├── KernelSharp
├── nuget.config
├── Program.cs
├── Runtime
│ ├── CompilerServices.cs
│ ├── Runtime.cs
│ ├── InteropServices.cs
│ ├── CompilerHelpers.cs
│ └── System.cs
├── KernelSharp.sln
├── build.bat
├── KernelSharp.csproj
└── WDK.cs
├── LICENSE
├── README.md
└── .gitignore
/KernelSharp/nuget.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/KernelSharp/Program.cs:
--------------------------------------------------------------------------------
1 | using System.Runtime;
2 | using static KernelSharp.WDK; // equivalent to #include :^)
3 |
4 | public unsafe class Program
5 | {
6 | //Dummy main method to satisfy the compiler
7 | static void Main() {}
8 |
9 | [RuntimeExport("DriverEntry")]
10 | static NTSTATUS DriverEntry()
11 | {
12 | var pool = ExAllocatePool(PoolType.NonPagedPool, 0x1000);
13 |
14 | //.NET strings are wide strings, DbgPrintEx wants a Multibyte char
15 | DbgPrintEx(0, 0, "Allocated Pool: %p | cr3: %p".c_str(), pool, __readcr3());
16 |
17 | ExFreePool(pool);
18 |
19 | return NTSTATUS.Success;
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/KernelSharp/Runtime/CompilerServices.cs:
--------------------------------------------------------------------------------
1 | namespace System.Runtime.CompilerServices
2 | {
3 | public class RuntimeHelpers
4 | {
5 | public static unsafe int OffsetToStringData => sizeof(IntPtr) + sizeof(int);
6 | }
7 |
8 | public sealed class ExtensionAttribute : Attribute { }
9 |
10 | public enum MethodImplOptions
11 | {
12 | Unmanaged = 0x0004,
13 | NoInlining = 0x0008,
14 | NoOptimization = 0x0040,
15 | AggressiveInlining = 0x0100,
16 | AggressiveOptimization = 0x200,
17 | InternalCall = 0x1000,
18 | }
19 |
20 | //Implementing the MethodImpl attribute for RuntimeExport to work
21 | public sealed class MethodImplAttribute : Attribute
22 | {
23 | public MethodImplAttribute(MethodImplOptions opt) { }
24 | }
25 | }
26 |
27 |
--------------------------------------------------------------------------------
/KernelSharp/Runtime/Runtime.cs:
--------------------------------------------------------------------------------
1 | namespace System
2 | {
3 | namespace Runtime
4 | {
5 | internal sealed class RuntimeExportAttribute : Attribute
6 | {
7 | public RuntimeExportAttribute(string entry) { }
8 | }
9 |
10 | internal sealed class RuntimeImportAttribute : Attribute
11 | {
12 | public string DllName { get; }
13 | public string EntryPoint { get; }
14 |
15 | public RuntimeImportAttribute(string entry)
16 | {
17 | EntryPoint = entry;
18 | }
19 |
20 | public RuntimeImportAttribute(string dllName, string entry)
21 | {
22 | EntryPoint = entry;
23 | DllName = dllName;
24 | }
25 | }
26 | }
27 |
28 | class Array : Array { }
29 | }
--------------------------------------------------------------------------------
/KernelSharp/KernelSharp.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31624.102
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "KernelSharp", "KernelSharp.csproj", "{F0D68ECC-DAED-4E7E-B880-B01039269FD4}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Release|Any CPU = Release|Any CPU
11 | EndGlobalSection
12 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 | {F0D68ECC-DAED-4E7E-B880-B01039269FD4}.Release|Any CPU.ActiveCfg = Release|Any CPU
14 | {F0D68ECC-DAED-4E7E-B880-B01039269FD4}.Release|Any CPU.Build.0 = Release|Any CPU
15 | EndGlobalSection
16 | GlobalSection(SolutionProperties) = preSolution
17 | HideSolutionNode = FALSE
18 | EndGlobalSection
19 | GlobalSection(ExtensibilityGlobals) = postSolution
20 | SolutionGuid = {6AE68CFE-EF9C-42D3-9D9D-2DCD85C7F5BD}
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 VollRagm
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/KernelSharp/build.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 |
3 | :: you have to set the path to whatever it is for you
4 | @set ILCPATH="E:\tools"
5 | @set NTOSKRNLLIBPATH="D:\Windows Kits\10\lib\10.0.19041.0\km\x64\ntoskrnl.lib"
6 |
7 | @if not exist %ILCPATH%\ilc.exe (
8 | echo The DROPPATH environment variable not set.
9 | exit /B
10 | )
11 |
12 | @del Program.ilexe >nul 2>&1
13 | @del Program.obj >nul 2>&1
14 | @del Program.exe >nul 2>&1
15 | @del Program.map >nul 2>&1
16 | @del Program.pdb >nul 2>&1
17 |
18 | @if "%1" == "clean" exit /B
19 |
20 | csc.exe /nologo /debug:embedded /noconfig /nostdlib /runtimemetadataversion:v4.0.30319 Program.cs WDK.cs Runtime/InteropServices.cs Runtime/CompilerHelpers.cs Runtime/CompilerServices.cs Runtime/System.cs Runtime/Runtime.cs /out:Program.ilexe /langversion:latest /unsafe || goto Error
21 | %ILCPATH%\ilc Program.ilexe -o Program.obj --systemmodule Program --map Program.map -O || goto Error
22 |
23 | :: Also set this path to your oath
24 | link.exe %NTOSKRNLLIBPATH% /nologo /subsystem:native /DRIVER:WDM Program.obj /entry:DriverEntry /incremental:no /out:Driver.sys || goto Error
25 | @goto :EOF
26 |
27 | :Error
28 | @echo Tool failed.
29 | exit /B 1
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # KernelSharp
2 | This is an example of how to use [NativeAOT](https://github.com/dotnet/runtimelab/tree/feature/NativeAOT) to compile C# code to a Windows Kernel Mode driver.
3 | This repository contains parts of https://github.com/ZeroLP/ZeroKernel.
4 |
5 | If you want to see an example of a full memory R/W Driver using this, check out my repo https://github.com/VollRagm/KernelBypassSharp.
6 |
7 | # Compiling
8 | Open the build.bat and fix the file paths.
9 | ILCPATH is located at `C:\Users\username\.nuget\packages\runtime.win-x64.microsoft.dotnet.ilcompiler\7.0.0-alpha.1.21430.2\tools`, ntoskrnl.lib is located in the WDK install path.
10 | Run `x64 Native Tools Command Prompt for VS 2019`, cd into the project directory and run build.bat.
11 | You can load the driver or map it with kdmapper.
12 |
13 | # Creating a project
14 | Follow the [Quick start guide](https://github.com/dotnet/runtimelab/blob/feature/NativeAOT/docs/using-nativeaot/compiling.md) to create a new native project. After that simply edit the project file itself and add all properties from the project in this repository.
15 | After including WDK.cs and the Runtime folder in your project you will be able to compile it.
