├── AMD64 ├── ExceptAMD64.c └── StubsAMD64.asm ├── Except.c ├── Except.h ├── I386 ├── ExceptI386.c └── StubsI386.asm ├── Reload.c ├── Reload.h ├── Stubs.c ├── Stubs.h ├── StubsApi.h └── Testis.h /AMD64/ExceptAMD64.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | * 5 | * The contents of this file are subject to the Mozilla Public License Version 6 | * 2.0 (the "License")); you may not use this file except in compliance with 7 | * the License. You may obtain a copy of the License at 8 | * http://www.mozilla.org/MPL/ 9 | * 10 | * Software distributed under the License is distributed on an "AS IS" basis, 11 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. SEe the License 12 | * for the specific language governing rights and limitations under the 13 | * License. 14 | * 15 | * The Initial Developer of the Original e is blindtiger. 16 | * 17 | */ 18 | 19 | #include 20 | 21 | #include 22 | 23 | #include "Except.h" 24 | #include "Reload.h" 25 | #include "Testis.h" 26 | 27 | static PFUNCTION_TABLE InvertedFunctionTable; 28 | static PFUNCTION_TABLE UserInvertedFunctionTable; 29 | static PFUNCTION_TABLE Wx86UserInvertedFunctionTable; 30 | static PFUNCTION_TABLE_SPECIAL Wx86UserSpecialInvertedFunctionTable; 31 | 32 | NTSTATUS 33 | NTAPI 34 | ProtectPages( 35 | __inout PVOID BaseAddress, 36 | __inout SIZE_T RegionSize, 37 | __in ULONG NewProtect, 38 | __out PULONG OldProtect 39 | ); 40 | 41 | VOID 42 | NTAPI 43 | SearchInvertedFunctionTable( 44 | VOID 45 | ) 46 | { 47 | PVOID ImageBase = NULL; 48 | PIMAGE_NT_HEADERS NtHeaders = NULL; 49 | PIMAGE_SECTION_HEADER NtSection = NULL; 50 | PSTR SectionName = NULL; 51 | PCHAR SectionBase = NULL; 52 | ULONG SizeToLock = 0; 53 | USHORT Index = 0; 54 | SIZE_T Offset = 0; 55 | PFUNCTION_TABLE_ENTRY64 FunctionTableEntry = NULL; 56 | PFUNCTION_TABLE_ENTRY64 FoundFunctionTableEntry = NULL; 57 | PVOID FunctionTable = NULL; 58 | ULONG SizeOfTable = 0; 59 | 60 | ImageBase = GetImageHandle("ntoskrnl.exe"); 61 | 62 | if (NULL != ImageBase) { 63 | NtHeaders = RtlImageNtHeader(ImageBase); 64 | 65 | if (FALSE != MmIsAddressValid(NtHeaders)) { 66 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 67 | 68 | FunctionTableEntry = ExAllocatePool( 69 | NonPagedPool, 70 | sizeof(FUNCTION_TABLE_ENTRY64)); 71 | 72 | if (NULL != FunctionTableEntry) { 73 | CaptureImageExceptionValues( 74 | ImageBase, 75 | &FunctionTable, 76 | &SizeOfTable); 77 | 78 | FunctionTableEntry->FunctionTable = (ULONG64)FunctionTable; 79 | FunctionTableEntry->ImageBase = (ULONG64)ImageBase; 80 | FunctionTableEntry->SizeOfImage = FetchSizeOfImage(ImageBase); 81 | FunctionTableEntry->SizeOfTable = SizeOfTable; 82 | 83 | for (Index = 0; 84 | Index < NtHeaders->FileHeader.NumberOfSections; 85 | Index++) { 86 | SectionBase = (PCHAR)ImageBase + NtSection[Index].VirtualAddress; 87 | 88 | SizeToLock = NtSection[Index].SizeOfRawData; 89 | 90 | if (SizeToLock < NtSection[Index].Misc.VirtualSize) { 91 | SizeToLock = NtSection[Index].Misc.VirtualSize; 92 | } 93 | 94 | if (FALSE != MmIsAddressValid(SectionBase)) { 95 | if (IMAGE_SCN_CNT_INITIALIZED_DATA == FlagOn( 96 | NtSection[Index].Characteristics, 97 | IMAGE_SCN_CNT_INITIALIZED_DATA)) { 98 | for (Offset = 0; 99 | Offset < AlignedToSize( 100 | SizeToLock, 101 | NtHeaders->OptionalHeader.SectionAlignment) - sizeof(FUNCTION_TABLE_ENTRY64); 102 | Offset += sizeof(PVOID)) { 103 | FoundFunctionTableEntry = SectionBase + Offset; 104 | 105 | if (sizeof(FUNCTION_TABLE_ENTRY64) == RtlCompareMemory( 106 | FoundFunctionTableEntry, 107 | FunctionTableEntry, 108 | sizeof(FUNCTION_TABLE_ENTRY64))) { 109 | do { 110 | InvertedFunctionTable = CONTAINING_RECORD( 111 | FoundFunctionTableEntry, 112 | FUNCTION_TABLE, 113 | TableEntry); 114 | 115 | if (InvertedFunctionTable->MaximumSize == MAXIMUM_KERNEL_FUNCTION_TABLE_SIZE && 116 | (InvertedFunctionTable->Overflow == TRUE || 117 | InvertedFunctionTable->Overflow == FALSE)) { 118 | break; 119 | } 120 | 121 | FoundFunctionTableEntry--; 122 | } while (TRUE); 123 | 124 | goto exit; 125 | } 126 | } 127 | } 128 | } 129 | } 130 | 131 | exit: 132 | ExFreePool(FunctionTableEntry); 133 | } 134 | } 135 | } 136 | } 137 | 138 | VOID 139 | NTAPI 140 | SearchUserInvertedFunctionTable( 141 | VOID 142 | ) 143 | { 144 | PVOID ImageBase = NULL; 145 | PIMAGE_NT_HEADERS NtHeaders = NULL; 146 | PIMAGE_SECTION_HEADER NtSection = NULL; 147 | PSTR SectionName = NULL; 148 | PCHAR SectionBase = NULL; 149 | ULONG SizeToLock = 0; 150 | USHORT Index = 0; 151 | SIZE_T Offset = 0; 152 | PFUNCTION_TABLE_ENTRY64 FunctionTableEntry = NULL; 153 | PFUNCTION_TABLE_ENTRY64 FoundFunctionTableEntry = NULL; 154 | PVOID FunctionTable = NULL; 155 | ULONG SizeOfTable = 0; 156 | 157 | if (FALSE == PsIsSystemProcess(IoGetCurrentProcess())) { 158 | ImageBase = GetImageHandle("ntdll.dll"); 159 | 160 | if (NULL != ImageBase) { 161 | NtHeaders = RtlImageNtHeader(ImageBase); 162 | 163 | if (FALSE != MmIsAddressValid(NtHeaders)) { 164 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 165 | 166 | FunctionTableEntry = ExAllocatePool( 167 | NonPagedPool, 168 | sizeof(FUNCTION_TABLE_ENTRY64)); 169 | 170 | if (NULL != FunctionTableEntry) { 171 | CaptureImageExceptionValues( 172 | ImageBase, 173 | &FunctionTable, 174 | &SizeOfTable); 175 | 176 | FunctionTableEntry->FunctionTable = (ULONG64)FunctionTable; 177 | FunctionTableEntry->ImageBase = (ULONG64)ImageBase; 178 | FunctionTableEntry->SizeOfImage = FetchSizeOfImage(ImageBase); 179 | FunctionTableEntry->SizeOfTable = SizeOfTable; 180 | 181 | for (Index = 0; 182 | Index < NtHeaders->FileHeader.NumberOfSections; 183 | Index++) { 184 | SectionBase = (PCHAR)ImageBase + NtSection[Index].VirtualAddress; 185 | 186 | SizeToLock = NtSection[Index].SizeOfRawData; 187 | 188 | if (SizeToLock < NtSection[Index].Misc.VirtualSize) { 189 | SizeToLock = NtSection[Index].Misc.VirtualSize; 190 | } 191 | 192 | if (FALSE != MmIsAddressValid(SectionBase)) { 193 | if (IMAGE_SCN_CNT_INITIALIZED_DATA == FlagOn( 194 | NtSection[Index].Characteristics, 195 | IMAGE_SCN_CNT_INITIALIZED_DATA)) { 196 | for (Offset = 0; 197 | Offset < AlignedToSize( 198 | SizeToLock, 199 | NtHeaders->OptionalHeader.SectionAlignment) - sizeof(FUNCTION_TABLE_ENTRY64); 200 | Offset += sizeof(PVOID)) { 201 | FoundFunctionTableEntry = SectionBase + Offset; 202 | 203 | if (sizeof(FUNCTION_TABLE_ENTRY64) == RtlCompareMemory( 204 | FoundFunctionTableEntry, 205 | FunctionTableEntry, 206 | sizeof(FUNCTION_TABLE_ENTRY64))) { 207 | do { 208 | UserInvertedFunctionTable = CONTAINING_RECORD( 209 | FoundFunctionTableEntry, 210 | FUNCTION_TABLE, 211 | TableEntry); 212 | 213 | if (UserInvertedFunctionTable->MaximumSize == MAXIMUM_USER_FUNCTION_TABLE_SIZE && 214 | (UserInvertedFunctionTable->Overflow == TRUE || 215 | UserInvertedFunctionTable->Overflow == FALSE)) { 216 | break; 217 | } 218 | 219 | FoundFunctionTableEntry--; 220 | } while (TRUE); 221 | 222 | goto exit; 223 | } 224 | } 225 | } 226 | } 227 | } 228 | 229 | exit: 230 | ExFreePool(FunctionTableEntry); 231 | } 232 | } 233 | } 234 | } 235 | } 236 | 237 | VOID 238 | NTAPI 239 | SearchWx86UserInvertedFunctionTable( 240 | VOID 241 | ) 242 | { 243 | PVOID ImageBase = NULL; 244 | PIMAGE_NT_HEADERS32 NtHeaders = NULL; 245 | PIMAGE_SECTION_HEADER NtSection = NULL; 246 | PSTR SectionName = NULL; 247 | PCHAR SectionBase = NULL; 248 | ULONG SizeToLock = 0; 249 | USHORT Index = 0; 250 | SIZE_T Offset = 0; 251 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 252 | PFUNCTION_TABLE_ENTRY32 FoundFunctionTableEntry = NULL; 253 | PVOID FunctionTable = NULL; 254 | ULONG SizeOfTable = 0; 255 | 256 | if (FALSE == PsIsSystemProcess(IoGetCurrentProcess())) { 257 | ImageBase = UlongToPtr(Wx86GetImageHandle("ntdll.dll")); 258 | 259 | if (NULL != ImageBase) { 260 | NtHeaders = RtlImageNtHeader(ImageBase); 261 | 262 | if (FALSE != MmIsAddressValid(NtHeaders)) { 263 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 264 | 265 | FunctionTableEntry = ExAllocatePool( 266 | NonPagedPool, 267 | sizeof(FUNCTION_TABLE_ENTRY32)); 268 | 269 | if (NULL != FunctionTableEntry) { 270 | CaptureImageExceptionValues( 271 | ImageBase, 272 | &FunctionTable, 273 | &SizeOfTable); 274 | 275 | FunctionTableEntry->FunctionTable = PtrToUlong(FunctionTable); 276 | FunctionTableEntry->ImageBase = PtrToUlong(ImageBase); 277 | FunctionTableEntry->SizeOfImage = FetchSizeOfImage(ImageBase); 278 | FunctionTableEntry->SizeOfTable = SizeOfTable; 279 | 280 | for (Index = 0; 281 | Index < NtHeaders->FileHeader.NumberOfSections; 282 | Index++) { 283 | SectionBase = (PCHAR)ImageBase + NtSection[Index].VirtualAddress; 284 | 285 | SizeToLock = NtSection[Index].SizeOfRawData; 286 | 287 | if (SizeToLock < NtSection[Index].Misc.VirtualSize) { 288 | SizeToLock = NtSection[Index].Misc.VirtualSize; 289 | } 290 | 291 | if (FALSE != MmIsAddressValid(SectionBase)) { 292 | if (IMAGE_SCN_CNT_INITIALIZED_DATA == FlagOn( 293 | NtSection[Index].Characteristics, 294 | IMAGE_SCN_CNT_INITIALIZED_DATA)) { 295 | for (Offset = 0; 296 | Offset < AlignedToSize( 297 | SizeToLock, 298 | NtHeaders->OptionalHeader.SectionAlignment) - sizeof(FUNCTION_TABLE_ENTRY32); 299 | Offset += sizeof(ULONG)) { 300 | FoundFunctionTableEntry = SectionBase + Offset; 301 | 302 | if (sizeof(FUNCTION_TABLE_ENTRY32) == RtlCompareMemory( 303 | FoundFunctionTableEntry, 304 | FunctionTableEntry, 305 | sizeof(FUNCTION_TABLE_ENTRY32))) { 306 | do { 307 | Wx86UserInvertedFunctionTable = CONTAINING_RECORD( 308 | FoundFunctionTableEntry, 309 | FUNCTION_TABLE, 310 | TableEntry); 311 | 312 | if (Wx86UserInvertedFunctionTable->MaximumSize == MAXIMUM_USER_FUNCTION_TABLE_SIZE && 313 | (Wx86UserInvertedFunctionTable->Overflow == TRUE || 314 | Wx86UserInvertedFunctionTable->Overflow == FALSE)) { 315 | break; 316 | } 317 | 318 | FoundFunctionTableEntry--; 319 | } while (TRUE); 320 | 321 | goto exit; 322 | } 323 | } 324 | } 325 | } 326 | } 327 | 328 | exit: 329 | ExFreePool(FunctionTableEntry); 330 | } 331 | } 332 | } 333 | } 334 | } 335 | 336 | VOID 337 | NTAPI 338 | SearchWx86UserSpecialInvertedFunctionTable( 339 | VOID 340 | ) 341 | { 342 | PVOID ImageBase = NULL; 343 | PIMAGE_NT_HEADERS32 NtHeaders = NULL; 344 | PIMAGE_SECTION_HEADER NtSection = NULL; 345 | PSTR SectionName = NULL; 346 | PCHAR SectionBase = NULL; 347 | ULONG SizeToLock = 0; 348 | USHORT Index = 0; 349 | SIZE_T Offset = 0; 350 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 351 | PFUNCTION_TABLE_ENTRY32 FoundFunctionTableEntry = NULL; 352 | PVOID FunctionTable = NULL; 353 | ULONG SizeOfTable = 0; 354 | 355 | if (FALSE == PsIsSystemProcess(IoGetCurrentProcess())) { 356 | ImageBase = UlongToPtr(Wx86GetImageHandle("ntdll.dll")); 357 | 358 | if (NULL != ImageBase) { 359 | NtHeaders = RtlImageNtHeader(ImageBase); 360 | 361 | if (FALSE != MmIsAddressValid(NtHeaders)) { 362 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 363 | 364 | FunctionTableEntry = ExAllocatePool( 365 | NonPagedPool, 366 | sizeof(FUNCTION_TABLE_ENTRY32)); 367 | 368 | if (NULL != FunctionTableEntry) { 369 | CaptureImageExceptionValues( 370 | ImageBase, 371 | &FunctionTable, 372 | &SizeOfTable); 373 | 374 | FunctionTableEntry->FunctionTable = EncodeSystemPointer(PtrToUlong(FunctionTable)); 375 | FunctionTableEntry->ImageBase = PtrToUlong(ImageBase); 376 | FunctionTableEntry->SizeOfImage = FetchSizeOfImage(ImageBase); 377 | FunctionTableEntry->SizeOfTable = SizeOfTable; 378 | 379 | for (Index = 0; 380 | Index < NtHeaders->FileHeader.NumberOfSections; 381 | Index++) { 382 | SectionBase = (PCHAR)ImageBase + NtSection[Index].VirtualAddress; 383 | 384 | SizeToLock = NtSection[Index].SizeOfRawData; 385 | 386 | if (SizeToLock < NtSection[Index].Misc.VirtualSize) { 387 | SizeToLock = NtSection[Index].Misc.VirtualSize; 388 | } 389 | 390 | if (FALSE != MmIsAddressValid(SectionBase)) { 391 | if (IMAGE_SCN_CNT_INITIALIZED_DATA == FlagOn( 392 | NtSection[Index].Characteristics, 393 | IMAGE_SCN_CNT_INITIALIZED_DATA)) { 394 | for (Offset = 0; 395 | Offset < AlignedToSize( 396 | SizeToLock, 397 | NtHeaders->OptionalHeader.SectionAlignment) - sizeof(FUNCTION_TABLE_ENTRY32); 398 | Offset += sizeof(ULONG)) { 399 | FoundFunctionTableEntry = SectionBase + Offset; 400 | 401 | if (sizeof(FUNCTION_TABLE_ENTRY32) == RtlCompareMemory( 402 | FoundFunctionTableEntry, 403 | FunctionTableEntry, 404 | sizeof(FUNCTION_TABLE_ENTRY32))) { 405 | do { 406 | Wx86UserSpecialInvertedFunctionTable = CONTAINING_RECORD( 407 | FoundFunctionTableEntry, 408 | FUNCTION_TABLE_SPECIAL, 409 | TableEntry); 410 | 411 | if (Wx86UserSpecialInvertedFunctionTable->MaximumSize == MAXIMUM_USER_FUNCTION_TABLE_SIZE && 412 | (Wx86UserSpecialInvertedFunctionTable->Overflow == TRUE || 413 | Wx86UserSpecialInvertedFunctionTable->Overflow == FALSE)) { 414 | break; 415 | } 416 | 417 | FoundFunctionTableEntry--; 418 | } while (TRUE); 419 | 420 | goto exit; 421 | } 422 | } 423 | } 424 | } 425 | } 426 | 427 | exit: 428 | ExFreePool(FunctionTableEntry); 429 | } 430 | } 431 | } 432 | } 433 | } 434 | 435 | VOID 436 | NTAPI 437 | InsertInvertedFunctionTable( 438 | __in PVOID ImageBase, 439 | __in ULONG SizeOfImage 440 | ) 441 | { 442 | ULONG CurrentSize = 0; 443 | ULONG SizeOfTable = 0; 444 | ULONG Index = 0; 445 | PVOID FunctionTable = NULL; 446 | PFUNCTION_TABLE_ENTRY64 FunctionTableEntry = NULL; 447 | PVOID ImageHandle = NULL; 448 | 449 | if (NULL == InvertedFunctionTable) { 450 | SearchInvertedFunctionTable(); 451 | } 452 | 453 | if (NULL != InvertedFunctionTable) { 454 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY64) 455 | &InvertedFunctionTable->TableEntry; 456 | 457 | CurrentSize = InvertedFunctionTable->CurrentSize; 458 | 459 | ImageHandle = GetImageHandle("ntoskrnl.exe"); 460 | 461 | if (NULL != ImageHandle && 462 | ImageHandle == (PVOID)FunctionTableEntry[0].ImageBase) { 463 | Index = 1; 464 | } 465 | 466 | if (CurrentSize != InvertedFunctionTable->MaximumSize) { 467 | if (0 != CurrentSize) { 468 | for (; 469 | Index < CurrentSize; 470 | Index++) { 471 | if ((ULONG64)ImageBase < FunctionTableEntry[Index].ImageBase) { 472 | RtlMoveMemory( 473 | &FunctionTableEntry[Index + 1], 474 | &FunctionTableEntry[Index], 475 | (CurrentSize - Index) * sizeof(FUNCTION_TABLE_ENTRY64)); 476 | 477 | break; 478 | } 479 | } 480 | } 481 | 482 | CaptureImageExceptionValues( 483 | ImageBase, 484 | &FunctionTable, 485 | &SizeOfTable); 486 | 487 | FunctionTableEntry[Index].ImageBase = (ULONG64)ImageBase; 488 | FunctionTableEntry[Index].SizeOfImage = SizeOfImage; 489 | FunctionTableEntry[Index].FunctionTable = (ULONG64)FunctionTable; 490 | FunctionTableEntry[Index].SizeOfTable = SizeOfTable; 491 | 492 | InvertedFunctionTable->CurrentSize += 1; 493 | 494 | #ifndef VMP 495 | DbgPrint( 496 | "Soul - Testis - insert inverted function table < %04d >\n", 497 | Index); 498 | #endif // !VMP 499 | } 500 | else { 501 | InvertedFunctionTable->Overflow = TRUE; 502 | } 503 | } 504 | } 505 | 506 | VOID 507 | NTAPI 508 | RemoveInvertedFunctionTable( 509 | __in PVOID ImageBase 510 | ) 511 | { 512 | ULONG CurrentSize = 0; 513 | ULONG Index = 0; 514 | PFUNCTION_TABLE_ENTRY64 FunctionTableEntry = NULL; 515 | 516 | if (NULL != InvertedFunctionTable) { 517 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY64) 518 | &InvertedFunctionTable->TableEntry; 519 | 520 | CurrentSize = InvertedFunctionTable->CurrentSize; 521 | 522 | for (Index = 0; 523 | Index < CurrentSize; 524 | Index += 1) { 525 | if ((ULONG64)ImageBase == FunctionTableEntry[Index].ImageBase) { 526 | RtlMoveMemory( 527 | &FunctionTableEntry[Index], 528 | &FunctionTableEntry[Index + 1], 529 | (CurrentSize - Index - 1) * sizeof(FUNCTION_TABLE_ENTRY64)); 530 | 531 | InvertedFunctionTable->CurrentSize -= 1; 532 | 533 | #ifndef VMP 534 | DbgPrint( 535 | "Soul - Testis - remote inverted function table < %04d >\n", 536 | Index); 537 | #endif // !VMP 538 | 539 | break; 540 | } 541 | } 542 | } 543 | } 544 | 545 | VOID 546 | NTAPI 547 | InsertUserInvertedFunctionTable( 548 | __in PVOID ImageBase, 549 | __in ULONG SizeOfImage 550 | ) 551 | { 552 | NTSTATUS Status = STATUS_SUCCESS; 553 | ULONG CurrentSize = 0; 554 | ULONG SizeOfTable = 0; 555 | ULONG Index = 0; 556 | PVOID FunctionTable = NULL; 557 | PFUNCTION_TABLE_ENTRY64 FunctionTableEntry = NULL; 558 | PVOID ImageHandle = NULL; 559 | ULONG OldProtect = 0; 560 | 561 | if (NULL == UserInvertedFunctionTable) { 562 | SearchUserInvertedFunctionTable(); 563 | } 564 | 565 | if (NULL != UserInvertedFunctionTable) { 566 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY64) 567 | &UserInvertedFunctionTable->TableEntry; 568 | 569 | CurrentSize = UserInvertedFunctionTable->CurrentSize; 570 | 571 | Status = ProtectPages( 572 | UserInvertedFunctionTable, 573 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 574 | sizeof(FUNCTION_TABLE_ENTRY64) * UserInvertedFunctionTable->MaximumSize, 575 | PAGE_READWRITE, 576 | &OldProtect); 577 | 578 | if (NT_SUCCESS(Status)) { 579 | ImageHandle = GetImageHandle("ntdll.dll"); 580 | 581 | if (NULL != ImageHandle && 582 | ImageHandle == (PVOID)FunctionTableEntry[0].ImageBase) { 583 | Index = 1; 584 | } 585 | 586 | if (CurrentSize != UserInvertedFunctionTable->MaximumSize) { 587 | if (0 != CurrentSize) { 588 | for (; 589 | Index < CurrentSize; 590 | Index++) { 591 | if ((ULONG64)ImageBase < FunctionTableEntry[Index].ImageBase) { 592 | RtlMoveMemory( 593 | &FunctionTableEntry[Index + 1], 594 | &FunctionTableEntry[Index], 595 | (CurrentSize - Index) * sizeof(FUNCTION_TABLE_ENTRY64)); 596 | 597 | break; 598 | } 599 | } 600 | } 601 | 602 | CaptureImageExceptionValues( 603 | ImageBase, 604 | &FunctionTable, 605 | &SizeOfTable); 606 | 607 | FunctionTableEntry[Index].ImageBase = (ULONG64)ImageBase; 608 | FunctionTableEntry[Index].SizeOfImage = SizeOfImage; 609 | FunctionTableEntry[Index].FunctionTable = (ULONG64)FunctionTable; 610 | FunctionTableEntry[Index].SizeOfTable = SizeOfTable; 611 | 612 | UserInvertedFunctionTable->CurrentSize += 1; 613 | 614 | #ifndef VMP 615 | DbgPrint( 616 | "Soul - Testis - insert user inverted function table < %04d >\n", 617 | Index); 618 | #endif // !VMP 619 | } 620 | else { 621 | UserInvertedFunctionTable->Overflow = TRUE; 622 | } 623 | 624 | ProtectPages( 625 | UserInvertedFunctionTable, 626 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 627 | sizeof(FUNCTION_TABLE_ENTRY64) * UserInvertedFunctionTable->MaximumSize, 628 | OldProtect, 629 | &OldProtect); 630 | } 631 | } 632 | } 633 | 634 | VOID 635 | NTAPI 636 | RemoveUserInvertedFunctionTable( 637 | __in PVOID ImageBase 638 | ) 639 | { 640 | NTSTATUS Status = STATUS_SUCCESS; 641 | ULONG CurrentSize = 0; 642 | ULONG Index = 0; 643 | PFUNCTION_TABLE_ENTRY64 FunctionTableEntry = NULL; 644 | ULONG OldProtect = 0; 645 | 646 | if (NULL != UserInvertedFunctionTable) { 647 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY64) 648 | &UserInvertedFunctionTable->TableEntry; 649 | 650 | CurrentSize = UserInvertedFunctionTable->CurrentSize; 651 | 652 | Status = ProtectPages( 653 | UserInvertedFunctionTable, 654 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 655 | sizeof(FUNCTION_TABLE_ENTRY64) * UserInvertedFunctionTable->MaximumSize, 656 | PAGE_READWRITE, 657 | &OldProtect); 658 | 659 | if (NT_SUCCESS(Status)) { 660 | for (Index = 0; 661 | Index < CurrentSize; 662 | Index += 1) { 663 | if ((ULONG64)ImageBase == FunctionTableEntry[Index].ImageBase) { 664 | RtlMoveMemory( 665 | &FunctionTableEntry[Index], 666 | &FunctionTableEntry[Index + 1], 667 | (CurrentSize - Index - 1) * sizeof(FUNCTION_TABLE_ENTRY64)); 668 | 669 | UserInvertedFunctionTable->CurrentSize -= 1; 670 | 671 | #ifndef VMP 672 | DbgPrint( 673 | "Soul - Testis - remote user inverted function table < %04d >\n", 674 | Index); 675 | #endif // !VMP 676 | 677 | break; 678 | } 679 | } 680 | 681 | ProtectPages( 682 | UserInvertedFunctionTable, 683 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 684 | sizeof(FUNCTION_TABLE_ENTRY64) * UserInvertedFunctionTable->MaximumSize, 685 | OldProtect, 686 | &OldProtect); 687 | } 688 | } 689 | } 690 | 691 | VOID 692 | NTAPI 693 | InsertWx86UserInvertedFunctionTable( 694 | __in PVOID ImageBase, 695 | __in ULONG SizeOfImage 696 | ) 697 | { 698 | NTSTATUS Status = STATUS_SUCCESS; 699 | ULONG CurrentSize = 0; 700 | ULONG SizeOfTable = 0; 701 | ULONG Index = 0; 702 | PVOID FunctionTable = NULL; 703 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 704 | PVOID ImageHandle = NULL; 705 | ULONG OldProtect = 0; 706 | 707 | if (NULL == Wx86UserInvertedFunctionTable) { 708 | SearchWx86UserInvertedFunctionTable(); 709 | } 710 | 711 | if (NULL != Wx86UserInvertedFunctionTable) { 712 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY32) 713 | &Wx86UserInvertedFunctionTable->TableEntry; 714 | 715 | CurrentSize = Wx86UserInvertedFunctionTable->CurrentSize; 716 | 717 | Status = ProtectPages( 718 | Wx86UserInvertedFunctionTable, 719 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 720 | sizeof(FUNCTION_TABLE_ENTRY32) * Wx86UserInvertedFunctionTable->MaximumSize, 721 | PAGE_READWRITE, 722 | &OldProtect); 723 | 724 | if (NT_SUCCESS(Status)) { 725 | ImageHandle = UlongToPtr(Wx86GetImageHandle("ntdll.dll")); 726 | 727 | if (NULL != ImageHandle && 728 | ImageHandle == UlongToPtr(FunctionTableEntry[0].ImageBase)) { 729 | Index = 1; 730 | } 731 | 732 | if (CurrentSize != Wx86UserInvertedFunctionTable->MaximumSize) { 733 | if (0 != CurrentSize) { 734 | for (; 735 | Index < CurrentSize; 736 | Index++) { 737 | if (PtrToUlong(ImageBase) < FunctionTableEntry[Index].ImageBase) { 738 | RtlMoveMemory( 739 | &FunctionTableEntry[Index + 1], 740 | &FunctionTableEntry[Index], 741 | (CurrentSize - Index) * sizeof(FUNCTION_TABLE_ENTRY32)); 742 | 743 | break; 744 | } 745 | } 746 | } 747 | 748 | CaptureImageExceptionValues( 749 | ImageBase, 750 | &FunctionTable, 751 | &SizeOfTable); 752 | 753 | if (LongToPtr(-1) != FunctionTable && 754 | -1 != SizeOfTable) { 755 | FunctionTableEntry[Index].ImageBase = PtrToUlong(ImageBase); 756 | FunctionTableEntry[Index].SizeOfImage = SizeOfImage; 757 | FunctionTableEntry[Index].FunctionTable = EncodeSystemPointer(PtrToUlong(FunctionTable)); 758 | FunctionTableEntry[Index].SizeOfTable = SizeOfTable; 759 | 760 | Wx86UserInvertedFunctionTable->CurrentSize += 1; 761 | 762 | #ifndef VMP 763 | DbgPrint( 764 | "Soul - Testis - insert wx86 user inverted function table < %04d >\n", 765 | Index); 766 | #endif // !VMP 767 | } 768 | } 769 | else { 770 | Wx86UserInvertedFunctionTable->Overflow = TRUE; 771 | } 772 | 773 | ProtectPages( 774 | Wx86UserInvertedFunctionTable, 775 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 776 | sizeof(FUNCTION_TABLE_ENTRY32) * Wx86UserInvertedFunctionTable->MaximumSize, 777 | OldProtect, 778 | &OldProtect); 779 | } 780 | } 781 | } 782 | 783 | VOID 784 | NTAPI 785 | RemoveWx86UserInvertedFunctionTable( 786 | __in PVOID ImageBase 787 | ) 788 | { 789 | NTSTATUS Status = STATUS_SUCCESS; 790 | ULONG CurrentSize = 0; 791 | ULONG Index = 0; 792 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 793 | ULONG OldProtect = 0; 794 | 795 | if (NULL != Wx86UserInvertedFunctionTable) { 796 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY32) 797 | &Wx86UserInvertedFunctionTable->TableEntry; 798 | 799 | CurrentSize = Wx86UserInvertedFunctionTable->CurrentSize; 800 | 801 | Status = ProtectPages( 802 | Wx86UserInvertedFunctionTable, 803 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 804 | sizeof(FUNCTION_TABLE_ENTRY32) * Wx86UserInvertedFunctionTable->MaximumSize, 805 | PAGE_READWRITE, 806 | &OldProtect); 807 | 808 | if (NT_SUCCESS(Status)) { 809 | for (Index = 0; 810 | Index < CurrentSize; 811 | Index += 1) { 812 | if (PtrToUlong(ImageBase) == FunctionTableEntry[Index].ImageBase) { 813 | RtlMoveMemory( 814 | &FunctionTableEntry[Index], 815 | &FunctionTableEntry[Index + 1], 816 | (CurrentSize - Index - 1) * sizeof(FUNCTION_TABLE_ENTRY32)); 817 | 818 | Wx86UserInvertedFunctionTable->CurrentSize -= 1; 819 | 820 | #ifndef VMP 821 | DbgPrint( 822 | "Soul - Testis - remote wx86 user inverted function table < %04d >\n", 823 | Index); 824 | #endif // !VMP 825 | 826 | break; 827 | } 828 | } 829 | 830 | ProtectPages( 831 | Wx86UserInvertedFunctionTable, 832 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 833 | sizeof(FUNCTION_TABLE_ENTRY32) * Wx86UserInvertedFunctionTable->MaximumSize, 834 | OldProtect, 835 | &OldProtect); 836 | } 837 | } 838 | } 839 | 840 | VOID 841 | NTAPI 842 | InsertWx86UserSpecialInvertedFunctionTable( 843 | __in PVOID ImageBase, 844 | __in ULONG SizeOfImage 845 | ) 846 | { 847 | NTSTATUS Status = STATUS_SUCCESS; 848 | ULONG CurrentSize = 0; 849 | ULONG SizeOfTable = 0; 850 | ULONG Index = 0; 851 | PVOID FunctionTable = NULL; 852 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 853 | PVOID ImageHandle = NULL; 854 | ULONG OldProtect = 0; 855 | 856 | if (NULL == Wx86UserSpecialInvertedFunctionTable) { 857 | SearchWx86UserSpecialInvertedFunctionTable(); 858 | } 859 | 860 | if (NULL != Wx86UserSpecialInvertedFunctionTable) { 861 | FunctionTableEntry = 862 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY32) 863 | &Wx86UserSpecialInvertedFunctionTable->TableEntry; 864 | 865 | CurrentSize = Wx86UserSpecialInvertedFunctionTable->CurrentSize; 866 | 867 | Status = ProtectPages( 868 | Wx86UserSpecialInvertedFunctionTable, 869 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 870 | sizeof(FUNCTION_TABLE_ENTRY32) * Wx86UserSpecialInvertedFunctionTable->MaximumSize, 871 | PAGE_READWRITE, 872 | &OldProtect); 873 | 874 | if (NT_SUCCESS(Status)) { 875 | ImageHandle = UlongToPtr(Wx86GetImageHandle("ntdll.dll")); 876 | 877 | if (NULL != ImageHandle && 878 | ImageHandle == UlongToPtr(FunctionTableEntry[0].ImageBase)) { 879 | Index = 1; 880 | } 881 | 882 | if (CurrentSize != Wx86UserSpecialInvertedFunctionTable->MaximumSize) { 883 | if (0 != CurrentSize) { 884 | for (; 885 | Index < CurrentSize; 886 | Index++) { 887 | if (PtrToUlong(ImageBase) < FunctionTableEntry[Index].ImageBase) { 888 | RtlMoveMemory( 889 | &FunctionTableEntry[Index + 1], 890 | &FunctionTableEntry[Index], 891 | (CurrentSize - Index) * sizeof(FUNCTION_TABLE_ENTRY32)); 892 | 893 | break; 894 | } 895 | } 896 | } 897 | 898 | CaptureImageExceptionValues( 899 | ImageBase, 900 | &FunctionTable, 901 | &SizeOfTable); 902 | 903 | if (LongToPtr(-1) != FunctionTable && 904 | -1 != SizeOfTable) { 905 | FunctionTableEntry[Index].ImageBase = PtrToUlong(ImageBase); 906 | FunctionTableEntry[Index].SizeOfImage = SizeOfImage; 907 | FunctionTableEntry[Index].FunctionTable = EncodeSystemPointer(PtrToUlong(FunctionTable)); 908 | FunctionTableEntry[Index].SizeOfTable = SizeOfTable; 909 | 910 | Wx86UserSpecialInvertedFunctionTable->CurrentSize += 1; 911 | 912 | #ifndef VMP 913 | DbgPrint( 914 | "Soul - Testis - insert wx86 user special inverted function table < %04d >\n", 915 | Index); 916 | #endif // !VMP 917 | } 918 | } 919 | else { 920 | Wx86UserSpecialInvertedFunctionTable->Overflow = TRUE; 921 | } 922 | 923 | ProtectPages( 924 | Wx86UserSpecialInvertedFunctionTable, 925 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 926 | sizeof(FUNCTION_TABLE_ENTRY32) * Wx86UserSpecialInvertedFunctionTable->MaximumSize, 927 | OldProtect, 928 | &OldProtect); 929 | } 930 | } 931 | } 932 | 933 | VOID 934 | NTAPI 935 | RemoveWx86UserSpecialInvertedFunctionTable( 936 | __in PVOID ImageBase 937 | ) 938 | { 939 | NTSTATUS Status = STATUS_SUCCESS; 940 | ULONG CurrentSize = 0; 941 | ULONG Index = 0; 942 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 943 | ULONG OldProtect = 0; 944 | 945 | if (NULL != Wx86UserSpecialInvertedFunctionTable) { 946 | FunctionTableEntry = 947 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY32) 948 | &Wx86UserSpecialInvertedFunctionTable->TableEntry; 949 | 950 | CurrentSize = Wx86UserSpecialInvertedFunctionTable->CurrentSize; 951 | 952 | Status = ProtectPages( 953 | Wx86UserSpecialInvertedFunctionTable, 954 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 955 | sizeof(FUNCTION_TABLE_ENTRY32) * Wx86UserSpecialInvertedFunctionTable->MaximumSize, 956 | PAGE_READWRITE, 957 | &OldProtect); 958 | 959 | if (NT_SUCCESS(Status)) { 960 | for (Index = 0; 961 | Index < CurrentSize; 962 | Index += 1) { 963 | if (PtrToUlong(ImageBase) == FunctionTableEntry[Index].ImageBase) { 964 | RtlMoveMemory( 965 | &FunctionTableEntry[Index], 966 | &FunctionTableEntry[Index + 1], 967 | (CurrentSize - Index - 1) * sizeof(FUNCTION_TABLE_ENTRY32)); 968 | 969 | Wx86UserSpecialInvertedFunctionTable->CurrentSize -= 1; 970 | 971 | #ifndef VMP 972 | DbgPrint( 973 | "Soul - Testis - remote wx86 user special inverted function table < %04d >\n", 974 | Index); 975 | #endif // !VMP 976 | 977 | break; 978 | } 979 | } 980 | 981 | ProtectPages( 982 | Wx86UserSpecialInvertedFunctionTable, 983 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 984 | sizeof(FUNCTION_TABLE_ENTRY32) * Wx86UserSpecialInvertedFunctionTable->MaximumSize, 985 | OldProtect, 986 | &OldProtect); 987 | } 988 | } 989 | } 990 | -------------------------------------------------------------------------------- /AMD64/StubsAMD64.asm: -------------------------------------------------------------------------------- 1 | ; 2 | ; 3 | ; Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | ; 5 | ; The contents of this file are subject to the Mozilla Public License Version 6 | ; 2.0 (the "License"); you may not use this file except in compliance with 7 | ; the License. You may obtain a copy of the License at 8 | ; http://www.mozilla.org/MPL/ 9 | ; 10 | ; Software distributed under the License is distributed on an "AS IS" basis, 11 | ; WITHOUT WARRANTY OF ANY KIND, either express or implied. Ree the License 12 | ; for the specific language governing rights and limitations under the 13 | ; License. 14 | ; 15 | ; The Initial Developer of the Original e is blindtiger. 16 | ; 17 | ; 18 | 19 | .XLIST 20 | INCLUDE DEFS.INC 21 | INCLUDE KSAMD64.INC 22 | .LIST 23 | 24 | OPTION CASEMAP:NONE 25 | 26 | BuildServiceDispatchTable PROTO 27 | 28 | _DATA$00 SEGMENT PAGE 'DATA' 29 | 30 | _DATA$00 ENDS 31 | 32 | _TEXT$00 SEGMENT PAGE 'CODE' 33 | 34 | STUBS_ENTRY macro Name 35 | 36 | Stub&Name : 37 | 38 | mov rax, Stub&Name ; save IP 39 | push rax 40 | mov rax, StubsBridge 41 | jmp rax 42 | 43 | DB 38 dup (0cch) 44 | 45 | int 3 46 | 47 | PUBLIC Stub&Name 48 | 49 | ENDM 50 | 51 | ServiceDispatchTable : 52 | PUBLIC ServiceDispatchTable 53 | 54 | STUBS_ENTRY AcceptConnectPort 55 | 56 | align 40h 57 | 58 | STUBS_ENTRY AccessCheck 59 | 60 | align 40h 61 | 62 | STUBS_ENTRY AccessCheckAndAuditAlarm 63 | 64 | align 40h 65 | 66 | STUBS_ENTRY AccessCheckByType 67 | 68 | align 40h 69 | 70 | STUBS_ENTRY AccessCheckByTypeAndAuditAlarm 71 | 72 | align 40h 73 | 74 | STUBS_ENTRY AccessCheckByTypeResultList 75 | 76 | align 40h 77 | 78 | STUBS_ENTRY AccessCheckByTypeResultListAndAuditAlarm 79 | 80 | align 40h 81 | 82 | STUBS_ENTRY AccessCheckByTypeResultListAndAuditAlarmByHandle 83 | 84 | align 40h 85 | 86 | STUBS_ENTRY AcquireCMFViewOwnership 87 | 88 | align 40h 89 | 90 | STUBS_ENTRY AcquireProcessActivityReference 91 | 92 | align 40h 93 | 94 | STUBS_ENTRY AddAtom 95 | 96 | align 40h 97 | 98 | STUBS_ENTRY AddAtomEx 99 | 100 | align 40h 101 | 102 | STUBS_ENTRY AddBootEntry 103 | 104 | align 40h 105 | 106 | STUBS_ENTRY AddDriverEntry 107 | 108 | align 40h 109 | 110 | STUBS_ENTRY AdjustGroupsToken 111 | 112 | align 40h 113 | 114 | STUBS_ENTRY AdjustPrivilegesToken 115 | 116 | align 40h 117 | 118 | STUBS_ENTRY AdjustTokenClaimsAndDeviceGroups 119 | 120 | align 40h 121 | 122 | STUBS_ENTRY AlertResumeThread 123 | 124 | align 40h 125 | 126 | STUBS_ENTRY AlertThread 127 | 128 | align 40h 129 | 130 | STUBS_ENTRY AlertThreadByThreadId 131 | 132 | align 40h 133 | 134 | STUBS_ENTRY AllocateLocallyUniqueId 135 | 136 | align 40h 137 | 138 | STUBS_ENTRY AllocateReserveObject 139 | 140 | align 40h 141 | 142 | STUBS_ENTRY AllocateUserPhysicalPages 143 | 144 | align 40h 145 | 146 | STUBS_ENTRY AllocateUuids 147 | 148 | align 40h 149 | 150 | STUBS_ENTRY AllocateVirtualMemory 151 | 152 | align 40h 153 | 154 | STUBS_ENTRY AllocateVirtualMemoryEx 155 | 156 | align 40h 157 | 158 | STUBS_ENTRY AlpcAcceptConnectPort 159 | 160 | align 40h 161 | 162 | STUBS_ENTRY AlpcCancelMessage 163 | 164 | align 40h 165 | 166 | STUBS_ENTRY AlpcConnectPort 167 | 168 | align 40h 169 | 170 | STUBS_ENTRY AlpcConnectPortEx 171 | 172 | align 40h 173 | 174 | STUBS_ENTRY AlpcCreatePort 175 | 176 | align 40h 177 | 178 | STUBS_ENTRY AlpcCreatePortSection 179 | 180 | align 40h 181 | 182 | STUBS_ENTRY AlpcCreateResourceReserve 183 | 184 | align 40h 185 | 186 | STUBS_ENTRY AlpcCreateSectionView 187 | 188 | align 40h 189 | 190 | STUBS_ENTRY AlpcCreateSecurityContext 191 | 192 | align 40h 193 | 194 | STUBS_ENTRY AlpcDeletePortSection 195 | 196 | align 40h 197 | 198 | STUBS_ENTRY AlpcDeleteResourceReserve 199 | 200 | align 40h 201 | 202 | STUBS_ENTRY AlpcDeleteSectionView 203 | 204 | align 40h 205 | 206 | STUBS_ENTRY AlpcDeleteSecurityContext 207 | 208 | align 40h 209 | 210 | STUBS_ENTRY AlpcDisconnectPort 211 | 212 | align 40h 213 | 214 | STUBS_ENTRY AlpcImpersonateClientContainerOfPort 215 | 216 | align 40h 217 | 218 | STUBS_ENTRY AlpcImpersonateClientOfPort 219 | 220 | align 40h 221 | 222 | STUBS_ENTRY AlpcOpenSenderProcess 223 | 224 | align 40h 225 | 226 | STUBS_ENTRY AlpcOpenSenderThread 227 | 228 | align 40h 229 | 230 | STUBS_ENTRY AlpcQueryInformation 231 | 232 | align 40h 233 | 234 | STUBS_ENTRY AlpcQueryInformationMessage 235 | 236 | align 40h 237 | 238 | STUBS_ENTRY AlpcRevokeSecurityContext 239 | 240 | align 40h 241 | 242 | STUBS_ENTRY AlpcSendWaitReceivePort 243 | 244 | align 40h 245 | 246 | STUBS_ENTRY AlpcSetInformation 247 | 248 | align 40h 249 | 250 | STUBS_ENTRY ApphelpCacheContro 251 | 252 | align 40h 253 | 254 | STUBS_ENTRY AreMappedFilesTheSame 255 | 256 | align 40h 257 | 258 | STUBS_ENTRY AssignProcessToJobObject 259 | 260 | align 40h 261 | 262 | STUBS_ENTRY