├── EAC_Bypass.sln
├── EAC_Bypass
    ├── EAC_Bypass.inf
    ├── EAC_Bypass.vcxproj
    ├── EAC_Bypass.vcxproj.filters
    ├── EAC_Bypass.vcxproj.user
    ├── Main.c
    ├── Main.hpp
    ├── Options.hpp
    ├── common.h
    ├── ntos.h
    ├── ntos.hpp
    └── ntstructs.hpp
├── EAC_Usermode
    ├── EAC.cpp
    ├── EAC.hpp
    ├── EAC_Usermode.vcxproj
    ├── EAC_Usermode.vcxproj.filters
    ├── EAC_Usermode.vcxproj.user
    ├── Options.hpp
    ├── detours.h
    └── main.cpp
├── LICENSE
└── README.md


/EAC_Bypass.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.29009.5
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EAC_Bypass", "EAC_Bypass\EAC_Bypass.vcxproj", "{2BA794F5-5FFA-454A-A1FC-D739771C6F72}"
 7 | EndProject
 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EAC_Usermode", "EAC_Usermode\EAC_Usermode.vcxproj", "{56F38C3E-FC80-4028-B6E9-4688A33E4AEB}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|ARM = Debug|ARM
13 | 		Debug|ARM64 = Debug|ARM64
14 | 		Debug|x64 = Debug|x64
15 | 		Debug|x86 = Debug|x86
16 | 		Release|ARM = Release|ARM
17 | 		Release|ARM64 = Release|ARM64
18 | 		Release|x64 = Release|x64
19 | 		Release|x86 = Release|x86
20 | 	EndGlobalSection
21 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
22 | 	EndGlobalSection
23 | 	GlobalSection(SolutionProperties) = preSolution
24 | 		HideSolutionNode = FALSE
25 | 	EndGlobalSection
26 | 	GlobalSection(ExtensibilityGlobals) = postSolution
27 | 		SolutionGuid = {4A0C5232-FCF5-4CA3-A672-9A0BAF764A19}
28 | 	EndGlobalSection
29 | EndGlobal
30 | 


--------------------------------------------------------------------------------
/EAC_Bypass/EAC_Bypass.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; EAC_Bypass.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=Sample ; TODO: edit Class
 8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
 9 | Provider=%ManufacturerName%
10 | CatalogFile=EAC_Bypass.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | 
13 | [DestinationDirs]
14 | DefaultDestDir = 12
15 | EAC_Bypass_Device_CoInstaller_CopyFiles = 11
16 | 
17 | ; ================= Class section =====================
18 | 
19 | [ClassInstall32]
20 | Addreg=SampleClassReg
21 | 
22 | [SampleClassReg]
23 | HKR,,,0,%ClassName%
24 | HKR,,Icon,,-5
25 | 
26 | [SourceDisksNames]
27 | 1 = %DiskName%,,,""
28 | 
29 | [SourceDisksFiles]
30 | EAC_Bypass.sys  = 1,,
31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
32 | 
33 | ;*****************************************
34 | ; Install Section
35 | ;*****************************************
36 | 
37 | [Manufacturer]
38 | %ManufacturerName%=Standard,NT$ARCH$
39 | 
40 | [Standard.NT$ARCH$]
41 | %EAC_Bypass.DeviceDesc%=EAC_Bypass_Device, Root\EAC_Bypass ; TODO: edit hw-id
42 | 
43 | [EAC_Bypass_Device.NT]
44 | CopyFiles=Drivers_Dir
45 | 
46 | [Drivers_Dir]
47 | EAC_Bypass.sys
48 | 
49 | ;-------------- Service installation
50 | [EAC_Bypass_Device.NT.Services]
51 | AddService = EAC_Bypass,%SPSVCINST_ASSOCSERVICE%, EAC_Bypass_Service_Inst
52 | 
53 | ; -------------- EAC_Bypass driver install sections
54 | [EAC_Bypass_Service_Inst]
55 | DisplayName    = %EAC_Bypass.SVCDESC%
56 | ServiceType    = 1               ; SERVICE_KERNEL_DRIVER
57 | StartType      = 3               ; SERVICE_DEMAND_START
58 | ErrorControl   = 1               ; SERVICE_ERROR_NORMAL
59 | ServiceBinary  = %12%\EAC_Bypass.sys
60 | 
61 | ;
62 | ;--- EAC_Bypass_Device Coinstaller installation ------
63 | ;
64 | 
65 | [EAC_Bypass_Device.NT.CoInstallers]
66 | AddReg=EAC_Bypass_Device_CoInstaller_AddReg
67 | CopyFiles=EAC_Bypass_Device_CoInstaller_CopyFiles
68 | 
69 | [EAC_Bypass_Device_CoInstaller_AddReg]
70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
71 | 
72 | [EAC_Bypass_Device_CoInstaller_CopyFiles]
73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
74 | 
75 | [EAC_Bypass_Device.NT.Wdf]
76 | KmdfService =  EAC_Bypass, EAC_Bypass_wdfsect
77 | [EAC_Bypass_wdfsect]
78 | KmdfLibraryVersion = $KMDFVERSION$
79 | 
80 | [Strings]
81 | SPSVCINST_ASSOCSERVICE= 0x00000002
82 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
83 | ClassName="Samples" ; TODO: edit ClassName
84 | DiskName = "EAC_Bypass Installation Disk"
85 | EAC_Bypass.DeviceDesc = "EAC_Bypass Device"
86 | EAC_Bypass.SVCDESC = "EAC_Bypass Service"
87 | 


--------------------------------------------------------------------------------
/EAC_Bypass/EAC_Bypass.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{2BA794F5-5FFA-454A-A1FC-D739771C6F72}</ProjectGuid>
 39 |     <TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>EAC_Bypass</RootNamespace>
 45 |   </PropertyGroup>
 46 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 48 |     <TargetVersion>Windows10</TargetVersion>
 49 |     <UseDebugLibraries>true</UseDebugLibraries>
 50 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 51 |     <ConfigurationType>Driver</ConfigurationType>
 52 |     <DriverType>KMDF</DriverType>
 53 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 54 |   </PropertyGroup>
 55 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 56 |     <TargetVersion>Windows10</TargetVersion>
 57 |     <UseDebugLibraries>false</UseDebugLibraries>
 58 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 59 |     <ConfigurationType>Driver</ConfigurationType>
 60 |     <DriverType>KMDF</DriverType>
 61 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 62 |   </PropertyGroup>
 63 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 64 |     <TargetVersion>Windows10</TargetVersion>
 65 |     <UseDebugLibraries>true</UseDebugLibraries>
 66 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 67 |     <ConfigurationType>Driver</ConfigurationType>
 68 |     <DriverType>KMDF</DriverType>
 69 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 70 |   </PropertyGroup>
 71 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 72 |     <TargetVersion>
 73 |     </TargetVersion>
 74 |     <UseDebugLibraries>false</UseDebugLibraries>
 75 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 76 |     <ConfigurationType>Driver</ConfigurationType>
 77 |     <DriverType>KMDF</DriverType>
 78 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 79 |     <SpectreMitigation>false</SpectreMitigation>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 82 |     <TargetVersion>Windows10</TargetVersion>
 83 |     <UseDebugLibraries>true</UseDebugLibraries>
 84 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 85 |     <ConfigurationType>Driver</ConfigurationType>
 86 |     <DriverType>KMDF</DriverType>
 87 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 88 |   </PropertyGroup>
 89 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 90 |     <TargetVersion>Windows10</TargetVersion>
 91 |     <UseDebugLibraries>false</UseDebugLibraries>
 92 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 93 |     <ConfigurationType>Driver</ConfigurationType>
 94 |     <DriverType>KMDF</DriverType>
 95 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
 96 |   </PropertyGroup>
 97 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 98 |     <TargetVersion>Windows10</TargetVersion>
 99 |     <UseDebugLibraries>true</UseDebugLibraries>
100 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
101 |     <ConfigurationType>Driver</ConfigurationType>
102 |     <DriverType>KMDF</DriverType>
103 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
104 |   </PropertyGroup>
105 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
106 |     <TargetVersion>Windows10</TargetVersion>
107 |     <UseDebugLibraries>false</UseDebugLibraries>
108 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
109 |     <ConfigurationType>Driver</ConfigurationType>
110 |     <DriverType>KMDF</DriverType>
111 |     <DriverTargetPlatform>Universal</DriverTargetPlatform>
112 |   </PropertyGroup>
113 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
114 |   <ImportGroup Label="ExtensionSettings">
115 |   </ImportGroup>
116 |   <ImportGroup Label="PropertySheets">
117 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
118 |   </ImportGroup>
119 |   <PropertyGroup Label="UserMacros" />
120 |   <PropertyGroup />
121 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
122 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
123 |   </PropertyGroup>
124 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
125 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
126 |   </PropertyGroup>
127 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
128 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
129 |   </PropertyGroup>
130 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
131 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
132 |     <EnableInf2cat>false</EnableInf2cat>
133 |     <TimeStampServer>http://timestamp.globalsign.com/scripts/timstamp.dll</TimeStampServer>
134 |   </PropertyGroup>
135 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
136 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
137 |   </PropertyGroup>
138 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
139 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
140 |   </PropertyGroup>
141 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
142 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
143 |   </PropertyGroup>
144 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
145 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
146 |   </PropertyGroup>
147 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
148 |     <Link>
149 |       <GenerateDebugInformation>false</GenerateDebugInformation>
150 |       <GenerateMapFile>true</GenerateMapFile>
151 |       <AdditionalDependencies>VirtualizerDDK64.lib;%(AdditionalDependencies)</AdditionalDependencies>
152 |       <ProgramDatabaseFile />
153 |       <Profile>false</Profile>
154 |     </Link>
155 |     <ClCompile>
156 |       <DebugInformationFormat>None</DebugInformationFormat>
157 |       <TreatWarningAsError>false</TreatWarningAsError>
158 |       <BufferSecurityCheck>true</BufferSecurityCheck>
159 |       <AdditionalOptions>/pdbpath:none %(AdditionalOptions)</AdditionalOptions>
160 |       <FunctionLevelLinking>false</FunctionLevelLinking>
161 |       <StringPooling>false</StringPooling>
162 |     </ClCompile>
163 |   </ItemDefinitionGroup>
164 |   <ItemGroup>
165 |     <Inf Include="EAC_Bypass.inf" />
166 |   </ItemGroup>
167 |   <ItemGroup>
168 |     <FilesToPackage Include="$(TargetPath)" />
169 |   </ItemGroup>
170 |   <ItemGroup>
171 |     <ClCompile Include="Main.c" />
172 |   </ItemGroup>
173 |   <ItemGroup>
174 |     <ClInclude Include="Main.hpp" />
175 |     <ClInclude Include="ntos.hpp" />
176 |     <ClInclude Include="ntstructs.hpp" />
177 |     <ClInclude Include="Options.hpp" />
178 |   </ItemGroup>
179 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
180 |   <ImportGroup Label="ExtensionTargets">
181 |   </ImportGroup>
182 | </Project>


--------------------------------------------------------------------------------
/EAC_Bypass/EAC_Bypass.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |     <Filter Include="Header Files\OS">
21 |       <UniqueIdentifier>{daa8f17e-d414-4954-a19d-8800baded80d}</UniqueIdentifier>
22 |     </Filter>
23 |   </ItemGroup>
24 |   <ItemGroup>
25 |     <Inf Include="EAC_Bypass.inf">
26 |       <Filter>Driver Files</Filter>
27 |     </Inf>
28 |   </ItemGroup>
29 |   <ItemGroup>
30 |     <ClCompile Include="Main.c">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |   </ItemGroup>
34 |   <ItemGroup>
35 |     <ClInclude Include="Main.hpp">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="ntstructs.hpp">
39 |       <Filter>Header Files\OS</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="ntos.hpp">
42 |       <Filter>Header Files\OS</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="Options.hpp">
45 |       <Filter>Header Files</Filter>
46 |     </ClInclude>
47 |   </ItemGroup>
48 | </Project>


--------------------------------------------------------------------------------
/EAC_Bypass/EAC_Bypass.vcxproj.user:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 4 |     <SignMode>ProductionSign</SignMode>
 5 |     <ProductionCertificate>CN=上海渤窿投资管理有限公司, O=上海渤窿投资管理有限公司, L=shanghai, S=shanghai, C=CN | A29E53F93B6BB31BC26997449DBDE4E218217CB4</ProductionCertificate>
 6 |   </PropertyGroup>
 7 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
 8 |     <SignMode>Off</SignMode>
 9 |   </PropertyGroup>
10 | </Project>