16 |
17 | ## Features
18 |
19 | - Call any kernel export
20 | - Convert C# strings to multibyte characters
21 | - Reading cr3
22 |
23 | ## Limitations
24 |
25 | - No support for variadic arguments
26 | - No managed multibyte character string type, conversion is required
27 | - The native compiler misplaces globally declared strings wrongly, causing a bluescreen when referenced
28 |
--------------------------------------------------------------------------------
/KernelSharp/KernelSharp.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 | true
7 | 9.0
8 |
9 | true
10 | true
11 | v4.0.30319
12 | false
13 | false
14 | true
15 |
16 | KernelSharp
17 |
18 |
19 |
20 |
21 |
22 | Release
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
--------------------------------------------------------------------------------
/KernelSharp/Runtime/InteropServices.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | namespace System.Runtime.InteropServices
4 | {
5 | public enum CallingConvention
6 | {
7 | Winapi = 1,
8 | Cdecl = 2,
9 | StdCall = 3,
10 | ThisCall = 4,
11 | FastCall = 5,
12 | }
13 |
14 | public class UnmanagedType { }
15 |
16 | #nullable enable
17 | [AttributeUsage(AttributeTargets.Method)]
18 | public sealed class UnmanagedCallersOnlyAttribute : Attribute
19 | {
20 | public UnmanagedCallersOnlyAttribute()
21 | {
22 | }
23 |
24 | ///
25 | /// Optional. If omitted, the runtime will use the default platform calling convention.
26 | ///
27 | public CallingConvention CallingConvention;
28 |
29 | ///
30 | /// Optional. If omitted, no named export is emitted during compilation.
31 | ///
32 | public string? EntryPoint;
33 | }
34 |
35 | #nullable disable
36 | [AttributeUsage(AttributeTargets.Field, Inherited = false)]
37 | public sealed class FieldOffsetAttribute : Attribute
38 | {
39 | public FieldOffsetAttribute(int offset)
40 | {
41 | Value = offset;
42 | }
43 |
44 | public int Value { get; }
45 | }
46 |
47 | sealed class StructLayoutAttribute : Attribute
48 | {
49 | public StructLayoutAttribute(LayoutKind layoutKind)
50 | {
51 | }
52 | }
53 |
54 | internal enum LayoutKind
55 | {
56 | Sequential = 0, // 0x00000008,
57 | Explicit = 2, // 0x00000010,
58 | Auto = 3, // 0x00000000,
59 | }
60 |
61 | internal enum CharSet
62 | {
63 | None = 1, // User didn't specify how to marshal strings.
64 | Ansi = 2, // Strings should be marshalled as ANSI 1 byte chars.
65 | Unicode = 3, // Strings should be marshalled as Unicode 2 byte chars.
66 | Auto = 4, // Marshal Strings in the right way for the target system.
67 | }
68 | }
69 |
--------------------------------------------------------------------------------
/KernelSharp/Runtime/CompilerHelpers.cs:
--------------------------------------------------------------------------------
1 | using System.Runtime;
2 |
3 | namespace Internal.Runtime.CompilerHelpers
4 | {
5 |
6 |
7 | // A class that the compiler looks for that has helpers to initialize the
8 | // process. The compiler can gracefully handle the helpers not being present,
9 | // but the class itself being absent is unhandled. Let's add an empty class.
10 | class StartupCodeHelpers
11 | {
12 | //A couple symbols the generated code will need we park them in this class
13 | // for no particular reason.These aid in transitioning to/from managed code.
14 | //Since we don't have a GC, the transition is a no-op.
15 | [RuntimeExport("RhpReversePInvoke2")]
16 | static void RhpReversePInvoke2() { }
17 | [RuntimeExport("RhpFallbackFailFast")]
18 | static void RhpFallbackFailFast() { }
19 | [RuntimeExport("RhpReversePInvokeReturn2")]
20 | static void RhpReversePInvokeReturn2() { }
21 | [RuntimeExport("RhpReversePInvoke")]
22 | static void RhpReversePInvoke() { }
23 | [RuntimeExport("RhpReversePInvokeReturn")]
24 | static void RhpReversePInvokeReturn() { }
25 | [System.Runtime.RuntimeExport("__fail_fast")]
26 | static void FailFast() { while (true) ; }
27 | [System.Runtime.RuntimeExport("RhpPInvoke")]
28 | static void RphPinvoke() { }
29 | [System.Runtime.RuntimeExport("RhpPInvokeReturn")]
30 | static void RphPinvokeReturn() { }
31 | }
32 |
33 | public class ThrowHelpers
34 | {
35 | //The function bodies can be left empty, they are only here to satisfy the compiler
36 |
37 | public enum ExceptionStringID
38 | {
39 | // TypeLoadException
40 | ClassLoadGeneral,
41 | ClassLoadExplicitGeneric,
42 | ClassLoadBadFormat,
43 | ClassLoadExplicitLayout,
44 | ClassLoadValueClassTooLarge,
45 | ClassLoadRankTooLarge,
46 |
47 | // MissingMethodException
48 | MissingMethod,
49 |
50 | // MissingFieldException
51 | MissingField,
52 |
53 | // FileNotFoundException
54 | FileLoadErrorGeneric,
55 |
56 | // InvalidProgramException
57 | InvalidProgramDefault,
58 | InvalidProgramSpecific,
59 | InvalidProgramVararg,
60 | InvalidProgramCallVirtFinalize,
61 | InvalidProgramUnmanagedCallersOnly,
62 | InvalidProgramCallAbstractMethod,
63 | InvalidProgramCallVirtStatic,
64 | InvalidProgramNonStaticMethod,
65 | InvalidProgramGenericMethod,
66 | InvalidProgramNonBlittableTypes,
67 |
68 | // BadImageFormatException
69 | BadImageFormatGeneric,
70 | }
71 |
72 | public static void ThrowInvalidProgramExceptionWithArgument(ExceptionStringID id, string methodName) { }
73 | public static void ThrowArgumentException() { }
74 | public static void ThrowOverflowException() { }
75 | public static void ThrowInvalidProgramException(ExceptionStringID id) { }
76 | }
77 | }
--------------------------------------------------------------------------------
/KernelSharp/Runtime/System.cs:
--------------------------------------------------------------------------------
1 | namespace System
2 | {
3 | public class Object
4 | {
5 | #pragma warning disable 169
6 | // The layout of object is a contract with the compiler.
7 | private IntPtr m_pMethodTable;
8 | #pragma warning restore 169
9 | }
10 | public struct Void { }
11 |
12 | // The layout of primitive types is special cased because it would be recursive.
13 | // These really don't need any fields to work.