AssociateWaitCompletionPacket 263 | 264 | align 40h 265 | 266 | STUBS_ENTRY CallEnclave 267 | 268 | align 40h 269 | 270 | STUBS_ENTRY CallbackReturn 271 | 272 | align 40h 273 | 274 | STUBS_ENTRY CancelDeviceWakeupRequest 275 | 276 | align 40h 277 | 278 | STUBS_ENTRY CancelIoFile 279 | 280 | align 40h 281 | 282 | STUBS_ENTRY CancelIoFileEx 283 | 284 | align 40h 285 | 286 | STUBS_ENTRY CancelSynchronousIoFile 287 | 288 | align 40h 289 | 290 | STUBS_ENTRY CancelTimer 291 | 292 | align 40h 293 | 294 | STUBS_ENTRY CancelTimer2 295 | 296 | align 40h 297 | 298 | STUBS_ENTRY CancelWaitCompletionPacket 299 | 300 | align 40h 301 | 302 | STUBS_ENTRY ClearAllSavepointsTransaction 303 | 304 | align 40h 305 | 306 | STUBS_ENTRY ClearEvent 307 | 308 | align 40h 309 | 310 | STUBS_ENTRY ClearSavepointTransaction 311 | 312 | align 40h 313 | 314 | STUBS_ENTRY Close 315 | 316 | align 40h 317 | 318 | STUBS_ENTRY CloseObjectAuditAlarm 319 | 320 | align 40h 321 | 322 | STUBS_ENTRY CommitComplete 323 | 324 | align 40h 325 | 326 | STUBS_ENTRY CommitEnlistment 327 | 328 | align 40h 329 | 330 | STUBS_ENTRY CommitRegistryTransaction 331 | 332 | align 40h 333 | 334 | STUBS_ENTRY CommitTransaction 335 | 336 | align 40h 337 | 338 | STUBS_ENTRY CompactKeys 339 | 340 | align 40h 341 | 342 | STUBS_ENTRY CompareObjects 343 | 344 | align 40h 345 | 346 | STUBS_ENTRY CompareSigningLevels 347 | 348 | align 40h 349 | 350 | STUBS_ENTRY CompareTokens 351 | 352 | align 40h 353 | 354 | STUBS_ENTRY CompleteConnectPort 355 | 356 | align 40h 357 | 358 | STUBS_ENTRY CompressKey 359 | 360 | align 40h 361 | 362 | STUBS_ENTRY ConnectPort 363 | 364 | align 40h 365 | 366 | STUBS_ENTRY Continue 367 | 368 | align 40h 369 | 370 | STUBS_ENTRY ConvertBetweenAuxiliaryCounterAndPerformanceCounter 371 | 372 | align 40h 373 | 374 | STUBS_ENTRY CreateDebugObject 375 | 376 | align 40h 377 | 378 | STUBS_ENTRY CreateDirectoryObject 379 | 380 | align 40h 381 | 382 | STUBS_ENTRY CreateDirectoryObjectEx 383 | 384 | align 40h 385 | 386 | STUBS_ENTRY CreateEnclave 387 | 388 | align 40h 389 | 390 | STUBS_ENTRY CreateEnlistment 391 | 392 | align 40h 393 | 394 | STUBS_ENTRY CreateEvent 395 | 396 | align 40h 397 | 398 | STUBS_ENTRY CreateEventPair 399 | 400 | align 40h 401 | 402 | STUBS_ENTRY CreateFile 403 | 404 | align 40h 405 | 406 | STUBS_ENTRY CreateIRTimer 407 | 408 | align 40h 409 | 410 | STUBS_ENTRY CreateIoCompletion 411 | 412 | align 40h 413 | 414 | STUBS_ENTRY CreateJobObject 415 | 416 | align 40h 417 | 418 | STUBS_ENTRY CreateJobSet 419 | 420 | align 40h 421 | 422 | STUBS_ENTRY CreateKey 423 | 424 | align 40h 425 | 426 | STUBS_ENTRY CreateKeyTransacted 427 | 428 | align 40h 429 | 430 | STUBS_ENTRY CreateKeyedEvent 431 | 432 | align 40h 433 | 434 | STUBS_ENTRY CreateLowBoxToken 435 | 436 | align 40h 437 | 438 | STUBS_ENTRY CreateMailslotFile 439 | 440 | align 40h 441 | 442 | STUBS_ENTRY CreateMutant 443 | 444 | align 40h 445 | 446 | STUBS_ENTRY CreateNamedPipeFile 447 | 448 | align 40h 449 | 450 | STUBS_ENTRY CreatePagingFile 451 | 452 | align 40h 453 | 454 | STUBS_ENTRY CreatePartition 455 | 456 | align 40h 457 | 458 | STUBS_ENTRY CreatePort 459 | 460 | align 40h 461 | 462 | STUBS_ENTRY CreatePrivateNamespace 463 | 464 | align 40h 465 | 466 | STUBS_ENTRY CreateProcess 467 | 468 | align 40h 469 | 470 | STUBS_ENTRY CreateProcessEx 471 | 472 | align 40h 473 | 474 | STUBS_ENTRY CreateProfile 475 | 476 | align 40h 477 | 478 | STUBS_ENTRY CreateProfileEx 479 | 480 | align 40h 481 | 482 | STUBS_ENTRY CreateRegistryTransaction 483 | 484 | align 40h 485 | 486 | STUBS_ENTRY CreateResourceManager 487 | 488 | align 40h 489 | 490 | STUBS_ENTRY CreateSection 491 | 492 | align 40h 493 | 494 | STUBS_ENTRY CreateSemaphore 495 | 496 | align 40h 497 | 498 | STUBS_ENTRY CreateSymbolicLinkObject 499 | 500 | align 40h 501 | 502 | STUBS_ENTRY CreateThread 503 | 504 | align 40h 505 | 506 | STUBS_ENTRY CreateThreadEx 507 | 508 | align 40h 509 | 510 | STUBS_ENTRY CreateTimer 511 | 512 | align 40h 513 | 514 | STUBS_ENTRY CreateTimer2 515 | 516 | align 40h 517 | 518 | STUBS_ENTRY CreateToken 519 | 520 | align 40h 521 | 522 | STUBS_ENTRY CreateTokenEx 523 | 524 | align 40h 525 | 526 | STUBS_ENTRY CreateTransaction 527 | 528 | align 40h 529 | 530 | STUBS_ENTRY CreateTransactionManager 531 | 532 | align 40h 533 | 534 | STUBS_ENTRY CreateUserProcess 535 | 536 | align 40h 537 | 538 | STUBS_ENTRY CreateWaitCompletionPacket 539 | 540 | align 40h 541 | 542 | STUBS_ENTRY CreateWaitablePort 543 | 544 | align 40h 545 | 546 | STUBS_ENTRY CreateWnfStateName 547 | 548 | align 40h 549 | 550 | STUBS_ENTRY CreateWorkerFactory 551 | 552 | align 40h 553 | 554 | STUBS_ENTRY DebugActiveProcess 555 | 556 | align 40h 557 | 558 | STUBS_ENTRY DebugContinue 559 | 560 | align 40h 561 | 562 | STUBS_ENTRY DelayExecution 563 | 564 | align 40h 565 | 566 | STUBS_ENTRY DeleteAtom 567 | 568 | align 40h 569 | 570 | STUBS_ENTRY DeleteBootEntry 571 | 572 | align 40h 573 | 574 | STUBS_ENTRY DeleteDriverEntry 575 | 576 | align 40h 577 | 578 | STUBS_ENTRY DeleteFile 579 | 580 | align 40h 581 | 582 | STUBS_ENTRY DeleteKey 583 | 584 | align 40h 585 | 586 | STUBS_ENTRY DeleteObjectAuditAlarm 587 | 588 | align 40h 589 | 590 | STUBS_ENTRY DeletePrivateNamespace 591 | 592 | align 40h 593 | 594 | STUBS_ENTRY DeleteValueKey 595 | 596 | align 40h 597 | 598 | STUBS_ENTRY DeleteWnfStateData 599 | 600 | align 40h 601 | 602 | STUBS_ENTRY DeleteWnfStateName 603 | 604 | align 40h 605 | 606 | STUBS_ENTRY DeviceIoControlFile 607 | 608 | align 40h 609 | 610 | STUBS_ENTRY DisableLastKnownGood 611 | 612 | align 40h 613 | 614 | STUBS_ENTRY DisplayString 615 | 616 | align 40h 617 | 618 | STUBS_ENTRY DrawText 619 | 620 | align 40h 621 | 622 | STUBS_ENTRY DuplicateObject 623 | 624 | align 40h 625 | 626 | STUBS_ENTRY DuplicateToken 627 | 628 | align 40h 629 | 630 | STUBS_ENTRY EnableLastKnownGood 631 | 632 | align 40h 633 | 634 | STUBS_ENTRY EnumerateBootEntries 635 | 636 | align 40h 637 | 638 | STUBS_ENTRY EnumerateDriverEntries 639 | 640 | align 40h 641 | 642 | STUBS_ENTRY EnumerateKey 643 | 644 | align 40h 645 | 646 | STUBS_ENTRY EnumerateSystemEnvironmentValuesEx 647 | 648 | align 40h 649 | 650 | STUBS_ENTRY EnumerateTransactionObject 651 | 652 | align 40h 653 | 654 | STUBS_ENTRY EnumerateValueKey 655 | 656 | align 40h 657 | 658 | STUBS_ENTRY ExtendSection 659 | 660 | align 40h 661 | 662 | STUBS_ENTRY FilterBootOption 663 | 664 | align 40h 665 | 666 | STUBS_ENTRY FilterToken 667 | 668 | align 40h 669 | 670 | STUBS_ENTRY FilterTokenEx 671 | 672 | align 40h 673 | 674 | STUBS_ENTRY FindAtom 675 | 676 | align 40h 677 | 678 | STUBS_ENTRY FlushBuffersFile 679 | 680 | align 40h 681 | 682 | STUBS_ENTRY FlushBuffersFileEx 683 | 684 | align 40h 685 | 686 | STUBS_ENTRY FlushInstallUILanguage 687 | 688 | align 40h 689 | 690 | STUBS_ENTRY FlushInstructionCache 691 | 692 | align 40h 693 | 694 | STUBS_ENTRY FlushKey 695 | 696 | align 40h 697 | 698 | STUBS_ENTRY FlushProcessWriteBuffers 699 | 700 | align 40h 701 | 702 | STUBS_ENTRY FlushVirtualMemory 703 | 704 | align 40h 705 | 706 | STUBS_ENTRY FlushWriteBuffer 707 | 708 | align 40h 709 | 710 | STUBS_ENTRY FreeUserPhysicalPages 711 | 712 | align 40h 713 | 714 | STUBS_ENTRY FreeVirtualMemory 715 | 716 | align 40h 717 | 718 | STUBS_ENTRY FreezeRegistry 719 | 720 | align 40h 721 | 722 | STUBS_ENTRY FreezeTransactions 723 | 724 | align 40h 725 | 726 | STUBS_ENTRY FsControlFile 727 | 728 | align 40h 729 | 730 | STUBS_ENTRY GetCachedSigningLeve 731 | 732 | align 40h 733 | 734 | STUBS_ENTRY GetCompleteWnfStateSubscription 735 | 736 | align 40h 737 | 738 | STUBS_ENTRY GetContextThread 739 | 740 | align 40h 741 | 742 | STUBS_ENTRY GetCurrentProcessorNumber 743 | 744 | align 40h 745 | 746 | STUBS_ENTRY GetCurrentProcessorNumberEx 747 | 748 | align 40h 749 | 750 | STUBS_ENTRY GetDevicePowerState 751 | 752 | align 40h 753 | 754 | STUBS_ENTRY GetMUIRegistryInfo 755 | 756 | align 40h 757 | 758 | STUBS_ENTRY GetNextProcess 759 | 760 | align 40h 761 | 762 | STUBS_ENTRY GetNextThread 763 | 764 | align 40h 765 | 766 | STUBS_ENTRY GetNlsSectionPtr 767 | 768 | align 40h 769 | 770 | STUBS_ENTRY GetNotificationResourceManager 771 | 772 | align 40h 773 | 774 | STUBS_ENTRY GetPlugPlayEvent 775 | 776 | align 40h 777 | 778 | STUBS_ENTRY GetWriteWatch 779 | 780 | align 40h 781 | 782 | STUBS_ENTRY ImpersonateAnonymousToken 783 | 784 | align 40h 785 | 786 | STUBS_ENTRY ImpersonateClientOfPort 787 | 788 | align 40h 789 | 790 | STUBS_ENTRY ImpersonateThread 791 | 792 | align 40h 793 | 794 | STUBS_ENTRY InitializeEnclave 795 | 796 | align 40h 797 | 798 | STUBS_ENTRY InitializeNlsFiles 799 | 800 | align 40h 801 | 802 | STUBS_ENTRY InitializeRegistry 803 | 804 | align 40h 805 | 806 | STUBS_ENTRY InitiatePowerAction 807 | 808 | align 40h 809 | 810 | STUBS_ENTRY IsProcessInJob 811 | 812 | align 40h 813 | 814 | STUBS_ENTRY IsSystemResumeAutomatic 815 | 816 | align 40h 817 | 818 | STUBS_ENTRY IsUILanguageComitted 819 | 820 | align 40h 821 | 822 | STUBS_ENTRY ListTransactions 823 | 824 | align 40h 825 | 826 | STUBS_ENTRY ListenPort 827 | 828 | align 40h 829 | 830 | STUBS_ENTRY LoadDriver 831 | 832 | align 40h 833 | 834 | STUBS_ENTRY LoadEnclaveData 835 | 836 | align 40h 837 | 838 | STUBS_ENTRY LoadHotPatch 839 | 840 | align 40h 841 | 842 | STUBS_ENTRY LoadKey 843 | 844 | align 40h 845 | 846 | STUBS_ENTRY LoadKey2 847 | 848 | align 40h 849 | 850 | STUBS_ENTRY LoadKeyEx 851 | 852 | align 40h 853 | 854 | STUBS_ENTRY LockFile 855 | 856 | align 40h 857 | 858 | STUBS_ENTRY LockProductActivationKeys 859 | 860 | align 40h 861 | 862 | STUBS_ENTRY LockRegistryKey 863 | 864 | align 40h 865 | 866 | STUBS_ENTRY LockVirtualMemory 867 | 868 | align 40h 869 | 870 | STUBS_ENTRY MakePermanentObject 871 | 872 | align 40h 873 | 874 | STUBS_ENTRY MakeTemporaryObject 875 | 876 | align 40h 877 | 878 | STUBS_ENTRY ManagePartition 879 | 880 | align 40h 881 | 882 | STUBS_ENTRY MapCMFModule 883 | 884 | align 40h 885 | 886 | STUBS_ENTRY MapUserPhysicalPages 887 | 888 | align 40h 889 | 890 | STUBS_ENTRY MapUserPhysicalPagesScatter 891 | 892 | align 40h 893 | 894 | STUBS_ENTRY MapViewOfSection 895 | 896 | align 40h 897 | 898 | STUBS_ENTRY MapViewOfSectionEx 899 | 900 | align 40h 901 | 902 | STUBS_ENTRY MarshallTransaction 903 | 904 | align 40h 905 | 906 | STUBS_ENTRY ModifyBootEntry 907 | 908 | align 40h 909 | 910 | STUBS_ENTRY ModifyDriverEntry 911 | 912 | align 40h 913 | 914 | STUBS_ENTRY NotifyChangeDirectoryFile 915 | 916 | align 40h 917 | 918 | STUBS_ENTRY NotifyChangeDirectoryFileEx 919 | 920 | align 40h 921 | 922 | STUBS_ENTRY NotifyChangeKey 923 | 924 | align 40h 925 | 926 | STUBS_ENTRY NotifyChangeMultipleKeys 927 | 928 | align 40h 929 | 930 | STUBS_ENTRY NotifyChangeSession 931 | 932 | align 40h 933 | 934 | STUBS_ENTRY OpenDirectoryObject 935 | 936 | align 40h 937 | 938 | STUBS_ENTRY OpenEnlistment 939 | 940 | align 40h 941 | 942 | STUBS_ENTRY OpenEvent 943 | 944 | align 40h 945 | 946 | STUBS_ENTRY OpenEventPair 947 | 948 | align 40h 949 | 950 | STUBS_ENTRY OpenFile 951 | 952 | align 40h 953 | 954 | STUBS_ENTRY OpenIoCompletion 955 | 956 | align 40h 957 | 958 | STUBS_ENTRY OpenJobObject 959 | 960 | align 40h 961 | 962 | STUBS_ENTRY OpenKey 963 | 964 | align 40h 965 | 966 | STUBS_ENTRY OpenKeyEx 967 | 968 | align 40h 969 | 970 | STUBS_ENTRY OpenKeyTransacted 971 | 972 | align 40h 973 | 974 | STUBS_ENTRY OpenKeyTransactedEx 975 | 976 | align 40h 977 | 978 | STUBS_ENTRY OpenKeyedEvent 979 | 980 | align 40h 981 | 982 | STUBS_ENTRY OpenMutant 983 | 984 | align 40h 985 | 986 | STUBS_ENTRY OpenObjectAuditAlarm 987 | 988 | align 40h 989 | 990 | STUBS_ENTRY OpenPartition 991 | 992 | align 40h 993 | 994 | STUBS_ENTRY OpenPrivateNamespace 995 | 996 | align 40h 997 | 998 | STUBS_ENTRY OpenProcess 999 | 1000 | align 40h 1001 | 1002 | STUBS_ENTRY OpenProcessToken 1003 | 1004 | align 40h 1005 | 1006 | STUBS_ENTRY OpenProcessTokenEx 1007 | 1008 | align 40h 1009 | 1010 | STUBS_ENTRY OpenRegistryTransaction 1011 | 1012 | align 40h 1013 | 1014 | STUBS_ENTRY OpenResourceManager 1015 | 1016 | align 40h 1017 | 1018 | STUBS_ENTRY OpenSection 1019 | 1020 | align 40h 1021 | 1022 | STUBS_ENTRY OpenSemaphore 1023 | 1024 | align 40h 1025 | 1026 | STUBS_ENTRY OpenSession 1027 | 1028 | align 40h 1029 | 1030 | STUBS_ENTRY OpenSymbolicLinkObject 1031 | 1032 | align 40h 1033 | 1034 | STUBS_ENTRY OpenThread 1035 | 1036 | align 40h 1037 | 1038 | STUBS_ENTRY OpenThreadToken 1039 | 1040 | align 40h 1041 | 1042 | STUBS_ENTRY OpenThreadTokenEx 1043 | 1044 | align 40h 1045 | 1046 | STUBS_ENTRY OpenTimer 1047 | 1048 | align 40h 1049 | 1050 | STUBS_ENTRY OpenTransaction 1051 | 1052 | align 40h 1053 | 1054 | STUBS_ENTRY OpenTransactionManager 1055 | 1056 | align 40h 1057 | 1058 | STUBS_ENTRY PlugPlayContro 1059 | 1060 | align 40h 1061 | 1062 | STUBS_ENTRY PowerInformation 1063 | 1064 | align 40h 1065 | 1066 | STUBS_ENTRY PrePrepareComplete 1067 | 1068 | align 40h 1069 | 1070 | STUBS_ENTRY PrePrepareEnlistment 1071 | 1072 | align 40h 1073 | 1074 | STUBS_ENTRY PrepareComplete 1075 | 1076 | align 40h 1077 | 1078 | STUBS_ENTRY PrepareEnlistment 1079 | 1080 | align 40h 1081 | 1082 | STUBS_ENTRY PrivilegeCheck 1083 | 1084 | align 40h 1085 | 1086 | STUBS_ENTRY PrivilegeObjectAuditAlarm 1087 | 1088 | align 40h 1089 | 1090 | STUBS_ENTRY PrivilegedServiceAuditAlarm 1091 | 1092 | align 40h 1093 | 1094 | STUBS_ENTRY PropagationComplete 1095 | 1096 | align 40h 1097 | 1098 | STUBS_ENTRY PropagationFailed 1099 | 1100 | align 40h 1101 | 1102 | STUBS_ENTRY ProtectVirtualMemory 1103 | 1104 | align 40h 1105 | 1106 | STUBS_ENTRY PullTransaction 1107 | 1108 | align 40h 1109 | 1110 | STUBS_ENTRY PulseEvent 1111 | 1112 | align 40h 1113 | 1114 | STUBS_ENTRY QueryAttributesFile 1115 | 1116 | align 40h 1117 | 1118 | STUBS_ENTRY QueryAuxiliaryCounterFrequency 1119 | 1120 | align 40h 1121 | 1122 | STUBS_ENTRY QueryBootEntryOrder 1123 | 1124 | align 40h 1125 | 1126 | STUBS_ENTRY QueryBootOptions 1127 | 1128 | align 40h 1129 | 1130 | STUBS_ENTRY QueryDebugFilterState 1131 | 1132 | align 40h 1133 | 1134 | STUBS_ENTRY QueryDefaultLocale 1135 | 1136 | align 40h 1137 | 1138 | STUBS_ENTRY QueryDefaultUILanguage 1139 | 1140 | align 40h 1141 | 1142 | STUBS_ENTRY QueryDirectoryFile 1143 | 1144 | align 40h 1145 | 1146 | STUBS_ENTRY QueryDirectoryFileEx 1147 | 1148 | align 40h 1149 | 1150 | STUBS_ENTRY QueryDirectoryObject 1151 | 1152 | align 40h 1153 | 1154 | STUBS_ENTRY QueryDriverEntryOrder 1155 | 1156 | align 40h 1157 | 1158 | STUBS_ENTRY QueryEaFile 1159 | 1160 | align 40h 1161 | 1162 | STUBS_ENTRY QueryEvent 1163 | 1164 | align 40h 1165 | 1166 | STUBS_ENTRY QueryFullAttributesFile 1167 | 1168 | align 40h 1169 | 1170 | STUBS_ENTRY QueryInformationAtom 1171 | 1172 | align 40h 1173 | 1174 | STUBS_ENTRY QueryInformationByName 1175 | 1176 | align 40h 1177 | 1178 | STUBS_ENTRY QueryInformationEnlistment 1179 | 1180 | align 40h 1181 | 1182 | STUBS_ENTRY QueryInformationFile 1183 | 1184 | align 40h 1185 | 1186 | STUBS_ENTRY QueryInformationJobObject 1187 | 1188 | align 40h 1189 | 1190 | STUBS_ENTRY QueryInformationPort 1191 | 1192 | align 40h 1193 | 1194 | STUBS_ENTRY QueryInformationProcess 1195 | 1196 | align 40h 1197 | 1198 | STUBS_ENTRY QueryInformationResourceManager 1199 | 1200 | align 40h 1201 | 1202 | STUBS_ENTRY QueryInformationThread 1203 | 1204 | align 40h 1205 | 1206 | STUBS_ENTRY QueryInformationToken 1207 | 1208 | align 40h 1209 | 1210 | STUBS_ENTRY QueryInformationTransaction 1211 | 1212 | align 40h 1213 | 1214 | STUBS_ENTRY QueryInformationTransactionManager 1215 | 1216 | align 40h 1217 | 1218 | STUBS_ENTRY QueryInformationWorkerFactory 1219 | 1220 | align 40h 1221 | 1222 | STUBS_ENTRY QueryInstallUILanguage 1223 | 1224 | align 40h 1225 | 1226 | STUBS_ENTRY QueryIntervalProfile 1227 | 1228 | align 40h 1229 | 1230 | STUBS_ENTRY QueryIoCompletion 1231 | 1232 | align 40h 1233 | 1234 | STUBS_ENTRY QueryKey 1235 | 1236 | align 40h 1237 | 1238 | STUBS_ENTRY QueryLicenseValue 1239 | 1240 | align 40h 1241 | 1242 | STUBS_ENTRY QueryMultipleValueKey 1243 | 1244 | align 40h 1245 | 1246 | STUBS_ENTRY QueryMutant 1247 | 1248 | align 40h 1249 | 1250 | STUBS_ENTRY QueryObject 1251 | 1252 | align 40h 1253 | 1254 | STUBS_ENTRY QueryOpenSubKeys 1255 | 1256 | align 40h 1257 | 1258 | STUBS_ENTRY QueryOpenSubKeysEx 1259 | 1260 | align 40h 1261 | 1262 | STUBS_ENTRY QueryPerformanceCounter 1263 | 1264 | align 40h 1265 | 1266 | STUBS_ENTRY QueryPortInformationProcess 1267 | 1268 | align 40h 1269 | 1270 | STUBS_ENTRY QueryQuotaInformationFile 1271 | 1272 | align 40h 1273 | 1274 | STUBS_ENTRY QuerySection 1275 | 1276 | align 40h 1277 | 1278 | STUBS_ENTRY QuerySecurityAttributesToken 1279 | 1280 | align 40h 1281 | 1282 | STUBS_ENTRY QuerySecurityObject 1283 | 1284 | align 40h 1285 | 1286 | STUBS_ENTRY QuerySecurityPolicy 1287 | 1288 | align 40h 1289 | 1290 | STUBS_ENTRY QuerySemaphore 1291 | 1292 | align 40h 1293 | 1294 | STUBS_ENTRY QuerySymbolicLinkObject 1295 | 1296 | align 40h 1297 | 1298 | STUBS_ENTRY QuerySystemEnvironmentValue 1299 | 1300 | align 40h 1301 | 1302 | STUBS_ENTRY QuerySystemEnvironmentValueEx 1303 | 1304 | align 40h 1305 | 1306 | STUBS_ENTRY QuerySystemInformation 1307 | 1308 | align 40h 1309 | 1310 | STUBS_ENTRY QuerySystemInformationEx 1311 | 1312 | align 40h 1313 | 1314 | STUBS_ENTRY QuerySystemTime 1315 | 1316 | align 40h 1317 | 1318 | STUBS_ENTRY QueryTimer 1319 | 1320 | align 40h 1321 | 1322 | STUBS_ENTRY QueryTimerResolution 1323 | 1324 | align 40h 1325 | 1326 | STUBS_ENTRY QueryValueKey 1327 | 1328 | align 40h 1329 | 1330 | STUBS_ENTRY QueryVirtualMemory 1331 | 1332 | align 40h 1333 | 1334 | STUBS_ENTRY QueryVolumeInformationFile 1335 | 1336 | align 40h 1337 | 1338 | STUBS_ENTRY QueryWnfStateData 1339 | 1340 | align 40h 1341 | 1342 | STUBS_ENTRY QueryWnfStateNameInformation 1343 | 1344 | align 40h 1345 | 1346 | STUBS_ENTRY QueueApcThread 1347 | 1348 | align 40h 1349 | 1350 | STUBS_ENTRY QueueApcThreadEx 1351 | 1352 | align 40h 1353 | 1354 | STUBS_ENTRY RaiseException 1355 | 1356 | align 40h 1357 | 1358 | STUBS_ENTRY RaiseHardError 1359 | 1360 | align 40h 1361 | 1362 | STUBS_ENTRY ReadFile 1363 | 1364 | align 40h 1365 | 1366 | STUBS_ENTRY ReadFileScatter 1367 | 1368 | align 40h 1369 | 1370 | STUBS_ENTRY ReadOnlyEnlistment 1371 | 1372 | align 40h 1373 | 1374 | STUBS_ENTRY ReadRequestData 1375 | 1376 | align 40h 1377 | 1378 | STUBS_ENTRY ReadVirtualMemory 1379 | 1380 | align 40h 1381 | 1382 | STUBS_ENTRY RecoverEnlistment 1383 | 1384 | align 40h 1385 | 1386 | STUBS_ENTRY RecoverResourceManager 1387 | 1388 | align 40h 1389 | 1390 | STUBS_ENTRY RecoverTransactionManager 1391 | 1392 | align 40h 1393 | 1394 | STUBS_ENTRY RegisterProtocolAddressInformation 1395 | 1396 | align 40h 1397 | 1398 | STUBS_ENTRY RegisterThreadTerminatePort 1399 | 1400 | align 40h 1401 | 1402 | STUBS_ENTRY ReleaseCMFViewOwnership 1403 | 1404 | align 40h 1405 | 1406 | STUBS_ENTRY ReleaseKeyedEvent 1407 | 1408 | align 40h 1409 | 1410 | STUBS_ENTRY ReleaseMutant 1411 | 1412 | align 40h 1413 | 1414 | STUBS_ENTRY ReleaseSemaphore 1415 | 1416 | align 40h 1417 | 1418 | STUBS_ENTRY ReleaseWorkerFactoryWorker 1419 | 1420 | align 40h 1421 | 1422 | STUBS_ENTRY RemoveIoCompletion 1423 | 1424 | align 40h 1425 | 1426 | STUBS_ENTRY RemoveIoCompletionEx 1427 | 1428 | align 40h 1429 | 1430 | STUBS_ENTRY RemoveProcessDebug 1431 | 1432 | align 40h 1433 | 1434 | STUBS_ENTRY RenameKey 1435 | 1436 | align 40h 1437 | 1438 | STUBS_ENTRY RenameTransactionManager 1439 | 1440 | align 40h 1441 | 1442 | STUBS_ENTRY ReplaceKey 1443 | 1444 | align 40h 1445 | 1446 | STUBS_ENTRY ReplacePartitionUnit 1447 | 1448 | align 40h 1449 | 1450 | STUBS_ENTRY ReplyPort 1451 | 1452 | align 40h 1453 | 1454 | STUBS_ENTRY ReplyWaitReceivePort 1455 | 1456 | align 40h 1457 | 1458 | STUBS_ENTRY ReplyWaitReceivePortEx 1459 | 1460 | align 40h 1461 | 1462 | STUBS_ENTRY ReplyWaitReplyPort 1463 | 1464 | align 40h 1465 | 1466 | STUBS_ENTRY RequestDeviceWakeup 1467 | 1468 | align 40h 1469 | 1470 | STUBS_ENTRY RequestPort 1471 | 1472 | align 40h 1473 | 1474 | STUBS_ENTRY RequestWaitReplyPort 1475 | 1476 | align 40h 1477 | 1478 | STUBS_ENTRY RequestWakeupLatency 1479 | 1480 | align 40h 1481 | 1482 | STUBS_ENTRY ResetEvent 1483 | 1484 | align 40h 1485 | 1486 | STUBS_ENTRY ResetWriteWatch 1487 | 1488 | align 40h 1489 | 1490 | STUBS_ENTRY RestoreKey 1491 | 1492 | align 40h 1493 | 1494 | STUBS_ENTRY ResumeProcess 1495 | 1496 | align 40h 1497 | 1498 | STUBS_ENTRY ResumeThread 1499 | 1500 | align 40h 1501 | 1502 | STUBS_ENTRY RevertContainerImpersonation 1503 | 1504 | align 40h 1505 | 1506 | STUBS_ENTRY RollbackComplete 1507 | 1508 | align 40h 1509 | 1510 | STUBS_ENTRY RollbackEnlistment 1511 | 1512 | align 40h 1513 | 1514 | STUBS_ENTRY RollbackRegistryTransaction 1515 | 1516 | align 40h 1517 | 1518 | STUBS_ENTRY RollbackSavepointTransaction 1519 | 1520 | align 40h 1521 | 1522 | STUBS_ENTRY RollbackTransaction 1523 | 1524 | align 40h 1525 | 1526 | STUBS_ENTRY RollforwardTransactionManager 1527 | 1528 | align 40h 1529 | 1530 | STUBS_ENTRY SaveKey 1531 | 1532 | align 40h 1533 | 1534 | STUBS_ENTRY SaveKeyEx 1535 | 1536 | align 40h 1537 | 1538 | STUBS_ENTRY SaveMergedKeys 1539 | 1540 | align 40h 1541 | 1542 | STUBS_ENTRY SavepointComplete 1543 | 1544 | align 40h 1545 | 1546 | STUBS_ENTRY SavepointTransaction 1547 | 1548 | align 40h 1549 | 1550 | STUBS_ENTRY SecureConnectPort 1551 | 1552 | align 40h 1553 | 1554 | STUBS_ENTRY SerializeBoot 1555 | 1556 | align 40h 1557 | 1558 | STUBS_ENTRY SetBootEntryOrder 1559 | 1560 | align 40h 1561 | 1562 | STUBS_ENTRY SetBootOptions 1563 | 1564 | align 40h 1565 | 1566 | STUBS_ENTRY SetCachedSigningLeve 1567 | 1568 | align 40h 1569 | 1570 | STUBS_ENTRY SetCachedSigningLevel2 1571 | 1572 | align 40h 1573 | 1574 | STUBS_ENTRY SetContextThread 1575 | 1576 | align 40h 1577 | 1578 | STUBS_ENTRY SetDebugFilterState 1579 | 1580 | align 40h 1581 | 1582 | STUBS_ENTRY SetDefaultHardErrorPort 1583 | 1584 | align 40h 1585 | 1586 | STUBS_ENTRY SetDefaultLocale 1587 | 1588 | align 40h 1589 | 1590 | STUBS_ENTRY SetDefaultUILanguage 1591 | 1592 | align 40h 1593 | 1594 | STUBS_ENTRY SetDriverEntryOrder 1595 | 1596 | align 40h 1597 | 1598 | STUBS_ENTRY SetEaFile 1599 | 1600 | align 40h 1601 | 1602 | STUBS_ENTRY SetEvent 1603 | 1604 | align 40h 1605 | 1606 | STUBS_ENTRY SetEventBoostPriority 1607 | 1608 | align 40h 1609 | 1610 | STUBS_ENTRY SetHighEventPair 1611 | 1612 | align 40h 1613 | 1614 | STUBS_ENTRY SetHighWaitLowEventPair 1615 | 1616 | align 40h 1617 | 1618 | STUBS_ENTRY SetIRTimer 1619 | 1620 | align 40h 1621 | 1622 | STUBS_ENTRY SetInformationDebugObject 1623 | 1624 | align 40h 1625 | 1626 | STUBS_ENTRY SetInformationEnlistment 1627 | 1628 | align 40h 1629 | 1630 | STUBS_ENTRY SetInformationFile 1631 | 1632 | align 40h 1633 | 1634 | STUBS_ENTRY SetInformationJobObject 1635 | 1636 | align 40h 1637 | 1638 | STUBS_ENTRY SetInformationKey 1639 | 1640 | align 40h 1641 | 1642 | STUBS_ENTRY SetInformationObject 1643 | 1644 | align 40h 1645 | 1646 | STUBS_ENTRY SetInformationProcess 1647 | 1648 | align 40h 1649 | 1650 | STUBS_ENTRY SetInformationResourceManager 1651 | 1652 | align 40h 1653 | 1654 | STUBS_ENTRY SetInformationSymbolicLink 1655 | 1656 | align 40h 1657 | 1658 | STUBS_ENTRY SetInformationThread 1659 | 1660 | align 40h 1661 | 1662 | STUBS_ENTRY SetInformationToken 1663 | 1664 | align 40h 1665 | 1666 | STUBS_ENTRY SetInformationTransaction 1667 | 1668 | align 40h 1669 | 1670 | STUBS_ENTRY SetInformationTransactionManager 1671 | 1672 | align 40h 1673 | 1674 | STUBS_ENTRY SetInformationVirtualMemory 1675 | 1676 | align 40h 1677 | 1678 | STUBS_ENTRY SetInformationWorkerFactory 1679 | 1680 | align 40h 1681 | 1682 | STUBS_ENTRY SetIntervalProfile 1683 | 1684 | align 40h 1685 | 1686 | STUBS_ENTRY SetIoCompletion 1687 | 1688 | align 40h 1689 | 1690 | STUBS_ENTRY SetIoCompletionEx 1691 | 1692 | align 40h 1693 | 1694 | STUBS_ENTRY SetLdtEntries 1695 | 1696 | align 40h 1697 | 1698 | STUBS_ENTRY SetLowEventPair 1699 | 1700 | align 40h 1701 | 1702 | STUBS_ENTRY SetLowWaitHighEventPair 1703 | 1704 | align 40h 1705 | 1706 | STUBS_ENTRY SetQuotaInformationFile 1707 | 1708 | align 40h 1709 | 1710 | STUBS_ENTRY SetSecurityObject 1711 | 1712 | align 40h 1713 | 1714 | STUBS_ENTRY SetSystemEnvironmentValue 1715 | 1716 | align 40h 1717 | 1718 | STUBS_ENTRY SetSystemEnvironmentValueEx 1719 | 1720 | align 40h 1721 | 1722 | STUBS_ENTRY SetSystemInformation 1723 | 1724 | align 40h 1725 | 1726 | STUBS_ENTRY SetSystemPowerState 1727 | 1728 | align 40h 1729 | 1730 | STUBS_ENTRY SetSystemTime 1731 | 1732 | align 40h 1733 | 1734 | STUBS_ENTRY SetThreadExecutionState 1735 | 1736 | align 40h 1737 | 1738 | STUBS_ENTRY SetTimer 1739 | 1740 | align 40h 1741 | 1742 | STUBS_ENTRY SetTimer2 1743 | 1744 | align 40h 1745 | 1746 | STUBS_ENTRY SetTimerEx 1747 | 1748 | align 40h 1749 | 1750 | STUBS_ENTRY SetTimerResolution 1751 | 1752 | align 40h 1753 | 1754 | STUBS_ENTRY SetUuidSeed 1755 | 1756 | align 40h 1757 | 1758 | STUBS_ENTRY SetValueKey 1759 | 1760 | align 40h 1761 | 1762 | STUBS_ENTRY SetVolumeInformationFile 1763 | 1764 | align 40h 1765 | 1766 | STUBS_ENTRY SetWnfProcessNotificationEvent 1767 | 1768 | align 40h 1769 | 1770 | STUBS_ENTRY ShutdownSystem 1771 | 1772 | align 40h 1773 | 1774 | STUBS_ENTRY ShutdownWorkerFactory 1775 | 1776 | align 40h 1777 | 1778 | STUBS_ENTRY SignalAndWaitForSingleObject 1779 | 1780 | align 40h 1781 | 1782 | STUBS_ENTRY SinglePhaseReject 1783 | 1784 | align 40h 1785 | 1786 | STUBS_ENTRY StartProfile 1787 | 1788 | align 40h 1789 | 1790 | STUBS_ENTRY StartTm 1791 | 1792 | align 40h 1793 | 1794 | STUBS_ENTRY StopProfile 1795 | 1796 | align 40h 1797 | 1798 | STUBS_ENTRY SubscribeWnfStateChange 1799 | 1800 | align 40h 1801 | 1802 | STUBS_ENTRY SuspendProcess 1803 | 1804 | align 40h 1805 | 1806 | STUBS_ENTRY SuspendThread 1807 | 1808 | align 40h 1809 | 1810 | STUBS_ENTRY SystemDebugContro 1811 | 1812 | align 40h 1813 | 1814 | STUBS_ENTRY TerminateEnclave 1815 | 1816 | align 40h 1817 | 1818 | STUBS_ENTRY TerminateJobObject 1819 | 1820 | align 40h 1821 | 1822 | STUBS_ENTRY TerminateProcess 1823 | 1824 | align 40h 1825 | 1826 | STUBS_ENTRY TerminateThread 1827 | 1828 | align 40h 1829 | 1830 | STUBS_ENTRY TestAlert 1831 | 1832 | align 40h 1833 | 1834 | STUBS_ENTRY ThawRegistry 1835 | 1836 | align 40h 1837 | 1838 | STUBS_ENTRY ThawTransactions 1839 | 1840 | align 40h 1841 | 1842 | STUBS_ENTRY TraceContro 1843 | 1844 | align 40h 1845 | 1846 | STUBS_ENTRY TraceEvent 1847 | 1848 | align 40h 1849 | 1850 | STUBS_ENTRY TranslateFilePath 1851 | 1852 | align 40h 1853 | 1854 | STUBS_ENTRY UmsThreadYield 1855 | 1856 | align 40h 1857 | 1858 | STUBS_ENTRY UnloadDriver 1859 | 1860 | align 40h 1861 | 1862 | STUBS_ENTRY UnloadKey 1863 | 1864 | align 40h 1865 | 1866 | STUBS_ENTRY UnloadKey2 1867 | 1868 | align 40h 1869 | 1870 | STUBS_ENTRY UnloadKeyEx 1871 | 1872 | align 40h 1873 | 1874 | STUBS_ENTRY UnlockFile 1875 | 1876 | align 40h 1877 | 1878 | STUBS_ENTRY UnlockVirtualMemory 1879 | 1880 | align 40h 1881 | 1882 | STUBS_ENTRY UnmapViewOfSection 1883 | 1884 | align 40h 1885 | 1886 | STUBS_ENTRY UnmapViewOfSectionEx 1887 | 1888 | align 40h 1889 | 1890 | STUBS_ENTRY UnsubscribeWnfStateChange 1891 | 1892 | align 40h 1893 | 1894 | STUBS_ENTRY UpdateWnfStateData 1895 | 1896 | align 40h 1897 | 1898 | STUBS_ENTRY VdmContro 1899 | 1900 | align 40h 1901 | 1902 | STUBS_ENTRY WaitForAlertByThreadId 1903 | 1904 | align 40h 1905 | 1906 | STUBS_ENTRY WaitForDebugEvent 1907 | 1908 | align 40h 1909 | 1910 | STUBS_ENTRY WaitForKeyedEvent 1911 | 1912 | align 40h 1913 | 1914 | STUBS_ENTRY WaitForMultipleObjects 1915 | 1916 | align 40h 1917 | 1918 | STUBS_ENTRY WaitForMultipleObjects32 1919 | 1920 | align 40h 1921 | 1922 | STUBS_ENTRY WaitForSingleObject 1923 | 1924 | align 40h 1925 | 1926 | STUBS_ENTRY WaitForWnfNotifications 1927 | 1928 | align 40h 1929 | 1930 | STUBS_ENTRY WaitForWorkViaWorkerFactory 1931 | 1932 | align 40h 1933 | 1934 | STUBS_ENTRY WaitHighEventPair 1935 | 1936 | align 40h 1937 | 1938 | STUBS_ENTRY WaitLowEventPair 1939 | 1940 | align 40h 1941 | 1942 | STUBS_ENTRY WorkerFactoryWorkerReady 1943 | 1944 | align 40h 1945 | 1946 | STUBS_ENTRY WriteFile 1947 | 1948 | align 40h 1949 | 1950 | STUBS_ENTRY WriteFileGather 1951 | 1952 | align 40h 1953 | 1954 | STUBS_ENTRY WriteRequestData 1955 | 1956 | align 40h 1957 | 1958 | STUBS_ENTRY WriteVirtualMemory 1959 | 1960 | align 40h 1961 | 1962 | STUBS_ENTRY YieldExecution 1963 | 1964 | align 40h 1965 | 1966 | StubsBridge : 1967 | 1968 | ; [rsp + 8] caller 1969 | mov [rsp + 28h], r9 ; 1970 | mov [rsp + 20h], r8 ; 1971 | mov [rsp + 18h], rdx ; 1972 | mov [rsp + 10h], rcx ; save argument register 1973 | 1974 | sub rsp, 28h 1975 | 1976 | pushfq 1977 | 1978 | call BuildServiceDispatchTable 1979 | 1980 | popfq 1981 | 1982 | add rsp, 28h 1983 | 1984 | mov rcx, [rsp + 10h] ; restore argument register 1985 | mov rdx, [rsp + 18h] 1986 | mov r8, [rsp + 20h] 1987 | mov r9, [rsp + 28h] 1988 | 1989 | ret ; jmp caller (now the stubs table is ajust to system function) 1990 | 1991 | DB 7 dup (0cch) 1992 | 1993 | align 40h 1994 | 1995 | PUBLIC StubsBridge 1996 | 1997 | _TEXT$00 ENDS 1998 | 1999 | END 2000 | -------------------------------------------------------------------------------- /Except.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | * 5 | * The contents of this file are subject to the Mozilla Public License Version 6 | * 2.0 (the "License")); you may not use this file except in compliance with 7 | * the License. You may obtain a copy of the License at 8 | * http://www.mozilla.org/MPL/ 9 | * 10 | * Software distributed under the License is distributed on an "AS IS" basis, 11 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. SEe the License 12 | * for the specific language governing rights and limitations under the 13 | * License. 14 | * 15 | * The Initial Developer of the Original e is blindtiger. 16 | * 17 | */ 18 | 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | #ifdef _WIN64 25 | #include 26 | #endif // _WIN64 27 | 28 | #include "Except.h" 29 | #include "Reload.h" 30 | 31 | NTSTATUS 32 | NTAPI 33 | ProtectPages( 34 | __inout PVOID BaseAddress, 35 | __inout SIZE_T RegionSize, 36 | __in ULONG NewProtect, 37 | __out PULONG OldProtect 38 | ); 39 | 40 | ULONG 41 | NTAPI 42 | EncodeSystemPointer( 43 | __in ULONG Pointer 44 | ) 45 | { 46 | return ((SharedUserData->Cookie ^ 47 | Pointer) >> (SharedUserData->Cookie & 0x1f)) | 48 | ((SharedUserData->Cookie ^ Pointer) << 49 | (32 - (SharedUserData->Cookie & 0x1f))); 50 | } 51 | 52 | ULONG 53 | NTAPI 54 | DecodeSystemPointer( 55 | __in ULONG Pointer 56 | ) 57 | { 58 | return SharedUserData->Cookie ^ 59 | ((Pointer >> (32 - (SharedUserData->Cookie & 0x1f))) | 60 | (Pointer << (SharedUserData->Cookie & 0x1f))); 61 | } 62 | 63 | VOID 64 | NTAPI 65 | CaptureImageExceptionValues( 66 | __in PVOID Base, 67 | __out PVOID * FunctionTable, 68 | __out PULONG TableSize 69 | ) 70 | { 71 | PIMAGE_NT_HEADERS NtHeaders = NULL; 72 | PIMAGE_LOAD_CONFIG_DIRECTORY32 LoadConfig = NULL; 73 | ULONG LoadConfigSize = 0; 74 | PIMAGE_COR20_HEADER Cor20Header = NULL; 75 | ULONG Cor20HeaderSize = 0; 76 | 77 | NtHeaders = RtlImageNtHeader(Base); 78 | 79 | if (FALSE != MmIsAddressValid(NtHeaders)) { 80 | if (IMAGE_NT_OPTIONAL_HDR32_MAGIC == NtHeaders->OptionalHeader.Magic) { 81 | if (IMAGE_DLLCHARACTERISTICS_NO_SEH == FlagOn( 82 | ((PIMAGE_NT_HEADERS32)NtHeaders)->OptionalHeader.DllCharacteristics, 83 | IMAGE_DLLCHARACTERISTICS_NO_SEH)) { 84 | *FunctionTable = LongToPtr(-1); 85 | *TableSize = -1; 86 | } 87 | else { 88 | LoadConfig = (PIMAGE_LOAD_CONFIG_DIRECTORY32) 89 | RtlImageDirectoryEntryToData( 90 | Base, 91 | TRUE, 92 | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 93 | &LoadConfigSize); 94 | 95 | if (NULL != LoadConfig && 96 | LoadConfig->Size >= RTL_SIZEOF_THROUGH_FIELD(IMAGE_LOAD_CONFIG_DIRECTORY32, SEHandlerCount) && 97 | 0 != LoadConfig->SEHandlerTable && 98 | 0 != LoadConfig->SEHandlerCount) { 99 | *FunctionTable = ULongToPtr(LoadConfig->SEHandlerTable); 100 | *TableSize = LoadConfig->SEHandlerCount; 101 | } 102 | else { 103 | Cor20Header = RtlImageDirectoryEntryToData( 104 | Base, 105 | TRUE, 106 | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 107 | &Cor20HeaderSize); 108 | 109 | if (Cor20Header && ((Cor20Header->Flags & COMIMAGE_FLAGS_ILONLY) == 110 | COMIMAGE_FLAGS_ILONLY)) { 111 | *FunctionTable = LongToPtr(-1); 112 | *TableSize = -1; 113 | } 114 | else { 115 | *FunctionTable = 0; 116 | *TableSize = 0; 117 | } 118 | } 119 | } 120 | } 121 | 122 | if (IMAGE_NT_OPTIONAL_HDR64_MAGIC == NtHeaders->OptionalHeader.Magic) { 123 | *FunctionTable = RtlImageDirectoryEntryToData( 124 | Base, 125 | TRUE, 126 | IMAGE_DIRECTORY_ENTRY_EXCEPTION, 127 | TableSize); 128 | } 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /Except.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | * 5 | * The contents of this file are subject to the Mozilla Public License Version 6 | * 2.0 (the "License"); you may not use this file except in compliance with 7 | * the License. You may obtain a copy of the License at 8 | * http://www.mozilla.org/MPL/ 9 | * 10 | * Software distributed under the License is distributed on an "AS IS" basis, 11 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. SEe the License 12 | * for the specific language governing rights and limitations under the 13 | * License. 14 | * 15 | * The Initial Developer of the Original e is blindtiger. 16 | * 17 | */ 18 | 19 | #ifndef _EXCEPT_H_ 20 | #define _EXCEPT_H_ 21 | 22 | #ifdef __cplusplus 23 | /* Assume C declarations for C++ */ 24 | extern "C" { 25 | #endif /* __cplusplus */ 26 | 27 | #ifndef _WIN64 28 | typedef struct _DISPATCHER_CONTEXT { 29 | PEXCEPTION_REGISTRATION_RECORD RegistrationPointer; 30 | } DISPATCHER_CONTEXT; 31 | #endif // !