--------------------------------------------------------------------------------
/EAC_Bypass/Main.c:
--------------------------------------------------------------------------------
   1 | #include "main.hpp"
   2 | #include "Options.hpp"
   3 | 
   4 | #pragma region CallBacks
   5 | OB_PREOP_CALLBACK_STATUS ProcessObjectPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
   6 | {
   7 | 	UNREFERENCED_PARAMETER(RegistrationContext);
   8 | 	VirtualizerStart();
   9 | 	VirtualizerStrEncryptStart();
  10 | #if (PROTECT_PROCESS == 1)
  11 | 	if (OperationInformation && MmIsAddressValid(OperationInformation))
  12 | 	{
  13 | 		HANDLE pid = PsGetProcessId((PEPROCESS)OperationInformation->Object);
  14 | 		if (pid && pid == (HANDLE)ProcessIdToProtect)
  15 | 		{
  16 | 			if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ||
  17 | 				OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
  18 | 			{
  19 | 				if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
  20 | 				{
  21 | 					OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
  22 | 				}
  23 | 				if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
  24 | 				{
  25 | 					OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
  26 | 				}
  27 | 				if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
  28 | 				{
  29 | 					OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
  30 | 				}
  31 | 				if ((OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
  32 | 				{
  33 | 					OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
  34 | 				}
  35 | 			}
  36 | 		}
  37 | 	}
  38 | #endif
  39 | 	VirtualizerStrEncryptEnd();
  40 | 	VirtualizerEnd();
  41 | 	if (PsGetCurrentProcessId() == 4)
  42 | 	{
  43 | 		POB_PRE_OPERATION_CALLBACK EACCallBack = (POB_PRE_OPERATION_CALLBACK)ProcessPreOperation;
  44 | 		EACCallBack(RegistrationContext, OperationInformation);
  45 | 	}
  46 | 	if (PsGetCurrentProcessId() == pGameId)
  47 | 	{
  48 | 		POB_PRE_OPERATION_CALLBACK EACCallBack = (POB_PRE_OPERATION_CALLBACK)ProcessPreOperation;
  49 | 		EACCallBack(RegistrationContext, OperationInformation);
  50 | 	}
  51 | 	return(OB_PREOP_SUCCESS);
  52 | }
  53 | 
  54 | VOID ProcessObjectPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation)
  55 | {
  56 | 	if (PsGetCurrentProcessId() == 4)
  57 | 	{
  58 | 		POB_POST_OPERATION_CALLBACK EACCallBack = (POB_POST_OPERATION_CALLBACK)ProcessPostOperation;
  59 | 		EACCallBack(RegistrationContext, OperationInformation);
  60 | 	}
  61 | 	if (PsGetCurrentProcessId() == pGameId)
  62 | 	{
  63 | 		POB_POST_OPERATION_CALLBACK EACCallBack = (POB_POST_OPERATION_CALLBACK)ProcessPostOperation;
  64 | 		EACCallBack(RegistrationContext, OperationInformation);
  65 | 	}
  66 | 	return;
  67 | }
  68 | 
  69 | OB_PREOP_CALLBACK_STATUS ThreadObjectPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
  70 | {
  71 | 	if (PsGetCurrentProcessId() == 4)
  72 | 	{
  73 | 		POB_PRE_OPERATION_CALLBACK EACCallBack = (POB_PRE_OPERATION_CALLBACK)ThreadPreOperation;
  74 | 		EACCallBack(RegistrationContext, OperationInformation);
  75 | 	}
  76 | 	
  77 | 	return(OB_PREOP_SUCCESS);
  78 | }
  79 | 
  80 | VOID ThreadObjectPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation)
  81 | {
  82 | 	if (PsGetCurrentProcessId() == 4)
  83 | 	{
  84 | 		POB_POST_OPERATION_CALLBACK EACCallBack = (POB_POST_OPERATION_CALLBACK)ThreadPostOperation;
  85 | 		EACCallBack(RegistrationContext, OperationInformation);
  86 | 	}
  87 | 	return;
  88 | }
  89 | 
  90 | // credits for this function and the offsets goes to https://www.write-bug.com/article/2503.html
  91 | BOOLEAN RemoveMiniFilter()
  92 | {
  93 | #if (REMOVE_FILTER == 1)
  94 | 	VirtualizerStart();
  95 | 	VirtualizerStrEncryptStart();
  96 | 	NTSTATUS status = STATUS_SUCCESS;
  97 | 	ULONG ulFilterListSize = 0;
  98 | 	PFLT_FILTER* ppFilterList = NULL;
  99 | 	ULONG i = 0;
 100 | 	PFLT_OPERATION_REGISTRATION pFltOperationRegistration = NULL;
 101 | 	FltEnumerateFilters(NULL, 0, &ulFilterListSize);
 102 | 	ppFilterList = (PFLT_FILTER*)ExAllocatePool(NonPagedPool, ulFilterListSize * sizeof(PFLT_FILTER));
 103 | 	if (NULL == ppFilterList)
 104 | 	{
 105 | 		DbgPrint("[EAC_Bypass] ExAllocatePool Error!\n");
 106 | 		return FALSE;
 107 | 	}
 108 | 	status = FltEnumerateFilters(ppFilterList, ulFilterListSize, &ulFilterListSize);
 109 | 	if (!NT_SUCCESS(status))
 110 | 	{
 111 | 		DbgPrint("[EAC_Bypass] FltEnumerateFilters Error![0x%X]\n", status);
 112 | 		return FALSE;
 113 | 	}
 114 | 	DbgPrint("[EAC_Bypass] ulFilterListSize=%d\n", ulFilterListSize);
 115 | 	if (lOperationsOffset == 0)
 116 | 	{
 117 | 		DbgPrint("[EAC_Bypass] GetOperationsOffset Error\n");
 118 | 		return FALSE;
 119 | 	}
 120 | 	try
 121 | 	{
 122 | 		for (i = 0; i < ulFilterListSize; i++)
 123 | 		{
 124 | 			pFltOperationRegistration = (PFLT_OPERATION_REGISTRATION)(*(PVOID*)((PUCHAR)ppFilterList[i] + lOperationsOffset));
 125 | 			try
 126 | 			{
 127 | 				while (IRP_MJ_OPERATION_END != pFltOperationRegistration->MajorFunction)
 128 | 				{
 129 | 					if (MmIsAddressValid(pFltOperationRegistration->PreOperation) &&
 130 | 						IsFromEACRange(pFltOperationRegistration->PreOperation))
 131 | 					{
 132 | 						FilterAddr = pFltOperationRegistration->PreOperation;
 133 | 						pFltOperationRegistration->PreOperation = DummyObjectPreCallback;
 134 | 						DbgPrint("[EAC_Bypass] BE Filter found 0x%llX", FilterAddr);
 135 | 						break;
 136 | 					}
 137 | 					pFltOperationRegistration = (PFLT_OPERATION_REGISTRATION)((PUCHAR)pFltOperationRegistration + sizeof(FLT_OPERATION_REGISTRATION));
 138 | 				}
 139 | 			}
 140 | 			__except (EXCEPTION_EXECUTE_HANDLER)
 141 | 			{
 142 | 				DbgPrint("[EAC_Bypass] Exception [0x%X] in RemoveMiniFilter", GetExceptionCode());
 143 | 			}
 144 | 			FltObjectDereference(ppFilterList[i]);
 145 | 		}
 146 | 	}
 147 | 	__except (EXCEPTION_EXECUTE_HANDLER)
 148 | 	{
 149 | 		DbgPrint("[EAC_Bypass] Exception [0x%X] in RemoveMiniFilter", GetExceptionCode());
 150 | 	}
 151 | 	VirtualizerStrEncryptEnd();
 152 | 	VirtualizerEnd();
 153 | 	ExFreePool(ppFilterList);
 154 | 	ppFilterList = NULL;
 155 | #endif
 156 | 	return TRUE;
 157 | }
 158 | 
 159 | BOOLEAN RestoreMiniFilter()
 160 | {
 161 | #if (REMOVE_FILTER == 1)
 162 | 	NTSTATUS status = STATUS_SUCCESS;
 163 | 	ULONG ulFilterListSize = 0;
 164 | 	PFLT_FILTER* ppFilterList = NULL;
 165 | 	ULONG i = 0;
 166 | 	PFLT_OPERATION_REGISTRATION pFltOperationRegistration = NULL;
 167 | 	try
 168 | 	{
 169 | 		VirtualizerStart();
 170 | 		VirtualizerStrEncryptStart();
 171 | 		FltEnumerateFilters(NULL, 0, &ulFilterListSize);
 172 | 		ppFilterList = (PFLT_FILTER*)ExAllocatePool(NonPagedPool, ulFilterListSize * sizeof(PFLT_FILTER));
 173 | 		if (NULL == ppFilterList)
 174 | 		{
 175 | 			DbgPrint("[EAC_Bypass] ExAllocatePool Error!\n");
 176 | 			return FALSE;
 177 | 		}
 178 | 		status = FltEnumerateFilters(ppFilterList, ulFilterListSize, &ulFilterListSize);
 179 | 		if (!NT_SUCCESS(status))
 180 | 		{
 181 | 			DbgPrint("[EAC_Bypass] FltEnumerateFilters Error![0x%X]\n", status);
 182 | 			return FALSE;
 183 | 		}
 184 | 		DbgPrint("[EAC_Bypass] ulFilterListSize=%d\n", ulFilterListSize);
 185 | 		if (lOperationsOffset == 0)
 186 | 		{
 187 | 			DbgPrint("[EAC_Bypass] GetOperationsOffset Error\n");
 188 | 			return FALSE;
 189 | 		}
 190 | 		for (i = 0; i < ulFilterListSize; i++)
 191 | 		{
 192 | 			pFltOperationRegistration = (PFLT_OPERATION_REGISTRATION)(*(PVOID*)((PUCHAR)ppFilterList[i] + lOperationsOffset));
 193 | 			try
 194 | 			{
 195 | 				while (IRP_MJ_OPERATION_END != pFltOperationRegistration->MajorFunction)
 196 | 				{
 197 | 					if (pFltOperationRegistration->PreOperation == DummyObjectPreCallback)
 198 | 					{
 199 | 						pFltOperationRegistration->PreOperation = pFltOperationRegistration->PreOperation;
 200 | 						DbgPrint("[EAC_Bypass] EAC Filter restored");
 201 | 					}
 202 | 					pFltOperationRegistration = (PFLT_OPERATION_REGISTRATION)((PUCHAR)pFltOperationRegistration + sizeof(FLT_OPERATION_REGISTRATION));
 203 | 				}
 204 | 			}
 205 | 			__except (EXCEPTION_EXECUTE_HANDLER)
 206 | 			{
 207 | 				DbgPrint("[EAC_Bypass] Exception [0x%X] in RemoveMiniFilter", GetExceptionCode());
 208 | 			}
 209 | 			FltObjectDereference(ppFilterList[i]);
 210 | 		}
 211 | 	}
 212 | 	__except (EXCEPTION_EXECUTE_HANDLER)
 213 | 	{
 214 | 		DbgPrint("[EAC_Bypass] Exception [0x%X] in RemoveMiniFilter", GetExceptionCode());
 215 | 	}
 216 | 	VirtualizerStrEncryptEnd();
 217 | 	VirtualizerEnd();
 218 | 
 219 | 	ExFreePool(ppFilterList);
 220 | 	ppFilterList = NULL;
 221 | #endif
 222 | 	return TRUE;
 223 | }
 224 | 
 225 | BOOLEAN Do_Bypass()
 226 | {
 227 | 	PLIST_ENTRY FirstEntry = 0;
 228 | 	PLIST_ENTRY pEntry = 0;;
 229 | 	__try
 230 | 	{
 231 | 		VirtualizerStart();
 232 | 		VirtualizerStrEncryptStart();
 233 | #if (REMOVE_PROCESSCALLBACKS == 1)
 234 | 		if (ProcessPostOperation || ProcessPreOperation)
 235 | 			return TRUE;
 236 | #if (SUSPEND_EAC == 1)
 237 | 		if (!NT_SUCCESS(SuspendOrResumeAllThreads(1)))
 238 | 		{
 239 | 			DbgPrint("[EAC_Bypass] SuspendOrResumeAllThreads failed.");
 240 | 			return FALSE;
 241 | 		}
 242 | #endif
 243 | 		FirstEntry = (PLIST_ENTRY)((uintptr_t)* PsProcessType + 0xC8);
 244 | 		pEntry = FirstEntry;
 245 | 		while (pEntry != NULL || pEntry != FirstEntry)
 246 | 		{
 247 | 			CALLBACK_ENTRY_ITEM* curCallback = (CALLBACK_ENTRY_ITEM*)pEntry;
 248 | 			if (!MmIsAddressValid(pEntry))
 249 | 				break;
 250 | 			if (IsFromEACRange((PVOID)curCallback->PostOperation) ||
 251 | 				IsFromEACRange((PVOID)curCallback->PreOperation))
 252 | 			{
 253 | 				ProcessPostOperation = (PVOID)curCallback->PostOperation;
 254 | 				ProcessPreOperation = (PVOID)curCallback->PreOperation;
 255 | 				curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)ProcessObjectPostCallback;
 256 | 				curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)ProcessObjectPreCallback;
 257 | 				break;
 258 | 			}
 259 | 			pEntry = pEntry->Flink;
 260 | 			if (pEntry == FirstEntry || pEntry == 0 || !MmIsAddressValid(pEntry) || !MmIsAddressValid(pEntry)) break;
 261 | 		}
 262 | #endif
 263 | #if (REMOVE_THREADCALLBACKS == 1)
 264 | 		FirstEntry = (PLIST_ENTRY)((uintptr_t)* PsThreadType + 0xC8);
 265 | 		pEntry = FirstEntry;
 266 | 		while (pEntry != NULL || pEntry != FirstEntry)
 267 | 		{
 268 | 			CALLBACK_ENTRY_ITEM* curCallback = (CALLBACK_ENTRY_ITEM*)pEntry;
 269 | 			if (!MmIsAddressValid(pEntry))
 270 | 				break;
 271 | 			if (IsFromEACRange((PVOID)curCallback->PostOperation) ||
 272 | 				IsFromEACRange((PVOID)curCallback->PreOperation))
 273 | 			{
 274 | 				ThreadPostOperation = (PVOID)curCallback->PostOperation;
 275 | 				ThreadPreOperation = (PVOID)curCallback->PreOperation;
 276 | 				curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)ThreadObjectPostCallback;
 277 | 				curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)ThreadObjectPreCallback;
 278 | 				break;
 279 | 			}
 280 | 			pEntry = pEntry->Flink;
 281 | 			if (pEntry == FirstEntry || pEntry == 0 || !MmIsAddressValid(pEntry) || !MmIsAddressValid(pEntry)) break;
 282 | 		}
 283 | #endif
 284 | 		VirtualizerStrEncryptEnd();
 285 | 		VirtualizerEnd();
 286 | 	}
 287 | 	except(EXCEPTION_EXECUTE_HANDLER)
 288 | 	{
 289 | 		VirtualizerStrEncryptStart();
 290 | 		DbgPrint("[EAC_Bypass] Exception [0x%X] in Do_Bypass", GetExceptionCode());
 291 | 		VirtualizerStrEncryptEnd();
 292 | 		return FALSE;
 293 | 	}
 294 | 	return TRUE;
 295 | }
 296 | 
 297 | BOOLEAN Remove_Bypass()
 298 | {
 299 | 	PLIST_ENTRY FirstEntry = 0;
 300 | 	PLIST_ENTRY pEntry = 0;
 301 | 	__try
 302 | 	{
 303 | 		VirtualizerStart();
 304 | 		VirtualizerStrEncryptStart();
 305 | #if (REMOVE_PROCESSCALLBACKS == 1)
 306 | 		FirstEntry = (PLIST_ENTRY)((uintptr_t)* PsProcessType + 0xC8);
 307 | 		pEntry = FirstEntry;
 308 | 		while (pEntry != NULL || pEntry != FirstEntry)
 309 | 		{
 310 | 			CALLBACK_ENTRY_ITEM* curCallback = (CALLBACK_ENTRY_ITEM*)pEntry;
 311 | 			if (!MmIsAddressValid(pEntry))
 312 | 				break;
 313 | 			if (curCallback->PostOperation == ProcessObjectPostCallback ||
 314 | 				curCallback->PreOperation == ProcessObjectPreCallback)
 315 | 			{
 316 | 				curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)ProcessPostOperation;
 317 | 				curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)ProcessPreOperation;
 318 | 				ProcessPostOperation = 0;
 319 | 				ProcessPreOperation = 0;
 320 | 				break;
 321 | 			}
 322 | 			pEntry = pEntry->Flink;
 323 | 			if (pEntry == FirstEntry || pEntry == 0 || !MmIsAddressValid(pEntry)) break;
 324 | 		}
 325 | #endif
 326 | #if (REMOVE_THREADCALLBACKS == 1)
 327 | 		FirstEntry = (PLIST_ENTRY)((uintptr_t)* PsThreadType + 0xC8);
 328 | 		pEntry = FirstEntry;
 329 | 		while (pEntry != NULL || pEntry != FirstEntry)
 330 | 		{
 331 | 			CALLBACK_ENTRY_ITEM* curCallback = (CALLBACK_ENTRY_ITEM*)pEntry;
 332 | 			if (!MmIsAddressValid(pEntry))
 333 | 				break;
 334 | 			if (curCallback->PostOperation == ThreadObjectPostCallback ||
 335 | 				curCallback->PreOperation == ThreadObjectPreCallback)
 336 | 			{
 337 | 				curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)ThreadPostOperation;
 338 | 				curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)ThreadPreOperation;
 339 | 				ThreadPostOperation = 0;
 340 | 				ThreadPreOperation = 0;
 341 | 				break;
 342 | 			}
 343 | 			pEntry = pEntry->Flink;
 344 | 			if (pEntry == FirstEntry || pEntry == 0 || !MmIsAddressValid(pEntry)) break;
 345 | 		}
 346 | #endif
 347 | #if (SUSPEND_EAC == 1)
 348 | 		if (!NT_SUCCESS(SuspendOrResumeAllThreads(0)))
 349 | 		{
 350 | 			DbgPrint("[EAC_Bypass] SuspendOrResumeAllThreads failed.");
 351 | 			return FALSE;
 352 | 		}
 353 | #endif
 354 | 		VirtualizerStrEncryptEnd();
 355 | 		VirtualizerEnd();
 356 | 	}
 357 | 	except(EXCEPTION_EXECUTE_HANDLER)
 358 | 	{
 359 | 		VirtualizerStrEncryptStart();
 360 | 		DbgPrint("[EAC_Bypass] Exception [0x%X] in Remove_Bypass", GetExceptionCode());
 361 | 		VirtualizerStrEncryptEnd();
 362 | 		return FALSE;
 363 | 	}
 364 | 	return TRUE;
 365 | }
 366 | 
 367 | BOOLEAN FuckImageCallBack()
 368 | {
 369 | #if (REMOVE_IMAGEROUTINE == 1)
 370 | 	__try
 371 | 	{
 372 | 		VirtualizerStart();
 373 | 		VirtualizerStrEncryptStart();
 374 | 		ULONG64	NotifyAddr = 0, MagicPtr = 0;
 375 | 		ULONG64	PspLoadImageNotifyRoutine = (ULONG64)ImageCallBacks;
 376 | 		for (int i = 0; i < 64; i++)
 377 | 		{
 378 | 			MagicPtr = PspLoadImageNotifyRoutine + i * 8;
 379 | 			NotifyAddr = *(PULONG64)(MagicPtr);
 380 | 			if (MmIsAddressValid((PVOID)NotifyAddr) && NotifyAddr != 0)
 381 | 			{
 382 | 				NotifyAddr = *(PULONG64)(NotifyAddr & 0xfffffffffffffff8);
 383 | 				if (IsFromEACRange((PVOID)NotifyAddr))
 384 | 				{
 385 | 					DbgPrint("[EAC_Bypass] EAC found in ImageCallBacks");
 386 | 					EAC_ImageRoutine = (PVOID)NotifyAddr;
 387 | 					if (!NT_SUCCESS(PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)NotifyAddr)))
 388 | 						DbgPrint("[EAC_Bypass] PsRemoveLoadImageNotifyRoutine failed");
 389 | 					else
 390 | 					{
 391 | 						DbgPrint("[EAC_Bypass] ImageCallBack has been removed");
 392 | 						return TRUE;
 393 | 					}
 394 | 				}
 395 | 			}
 396 | 		}
 397 | 		VirtualizerStrEncryptEnd();
 398 | 		VirtualizerEnd();
 399 | 	}
 400 | 	except(EXCEPTION_EXECUTE_HANDLER)
 401 | 	{
 402 | 		VirtualizerStrEncryptStart();
 403 | 		DbgPrint("[EAC_Bypass] Exception [0x%X] in FuckImageCallBack", GetExceptionCode());
 404 | 		VirtualizerStrEncryptEnd();
 405 | 		return FALSE;
 406 | 	}
 407 | #endif
 408 | 	return FALSE;
 409 | }
 410 | 
 411 | BOOLEAN FuckThreadCallBack()
 412 | {
 413 | #if (REMOVE_THREADROUTINE == 1)
 414 | 	__try
 415 | 	{
 416 | 		VirtualizerStart();
 417 | 		VirtualizerStrEncryptStart();
 418 | 		ULONG64	NotifyAddr = 0, MagicPtr = 0;
 419 | 		ULONG64	PspCreateThreadNotifyRoutine = (ULONG64)ThreadCallBacks;
 420 | 		for (int i = 0; i < 64; i++)
 421 | 		{
 422 | 			MagicPtr = PspCreateThreadNotifyRoutine + i * 8;
 423 | 			NotifyAddr = *(PULONG64)(MagicPtr);
 424 | 			if (MmIsAddressValid((PVOID)NotifyAddr) && NotifyAddr != 0)
 425 | 			{
 426 | 				NotifyAddr = *(PULONG64)(NotifyAddr & 0xfffffffffffffff8);
 427 | 				if (IsFromEACRange((PVOID)NotifyAddr))
 428 | 				{
 429 | 					DbgPrint("[EAC_Bypass] EAC found in ThreadCallBacks");
 430 | 					EAC_ThreadRoutine = (PVOID)NotifyAddr;
 431 | 					if (!NT_SUCCESS(PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)NotifyAddr)))
 432 | 						DbgPrint("[EAC_Bypass] PsRemoveCreateThreadNotifyRoutine failed");
 433 | 					else
 434 | 					{
 435 | 						DbgPrint("[EAC_Bypass] ThreadCallBack has been removed");
 436 | 						return TRUE;
 437 | 					}
 438 | 				}
 439 | 			}
 440 | 		}
 441 | 		VirtualizerStrEncryptEnd();
 442 | 		VirtualizerEnd();
 443 | 	}
 444 | 	except(EXCEPTION_EXECUTE_HANDLER)
 445 | 	{
 446 | 		VirtualizerStrEncryptStart();
 447 | 		DbgPrint("[EAC_Bypass] Exception [0x%X] in FuckThreadCallBack", GetExceptionCode());
 448 | 		VirtualizerStrEncryptEnd();
 449 | 		return FALSE;
 450 | 	}
 451 | #endif
 452 | 
 453 | 	return FALSE;
 454 | }
 455 | 
 456 | BOOLEAN RestoreImageCallBack()
 457 | {
 458 | 	VirtualizerStart();
 459 | 	VirtualizerStrEncryptStart();
 460 | #if (REMOVE_IMAGEROUTINE == 1)
 461 | 	if (!MmIsAddressValid((PVOID)EAC_ImageRoutine) ||
 462 | 		!NT_SUCCESS(PsSetLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)EAC_ImageRoutine)))
 463 | 		DbgPrint("[EAC_Bypass] WARNING : PsSetLoadImageNotifyRoutine failed");
 464 | 	else
 465 | 	{
 466 | 		DbgPrint("[EAC_Bypass] ImageCallBack has been restored");
 467 | 		return TRUE;
 468 | 	}
 469 | #endif
 470 | 	VirtualizerStrEncryptEnd();
 471 | 	VirtualizerEnd();
 472 | 	return FALSE;
 473 | }
 474 | 
 475 | BOOLEAN RestoreThreadCallBack()
 476 | {
 477 | 	VirtualizerStart();
 478 | 	VirtualizerStrEncryptStart();
 479 | #if (REMOVE_THREADROUTINE == 1)
 480 | 	if (!MmIsAddressValid((PVOID)EAC_ThreadRoutine) ||
 481 | 		!NT_SUCCESS(PsSetCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)EAC_ThreadRoutine)))
 482 | 		DbgPrint("[EAC_Bypass] WARNING : PsSetCreateThreadNotifyRoutine failed");
 483 | 	else
 484 | 	{
 485 | 		DbgPrint("[EAC_Bypass] ThreadCallBack has been restored");
 486 | 		return TRUE;
 487 | 	}
 488 | #endif
 489 | 	VirtualizerStrEncryptEnd();
 490 | 	VirtualizerEnd();
 491 | 	return FALSE;
 492 | }
 493 | 
 494 | #pragma endregion CallBacks
 495 | 
 496 | #pragma region Routines
 497 | VOID ImageRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO Info)
 498 | {
 499 | 	UNREFERENCED_PARAMETER(ProcessId);
 500 | 	//VirtualizerStart();
 501 | 	if (wcsstr(FullImageName->Buffer, L"EasyAntiCheat.sys"))
 502 | 	{
 503 | 		EAC_Base = Info->ImageBase;
 504 | 		EAC_Base_Size = Info->ImageSize;
 505 | 		VirtualizerStrEncryptStart();
 506 | 		DbgPrint("[EAC_Bypass] EAC found in ImageRoutine 0x%llX %d", EAC_Base, EAC_Base_Size);
 507 | 		VirtualizerStrEncryptEnd();
 508 | 	}
 509 | 	//VirtualizerEnd();
 510 | }
 511 | 
 512 | VOID ProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
 513 | {
 514 | 	VirtualizerStart();
 515 | 	VirtualizerStrEncryptStart();
 516 | 	LPSTR lpFileName = 0;
 517 | 	PEPROCESS Process = 0;
 518 | 	if (ProcessId == pGameId && pGameId)
 519 | 	{
 520 | 		if (Create == 0)
 521 | 		{
 522 | 			DbgPrint("[EAC_Bypass] Protected process %d close %I64x %I64x", ProcessId, EAC_Base, EAC_Base_Size);
 523 | 			if (ProcessPreOperation || ProcessPostOperation || ThreadPreOperation || ThreadPostOperation)
 524 | 			{
 525 | 
 526 | 				if (Remove_Bypass() == FALSE)
 527 | 					DbgPrint("[EAC_Bypass] WARNING : Remove_Bypass failed");
 528 | 			}
 529 | 			IsBypassEnabled = FALSE;
 530 | 			if (FilterAddr)
 531 | 			{
 532 | 				if (!RestoreMiniFilter())
 533 | 					DbgPrint("[EAC_Bypass] WARNING : RestoreMiniFilter failed");
 534 | 			}
 535 | #if (RESTORE_ROUTINES == 1)
 536 | 			/*if (RestoreThreadCallBack() == FALSE)
 537 | 				DbgPrint("[EAC_Bypass] WARNING : RestoreImageCallBack failed.");
 538 | 			if (RestoreImageCallBack() == FALSE)
 539 | 				DbgPrint("[EAC_Bypass] WARNING : RestoreImageCallBack failed.");*/
 540 | #endif
 541 | 		}
 542 | 	}
 543 | 	// This is required to make sure we don't disturb the game launch
 544 | 	if (ProcessId == pParentId && pParentId)
 545 | 	{
 546 | 		if (Create == 0)
 547 | 		{
 548 | 			DbgPrint("[EAC_Bypass] Protected launcher %d close %I64x %I64x", ProcessId);
 549 | 			if (FuckImageCallBack() == FALSE)
 550 | 				DbgPrint("[EAC_Bypass] WARNING : FuckImageCallBack failed");
 551 | 			if (FuckThreadCallBack() == FALSE)
 552 | 				DbgPrint("[EAC_Bypass] WARNING : FuckThreadCallBack failed");
 553 | 			if (!RemoveMiniFilter())
 554 | 				DbgPrint("[EAC_Bypass] WARNING : RemoveMiniFilter failed");
 555 | 		}
 556 | 	}
 557 | 	if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &Process)))
 558 | 	{
 559 | 		DbgPrint("[EAC_Bypass] WARNING : PsLookupProcessByProcessId failed");
 560 | 		return;
 561 | 	}
 562 | 	if (MmIsAddressValid(Process))
 563 | 	{
 564 | 		lpFileName = (LPSTR)PsGetProcessImageFileName(Process);
 565 | 		if (MmIsAddressValid(lpFileName))
 566 | 		{
 567 | 			// 
 568 | 			if (!_stricmp(lpFileName, "YourEACGame.exe") ||
 569 | 				strstr(lpFileName, "YourEACGame.exe"))
 570 | 			{
 571 | 				if (Create)
 572 | 				{
 573 | 					pParentId = ParentId;
 574 | 					pGameId = ProcessId;
 575 | 					DbgPrint("[EAC_Bypass] Protected process %d found %I64x %I64x", ProcessId, EAC_Base, EAC_Base_Size);
 576 | 					FilterAddr = 0;
 577 | 					IsBypassEnabled = FALSE;
 578 | 					if (Do_Bypass() == FALSE)
 579 | 						DbgPrint("[EAC_Bypass] WARNING : Do_Bypass failed");
 580 | 					IsBypassEnabled = TRUE;
 581 | #if (RESTORE_ROUTINES == 1)
 582 | 					if (RestoreThreadCallBack() == FALSE)
 583 | 						DbgPrint("[EAC_Bypass] WARNING : RestoreImageCallBack failed.");
 584 | 					if (RestoreImageCallBack() == FALSE)
 585 | 						DbgPrint("[EAC_Bypass] WARNING : RestoreImageCallBack failed.");
 586 | 
 587 | #endif
 588 | 				}
 589 | 			}
 590 | 		}
 591 | 	}
 592 | 
 593 | 	VirtualizerStrEncryptEnd();
 594 | 	VirtualizerEnd();
 595 | }
 596 | 
 597 | 
 598 | #pragma endregion Routines
 599 | 
 600 | BOOLEAN InitBypass()
 601 | {
 602 | 	VirtualizerStart();
 603 | 	VirtualizerStrEncryptStart();
 604 | 	BOOLEAN Result = FALSE;
 605 | 	RTL_OSVERSIONINFOW	osInfo;
 606 | 	PVOID Base = 0;
 607 | 	PIMAGE_NT_HEADERS64 Header = 0;
 608 | 	PIMAGE_SECTION_HEADER pFirstSec = 0;
 609 | 	ANSI_STRING s1, s2;
 610 | 	PVOID pFound = 0;
 611 | 	NTSTATUS status = -1;
 612 | 	RtlFillMemory(&osInfo, sizeof(RTL_OSVERSIONINFOW), 0);
 613 | 	RtlFillMemory(&s1, sizeof(ANSI_STRING), 0);
 614 | 	RtlFillMemory(&s2, sizeof(ANSI_STRING), 0);
 615 | 	osInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
 616 | 	RtlGetVersion(&osInfo);
 617 | 
 618 | 	DbgPrint("[EAC_Bypass] OsInfo: BuildNumber[%ld] dwMajorVersion[%d] dwMinorVersion[%d]", osInfo.dwBuildNumber, osInfo.dwMajorVersion, osInfo.dwMinorVersion);
 619 | 	if (6 == osInfo.dwMajorVersion)
 620 | 	{
 621 | 		if (osInfo.dwMinorVersion == 1)
 622 | 		{
 623 | 			DbgPrint("[EAC_Bypass] Windows 7 detected");
 624 | 			//Windows 7
 625 | 			Base = GetKernelBase();
 626 | 			if (Base == 0)
 627 | 			{
 628 | 				DbgPrint("[EAC_Bypass] GetKernelBase failed.");
 629 | 				return Result;
 630 | 			}
 631 | 			Header = RtlImageNtHeader(Base);
 632 | 			pFirstSec = (PIMAGE_SECTION_HEADER)(Header + 1);
 633 | 			for (PIMAGE_SECTION_HEADER pSec = pFirstSec; pSec < pFirstSec + (Header->FileHeader.NumberOfSections); pSec++)
 634 | 			{
 635 | 				RtlInitAnsiString(&s1, "PAGE");
 636 | 				RtlInitAnsiString(&s2, (PCCHAR)pSec->Name);
 637 | 				if (RtlCompareString(&s1, &s2, TRUE) == 0)
 638 | 				{
 639 | 					//BE ?? ?? ?? ?? 6A 00 8B CB 8B C6 E8 ?? ?? ?? ??  84 C0 75 20 83 C7 04 83 C6 04 81 ?? ?? ?? ?? ?? 72 E3 53 E8 ?? ?? ?? ??  B8 ?? ?? ?? ??  5F
 640 | 					UCHAR ImageCallBacks_pattern[] = "\x48\x8D\x0D\xCC\xCC\xCC\xCC\x45\x33\xC0\x48\x8B\xD7\x48\x8D\x0C\xD9\xE8\xCC\xCC\xCC\xCC\x84\xC0\x75\xCC\xFF\xC3\x83\xFB\x08\xCC\xCC\x48\x8B\xCF";
 641 | 					UCHAR ImageCallBacks_pattern2[] = "\xBE\xCC\xCC\xCC\xCC\x6A\x00\x8B\xCB\x8B\xC6\xE8\xCC\xCC\xCC\xCC\x84\xC0\x75\x20\x83\xC7\x04\x83\xC6\x04\x81\xCC\xCC\xCC\xCC\xCC\x72\xE3\x53\xE8\xCC\xCC\xCC\xCC\xB8\xCC\xCC\xCC\xCC";
 642 | 
 643 | 					//BE ?? ?? ?? ?? 6A 00 8B CB 8B C6 E8 ?? ?? ?? ??  84 C0 75 20 83 C7 04 83 C6 04 81 ?? ?? ?? ?? ?? 72 E3 53 E8 ?? ?? ?? ??  B8 ?? ?? ?? ??  5E
 644 | 					UCHAR ThreadCallBacks_pattern[] = "\x48\x8D\x1D\xCC\xCC\xCC\xCC\x41\xBF\x40\x00\x00\x00\x48\x8B\xCB";
 645 | 					UCHAR ThreadCallBacks_pattern2[] = "\xBE\xCC\xCC\xCC\xCC\x6A\x00\x8B\xCB\x8B\xC\xE8\xCC\xCC\xCC\xCC\x84\xC0\x75\x20\x83\xC7\x04\x83\xC6\x04\x81\xCC\xCC\xCC\xCC\xCC\x72\xE3\x53\xE8\xCC\xCC\xCC\xCC\xB8\xCC\xCC\xCC\xCC\x5E";
 646 | 					UCHAR PsSuspendThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\x48\x8B\x4C\x24\x68\xE8\xCC\xCC\xCC\xCC\xCC\x48";
 647 | 					//E8 ?? ?? ?? ?? 53 8B 45 08 E8 ?? ?? ?? ?? 8B D8 85 DB 75 E9
 648 | 					UCHAR PsSuspendThread_pattern2[] = "\xE8\xCC\xCC\xCC\xCC\x53\x8B\x45\x08\xE8\xCC\xCC\xCC\xCC\x8B\xD8\x85\xDB\x75\xE9";
 649 | 					// E8 ?? ?? ?? ?? 8B D8 85 DB 75 EA 8B 0F 83 E1 FE
 650 | 					UCHAR PsResumeThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\x48\x8B\x4C\x24\x60\xE8";
 651 | 					UCHAR PsResumeThread_pattern2[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xD8\x85\xDB\x75\xEA\x8B\x0F\x83\xE1\xFE";
 652 | 					status = SearchPattern(ImageCallBacks_pattern, 0xCC, sizeof(ImageCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 653 | 					if (NT_SUCCESS(status))
 654 | 						ImageCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
 655 | 					if (!ImageCallBacks)
 656 | 					{
 657 | 						status = SearchPattern(ImageCallBacks_pattern2, 0xCC, sizeof(ImageCallBacks_pattern2) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 658 | 						if (NT_SUCCESS(status))
 659 | 						{
 660 | 							DbgPrint("[EAC_Bypass] ImageCallBacks found!!");
 661 | 							ImageCallBacks = *(uintptr_t*)((uintptr_t)(pFound)+1);
 662 | 						}
 663 | 						if (!ImageCallBacks)
 664 | 						{
 665 | 							DbgPrint("[EAC_Bypass] ImageCallBacks not found.");
 666 | 							return Result;
 667 | 						}
 668 | 					}
 669 | 					
 670 | 					pFound = 0;
 671 | 					status = SearchPattern(ThreadCallBacks_pattern, 0xCC, sizeof(ThreadCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 672 | 					if (NT_SUCCESS(status))
 673 | 						ThreadCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
 674 | 					if (!ThreadCallBacks)
 675 | 					{
 676 | 						status = SearchPattern(ThreadCallBacks_pattern2, 0xCC, sizeof(ThreadCallBacks_pattern2) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 677 | 						if (NT_SUCCESS(status))
 678 | 							ThreadCallBacks = *(uintptr_t*)((uintptr_t)(pFound)+1);
 679 | 						if (!ThreadCallBacks)
 680 | 						{
 681 | 							DbgPrint("[EAC_Bypass] ThreadCallBacks not found.");
 682 | 							return Result;
 683 | 						}
 684 | 					}
 685 | 					
 686 | 					pFound = 0;
 687 | 					status = SearchPattern(PsSuspendThread_pattern, 0xCC, sizeof(PsSuspendThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 688 | 					if (NT_SUCCESS(status))
 689 | 						o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
 690 | 					if (!o_PsSuspendThread)
 691 | 					{
 692 | 						status = SearchPattern(PsSuspendThread_pattern2, 0xCC, sizeof(PsSuspendThread_pattern2) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 693 | 						if (NT_SUCCESS(status))
 694 | 							o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
 695 | 						if (!o_PsSuspendThread)
 696 | 						{
 697 | 							DbgPrint("[EAC_Bypass] o_PsSuspendThread not found.");
 698 | 							return Result;
 699 | 						}
 700 | 					}
 701 | 					pFound = 0;
 702 | 					status = SearchPattern(PsResumeThread_pattern, 0xCC, sizeof(PsResumeThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 703 | 					if (NT_SUCCESS(status))
 704 | 						o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
 705 | 					if (!o_PsResumeThread)
 706 | 					{
 707 | 						status = SearchPattern(PsResumeThread_pattern2, 0xCC, sizeof(PsResumeThread_pattern2) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 708 | 						if (NT_SUCCESS(status))
 709 | 							o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
 710 | 						if (!o_PsResumeThread)
 711 | 						{
 712 | 							DbgPrint("[EAC_Bypass] o_PsResumeThread not found.");
 713 | 							return Result;
 714 | 						}
 715 | 					}
 716 | 				}
 717 | 			}
 718 | 			if (ImageCallBacks && ThreadCallBacks && o_PsSuspendThread && o_PsResumeThread)
 719 | 			{
 720 | 				DbgPrint("[EAC_Bypass] PsSuspendThread found at 0x%llX", o_PsSuspendThread);
 721 | 				DbgPrint("[EAC_Bypass] PsResumeThread found at 0x%llX", o_PsResumeThread);
 722 | 				DbgPrint("[EAC_Bypass] ImageCallBacks found at 0x%llX", ImageCallBacks);
 723 | 				DbgPrint("[EAC_Bypass] ThreadCallBacks found at 0x%llX", ThreadCallBacks);
 724 | 				DbgPrint("[EAC_Bypass] All Addresses found. Bypass is ready!");
 725 | 				Result = 1;
 726 | 			}
 727 | 		}
 728 | 		else if (osInfo.dwMinorVersion == 3)
 729 | 		{
 730 | 			// Win8.1
 731 | 			DbgPrint("[EAC_Bypass] Windows 8.1 detected");
 732 | 			Base = GetKernelBase();
 733 | 			if (Base == 0)
 734 | 			{
 735 | 				DbgPrint("[EAC_Bypass] GetKernelBase failed.");
 736 | 				return Result;
 737 | 			}
 738 | 			Header = RtlImageNtHeader(Base);
 739 | 			pFirstSec = (PIMAGE_SECTION_HEADER)(Header + 1);
 740 | 			for (PIMAGE_SECTION_HEADER pSec = pFirstSec; pSec < pFirstSec + (Header->FileHeader.NumberOfSections); pSec++)
 741 | 			{
 742 | 				RtlInitAnsiString(&s1, "PAGE");
 743 | 				RtlInitAnsiString(&s2, (PCCHAR)pSec->Name);
 744 | 				if (RtlCompareString(&s1, &s2, TRUE) == 0)
 745 | 				{
 746 | 					UCHAR ImageCallBacks_pattern[] = "\x48\x8D\x3D\xCC\xCC\xCC\xCC\xBD\x40\x00\x00\x00\x89\x06";
 747 | 					UCHAR ThreadCallBacks_pattern[] = "\x48\x8D\x1D\xCC\xCC\xCC\xCC\x41\xBF\x40\x00\x00\x00\x48\x8B\xCB";
 748 | 					UCHAR PsSuspendThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\xBA\xCC\xCC\xCC\xCC\x48\x8B\x4C\x24\x68";
 749 | 					UCHAR PsResumeThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\x83\xF8\x01\x75\xCC\x48\x8B\x8E\xCC\xCC\xCC\xCC";
 750 | 					status = SearchPattern(ImageCallBacks_pattern, 0xCC, sizeof(ImageCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 751 | 					if (NT_SUCCESS(status))
 752 | 						ImageCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
 753 | 					if (!ImageCallBacks)
 754 | 					{
 755 | 						DbgPrint("[EAC_Bypass] ImageCallBacks not found.");
 756 | 						return Result;
 757 | 					}
 758 | 					pFound = 0;
 759 | 					status = SearchPattern(ThreadCallBacks_pattern, 0xCC, sizeof(ThreadCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 760 | 					if (NT_SUCCESS(status))
 761 | 						ThreadCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
 762 | 					if (!ThreadCallBacks)
 763 | 					{
 764 | 						DbgPrint("[EAC_Bypass] ThreadCallBacks not found.");
 765 | 						return Result;
 766 | 					}
 767 | 					pFound = 0;
 768 | 					status = SearchPattern(PsSuspendThread_pattern, 0xCC, sizeof(PsSuspendThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 769 | 					if (NT_SUCCESS(status))
 770 | 						o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
 771 | 					if (!o_PsSuspendThread)
 772 | 					{
 773 | 						DbgPrint("[EAC_Bypass] o_PsSuspendThread not found.");
 774 | 						return Result;
 775 | 					}
 776 | 					pFound = 0;
 777 | 					status = SearchPattern(PsResumeThread_pattern, 0xCC, sizeof(PsResumeThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 778 | 					if (NT_SUCCESS(status))
 779 | 						o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
 780 | 					if (!o_PsResumeThread)
 781 | 					{
 782 | 						DbgPrint("[EAC_Bypass] o_PsResumeThread not found.");
 783 | 						return Result;
 784 | 					}
 785 | 				}
 786 | 			}
 787 | 			if (ImageCallBacks && ThreadCallBacks && o_PsSuspendThread && o_PsResumeThread)
 788 | 			{
 789 | 				DbgPrint("[EAC_Bypass] PsSuspendThread found at 0x%llX", o_PsSuspendThread);
 790 | 				DbgPrint("[EAC_Bypass] PsResumeThread found at 0x%llX", o_PsResumeThread);
 791 | 				DbgPrint("[EAC_Bypass] ImageCallBacks found at 0x%llX", ImageCallBacks);
 792 | 				DbgPrint("[EAC_Bypass] ThreadCallBacks found at 0x%llX", ThreadCallBacks);
 793 | 				DbgPrint("[EAC_Bypass] All Addresses found. Bypass is ready!");
 794 | 				Result = 1;
 795 | 			}
 796 | 		}
 797 | 	}
 798 | 	else if (osInfo.dwMajorVersion == 10)
 799 | 	{
 800 | 		// Win10
 801 | 		DbgPrint("[EAC_Bypass] Windows 10 detected");
 802 | 		Base = GetKernelBase();
 803 | 		if (Base == 0)
 804 | 		{
 805 | 			DbgPrint("[EAC_Bypass] GetKernelBase failed.");
 806 | 			return Result;
 807 | 		}
 808 | 		Header = RtlImageNtHeader(Base);
 809 | 		pFirstSec = (PIMAGE_SECTION_HEADER)(Header + 1);
 810 | 		for (PIMAGE_SECTION_HEADER pSec = pFirstSec; pSec < pFirstSec + (Header->FileHeader.NumberOfSections); pSec++)
 811 | 		{
 812 | 			RtlInitAnsiString(&s1, "PAGE");
 813 | 			RtlInitAnsiString(&s2, (PCCHAR)pSec->Name);
 814 | 			if (RtlCompareString(&s1, &s2, TRUE) == 0)
 815 | 			{
 816 | 				UCHAR ImageCallBacks_pattern[] = "\x48\x8D\x0D\xCC\xCC\xCC\xCC\x45\x33\xC0\x48\x8D\x0C\xD9\x48\x8B\xD7\xE8\xCC\xCC\xCC\xCC\x84\xC0\x0F\x84\xCC\xCC\xCC\xCC";
 817 | 				UCHAR ThreadCallBacks_pattern[] = "\x48\x8D\x0D\xCC\xCC\xCC\xCC\x45\x33\xC0\x48\x8D\x0C\xD9\x48\x8B\xD7\xE8\xCC\xCC\xCC\xCC\x84\xC0\x74";
 818 | 				// for older win10 versions 
 819 | 				UCHAR ThreadCallBacks2_pattern[] = "\x48\x8D\x0D\xCC\xCC\xCC\xCC\x45\x33\xC0\x48\x8D\x0C\xD9\x48\x8B\xD7\xE8\xCC\xCC\xCC\xCC\x84\xC0\x75";
 820 | 				UCHAR PsSuspendThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x48\x8B\xD6\x48\x8B\xCD\xE8\xCC\xCC\xCC\xCC\x48\x8B\xF0";
 821 | 				UCHAR PsResumeThread_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x48\x8B\xD7\x48\x8B\xCD\xE8\xCC\xCC\xCC\xCC\xEB\xCC\xBB";
 822 | 				// old win10 builds
 823 | 				UCHAR PsSuspendThread3_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x8B\xF8\xBA\xCC\xCC\xCC\xCC\x48\x8B\x4C\x24\x78";
 824 | 				UCHAR PsResumeThread3_pattern[] = "\xE8\xCC\xCC\xCC\xCC\xBA\xCC\xCC\xCC\xCC\x48\x8B\x4C\x24\x78\xE8\xCC\xCC\xCC\xCC\x90";
 825 | 
 826 | 				// for win10 ver 1903 and higher
 827 | 				UCHAR PsSuspendThread2_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x48\x8B\xD7\x48\x8B\xCE\xE8\xCC\xCC\xCC\xCC\x48\x8B\xF8";
 828 | 				UCHAR PsResumeThread2_pattern[] = "\xE8\xCC\xCC\xCC\xCC\x48\x8B\xD7\x48\x8B\xCE\xE8\xCC\xCC\xCC\xCC\xCC\xCC\x49\x8B\xCE";
 829 | 
 830 | 				status = SearchPattern(ImageCallBacks_pattern, 0xCC, sizeof(ImageCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 831 | 				if (NT_SUCCESS(status))
 832 | 					ImageCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
 833 | 				if (!ImageCallBacks)
 834 | 				{
 835 | 					DbgPrint("[EAC_Bypass] ImageCallBacks not found.");
 836 | 					return Result;
 837 | 				}
 838 | 				pFound = 0;
 839 | 				status = SearchPattern(ThreadCallBacks_pattern, 0xCC, sizeof(ThreadCallBacks_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 840 | 				if (NT_SUCCESS(status))
 841 | 					ThreadCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
 842 | 				if (!ThreadCallBacks)
 843 | 				{
 844 | 					DbgPrint("[EAC_Bypass] ThreadCallBacks not found.Retrying...");
 845 | 					status = SearchPattern(ThreadCallBacks2_pattern, 0xCC, sizeof(ThreadCallBacks2_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 846 | 					if (NT_SUCCESS(status))
 847 | 						ThreadCallBacks = (PVOID*)dereference((uintptr_t)pFound, 3);
 848 | 					if (!ThreadCallBacks)
 849 | 					{
 850 | 						DbgPrint("[EAC_Bypass] ThreadCallBacks not found.");
 851 | 						return Result;
 852 | 					}
 853 | 
 854 | 				}
 855 | 				pFound = 0;
 856 | 				status = SearchPattern(PsSuspendThread_pattern, 0xCC, sizeof(PsSuspendThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 857 | 				if (NT_SUCCESS(status))
 858 | 					o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
 859 | 				if (!o_PsSuspendThread)
 860 | 				{
 861 | 					DbgPrint("[EAC_Bypass] o_PsSuspendThread not found.Retrying...");
 862 | 					status = SearchPattern(PsSuspendThread2_pattern, 0xCC, sizeof(PsSuspendThread2_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 863 | 					if (NT_SUCCESS(status))
 864 | 						o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
 865 | 					if (!o_PsSuspendThread)
 866 | 					{
 867 | 						DbgPrint("[EAC_Bypass] o_PsSuspendThread not found.Retrying...");
 868 | 						status = SearchPattern(PsSuspendThread3_pattern, 0xCC, sizeof(PsSuspendThread3_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 869 | 						if (NT_SUCCESS(status))
 870 | 							o_PsSuspendThread = (p_PsSuspendThread)dereference((uintptr_t)pFound, 1);
 871 | 						if (!o_PsSuspendThread)
 872 | 						{
 873 | 							DbgPrint("[EAC_Bypass] o_PsSuspendThread not found.");
 874 | 							return Result;
 875 | 						}
 876 | 					}
 877 | 				}
 878 | 				pFound = 0;
 879 | 				status = SearchPattern(PsResumeThread_pattern, 0xCC, sizeof(PsResumeThread_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 880 | 				if (NT_SUCCESS(status))
 881 | 					o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
 882 | 				if (!o_PsResumeThread)
 883 | 				{
 884 | 					DbgPrint("[EAC_Bypass] o_PsResumeThread not found.Retrying...");
 885 | 					status = SearchPattern(PsResumeThread2_pattern, 0xCC, sizeof(PsResumeThread2_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 886 | 					if (NT_SUCCESS(status))
 887 | 						o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
 888 | 					if (!o_PsResumeThread)
 889 | 					{
 890 | 						DbgPrint("[EAC_Bypass] o_PsResumeThread not found.Retrying...");
 891 | 						status = SearchPattern(PsResumeThread3_pattern, 0xCC, sizeof(PsResumeThread3_pattern) - 1, (void*)((PUCHAR)(Base)+pSec->VirtualAddress), pSec->Misc.VirtualSize, &pFound);
 892 | 						if (NT_SUCCESS(status))
 893 | 							o_PsResumeThread = (p_PsResumeThread)dereference((uintptr_t)pFound, 1);
 894 | 						if (!o_PsResumeThread)
 895 | 						{
 896 | 							DbgPrint("[EAC_Bypass] o_PsResumeThread not found.");
 897 | 							return Result;
 898 | 						}
 899 | 					}
 900 | 				}
 901 | 			}
 902 | 		}
 903 | 		if (ImageCallBacks && ThreadCallBacks && o_PsSuspendThread && o_PsResumeThread)
 904 | 		{
 905 | 			DbgPrint("[EAC_Bypass] PsSuspendThread found at 0x%llX", o_PsSuspendThread);
 906 | 			DbgPrint("[EAC_Bypass] PsResumeThread found at 0x%llX", o_PsResumeThread);
 907 | 			DbgPrint("[EAC_Bypass] ImageCallBacks found at 0x%llX", ImageCallBacks);
 908 | 			DbgPrint("[EAC_Bypass] ThreadCallBacks found at 0x%llX", ThreadCallBacks);
 909 | 			DbgPrint("[EAC_Bypass] All Addresses found. Bypass is ready!");
 910 | 			Result = 1;
 911 | 		}
 912 | 	}
 913 | 
 914 | 	if (Result == 0)
 915 | 		return Result;
 916 | 
 917 | 	if (!NT_SUCCESS(PsSetLoadImageNotifyRoutine(ImageRoutine)) ||
 918 | 		!NT_SUCCESS(PsSetCreateProcessNotifyRoutine(ProcessRoutine, 0)))
 919 | 	{
 920 | 		VirtualizerStrEncryptStart();
 921 | 		DbgPrint("[EAC_Bypass] CallBack installation failed.");
 922 | 		VirtualizerStrEncryptEnd();
 923 | 		Result = 0;
 924 | 		return Result;
 925 | 	}
 926 | 	ProcessPreOperation = 0;
 927 | 	ProcessPostOperation = 0;
 928 | 	ThreadPreOperation = 0;
 929 | 	ThreadPostOperation = 0;
 930 | 	VirtualizerStrEncryptEnd();
 931 | 	VirtualizerEnd();
 932 | 	return Result;
 933 | }
 934 | 
 935 | BOOLEAN UninitBypass()
 936 | {
 937 | 	VirtualizerStart();
 938 | 	VirtualizerStrEncryptStart();
 939 | 	BOOLEAN Result = 1;
 940 | 	if (ProcessPreOperation || ProcessPostOperation || ThreadPreOperation || ThreadPostOperation)
 941 | 	{
 942 | 		if (!Remove_Bypass())
 943 | 		{
 944 | 			DbgPrint("[EAC_Bypass] WARNING : Failed to reset the callbacks");
 945 | 			Result = 0;
 946 | 		}
 947 | 	}
 948 | 	IsBypassEnabled = FALSE;
 949 | #if (RESTORE_ROUTINES == 1)
 950 | 	if (RestoreThreadCallBack() == FALSE)
 951 | 		DbgPrint("[EAC_Bypass] WARNING : RestoreImageCallBack failed.");
 952 | 	if (RestoreImageCallBack() == FALSE)
 953 | 		DbgPrint("[EAC_Bypass] WARNING : RestoreImageCallBack failed.");
 954 | #endif
 955 | 	if (FilterAddr)
 956 | 	{
 957 | 		if (!RestoreMiniFilter())
 958 | 		{
 959 | 			DbgPrint("[EAC_Bypass] Failed to restore the minifilter");
 960 | 			Result = 0;
 961 | 		}
 962 | 	}
 963 | 	if (!NT_SUCCESS(PsRemoveLoadImageNotifyRoutine(ImageRoutine)) ||
 964 | 		!NT_SUCCESS(PsSetCreateProcessNotifyRoutine(ProcessRoutine, 1)))
 965 | 	{
 966 | 		DbgPrint("[EAC_Bypass] Failed to remove the callbacks");
 967 | 		Result = 0;
 968 | 	}
 969 | 	VirtualizerStrEncryptEnd();
 970 | 	VirtualizerEnd();
 971 | 	return Result;
 972 | }
 973 | 
 974 | VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
 975 | {
 976 | 	UNREFERENCED_PARAMETER(DriverObject);
 977 | 	VirtualizerStart();
 978 | 	VirtualizerStrEncryptStart();
 979 | 
 980 | 	UNICODE_STRING symLink;
 981 | 	RtlInitUnicodeString(&symLink, dSymLinkBuffer);
 982 | 
 983 | 	if (!NT_SUCCESS(IoDeleteSymbolicLink(&symLink)))
 984 | 	{
 985 | 		DbgPrint("[EAC_Bypass] WARNING : IoDeleteSymbolicLink failed.");
 986 | 	}
 987 | 	if (pDeviceObject)
 988 | 		IoDeleteDevice(pDeviceObject);
 989 | 	if (!UninitBypass())
 990 | 		DbgPrint("[EAC_Bypass] WARNING : Failed to uninitialize the bypass.");
 991 | 	VirtualizerStrEncryptEnd();
 992 | 	VirtualizerEnd();
 993 | 
 994 | }
 995 | 
 996 | 
 997 | NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
 998 | {
 999 | 	UNREFERENCED_PARAMETER(RegistryPath);
1000 | 	VirtualizerStart();
1001 | 	VirtualizerStrEncryptStart();
1002 | 	NTSTATUS ntStatus = -1;
1003 | 	UNICODE_STRING deviceNameUnicodeString, deviceSymLinkUnicodeString;
1004 | 
1005 | 	RtlInitUnicodeString(&deviceNameUnicodeString, dNameBuffer);
1006 | 	RtlInitUnicodeString(&deviceSymLinkUnicodeString, dSymLinkBuffer);
1007 | 
1008 | 	DriverObject->DriverUnload = OnUnload;
1009 | 	DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceCreate;
1010 | 	DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceClose;
1011 | 	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIoHandler;
1012 | 
1013 | 	if (InitBypass() == 0)
1014 | 	{
1015 | 		DbgPrint("[EAC_Bypass] InitBypass failed.");
1016 | 		return ntStatus;
1017 | 	}
1018 | 
1019 | 	ntStatus = IoCreateDevice(DriverObject, 0, &deviceNameUnicodeString, FILE_DEVICE_UNKNOWN, FILE_DEVICE_UNKNOWN, FALSE, &pDeviceObject);
1020 | 	if (!NT_SUCCESS(ntStatus))
1021 | 	{
1022 | 		DbgPrint("[EAC_Bypass] IoCreateDevice failed.");
1023 | 		return ntStatus;
1024 | 	}
1025 | 	ntStatus = IoCreateSymbolicLink(&deviceSymLinkUnicodeString, &deviceNameUnicodeString);
1026 | 	if (!NT_SUCCESS(ntStatus))
1027 | 	{
1028 | 		DbgPrint("[EAC_Bypass] IoCreateSymbolicLink failed.");
1029 | 		return ntStatus;
1030 | 	}
1031 | 	//HideDriver(DriverObject);
1032 | 	VirtualizerStrEncryptEnd();
1033 | 	VirtualizerEnd();
1034 | 	return ntStatus;
1035 | }
1036 | 
1037 | NTSTATUS DeviceCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
1038 | {
1039 | 	UNREFERENCED_PARAMETER(DeviceObject);
1040 | 	UNREFERENCED_PARAMETER(Irp);
1041 | 	return STATUS_SUCCESS;
1042 | }
1043 | 
1044 | NTSTATUS DeviceClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
1045 | {
1046 | 	UNREFERENCED_PARAMETER(DeviceObject);
1047 | 	UNREFERENCED_PARAMETER(Irp);
1048 | 	return STATUS_SUCCESS;
1049 | }
1050 | 
1051 | NTSTATUS DeviceIoHandler(PDEVICE_OBJECT DeviceObject, PIRP IRP)
1052 | {
1053 | 	UNREFERENCED_PARAMETER(DeviceObject);
1054 | 	VirtualizerStart();
1055 | 	VirtualizerStrEncryptStart();
1056 | 	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(IRP);
1057 | 	IRP->IoStatus.Status = STATUS_SUCCESS;
1058 | 	if (stack)
1059 | 	{
1060 | 		if (stack->Parameters.DeviceIoControl.IoControlCode == ctl_protectprocess)
1061 | 		{
1062 | 			PHIDEPROC_STRUCT buffer = (PHIDEPROC_STRUCT)IRP->AssociatedIrp.SystemBuffer;
1063 | 			if (MmIsAddressValid(buffer))
1064 | 				ProcessIdToProtect = buffer->pId;
1065 | 			IRP->IoStatus.Information = sizeof(PHIDEPROC_STRUCT);
1066 | 		}
1067 | 
1068 | 		if (stack->Parameters.DeviceIoControl.IoControlCode == ctl_isenabled)
1069 | 		{
1070 | 			PIS_ENABLED_STRUCT buffer = (PIS_ENABLED_STRUCT)IRP->AssociatedIrp.SystemBuffer;
1071 | 			if (MmIsAddressValid(buffer))
1072 | 				buffer->IsEnabled = IsBypassEnabled;
1073 | 			IRP->IoStatus.Information = sizeof(PIS_ENABLED_STRUCT);
1074 | 		}
1075 | 		if (stack->Parameters.DeviceIoControl.IoControlCode == ctl_getprocid)
1076 | 		{
1077 | 			PGETPROC_STRUCT buffer = (PGETPROC_STRUCT)IRP->AssociatedIrp.SystemBuffer;
1078 | 			if (MmIsAddressValid(buffer))
1079 | 				buffer->pId = pGameId;
1080 | 			IRP->IoStatus.Information = sizeof(PGETPROC_STRUCT);
1081 | 		}
1082 | 	}
1083 | 
1084 | 	IoCompleteRequest(IRP, IO_NO_INCREMENT);
1085 | 	VirtualizerStrEncryptEnd();
1086 | 	VirtualizerEnd();
1087 | 	return IRP->IoStatus.Status;
1088 | }
1089 | 
1090 | #pragma region Utils
1091 | 
1092 | // Credits to DarthTon (BlackBone, Github)
1093 | NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound)
1094 | {
1095 | 	ASSERT(ppFound != NULL && pattern != NULL && base != NULL);
1096 | 	if (ppFound == NULL || pattern == NULL || base == NULL)
1097 | 		return STATUS_INVALID_PARAMETER;
1098 | 
1099 | 	for (ULONG_PTR i = 0; i < size - len; i++)
1100 | 	{
1101 | 		BOOLEAN found = TRUE;
1102 | 		for (ULONG_PTR j = 0; j < len; j++)
1103 | 		{
1104 | 			if (pattern[j] != wildcard && pattern[j] != ((PCUCHAR)base)[i + j])
1105 | 			{
1106 | 				found = FALSE;
1107 | 				break;
1108 | 			}
1109 | 		}
1110 | 		if (found != FALSE)
1111 | 		{
1112 | 			*ppFound = (PUCHAR)base + i;
1113 | 			return STATUS_SUCCESS;
1114 | 		}
1115 | 	}
1116 | 	return STATUS_NOT_FOUND;
1117 | }
1118 | 
1119 | 
1120 | 
1121 | PVOID GetKernelBase()
1122 | {
1123 | 	VirtualizerStart();
1124 | 	VirtualizerStrEncryptStart();
1125 | 	NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES;
1126 | 	PVOID Base = 0;
1127 | 	ULONG cb = 0x10000;
1128 | 	do
1129 | 	{
1130 | 		status = STATUS_INSUFFICIENT_RESOURCES;
1131 | 		PRTL_PROCESS_MODULES prpm = (PRTL_PROCESS_MODULES)ExAllocatePool(PagedPool, cb);
1132 | 		if (prpm)
1133 | 		{
1134 | 			if (0 <= (status == ZwQuerySystemInformation(0x0B, prpm, cb, &cb)))
1135 | 			{
1136 | 				ULONG NumberOfModules = prpm->NumberOfModules;
1137 | 				if (NumberOfModules)
1138 | 				{
1139 | 					PRTL_PROCESS_MODULE_INFORMATION Modules = prpm->Modules;
1140 | 					do
1141 | 					{
1142 | 						if ((ULONG64)Modules->ImageBase > (ULONG64)(0x8000000000000000))
1143 | 						{
1144 | 							Base = Modules->ImageBase;
1145 | 							break;
1146 | 						}
1147 | 					} while (Modules++, --NumberOfModules);
1148 | 				}
1149 | 			}
1150 | 			ExFreePool(prpm);
1151 | 		}
1152 | 
1153 | 	} while (status == STATUS_INFO_LENGTH_MISMATCH);
1154 | 	VirtualizerStrEncryptEnd();
1155 | 	VirtualizerEnd();
1156 | 	return Base;
1157 | }
1158 | 
1159 | BOOLEAN IsFromEACRange(PVOID Address)
1160 | {
1161 | 	if ((ULONG64)Address > (ULONG64)EAC_Base &&
1162 | 		(ULONG64)((ULONG64)EAC_Base + (ULONG64)EAC_Base_Size) > (ULONG64)Address)
1163 | 	{
1164 | 		return 1;
1165 | 	}
1166 | 	return 0;
1167 | }
1168 | 
1169 | BOOLEAN SuspendOrResumeAllThreads(BOOLEAN Suspend)
1170 | {
1171 | 	VirtualizerStart();
1172 | 	VirtualizerStrEncryptStart();
1173 | 	ULONG cb = 0x20000;
1174 | 	PSYSTEM_PROCESS_INFORMATION psi = 0;
1175 | 	PVOID buf = 0;
1176 | 	NTSTATUS status = 0, rc = 0;
1177 | 	PETHREAD peThread = 0;
1178 | 	do
1179 | 	{
1180 | 		status = STATUS_INSUFFICIENT_RESOURCES;
1181 | 
1182 | 		if (buf = ExAllocatePool(PagedPool, cb))
1183 | 		{
1184 | 			if (0 <= (status = ZwQuerySystemInformation(5, buf, cb, &cb)))
1185 | 			{
1186 | 				psi = (PSYSTEM_PROCESS_INFORMATION)buf;
1187 | 				while (psi->NextEntryOffset)
1188 | 				{
1189 | 					if (psi->UniqueProcessId == (HANDLE)4)
1190 | 					{
1191 | 						for (ULONG i = 0; i < psi->NumberOfThreads; i++)
1192 | 						{
1193 | 							if (MmIsAddressValid(psi->Threads[i].StartAddress) && IsFromEACRange(psi->Threads[i].StartAddress))
1194 | 							{
1195 | 								rc = PsLookupThreadByThreadId(psi->Threads[i].ClientId.UniqueThread, &peThread);
1196 | 								if (!NT_SUCCESS(rc))
1197 | 								{
1198 | 									DbgPrint("[EAC_Bypass] PsLookupThreadByThreadId failed in SuspendOrResumeAllThreads");
1199 | 									if (buf)
1200 | 										ExFreePool(buf);
1201 | 									return 0;
1202 | 								}
1203 | 								if (NT_SUCCESS(rc))
1204 | 								{
1205 | 									DbgPrint("[EAC_Bypass] Found EAC Thread %d !", psi->Threads[i].ClientId.UniqueThread);
1206 | 									if (peThread)
1207 | 									{
1208 | 										if (Suspend == TRUE)
1209 | 										{
1210 | 											if (!NT_SUCCESS(o_PsSuspendThread(peThread, 0)))
1211 | 												DbgPrint("[EAC_Bypass] o_PsSuspendThread failed.");
1212 | 										}
1213 | 										else
1214 | 											if (!NT_SUCCESS(o_PsResumeThread(peThread)))
1215 | 												DbgPrint("[EAC_Bypass] o_PsSuspendThread failed.");
1216 | 									}
1217 | 								}
1218 | 							}
1219 | 						}
1220 | 
1221 | 					}
1222 | 					psi = (PSYSTEM_PROCESS_INFORMATION)((ULONG64)(psi)+psi->NextEntryOffset);
1223 | 				}
1224 | 
1225 | 			}
1226 | 			if (buf)
1227 | 				ExFreePool(buf);
1228 | 		}
1229 | 
1230 | 	} while (status == STATUS_INFO_LENGTH_MISMATCH);
1231 | 	VirtualizerStrEncryptEnd();
1232 | 	VirtualizerEnd();
1233 | 	return (status == 0) ? 1 : 0;
1234 | }
1235 | 
1236 | // Credits to GayPig (Github), yes I am lazy
1237 | uintptr_t dereference(uintptr_t address, unsigned int offset)
1238 | {
1239 | 	if (address == 0)
1240 | 		return 0;
1241 | 
1242 | 	return address + (int)((*(int*)(address + offset) + offset) + sizeof(int));
1243 | }
1244 | 
1245 | #pragma endregion Utils
1246 | 