14 | public struct Boolean { }
15 | public struct Char { }
16 | public struct SByte { }
17 | public struct Byte { }
18 | public struct Int16 { }
19 | public struct UInt16 { }
20 | public struct Int32 { }
21 | public struct UInt32 { }
22 | public struct Int64 { }
23 | public struct UInt64 { }
24 | public struct IntPtr { }
25 | public struct UIntPtr { }
26 | public struct Single { }
27 | public struct Double { }
28 | public struct Type { }
29 |
30 | public abstract class ValueType { }
31 | public abstract class Enum : ValueType { }
32 |
33 | public struct Nullable where T : struct { }
34 |
35 | public sealed class String { public readonly int Length; }
36 | public abstract class Array { }
37 | public abstract class Delegate { }
38 | public abstract class MulticastDelegate : Delegate { }
39 |
40 | public struct RuntimeTypeHandle { }
41 | public struct RuntimeMethodHandle { }
42 | public struct RuntimeFieldHandle { }
43 |
44 | public class Attribute { }
45 |
46 | [AttributeUsage(AttributeTargets.Class, Inherited = true)]
47 | public sealed class AttributeUsageAttribute : Attribute
48 | {
49 | private readonly AttributeTargets _attributeTarget;
50 | private bool _allowMultiple;
51 | private bool _inherited;
52 |
53 | internal static readonly AttributeUsageAttribute Default = new AttributeUsageAttribute(AttributeTargets.All);
54 |
55 | public AttributeUsageAttribute(AttributeTargets validOn)
56 | {
57 | _attributeTarget = validOn;
58 | _inherited = true;
59 | }
60 |
61 | internal AttributeUsageAttribute(AttributeTargets validOn, bool allowMultiple, bool inherited)
62 | {
63 | _attributeTarget = validOn;
64 | _allowMultiple = allowMultiple;
65 | _inherited = inherited;
66 | }
67 |
68 | public AttributeTargets ValidOn => _attributeTarget;
69 |
70 | public bool AllowMultiple
71 | {
72 | get => _allowMultiple;
73 | set => _allowMultiple = value;
74 | }
75 |
76 | public bool Inherited
77 | {
78 | get => _inherited;
79 | set => _inherited = value;
80 | }
81 | }
82 |
83 | [AttributeUsage(AttributeTargets.Enum, Inherited = false)]
84 | public class FlagsAttribute : Attribute
85 | {
86 | public FlagsAttribute()
87 | {
88 | }
89 | }
90 |
91 | [Flags]
92 | public enum AttributeTargets
93 | {
94 | Assembly = 0x0001,
95 | Module = 0x0002,
96 | Class = 0x0004,
97 | Struct = 0x0008,
98 | Enum = 0x0010,
99 | Constructor = 0x0020,
100 | Method = 0x0040,
101 | Property = 0x0080,
102 | Field = 0x0100,
103 | Event = 0x0200,
104 | Interface = 0x0400,
105 | Parameter = 0x0800,
106 | Delegate = 0x1000,
107 | ReturnValue = 0x2000,
108 | GenericParameter = 0x4000,
109 |
110 | All = Assembly | Module | Class | Struct | Enum | Constructor |
111 | Method | Property | Field | Event | Interface | Parameter |
112 | Delegate | ReturnValue | GenericParameter
113 | }
114 | }
115 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 | *.ilexe
13 | *.lnk
14 | *.map
15 | *.exe
16 | *.sys
17 |
18 | # User-specific files (MonoDevelop/Xamarin Studio)
19 | *.userprefs
20 |
21 | # Mono auto generated files
22 | mono_crash.*
23 |
24 | # Build results
25 | [Dd]ebug/
26 | [Dd]ebugPublic/
27 | [Rr]elease/
28 | [Rr]eleases/
29 | x64/
30 | x86/
31 | [Aa][Rr][Mm]/
32 | [Aa][Rr][Mm]64/
33 | bld/
34 | [Bb]in/
35 | [Oo]bj/
36 | [Ll]og/
37 | [Ll]ogs/
38 |
39 | # Visual Studio 2015/2017 cache/options directory
40 | .vs/
41 | # Uncomment if you have tasks that create the project's static files in wwwroot
42 | #wwwroot/
43 |
44 | # Visual Studio 2017 auto generated files
45 | Generated\ Files/
46 |
47 | # MSTest test Results
48 | [Tt]est[Rr]esult*/
49 | [Bb]uild[Ll]og.*
50 |
51 | # NUnit
52 | *.VisualState.xml
53 | TestResult.xml
54 | nunit-*.xml
55 |
56 | # Build Results of an ATL Project
57 | [Dd]ebugPS/
58 | [Rr]eleasePS/
59 | dlldata.c
60 |
61 | # Benchmark Results
62 | BenchmarkDotNet.Artifacts/
63 |
64 | # .NET Core
65 | project.lock.json
66 | project.fragment.lock.json
67 | artifacts/
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Visual Studio code coverage results
146 | *.coverage
147 | *.coveragexml
148 |
149 | # NCrunch
150 | _NCrunch_*
151 | .*crunch*.local.xml
152 | nCrunchTemp_*
153 |
154 | # MightyMoose
155 | *.mm.*
156 | AutoTest.Net/
157 |
158 | # Web workbench (sass)
159 | .sass-cache/
160 |
161 | # Installshield output folder
162 | [Ee]xpress/
163 |
164 | # DocProject is a documentation generator add-in
165 | DocProject/buildhelp/
166 | DocProject/Help/*.HxT
167 | DocProject/Help/*.HxC
168 | DocProject/Help/*.hhc
169 | DocProject/Help/*.hhk
170 | DocProject/Help/*.hhp
171 | DocProject/Help/Html2
172 | DocProject/Help/html
173 |
174 | # Click-Once directory
175 | publish/
176 |
177 | # Publish Web Output
178 | *.[Pp]ublish.xml
179 | *.azurePubxml
180 | # Note: Comment the next line if you want to checkin your web deploy settings,
181 | # but database connection strings (with potential passwords) will be unencrypted
182 | *.pubxml
183 | *.publishproj
184 |
185 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
186 | # checkin your Azure Web App publish settings, but sensitive information contained
187 | # in these scripts will be unencrypted
188 | PublishScripts/
189 |
190 | # NuGet Packages
191 | *.nupkg
192 | # NuGet Symbol Packages
193 | *.snupkg
194 | # The packages folder can be ignored because of Package Restore
195 | **/[Pp]ackages/*
196 | # except build/, which is used as an MSBuild target.
197 | !**/[Pp]ackages/build/
198 | # Uncomment if necessary however generally it will be regenerated when needed
199 | #!**/[Pp]ackages/repositories.config
200 | # NuGet v3's project.json files produces more ignorable files
201 | *.nuget.props
202 | *.nuget.targets
203 |
204 | # Microsoft Azure Build Output
205 | csx/
206 | *.build.csdef
207 |
208 | # Microsoft Azure Emulator
209 | ecf/
210 | rcf/
211 |
212 | # Windows Store app package directories and files
213 | AppPackages/
214 | BundleArtifacts/
215 | Package.StoreAssociation.xml
216 | _pkginfo.txt
217 | *.appx
218 | *.appxbundle
219 | *.appxupload
220 |
221 | # Visual Studio cache files
222 | # files ending in .cache can be ignored
223 | *.[Cc]ache
224 | # but keep track of directories ending in .cache
225 | !?*.[Cc]ache/
