 1609 | UINT64 ObpTypeObjectType; 1610 | UINT64 IoDriverObjectType; 1611 | UINT64 PsProcessType; 1612 | UINT64 PsActiveProcessHead; 1613 | UINT64 PsInvertedFunctionTable; 1614 | UINT64 PsLoadedModuleList; 1615 | UINT64 PsLoadedModuleResource; 1616 | UINT64 PsLoadedModuleSpinLock; 1617 | UINT64 PspActiveProcessLock; 1618 | UINT64 PspCidTable; 1619 | UINT64 ExpUuidLock; 1620 | UINT64 AlpcpPortListLock; 1621 | UINT64 KeServiceDescriptorTable; 1622 | UINT64 KeServiceDescriptorTableShadow; 1623 | UINT64 KeServiceDescriptorTableFilter; 1624 | UINT64 VfThunksExtended; 1625 | UINT64 
PsWin32CallBack; 1626 | UINT64 Unkonwn$; // nt!TriageImagePageSize+0x?? 1627 | UINT64 KiTableInformation; 1628 | UINT64 HandleTableListHead; 1629 | UINT64 HandleTableListLock; 1630 | UINT64 ObpKernelHandleTable; 1631 | UINT64 KiUserSharedData; // 0xFFFFF78000000000 1632 | UINT64 KiWaitNever; 1633 | UINT64 SeProtectedMapping; 1634 | UINT64 KiInterruptThunk; 1635 | UINT64 KiStackProtectNotifyEvent; 1636 | UINT64 PageTables; 1637 | UINT64 Ntos; 1638 | UINT64 Hal; 1639 | UINT64 KeNumberProcessors; 1640 | UINT64 Unkonwn$; // nt!PG$vvvvvvvv 1641 | UINT64 Unkonwn$; // nt!PG$vvvvvvvv 1642 | UINT64 RtlpInvertedFunctionTable; 1643 | UINT64 KxUnexpectedInterrupt0; // nt!KiIsrThunk or nt!KiIsrThunkShadow 1644 | 1645 | UINT64 Unkonwn$[6]; 1646 | 1647 | UINT64 WorkerRoutine; 1648 | UINT64 WorkerRoutineContext; 1649 | 1650 | UINT64 Unkonwn$; 1651 | 1652 | UINT64 Prcb; 1653 | UINT64 PGPageBase; 1654 | UINT64 SecondParamOfEndOfUninitialize; 1655 | UINT64 DcpRoutineToBeScheduled; 1656 | 1657 | UINT32 Unkonwn$; // NumberOfXXXX 1658 | UINT32 Unkonwn$; 1659 | 1660 | UINT32 OffsetOfPGSelfValidation; // INITKDBG: nt!PGSelfValidation 1661 | UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx 1662 | UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb 1663 | UINT32 OffsetOfFsRtlUnknown0; // nt!PG$XXXXXXXX 1664 | UINT32 OffsetOfFsRtlUnkonwn1; // 1665 | UINT32 EndOffsetOf; 1666 | 1667 | UINT64 SpinLock; 1668 | 1669 | UINT64 Unkonwn$[8]; 1670 | 1671 | KIDTENTRY64 PGProtectIDTItems[3]; 1672 | 1673 | UINT64 Unkonwn$[10]; 1674 | 1675 | UINT64 BaseOfNtos; 1676 | UINT64 BaseOfHal; 1677 | UINT64 BaseOfNtosNtHeader; 1678 | 1679 | UINT64 Unkonwn$[2]; 1680 | 1681 | UINT64 IsTiggerPG; 1682 | UINT64 BugCheckArg0; 1683 | UINT64 BugCheckArg1; 1684 | UINT64 BugCheckArg3; 1685 | UINT64 BugCheckArg2; 1686 | 1687 | PGProtectString<4> PGProtectStrings; 1688 | 1689 | UINT64 Unkonwn$[40]; 1690 | 1691 | UINT32 NumberOfProtectCodes; 1692 | UINT32 NumberOfProtectValues; 1693 
// PGProtectCode ProtectCodes[NumberOfProtectCodes];
// PGProtectValue ProtectValues[NumberOfProtectValues];
    };
}

namespace build_17741
{
    // Build 17741 keeps the 17134 header layout unchanged; only the body
    // of PGContext below differs from build_17134::PGContext.
    using PGContextHeader = build_17134::PGContextHeader;