--------------------------------------------------------------------------------
/EAC_Bypass/Main.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once 
 2 | 
 3 | #include "ntos.hpp"
 4 | #include "ntstructs.hpp"
 5 | 
 6 | // Driver stuff
 7 | 
 8 | typedef struct HIDEPROC_STRUCT
 9 | {
10 | 	ULONG pId;
11 | }HIDEPROC_STRUCT, * PHIDEPROC_STRUCT;
12 | 
13 | typedef struct IS_ENABLED_STRUCT
14 | {
15 | 	BOOLEAN IsEnabled;
16 | }IS_ENABLED_STRUCT, * PIS_ENABLED_STRUCT;
17 | 
18 | typedef struct GETPROC_STRUCT
19 | {
20 | 	ULONG pId;
21 | }GETPROC_STRUCT, * PGETPROC_STRUCT;
22 | 
23 | #define ctl_protectprocess    CTL_CODE(FILE_DEVICE_UNKNOWN, 0xad138, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
24 | #define ctl_isenabled    CTL_CODE(FILE_DEVICE_UNKNOWN, 0xad136, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
25 | #define ctl_getprocid    CTL_CODE(FILE_DEVICE_UNKNOWN, 0xad139, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
26 | 
27 | const WCHAR dNameBuffer[] = L"\\Device\\EAC_Bypass";
28 | const WCHAR dSymLinkBuffer[] = L"\\DosDevices\\EAC_Bypass";
29 | ULONG ProcessIdToProtect = 0;
30 | BOOLEAN IsBypassEnabled = 0;
31 | PDEVICE_OBJECT pDeviceObject = 0;
32 | NTSTATUS DeviceIoHandler(PDEVICE_OBJECT devicDriverObjecte_obj, PIRP IRP);
33 | NTSTATUS DeviceCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp);
34 | NTSTATUS DeviceClose(PDEVICE_OBJECT DeviceObject, PIRP Irp);
35 | 
36 | // Callbacks
37 | PVOID* ThreadCallBacks = 0, *ImageCallBacks = 0;
38 | 
39 | // Backups
40 | PVOID ProcessPostOperation = 0, ProcessPreOperation = 0, ThreadPostOperation = 0, ThreadPreOperation = 0, FilterAddr = 0;
41 | PVOID EAC_ThreadRoutine = 0, EAC_ImageRoutine = 0;
42 | 
43 | // EAC information
44 | PVOID EAC_Base = 0;
45 | ULONG64 EAC_Base_Size = 0;
46 | 
47 | // Filter information
48 | HANDLE pParentId = 0, pGameId = 0;
49 | LONG lOperationsOffset = 0;
50 | 
51 | typedef NTSTATUS(NTAPI* p_PsSuspendThread)(IN PETHREAD Thread, OUT PULONG PreviousCount OPTIONAL);
52 | p_PsSuspendThread o_PsSuspendThread = 0;
53 | 
54 | typedef NTSTATUS(NTAPI* p_PsResumeThread)(IN PETHREAD Thread);
55 | p_PsResumeThread o_PsResumeThread = 0;
56 | 
57 | // Bypass functions
58 | BOOLEAN RestoreImageCallBack();
59 | BOOLEAN RestoreThreadCallBack();
60 | 
61 | // Routines
62 | VOID ImageRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO Info);
63 | VOID ProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
64 | 
65 | 
66 | // Utils
67 | NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound);
68 | PVOID GetKernelBase();
69 | BOOLEAN IsFromEACRange(PVOID Address);
70 | BOOLEAN SuspendOrResumeAllThreads(BOOLEAN Suspend);
71 | uintptr_t dereference(uintptr_t address, unsigned int offset);
72 | VOID HideDriver(PDRIVER_OBJECT pDriverObject);
73 | 
74 | 


--------------------------------------------------------------------------------
/EAC_Bypass/Options.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | 
 4 | #define REMOVE_IMAGEROUTINE 1
 5 | #define REMOVE_THREADROUTINE 1
 6 | #define REMOVE_PROCESSCALLBACKS 1
 7 | #define REMOVE_THREADCALLBACKS 1
 8 | #define REMOVE_FILTER 0
 9 | #define SUSPEND_EAC 1
10 | #define PROTECT_PROCESS 1
11 | #define RESTORE_ROUTINES 1
12 | #define USE_VM 0
13 | 
14 | #if(USE_VM == 1)
15 | #include "VL\VirtualizerSDK.h"
16 | #else
17 | #define VM_TIGER_WHITE_START
18 | #define VM_TIGER_WHITE_END
19 | #define VM_TIGER_WHITE_START
20 | #define VM_TIGER_WHITE_END
21 | #define VM_EAGLE_BLACK_START
22 | #define VM_EAGLE_BLACK_END
23 | #define VIRTUALIZER_TIGER_WHITE_START 
24 | #define VIRTUALIZER_TIGER_WHITE_END 
25 | static void VirtualizerStart() {}
26 | static void VirtualizerEnd() {}
27 | static void VirtualizerStrEncryptStart() {}
28 | static void VirtualizerStrEncryptEnd() {}
29 | #endif


--------------------------------------------------------------------------------
/EAC_Bypass/common.h:
--------------------------------------------------------------------------------
  1 | #pragma once 
  2 | 
  3 | #include "ntos.h"
  4 | 
  5 | typedef struct _OPERATION_INFO_ENTRY
  6 | {
  7 | 	LIST_ENTRY    ListEntry;
  8 | 	OB_OPERATION  Operation;
  9 | 	ULONG         Flags;
 10 | 	PVOID         Object;
 11 | 	POBJECT_TYPE  ObjectType;
 12 | 	ACCESS_MASK   AccessMask;
 13 | } OPERATION_INFO_ENTRY, * POPERATION_INFO_ENTRY;
 14 | 
 15 | 
 16 | typedef struct _THREAD_BASIC_INFORMATION
 17 | {
 18 | 	NTSTATUS                ExitStatus;
 19 | 	PVOID                   TebBaseAddress;
 20 | 	CLIENT_ID               ClientId;
 21 | 	KAFFINITY               AffinityMask;
 22 | 	KPRIORITY               Priority;
 23 | 	KPRIORITY               BasePriority;
 24 | } THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION;
 25 | 
 26 | 
 27 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
 28 | {
 29 | 	HANDLE Section;
 30 | 	PVOID MappedBase;
 31 | 	PVOID ImageBase;
 32 | 	ULONG ImageSize;
 33 | 	ULONG Flags;
 34 | 	USHORT LoadOrderIndex;
 35 | 	USHORT InitOrderIndex;
 36 | 	USHORT LoadCount;
 37 | 	USHORT OffsetToFileName;
 38 | 	UCHAR FullPathName[256];
 39 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
 40 | 
 41 | typedef struct _SYSTEM_THREAD {
 42 | 	LARGE_INTEGER           KernelTime;
 43 | 	LARGE_INTEGER           UserTime;
 44 | 	LARGE_INTEGER           CreateTime;
 45 | 	ULONG                   WaitTime;
 46 | 	PVOID                   StartAddress;
 47 | 	CLIENT_ID               ClientId;
 48 | 	KPRIORITY               Priority;
 49 | 	LONG                    BasePriority;
 50 | 	ULONG                   ContextSwitchCount;
 51 | 	ULONG                   State;
 52 | 	KWAIT_REASON            WaitReason;
 53 | } SYSTEM_THREAD, * PSYSTEM_THREAD;
 54 | 
 55 | typedef struct _SYSTEM_THREAD_INFORMATION
 56 | {
 57 | 	LARGE_INTEGER KernelTime;
 58 | 	LARGE_INTEGER UserTime;
 59 | 	LARGE_INTEGER CreateTime;
 60 | 	ULONG WaitTime;
 61 | 	PVOID StartAddress;
 62 | 	CLIENT_ID ClientId;
 63 | 	KPRIORITY Priority;
 64 | 	LONG BasePriority;
 65 | 	ULONG ContextSwitches;
 66 | 	ULONG ThreadState;
 67 | 	KWAIT_REASON WaitReason;
 68 | } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
 69 | 
 70 | typedef struct _SYSTEM_PROCESS_INFORMATION
 71 | {
 72 | 	ULONG NextEntryOffset;
 73 | 	ULONG NumberOfThreads;
 74 | 	LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
 75 | 	ULONG HardFaultCount; // since WIN7
 76 | 	ULONG NumberOfThreadsHighWatermark; // since WIN7
 77 | 	ULONGLONG CycleTime; // since WIN7
 78 | 	LARGE_INTEGER CreateTime;
 79 | 	LARGE_INTEGER UserTime;
 80 | 	LARGE_INTEGER KernelTime;
 81 | 	UNICODE_STRING ImageName;
 82 | 	KPRIORITY BasePriority;
 83 | 	HANDLE UniqueProcessId;
 84 | 	HANDLE InheritedFromUniqueProcessId;
 85 | 	ULONG HandleCount;
 86 | 	ULONG SessionId;
 87 | 	ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
 88 | 	SIZE_T PeakVirtualSize;
 89 | 	SIZE_T VirtualSize;
 90 | 	ULONG PageFaultCount;
 91 | 	SIZE_T PeakWorkingSetSize;
 92 | 	SIZE_T WorkingSetSize;
 93 | 	SIZE_T QuotaPeakPagedPoolUsage;
 94 | 	SIZE_T QuotaPagedPoolUsage;
 95 | 	SIZE_T QuotaPeakNonPagedPoolUsage;
 96 | 	SIZE_T QuotaNonPagedPoolUsage;
 97 | 	SIZE_T PagefileUsage;
 98 | 	SIZE_T PeakPagefileUsage;
 99 | 	SIZE_T PrivatePageCount;
100 | 	LARGE_INTEGER ReadOperationCount;
101 | 	LARGE_INTEGER WriteOperationCount;
102 | 	LARGE_INTEGER OtherOperationCount;
103 | 	LARGE_INTEGER ReadTransferCount;
104 | 	LARGE_INTEGER WriteTransferCount;
105 | 	LARGE_INTEGER OtherTransferCount;
106 | 	SYSTEM_THREAD_INFORMATION Threads[1];
107 | } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
108 | 
109 | typedef struct _RTL_PROCESS_MODULES
110 | {
111 | 	ULONG NumberOfModules;
112 | 	RTL_PROCESS_MODULE_INFORMATION Modules[ANYSIZE_ARRAY];
113 | }RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
114 | 
115 | typedef struct _IMAGE_SECTION_HEADER {
116 | 	char  Name[8];
117 | 	union {
118 | 		ULONG PhysicalAddress;
119 | 		ULONG VirtualSize;
120 | 	} Misc;
121 | 	ULONG VirtualAddress;
122 | 	ULONG SizeOfRawData;
123 | 	ULONG PointerToRawData;
124 | 	ULONG PointerToRelocations;
125 | 	ULONG PointerToLinenumbers;
126 | 	WORD  NumberOfRelocations;
127 | 	WORD  NumberOfLinenumbers;
128 | 	ULONG Characteristics;
129 | } IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;
130 | 
131 | typedef struct _IMAGE_FILE_HEADER {
132 | 	WORD  Machine;
133 | 	WORD  NumberOfSections;
134 | 	ULONG TimeDateStamp;
135 | 	ULONG PointerToSymbolTable;
136 | 	ULONG NumberOfSymbols;
137 | 	WORD  SizeOfOptionalHeader;
138 | 	WORD  Characteristics;
139 | } IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
140 | 
141 | typedef struct _IMAGE_DATA_DIRECTORY {
142 | 	ULONG VirtualAddress;
143 | 	ULONG Size;
144 | } IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
145 | 
146 | typedef struct _IMAGE_OPTIONAL_HEADER64 {
147 | 	WORD        Magic;
148 | 	char        MajorLinkerVersion;
149 | 	char        MinorLinkerVersion;
150 | 	ULONG       SizeOfCode;
151 | 	ULONG       SizeOfInitializedData;
152 | 	ULONG       SizeOfUninitializedData;
153 | 	ULONG       AddressOfEntryPoint;
154 | 	ULONG       BaseOfCode;
155 | 	ULONGLONG   ImageBase;
156 | 	ULONG       SectionAlignment;
157 | 	ULONG       FileAlignment;
158 | 	WORD        MajorOperatingSystemVersion;
159 | 	WORD        MinorOperatingSystemVersion;
160 | 	WORD        MajorImageVersion;
161 | 	WORD        MinorImageVersion;
162 | 	WORD        MajorSubsystemVersion;
163 | 	WORD        MinorSubsystemVersion;
164 | 	ULONG       Win32VersionValue;
165 | 	ULONG       SizeOfImage;
166 | 	ULONG       SizeOfHeaders;
167 | 	ULONG       CheckSum;
168 | 	WORD        Subsystem;
169 | 	WORD        DllCharacteristics;
170 | 	ULONGLONG   SizeOfStackReserve;
171 | 	ULONGLONG   SizeOfStackCommit;
172 | 	ULONGLONG   SizeOfHeapReserve;
173 | 	ULONGLONG   SizeOfHeapCommit;
174 | 	ULONG       LoaderFlags;
175 | 	ULONG       NumberOfRvaAndSizes;
176 | 	IMAGE_DATA_DIRECTORY DataDirectory[16];
177 | } IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
178 | 
179 | typedef struct _IMAGE_NT_HEADERS64 {
180 | 	ULONG                   Signature;
181 | 	IMAGE_FILE_HEADER       FileHeader;
182 | 	IMAGE_OPTIONAL_HEADER64 OptionalHeader;
183 | } IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
184 | 
185 | 
186 | typedef struct _OBJECT_TYPE_INITIALIZER
187 | {
188 | 	SHORT Length;
189 | 	UCHAR ObjectTypeFlags;
190 | 	ULONG CaseInsensitive : 1;
191 | 	ULONG UnnamedObjectsOnly : 1;
192 | 	ULONG UseDefaultObject : 1;
193 | 	ULONG SecurityRequired : 1;
194 | 	ULONG MaintainHandleCount : 1;
195 | 	ULONG MaintainTypeList : 1;
196 | 	ULONG ObjectTypeCode;
197 | 	ULONG InvalidAttributes;
198 | 	GENERIC_MAPPING GenericMapping;
199 | 	ULONG ValidAccessMask;
200 | 	POOL_TYPE PoolType;
201 | 	ULONG DefaultPagedPoolCharge;
202 | 	ULONG DefaultNonPagedPoolCharge;
203 | 	PVOID DumpProcedure;
204 | 	LONG* OpenProcedure;
205 | 	PVOID CloseProcedure;
206 | 	PVOID DeleteProcedure;
207 | 	LONG* ParseProcedure;
208 | 	LONG* SecurityProcedure;
209 | 	LONG* QueryNameProcedure;
210 | 	UCHAR* OkayToCloseProcedure;
211 | } OBJECT_TYPE_INITIALIZER, * POBJECT_TYPE_INITIALIZER;
212 | 
213 | typedef struct _CALLBACK_ENTRY {
214 | 	UINT16 Version; 
215 | 	UINT16 OperationRegistrationCount; 
216 | 	UINT32 unk1; 
217 | 	PVOID RegistrationContext; 
218 | 	UNICODE_STRING Altitude; 
219 | } CALLBACK_ENTRY, * PCALLBACK_ENTRY;
220 | 
221 | typedef struct _CALLBACK_ENTRY_ITEM {
222 | 	LIST_ENTRY EntryItemList;
223 | 	OB_OPERATION Operations;
224 | 	CALLBACK_ENTRY* CallbackEntry; 
225 | 	POBJECT_TYPE ObjectType;
226 | 	POB_PRE_OPERATION_CALLBACK PreOperation;
227 | 	POB_POST_OPERATION_CALLBACK PostOperation;
228 | 	__int64 unk;
229 | }CALLBACK_ENTRY_ITEM, * PCALLBACK_ENTRY_ITEM;
230 | 
231 | typedef struct _OBJECT_TYPE {
232 | 	LIST_ENTRY TypeList;
233 | 	UNICODE_STRING Name;
234 | 	VOID* DefaultObject;
235 | 	UCHAR Index;
236 | 	unsigned __int32 TotalNumberOfObjects;
237 | 	unsigned __int32 TotalNumberOfHandles;
238 | 	unsigned __int32 HighWaterNumberOfObjects;
239 | 	unsigned __int32 HighWaterNumberOfHandles;
240 | 	OBJECT_TYPE_INITIALIZER TypeInfo;
241 | 	EX_PUSH_LOCK TypeLock;
242 | 	unsigned __int32 Key;
243 | 	LIST_ENTRY CallbackList; 
244 | }OBJECT_TYPE, * POBJECT_TYPE;
245 | 
246 | 
247 | // Callbacks
248 | PVOID *ThreadCallBacks = 0, *ImageCallBacks = 0;
249 | // Backups
250 | PVOID ProcessPostOperation = 0, ProcessPreOperation = 0, ThreadPostOperation = 0, ThreadPreOperation = 0;
251 | PVOID EAC_ThreadRoutine = 0, EAC_ImageRoutine = 0;
252 | 
253 | // EAC Information
254 | PVOID EAC_Base = 0;
255 | ULONG64 EAC_Base_Size = 0;
256 | // Filter information
257 | HANDLE pParentId = 0, pGameId = 0;
258 | 
259 | typedef NTSTATUS(NTAPI* p_PsSuspendThread)(IN PETHREAD Thread, OUT PULONG PreviousCount OPTIONAL);
260 | p_PsSuspendThread o_PsSuspendThread = 0;
261 | 
262 | typedef NTSTATUS(NTAPI* p_PsResumeThread)(IN PETHREAD Thread);
263 | p_PsResumeThread o_PsResumeThread = 0;
264 | 
265 | VOID FuckThreadCallBack();
266 | VOID FuckImageCallBack();
267 | VOID Do_Bypass();
268 | VOID Remove_Bypass();
269 | VOID ImageRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO Info);
270 | VOID ProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
271 | 
272 | 
273 | NTSTATUS SearchPattern(IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID* base, IN ULONG_PTR size, OUT PVOID* ppFound);
274 | PVOID GetKernelBase();
275 | BOOLEAN IsFromEACRange(PVOID Address);
276 | BOOLEAN SuspendOrResumeAllThreads(BOOLEAN Suspend);
277 | uintptr_t dereference(uintptr_t address, unsigned int offset);
278 | 