226 |
227 | # Others
228 | ClientBin/
229 | ~$*
230 | *~
231 | *.dbmdl
232 | *.dbproj.schemaview
233 | *.jfm
234 | *.pfx
235 | *.publishsettings
236 | orleans.codegen.cs
237 |
238 | # Including strong name files can present a security risk
239 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
240 | #*.snk
241 |
242 | # Since there are multiple workflows, uncomment next line to ignore bower_components
243 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
244 | #bower_components/
245 |
246 | # RIA/Silverlight projects
247 | Generated_Code/
248 |
249 | # Backup & report files from converting an old project file
250 | # to a newer Visual Studio version. Backup files are not needed,
251 | # because we have git ;-)
252 | _UpgradeReport_Files/
253 | Backup*/
254 | UpgradeLog*.XML
255 | UpgradeLog*.htm
256 | ServiceFabricBackup/
257 | *.rptproj.bak
258 |
259 | # SQL Server files
260 | *.mdf
261 | *.ldf
262 | *.ndf
263 |
264 | # Business Intelligence projects
265 | *.rdl.data
266 | *.bim.layout
267 | *.bim_*.settings
268 | *.rptproj.rsuser
269 | *- [Bb]ackup.rdl
270 | *- [Bb]ackup ([0-9]).rdl
271 | *- [Bb]ackup ([0-9][0-9]).rdl
272 |
273 | # Microsoft Fakes
274 | FakesAssemblies/
275 |
276 | # GhostDoc plugin setting file
277 | *.GhostDoc.xml
278 |
279 | # Node.js Tools for Visual Studio
280 | .ntvs_analysis.dat
281 | node_modules/
282 |
283 | # Visual Studio 6 build log
284 | *.plg
285 |
286 | # Visual Studio 6 workspace options file
287 | *.opt
288 |
289 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
290 | *.vbw
291 |
292 | # Visual Studio LightSwitch build output
293 | **/*.HTMLClient/GeneratedArtifacts
294 | **/*.DesktopClient/GeneratedArtifacts
295 | **/*.DesktopClient/ModelManifest.xml
296 | **/*.Server/GeneratedArtifacts
297 | **/*.Server/ModelManifest.xml
298 | _Pvt_Extensions
299 |
300 | # Paket dependency manager
301 | .paket/paket.exe
302 | paket-files/
303 |
304 | # FAKE - F# Make
305 | .fake/
306 |
307 | # CodeRush personal settings
308 | .cr/personal
309 |
310 | # Python Tools for Visual Studio (PTVS)
311 | __pycache__/
312 | *.pyc
313 |
314 | # Cake - Uncomment if you are using it
315 | # tools/**
316 | # !tools/packages.config
317 |
318 | # Tabs Studio
319 | *.tss
320 |
321 | # Telerik's JustMock configuration file
322 | *.jmconfig
323 |
324 | # BizTalk build output
325 | *.btp.cs
326 | *.btm.cs
327 | *.odx.cs
328 | *.xsd.cs
329 |
330 | # OpenCover UI analysis results
331 | OpenCover/
332 |
333 | # Azure Stream Analytics local run output
334 | ASALocalRun/
335 |
336 | # MSBuild Binary and Structured Log
337 | *.binlog
338 |
339 | # NVidia Nsight GPU debugger configuration file
340 | *.nvuser
341 |
342 | # MFractors (Xamarin productivity tool) working folder
343 | .mfractor/
344 |
345 | # Local History for Visual Studio
346 | .localhistory/
347 |
348 | # BeatPulse healthcheck temp database
349 | healthchecksdb
350 |
351 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
352 | MigrationBackup/
353 |
354 | # Ionide (cross platform F# VS Code tools) working folder
355 | .ionide/
356 | *.sys
357 |
--------------------------------------------------------------------------------
/KernelSharp/WDK.cs:
--------------------------------------------------------------------------------
1 | using System.Runtime;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | namespace KernelSharp
6 | {
7 | public static unsafe class WDK
8 | {
9 | #region Struct Definitions
10 |
11 | public struct PEPROCESS
12 | {
13 | private void* _Value;
14 |
15 | public static implicit operator PEPROCESS(void* value)
16 | {
17 | return new PEPROCESS { _Value = value };
18 | }
19 |
20 | public static implicit operator PEPROCESS(ulong value)
21 | {
22 | return new PEPROCESS { _Value = (void*)value };
23 | }
24 |
25 | public static implicit operator void*(PEPROCESS value)
26 | {
27 | return value._Value;
28 | }
29 |
30 | public static implicit operator ulong(PEPROCESS value)
31 | {
32 | return (ulong)value._Value;
33 | }
34 | }
35 |
36 | public struct PVOID
37 | {
38 | private void* _Value;
39 |
40 | public static implicit operator PVOID(void* value)
41 | {
42 | return new PVOID { _Value = value };
43 | }
44 |
45 | public static implicit operator PVOID(ulong value)
46 | {
47 | return new PVOID { _Value = (void*)value };
48 | }
49 |
50 | public static implicit operator void*(PVOID value)
51 | {
52 | return value._Value;
53 | }
54 |
55 | public static implicit operator ulong(PVOID value)
56 | {
57 | return (ulong)value._Value;
58 | }
59 | }
60 |
61 | #endregion
62 |
63 | #region Helper Methods
64 |
65 | public static bool NT_SUCCESS(NTSTATUS status)
66 | {
67 | return (((int)(status)) >= 0);
68 | }
69 |
70 | public static char* w_str(this string str)
71 | {
72 | fixed (char* wc = str)
73 | return wc;
74 | }
75 |
76 | ///
77 | /// Converts the Wide string into a Multibyte string. The pool has to be freed after usage.
78 | ///
79 | ///
80 | ///
81 | public static char* c_str(this string str)
82 | {
83 | fixed (void* wc = str)
84 | {
85 | //Allocate pool for char* taking the null terminator into consideration
86 | var buf = ExAllocatePool(PoolType.NonPagedPool, (ulong)str.Length + 1);
87 |
88 | //convert wchar_t* to char*
89 | wcstombs((char*)buf, wc, (ulong)(str.Length * 2) + 2);
90 | return (char*)buf;
91 | }
92 | }
93 |
94 | public static ulong __readcr3()
95 | {
96 | void* buffer = stackalloc byte[0x5C0];
97 | var sat = KeSaveStateForHibernate(buffer);
98 | ulong cr3 = *(ulong*)((ulong)buffer + 0x10);
99 | return cr3;
100 | }
101 |
102 | public static ulong DbgPrintEx(uint ComponentId, uint level, string Format, PVOID vararg1)
103 | {
104 | fixed (void* wc = Format)
105 | {
106 | //Allocate memory on the stack for char* taking the null terminator into consideration
107 | var buf = stackalloc byte[Format.Length + 1];
108 |
109 | //convert wchar_t* to char*
110 | wcstombs((char*)buf, wc, (ulong)(Format.Length * 2) + 2);
111 | return _DbgPrintEx(ComponentId, level, (char*)buf, vararg1);
112 | }
113 | }
114 |
115 | #endregion
116 |
117 | #region NTAPI Imports
118 |
119 | [MethodImpl(MethodImplOptions.InternalCall)]
120 | [RuntimeImport("ntoskrnl.exe", "ExAllocatePool")]