    // Reverse-engineered layout of the PG (PatchGuard) context for
    // Windows build 17741, as used by the PGKd debugger extension to
    // read the context out of a 0x109 crash dump. Field order defines
    // the on-disk/in-memory offsets, so members must not be reordered
    // or resized without re-validating against a real dump.
    // Names of the form Unkonwn$ are presumably a macro (defined earlier
    // in the file, not visible here) that expands to a unique placeholder
    // name per use; otherwise the repeated declarations would collide.
    // Trailing "// nt!..." comments record the symbol the author observed
    // at that slot; "?" / "x" / "v" placeholders mean the exact symbol
    // or offset was not identified.
    struct PGContext : public PGContextHeader
    {
        // Imported kernel routine addresses captured into the context.
        UINT64 ExAcquireResourceSharedLite;
        UINT64 ExAcquireResourceExclusiveLite;
        UINT64 ExAllocatePoolWithTag;
        UINT64 ExFreePool;
        UINT64 ExMapHandleToPointer;
        UINT64 ExQueueWorkItem;
        UINT64 ExReleaseResourceLite;
        UINT64 ExUnlockHandleTableEntry;
        UINT64 ExAcquirePushLockExclusiveEx;
        UINT64 ExReleasePushLockExclusiveEx;
        UINT64 ExAcquirePushLockSharedEx;
        UINT64 ExReleasePushLockSharedEx;
        UINT64 KeAcquireInStackQueuedSpinLockAtDpcLevel;
        UINT64 ExAcquireSpinLockSharedAtDpcLevel;
        UINT64 KeBugCheckEx;
        UINT64 KeDelayExecutionThread;
        UINT64 KeEnterCriticalRegionThread;
        UINT64 KeLeaveCriticalRegion;
        UINT64 KeEnterGuardedRegion;
        UINT64 KeLeaveGuardedRegion;
        UINT64 KxReleaseQueuedSpinLock;
        UINT64 KeReleaseInStackQueuedSpinLockFromDpcLevel;
        UINT64 KeRevertToUserGroupAffinityThread;
        UINT64 KeProcessorGroupAffinity;
        UINT64 KeInitializeEnumerationContext;
        UINT64 KeEnumerateNextProcessor;
        UINT64 KeCountSetBitsAffinityEx;
        UINT64 KeQueryAffinityProcess;
        UINT64 KeQueryAffinityThread;
        UINT64 KeSetSystemGroupAffinityThread;
        UINT64 KeSetCoalescableTimer;
        UINT64 ObfDereferenceObject;
        UINT64 ObReferenceObjectByName;
        UINT64 RtlImageDirectoryEntryToData;
        UINT64 RtlImageNtHeader;
        UINT64 RtlLookupFunctionTable;
        UINT64 RtlPcToFileHeader;
        UINT64 RtlSectionTableFromVirtualAddress;
        UINT64 DbgPrint;
        UINT64 MmAllocateIndependentPages;
        UINT64 MmFreeIndependentPages;
        UINT64 MmSetPageProtection;
        // Five slots whose symbol was not identified by the author.
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 Unkonwn$;
        UINT64 RtlLookupFunctionEntry;
        UINT64 KeAcquireSpinLockRaiseToDpc;
        UINT64 KeReleaseSpinLock;
        UINT64 MmGetSessionById;
        UINT64 MmGetNextSession;
        UINT64 MmQuitNextSession;
        UINT64 MmAttachSession;
        UINT64 MmDetachSession;
        UINT64 MmGetSessionIdEx;
        UINT64 MmIsSessionAddress;
        UINT64 MmIsAddressValid;
        UINT64 MmSessionGetWin32Callouts;
        UINT64 KeInsertQueueApc;
        UINT64 KeWaitForSingleObject;
        UINT64 PsCreateSystemThread;
        UINT64 ExReferenceCallBackBlock;
        UINT64 ExGetCallBackBlockRoutine;
        UINT64 ExDereferenceCallBackBlock;
        UINT64 KiScbQueueScanWorker;
        UINT64 PspEnumerateCallback;
        UINT64 CmpEnumerateCallback;
        UINT64 DbgEnumerateCallback;
        UINT64 ExpEnumerateCallback;
        UINT64 ExpGetNextCallback;
        UINT64 EmpCheckErrataList_;
        UINT64 KiSchedulerApcTerminate;
        UINT64 KiSchedulerApc;
        UINT64 EmpCheckErrataList;
        UINT64 PGSelfEncryptWaitAndDecrypt;
        UINT64 MmAllocatePagesForMdlEx;
        UINT64 MmAllocateMappingAddress;
        UINT64 MmMapLockedPagesWithReservedMapping;
        UINT64 MmUnmapReservedMapping;
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x????
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x????
        UINT64 MmAcquireLoadLock;
        UINT64 MmReleaseLoadLock;
        UINT64 KeEnumerateQueueApc;
        UINT64 KeIsApcRunningThread;
        UINT64 Unkonwn$; // nt!KiSwInterruptDispatch+0x???
        UINT64 PsAcquireProcessExitSynchronization;
        UINT64 ObDereferenceProcessHandleTable;
        UINT64 PsGetNextProcess;
        UINT64 PsQuitNextProcess;
        UINT64 PsGetNextProcessEx;
        UINT64 MmIsSessionLeaderProcess;
        UINT64 PsInvokeWin32Callout;
        UINT64 MmEnumerateAddressSpaceAndReferenceImages;
        UINT64 PsGetProcessProtection;
        UINT64 PsGetProcessSignatureLevel;
        UINT64 PsGetProcessSectionBaseAddress;
        UINT64 SeCompareSigningLevels;
        UINT64 KeComputeSha256;
        UINT64 KeComputeParallelSha256;
        UINT64 KeSetEvent;
        UINT64 RtlpConvertFunctionEntry;
        UINT64 RtlpLookupPrimaryFunctionEntry;
        UINT64 RtlIsMultiSessionSku;
        UINT64 KiEnumerateCallback;
        UINT64 KeStackAttachProcess;
        UINT64 KeUnstackDetachProcess;
        UINT64 KeIpiGenericCall;
        UINT64 Unkonwn$; // nt!PG$xxxxxxx
        UINT64 MmGetPhysicalAddress;
        UINT64 MmUnlockPages;
        UINT64 VslVerifyPage;
        UINT64 KiGetInterruptObjectAddress;
        UINT64 Unkonwn$;
        UINT64 PsLookupProcessByProcessId;
        UINT64 PsGetProcessId;
        UINT64 MmCheckProcessShadow;
        UINT64 MmGetImageRetpolineCodePage;
        UINT64 Unkonwn$[4];
        UINT64 Unkonwn$[4]; // nt!PG$vvvvvvv