--------------------------------------------------------------------------------
/EAC_Bypass/ntos.h:
--------------------------------------------------------------------------------
   1 | #pragma once 
   2 | 
   3 | #include <ntdef.h>
   4 | #include <ntifs.h>
   5 | #include <ntddk.h>
   6 | 
   7 | 
   8 | typedef unsigned long long QWORD;
   9 | 
  10 | NTKERNELAPI
  11 | NTSTATUS
  12 | PsCreateSystemProcess(
  13 | 	OUT PHANDLE ProcessHandle,
  14 | 	IN ULONG DesiredAccess,
  15 | 	IN POBJECT_ATTRIBUTES ObjectAttributes
  16 | );
  17 | 
  18 | typedef unsigned short WORD;
  19 | 
  20 | 
  21 | typedef
  22 | VOID
  23 | (*PCREATE_THREAD_NOTIFY_ROUTINE)(
  24 | 	IN HANDLE ProcessId,
  25 | 	IN HANDLE ThreadId,
  26 | 	IN BOOLEAN Create
  27 | 	);
  28 | 
  29 | 
  30 | 
  31 | 
  32 | typedef
  33 | VOID
  34 | (*PLOAD_IMAGE_NOTIFY_ROUTINE)(
  35 | 	IN PUNICODE_STRING FullImageName,
  36 | 	IN HANDLE ProcessId,                // pid into which image is being mapped 
  37 | 	IN PIMAGE_INFO ImageInfo
  38 | 	);
  39 | 
  40 | 
  41 | NTKERNELAPI
  42 | NTSTATUS
  43 | PsRemoveCreateThreadNotifyRoutine(
  44 | 	IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
  45 | );
  46 | 
  47 | NTSYSAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(IN PVOID ModuleAddress);
  48 | 
  49 | NTKERNELAPI
  50 | NTSTATUS
  51 | PsRemoveLoadImageNotifyRoutine(
  52 | 	IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
  53 | );
  54 | 
  55 | NTKERNELAPI
  56 | BOOLEAN
  57 | PsIsThreadTerminating(
  58 | 	IN PETHREAD Thread
  59 | );
  60 | 
  61 | /*
  62 | typedef struct _CLIENT_ID {
  63 | HANDLE UniqueProcess;
  64 | HANDLE UniqueThread;
  65 | } CLIENT_ID;
  66 | typedef CLIENT_ID *PCLIENT_ID;
  67 | */
  68 | 
  69 | NTKERNELAPI
  70 | NTSTATUS
  71 | PsLookupProcessThreadByCid(
  72 | 	IN PCLIENT_ID Cid,
  73 | 	OUT PEPROCESS* Process,
  74 | 	OUT PETHREAD* Thread
  75 | );
  76 | 
  77 | // begin_ntosp 
  78 | 
  79 | NTKERNELAPI
  80 | NTSTATUS
  81 | PsLookupProcessByProcessId(
  82 | 	IN HANDLE ProcessId,
  83 | 	OUT PEPROCESS* Process
  84 | );
  85 | 
  86 | NTKERNELAPI
  87 | NTSTATUS
  88 | PsLookupThreadByThreadId(
  89 | 	IN HANDLE ThreadId,
  90 | 	OUT PETHREAD* Thread
  91 | );
  92 | NTKERNELAPI
  93 | PVOID
  94 | PsGetCurrentThreadStackLimit(
  95 | 	VOID
  96 | );
  97 | 
  98 | NTKERNELAPI
  99 | PVOID
 100 | PsGetCurrentThreadStackBase(
 101 | 	VOID
 102 | );
 103 | 
 104 | NTKERNELAPI
 105 | PVOID
 106 | PsGetProcessDebugPort(
 107 | 	IN PEPROCESS Process
 108 | );
 109 | 
 110 | NTKERNELAPI
 111 | BOOLEAN
 112 | PsIsProcessBeingDebugged(
 113 | 	IN PEPROCESS Process
 114 | );
 115 | 
 116 | NTKERNELAPI
 117 | HANDLE
 118 | PsGetProcessId(
 119 | 	IN PEPROCESS Process
 120 | );
 121 | 
 122 | NTKERNELAPI
 123 | HANDLE
 124 | PsGetProcessInheritedFromUniqueProcessId(
 125 | 	IN PEPROCESS Process
 126 | );
 127 | 
 128 | NTKERNELAPI
 129 | PPEB
 130 | PsGetProcessPeb(
 131 | 	IN PEPROCESS Process
 132 | );
 133 | 
 134 | NTKERNELAPI
 135 | PVOID
 136 | PsGetThreadTeb(
 137 | 	IN PETHREAD Thread
 138 | );
 139 | 
 140 | NTKERNELAPI                         //ntifs 
 141 | BOOLEAN                             //ntifs 
 142 | PsIsSystemThread(                   //ntifs 
 143 | 	IN PETHREAD Thread                 //ntifs 
 144 | );                              //ntifs 
 145 | 
 146 | NTKERNELAPI
 147 | NTSTATUS
 148 | PsSetProcessWin32Process(
 149 | 	IN PEPROCESS Process,
 150 | 	IN PVOID Win32Process,
 151 | 	IN PVOID PrevWin32Process
 152 | );
 153 | 
 154 | NTKERNELAPI
 155 | VOID
 156 | PsSetProcessWindowStation(
 157 | 	OUT PEPROCESS Process,
 158 | 	IN HANDLE Win32WindowStation
 159 | );
 160 | 
 161 | NTKERNELAPI
 162 | VOID
 163 | PsSetThreadWin32Thread(
 164 | 	IN OUT PETHREAD Thread,
 165 | 	IN PVOID Win32Thread,
 166 | 	IN PVOID PrevWin32Thread
 167 | );
 168 | 
 169 | 
 170 | 
 171 | // Processor modes. 
 172 | // 
 173 | /*
 174 | typedef CCHAR KPROCESSOR_MODE;
 175 | typedef enum _MODE {
 176 | KernelMode,
 177 | UserMode,
 178 | MaximumMode
 179 | } MODE;
 180 | #define OBJECT_LOCK_COUNT 4
 181 | // Object Manager types
 182 | //
 183 | typedef struct _OBJECT_HANDLE_INFORMATION {
 184 | ULONG HandleAttributes;
 185 | ACCESS_MASK GrantedAccess;
 186 | } OBJECT_HANDLE_INFORMATION, *POBJECT_HANDLE_INFORMATION;
 187 | // end_ntddk end_wdm end_nthal end_ntifs
 188 | typedef struct _OBJECT_DUMP_CONTROL {
 189 | PVOID Stream;
 190 | ULONG Detail;
 191 | } OB_DUMP_CONTROL, *POB_DUMP_CONTROL;
 192 | typedef VOID (*OB_DUMP_METHOD)(
 193 | IN PVOID Object,
 194 | IN POB_DUMP_CONTROL Control OPTIONAL
 195 | );
 196 | typedef enum _OB_OPEN_REASON {
 197 | ObCreateHandle,
 198 | ObOpenHandle,
 199 | ObDuplicateHandle,
 200 | ObInheritHandle,
 201 | ObMaxOpenReason
 202 | } OB_OPEN_REASON;
 203 | typedef NTSTATUS (*OB_OPEN_METHOD)(
 204 | IN OB_OPEN_REASON OpenReason,
 205 | IN PEPROCESS Process OPTIONAL,
 206 | IN PVOID Object,
 207 | IN ACCESS_MASK GrantedAccess,
 208 | IN ULONG HandleCount
 209 | );
 210 | typedef BOOLEAN (*OB_OKAYTOCLOSE_METHOD)(
 211 | IN PEPROCESS Process OPTIONAL,
 212 | IN PVOID Object,
 213 | IN HANDLE Handle,
 214 | IN KPROCESSOR_MODE PreviousMode
 215 | );
 216 | typedef VOID (*OB_CLOSE_METHOD)(
 217 | IN PEPROCESS Process OPTIONAL,
 218 | IN PVOID Object,
 219 | IN ACCESS_MASK GrantedAccess,
 220 | IN ULONG_PTR ProcessHandleCount,
 221 | IN ULONG_PTR SystemHandleCount
 222 | );
 223 | typedef VOID (*OB_DELETE_METHOD)(
 224 | IN  PVOID   Object
 225 | );
 226 | typedef NTSTATUS (*OB_PARSE_METHOD)(
 227 | IN PVOID ParseObject,
 228 | IN PVOID ObjectType,
 229 | IN OUT PACCESS_STATE AccessState,
 230 | IN KPROCESSOR_MODE AccessMode,
 231 | IN ULONG Attributes,
 232 | IN OUT PUNICODE_STRING CompleteName,
 233 | IN OUT PUNICODE_STRING RemainingName,
 234 | IN OUT PVOID Context OPTIONAL,
 235 | IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
 236 | OUT PVOID *Object
 237 | );
 238 | typedef NTSTATUS (*OB_SECURITY_METHOD)(
 239 | IN PVOID Object,
 240 | IN SECURITY_OPERATION_CODE OperationCode,
 241 | IN PSECURITY_INFORMATION SecurityInformation,
 242 | IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
 243 | IN OUT PULONG CapturedLength,
 244 | IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
 245 | IN POOL_TYPE PoolType,
 246 | IN PGENERIC_MAPPING GenericMapping
 247 | );
 248 | typedef NTSTATUS (*OB_QUERYNAME_METHOD)(
 249 | IN PVOID Object,
 250 | IN BOOLEAN HasObjectName,
 251 | OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
 252 | IN ULONG Length,
 253 | OUT PULONG ReturnLength,
 254 | IN KPROCESSOR_MODE Mode
 255 | );
 256 | typedef struct _OBJECT_TYPE_INITIALIZER {
 257 | USHORT Length;
 258 | BOOLEAN UseDefaultObject;
 259 | BOOLEAN CaseInsensitive;
 260 | ULONG InvalidAttributes;
 261 | GENERIC_MAPPING GenericMapping;
 262 | ULONG ValidAccessMask;
 263 | BOOLEAN SecurityRequired;
 264 | BOOLEAN MaintainHandleCount;
 265 | BOOLEAN MaintainTypeList;
 266 | POOL_TYPE PoolType;
 267 | ULONG DefaultPagedPoolCharge;
 268 | ULONG DefaultNonPagedPoolCharge;
 269 | OB_DUMP_METHOD DumpProcedure;
 270 | OB_OPEN_METHOD OpenProcedure;
 271 | OB_CLOSE_METHOD CloseProcedure;
 272 | OB_DELETE_METHOD DeleteProcedure;
 273 | OB_PARSE_METHOD ParseProcedure;
 274 | OB_SECURITY_METHOD SecurityProcedure;
 275 | OB_QUERYNAME_METHOD QueryNameProcedure;
 276 | OB_OKAYTOCLOSE_METHOD OkayToCloseProcedure;
 277 | } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
 278 | typedef struct _OBJECT_TYPE {
 279 | ERESOURCE Mutex;
 280 | LIST_ENTRY TypeList;
 281 | UNICODE_STRING Name;            // Copy from object header for convenience
 282 | PVOID DefaultObject;
 283 | ULONG Index;
 284 | ULONG TotalNumberOfObjects;
 285 | ULONG TotalNumberOfHandles;
 286 | ULONG HighWaterNumberOfObjects;
 287 | ULONG HighWaterNumberOfHandles;
 288 | OBJECT_TYPE_INITIALIZER TypeInfo;
 289 | #ifdef POOL_TAGGING
 290 | ULONG Key;
 291 | #endif //POOL_TAGGING
 292 | ERESOURCE ObjectLocks[ OBJECT_LOCK_COUNT ];
 293 | } OBJECT_TYPE, *POBJECT_TYPE;
 294 | NTKERNELAPI
 295 | NTSTATUS
 296 | ObCreateObject(
 297 | IN KPROCESSOR_MODE ProbeMode,
 298 | IN POBJECT_TYPE ObjectType,
 299 | IN POBJECT_ATTRIBUTES ObjectAttributes,
 300 | IN KPROCESSOR_MODE OwnershipMode,
 301 | INout_opt PVOID ParseContext,
 302 | IN ULONG ObjectBodySize,
 303 | IN ULONG PagedPoolCharge,
 304 | IN ULONG NonPagedPoolCharge,
 305 | OUT PVOID *Object
 306 | );
 307 | NTKERNELAPI
 308 | NTSTATUS
 309 | ObInsertObject(
 310 | IN PVOID Object,
 311 | IN PACCESS_STATE PassedAccessState,
 312 | IN ACCESS_MASK DesiredAccess,
 313 | IN ULONG ObjectPointerBias,
 314 | OUT_opt PVOID *NewObject,
 315 | OUT_opt PHANDLE Handle
 316 | );
 317 | NTKERNELAPI
 318 | NTSTATUS
 319 | ObOpenObjectByName(
 320 | IN POBJECT_ATTRIBUTES ObjectAttributes,
 321 | IN POBJECT_TYPE ObjectType,
 322 | IN KPROCESSOR_MODE AccessMode,
 323 | INout_opt PACCESS_STATE AccessState,
 324 | IN ACCESS_MASK DesiredAccess,
 325 | INout_opt PVOID ParseContext,
 326 | OUT PHANDLE Handle
 327 | );
 328 | NTKERNELAPI                                                     // ntifs
 329 | NTSTATUS                                                        // ntifs
 330 | ObOpenObjectByPointer(                                          // ntifs
 331 | IN PVOID Object,                                            // ntifs
 332 | IN ULONG HandleAttributes,                                  // ntifs
 333 | IN PACCESS_STATE PassedAccessState,                // ntifs
 334 | IN ACCESS_MASK DesiredAccess,                      // ntifs
 335 | IN POBJECT_TYPE ObjectType,                        // ntifs
 336 | IN KPROCESSOR_MODE AccessMode,                              // ntifs
 337 | OUT PHANDLE Handle                                          // ntifs
 338 | );                                                          // ntifs
 339 | NTKERNELAPI
 340 | NTSTATUS
 341 | ObReferenceObjectByName(
 342 | IN PUNICODE_STRING ObjectName,
 343 | IN ULONG Attributes,
 344 | IN PACCESS_STATE AccessState,
 345 | IN ACCESS_MASK DesiredAccess,
 346 | IN POBJECT_TYPE ObjectType,
 347 | IN KPROCESSOR_MODE AccessMode,
 348 | INout_opt PVOID ParseContext,
 349 | OUT PVOID *Object
 350 | );
 351 | NTKERNELAPI
 352 | BOOLEAN
 353 | ObFindHandleForObject(
 354 | IN PEPROCESS Process,
 355 | IN PVOID Object,
 356 | IN POBJECT_TYPE ObjectType,
 357 | IN POBJECT_HANDLE_INFORMATION MatchCriteria,
 358 | OUT PHANDLE Handle
 359 | );
 360 | // begin_ntifs begin_ntosp
 361 | NTKERNELAPI
 362 | NTSTATUS
 363 | ObQueryNameString(
 364 | IN PVOID Object,
 365 | OUT_bcount(Length) POBJECT_NAME_INFORMATION ObjectNameInfo,
 366 | IN ULONG Length,
 367 | OUT PULONG ReturnLength
 368 | );
 369 | NTKERNELAPI
 370 | NTSTATUS
 371 | ObSetHandleAttributes (
 372 | IN HANDLE Handle,
 373 | IN POBJECT_HANDLE_FLAG_INFORMATION HandleFlags,
 374 | IN KPROCESSOR_MODE PreviousMode
 375 | );
 376 | NTKERNELAPI
 377 | NTSTATUS
 378 | ObCloseHandle (
 379 | IN HANDLE Handle,
 380 | IN KPROCESSOR_MODE PreviousMode
 381 | );
 382 | */
 383 | ////////////////////////////////////////////////////////////////////////// 
 384 | //Nt?|????��??????��??????��?|D 
 385 | 
 386 | //typedef struct _KPROCESS *PKPROCESS, *PRKPROCESS, *PEPROCESS;
 387 | 
 388 | // begin_ntddk begin_ntifs 
 389 | NTSYSCALLAPI
 390 | NTSTATUS
 391 | NTAPI
 392 | NtOpenProcess(
 393 | 	OUT PHANDLE ProcessHandle,
 394 | 	IN ACCESS_MASK DesiredAccess,
 395 | 	IN POBJECT_ATTRIBUTES ObjectAttributes,
 396 | 	IN PCLIENT_ID ClientId
 397 | );
 398 | // end_ntddk end_ntifs 
 399 | 
 400 | // begin_ntddk begin_ntifs 
 401 | /*
 402 | typedef enum _PROCESSINFOCLASS {
 403 | ProcessBasicInformation,
 404 | ProcessQuotaLimits,
 405 | ProcessIoCounters,
 406 | ProcessVmCounters,
 407 | ProcessTimes,
 408 | ProcessBasePriority,
 409 | ProcessRaisePriority,
 410 | ProcessDebugPort,
 411 | ProcessExceptionPort,
 412 | ProcessAccessToken,
 413 | ProcessLdtInformation,
 414 | ProcessLdtSize,
 415 | ProcessDefaultHardErrorMode,
 416 | ProcessIoPortHandlers,          // Note: this is kernel mode only
 417 | ProcessPooledUsageAndLimits,
 418 | ProcessWorkingSetWatch,
 419 | ProcessUserModeIOPL,
 420 | ProcessEnableAlignmentFaultFixup,
 421 | ProcessPriorityClass,
 422 | ProcessWx86Information,
 423 | ProcessHandleCount,
 424 | ProcessAffinityMask,
 425 | ProcessPriorityBoost,
 426 | ProcessDeviceMap,
 427 | ProcessSessionInformation,
 428 | ProcessForegroundInformation,
 429 | ProcessWow64Information,
 430 | ProcessImageFileName,
 431 | ProcessLUIDDeviceMapsEnabled,
 432 | ProcessBreakOnTermination,
 433 | ProcessDebugObjectHandle,
 434 | ProcessDebugFlags,
 435 | ProcessHandleTracing,
 436 | ProcessIoPriority,
 437 | ProcessExecuteFlags,
 438 | ProcessResourceManagement,
 439 | ProcessCookie,
 440 | ProcessImageInformation,
 441 | MaxProcessInfoClass             // MaxProcessInfoClass should always be the last enum
 442 | } PROCESSINFOCLASS;
 443 | */
 444 | 
 445 | NTSYSCALLAPI
 446 | NTSTATUS
 447 | NTAPI
 448 | NtQueryInformationProcess(
 449 | 	IN HANDLE ProcessHandle,
 450 | 	IN PROCESSINFOCLASS ProcessInformationClass,
 451 | 	OUT  PVOID ProcessInformation,
 452 | 	IN ULONG ProcessInformationLength,
 453 | 	OUT PULONG ReturnLength
 454 | );
 455 | // end_ntddk end_ntifs 
 456 | 
 457 | 
 458 | NTSYSCALLAPI
 459 | NTSTATUS
 460 | NTAPI
 461 | NtSetInformationProcess(
 462 | 	IN HANDLE ProcessHandle,
 463 | 	IN PROCESSINFOCLASS ProcessInformationClass,
 464 | 	IN PVOID ProcessInformation,
 465 | 	IN ULONG ProcessInformationLength
 466 | );
 467 | 
 468 | 
 469 | NTSYSCALLAPI
 470 | NTSTATUS
 471 | NTAPI
 472 | NtOpenThread(
 473 | 	OUT PHANDLE ThreadHandle,
 474 | 	IN ACCESS_MASK DesiredAccess,
 475 | 	IN POBJECT_ATTRIBUTES ObjectAttributes,
 476 | 	IN PCLIENT_ID ClientId
 477 | );
 478 | 
 479 | // 
 480 | // Thread Information Classes 
 481 | // 
 482 | /*
 483 | typedef enum _THREADINFOCLASS {
 484 | ThreadBasicInformation,
 485 | ThreadTimes,
 486 | ThreadPriority,
 487 | ThreadBasePriority,
 488 | ThreadAffinityMask,
 489 | ThreadImpersonationToken,
 490 | ThreadDescriptorTableEntry,
 491 | ThreadEnableAlignmentFaultFixup,
 492 | ThreadEventPair_Reusable,
 493 | ThreadQuerySetWin32StartAddress,
 494 | ThreadZeroTlsCell,
 495 | ThreadPerformanceCount,
 496 | ThreadAmILastThread,
 497 | ThreadIdealProcessor,
 498 | ThreadPriorityBoost,
 499 | ThreadSetTlsArrayAddress,
 500 | ThreadIsIoPending,
 501 | ThreadHideFromDebugger,
 502 | ThreadBreakOnTermination,
 503 | ThreadSwitchLegacyState,
 504 | ThreadIsTerminated,
 505 | MaxThreadInfoClass
 506 | } THREADINFOCLASS;
 507 | // end_ntddk end_ntifs
 508 | */
 509 | 
 510 | NTSYSCALLAPI
 511 | NTSTATUS
 512 | NTAPI
 513 | NtQueryInformationThread(
 514 | 	IN HANDLE ThreadHandle,
 515 | 	IN THREADINFOCLASS ThreadInformationClass,
 516 | 	OUT PVOID ThreadInformation,
 517 | 	IN ULONG ThreadInformationLength,
 518 | 	OUT PULONG ReturnLength
 519 | );
 520 | 
 521 | // begin_ntifs 
 522 | NTSYSCALLAPI
 523 | NTSTATUS
 524 | NTAPI
 525 | NtSetInformationThread(
 526 | 	IN HANDLE ThreadHandle,
 527 | 	IN THREADINFOCLASS ThreadInformationClass,
 528 | 	IN PVOID ThreadInformation,
 529 | 	IN ULONG ThreadInformationLength
 530 | );
 531 | // end_ntifs 
 532 | /*
 533 | typedef struct _IO_STATUS_BLOCK {
 534 | union {
 535 | NTSTATUS Status;
 536 | PVOID Pointer;
 537 | };
 538 | ULONG_PTR Information;
 539 | } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
 540 | */
 541 | NTSYSCALLAPI
 542 | NTSTATUS
 543 | NTAPI
 544 | NtCreateFile(
 545 | 	OUT PHANDLE FileHandle,
 546 | 	IN ACCESS_MASK DesiredAccess,
 547 | 	IN POBJECT_ATTRIBUTES ObjectAttributes,
 548 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 549 | 	IN PLARGE_INTEGER AllocationSize,
 550 | 	IN ULONG FileAttributes,
 551 | 	IN ULONG ShareAccess,
 552 | 	IN ULONG CreateDisposition,
 553 | 	IN ULONG CreateOptions,
 554 | 	IN PVOID EaBuffer,
 555 | 	IN ULONG EaLength
 556 | );
 557 | 
 558 | typedef
 559 | VOID
 560 | (NTAPI* PIO_APC_ROUTINE) (
 561 | 	IN PVOID ApcContext,
 562 | 	IN PIO_STATUS_BLOCK IoStatusBlock,
 563 | 	IN ULONG Reserved
 564 | 	);
 565 | 
 566 | 
 567 | NTSYSCALLAPI
 568 | NTSTATUS
 569 | NTAPI
 570 | NtDeviceIoControlFile(
 571 | 	IN HANDLE FileHandle,
 572 | 	IN HANDLE Event,
 573 | 	IN PIO_APC_ROUTINE ApcRoutine,
 574 | 	IN PVOID ApcContext,
 575 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 576 | 	IN ULONG IoControlCode,
 577 | 	IN PVOID InputBuffer,
 578 | 	IN ULONG InputBufferLength,
 579 | 	OUT PVOID OutputBuffer,
 580 | 	IN ULONG OutputBufferLength
 581 | );
 582 | 
 583 | /*
 584 | typedef enum _FILE_INFORMATION_CLASS {
 585 | // end_wdm
 586 | FileDirectoryInformation         = 1,
 587 | FileFullDirectoryInformation,   // 2
 588 | FileBothDirectoryInformation,   // 3
 589 | FileBasicInformation,           // 4  wdm
 590 | FileStandardInformation,        // 5  wdm
 591 | FileInternalInformation,        // 6
 592 | FileEaInformation,              // 7
 593 | FileAccessInformation,          // 8
 594 | FileNameInformation,            // 9
 595 | FileRenameInformation,          // 10
 596 | FileLinkInformation,            // 11
 597 | FileNamesInformation,           // 12
 598 | FileDispositionInformation,     // 13
 599 | FilePositionInformation,        // 14 wdm
 600 | FileFullEaInformation,          // 15
 601 | FileModeInformation,            // 16
 602 | FileAlignmentInformation,       // 17
 603 | FileAllInformation,             // 18
 604 | FileAllocationInformation,      // 19
 605 | FileEndOfFileInformation,       // 20 wdm
 606 | FileAlternateNameInformation,   // 21
 607 | FileStreamInformation,          // 22
 608 | FilePipeInformation,            // 23
 609 | FilePipeLocalInformation,       // 24
 610 | FilePipeRemoteInformation,      // 25
 611 | FileMailslotQueryInformation,   // 26
 612 | FileMailslotSetInformation,     // 27
 613 | FileCompressionInformation,     // 28
 614 | FileObjectIdInformation,        // 29
 615 | FileCompletionInformation,      // 30
 616 | FileMoveClusterInformation,     // 31
 617 | FileQuotaInformation,           // 32
 618 | FileReparsePointInformation,    // 33
 619 | FileNetworkOpenInformation,     // 34
 620 | FileAttributeTagInformation,    // 35
 621 | FileTrackingInformation,        // 36
 622 | FileIdBothDirectoryInformation, // 37
 623 | FileIdFullDirectoryInformation, // 38
 624 | FileValidDataLengthInformation, // 39
 625 | FileShortNameInformation,       // 40
 626 | FileMaximumInformation
 627 | // begin_wdm
 628 | } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
 629 | */
 630 | 
 631 | NTSYSCALLAPI
 632 | NTSTATUS
 633 | NTAPI
 634 | NtQueryDirectoryFile(
 635 | 	IN HANDLE FileHandle,
 636 | 	IN HANDLE Event,
 637 | 	IN PIO_APC_ROUTINE ApcRoutine,
 638 | 	IN PVOID ApcContext,
 639 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 640 | 	OUT PVOID FileInformation,
 641 | 	IN ULONG Length,
 642 | 	IN FILE_INFORMATION_CLASS FileInformationClass,
 643 | 	IN BOOLEAN ReturnSingleEntry,
 644 | 	IN PUNICODE_STRING FileName,
 645 | 	IN BOOLEAN RestartScan
 646 | );
 647 | 
 648 | NTSYSCALLAPI
 649 | NTSTATUS
 650 | NTAPI
 651 | NtQueryInformationFile(
 652 | 	IN HANDLE FileHandle,
 653 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 654 | 	OUT PVOID FileInformation,
 655 | 	IN ULONG Length,
 656 | 	IN FILE_INFORMATION_CLASS FileInformationClass
 657 | );
 658 | 
 659 | /*
 660 | typedef enum _FSINFOCLASS {
 661 | FileFsVolumeInformation       = 1,
 662 | FileFsLabelInformation,      // 2
 663 | FileFsSizeInformation,       // 3
 664 | FileFsDeviceInformation,     // 4
 665 | FileFsAttributeInformation,  // 5
 666 | FileFsControlInformation,    // 6
 667 | FileFsFullSizeInformation,   // 7
 668 | FileFsObjectIdInformation,   // 8
 669 | FileFsDriverPathInformation, // 9
 670 | FileFsMaximumInformation
 671 | } FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
 672 | */
 673 | 
 674 | NTSYSCALLAPI
 675 | NTSTATUS
 676 | NTAPI
 677 | NtQueryVolumeInformationFile(
 678 | 	IN HANDLE FileHandle,
 679 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 680 | 	OUT  PVOID FsInformation,
 681 | 	IN ULONG Length,
 682 | 	IN FS_INFORMATION_CLASS FsInformationClass
 683 | );
 684 | 
 685 | NTSYSCALLAPI
 686 | NTSTATUS
 687 | NTAPI
 688 | NtReadFile(
 689 | 	IN HANDLE FileHandle,
 690 | 	IN HANDLE Event,
 691 | 	IN PIO_APC_ROUTINE ApcRoutine,
 692 | 	IN PVOID ApcContext,
 693 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 694 | 	OUT PVOID Buffer,
 695 | 	IN ULONG Length,
 696 | 	IN PLARGE_INTEGER ByteOffset,
 697 | 	IN PULONG Key
 698 | );
 699 | 
 700 | NTSYSCALLAPI
 701 | NTSTATUS
 702 | NTAPI
 703 | NtSetInformationFile(
 704 | 	IN HANDLE FileHandle,
 705 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 706 | 	IN PVOID FileInformation,
 707 | 	IN ULONG Length,
 708 | 	IN FILE_INFORMATION_CLASS FileInformationClass
 709 | );
 710 | 
 711 | NTSYSCALLAPI
 712 | NTSTATUS
 713 | NTAPI
 714 | NtSetVolumeInformationFile(
 715 | 	IN HANDLE FileHandle,
 716 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 717 | 	IN PVOID FsInformation,
 718 | 	IN ULONG Length,
 719 | 	IN FS_INFORMATION_CLASS FsInformationClass
 720 | );
 721 | 
 722 | NTSYSCALLAPI
 723 | NTSTATUS
 724 | NTAPI
 725 | NtWriteFile(
 726 | 	IN HANDLE FileHandle,
 727 | 	IN HANDLE Event,
 728 | 	IN PIO_APC_ROUTINE ApcRoutine,
 729 | 	IN PVOID ApcContext,
 730 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 731 | 	IN PVOID Buffer,
 732 | 	IN ULONG Length,
 733 | 	IN PLARGE_INTEGER ByteOffset,
 734 | 	IN PULONG Key
 735 | );
 736 | 
 737 | NTSYSCALLAPI
 738 | NTSTATUS
 739 | NTAPI
 740 | NtUnlockFile(
 741 | 	IN HANDLE FileHandle,
 742 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 743 | 	IN PLARGE_INTEGER ByteOffset,
 744 | 	IN PLARGE_INTEGER Length,
 745 | 	IN ULONG Key
 746 | );
 747 | 
 748 | NTSYSCALLAPI
 749 | NTSTATUS
 750 | NTAPI
 751 | NtSetEaFile(
 752 | 	IN HANDLE FileHandle,
 753 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 754 | 	IN PVOID Buffer,
 755 | 	IN ULONG Length
 756 | );
 757 | 
 758 | NTSYSCALLAPI
 759 | NTSTATUS
 760 | NTAPI
 761 | NtLockFile(
 762 | 	IN HANDLE FileHandle,
 763 | 	IN HANDLE Event,
 764 | 	IN PIO_APC_ROUTINE ApcRoutine,
 765 | 	IN PVOID ApcContext,
 766 | 	OUT PIO_STATUS_BLOCK IoStatusBlock,
 767 | 	IN PLARGE_INTEGER ByteOffset,
 768 | 	IN PLARGE_INTEGER Length,
 769 | 	IN ULONG Key,
 770 | 	IN BOOLEAN FailImmediately,
 771 | 	IN BOOLEAN ExclusiveLock
 772 | );
 773 | 
 774 | typedef enum _SHUTDOWN_ACTION {
 775 | 	ShutdownNoReboot,
 776 | 	ShutdownReboot,
 777 | 	ShutdownPowerOff
 778 | } SHUTDOWN_ACTION;
 779 | 
 780 | NTSYSCALLAPI
 781 | NTSTATUS
 782 | NTAPI
 783 | NtShutdownSystem(
 784 | 	IN SHUTDOWN_ACTION Action
 785 | );
 786 | 
 787 | ////////////////////////////////////////////////////////////////////////// 
 788 | //Io?|????��??????��??????��?|D (1??a|????��???????��?????????��??????��????��?????��??????��?|??????��?o????????��????��???��?????��??????��????..) 
 789 | // 
 790 | // Define driver initialization routine type. 
 791 | // 
 792 | typedef
 793 | NTSTATUS
 794 | (*PDRIVER_INITIALIZE) (
 795 | 	IN struct _DRIVER_OBJECT* DriverObject,
 796 | 	IN PUNICODE_STRING RegistryPath
 797 | 	);
 798 | 
 799 | NTKERNELAPI
 800 | NTSTATUS
 801 | IoCreateDriver(
 802 | 	IN PUNICODE_STRING DriverName, OPTIONAL
 803 | 	IN PDRIVER_INITIALIZE InitializationFunction
 804 | );
 805 | 
 806 | NTKERNELAPI
 807 | VOID
 808 | IoDeleteDriver(
 809 | 	IN PDRIVER_OBJECT DriverObject
 810 | );
 811 | 
 812 | ////////////////////////////////////////////////////////////////////////// 
 813 | //Kd?|????��??????��??????��?|D 
 814 | /*
 815 | NTKERNELAPI
 816 | NTSTATUS
 817 | KdDisableDebugger(
 818 | VOID
 819 | );
 820 | NTKERNELAPI
 821 | NTSTATUS
 822 | KdEnableDebugger(
 823 | VOID
 824 | );
 825 | */
 826 | 
 827 | 
 828 | 
 829 | NTKERNELAPI
 830 | NTSTATUS
 831 | KdPowerTransition(
 832 | 	IN DEVICE_POWER_STATE newDeviceState
 833 | );
 834 | 
 835 | NTKERNELAPI
 836 | BOOLEAN
 837 | KdPollBreakIn(
 838 | 	VOID
 839 | );
 840 | 
 841 | ////////////////////////////////////////////////////////////////////////// 
 842 | //Ke?|????��??????��??????��?|D 
 843 | 
 844 | NTSTATUS
 845 | NTAPI
 846 | Ke386CallBios(
 847 | 	IN ULONG BiosCommand,
 848 | 	IN OUT PCONTEXT BiosArguments
 849 | );
 850 | 
 851 | #define IOPM_SIZE           8192 
 852 | 
 853 | typedef UCHAR   KIO_ACCESS_MAP[IOPM_SIZE];
 854 | 
 855 | typedef KIO_ACCESS_MAP* PKIO_ACCESS_MAP;
 856 | 
 857 | BOOLEAN
 858 | NTAPI
 859 | Ke386SetIoAccessMap(
 860 | 	ULONG               MapNumber,
 861 | 	PKIO_ACCESS_MAP     IoAccessMap
 862 | );
 863 | 
 864 | BOOLEAN
 865 | NTAPI
 866 | Ke386QueryIoAccessMap(
 867 | 	ULONG              MapNumber,
 868 | 	PKIO_ACCESS_MAP    IoAccessMap
 869 | );
 870 | 
 871 | 
 872 | NTKERNELAPI
 873 | BOOLEAN
 874 | KeAddSystemServiceTable(
 875 | 	IN PULONG_PTR Base,
 876 | 	IN PULONG Count OPTIONAL,
 877 | 	IN ULONG Limit,
 878 | 	IN PUCHAR Number,
 879 | 	IN ULONG Index
 880 | );
 881 | 
 882 | #define PKPROCESS PRKPROCESS 
 883 | 
 884 | 
 885 | NTKERNELAPI
 886 | VOID
 887 | KeDetachProcess(
 888 | 	VOID
 889 | );
 890 | 
 891 | NTKERNELAPI
 892 | DECLSPEC_NORETURN
 893 | VOID
 894 | NTAPI
 895 | KeBugCheck(
 896 | 	IN ULONG BugCheckCode
 897 | );
 898 | 
 899 | NTKERNELAPI
 900 | DECLSPEC_NORETURN
 901 | VOID
 902 | KeBugCheckEx(
 903 | 	IN ULONG BugCheckCode,
 904 | 	IN ULONG_PTR BugCheckParameter1,
 905 | 	IN ULONG_PTR BugCheckParameter2,
 906 | 	IN ULONG_PTR BugCheckParameter3,
 907 | 	IN ULONG_PTR BugCheckParameter4
 908 | );
 909 | 
 910 | /*
 911 | //
 912 | // Interrupt object
 913 | //
 914 | struct _KINTERRUPT;
 915 | // begin_ntddk begin_wdm begin_ntifs begin_ntosp
 916 | typedef
 917 | BOOLEAN
 918 | (*PKSERVICE_ROUTINE) (
 919 | IN struct _KINTERRUPT *Interrupt,
 920 | IN PVOID ServiceContext
 921 | );
 922 | typedef struct _KINTERRUPT {
 923 | CSHORT Type;
 924 | CSHORT Size;
 925 | LIST_ENTRY InterruptListEntry;
 926 | PKSERVICE_ROUTINE ServiceRoutine;
 927 | PVOID ServiceContext;
 928 | KSPIN_LOCK SpinLock;
 929 | ULONG TickCount;
 930 | PKSPIN_LOCK ActualLock;
 931 | PKINTERRUPT_ROUTINE DispatchAddress;
 932 | ULONG Vector;
 933 | KIRQL Irql;
 934 | KIRQL SynchronizeIrql;
 935 | BOOLEAN FloatingSave;
 936 | BOOLEAN Connected;
 937 | CCHAR Number;
 938 | BOOLEAN ShareVector;
 939 | KINTERRUPT_MODE Mode;
 940 | ULONG ServiceCount;
 941 | ULONG DispatchCount;
 942 | #if defined(_AMD64_)
 943 | PKTRAP_FRAME TrapFrame;
 944 | PVOID Reserved;
 945 | ULONG DispatchCode[DISPATCH_LENGTH];
 946 | #else
 947 | ULONG DispatchCode[DISPATCH_LENGTH];
 948 | #endif
 949 | } KINTERRUPT;
 950 | #if !defined(_X86AMD64_) && defined(_AMD64_)
 951 | C_ASSERT((FIELD_OFFSET(KINTERRUPT, DispatchCode) % 16) == 0);
 952 | C_ASSERT((sizeof(KINTERRUPT) % 16) == 0);
 953 | #endif
 954 | typedef struct _KINTERRUPT *PKINTERRUPT, *PRKINTERRUPT; // ntndis ntosp
 955 | NTKERNELAPI
 956 | BOOLEAN
 957 | KeDisconnectInterrupt (
 958 | INout PKINTERRUPT Interrupt
 959 | );
 960 | */
 961 | 
 962 | NTKERNELAPI
 963 | VOID
 964 | KeEnterKernelDebugger(
 965 | 	VOID
 966 | );
 967 | 
 968 | NTSTATUS
 969 | NTAPI
 970 | KeI386AbiosCall(
 971 | 	IN USHORT LogicalId,
 972 | 	IN struct _DRIVER_OBJECT* DriverObject,
 973 | 	IN PUCHAR RequestBlock,
 974 | 	IN USHORT EntryPoint
 975 | );
 976 | 
 977 | NTSTATUS
 978 | NTAPI
 979 | KeI386AllocateGdtSelectors(
 980 | 	OUT PUSHORT SelectorArray,
 981 | 	IN USHORT NumberOfSelectors
 982 | );
 983 | 
 984 | NTSTATUS
 985 | NTAPI
 986 | KeI386FlatToGdtSelector(
 987 | 	IN ULONG SelectorBase,
 988 | 	IN USHORT Length,
 989 | 	IN USHORT Selector
 990 | );
 991 | 
 992 | NTSTATUS
 993 | NTAPI
 994 | KeI386ReleaseGdtSelectors(
 995 | 	OUT PUSHORT SelectorArray,
 996 | 	IN USHORT NumberOfSelectors
 997 | );
 998 | 
 999 | // 
1000 | // GDT Entry 
1001 | // 
1002 | 
1003 | typedef struct _KGDTENTRY {
1004 | 	USHORT  LimitLow;
1005 | 	USHORT  BaseLow;
1006 | 	union {
1007 | 		struct {
1008 | 			UCHAR   BaseMid;
1009 | 			UCHAR   Flags1;     // Declare as bytes to avoid alignment 
1010 | 			UCHAR   Flags2;     // Problems. 
1011 | 			UCHAR   BaseHi;
1012 | 		} Bytes;
1013 | 		struct {
1014 | 			ULONG   BaseMid : 8;
1015 | 			ULONG   Type : 5;
1016 | 			ULONG   Dpl : 2;
1017 | 			ULONG   Pres : 1;
1018 | 			ULONG   LimitHi : 4;
1019 | 			ULONG   Sys : 1;
1020 | 			ULONG   Reserved_0 : 1;
1021 | 			ULONG   Default_Big : 1;
1022 | 			ULONG   Granularity : 1;
1023 | 			ULONG   BaseHi : 8;
1024 | 		} Bits;
1025 | 	} HighWord;
1026 | } KGDTENTRY, * PKGDTENTRY;
1027 | 
1028 | NTSTATUS
1029 | NTAPI
1030 | KeI386SetGdtSelector(
1031 | 	ULONG       Selector,
1032 | 	PKGDTENTRY  GdtValue
1033 | );
1034 | 
1035 | NTSTATUS
1036 | NTAPI
1037 | KeI386GetLid(
1038 | 	IN USHORT DeviceId,
1039 | 	IN USHORT RelativeLid,
1040 | 	IN BOOLEAN SharedLid,
1041 | 	IN struct _DRIVER_OBJECT* DeviceObject,
1042 | 	OUT PUSHORT LogicalId
1043 | );
1044 | 
1045 | 
1046 | NTSTATUS
1047 | NTAPI
1048 | KeI386ReleaseLid(
1049 | 	IN USHORT LogicalId,
1050 | 	IN struct _DRIVER_OBJECT* DeviceObject
1051 | );
1052 | 
1053 | /*
1054 | typedef enum _MODE {
1055 | KernelMode,
1056 | UserMode,
1057 | MaximumMode
1058 | } MODE;
1059 | */
1060 | 
1061 | 
1062 | 
1063 | NTKERNELAPI
1064 | VOID
1065 | KeTerminateThread(
1066 | 	IN KPRIORITY Increment
1067 | );
1068 | 
1069 | 
1070 | ////////////////////////////////////////////////////////////////////////// 
1071 | //Mm?|????��??????��??????��?|D 
1072 | NTKERNELAPI
1073 | PVOID
1074 | MmGetVirtualForPhysical(
1075 | 	IN PHYSICAL_ADDRESS PhysicalAddress
1076 | );
1077 | 
1078 | NTKERNELAPI
1079 | NTSTATUS
1080 | MmMapUserAddressesToPage(
1081 | 	IN PVOID BaseAddress,
1082 | 	IN SIZE_T NumberOfBytes,
1083 | 	IN PVOID PageAddress
1084 | );
1085 | 
1086 | NTKERNELAPI
1087 | NTSTATUS
1088 | MmMapViewOfSection(
1089 | 	IN PVOID SectionToMap,
1090 | 	IN PEPROCESS Process,
1091 | 	PVOID* CapturedBase,
1092 | 	IN ULONG_PTR ZeroBits,
1093 | 	IN SIZE_T CommitSize,
1094 | 	IN OUT PLARGE_INTEGER SectionOffset,
1095 | 	IN OUT PSIZE_T CapturedViewSize,
1096 | 	IN SECTION_INHERIT InheritDisposition,
1097 | 	IN ULONG AllocationType,
1098 | 	IN ULONG Win32Protect
1099 | );
1100 | 
1101 | NTKERNELAPI
1102 | NTSTATUS
1103 | MmUnmapViewOfSection(
1104 | 	IN PEPROCESS Process,
1105 | 	IN PVOID BaseAddress
1106 | );
1107 | 
1108 | /*
1109 | typedef enum _MM_SYSTEM_SIZE {
1110 | MmSmallSystem,
1111 | MmMediumSystem,
1112 | MmLargeSystem
1113 | } MM_SYSTEMSIZE;
1114 | */
1115 | NTKERNELAPI
1116 | MM_SYSTEMSIZE
1117 | MmQuerySystemSize(
1118 | 	VOID
1119 | );
1120 | 
1121 | NTSTATUS NTAPI MmCopyVirtualMemory
1122 | (
1123 | 	PEPROCESS SourceProcess,
1124 | 	PVOID SourceAddress,
1125 | 	PEPROCESS TargetProcess,
1126 | 	PVOID TargetAddress,
1127 | 	SIZE_T BufferSize,
1128 | 	KPROCESSOR_MODE PreviousMode,
1129 | 	PSIZE_T ReturnSize
1130 | );
1131 | 
1132 | NTSTATUS ZwQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength);
1133 | LPSTR PsGetProcessImageFileName(PEPROCESS Process);
1134 | 
1135 | 
1136 | BOOLEAN KeInsertQueueApc(
1137 | 	PRKAPC Apc,
1138 | 	PVOID SystemArgument1,
1139 | 	PVOID SystemArgument2,
1140 | 	KPRIORITY Increment);
1141 | 
1142 | NTSTATUS ZwAllocateVirtualMemory(
1143 | 	_In_    HANDLE    ProcessHandle,
1144 | 	_Inout_ PVOID* BaseAddress,
1145 | 	_In_    ULONG_PTR ZeroBits,
1146 | 	_Inout_ PSIZE_T   RegionSize,
1147 | 	_In_    ULONG     AllocationType,
1148 | 	_In_    ULONG     Protect
1149 | );
1150 | NTSTATUS ZwFreeVirtualMemory(
1151 | 	_In_    HANDLE  ProcessHandle,
1152 | 	_Inout_ PVOID* BaseAddress,
1153 | 	_Inout_ PSIZE_T RegionSize,
1154 | 	_In_    ULONG   FreeType
1155 | );
1156 | 
1157 | //
1158 | // Copyright (c) Microsoft Corporation. All rights reserved.
1159 | //
1160 | // You may only use this code if you agree to the terms of the Windows Research Kernel Source Code License agreement (see License.txt).
1161 | // If you do not agree to the terms, do not use the code.
1162 | //
1163 | 
1164 | NTSYSAPI
1165 | NTSTATUS
1166 | NTAPI
1167 | ZwDelayExecution(
1168 | 	__in BOOLEAN Alertable,
1169 | 	__in PLARGE_INTEGER DelayInterval
1170 | );
1171 | NTSYSAPI
1172 | NTSTATUS
1173 | NTAPI
1174 | ZwQuerySystemEnvironmentValue(
1175 | 	__in PUNICODE_STRING VariableName,
1176 | 	__out_bcount(ValueLength) PWSTR VariableValue,
1177 | 	__in USHORT ValueLength,
1178 | 	__out_opt PUSHORT ReturnLength
1179 | );
1180 | NTSYSAPI
1181 | NTSTATUS
1182 | NTAPI
1183 | ZwSetSystemEnvironmentValue(
1184 | 	__in PUNICODE_STRING VariableName,
1185 | 	__in PUNICODE_STRING VariableValue
1186 | );
1187 | NTSYSAPI
1188 | NTSTATUS
1189 | NTAPI
1190 | ZwQuerySystemEnvironmentValueEx(
1191 | 	__in PUNICODE_STRING VariableName,
1192 | 	__in LPGUID VendorGuid,
1193 | 	__out_bcount_opt(*ValueLength) PVOID Value,
1194 | 	__inout PULONG ValueLength,
1195 | 	__out_opt PULONG Attributes
1196 | );
1197 | NTSYSAPI
1198 | NTSTATUS
1199 | NTAPI
1200 | ZwSetSystemEnvironmentValueEx(
1201 | 	__in PUNICODE_STRING VariableName,
1202 | 	__in LPGUID VendorGuid,
1203 | 	__in_bcount_opt(ValueLength) PVOID Value,
1204 | 	__in ULONG ValueLength,
1205 | 	__in ULONG Attributes
1206 | );
1207 | NTSYSAPI
1208 | NTSTATUS
1209 | NTAPI
1210 | ZwEnumerateSystemEnvironmentValuesEx(
1211 | 	__in ULONG InformationClass,
1212 | 	__out PVOID Buffer,
1213 | 	__inout PULONG BufferLength
1214 | );
1215 | 
1216 | NTSYSAPI
1217 | NTSTATUS
1218 | NTAPI
1219 | ZwDeleteBootEntry(
1220 | 	__in ULONG Id
1221 | );
1222 | 
1223 | NTSYSAPI
1224 | NTSTATUS
1225 | NTAPI
1226 | ZwEnumerateBootEntries(
1227 | 	__out_bcount_opt(*BufferLength) PVOID Buffer,
1228 | 	__inout PULONG BufferLength
1229 | );
1230 | NTSYSAPI
1231 | NTSTATUS
1232 | NTAPI
1233 | ZwQueryBootEntryOrder(
1234 | 	__out_ecount_opt(*Count) PULONG Ids,
1235 | 	__inout PULONG Count
1236 | );
1237 | NTSYSAPI
1238 | NTSTATUS
1239 | NTAPI
1240 | ZwSetBootEntryOrder(
1241 | 	__in_ecount(Count) PULONG Ids,
1242 | 	__in ULONG Count
1243 | );
1244 | 
1245 | NTSYSAPI
1246 | NTSTATUS
1247 | NTAPI
1248 | ZwDeleteDriverEntry(
1249 | 	__in ULONG Id
1250 | );
1251 | 
1252 | NTSYSAPI
1253 | NTSTATUS
1254 | NTAPI
1255 | ZwEnumerateDriverEntries(
1256 | 	__out_bcount(*BufferLength) PVOID Buffer,
1257 | 	__inout PULONG BufferLength
1258 | );
1259 | NTSYSAPI
1260 | NTSTATUS
1261 | NTAPI
1262 | ZwQueryDriverEntryOrder(
1263 | 	__out_ecount(*Count) PULONG Ids,
1264 | 	__inout PULONG Count
1265 | );
1266 | NTSYSAPI
1267 | NTSTATUS
1268 | NTAPI
1269 | ZwSetDriverEntryOrder(
1270 | 	__in_ecount(Count) PULONG Ids,
1271 | 	__in ULONG Count
1272 | );
1273 | NTSYSAPI
1274 | NTSTATUS
1275 | NTAPI
1276 | ZwClearEvent(
1277 | 	__in HANDLE EventHandle
1278 | );
1279 | NTSYSAPI
1280 | NTSTATUS
1281 | NTAPI
1282 | ZwCreateEvent(
1283 | 	__out PHANDLE EventHandle,
1284 | 	__in ACCESS_MASK DesiredAccess,
1285 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
1286 | 	__in EVENT_TYPE EventType,
1287 | 	__in BOOLEAN InitialState
1288 | );
1289 | NTSYSAPI
1290 | NTSTATUS
1291 | NTAPI
1292 | ZwOpenEvent(
1293 | 	__out PHANDLE EventHandle,
1294 | 	__in ACCESS_MASK DesiredAccess,
1295 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
1296 | );
1297 | NTSYSAPI
1298 | NTSTATUS
1299 | NTAPI
1300 | ZwPulseEvent(
1301 | 	__in HANDLE EventHandle,
1302 | 	__out_opt PLONG PreviousState
1303 | );
1304 | 
1305 | NTSYSAPI
1306 | NTSTATUS
1307 | NTAPI
1308 | ZwResetEvent(
1309 | 	__in HANDLE EventHandle,
1310 | 	__out_opt PLONG PreviousState
1311 | );
1312 | NTSYSAPI
1313 | NTSTATUS
1314 | NTAPI
1315 | ZwSetEvent(
1316 | 	__in HANDLE EventHandle,
1317 | 	__out_opt PLONG PreviousState
1318 | );
1319 | NTSYSAPI
1320 | NTSTATUS
1321 | NTAPI
1322 | ZwSetEventBoostPriority(
1323 | 	__in HANDLE EventHandle
1324 | );
1325 | NTSYSAPI
1326 | NTSTATUS
1327 | NTAPI
1328 | ZwCreateEventPair(
1329 | 	__out PHANDLE EventPairHandle,
1330 | 	__in ACCESS_MASK DesiredAccess,
1331 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes
1332 | );
1333 | NTSYSAPI
1334 | NTSTATUS
1335 | NTAPI
1336 | ZwOpenEventPair(
1337 | 	__out PHANDLE EventPairHandle,
1338 | 	__in ACCESS_MASK DesiredAccess,
1339 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
1340 | );
1341 | NTSYSAPI
1342 | NTSTATUS
1343 | NTAPI
1344 | ZwWaitLowEventPair(
1345 | 	__in HANDLE EventPairHandle
1346 | );
1347 | NTSYSAPI
1348 | NTSTATUS
1349 | NTAPI
1350 | ZwWaitHighEventPair(
1351 | 	__in HANDLE EventPairHandle
1352 | );
1353 | NTSYSAPI
1354 | NTSTATUS
1355 | NTAPI
1356 | ZwSetLowWaitHighEventPair(
1357 | 	__in HANDLE EventPairHandle
1358 | );
1359 | NTSYSAPI
1360 | NTSTATUS
1361 | NTAPI
1362 | ZwSetHighWaitLowEventPair(
1363 | 	__in HANDLE EventPairHandle
1364 | );
1365 | NTSYSAPI
1366 | NTSTATUS
1367 | NTAPI
1368 | ZwSetLowEventPair(
1369 | 	__in HANDLE EventPairHandle
1370 | );
1371 | NTSYSAPI
1372 | NTSTATUS
1373 | NTAPI
1374 | ZwSetHighEventPair(
1375 | 	__in HANDLE EventPairHandle
1376 | );
1377 | NTSYSAPI
1378 | NTSTATUS
1379 | NTAPI
1380 | ZwCreateMutant(
1381 | 	__out PHANDLE MutantHandle,
1382 | 	__in ACCESS_MASK DesiredAccess,
1383 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
1384 | 	__in BOOLEAN InitialOwner
1385 | );
1386 | NTSYSAPI
1387 | NTSTATUS
1388 | NTAPI
1389 | ZwOpenMutant(
1390 | 	__out PHANDLE MutantHandle,
1391 | 	__in ACCESS_MASK DesiredAccess,
1392 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
1393 | );
1394 | 
1395 | NTSYSAPI
1396 | NTSTATUS
1397 | NTAPI
1398 | ZwReleaseMutant(
1399 | 	__in HANDLE MutantHandle,
1400 | 	__out_opt PLONG PreviousCount
1401 | );
1402 | NTSYSAPI
1403 | NTSTATUS
1404 | NTAPI
1405 | ZwCreateSemaphore(
1406 | 	__out PHANDLE SemaphoreHandle,
1407 | 	__in ACCESS_MASK DesiredAccess,
1408 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
1409 | 	__in LONG InitialCount,
1410 | 	__in LONG MaximumCount
1411 | );
1412 | NTSYSAPI
1413 | NTSTATUS
1414 | NTAPI
1415 | ZwOpenSemaphore(
1416 | 	__out PHANDLE SemaphoreHandle,
1417 | 	__in ACCESS_MASK DesiredAccess,
1418 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
1419 | );
1420 | 
1421 | NTSYSAPI
1422 | NTSTATUS
1423 | NTAPI
1424 | ZwReleaseSemaphore(
1425 | 	__in HANDLE SemaphoreHandle,
1426 | 	__in LONG ReleaseCount,
1427 | 	__out_opt PLONG PreviousCount
1428 | );
1429 | 
1430 | 
1431 | NTSYSAPI
1432 | NTSTATUS
1433 | NTAPI
1434 | ZwQuerySystemTime(
1435 | 	__out PLARGE_INTEGER SystemTime
1436 | );
1437 | NTSYSAPI
1438 | NTSTATUS
1439 | NTAPI
1440 | ZwSetSystemTime(
1441 | 	__in_opt PLARGE_INTEGER SystemTime,
1442 | 	__out_opt PLARGE_INTEGER PreviousTime
1443 | );
1444 | NTSYSAPI
1445 | NTSTATUS
1446 | NTAPI
1447 | ZwQueryTimerResolution(
1448 | 	__out PULONG MaximumTime,
1449 | 	__out PULONG MinimumTime,
1450 | 	__out PULONG CurrentTime
1451 | );
1452 | NTSYSAPI
1453 | NTSTATUS
1454 | NTAPI
1455 | ZwSetTimerResolution(
1456 | 	__in ULONG DesiredTime,
1457 | 	__in BOOLEAN SetResolution,
1458 | 	__out PULONG ActualTime
1459 | );
1460 | NTSYSAPI
1461 | NTSTATUS
1462 | NTAPI
1463 | ZwAllocateLocallyUniqueId(
1464 | 	__out PLUID Luid
1465 | );
1466 | NTSYSAPI
1467 | NTSTATUS
1468 | NTAPI
1469 | ZwSetUuidSeed(
1470 | 	__in PCHAR Seed
1471 | );
1472 | NTSYSAPI
1473 | NTSTATUS
1474 | NTAPI
1475 | ZwAllocateUuids(
1476 | 	__out PULARGE_INTEGER Time,
1477 | 	__out PULONG Range,
1478 | 	__out PULONG Sequence,
1479 | 	__out PCHAR Seed
1480 | );
1481 | NTSYSAPI
1482 | NTSTATUS
1483 | NTAPI
1484 | ZwCreateProfile(
1485 | 	__out PHANDLE ProfileHandle,
1486 | 	__in HANDLE Process OPTIONAL,
1487 | 	__in PVOID ProfileBase,
1488 | 	__in SIZE_T ProfileSize,
1489 | 	__in ULONG BucketSize,
1490 | 	__in PULONG Buffer,
1491 | 	__in ULONG BufferSize,
1492 | 	__in KPROFILE_SOURCE ProfileSource,
1493 | 	__in KAFFINITY Affinity
1494 | );
1495 | NTSYSAPI
1496 | NTSTATUS
1497 | NTAPI
1498 | ZwStartProfile(
1499 | 	__in HANDLE ProfileHandle
1500 | );
1501 | NTSYSAPI
1502 | NTSTATUS
1503 | NTAPI
1504 | ZwStopProfile(
1505 | 	__in HANDLE ProfileHandle
1506 | );
1507 | NTSYSAPI
1508 | NTSTATUS
1509 | NTAPI
1510 | ZwSetIntervalProfile(
1511 | 	__in ULONG Interval,
1512 | 	__in KPROFILE_SOURCE Source
1513 | );
1514 | NTSYSAPI
1515 | NTSTATUS
1516 | NTAPI
1517 | ZwQueryIntervalProfile(
1518 | 	__in KPROFILE_SOURCE ProfileSource,
1519 | 	__out PULONG Interval
1520 | );
1521 | NTSYSAPI
1522 | NTSTATUS
1523 | NTAPI
1524 | ZwQueryPerformanceCounter(
1525 | 	__out PLARGE_INTEGER PerformanceCounter,
1526 | 	__out_opt PLARGE_INTEGER PerformanceFrequency
1527 | );
1528 | NTSYSAPI
1529 | NTSTATUS
1530 | NTAPI
1531 | ZwCreateKeyedEvent(
1532 | 	__out PHANDLE KeyedEventHandle,
1533 | 	__in ACCESS_MASK DesiredAccess,
1534 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
1535 | 	__in ULONG Flags
1536 | );
1537 | NTSYSAPI
1538 | NTSTATUS
1539 | NTAPI
1540 | ZwOpenKeyedEvent(
1541 | 	__out PHANDLE KeyedEventHandle,
1542 | 	__in ACCESS_MASK DesiredAccess,
1543 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
1544 | );
1545 | NTSYSAPI
1546 | NTSTATUS
1547 | NTAPI
1548 | ZwReleaseKeyedEvent(
1549 | 	__in HANDLE KeyedEventHandle,
1550 | 	__in PVOID KeyValue,
1551 | 	__in BOOLEAN Alertable,
1552 | 	__in_opt PLARGE_INTEGER Timeout
1553 | );
1554 | NTSYSAPI
1555 | NTSTATUS
1556 | NTAPI
1557 | ZwWaitForKeyedEvent(
1558 | 	__in HANDLE KeyedEventHandle,
1559 | 	__in PVOID KeyValue,
1560 | 	__in BOOLEAN Alertable,
1561 | 	__in_opt PLARGE_INTEGER Timeout
1562 | );
1563 | 
1564 | 
1565 | NTSYSAPI
1566 | NTSTATUS
1567 | NTAPI
1568 | ZwRaiseHardError(
1569 | 	__in NTSTATUS ErrorStatus,
1570 | 	__in ULONG NumberOfParameters,
1571 | 	__in ULONG UnicodeStringParameterMask,
1572 | 	__in_ecount(NumberOfParameters) PULONG_PTR Parameters,
1573 | 	__in ULONG ValidResponseOptions,
1574 | 	__out PULONG Response
1575 | );
1576 | NTSYSAPI
1577 | NTSTATUS
1578 | NTAPI
1579 | ZwQueryDefaultLocale(
1580 | 	__in BOOLEAN UserProfile,
1581 | 	__out PLCID DefaultLocaleId
1582 | );
1583 | NTSYSAPI
1584 | NTSTATUS
1585 | NTAPI
1586 | ZwSetDefaultLocale(
1587 | 	__in BOOLEAN UserProfile,
1588 | 	__in LCID DefaultLocaleId
1589 | );
1590 | NTSYSAPI
1591 | NTSTATUS
1592 | NTAPI
1593 | ZwQueryInstallUILanguage(
1594 | 	__out LANGID* InstallUILanguageId
1595 | );
1596 | NTSYSAPI
1597 | NTSTATUS
1598 | NTAPI
1599 | ZwQueryDefaultUILanguage(
1600 | 	__out LANGID* DefaultUILanguageId
1601 | );
1602 | NTSYSAPI
1603 | NTSTATUS
1604 | NTAPI
1605 | ZwSetDefaultUILanguage(
1606 | 	__in LANGID DefaultUILanguageId
1607 | );
1608 | NTSYSAPI
1609 | NTSTATUS
1610 | NTAPI
1611 | ZwSetDefaultHardErrorPort(
1612 | 	__in HANDLE DefaultHardErrorPort
1613 | );
1614 | NTSYSAPI
1615 | NTSTATUS
1616 | NTAPI
1617 | ZwShutdownSystem(
1618 | 	__in SHUTDOWN_ACTION Action
1619 | );
1620 | NTSYSAPI
1621 | NTSTATUS
1622 | NTAPI
1623 | ZwDisplayString(
1624 | 	__in PUNICODE_STRING String
1625 | );
1626 | 
1627 | NTSYSAPI
1628 | NTSTATUS
1629 | NTAPI
1630 | ZwCancelIoFile(
1631 | 	__in HANDLE FileHandle,
1632 | 	__out PIO_STATUS_BLOCK IoStatusBlock
1633 | );
1634 | NTSYSAPI
1635 | NTSTATUS
1636 | NTAPI
1637 | ZwCreateNamedPipeFile(
1638 | 	__out PHANDLE FileHandle,
1639 | 	__in ULONG DesiredAccess,
1640 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
1641 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1642 | 	__in ULONG ShareAccess,
1643 | 	__in ULONG CreateDisposition,
1644 | 	__in ULONG CreateOptions,
1645 | 	__in ULONG NamedPipeType,
1646 | 	__in ULONG ReadMode,
1647 | 	__in ULONG CompletionMode,
1648 | 	__in ULONG MaximumInstances,
1649 | 	__in ULONG InboundQuota,
1650 | 	__in ULONG OutboundQuota,
1651 | 	__in_opt PLARGE_INTEGER DefaultTimeout
1652 | );
1653 | NTSYSAPI
1654 | NTSTATUS
1655 | NTAPI
1656 | ZwCreateMailslotFile(
1657 | 	__out PHANDLE FileHandle,
1658 | 	__in ULONG DesiredAccess,
1659 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
1660 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1661 | 	__in ULONG CreateOptions,
1662 | 	__in ULONG MailslotQuota,
1663 | 	__in ULONG MaximumMessageSize,
1664 | 	__in PLARGE_INTEGER ReadTimeout
1665 | );
1666 | NTSYSAPI
1667 | NTSTATUS
1668 | NTAPI
1669 | ZwDeleteFile(
1670 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
1671 | );
1672 | NTSYSAPI
1673 | NTSTATUS
1674 | NTAPI
1675 | ZwFlushBuffersFile(
1676 | 	__in HANDLE FileHandle,
1677 | 	__out PIO_STATUS_BLOCK IoStatusBlock
1678 | );
1679 | NTSYSAPI
1680 | NTSTATUS
1681 | NTAPI
1682 | ZwNotifyChangeDirectoryFile(
1683 | 	__in HANDLE FileHandle,
1684 | 	__in_opt HANDLE Event,
1685 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1686 | 	__in_opt PVOID ApcContext,
1687 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1688 | 	__out_bcount(Length) PVOID Buffer,
1689 | 	__in ULONG Length,
1690 | 	__in ULONG CompletionFilter,
1691 | 	__in BOOLEAN WatchTree
1692 | );
1693 | NTSYSAPI
1694 | NTSTATUS
1695 | NTAPI
1696 | ZwQueryAttributesFile(
1697 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
1698 | 	__out PFILE_BASIC_INFORMATION FileInformation
1699 | );
1700 | NTSYSAPI
1701 | NTSTATUS
1702 | NTAPI
1703 | ZwQueryFullAttributesFile(
1704 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
1705 | 	__out PFILE_NETWORK_OPEN_INFORMATION FileInformation
1706 | );
1707 | NTSYSAPI
1708 | NTSTATUS
1709 | NTAPI
1710 | ZwCreateFile(
1711 | 	__out PHANDLE FileHandle,
1712 | 	__in ACCESS_MASK DesiredAccess,
1713 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
1714 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1715 | 	__in_opt PLARGE_INTEGER AllocationSize,
1716 | 	__in ULONG FileAttributes,
1717 | 	__in ULONG ShareAccess,
1718 | 	__in ULONG CreateDisposition,
1719 | 	__in ULONG CreateOptions,
1720 | 	__in_bcount_opt(EaLength) PVOID EaBuffer,
1721 | 	__in ULONG EaLength
1722 | );
1723 | NTSYSAPI
1724 | NTSTATUS
1725 | NTAPI
1726 | ZwDeviceIoControlFile(
1727 | 	__in HANDLE FileHandle,
1728 | 	__in_opt HANDLE Event,
1729 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1730 | 	__in_opt PVOID ApcContext,
1731 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1732 | 	__in ULONG IoControlCode,
1733 | 	__in_bcount_opt(InputBufferLength) PVOID InputBuffer,
1734 | 	__in ULONG InputBufferLength,
1735 | 	__out_bcount_opt(OutputBufferLength) PVOID OutputBuffer,
1736 | 	__in ULONG OutputBufferLength
1737 | );
1738 | NTSYSAPI
1739 | NTSTATUS
1740 | NTAPI
1741 | ZwFsControlFile(
1742 | 	__in HANDLE FileHandle,
1743 | 	__in_opt HANDLE Event,
1744 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1745 | 	__in_opt PVOID ApcContext,
1746 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1747 | 	__in ULONG FsControlCode,
1748 | 	__in_bcount_opt(InputBufferLength) PVOID InputBuffer,
1749 | 	__in ULONG InputBufferLength,
1750 | 	__out_bcount_opt(OutputBufferLength) PVOID OutputBuffer,
1751 | 	__in ULONG OutputBufferLength
1752 | );
1753 | NTSYSAPI
1754 | NTSTATUS
1755 | NTAPI
1756 | ZwLockFile(
1757 | 	__in HANDLE FileHandle,
1758 | 	__in_opt HANDLE Event,
1759 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1760 | 	__in_opt PVOID ApcContext,
1761 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1762 | 	__in PLARGE_INTEGER ByteOffset,
1763 | 	__in PLARGE_INTEGER Length,
1764 | 	__in ULONG Key,
1765 | 	__in BOOLEAN FailImmediately,
1766 | 	__in BOOLEAN ExclusiveLock
1767 | );
1768 | NTSYSAPI
1769 | NTSTATUS
1770 | NTAPI
1771 | ZwOpenFile(
1772 | 	__out PHANDLE FileHandle,
1773 | 	__in ACCESS_MASK DesiredAccess,
1774 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
1775 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1776 | 	__in ULONG ShareAccess,
1777 | 	__in ULONG OpenOptions
1778 | );
1779 | NTSYSAPI
1780 | NTSTATUS
1781 | NTAPI
1782 | ZwQueryDirectoryFile(
1783 | 	__in HANDLE FileHandle,
1784 | 	__in_opt HANDLE Event,
1785 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1786 | 	__in_opt PVOID ApcContext,
1787 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1788 | 	__out_bcount(Length) PVOID FileInformation,
1789 | 	__in ULONG Length,
1790 | 	__in FILE_INFORMATION_CLASS FileInformationClass,
1791 | 	__in BOOLEAN ReturnSingleEntry,
1792 | 	__in_opt PUNICODE_STRING FileName,
1793 | 	__in BOOLEAN RestartScan
1794 | );
1795 | NTSYSAPI
1796 | NTSTATUS
1797 | NTAPI
1798 | ZwQueryInformationFile(
1799 | 	__in HANDLE FileHandle,
1800 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1801 | 	__out_bcount(Length) PVOID FileInformation,
1802 | 	__in ULONG Length,
1803 | 	__in FILE_INFORMATION_CLASS FileInformationClass
1804 | );
1805 | NTSYSAPI
1806 | NTSTATUS
1807 | NTAPI
1808 | ZwQueryQuotaInformationFile(
1809 | 	__in HANDLE FileHandle,
1810 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1811 | 	__out_bcount(Length) PVOID Buffer,
1812 | 	__in ULONG Length,
1813 | 	__in BOOLEAN ReturnSingleEntry,
1814 | 	__in_bcount_opt(SidListLength) PVOID SidList,
1815 | 	__in ULONG SidListLength,
1816 | 	__in_opt PSID StartSid,
1817 | 	__in BOOLEAN RestartScan
1818 | );
1819 | NTSYSAPI
1820 | NTSTATUS
1821 | NTAPI
1822 | ZwQueryVolumeInformationFile(
1823 | 	__in HANDLE FileHandle,
1824 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1825 | 	__out_bcount(Length) PVOID FsInformation,
1826 | 	__in ULONG Length,
1827 | 	__in FS_INFORMATION_CLASS FsInformationClass
1828 | );
1829 | NTSYSAPI
1830 | NTSTATUS
1831 | NTAPI
1832 | ZwReadFile(
1833 | 	__in HANDLE FileHandle,
1834 | 	__in_opt HANDLE Event,
1835 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1836 | 	__in_opt PVOID ApcContext,
1837 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1838 | 	__out_bcount(Length) PVOID Buffer,
1839 | 	__in ULONG Length,
1840 | 	__in_opt PLARGE_INTEGER ByteOffset,
1841 | 	__in_opt PULONG Key
1842 | );
1843 | NTSYSAPI
1844 | NTSTATUS
1845 | NTAPI
1846 | ZwSetInformationFile(
1847 | 	__in HANDLE FileHandle,
1848 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1849 | 	__in_bcount(Length) PVOID FileInformation,
1850 | 	__in ULONG Length,
1851 | 	__in FILE_INFORMATION_CLASS FileInformationClass
1852 | );
1853 | NTSYSAPI
1854 | NTSTATUS
1855 | NTAPI
1856 | ZwSetQuotaInformationFile(
1857 | 	__in HANDLE FileHandle,
1858 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1859 | 	__in_bcount(Length) PVOID Buffer,
1860 | 	__in ULONG Length
1861 | );
1862 | NTSYSAPI
1863 | NTSTATUS
1864 | NTAPI
1865 | ZwSetVolumeInformationFile(
1866 | 	__in HANDLE FileHandle,
1867 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1868 | 	__in_bcount(Length) PVOID FsInformation,
1869 | 	__in ULONG Length,
1870 | 	__in FS_INFORMATION_CLASS FsInformationClass
1871 | );
1872 | NTSYSAPI
1873 | NTSTATUS
1874 | NTAPI
1875 | ZwWriteFile(
1876 | 	__in HANDLE FileHandle,
1877 | 	__in_opt HANDLE Event,
1878 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1879 | 	__in_opt PVOID ApcContext,
1880 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1881 | 	__in_bcount(Length) PVOID Buffer,
1882 | 	__in ULONG Length,
1883 | 	__in_opt PLARGE_INTEGER ByteOffset,
1884 | 	__in_opt PULONG Key
1885 | );
1886 | NTSYSAPI
1887 | NTSTATUS
1888 | NTAPI
1889 | ZwUnlockFile(
1890 | 	__in HANDLE FileHandle,
1891 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1892 | 	__in PLARGE_INTEGER ByteOffset,
1893 | 	__in PLARGE_INTEGER Length,
1894 | 	__in ULONG Key
1895 | );
1896 | NTSYSAPI
1897 | NTSTATUS
1898 | NTAPI
1899 | ZwReadFileScatter(
1900 | 	__in HANDLE FileHandle,
1901 | 	__in_opt HANDLE Event,
1902 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1903 | 	__in_opt PVOID ApcContext,
1904 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1905 | 	__in PFILE_SEGMENT_ELEMENT SegmentArray,
1906 | 	__in ULONG Length,
1907 | 	__in_opt PLARGE_INTEGER ByteOffset,
1908 | 	__in_opt PULONG Key
1909 | );
1910 | 
1911 | NTSYSAPI
1912 | NTSTATUS
1913 | NTAPI
1914 | ZwWriteFileGather(
1915 | 	__in HANDLE FileHandle,
1916 | 	__in_opt HANDLE Event,
1917 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
1918 | 	__in_opt PVOID ApcContext,
1919 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1920 | 	__in PFILE_SEGMENT_ELEMENT SegmentArray,
1921 | 	__in ULONG Length,
1922 | 	__in_opt PLARGE_INTEGER ByteOffset,
1923 | 	__in_opt PULONG Key
1924 | );
1925 | NTSYSAPI
1926 | NTSTATUS
1927 | NTAPI
1928 | ZwLoadDriver(
1929 | 	__in PUNICODE_STRING DriverServiceName
1930 | );
1931 | NTSYSAPI
1932 | NTSTATUS
1933 | NTAPI
1934 | ZwUnloadDriver(
1935 | 	__in PUNICODE_STRING DriverServiceName
1936 | );
1937 | NTSYSAPI
1938 | NTSTATUS
1939 | NTAPI
1940 | ZwCreateIoCompletion(
1941 | 	__out PHANDLE IoCompletionHandle,
1942 | 	__in ACCESS_MASK DesiredAccess,
1943 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
1944 | 	__in ULONG Count OPTIONAL
1945 | );
1946 | NTSYSAPI
1947 | NTSTATUS
1948 | NTAPI
1949 | ZwOpenIoCompletion(
1950 | 	__out PHANDLE IoCompletionHandle,
1951 | 	__in ACCESS_MASK DesiredAccess,
1952 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
1953 | );
1954 | 
1955 | NTSYSAPI
1956 | NTSTATUS
1957 | NTAPI
1958 | ZwSetIoCompletion(
1959 | 	__in HANDLE IoCompletionHandle,
1960 | 	__in PVOID KeyContext,
1961 | 	__in_opt PVOID ApcContext,
1962 | 	__in NTSTATUS IoStatus,
1963 | 	__in ULONG_PTR IoStatusInformation
1964 | );
1965 | NTSYSAPI
1966 | NTSTATUS
1967 | NTAPI
1968 | ZwRemoveIoCompletion(
1969 | 	__in HANDLE IoCompletionHandle,
1970 | 	__out PVOID* KeyContext,
1971 | 	__out PVOID* ApcContext,
1972 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
1973 | 	__in_opt PLARGE_INTEGER Timeout
1974 | );
1975 | NTSYSAPI
1976 | NTSTATUS
1977 | NTAPI
1978 | ZwCallbackReturn(
1979 | 	__in_bcount_opt(OutputLength) PVOID OutputBuffer,
1980 | 	__in ULONG OutputLength,
1981 | 	__in NTSTATUS Status
1982 | );
1983 | NTSYSAPI
1984 | NTSTATUS
1985 | NTAPI
1986 | ZwQueryDebugFilterState(
1987 | 	__in ULONG ComponentId,
1988 | 	__in ULONG Level
1989 | );
1990 | NTSYSAPI
1991 | NTSTATUS
1992 | NTAPI
1993 | ZwSetDebugFilterState(
1994 | 	__in ULONG ComponentId,
1995 | 	__in ULONG Level,
1996 | 	__in BOOLEAN State
1997 | );
1998 | NTSYSAPI
1999 | NTSTATUS
2000 | NTAPI
2001 | ZwYieldExecution(
2002 | 	VOID
2003 | );
2004 | NTSYSAPI
2005 | NTSTATUS
2006 | NTAPI
2007 | ZwCreatePort(
2008 | 	__out PHANDLE PortHandle,
2009 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
2010 | 	__in ULONG MaxConnectionInfoLength,
2011 | 	__in ULONG MaxMessageLength,
2012 | 	__in_opt ULONG MaxPoolUsage
2013 | );
2014 | NTSYSAPI
2015 | NTSTATUS
2016 | NTAPI
2017 | ZwCreateWaitablePort(
2018 | 	__out PHANDLE PortHandle,
2019 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
2020 | 	__in ULONG MaxConnectionInfoLength,
2021 | 	__in ULONG MaxMessageLength,
2022 | 	__in_opt ULONG MaxPoolUsage
2023 | );
2024 | 
2025 | NTSYSAPI
2026 | NTSTATUS
2027 | NTAPI
2028 | ZwCompleteConnectPort(
2029 | 	__in HANDLE PortHandle
2030 | );
2031 | 
2032 | NTSYSAPI
2033 | NTSTATUS
2034 | NTAPI
2035 | ZwCreateSection(
2036 | 	__out PHANDLE SectionHandle,
2037 | 	__in ACCESS_MASK DesiredAccess,
2038 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
2039 | 	__in_opt PLARGE_INTEGER MaximumSize,
2040 | 	__in ULONG SectionPageProtection,
2041 | 	__in ULONG AllocationAttributes,
2042 | 	__in_opt HANDLE FileHandle
2043 | );
2044 | NTSYSAPI
2045 | NTSTATUS
2046 | NTAPI
2047 | ZwOpenSection(
2048 | 	__out PHANDLE SectionHandle,
2049 | 	__in ACCESS_MASK DesiredAccess,
2050 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
2051 | );
2052 | NTSYSAPI
2053 | NTSTATUS
2054 | NTAPI
2055 | ZwMapViewOfSection(
2056 | 	__in HANDLE SectionHandle,
2057 | 	__in HANDLE ProcessHandle,
2058 | 	__inout PVOID* BaseAddress,
2059 | 	__in ULONG_PTR ZeroBits,
2060 | 	__in SIZE_T CommitSize,
2061 | 	__inout_opt PLARGE_INTEGER SectionOffset,
2062 | 	__inout PSIZE_T ViewSize,
2063 | 	__in SECTION_INHERIT InheritDisposition,
2064 | 	__in ULONG AllocationType,
2065 | 	__in ULONG Win32Protect
2066 | );
2067 | NTSYSAPI
2068 | NTSTATUS
2069 | NTAPI
2070 | ZwUnmapViewOfSection(
2071 | 	__in HANDLE ProcessHandle,
2072 | 	__in PVOID BaseAddress
2073 | );
2074 | NTSYSAPI
2075 | NTSTATUS
2076 | NTAPI
2077 | ZwExtendSection(
2078 | 	__in HANDLE SectionHandle,
2079 | 	__inout PLARGE_INTEGER NewSectionSize
2080 | );
2081 | NTSYSAPI
2082 | NTSTATUS
2083 | NTAPI
2084 | ZwAreMappedFilesTheSame(
2085 | 	__in PVOID File1MappedAsAnImage,
2086 | 	__in PVOID File2MappedAsFile
2087 | );
2088 | 
2089 | NTSYSAPI
2090 | NTSTATUS
2091 | NTAPI
2092 | ZwReadVirtualMemory(
2093 | 	__in HANDLE ProcessHandle,
2094 | 	__in_opt PVOID BaseAddress,
2095 | 	__out_bcount(BufferSize) PVOID Buffer,
2096 | 	__in SIZE_T BufferSize,
2097 | 	__out_opt PSIZE_T NumberOfBytesRead
2098 | );
2099 | NTSYSAPI
2100 | NTSTATUS
2101 | NTAPI
2102 | ZwWriteVirtualMemory(
2103 | 	__in HANDLE ProcessHandle,
2104 | 	__in_opt PVOID BaseAddress,
2105 | 	__in_bcount(BufferSize) CONST VOID* Buffer,
2106 | 	__in SIZE_T BufferSize,
2107 | 	__out_opt PSIZE_T NumberOfBytesWritten
2108 | );
2109 | NTSYSAPI
2110 | NTSTATUS
2111 | NTAPI
2112 | ZwFlushVirtualMemory(
2113 | 	__in HANDLE ProcessHandle,
2114 | 	__inout PVOID* BaseAddress,
2115 | 	__inout PSIZE_T RegionSize,
2116 | 	__out PIO_STATUS_BLOCK IoStatus
2117 | );
2118 | NTSYSAPI
2119 | NTSTATUS
2120 | NTAPI
2121 | ZwLockVirtualMemory(
2122 | 	__in HANDLE ProcessHandle,
2123 | 	__inout PVOID* BaseAddress,
2124 | 	__inout PSIZE_T RegionSize,
2125 | 	__in ULONG MapType
2126 | );
2127 | NTSYSAPI
2128 | NTSTATUS
2129 | NTAPI
2130 | ZwUnlockVirtualMemory(
2131 | 	__in HANDLE ProcessHandle,
2132 | 	__inout PVOID* BaseAddress,
2133 | 	__inout PSIZE_T RegionSize,
2134 | 	__in ULONG MapType
2135 | );
2136 | NTSYSAPI
2137 | NTSTATUS
2138 | NTAPI
2139 | ZwProtectVirtualMemory(
2140 | 	__in HANDLE ProcessHandle,
2141 | 	__inout PVOID* BaseAddress,
2142 | 	__inout PSIZE_T RegionSize,
2143 | 	__in ULONG NewProtect,
2144 | 	__out PULONG OldProtect
2145 | );
2146 | NTSYSAPI
2147 | NTSTATUS
2148 | NTAPI
2149 | ZwQueryVirtualMemory(
2150 | 	__in HANDLE ProcessHandle,
2151 | 	__in PVOID BaseAddress,
2152 | 	__in MEMORY_INFORMATION_CLASS MemoryInformationClass,
2153 | 	__out_bcount(MemoryInformationLength) PVOID MemoryInformation,
2154 | 	__in SIZE_T MemoryInformationLength,
2155 | 	__out_opt PSIZE_T ReturnLength
2156 | );
2157 | NTSYSAPI
2158 | NTSTATUS
2159 | NTAPI
2160 | ZwMapUserPhysicalPages(
2161 | 	__in PVOID VirtualAddress,
2162 | 	__in ULONG_PTR NumberOfPages,
2163 | 	__in_ecount_opt(NumberOfPages) PULONG_PTR UserPfnArray
2164 | );
2165 | NTSYSAPI
2166 | NTSTATUS
2167 | NTAPI
2168 | ZwMapUserPhysicalPagesScatter(
2169 | 	__in_ecount(NumberOfPages) PVOID* VirtualAddresses,
2170 | 	__in ULONG_PTR NumberOfPages,
2171 | 	__in_ecount_opt(NumberOfPages) PULONG_PTR UserPfnArray
2172 | );
2173 | NTSYSAPI
2174 | NTSTATUS
2175 | NTAPI
2176 | ZwAllocateUserPhysicalPages(
2177 | 	__in HANDLE ProcessHandle,
2178 | 	__inout PULONG_PTR NumberOfPages,
2179 | 	__out_ecount(*NumberOfPages) PULONG_PTR UserPfnArray
2180 | );
2181 | NTSYSAPI
2182 | NTSTATUS
2183 | NTAPI
2184 | ZwFreeUserPhysicalPages(
2185 | 	__in HANDLE ProcessHandle,
2186 | 	__inout PULONG_PTR NumberOfPages,
2187 | 	__in_ecount(*NumberOfPages) PULONG_PTR UserPfnArray
2188 | );
2189 | NTSYSAPI
2190 | NTSTATUS
2191 | NTAPI
2192 | ZwGetWriteWatch(
2193 | 	__in HANDLE ProcessHandle,
2194 | 	__in ULONG Flags,
2195 | 	__in PVOID BaseAddress,
2196 | 	__in SIZE_T RegionSize,
2197 | 	__out_ecount(*EntriesInUserAddressArray) PVOID* UserAddressArray,
2198 | 	__inout PULONG_PTR EntriesInUserAddressArray,
2199 | 	__out PULONG Granularity
2200 | );
2201 | NTSYSAPI
2202 | NTSTATUS
2203 | NTAPI
2204 | ZwResetWriteWatch(
2205 | 	__in HANDLE ProcessHandle,
2206 | 	__in PVOID BaseAddress,
2207 | 	__in SIZE_T RegionSize
2208 | );
2209 | NTSYSAPI
2210 | NTSTATUS
2211 | NTAPI
2212 | ZwCreatePagingFile(
2213 | 	__in PUNICODE_STRING PageFileName,
2214 | 	__in PLARGE_INTEGER MinimumSize,
2215 | 	__in PLARGE_INTEGER MaximumSize,
2216 | 	__in ULONG Priority
2217 | );
2218 | NTSYSAPI
2219 | NTSTATUS
2220 | NTAPI
2221 | ZwFlushInstructionCache(
2222 | 	__in HANDLE ProcessHandle,
2223 | 	__in_opt PVOID BaseAddress,
2224 | 	__in SIZE_T Length
2225 | );
2226 | NTSYSAPI
2227 | NTSTATUS
2228 | NTAPI
2229 | ZwFlushWriteBuffer(
2230 | 	VOID
2231 | );
2232 | NTSYSAPI
2233 | NTSTATUS
2234 | NTAPI
2235 | ZwQueryObject(
2236 | 	__in HANDLE Handle,
2237 | 	__in OBJECT_INFORMATION_CLASS ObjectInformationClass,
2238 | 	__out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
2239 | 	__in ULONG ObjectInformationLength,
2240 | 	__out_opt PULONG ReturnLength
2241 | );
2242 | NTSYSAPI
2243 | NTSTATUS
2244 | NTAPI
2245 | ZwSetInformationObject(
2246 | 	__in HANDLE Handle,
2247 | 	__in OBJECT_INFORMATION_CLASS ObjectInformationClass,
2248 | 	__in_bcount(ObjectInformationLength) PVOID ObjectInformation,
2249 | 	__in ULONG ObjectInformationLength
2250 | );
2251 | NTSYSAPI
2252 | NTSTATUS
2253 | NTAPI
2254 | ZwDuplicateObject(
2255 | 	__in HANDLE SourceProcessHandle,
2256 | 	__in HANDLE SourceHandle,
2257 | 	__in_opt HANDLE TargetProcessHandle,
2258 | 	__out_opt PHANDLE TargetHandle,
2259 | 	__in ACCESS_MASK DesiredAccess,
2260 | 	__in ULONG HandleAttributes,
2261 | 	__in ULONG Options
2262 | );
2263 | NTSYSAPI
2264 | NTSTATUS
2265 | NTAPI
2266 | ZwMakeTemporaryObject(
2267 | 	__in HANDLE Handle
2268 | );
2269 | NTSYSAPI
2270 | NTSTATUS
2271 | NTAPI
2272 | ZwMakePermanentObject(
2273 | 	__in HANDLE Handle
2274 | );
2275 | NTSYSAPI
2276 | NTSTATUS
2277 | NTAPI
2278 | ZwSignalAndWaitForSingleObject(
2279 | 	__in HANDLE SignalHandle,
2280 | 	__in HANDLE WaitHandle,
2281 | 	__in BOOLEAN Alertable,
2282 | 	__in_opt PLARGE_INTEGER Timeout
2283 | );
2284 | NTSYSAPI
2285 | NTSTATUS
2286 | NTAPI
2287 | ZwWaitForSingleObject(
2288 | 	__in HANDLE Handle,
2289 | 	__in BOOLEAN Alertable,
2290 | 	__in_opt PLARGE_INTEGER Timeout
2291 | );
2292 | NTSYSAPI
2293 | NTSTATUS
2294 | NTAPI
2295 | ZwWaitForMultipleObjects(
2296 | 	__in ULONG Count,
2297 | 	__in_ecount(Count) HANDLE Handles[],
2298 | 	__in WAIT_TYPE WaitType,
2299 | 	__in BOOLEAN Alertable,
2300 | 	__in_opt PLARGE_INTEGER Timeout
2301 | );
2302 | NTSYSAPI
2303 | NTSTATUS
2304 | NTAPI
2305 | ZwWaitForMultipleObjects32(
2306 | 	__in ULONG Count,
2307 | 	__in_ecount(Count) LONG Handles[],
2308 | 	__in WAIT_TYPE WaitType,
2309 | 	__in BOOLEAN Alertable,
2310 | 	__in_opt PLARGE_INTEGER Timeout
2311 | );
2312 | NTSYSAPI
2313 | NTSTATUS
2314 | NTAPI
2315 | ZwSetSecurityObject(
2316 | 	__in HANDLE Handle,
2317 | 	__in SECURITY_INFORMATION SecurityInformation,
2318 | 	__in PSECURITY_DESCRIPTOR SecurityDescriptor
2319 | );
2320 | NTSYSAPI
2321 | NTSTATUS
2322 | NTAPI
2323 | ZwQuerySecurityObject(
2324 | 	__in HANDLE Handle,
2325 | 	__in SECURITY_INFORMATION SecurityInformation,
2326 | 	__out_bcount_opt(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
2327 | 	__in ULONG Length,
2328 | 	__out PULONG LengthNeeded
2329 | );
2330 | NTSYSAPI
2331 | NTSTATUS
2332 | NTAPI
2333 | ZwClose(
2334 | 	__in HANDLE Handle
2335 | );
2336 | NTSYSAPI
2337 | NTSTATUS
2338 | NTAPI
2339 | ZwCreateDirectoryObject(
2340 | 	__out PHANDLE DirectoryHandle,
2341 | 	__in ACCESS_MASK DesiredAccess,
2342 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
2343 | );
2344 | NTSYSAPI
2345 | NTSTATUS
2346 | NTAPI
2347 | ZwOpenDirectoryObject(
2348 | 	__out PHANDLE DirectoryHandle,
2349 | 	__in ACCESS_MASK DesiredAccess,
2350 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
2351 | );
2352 | NTSYSAPI
2353 | NTSTATUS
2354 | NTAPI
2355 | ZwQueryDirectoryObject(
2356 | 	__in HANDLE DirectoryHandle,
2357 | 	__out_bcount_opt(Length) PVOID Buffer,
2358 | 	__in ULONG Length,
2359 | 	__in BOOLEAN ReturnSingleEntry,
2360 | 	__in BOOLEAN RestartScan,
2361 | 	__inout PULONG Context,
2362 | 	__out_opt PULONG ReturnLength
2363 | );
2364 | NTSYSAPI
2365 | NTSTATUS
2366 | NTAPI
2367 | ZwCreateSymbolicLinkObject(
2368 | 	__out PHANDLE LinkHandle,
2369 | 	__in ACCESS_MASK DesiredAccess,
2370 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
2371 | 	__in PUNICODE_STRING LinkTarget
2372 | );
2373 | NTSYSAPI
2374 | NTSTATUS
2375 | NTAPI
2376 | ZwOpenSymbolicLinkObject(
2377 | 	__out PHANDLE LinkHandle,
2378 | 	__in ACCESS_MASK DesiredAccess,
2379 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
2380 | );
2381 | NTSYSAPI
2382 | NTSTATUS
2383 | NTAPI
2384 | ZwQuerySymbolicLinkObject(
2385 | 	__in HANDLE LinkHandle,
2386 | 	__inout PUNICODE_STRING LinkTarget,
2387 | 	__out_opt PULONG ReturnedLength
2388 | );
2389 | 
2390 | NTSYSAPI
2391 | NTSTATUS
2392 | NTAPI
2393 | ZwPowerInformation(
2394 | 	__in POWER_INFORMATION_LEVEL InformationLevel,
2395 | 	__in_bcount_opt(InputBufferLength) PVOID InputBuffer,
2396 | 	__in ULONG InputBufferLength,
2397 | 	__out_bcount_opt(OutputBufferLength) PVOID OutputBuffer,
2398 | 	__in ULONG OutputBufferLength
2399 | );
2400 | NTSYSAPI
2401 | NTSTATUS
2402 | NTAPI
2403 | ZwSetThreadExecutionState(
2404 | 	__in EXECUTION_STATE esFlags,               // ES_xxx flags
2405 | 	__out EXECUTION_STATE* PreviousFlags
2406 | );
2407 | NTSYSAPI
2408 | NTSTATUS
2409 | NTAPI
2410 | ZwRequestWakeupLatency(
2411 | 	__in LATENCY_TIME latency
2412 | );
2413 | NTSYSAPI
2414 | NTSTATUS
2415 | NTAPI
2416 | ZwInitiatePowerAction(
2417 | 	__in POWER_ACTION SystemAction,
2418 | 	__in SYSTEM_POWER_STATE MinSystemState,
2419 | 	__in ULONG Flags,                 // POWER_ACTION_xxx flags
2420 | 	__in BOOLEAN Asynchronous
2421 | );
2422 | NTSYSAPI
2423 | NTSTATUS
2424 | NTAPI
2425 | ZwSetSystemPowerState(
2426 | 	__in POWER_ACTION SystemAction,
2427 | 	__in SYSTEM_POWER_STATE MinSystemState,
2428 | 	__in ULONG Flags                  // POWER_ACTION_xxx flags
2429 | );
2430 | NTSYSAPI
2431 | NTSTATUS
2432 | NTAPI
2433 | ZwGetDevicePowerState(
2434 | 	__in HANDLE Device,
2435 | 	__out DEVICE_POWER_STATE* State
2436 | );
2437 | NTSYSAPI
2438 | NTSTATUS
2439 | NTAPI
2440 | ZwCancelDeviceWakeupRequest(
2441 | 	__in HANDLE Device
2442 | );
2443 | NTSYSAPI
2444 | NTSTATUS
2445 | NTAPI
2446 | ZwRequestDeviceWakeup(
2447 | 	__in HANDLE Device
2448 | );
2449 | NTSYSAPI
2450 | NTSTATUS
2451 | NTAPI
2452 | ZwCreateProcess(
2453 | 	__out PHANDLE ProcessHandle,
2454 | 	__in ACCESS_MASK DesiredAccess,
2455 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
2456 | 	__in HANDLE ParentProcess,
2457 | 	__in BOOLEAN InheritObjectTable,
2458 | 	__in_opt HANDLE SectionHandle,
2459 | 	__in_opt HANDLE DebugPort,
2460 | 	__in_opt HANDLE ExceptionPort
2461 | );
2462 | NTSYSAPI
2463 | NTSTATUS
2464 | NTAPI
2465 | ZwCreateProcessEx(
2466 | 	__out PHANDLE ProcessHandle,
2467 | 	__in ACCESS_MASK DesiredAccess,
2468 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
2469 | 	__in HANDLE ParentProcess,
2470 | 	__in ULONG Flags,
2471 | 	__in_opt HANDLE SectionHandle,
2472 | 	__in_opt HANDLE DebugPort,
2473 | 	__in_opt HANDLE ExceptionPort,
2474 | 	__in ULONG JobMemberLevel
2475 | );
2476 | NTSYSAPI
2477 | NTSTATUS
2478 | NTAPI
2479 | ZwOpenProcess(
2480 | 	__out PHANDLE ProcessHandle,
2481 | 	__in ACCESS_MASK DesiredAccess,
2482 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
2483 | 	__in_opt PCLIENT_ID ClientId
2484 | );
2485 | NTSYSAPI
2486 | NTSTATUS
2487 | NTAPI
2488 | ZwTerminateProcess(
2489 | 	__in_opt HANDLE ProcessHandle,
2490 | 	__in NTSTATUS ExitStatus
2491 | );
2492 | NTSYSAPI
2493 | NTSTATUS
2494 | NTAPI
2495 | ZwQueryInformationProcess(
2496 | 	__in HANDLE ProcessHandle,
2497 | 	__in PROCESSINFOCLASS ProcessInformationClass,
2498 | 	__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
2499 | 	__in ULONG ProcessInformationLength,
2500 | 	__out_opt PULONG ReturnLength
2501 | );
2502 | NTSYSAPI
2503 | NTSTATUS
2504 | NTAPI
2505 | ZwGetNextProcess(
2506 | 	__in HANDLE ProcessHandle,
2507 | 	__in ACCESS_MASK DesiredAccess,
2508 | 	__in ULONG HandleAttributes,
2509 | 	__in ULONG Flags,
2510 | 	__out PHANDLE NewProcessHandle
2511 | );
2512 | NTSYSAPI
2513 | NTSTATUS
2514 | NTAPI
2515 | ZwGetNextThread(
2516 | 	__in HANDLE ProcessHandle,
2517 | 	__in HANDLE ThreadHandle,
2518 | 	__in ACCESS_MASK DesiredAccess,
2519 | 	__in ULONG HandleAttributes,
2520 | 	__in ULONG Flags,
2521 | 	__out PHANDLE NewThreadHandle
2522 | );
2523 | NTSYSAPI
2524 | NTSTATUS
2525 | NTAPI
2526 | ZwQueryPortInformationProcess(
2527 | 	VOID
2528 | );
2529 | NTSYSAPI
2530 | NTSTATUS
2531 | NTAPI
2532 | ZwSetInformationProcess(
2533 | 	__in HANDLE ProcessHandle,
2534 | 	__in PROCESSINFOCLASS ProcessInformationClass,
2535 | 	__in_bcount(ProcessInformationLength) PVOID ProcessInformation,
2536 | 	__in ULONG ProcessInformationLength
2537 | );
2538 | 
2539 | NTSYSAPI
2540 | NTSTATUS
2541 | NTAPI
2542 | ZwOpenThread(
2543 | 	__out PHANDLE ThreadHandle,
2544 | 	__in ACCESS_MASK DesiredAccess,
2545 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
2546 | 	__in_opt PCLIENT_ID ClientId
2547 | );
2548 | NTSYSAPI
2549 | NTSTATUS
2550 | NTAPI
2551 | ZwTerminateThread(
2552 | 	__in_opt HANDLE ThreadHandle,
2553 | 	__in NTSTATUS ExitStatus
2554 | );
2555 | NTSYSAPI
2556 | NTSTATUS
2557 | NTAPI
2558 | ZwSuspendThread(
2559 | 	__in HANDLE ThreadHandle,
2560 | 	__out_opt PULONG PreviousSuspendCount
2561 | );
2562 | NTSYSAPI
2563 | NTSTATUS
2564 | NTAPI
2565 | ZwResumeThread(
2566 | 	__in HANDLE ThreadHandle,
2567 | 	__out_opt PULONG PreviousSuspendCount
2568 | );
2569 | NTSYSAPI
2570 | NTSTATUS
2571 | NTAPI
2572 | ZwSuspendProcess(
2573 | 	__in HANDLE ProcessHandle
2574 | );
2575 | NTSYSAPI
2576 | NTSTATUS
2577 | NTAPI
2578 | ZwResumeProcess(
2579 | 	__in HANDLE ProcessHandle
2580 | );
2581 | NTSYSAPI
2582 | NTSTATUS
2583 | NTAPI
2584 | ZwGetContextThread(
2585 | 	__in HANDLE ThreadHandle,
2586 | 	__inout PCONTEXT ThreadContext
2587 | );
2588 | NTSYSAPI
2589 | NTSTATUS
2590 | NTAPI
2591 | ZwSetContextThread(
2592 | 	__in HANDLE ThreadHandle,
2593 | 	__in PCONTEXT ThreadContext
2594 | );
2595 | NTSYSAPI
2596 | NTSTATUS
2597 | NTAPI
2598 | ZwQueryInformationThread(
2599 | 	__in HANDLE ThreadHandle,
2600 | 	__in THREADINFOCLASS ThreadInformationClass,
2601 | 	__out_bcount(ThreadInformationLength) PVOID ThreadInformation,
2602 | 	__in ULONG ThreadInformationLength,
2603 | 	__out_opt PULONG ReturnLength
2604 | );
2605 | NTSYSAPI
2606 | NTSTATUS
2607 | NTAPI
2608 | ZwSetInformationThread(
2609 | 	__in HANDLE ThreadHandle,
2610 | 	__in THREADINFOCLASS ThreadInformationClass,
2611 | 	__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
2612 | 	__in ULONG ThreadInformationLength
2613 | );
2614 | NTSYSAPI
2615 | NTSTATUS
2616 | NTAPI
2617 | ZwAlertThread(
2618 | 	__in HANDLE ThreadHandle
2619 | );
2620 | NTSYSAPI
2621 | NTSTATUS
2622 | NTAPI
2623 | ZwAlertResumeThread(
2624 | 	__in HANDLE ThreadHandle,
2625 | 	__out_opt PULONG PreviousSuspendCount
2626 | );
2627 | NTSYSAPI
2628 | NTSTATUS
2629 | NTAPI
2630 | ZwImpersonateThread(
2631 | 	__in HANDLE ServerThreadHandle,
2632 | 	__in HANDLE ClientThreadHandle,
2633 | 	__in PSECURITY_QUALITY_OF_SERVICE SecurityQos
2634 | );
2635 | NTSYSAPI
2636 | NTSTATUS
2637 | NTAPI
2638 | ZwTestAlert(
2639 | 	VOID
2640 | );
2641 | NTSYSAPI
2642 | NTSTATUS
2643 | NTAPI
2644 | ZwRegisterThreadTerminatePort(
2645 | 	__in HANDLE PortHandle
2646 | );
2647 | NTSYSAPI
2648 | NTSTATUS
2649 | NTAPI
2650 | ZwSetLdtEntries(
2651 | 	__in ULONG Selector0,
2652 | 	__in ULONG Entry0Low,
2653 | 	__in ULONG Entry0Hi,
2654 | 	__in ULONG Selector1,
2655 | 	__in ULONG Entry1Low,
2656 | 	__in ULONG Entry1Hi
2657 | );
2658 | 
2659 | NTSYSAPI
2660 | NTSTATUS
2661 | NTAPI
2662 | ZwCreateJobObject(
2663 | 	__out PHANDLE JobHandle,
2664 | 	__in ACCESS_MASK DesiredAccess,
2665 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes
2666 | );
2667 | NTSYSAPI
2668 | NTSTATUS
2669 | NTAPI
2670 | ZwOpenJobObject(
2671 | 	__out PHANDLE JobHandle,
2672 | 	__in ACCESS_MASK DesiredAccess,
2673 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
2674 | );
2675 | NTSYSAPI
2676 | NTSTATUS
2677 | NTAPI
2678 | ZwAssignProcessToJobObject(
2679 | 	__in HANDLE JobHandle,
2680 | 	__in HANDLE ProcessHandle
2681 | );
2682 | NTSYSAPI
2683 | NTSTATUS
2684 | NTAPI
2685 | ZwTerminateJobObject(
2686 | 	__in HANDLE JobHandle,
2687 | 	__in NTSTATUS ExitStatus
2688 | );
2689 | NTSYSAPI
2690 | NTSTATUS
2691 | NTAPI
2692 | ZwIsProcessInJob(
2693 | 	__in HANDLE ProcessHandle,
2694 | 	__in_opt HANDLE JobHandle
2695 | );
2696 | 
2697 | NTSYSAPI
2698 | NTSTATUS
2699 | NTAPI
2700 | ZwCreateKey(
2701 | 	__out PHANDLE KeyHandle,
2702 | 	__in ACCESS_MASK DesiredAccess,
2703 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
2704 | 	__reserved ULONG TitleIndex,
2705 | 	__in_opt PUNICODE_STRING Class,
2706 | 	__in ULONG CreateOptions,
2707 | 	__out_opt PULONG Disposition
2708 | );
2709 | NTSYSAPI
2710 | NTSTATUS
2711 | NTAPI
2712 | ZwDeleteKey(
2713 | 	__in HANDLE KeyHandle
2714 | );
2715 | NTSYSAPI
2716 | NTSTATUS
2717 | NTAPI
2718 | ZwDeleteValueKey(
2719 | 	__in HANDLE KeyHandle,
2720 | 	__in PUNICODE_STRING ValueName
2721 | );
2722 | NTSYSAPI
2723 | NTSTATUS
2724 | NTAPI
2725 | ZwEnumerateKey(
2726 | 	__in HANDLE KeyHandle,
2727 | 	__in ULONG Index,
2728 | 	__in KEY_INFORMATION_CLASS KeyInformationClass,
2729 | 	__out_bcount_opt(Length) PVOID KeyInformation,
2730 | 	__in ULONG Length,
2731 | 	__out PULONG ResultLength
2732 | );
2733 | NTSYSAPI
2734 | NTSTATUS
2735 | NTAPI
2736 | ZwEnumerateValueKey(
2737 | 	__in HANDLE KeyHandle,
2738 | 	__in ULONG Index,
2739 | 	__in KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
2740 | 	__out_bcount_opt(Length) PVOID KeyValueInformation,
2741 | 	__in ULONG Length,
2742 | 	__out PULONG ResultLength
2743 | );
2744 | NTSYSAPI
2745 | NTSTATUS
2746 | NTAPI
2747 | ZwFlushKey(
2748 | 	__in HANDLE KeyHandle
2749 | );
2750 | NTSYSAPI
2751 | NTSTATUS
2752 | NTAPI
2753 | ZwInitializeRegistry(
2754 | 	__in USHORT BootCondition
2755 | );
2756 | NTSYSAPI
2757 | NTSTATUS
2758 | NTAPI
2759 | ZwNotifyChangeKey(
2760 | 	__in HANDLE KeyHandle,
2761 | 	__in_opt HANDLE Event,
2762 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
2763 | 	__in_opt PVOID ApcContext,
2764 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
2765 | 	__in ULONG CompletionFilter,
2766 | 	__in BOOLEAN WatchTree,
2767 | 	__out_bcount_opt(BufferSize) PVOID Buffer,
2768 | 	__in ULONG BufferSize,
2769 | 	__in BOOLEAN Asynchronous
2770 | );
2771 | NTSYSAPI
2772 | NTSTATUS
2773 | NTAPI
2774 | ZwNotifyChangeMultipleKeys(
2775 | 	__in HANDLE MasterKeyHandle,
2776 | 	__in_opt ULONG Count,
2777 | 	__in_ecount_opt(Count) OBJECT_ATTRIBUTES SlaveObjects[],
2778 | 	__in_opt HANDLE Event,
2779 | 	__in_opt PIO_APC_ROUTINE ApcRoutine,
2780 | 	__in_opt PVOID ApcContext,
2781 | 	__out PIO_STATUS_BLOCK IoStatusBlock,
2782 | 	__in ULONG CompletionFilter,
2783 | 	__in BOOLEAN WatchTree,
2784 | 	__out_bcount_opt(BufferSize) PVOID Buffer,
2785 | 	__in ULONG BufferSize,
2786 | 	__in BOOLEAN Asynchronous
2787 | );
2788 | NTSYSAPI
2789 | NTSTATUS
2790 | NTAPI
2791 | ZwLoadKey(
2792 | 	__in POBJECT_ATTRIBUTES TargetKey,
2793 | 	__in POBJECT_ATTRIBUTES SourceFile
2794 | );
2795 | NTSYSAPI
2796 | NTSTATUS
2797 | NTAPI
2798 | ZwLoadKey2(
2799 | 	__in POBJECT_ATTRIBUTES   TargetKey,
2800 | 	__in POBJECT_ATTRIBUTES   SourceFile,
2801 | 	__in ULONG                Flags
2802 | );
2803 | NTSYSAPI
2804 | NTSTATUS
2805 | NTAPI
2806 | ZwLoadKeyEx(
2807 | 	__in POBJECT_ATTRIBUTES   TargetKey,
2808 | 	__in POBJECT_ATTRIBUTES   SourceFile,
2809 | 	__in ULONG                Flags,
2810 | 	__in_opt HANDLE           TrustClassKey
2811 | );
2812 | NTSYSAPI
2813 | NTSTATUS
2814 | NTAPI
2815 | ZwOpenKey(
2816 | 	__out PHANDLE KeyHandle,
2817 | 	__in ACCESS_MASK DesiredAccess,
2818 | 	__in POBJECT_ATTRIBUTES ObjectAttributes
2819 | );
2820 | NTSYSAPI
2821 | NTSTATUS
2822 | NTAPI
2823 | ZwQueryKey(
2824 | 	__in HANDLE KeyHandle,
2825 | 	__in KEY_INFORMATION_CLASS KeyInformationClass,
2826 | 	__out_bcount_opt(Length) PVOID KeyInformation,
2827 | 	__in ULONG Length,
2828 | 	__out PULONG ResultLength
2829 | );
2830 | NTSYSAPI
2831 | NTSTATUS
2832 | NTAPI
2833 | ZwQueryValueKey(
2834 | 	__in HANDLE KeyHandle,
2835 | 	__in PUNICODE_STRING ValueName,
2836 | 	__in KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
2837 | 	__out_bcount_opt(Length) PVOID KeyValueInformation,
2838 | 	__in ULONG Length,
2839 | 	__out PULONG ResultLength
2840 | );
2841 | NTSYSAPI
2842 | NTSTATUS
2843 | NTAPI
2844 | ZwQueryMultipleValueKey(
2845 | 	__in HANDLE KeyHandle,
2846 | 	__inout_ecount(EntryCount) PKEY_VALUE_ENTRY ValueEntries,
2847 | 	__in ULONG EntryCount,
2848 | 	__out_bcount(*BufferLength) PVOID ValueBuffer,
2849 | 	__inout PULONG BufferLength,
2850 | 	__out_opt PULONG RequiredBufferLength
2851 | );
2852 | NTSYSAPI
2853 | NTSTATUS
2854 | NTAPI
2855 | ZwReplaceKey(
2856 | 	__in POBJECT_ATTRIBUTES NewFile,
2857 | 	__in HANDLE             TargetHandle,
2858 | 	__in POBJECT_ATTRIBUTES OldFile
2859 | );
2860 | NTSYSAPI
2861 | NTSTATUS
2862 | NTAPI
2863 | ZwRenameKey(
2864 | 	__in HANDLE           KeyHandle,
2865 | 	__in PUNICODE_STRING  NewName
2866 | );
2867 | NTSYSAPI
2868 | NTSTATUS
2869 | NTAPI
2870 | ZwCompactKeys(
2871 | 	__in ULONG Count,
2872 | 	__in_ecount(Count) HANDLE KeyArray[]
2873 | );
2874 | NTSYSAPI
2875 | NTSTATUS
2876 | NTAPI
2877 | ZwCompressKey(
2878 | 	__in HANDLE Key
2879 | );
2880 | NTSYSAPI
2881 | NTSTATUS
2882 | NTAPI
2883 | ZwRestoreKey(
2884 | 	__in HANDLE KeyHandle,
2885 | 	__in HANDLE FileHandle,
2886 | 	__in ULONG Flags
2887 | );
2888 | NTSYSAPI
2889 | NTSTATUS
2890 | NTAPI
2891 | ZwSaveKey(
2892 | 	__in HANDLE KeyHandle,
2893 | 	__in HANDLE FileHandle
2894 | );
2895 | NTSYSAPI
2896 | NTSTATUS
2897 | NTAPI
2898 | ZwSaveKeyEx(
2899 | 	__in HANDLE KeyHandle,
2900 | 	__in HANDLE FileHandle,
2901 | 	__in ULONG  Format
2902 | );
2903 | NTSYSAPI
2904 | NTSTATUS
2905 | NTAPI
2906 | ZwSaveMergedKeys(
2907 | 	__in HANDLE HighPrecedenceKeyHandle,
2908 | 	__in HANDLE LowPrecedenceKeyHandle,
2909 | 	__in HANDLE FileHandle
2910 | );
2911 | NTSYSAPI
2912 | NTSTATUS
2913 | NTAPI
2914 | ZwSetValueKey(
2915 | 	__in HANDLE KeyHandle,
2916 | 	__in PUNICODE_STRING ValueName,
2917 | 	__in_opt ULONG TitleIndex,
2918 | 	__in ULONG Type,
2919 | 	__in_bcount_opt(DataSize) PVOID Data,
2920 | 	__in ULONG DataSize
2921 | );
2922 | NTSYSAPI
2923 | NTSTATUS
2924 | NTAPI
2925 | ZwUnloadKey(
2926 | 	__in POBJECT_ATTRIBUTES TargetKey
2927 | );
2928 | NTSYSAPI
2929 | NTSTATUS
2930 | NTAPI
2931 | ZwUnloadKey2(
2932 | 	__in POBJECT_ATTRIBUTES   TargetKey,
2933 | 	__in ULONG                Flags
2934 | );
2935 | NTSYSAPI
2936 | NTSTATUS
2937 | NTAPI
2938 | ZwUnloadKeyEx(
2939 | 	__in POBJECT_ATTRIBUTES TargetKey,
2940 | 	__in_opt HANDLE Event
2941 | );
2942 | NTSYSAPI
2943 | NTSTATUS
2944 | NTAPI
2945 | ZwSetInformationKey(
2946 | 	__in HANDLE KeyHandle,
2947 | 	__in KEY_SET_INFORMATION_CLASS KeySetInformationClass,
2948 | 	__in_bcount(KeySetInformationLength) PVOID KeySetInformation,
2949 | 	__in ULONG KeySetInformationLength
2950 | );
2951 | NTSYSAPI
2952 | NTSTATUS
2953 | NTAPI
2954 | ZwQueryOpenSubKeys(
2955 | 	__in POBJECT_ATTRIBUTES TargetKey,
2956 | 	__out PULONG  HandleCount
2957 | );
2958 | NTSYSAPI
2959 | NTSTATUS
2960 | NTAPI
2961 | ZwQueryOpenSubKeysEx(
2962 | 	__in POBJECT_ATTRIBUTES   TargetKey,
2963 | 	__in ULONG                BufferLength,
2964 | 	__out_bcount(BufferLength) PVOID               Buffer,
2965 | 	__out PULONG              RequiredSize
2966 | );
2967 | NTSYSAPI
2968 | NTSTATUS
2969 | NTAPI
2970 | ZwLockRegistryKey(
2971 | 	__in HANDLE           KeyHandle
2972 | );
2973 | NTSYSAPI
2974 | NTSTATUS
2975 | NTAPI
2976 | ZwLockProductActivationKeys(
2977 | 	__inout_opt ULONG* pPrivateVer,
2978 | 	__out_opt ULONG* pSafeMode
2979 | );
2980 | NTSYSAPI
2981 | NTSTATUS
2982 | NTAPI
2983 | ZwAccessCheck(
2984 | 	__in PSECURITY_DESCRIPTOR SecurityDescriptor,
2985 | 	__in HANDLE ClientToken,
2986 | 	__in ACCESS_MASK DesiredAccess,
2987 | 	__in PGENERIC_MAPPING GenericMapping,
2988 | 	__out_bcount(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
2989 | 	__inout PULONG PrivilegeSetLength,
2990 | 	__out PACCESS_MASK GrantedAccess,
2991 | 	__out PNTSTATUS AccessStatus
2992 | );
2993 | NTSYSAPI
2994 | NTSTATUS
2995 | NTAPI
2996 | ZwAccessCheckByType(
2997 | 	__in PSECURITY_DESCRIPTOR SecurityDescriptor,
2998 | 	__in_opt PSID PrincipalSelfSid,
2999 | 	__in HANDLE ClientToken,
3000 | 	__in ACCESS_MASK DesiredAccess,
3001 | 	__in_ecount(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
3002 | 	__in ULONG ObjectTypeListLength,
3003 | 	__in PGENERIC_MAPPING GenericMapping,
3004 | 	__out_bcount(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
3005 | 	__inout PULONG PrivilegeSetLength,
3006 | 	__out PACCESS_MASK GrantedAccess,
3007 | 	__out PNTSTATUS AccessStatus
3008 | );
3009 | NTSYSAPI
3010 | NTSTATUS
3011 | NTAPI
3012 | ZwAccessCheckByTypeResultList(
3013 | 	__in PSECURITY_DESCRIPTOR SecurityDescriptor,
3014 | 	__in_opt PSID PrincipalSelfSid,
3015 | 	__in HANDLE ClientToken,
3016 | 	__in ACCESS_MASK DesiredAccess,
3017 | 	__in_ecount(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
3018 | 	__in ULONG ObjectTypeListLength,
3019 | 	__in PGENERIC_MAPPING GenericMapping,
3020 | 	__out_bcount(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet,
3021 | 	__inout PULONG PrivilegeSetLength,
3022 | 	__out_ecount(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
3023 | 	__out_ecount(ObjectTypeListLength) PNTSTATUS AccessStatus
3024 | );
3025 | NTSYSAPI
3026 | NTSTATUS
3027 | NTAPI
3028 | ZwCreateToken(
3029 | 	__out PHANDLE TokenHandle,
3030 | 	__in ACCESS_MASK DesiredAccess,
3031 | 	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
3032 | 	__in TOKEN_TYPE TokenType,
3033 | 	__in PLUID AuthenticationId,
3034 | 	__in PLARGE_INTEGER ExpirationTime,
3035 | 	__in PTOKEN_USER User,
3036 | 	__in PTOKEN_GROUPS Groups,
3037 | 	__in PTOKEN_PRIVILEGES Privileges,
3038 | 	__in_opt PTOKEN_OWNER Owner,
3039 | 	__in PTOKEN_PRIMARY_GROUP PrimaryGroup,
3040 | 	__in_opt PTOKEN_DEFAULT_DACL DefaultDacl,
3041 | 	__in PTOKEN_SOURCE TokenSource
3042 | );
3043 | NTSYSAPI
3044 | NTSTATUS
3045 | NTAPI
3046 | ZwCompareTokens(
3047 | 	__in HANDLE FirstTokenHandle,
3048 | 	__in HANDLE SecondTokenHandle,
3049 | 	__out PBOOLEAN Equal
3050 | );
3051 | NTSYSAPI
3052 | NTSTATUS
3053 | NTAPI
3054 | ZwOpenThreadToken(
3055 | 	__in HANDLE ThreadHandle,
3056 | 	__in ACCESS_MASK DesiredAccess,
3057 | 	__in BOOLEAN OpenAsSelf,
3058 | 	__out PHANDLE TokenHandle
3059 | );
3060 | NTSYSAPI
3061 | NTSTATUS
3062 | NTAPI
3063 | ZwOpenThreadTokenEx(
3064 | 	__in HANDLE ThreadHandle,
3065 | 	__in ACCESS_MASK DesiredAccess,
3066 | 	__in BOOLEAN OpenAsSelf,
3067 | 	__in ULONG HandleAttributes,
3068 | 	__out PHANDLE TokenHandle
3069 | );
3070 | NTSYSAPI
3071 | NTSTATUS
3072 | NTAPI
3073 | ZwOpenProcessToken(
3074 | 	__in HANDLE ProcessHandle,
3075 | 	__in ACCESS_MASK DesiredAccess,
3076 | 	__out PHANDLE TokenHandle
3077 | );
3078 | NTSYSAPI
3079 | NTSTATUS
3080 | NTAPI
3081 | ZwOpenProcessTokenEx(
3082 | 	__in HANDLE ProcessHandle,
3083 | 	__in ACCESS_MASK DesiredAccess,
3084 | 	__in ULONG HandleAttributes,
3085 | 	__out PHANDLE TokenHandle
3086 | );
3087 | NTSYSAPI
3088 | NTSTATUS
3089 | NTAPI
3090 | ZwDuplicateToken(
3091 | 	__in HANDLE ExistingTokenHandle,
3092 | 	__in ACCESS_MASK DesiredAccess,
3093 | 	__in POBJECT_ATTRIBUTES ObjectAttributes,
3094 | 	__in BOOLEAN EffectiveOnly,
3095 | 	__in TOKEN_TYPE TokenType,
3096 | 	__out PHANDLE NewTokenHandle
3097 | );
3098 | NTSYSAPI
3099 | NTSTATUS
3100 | NTAPI
3101 | ZwFilterToken(
3102 | 	__in HANDLE ExistingTokenHandle,
3103 | 	__in ULONG Flags,
3104 | 	__in_opt PTOKEN_GROUPS SidsToDisable,
3105 | 	__in_opt PTOKEN_PRIVILEGES PrivilegesToDelete,
3106 | 	__in_opt PTOKEN_GROUPS RestrictedSids,
3107 | 	__out PHANDLE NewTokenHandle
3108 | );
3109 | NTSYSAPI
3110 | NTSTATUS
3111 | NTAPI
3112 | ZwImpersonateAnonymousToken(
3113 | 	__in HANDLE ThreadHandle
3114 | );
3115 | NTSYSAPI
3116 | NTSTATUS
3117 | NTAPI
3118 | ZwQueryInformationToken(
3119 | 	__in HANDLE TokenHandle,
3120 | 	__in TOKEN_INFORMATION_CLASS TokenInformationClass,
3121 | 	__out_bcount_part_opt(TokenInformationLength, *ReturnLength) PVOID TokenInformation,
3122 | 	__in ULONG TokenInformationLength,
3123 | 	__out PULONG ReturnLength
3124 | );
3125 | NTSYSAPI
3126 | NTSTATUS
3127 | NTAPI
3128 | ZwSetInformationToken(
3129 | 	__in HANDLE TokenHandle,
3130 | 	__in TOKEN_INFORMATION_CLASS TokenInformationClass,
3131 | 	__in_bcount(TokenInformationLength) PVOID TokenInformation,
3132 | 	__in ULONG TokenInformationLength
3133 | );
3134 | NTSYSAPI
3135 | NTSTATUS
3136 | NTAPI
3137 | ZwAdjustPrivilegesToken(
3138 | 	__in HANDLE TokenHandle,
3139 | 	__in BOOLEAN DisableAllPrivileges,
3140 | 	__in_opt PTOKEN_PRIVILEGES NewState,
3141 | 	__in_opt ULONG BufferLength,
3142 | 	__out_bcount_part_opt(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState,
3143 | 	__out_opt PULONG ReturnLength
3144 | );
3145 | NTSYSAPI
3146 | NTSTATUS
3147 | NTAPI
3148 | ZwAdjustGroupsToken(
3149 | 	__in HANDLE TokenHandle,
3150 | 	__in BOOLEAN ResetToDefault,
3151 | 	__in PTOKEN_GROUPS NewState,
3152 | 	__in_opt ULONG BufferLength,
3153 | 	__out_bcount_part_opt(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState,
3154 | 	__out PULONG ReturnLength
3155 | );
3156 | NTSYSAPI
3157 | NTSTATUS
3158 | NTAPI
3159 | ZwPrivilegeCheck(
3160 | 	__in HANDLE ClientToken,
3161 | 	__inout PPRIVILEGE_SET RequiredPrivileges,
3162 | 	__out PBOOLEAN Result
3163 | );
3164 | NTSYSAPI
3165 | NTSTATUS
3166 | NTAPI
3167 | ZwAccessCheckAndAuditAlarm(
3168 | 	__in PUNICODE_STRING SubsystemName,
3169 | 	__in_opt PVOID HandleId,
3170 | 	__in PUNICODE_STRING ObjectTypeName,
3171 | 	__in PUNICODE_STRING ObjectName,
3172 | 	__in PSECURITY_DESCRIPTOR SecurityDescriptor,
3173 | 	__in ACCESS_MASK DesiredAccess,
3174 | 	__in PGENERIC_MAPPING GenericMapping,
3175 | 	__in BOOLEAN ObjectCreation,
3176 | 	__out PACCESS_MASK GrantedAccess,
3177 | 	__out PNTSTATUS AccessStatus,
3178 | 	__out PBOOLEAN GenerateOnClose
3179 | );
3180 | NTSYSAPI
3181 | NTSTATUS
3182 | NTAPI
3183 | ZwAccessCheckByTypeAndAuditAlarm(
3184 | 	__in PUNICODE_STRING SubsystemName,
3185 | 	__in_opt PVOID HandleId,
3186 | 	__in PUNICODE_STRING ObjectTypeName,
3187 | 	__in PUNICODE_STRING ObjectName,
3188 | 	__in PSECURITY_DESCRIPTOR SecurityDescriptor,
3189 | 	__in_opt PSID PrincipalSelfSid,
3190 | 	__in ACCESS_MASK DesiredAccess,
3191 | 	__in AUDIT_EVENT_TYPE AuditType,
3192 | 	__in ULONG Flags,
3193 | 	__in_ecount_opt(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
3194 | 	__in ULONG ObjectTypeListLength,
3195 | 	__in PGENERIC_MAPPING GenericMapping,
3196 | 	__in BOOLEAN ObjectCreation,
3197 | 	__out PACCESS_MASK GrantedAccess,
3198 | 	__out PNTSTATUS AccessStatus,
3199 | 	__out PBOOLEAN GenerateOnClose
3200 | );
3201 | NTSYSAPI
3202 | NTSTATUS
3203 | NTAPI
3204 | ZwAccessCheckByTypeResultListAndAuditAlarm(
3205 | 	__in PUNICODE_STRING SubsystemName,
3206 | 	__in_opt PVOID HandleId,
3207 | 	__in PUNICODE_STRING ObjectTypeName,
3208 | 	__in PUNICODE_STRING ObjectName,
3209 | 	__in PSECURITY_DESCRIPTOR SecurityDescriptor,
3210 | 	__in_opt PSID PrincipalSelfSid,
3211 | 	__in ACCESS_MASK DesiredAccess,
3212 | 	__in AUDIT_EVENT_TYPE AuditType,
3213 | 	__in ULONG Flags,
3214 | 	__in_ecount_opt(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
3215 | 	__in ULONG ObjectTypeListLength,
3216 | 	__in PGENERIC_MAPPING GenericMapping,
3217 | 	__in BOOLEAN ObjectCreation,
3218 | 	__out_ecount(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
3219 | 	__out_ecount(ObjectTypeListLength) PNTSTATUS AccessStatus,
3220 | 	__out PBOOLEAN GenerateOnClose
3221 | );
3222 | NTSYSAPI
3223 | NTSTATUS
3224 | NTAPI
3225 | ZwAccessCheckByTypeResultListAndAuditAlarmByHandle(
3226 | 	__in PUNICODE_STRING SubsystemName,
3227 | 	__in_opt PVOID HandleId,
3228 | 	__in HANDLE ClientToken,
3229 | 	__in PUNICODE_STRING ObjectTypeName,
3230 | 	__in PUNICODE_STRING ObjectName,
3231 | 	__in PSECURITY_DESCRIPTOR SecurityDescriptor,
3232 | 	__in_opt PSID PrincipalSelfSid,
3233 | 	__in ACCESS_MASK DesiredAccess,
3234 | 	__in AUDIT_EVENT_TYPE AuditType,
3235 | 	__in ULONG Flags,
3236 | 	__in_ecount_opt(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList,
3237 | 	__in ULONG ObjectTypeListLength,
3238 | 	__in PGENERIC_MAPPING GenericMapping,
3239 | 	__in BOOLEAN ObjectCreation,
3240 | 	__out_ecount(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
3241 | 	__out_ecount(ObjectTypeListLength) PNTSTATUS AccessStatus,
3242 | 	__out PBOOLEAN GenerateOnClose
3243 | );
3244 | NTSYSAPI
3245 | NTSTATUS
3246 | NTAPI
3247 | ZwOpenObjectAuditAlarm(
3248 | 	__in PUNICODE_STRING SubsystemName,
3249 | 	__in_opt PVOID HandleId,
3250 | 	__in PUNICODE_STRING ObjectTypeName,
3251 | 	__in PUNICODE_STRING ObjectName,
3252 | 	__in_opt PSECURITY_DESCRIPTOR SecurityDescriptor,
3253 | 	__in HANDLE ClientToken,
3254 | 	__in ACCESS_MASK DesiredAccess,
3255 | 	__in ACCESS_MASK GrantedAccess,
3256 | 	__in_opt PPRIVILEGE_SET Privileges,
3257 | 	__in BOOLEAN ObjectCreation,
3258 | 	__in BOOLEAN AccessGranted,
3259 | 	__out PBOOLEAN GenerateOnClose
3260 | );
3261 | NTSYSAPI
3262 | NTSTATUS
3263 | NTAPI
3264 | ZwPrivilegeObjectAuditAlarm(
3265 | 	__in PUNICODE_STRING SubsystemName,
3266 | 	__in_opt PVOID HandleId,
3267 | 	__in HANDLE ClientToken,
3268 | 	__in ACCESS_MASK DesiredAccess,
3269 | 	__in PPRIVILEGE_SET Privileges,
3270 | 	__in BOOLEAN AccessGranted
3271 | );
3272 | NTSYSAPI
3273 | NTSTATUS
3274 | NTAPI
3275 | ZwCloseObjectAuditAlarm(
3276 | 	__in PUNICODE_STRING SubsystemName,
3277 | 	__in_opt PVOID HandleId,
3278 | 	__in BOOLEAN GenerateOnClose
3279 | );
3280 | NTSYSAPI
3281 | NTSTATUS
3282 | NTAPI
3283 | ZwDeleteObjectAuditAlarm(
3284 | 	__in PUNICODE_STRING SubsystemName,
3285 | 	__in_opt PVOID HandleId,
3286 | 	__in BOOLEAN GenerateOnClose
3287 | );
3288 | NTSYSAPI
3289 | NTSTATUS
3290 | NTAPI
3291 | ZwPrivilegedServiceAuditAlarm(
3292 | 	__in PUNICODE_STRING SubsystemName,
3293 | 	__in PUNICODE_STRING ServiceName,
3294 | 	__in HANDLE ClientToken,
3295 | 	__in PPRIVILEGE_SET Privileges,
3296 | 	__in BOOLEAN AccessGranted
3297 | );
3298 | NTSYSAPI
3299 | NTSTATUS
3300 | NTAPI
3301 | ZwTraceEvent(
3302 | 	__in HANDLE TraceHandle,
3303 | 	__in ULONG Flags,
3304 | 	__in ULONG FieldSize,
3305 | 	__in PVOID Fields
3306 | );
3307 | NTSYSAPI
3308 | NTSTATUS
3309 | NTAPI
3310 | ZwContinue(
3311 | 	__in PCONTEXT ContextRecord,
3312 | 	__in BOOLEAN TestAlert
3313 | );
3314 | NTSYSAPI
3315 | NTSTATUS
3316 | NTAPI
3317 | ZwRaiseException(
3318 | 	__in PEXCEPTION_RECORD ExceptionRecord,
3319 | 	__in PCONTEXT ContextRecord,
3320 | 	__in BOOLEAN FirstChance
3321 | );
3322 | 
3323 | NTSTATUS NTAPI MmCopyVirtualMemory
3324 | (
3325 | 	PEPROCESS SourceProcess,
3326 | 	PVOID SourceAddress,
3327 | 	PEPROCESS TargetProcess,
3328 | 	PVOID TargetAddress,
3329 | 	SIZE_T BufferSize,
3330 | 	KPROCESSOR_MODE PreviousMode,
3331 | 	PSIZE_T ReturnSize
3332 | );
3333 | 


