/*
 * Repository listing as shown on the page (kept for reference):
 * ├── Loader.h
 * ├── NTHeader.h
 * ├── PELoader.c
 * ├── PELoader.vcxproj
 * ├── PELoader.vcxproj.filters
 * ├── PELoader.vcxproj.user
 * ├── README.md
 * └── Samples
 *     ├── SampleDLL_32.dll
 *     ├── SampleDLL_64.dll
 *     ├── SampleEXE_32.exe
 *     └── SampleEXE_64.exe
 */

/* ------------------------------ /Loader.h ------------------------------ */
#pragma once
#include "NTHeader.h"
/*
|| AUTHOR Arsium ||
|| github : https://github.com/arsium ||

|| THX TO ||
* https://github.com/adamhlt/Manual-DLL-Loader
* https://bidouillesecurity.com/tutorial-writing-a-pe-packer-part-1/
*/

/*
 * Entry-point signatures of the image being loaded: a DLL exposes the
 * DllMain(HMODULE, DWORD, LPVOID) contract, an EXE a plain void(void) entry.
 * Both are invoked directly by Loader() below, on the calling thread.
 */
typedef BOOL APIENTRY DllMain(HMODULE, DWORD, LPVOID); typedef DllMain* LPDllMain;
typedef VOID APIENTRY ExeEntry(void);

//This function is a rework of function of Sektor7 Malware Development Intermediate Section 2. PE madness
//with https://github.com/arbiter34/GetProcAddress/blob/master/GetProcAddress/GetProcAddress.cpp
/*
 * Resolve an export of a module that is already mapped in this process by
 * ordinal, walking the module's export directory by hand rather than calling
 * the documented GetProcAddress API.
 *
 * hMod  base address of a mapped module (its headers are trusted as-is: no
 *       signature, size or bounds validation is performed on them).
 * ord   export ordinal; only the low 16 bits are used.
 *
 * Returns the absolute address of the export, or NULL_PTR when the ordinal is
 * outside [Base, Base + NumberOfFunctions).
 *
 * Unlike the by-name variant below, a forwarded export is not detected here:
 * whatever the export address table holds for the ordinal is returned as-is.
 */
__forceinline LPVOID __cdecl GetProcedureAddressByOrd(HMODULE hMod, UINT ord)
{
    DWORD_PTR pBaseAddr = (DWORD_PTR)hMod;
    IMAGE_DOS_HEADER* pDosHdr = (IMAGE_DOS_HEADER*)pBaseAddr;
    // e_lfanew is taken from the mapped module without any range check.
    IMAGE_NT_HEADERS* pNTHdr = (IMAGE_NT_HEADERS*)(pBaseAddr + pDosHdr->e_lfanew);
    IMAGE_OPTIONAL_HEADER* pOptionalHdr = &pNTHdr->OptionalHeader;
    IMAGE_DATA_DIRECTORY* pExportDataDir = (IMAGE_DATA_DIRECTORY*)(&pOptionalHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    IMAGE_EXPORT_DIRECTORY* pExportDirAddr = (IMAGE_EXPORT_DIRECTORY*)(pBaseAddr + pExportDataDir->VirtualAddress);

    // Export address table: one RVA per exported function, indexed by (ordinal - Base).
    DWORD* pEAT = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfFunctions);

    WORD ordinal = (WORD)ord & 0xFFFF;
    DWORD Base = pExportDirAddr->Base;

    // Reject ordinals that would index past the export address table.
    if (ordinal < Base || ordinal >= Base + pExportDirAddr->NumberOfFunctions)
    {
        return NULL_PTR;
    }

    PVOID fct = (PVOID)(pBaseAddr + (DWORD_PTR)pEAT[ordinal - Base]);
    return fct;
}

//This function is a rework of function of Sektor7 Malware Development Intermediate Section 2. PE madness
//with https://github.com/arbiter34/GetProcAddress/blob/master/GetProcAddress/GetProcAddress.cpp
/*
 * Resolve an export of a mapped module by name, walking the export directory
 * by hand. Forwarded exports ("MODULE.Function" strings living inside the
 * export directory) are followed by recursing into the forward target module.
 *
 * hMod       base address of a mapped module (headers trusted as-is).
 * sProcName  NUL-terminated ANSI export name to look up.
 *
 * Returns the absolute address of the export, or NULL when no name matches.
 *
 * Helpers used here (CompareAnsi, Separator, ReverseSeparator, StringLengthA,
 * MallocCustom, CharToWCharT, GetModuleBaseAddress, GetProcedureAddressNt) are
 * defined elsewhere in the project; their ownership and return conventions are
 * not visible in this file, so the notes on the forwarder path below are
 * reviewer assumptions, not verified facts.
 */
__forceinline LPVOID __cdecl GetProcedureAddressByName(HMODULE hMod, char* sProcName)
{
    // NtFreeVirtualMemory is resolved on every call, even when no forwarder is hit.
    LPNTFREEVIRTUALMEMORY pNtFree = (LPNTFREEVIRTUALMEMORY)GetProcedureAddressNt("NtFreeVirtualMemory\0");

    DWORD_PTR pBaseAddr = (DWORD_PTR)hMod;
    IMAGE_DOS_HEADER* pDosHdr = (IMAGE_DOS_HEADER*)pBaseAddr;
    IMAGE_NT_HEADERS* pNTHdr = (IMAGE_NT_HEADERS*)(pBaseAddr + pDosHdr->e_lfanew);
    IMAGE_OPTIONAL_HEADER* pOptionalHdr = &pNTHdr->OptionalHeader;
    IMAGE_DATA_DIRECTORY* pExportDataDir = (IMAGE_DATA_DIRECTORY*)(&pOptionalHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    IMAGE_EXPORT_DIRECTORY* pExportDirAddr = (IMAGE_EXPORT_DIRECTORY*)(pBaseAddr + pExportDataDir->VirtualAddress);

    // The three parallel export tables: function RVAs, name RVAs, name->ordinal indices.
    DWORD* pEAT = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfFunctions);
    DWORD* pFuncNameTbl = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfNames);
    WORD* pHintsTbl = (WORD*)(pBaseAddr + pExportDirAddr->AddressOfNameOrdinals);

    // Linear scan of the name table; the names are sorted in a real PE but no
    // binary search is attempted here.
    for (DWORD i = 0; i < pExportDirAddr->NumberOfNames; i++)
    {
        char* sTmpFuncName = (char*)(pBaseAddr + (DWORD_PTR)pFuncNameTbl[i]);

        if (CompareAnsi(sProcName, sTmpFuncName) == TRUE)
        {
            // Same tables as pHintsTbl / pEAT above, re-derived from the base address.
            unsigned short nameOrdinal = ((unsigned short*)((unsigned long long)pBaseAddr + pExportDirAddr->AddressOfNameOrdinals))[i];
            unsigned int addr = ((unsigned int*)((unsigned long long)pBaseAddr + pExportDirAddr->AddressOfFunctions))[nameOrdinal];

            // An export whose RVA falls inside the export directory itself is a
            // forwarder string rather than code.
            if (addr > pExportDataDir->VirtualAddress && addr < pExportDataDir->VirtualAddress + pExportDataDir->Size)
            {
                char* forwardStr = (char*)(pBaseAddr + addr);
                // presumably splits "Module.Function" into its two halves — verify against the helpers' definitions
                char* funcName = Separator(forwardStr);
                char* moduleName = ReverseSeparator(forwardStr);

                SIZE_T size = ((SIZE_T)(StringLengthA(moduleName) * sizeof(WCHAR) + 2));
                WCHAR* moduleUnicode = MallocCustom(&size);
                // NOTE(review): the MallocCustom result is overwritten on the next
                // line, so whatever it allocated is never used and the pointer
                // handed to NtFreeVirtualMemory below is CharToWCharT's buffer,
                // not that allocation — confirm the intended ownership.
                moduleUnicode = CharToWCharT(moduleName);
                PVOID modAddress = GetModuleBaseAddress(moduleUnicode);

                pNtFree((HANDLE)(-1), &moduleUnicode, &size, MEM_RELEASE);
                size = ((SIZE_T)StringLengthA(moduleName));
                // NOTE(review): assumes ReverseSeparator returns a separately
                // allocated region; if it points into forwardStr this releases
                // the target module's own export section — confirm.
                pNtFree((HANDLE)(-1), &moduleName, &size, MEM_RELEASE);

                // modAddress is not checked for NULL before recursing; a forward
                // target that is not loaded in this process would be walked from
                // base address 0. Return values of pNtFree are not checked either.
                return GetProcedureAddressByName((HMODULE)modAddress, funcName);
            }
            else
            {
                return (LPVOID)(pBaseAddr + (DWORD_PTR)pEAT[pHintsTbl[i]]);
            }
        }
    }
    return NULL;
}

#define min(a,b) (((a) < (b)) ? (a) : (b))

/*
 * Map and run a PE image from a raw in-memory file buffer without going
 * through the Windows loader (a "reflective"/manual load).
 *
 * Stages, in order: allocate SizeOfImage bytes of private RW memory, copy the
 * headers (optionally overwriting them with ntdll's headers when cloakHeader
 * is set), copy each section's raw data to its virtual address, resolve the
 * import table (loading missing modules through LdrLoadDll), apply base
 * relocations, run TLS callbacks, set per-section page protections, and
 * finally call the image entry point on the current thread.
 *
 * PEData       caller-owned buffer holding the complete PE file bytes. It is
 *              trusted entirely: e_lfanew, SizeOfHeaders, section
 *              PointerToRawData/SizeOfRawData, import and relocation RVAs are
 *              all used without being checked against the buffer or against
 *              SizeOfImage, so a malformed image can read or write out of
 *              bounds.
 * status       out: receives the NTSTATUS of the last native call made.
 * cloakHeader  when non-zero, the mapped header bytes are replaced with the
 *              first min(ntdll SizeOfHeaders, image SizeOfHeaders) bytes of
 *              ntdll's headers, so the in-memory header no longer describes
 *              the sections that follow it.
 *
 * Returns *status on the first failing native call, otherwise NT_SUCCESS
 * after the entry point has returned. Note that NT_SUCCESS is defined in
 * NTHeader.h as the value 0, so every comparison below treats any non-zero
 * status — including informational/warning codes — as failure.
 *
 * Defender notes grounded in the calls below: the image lives in private
 * (non image-backed) memory obtained from NtAllocateVirtualMemory and is made
 * executable afterwards with NtProtectVirtualMemory; nothing in this function
 * registers it in any loader structure, and the in-memory headers may belong
 * to a different module when cloakHeader is used. Those properties are what
 * memory-scanning and module-list/backing-file comparison detections key on.
 * The function body is a single long sequence of raw pointer arithmetic and
 * ordered native calls; it is documented here rather than restructured.
 */
__forceinline NTSTATUS __cdecl Loader(BYTE* PEData, NTSTATUS* status, BOOL cloakHeader)
{
    // Native API entry points are resolved by name from ntdll at run time;
    // none of the results is checked for NULL before use.
    LPNTALLOCATEVIRTUALMEMORY pNtAllocate = (LPNTALLOCATEVIRTUALMEMORY)GetProcedureAddressNt((char*)"NtAllocateVirtualMemory\0");
    LPNTWRITEVIRTUALMEMORY pNtWrite = (LPNTWRITEVIRTUALMEMORY)GetProcedureAddressNt((char*)"NtWriteVirtualMemory\0");
    LPLDRLOADDLL pLdrLoadDll = (LPLDRLOADDLL)GetProcedureAddressNt("LdrLoadDll\0");
    LPRTLINITUNICODESTRING pUnicodeString = (LPRTLINITUNICODESTRING)GetProcedureAddressNt("RtlInitUnicodeString\0");
    LPNTPROTECTVIRTUALMEMORY pNtProtect = (LPNTPROTECTVIRTUALMEMORY)GetProcedureAddressNt("NtProtectVirtualMemory\0");

    // Headers are read straight out of the untrusted buffer: no MZ/PE
    // signature check, no bound on e_lfanew, no machine/magic check.
    IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)PEData;
    IMAGE_NT_HEADERS* pNtHeader = (IMAGE_NT_HEADERS*)(((BYTE*)pDosHeader) + pDosHeader->e_lfanew);

    DWORD_PTR sizeOfImage = (DWORD_PTR)pNtHeader->OptionalHeader.SizeOfImage;
    DWORD entryPointRVA = pNtHeader->OptionalHeader.AddressOfEntryPoint;
    DWORD sizeOfHeaders = pNtHeader->OptionalHeader.SizeOfHeaders;

    // Stage 1: reserve+commit the whole image as RW private memory in this
    // process ((HANDLE)-1 is the current-process pseudo handle).
    BYTE* imageLoadAddress = (BYTE*)NULL;
    *status = pNtAllocate((HANDLE)(-1), &imageLoadAddress, 0, &sizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (*status != NT_SUCCESS)
    {
        return *status;
    }

    // Stage 2: copy the headers. On any later failure the allocation above is
    // not released; the early returns below all leak it.
    *status = pNtWrite((HANDLE)(-1), imageLoadAddress, PEData, pNtHeader->OptionalHeader.SizeOfHeaders, 0);

    if (*status != NT_SUCCESS)
    {
        return *status;
    }

    // Optional: overwrite the just-copied headers with ntdll's own header
    // bytes. The image's section table is still read from PEData below, so
    // loading is unaffected; only the mapped copy changes.
    if (cloakHeader)
    {
        PVOID ntdllBaseAddress = GetModuleBaseAddress(L"ntdll.dll\0");
        if (ntdllBaseAddress != NULL)
        {
            IMAGE_DOS_HEADER* pNtDllDosHeader = ((IMAGE_DOS_HEADER*)ntdllBaseAddress);
            IMAGE_NT_HEADERS* pNtDllHeader = ((IMAGE_NT_HEADERS*)ntdllBaseAddress + pNtDllDosHeader->e_lfanew);
            *status = pNtWrite((HANDLE)(-1), imageLoadAddress, ntdllBaseAddress, min(pNtDllHeader->OptionalHeader.SizeOfHeaders, sizeOfHeaders), 0);

            if (*status != NT_SUCCESS)
            {
                return *status;
            }
        }
    }

    // Section table follows the optional header: Signature (4) + file header + SizeOfOptionalHeader.
    IMAGE_SECTION_HEADER* firstSection = (IMAGE_SECTION_HEADER*)((DWORD_PTR)pNtHeader + 4 + sizeof(IMAGE_FILE_HEADER) + pNtHeader->FileHeader.SizeOfOptionalHeader);

    // Stage 3: copy each section's raw bytes to its virtual address. `sec` and
    // `firstSection[i]` name the same entry. Neither VirtualAddress nor
    // PointerToRawData+SizeOfRawData is checked against sizeOfImage or the
    // length of PEData.
    for (int i = 0; i < pNtHeader->FileHeader.NumberOfSections; i++)// ++i
    {
        IMAGE_SECTION_HEADER* sec = (IMAGE_SECTION_HEADER*)((DWORD_PTR)firstSection + (i * sizeof(IMAGE_SECTION_HEADER)));
        BYTE* dest = imageLoadAddress + sec->VirtualAddress;
        if (firstSection[i].SizeOfRawData > 0)
        {
            *status = pNtWrite((HANDLE)(-1), dest, PEData + firstSection[i].PointerToRawData, firstSection[i].SizeOfRawData, 0);
            if (*status != NT_SUCCESS)
            {
                return *status;
            }
        }
    }

    // Stage 4: import resolution. The import directory is read from the
    // mapped copy; an image with no import directory (RVA 0) makes this
    // point at the (possibly cloaked) header bytes rather than being skipped.
    IMAGE_IMPORT_DESCRIPTOR* importDescriptors = (IMAGE_IMPORT_DESCRIPTOR*)(imageLoadAddress + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

    for (int i = 0; importDescriptors[i].OriginalFirstThunk != 0; i++)//++i
    {
        BYTE* moduleName = imageLoadAddress + importDescriptors[i].Name;
        // `m` is never released in this function; CharToWCharT's allocation
        // policy is not visible here — assumed to allocate, verify.
        WCHAR* m = CharToWCharT((char*)moduleName);
        HMODULE importModuleAddr = GetModuleBaseAddress(m);

        // Modules not already present are brought in through the real loader
        // (LdrLoadDll), so their load is visible as a normal module load event.
        if (importModuleAddr == NULL)
        {
            PVOID moduleAddress = NULL;
            UNICODE_STRING name = { 0 };
            pUnicodeString(&name, m);
            *status = pLdrLoadDll(NULL, NULL, &name, &moduleAddress);

            if (*status != NT_SUCCESS)
            {
                return *status;
            }
            else
            {
                importModuleAddr = moduleAddress;
            }
        }

        // ILT (names/ordinals) and IAT (slots to fill) for this module.
        IMAGE_THUNK_DATA* lookupTable = (IMAGE_THUNK_DATA*)(imageLoadAddress + importDescriptors[i].OriginalFirstThunk);
        IMAGE_THUNK_DATA* addressTable = (IMAGE_THUNK_DATA*)(imageLoadAddress + importDescriptors[i].FirstThunk);

        // Inner `i` shadows the descriptor index `i` of the outer loop.
        for (int i = 0; lookupTable[i].u1.AddressOfData != 0; ++i)
        {
            void* functionAddr = NULL;
            DWORD_PTR lookupAddr = lookupTable[i].u1.AddressOfData;

            if ((lookupAddr & IMAGE_ORDINAL_FLAG) == 0)
            {
                // Import by name: hint/name entry lives inside the mapped image.
                IMAGE_IMPORT_BY_NAME* image_import = (IMAGE_IMPORT_BY_NAME*)(imageLoadAddress + lookupAddr);
                char* funcName = (char*)&(image_import->Name);
                functionAddr = GetProcedureAddressByName(importModuleAddr, funcName);
            }
            else
            {
                // Import by ordinal: the ordinal is read from the IAT entry,
                // which still mirrors the ILT at this point because the slot
                // has not been written yet.
                UINT functionOrdinal = (UINT)IMAGE_ORDINAL(addressTable[i].u1.Ordinal);
                functionAddr = GetProcedureAddressByOrd(importModuleAddr, functionOrdinal);
            }
            /*if (functionAddr == NULL)
            {

            }*/
            // An unresolved import (NULL) is written into the IAT as-is; the
            // commented-out block above shows that a failure path was intended
            // but never implemented.
            addressTable[i].u1.Function = (DWORD_PTR)functionAddr;
        }
    }

    // Stage 5: base relocations. delta is the difference between where the
    // image actually landed and its preferred ImageBase.
    DWORD_PTR deltaVAReloc = ((DWORD_PTR)imageLoadAddress) - (DWORD_PTR)pNtHeader->OptionalHeader.ImageBase;

    // The first operand is a pointer sum, not the directory RVA, so with a
    // non-NULL imageLoadAddress it is always non-zero; only deltaVAReloc
    // effectively gates this block.
    if (imageLoadAddress + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0 && deltaVAReloc != 0)
    {
        IMAGE_BASE_RELOCATION* pRelocTable = (IMAGE_BASE_RELOCATION*)(imageLoadAddress + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);

        // Each block: header + array of 16-bit entries (4-bit type, 12-bit page offset).
        // Walking stops at a zero VirtualAddress; the directory Size is not consulted.
        while (pRelocTable->VirtualAddress != 0)
        {
            DWORD sizeOfTable = (pRelocTable->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 2;
            WORD* reloc = (WORD*)(pRelocTable + 1);

            for (DWORD i = 0; i < sizeOfTable; ++i)
            {
                int type = reloc[i] >> 12;
                int offset = reloc[i] & 0x0fff;

                DWORD_PTR* addressToChange = (DWORD_PTR*)(imageLoadAddress + pRelocTable->VirtualAddress + offset);

                // Only HIGHLOW (32-bit) and DIR64 (64-bit) are applied; both
                // add the delta through a DWORD_PTR-sized write. Other types
                // (including ABSOLUTE padding) are ignored.
                switch (type)
                {
                case IMAGE_REL_BASED_HIGHLOW:
                    *addressToChange += deltaVAReloc;
                    break;
                case IMAGE_REL_BASED_DIR64:
                    *addressToChange += deltaVAReloc;
                    break;
                default:
                    break;
                }
            }
            pRelocTable = (IMAGE_BASE_RELOCATION*)(((DWORD_PTR)pRelocTable) + pRelocTable->SizeOfBlock);
        }
    }

    // Stage 6: TLS callbacks, invoked before the entry point. They run on this
    // thread while the image is still mapped RW (protections are set below).
    if (pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != 0 && pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > 0)
    {
        PIMAGE_TLS_DIRECTORY pImageTLSDirectory = (PIMAGE_TLS_DIRECTORY)((DWORD_PTR)imageLoadAddress + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
        // AddressOfCallBacks is used as an absolute pointer; NOTE(review): this
        // relies on the relocation pass above having rebased it — confirm.
        PIMAGE_TLS_CALLBACK* pCallbackTable = (PIMAGE_TLS_CALLBACK*)pImageTLSDirectory->AddressOfCallBacks;

        while (*pCallbackTable != NULL_PTR)
        {
            PIMAGE_TLS_CALLBACK pImageCallback = *pCallbackTable;
            // First argument passed is PEData (the raw file buffer), not imageLoadAddress.
            pImageCallback(PEData, DLL_PROCESS_ATTACH, NULL_PTR);
            pCallbackTable++;
        }
    }

    // Stage 7: page protections. Headers become read-only, then each section
    // gets X/W/R derived from its Characteristics. None of the
    // NtProtectVirtualMemory results is checked, and the base/size
    // out-parameters it updates are passed by address of locals.
    DWORD oldProtect;
    DWORD_PTR sizeOf = pNtHeader->OptionalHeader.SizeOfHeaders;
    pNtProtect((HANDLE)(-1), &imageLoadAddress, &sizeOf, PAGE_READONLY, &oldProtect);;

    for (int i = 0; i < pNtHeader->FileHeader.NumberOfSections; i++)
    {
        BYTE* dest = imageLoadAddress + firstSection[i].VirtualAddress;
        DWORD sectionFlag = firstSection[i].Characteristics;
        DWORD virtualMemFlag = 0;
        if (sectionFlag & IMAGE_SCN_MEM_EXECUTE)
        {
            // A section flagged both EXECUTE and WRITE is mapped RWX here.
            virtualMemFlag = (sectionFlag & IMAGE_SCN_MEM_WRITE) ? PAGE_EXECUTE_READWRITE : PAGE_EXECUTE_READ;
        }
        else
        {
            virtualMemFlag = (sectionFlag & IMAGE_SCN_MEM_WRITE) ? PAGE_READWRITE : PAGE_READONLY;
        }

        sizeOf = firstSection[i].Misc.VirtualSize;
        pNtProtect((HANDLE)(-1), &dest, &sizeOf, virtualMemFlag, &oldProtect);
    }

    // Stage 8: transfer control. The entry point runs synchronously on the
    // calling thread; this function only returns when it does.
    DWORD_PTR callAddress = (DWORD_PTR)(imageLoadAddress + entryPointRVA);

    if (!(pNtHeader->FileHeader.Characteristics & IMAGE_FILE_DLL))
    {
        ExeEntry* mainExe = (ExeEntry*)((DWORD_PTR)callAddress);
        mainExe();
    }
    else
    {
        DllMain* mainDll = (DllMain*)((DWORD_PTR)callAddress);
        // The HMODULE handed to DllMain is callAddress (the entry point),
        // not imageLoadAddress; the DllMain return value is discarded.
        mainDll(((HMODULE)callAddress), DLL_PROCESS_ATTACH, NULL);
    }

    return NT_SUCCESS;
}

/* ------------------------------ /NTHeader.h ------------------------------ */
#pragma once

/*
Author : Arsium Copyright (C) 2023
Arsium. All Rights Reserved.

The definition types below come from my personal reversed stuff or link below.
This header aims to provide definitions for most symbols used in reverse & security in Windows world.
This header may be incomplete, incorrect or outdated.
More definitions will come in the future (existing could be updated) and will be sorted.
11 | 12 | OS : 21h2 (Windows 10) 13 | Build : 19044.2486 14 | Verision : 10.0.19044 15 | 16 | Sources : 17 | * https://learn.microsoft.com/en-us/windows/win32/winprog/windows-data-types 18 | * https://en.wikipedia.org/wiki/Win32_Thread_Information_Block 19 | * https://github.com/processhacker/phnt 20 | * https://github.com/winsiderss/systeminformer/tree/master/phnt/include 21 | * https://captmeelo.com/redteam/maldev/2022/05/10/ntcreateuserprocess.html 22 | * https://github.com/reactos/reactos 23 | * https://github.com/adamhlt/Manual-DLL-Loader 24 | * https://github.com/vxunderground/VX-API 25 | * https://github.com/arbiter34/GetProcAddress/blob/master/GetProcAddress/GetProcAddress.cpp 26 | * Sektor7 PE Madness 27 | */ 28 | 29 | #define NULL_PTR ((void *)0) 30 | #define NULL ((void *)0) 31 | #define far 32 | #define near 33 | #define FAR far 34 | #define NEAR near 35 | #define DUMMYSTRUCTNAME 36 | #define DUMMYUNIONNAME 37 | #define DUMMYUNIONNAME2 38 | //#define __nullterminated 39 | #define NTAPI __stdcall 40 | 41 | #ifdef FALSE 42 | #undef FALSE 43 | #endif 44 | #define FALSE 0 45 | 46 | #ifdef TRUE 47 | #undef TRUE 48 | #endif 49 | #define TRUE 1 50 | 51 | typedef void* PVOID; 52 | typedef PVOID HANDLE; 53 | typedef unsigned long DWORD; 54 | typedef HANDLE HICON; 55 | typedef unsigned short WORD; 56 | typedef long LONG; 57 | typedef long NTSTATUS; 58 | 59 | #ifdef NT_SUCCESS 60 | #undef NT_SUCCESS 61 | #endif 62 | #define NT_SUCCESS ((NTSTATUS)0x00000000L) 63 | #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) 64 | #define STATUS_PORT_NOT_SET ((NTSTATUS)0xC0000353L) 65 | #define STATUS_NOT_ALL_ASSIGNED ((NTSTATUS)0x00000106) 66 | 67 | typedef unsigned short WCHAR; 68 | typedef unsigned short USHORT; 69 | typedef unsigned char UCHAR; 70 | 71 | typedef DWORD ACCESS_MASK; 72 | typedef ACCESS_MASK* PACCESS_MASK; 73 | 74 | #ifdef UNICODE 75 | typedef WCHAR TBYTE; 76 | #else 77 | typedef unsigned char TBYTE; 78 | #endif 79 | 80 | #ifdef UNICODE 81 | typedef 
WCHAR TCHAR; 82 | #else 83 | typedef char TCHAR; 84 | #endif 85 | 86 | #if !defined(_M_IX86) 87 | typedef unsigned __int64 ULONGLONG; 88 | #else 89 | typedef double ULONGLONG; 90 | #endif 91 | 92 | #if defined(_WIN64) 93 | typedef unsigned __int64 ULONG_PTR; 94 | #else 95 | typedef unsigned long ULONG_PTR; 96 | #endif 97 | 98 | #if !defined(_M_IX86) 99 | typedef __int64 LONGLONG; 100 | #else 101 | typedef double LONGLONG; 102 | #endif 103 | 104 | #if defined(_WIN64) 105 | typedef __int64 LONG_PTR; 106 | #else 107 | typedef long LONG_PTR; 108 | #endif 109 | 110 | #ifdef _WIN64 111 | typedef unsigned int UHALF_PTR; 112 | #else 113 | typedef unsigned short UHALF_PTR; 114 | #endif 115 | 116 | typedef int BOOL; 117 | typedef unsigned char BYTE; 118 | typedef BYTE BOOLEAN; 119 | #define CALLBACK __stdcall 120 | typedef char CCHAR; 121 | typedef char CHAR; 122 | typedef DWORD COLORREF; 123 | #define CONST const 124 | 125 | typedef unsigned __int64 DWORDLONG; 126 | typedef ULONG_PTR DWORD_PTR; 127 | typedef unsigned int DWORD32; 128 | typedef unsigned __int64 DWORD64; 129 | typedef float FLOAT; 130 | typedef HANDLE HACCEL; 131 | typedef float FLOAT; 132 | 133 | #ifdef _WIN64 134 | typedef int HALF_PTR; 135 | #else 136 | typedef short HALF_PTR; 137 | #endif 138 | 139 | typedef HANDLE HBITMAP; 140 | typedef HANDLE HBRUSH; 141 | typedef HANDLE HCOLORSPACE; 142 | typedef HANDLE HCONV; 143 | typedef HANDLE HCONVLIST; 144 | typedef HICON HCURSOR; 145 | typedef HANDLE HDC; 146 | typedef HANDLE HDDEDATA; 147 | typedef HANDLE HDESK; 148 | typedef HANDLE HDROP; 149 | typedef HANDLE HDWP; 150 | typedef HANDLE HENHMETAFILE; 151 | typedef int HFILE; 152 | typedef HANDLE HFONT; 153 | typedef HANDLE HGDIOBJ; 154 | typedef HANDLE HGLOBAL; 155 | typedef HANDLE HHOOK; 156 | typedef HANDLE HINSTANCE; 157 | typedef HANDLE HKEY; 158 | typedef HANDLE HKL; 159 | typedef HANDLE HLOCAL; 160 | typedef HANDLE HMENU; 161 | typedef HANDLE HMETAFILE; 162 | typedef HINSTANCE HMODULE; 163 | typedef 
HANDLE HMONITOR; //if (WINVER >= 0x0500) 164 | typedef HANDLE HPALETTE; 165 | typedef HANDLE HPEN; 166 | typedef LONG HRESULT; 167 | typedef HANDLE HRGN; 168 | typedef HANDLE HRSRC; 169 | typedef HANDLE HSZ; 170 | typedef HANDLE WINSTA; 171 | typedef HANDLE HWND; 172 | typedef int INT; 173 | 174 | #if defined(_WIN64) 175 | typedef __int64 INT_PTR; 176 | #else 177 | typedef int INT_PTR; 178 | #endif 179 | 180 | typedef signed char INT8; 181 | typedef signed short INT16; 182 | typedef signed int INT32; 183 | typedef signed __int64 INT64; 184 | typedef WORD LANGID; 185 | typedef DWORD LCID; 186 | typedef DWORD LCTYPE; 187 | typedef DWORD LGRPID; 188 | 189 | typedef signed int LONG32; 190 | typedef __int64 LONG64; 191 | typedef LONG_PTR LPARAM; 192 | typedef BOOL far* LPBOOL; 193 | typedef BYTE far* LPBYTE; 194 | typedef DWORD* LPCOLORREF; 195 | typedef CONST CHAR* LPCSTR; //__nullterminated 196 | 197 | typedef CONST WCHAR* LPCWSTR; 198 | 199 | #ifdef UNICODE 200 | typedef LPCWSTR LPCTSTR; 201 | #else 202 | typedef LPCSTR LPCTSTR; 203 | #endif 204 | 205 | typedef CONST void* LPCVOID; 206 | typedef DWORD* LPDWORD; 207 | typedef HANDLE* LPHANDLE; 208 | typedef int* LPINT; 209 | typedef long* LPLONG; 210 | typedef CHAR* LPSTR; 211 | 212 | typedef WCHAR* LPWSTR; 213 | 214 | #ifdef UNICODE 215 | typedef LPWSTR LPTSTR; 216 | #else 217 | typedef LPSTR LPTSTR; 218 | #endif 219 | 220 | typedef void* LPVOID; 221 | typedef WORD* LPWORD; 222 | typedef LONG_PTR LRESULT; 223 | typedef BOOL* PBOOL; 224 | typedef BOOLEAN* PBOOLEAN; 225 | typedef BYTE* PBYTE; 226 | typedef CHAR* PCHAR; 227 | typedef CONST CHAR* PCSTR; 228 | 229 | #ifdef UNICODE 230 | typedef LPCWSTR PCTSTR; 231 | #else 232 | typedef LPCSTR PCTSTR; 233 | #endif 234 | 235 | typedef CONST WCHAR* PCWSTR; 236 | typedef DWORD* PDWORD; 237 | typedef DWORDLONG* PDWORDLONG; 238 | typedef DWORD_PTR* PDWORD_PTR; 239 | typedef DWORD32* PDWORD32; 240 | typedef DWORD64* PDWORD64; 241 | typedef FLOAT* PFLOAT; 242 | 243 | #ifdef 
_WIN64 244 | typedef HALF_PTR* PHALF_PTR; 245 | #else 246 | typedef HALF_PTR* PHALF_PTR; 247 | #endif 248 | 249 | typedef HANDLE* PHANDLE; 250 | typedef HKEY* PHKEY; 251 | typedef int* PINT; 252 | typedef INT_PTR* PINT_PTR; 253 | typedef INT8* PINT8; 254 | typedef INT16* PINT16; 255 | typedef INT32* PINT32; 256 | typedef INT64* PINT64; 257 | typedef PDWORD PLCID; 258 | typedef LONG* PLONG; 259 | typedef LONGLONG* PLONGLONG; 260 | typedef LONG_PTR* PLONG_PTR; 261 | typedef LONG32* PLONG32; 262 | typedef LONG64* PLONG64; 263 | 264 | #if defined(_WIN64) 265 | #define POINTER_32 __ptr32 266 | #else 267 | #define POINTER_32 268 | #endif 269 | 270 | #if (_MSC_VER >= 1300) 271 | #define POINTER_64 __ptr64 272 | #else 273 | #define POINTER_64 274 | #endif 275 | 276 | #define POINTER_SIGNED __sptr 277 | #define POINTER_UNSIGNED __uptr 278 | 279 | #if (_MSC_VER >= 1300) && !defined(MIDL_PASS) 280 | #define DECLSPEC_ALIGN(x) __declspec(align(x)) 281 | #endif 282 | #if (_MSC_VER >= 1915) && !defined(MIDL_PASS) && !defined(SORTPP_PASS) && !defined(RC_INVOKED) 283 | #define DECLSPEC_NOINITALL __pragma(warning(push)) __pragma(warning(disable:4845)) __declspec(no_init_all) __pragma(warning(pop)) 284 | #endif 285 | 286 | #ifdef UNICODE 287 | typedef LPWSTR PTSTR; 288 | #else typedef LPSTR PTSTR; 289 | #endif 290 | 291 | typedef UCHAR* PUCHAR; 292 | 293 | #ifdef _WIN64 294 | typedef UHALF_PTR* PUHALF_PTR; 295 | #else 296 | typedef UHALF_PTR* PUHALF_PTR; 297 | #endif 298 | 299 | typedef unsigned __int64 QWORD; 300 | typedef HANDLE SC_HANDLE; 301 | typedef LPVOID SC_LOCK; 302 | typedef HANDLE SERVICE_STATUS_HANDLE; 303 | typedef short SHORT; 304 | typedef ULONG_PTR SIZE_T; 305 | typedef LONG_PTR SSIZE_T; 306 | 307 | typedef SHORT* PSHORT; 308 | typedef SIZE_T* PSIZE_T; 309 | typedef SSIZE_T* PSSIZE_T; 310 | typedef CHAR* PSTR; 311 | typedef TBYTE* PTBYTE; 312 | typedef TCHAR* PTCHAR; 313 | 314 | typedef unsigned int UINT; 315 | 316 | #if defined(_WIN64) 317 | typedef unsigned __int64 
UINT_PTR; 318 | #else 319 | typedef unsigned int UINT_PTR; 320 | #endif 321 | 322 | typedef unsigned char UINT8; 323 | typedef unsigned short UINT16; 324 | typedef unsigned int UINT32; 325 | typedef unsigned __int64 UINT64; 326 | typedef unsigned long ULONG; 327 | 328 | typedef unsigned int ULONG32; 329 | typedef unsigned __int64 ULONG64; 330 | 331 | typedef UINT* PUINT; 332 | typedef UINT_PTR* PUINT_PTR; 333 | typedef UINT8* PUINT8; 334 | typedef UINT16* PUINT16; 335 | typedef UINT32* PUINT32; 336 | typedef UINT64* PUINT64; 337 | typedef ULONG* PULONG; 338 | typedef ULONGLONG* PULONGLONG; 339 | typedef ULONG_PTR* PULONG_PTR; 340 | typedef ULONG32* PULONG32; 341 | typedef ULONG64* PULONG64; 342 | typedef USHORT* PUSHORT; 343 | typedef WCHAR* PWCHAR; 344 | typedef WORD* PWORD; 345 | typedef WCHAR* PWSTR; 346 | 347 | typedef CHAR* LPCH, * PCH; 348 | typedef const CHAR* LPCCH, * PCCH; 349 | typedef char* BSTR; 350 | 351 | typedef struct _UNICODE_STRING { 352 | USHORT Length; 353 | USHORT MaximumLength; 354 | PWSTR Buffer; 355 | } UNICODE_STRING; 356 | typedef UNICODE_STRING* PUNICODE_STRING; 357 | typedef const UNICODE_STRING* PCUNICODE_STRING; 358 | 359 | typedef LONGLONG USN; 360 | #define VOID void 361 | #define WINAPI __stdcall 362 | typedef UINT_PTR WPARAM; 363 | 364 | #define APIENTRY WINAPI 365 | typedef WORD ATOM; 366 | typedef int (FAR WINAPI* FARPROC)(void); 367 | 368 | typedef union _LARGE_INTEGER { 369 | struct { 370 | DWORD LowPart; 371 | LONG HighPart; 372 | } DUMMYSTRUCTNAME; 373 | struct { 374 | DWORD LowPart; 375 | LONG HighPart; 376 | } u; 377 | LONGLONG QuadPart; 378 | } LARGE_INTEGER; 379 | typedef LARGE_INTEGER* PLARGE_INTEGER; 380 | 381 | 382 | typedef union _ULARGE_INTEGER { 383 | struct { 384 | DWORD LowPart; 385 | DWORD HighPart; 386 | } DUMMYSTRUCTNAME; 387 | struct { 388 | DWORD LowPart; 389 | DWORD HighPart; 390 | } u; 391 | ULONGLONG QuadPart; 392 | } ULARGE_INTEGER; 393 | typedef ULARGE_INTEGER* PULARGE_INTEGER; 394 | 395 | typedef struct 
_FILETIME 396 | { 397 | DWORD dwLowDateTime; 398 | DWORD dwHighDateTime; 399 | }FILETIME, * PFILETIME; 400 | 401 | typedef struct _OBJECT_ATTRIBUTES 402 | { 403 | ULONG Length; 404 | HANDLE RootDirectory; 405 | PUNICODE_STRING ObjectName; 406 | ULONG Attributes; 407 | PVOID SecurityDescriptor; 408 | PVOID SecurityQualityOfService; 409 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; 410 | 411 | typedef struct _GUID 412 | { 413 | DWORD Data1; 414 | WORD Data2; 415 | WORD Data3; 416 | UCHAR Data4[0x8]; 417 | }GUID, * PGUID; 418 | 419 | typedef struct _LUID 420 | { 421 | DWORD LowPart; 422 | LONG HighPart; 423 | }LUID, * PLUID; 424 | 425 | typedef struct _ROOT_INFO_LUID 426 | { 427 | DWORD LowPart; 428 | LONG HighPart; 429 | }ROOT_INFO_LUID, * PROOT_INFO_LUID; 430 | 431 | typedef struct DECLSPEC_ALIGN(16) _M128A { 432 | ULONGLONG Low; 433 | LONGLONG High; 434 | } M128A, * PM128A; 435 | 436 | typedef struct _FILE_ID_128 { 437 | BYTE Identifier[16]; 438 | } FILE_ID_128, * PFILE_ID_128; 439 | 440 | typedef struct _STRING { 441 | USHORT Length; 442 | USHORT MaximumLength; 443 | PCHAR Buffer; 444 | } STRING, * PSTRING; 445 | 446 | typedef struct _STRING32 447 | { 448 | USHORT Length; 449 | USHORT MaximumLength; 450 | DWORD* Buffer; 451 | }STRING32, * PSTRING32; 452 | 453 | typedef struct _STRING64 454 | { 455 | USHORT Length; 456 | USHORT MaximumLength; 457 | QWORD* Buffer; 458 | }STRING64, * PSTRING64; 459 | 460 | typedef STRING ANSI_STRING; 461 | typedef PSTRING PANSI_STRING; 462 | 463 | typedef struct _LIST_ENTRY 464 | { 465 | struct _LIST_ENTRY* Flink; 466 | struct _LIST_ENTRY* Blink; 467 | } LIST_ENTRY, * PLIST_ENTRY; 468 | 469 | typedef struct LIST_ENTRY32 470 | { 471 | DWORD Flink; 472 | DWORD Blink; 473 | }LIST_ENTRY32, * PLIST_ENTRY32; 474 | 475 | typedef struct _LIST_ENTRY64 476 | { 477 | QWORD Flink; 478 | QWORD Blink; 479 | }LIST_ENTRY64, * PLIST_ENTRY64; 480 | 481 | typedef struct _PEB_LDR_DATA 482 | { 483 | ULONG Length; 484 | BOOLEAN Initialized; 485 | PVOID 
SsHandle; 486 | LIST_ENTRY InLoadOrderModuleList; 487 | LIST_ENTRY InMemoryOrderModuleList; 488 | LIST_ENTRY InInitializationOrderModuleList; 489 | PVOID EntryInProgress; 490 | UCHAR ShutdownInProgress; 491 | PVOID ShutdownThreadId; 492 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 493 | 494 | typedef struct _LDR_DATA_ENTRY 495 | { 496 | LIST_ENTRY InLoadOrderModuleList; 497 | LIST_ENTRY InMemoryOrderModuleList; 498 | LIST_ENTRY InInitializationOrderModuleList; 499 | PVOID BaseAddress; 500 | PVOID EntryPoint; 501 | ULONG SizeOfImage; 502 | UNICODE_STRING FullDllName; 503 | UNICODE_STRING BaseDllName; 504 | ULONG Flags; 505 | WORD LoadCount; 506 | WORD TlsIndex; 507 | LIST_ENTRY HashLinks; 508 | ULONG TimeDateStamp; 509 | HANDLE ActivationContext; 510 | PVOID PatchInformation; 511 | LIST_ENTRY ForwarderLinks; 512 | LIST_ENTRY ServiceTagLinks; 513 | LIST_ENTRY StaticLinks; 514 | PVOID ContextInformation; 515 | ULONG_PTR OriginalBase; 516 | LARGE_INTEGER LoadTime; 517 | } LDR_DATA_ENTRY, * PLDR_DATA_ENTRY;//_LDR_MODULE 518 | 519 | typedef struct _RTL_BITMAP 520 | { 521 | ULONG SizeOfBitMap; 522 | PULONG Buffer; 523 | } RTL_BITMAP, * PRTL_BITMAP; 524 | 525 | typedef struct _RTL_DRIVE_LETTER_CURDIR 526 | { 527 | USHORT Flags; 528 | USHORT Length; 529 | ULONG TimeStamp; 530 | STRING DosPath;//UNICODE_STRING DosPath; 531 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 532 | 533 | typedef struct _CURDIR 534 | { 535 | UNICODE_STRING DosPath; 536 | PVOID Handle; 537 | } CURDIR, * PCURDIR; 538 | 539 | typedef struct _RTL_USER_PROCESS_PARAMETERS_PEB 540 | { 541 | ULONG AllocationSize; 542 | ULONG Size; 543 | ULONG Flags; 544 | ULONG DebugFlags; 545 | HANDLE ConsoleHandle; 546 | ULONG ConsoleFlags; 547 | HANDLE hStdInput; 548 | HANDLE hStdOutput; 549 | HANDLE hStdError; 550 | CURDIR CurrentDirectory; 551 | UNICODE_STRING DllPath; 552 | UNICODE_STRING ImagePathName; 553 | UNICODE_STRING CommandLine; 554 | PWSTR Environment; 555 | ULONG dwX; 556 | ULONG dwY; 557 | ULONG dwXSize; 
558 | ULONG dwYSize; 559 | ULONG dwXCountChars; 560 | ULONG dwYCountChars; 561 | ULONG dwFillAttribute; 562 | ULONG dwFlags; 563 | ULONG wShowWindow; 564 | UNICODE_STRING WindowTitle; 565 | UNICODE_STRING Desktop; 566 | UNICODE_STRING ShellInfo; 567 | UNICODE_STRING RuntimeInfo; 568 | RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; 569 | } RTL_USER_PROCESS_PARAMETERS_PEB, * PRTL_USER_PROCESS_PARAMETERS_PEB; 570 | 571 | typedef struct _RTL_CRITICAL_SECTION_DEBUG 572 | { 573 | WORD Type; 574 | WORD CreatorBackTraceIndex; 575 | struct _RTL_CRITICAL_SECTION* CriticalSection; 576 | LIST_ENTRY ProcessLocksList; 577 | DWORD EntryCount; 578 | DWORD ContentionCount; 579 | DWORD Flags; 580 | WORD CreatorBackTraceIndexHigh; 581 | WORD Identifier; 582 | } RTL_CRITICAL_SECTION_DEBUG, * PRTL_CRITICAL_SECTION_DEBUG, RTL_RESOURCE_DEBUG, * PRTL_RESOURCE_DEBUG; 583 | 584 | typedef struct _RTL_CRITICAL_SECTION 585 | { 586 | PRTL_CRITICAL_SECTION_DEBUG DebugInfo; 587 | LONG LockCount; 588 | LONG RecursionCount; 589 | HANDLE OwningThread; 590 | HANDLE LockSemaphore; 591 | ULONG_PTR SpinCount; 592 | } RTL_CRITICAL_SECTION, * PRTL_CRITICAL_SECTION; 593 | 594 | typedef struct _PEB 595 | { /* win32/win64 */ 596 | BOOLEAN InheritedAddressSpace; /* 000/000 */ 597 | BOOLEAN ReadImageFileExecOptions; /* 001/001 */ 598 | BOOLEAN BeingDebugged; /* 002/002 */ 599 | BOOLEAN SpareBool; /* 003/003 */ 600 | HANDLE Mutant; /* 004/008 */ 601 | PVOID ImageBaseAddress; /* 008/010 */ 602 | PPEB_LDR_DATA LdrData; 603 | RTL_USER_PROCESS_PARAMETERS_PEB* ProcessParameters; /* 010/020 */ 604 | PVOID SubSystemData; /* 014/028 */ 605 | HANDLE ProcessHeap; /* 018/030 */ 606 | PRTL_CRITICAL_SECTION FastPebLock; /* 01c/038 */ 607 | PVOID /*PPEBLOCKROUTINE*/ FastPebLockRoutine; /* 020/040 */ 608 | PVOID /*PPEBLOCKROUTINE*/ FastPebUnlockRoutine; /* 024/048 */ 609 | ULONG EnvironmentUpdateCount; /* 028/050 */ 610 | PVOID KernelCallbackTable; /* 02c/058 */ 611 | ULONG Reserved[2]; /* 030/060 */ 612 | PVOID 
/*PPEB_FREE_BLOCK*/ FreeList; /* 038/068 */ 613 | ULONG TlsExpansionCounter; /* 03c/070 */ 614 | PRTL_BITMAP TlsBitmap; /* 040/078 */ 615 | ULONG TlsBitmapBits[2]; /* 044/080 */ 616 | PVOID ReadOnlySharedMemoryBase; /* 04c/088 */ 617 | PVOID ReadOnlySharedMemoryHeap; /* 050/090 */ 618 | PVOID* ReadOnlyStaticServerData; /* 054/098 */ 619 | PVOID AnsiCodePageData; /* 058/0a0 */ 620 | PVOID OemCodePageData; /* 05c/0a8 */ 621 | PVOID UnicodeCaseTableData; /* 060/0b0 */ 622 | ULONG NumberOfProcessors; /* 064/0b8 */ 623 | ULONG NtGlobalFlag; /* 068/0bc */ 624 | LARGE_INTEGER CriticalSectionTimeout; /* 070/0c0 */ 625 | ULONG_PTR HeapSegmentReserve; /* 078/0c8 */ 626 | ULONG_PTR HeapSegmentCommit; /* 07c/0d0 */ 627 | ULONG_PTR HeapDeCommitTotalFreeThreshold; /* 080/0d8 */ 628 | ULONG_PTR HeapDeCommitFreeBlockThreshold; /* 084/0e0 */ 629 | ULONG NumberOfHeaps; /* 088/0e8 */ 630 | ULONG MaximumNumberOfHeaps; /* 08c/0ec */ 631 | PVOID* ProcessHeaps; /* 090/0f0 */ 632 | PVOID GdiSharedHandleTable; /* 094/0f8 */ 633 | PVOID ProcessStarterHelper; /* 098/100 */ 634 | PVOID GdiDCAttributeList; /* 09c/108 */ 635 | PVOID LoaderLock; /* 0a0/110 */ 636 | ULONG OSMajorVersion; /* 0a4/118 */ 637 | ULONG OSMinorVersion; /* 0a8/11c */ 638 | ULONG OSBuildNumber; /* 0ac/120 */ 639 | ULONG OSPlatformId; /* 0b0/124 */ 640 | ULONG ImageSubSystem; /* 0b4/128 */ 641 | ULONG ImageSubSystemMajorVersion; /* 0b8/12c */ 642 | ULONG ImageSubSystemMinorVersion; /* 0bc/130 */ 643 | ULONG ImageProcessAffinityMask; /* 0c0/134 */ 644 | HANDLE GdiHandleBuffer[28]; /* 0c4/138 */ 645 | ULONG unknown[6]; /* 134/218 */ 646 | PVOID PostProcessInitRoutine; /* 14c/230 */ 647 | PRTL_BITMAP TlsExpansionBitmap; /* 150/238 */ 648 | ULONG TlsExpansionBitmapBits[32]; /* 154/240 */ 649 | ULONG SessionId; /* 1d4/2c0 */ 650 | ULARGE_INTEGER AppCompatFlags; /* 1d8/2c8 */ 651 | ULARGE_INTEGER AppCompatFlagsUser; /* 1e0/2d0 */ 652 | PVOID ShimData; /* 1e8/2d8 */ 653 | PVOID AppCompatInfo; /* 1ec/2e0 */ 654 | UNICODE_STRING 
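CSDVersion; /* 1f0/2e8 */
    PVOID ActivationContextData; /* 1f8/2f8 */
    PVOID ProcessAssemblyStorageMap; /* 1fc/300 */
    PVOID SystemDefaultActivationData; /* 200/308 */
    PVOID SystemAssemblyStorageMap; /* 204/310 */
    ULONG_PTR MinimumStackCommit; /* 208/318 */
    PVOID* FlsCallback; /* 20c/320 */
    LIST_ENTRY FlsListHead; /* 210/328 */
    PRTL_BITMAP FlsBitmap; /* 218/338 */
    ULONG FlsBitmapBits[4]; /* 21c/340 */
} PEB, * PPEB;

//-----------------------------------------------------------------------------------

/*
 * PE signatures and fixed header geometry.
 *
 * Both signatures are spelled as the integer a little-endian read of the on-disk
 * bytes produces, which is how a loader compares them after reading e_magic (WORD)
 * and IMAGE_NT_HEADERS.Signature (DWORD) straight out of the mapped image:
 *   "MZ"     -> bytes 4D 5A       -> WORD  0x5A4D
 *   "PE\0\0" -> bytes 50 45 00 00 -> DWORD 0x00004550
 * The NT signature was previously 0x50450000 (byte order reversed): a
 * `Signature != IMAGE_NT_SIGNATURE` check built on that value rejects every valid
 * image, and dropping the check to compensate accepts arbitrary input. Before the
 * signature is even read, e_lfanew (a signed LONG) must be validated against the
 * buffer size so the NT header read cannot leave the file.
 */
#define IMAGE_DOS_SIGNATURE 0x5A4D     // "MZ"
#define IMAGE_NT_SIGNATURE 0x00004550  // "PE\0\0"

#define IMAGE_SIZEOF_FILE_HEADER 20
#define IMAGE_SIZEOF_SECTION_HEADER 40
// DataDirectory[] is always declared with this many slots, but
// OptionalHeader.NumberOfRvaAndSizes is the count the image actually carries.
// Index a directory only when its index is below that count; an image may
// legitimately (or maliciously) provide fewer than 16 entries.
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_SIZEOF_SHORT_NAME 8

// OptionalHeader.Magic values: select IMAGE_OPTIONAL_HEADER32 vs 64 before
// touching any field after Magic, regardless of FileHeader.Machine.
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b

typedef enum _PE_MAGIC // uint16_t
{
    PE_ROM_IMAGE = 0x107,
    PE_32BIT = 0x10b,
    PE_64BIT = 0x20b
} PE_MAGIC, * PPE_MAGIC;

/*
 * Import thunk decoding. When the high bit of a thunk is set the import is by
 * ordinal and the low 16 bits hold the ordinal (a value relative to the
 * exporting module's IMAGE_EXPORT_DIRECTORY.Base, so range-check it against
 * Base/NumberOfFunctions before indexing the export table). Arguments are
 * parenthesised so that expressions such as IMAGE_ORDINAL32(a | b) bind the
 * mask to the whole argument, as the winnt.h originals do not.
 */
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000
#define IMAGE_ORDINAL_FLAG32 0x80000000
#define IMAGE_ORDINAL64(Ordinal) ((Ordinal) & 0xffff)
#define IMAGE_ORDINAL32(Ordinal) ((Ordinal) & 0xffff)
#define IMAGE_SNAP_BY_ORDINAL64(Ordinal) (((Ordinal) & IMAGE_ORDINAL_FLAG64) != 0)
#define IMAGE_SNAP_BY_ORDINAL32(Ordinal) (((Ordinal) & IMAGE_ORDINAL_FLAG32) != 0)

// Indices into OptionalHeader.DataDirectory[].
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0          // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1          // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2        // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3       // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4        // Security Directory (Authenticode; VirtualAddress is a FILE offset, not an RVA)
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5       // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6           // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7            // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7    // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8       // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9             // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10    // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11   // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12            // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13   // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor

// fdwReason values passed to DllMain / TLS callbacks.
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH 2
#define DLL_THREAD_DETACH 3
#define DLL_PROCESS_DETACH 0

// IMAGE_FILE_HEADER.Machine values. A loader must compare the image's machine
// against the host process (I386 vs AMD64) before mapping, since the
// IMAGE_NT_HEADERS typedef below is selected at compile time.
#define IMAGE_FILE_MACHINE_UNKNOWN 0
#define IMAGE_FILE_MACHINE_TARGET_HOST 0x0001
#define IMAGE_FILE_MACHINE_I386 0x014c       // Intel 386.
#define IMAGE_FILE_MACHINE_R3000 0x0162
#define IMAGE_FILE_MACHINE_R4000 0x0166
#define IMAGE_FILE_MACHINE_R10000 0x0168
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
#define IMAGE_FILE_MACHINE_ALPHA 0x0184
#define IMAGE_FILE_MACHINE_SH3 0x01a2
#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
#define IMAGE_FILE_MACHINE_SH3E 0x01a4
#define IMAGE_FILE_MACHINE_SH4 0x01a6
#define IMAGE_FILE_MACHINE_SH5 0x01a8
#define IMAGE_FILE_MACHINE_ARM 0x01c0
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_ARMNT 0x01c4
#define IMAGE_FILE_MACHINE_AM33 0x01d3
#define IMAGE_FILE_MACHINE_POWERPC 0x01F0
#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
#define IMAGE_FILE_MACHINE_IA64 0x0200       // Intel 64
#define IMAGE_FILE_MACHINE_MIPS16 0x0266
#define IMAGE_FILE_MACHINE_ALPHA64 0x0284
#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366
#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466
// Was `_IMAGE_FILE_MACHINE_ALPHA64` (leading underscore), which expanded to an
// undefined identifier; AXP64 is an alias of ALPHA64.
#define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
#define IMAGE_FILE_MACHINE_TRICORE 0x0520
#define IMAGE_FILE_MACHINE_CEF 0x0CEF
#define IMAGE_FILE_MACHINE_EBC 0x0EBC
#define IMAGE_FILE_MACHINE_AMD64 0x8664      // AMD64 (K8)
#define IMAGE_FILE_MACHINE_M32R 0x9041
#define IMAGE_FILE_MACHINE_ARM64 0xAA64
#define IMAGE_FILE_MACHINE_CEE 0xC0EE
#define IMAGE_FILE_MACHINE_RISCV32 0x5032
#define IMAGE_FILE_MACHINE_RISCV64 0x5064
#define IMAGE_FILE_MACHINE_RISCV128 0x5128

// OptionalHeader.Subsystem values.
#define IMAGE_SUBSYSTEM_UNKNOWN 0
#define IMAGE_SUBSYSTEM_NATIVE 1                   // Image doesn't require a subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2              // Image runs in the Windows GUI subsystem.
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3              // Image runs in the Windows character subsystem.
#define IMAGE_SUBSYSTEM_OS2_CUI 5                  // Image runs in the OS/2 character subsystem.
#define IMAGE_SUBSYSTEM_POSIX_CUI 7                // Image runs in the Posix character subsystem.
#define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8           // Image is a native Win9x driver.
#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9           // Image runs in the Windows CE subsystem.
#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10
#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11
#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12
#define IMAGE_SUBSYSTEM_EFI_ROM 13
#define IMAGE_SUBSYSTEM_XBOX 14
#define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
#define IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG 17

// OptionalHeader.LoaderFlags bits (all reserved).
#define IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved.
#define IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved.
#define IMAGE_LIBRARY_THREAD_INIT 0x0004  // Reserved.
#define IMAGE_LIBRARY_THREAD_TERM 0x0008  // Reserved.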
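/*
 * OptionalHeader.DllCharacteristics bits.
 * A manual loader should at least honour DYNAMIC_BASE (the image may be
 * rebased; pairs with a non-empty BASERELOC directory) and NX_COMPAT (the
 * image was built for DEP, so mapping every section RWX silently discards that
 * mitigation). FORCE_INTEGRITY requests signature enforcement the loader does
 * not provide; NO_SEH / GUARD_CF describe exception and CFG data the loader
 * would also have to register to preserve their protection.
 */
#define IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA 0x0020      // 64-bit ASLR (high-entropy)
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040         // Image can be relocated (ASLR)
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080      // Code integrity checks enforced
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100            // DEP compatible
#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
#define IMAGE_DLLCHARACTERISTICS_APPCONTAINER 0x1000
#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
#define IMAGE_DLLCHARACTERISTICS_GUARD_CF 0x4000
#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000

/*
 * Extended DLL characteristics (CET / shadow stacks). These live in a
 * debug-directory entry of type IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS, NOT in
 * DllCharacteristics; their values overlap the low bits of the flags above, so
 * never OR the two sets into the same field.
 */
#define IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT 0x01
#define IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT_STRICT_MODE 0x02
#define IMAGE_DLLCHARACTERISTICS_EX_CET_SET_CONTEXT_IP_VALIDATION_RELAXED_MODE 0x04
#define IMAGE_DLLCHARACTERISTICS_EX_CET_DYNAMIC_APIS_ALLOW_IN_PROC 0x08
#define IMAGE_DLLCHARACTERISTICS_EX_CET_RESERVED_1 0x10
#define IMAGE_DLLCHARACTERISTICS_EX_CET_RESERVED_2 0x20

/*
 * IMAGE_FILE_HEADER.Characteristics bits (low half; the remainder follows).
 * RELOCS_STRIPPED means the image has no base relocations: a loader that
 * cannot map it at OptionalHeader.ImageBase must fail rather than run it at a
 * different address.
 */
#define IMAGE_FILE_RELOCS_STRIPPED 0x0001      // Relocation info stripped from file.
#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002     // File is executable (i.e. no unresolved external references).
// Misspelled name kept as a compatibility alias; new code should use
// IMAGE_FILE_EXECUTABLE_IMAGE.
#define IMAGEIMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_EXECUTABLE_IMAGE
#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004   // Line numbers stripped from file.
#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008  // Local symbols stripped from file.
#define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010    // Aggressively trim working set
#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020  // App can handle >2gb addresses
#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080    // Bytes of machine word are reversed.
#define IMAGE_FILE_32BIT_MACHINE 0x0100        // 32 bit word machine.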
#define IMAGE_FILE_DEBUG_STRIPPED 0x0200          // Debugging info stripped from file in .DBG file
#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If image is on removable media, copy and run from the swap file.
#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800       // If image is on a network share, copy and run from the swap file.
#define IMAGE_FILE_SYSTEM 0x1000                  // System file.
#define IMAGE_FILE_DLL 0x2000                     // File is a DLL (a loader should call DllMain, not an EXE entry).
#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000          // File should only be run on a UP (uniprocessor) machine.
#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000       // Bytes of machine word are reversed.

/*
 * DOS (MZ) header at file offset 0. Only e_magic and e_lfanew matter to a PE
 * loader. e_lfanew is a signed LONG taken straight from the file: reject
 * negative values and any value for which e_lfanew + sizeof(IMAGE_NT_HEADERS)
 * exceeds the buffer before dereferencing the NT header.
 */
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    WORD e_magic;    // Magic number (IMAGE_DOS_SIGNATURE)
    WORD e_cblp;     // Bytes on last page of file
    WORD e_cp;       // Pages in file
    WORD e_crlc;     // Relocations
    WORD e_cparhdr;  // Size of header in paragraphs
    WORD e_minalloc; // Minimum extra paragraphs needed
    WORD e_maxalloc; // Maximum extra paragraphs needed
    WORD e_ss;       // Initial (relative) SS value
    WORD e_sp;       // Initial SP value
    WORD e_csum;     // Checksum
    WORD e_ip;       // Initial IP value
    WORD e_cs;       // Initial (relative) CS value
    WORD e_lfarlc;   // File address of relocation table
    WORD e_ovno;     // Overlay number
    WORD e_res[4];   // Reserved words
    WORD e_oemid;    // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;  // OEM information; e_oemid specific
    WORD e_res2[10]; // Reserved words
    LONG e_lfanew;   // File offset of the IMAGE_NT_HEADERS (untrusted; bounds-check it)
} IMAGE_DOS_HEADER, * PIMAGE_DOS_HEADER;

// One OptionalHeader.DataDirectory[] slot. VirtualAddress is an RVA for every
// entry except IMAGE_DIRECTORY_ENTRY_SECURITY, where it is a file offset.
// A zero VirtualAddress/Size means the directory is absent.
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;

/*
 * NOTE(review): this is a snapshot of one particular image's "Rich" header --
 * the field names encode the tool IDs and counts of that build. The Rich
 * header is a variable-length list terminated by "Rich" + checksum, so this
 * fixed layout only lines up for images with exactly these ten entries;
 * do not use it as a general parser.
 */
typedef struct _RICH_HEADER
{
    DWORD e_magic__DanS;
    DWORD e_align[0x3];
    DWORD e_entry_id0__00937809;
    DWORD e_entry_count0__51;
    DWORD e_entry_id1__00010000;
    DWORD e_entry_count1__135;
    DWORD e_entry_id2__00fd6b14;
    DWORD e_entry_count2__1;
    DWORD e_entry_id3__01006b14;
    DWORD e_entry_count3__1;
    DWORD e_entry_id4__01036b14;
    DWORD e_entry_count4__50;
    DWORD e_entry_id5__01056b14;
    DWORD e_entry_count5__94;
    DWORD e_entry_id6__010e6b14;
    DWORD e_entry_count6__568;
    DWORD e_entry_id7__01046b14;
    DWORD e_entry_count7__75;
    DWORD e_entry_id8__00ff6b14;
    DWORD e_entry_count8__1;
    DWORD e_entry_id9__01026b14;
    DWORD e_entry_count9__1;
    char e_magic[0x4];
    DWORD e_checksum;
}RICH_HEADER, * PRICH_HEADER;

/*
 * PE32 optional header (Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC).
 * Fields a loader consumes, all untrusted:
 *  - AddressOfEntryPoint: RVA; must be < SizeOfImage (0 is legal for a DLL with no DllMain).
 *  - ImageBase / SectionAlignment / FileAlignment: preferred base and the two
 *    alignments that section VirtualAddress / PointerToRawData must respect.
 *  - SizeOfImage: the size to reserve; every RVA the loader follows must stay below it.
 *  - SizeOfHeaders: bytes to copy for the header region (must cover the section table).
 *  - NumberOfRvaAndSizes: number of valid DataDirectory slots (may be < 16).
 */
typedef struct _IMAGE_OPTIONAL_HEADER32 {
    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes; // count of valid DataDirectory entries, not the array length
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, * PIMAGE_OPTIONAL_HEADER32;

/*
 * PE32+ optional header (Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC). Same
 * contract as the 32-bit form; ImageBase and the stack/heap sizes widen to
 * 64 bits and BaseOfData is gone, which is why the two layouts cannot be
 * accessed through one struct.
 */
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD Magic;
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    ULONGLONG ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    ULONGLONG SizeOfStackReserve;
    ULONGLONG SizeOfStackCommit;
    ULONGLONG SizeOfHeapReserve;
    ULONGLONG SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes; // count of valid DataDirectory entries, not the array length
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;


// UNALIGNED / UNALIGNED64 expand to the MSVC __unaligned qualifier on
// architectures that fault on misaligned access, and to nothing elsewhere
// (mirrors the winnt.h selection).
#if defined(_M_MRX000) || defined(_M_ALPHA) || defined(_M_PPC) || defined(_M_IA64) || defined(_M_AMD64) || defined(_M_ARM) || defined(_M_ARM64)
#define ALIGNMENT_MACHINE
#define UNALIGNED __unaligned
#if defined(_WIN64)
#define UNALIGNED64 __unaligned
#else
#define UNALIGNED64
#endif
#else
#undef ALIGNMENT_MACHINE
#define UNALIGNED
#define UNALIGNED64
#endif

// COFF file header. NumberOfSections and SizeOfOptionalHeader together place
// the section table (see IMAGE_FIRST_SECTION); both come from the file and
// bound how much header the loader may read.
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine;               // IMAGE_FILE_MACHINE_*
    WORD NumberOfSections;      // entries in the section table that follows the optional header
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD SizeOfOptionalHeader;  // bytes between FileHeader and the section table
    WORD Characteristics;       // IMAGE_FILE_*
} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;

// "PE\0\0" signature followed by the COFF and PE32+ optional headers.
typedef struct _IMAGE_NT_HEADERS64 {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;

// "PE\0\0" signature followed by the COFF and PE32 optional headers.
typedef struct _IMAGE_NT_HEADERS32 {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, * PIMAGE_NT_HEADERS32;

/*
 * First IMAGE_SECTION_HEADER: it starts SizeOfOptionalHeader bytes after the
 * OptionalHeader field, not sizeof(OptionalHeader). SizeOfOptionalHeader and
 * NumberOfSections are image-controlled, so check that
 * first-section + NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER stays within
 * SizeOfHeaders (and the buffer) before walking the table.
 */
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
    ((ULONG_PTR)(ntheader) + \
    FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
    ((ntheader))->FileHeader.SizeOfOptionalHeader \
    ))

// IMAGE_SECTION_HEADER.Characteristics bits (low part; continues below).
#define IMAGE_SCN_TYPE_REG 0x00000000    // Reserved.
#define IMAGE_SCN_TYPE_DSECT 0x00000001  // Reserved.
#define IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved.
#define IMAGE_SCN_TYPE_GROUP 0x00000004  // Reserved.
#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
#define IMAGE_SCN_TYPE_COPY 0x00000010   // Reserved.

#define IMAGE_SCN_CNT_CODE 0x00000020               // Section contains code.
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040   // Section contains initialized data.
#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.

#define IMAGE_SCN_LNK_OTHER 0x00000100   // Reserved.
#define IMAGE_SCN_LNK_INFO 0x00000200    // Section contains comments or some other type of information.
#define IMAGE_SCN_TYPE_OVER 0x00000400   // Reserved.
#define IMAGE_SCN_LNK_REMOVE 0x00000800  // Section contents will not become part of the image.
#define IMAGE_SCN_LNK_COMDAT 0x00001000  // Section contents comdat.
//                                0x00002000  // Reserved.
//#define IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000
#define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
// IMAGE_SECTION_HEADER.Characteristics bits, continued.
#define IMAGE_SCN_GPREL 0x00008000       // Section content can be accessed relative to GP
#define IMAGE_SCN_MEM_FARDATA 0x00008000 // (same bit as GPREL; legacy name)
//#define IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000
#define IMAGE_SCN_MEM_PURGEABLE 0x00020000
#define IMAGE_SCN_MEM_16BIT 0x00020000   // (same bit as PURGEABLE)
#define IMAGE_SCN_MEM_LOCKED 0x00040000
#define IMAGE_SCN_MEM_PRELOAD 0x00080000

// Object-file section alignment, encoded as a 4-bit field (bits 20..23);
// extract it with IMAGE_SCN_ALIGN_MASK. Not meaningful in a linked image.
#define IMAGE_SCN_ALIGN_1BYTES 0x00100000
#define IMAGE_SCN_ALIGN_2BYTES 0x00200000
#define IMAGE_SCN_ALIGN_4BYTES 0x00300000
#define IMAGE_SCN_ALIGN_8BYTES 0x00400000
#define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
#define IMAGE_SCN_ALIGN_32BYTES 0x00600000
#define IMAGE_SCN_ALIGN_64BYTES 0x00700000
#define IMAGE_SCN_ALIGN_128BYTES 0x00800000
#define IMAGE_SCN_ALIGN_256BYTES 0x00900000
#define IMAGE_SCN_ALIGN_512BYTES 0x00A00000
#define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000
#define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000
#define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000
#define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000
// Unused                          0x00F00000
#define IMAGE_SCN_ALIGN_MASK 0x00F00000

#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000  // Section is not cachable.
#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000   // Section is not pageable.
#define IMAGE_SCN_MEM_SHARED 0x10000000      // Section is shareable.
// The three bits below are what a loader should translate into page
// protection for each mapped section (e.g. EXECUTE|READ -> PAGE_EXECUTE_READ),
// instead of leaving the whole image RWX; a section marked WRITE but not
// EXECUTE should never end up executable.
#define IMAGE_SCN_MEM_EXECUTE 0x20000000     // Section is executable.
#define IMAGE_SCN_MEM_READ 0x40000000        // Section is readable.
#define IMAGE_SCN_MEM_WRITE 0x80000000       // Section is writeable.
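#define IMAGE_SCN_SCALE_INDEX 0x00000001 // Tls index is scaled

/*
 * Section table entry. Everything here is image-controlled; before copying a
 * section a loader must check that PointerToRawData + SizeOfRawData lies
 * within the file and that VirtualAddress + max(VirtualSize, SizeOfRawData)
 * lies within OptionalHeader.SizeOfImage. SizeOfRawData may exceed
 * VirtualSize (file padding) or be zero (bss-like section).
 */
typedef struct _IMAGE_SECTION_HEADER {
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; // not NUL-terminated when all 8 bytes are used
    union {
        DWORD PhysicalAddress; // always VirtualSize in an image
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;      // RVA of the section in memory
    DWORD SizeOfRawData;       // bytes to copy from the file
    DWORD PointerToRawData;    // file offset of those bytes
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD NumberOfRelocations;
    WORD NumberOfLinenumbers;
    DWORD Characteristics;     // IMAGE_SCN_*
} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;

/*
 * One entry of the import directory (one per imported module); the array is
 * terminated by an all-zero descriptor. Name is an RVA to the module name
 * (bound the string read by SizeOfImage). OriginalFirstThunk (INT) and
 * FirstThunk (IAT) are RVAs to parallel IMAGE_THUNK_DATA arrays; some
 * linkers leave OriginalFirstThunk zero, in which case FirstThunk must be
 * used for name lookup as well.
 */
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD Characteristics;    // 0 for terminating null import descriptor
        DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
    } DUMMYUNIONNAME;
    DWORD TimeDateStamp;          // 0 if not bound,
                                  // -1 if bound, and real date\time stamp
                                  //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
                                  // O.W. date/time stamp of DLL bound to (Old BIND)
    DWORD ForwarderChain;         // -1 if no forwarders
    DWORD Name;
    DWORD FirstThunk;             // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED* PIMAGE_IMPORT_DESCRIPTOR;

// Turns a 16-bit ordinal into the fake LPSTR that GetProcAddress-style APIs
// accept for by-ordinal lookups.
#define MAKEINTRESOURCEA(i) ((LPSTR)((ULONG_PTR)((WORD)(i))))

// Import-by-name record referenced from IMAGE_THUNK_DATA.AddressOfData.
// Name is a NUL-terminated string that runs past the declared 1-byte array;
// locate the terminator within the image (bounded by SizeOfImage) before
// passing the pointer to any string API.
typedef struct _IMAGE_IMPORT_BY_NAME {
    WORD Hint;
    CHAR Name[1];
} IMAGE_IMPORT_BY_NAME, * PIMAGE_IMPORT_BY_NAME;

typedef enum _IMPORT_OBJECT_NAME_TYPE // int32_t
{
    IMPORT_OBJECT_ORDINAL = 0x0,
    IMPORT_OBJECT_NAME = 0x1,
    IMPORT_OBJECT_NAME_NO_PREFIX = 0x2,
    IMPORT_OBJECT_NAME_UNDECORATE = 0x3,
    IMPORT_OBJECT_NAME_EXPORTAS = 0x4
} IMPORT_OBJECT_NAME_TYPE, * PIMPORT_OBJECT_NAME_TYPE;

typedef enum _IMPORT_OBJECT_TYPE // int32_t
{
    IMPORT_OBJECT_CODE = 0x0,
    IMPORT_OBJECT_DATA = 0x1,
    IMPORT_OBJECT_CONST = 0x2
} IMPORT_OBJECT_TYPE, * PIMPORT_OBJECT_TYPE;

#define IMPORT_OBJECT_HDR_SIG2 0xffff

// Short import-library object header (import .lib members), not part of a
// loaded image. NOTE(review): the SDK declares Type/NameType/Reserved as
// 2/3/11-bit fields of one USHORT; here they alias the whole USHORT, so a
// caller must mask the bits itself -- confirm before relying on these names.
typedef struct _IMPORT_OBJECT_HEADER
{
    USHORT Sig1;
    USHORT Sig2;
    USHORT Version;
    USHORT Machine;
    DWORD TimeDateStamp;
    DWORD SizeOfData;
    union
    {
        USHORT Ordinal;
        USHORT Hint;
    } __inner6;
    union
    {
        USHORT Type;
        USHORT NameType;
        USHORT Reserved;
    } __bitfield18;
} IMPORT_OBJECT_HEADER, * PIMPORT_OBJECT_HEADER;

/*
 * One INT/IAT slot (64-bit image). Before binding: if IMAGE_SNAP_BY_ORDINAL64
 * (top bit) is set the import is by ordinal (IMAGE_ORDINAL64), otherwise
 * AddressOfData is an RVA to an IMAGE_IMPORT_BY_NAME. After binding, Function
 * holds the resolved absolute address. The array ends at an all-zero entry.
 */
typedef struct _IMAGE_THUNK_DATA64 {
    union {
        ULONGLONG ForwarderString; // PBYTE
        ULONGLONG Function;        // PDWORD
        ULONGLONG Ordinal;
        ULONGLONG AddressOfData;   // PIMAGE_IMPORT_BY_NAME
    } u1;
} IMAGE_THUNK_DATA64;
typedef IMAGE_THUNK_DATA64* PIMAGE_THUNK_DATA64;

// 32-bit form of IMAGE_THUNK_DATA64; same decoding with IMAGE_SNAP_BY_ORDINAL32.
typedef struct _IMAGE_THUNK_DATA32 {
    union {
        DWORD ForwarderString; // PBYTE
        DWORD Function;        // PDWORD
        DWORD Ordinal;
        DWORD AddressOfData;   // PIMAGE_IMPORT_BY_NAME
    } u1;
} IMAGE_THUNK_DATA32;
typedef IMAGE_THUNK_DATA32* PIMAGE_THUNK_DATA32;

/*
 * TLS directory (64-bit image). The Address* fields hold absolute virtual
 * addresses, not RVAs, so they are only valid once the image is relocated to
 * the base it actually occupies. AddressOfCallBacks points at a
 * NULL-terminated array of PIMAGE_TLS_CALLBACK; each entry is image-supplied
 * code that a loader honouring TLS runs before the entry point, so validate
 * the array lies inside the mapped image before walking it.
 */
typedef struct _IMAGE_TLS_DIRECTORY64 {
    ULONGLONG StartAddressOfRawData;
    ULONGLONG EndAddressOfRawData;
    ULONGLONG AddressOfIndex;     // PDWORD
    ULONGLONG AddressOfCallBacks; // PIMAGE_TLS_CALLBACK *
    DWORD SizeOfZeroFill;
    union {
        DWORD Characteristics;
        struct {
            DWORD Reserved0 : 20;
            DWORD Alignment : 4;
            DWORD Reserved1 : 8;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;

} IMAGE_TLS_DIRECTORY64;

typedef IMAGE_TLS_DIRECTORY64* PIMAGE_TLS_DIRECTORY64;

// 32-bit form of IMAGE_TLS_DIRECTORY64; same VA-not-RVA caveat applies.
typedef struct _IMAGE_TLS_DIRECTORY32 {
    DWORD StartAddressOfRawData;
    DWORD EndAddressOfRawData;
    DWORD AddressOfIndex;     // PDWORD
    DWORD AddressOfCallBacks; // PIMAGE_TLS_CALLBACK *
    DWORD SizeOfZeroFill;
    union {
        DWORD Characteristics;
        struct {
            DWORD Reserved0 : 20;
            DWORD Alignment : 4;
            DWORD Reserved1 : 8;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;

} IMAGE_TLS_DIRECTORY32;
typedef IMAGE_TLS_DIRECTORY32* PIMAGE_TLS_DIRECTORY32;

// Signature of a TLS callback: same arguments as DllMain (DLL_* reason codes).
typedef VOID(NTAPI* PIMAGE_TLS_CALLBACK) (
    PVOID DllHandle,
    DWORD Reason,
    PVOID Reserved
    );

// Base-relocation types (high 4 bits of each WORD entry in a relocation block).
// ABSOLUTE entries are padding and must be skipped; HIGHLOW patches a 32-bit
// VA, DIR64 a 64-bit VA. Any other type should be rejected by a loader that
// does not implement it rather than silently ignored.
#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_HIGH 1
#define IMAGE_REL_BASED_LOW 2
#define IMAGE_REL_BASED_HIGHLOW 3
#define IMAGE_REL_BASED_HIGHADJ 4
#define IMAGE_REL_BASED_MACHINE_SPECIFIC_5 5
#define IMAGE_REL_BASED_RESERVED 6
#define IMAGE_REL_BASED_MACHINE_SPECIFIC_7 7
#define IMAGE_REL_BASED_MACHINE_SPECIFIC_8 8
#define IMAGE_REL_BASED_MACHINE_SPECIFIC_9 9
#define IMAGE_REL_BASED_DIR64 10

/*
 * Header of one relocation block; (SizeOfBlock - sizeof(header)) / 2 WORD
 * entries follow, each = (type << 12) | page offset. A loader must reject
 * SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) (the walk would never advance)
 * and stop when the accumulated size reaches the BASERELOC directory Size;
 * each patched address must also fall inside the mapped image.
 */
typedef struct _IMAGE_BASE_RELOCATION {
    DWORD VirtualAddress; // page RVA the entries are relative to
    DWORD SizeOfBlock;    // header + entries, in bytes
    // WORD TypeOffset[1];
} IMAGE_BASE_RELOCATION;
typedef IMAGE_BASE_RELOCATION UNALIGNED* PIMAGE_BASE_RELOCATION;

/*
 * Export directory. AddressOfFunctions has NumberOfFunctions RVAs indexed by
 * (ordinal - Base); AddressOfNames / AddressOfNameOrdinals have NumberOfNames
 * entries (name RVAs and zero-based indices into AddressOfFunctions). All
 * counts come from the image: check an ordinal is within
 * [Base, Base + NumberOfFunctions) and a name index is below NumberOfNames
 * before indexing. A function RVA that lands inside the export directory
 * itself (its DataDirectory range) is a forwarder string, not code.
 */
typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD Name;
    DWORD Base;
    DWORD NumberOfFunctions;
    DWORD NumberOfNames;
    DWORD AddressOfFunctions;    // RVA from base of image
    DWORD AddressOfNames;        // RVA from base of image
    DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, * PIMAGE_EXPORT_DIRECTORY;

// Bitness-neutral aliases, chosen by the loader's own build (_WIN64), not by
// the image being loaded; an image of the other bitness must be rejected
// (or handled with the explicit 32/64 types) before these are used on it.
#ifdef _WIN64
typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS;
typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR64_MAGIC

#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG64
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL64(Ordinal)
typedef IMAGE_THUNK_DATA64 IMAGE_THUNK_DATA;
typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA;
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL64(Ordinal)
typedef IMAGE_TLS_DIRECTORY64 IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY64 PIMAGE_TLS_DIRECTORY;

#else
typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;
typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER;
#define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR32_MAGIC

#define IMAGE_ORDINAL_FLAG IMAGE_ORDINAL_FLAG32
#define IMAGE_ORDINAL(Ordinal) IMAGE_ORDINAL32(Ordinal)
typedef IMAGE_THUNK_DATA32 IMAGE_THUNK_DATA;
typedef PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA;
#define IMAGE_SNAP_BY_ORDINAL(Ordinal) IMAGE_SNAP_BY_ORDINAL32(Ordinal)
typedef IMAGE_TLS_DIRECTORY32 IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY32 PIMAGE_TLS_DIRECTORY;
#endif

/*
 * IMAGE_DEBUG_DIRECTORY.Type values. This table used to appear twice in the
 * file (once with 0x.. spellings, once in decimal), which is a macro
 * redefinition with a different replacement list; the two are merged here so
 * each name is defined exactly once.
 */
#define IMAGE_DEBUG_TYPE_UNKNOWN 0
#define IMAGE_DEBUG_TYPE_COFF 1
#define IMAGE_DEBUG_TYPE_CODEVIEW 2
#define IMAGE_DEBUG_TYPE_FPO 3
#define IMAGE_DEBUG_TYPE_MISC 4
#define IMAGE_DEBUG_TYPE_EXCEPTION 5
#define IMAGE_DEBUG_TYPE_FIXUP 6
#define IMAGE_DEBUG_TYPE_OMAP_TO_SRC 7
#define IMAGE_DEBUG_TYPE_OMAP_FROM_SRC 8
#define IMAGE_DEBUG_TYPE_BORLAND 9
#define IMAGE_DEBUG_TYPE_RESERVED10 10
#define IMAGE_DEBUG_TYPE_BBT IMAGE_DEBUG_TYPE_RESERVED10
#define IMAGE_DEBUG_TYPE_CLSID 11
#define IMAGE_DEBUG_TYPE_VC_FEATURE 12
#define IMAGE_DEBUG_TYPE_POGO 13
#define IMAGE_DEBUG_TYPE_ILTCG 14
#define IMAGE_DEBUG_TYPE_MPX 15
#define IMAGE_DEBUG_TYPE_REPRO 16
#define IMAGE_DEBUG_TYPE_SPGO 18
#define IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS 20

// Lower-camel-case duplicate of IMAGE_DEBUG_DIRECTORY (same layout); kept for
// existing callers.
typedef struct _DEBUG_DIRECTORY_TABLE
{
    DWORD characteristics;
    DWORD timeDateStamp;
    WORD majorVersion;
    WORD minorVersion;
    DWORD Type; // IMAGE_DEBUG_TYPE_*
    DWORD sizeOfData;
    DWORD addressOfRawData;
    DWORD pointerToRawData;
} DEBUG_DIRECTORY_TABLE, * PDEBUG_DIRECTORY_TABLE;

// Lower-camel-case duplicate of IMAGE_RUNTIME_FUNCTION_ENTRY (same layout).
typedef struct _EXCEPTION_DIRECTORY_ENTRY
{
    DWORD beginAddress;
    DWORD endAddress;
    DWORD unwindInformation; // RVA of the UNWIND_INFO (?UNWIND_INFO in the original note)
} EXCEPTION_DIRECTORY_ENTRY, * PEXCEPTION_DIRECTORY_ENTRY;

// x64 exception-directory entry (.pdata). A loader that wants SEH / C++
// exceptions to work in the mapped image has to register this table
// (e.g. RtlAddFunctionTable); copying the bytes alone is not enough.
typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY
{
    DWORD BeginAddress;
    DWORD EndAddress;
    union
    {
        DWORD UnwindInfoAddress;
        DWORD UnwindData;
    } __inner2;
} IMAGE_RUNTIME_FUNCTION_ENTRY, * PIMAGE_RUNTIME_FUNCTION_ENTRY;

typedef enum _UNWIND_OP_CODES // int32_t
{
    UWOP_PUSH_NONVOL = 0x0,
    UWOP_ALLOC_LARGE = 0x1,
    UWOP_ALLOC_SMALL = 0x2,
    UWOP_SET_FPREG = 0x3,
    UWOP_SAVE_NONVOL = 0x4,
    UWOP_SAVE_NONVOL_FAR = 0x5,
    UWOP_EPILOG = 0x6,
    UWOP_SPARE_CODE = 0x7,
    UWOP_SAVE_XMM128 = 0x8,
    UWOP_SAVE_XMM128_FAR = 0x9,
    UWOP_PUSH_MACHFRAME = 0xa
} UNWIND_OP_CODES, * PUNWIND_OP_CODES;

// Fixed prefix of an x64 UNWIND_INFO record; CountOfUnwindCodes slots of
// unwind codes follow it in the image.
typedef struct _UNWIND_INFO
{
    UCHAR VersionAndFlag;
    UCHAR SizeOfProlog;
    UCHAR CountOfUnwindCodes;
    UCHAR FrameRegisterAndFrameRegisterOffset;
} UNWIND_INFO, * PUNWIND_INFO;

typedef struct _UNWIND_HISTORY_TABLE_ENTRY
{
    PVOID ImageBase;
    IMAGE_RUNTIME_FUNCTION_ENTRY* FunctionEntry;
} UNWIND_HISTORY_TABLE_ENTRY, * PUNWIND_HISTORY_TABLE_ENTRY;

typedef struct _UNWIND_HISTORY_TABLE
{
    DWORD Count;
    UCHAR LocalHint;
    UCHAR GlobalHint;
    UCHAR Search;
    UCHAR Once;
    QWORD LowAddress;
    QWORD HighAddress;
    UNWIND_HISTORY_TABLE_ENTRY Entry[0xc];
} UNWIND_HISTORY_TABLE, * PUNWIND_HISTORY_TABLE;

// Lower-camel-case duplicate of IMAGE_DELAYLOAD_DESCRIPTOR (same layout).
typedef struct _DELAY_IMPORT_DIRECTORY
{
    DWORD attributes;
    DWORD name;
    DWORD moduleHandle;
    DWORD delayImportAddressTable;
    DWORD delayImportNameTable;
    DWORD boundDelayImportTable;
    DWORD unloadDelayImportTable;
    DWORD timestamp;
} DELAY_IMPORT_DIRECTORY, * PDELAY_IMPORT_DIRECTORY;

// One CFG function-table entry as laid out here: a 4-byte RVA followed by one
// metadata byte. NOTE(review): the real entry size is
// (GuardFlags >> 28) + 4 bytes of metadata, so this 5-byte layout only matches
// images with exactly one extra byte -- confirm against the load config.
typedef struct GUARD_CONTROL_FLOW_FUNCTION_TABLE
{
    /* uint32_t rvAddr;
    uint8_t metadata;*/
    DWORD rvAddr;
    UCHAR metadata;
} GUARD_CONTROL_FLOW_FUNCTION_TABLE, * PGUARD_CONTROL_FLOW_FUNCTION_TABLE;

typedef struct _IMAGE_SECURITY_CONTEXT
{
    union
    {
        PVOID PageHashes;
        QWORD Value;
        union
        {
            QWORD SecurityBeingCreated;
            QWORD SecurityMandatory;
            QWORD PageHashPointer;
        } __bitfield0;
    } __inner0;
} IMAGE_SECURITY_CONTEXT, * PIMAGE_SECURITY_CONTEXT;

typedef struct _IMAGE_AUX_SYMBOL_TOKEN_DEF
{
    UCHAR bAuxType;
    UCHAR bReserved;
    //__offset(0x2);
    DWORD SymbolTableIndex;
    UCHAR rgbReserved[0xc];
} IMAGE_AUX_SYMBOL_TOKEN_DEF, * PIMAGE_AUX_SYMBOL_TOKEN_DEF;

// COFF auxiliary symbol record (object files / symbol tables, not loaded images).
typedef union _IMAGE_AUX_SYMBOL
{
    struct
    {
        DWORD TagIndex;
        union
        {
            struct
            {
                WORD Linenumber;
                WORD Size;
            } LnSz;
            DWORD TotalSize;
        } Misc;
        union
        {
            struct
            {
                DWORD PointerToLinenumber;
                DWORD PointerToNextFunction;
            } Function;
            struct
            {
                WORD Dimension[0x4];
            } Array;
        } FcnAry;
        WORD TvIndex;
    } Sym;
    struct
    {
        UCHAR Name[0x12];
    } File;
    struct
    {
        DWORD Length;
        WORD NumberOfRelocations;
        WORD NumberOfLinenumbers;
        DWORD CheckSum;
        SHORT Number;
        UCHAR Selection;
        UCHAR bReserved;
        SHORT HighNumber;
    } Section;
    IMAGE_AUX_SYMBOL_TOKEN_DEF TokenDef;
    struct
    {
        DWORD crc;
        UCHAR rgbReserved[0xe];
    } CRC;
} IMAGE_AUX_SYMBOL, * PIMAGE_AUX_SYMBOL;

// Extended (bigobj) COFF auxiliary symbol record.
typedef union _IMAGE_AUX_SYMBOL_EX
{
    struct
    {
        DWORD WeakDefaultSymIndex;
        DWORD WeakSearchType;
        UCHAR rgbReserved[0xc];
    } Sym;
    struct
    {
        UCHAR Name[0x14];
    } File;
    struct
    {
        DWORD Length;
        WORD NumberOfRelocations;
        WORD NumberOfLinenumbers;
        DWORD CheckSum;
        SHORT Number;
        UCHAR Selection;
        UCHAR bReserved;
        SHORT HighNumber;
        UCHAR rgbReserved[0x2];
    } Section;
    struct
    {
        IMAGE_AUX_SYMBOL_TOKEN_DEF TokenDef;
        UCHAR rgbReserved[0x2];
    } __inner3;
    struct
    {
        DWORD crc;
        UCHAR rgbReserved[0x10];
    } CRC;
} IMAGE_AUX_SYMBOL_EX, * PIMAGE_AUX_SYMBOL_EX;

typedef struct _IMAGE_BOUND_FORWARDER_REF
{
    DWORD TimeDateStamp;
    WORD OffsetModuleName;
    WORD Reserved;
} IMAGE_BOUND_FORWARDER_REF, * PIMAGE_BOUND_FORWARDER_REF;

// Bound-import directory entry; OffsetModuleName is relative to the start of
// the bound-import directory, not an RVA.
typedef struct _IMAGE_BOUND_IMPORT_DESCRIPTOR
{
    DWORD TimeDateStamp;
    WORD OffsetModuleName;
    WORD NumberOfModuleForwarderRefs;
} IMAGE_BOUND_IMPORT_DESCRIPTOR, * PIMAGE_BOUND_IMPORT_DESCRIPTOR;

// NOTE(review): in the SDK the second member is a set of bit-fields packed
// into one DWORD; here the names alias the whole DWORD, so they cannot be
// read individually without masking.
typedef struct _IMAGE_CE_RUNTIME_FUNCTION_ENTRY
{
    DWORD FuncStart;
    union
    {
        DWORD PrologLen;
        DWORD FuncLen;
        DWORD ThirtyTwoBit;
        DWORD ExceptionFlag;
    } __bitfield4;
} IMAGE_CE_RUNTIME_FUNCTION_ENTRY, * PIMAGE_CE_RUNTIME_FUNCTION_ENTRY;

// Debug directory entry. AddressOfRawData is an RVA (may be 0), PointerToRawData
// a file offset; SizeOfData bounds the payload and both must be range-checked
// against the image/file before the payload is read.
typedef struct _IMAGE_DEBUG_DIRECTORY
{
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD MajorVersion;
    WORD MinorVersion;
    DWORD Type; // IMAGE_DEBUG_TYPE_*
    DWORD SizeOfData;
    DWORD AddressOfRawData;
    DWORD PointerToRawData;
} IMAGE_DEBUG_DIRECTORY, * PIMAGE_DEBUG_DIRECTORY;

#define IMAGE_DEBUG_MISC_EXENAME 1

// Payload of an IMAGE_DEBUG_TYPE_MISC entry; Data runs past the declared
// 1-byte array for Length bytes.
typedef struct _IMAGE_DEBUG_MISC
{
    DWORD DataType;
    DWORD Length;
    UCHAR Unicode;
    UCHAR Reserved[0x3];
    UCHAR Data[0x1];
} IMAGE_DEBUG_MISC, * PIMAGE_DEBUG_MISC;

// Delay-load import descriptor. NOTE(review): the SDK declares RvaBased as a
// 1-bit field of AllAttributes; here it aliases the whole DWORD, so test
// (AllAttributes & 1) rather than RvaBased != 0 -- confirm against the SDK.
typedef struct _IMAGE_DELAYLOAD_DESCRIPTOR
{
    union
    {
        DWORD AllAttributes;
        DWORD RvaBased;
        DWORD ReservedAttributes;
    } Attributes;
    DWORD DllNameRVA;
    DWORD ModuleHandleRVA;
    DWORD ImportAddressTableRVA;
    DWORD ImportNameTableRVA;
    DWORD BoundImportAddressTableRVA;
    DWORD UnloadInformationTableRVA;
    DWORD TimeDateStamp;
} IMAGE_DELAYLOAD_DESCRIPTOR, * PIMAGE_DELAYLOAD_DESCRIPTOR;

typedef struct _IMAGE_DYNAMIC_RELOCATION32
{
    DWORD Symbol;
    DWORD BaseRelocSize;
} IMAGE_DYNAMIC_RELOCATION32, * PIMAGE_DYNAMIC_RELOCATION32;

typedef struct _IMAGE_DYNAMIC_RELOCATION32_V2
{
    DWORD HeaderSize;
    DWORD FixupInfoSize;
    DWORD Symbol;
    DWORD SymbolGroup;
    DWORD Flags;
} IMAGE_DYNAMIC_RELOCATION32_V2, * PIMAGE_DYNAMIC_RELOCATION32_V2;

typedef struct _IMAGE_DYNAMIC_RELOCATION64
{
    QWORD Symbol;
    DWORD BaseRelocSize;
} IMAGE_DYNAMIC_RELOCATION64, * PIMAGE_DYNAMIC_RELOCATION64;

typedef struct _IMAGE_DYNAMIC_RELOCATION64_V2
{
    DWORD HeaderSize;
    DWORD FixupInfoSize;
    QWORD Symbol;
    DWORD SymbolGroup;
    DWORD Flags;
} IMAGE_DYNAMIC_RELOCATION64_V2, * PIMAGE_DYNAMIC_RELOCATION64_V2;

typedef struct _IMAGE_DYNAMIC_RELOCATION_TABLE
{
    DWORD Version;
    DWORD Size;
} IMAGE_DYNAMIC_RELOCATION_TABLE, * PIMAGE_DYNAMIC_RELOCATION_TABLE;

typedef struct _IMAGE_ENCLAVE_CONFIG32
{
    DWORD Size;
    DWORD MinimumRequiredConfigSize;
    DWORD PolicyFlags;
    DWORD NumberOfImports;
    DWORD ImportList;
    DWORD ImportEntrySize;
    UCHAR FamilyID[0x10];
    UCHAR ImageID[0x10];
    DWORD ImageVersion;
    DWORD SecurityVersion;
    DWORD EnclaveSize;
    DWORD NumberOfThreads;
    DWORD EnclaveFlags;
} IMAGE_ENCLAVE_CONFIG32, * PIMAGE_ENCLAVE_CONFIG32;

typedef struct _IMAGE_ENCLAVE_CONFIG64
{
    DWORD Size;
    DWORD MinimumRequiredConfigSize;
    DWORD PolicyFlags;
    DWORD NumberOfImports;
    DWORD ImportList;
    DWORD ImportEntrySize;
    UCHAR FamilyID[0x10];
    UCHAR ImageID[0x10];
    DWORD ImageVersion;
    DWORD SecurityVersion;
    QWORD EnclaveSize;
    DWORD NumberOfThreads;
    DWORD EnclaveFlags;
} IMAGE_ENCLAVE_CONFIG64, * PIMAGE_ENCLAVE_CONFIG64;

#define IMAGE_ENCLAVE_POLICY_DEBUGGABLE 0x00000001
#define IMAGE_ENCLAVE_FLAG_PRIMARY_IMAGE 0x00000001

#define IMAGE_ENCLAVE_IMPORT_MATCH_NONE 0x00000000
#define IMAGE_ENCLAVE_IMPORT_MATCH_UNIQUE_ID 0x00000001
#define IMAGE_ENCLAVE_IMPORT_MATCH_AUTHOR_ID 0x00000002
#define IMAGE_ENCLAVE_IMPORT_MATCH_FAMILY_ID 0x00000003
#define IMAGE_ENCLAVE_IMPORT_MATCH_IMAGE_ID 0x00000004

typedef struct _IMAGE_ENCLAVE_IMPORT
{
    DWORD MatchType; // IMAGE_ENCLAVE_IMPORT_MATCH_*
    DWORD MinimumSecurityVersion;
    UCHAR UniqueOrAuthorID[0x20];
    UCHAR FamilyID[0x10];
    UCHAR ImageID[0x10];
    DWORD ImportName;
    DWORD Reserved;
} IMAGE_ENCLAVE_IMPORT, * PIMAGE_ENCLAVE_IMPORT;

typedef struct _IMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER
{
    DWORD EpilogueCount;
    UCHAR EpilogueByteCount;
    UCHAR BranchDescriptorElementSize;
    WORD BranchDescriptorCount;
} IMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER, * PIMAGE_EPILOGUE_DYNAMIC_RELOCATION_HEADER;

typedef struct _IMAGE_FUNCTION_ENTRY
{
    DWORD StartingAddress;
    DWORD EndingAddress;
    DWORD EndOfPrologue;
} IMAGE_FUNCTION_ENTRY, * PIMAGE_FUNCTION_ENTRY;

typedef struct _IMAGE_FUNCTION_ENTRY64
{
    QWORD StartingAddress;
    QWORD EndingAddress;
    union
    {
        QWORD EndOfPrologue;
        QWORD UnwindInfoAddress;
    } __inner2;
} IMAGE_FUNCTION_ENTRY64, * PIMAGE_FUNCTION_ENTRY64;

typedef struct _IMAGE_HOT_PATCH_BASE
{
    DWORD SequenceNumber;
    DWORD Flags; // IMAGE_HOT_PATCH_BASE_*
    DWORD OriginalTimeDateStamp;
    DWORD OriginalCheckSum;
    DWORD CodeIntegrityInfo;
    DWORD CodeIntegritySize;
    DWORD PatchTable;
    DWORD BufferOffset;
} IMAGE_HOT_PATCH_BASE, * PIMAGE_HOT_PATCH_BASE;

typedef struct _IMAGE_HOT_PATCH_HASHES
{
    UCHAR SHA256[0x20];
    UCHAR SHA1[0x14];
} IMAGE_HOT_PATCH_HASHES, * PIMAGE_HOT_PATCH_HASHES;

typedef struct _IMAGE_HOT_PATCH_INFO
{
    DWORD Version;
    DWORD Size;
    DWORD SequenceNumber;
    DWORD BaseImageList;
    DWORD BaseImageCount;
    DWORD BufferOffset;
    DWORD ExtraPatchSize;
} IMAGE_HOT_PATCH_INFO, * PIMAGE_HOT_PATCH_INFO;

// NOTE(review): the SDK packs these as bit-fields of one DWORD; here each
// name aliases the whole DWORD and must be masked by the caller.
typedef struct _IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION
{
    union
    {
        DWORD PageRelativeOffset;
        DWORD IndirectCall;
        DWORD IATIndex;
    } __bitfield0;
} IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION, * PIMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION;

// NOTE(review): same caveat as above; the WORD members only cover the low
// half of the DWORD-sized union.
typedef struct _IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION
{
    union
    {
        WORD PageRelativeOffset;
        WORD IndirectCall;
        WORD RexWPrefix;
        WORD CfgCheck;
        DWORD Reserved;
    } __bitfield0;
} IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION, * PIMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION;

typedef struct _IMAGE_LINENUMBER
{
    union
    {
        DWORD SymbolTableIndex;
        DWORD VirtualAddress;
    } Type;
    WORD Linenumber;
} IMAGE_LINENUMBER, * PIMAGE_LINENUMBER;

#define IMAGE_HOT_PATCH_BASE_OBLIGATORY 0x00000001
#define IMAGE_HOT_PATCH_BASE_CAN_ROLL_BACK 0x00000002

#define IMAGE_HOT_PATCH_CHUNK_INVERSE 0x80000000
#define IMAGE_HOT_PATCH_CHUNK_OBLIGATORY 0x40000000
#define IMAGE_HOT_PATCH_CHUNK_RESERVED 0x3FF03000
#define IMAGE_HOT_PATCH_CHUNK_TYPE 0x000FC000
#define IMAGE_HOT_PATCH_CHUNK_SOURCE_R VA 0x00008000
#define IMAGE_HOT_PATCH_CHUNK_TARGET_RVA 0x00004000
#define IMAGE_HOT_PATCH_CHUNK_SIZE 0x00000FFF

#define IMAGE_HOT_PATCH_NONE 0x00000000
#define IMAGE_HOT_PATCH_FUNCTION 0x0001C000
#define IMAGE_HOT_PATCH_ABSOLUTE 0x0002C000
#define IMAGE_HOT_PATCH_REL32 0x0003C000
#define IMAGE_HOT_PATCH_CALL_TARGET 0x00044000
#define IMAGE_HOT_PATCH_INDIRECT 0x0005C000
#define IMAGE_HOT_PATCH_NO_CALL_TARGET 0x00064000
#define IMAGE_HOT_PATCH_DYNAMIC_VALUE 0x00078000

// IMAGE_LOAD_CONFIG_DIRECTORY.GuardFlags bits. A loader that maps a
// GUARD_CF image without registering its function table leaves indirect
// calls unprotected; these flags tell it what the image provides.
#define IMAGE_GUARD_CF_INSTRUMENTED 0x00000100                    // Module performs control flow integrity checks using system-supplied support
#define IMAGE_GUARD_CFW_INSTRUMENTED 0x00000200                   // Module performs control flow and write integrity checks
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400          // Module contains valid control flow target metadata
#define IMAGE_GUARD_SECURITY_COOKIE_UNUSED 0x00000800             // Module does not make use of the /GS security cookie
#define IMAGE_GUARD_PROTECT_DELAYLOAD_IAT 0x00001000              // Module supports read only delay load IAT
#define IMAGE_GUARD_DELAYLOAD_IAT_IN_ITS_OWN_SECTION 0x00002000   // Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected
#define IMAGE_GUARD_CF_EXPORT_SUPPRESSION_INFO_PRESENT 0x00004000 //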
Module contains suppressed export information. This also infers that the address taken 1741 | // taken IAT table is also present in the load config. 1742 | #define IMAGE_GUARD_CF_ENABLE_EXPORT_SUPPRESSION 0x00008000 // Module enables suppression of exports 1743 | #define IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT 0x00010000 // Module contains longjmp target information 1744 | #define IMAGE_GUARD_RF_INSTRUMENTED 0x00020000 // Module contains return flow instrumentation and metadata 1745 | #define IMAGE_GUARD_RF_ENABLE 0x00040000 // Module requests that the OS enable return flow protection 1746 | #define IMAGE_GUARD_RF_STRICT 0x00080000 // Module requests that the OS enable return flow protection in strict mode 1747 | #define IMAGE_GUARD_RETPOLINE_PRESENT 0x00100000 // Module was built with retpoline support 1748 | // DO_NOT_USE 0x00200000 // Was EHCont flag on VB (20H1) 1749 | #define IMAGE_GUARD_EH_CONTINUATION_TABLE_PRESENT 0x00400000 // Module contains EH continuation target information 1750 | #define IMAGE_GUARD_XFG_ENABLED 0x00800000 // Module was built with xfg 1751 | #define IMAGE_GUARD_CASTGUARD_PRESENT 0x01000000 // Module has CastGuard instrumentation present 1752 | #define IMAGE_GUARD_MEMCPY_PRESENT 0x02000000 // Module has Guarded Memcpy instrumentation present 1753 | 1754 | #define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK 0xF0000000 // Stride of Guard CF function table encoded in these bits (additional count of bytes per element) 1755 | #define IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT 28 // Shift to right-justify Guard CF function table stride 1756 | 1757 | // 1758 | // GFIDS table entry flags. 
1759 | // 1760 | 1761 | #define IMAGE_GUARD_FLAG_FID_SUPPRESSED 0x01 // The containing GFID entry is suppressed 1762 | #define IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED 0x02 // The containing GFID entry is export suppressed 1763 | #define IMAGE_GUARD_FLAG_FID_LANGEXCPTHANDLER 0x04 1764 | #define IMAGE_GUARD_FLAG_FID_XFG 0x08 1765 | 1766 | typedef struct _IMAGE_LOAD_CONFIG_CODE_INTEGRITY 1767 | { 1768 | WORD Flags; 1769 | WORD Catalog; 1770 | DWORD CatalogOffset; 1771 | DWORD Reserved; 1772 | }IMAGE_LOAD_CONFIG_CODE_INTEGRITY, * PIMAGE_LOAD_CONFIG_CODE_INTEGRITY; 1773 | 1774 | typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY32 1775 | { 1776 | DWORD Size; 1777 | DWORD TimeDateStamp; 1778 | WORD MajorVersion; 1779 | WORD MinorVersion; 1780 | DWORD GlobalFlagsClear; 1781 | DWORD GlobalFlagsSet; 1782 | DWORD CriticalSectionDefaultTimeout; 1783 | DWORD DeCommitFreeBlockThreshold; 1784 | DWORD DeCommitTotalFreeThreshold; 1785 | DWORD LockPrefixTable; 1786 | DWORD MaximumAllocationSize; 1787 | DWORD VirtualMemoryThreshold; 1788 | DWORD ProcessHeapFlags; 1789 | DWORD ProcessAffinityMask; 1790 | WORD CSDVersion; 1791 | WORD DependentLoadFlags; 1792 | DWORD EditList; 1793 | DWORD SecurityCookie; 1794 | DWORD SEHandlerTable; 1795 | DWORD SEHandlerCount; 1796 | DWORD GuardCFCheckFunctionPointer; 1797 | DWORD GuardCFDispatchFunctionPointer; 1798 | DWORD GuardCFFunctionTable; 1799 | DWORD GuardCFFunctionCount; 1800 | DWORD GuardFlags; 1801 | IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity; 1802 | DWORD GuardAddressTakenIatEntryTable; 1803 | DWORD GuardAddressTakenIatEntryCount; 1804 | DWORD GuardLongJumpTargetTable; 1805 | DWORD GuardLongJumpTargetCount; 1806 | DWORD DynamicValueRelocTable; 1807 | DWORD CHPEMetadataPointer; 1808 | DWORD GuardRFFailureRoutine; 1809 | DWORD GuardRFFailureRoutineFunctionPointer; 1810 | DWORD DynamicValueRelocTableOffset; 1811 | WORD DynamicValueRelocTableSection; 1812 | WORD Reserved2; 1813 | DWORD GuardRFVerifyStackPointerFunctionPointer; 1814 | DWORD 
HotPatchTableOffset; 1815 | DWORD Reserved3; 1816 | DWORD EnclaveConfigurationPointer; 1817 | DWORD VolatileMetadataPointer; 1818 | DWORD GuardEHContinuationTable; 1819 | DWORD GuardEHContinuationCount; 1820 | }IMAGE_LOAD_CONFIG_DIRECTORY32, * PIMAGE_LOAD_CONFIG_DIRECTORY32; 1821 | 1822 | typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY64 1823 | { 1824 | DWORD Size; 1825 | DWORD TimeDateStamp; 1826 | WORD MajorVersion; 1827 | WORD MinorVersion; 1828 | DWORD GlobalFlagsClear; 1829 | DWORD GlobalFlagsSet; 1830 | DWORD CriticalSectionDefaultTimeout; 1831 | QWORD DeCommitFreeBlockThreshold; 1832 | QWORD DeCommitTotalFreeThreshold; 1833 | QWORD LockPrefixTable; 1834 | QWORD MaximumAllocationSize; 1835 | QWORD VirtualMemoryThreshold; 1836 | QWORD ProcessAffinityMask; 1837 | DWORD ProcessHeapFlags; 1838 | WORD CSDVersion; 1839 | WORD DependentLoadFlags; 1840 | QWORD EditList; 1841 | QWORD SecurityCookie; 1842 | QWORD SEHandlerTable; 1843 | QWORD SEHandlerCount; 1844 | QWORD GuardCFCheckFunctionPointer; 1845 | QWORD GuardCFDispatchFunctionPointer; 1846 | QWORD GuardCFFunctionTable; 1847 | QWORD GuardCFFunctionCount; 1848 | DWORD GuardFlags; 1849 | IMAGE_LOAD_CONFIG_CODE_INTEGRITY CodeIntegrity; 1850 | QWORD GuardAddressTakenIatEntryTable; 1851 | QWORD GuardAddressTakenIatEntryCount; 1852 | QWORD GuardLongJumpTargetTable; 1853 | QWORD GuardLongJumpTargetCount; 1854 | QWORD DynamicValueRelocTable; 1855 | QWORD CHPEMetadataPointer; 1856 | QWORD GuardRFFailureRoutine; 1857 | QWORD GuardRFFailureRoutineFunctionPointer; 1858 | DWORD DynamicValueRelocTableOffset; 1859 | WORD DynamicValueRelocTableSection; 1860 | WORD Reserved2; 1861 | QWORD GuardRFVerifyStackPointerFunctionPointer; 1862 | DWORD HotPatchTableOffset; 1863 | DWORD Reserved3; 1864 | QWORD EnclaveConfigurationPointer; 1865 | QWORD VolatileMetadataPointer; 1866 | QWORD GuardEHContinuationTable; 1867 | QWORD GuardEHContinuationCount; 1868 | }IMAGE_LOAD_CONFIG_DIRECTORY64, * PIMAGE_LOAD_CONFIG_DIRECTORY64; 1869 | 1870 | 
typedef enum _IMAGE_MITIGATION_POLICY// int32_t 1871 | { 1872 | ImageDepPolicy = 0x0, 1873 | ImageAslrPolicy = 0x1, 1874 | ImageDynamicCodePolicy = 0x2, 1875 | ImageStrictHandleCheckPolicy = 0x3, 1876 | ImageSystemCallDisablePolicy = 0x4, 1877 | ImageMitigationOptionsMask = 0x5, 1878 | ImageExtensionPointDisablePolicy = 0x6, 1879 | ImageControlFlowGuardPolicy = 0x7, 1880 | ImageSignaturePolicy = 0x8, 1881 | ImageFontDisablePolicy = 0x9, 1882 | ImageImageLoadPolicy = 0xa, 1883 | ImagePayloadRestrictionPolicy = 0xb, 1884 | ImageChildProcessPolicy = 0xc, 1885 | ImageSehopPolicy = 0xd, 1886 | ImageHeapPolicy = 0xe, 1887 | ImageUserShadowStackPolicy = 0xf, 1888 | MaxImageMitigationPolicy = 0x10 1889 | }IMAGE_MITIGATION_POLICY, * PIMAGE_MITIGATION_POLICY; 1890 | 1891 | typedef enum _IMAGE_POLICY_ENTRY_TYPE // int32_t 1892 | { 1893 | ImagePolicyEntryTypeNone = 0x0, 1894 | ImagePolicyEntryTypeBool = 0x1, 1895 | ImagePolicyEntryTypeInt8 = 0x2, 1896 | ImagePolicyEntryTypeUInt8 = 0x3, 1897 | ImagePolicyEntryTypeInt16 = 0x4, 1898 | ImagePolicyEntryTypeUInt16 = 0x5, 1899 | ImagePolicyEntryTypeInt32 = 0x6, 1900 | ImagePolicyEntryTypeUInt32 = 0x7, 1901 | ImagePolicyEntryTypeInt64 = 0x8, 1902 | ImagePolicyEntryTypeUInt64 = 0x9, 1903 | ImagePolicyEntryTypeAnsiString = 0xa, 1904 | ImagePolicyEntryTypeUnicodeString = 0xb, 1905 | ImagePolicyEntryTypeOverride = 0xc, 1906 | ImagePolicyEntryTypeMaximum = 0xd 1907 | }IMAGE_POLICY_ENTRY_TYPE, * PIMAGE_POLICY_ENTRY_TYPE; 1908 | 1909 | typedef enum _IMAGE_POLICY_ID // int32_t 1910 | { 1911 | ImagePolicyIdNone = 0x0, 1912 | ImagePolicyIdEtw = 0x1, 1913 | ImagePolicyIdDebug = 0x2, 1914 | ImagePolicyIdCrashDump = 0x3, 1915 | ImagePolicyIdCrashDumpKey = 0x4, 1916 | ImagePolicyIdCrashDumpKeyGuid = 0x5, 1917 | ImagePolicyIdParentSd = 0x6, 1918 | ImagePolicyIdParentSdRev = 0x7, 1919 | ImagePolicyIdSvn = 0x8, 1920 | ImagePolicyIdDeviceId = 0x9, 1921 | ImagePolicyIdCapability = 0xa, 1922 | ImagePolicyIdScenarioId = 0xb, 1923 | ImagePolicyIdMaximum = 
0xc 1924 | }IMAGE_POLICY_ID, * PIMAGE_POLICY_ID; 1925 | 1926 | typedef struct _IMAGE_POLICY_ENTRY 1927 | { 1928 | IMAGE_POLICY_ENTRY_TYPE Type; 1929 | IMAGE_POLICY_ID PolicyId; 1930 | union 1931 | { 1932 | void const* None; 1933 | UCHAR BoolValue; 1934 | char Int8Value; 1935 | UCHAR UInt8Value; 1936 | SHORT Int16Value; 1937 | WORD UInt16Value; 1938 | LONG Int32Value; 1939 | DWORD UInt32Value; 1940 | __int64 Int64Value; 1941 | QWORD UInt64Value; 1942 | char const* AnsiStringValue; 1943 | PWSTR const* UnicodeStringValue; 1944 | } u; 1945 | }IMAGE_POLICY_ENTRY, * PIMAGE_POLICY_ENTRY; 1946 | 1947 | typedef struct _IMAGE_POLICY_METADATA 1948 | { 1949 | UCHAR Version; 1950 | UCHAR Reserved0[0x7]; 1951 | QWORD ApplicationId; 1952 | struct _IMAGE_POLICY_ENTRY Policies[0x0]; 1953 | }IMAGE_POLICY_METADATA, * PIMAGE_POLICY_METADATA; 1954 | 1955 | typedef struct _IMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER 1956 | { 1957 | UCHAR PrologueByteCount; 1958 | }IMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER, * PIMAGE_PROLOGUE_DYNAMIC_RELOCATION_HEADER; 1959 | 1960 | typedef struct _IMAGE_RELOCATION 1961 | { 1962 | union 1963 | { 1964 | DWORD VirtualAddress; 1965 | DWORD RelocCount; 1966 | } __inner0; 1967 | DWORD SymbolTableIndex; 1968 | WORD Type; 1969 | }IMAGE_RELOCATION, * PIMAGE_RELOCATION; 1970 | 1971 | typedef struct _IMAGE_RESOURCE_DATA_ENTRY 1972 | { 1973 | DWORD OffsetToData; 1974 | DWORD Size; 1975 | DWORD CodePage; 1976 | DWORD Reserved; 1977 | }IMAGE_RESOURCE_DATA_ENTRY, * PIMAGE_RESOURCE_DATA_ENTRY; 1978 | 1979 | typedef struct _IMAGE_RESOURCE_DIRECTORY 1980 | { 1981 | DWORD Characteristics; 1982 | DWORD TimeDateStamp; 1983 | WORD MajorVersion; 1984 | WORD MinorVersion; 1985 | WORD NumberOfNamedEntries; 1986 | WORD NumberOfIdEntries; 1987 | }IMAGE_RESOURCE_DIRECTORY, * PIMAGE_RESOURCE_DIRECTORY; 1988 | 1989 | typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY { 1990 | union { 1991 | struct { 1992 | DWORD NameOffset : 31; 1993 | DWORD NameIsString : 1; 1994 | } DUMMYSTRUCTNAME; 1995 | 
DWORD Name; 1996 | WORD Id; 1997 | } DUMMYUNIONNAME; 1998 | union { 1999 | DWORD OffsetToData; 2000 | struct { 2001 | DWORD OffsetToDirectory : 31; 2002 | DWORD DataIsDirectory : 1; 2003 | } DUMMYSTRUCTNAME2; 2004 | } DUMMYUNIONNAME2; 2005 | } IMAGE_RESOURCE_DIRECTORY_ENTRY, * PIMAGE_RESOURCE_DIRECTORY_ENTRY; 2006 | 2007 | typedef struct _IMAGE_RESOURCE_DIRECTORY_STRING 2008 | { 2009 | WORD Length; 2010 | char NameString[0x1]; 2011 | }IMAGE_RESOURCE_DIRECTORY_STRING, * PIMAGE_RESOURCE_DIRECTORY_STRING; 2012 | 2013 | typedef struct _IMAGE_RESOURCE_DIR_STRING_U 2014 | { 2015 | WORD Length; 2016 | UCHAR NameString[0x1]; 2017 | }IMAGE_RESOURCE_DIR_STRING_U, * PIMAGE_RESOURCE_DIR_STRING_U; 2018 | 2019 | typedef struct _NON_PAGED_DEBUG_INFO { 2020 | WORD Signature; 2021 | WORD Flags; 2022 | DWORD Size; 2023 | WORD Machine; 2024 | WORD Characteristics; 2025 | DWORD TimeDateStamp; 2026 | DWORD CheckSum; 2027 | DWORD SizeOfImage; 2028 | ULONGLONG ImageBase; 2029 | //DebugDirectorySize 2030 | //IMAGE_DEBUG_DIRECTORY 2031 | } NON_PAGED_DEBUG_INFO, * PNON_PAGED_DEBUG_INFO; 2032 | 2033 | #define IMAGE_SEPARATE_DEBUG_FLAGS_MASK 0x8000 2034 | #define IMAGE_SEPARATE_DEBUG_MISMATCH 0x8000 // when DBG was updated, the old checksum didn't match. 
2035 | 2036 | typedef struct _IMAGE_SEPARATE_DEBUG_HEADER 2037 | { 2038 | WORD Signature; 2039 | WORD Flags; 2040 | WORD Machine; 2041 | WORD Characteristics; 2042 | DWORD TimeDateStamp; 2043 | DWORD CheckSum; 2044 | DWORD ImageBase; 2045 | DWORD SizeOfImage; 2046 | DWORD NumberOfSections; 2047 | DWORD ExportedNamesSize; 2048 | DWORD DebugDirectorySize; 2049 | DWORD SectionAlignment; 2050 | DWORD Reserved[0x2]; 2051 | }IMAGE_SEPARATE_DEBUG_HEADER, * PIMAGE_SEPARATE_DEBUG_HEADER; 2052 | 2053 | typedef struct _IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION 2054 | { 2055 | union 2056 | { 2057 | WORD PageRelativeOffset; 2058 | WORD RegisterNumber; 2059 | } __bitfield0; 2060 | }IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION, * PIMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION; 2061 | 2062 | #define IMAGE_SYM_UNDEFINED (SHORT)0 // Symbol is undefined or is common. 2063 | #define IMAGE_SYM_ABSOLUTE (SHORT)-1 // Symbol is an absolute value. 2064 | #define IMAGE_SYM_DEBUG (SHORT)-2 // Symbol is a special debug item. 2065 | #define IMAGE_SYM_SECTION_MAX 0xFEFF // Values 0xFF00-0xFFFF are special 2066 | #define IMAGE_SYM_SECTION_MAX_EX MAXLONG 2067 | 2068 | #define IMAGE_SYM_TYPE_NULL 0x0000 // no type. 2069 | #define IMAGE_SYM_TYPE_VOID 0x0001 // 2070 | #define IMAGE_SYM_TYPE_CHAR 0x0002 // type character. 2071 | #define IMAGE_SYM_TYPE_SHORT 0x0003 // type short integer. 2072 | #define IMAGE_SYM_TYPE_INT 0x0004 // 2073 | #define IMAGE_SYM_TYPE_LONG 0x0005 // 2074 | #define IMAGE_SYM_TYPE_FLOAT 0x0006 // 2075 | #define IMAGE_SYM_TYPE_DOUBLE 0x0007 // 2076 | #define IMAGE_SYM_TYPE_STRUCT 0x0008 // 2077 | #define IMAGE_SYM_TYPE_UNION 0x0009 // 2078 | #define IMAGE_SYM_TYPE_ENUM 0x000A // enumeration. 2079 | #define IMAGE_SYM_TYPE_MOE 0x000B // member of enumeration. 
2080 | #define IMAGE_SYM_TYPE_BYTE 0x000C // 2081 | #define IMAGE_SYM_TYPE_WORD 0x000D // 2082 | #define IMAGE_SYM_TYPE_UINT 0x000E // 2083 | #define IMAGE_SYM_TYPE_DWORD 0x000F // 2084 | #define IMAGE_SYM_TYPE_PCODE 0x8000 // 2085 | 2086 | #define IMAGE_SYM_DTYPE_NULL 0 // no derived type. 2087 | #define IMAGE_SYM_DTYPE_POINTER 1 // pointer. 2088 | #define IMAGE_SYM_DTYPE_FUNCTION 2 // function. 2089 | #define IMAGE_SYM_DTYPE_ARRAY 3 // array. 2090 | 2091 | #define IMAGE_SYM_CLASS_END_OF_FUNCTION (BYTE )-1 2092 | #define IMAGE_SYM_CLASS_NULL 0x0000 2093 | #define IMAGE_SYM_CLASS_AUTOMATIC 0x0001 2094 | #define IMAGE_SYM_CLASS_EXTERNAL 0x0002 2095 | #define IMAGE_SYM_CLASS_STATIC 0x0003 2096 | #define IMAGE_SYM_CLASS_REGISTER 0x0004 2097 | #define IMAGE_SYM_CLASS_EXTERNAL_DEF 0x0005 2098 | #define IMAGE_SYM_CLASS_LABEL 0x0006 2099 | #define IMAGE_SYM_CLASS_UNDEFINED_LABEL 0x0007 2100 | #define IMAGE_SYM_CLASS_MEMBER_OF_STRUCT 0x0008 2101 | #define IMAGE_SYM_CLASS_ARGUMENT 0x0009 2102 | #define IMAGE_SYM_CLASS_STRUCT_TAG 0x000A 2103 | #define IMAGE_SYM_CLASS_MEMBER_OF_UNION 0x000B 2104 | #define IMAGE_SYM_CLASS_UNION_TAG 0x000C 2105 | #define IMAGE_SYM_CLASS_TYPE_DEFINITION 0x000D 2106 | #define IMAGE_SYM_CLASS_UNDEFINED_STATIC 0x000E 2107 | #define IMAGE_SYM_CLASS_ENUM_TAG 0x000F 2108 | #define IMAGE_SYM_CLASS_MEMBER_OF_ENUM 0x0010 2109 | #define IMAGE_SYM_CLASS_REGISTER_PARAM 0x0011 2110 | #define IMAGE_SYM_CLASS_BIT_FIELD 0x0012 2111 | 2112 | #define IMAGE_SYM_CLASS_FAR_EXTERNAL 0x0044 // 2113 | 2114 | #define IMAGE_SYM_CLASS_BLOCK 0x0064 2115 | #define IMAGE_SYM_CLASS_FUNCTION 0x0065 2116 | #define IMAGE_SYM_CLASS_END_OF_STRUCT 0x0066 2117 | #define IMAGE_SYM_CLASS_FILE 0x0067 2118 | // new 2119 | #define IMAGE_SYM_CLASS_SECTION 0x0068 2120 | #define IMAGE_SYM_CLASS_WEAK_EXTERNAL 0x0069 2121 | 2122 | #define IMAGE_SYM_CLASS_CLR_TOKEN 0x006B 2123 | 2124 | #define N_BTMASK 0x000F 2125 | #define N_TMASK 0x0030 2126 | #define N_TMASK1 0x00C0 2127 | #define N_TMASK2 
0x00F0 2128 | #define N_BTSHFT 4 2129 | #define N_TSHIFT 2 2130 | // MACROS 2131 | 2132 | // Basic Type of x 2133 | #define BTYPE(x) ((x) & N_BTMASK) 2134 | 2135 | // Is x a pointer? 2136 | #ifndef ISPTR 2137 | #define ISPTR(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_POINTER << N_BTSHFT)) 2138 | #endif 2139 | 2140 | // Is x a function? 2141 | #ifndef ISFCN 2142 | #define ISFCN(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_FUNCTION << N_BTSHFT)) 2143 | #endif 2144 | 2145 | // Is x an array? 2146 | 2147 | #ifndef ISARY 2148 | #define ISARY(x) (((x) & N_TMASK) == (IMAGE_SYM_DTYPE_ARRAY << N_BTSHFT)) 2149 | #endif 2150 | 2151 | // Is x a structure, union, or enumeration TAG? 2152 | #ifndef ISTAG 2153 | #define ISTAG(x) ((x)==IMAGE_SYM_CLASS_STRUCT_TAG || (x)==IMAGE_SYM_CLASS_UNION_TAG || (x)==IMAGE_SYM_CLASS_ENUM_TAG) 2154 | #endif 2155 | 2156 | #ifndef INCREF 2157 | #define INCREF(x) ((((x)&~N_BTMASK)<<N_TSHIFT)|(IMAGE_SYM_DTYPE_POINTER<<N_BTSHFT)|((x)&N_BTMASK)) 2158 | #endif 2159 | #ifndef DECREF 2160 | #define DECREF(x) ((((x)>>N_TSHIFT)&~N_BTMASK)|((x)&N_BTMASK)) 2161 | #endif 2162 | 2163 | 2164 | typedef struct _IMAGE_SYMBOL 2165 | { 2166 | union 2167 | { 2168 | UCHAR ShortName[0x8]; 2169 | struct 2170 | { 2171 | DWORD Short; 2172 | DWORD Long; 2173 | } Name; 2174 | DWORD LongName[0x2]; 2175 | } N; 2176 | DWORD Value; 2177 | SHORT SectionNumber; 2178 | WORD Type; 2179 | UCHAR StorageClass; 2180 | UCHAR NumberOfAuxSymbols; 2181 | }IMAGE_SYMBOL, * PIMAGE_SYMBOL; 2182 | 2183 | typedef struct _IMAGE_SYMBOL_EX 2184 | { 2185 | union 2186 | { 2187 | UCHAR ShortName[0x8]; 2188 | struct 2189 | { 2190 | DWORD Short; 2191 | DWORD Long; 2192 | } Name; 2193 | DWORD LongName[0x2]; 2194 | } N; 2195 | DWORD Value; 2196 | LONG SectionNumber; 2197 | WORD Type; 2198 | UCHAR StorageClass; 2199 | UCHAR NumberOfAuxSymbols; 2200 | }IMAGE_SYMBOL_EX, * PIMAGE_SYMBOL_EX; 2201 | 2202 | typedef enum _FUNCTION_TABLE_TYPE //int32_t 2203 | { 2204 | RF_SORTED = 0x0, 2205 | RF_UNSORTED = 0x1, 2206 | RF_CALLBACK = 0x2, 2207 | RF_KERNEL_DYNAMIC = 0x3 2208 | }FUNCTION_TABLE_TYPE, * PFUNCTION_TABLE_TYPE; 2209 | 2210 | typedef struct 
_RTL_BALANCED_NODE 2211 | { 2212 | union 2213 | { 2214 | struct _RTL_BALANCED_NODE* Children[2]; //0x0 2215 | struct 2216 | { 2217 | struct _RTL_BALANCED_NODE* Left; //0x0 2218 | struct _RTL_BALANCED_NODE* Right; //0x4 2219 | }; 2220 | }; 2221 | union 2222 | { 2223 | struct 2224 | { 2225 | UCHAR Red : 1; //0x8 2226 | UCHAR Balance : 2; //0x8 2227 | }; 2228 | ULONG ParentValue; //0x8 2229 | }; 2230 | }RTL_BALANCED_NODE, * PRTL_BALANCED_NODE; 2231 | 2232 | typedef struct _DYNAMIC_FUNCTION_TABLE 2233 | { 2234 | LIST_ENTRY ListEntry; 2235 | IMAGE_RUNTIME_FUNCTION_ENTRY* FunctionTable; 2236 | LARGE_INTEGER TimeStamp; 2237 | QWORD MinimumAddress; 2238 | QWORD MaximumAddress; 2239 | QWORD BaseAddress; 2240 | IMAGE_RUNTIME_FUNCTION_ENTRY* (*Callback)(QWORD, PVOID); 2241 | PVOID Context; 2242 | USHORT* OutOfProcessCallbackDll; 2243 | FUNCTION_TABLE_TYPE Type; 2244 | DWORD EntryCount; 2245 | RTL_BALANCED_NODE TreeNodeMin; 2246 | RTL_BALANCED_NODE TreeNodeMax; 2247 | }DYNAMIC_FUNCTION_TABLE, * PDYNAMIC_FUNCTION_TABLE; 2248 | 2249 | typedef struct _INVERTED_FUNCTION_TABLE_ENTRY 2250 | { 2251 | union 2252 | { 2253 | IMAGE_RUNTIME_FUNCTION_ENTRY* FunctionTable; 2254 | DYNAMIC_FUNCTION_TABLE* DynamicTable; 2255 | } __inner0; 2256 | PVOID ImageBase; 2257 | DWORD SizeOfImage; 2258 | DWORD SizeOfTable; 2259 | }INVERTED_FUNCTION_TABLE_ENTRY, * PINVERTED_FUNCTION_TABLE_ENTRY; 2260 | 2261 | typedef struct _INVERTED_FUNCTION_TABLE 2262 | { 2263 | DWORD CurrentSize; 2264 | DWORD MaximumSize; 2265 | DWORD volatile Epoch; 2266 | UCHAR Overflow; 2267 | INVERTED_FUNCTION_TABLE_ENTRY TableEntry[0x200]; 2268 | }INVERTED_FUNCTION_TABLE, * PINVERTED_FUNCTION_TABLE; 2269 | 2270 | typedef struct _IMAGE_ARCHITECTURE_ENTRY 2271 | { 2272 | DWORD FixupInstRVA; 2273 | DWORD NewInst; 2274 | }IMAGE_ARCHITECTURE_ENTRY, * PIMAGE_ARCHITECTURE_ENTRY; 2275 | 2276 | /*typedef struct _IMAGE_ARCHITECTURE_HEADER { 2277 | unsigned int AmaskValue : 1; // 1 -> code section depends on mask bit 2278 | // 0 -> new 
instruction depends on mask bit 2279 | int : 7; // MBZ 2280 | unsigned int AmaskShift : 8; // Amask bit in question for this fixup 2281 | int : 16; // MBZ 2282 | DWORD FirstEntryRVA; // RVA into .arch section to array of ARCHITECTURE_ENTRY's 2283 | } IMAGE_ARCHITECTURE_HEADER, * PIMAGE_ARCHITECTURE_HEADER;*/ 2284 | /* 2285 | typedef struct _IMAGE_ARCHITECTURE_HEADER 2286 | { 2287 | union 2288 | { 2289 | DWORD AmaskValue; 2290 | DWORD AmaskShift; 2291 | } __bitfield0; 2292 | DWORD FirstEntryRVA; 2293 | }IMAGE_ARCHITECTURE_HEADER, * PIMAGE_ARCHITECTURE_HEADER;*/ 2294 | 2295 | typedef struct _IMAGE_ARCHITECTURE_HEADER { 2296 | unsigned int AmaskValue : 1; // 1 -> code section depends on mask bit 2297 | // 0 -> new instruction depends on mask bit 2298 | int : 7; // MBZ 2299 | unsigned int AmaskShift : 8; // Amask bit in question for this fixup 2300 | int : 16; // MBZ 2301 | DWORD FirstEntryRVA; // RVA into .arch section to array of ARCHITECTURE_ENTRY's 2302 | } IMAGE_ARCHITECTURE_HEADER, * PIMAGE_ARCHITECTURE_HEADER; 2303 | 2304 | typedef struct _OSINFO 2305 | { 2306 | DWORD dwOSPlatformId; 2307 | DWORD dwOSMajorVersion; 2308 | DWORD dwOSMinorVersion; 2309 | }OSINFO, * POSINFO; 2310 | 2311 | typedef struct _ASSEMBLYMETADATA 2312 | { 2313 | USHORT usMajorVersion; 2314 | USHORT usMinorVersion; 2315 | USHORT usBuildNumber; 2316 | USHORT usRevisionNumber; 2317 | USHORT* szLocale; 2318 | DWORD cbLocale; 2319 | DWORD* rProcessor; 2320 | DWORD ulProcessor; 2321 | OSINFO* rOS; 2322 | DWORD ulOS; 2323 | }ASSEMBLYMETADATA, * PASSEMBLYMETADATA; 2324 | 2325 | typedef struct _JIT_DEBUG_INFO 2326 | { 2327 | DWORD dwSize; 2328 | DWORD dwProcessorArchitecture; 2329 | DWORD dwThreadID; 2330 | DWORD dwReserved0; 2331 | QWORD lpExceptionAddress; 2332 | QWORD lpExceptionRecord; 2333 | QWORD lpContextRecord; 2334 | }JIT_DEBUG_INFO, * PJIT_DEBUG_INFO; 2335 | 2336 | //FROM LDR 2337 | typedef struct _LOADED_IMAGE 2338 | { 2339 | char* ModuleName; 2340 | PVOID hFile; 2341 | UCHAR* 
MappedAddress; 2342 | IMAGE_NT_HEADERS64* FileHeader; 2343 | IMAGE_SECTION_HEADER* LastRvaSection; 2344 | DWORD NumberOfSections; 2345 | IMAGE_SECTION_HEADER* Sections; 2346 | DWORD Characteristics; 2347 | UCHAR fSystemImage; 2348 | UCHAR fDOSImage; 2349 | UCHAR fReadOnly; 2350 | UCHAR Version; 2351 | LIST_ENTRY Links; 2352 | DWORD SizeOfImage; 2353 | }LOADED_IMAGE, * PLOADED_IMAGE; 2354 | 2355 | typedef struct _LOAD_ASDATA_TABLE 2356 | { 2357 | PVOID Module; 2358 | PWSTR FilePath; 2359 | QWORD Size; 2360 | PVOID* Handle; 2361 | LONG RefCount; 2362 | struct _ACTIVATION_CONTEXT* EntryPointActivationContext; 2363 | }LOAD_ASDATA_TABLE, * PLOAD_ASDATA_TABLE; 2364 | 2365 | typedef struct _LOAD_DLL_DEBUG_INFO 2366 | { 2367 | PVOID hFile; 2368 | PVOID lpBaseOfDll; 2369 | DWORD dwDebugInfoFileOffset; 2370 | DWORD nDebugInfoSize; 2371 | PVOID lpImageName; 2372 | WORD fUnicode; 2373 | }LOAD_DLL_DEBUG_INFO, * PLOAD_DLL_DEBUG_INFO; 2374 | 2375 | typedef struct _LOCALMANAGEDAPPLICATION 2376 | { 2377 | PWSTR pszDeploymentName; 2378 | PWSTR pszPolicyName; 2379 | PWSTR pszProductId; 2380 | DWORD dwState; 2381 | }LOCALMANAGEDAPPLICATION, * PLOCALMANAGEDAPPLICATION; 2382 | 2383 | typedef struct _HOT_PATCH_IMAGE_INFO 2384 | { 2385 | DWORD CheckSum; 2386 | DWORD TimeDateStamp; 2387 | }HOT_PATCH_IMAGE_INFO, * PHOT_PATCH_IMAGE_INFO; 2388 | 2389 | typedef struct _MANAGEDAPPLICATION 2390 | { 2391 | PWSTR pszPackageName; 2392 | PWSTR pszPublisher; 2393 | DWORD dwVersionHi; 2394 | DWORD dwVersionLo; 2395 | DWORD dwRevision; 2396 | GUID GpoId; 2397 | PWSTR pszPolicyName; 2398 | GUID ProductId; 2399 | USHORT Language; 2400 | PWSTR pszOwner; 2401 | PWSTR pszCompany; 2402 | PWSTR pszComments; 2403 | PWSTR pszContact; 2404 | PWSTR pszSupportUrl; 2405 | DWORD dwPathType; 2406 | LONG bInstalled; 2407 | }MANAGEDAPPLICATION, * PMANAGEDAPPLICATION; 2408 | 2409 | typedef struct _SID_IDENTIFIER_AUTHORITY 2410 | { 2411 | UCHAR Value[0x6]; 2412 | }SID_IDENTIFIER_AUTHORITY, * PSID_IDENTIFIER_AUTHORITY; 
2413 | 2414 | typedef struct _SID 2415 | { 2416 | UCHAR Revision; 2417 | UCHAR SubAuthorityCount; 2418 | SID_IDENTIFIER_AUTHORITY IdentifierAuthority; 2419 | DWORD SubAuthority[0x1]; 2420 | }SID, * PSID; 2421 | 2422 | typedef struct _MANAGE_HOT_PATCH_LOAD_PATCH 2423 | { 2424 | DWORD Version; 2425 | UNICODE_STRING PatchPath; 2426 | union 2427 | { 2428 | SID Sid; 2429 | UCHAR Buffer[0x44]; 2430 | } UserSid; 2431 | HOT_PATCH_IMAGE_INFO BaseInfo; 2432 | }MANAGE_HOT_PATCH_LOAD_PATCH, * PMANAGE_HOT_PATCH_LOAD_PATCH; 2433 | 2434 | typedef struct _MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES 2435 | { 2436 | DWORD Version; 2437 | PVOID ProcessHandle; 2438 | DWORD PatchCount; 2439 | UNICODE_STRING* PatchPathStrings; 2440 | HOT_PATCH_IMAGE_INFO* BaseInfos; 2441 | }MANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES, * PMANAGE_HOT_PATCH_QUERY_ACTIVE_PATCHES; 2442 | 2443 | typedef struct _MANAGE_HOT_PATCH_QUERY_PATCHES 2444 | { 2445 | DWORD Version; 2446 | union 2447 | { 2448 | SID Sid; 2449 | UCHAR Buffer[0x44]; 2450 | } UserSid; 2451 | DWORD PatchCount; 2452 | UNICODE_STRING* PatchPathStrings; 2453 | HOT_PATCH_IMAGE_INFO* BaseInfos; 2454 | }MANAGE_HOT_PATCH_QUERY_PATCHES, * PMANAGE_HOT_PATCH_QUERY_PATCHES; 2455 | 2456 | typedef struct _MANAGE_HOT_PATCH_UNLOAD_PATCH 2457 | { 2458 | DWORD Version; 2459 | HOT_PATCH_IMAGE_INFO BaseInfo; 2460 | union 2461 | { 2462 | SID Sid; 2463 | UCHAR Buffer[0x44]; 2464 | } UserSid; 2465 | }MANAGE_HOT_PATCH_UNLOAD_PATCH, * PMANAGE_HOT_PATCH_UNLOAD_PATCH; 2466 | 2467 | typedef struct _MANAGE_WRITES_TO_EXECUTABLE_MEMORY 2468 | { 2469 | union 2470 | { 2471 | DWORD Version; 2472 | DWORD ProcessEnableWriteExceptions; 2473 | DWORD ThreadAllowWrites; 2474 | DWORD Spare; 2475 | } __bitfield0; 2476 | PVOID KernelWriteToExecutableSignal; 2477 | }MANAGE_WRITES_TO_EXECUTABLE_MEMORY, * PMANAGE_WRITES_TO_EXECUTABLE_MEMORY; 2478 | 2479 | //----------------------------------------------------------------------------------- 2480 | 2481 | #define MEM_COMMIT 0x00001000 2482 | #define 
MEM_PRIVATE 0x00020000 2483 | #define MEM_RESERVE 0x00002000 2484 | #define MEM_REPLACE_PLACEHOLDER 0x00004000 2485 | #define MEM_MAPPED 0x00040000 2486 | #define MEM_IMAGE 0x1000000 2487 | #define MEM_RESET 0x00080000 2488 | #define MEM_TOP_DOWN 0x00100000 2489 | #define MEM_WRITE_WATCH 0x00200000 2490 | #define MEM_PHYSICAL 0x00400000 2491 | #define MEM_ROTATE 0x00800000 2492 | #define MEM_DIFFERENT_IMAGE_BASE_OK 0x00800000 2493 | #define MEM_RESET_UNDO 0x01000000 2494 | #define MEM_LARGE_PAGES 0x20000000 2495 | #define MEM_4MB_PAGES 0x80000000 2496 | #define MEM_64K_PAGES (MEM_LARGE_PAGES | MEM_PHYSICAL) 2497 | #define MEM_UNMAP_WITH_TRANSIENT_BOOST 0x00000001 2498 | #define MEM_COALESCE_PLACEHOLDERS 0x00000001 2499 | #define MEM_PRESERVE_PLACEHOLDER 0x00000002 2500 | #define MEM_FREE 0x00010000 2501 | 2502 | #define PAGE_NOACCESS 0x01 2503 | #define PAGE_READONLY 0x02 2504 | #define PAGE_READWRITE 0x04 2505 | #define PAGE_WRITECOPY 0x08 2506 | #define PAGE_EXECUTE 0x10 2507 | #define PAGE_EXECUTE_READ 0x20 2508 | #define PAGE_EXECUTE_READWRITE 0x40 2509 | #define PAGE_EXECUTE_WRITECOPY 0x80 2510 | #define PAGE_GUARD 0x100 2511 | #define PAGE_NOCACHE 0x200 2512 | #define PAGE_WRITECOMBINE 0x400 2513 | #define PAGE_GRAPHICS_NOACCESS 0x0800 2514 | #define PAGE_GRAPHICS_READONLY 0x1000 2515 | #define PAGE_GRAPHICS_READWRITE 0x2000 2516 | #define PAGE_GRAPHICS_EXECUTE 0x4000 2517 | #define PAGE_GRAPHICS_EXECUTE_READ 0x8000 2518 | #define PAGE_GRAPHICS_EXECUTE_READWRITE 0x10000 2519 | #define PAGE_GRAPHICS_COHERENT 0x20000 2520 | #define PAGE_GRAPHICS_NOCACHE 0x40000 2521 | #define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 2522 | #define PAGE_REVERT_TO_FILE_MAP 0x80000000 2523 | #define PAGE_TARGETS_NO_UPDATE 0x40000000 2524 | #define PAGE_TARGETS_INVALID 0x40000000 2525 | #define PAGE_ENCLAVE_UNVALIDATED 0x20000000 2526 | #define PAGE_ENCLAVE_MASK 0x10000000 2527 | #define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) 2528 | #define PAGE_ENCLAVE_SS_FIRST 
(PAGE_ENCLAVE_MASK | 1) 2529 | #define PAGE_ENCLAVE_SS_REST (PAGE_ENCLAVE_MASK | 2) 2530 | 2531 | #define MEM_DECOMMIT 0x00004000 2532 | #define MEM_RELEASE 0x00008000 2533 | 2534 | #define OBJ_INHERIT 0x00000002 2535 | #define OBJ_PERMANENT 0x00000010 2536 | #define OBJ_EXCLUSIVE 0x00000020 2537 | #define OBJ_CASE_INSENSITIVE 0x00000040 2538 | #define OBJ_OPENIF 0x00000080 2539 | #define OBJ_OPENLINK 0x00000100 2540 | #define OBJ_KERNEL_HANDLE 0x00000200 2541 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 2542 | #define OBJ_VALID_ATTRIBUTES 0x000007f2 2543 | 2544 | #define DELETE 0x00010000L 2545 | #define READ_CONTROL 0x00020000L 2546 | #define WRITE_DAC 0x00040000L 2547 | #define WRITE_OWNER 0x00080000L 2548 | #define SYNCHRONIZE 0x00100000L 2549 | #define STANDARD_RIGHTS_REQUIRED 0x000F0000L 2550 | #define STANDARD_RIGHTS_READ READ_CONTROL 2551 | #define STANDARD_RIGHTS_WRITE READ_CONTROL 2552 | #define STANDARD_RIGHTS_EXECUTE READ_CONTROL 2553 | #define STANDARD_RIGHTS_ALL 0x001F0000L 2554 | #define SPECIFIC_RIGHTS_ALL 0x0000FFFFL 2555 | #define ACCESS_SYSTEM_SECURITY 0x01000000L 2556 | #define MAXIMUM_ALLOWED 0x02000000L 2557 | #define GENERIC_READ 0x80000000L 2558 | #define GENERIC_WRITE 0x40000000L 2559 | #define GENERIC_EXECUTE 0x20000000L 2560 | #define GENERIC_ALL 0x10000000L 2561 | 2562 | #define FILE_DIRECTORY_FILE 0x00000001 2563 | #define FILE_WRITE_THROUGH 0x00000002 2564 | #define FILE_SEQUENTIAL_ONLY 0x00000004 2565 | #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 2566 | #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 2567 | #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 2568 | #define FILE_NON_DIRECTORY_FILE 0x00000040 2569 | #define FILE_CREATE_TREE_CONNECTION 0x00000080 2570 | #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 2571 | #define FILE_NO_EA_KNOWLEDGE 0x00000200 2572 | #define FILE_OPEN_FOR_RECOVERY 0x00000400 2573 | #define FILE_RANDOM_ACCESS 0x00000800 2574 | #define FILE_DELETE_ON_CLOSE 0x00001000 2575 | #define FILE_OPEN_BY_FILE_ID 
0x00002000 2576 | #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 2577 | #define FILE_NO_COMPRESSION 0x00008000 2578 | #define FILE_OPEN_REQUIRING_OPLOCK 0x00010000 2579 | #define FILE_DISALLOW_EXCLUSIVE 0x00020000 2580 | #define FILE_SESSION_AWARE 0x00040000 2581 | #define FILE_RESERVE_OPFILTER 0x00100000 2582 | #define FILE_OPEN_REPARSE_POINT 0x00200000 2583 | #define FILE_OPEN_NO_RECALL 0x00400000 2584 | #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 2585 | #define FILE_COPY_STRUCTURED_STORAGE 0x00000041 2586 | #define FILE_STRUCTURED_STORAGE 0x00000441 2587 | #define FILE_SUPERSEDED 0x00000000 2588 | #define FILE_OPENED 0x00000001 2589 | #define FILE_CREATED 0x00000002 2590 | #define FILE_OVERWRITTEN 0x00000003 2591 | #define FILE_EXISTS 0x00000004 2592 | #define FILE_DOES_NOT_EXIST 0x00000005 2593 | #define FILE_WRITE_TO_END_OF_FILE 0xffffffff 2594 | #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe 2595 | 2596 | #define FILE_SHARE_READ 0x00000001 2597 | #define FILE_SHARE_WRITE 0x00000002 2598 | #define FILE_SHARE_DELETE 0x00000004 2599 | #define FILE_ATTRIBUTE_READONLY 0x00000001 2600 | #define FILE_ATTRIBUTE_HIDDEN 0x00000002 2601 | #define FILE_ATTRIBUTE_SYSTEM 0x00000004 2602 | #define FILE_ATTRIBUTE_DIRECTORY 0x00000010 2603 | #define FILE_ATTRIBUTE_ARCHIVE 0x00000020 2604 | #define FILE_ATTRIBUTE_DEVICE 0x00000040 2605 | #define FILE_ATTRIBUTE_NORMAL 0x00000080 2606 | #define FILE_ATTRIBUTE_TEMPORARY 0x00000100 2607 | #define FILE_ATTRIBUTE_SPARSE_FILE 0x00000200 2608 | #define FILE_ATTRIBUTE_REPARSE_POINT 0x00000400 2609 | #define FILE_ATTRIBUTE_COMPRESSED 0x00000800 2610 | #define FILE_ATTRIBUTE_OFFLINE 0x00001000 2611 | #define FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000 2612 | #define FILE_ATTRIBUTE_ENCRYPTED 0x00004000 2613 | #define FILE_ATTRIBUTE_INTEGRITY_STREAM 0x00008000 2614 | #define FILE_ATTRIBUTE_VIRTUAL 0x00010000 2615 | #define FILE_ATTRIBUTE_NO_SCRUB_DATA 0x00020000 2616 | #define FILE_ATTRIBUTE_EA 0x00040000 2617 | #define 
FILE_ATTRIBUTE_PINNED 0x00080000
#define FILE_ATTRIBUTE_UNPINNED 0x00100000
#define FILE_ATTRIBUTE_RECALL_ON_OPEN 0x00040000
#define FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS 0x00400000

/* Win32 CreateFile-style FILE_FLAG_* values. Not referenced by the visible code, which passes the
 * native FILE_* open options (FILE_NON_DIRECTORY_FILE, FILE_SYNCHRONOUS_IO_ALERT) to NtOpenFile instead. */
#define FILE_FLAG_WRITE_THROUGH 0x80000000
#define FILE_FLAG_OVERLAPPED 0x40000000
#define FILE_FLAG_NO_BUFFERING 0x20000000
#define FILE_FLAG_RANDOM_ACCESS 0x10000000
#define FILE_FLAG_SEQUENTIAL_SCAN 0x8000000
#define FILE_FLAG_DELETE_ON_CLOSE 0x4000000
#define FILE_FLAG_BACKUP_SEMANTICS 0x2000000
#define FILE_FLAG_POSIX_SEMANTICS 0x1000000
#define FILE_FLAG_SESSION_AWARE 0x800000
#define FILE_FLAG_OPEN_REPARSE_POINT 0x200000
#define FILE_FLAG_OPEN_NO_RECALL 0x100000
#define FILE_FLAG_FIRST_PIPE_INSTANCE 0x80000

/* Buffer layout for the FileStandardInformation class of NtQueryInformationFile.
 * main() reads EndOfFile to size the allocation that receives the raw PE file. */
typedef struct _FILE_STANDARD_INFORMATION
{
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER EndOfFile;
    ULONG NumberOfLinks;
    BOOLEAN DeletePending;
    BOOLEAN Directory;
} FILE_STANDARD_INFORMATION, * PFILE_STANDARD_INFORMATION;

/* Completion record written by the I/O Nt* routines. Status and Pointer overlay each other (anonymous
 * union); Information is the routine-specific result value (for NtReadFile presumably the byte count --
 * confirm). NOTE(review): main() never reads Information after its NtReadFile call. */
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;

//Source: http://processhacker.sourceforge.net
/* Information classes accepted by NtQueryInformationFile. Only FileStandardInformation is used by
 * the visible code (main); the rest are kept for completeness of the header. */
typedef enum _FILE_INFORMATION_CLASS
{
    FileDirectoryInformation = 0x1,
    FileFullDirectoryInformation = 0x2,
    FileBothDirectoryInformation = 0x3,
    FileBasicInformation = 0x4,
    FileStandardInformation = 0x5,
    FileInternalInformation = 0x6,
    FileEaInformation = 0x7,
    FileAccessInformation = 0x8,
    FileNameInformation = 0x9,
    FileRenameInformation = 0xa,
    FileLinkInformation = 0xb,
    FileNamesInformation = 0xc,
    FileDispositionInformation = 0xd,
    FilePositionInformation = 0xe,
    FileFullEaInformation = 0xf,
    FileModeInformation = 0x10,
    FileAlignmentInformation = 0x11,
    FileAllInformation = 0x12,
    FileAllocationInformation = 0x13,
    FileEndOfFileInformation = 0x14,
    FileAlternateNameInformation = 0x15,
    FileStreamInformation = 0x16,
    FilePipeInformation = 0x17,
    FilePipeLocalInformation = 0x18,
    FilePipeRemoteInformation = 0x19,
    FileMailslotQueryInformation = 0x1a,
    FileMailslotSetInformation = 0x1b,
    FileCompressionInformation = 0x1c,
    FileObjectIdInformation = 0x1d,
    FileCompletionInformation = 0x1e,
    FileMoveClusterInformation = 0x1f,
    FileQuotaInformation = 0x20,
    FileReparsePointInformation = 0x21,
    FileNetworkOpenInformation = 0x22,
    FileAttributeTagInformation = 0x23,
    FileTrackingInformation = 0x24,
    FileIdBothDirectoryInformation = 0x25,
    FileIdFullDirectoryInformation = 0x26,
    FileValidDataLengthInformation = 0x27,
    FileShortNameInformation = 0x28,
    FileIoCompletionNotificationInformation = 0x29,
    FileIoStatusBlockRangeInformation = 0x2a,
    FileIoPriorityHintInformation = 0x2b,
    FileSfioReserveInformation = 0x2c,
    FileSfioVolumeInformation = 0x2d,
    FileHardLinkInformation = 0x2e,
    FileProcessIdsUsingFileInformation = 0x2f,
    FileNormalizedNameInformation = 0x30,
    FileNetworkPhysicalNameInformation = 0x31,
    FileIdGlobalTxDirectoryInformation = 0x32,
    FileIsRemoteDeviceInformation = 0x33,
    FileUnusedInformation = 0x34,
    FileNumaNodeInformation = 0x35,
    FileStandardLinkInformation = 0x36,
    FileRemoteProtocolInformation = 0x37,
    FileRenameInformationBypassAccessCheck = 0x38,
    FileLinkInformationBypassAccessCheck = 0x39,
    FileVolumeNameInformation = 0x3a,
    FileIdInformation = 0x3b,
    FileIdExtdDirectoryInformation = 0x3c,
    FileReplaceCompletionInformation = 0x3d,
    FileHardLinkFullIdInformation = 0x3e,
    FileIdExtdBothDirectoryInformation = 0x3f,
    FileDispositionInformationEx = 0x40,
    FileRenameInformationEx = 0x41,
    FileRenameInformationExBypassAccessCheck = 0x42,
    FileDesiredStorageClassInformation = 0x43,
    FileStatInformation = 0x44,
    FileMemoryPartitionInformation = 0x45,
    FileStatLxInformation = 0x46,
    FileCaseSensitiveInformation = 0x47,
    FileLinkInformationEx = 0x48,
    FileLinkInformationExBypassAccessCheck = 0x49,
    FileStorageReserveIdInformation = 0x4a,
    FileCaseSensitiveInformationForceAccessCheck = 0x4b,
    FileMaximumInformation = 0x4c
} FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS;

/* Function-pointer types for the ntdll routines this project resolves by hand (see
 * GetProcedureAddressNt); each is paired with an LP* pointer typedef.
 * The signatures mirror the native prototypes; the parameter names are the ones from the
 * public documentation. */

/* ntdll!LdrLoadDll -- not referenced by the visible code. */
typedef NTSTATUS NTAPI LDRLOADDLL(
    PWSTR SearchPathw,
    PULONG DllCharacteristics,
    PUNICODE_STRING DllName,
    PVOID* BaseAddress
); typedef LDRLOADDLL* LPLDRLOADDLL;

/* ntdll!NtAllocateVirtualMemory -- used by MallocCustom and by main() for the file buffer.
 * RegionSize is passed by pointer (in/out). */
typedef NTSTATUS NTAPI NTALLOCATEVIRTUALMEMORY
(
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
); typedef NTALLOCATEVIRTUALMEMORY* LPNTALLOCATEVIRTUALMEMORY;

/* ntdll!NtClose -- used by main() to close the file handle. */
typedef NTSTATUS NTAPI NTCLOSE(
    HANDLE Handle
); typedef NTCLOSE* LPNTCLOSE;

/* ntdll!NtFreeVirtualMemory -- used by GetProcedureAddress to release forwarder scratch buffers. */
typedef NTSTATUS NTAPI NTFREEVIRTUALMEMORY
(
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    PSIZE_T RegionSize,
    ULONG FreeType
); typedef NTFREEVIRTUALMEMORY* LPNTFREEVIRTUALMEMORY;

/* ntdll!NtOpenFile -- used by main() to open the PE file for reading. */
typedef NTSTATUS NTAPI NTOPENFILE(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    ULONG ShareAccess,
    ULONG OpenOptions
); typedef NTOPENFILE* LPNTOPENFILE;

/* ntdll!NtProtectVirtualMemory -- not referenced by the visible code (presumably used by Loader()
 * in Loader.h when sections are mapped -- confirm). Declaration continues on the next source line. */
typedef NTSTATUS NTAPI NTPROTECTVIRTUALMEMORY
(
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    SIZE_T*
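NumberOfBytesToProtect,
    ULONG NewAccessProtection,
    PULONG OldAccessProtection
); typedef NTPROTECTVIRTUALMEMORY* LPNTPROTECTVIRTUALMEMORY;

/* ntdll!NtQueryInformationFile -- main() calls it with FileStandardInformation to learn the file size. */
typedef NTSTATUS NTAPI NTQUERYINFORMATIONFILE(
    HANDLE FileHandle,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID FileInformation,
    ULONG Length,
    FILE_INFORMATION_CLASS FileInformationClass
); typedef NTQUERYINFORMATIONFILE* LPNTQUERYINFORMATIONFILE;

/* ntdll!NtReadFile -- main() reads the whole PE file with it (Event/ApcRoutine/ApcContext/Key NULL). */
typedef NTSTATUS NTAPI NTREADFILE(
    HANDLE FileHandle,
    HANDLE Event,
    PVOID ApcRoutine, // PIO_APC_ROUTINE; reserved for user-mode callers, pass NULL
    PVOID ApcContext,
    PIO_STATUS_BLOCK IoStatusBlock,
    PVOID Buffer,
    ULONG Length,
    PLARGE_INTEGER ByteOffset,
    PULONG Key
); typedef NTREADFILE* LPNTREADFILE;

/* ntdll!NtWriteVirtualMemory -- not referenced by the visible code. */
typedef NTSTATUS NTAPI NTWRITEVIRTUALMEMORY
(
    HANDLE ProcessHandle,
    PVOID BaseAddress,
    PVOID Buffer,
    ULONG NumberOfBytesToWrite,
    PULONG NumberOfBytesWritten
); typedef NTWRITEVIRTUALMEMORY* LPNTWRITEVIRTUALMEMORY;

/* ntdll!RtlInitUnicodeString -- main() uses it to build the UNICODE_STRING for the file path. */
typedef NTSTATUS NTAPI RTLINITUNICODESTRING(
    PUNICODE_STRING DestinationString, //_Out_
    PWSTR SourceString //_In_opt_z_
); typedef RTLINITUNICODESTRING* LPRTLINITUNICODESTRING;

//-----------------------------------------------------------------------------------
// Minimal, CRT-free string helpers. They handle ASCII only, which is all that module and
// export names require; none of them checks for NULL unless stated.
//-----------------------------------------------------------------------------------

/* Folds an ASCII upper-case code unit ('A'..'Z') to lower case; everything else is returned unchanged. */
__forceinline WCHAR __cdecl ToLowerW(WCHAR wideChar)
{
    if (wideChar >= L'A' && wideChar <= L'Z')
    {
        return (WCHAR)(wideChar + (L'a' - L'A'));
    }
    return wideChar;
}

/* Folds an ASCII upper-case char ('A'..'Z') to lower case, mirroring ToLowerW.
 * It deliberately lower-cases (the earlier revision went lower -> upper, contradicting its name);
 * every caller in this file applies it to both operands of a comparison, so either direction
 * yields the same case-insensitive equality -- only the name now matches the behaviour. */
__forceinline char __cdecl ToLowerA(char baseChar)
{
    if (baseChar >= 'A' && baseChar <= 'Z')
    {
        baseChar = (char)(baseChar + ('a' - 'A'));
    }
    return baseChar;
}

/* Length of a NUL-terminated narrow string, excluding the terminator. baseStr must be non-NULL. */
__forceinline int __cdecl StringLengthA(char* baseStr)
{
    int length = 0;
    while (baseStr[length] != '\0')
    {
        length++;
    }
    return length;
}

/* Length of a NUL-terminated wide string, excluding the terminator. wideStr must be non-NULL. */
__forceinline int __cdecl StringLengthW(WCHAR* wideStr)
{
    int length = 0;
    while (wideStr[length] != '\0')
    {
        length++;
    }
    return length;
}

/* Case-insensitive (ASCII) comparison of wideStr1 against the *start* of wideStr2.
 * Caveat: this is a prefix test, not an equality test -- it reports TRUE when wideStr1 is a prefix
 * of wideStr2 (e.g. L"ntdll" vs L"ntdll.dll"). The walk stops at wideStr1's terminator, and a shorter
 * wideStr2 fails on its own terminator first, so neither string is read past its NUL.
 * Use StringMatches when an exact match is required. */
__forceinline BOOLEAN __cdecl CompareUnicode(PWSTR wideStr1, PWSTR wideStr2)
{
    int length = StringLengthW(wideStr1);   // hoisted out of the loop; it was recomputed per character
    for (int i = 0; i < length; i++)
    {
        if (ToLowerW(wideStr1[i]) != ToLowerW(wideStr2[i]))
        {
            return FALSE;
        }
    }
    return TRUE;
}

/* Narrow-string counterpart of CompareUnicode: case-insensitive (ASCII) *prefix* test of baseStr1
 * against baseStr2. The export-name lookups below rely on the export name table being sorted so
 * that an exact name precedes any longer name it is a prefix of. */
__forceinline BOOLEAN __cdecl CompareAnsi(char* baseStr1, char* baseStr2)
{
    int length = StringLengthA(baseStr1);   // hoisted out of the loop; it was recomputed per character
    for (int i = 0; i < length; i++)
    {
        if (ToLowerA(baseStr1[i]) != ToLowerA(baseStr2[i]))
        {
            return FALSE;
        }
    }
    return TRUE;
}

/* Returns a pointer to the text after the first '.' in fullName (the function part of an
 * export-forwarder string "Module.Function"), or NULL_PTR when there is no '.'.
 * No copy is made: the result aliases fullName and must not be freed. */
__forceinline char* __cdecl Separator(char* fullName)
{
    for (char* cursor = fullName; *cursor != '\0'; cursor++)
    {
        if (*cursor == '.')
        {
            return cursor + 1;
        }
    }
    return NULL_PTR;
}

/* Exact, case-insensitive (ASCII) equality of two wide strings.
 * Returns FALSE when either pointer is NULL_PTR or the lengths differ, TRUE only on a full match. */
__forceinline BOOL __cdecl StringMatches(WCHAR* wideStr1, WCHAR* wideStr2)
{
    if (wideStr1 == NULL_PTR || wideStr2 == NULL_PTR)
    {
        return FALSE;
    }

    int length = StringLengthW(wideStr1);
    if (length != StringLengthW(wideStr2))
    {
        return FALSE;
    }

    // Lengths are equal, so a bounded loop is enough -- no need to watch both terminators.
    for (int i = 0; i < length; i++)
    {
        if (ToLowerW(wideStr1[i]) != ToLowerW(wideStr2[i]))
        {
            return FALSE;
        }
    }
    return TRUE;
}

/* Narrow-string counterpart of StringMatches: exact, case-insensitive (ASCII) equality, FALSE on
 * NULL_PTR or differing lengths. (The parameters are narrow despite the "wide" names.)
 * The body continues on the next source line. */
__forceinline BOOL __cdecl StringMatchesA(CHAR* wideStr1, CHAR* wideStr2)
{
    if (wideStr1 == NULL_PTR || wideStr2 == NULL_PTR || StringLengthA(wideStr1) != StringLengthA(wideStr2))
    {
        return FALSE;
    }

    for (int i = 0; wideStr1[i] != '\0' && wideStr2[i] != '\0'; i++)
    {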
/* (continuation of StringMatchesA -- its signature and the length/NULL checks are on the previous source line) */
        if (ToLowerA(wideStr1[i]) != ToLowerA(wideStr2[i]))
        {
            return FALSE;
        }
    }
    return TRUE;
}

/* Cached PEB pointer, filled on the first NtCurrentPeb() call. Plain static, no synchronisation. */
static PVOID PEBAddress = NULL_PTR;

/* Returns the current process's PEB without calling any API: it is read from the TEB through the
 * gs segment (x64, offset 0x60) or the fs segment (x86, offset 0x30) and cached in PEBAddress.
 * NOTE(review): the "not yet cached" test is a plain compare-and-assign; harmless if two threads
 * race (both read the same value) but not formally synchronised. */
__forceinline LPVOID __cdecl NtCurrentPeb(void)
{
#if defined(_WIN64)
    if (PEBAddress == NULL_PTR)
        PEBAddress = (PVOID)__readgsqword(0x60);
    return PEBAddress;
#else
    if (PEBAddress == NULL_PTR)
        PEBAddress = (PVOID)__readfsdword(0x30);
    return PEBAddress;
#endif
}

/* Cached TEB pointer, filled on the first NtCurrentTIBOrTEB() call.
 * NOTE(review): the TEB is per thread, but this cache is process-wide -- the first thread to call
 * wins and NtCurrentProcessId()/NtCurrentThreadId() below would then report that thread's ids. */
static PVOID TEBAddress = NULL_PTR;

/* Returns the calling thread's TEB (the NT_TIB self pointer) read from gs:[0x30] on x64 or
 * fs:[0x18] on x86, cached in TEBAddress (see the caveat on that variable). */
__forceinline LPVOID __cdecl NtCurrentTIBOrTEB(void)
{
#if defined(_WIN64)
    if (TEBAddress == NULL_PTR)
        TEBAddress = (LPVOID)__readgsqword(0x30);
    return TEBAddress;
#else
    if (TEBAddress == NULL_PTR)
        TEBAddress = (LPVOID)__readfsdword(0x18);
    return TEBAddress;
#endif
}

#if !defined(_WIN64)
/* 32-bit builds only: returns the pointer stored at fs:[0xC0] in the TEB. The name suggests this is
 * the WoW64 transition stub used for system calls -- confirm against the TEB layout; it is not
 * referenced by the visible code. */
__forceinline LPVOID __cdecl FastSysCallWoW64(void) {
    UINT32 wow64Transition = __readfsdword(0xC0);
    return (LPVOID)wow64Transition;
}
#endif

/* Process / thread ids taken from TEB.ClientId (PTEB is declared earlier in this header). */
#define NtCurrentProcessId() (((PTEB)NtCurrentTIBOrTEB())->ClientId.UniqueProcess)
#define NtCurrentThreadId() (((PTEB)NtCurrentTIBOrTEB())->ClientId.UniqueThread)

/* Finds the base address of a loaded module by walking the PEB's loader data
 * (InLoadOrderModuleList) without calling any API. wideName is compared with each entry's
 * BaseDllName.Buffer using CompareUnicode, which is a case-insensitive *prefix* test, so the first
 * entry in load order whose name starts with wideName wins. Returns NULL_PTR when nothing matches.
 * NOTE(review): the loop stops at the first entry whose BaseAddress is NULL_PTR; presumably that is
 * the list head reached when the (circular) list wraps around -- confirm against the
 * PEB_LDR_DATA / LDR_DATA_ENTRY layout declared earlier in this header.
 * NOTE(review): assumes BaseDllName.Buffer is NUL-terminated (a UNICODE_STRING need not be). */
__forceinline PVOID __cdecl GetModuleBaseAddress(PWSTR wideName)
{
    PPEB pPeb = (PPEB)NtCurrentPeb();
    PPEB_LDR_DATA pLdrData = (PPEB_LDR_DATA)pPeb->LdrData;

    for (PLDR_DATA_ENTRY pLdrDataEntry = (PLDR_DATA_ENTRY)pLdrData->InLoadOrderModuleList.Flink; pLdrDataEntry->BaseAddress != NULL_PTR; pLdrDataEntry = (PLDR_DATA_ENTRY)pLdrDataEntry->InLoadOrderModuleList.Flink)
    {
        if (CompareUnicode(wideName, pLdrDataEntry->BaseDllName.Buffer))
            return pLdrDataEntry->BaseAddress;
    }
    return NULL_PTR;
}

/* Resolves an ntdll export by name by parsing ntdll's export directory in memory; no GetProcAddress
 * call is involved. The name table is walked in order and the first CompareAnsi hit (case-insensitive
 * prefix match) is returned, so a requested name that is a prefix of an earlier-listed export would be
 * mis-resolved. Forwarded exports are not handled here (contrast GetProcedureAddress below).
 * Returns NULL when nothing matches -- note the rest of the file uses NULL_PTR.
 * NOTE(review): pBaseAddr is not checked; if GetModuleBaseAddress fails this dereferences address 0.
 * NOTE(review): pHintsTbl actually points at AddressOfNameOrdinals (the name-ordinal table, not the
 * hint table), and the index it yields is not range-checked against NumberOfFunctions.
 * The module name is built as a char array rather than a literal, presumably to keep it out of the
 * string section -- confirm intent. */
__forceinline LPVOID __cdecl GetProcedureAddressNt(char* sProcName)
{
    WCHAR nt[] = { 'n','t','d','l','l','.','d','l','l','\0' };
    DWORD_PTR pBaseAddr = (DWORD_PTR)GetModuleBaseAddress(nt);
    IMAGE_DOS_HEADER* pDosHdr = (IMAGE_DOS_HEADER*)pBaseAddr;
    IMAGE_NT_HEADERS* pNTHdr = (IMAGE_NT_HEADERS*)(pBaseAddr + pDosHdr->e_lfanew);
    IMAGE_OPTIONAL_HEADER* pOptionalHdr = &pNTHdr->OptionalHeader;
    IMAGE_DATA_DIRECTORY* pExportDataDir = (IMAGE_DATA_DIRECTORY*)(&pOptionalHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    IMAGE_EXPORT_DIRECTORY* pExportDirAddr = (IMAGE_EXPORT_DIRECTORY*)(pBaseAddr + pExportDataDir->VirtualAddress);

    DWORD* pEAT = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfFunctions);          // export address table (RVAs)
    DWORD* pFuncNameTbl = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfNames);       // name RVAs, sorted
    WORD* pHintsTbl = (WORD*)(pBaseAddr + pExportDirAddr->AddressOfNameOrdinals);    // name -> EAT index

    for (DWORD i = 0; i < pExportDirAddr->NumberOfNames; i++)
    {
        char* sTmpFuncName = (char*)(pBaseAddr + (DWORD_PTR)pFuncNameTbl[i]);

        if (CompareAnsi(sProcName, sTmpFuncName) == TRUE)
        {
            return (LPVOID)(pBaseAddr + (DWORD_PTR)pEAT[pHintsTbl[i]]);
        }
    }
    return NULL;
}

/* Allocates *size bytes of committed read/write memory in the current process through
 * NtAllocateVirtualMemory (MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE), resolving the export by name
 * on every call. Returns the base address, or NULL_PTR if the call left pAllocated untouched.
 * NOTE(review): the NTSTATUS is discarded and pNtAllocate is not NULL-checked before the call.
 * NOTE(review): RegionSize is in/out, so *size is presumably rounded up on return -- confirm; the
 * callers below later pass other values as the size when freeing. */
__forceinline PVOID __cdecl MallocCustom(PSIZE_T size)
{
    char ntAllocate[] = { 'N','t','A','l','l','o','c','a','t','e','V','i','r','t','u','a','l','M','e','m','o','r','y', '\0' };
    LPNTALLOCATEVIRTUALMEMORY pNtAllocate = (LPNTALLOCATEVIRTUALMEMORY)GetProcedureAddressNt(ntAllocate);
    PVOID pAllocated = NULL_PTR;
    pNtAllocate((HANDLE)(-1), &pAllocated, 0, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    return pAllocated;
}

/* Builds a heap copy (MallocCustom) of the module part of an export-forwarder string and appends
 * ".dll": "NTDLL.RtlFoo" -> "NTDLL.dll". indexPoint ends up as (index of the first '.') + 5, i.e.
 * room for the module name, ".dll" and the terminator. Returns NULL_PTR when the allocation fails;
 * the caller releases the buffer (see GetProcedureAddress).
 * NOTE(review): the copy loop reads indexPoint bytes from fullName, i.e. up to 4 bytes past the
 * '.', before those positions are overwritten; for a short string that reads beyond its terminator.
 * If fullName contains no '.', indexPoint stays 5 and the result is just ".dll". */
__forceinline char* __cdecl ReverseSeparator(char* fullName)
{
    SIZE_T len = StringLengthA(fullName);

    int indexPoint = 5;// room for ". d l l \0"

    for (SIZE_T i = 0; i < len; i++)
    {
        if (fullName[i] == '.')
        {
            indexPoint += (int)i;
            break;
        }
    }
    DWORD_PTR size = (DWORD_PTR)((sizeof(char) * indexPoint));
    char* name = (char*)MallocCustom(&size);
    if (name != NULL_PTR)
    {
        for (int i = 0; i < indexPoint; i++)
            name[i] = fullName[i];

        name[indexPoint - 5] = '.';
        name[indexPoint - 4] = 'd';
        name[indexPoint - 3] = 'l';
        name[indexPoint - 2] = 'l';
        name[indexPoint - 1] = '\0';
        return name;
    }
    return NULL_PTR;
}

/* Widens a narrow string into a freshly allocated (MallocCustom) NUL-terminated WCHAR string by
 * zero-extending each byte, so it is only meaningful for ASCII input. The allocation is
 * sizeof(WCHAR) * length + 2 bytes (length characters plus the terminator).
 * Returns NULL_PTR on allocation failure. baseChar must be non-NULL. */
__forceinline WCHAR* __cdecl CharToWCharT(char* baseChar)
{
    int length = StringLengthA(baseChar);

    DWORD_PTR size = (DWORD_PTR)(sizeof(WCHAR) * length + 2);
    WCHAR* wideChar = (WCHAR*)MallocCustom(&size);

    if (wideChar != NULL_PTR)
    {
        for (int i = 0; i < length; i++)
        {
            wideChar[i] = (WCHAR)(baseChar[i]);
        }
        wideChar[length] = '\0';
        return (WCHAR*)wideChar;
    }
    return NULL_PTR;
}

//This function is a rework of function of Sektor7 Malware Development Intermediate Section 2. PE madness
//with https://github.com/arbiter34/GetProcAddress/blob/master/GetProcAddress/GetProcAddress.cpp
/* In-memory equivalent of GetProcAddress for the module loaded at hMod. sProcName is either an
 * ordinal (when the pointer's upper bits are zero, the MAKEINTRESOURCE convention) or a name.
 * Ordinals are range-checked against Base / NumberOfFunctions; names are matched with CompareAnsi
 * (case-insensitive prefix match, first hit wins). A name whose export RVA lies inside the export
 * directory itself is a forwarder string "Module.Function" and is resolved recursively through the
 * module list -- that branch continues on the next source line.
 * Returns NULL when nothing matches (NULL_PTR in the ordinal branch).
 * NOTE(review): hMod / pBaseAddr are not validated before the DOS and NT headers are dereferenced.
 * NOTE(review): NtFreeVirtualMemory is re-resolved by name on every call, even when no forwarder is hit. */
__forceinline LPVOID __cdecl GetProcedureAddress(HMODULE hMod, char* sProcName)
{
    char ntFree[] = { 'N','t','F','r','e','e','V','i','r','t','u','a','l','M','e','m','o','r','y','\0' };
    LPNTFREEVIRTUALMEMORY pNtFree = (LPNTFREEVIRTUALMEMORY)GetProcedureAddressNt(ntFree);
    DWORD_PTR pBaseAddr = (DWORD_PTR)hMod;
    IMAGE_DOS_HEADER* pDosHdr = (IMAGE_DOS_HEADER*)pBaseAddr;
    IMAGE_NT_HEADERS* pNTHdr = (IMAGE_NT_HEADERS*)(pBaseAddr + pDosHdr->e_lfanew);
    IMAGE_OPTIONAL_HEADER* pOptionalHdr = &pNTHdr->OptionalHeader;
    IMAGE_DATA_DIRECTORY* pExportDataDir = (IMAGE_DATA_DIRECTORY*)(&pOptionalHdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    IMAGE_EXPORT_DIRECTORY* pExportDirAddr = (IMAGE_EXPORT_DIRECTORY*)(pBaseAddr + pExportDataDir->VirtualAddress);

    DWORD* pEAT = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfFunctions);
    DWORD* pFuncNameTbl = (DWORD*)(pBaseAddr + pExportDirAddr->AddressOfNames);
    WORD* pHintsTbl = (WORD*)(pBaseAddr + pExportDirAddr->AddressOfNameOrdinals);   // name-ordinal table

    // Small integer disguised as a pointer => lookup by ordinal.
    if (((DWORD_PTR)sProcName >> 16) == 0)
    {
        WORD ordinal = (WORD)sProcName & 0xFFFF;
        DWORD Base = pExportDirAddr->Base;

        // Ordinals are biased by Base; reject anything outside [Base, Base + NumberOfFunctions).
        if (ordinal < Base || ordinal >= Base + pExportDirAddr->NumberOfFunctions)
        {
            return NULL_PTR;
        }
        return (LPVOID)(pBaseAddr + (DWORD_PTR)pEAT[ordinal - Base]);
    }
    else
    {
        for (DWORD i = 0; i < pExportDirAddr->NumberOfNames; i++)
        {
            char* sTmpFuncName = (char*)(pBaseAddr + (DWORD_PTR)pFuncNameTbl[i]);

            if (CompareAnsi(sProcName, sTmpFuncName) == TRUE)
            {
                // Same tables as pHintsTbl / pEAT above, re-derived with explicit casts; nameOrdinal
                // is not range-checked against NumberOfFunctions.
                unsigned short nameOrdinal = ((unsigned short*)(((unsigned long long)pBaseAddr) + pExportDirAddr->AddressOfNameOrdinals))[i];
                unsigned int addr = ((unsigned 
int*)(((unsigned long long)pBaseAddr) + pExportDirAddr->AddressOfFunctions))[nameOrdinal];

                /* An export RVA that points back inside the export directory is a forwarder string
                 * ("Module.Function"), not code. */
                if (addr > pExportDataDir->VirtualAddress && addr < pExportDataDir->VirtualAddress + pExportDataDir->Size)
                {
                    char* forwardStr = (char*)(pBaseAddr + addr);
                    char* funcName = Separator(forwardStr);          // aliases forwardStr; nothing to free
                    char* moduleName = ReverseSeparator(forwardStr); // heap copy "Module.dll", or NULL_PTR

                    /* NOTE(review): moduleName is not NULL-checked; StringLengthA would dereference
                     * NULL_PTR if ReverseSeparator's allocation failed. */
                    SIZE_T size = ((SIZE_T)(StringLengthA(moduleName) * sizeof(WCHAR) + 2));
                    /* NOTE(review): this MallocCustom result is overwritten by CharToWCharT on the next
                     * line without being freed, so one allocation leaks per forwarder resolved. */
                    PWSTR moduleUnicode = MallocCustom(&size);
                    moduleUnicode = CharToWCharT(moduleName);
                    PVOID modAddr = GetModuleBaseAddress(moduleUnicode);

                    /* NOTE(review): `size` here is a string length, not the region size the allocation
                     * was made with, and both NTSTATUS results are discarded -- confirm that
                     * NtFreeVirtualMemory accepts a non-zero RegionSize with MEM_RELEASE. */
                    pNtFree((HANDLE)(-1), &moduleUnicode, &size, MEM_RELEASE);
                    size = ((SIZE_T)StringLengthA(moduleName));
                    pNtFree((HANDLE)(-1), &moduleName, &size, MEM_RELEASE);

                    /* NOTE(review): modAddr is NULL_PTR when the forwarded-to module is not loaded, and
                     * funcName is "#nnn" for ordinal forwarders; neither case is handled, so the
                     * recursion then runs on a NULL base / fails the name lookup. */
                    return GetProcedureAddress((HMODULE)modAddr, funcName);
                }
                else
                {
                    return (LPVOID)(pBaseAddr + (DWORD_PTR)pEAT[pHintsTbl[i]]);
                }
            }
        }
    }
    return NULL;
}
--------------------------------------------------------------------------------
/PELoader.c:
--------------------------------------------------------------------------------
#pragma comment(linker, "/entry:main")
#include "Loader.h"

/*
|| AUTHOR Arsium ||
|| github : https://github.com/arsium ||
*/

/* Program entry point. There is no CRT: the linker entry is set to main above, so nothing runs
 * before this and the ntdll routines are resolved by hand through GetProcedureAddressNt.
 * Reads the PE file at the hard-coded filePath into a fresh read/write allocation and hands the raw
 * image to Loader() (declared in Loader.h, not visible here). Returns the first failing NTSTATUS,
 * otherwise whatever Loader() returns.
 * NOTE(review): `status != NT_SUCCESS` presumes NT_SUCCESS is the STATUS_SUCCESS constant in this
 * header rather than the usual NT_SUCCESS() macro -- confirm; as written, every non-zero status,
 * including informational/warning codes, is treated as failure.
 * NOTE(review): none of the pNt* pointers is NULL-checked before use; a failed resolution crashes here.
 * NOTE(review): once NtOpenFile has succeeded, the later early returns leave handleToFile open and,
 * after NtAllocateVirtualMemory, peData committed; neither is released on those paths.
 * (The call to NtReadFile continues on the next source line.) */
NTSTATUS main(void)
{
    // Export names to resolve from ntdll (explicit "\0" plus the implicit terminator -- harmless).
    char rtlUnicode[] = "RtlInitUnicodeString\0";
    char ntOpen[] = "NtOpenFile\0";
    char ntClose[] = "NtClose\0";
    char ntQueryInformationFile[] = "NtQueryInformationFile\0";
    char ntAllocate[] = "NtAllocateVirtualMemory\0";
    char ntRead[] = "NtReadFile\0";

    LPRTLINITUNICODESTRING pRtlInitUnicode = (LPRTLINITUNICODESTRING)GetProcedureAddressNt(rtlUnicode);
    LPNTOPENFILE pNtOpen = (LPNTOPENFILE)GetProcedureAddressNt(ntOpen);; // stray second ';' is an empty statement
    LPNTCLOSE pNtClose = (LPNTCLOSE)GetProcedureAddressNt(ntClose);
    LPNTQUERYINFORMATIONFILE pNtQueryInformationFile = (LPNTQUERYINFORMATIONFILE)GetProcedureAddressNt(ntQueryInformationFile);
    LPNTALLOCATEVIRTUALMEMORY pNtAllocate = (LPNTALLOCATEVIRTUALMEMORY)GetProcedureAddressNt(ntAllocate);
    LPNTREADFILE pNtRead = (LPNTREADFILE)GetProcedureAddressNt(ntRead);

    UNICODE_STRING objectName = { 0 };

    /* NT object-manager path of the PE to load (\??\ prefix, i.e. not a Win32 path).
     * NOTE(review): both branches of the #if are identical, and the literal contains a doubled
     * backslash after "\??\" -- confirm the object manager accepts "\??\\C:\...". */
#if defined(_WIN64)
    WCHAR filePath[] = L"\\??\\\\C:\\your_pe.dll\0";//or exe
#else
    WCHAR filePath[] = L"\\??\\\\C:\\your_pe.dll\0";//or exe

#endif
    pRtlInitUnicode(&objectName, filePath);

    // Hand-rolled equivalent of InitializeObjectAttributes(): absolute name, case-insensitive lookup.
    OBJECT_ATTRIBUTES objectAttributes = { 0 };
    objectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    objectAttributes.RootDirectory = NULL_PTR;
    objectAttributes.ObjectName = &objectName;
    objectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    objectAttributes.SecurityDescriptor = NULL_PTR;
    objectAttributes.SecurityQualityOfService = NULL_PTR;
    IO_STATUS_BLOCK statusBlock = { 0 };
    HANDLE handleToFile = NULL_PTR;

    // Read-only, shared-read, synchronous open; SYNCHRONIZE is required for the synchronous I/O options.
    NTSTATUS status = pNtOpen(&handleToFile, GENERIC_READ | SYNCHRONIZE, &objectAttributes, &statusBlock, FILE_SHARE_READ, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_ALERT);

    if (status != NT_SUCCESS)
        return status;

    // Only EndOfFile is consumed from this query.
    FILE_STANDARD_INFORMATION fileInfo = { 0x0 };
    status = pNtQueryInformationFile(handleToFile, &statusBlock, &fileInfo, sizeof(fileInfo), FileStandardInformation);

    if (status != NT_SUCCESS)
        return status;

    BYTE* peData = NULL_PTR;

    // Buffer is one byte larger than the file; NtAllocateVirtualMemory rounds the region up anyway.
#if defined(_WIN64)
    SIZE_T sizeFile = (SIZE_T)(fileInfo.EndOfFile.QuadPart + 1);
#else
    SIZE_T sizeFile = (SIZE_T)(fileInfo.EndOfFile.LowPart + 1);
#endif

    status = pNtAllocate((HANDLE)(-1), &peData, 0, &sizeFile, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (status != NT_SUCCESS)
        return status;

    /* NOTE(review): despite its name, liBytes is passed as NtReadFile's ByteOffset (read from offset 0);
     * the number of bytes actually read is reported in statusBlock.Information, which is never checked.
     * The (ULONG) cast on the length truncates files above 4 GiB on x64. */
    LARGE_INTEGER liBytes = { 0x0 };

#if defined(_WIN64)
    status = pNtRead(handleToFile, NULL_PTR, NULL_PTR, NULL_PTR, &statusBlock, peData, 
(ULONG)(fileInfo.EndOfFile.QuadPart + 1), &liBytes, NULL_PTR); 73 | #else 74 | status = pNtRead(handleToFile, NULL_PTR, NULL_PTR, NULL_PTR, &statusBlock, peData, (ULONG)(fileInfo.EndOfFile.LowPart + 1), &liBytes, NULL_PTR); 75 | #endif 76 | 77 | if (status != NT_SUCCESS) 78 | return status; 79 | 80 | status = pNtClose(handleToFile); 81 | 82 | if (status != NT_SUCCESS) 83 | return status; 84 | 85 | status = NT_SUCCESS; 86 | 87 | return Loader(peData, &status, FALSE); 88 | } -------------------------------------------------------------------------------- /PELoader.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {e7ae90e4-84e0-48b6-95db-e56ad94327d2} 25 | PELoader 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | false 75 | $(SolutionDir)Release_64\ 76 | $(SolutionDir)Release_64\ 77 | $(ProjectName)_64 78 | 79 | 80 | $(SolutionDir)Release\ 81 | $(SolutionDir)Release\ 82 | $(ProjectName)_32 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | false 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | false 106 | false 107 | /DNOMINMAX /Zc:__cplusplus /Zc:alignedNew /Zc:checkGwOdr /EHsc /diagnostics:caret /experimental:module /Zc:preprocessor /permissive- /Wall /Os /GF /Gw /MP /GR- /D_HAS_EXCEPTIONS=0 %(AdditionalOptions) 108 | None 109 | 110 | 111 | Console 112 | 
true 113 | true 114 | false 115 | NoErrorReport 116 | false 117 | /MERGE:.pdata=.text /MERGE:.rdata=.text /INCREMENTAL:NO /OPT:REF /OPT:ICF /emittoolversioninfo:no /emitpogophaseinfo /MANIFEST:NO /LTCG:OFF /MERGE:.data=.lol /MERGE:.text=.code %(AdditionalOptions) 118 | true 119 | 120 | 121 | 122 | 123 | Level3 124 | true 125 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 126 | true 127 | 128 | 129 | Console 130 | true 131 | 132 | 133 | 134 | 135 | Level3 136 | true 137 | true 138 | false 139 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 140 | true 141 | Disabled 142 | false 143 | false 144 | false 145 | None 146 | /DNOMINMAX /Zc:__cplusplus /Zc:alignedNew /Zc:checkGwOdr /EHsc /diagnostics:caret /experimental:module /Zc:preprocessor /permissive- /Wall /Os /GF /Gw /MP /GR- /D_HAS_EXCEPTIONS=0 %(AdditionalOptions) 147 | MultiThreadedDLL 148 | None 149 | Neither 150 | 151 | 152 | Console 153 | true 154 | true 155 | false 156 | NoErrorReport 157 | true 158 | /MERGE:.pdata=.text /MERGE:.rdata=.text /INCREMENTAL:NO /OPT:REF /OPT:ICF /emittoolversioninfo:no /emitpogophaseinfo /MANIFEST:NO /LTCG:OFF /MERGE:.data=.lol /MERGE:.text=.code %(AdditionalOptions) 159 | false 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | -------------------------------------------------------------------------------- /PELoader.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Fichiers sources 20 | 21 | 22 | 23 | 24 | Fichiers d%27en-tête 25 | 26 | 27 | Fichiers d%27en-tête 28 | 29 | 30 | 
-------------------------------------------------------------------------------- /PELoader.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PELoader 2 | 3 | A PE loader written in pure C with Nt routines. 4 | 5 | Supports : 6 | 7 | * Relocations 8 | * Map sections & Headers 9 | * Imports 10 | * Cloak headers : steals the header of ntdll 11 | * x86 & x64 architecture 12 | 13 | Improvements : 14 | 15 | * Indirect syscalls 16 | * Hook detection 17 | * ETW Patching 18 | * ... 19 | 20 | Thx to : 21 | 22 | * [Manual Loader](https://github.com/adamhlt/Manual-DLL-Loader) 23 | * [PE Packer](https://bidouillesecurity.com/tutorial-writing-a-pe-packer-part-1/) 24 | -------------------------------------------------------------------------------- /Samples/SampleDLL_32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arsium/PELoader/a211bd2af3409fb19f3ad0df483ea1ebef85cb06/Samples/SampleDLL_32.dll -------------------------------------------------------------------------------- /Samples/SampleDLL_64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arsium/PELoader/a211bd2af3409fb19f3ad0df483ea1ebef85cb06/Samples/SampleDLL_64.dll -------------------------------------------------------------------------------- /Samples/SampleEXE_32.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arsium/PELoader/a211bd2af3409fb19f3ad0df483ea1ebef85cb06/Samples/SampleEXE_32.exe -------------------------------------------------------------------------------- /Samples/SampleEXE_64.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/arsium/PELoader/a211bd2af3409fb19f3ad0df483ea1ebef85cb06/Samples/SampleEXE_64.exe --------------------------------------------------------------------------------