        // Addresses of kernel globals / object types captured into the context.
        UINT64 PsInitialSystemProcess;
        UINT64 KiWaitAlways;
        UINT64 KiEntropyTimingRoutine;
        UINT64 KiProcessListHead;
        UINT64 KiProcessListLock;
        UINT64 ObpTypeObjectType;
        UINT64 IoDriverObjectType;
        UINT64 PsProcessType;
        UINT64 PsActiveProcessHead;
        UINT64 PsInvertedFunctionTable;
        UINT64 PsLoadedModuleList;
        UINT64 PsLoadedModuleResource;
        UINT64 PsLoadedModuleSpinLock;
        UINT64 PspActiveProcessLock;
        UINT64 PspCidTable;
        UINT64 ExpUuidLock;
        UINT64 AlpcpPortListLock;
        UINT64 KeServiceDescriptorTable;
        UINT64 KeServiceDescriptorTableShadow;
        UINT64 KeServiceDescriptorTableFilter;
        UINT64 VfThunksExtended;
        UINT64 PsWin32CallBack;
        UINT64 Unkonwn$; // nt!TriageImagePageSize+0x??
        UINT64 KiTableInformation;
        UINT64 HandleTableListHead;
        UINT64 HandleTableListLock;
        UINT64 ObpKernelHandleTable;
        UINT64 KiUserSharedData; // 0xFFFFF78000000000
        UINT64 KiWaitNever;
        UINT64 SeProtectedMapping;
        UINT64 KiInterruptThunk;
        UINT64 KiStackProtectNotifyEvent;
        UINT64 PageTables; // 0xFFFFB20000000000
        UINT64 Ntos;
        UINT64 Hal;
        UINT64 KeNumberProcessors;
        UINT64 Unkonwn$; // nt!PG$vvvvvvvv
        UINT64 Unkonwn$; // nt!PG$vvvvvvvv
        UINT64 RtlpInvertedFunctionTable;
        UINT64 KxUnexpectedInterrupt0; // nt!KiIsrThunk or nt!KiIsrThunkShadow