--------------------------------------------------------------------------------
/EAC_Bypass/ntstructs.hpp:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | typedef struct _OPERATION_INFO_ENTRY
  4 | {
  5 | 	LIST_ENTRY    ListEntry;
  6 | 	OB_OPERATION  Operation;
  7 | 	ULONG         Flags;
  8 | 	PVOID         Object;
  9 | 	POBJECT_TYPE  ObjectType;
 10 | 	ACCESS_MASK   AccessMask;
 11 | } OPERATION_INFO_ENTRY, * POPERATION_INFO_ENTRY;
 12 | 
 13 | 
 14 | typedef struct _THREAD_BASIC_INFORMATION
 15 | {
 16 | 	NTSTATUS                ExitStatus;
 17 | 	PVOID                   TebBaseAddress;
 18 | 	CLIENT_ID               ClientId;
 19 | 	KAFFINITY               AffinityMask;
 20 | 	KPRIORITY               Priority;
 21 | 	KPRIORITY               BasePriority;
 22 | } THREAD_BASIC_INFORMATION, * PTHREAD_BASIC_INFORMATION;
 23 | 
 24 | 
 25 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
 26 | {
 27 | 	HANDLE Section;
 28 | 	PVOID MappedBase;
 29 | 	PVOID ImageBase;
 30 | 	ULONG ImageSize;
 31 | 	ULONG Flags;
 32 | 	USHORT LoadOrderIndex;
 33 | 	USHORT InitOrderIndex;
 34 | 	USHORT LoadCount;
 35 | 	USHORT OffsetToFileName;
 36 | 	UCHAR FullPathName[256];
 37 | } RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
 38 | 
 39 | typedef struct _SYSTEM_THREAD {
 40 | 	LARGE_INTEGER           KernelTime;
 41 | 	LARGE_INTEGER           UserTime;
 42 | 	LARGE_INTEGER           CreateTime;
 43 | 	ULONG                   WaitTime;
 44 | 	PVOID                   StartAddress;
 45 | 	CLIENT_ID               ClientId;
 46 | 	KPRIORITY               Priority;
 47 | 	LONG                    BasePriority;
 48 | 	ULONG                   ContextSwitchCount;
 49 | 	ULONG                   State;
 50 | 	KWAIT_REASON            WaitReason;
 51 | } SYSTEM_THREAD, * PSYSTEM_THREAD;
 52 | 
 53 | typedef struct _SYSTEM_THREAD_INFORMATION
 54 | {
 55 | 	LARGE_INTEGER KernelTime;
 56 | 	LARGE_INTEGER UserTime;
 57 | 	LARGE_INTEGER CreateTime;
 58 | 	ULONG WaitTime;
 59 | 	PVOID StartAddress;
 60 | 	CLIENT_ID ClientId;
 61 | 	KPRIORITY Priority;
 62 | 	LONG BasePriority;
 63 | 	ULONG ContextSwitches;
 64 | 	ULONG ThreadState;
 65 | 	KWAIT_REASON WaitReason;
 66 | } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
 67 | 
 68 | typedef struct _SYSTEM_PROCESS_INFORMATION
 69 | {
 70 | 	ULONG NextEntryOffset;
 71 | 	ULONG NumberOfThreads;
 72 | 	LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
 73 | 	ULONG HardFaultCount; // since WIN7
 74 | 	ULONG NumberOfThreadsHighWatermark; // since WIN7
 75 | 	ULONGLONG CycleTime; // since WIN7
 76 | 	LARGE_INTEGER CreateTime;
 77 | 	LARGE_INTEGER UserTime;
 78 | 	LARGE_INTEGER KernelTime;
 79 | 	UNICODE_STRING ImageName;
 80 | 	KPRIORITY BasePriority;
 81 | 	HANDLE UniqueProcessId;
 82 | 	HANDLE InheritedFromUniqueProcessId;
 83 | 	ULONG HandleCount;
 84 | 	ULONG SessionId;
 85 | 	ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
 86 | 	SIZE_T PeakVirtualSize;
 87 | 	SIZE_T VirtualSize;
 88 | 	ULONG PageFaultCount;
 89 | 	SIZE_T PeakWorkingSetSize;
 90 | 	SIZE_T WorkingSetSize;
 91 | 	SIZE_T QuotaPeakPagedPoolUsage;
 92 | 	SIZE_T QuotaPagedPoolUsage;
 93 | 	SIZE_T QuotaPeakNonPagedPoolUsage;
 94 | 	SIZE_T QuotaNonPagedPoolUsage;
 95 | 	SIZE_T PagefileUsage;
 96 | 	SIZE_T PeakPagefileUsage;
 97 | 	SIZE_T PrivatePageCount;
 98 | 	LARGE_INTEGER ReadOperationCount;
 99 | 	LARGE_INTEGER WriteOperationCount;
100 | 	LARGE_INTEGER OtherOperationCount;
101 | 	LARGE_INTEGER ReadTransferCount;
102 | 	LARGE_INTEGER WriteTransferCount;
103 | 	LARGE_INTEGER OtherTransferCount;
104 | 	SYSTEM_THREAD_INFORMATION Threads[1];
105 | } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
106 | 
107 | typedef struct _RTL_PROCESS_MODULES
108 | {
109 | 	ULONG NumberOfModules;
110 | 	RTL_PROCESS_MODULE_INFORMATION Modules[ANYSIZE_ARRAY];
111 | }RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
112 | 
113 | typedef struct _IMAGE_SECTION_HEADER {
114 | 	char  Name[8];
115 | 	union {
116 | 		ULONG PhysicalAddress;
117 | 		ULONG VirtualSize;
118 | 	} Misc;
119 | 	ULONG VirtualAddress;
120 | 	ULONG SizeOfRawData;
121 | 	ULONG PointerToRawData;
122 | 	ULONG PointerToRelocations;
123 | 	ULONG PointerToLinenumbers;
124 | 	WORD  NumberOfRelocations;
125 | 	WORD  NumberOfLinenumbers;
126 | 	ULONG Characteristics;
127 | } IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;
128 | 
129 | typedef struct _IMAGE_FILE_HEADER {
130 | 	WORD  Machine;
131 | 	WORD  NumberOfSections;
132 | 	ULONG TimeDateStamp;
133 | 	ULONG PointerToSymbolTable;
134 | 	ULONG NumberOfSymbols;
135 | 	WORD  SizeOfOptionalHeader;
136 | 	WORD  Characteristics;
137 | } IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
138 | 
139 | typedef struct _IMAGE_DATA_DIRECTORY {
140 | 	ULONG VirtualAddress;
141 | 	ULONG Size;
142 | } IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
143 | 
144 | typedef struct _IMAGE_OPTIONAL_HEADER64 {
145 | 	WORD        Magic;
146 | 	char        MajorLinkerVersion;
147 | 	char        MinorLinkerVersion;
148 | 	ULONG       SizeOfCode;
149 | 	ULONG       SizeOfInitializedData;
150 | 	ULONG       SizeOfUninitializedData;
151 | 	ULONG       AddressOfEntryPoint;
152 | 	ULONG       BaseOfCode;
153 | 	ULONGLONG   ImageBase;
154 | 	ULONG       SectionAlignment;
155 | 	ULONG       FileAlignment;
156 | 	WORD        MajorOperatingSystemVersion;
157 | 	WORD        MinorOperatingSystemVersion;
158 | 	WORD        MajorImageVersion;
159 | 	WORD        MinorImageVersion;
160 | 	WORD        MajorSubsystemVersion;
161 | 	WORD        MinorSubsystemVersion;
162 | 	ULONG       Win32VersionValue;
163 | 	ULONG       SizeOfImage;
164 | 	ULONG       SizeOfHeaders;
165 | 	ULONG       CheckSum;
166 | 	WORD        Subsystem;
167 | 	WORD        DllCharacteristics;
168 | 	ULONGLONG   SizeOfStackReserve;
169 | 	ULONGLONG   SizeOfStackCommit;
170 | 	ULONGLONG   SizeOfHeapReserve;
171 | 	ULONGLONG   SizeOfHeapCommit;
172 | 	ULONG       LoaderFlags;
173 | 	ULONG       NumberOfRvaAndSizes;
174 | 	IMAGE_DATA_DIRECTORY DataDirectory[16];
175 | } IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
176 | 
177 | typedef struct _IMAGE_NT_HEADERS64 {
178 | 	ULONG                   Signature;
179 | 	IMAGE_FILE_HEADER       FileHeader;
180 | 	IMAGE_OPTIONAL_HEADER64 OptionalHeader;
181 | } IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
182 | 
183 | 
184 | typedef struct _OBJECT_TYPE_INITIALIZER
185 | {
186 | 	SHORT Length;
187 | 	UCHAR ObjectTypeFlags;
188 | 	ULONG CaseInsensitive : 1;
189 | 	ULONG UnnamedObjectsOnly : 1;
190 | 	ULONG UseDefaultObject : 1;
191 | 	ULONG SecurityRequired : 1;
192 | 	ULONG MaintainHandleCount : 1;
193 | 	ULONG MaintainTypeList : 1;
194 | 	ULONG ObjectTypeCode;
195 | 	ULONG InvalidAttributes;
196 | 	GENERIC_MAPPING GenericMapping;
197 | 	ULONG ValidAccessMask;
198 | 	POOL_TYPE PoolType;
199 | 	ULONG DefaultPagedPoolCharge;
200 | 	ULONG DefaultNonPagedPoolCharge;
201 | 	PVOID DumpProcedure;
202 | 	LONG* OpenProcedure;
203 | 	PVOID CloseProcedure;
204 | 	PVOID DeleteProcedure;
205 | 	LONG* ParseProcedure;
206 | 	LONG* SecurityProcedure;
207 | 	LONG* QueryNameProcedure;
208 | 	UCHAR* OkayToCloseProcedure;
209 | } OBJECT_TYPE_INITIALIZER, * POBJECT_TYPE_INITIALIZER;
210 | 
211 | typedef struct _CALLBACK_ENTRY {
212 | 	UINT16 Version;
213 | 	UINT16 OperationRegistrationCount;
214 | 	UINT32 unk1;
215 | 	PVOID RegistrationContext;
216 | 	UNICODE_STRING Altitude;
217 | } CALLBACK_ENTRY, * PCALLBACK_ENTRY;
218 | 
219 | typedef struct _CALLBACK_ENTRY_ITEM {
220 | 	LIST_ENTRY EntryItemList;
221 | 	OB_OPERATION Operations;
222 | 	CALLBACK_ENTRY* CallbackEntry;
223 | 	POBJECT_TYPE ObjectType;
224 | 	POB_PRE_OPERATION_CALLBACK PreOperation;
225 | 	POB_POST_OPERATION_CALLBACK PostOperation;
226 | 	__int64 unk;
227 | }CALLBACK_ENTRY_ITEM, * PCALLBACK_ENTRY_ITEM;
228 | 
229 | typedef struct _OBJECT_TYPE {
230 | 	LIST_ENTRY TypeList;
231 | 	UNICODE_STRING Name;
232 | 	VOID* DefaultObject;
233 | 	UCHAR Index;
234 | 	unsigned __int32 TotalNumberOfObjects;
235 | 	unsigned __int32 TotalNumberOfHandles;
236 | 	unsigned __int32 HighWaterNumberOfObjects;
237 | 	unsigned __int32 HighWaterNumberOfHandles;
238 | 	OBJECT_TYPE_INITIALIZER TypeInfo;
239 | 	EX_PUSH_LOCK TypeLock;
240 | 	unsigned __int32 Key;
241 | 	LIST_ENTRY CallbackList;
242 | }OBJECT_TYPE, * POBJECT_TYPE;
243 | 
244 | typedef struct _LDR_DATA_TABLE_ENTRY
245 | {
246 | 	LIST_ENTRY InLoadOrderLinks;
247 | 	LIST_ENTRY InMemoryOrderLinks;
248 | 	LIST_ENTRY InInitializationOrderLinks;
249 | 	PVOID DllBase;
250 | 	PVOID EntryPoint;
251 | 	ULONG SizeOfImage;
252 | 	UNICODE_STRING FullDllName;
253 | 	UNICODE_STRING BaseDllName;
254 | 	ULONG Flags;
255 | 	USHORT LoadCount;
256 | 	USHORT TlsIndex;
257 | 	union
258 | 	{
259 | 		LIST_ENTRY HashLinks;
260 | 		struct
261 | 		{
262 | 			PVOID SectionPointer;
263 | 			ULONG CheckSum;
264 | 		};
265 | 	};
266 | 	union
267 | 	{
268 | 		ULONG TimeDateStamp;
269 | 		PVOID LoadedImports;
270 | 	};
271 | 	struct _ACTIVATION_CONTEXT* EntryPointActivationContext;
272 | 	PVOID PatchInformation;
273 | 	LIST_ENTRY ForwarderLinks;
274 | 	LIST_ENTRY ServiceTagLinks;
275 | 	LIST_ENTRY StaticLinks;
276 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;