121 | public static extern PVOID ExAllocatePool(PoolType poolType, ulong size);
122 |
123 | [MethodImpl(MethodImplOptions.InternalCall)]
124 | [RuntimeImport("ntoskrnl.exe", "ExFreePool")]
125 | public static extern void ExFreePool(PVOID pool);
126 |
127 | [MethodImpl(MethodImplOptions.InternalCall)]
128 | [RuntimeImport("ntoskrnl.exe", "KeSaveStateForHibernate")]
129 | public static extern NTSTATUS KeSaveStateForHibernate(void* state);
130 |
131 | [MethodImpl(MethodImplOptions.InternalCall)]
132 | [RuntimeImport("ntoskrnl.exe", "DbgPrintEx")]
133 | private static extern ulong _DbgPrintEx(uint ComponentId, uint level, char* Format, void* vararg1);
134 |
135 | [MethodImpl(MethodImplOptions.InternalCall)]
136 | [RuntimeImport("ntoskrnl.exe", "ExGetPreviousMode")]
137 | public static extern KProcessorMode ExGetPreviousMode();
138 |
139 | [MethodImpl(MethodImplOptions.InternalCall)]
140 | [RuntimeImport("ntoskrnl.exe", "IoGetCurrentProcess")]
141 | public static extern void* IoGetCurrentProcess();
142 |
143 | [MethodImpl(MethodImplOptions.InternalCall)]
144 | [RuntimeImport("ntoskrnl.exe", "PsLookupProcessByProcessId")]
145 | public static extern NTSTATUS PsLookupProcessByProcessId(uint ProcessId, PEPROCESS* process);
146 |
147 | [MethodImpl(MethodImplOptions.InternalCall)]
148 | [RuntimeImport("ntoskrnl.exe", "DbgBreakPoint")]
149 | public static extern void DbgBreakPoint();
150 |
151 | [MethodImpl(MethodImplOptions.InternalCall)]
152 | [RuntimeImport("ntoskrnl.exe", "wcstombs")]
153 | public static extern ulong wcstombs(char* mbstr, void* wcstr, ulong count);
154 |
155 | [MethodImpl(MethodImplOptions.InternalCall)]
156 | [RuntimeImport("ntoskrnl.exe", "strstr")]
157 | public static extern char* strstr(char* str, char* subStr);
158 |
159 | [MethodImpl(MethodImplOptions.InternalCall)]
160 | [RuntimeImport("ntoskrnl.exe", "strlen")]
161 | public static extern ulong strlen(char* str);
162 |
163 | [MethodImpl(MethodImplOptions.InternalCall)]
164 | [RuntimeImport("ntoskrnl.exe", "wcslen")]
165 | public static extern ulong wcslen(char* str);
166 |
167 | [MethodImpl(MethodImplOptions.InternalCall)]
168 | [RuntimeImport("ntoskrnl.exe", "memcmp")]
169 | public static extern int memcmp(void* buf1, void* buf2, ulong size);
170 |
171 |
172 |
173 | #endregion
174 |
175 | public static class Undocumented
176 | {
177 |
178 | [MethodImpl(MethodImplOptions.InternalCall)]
179 | [RuntimeImport("ntoskrnl.exe", "ZwQuerySystemInformation")]
180 | public static extern NTSTATUS ZwQuerySystemInformation(SystemInformationClass SystemInformationClass, void* systemInformation, uint systemInformationLength, uint* ReturnLength);
181 |
182 | [MethodImpl(MethodImplOptions.InternalCall)]
183 | [RuntimeImport("ntoskrnl.exe", "MmCopyVirtualMemory")]
184 | public static extern NTSTATUS MmCopyVirtualMemory(void* SourceProcess, void* SourceAddress, void* TargetProcess, void* TargetAddress, ulong BufferSize, KProcessorMode PreviousMode, ulong* ReturnSize);
185 |
186 | [MethodImpl(MethodImplOptions.InternalCall)]
187 | [RuntimeImport("ntoskrnl.exe", "PsGetProcessSectionBaseAddress")]
188 | public static extern PVOID PsGetProcessSectionBaseAddress(void* process);
189 |
190 | [StructLayout(LayoutKind.Sequential)]
191 | public struct RTL_PROCESS_MODULE_INFORMATION
192 | {
193 | public ulong Handle;
194 | public ulong MappedBase;
195 | public ulong ImageBase;
196 | public uint ImageSize;
197 | public uint Flags;
198 | public ushort LoadOrderIndex;
199 | public ushort InitOrderIndex;
200 | public ushort LoadCount;
201 | public ushort OffsetToFileName;
202 | public fixed byte FullPathName[256];
203 | }
204 |
205 | [StructLayout(LayoutKind.Sequential)]
206 | public struct RTL_PROCESS_MODULES
207 | {
208 | public uint NumberOfModules;
209 | public RTL_PROCESS_MODULE_INFORMATION Modules;
210 | }
211 | }
212 |
213 | #region Enums
214 |
215 | public enum KProcessorMode
216 | {
217 | KernelMode,
218 | UserMode,
219 | MaximumMode
220 | };
221 |
222 | public enum SystemInformationClass
223 | {
224 | SystemBasicInformation = 0x0,
225 | SystemProcessorInformation = 0x1,
226 | SystemPerformanceInformation = 0x2,
227 | SystemTimeOfDayInformation = 0x3,
228 | SystemPathInformation = 0x4,
229 | SystemProcessInformation = 0x5,
230 | SystemCallCountInformation = 0x6,
231 | SystemDeviceInformation = 0x7,
232 | SystemProcessorPerformanceInformation = 0x8,
233 | SystemFlagsInformation = 0x9,
234 | SystemCallTimeInformation = 0xa,
235 | SystemModuleInformation = 0xb,
236 | SystemLocksInformation = 0xc,
237 | SystemStackTraceInformation = 0xd,
238 | SystemPagedPoolInformation = 0xe,
239 | SystemNonPagedPoolInformation = 0xf,
240 | SystemHandleInformation = 0x10,
241 | SystemObjectInformation = 0x11,
242 | SystemPageFileInformation = 0x12,
243 | SystemVdmInstemulInformation = 0x13,
244 | SystemVdmBopInformation = 0x14,
245 | SystemFileCacheInformation = 0x15,
246 | SystemPoolTagInformation = 0x16,
247 | SystemInterruptInformation = 0x17,
248 | SystemDpcBehaviorInformation = 0x18,
249 | SystemFullMemoryInformation = 0x19,
250 | SystemLoadGdiDriverInformation = 0x1a,
251 | SystemUnloadGdiDriverInformation = 0x1b,
252 | SystemTimeAdjustmentInformation = 0x1c,
253 | SystemSummaryMemoryInformation = 0x1d,
254 | SystemMirrorMemoryInformation = 0x1e,
255 | SystemPerformanceTraceInformation = 0x1f,
256 | SystemObsolete0 = 0x20,
257 | SystemExceptionInformation = 0x21,
258 | SystemCrashDumpStateInformation = 0x22,
259 | SystemKernelDebuggerInformation = 0x23,
260 | SystemContextSwitchInformation = 0x24,
261 | SystemRegistryQuotaInformation = 0x25,
262 | SystemExtendServiceTableInformation = 0x26,
263 | SystemPrioritySeperation = 0x27,
264 | SystemVerifierAddDriverInformation = 0x28,
265 | SystemVerifierRemoveDriverInformation = 0x29,
266 | SystemProcessorIdleInformation = 0x2a,
267 | SystemLegacyDriverInformation = 0x2b,
268 | SystemCurrentTimeZoneInformation = 0x2c,
269 | SystemLookasideInformation = 0x2d,
270 | SystemTimeSlipNotification = 0x2e,
271 | SystemSessionCreate = 0x2f,
272 | SystemSessionDetach = 0x30,
273 | SystemSessionInformation = 0x31,
274 | SystemRangeStartInformation = 0x32,