        // Unidentified gap. build_17134::PGContext has a 6-entry gap at the
        // same position; this widening is the main visible difference
        // between the two builds' bodies.
        UINT64 Unkonwn$[49];

        UINT64 WorkerRoutine;
        UINT64 WorkerRoutineContext;

        UINT64 Unkonwn$;

        UINT64 Prcb;
        UINT64 PGPageBase;
        UINT64 SecondParamOfEndOfUninitialize;
        UINT64 DcpRoutineToBeScheduled; // nt!KiTimerDispatch

        // Note the switch to 32-bit members from here on; two UINT32s
        // keep the following fields at the same 8-byte alignment as the
        // UINT64s above.
        UINT32 Unkonwn$; // NumberOfXXXX
        UINT32 Unkonwn$;

        // Offsets (relative to the PG page, presumably PGPageBase —
        // confirm in PGKd.cpp) of routines embedded in the context.
        UINT32 OffsetOfPGSelfValidation; // INITKDBG: nt!PGSelfValidation
        UINT32 OffsetOfRtlLookupFunctionEntryEx; // nt!RtlLookupFunctionEntryEx
        UINT32 OffsetOfFsRtlUninitializeSmallMcb; // nt!FsRtlUninitializeSmallMcb
        UINT32 OffsetOfFsRtlUnknown0; // nt!PG$XXXXXXXX
        UINT32 OffsetOfFsRtlUnkonwn1; //
        UINT32 EndOffsetOf;

        UINT64 SpinLock;

        UINT64 Unkonwn$[8];

        // Three IDT entries stored in the context (KIDTENTRY64 is declared
        // elsewhere in the project, presumably WDK.h).
        KIDTENTRY64 PGProtectIDTItems[3];

        UINT64 Unkonwn$[10];

        UINT64 BaseOfNtos;
        UINT64 BaseOfHal;
        UINT64 BaseOfNtosNtHeader;

        UINT64 Unkonwn$[2];

        // Bug-check state recorded when PG fires (IsTiggerPG: sic).
        // NOTE(review): BugCheckArg3 is declared before BugCheckArg2 here
        // and in build_17134 — confirm this matches the in-memory order
        // and is not a transcription slip, since readers of the 0x109
        // arguments will otherwise swap them.
        UINT64 IsTiggerPG;
        UINT64 BugCheckArg0;
        UINT64 BugCheckArg1;
        UINT64 BugCheckArg3;
        UINT64 BugCheckArg2;

        PGProtectString<4> PGProtectStrings;

        UINT64 Unkonwn$[40];

        // Element counts for the variable-length trailers below. The
        // trailers are left commented out because their length is only
        // known at runtime; presumably PGKd reads them from the dump
        // starting at sizeof(PGContext) — verify against the reader.
        UINT32 NumberOfProtectCodes;
        UINT32 NumberOfProtectValues;

        // PGProtectCode ProtectCodes[NumberOfProtectCodes];
        // PGProtectValue ProtectValues[NumberOfProtectValues];
    };
}
} // closes the enclosing namespace opened earlier in this header
#pragma warning(pop) // presumably pairs with a #pragma warning(push) at the top of the file (not visible here)