--------------------------------------------------------------------------------
/EAC_Usermode/EAC.cpp:
--------------------------------------------------------------------------------
 1 | #include "EAC.hpp"
 2 | #include <TlHelp32.h>
 3 | 
 4 | HANDLE EAC::hEvent;
 5 | typedef BOOL(NTAPI* p_DeviceIoControl)(HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped);
 6 | static p_DeviceIoControl o_DeviceIoControl = nullptr;
 7 | 
 8 | bool EAC::Init()
 9 | {
10 | 	return Bypass_DeviceIoControl(true);
11 | }
12 | bool EAC::Uninit()
13 | {
14 | 	return Bypass_DeviceIoControl(false);
15 | }
16 | 
17 | 
18 | bool WINAPI DeviceIoControl_Hook (HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped)
19 | {
20 | 	VM_START
21 | 	DWORD_PTR dwStartAddress = 0;
22 | 	HMODULE hModule = 0;
23 | 	static HANDLE hThread = nullptr;
24 | 	if (NT_SUCCESS(NtQueryInformationThread(GetCurrentThread(), static_cast<THREADINFOCLASS>(9), &dwStartAddress, sizeof(DWORD_PTR), NULL)) &&
25 | 		!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, reinterpret_cast<char*>(dwStartAddress), &hModule))
26 | 	{
27 | 		if (!EnumWindows([](HWND hWnd, LPARAM lParam) -> BOOL
28 | 			{
29 | 				DWORD procId = 0;
30 | 				if (GetWindowThreadProcessId(hWnd, &procId) && procId == GetCurrentProcessId())
31 | 					SuspendThread(GetCurrentThread());
32 | 				return TRUE;
33 | 			}, NULL))
34 | 		{
35 | 			MessageBoxExA(0, "Failed to use EnumWindows!", "ERRROR!", 0, 0);
36 | 			return false;
37 | 		}
38 | 	}
39 | 	VM_END
40 | 	return o_DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);
41 | };
42 | 
43 | bool EAC::Bypass_DeviceIoControl(bool detourStatus)
44 | {
45 | 	VM_START
46 | 	if(!o_DeviceIoControl)
47 | 		o_DeviceIoControl = reinterpret_cast<p_DeviceIoControl>(GetProcAddress(GetModuleHandleA("KERNELBASE"), "DeviceIoControl"));
48 | 	if (DetourTransactionBegin() != NO_ERROR ||
49 | 		DetourUpdateThread(GetCurrentThread()) != NO_ERROR ||
50 | 		DetourAttach(&(PVOID&)o_DeviceIoControl, DeviceIoControl_Hook) != NO_ERROR ||
51 | 		DetourTransactionCommit() != NO_ERROR)
52 | 	{
53 | #if _DEBUG == 1
54 | 		std::cout << "Could not hook functions" << std::endl;
55 | #endif
56 | 		MessageBoxExA(0, "Failed to hook functions!", "ERRROR!", 0, 0);
57 | 		return false;
58 | 	}
59 | 	VM_END
60 | 	return true;
61 | 	}