275 | SystemVerifierInformation = 0x33,
276 | SystemVerifierThunkExtend = 0x34,
277 | SystemSessionProcessInformation = 0x35,
278 | SystemLoadGdiDriverInSystemSpace = 0x36,
279 | SystemNumaProcessorMap = 0x37,
280 | SystemPrefetcherInformation = 0x38,
281 | SystemExtendedProcessInformation = 0x39,
282 | SystemRecommendedSharedDataAlignment = 0x3a,
283 | SystemComPlusPackage = 0x3b,
284 | SystemNumaAvailableMemory = 0x3c,
285 | SystemProcessorPowerInformation = 0x3d,
286 | SystemEmulationBasicInformation = 0x3e,
287 | SystemEmulationProcessorInformation = 0x3f,
288 | SystemExtendedHandleInformation = 0x40,
289 | SystemLostDelayedWriteInformation = 0x41,
290 | SystemBigPoolInformation = 0x42,
291 | SystemSessionPoolTagInformation = 0x43,
292 | SystemSessionMappedViewInformation = 0x44,
293 | SystemHotpatchInformation = 0x45,
294 | SystemObjectSecurityMode = 0x46,
295 | SystemWatchdogTimerHandler = 0x47,
296 | SystemWatchdogTimerInformation = 0x48,
297 | SystemLogicalProcessorInformation = 0x49,
298 | SystemWow64SharedInformationObsolete = 0x4a,
299 | SystemRegisterFirmwareTableInformationHandler = 0x4b,
300 | SystemFirmwareTableInformation = 0x4c,
301 | SystemModuleInformationEx = 0x4d,
302 | SystemVerifierTriageInformation = 0x4e,
303 | SystemSuperfetchInformation = 0x4f,
304 | SystemMemoryListInformation = 0x50,
305 | SystemFileCacheInformationEx = 0x51,
306 | SystemThreadPriorityClientIdInformation = 0x52,
307 | SystemProcessorIdleCycleTimeInformation = 0x53,
308 | SystemVerifierCancellationInformation = 0x54,
309 | SystemProcessorPowerInformationEx = 0x55,
310 | SystemRefTraceInformation = 0x56,
311 | SystemSpecialPoolInformation = 0x57,
312 | SystemProcessIdInformation = 0x58,
313 | SystemErrorPortInformation = 0x59,
314 | SystemBootEnvironmentInformation = 0x5a,
315 | SystemHypervisorInformation = 0x5b,
316 | SystemVerifierInformationEx = 0x5c,
317 | SystemTimeZoneInformation = 0x5d,
318 | SystemImageFileExecutionOptionsInformation = 0x5e,
319 | SystemCoverageInformation = 0x5f,
320 | SystemPrefetchPatchInformation = 0x60,
321 | SystemVerifierFaultsInformation = 0x61,
322 | SystemSystemPartitionInformation = 0x62,
323 | SystemSystemDiskInformation = 0x63,
324 | SystemProcessorPerformanceDistribution = 0x64,
325 | SystemNumaProximityNodeInformation = 0x65,
326 | SystemDynamicTimeZoneInformation = 0x66,
327 | SystemCodeIntegrityInformation = 0x67,
328 | SystemProcessorMicrocodeUpdateInformation = 0x68,
329 | SystemProcessorBrandString = 0x69,
330 | SystemVirtualAddressInformation = 0x6a,
331 | SystemLogicalProcessorAndGroupInformation = 0x6b,
332 | SystemProcessorCycleTimeInformation = 0x6c,
333 | SystemStoreInformation = 0x6d,
334 | SystemRegistryAppendString = 0x6e,
335 | SystemAitSamplingValue = 0x6f,
336 | SystemVhdBootInformation = 0x70,
337 | SystemCpuQuotaInformation = 0x71,
338 | SystemNativeBasicInformation = 0x72,
339 | SystemErrorPortTimeouts = 0x73,
340 | SystemLowPriorityIoInformation = 0x74,
341 | SystemBootEntropyInformation = 0x75,
342 | SystemVerifierCountersInformation = 0x76,
343 | SystemPagedPoolInformationEx = 0x77,
344 | SystemSystemPtesInformationEx = 0x78,
345 | SystemNodeDistanceInformation = 0x79,
346 | SystemAcpiAuditInformation = 0x7a,
347 | SystemBasicPerformanceInformation = 0x7b,
348 | SystemQueryPerformanceCounterInformation = 0x7c,
349 | SystemSessionBigPoolInformation = 0x7d,
350 | SystemBootGraphicsInformation = 0x7e,
351 | SystemScrubPhysicalMemoryInformation = 0x7f,
352 | SystemBadPageInformation = 0x80,
353 | SystemProcessorProfileControlArea = 0x81,
354 | SystemCombinePhysicalMemoryInformation = 0x82,
355 | SystemEntropyInterruptTimingInformation = 0x83,
356 | SystemConsoleInformation = 0x84,
357 | SystemPlatformBinaryInformation = 0x85,
358 | SystemThrottleNotificationInformation = 0x86,
359 | SystemHypervisorProcessorCountInformation = 0x87,
360 | SystemDeviceDataInformation = 0x88,
361 | SystemDeviceDataEnumerationInformation = 0x89,
362 | SystemMemoryTopologyInformation = 0x8a,
363 | SystemMemoryChannelInformation = 0x8b,
364 | SystemBootLogoInformation = 0x8c,
365 | SystemProcessorPerformanceInformationEx = 0x8d,
366 | SystemSpare0 = 0x8e,
367 | SystemSecureBootPolicyInformation = 0x8f,
368 | SystemPageFileInformationEx = 0x90,
369 | SystemSecureBootInformation = 0x91,
370 | SystemEntropyInterruptTimingRawInformation = 0x92,
371 | SystemPortableWorkspaceEfiLauncherInformation = 0x93,
372 | SystemFullProcessInformation = 0x94,
373 | SystemKernelDebuggerInformationEx = 0x95,
374 | SystemBootMetadataInformation = 0x96,
375 | SystemSoftRebootInformation = 0x97,
376 | SystemElamCertificateInformation = 0x98,
377 | SystemOfflineDumpConfigInformation = 0x99,
378 | SystemProcessorFeaturesInformation = 0x9a,
379 | SystemRegistryReconciliationInformation = 0x9b,
380 | SystemSupportedProcessArchitectures = 0xb5,
381 | }
382 |
383 | public enum PoolType
384 | {
385 | NonPagedPool,
386 | NonPagedPoolExecute = NonPagedPool,
387 | PagedPool,
388 | NonPagedPoolMustSucceed = NonPagedPool + 2,
389 | DontUseThisType,
390 | NonPagedPoolCacheAligned = NonPagedPool + 4,
391 | PagedPoolCacheAligned,
392 | NonPagedPoolCacheAlignedMustS = NonPagedPool + 6,
393 | MaxPoolType,
394 | NonPagedPoolBase = 0,
395 | NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2,
396 | NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4,
397 | NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6,
398 | NonPagedPoolSession = 32,
399 | PagedPoolSession = NonPagedPoolSession + 1,
400 | NonPagedPoolMustSucceedSession = PagedPoolSession + 1,
401 | DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1,
402 | NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1,
403 | PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1,
404 | NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1,
405 | NonPagedPoolNx = 512,
406 | NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4,
407 | NonPagedPoolSessionNx = NonPagedPoolNx + 32,
408 | }
409 |
410 | public enum NTSTATUS : uint
411 | {
412 | // Success
413 | Success = 0x00000000,
414 | Wait0 = 0x00000000,
415 | Wait1 = 0x00000001,
416 | Wait2 = 0x00000002,
417 | Wait3 = 0x00000003,
418 | Wait63 = 0x0000003f,