--------------------------------------------------------------------------------
/EAC_Usermode/EAC.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include <windows.h>
 3 | #include <iostream>
 4 | #include "detours.h"
 5 | #include <cstdint>
 6 | #include <intrin.h>
 7 | #include <winternl.h>
 8 | #include "Options.hpp"
 9 | 
10 | #pragma comment(lib,"ntdll")
11 | #ifdef _WIN64
12 | #pragma comment(lib,"detours64")
13 | #else
14 | #pragma comment(lib,"detours")
15 | #endif
16 | 
17 | class EAC
18 | {
19 | public:
20 | 	static EAC& GetInstance() {
21 | 		static EAC Instance;
22 | 		return Instance;
23 | 	}
24 | 	bool Init();
25 | 	bool Uninit();
26 | 
27 | private:
28 | 	EAC(EAC const&) = delete;
29 | 	EAC(EAC&&) = delete;
30 | 	EAC& operator=(EAC const&) = delete;
31 | 	EAC& operator=(EAC&&) = delete;
32 | 
33 | 	static bool Bypass_DeviceIoControl(bool detourStatus);
34 | protected:
35 | 	EAC()
36 | 	{
37 | 		hEvent = CreateEvent(0, 0, 0, 0);
38 | 	}
39 | 	~EAC()
40 | 	{
41 | 		CloseHandle(hEvent);
42 | 	}
43 | 	static HANDLE hEvent;
44 | };


--------------------------------------------------------------------------------
/EAC_Usermode/EAC_Usermode.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <ProjectGuid>{56F38C3E-FC80-4028-B6E9-4688A33E4AEB}</ProjectGuid>
 24 |     <RootNamespace>EACUsermode</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v142</PlatformToolset>
 32 |     <CharacterSet>MultiByte</CharacterSet>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 35 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 36 |     <UseDebugLibraries>false</UseDebugLibraries>
 37 |     <PlatformToolset>v142</PlatformToolset>
 38 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 39 |     <CharacterSet>MultiByte</CharacterSet>
 40 |     <SpectreMitigation>false</SpectreMitigation>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>MultiByte</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>MultiByte</CharacterSet>
 54 |     <SpectreMitigation>false</SpectreMitigation>
 55 |   </PropertyGroup>
 56 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 57 |   <ImportGroup Label="ExtensionSettings">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="Shared">
 60 |   </ImportGroup>
 61 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 62 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 65 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 66 |   </ImportGroup>
 67 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 68 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 69 |   </ImportGroup>
 70 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 71 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 72 |   </ImportGroup>
 73 |   <PropertyGroup Label="UserMacros" />
 74 |   <PropertyGroup />
 75 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 76 |     <ClCompile>
 77 |       <WarningLevel>Level3</WarningLevel>
 78 |       <Optimization>MaxSpeed</Optimization>
 79 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 80 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 81 |       <SDLCheck>true</SDLCheck>
 82 |       <ConformanceMode>true</ConformanceMode>
 83 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
 84 |       <DebugInformationFormat>None</DebugInformationFormat>
 85 |     </ClCompile>
 86 |     <Link>
 87 |       <SubSystem>Console</SubSystem>
 88 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 89 |       <OptimizeReferences>true</OptimizeReferences>
 90 |       <GenerateDebugInformation>false</GenerateDebugInformation>
 91 |       <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
 92 |     </Link>
 93 |   </ItemDefinitionGroup>
 94 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 95 |     <ClCompile>
 96 |       <WarningLevel>Level3</WarningLevel>
 97 |       <Optimization>Disabled</Optimization>
 98 |       <SDLCheck>true</SDLCheck>
 99 |       <ConformanceMode>true</ConformanceMode>
100 |     </ClCompile>
101 |     <Link>
102 |       <SubSystem>Console</SubSystem>
103 |     </Link>
104 |   </ItemDefinitionGroup>
105 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
106 |     <ClCompile>
107 |       <WarningLevel>Level3</WarningLevel>
108 |       <Optimization>Disabled</Optimization>
109 |       <SDLCheck>true</SDLCheck>
110 |       <ConformanceMode>true</ConformanceMode>
111 |     </ClCompile>
112 |     <Link>
113 |       <SubSystem>Console</SubSystem>
114 |     </Link>
115 |   </ItemDefinitionGroup>
116 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
117 |     <ClCompile>
118 |       <WarningLevel>Level3</WarningLevel>
119 |       <Optimization>Disabled</Optimization>
120 |       <FunctionLevelLinking>true</FunctionLevelLinking>
121 |       <IntrinsicFunctions>true</IntrinsicFunctions>
122 |       <SDLCheck>true</SDLCheck>
123 |       <ConformanceMode>true</ConformanceMode>
124 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
125 |       <BufferSecurityCheck>false</BufferSecurityCheck>
126 |       <DebugInformationFormat>None</DebugInformationFormat>
127 |     </ClCompile>
128 |     <Link>
129 |       <SubSystem>Console</SubSystem>
130 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
131 |       <OptimizeReferences>true</OptimizeReferences>
132 |       <GenerateDebugInformation>false</GenerateDebugInformation>
133 |     </Link>
134 |   </ItemDefinitionGroup>
135 |   <ItemGroup>
136 |     <ClCompile Include="EAC.cpp" />
137 |     <ClCompile Include="main.cpp" />
138 |   </ItemGroup>
139 |   <ItemGroup>
140 |     <ClInclude Include="EAC.hpp" />
141 |     <ClInclude Include="Options.hpp" />
142 |   </ItemGroup>
143 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
144 |   <ImportGroup Label="ExtensionTargets">
145 |   </ImportGroup>
146 | </Project>


--------------------------------------------------------------------------------
/EAC_Usermode/EAC_Usermode.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="EAC.cpp">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClInclude Include="EAC.hpp">
27 |       <Filter>Header Files</Filter>
28 |     </ClInclude>
29 |     <ClInclude Include="Options.hpp">
30 |       <Filter>Resource Files</Filter>
31 |     </ClInclude>
32 |   </ItemGroup>
33 | </Project>


--------------------------------------------------------------------------------
/EAC_Usermode/EAC_Usermode.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/EAC_Usermode/Options.hpp:
--------------------------------------------------------------------------------
 1 | #define USE_VM 0
 2 | 
 3 | #if(USE_VM == 1)
 4 | #include "WL\WinlicenseSDK.h"
 5 | #if _WIN64
 6 | #pragma comment(lib,"WinLicenseSDK64.lib")
 7 | #else
 8 | #pragma comment(lib,"WinLicenseSDK32.lib")
 9 | #endif
10 | #else
11 | #define VM_START
12 | #define VM_END
13 | #endif
14 | 


--------------------------------------------------------------------------------
/EAC_Usermode/detours.h:
--------------------------------------------------------------------------------
  1 | //////////////////////////////////////////////////////////////////////////////
  2 | //
  3 | //  Core Detours Functionality (detours.h of detours.lib)
  4 | //
  5 | //  Microsoft Research Detours Package, Version 3.0 Build_316.
  6 | //
  7 | //  Copyright (c) Microsoft Corporation.  All rights reserved.
  8 | //
  9 | 
 10 | #pragma once
 11 | #ifndef _DETOURS_H_
 12 | #define _DETOURS_H_
 13 | 
 14 | #define DETOURS_VERSION     30000   // 3.00.00
 15 | 
 16 | //////////////////////////////////////////////////////////////////////////////
 17 | //
 18 | 
 19 | #if (_MSC_VER < 1299)
 20 | typedef LONG LONG_PTR;
 21 | typedef ULONG ULONG_PTR;
 22 | #endif
 23 | 
 24 | #ifndef __in_z
 25 | #define __in_z
 26 | #endif
 27 | 
 28 | //////////////////////////////////////////////////////////////////////////////
 29 | //
 30 | #ifndef GUID_DEFINED
 31 | #define GUID_DEFINED
 32 | typedef struct  _GUID
 33 | {
 34 |     DWORD Data1;
 35 |     WORD Data2;
 36 |     WORD Data3;
 37 |     BYTE Data4[ 8 ];
 38 | } GUID;
 39 | 
 40 | #ifdef INITGUID
 41 | #define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
 42 |         const GUID name \
 43 |                 = { l, w1, w2, { b1, b2,  b3,  b4,  b5,  b6,  b7,  b8 } }
 44 | #else
 45 | #define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
 46 |     const GUID name
 47 | #endif // INITGUID
 48 | #endif // !GUID_DEFINED
 49 | 
 50 | #if defined(__cplusplus)
 51 | #ifndef _REFGUID_DEFINED
 52 | #define _REFGUID_DEFINED
 53 | #define REFGUID             const GUID &
 54 | #endif // !_REFGUID_DEFINED
 55 | #else // !__cplusplus
 56 | #ifndef _REFGUID_DEFINED
 57 | #define _REFGUID_DEFINED
 58 | #define REFGUID             const GUID * const
 59 | #endif // !_REFGUID_DEFINED
 60 | #endif // !__cplusplus
 61 | 
 62 | //
 63 | //////////////////////////////////////////////////////////////////////////////
 64 | 
 65 | #ifdef __cplusplus
 66 | extern "C" {
 67 | #endif // __cplusplus
 68 | 
 69 | /////////////////////////////////////////////////// Instruction Target Macros.
 70 | //
 71 | #define DETOUR_INSTRUCTION_TARGET_NONE          ((PVOID)0)
 72 | #define DETOUR_INSTRUCTION_TARGET_DYNAMIC       ((PVOID)(LONG_PTR)-1)
 73 | #define DETOUR_SECTION_HEADER_SIGNATURE         0x00727444   // "Dtr\0"
 74 | 
 75 | extern const GUID DETOUR_EXE_RESTORE_GUID;
 76 | extern const GUID DETOUR_EXE_HELPER_GUID;
 77 | 
 78 | #define DETOUR_TRAMPOLINE_SIGNATURE             0x21727444  // Dtr!
 79 | typedef struct _DETOUR_TRAMPOLINE DETOUR_TRAMPOLINE, *PDETOUR_TRAMPOLINE;
 80 | 
 81 | /////////////////////////////////////////////////////////// Binary Structures.
 82 | //
 83 | #pragma pack(push, 8)
 84 | typedef struct _DETOUR_SECTION_HEADER
 85 | {
 86 |     DWORD       cbHeaderSize;
 87 |     DWORD       nSignature;
 88 |     DWORD       nDataOffset;
 89 |     DWORD       cbDataSize;
 90 | 
 91 |     DWORD       nOriginalImportVirtualAddress;
 92 |     DWORD       nOriginalImportSize;
 93 |     DWORD       nOriginalBoundImportVirtualAddress;
 94 |     DWORD       nOriginalBoundImportSize;
 95 | 
 96 |     DWORD       nOriginalIatVirtualAddress;
 97 |     DWORD       nOriginalIatSize;
 98 |     DWORD       nOriginalSizeOfImage;
 99 |     DWORD       cbPrePE;
100 | 
101 |     DWORD       nOriginalClrFlags;
102 |     DWORD       reserved1;
103 |     DWORD       reserved2;
104 |     DWORD       reserved3;
105 | 
106 |     // Followed by cbPrePE bytes of data.
107 | } DETOUR_SECTION_HEADER, *PDETOUR_SECTION_HEADER;
108 | 
109 | typedef struct _DETOUR_SECTION_RECORD
110 | {
111 |     DWORD       cbBytes;
112 |     DWORD       nReserved;
113 |     GUID        guid;
114 | } DETOUR_SECTION_RECORD, *PDETOUR_SECTION_RECORD;
115 | 
116 | typedef struct _DETOUR_CLR_HEADER
117 | {
118 |     // Header versioning
119 |     ULONG                   cb;
120 |     USHORT                  MajorRuntimeVersion;
121 |     USHORT                  MinorRuntimeVersion;
122 | 
123 |     // Symbol table and startup information
124 |     IMAGE_DATA_DIRECTORY    MetaData;
125 |     ULONG                   Flags;
126 | 
127 |     // Followed by the rest of the IMAGE_COR20_HEADER
128 | } DETOUR_CLR_HEADER, *PDETOUR_CLR_HEADER;
129 | 
130 | typedef struct _DETOUR_EXE_RESTORE
131 | {
132 |     DWORD               cb;
133 |     DWORD               cbidh;
134 |     DWORD               cbinh;
135 |     DWORD               cbclr;
136 | 
137 |     PBYTE               pidh;
138 |     PBYTE               pinh;
139 |     PBYTE               pclr;
140 | 
141 |     IMAGE_DOS_HEADER    idh;
142 |     union {
143 |         IMAGE_NT_HEADERS    inh;
144 |         IMAGE_NT_HEADERS32  inh32;
145 |         IMAGE_NT_HEADERS64  inh64;
146 |         BYTE                raw[sizeof(IMAGE_NT_HEADERS64) +
147 |                                 sizeof(IMAGE_SECTION_HEADER) * 32];
148 |     };
149 |     DETOUR_CLR_HEADER   clr;
150 | 
151 | } DETOUR_EXE_RESTORE, *PDETOUR_EXE_RESTORE;
152 | 
153 | typedef struct _DETOUR_EXE_HELPER
154 | {
155 |     DWORD               cb;
156 |     DWORD               pid;
157 |     CHAR                DllName[MAX_PATH];
158 | 
159 | } DETOUR_EXE_HELPER, *PDETOUR_EXE_HELPER;
160 | 
161 | #pragma pack(pop)
162 | 
163 | #define DETOUR_SECTION_HEADER_DECLARE(cbSectionSize) \
164 | { \
165 |       sizeof(DETOUR_SECTION_HEADER),\
166 |       DETOUR_SECTION_HEADER_SIGNATURE,\
167 |       sizeof(DETOUR_SECTION_HEADER),\
168 |       (cbSectionSize),\
169 |       \
170 |       0,\
171 |       0,\
172 |       0,\
173 |       0,\
174 |       \
175 |       0,\
176 |       0,\
177 |       0,\
178 |       0,\
179 | }
180 | 
181 | /////////////////////////////////////////////////////////////// Helper Macros.
182 | //
183 | #define DETOURS_STRINGIFY(x)    DETOURS_STRINGIFY_(x)
184 | #define DETOURS_STRINGIFY_(x)    #x
185 | 
186 | ///////////////////////////////////////////////////////////// Binary Typedefs.
187 | //
188 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_BYWAY_CALLBACK)(PVOID pContext,
189 |                                                          PCHAR pszFile,
190 |                                                          PCHAR *ppszOutFile);
191 | 
192 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_FILE_CALLBACK)(PVOID pContext,
193 |                                                         PCHAR pszOrigFile,
194 |                                                         PCHAR pszFile,
195 |                                                         PCHAR *ppszOutFile);
196 | 
197 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_SYMBOL_CALLBACK)(PVOID pContext,
198 |                                                           ULONG nOrigOrdinal,
199 |                                                           ULONG nOrdinal,
200 |                                                           ULONG *pnOutOrdinal,
201 |                                                           PCHAR pszOrigSymbol,
202 |                                                           PCHAR pszSymbol,
203 |                                                           PCHAR *ppszOutSymbol);
204 | 
205 | typedef BOOL (CALLBACK *PF_DETOUR_BINARY_COMMIT_CALLBACK)(PVOID pContext);
206 | 
207 | typedef BOOL (CALLBACK *PF_DETOUR_ENUMERATE_EXPORT_CALLBACK)(PVOID pContext,
208 |                                                              ULONG nOrdinal,
209 |                                                              PCHAR pszName,
210 |                                                              PVOID pCode);
211 | 
212 | typedef BOOL (CALLBACK *PF_DETOUR_IMPORT_FILE_CALLBACK)(PVOID pContext,
213 |                                                         HMODULE hModule,
214 |                                                         PCSTR pszFile);
215 | 
216 | typedef BOOL (CALLBACK *PF_DETOUR_IMPORT_FUNC_CALLBACK)(PVOID pContext,
217 |                                                         DWORD nOrdinal,
218 |                                                         PCSTR pszFunc,
219 |                                                         PVOID pvFunc);
220 | 
221 | typedef VOID * PDETOUR_BINARY;
222 | typedef VOID * PDETOUR_LOADED_BINARY;
223 | 
224 | //////////////////////////////////////////////////////////// Transaction APIs.
225 | //
226 | LONG WINAPI DetourTransactionBegin(VOID);
227 | LONG WINAPI DetourTransactionAbort(VOID);
228 | LONG WINAPI DetourTransactionCommit(VOID);
229 | LONG WINAPI DetourTransactionCommitEx(PVOID **pppFailedPointer);
230 | 
231 | LONG WINAPI DetourUpdateThread(HANDLE hThread);
232 | 
233 | LONG WINAPI DetourAttach(PVOID *ppPointer,
234 |                          PVOID pDetour);
235 | 
236 | LONG WINAPI DetourAttachEx(PVOID *ppPointer,
237 |                            PVOID pDetour,
238 |                            PDETOUR_TRAMPOLINE *ppRealTrampoline,
239 |                            PVOID *ppRealTarget,
240 |                            PVOID *ppRealDetour);
241 | 
242 | LONG WINAPI DetourDetach(PVOID *ppPointer,
243 |                          PVOID pDetour);
244 | 
245 | BOOL WINAPI DetourSetIgnoreTooSmall(BOOL fIgnore);
246 | BOOL WINAPI DetourSetRetainRegions(BOOL fRetain);
247 | 
248 | ////////////////////////////////////////////////////////////// Code Functions.
249 | //
250 | PVOID WINAPI DetourFindFunction(PCSTR pszModule, PCSTR pszFunction);
251 | PVOID WINAPI DetourCodeFromPointer(PVOID pPointer, PVOID *ppGlobals);
252 | PVOID WINAPI DetourCopyInstruction(PVOID pDst,
253 |                                    PVOID *pDstPool,
254 |                                    PVOID pSrc,
255 |                                    PVOID *ppTarget,
256 |                                    LONG *plExtra);
257 | 
258 | ///////////////////////////////////////////////////// Loaded Binary Functions.
259 | //
260 | HMODULE WINAPI DetourGetContainingModule(PVOID pvAddr);
261 | HMODULE WINAPI DetourEnumerateModules(HMODULE hModuleLast);
262 | PVOID WINAPI DetourGetEntryPoint(HMODULE hModule);
263 | ULONG WINAPI DetourGetModuleSize(HMODULE hModule);
264 | BOOL WINAPI DetourEnumerateExports(HMODULE hModule,
265 |                                    PVOID pContext,
266 |                                    PF_DETOUR_ENUMERATE_EXPORT_CALLBACK pfExport);
267 | BOOL WINAPI DetourEnumerateImports(HMODULE hModule,
268 |                                    PVOID pContext,
269 |                                    PF_DETOUR_IMPORT_FILE_CALLBACK pfImportFile,
270 |                                    PF_DETOUR_IMPORT_FUNC_CALLBACK pfImportFunc);
271 | 
272 | PVOID WINAPI DetourFindPayload(HMODULE hModule, REFGUID rguid, DWORD *pcbData);
273 | PVOID WINAPI DetourFindPayloadEx(REFGUID rguid, DWORD * pcbData);
274 | DWORD WINAPI DetourGetSizeOfPayloads(HMODULE hModule);
275 | 
276 | ///////////////////////////////////////////////// Persistent Binary Functions.
277 | //
278 | 
279 | PDETOUR_BINARY WINAPI DetourBinaryOpen(HANDLE hFile);
280 | PVOID WINAPI DetourBinaryEnumeratePayloads(PDETOUR_BINARY pBinary,
281 |                                            GUID *pGuid,
282 |                                            DWORD *pcbData,
283 |                                            DWORD *pnIterator);
284 | PVOID WINAPI DetourBinaryFindPayload(PDETOUR_BINARY pBinary,
285 |                                      REFGUID rguid,
286 |                                      DWORD *pcbData);
287 | PVOID WINAPI DetourBinarySetPayload(PDETOUR_BINARY pBinary,
288 |                                     REFGUID rguid,
289 |                                     PVOID pData,
290 |                                     DWORD cbData);
291 | BOOL WINAPI DetourBinaryDeletePayload(PDETOUR_BINARY pBinary, REFGUID rguid);
292 | BOOL WINAPI DetourBinaryPurgePayloads(PDETOUR_BINARY pBinary);
293 | BOOL WINAPI DetourBinaryResetImports(PDETOUR_BINARY pBinary);
294 | BOOL WINAPI DetourBinaryEditImports(PDETOUR_BINARY pBinary,
295 |                                     PVOID pContext,
296 |                                     PF_DETOUR_BINARY_BYWAY_CALLBACK pfByway,
297 |                                     PF_DETOUR_BINARY_FILE_CALLBACK pfFile,
298 |                                     PF_DETOUR_BINARY_SYMBOL_CALLBACK pfSymbol,
299 |                                     PF_DETOUR_BINARY_COMMIT_CALLBACK pfCommit);
300 | BOOL WINAPI DetourBinaryWrite(PDETOUR_BINARY pBinary, HANDLE hFile);
301 | BOOL WINAPI DetourBinaryClose(PDETOUR_BINARY pBinary);
302 | 
303 | /////////////////////////////////////////////////// Create Process & Load Dll.
304 | //
305 | typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEA)
306 |     (LPCSTR lpApplicationName,
307 |      LPSTR lpCommandLine,
308 |      LPSECURITY_ATTRIBUTES lpProcessAttributes,
309 |      LPSECURITY_ATTRIBUTES lpThreadAttributes,
310 |      BOOL bInheritHandles,
311 |      DWORD dwCreationFlags,
312 |      LPVOID lpEnvironment,
313 |      LPCSTR lpCurrentDirectory,
314 |      LPSTARTUPINFOA lpStartupInfo,
315 |      LPPROCESS_INFORMATION lpProcessInformation);
316 | 
317 | typedef BOOL (WINAPI *PDETOUR_CREATE_PROCESS_ROUTINEW)
318 |     (LPCWSTR lpApplicationName,
319 |      LPWSTR lpCommandLine,
320 |      LPSECURITY_ATTRIBUTES lpProcessAttributes,
321 |      LPSECURITY_ATTRIBUTES lpThreadAttributes,
322 |      BOOL bInheritHandles,
323 |      DWORD dwCreationFlags,
324 |      LPVOID lpEnvironment,
325 |      LPCWSTR lpCurrentDirectory,
326 |      LPSTARTUPINFOW lpStartupInfo,
327 |      LPPROCESS_INFORMATION lpProcessInformation);
328 | 
329 | BOOL WINAPI DetourCreateProcessWithDllA(LPCSTR lpApplicationName,
330 |                                         __in_z LPSTR lpCommandLine,
331 |                                         LPSECURITY_ATTRIBUTES lpProcessAttributes,
332 |                                         LPSECURITY_ATTRIBUTES lpThreadAttributes,
333 |                                         BOOL bInheritHandles,
334 |                                         DWORD dwCreationFlags,
335 |                                         LPVOID lpEnvironment,
336 |                                         LPCSTR lpCurrentDirectory,
337 |                                         LPSTARTUPINFOA lpStartupInfo,
338 |                                         LPPROCESS_INFORMATION lpProcessInformation,
339 |                                         LPCSTR lpDllName,
340 |                                         PDETOUR_CREATE_PROCESS_ROUTINEA
341 |                                         pfCreateProcessA);
342 | 
343 | BOOL WINAPI DetourCreateProcessWithDllW(LPCWSTR lpApplicationName,
344 |                                         __in_z LPWSTR lpCommandLine,
345 |                                         LPSECURITY_ATTRIBUTES lpProcessAttributes,
346 |                                         LPSECURITY_ATTRIBUTES lpThreadAttributes,
347 |                                         BOOL bInheritHandles,
348 |                                         DWORD dwCreationFlags,
349 |                                         LPVOID lpEnvironment,
350 |                                         LPCWSTR lpCurrentDirectory,
351 |                                         LPSTARTUPINFOW lpStartupInfo,
352 |                                         LPPROCESS_INFORMATION lpProcessInformation,
353 |                                         LPCSTR lpDllName,
354 |                                         PDETOUR_CREATE_PROCESS_ROUTINEW
355 |                                         pfCreateProcessW);
356 | 
357 | #ifdef UNICODE
358 | #define DetourCreateProcessWithDll      DetourCreateProcessWithDllW
359 | #define PDETOUR_CREATE_PROCESS_ROUTINE  PDETOUR_CREATE_PROCESS_ROUTINEW
360 | #else
361 | #define DetourCreateProcessWithDll      DetourCreateProcessWithDllA
362 | #define PDETOUR_CREATE_PROCESS_ROUTINE  PDETOUR_CREATE_PROCESS_ROUTINEA
363 | #endif // !UNICODE
364 | 
365 | BOOL WINAPI DetourCreateProcessWithDllExA(LPCSTR lpApplicationName,
366 |                                           __in_z LPSTR lpCommandLine,
367 |                                           LPSECURITY_ATTRIBUTES lpProcessAttributes,
368 |                                           LPSECURITY_ATTRIBUTES lpThreadAttributes,
369 |                                           BOOL bInheritHandles,
370 |                                           DWORD dwCreationFlags,
371 |                                           LPVOID lpEnvironment,
372 |                                           LPCSTR lpCurrentDirectory,
373 |                                           LPSTARTUPINFOA lpStartupInfo,
374 |                                           LPPROCESS_INFORMATION lpProcessInformation,
375 |                                           LPCSTR lpDllName,
376 |                                           PDETOUR_CREATE_PROCESS_ROUTINEA
377 |                                           pfCreateProcessA);
378 | 
379 | BOOL WINAPI DetourCreateProcessWithDllExW(LPCWSTR lpApplicationName,
380 |                                           __in_z LPWSTR lpCommandLine,
381 |                                           LPSECURITY_ATTRIBUTES lpProcessAttributes,
382 |                                           LPSECURITY_ATTRIBUTES lpThreadAttributes,
383 |                                           BOOL bInheritHandles,
384 |                                           DWORD dwCreationFlags,
385 |                                           LPVOID lpEnvironment,
386 |                                           LPCWSTR lpCurrentDirectory,
387 |                                           LPSTARTUPINFOW lpStartupInfo,
388 |                                           LPPROCESS_INFORMATION lpProcessInformation,
389 |                                           LPCSTR lpDllName,
390 |                                           PDETOUR_CREATE_PROCESS_ROUTINEW
391 |                                           pfCreateProcessW);
392 | 
393 | #ifdef UNICODE
394 | #define DetourCreateProcessWithDllEx    DetourCreateProcessWithDllExW
395 | #define PDETOUR_CREATE_PROCESS_ROUTINE  PDETOUR_CREATE_PROCESS_ROUTINEW
396 | #else
397 | #define DetourCreateProcessWithDllEx    DetourCreateProcessWithDllExA
398 | #define PDETOUR_CREATE_PROCESS_ROUTINE  PDETOUR_CREATE_PROCESS_ROUTINEA
399 | #endif // !UNICODE
400 | 
401 | BOOL WINAPI DetourProcessViaHelperA(DWORD dwTargetPid,
402 |                                     LPCSTR lpDllName,
403 |                                     PDETOUR_CREATE_PROCESS_ROUTINEA pfCreateProcessA);
404 | 
405 | BOOL WINAPI DetourProcessViaHelperW(DWORD dwTargetPid,
406 |                                     LPCSTR lpDllName,
407 |                                     PDETOUR_CREATE_PROCESS_ROUTINEW pfCreateProcessW);
408 | 
409 | #ifdef UNICODE
410 | #define DetourProcessViaHelper          DetourProcessViaHelperW
411 | #else
412 | #define DetourProcessViaHelper          DetourProcessViaHelperA
413 | #endif // !UNICODE
414 | 
415 | BOOL WINAPI DetourUpdateProcessWithDll(HANDLE hProcess,
416 |                                        LPCSTR *plpDlls,
417 |                                        DWORD nDlls);
418 | 
419 | BOOL WINAPI DetourCopyPayloadToProcess(HANDLE hProcess,
420 |                                        REFGUID rguid,
421 |                                        PVOID pvData,
422 |                                        DWORD cbData);
423 | BOOL WINAPI DetourRestoreAfterWith(VOID);
424 | BOOL WINAPI DetourRestoreAfterWithEx(PVOID pvData, DWORD cbData);
425 | BOOL WINAPI DetourIsHelperProcess(VOID);
426 | VOID CALLBACK DetourFinishHelperProcess(HWND, HINSTANCE, LPSTR, INT);
427 | 
428 | //
429 | //////////////////////////////////////////////////////////////////////////////
430 | #ifdef __cplusplus
431 | }
432 | #endif // __cplusplus
433 | 
434 | //////////////////////////////////////////////// Detours Internal Definitions.
435 | //
436 | #ifdef __cplusplus
437 | #ifdef DETOURS_INTERNAL
438 | 
439 | #ifndef __deref_out
440 | #define __deref_out
441 | #endif
442 | 
443 | #ifndef __deref
444 | #define __deref
445 | #endif
446 | 
447 | //////////////////////////////////////////////////////////////////////////////
448 | //
449 | #if (_MSC_VER < 1299)
450 | #include <imagehlp.h>
451 | typedef IMAGEHLP_MODULE IMAGEHLP_MODULE64;
452 | typedef PIMAGEHLP_MODULE PIMAGEHLP_MODULE64;
453 | typedef IMAGEHLP_SYMBOL SYMBOL_INFO;
454 | typedef PIMAGEHLP_SYMBOL PSYMBOL_INFO;
455 | 
456 | static inline
457 | LONG InterlockedCompareExchange(LONG *ptr, LONG nval, LONG oval)
458 | {
459 |     return (LONG)::InterlockedCompareExchange((PVOID*)ptr, (PVOID)nval, (PVOID)oval);
460 | }
461 | #else
462 | #include <dbghelp.h>
463 | #endif
464 | 
465 | #ifdef IMAGEAPI // defined by DBGHELP.H
466 | typedef LPAPI_VERSION (NTAPI *PF_ImagehlpApiVersionEx)(LPAPI_VERSION AppVersion);
467 | 
468 | typedef BOOL (NTAPI *PF_SymInitialize)(IN HANDLE hProcess,
469 |                                        IN LPCSTR UserSearchPath,
470 |                                        IN BOOL fInvadeProcess);
471 | typedef DWORD (NTAPI *PF_SymSetOptions)(IN DWORD SymOptions);
472 | typedef DWORD (NTAPI *PF_SymGetOptions)(VOID);
473 | typedef DWORD64 (NTAPI *PF_SymLoadModule64)(IN HANDLE hProcess,
474 |                                             IN HANDLE hFile,
475 |                                             IN PSTR ImageName,
476 |                                             IN PSTR ModuleName,
477 |                                             IN DWORD64 BaseOfDll,
478 |                                             IN DWORD SizeOfDll);
479 | typedef BOOL (NTAPI *PF_SymGetModuleInfo64)(IN HANDLE hProcess,
480 |                                             IN DWORD64 qwAddr,
481 |                                             OUT PIMAGEHLP_MODULE64 ModuleInfo);
482 | typedef BOOL (NTAPI *PF_SymFromName)(IN HANDLE hProcess,
483 |                                      IN LPSTR Name,
484 |                                      OUT PSYMBOL_INFO Symbol);
485 | 
486 | typedef struct _DETOUR_SYM_INFO
487 | {
488 |     HANDLE                  hProcess;
489 |     HMODULE                 hDbgHelp;
490 |     PF_ImagehlpApiVersionEx pfImagehlpApiVersionEx;
491 |     PF_SymInitialize        pfSymInitialize;
492 |     PF_SymSetOptions        pfSymSetOptions;
493 |     PF_SymGetOptions        pfSymGetOptions;
494 |     PF_SymLoadModule64      pfSymLoadModule64;
495 |     PF_SymGetModuleInfo64   pfSymGetModuleInfo64;
496 |     PF_SymFromName          pfSymFromName;
497 | } DETOUR_SYM_INFO, *PDETOUR_SYM_INFO;
498 | 
499 | PDETOUR_SYM_INFO DetourLoadDbgHelp(VOID);
500 | 
501 | #endif // IMAGEAPI
502 | 
503 | #ifndef DETOUR_TRACE
504 | #if DETOUR_DEBUG
505 | #define DETOUR_TRACE(x) printf x
506 | #define DETOUR_BREAK()  __debugbreak()
507 | #include <stdio.h>
508 | #include <limits.h>
509 | #else
510 | #define DETOUR_TRACE(x)
511 | #define DETOUR_BREAK()
512 | #endif
513 | #endif
514 | 
515 | #ifdef DETOURS_IA64
516 | __declspec(align(16)) struct DETOUR_IA64_BUNDLE
517 | {
518 |   public:
519 |     union
520 |     {
521 |         BYTE    data[16];
522 |         UINT64  wide[2];
523 |     };
524 | 
525 |   public:
526 |     struct DETOUR_IA64_METADATA;
527 | 
528 |     typedef BOOL (DETOUR_IA64_BUNDLE::* DETOUR_IA64_METACOPY)
529 |         (const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const;
530 | 
531 |     enum {
532 |         A_UNIT  = 1u,
533 |         I_UNIT  = 2u,
534 |         M_UNIT  = 3u,
535 |         B_UNIT  = 4u,
536 |         F_UNIT  = 5u,
537 |         L_UNIT  = 6u,
538 |         X_UNIT  = 7u,
539 |         UNIT_MASK = 7u,
540 |         STOP    = 8u
541 |     };
542 |     struct DETOUR_IA64_METADATA
543 |     {
544 |         ULONG       nTemplate       : 8;    // Instruction template.
545 |         ULONG       nUnit0          : 4;    // Unit for slot 0
546 |         ULONG       nUnit1          : 4;    // Unit for slot 1
547 |         ULONG       nUnit2          : 4;    // Unit for slot 2
548 |         DETOUR_IA64_METACOPY    pfCopy;     // Function pointer.
549 |     };
550 | 
551 |   protected:
552 |     BOOL CopyBytes(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const;
553 |     BOOL CopyBytesMMB(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const;
554 |     BOOL CopyBytesMBB(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const;
555 |     BOOL CopyBytesBBB(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const;
556 |     BOOL CopyBytesMLX(const DETOUR_IA64_METADATA *pMeta, DETOUR_IA64_BUNDLE *pDst) const;
557 | 
558 |     static const DETOUR_IA64_METADATA s_rceCopyTable[33];
559 | 
560 |   public:
561 |     // 120 112 104 96 88 80 72 64 56 48 40 32 24 16  8  0
562 |     //  f.  e.  d. c. b. a. 9. 8. 7. 6. 5. 4. 3. 2. 1. 0.
563 | 
564 |     //                                      00
565 |     // f.e. d.c. b.a. 9.8. 7.6. 5.4. 3.2. 1.0.
566 |     // 0000 0000 0000 0000 0000 0000 0000 001f : Template [4..0]
567 |     // 0000 0000 0000 0000 0000 03ff ffff ffe0 : Zero [ 41..  5]
568 |     // 0000 0000 0000 0000 0000 3c00 0000 0000 : Zero [ 45.. 42]
569 |     // 0000 0000 0007 ffff ffff c000 0000 0000 : One  [ 82.. 46]
570 |     // 0000 0000 0078 0000 0000 0000 0000 0000 : One  [ 86.. 83]
571 |     // 0fff ffff ff80 0000 0000 0000 0000 0000 : Two  [123.. 87]
572 |     // f000 0000 0000 0000 0000 0000 0000 0000 : Two  [127..124]
573 |     BYTE    GetTemplate() const;
574 |     BYTE    GetInst0() const;
575 |     BYTE    GetInst1() const;
576 |     BYTE    GetInst2() const;
577 |     BYTE    GetUnit0() const;
578 |     BYTE    GetUnit1() const;
579 |     BYTE    GetUnit2() const;
580 |     UINT64  GetData0() const;
581 |     UINT64  GetData1() const;
582 |     UINT64  GetData2() const;
583 | 
584 |   public:
585 |     BOOL    IsBrl() const;
586 |     VOID    SetBrl();
587 |     VOID    SetBrl(UINT64 target);
588 |     UINT64  GetBrlTarget() const;
589 |     VOID    SetBrlTarget(UINT64 target);
590 |     VOID    SetBrlImm(UINT64 imm);
591 |     UINT64  GetBrlImm() const;
592 | 
593 |     BOOL    IsMovlGp() const;
594 |     UINT64  GetMovlGp() const;
595 |     VOID    SetMovlGp(UINT64 gp);
596 | 
597 |     VOID    SetInst0(BYTE nInst);
598 |     VOID    SetInst1(BYTE nInst);
599 |     VOID    SetInst2(BYTE nInst);
600 |     VOID    SetData0(UINT64 nData);
601 |     VOID    SetData1(UINT64 nData);
602 |     VOID    SetData2(UINT64 nData);
603 |     BOOL    SetNop0();
604 |     BOOL    SetNop1();
605 |     BOOL    SetNop2();
606 |     BOOL    SetStop();
607 | 
608 |     BOOL    Copy(DETOUR_IA64_BUNDLE *pDst) const;
609 | };
610 | #endif // DETOURS_IA64
611 | 
612 | //#ifdef DETOURS_ARM
613 | //#error Feature not supported in this release.
614 | 
615 | 
616 | 
617 | //#endif // DETOURS_ARM
618 | 
619 | //////////////////////////////////////////////////////////////////////////////
620 | 
621 | #endif // DETOURS_INTERNAL
622 | #endif // __cplusplus
623 | 
624 | #endif // _DETOURS_H_
625 | //
626 | ////////////////////////////////////////////////////////////////  End of File.
627 | 


--------------------------------------------------------------------------------
/EAC_Usermode/main.cpp:
--------------------------------------------------------------------------------
 1 | #include "EAC.hpp"
 2 | 
 3 | __declspec(dllexport) BOOL UNKNOWN(HMODULE hDll, DWORD dwReason, LPVOID lpReserved)
 4 | {
 5 | 	VM_START
 6 | 	if (dwReason == DLL_PROCESS_ATTACH)
 7 | 		EAC::GetInstance().Init();
 8 | 	if (dwReason == DLL_PROCESS_DETACH)
 9 | 		EAC::GetInstance().Uninit();
10 | 	VM_END
11 | 	return true;
12 | }


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2020 Schnocker
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # EAC Bypass
2 | A simple EAC bypass used for debugging games.
3 | 


--------------------------------------------------------------------------------