419 | Abandoned = 0x00000080,
420 | AbandonedWait0 = 0x00000080,
421 | AbandonedWait1 = 0x00000081,
422 | AbandonedWait2 = 0x00000082,
423 | AbandonedWait3 = 0x00000083,
424 | AbandonedWait63 = 0x000000bf,
425 | UserApc = 0x000000c0,
426 | KernelApc = 0x00000100,
427 | Alerted = 0x00000101,
428 | Timeout = 0x00000102,
429 | Pending = 0x00000103,
430 | Reparse = 0x00000104,
431 | MoreEntries = 0x00000105,
432 | NotAllAssigned = 0x00000106,
433 | SomeNotMapped = 0x00000107,
434 | OpLockBreakInProgress = 0x00000108,
435 | VolumeMounted = 0x00000109,
436 | RxActCommitted = 0x0000010a,
437 | NotifyCleanup = 0x0000010b,
438 | NotifyEnumDir = 0x0000010c,
439 | NoQuotasForAccount = 0x0000010d,
440 | PrimaryTransportConnectFailed = 0x0000010e,
441 | PageFaultTransition = 0x00000110,
442 | PageFaultDemandZero = 0x00000111,
443 | PageFaultCopyOnWrite = 0x00000112,
444 | PageFaultGuardPage = 0x00000113,
445 | PageFaultPagingFile = 0x00000114,
446 | CrashDump = 0x00000116,
447 | ReparseObject = 0x00000118,
448 | NothingToTerminate = 0x00000122,
449 | ProcessNotInJob = 0x00000123,
450 | ProcessInJob = 0x00000124,
451 | ProcessCloned = 0x00000129,
452 | FileLockedWithOnlyReaders = 0x0000012a,
453 | FileLockedWithWriters = 0x0000012b,
454 |
455 | // Informational
456 | Informational = 0x40000000,
457 | ObjectNameExists = 0x40000000,
458 | ThreadWasSuspended = 0x40000001,
459 | WorkingSetLimitRange = 0x40000002,
460 | ImageNotAtBase = 0x40000003,
461 | RegistryRecovered = 0x40000009,
462 |
463 | // Warning
464 | Warning = 0x80000000,
465 | GuardPageViolation = 0x80000001,
466 | DatatypeMisalignment = 0x80000002,
467 | Breakpoint = 0x80000003,
468 | SingleStep = 0x80000004,
469 | BufferOverflow = 0x80000005,
470 | NoMoreFiles = 0x80000006,
471 | HandlesClosed = 0x8000000a,
472 | PartialCopy = 0x8000000d,
473 | DeviceBusy = 0x80000011,
474 | InvalidEaName = 0x80000013,
475 | EaListInconsistent = 0x80000014,
476 | NoMoreEntries = 0x8000001a,
477 | LongJump = 0x80000026,
478 | DllMightBeInsecure = 0x8000002b,
479 |
480 | // Error
481 | Error = 0xc0000000,
482 | Unsuccessful = 0xc0000001,
483 | NotImplemented = 0xc0000002,
484 | InvalidInfoClass = 0xc0000003,
485 | InfoLengthMismatch = 0xc0000004,
486 | AccessViolation = 0xc0000005,
487 | InPageError = 0xc0000006,
488 | PagefileQuota = 0xc0000007,
489 | InvalidHandle = 0xc0000008,
490 | BadInitialStack = 0xc0000009,
491 | BadInitialPc = 0xc000000a,
492 | InvalidCid = 0xc000000b,
493 | TimerNotCanceled = 0xc000000c,
494 | InvalidParameter = 0xc000000d,
495 | NoSuchDevice = 0xc000000e,
496 | NoSuchFile = 0xc000000f,
497 | InvalidDeviceRequest = 0xc0000010,
498 | EndOfFile = 0xc0000011,
499 | WrongVolume = 0xc0000012,
500 | NoMediaInDevice = 0xc0000013,
501 | NoMemory = 0xc0000017,
502 | NotMappedView = 0xc0000019,
503 | UnableToFreeVm = 0xc000001a,
504 | UnableToDeleteSection = 0xc000001b,
505 | IllegalInstruction = 0xc000001d,
506 | AlreadyCommitted = 0xc0000021,
507 | AccessDenied = 0xc0000022,
508 | BufferTooSmall = 0xc0000023,
509 | ObjectTypeMismatch = 0xc0000024,
510 | NonContinuableException = 0xc0000025,
511 | BadStack = 0xc0000028,
512 | NotLocked = 0xc000002a,
513 | NotCommitted = 0xc000002d,
514 | InvalidParameterMix = 0xc0000030,
515 | ObjectNameInvalid = 0xc0000033,
516 | ObjectNameNotFound = 0xc0000034,
517 | ObjectNameCollision = 0xc0000035,
518 | ObjectPathInvalid = 0xc0000039,
519 | ObjectPathNotFound = 0xc000003a,
520 | ObjectPathSyntaxBad = 0xc000003b,
521 | DataOverrun = 0xc000003c,
522 | DataLate = 0xc000003d,
523 | DataError = 0xc000003e,
524 | CrcError = 0xc000003f,
525 | SectionTooBig = 0xc0000040,
526 | PortConnectionRefused = 0xc0000041,
527 | InvalidPortHandle = 0xc0000042,
528 | SharingViolation = 0xc0000043,
529 | QuotaExceeded = 0xc0000044,
530 | InvalidPageProtection = 0xc0000045,
531 | MutantNotOwned = 0xc0000046,
532 | SemaphoreLimitExceeded = 0xc0000047,
533 | PortAlreadySet = 0xc0000048,
534 | SectionNotImage = 0xc0000049,
535 | SuspendCountExceeded = 0xc000004a,
536 | ThreadIsTerminating = 0xc000004b,
537 | BadWorkingSetLimit = 0xc000004c,
538 | IncompatibleFileMap = 0xc000004d,
539 | SectionProtection = 0xc000004e,
540 | EasNotSupported = 0xc000004f,
541 | EaTooLarge = 0xc0000050,
542 | NonExistentEaEntry = 0xc0000051,
543 | NoEasOnFile = 0xc0000052,
544 | EaCorruptError = 0xc0000053,
545 | FileLockConflict = 0xc0000054,
546 | LockNotGranted = 0xc0000055,
547 | DeletePending = 0xc0000056,
548 | CtlFileNotSupported = 0xc0000057,
549 | UnknownRevision = 0xc0000058,
550 | RevisionMismatch = 0xc0000059,
551 | InvalidOwner = 0xc000005a,
552 | InvalidPrimaryGroup = 0xc000005b,
553 | NoImpersonationToken = 0xc000005c,
554 | CantDisableMandatory = 0xc000005d,
555 | NoLogonServers = 0xc000005e,
556 | NoSuchLogonSession = 0xc000005f,
557 | NoSuchPrivilege = 0xc0000060,
558 | PrivilegeNotHeld = 0xc0000061,
559 | InvalidAccountName = 0xc0000062,
560 | UserExists = 0xc0000063,
561 | NoSuchUser = 0xc0000064,
562 | GroupExists = 0xc0000065,
563 | NoSuchGroup = 0xc0000066,
564 | MemberInGroup = 0xc0000067,
565 | MemberNotInGroup = 0xc0000068,
566 | LastAdmin = 0xc0000069,
567 | WrongPassword = 0xc000006a,
568 | IllFormedPassword = 0xc000006b,
569 | PasswordRestriction = 0xc000006c,
570 | LogonFailure = 0xc000006d,
571 | AccountRestriction = 0xc000006e,
572 | InvalidLogonHours = 0xc000006f,
573 | InvalidWorkstation = 0xc0000070,
574 | PasswordExpired = 0xc0000071,
575 | AccountDisabled = 0xc0000072,
576 | NoneMapped = 0xc0000073,
577 | TooManyLuidsRequested = 0xc0000074,
578 | LuidsExhausted = 0xc0000075,
579 | InvalidSubAuthority = 0xc0000076,
580 | InvalidAcl = 0xc0000077,
581 | InvalidSid = 0xc0000078,
582 | InvalidSecurityDescr = 0xc0000079,
583 | ProcedureNotFound = 0xc000007a,
584 | InvalidImageFormat = 0xc000007b,
585 | NoToken = 0xc000007c,
586 | BadInheritanceAcl = 0xc000007d,
587 | RangeNotLocked = 0xc000007e,
588 | DiskFull = 0xc000007f,
589 | ServerDisabled = 0xc0000080,
590 | ServerNotDisabled = 0xc0000081,
591 | TooManyGuidsRequested = 0xc0000082,
592 | GuidsExhausted = 0xc0000083,
593 | InvalidIdAuthority = 0xc0000084,
594 | AgentsExhausted = 0xc0000085,
595 | InvalidVolumeLabel = 0xc0000086,
596 | SectionNotExtended = 0xc0000087,
597 | NotMappedData = 0xc0000088,
598 | ResourceDataNotFound = 0xc0000089,
599 | ResourceTypeNotFound = 0xc000008a,
600 | ResourceNameNotFound = 0xc000008b,
601 | ArrayBoundsExceeded = 0xc000008c,
602 | FloatDenormalOperand = 0xc000008d,
603 | FloatDivideByZero = 0xc000008e,
604 | FloatInexactResult = 0xc000008f,
605 | FloatInvalidOperation = 0xc0000090,
606 | FloatOverflow = 0xc0000091,
607 | FloatStackCheck = 0xc0000092,
608 | FloatUnderflow = 0xc0000093,
609 | IntegerDivideByZero = 0xc0000094,
610 | IntegerOverflow = 0xc0000095,
611 | PrivilegedInstruction = 0xc0000096,
612 | TooManyPagingFiles = 0xc0000097,
613 | FileInvalid = 0xc0000098,
614 | InstanceNotAvailable = 0xc00000ab,
615 | PipeNotAvailable = 0xc00000ac,
616 | InvalidPipeState = 0xc00000ad,
617 | PipeBusy = 0xc00000ae,
618 | IllegalFunction = 0xc00000af,
619 | PipeDisconnected = 0xc00000b0,
620 | PipeClosing = 0xc00000b1,
621 | PipeConnected = 0xc00000b2,
622 | PipeListening = 0xc00000b3,
623 | InvalidReadMode = 0xc00000b4,
624 | IoTimeout = 0xc00000b5,
625 | FileForcedClosed = 0xc00000b6,
626 | ProfilingNotStarted = 0xc00000b7,
627 | ProfilingNotStopped = 0xc00000b8,
628 | NotSameDevice = 0xc00000d4,
629 | FileRenamed = 0xc00000d5,
630 | CantWait = 0xc00000d8,
631 | PipeEmpty = 0xc00000d9,
632 | CantTerminateSelf = 0xc00000db,
633 | InternalError = 0xc00000e5,
634 | InvalidParameter1 = 0xc00000ef,
635 | InvalidParameter2 = 0xc00000f0,
636 | InvalidParameter3 = 0xc00000f1,
637 | InvalidParameter4 = 0xc00000f2,
638 | InvalidParameter5 = 0xc00000f3,
639 | InvalidParameter6 = 0xc00000f4,
640 | InvalidParameter7 = 0xc00000f5,
641 | InvalidParameter8 = 0xc00000f6,
642 | InvalidParameter9 = 0xc00000f7,
643 | InvalidParameter10 = 0xc00000f8,
644 | InvalidParameter11 = 0xc00000f9,
645 | InvalidParameter12 = 0xc00000fa,
646 | MappedFileSizeZero = 0xc000011e,
647 | TooManyOpenedFiles = 0xc000011f,
648 | Cancelled = 0xc0000120,
649 | CannotDelete = 0xc0000121,
650 | InvalidComputerName = 0xc0000122,
651 | FileDeleted = 0xc0000123,
652 | SpecialAccount = 0xc0000124,
653 | SpecialGroup = 0xc0000125,
654 | SpecialUser = 0xc0000126,
655 | MembersPrimaryGroup = 0xc0000127,
656 | FileClosed = 0xc0000128,
657 | TooManyThreads = 0xc0000129,
658 | ThreadNotInProcess = 0xc000012a,
659 | TokenAlreadyInUse = 0xc000012b,
660 | PagefileQuotaExceeded = 0xc000012c,
661 | CommitmentLimit = 0xc000012d,
662 | InvalidImageLeFormat = 0xc000012e,
663 | InvalidImageNotMz = 0xc000012f,
664 | InvalidImageProtect = 0xc0000130,
665 | InvalidImageWin16 = 0xc0000131,
666 | LogonServer = 0xc0000132,
667 | DifferenceAtDc = 0xc0000133,
668 | SynchronizationRequired = 0xc0000134,
669 | DllNotFound = 0xc0000135,
670 | IoPrivilegeFailed = 0xc0000137,
671 | OrdinalNotFound = 0xc0000138,
672 | EntryPointNotFound = 0xc0000139,
673 | ControlCExit = 0xc000013a,
674 | PortNotSet = 0xc0000353,
675 | DebuggerInactive = 0xc0000354,
676 | CallbackBypass = 0xc0000503,
677 | PortClosed = 0xc0000700,
678 | MessageLost = 0xc0000701,
679 | InvalidMessage = 0xc0000702,
680 | RequestCanceled = 0xc0000703,
681 | RecursiveDispatch = 0xc0000704,
682 | LpcReceiveBufferExpected = 0xc0000705,
683 | LpcInvalidConnectionUsage = 0xc0000706,
684 | LpcRequestsNotAllowed = 0xc0000707,
685 | ResourceInUse = 0xc0000708,
686 | ProcessIsProtected = 0xc0000712,
687 | VolumeDirty = 0xc0000806,
688 | FileCheckedOut = 0xc0000901,
689 | CheckOutRequired = 0xc0000902,
690 | BadFileType = 0xc0000903,
691 | FileTooLarge = 0xc0000904,
692 | FormsAuthRequired = 0xc0000905,
693 | VirusInfected = 0xc0000906,
694 | VirusDeleted = 0xc0000907,
695 | TransactionalConflict = 0xc0190001,
696 | InvalidTransaction = 0xc0190002,
697 | TransactionNotActive = 0xc0190003,
698 | TmInitializationFailed = 0xc0190004,
699 | RmNotActive = 0xc0190005,
700 | RmMetadataCorrupt = 0xc0190006,
701 | TransactionNotJoined = 0xc0190007,
702 | DirectoryNotRm = 0xc0190008,
703 | CouldNotResizeLog = 0xc0190009,
704 | TransactionsUnsupportedRemote = 0xc019000a,
705 | LogResizeInvalidSize = 0xc019000b,
706 | RemoteFileVersionMismatch = 0xc019000c,
707 | CrmProtocolAlreadyExists = 0xc019000f,
708 | TransactionPropagationFailed = 0xc0190010,
709 | CrmProtocolNotFound = 0xc0190011,
710 | TransactionSuperiorExists = 0xc0190012,
711 | TransactionRequestNotValid = 0xc0190013,
712 | TransactionNotRequested = 0xc0190014,
713 | TransactionAlreadyAborted = 0xc0190015,
714 | TransactionAlreadyCommitted = 0xc0190016,
715 | TransactionInvalidMarshallBuffer = 0xc0190017,
716 | CurrentTransactionNotValid = 0xc0190018,
717 | LogGrowthFailed = 0xc0190019,
718 | ObjectNoLongerExists = 0xc0190021,
719 | StreamMiniversionNotFound = 0xc0190022,
720 | StreamMiniversionNotValid = 0xc0190023,
721 | MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024,
722 | CantOpenMiniversionWithModifyIntent = 0xc0190025,
723 | CantCreateMoreStreamMiniversions = 0xc0190026,
724 | HandleNoLongerValid = 0xc0190028,
725 | NoTxfMetadata = 0xc0190029,
726 | LogCorruptionDetected = 0xc0190030,
727 | CantRecoverWithHandleOpen = 0xc0190031,
728 | RmDisconnected = 0xc0190032,
729 | EnlistmentNotSuperior = 0xc0190033,
730 | RecoveryNotNeeded = 0xc0190034,
731 | RmAlreadyStarted = 0xc0190035,
732 | FileIdentityNotPersistent = 0xc0190036,
733 | CantBreakTransactionalDependency = 0xc0190037,
734 | CantCrossRmBoundary = 0xc0190038,
735 | TxfDirNotEmpty = 0xc0190039,
736 | IndoubtTransactionsExist = 0xc019003a,
737 | TmVolatile = 0xc019003b,
738 | RollbackTimerExpired = 0xc019003c,
739 | TxfAttributeCorrupt = 0xc019003d,
740 | EfsNotAllowedInTransaction = 0xc019003e,
741 | TransactionalOpenNotAllowed = 0xc019003f,
742 | TransactedMappingUnsupportedRemote = 0xc0190040,
743 | TxfMetadataAlreadyPresent = 0xc0190041,
744 | TransactionScopeCallbacksNotSet = 0xc0190042,
745 | TransactionRequiredPromotion = 0xc0190043,
746 | CannotExecuteFileInTransaction = 0xc0190044,
747 | TransactionsNotFrozen = 0xc0190045,
748 |
749 | MaximumNtStatus = 0xffffffff
750 | }
751 | #endregion
752 | }
753 | }
754 |
755 |
--------------------------------------------------------------------------------