_WIN64 32 | 33 | #define MAXIMUM_USER_FUNCTION_TABLE_SIZE 512 34 | #define MAXIMUM_KERNEL_FUNCTION_TABLE_SIZE 256 35 | 36 | typedef struct _FUNCTION_TABLE_ENTRY32 { 37 | ULONG FunctionTable; 38 | ULONG ImageBase; 39 | ULONG SizeOfImage; 40 | ULONG SizeOfTable; 41 | } FUNCTION_TABLE_ENTRY32, *PFUNCTION_TABLE_ENTRY32; 42 | 43 | C_ASSERT(sizeof(FUNCTION_TABLE_ENTRY32) == 0x10); 44 | 45 | typedef struct _FUNCTION_TABLE_ENTRY64 { 46 | ULONG64 FunctionTable; 47 | ULONG64 ImageBase; 48 | ULONG SizeOfImage; 49 | ULONG SizeOfTable; 50 | } FUNCTION_TABLE_ENTRY64, *PFUNCTION_TABLE_ENTRY64; 51 | 52 | C_ASSERT(sizeof(FUNCTION_TABLE_ENTRY64) == 0x18); 53 | 54 | typedef struct _FUNCTION_TABLE { 55 | ULONG CurrentSize; 56 | ULONG MaximumSize; 57 | ULONG Epoch; 58 | BOOLEAN Overflow; 59 | ULONG TableEntry[1]; 60 | } FUNCTION_TABLE, *PFUNCTION_TABLE; 61 | 62 | C_ASSERT(FIELD_OFFSET(FUNCTION_TABLE, TableEntry) == 0x10); 63 | 64 | typedef struct _FUNCTION_TABLE_SPECIAL { 65 | ULONG CurrentSize; 66 | ULONG MaximumSize; 67 | BOOLEAN Overflow; 68 | ULONG TableEntry[1]; 69 | } FUNCTION_TABLE_SPECIAL, *PFUNCTION_TABLE_SPECIAL; 70 | 71 | C_ASSERT(FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) == 0xc); 72 | 73 | ULONG 74 | NTAPI 75 | EncodeSystemPointer( 76 | __in ULONG Pointer 77 | ); 78 | 79 | ULONG 80 | NTAPI 81 | DecodeSystemPointer( 82 | __in ULONG Pointer 83 | ); 84 | 85 | VOID 86 | NTAPI 87 | CaptureImageExceptionValues( 88 | __in PVOID Base, 89 | __out PVOID * FunctionTable, 90 | __out PULONG TableSize 91 | ); 92 | 93 | VOID 94 | NTAPI 95 | InsertInvertedFunctionTable( 96 | __in PVOID ImageBase, 97 | __in ULONG SizeOfImage 98 | ); 99 | 100 | VOID 101 | NTAPI 102 | RemoveInvertedFunctionTable( 103 | __in PVOID ImageBase 104 | ); 105 | 106 | VOID 107 | NTAPI 108 | InsertUserInvertedFunctionTable( 109 | __in PVOID ImageBase, 110 | __in ULONG SizeOfImage 111 | ); 112 | 113 | VOID 114 | NTAPI 115 | RemoveUserInvertedFunctionTable( 116 | __in PVOID ImageBase 117 | ); 118 | 119 | #ifndef _WIN64 120 | VOID 121 | NTAPI 122 | InsertUserSpecialInvertedFunctionTable( 123 | __in PVOID ImageBase, 124 | __in ULONG SizeOfImage 125 | ); 126 | 127 | VOID 128 | NTAPI 129 | RemoveUserSpecialInvertedFunctionTable( 130 | __in PVOID ImageBase 131 | ); 132 | #else 133 | VOID 134 | NTAPI 135 | InsertWx86UserInvertedFunctionTable( 136 | __in PVOID ImageBase, 137 | __in ULONG SizeOfImage 138 | ); 139 | 140 | VOID 141 | NTAPI 142 | RemoveWx86UserInvertedFunctionTable( 143 | __in PVOID ImageBase 144 | ); 145 | 146 | VOID 147 | NTAPI 148 | InsertWx86UserSpecialInvertedFunctionTable( 149 | __in PVOID ImageBase, 150 | __in ULONG SizeOfImage 151 | ); 152 | 153 | VOID 154 | NTAPI 155 | RemoveWx86UserSpecialInvertedFunctionTable( 156 | __in PVOID ImageBase 157 | ); 158 | #endif // !_WIN64 159 | 160 | #ifdef __cplusplus 161 | } 162 | #endif /* __cplusplus */ 163 | 164 | #endif // !_EXCEPT_H_ 165 | -------------------------------------------------------------------------------- /I386/ExceptI386.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | * 5 | * The contents of this file are subject to the Mozilla Public License Version 6 | * 2.0 (the "License")); you may not use this file except in compliance with 7 | * the License. You may obtain a copy of the License at 8 | * http://www.mozilla.org/MPL/ 9 | * 10 | * Software distributed under the License is distributed on an "AS IS" basis, 11 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. SEe the License 12 | * for the specific language governing rights and limitations under the 13 | * License. 14 | * 15 | * The Initial Developer of the Original e is blindtiger. 16 | * 17 | */ 18 | 19 | #include 20 | 21 | #include 22 | 23 | #include "Except.h" 24 | #include "Jump.h" 25 | #include "Reload.h" 26 | #include "Testis.h" 27 | 28 | static PFUNCTION_TABLE InvertedFunctionTable; 29 | static PFUNCTION_TABLE UserInvertedFunctionTable; 30 | static PFUNCTION_TABLE_SPECIAL UserSpecialInvertedFunctionTable; 31 | 32 | BOOLEAN 33 | (NTAPI * NtosRtlDispatchException)( 34 | __in PEXCEPTION_RECORD ExceptionRecord, 35 | __in PCONTEXT ContextRecord 36 | ); 37 | 38 | NTSTATUS 39 | NTAPI 40 | ProtectPages( 41 | __inout PVOID BaseAddress, 42 | __inout SIZE_T RegionSize, 43 | __in ULONG NewProtect, 44 | __out PULONG OldProtect 45 | ); 46 | 47 | EXCEPTION_DISPOSITION 48 | NTAPI 49 | ExecuteHandlerForException( 50 | __in PEXCEPTION_RECORD ExceptionRecord, 51 | __in PVOID EstablisherFrame, 52 | __inout PCONTEXT ContextRecord, 53 | __inout PVOID DispatcherContext, 54 | __in PEXCEPTION_ROUTINE ExceptionRoutine 55 | ); 56 | 57 | BOOLEAN 58 | NTAPI 59 | DispatchException( 60 | __in PEXCEPTION_RECORD ExceptionRecord, 61 | __in PCONTEXT ContextRecord 62 | ); 63 | 64 | NTSTATUS 65 | NTAPI 66 | InitializeExcept( 67 | VOID 68 | ) 69 | { 70 | NTSTATUS Status = STATUS_SUCCESS; 71 | PVOID ImageBase = NULL; 72 | PCHAR NtosRtlRaiseException = NULL; 73 | 74 | ImageBase = GetImageHandle("ntoskrnl.exe"); 75 | 76 | if (NULL != ImageBase) { 77 | NtosRtlRaiseException = GetProcedureAddress( 78 | ImageBase, 79 | "RtlRaiseException", 80 | 0); 81 | 82 | if (NULL != NtosRtlRaiseException) { 83 | NtosRtlDispatchException = (PVOID)((NtosRtlRaiseException + 0x2d) + 84 | *(PLONG)(NtosRtlRaiseException + 85 | 0x2d) + sizeof(LONG)); 86 | 87 | if (NULL != NtosRtlDispatchException) { 88 | Status = SetHotPatchRoutine( 89 | (PVOID *)&NtosRtlDispatchException, 90 | DispatchException); 91 | } 92 | } 93 | } 94 | 95 | return Status; 96 | } 97 | 98 | PVOID 99 | NTAPI 100 | LookupFunctionTable( 101 | __in PVOID ControlPc, 102 | __out PVOID * ImageBase, 103 | __out PULONG SizeOfTable 104 | ) 105 | { 106 | ULONG CurrentSize = 0; 107 | ULONG Index = 0; 108 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 109 | PVOID FunctionTable = NULL; 110 | 111 | if (NULL != InvertedFunctionTable) { 112 | FunctionTableEntry = CONTAINING_RECORD( 113 | InvertedFunctionTable->TableEntry, 114 | FUNCTION_TABLE, 115 | TableEntry); 116 | 117 | CurrentSize = InvertedFunctionTable->CurrentSize; 118 | 119 | for (Index = 0; 120 | Index < CurrentSize; 121 | Index += 1) { 122 | if (PtrToUlong(ControlPc) >= FunctionTableEntry[Index].ImageBase && 123 | PtrToUlong(ControlPc) < FunctionTableEntry[Index].ImageBase + 124 | FunctionTableEntry[Index].SizeOfImage) { 125 | *ImageBase = UlongToPtr(FunctionTableEntry[Index].ImageBase); 126 | *SizeOfTable = FunctionTableEntry[Index].SizeOfTable; 127 | 128 | FunctionTable = ULongToPtr( 129 | DecodeSystemPointer(FunctionTableEntry[Index].FunctionTable)); 130 | 131 | /* 132 | #ifndef VMP 133 | DbgPrint( 134 | "Soul - Testis - lookup function table < %p >\n", 135 | ControlPc); 136 | #endif // !VMP 137 | */ 138 | 139 | break; 140 | } 141 | } 142 | } 143 | 144 | return FunctionTable; 145 | } 146 | 147 | BOOLEAN 148 | NTAPI 149 | DispatchException( 150 | __in PEXCEPTION_RECORD ExceptionRecord, 151 | __in PCONTEXT ContextRecord 152 | ) 153 | { 154 | BOOLEAN Completion = FALSE; 155 | DISPATCHER_CONTEXT DispatcherContext = { 0 }; 156 | EXCEPTION_DISPOSITION Disposition = { 0 }; 157 | PEXCEPTION_REGISTRATION_RECORD RegistrationPointer = NULL; 158 | PEXCEPTION_REGISTRATION_RECORD NestedRegistration = NULL; 159 | ULONG HighAddress = 0; 160 | ULONG HighLimit = 0; 161 | ULONG LowLimit = 0; 162 | EXCEPTION_RECORD RaiseExceptionRecord = { 0 }; 163 | ULONG Index = 0; 164 | ULONG TestAddress = 0; 165 | PKPRCB Prcb = NULL; 166 | ULONG DpcStack = 0; 167 | PVOID FunctionTable = NULL; 168 | PVOID ImageBase = NULL; 169 | ULONG SizeOfTable = 0; 170 | 171 | IoGetStackLimits(&LowLimit, &HighLimit); 172 | 173 | RegistrationPointer = KeGetPcr()->NtTib.ExceptionList; 174 | 175 | FunctionTable = LookupFunctionTable( 176 | ExceptionRecord->ExceptionAddress, 177 | &ImageBase, 178 | &SizeOfTable); 179 | 180 | if (NULL == FunctionTable) { 181 | Completion = NtosRtlDispatchException(ExceptionRecord, ContextRecord); 182 | goto DispatchExit; 183 | } 184 | 185 | NestedRegistration = 0; 186 | 187 | while (RegistrationPointer != EXCEPTION_CHAIN_END) { 188 | HighAddress = PtrToUlong(RegistrationPointer) + sizeof(EXCEPTION_REGISTRATION_RECORD); 189 | 190 | if ((PtrToUlong(RegistrationPointer) < LowLimit) || 191 | (HighAddress > HighLimit) || 192 | ((PtrToUlong(RegistrationPointer) & 0x3) != 0)) { 193 | TestAddress = PtrToUlong(RegistrationPointer); 194 | 195 | if (((TestAddress & 0x3) == 0) && 196 | KeGetCurrentIrql() >= DISPATCH_LEVEL) { 197 | 198 | Prcb = KeGetCurrentPrcb(); 199 | DpcStack = PtrToUlong(Prcb->DpcStack); 200 | 201 | if ((Prcb->DpcRoutineActive) && 202 | (HighAddress <= DpcStack) && 203 | (TestAddress >= DpcStack - KERNEL_STACK_SIZE)) { 204 | HighLimit = DpcStack; 205 | LowLimit = DpcStack - KERNEL_STACK_SIZE; 206 | continue; 207 | } 208 | } 209 | 210 | ExceptionRecord->ExceptionFlags |= EXCEPTION_STACK_INVALID; 211 | goto DispatchExit; 212 | } 213 | 214 | Disposition = ExecuteHandlerForException( 215 | ExceptionRecord, 216 | RegistrationPointer, 217 | ContextRecord, 218 | &DispatcherContext, 219 | RegistrationPointer->Handler); 220 | 221 | if (NestedRegistration == RegistrationPointer) { 222 | ExceptionRecord->ExceptionFlags &= ~EXCEPTION_NESTED_CALL; 223 | NestedRegistration = 0; 224 | } 225 | 226 | switch (Disposition) { 227 | case ExceptionContinueExecution: { 228 | if ((ExceptionRecord->ExceptionFlags & EXCEPTION_NONCONTINUABLE) != 0) { 229 | RaiseExceptionRecord.ExceptionCode = STATUS_NONCONTINUABLE_EXCEPTION; 230 | RaiseExceptionRecord.ExceptionFlags = EXCEPTION_NONCONTINUABLE; 231 | RaiseExceptionRecord.ExceptionRecord = ExceptionRecord; 232 | RaiseExceptionRecord.NumberParameters = 0; 233 | 234 | RtlRaiseException(&RaiseExceptionRecord); 235 | } 236 | else { 237 | Completion = TRUE; 238 | goto DispatchExit; 239 | } 240 | } 241 | 242 | case ExceptionContinueSearch: { 243 | if (ExceptionRecord->ExceptionFlags & EXCEPTION_STACK_INVALID) { 244 | goto DispatchExit; 245 | } 246 | 247 | break; 248 | } 249 | 250 | case ExceptionNestedException: { 251 | ExceptionRecord->ExceptionFlags |= EXCEPTION_NESTED_CALL; 252 | if (DispatcherContext.RegistrationPointer > NestedRegistration) { 253 | NestedRegistration = DispatcherContext.RegistrationPointer; 254 | } 255 | 256 | break; 257 | } 258 | 259 | default: { 260 | RaiseExceptionRecord.ExceptionCode = STATUS_INVALID_DISPOSITION; 261 | RaiseExceptionRecord.ExceptionFlags = EXCEPTION_NONCONTINUABLE; 262 | RaiseExceptionRecord.ExceptionRecord = ExceptionRecord; 263 | RaiseExceptionRecord.NumberParameters = 0; 264 | 265 | RtlRaiseException(&RaiseExceptionRecord); 266 | 267 | break; 268 | } 269 | } 270 | 271 | RegistrationPointer = RegistrationPointer->Next; 272 | } 273 | 274 | DispatchExit: 275 | return Completion; 276 | } 277 | 278 | VOID 279 | NTAPI 280 | SearchUserInvertedFunctionTable( 281 | VOID 282 | ) 283 | { 284 | PVOID ImageBase = NULL; 285 | PIMAGE_NT_HEADERS NtHeaders = NULL; 286 | PIMAGE_SECTION_HEADER NtSection = NULL; 287 | PSTR SectionName = NULL; 288 | PCHAR SectionBase = NULL; 289 | ULONG SizeToLock = 0; 290 | USHORT Index = 0; 291 | SIZE_T Offset = 0; 292 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 293 | PFUNCTION_TABLE_ENTRY32 FoundFunctionTableEntry = NULL; 294 | PVOID FunctionTable = NULL; 295 | ULONG SizeOfTable = 0; 296 | 297 | if (FALSE == PsIsSystemProcess(IoGetCurrentProcess())) { 298 | ImageBase = GetImageHandle("ntdll.dll"); 299 | 300 | if (NULL != ImageBase) { 301 | NtHeaders = RtlImageNtHeader(ImageBase); 302 | 303 | if (FALSE != MmIsAddressValid(NtHeaders)) { 304 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 305 | 306 | FunctionTableEntry = ExAllocatePool( 307 | NonPagedPool, 308 | sizeof(FUNCTION_TABLE_ENTRY32)); 309 | 310 | if (NULL != FunctionTableEntry) { 311 | CaptureImageExceptionValues( 312 | ImageBase, 313 | &FunctionTable, 314 | &SizeOfTable); 315 | 316 | FunctionTableEntry->FunctionTable = PtrToUlong(FunctionTable); 317 | FunctionTableEntry->ImageBase = PtrToUlong(ImageBase); 318 | FunctionTableEntry->SizeOfImage = FetchSizeOfImage(ImageBase); 319 | FunctionTableEntry->SizeOfTable = SizeOfTable; 320 | 321 | for (Index = 0; 322 | Index < NtHeaders->FileHeader.NumberOfSections; 323 | Index++) { 324 | SectionBase = (PCHAR)ImageBase + NtSection[Index].VirtualAddress; 325 | 326 | SizeToLock = NtSection[Index].SizeOfRawData; 327 | 328 | if (SizeToLock < NtSection[Index].Misc.VirtualSize) { 329 | SizeToLock = NtSection[Index].Misc.VirtualSize; 330 | } 331 | 332 | if (FALSE != MmIsAddressValid(SectionBase)) { 333 | if (IMAGE_SCN_CNT_INITIALIZED_DATA == FlagOn( 334 | NtSection[Index].Characteristics, 335 | IMAGE_SCN_CNT_INITIALIZED_DATA)) { 336 | for (Offset = 0; 337 | Offset < AlignedToSize( 338 | SizeToLock, 339 | NtHeaders->OptionalHeader.SectionAlignment) - sizeof(FUNCTION_TABLE_ENTRY32); 340 | Offset += sizeof(PVOID)) { 341 | FoundFunctionTableEntry = SectionBase + Offset; 342 | 343 | if (sizeof(FUNCTION_TABLE_ENTRY32) == RtlCompareMemory( 344 | FoundFunctionTableEntry, 345 | FunctionTableEntry, 346 | sizeof(FUNCTION_TABLE_ENTRY32))) { 347 | do { 348 | UserInvertedFunctionTable = CONTAINING_RECORD( 349 | FoundFunctionTableEntry, 350 | FUNCTION_TABLE, 351 | TableEntry); 352 | 353 | if (UserInvertedFunctionTable->MaximumSize == MAXIMUM_USER_FUNCTION_TABLE_SIZE && 354 | (UserInvertedFunctionTable->Overflow == TRUE || 355 | UserInvertedFunctionTable->Overflow == FALSE)) { 356 | break; 357 | } 358 | 359 | FoundFunctionTableEntry--; 360 | } while (TRUE); 361 | 362 | goto exit; 363 | } 364 | } 365 | } 366 | } 367 | } 368 | 369 | exit: 370 | ExFreePool(FunctionTableEntry); 371 | } 372 | } 373 | } 374 | } 375 | } 376 | 377 | VOID 378 | NTAPI 379 | SearchUserSpecialInvertedFunctionTable( 380 | VOID 381 | ) 382 | { 383 | PVOID ImageBase = NULL; 384 | PIMAGE_NT_HEADERS NtHeaders = NULL; 385 | PIMAGE_SECTION_HEADER NtSection = NULL; 386 | PSTR SectionName = NULL; 387 | PCHAR SectionBase = NULL; 388 | ULONG SizeToLock = 0; 389 | USHORT Index = 0; 390 | SIZE_T Offset = 0; 391 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 392 | PFUNCTION_TABLE_ENTRY32 FoundFunctionTableEntry = NULL; 393 | PVOID FunctionTable = NULL; 394 | ULONG SizeOfTable = 0; 395 | 396 | if (FALSE == PsIsSystemProcess(IoGetCurrentProcess())) { 397 | ImageBase = GetImageHandle("ntdll.dll"); 398 | 399 | if (NULL != ImageBase) { 400 | NtHeaders = RtlImageNtHeader(ImageBase); 401 | 402 | if (FALSE != MmIsAddressValid(NtHeaders)) { 403 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 404 | 405 | FunctionTableEntry = ExAllocatePool( 406 | NonPagedPool, 407 | sizeof(FUNCTION_TABLE_ENTRY32)); 408 | 409 | if (NULL != FunctionTableEntry) { 410 | CaptureImageExceptionValues( 411 | ImageBase, 412 | &FunctionTable, 413 | &SizeOfTable); 414 | 415 | FunctionTableEntry->FunctionTable = EncodeSystemPointer(PtrToUlong(FunctionTable)); 416 | FunctionTableEntry->ImageBase = PtrToUlong(ImageBase); 417 | FunctionTableEntry->SizeOfImage = FetchSizeOfImage(ImageBase); 418 | FunctionTableEntry->SizeOfTable = SizeOfTable; 419 | 420 | for (Index = 0; 421 | Index < NtHeaders->FileHeader.NumberOfSections; 422 | Index++) { 423 | SectionBase = (PCHAR)ImageBase + NtSection[Index].VirtualAddress; 424 | 425 | SizeToLock = NtSection[Index].SizeOfRawData; 426 | 427 | if (SizeToLock < NtSection[Index].Misc.VirtualSize) { 428 | SizeToLock = NtSection[Index].Misc.VirtualSize; 429 | } 430 | 431 | if (FALSE != MmIsAddressValid(SectionBase)) { 432 | if (IMAGE_SCN_CNT_INITIALIZED_DATA == FlagOn( 433 | NtSection[Index].Characteristics, 434 | IMAGE_SCN_CNT_INITIALIZED_DATA)) { 435 | for (Offset = 0; 436 | Offset < AlignedToSize( 437 | SizeToLock, 438 | NtHeaders->OptionalHeader.SectionAlignment) - sizeof(FUNCTION_TABLE_ENTRY32); 439 | Offset += sizeof(PVOID)) { 440 | FoundFunctionTableEntry = SectionBase + Offset; 441 | 442 | if (sizeof(FUNCTION_TABLE_ENTRY32) == RtlCompareMemory( 443 | FoundFunctionTableEntry, 444 | FunctionTableEntry, 445 | sizeof(FUNCTION_TABLE_ENTRY32))) { 446 | do { 447 | UserSpecialInvertedFunctionTable = CONTAINING_RECORD( 448 | FoundFunctionTableEntry, 449 | FUNCTION_TABLE_SPECIAL, 450 | TableEntry); 451 | 452 | if (UserSpecialInvertedFunctionTable->MaximumSize == MAXIMUM_USER_FUNCTION_TABLE_SIZE && 453 | (UserSpecialInvertedFunctionTable->Overflow == TRUE || 454 | UserSpecialInvertedFunctionTable->Overflow == FALSE)) { 455 | break; 456 | } 457 | 458 | FoundFunctionTableEntry--; 459 | } while (TRUE); 460 | 461 | goto exit; 462 | } 463 | } 464 | } 465 | } 466 | } 467 | 468 | exit: 469 | ExFreePool(FunctionTableEntry); 470 | } 471 | } 472 | } 473 | } 474 | } 475 | 476 | VOID 477 | NTAPI 478 | InsertInvertedFunctionTable( 479 | __in PVOID ImageBase, 480 | __in ULONG SizeOfImage 481 | ) 482 | { 483 | ULONG CurrentSize = 0; 484 | ULONG SizeOfTable = 0; 485 | ULONG Index = 0; 486 | PVOID FunctionTable = NULL; 487 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 488 | PVOID ImageHandle = NULL; 489 | 490 | if (NULL == InvertedFunctionTable) { 491 | InvertedFunctionTable = ExAllocatePool( 492 | NonPagedPool, 493 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 494 | sizeof(FUNCTION_TABLE_ENTRY32) * MAXIMUM_KERNEL_FUNCTION_TABLE_SIZE); 495 | 496 | if (NULL != InvertedFunctionTable) { 497 | RtlZeroMemory( 498 | InvertedFunctionTable, 499 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 500 | sizeof(FUNCTION_TABLE_ENTRY32) * MAXIMUM_KERNEL_FUNCTION_TABLE_SIZE); 501 | 502 | InvertedFunctionTable->MaximumSize = MAXIMUM_KERNEL_FUNCTION_TABLE_SIZE; 503 | 504 | InitializeExcept(); 505 | } 506 | } 507 | 508 | if (NULL != InvertedFunctionTable) { 509 | FunctionTableEntry = CONTAINING_RECORD( 510 | InvertedFunctionTable->TableEntry, 511 | FUNCTION_TABLE, 512 | TableEntry); 513 | 514 | CurrentSize = InvertedFunctionTable->CurrentSize; 515 | 516 | if (CurrentSize != InvertedFunctionTable->MaximumSize) { 517 | if (0 != CurrentSize) { 518 | for (; 519 | Index < CurrentSize; 520 | Index++) { 521 | if (PtrToUlong(ImageBase) < FunctionTableEntry[Index].ImageBase) { 522 | RtlMoveMemory( 523 | &FunctionTableEntry[Index + 1], 524 | &FunctionTableEntry[Index], 525 | (CurrentSize - Index) * sizeof(FUNCTION_TABLE_ENTRY32)); 526 | 527 | break; 528 | } 529 | } 530 | } 531 | 532 | CaptureImageExceptionValues( 533 | ImageBase, 534 | &FunctionTable, 535 | &SizeOfTable); 536 | 537 | if (LongToPtr(-1) != FunctionTable && 538 | -1 != SizeOfTable) { 539 | FunctionTableEntry[Index].ImageBase = PtrToUlong(ImageBase); 540 | FunctionTableEntry[Index].SizeOfImage = SizeOfImage; 541 | FunctionTableEntry[Index].FunctionTable = EncodeSystemPointer(PtrToUlong(FunctionTable)); 542 | FunctionTableEntry[Index].SizeOfTable = SizeOfTable; 543 | 544 | InvertedFunctionTable->CurrentSize += 1; 545 | 546 | #ifndef VMP 547 | DbgPrint( 548 | "Soul - Testis - insert inverted function table < %04d >\n", 549 | Index); 550 | #endif // !VMP 551 | } 552 | } 553 | else { 554 | InvertedFunctionTable->Overflow = TRUE; 555 | } 556 | } 557 | } 558 | 559 | VOID 560 | NTAPI 561 | RemoveInvertedFunctionTable( 562 | __in PVOID ImageBase 563 | ) 564 | { 565 | ULONG CurrentSize = 0; 566 | ULONG Index = 0; 567 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 568 | 569 | if (NULL != InvertedFunctionTable) { 570 | FunctionTableEntry = CONTAINING_RECORD( 571 | InvertedFunctionTable->TableEntry, 572 | FUNCTION_TABLE, 573 | TableEntry); 574 | 575 | CurrentSize = InvertedFunctionTable->CurrentSize; 576 | 577 | for (Index = 0; 578 | Index < CurrentSize; 579 | Index += 1) { 580 | if (PtrToUlong(ImageBase) == FunctionTableEntry[Index].ImageBase) { 581 | RtlMoveMemory( 582 | &FunctionTableEntry[Index], 583 | &FunctionTableEntry[Index + 1], 584 | (CurrentSize - Index - 1) * sizeof(FUNCTION_TABLE_ENTRY32)); 585 | 586 | InvertedFunctionTable->CurrentSize -= 1; 587 | 588 | #ifndef VMP 589 | DbgPrint( 590 | "Soul - Testis - remote inverted function table < %04d >\n", 591 | Index); 592 | #endif // !VMP 593 | 594 | break; 595 | } 596 | } 597 | } 598 | } 599 | 600 | VOID 601 | NTAPI 602 | InsertUserInvertedFunctionTable( 603 | __in PVOID ImageBase, 604 | __in ULONG SizeOfImage 605 | ) 606 | { 607 | NTSTATUS Status = STATUS_SUCCESS; 608 | ULONG CurrentSize = 0; 609 | ULONG SizeOfTable = 0; 610 | ULONG Index = 0; 611 | PVOID FunctionTable = NULL; 612 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 613 | PVOID ImageHandle = NULL; 614 | ULONG OldProtect = 0; 615 | 616 | if (NULL == UserInvertedFunctionTable) { 617 | SearchUserInvertedFunctionTable(); 618 | } 619 | 620 | if (NULL != UserInvertedFunctionTable) { 621 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY32) 622 | &UserInvertedFunctionTable->TableEntry; 623 | 624 | CurrentSize = UserInvertedFunctionTable->CurrentSize; 625 | 626 | Status = ProtectPages( 627 | UserInvertedFunctionTable, 628 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 629 | sizeof(FUNCTION_TABLE_ENTRY32) * UserInvertedFunctionTable->MaximumSize, 630 | PAGE_READWRITE, 631 | &OldProtect); 632 | 633 | if (NT_SUCCESS(Status)) { 634 | ImageHandle = UlongToPtr(GetImageHandle("ntdll.dll")); 635 | 636 | if (NULL != ImageHandle && 637 | ImageHandle == UlongToPtr(FunctionTableEntry[0].ImageBase)) { 638 | Index = 1; 639 | } 640 | 641 | if (CurrentSize != UserInvertedFunctionTable->MaximumSize) { 642 | if (0 != CurrentSize) { 643 | for (; 644 | Index < CurrentSize; 645 | Index++) { 646 | if (PtrToUlong(ImageBase) < FunctionTableEntry[Index].ImageBase) { 647 | RtlMoveMemory( 648 | &FunctionTableEntry[Index + 1], 649 | &FunctionTableEntry[Index], 650 | (CurrentSize - Index) * sizeof(FUNCTION_TABLE_ENTRY32)); 651 | 652 | break; 653 | } 654 | } 655 | } 656 | 657 | CaptureImageExceptionValues( 658 | ImageBase, 659 | &FunctionTable, 660 | &SizeOfTable); 661 | 662 | if (LongToPtr(-1) != FunctionTable && 663 | -1 != SizeOfTable) { 664 | FunctionTableEntry[Index].ImageBase = PtrToUlong(ImageBase); 665 | FunctionTableEntry[Index].SizeOfImage = SizeOfImage; 666 | FunctionTableEntry[Index].FunctionTable = EncodeSystemPointer(PtrToUlong(FunctionTable)); 667 | FunctionTableEntry[Index].SizeOfTable = SizeOfTable; 668 | 669 | UserInvertedFunctionTable->CurrentSize += 1; 670 | 671 | #ifndef VMP 672 | DbgPrint( 673 | "Soul - Testis - insert user inverted function table < %04d >\n", 674 | Index); 675 | #endif // !VMP 676 | } 677 | } 678 | else { 679 | UserInvertedFunctionTable->Overflow = TRUE; 680 | } 681 | 682 | ProtectPages( 683 | UserInvertedFunctionTable, 684 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 685 | sizeof(FUNCTION_TABLE_ENTRY32) * UserInvertedFunctionTable->MaximumSize, 686 | OldProtect, 687 | &OldProtect); 688 | } 689 | } 690 | } 691 | 692 | VOID 693 | NTAPI 694 | RemoveUserInvertedFunctionTable( 695 | __in PVOID ImageBase 696 | ) 697 | { 698 | NTSTATUS Status = STATUS_SUCCESS; 699 | ULONG CurrentSize = 0; 700 | ULONG Index = 0; 701 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 702 | ULONG OldProtect = 0; 703 | 704 | if (NULL != UserInvertedFunctionTable) { 705 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY32) 706 | &UserInvertedFunctionTable->TableEntry; 707 | 708 | CurrentSize = UserInvertedFunctionTable->CurrentSize; 709 | 710 | Status = ProtectPages( 711 | UserInvertedFunctionTable, 712 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 713 | sizeof(FUNCTION_TABLE_ENTRY32) * UserInvertedFunctionTable->MaximumSize, 714 | PAGE_READWRITE, 715 | &OldProtect); 716 | 717 | if (NT_SUCCESS(Status)) { 718 | for (Index = 0; 719 | Index < CurrentSize; 720 | Index += 1) { 721 | if (PtrToUlong(ImageBase) == FunctionTableEntry[Index].ImageBase) { 722 | RtlMoveMemory( 723 | &FunctionTableEntry[Index], 724 | &FunctionTableEntry[Index + 1], 725 | (CurrentSize - Index - 1) * sizeof(FUNCTION_TABLE_ENTRY32)); 726 | 727 | UserInvertedFunctionTable->CurrentSize -= 1; 728 | 729 | #ifndef VMP 730 | DbgPrint( 731 | "Soul - Testis - remote user inverted function table < %04d >\n", 732 | Index); 733 | #endif // !VMP 734 | 735 | break; 736 | } 737 | } 738 | 739 | ProtectPages( 740 | UserInvertedFunctionTable, 741 | FIELD_OFFSET(FUNCTION_TABLE, TableEntry) + 742 | sizeof(FUNCTION_TABLE_ENTRY32) * UserInvertedFunctionTable->MaximumSize, 743 | OldProtect, 744 | &OldProtect); 745 | } 746 | } 747 | } 748 | 749 | VOID 750 | NTAPI 751 | InsertUserSpecialInvertedFunctionTable( 752 | __in PVOID ImageBase, 753 | __in ULONG SizeOfImage 754 | ) 755 | { 756 | NTSTATUS Status = STATUS_SUCCESS; 757 | ULONG CurrentSize = 0; 758 | ULONG SizeOfTable = 0; 759 | ULONG Index = 0; 760 | PVOID FunctionTable = NULL; 761 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 762 | PVOID ImageHandle = NULL; 763 | ULONG OldProtect = 0; 764 | 765 | if (NULL == UserSpecialInvertedFunctionTable) { 766 | SearchUserSpecialInvertedFunctionTable(); 767 | } 768 | 769 | if (NULL != UserSpecialInvertedFunctionTable) { 770 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY32) 771 | &UserSpecialInvertedFunctionTable->TableEntry; 772 | 773 | CurrentSize = UserSpecialInvertedFunctionTable->CurrentSize; 774 | 775 | Status = ProtectPages( 776 | UserSpecialInvertedFunctionTable, 777 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 778 | sizeof(FUNCTION_TABLE_ENTRY32) * UserSpecialInvertedFunctionTable->MaximumSize, 779 | PAGE_READWRITE, 780 | &OldProtect); 781 | 782 | if (NT_SUCCESS(Status)) { 783 | ImageHandle = UlongToPtr(GetImageHandle("ntdll.dll")); 784 | 785 | if (NULL != ImageHandle && 786 | ImageHandle == UlongToPtr(FunctionTableEntry[0].ImageBase)) { 787 | Index = 1; 788 | } 789 | 790 | if (CurrentSize != UserSpecialInvertedFunctionTable->MaximumSize) { 791 | if (0 != CurrentSize) { 792 | for (; 793 | Index < CurrentSize; 794 | Index++) { 795 | if (PtrToUlong(ImageBase) < FunctionTableEntry[Index].ImageBase) { 796 | RtlMoveMemory( 797 | &FunctionTableEntry[Index + 1], 798 | &FunctionTableEntry[Index], 799 | (CurrentSize - Index) * sizeof(FUNCTION_TABLE_ENTRY32)); 800 | 801 | break; 802 | } 803 | } 804 | } 805 | 806 | CaptureImageExceptionValues( 807 | ImageBase, 808 | &FunctionTable, 809 | &SizeOfTable); 810 | 811 | if (LongToPtr(-1) != FunctionTable && 812 | -1 != SizeOfTable) { 813 | FunctionTableEntry[Index].ImageBase = PtrToUlong(ImageBase); 814 | FunctionTableEntry[Index].SizeOfImage = SizeOfImage; 815 | FunctionTableEntry[Index].FunctionTable = EncodeSystemPointer(PtrToUlong(FunctionTable)); 816 | FunctionTableEntry[Index].SizeOfTable = SizeOfTable; 817 | 818 | UserSpecialInvertedFunctionTable->CurrentSize += 1; 819 | 820 | #ifndef VMP 821 | DbgPrint( 822 | "Soul - Testis - insert user special inverted function table < %04d >\n", 823 | Index); 824 | #endif // !VMP 825 | } 826 | } 827 | else { 828 | UserSpecialInvertedFunctionTable->Overflow = TRUE; 829 | } 830 | 831 | ProtectPages( 832 | UserSpecialInvertedFunctionTable, 833 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 834 | sizeof(FUNCTION_TABLE_ENTRY32) * UserSpecialInvertedFunctionTable->MaximumSize, 835 | OldProtect, 836 | &OldProtect); 837 | } 838 | } 839 | } 840 | 841 | VOID 842 | NTAPI 843 | RemoveUserSpecialInvertedFunctionTable( 844 | __in PVOID ImageBase 845 | ) 846 | { 847 | NTSTATUS Status = STATUS_SUCCESS; 848 | ULONG CurrentSize = 0; 849 | ULONG Index = 0; 850 | PFUNCTION_TABLE_ENTRY32 FunctionTableEntry = NULL; 851 | ULONG OldProtect = 0; 852 | 853 | if (NULL != UserSpecialInvertedFunctionTable) { 854 | FunctionTableEntry = (PFUNCTION_TABLE_ENTRY32) 855 | &UserSpecialInvertedFunctionTable->TableEntry; 856 | 857 | CurrentSize = UserSpecialInvertedFunctionTable->CurrentSize; 858 | 859 | Status = ProtectPages( 860 | UserSpecialInvertedFunctionTable, 861 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 862 | sizeof(FUNCTION_TABLE_ENTRY32) * UserSpecialInvertedFunctionTable->MaximumSize, 863 | PAGE_READWRITE, 864 | &OldProtect); 865 | 866 | if (NT_SUCCESS(Status)) { 867 | for (Index = 0; 868 | Index < CurrentSize; 869 | Index += 1) { 870 | if (PtrToUlong(ImageBase) == FunctionTableEntry[Index].ImageBase) { 871 | RtlMoveMemory( 872 | &FunctionTableEntry[Index], 873 | &FunctionTableEntry[Index + 1], 874 | (CurrentSize - Index - 1) * sizeof(FUNCTION_TABLE_ENTRY32)); 875 | 876 | UserSpecialInvertedFunctionTable->CurrentSize -= 1; 877 | 878 | #ifndef VMP 879 | DbgPrint( 880 | "Soul - Testis - remote user special inverted function table < %04d >\n", 881 | Index); 882 | #endif // !VMP 883 | 884 | break; 885 | } 886 | } 887 | 888 | ProtectPages( 889 | UserSpecialInvertedFunctionTable, 890 | FIELD_OFFSET(FUNCTION_TABLE_SPECIAL, TableEntry) + 891 | sizeof(FUNCTION_TABLE_ENTRY32) * UserSpecialInvertedFunctionTable->MaximumSize, 892 | OldProtect, 893 | &OldProtect); 894 | } 895 | } 896 | } 897 | -------------------------------------------------------------------------------- /I386/StubsI386.asm: -------------------------------------------------------------------------------- 1 | ; 2 | ; 3 | ; Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | ; 5 | ; The contents of this file are subject to the Mozilla Public License Version 6 | ; 2.0 (the "License"); you may not use this file except in compliance with 7 | ; the License. You may obtain a copy of the License at 8 | ; http://www.mozilla.org/MPL/ 9 | ; 10 | ; Software distributed under the License is distributed on an "AS IS" basis, 11 | ; WITHOUT WARRANTY OF ANY KIND, either express or implied. Ree the License 12 | ; for the specific language governing rights and limitations under the 13 | ; License. 14 | ; 15 | ; The Initial Developer of the Original e is blindtiger. 16 | ; 17 | ; 18 | 19 | .686P 20 | .XMM 21 | 22 | OPTION CASEMAP:NONE 23 | 24 | BuildServiceDispatchTable PROTO STDCALL 25 | 26 | _DATA$00 SEGMENT PAGE 'DATA' 27 | 28 | _DATA$00 ENDS 29 | 30 | _TEXT$00 SEGMENT PAGE 'CODE' 31 | 32 | STUBS_ENTRY MACRO Name, NumArgs 33 | 34 | ifb 35 | _Stub&Name&@&0 : 36 | 37 | mov eax, _Stub&Name&@&0 ; save caller 38 | push eax 39 | mov eax, _StubsBridge 40 | jmp eax 41 | 42 | DB 4 dup (0cch) 43 | ret 44 | 45 | int 3 46 | 47 | PUBLIC _Stub&Name&@&0 48 | else 49 | _Stub&Name&@&NumArgs : 50 | mov eax, _Stub&Name&@&NumArgs ; save caller 51 | push eax 52 | mov eax, _StubsBridge 53 | jmp eax 54 | 55 | DB 4 dup (0cch) 56 | 57 | ret NumArgs 58 | 59 | int 3 60 | 61 | PUBLIC _Stub&Name&@&NumArgs 62 | endif 63 | 64 | ENDM 65 | 66 | _ServiceDispatchTable : 67 | PUBLIC _ServiceDispatchTable 68 | 69 | STUBS_ENTRY AcceptConnectPort, 24 70 | 71 | align 20h 72 | 73 | STUBS_ENTRY AccessCheck, 32 74 | 75 | align 20h 76 | 77 | STUBS_ENTRY AccessCheckAndAuditAlarm, 44 78 | 79 | align 20h 80 | 81 | STUBS_ENTRY AccessCheckByType, 44 82 | 83 | align 20h 84 | 85 | STUBS_ENTRY AccessCheckByTypeAndAuditAlarm, 64 86 | 87 | align 20h 88 | 89 | STUBS_ENTRY AccessCheckByTypeResultList, 44 90 | 91 | align 20h 92 | 93 | STUBS_ENTRY AccessCheckByTypeResultListAndAuditAlarm, 64 94 | 95 | align 20h 96 | 97 | STUBS_ENTRY AccessCheckByTypeResultListAndAuditAlarmByHandle, 68 98 | 99 | align 20h 100 | 101 | STUBS_ENTRY AcquireCMFViewOwnership, 12 102 | 103 | align 20h 104 | 105 | STUBS_ENTRY AcquireProcessActivityReference, 12 106 | 107 | align 20h 108 | 109 | STUBS_ENTRY AddAtom, 12 110 | 111 | align 20h 112 | 113 | STUBS_ENTRY AddAtomEx, 16 114 | 115 | align 20h 116 | 117 | STUBS_ENTRY AddBootEntry, 8 118 | 119 | align 20h 120 | 121 | STUBS_ENTRY AddDriverEntry, 8 122 | 123 | align 20h 124 | 125 | STUBS_ENTRY AdjustGroupsToken, 24 126 | 127 | align 20h 128 | 129 | STUBS_ENTRY AdjustPrivilegesToken, 24 130 | 131 | align 20h 132 | 133 | STUBS_ENTRY AdjustTokenClaimsAndDeviceGroups, 64 134 | 135 | align 20h 136 | 137 | STUBS_ENTRY AlertResumeThread, 8 138 | 139 | align 20h 140 | 141 | STUBS_ENTRY AlertThread, 4 142 | 143 | align 20h 144 | 145 | STUBS_ENTRY AlertThreadByThreadId, 4 146 | 147 | align 20h 148 | 149 | STUBS_ENTRY AllocateLocallyUniqueId, 4 150 | 151 | align 20h 152 | 153 | STUBS_ENTRY AllocateReserveObject, 12 154 | 155 | align 20h 156 | 157 | STUBS_ENTRY AllocateUserPhysicalPages, 12 158 | 159 | align 20h 160 | 161 | STUBS_ENTRY AllocateUuids, 16 162 | 163 | align 20h 164 | 165 | STUBS_ENTRY AllocateVirtualMemory, 24 166 | 167 | align 20h 168 | 169 | STUBS_ENTRY AllocateVirtualMemoryEx, 28 170 | 171 | align 20h 172 | 173 | STUBS_ENTRY AlpcAcceptConnectPort, 36 174 | 175 | align 20h 176 | 177 | STUBS_ENTRY AlpcCancelMessage, 12 178 | 179 | align 20h 180 | 181 | STUBS_ENTRY AlpcConnectPort, 44 182 | 183 | align 20h 184 | 185 | STUBS_ENTRY AlpcConnectPortEx, 44 186 | 187 | align 20h 188 | 189 | STUBS_ENTRY AlpcCreatePort, 12 190 | 191 | align 20h 192 | 193 | STUBS_ENTRY AlpcCreatePortSection, 24 194 | 195 | align 20h 196 | 197 | STUBS_ENTRY AlpcCreateResourceReserve, 16 198 | 199 | align 20h 200 | 201 | STUBS_ENTRY AlpcCreateSectionView, 12 202 | 203 | align 20h 204 | 205 | STUBS_ENTRY AlpcCreateSecurityContext, 12 206 | 207 | align 20h 208 | 209 | STUBS_ENTRY AlpcDeletePortSection, 12 210 | 211 | align 20h 212 | 213 | STUBS_ENTRY AlpcDeleteResourceReserve, 12 214 | 215 | align 20h 216 | 217 | STUBS_ENTRY AlpcDeleteSectionView, 12 218 | 219 | align 20h 220 | 221 | STUBS_ENTRY AlpcDeleteSecurityContext, 12 222 | 223 | align 20h 224 | 225 | STUBS_ENTRY AlpcDisconnectPort, 8 226 | 227 | align 20h 228 | 229 | STUBS_ENTRY AlpcImpersonateClientContainerOfPort, 12 230 | 231 | align 20h 232 | 233 | STUBS_ENTRY AlpcImpersonateClientOfPort, 12 234 | 235 | align 20h 236 | 237 | STUBS_ENTRY AlpcOpenSenderProcess, 24 238 | 239 | align 20h 240 | 241 | STUBS_ENTRY AlpcOpenSenderThread, 24 242 | 243 | align 20h 244 | 245 | STUBS_ENTRY AlpcQueryInformation, 20 246 | 247 | align 20h 248 | 249 | STUBS_ENTRY AlpcQueryInformationMessage, 24 250 | 251 | align 20h 252 | 253 | STUBS_ENTRY AlpcRevokeSecurityContext, 12 254 | 255 | align 20h 256 | 257 | STUBS_ENTRY AlpcSendWaitReceivePort, 32 258 | 259 | align 20h 260 | 261 | STUBS_ENTRY AlpcSetInformation, 16 262 | 263 | align 20h 264 | 265 | STUBS_ENTRY ApphelpCacheControl, 8 266 | 267 | align 20h 268 | 269 | STUBS_ENTRY AreMappedFilesTheSame, 8 270 | 271 | align 20h 272 | 273 | STUBS_ENTRY AssignProcessToJobObject, 8 274 | 275 | align 20h 276 | 277 | STUBS_ENTRY AssociateWaitCompletionPacket, 32 278 | 279 | align 20h 280 | 281 | STUBS_ENTRY CallEnclave, 16 282 | 283 | align 20h 284 | 285 | STUBS_ENTRY CallbackReturn, 12 286 | 287 | align 20h 288 | 289 | STUBS_ENTRY CancelDeviceWakeupRequest, 4 290 | 291 | align 20h 292 | 293 | STUBS_ENTRY CancelIoFile, 8 294 | 295 | align 20h 296 | 297 | STUBS_ENTRY CancelIoFileEx, 12 298 | 299 | align 20h 300 | 301 | STUBS_ENTRY CancelSynchronousIoFile, 12 302 | 303 | align 20h 304 | 305 | STUBS_ENTRY CancelTimer, 8 306 | 307 | align 20h 308 | 309 | STUBS_ENTRY CancelTimer2, 8 310 | 311 | align 20h 312 | 313 | STUBS_ENTRY CancelWaitCompletionPacket, 8 314 | 315 | align 20h 316 | 317 | STUBS_ENTRY ClearAllSavepointsTransaction, 4 318 | 319 | align 20h 320 | 321 | STUBS_ENTRY ClearEvent, 4 322 | 323 | align 20h 324 | 325 | STUBS_ENTRY ClearSavepointTransaction, 8 326 | 327 | align 20h 328 | 329 | STUBS_ENTRY Close, 4 330 | 331 | align 20h 332 | 333 | STUBS_ENTRY CloseObjectAuditAlarm, 12 334 | 335 | align 20h 336 | 337 | STUBS_ENTRY CommitComplete, 8 338 | 339 | align 20h 340 | 341 | STUBS_ENTRY CommitEnlistment, 8 342 | 343 | align 20h 344 | 345 | STUBS_ENTRY CommitRegistryTransaction, 8 346 | 347 | align 20h 348 | 349 | STUBS_ENTRY CommitTransaction, 8 350 | 351 | align 20h 352 | 353 | STUBS_ENTRY CompactKeys, 8 354 | 355 | align 20h 356 | 357 | STUBS_ENTRY CompareObjects, 8 358 | 359 | align 20h 360 | 361 | STUBS_ENTRY CompareSigningLevels, 8 362 | 363 | align 20h 364 | 365 | STUBS_ENTRY CompareTokens, 12 366 | 367 | align 20h 368 | 369 | STUBS_ENTRY CompleteConnectPort, 4 370 | 371 | align 20h 372 | 373 | STUBS_ENTRY CompressKey, 4 374 | 375 | align 20h 376 | 377 | STUBS_ENTRY ConnectPort, 32 378 | 379 | align 20h 380 | 381 | STUBS_ENTRY Continue, 8 382 | 383 | align 20h 384 | 385 | STUBS_ENTRY ConvertBetweenAuxiliaryCounterAndPerformanceCounter, 16 386 | 387 | align 20h 388 | 389 | STUBS_ENTRY CreateDebugObject, 16 390 | 391 | align 20h 392 | 393 | STUBS_ENTRY CreateDirectoryObject, 12 394 | 395 | align 20h 396 | 397 | STUBS_ENTRY CreateDirectoryObjectEx, 20 398 | 399 | align 20h 400 | 401 | STUBS_ENTRY CreateEnclave, 36 402 | 403 | align 20h 404 | 405 | STUBS_ENTRY CreateEnlistment, 32 406 | 407 | align 20h 408 | 409 | STUBS_ENTRY CreateEvent, 20 410 | 411 | align 20h 412 | 413 | STUBS_ENTRY CreateEventPair, 12 414 | 415 | align 20h 416 | 417 | STUBS_ENTRY CreateFile, 44 418 | 419 | align 20h 420 | 421 | STUBS_ENTRY CreateIRTimer, 12 422 | 423 | align 20h 424 | 425 | STUBS_ENTRY CreateIoCompletion, 16 426 | 427 | align 20h 428 | 429 | STUBS_ENTRY CreateJobObject, 12 430 | 431 | align 20h 432 | 433 | STUBS_ENTRY CreateJobSet, 12 434 | 435 | align 20h 436 | 437 | STUBS_ENTRY CreateKey, 28 438 | 439 | align 20h 440 | 441 | STUBS_ENTRY CreateKeyTransacted, 32 442 | 443 | align 20h 444 | 445 | STUBS_ENTRY CreateKeyedEvent, 16 446 | 447 | align 20h 448 | 449 | STUBS_ENTRY CreateLowBoxToken, 36 450 | 451 | align 20h 452 | 453 | STUBS_ENTRY CreateMailslotFile, 32 454 | 455 | align 20h 456 | 457 | STUBS_ENTRY CreateMutant, 16 458 | 459 | align 20h 460 | 461 | STUBS_ENTRY CreateNamedPipeFile, 56 462 | 463 | align 20h 464 | 465 | STUBS_ENTRY CreatePagingFile, 16 466 | 467 | align 20h 468 | 469 | STUBS_ENTRY CreatePartition, 16 470 | 471 | align 20h 472 | 473 | STUBS_ENTRY CreatePort, 20 474 | 475 | align 20h 476 | 477 | STUBS_ENTRY CreatePrivateNamespace, 16 478 | 479 | align 20h 480 | 481 | STUBS_ENTRY CreateProcess, 32 482 | 483 | align 20h 484 | 485 | STUBS_ENTRY CreateProcessEx, 36 486 | 487 | align 20h 488 | 489 | STUBS_ENTRY CreateProfile, 36 490 | 491 | align 20h 492 | 493 | STUBS_ENTRY CreateProfileEx, 40 494 | 495 | align 20h 496 | 497 | STUBS_ENTRY CreateRegistryTransaction, 16 498 | 499 | align 20h 500 | 501 | STUBS_ENTRY CreateResourceManager, 28 502 | 503 | align 20h 504 | 505 | STUBS_ENTRY CreateSection, 28 506 | 507 | align 20h 508 | 509 | STUBS_ENTRY CreateSemaphore, 20 510 | 511 | align 20h 512 | 513 | STUBS_ENTRY CreateSymbolicLinkObject, 16 514 | 515 | align 20h 516 | 517 | STUBS_ENTRY CreateThread, 32 518 | 519 | align 20h 520 | 521 | STUBS_ENTRY CreateThreadEx, 44 522 | 523 | align 20h 524 | 525 | STUBS_ENTRY CreateTimer, 16 526 | 527 | align 20h 528 | 529 | STUBS_ENTRY CreateTimer2, 20 530 | 531 | align 20h 532 | 533 | STUBS_ENTRY CreateToken, 52 534 | 535 | align 20h 536 | 537 | STUBS_ENTRY CreateTokenEx, 68 538 | 539 | align 20h 540 | 541 | STUBS_ENTRY CreateTransaction, 40 542 | 543 | align 20h 544 | 545 | STUBS_ENTRY CreateTransactionManager, 24 546 | 547 | align 20h 548 | 549 | STUBS_ENTRY CreateUserProcess, 44 550 | 551 | align 20h 552 | 553 | STUBS_ENTRY CreateWaitCompletionPacket, 12 554 | 555 | align 20h 556 | 557 | STUBS_ENTRY CreateWaitablePort, 20 558 | 559 | align 20h 560 | 561 | STUBS_ENTRY CreateWnfStateName, 28 562 | 563 | align 20h 564 | 565 | STUBS_ENTRY CreateWorkerFactory, 40 566 | 567 | align 20h 568 | 569 | STUBS_ENTRY DebugActiveProcess, 8 570 | 571 | align 20h 572 | 573 | STUBS_ENTRY DebugContinue, 12 574 | 575 | align 20h 576 | 577 | STUBS_ENTRY DelayExecution, 8 578 | 579 | align 20h 580 | 581 | STUBS_ENTRY DeleteAtom, 4 582 | 583 | align 20h 584 | 585 | STUBS_ENTRY DeleteBootEntry, 4 586 | 587 | align 20h 588 | 589 | STUBS_ENTRY DeleteDriverEntry, 4 590 | 591 | align 20h 592 | 593 | STUBS_ENTRY DeleteFile, 4 594 | 595 | align 20h 596 | 597 | STUBS_ENTRY DeleteKey, 4 598 | 599 | align 20h 600 | 601 | STUBS_ENTRY DeleteObjectAuditAlarm, 12 602 | 603 | align 20h 604 | 605 | STUBS_ENTRY DeletePrivateNamespace, 4 606 | 607 | align 20h 608 | 609 | STUBS_ENTRY DeleteValueKey, 8 610 | 611 | align 20h 612 | 613 | STUBS_ENTRY DeleteWnfStateData, 8 614 | 615 | align 20h 616 | 617 | STUBS_ENTRY DeleteWnfStateName, 4 618 | 619 | align 20h 620 | 621 | STUBS_ENTRY DeviceIoControlFile, 40 622 | 623 | align 20h 624 | 625 | STUBS_ENTRY DisableLastKnownGood, 626 | 627 | align 20h 628 | 629 | STUBS_ENTRY DisplayString, 4 630 | 631 | align 20h 632 | 633 | STUBS_ENTRY DrawText, 4 634 | 635 | align 20h 636 | 637 | STUBS_ENTRY DuplicateObject, 28 638 | 639 | align 20h 640 | 641 | STUBS_ENTRY DuplicateToken, 24 642 | 643 | align 20h 644 | 645 | STUBS_ENTRY EnableLastKnownGood, 646 | 647 | align 20h 648 | 649 | STUBS_ENTRY EnumerateBootEntries, 8 650 | 651 | align 20h 652 | 653 | STUBS_ENTRY EnumerateDriverEntries, 8 654 | 655 | align 20h 656 | 657 | STUBS_ENTRY EnumerateKey, 24 658 | 659 | align 20h 660 | 661 | STUBS_ENTRY EnumerateSystemEnvironmentValuesEx, 12 662 | 663 | align 20h 664 | 665 | STUBS_ENTRY EnumerateTransactionObject, 20 666 | 667 | align 20h 668 | 669 | STUBS_ENTRY EnumerateValueKey, 24 670 | 671 | align 20h 672 | 673 | STUBS_ENTRY ExtendSection, 8 674 | 675 | align 20h 676 | 677 | STUBS_ENTRY FilterBootOption, 20 678 | 679 | align 20h 680 | 681 | STUBS_ENTRY FilterToken, 24 682 | 683 | align 20h 684 | 685 | STUBS_ENTRY FilterTokenEx, 56 686 | 687 | align 20h 688 | 689 | STUBS_ENTRY FindAtom, 12 690 | 691 | align 20h 692 | 693 | STUBS_ENTRY FlushBuffersFile, 8 694 | 695 | align 20h 696 | 697 | STUBS_ENTRY FlushBuffersFileEx, 20 698 | 699 | align 20h 700 | 701 | STUBS_ENTRY FlushInstallUILanguage, 8 702 | 703 | align 20h 704 | 705 | STUBS_ENTRY FlushInstructionCache, 12 706 | 707 | align 20h 708 | 709 | STUBS_ENTRY FlushKey, 4 710 | 711 | align 20h 712 | 713 | STUBS_ENTRY FlushProcessWriteBuffers, 714 | 715 | align 20h 716 | 717 | STUBS_ENTRY FlushVirtualMemory, 16 718 | 719 | align 20h 720 | 721 | STUBS_ENTRY FlushWriteBuffer, 722 | 723 | align 20h 724 | 725 | STUBS_ENTRY FreeUserPhysicalPages, 12 726 | 727 | align 20h 728 | 729 | STUBS_ENTRY FreeVirtualMemory, 16 730 | 731 | align 20h 732 | 733 | STUBS_ENTRY FreezeRegistry, 4 734 | 735 | align 20h 736 | 737 | STUBS_ENTRY FreezeTransactions, 8 738 | 739 | align 20h 740 | 741 | STUBS_ENTRY FsControlFile, 40 742 | 743 | align 20h 744 | 745 | STUBS_ENTRY GetCachedSigningLevel, 24 746 | 747 | align 20h 748 | 749 | STUBS_ENTRY GetCompleteWnfStateSubscription, 24 750 | 751 | align 20h 752 | 753 | STUBS_ENTRY GetContextThread, 8 754 | 755 | align 20h 756 | 757 | STUBS_ENTRY GetCurrentProcessorNumber, 758 | 759 | align 20h 760 | 761 | STUBS_ENTRY GetCurrentProcessorNumberEx, 4 762 | 763 | align 20h 764 | 765 | STUBS_ENTRY GetDevicePowerState, 8 766 | 767 | align 20h 768 | 769 | STUBS_ENTRY GetMUIRegistryInfo, 12 770 | 771 | align 20h 772 | 773 | STUBS_ENTRY GetNextProcess, 20 774 | 775 | align 20h 776 | 777 | STUBS_ENTRY GetNextThread, 24 778 | 779 | align 20h 780 | 781 | STUBS_ENTRY GetNlsSectionPtr, 20 782 | 783 | align 20h 784 | 785 | STUBS_ENTRY GetNotificationResourceManager, 28 786 | 787 | align 20h 788 | 789 | STUBS_ENTRY GetPlugPlayEvent, 16 790 | 791 | align 20h 792 | 793 | STUBS_ENTRY GetWriteWatch, 28 794 | 795 | align 20h 796 | 797 | STUBS_ENTRY ImpersonateAnonymousToken, 4 798 | 799 | align 20h 800 | 801 | STUBS_ENTRY ImpersonateClientOfPort, 8 802 | 803 | align 20h 804 | 805 | STUBS_ENTRY ImpersonateThread, 12 806 | 807 | align 20h 808 | 809 | STUBS_ENTRY InitializeEnclave, 20 810 | 811 | align 20h 812 | 813 | STUBS_ENTRY InitializeNlsFiles, 12 814 | 815 | align 20h 816 | 817 | STUBS_ENTRY InitializeRegistry, 4 818 | 819 | align 20h 820 | 821 | STUBS_ENTRY InitiatePowerAction, 16 822 | 823 | align 20h 824 | 825 | STUBS_ENTRY IsProcessInJob, 8 826 | 827 | align 20h 828 | 829 | STUBS_ENTRY IsSystemResumeAutomatic, 830 | 831 | align 20h 832 | 833 | STUBS_ENTRY IsUILanguageComitted, 834 | 835 | align 20h 836 | 837 | STUBS_ENTRY ListTransactions, 12 838 | 839 | align 20h 840 | 841 | STUBS_ENTRY ListenPort, 8 842 | 843 | align 20h 844 | 845 | STUBS_ENTRY LoadDriver, 4 846 | 847 | align 20h 848 | 849 | STUBS_ENTRY LoadEnclaveData, 36 850 | 851 | align 20h 852 | 853 | STUBS_ENTRY LoadHotPatch, 8 854 | 855 | align 20h 856 | 857 | STUBS_ENTRY LoadKey, 8 858 | 859 | align 20h 860 | 861 | STUBS_ENTRY LoadKey2, 12 862 | 863 | align 20h 864 | 865 | STUBS_ENTRY LoadKeyEx, 32 866 | 867 | align 20h 868 | 869 | STUBS_ENTRY LockFile, 40 870 | 871 | align 20h 872 | 873 | STUBS_ENTRY LockProductActivationKeys, 8 874 | 875 | align 20h 876 | 877 | STUBS_ENTRY LockRegistryKey, 4 878 | 879 | align 20h 880 | 881 | STUBS_ENTRY LockVirtualMemory, 16 882 | 883 | align 20h 884 | 885 | STUBS_ENTRY MakePermanentObject, 4 886 | 887 | align 20h 888 | 889 | STUBS_ENTRY MakeTemporaryObject, 4 890 | 891 | align 20h 892 | 893 | STUBS_ENTRY ManagePartition, 20 894 | 895 | align 20h 896 | 897 | STUBS_ENTRY MapCMFModule, 24 898 | 899 | align 20h 900 | 901 | STUBS_ENTRY MapUserPhysicalPages, 12 902 | 903 | align 20h 904 | 905 | STUBS_ENTRY MapUserPhysicalPagesScatter, 12 906 | 907 | align 20h 908 | 909 | STUBS_ENTRY MapViewOfSection, 40 910 | 911 | align 20h 912 | 913 | STUBS_ENTRY MapViewOfSectionEx, 36 914 | 915 | align 20h 916 | 917 | STUBS_ENTRY MarshallTransaction, 24 918 | 919 | align 20h 920 | 921 | STUBS_ENTRY ModifyBootEntry, 4 922 | 923 | align 20h 924 | 925 | STUBS_ENTRY ModifyDriverEntry, 4 926 | 927 | align 20h 928 | 929 | STUBS_ENTRY NotifyChangeDirectoryFile, 36 930 | 931 | align 20h 932 | 933 | STUBS_ENTRY NotifyChangeDirectoryFileEx, 40 934 | 935 | align 20h 936 | 937 | STUBS_ENTRY NotifyChangeKey, 40 938 | 939 | align 20h 940 | 941 | STUBS_ENTRY NotifyChangeMultipleKeys, 48 942 | 943 | align 20h 944 | 945 | STUBS_ENTRY NotifyChangeSession, 32 946 | 947 | align 20h 948 | 949 | STUBS_ENTRY OpenDirectoryObject, 12 950 | 951 | align 20h 952 | 953 | STUBS_ENTRY OpenEnlistment, 20 954 | 955 | align 20h 956 | 957 | STUBS_ENTRY OpenEvent, 12 958 | 959 | align 20h 960 | 961 | STUBS_ENTRY OpenEventPair, 12 962 | 963 | align 20h 964 | 965 | STUBS_ENTRY OpenFile, 24 966 | 967 | align 20h 968 | 969 | STUBS_ENTRY OpenIoCompletion, 12 970 | 971 | align 20h 972 | 973 | STUBS_ENTRY OpenJobObject, 12 974 | 975 | align 20h 976 | 977 | STUBS_ENTRY OpenKey, 12 978 | 979 | align 20h 980 | 981 | STUBS_ENTRY OpenKeyEx, 16 982 | 983 | align 20h 984 | 985 | STUBS_ENTRY OpenKeyTransacted, 16 986 | 987 | align 20h 988 | 989 | STUBS_ENTRY OpenKeyTransactedEx, 20 990 | 991 | align 20h 992 | 993 | STUBS_ENTRY OpenKeyedEvent, 12 994 | 995 | align 20h 996 | 997 | STUBS_ENTRY OpenMutant, 12 998 | 999 | align 20h 1000 | 1001 | STUBS_ENTRY OpenObjectAuditAlarm, 48 1002 | 1003 | align 20h 1004 | 1005 | STUBS_ENTRY OpenPartition, 12 1006 | 1007 | align 20h 1008 | 1009 | STUBS_ENTRY OpenPrivateNamespace, 16 1010 | 1011 | align 20h 1012 | 1013 | STUBS_ENTRY OpenProcess, 16 1014 | 1015 | align 20h 1016 | 1017 | STUBS_ENTRY OpenProcessToken, 12 1018 | 1019 | align 20h 1020 | 1021 | STUBS_ENTRY OpenProcessTokenEx, 16 1022 | 1023 | align 20h 1024 | 1025 | STUBS_ENTRY OpenRegistryTransaction, 12 1026 | 1027 | align 20h 1028 | 1029 | STUBS_ENTRY OpenResourceManager, 20 1030 | 1031 | align 20h 1032 | 1033 | STUBS_ENTRY OpenSection, 12 1034 | 1035 | align 20h 1036 | 1037 | STUBS_ENTRY OpenSemaphore, 12 1038 | 1039 | align 20h 1040 | 1041 | STUBS_ENTRY OpenSession, 12 1042 | 1043 | align 20h 1044 | 1045 | STUBS_ENTRY OpenSymbolicLinkObject, 12 1046 | 1047 | align 20h 1048 | 1049 | STUBS_ENTRY OpenThread, 16 1050 | 1051 | align 20h 1052 | 1053 | STUBS_ENTRY OpenThreadToken, 16 1054 | 1055 | align 20h 1056 | 1057 | STUBS_ENTRY OpenThreadTokenEx, 20 1058 | 1059 | align 20h 1060 | 1061 | STUBS_ENTRY OpenTimer, 12 1062 | 1063 | align 20h 1064 | 1065 | STUBS_ENTRY OpenTransaction, 20 1066 | 1067 | align 20h 1068 | 1069 | STUBS_ENTRY OpenTransactionManager, 24 1070 | 1071 | align 20h 1072 | 1073 | STUBS_ENTRY PlugPlayControl, 12 1074 | 1075 | align 20h 1076 | 1077 | STUBS_ENTRY PowerInformation, 20 1078 | 1079 | align 20h 1080 | 1081 | STUBS_ENTRY PrePrepareComplete, 8 1082 | 1083 | align 20h 1084 | 1085 | STUBS_ENTRY PrePrepareEnlistment, 8 1086 | 1087 | align 20h 1088 | 1089 | STUBS_ENTRY PrepareComplete, 8 1090 | 1091 | align 20h 1092 | 1093 | STUBS_ENTRY PrepareEnlistment, 8 1094 | 1095 | align 20h 1096 | 1097 | STUBS_ENTRY PrivilegeCheck, 12 1098 | 1099 | align 20h 1100 | 1101 | STUBS_ENTRY PrivilegeObjectAuditAlarm, 24 1102 | 1103 | align 20h 1104 | 1105 | STUBS_ENTRY PrivilegedServiceAuditAlarm, 20 1106 | 1107 | align 20h 1108 | 1109 | STUBS_ENTRY PropagationComplete, 16 1110 | 1111 | align 20h 1112 | 1113 | STUBS_ENTRY PropagationFailed, 12 1114 | 1115 | align 20h 1116 | 1117 | STUBS_ENTRY ProtectVirtualMemory, 20 1118 | 1119 | align 20h 1120 | 1121 | STUBS_ENTRY PullTransaction, 28 1122 | 1123 | align 20h 1124 | 1125 | STUBS_ENTRY PulseEvent, 8 1126 | 1127 | align 20h 1128 | 1129 | STUBS_ENTRY QueryAttributesFile, 8 1130 | 1131 | align 20h 1132 | 1133 | STUBS_ENTRY QueryAuxiliaryCounterFrequency, 4 1134 | 1135 | align 20h 1136 | 1137 | STUBS_ENTRY QueryBootEntryOrder, 8 1138 | 1139 | align 20h 1140 | 1141 | STUBS_ENTRY QueryBootOptions, 8 1142 | 1143 | align 20h 1144 | 1145 | STUBS_ENTRY QueryDebugFilterState, 8 1146 | 1147 | align 20h 1148 | 1149 | STUBS_ENTRY QueryDefaultLocale, 8 1150 | 1151 | align 20h 1152 | 1153 | STUBS_ENTRY QueryDefaultUILanguage, 4 1154 | 1155 | align 20h 1156 | 1157 | STUBS_ENTRY QueryDirectoryFile, 44 1158 | 1159 | align 20h 1160 | 1161 | STUBS_ENTRY QueryDirectoryFileEx, 40 1162 | 1163 | align 20h 1164 | 1165 | STUBS_ENTRY QueryDirectoryObject, 28 1166 | 1167 | align 20h 1168 | 1169 | STUBS_ENTRY QueryDriverEntryOrder, 8 1170 | 1171 | align 20h 1172 | 1173 | STUBS_ENTRY QueryEaFile, 36 1174 | 1175 | align 20h 1176 | 1177 | STUBS_ENTRY QueryEvent, 20 1178 | 1179 | align 20h 1180 | 1181 | STUBS_ENTRY QueryFullAttributesFile, 8 1182 | 1183 | align 20h 1184 | 1185 | STUBS_ENTRY QueryInformationAtom, 20 1186 | 1187 | align 20h 1188 | 1189 | STUBS_ENTRY QueryInformationByName, 20 1190 | 1191 | align 20h 1192 | 1193 | STUBS_ENTRY QueryInformationEnlistment, 20 1194 | 1195 | align 20h 1196 | 1197 | STUBS_ENTRY QueryInformationFile, 20 1198 | 1199 | align 20h 1200 | 1201 | STUBS_ENTRY QueryInformationJobObject, 20 1202 | 1203 | align 20h 1204 | 1205 | STUBS_ENTRY QueryInformationPort, 20 1206 | 1207 | align 20h 1208 | 1209 | STUBS_ENTRY QueryInformationProcess, 20 1210 | 1211 | align 20h 1212 | 1213 | STUBS_ENTRY QueryInformationResourceManager, 20 1214 | 1215 | align 20h 1216 | 1217 | STUBS_ENTRY QueryInformationThread, 20 1218 | 1219 | align 20h 1220 | 1221 | STUBS_ENTRY QueryInformationToken, 20 1222 | 1223 | align 20h 1224 | 1225 | STUBS_ENTRY QueryInformationTransaction, 20 1226 | 1227 | align 20h 1228 | 1229 | STUBS_ENTRY QueryInformationTransactionManager, 20 1230 | 1231 | align 20h 1232 | 1233 | STUBS_ENTRY QueryInformationWorkerFactory, 20 1234 | 1235 | align 20h 1236 | 1237 | STUBS_ENTRY QueryInstallUILanguage, 4 1238 | 1239 | align 20h 1240 | 1241 | STUBS_ENTRY QueryIntervalProfile, 8 1242 | 1243 | align 20h 1244 | 1245 | STUBS_ENTRY QueryIoCompletion, 20 1246 | 1247 | align 20h 1248 | 1249 | STUBS_ENTRY QueryKey, 20 1250 | 1251 | align 20h 1252 | 1253 | STUBS_ENTRY QueryLicenseValue, 20 1254 | 1255 | align 20h 1256 | 1257 | STUBS_ENTRY QueryMultipleValueKey, 24 1258 | 1259 | align 20h 1260 | 1261 | STUBS_ENTRY QueryMutant, 20 1262 | 1263 | align 20h 1264 | 1265 | STUBS_ENTRY QueryObject, 20 1266 | 1267 | align 20h 1268 | 1269 | STUBS_ENTRY QueryOpenSubKeys, 8 1270 | 1271 | align 20h 1272 | 1273 | STUBS_ENTRY QueryOpenSubKeysEx, 16 1274 | 1275 | align 20h 1276 | 1277 | STUBS_ENTRY QueryPerformanceCounter, 8 1278 | 1279 | align 20h 1280 | 1281 | STUBS_ENTRY QueryPortInformationProcess, 1282 | 1283 | align 20h 1284 | 1285 | STUBS_ENTRY QueryQuotaInformationFile, 36 1286 | 1287 | align 20h 1288 | 1289 | STUBS_ENTRY QuerySection, 20 1290 | 1291 | align 20h 1292 | 1293 | STUBS_ENTRY QuerySecurityAttributesToken, 24 1294 | 1295 | align 20h 1296 | 1297 | STUBS_ENTRY QuerySecurityObject, 20 1298 | 1299 | align 20h 1300 | 1301 | STUBS_ENTRY QuerySecurityPolicy, 24 1302 | 1303 | align 20h 1304 | 1305 | STUBS_ENTRY QuerySemaphore, 20 1306 | 1307 | align 20h 1308 | 1309 | STUBS_ENTRY QuerySymbolicLinkObject, 12 1310 | 1311 | align 20h 1312 | 1313 | STUBS_ENTRY QuerySystemEnvironmentValue, 16 1314 | 1315 | align 20h 1316 | 1317 | STUBS_ENTRY QuerySystemEnvironmentValueEx, 20 1318 | 1319 | align 20h 1320 | 1321 | STUBS_ENTRY QuerySystemInformation, 16 1322 | 1323 | align 20h 1324 | 1325 | STUBS_ENTRY QuerySystemInformationEx, 24 1326 | 1327 | align 20h 1328 | 1329 | STUBS_ENTRY QuerySystemTime, 4 1330 | 1331 | align 20h 1332 | 1333 | STUBS_ENTRY QueryTimer, 20 1334 | 1335 | align 20h 1336 | 1337 | STUBS_ENTRY QueryTimerResolution, 12 1338 | 1339 | align 20h 1340 | 1341 | STUBS_ENTRY QueryValueKey, 24 1342 | 1343 | align 20h 1344 | 1345 | STUBS_ENTRY QueryVirtualMemory, 24 1346 | 1347 | align 20h 1348 | 1349 | STUBS_ENTRY QueryVolumeInformationFile, 20 1350 | 1351 | align 20h 1352 | 1353 | STUBS_ENTRY QueryWnfStateData, 24 1354 | 1355 | align 20h 1356 | 1357 | STUBS_ENTRY QueryWnfStateNameInformation, 20 1358 | 1359 | align 20h 1360 | 1361 | STUBS_ENTRY QueueApcThread, 20 1362 | 1363 | align 20h 1364 | 1365 | STUBS_ENTRY QueueApcThreadEx, 24 1366 | 1367 | align 20h 1368 | 1369 | STUBS_ENTRY RaiseException, 12 1370 | 1371 | align 20h 1372 | 1373 | STUBS_ENTRY RaiseHardError, 24 1374 | 1375 | align 20h 1376 | 1377 | STUBS_ENTRY ReadFile, 36 1378 | 1379 | align 20h 1380 | 1381 | STUBS_ENTRY ReadFileScatter, 36 1382 | 1383 | align 20h 1384 | 1385 | STUBS_ENTRY ReadOnlyEnlistment, 8 1386 | 1387 | align 20h 1388 | 1389 | STUBS_ENTRY ReadRequestData, 24 1390 | 1391 | align 20h 1392 | 1393 | STUBS_ENTRY ReadVirtualMemory, 20 1394 | 1395 | align 20h 1396 | 1397 | STUBS_ENTRY RecoverEnlistment, 8 1398 | 1399 | align 20h 1400 | 1401 | STUBS_ENTRY RecoverResourceManager, 4 1402 | 1403 | align 20h 1404 | 1405 | STUBS_ENTRY RecoverTransactionManager, 4 1406 | 1407 | align 20h 1408 | 1409 | STUBS_ENTRY RegisterProtocolAddressInformation, 20 1410 | 1411 | align 20h 1412 | 1413 | STUBS_ENTRY RegisterThreadTerminatePort, 4 1414 | 1415 | align 20h 1416 | 1417 | STUBS_ENTRY ReleaseCMFViewOwnership, 1418 | 1419 | align 20h 1420 | 1421 | STUBS_ENTRY ReleaseKeyedEvent, 16 1422 | 1423 | align 20h 1424 | 1425 | STUBS_ENTRY ReleaseMutant, 8 1426 | 1427 | align 20h 1428 | 1429 | STUBS_ENTRY ReleaseSemaphore, 12 1430 | 1431 | align 20h 1432 | 1433 | STUBS_ENTRY ReleaseWorkerFactoryWorker, 4 1434 | 1435 | align 20h 1436 | 1437 | STUBS_ENTRY RemoveIoCompletion, 20 1438 | 1439 | align 20h 1440 | 1441 | STUBS_ENTRY RemoveIoCompletionEx, 24 1442 | 1443 | align 20h 1444 | 1445 | STUBS_ENTRY RemoveProcessDebug, 8 1446 | 1447 | align 20h 1448 | 1449 | STUBS_ENTRY RenameKey, 8 1450 | 1451 | align 20h 1452 | 1453 | STUBS_ENTRY RenameTransactionManager, 8 1454 | 1455 | align 20h 1456 | 1457 | STUBS_ENTRY ReplaceKey, 12 1458 | 1459 | align 20h 1460 | 1461 | STUBS_ENTRY ReplacePartitionUnit, 12 1462 | 1463 | align 20h 1464 | 1465 | STUBS_ENTRY ReplyPort, 8 1466 | 1467 | align 20h 1468 | 1469 | STUBS_ENTRY ReplyWaitReceivePort, 16 1470 | 1471 | align 20h 1472 | 1473 | STUBS_ENTRY ReplyWaitReceivePortEx, 20 1474 | 1475 | align 20h 1476 | 1477 | STUBS_ENTRY ReplyWaitReplyPort, 8 1478 | 1479 | align 20h 1480 | 1481 | STUBS_ENTRY RequestDeviceWakeup, 4 1482 | 1483 | align 20h 1484 | 1485 | STUBS_ENTRY RequestPort, 8 1486 | 1487 | align 20h 1488 | 1489 | STUBS_ENTRY RequestWaitReplyPort, 12 1490 | 1491 | align 20h 1492 | 1493 | STUBS_ENTRY RequestWakeupLatency, 4 1494 | 1495 | align 20h 1496 | 1497 | STUBS_ENTRY ResetEvent, 8 1498 | 1499 | align 20h 1500 | 1501 | STUBS_ENTRY ResetWriteWatch, 12 1502 | 1503 | align 20h 1504 | 1505 | STUBS_ENTRY RestoreKey, 12 1506 | 1507 | align 20h 1508 | 1509 | STUBS_ENTRY ResumeProcess, 4 1510 | 1511 | align 20h 1512 | 1513 | STUBS_ENTRY ResumeThread, 8 1514 | 1515 | align 20h 1516 | 1517 | STUBS_ENTRY RevertContainerImpersonation, 1518 | 1519 | align 20h 1520 | 1521 | STUBS_ENTRY RollbackComplete, 8 1522 | 1523 | align 20h 1524 | 1525 | STUBS_ENTRY RollbackEnlistment, 8 1526 | 1527 | align 20h 1528 | 1529 | STUBS_ENTRY RollbackRegistryTransaction, 8 1530 | 1531 | align 20h 1532 | 1533 | STUBS_ENTRY RollbackSavepointTransaction, 8 1534 | 1535 | align 20h 1536 | 1537 | STUBS_ENTRY RollbackTransaction, 8 1538 | 1539 | align 20h 1540 | 1541 | STUBS_ENTRY RollforwardTransactionManager, 8 1542 | 1543 | align 20h 1544 | 1545 | STUBS_ENTRY SaveKey, 8 1546 | 1547 | align 20h 1548 | 1549 | STUBS_ENTRY SaveKeyEx, 12 1550 | 1551 | align 20h 1552 | 1553 | STUBS_ENTRY SaveMergedKeys, 12 1554 | 1555 | align 20h 1556 | 1557 | STUBS_ENTRY SavepointComplete, 8 1558 | 1559 | align 20h 1560 | 1561 | STUBS_ENTRY SavepointTransaction, 8 1562 | 1563 | align 20h 1564 | 1565 | STUBS_ENTRY SecureConnectPort, 36 1566 | 1567 | align 20h 1568 | 1569 | STUBS_ENTRY SerializeBoot, 1570 | 1571 | align 20h 1572 | 1573 | STUBS_ENTRY SetBootEntryOrder, 8 1574 | 1575 | align 20h 1576 | 1577 | STUBS_ENTRY SetBootOptions, 8 1578 | 1579 | align 20h 1580 | 1581 | STUBS_ENTRY SetCachedSigningLevel, 20 1582 | 1583 | align 20h 1584 | 1585 | STUBS_ENTRY SetCachedSigningLevel2, 24 1586 | 1587 | align 20h 1588 | 1589 | STUBS_ENTRY SetContextThread, 8 1590 | 1591 | align 20h 1592 | 1593 | STUBS_ENTRY SetDebugFilterState, 12 1594 | 1595 | align 20h 1596 | 1597 | STUBS_ENTRY SetDefaultHardErrorPort, 4 1598 | 1599 | align 20h 1600 | 1601 | STUBS_ENTRY SetDefaultLocale, 8 1602 | 1603 | align 20h 1604 | 1605 | STUBS_ENTRY SetDefaultUILanguage, 4 1606 | 1607 | align 20h 1608 | 1609 | STUBS_ENTRY SetDriverEntryOrder, 8 1610 | 1611 | align 20h 1612 | 1613 | STUBS_ENTRY SetEaFile, 16 1614 | 1615 | align 20h 1616 | 1617 | STUBS_ENTRY SetEvent, 8 1618 | 1619 | align 20h 1620 | 1621 | STUBS_ENTRY SetEventBoostPriority, 4 1622 | 1623 | align 20h 1624 | 1625 | STUBS_ENTRY SetHighEventPair, 4 1626 | 1627 | align 20h 1628 | 1629 | STUBS_ENTRY SetHighWaitLowEventPair, 4 1630 | 1631 | align 20h 1632 | 1633 | STUBS_ENTRY SetIRTimer, 8 1634 | 1635 | align 20h 1636 | 1637 | STUBS_ENTRY SetInformationDebugObject, 20 1638 | 1639 | align 20h 1640 | 1641 | STUBS_ENTRY SetInformationEnlistment, 16 1642 | 1643 | align 20h 1644 | 1645 | STUBS_ENTRY SetInformationFile, 20 1646 | 1647 | align 20h 1648 | 1649 | STUBS_ENTRY SetInformationJobObject, 16 1650 | 1651 | align 20h 1652 | 1653 | STUBS_ENTRY SetInformationKey, 16 1654 | 1655 | align 20h 1656 | 1657 | STUBS_ENTRY SetInformationObject, 16 1658 | 1659 | align 20h 1660 | 1661 | STUBS_ENTRY SetInformationProcess, 16 1662 | 1663 | align 20h 1664 | 1665 | STUBS_ENTRY SetInformationResourceManager, 16 1666 | 1667 | align 20h 1668 | 1669 | STUBS_ENTRY SetInformationSymbolicLink, 16 1670 | 1671 | align 20h 1672 | 1673 | STUBS_ENTRY SetInformationThread, 16 1674 | 1675 | align 20h 1676 | 1677 | STUBS_ENTRY SetInformationToken, 16 1678 | 1679 | align 20h 1680 | 1681 | STUBS_ENTRY SetInformationTransaction, 16 1682 | 1683 | align 20h 1684 | 1685 | STUBS_ENTRY SetInformationTransactionManager, 16 1686 | 1687 | align 20h 1688 | 1689 | STUBS_ENTRY SetInformationVirtualMemory, 24 1690 | 1691 | align 20h 1692 | 1693 | STUBS_ENTRY SetInformationWorkerFactory, 16 1694 | 1695 | align 20h 1696 | 1697 | STUBS_ENTRY SetIntervalProfile, 8 1698 | 1699 | align 20h 1700 | 1701 | STUBS_ENTRY SetIoCompletion, 20 1702 | 1703 | align 20h 1704 | 1705 | STUBS_ENTRY SetIoCompletionEx, 24 1706 | 1707 | align 20h 1708 | 1709 | STUBS_ENTRY SetLdtEntries, 24 1710 | 1711 | align 20h 1712 | 1713 | STUBS_ENTRY SetLowEventPair, 4 1714 | 1715 | align 20h 1716 | 1717 | STUBS_ENTRY SetLowWaitHighEventPair, 4 1718 | 1719 | align 20h 1720 | 1721 | STUBS_ENTRY SetQuotaInformationFile, 16 1722 | 1723 | align 20h 1724 | 1725 | STUBS_ENTRY SetSecurityObject, 12 1726 | 1727 | align 20h 1728 | 1729 | STUBS_ENTRY SetSystemEnvironmentValue, 8 1730 | 1731 | align 20h 1732 | 1733 | STUBS_ENTRY SetSystemEnvironmentValueEx, 20 1734 | 1735 | align 20h 1736 | 1737 | STUBS_ENTRY SetSystemInformation, 12 1738 | 1739 | align 20h 1740 | 1741 | STUBS_ENTRY SetSystemPowerState, 12 1742 | 1743 | align 20h 1744 | 1745 | STUBS_ENTRY SetSystemTime, 8 1746 | 1747 | align 20h 1748 | 1749 | STUBS_ENTRY SetThreadExecutionState, 8 1750 | 1751 | align 20h 1752 | 1753 | STUBS_ENTRY SetTimer, 28 1754 | 1755 | align 20h 1756 | 1757 | STUBS_ENTRY SetTimer2, 16 1758 | 1759 | align 20h 1760 | 1761 | STUBS_ENTRY SetTimerEx, 16 1762 | 1763 | align 20h 1764 | 1765 | STUBS_ENTRY SetTimerResolution, 12 1766 | 1767 | align 20h 1768 | 1769 | STUBS_ENTRY SetUuidSeed, 4 1770 | 1771 | align 20h 1772 | 1773 | STUBS_ENTRY SetValueKey, 24 1774 | 1775 | align 20h 1776 | 1777 | STUBS_ENTRY SetVolumeInformationFile, 20 1778 | 1779 | align 20h 1780 | 1781 | STUBS_ENTRY SetWnfProcessNotificationEvent, 4 1782 | 1783 | align 20h 1784 | 1785 | STUBS_ENTRY ShutdownSystem, 4 1786 | 1787 | align 20h 1788 | 1789 | STUBS_ENTRY ShutdownWorkerFactory, 8 1790 | 1791 | align 20h 1792 | 1793 | STUBS_ENTRY SignalAndWaitForSingleObject, 16 1794 | 1795 | align 20h 1796 | 1797 | STUBS_ENTRY SinglePhaseReject, 8 1798 | 1799 | align 20h 1800 | 1801 | STUBS_ENTRY StartProfile, 4 1802 | 1803 | align 20h 1804 | 1805 | STUBS_ENTRY StartTm, 1806 | 1807 | align 20h 1808 | 1809 | STUBS_ENTRY StopProfile, 4 1810 | 1811 | align 20h 1812 | 1813 | STUBS_ENTRY SubscribeWnfStateChange, 16 1814 | 1815 | align 20h 1816 | 1817 | STUBS_ENTRY SuspendProcess, 4 1818 | 1819 | align 20h 1820 | 1821 | STUBS_ENTRY SuspendThread, 8 1822 | 1823 | align 20h 1824 | 1825 | STUBS_ENTRY SystemDebugControl, 24 1826 | 1827 | align 20h 1828 | 1829 | STUBS_ENTRY TerminateEnclave, 8 1830 | 1831 | align 20h 1832 | 1833 | STUBS_ENTRY TerminateJobObject, 8 1834 | 1835 | align 20h 1836 | 1837 | STUBS_ENTRY TerminateProcess, 8 1838 | 1839 | align 20h 1840 | 1841 | STUBS_ENTRY TerminateThread, 8 1842 | 1843 | align 20h 1844 | 1845 | STUBS_ENTRY TestAlert, 1846 | 1847 | align 20h 1848 | 1849 | STUBS_ENTRY ThawRegistry, 1850 | 1851 | align 20h 1852 | 1853 | STUBS_ENTRY ThawTransactions, 1854 | 1855 | align 20h 1856 | 1857 | STUBS_ENTRY TraceControl, 24 1858 | 1859 | align 20h 1860 | 1861 | STUBS_ENTRY TraceEvent, 16 1862 | 1863 | align 20h 1864 | 1865 | STUBS_ENTRY TranslateFilePath, 16 1866 | 1867 | align 20h 1868 | 1869 | STUBS_ENTRY UmsThreadYield, 4 1870 | 1871 | align 20h 1872 | 1873 | STUBS_ENTRY UnloadDriver, 4 1874 | 1875 | align 20h 1876 | 1877 | STUBS_ENTRY UnloadKey, 4 1878 | 1879 | align 20h 1880 | 1881 | STUBS_ENTRY UnloadKey2, 8 1882 | 1883 | align 20h 1884 | 1885 | STUBS_ENTRY UnloadKeyEx, 8 1886 | 1887 | align 20h 1888 | 1889 | STUBS_ENTRY UnlockFile, 20 1890 | 1891 | align 20h 1892 | 1893 | STUBS_ENTRY UnlockVirtualMemory, 16 1894 | 1895 | align 20h 1896 | 1897 | STUBS_ENTRY UnmapViewOfSection, 8 1898 | 1899 | align 20h 1900 | 1901 | STUBS_ENTRY UnmapViewOfSectionEx, 12 1902 | 1903 | align 20h 1904 | 1905 | STUBS_ENTRY UnsubscribeWnfStateChange, 4 1906 | 1907 | align 20h 1908 | 1909 | STUBS_ENTRY UpdateWnfStateData, 28 1910 | 1911 | align 20h 1912 | 1913 | STUBS_ENTRY VdmControl, 8 1914 | 1915 | align 20h 1916 | 1917 | STUBS_ENTRY WaitForAlertByThreadId, 8 1918 | 1919 | align 20h 1920 | 1921 | STUBS_ENTRY WaitForDebugEvent, 16 1922 | 1923 | align 20h 1924 | 1925 | STUBS_ENTRY WaitForKeyedEvent, 16 1926 | 1927 | align 20h 1928 | 1929 | STUBS_ENTRY WaitForMultipleObjects, 20 1930 | 1931 | align 20h 1932 | 1933 | STUBS_ENTRY WaitForMultipleObjects32, 20 1934 | 1935 | align 20h 1936 | 1937 | STUBS_ENTRY WaitForSingleObject, 12 1938 | 1939 | align 20h 1940 | 1941 | STUBS_ENTRY WaitForWnfNotifications, 8 1942 | 1943 | align 20h 1944 | 1945 | STUBS_ENTRY WaitForWorkViaWorkerFactory, 20 1946 | 1947 | align 20h 1948 | 1949 | STUBS_ENTRY WaitHighEventPair, 4 1950 | 1951 | align 20h 1952 | 1953 | STUBS_ENTRY WaitLowEventPair, 4 1954 | 1955 | align 20h 1956 | 1957 | STUBS_ENTRY WorkerFactoryWorkerReady, 4 1958 | 1959 | align 20h 1960 | 1961 | STUBS_ENTRY WriteFile, 36 1962 | 1963 | align 20h 1964 | 1965 | STUBS_ENTRY WriteFileGather, 36 1966 | 1967 | align 20h 1968 | 1969 | STUBS_ENTRY WriteRequestData, 24 1970 | 1971 | align 20h 1972 | 1973 | STUBS_ENTRY WriteVirtualMemory, 20 1974 | 1975 | align 20h 1976 | 1977 | STUBS_ENTRY YieldExecution, 1978 | 1979 | align 20h 1980 | 1981 | _StubsBridge : 1982 | ; [esp + 4] caller 1983 | pushfd ; save eflag 1984 | call BuildServiceDispatchTable 1985 | popfd ; restore eflag 1986 | ret ; jmp caller (now the stubs table is ajust to system function) 1987 | 1988 | DB 24 dup (0cch) 1989 | 1990 | align 20h 1991 | 1992 | _TEXT$00 ENDS 1993 | 1994 | END 1995 | -------------------------------------------------------------------------------- /Reload.c: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | * 5 | * The contents of this file are subject to the Mozilla Public License Version 6 | * 2.0 (the "License")); you may not use this file except in compliance with 7 | * the License. You may obtain a copy of the License at 8 | * http://www.mozilla.org/MPL/ 9 | * 10 | * Software distributed under the License is distributed on an "AS IS" basis, 11 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. SEe the License 12 | * for the specific language governing rights and limitations under the 13 | * License. 14 | * 15 | * The Initial Developer of the Original e is blindtiger. 16 | * 17 | */ 18 | 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | #ifdef _WIN64 25 | #include 26 | #endif // _WIN64 27 | 28 | #include "Except.h" 29 | #include "Reload.h" 30 | #include "Testis.h" 31 | 32 | static PLIST_ENTRY LdrList; 33 | 34 | NTSTATUS 35 | NTAPI 36 | ProtectPages( 37 | __inout PVOID BaseAddress, 38 | __inout SIZE_T RegionSize, 39 | __in ULONG NewProtect, 40 | __out PULONG OldProtect 41 | ) 42 | { 43 | NTSTATUS Status = STATUS_SUCCESS; 44 | 45 | Status = StubProtectVirtualMemory( 46 | ZwCurrentProcess(), 47 | &BaseAddress, 48 | &RegionSize, 49 | NewProtect, 50 | OldProtect); 51 | 52 | return Status; 53 | } 54 | 55 | NTSTATUS 56 | NTAPI 57 | FindEntryForDriver( 58 | __in PSTR DriverName, 59 | __out PKLDR_DATA_TABLE_ENTRY * DataTableEntry 60 | ) 61 | { 62 | NTSTATUS Status = STATUS_SUCCESS; 63 | PDRIVER_OBJECT DriverObject = NULL; 64 | UNICODE_STRING DriverPath = { 0 }; 65 | PKLDR_DATA_TABLE_ENTRY LdrDataTableEntry = NULL; 66 | PKLDR_DATA_TABLE_ENTRY FoundDataTableEntry = NULL; 67 | ANSI_STRING AnsiImageFileName = { 0 }; 68 | UNICODE_STRING ImageFileName = { 0 }; 69 | 70 | extern POBJECT_TYPE * IoDriverObjectType; 71 | 72 | if (NULL != LdrList) { 73 | LdrDataTableEntry = CONTAINING_RECORD( 74 | LdrList, 75 | KLDR_DATA_TABLE_ENTRY, 76 | InLoadOrderLinks); 77 | 78 | FoundDataTableEntry = CONTAINING_RECORD( 79 | LdrDataTableEntry->InLoadOrderLinks.Flink, 80 | KLDR_DATA_TABLE_ENTRY, 81 | InLoadOrderLinks); 82 | 83 | RtlInitAnsiString(&AnsiImageFileName, DriverName); 84 | 85 | Status = RtlAnsiStringToUnicodeString( 86 | &ImageFileName, 87 | &AnsiImageFileName, 88 | TRUE); 89 | 90 | if (NT_SUCCESS(Status)) { 91 | Status = STATUS_NO_MORE_ENTRIES; 92 | 93 | while (FoundDataTableEntry != LdrDataTableEntry) { 94 | if (FoundDataTableEntry->DllBase) { 95 | if (FALSE != RtlEqualUnicodeString( 96 | &ImageFileName, 97 | &FoundDataTableEntry->BaseDllName, 98 | TRUE)) { 99 | *DataTableEntry = FoundDataTableEntry; 100 | Status = STATUS_SUCCESS; 101 | goto exit; 102 | } 103 | } 104 | 105 | FoundDataTableEntry = CONTAINING_RECORD( 106 | FoundDataTableEntry->InLoadOrderLinks.Flink, 107 | KLDR_DATA_TABLE_ENTRY, 108 | InLoadOrderLinks); 109 | } 110 | 111 | RtlFreeUnicodeString(&ImageFileName); 112 | } 113 | } 114 | 115 | RtlInitUnicodeString( 116 | &DriverPath, 117 | L"\\Driver\\disk"); 118 | 119 | Status = ObReferenceObjectByName( 120 | &DriverPath, 121 | OBJ_CASE_INSENSITIVE, 122 | NULL, 123 | FILE_ALL_ACCESS, 124 | *IoDriverObjectType, 125 | KernelMode, 126 | NULL, 127 | &DriverObject); 128 | 129 | if (NT_SUCCESS(Status)) { 130 | LdrDataTableEntry = DriverObject->DriverSection; 131 | 132 | if (NULL != LdrDataTableEntry) { 133 | FoundDataTableEntry = CONTAINING_RECORD( 134 | LdrDataTableEntry->InLoadOrderLinks.Flink, 135 | KLDR_DATA_TABLE_ENTRY, 136 | InLoadOrderLinks); 137 | 138 | RtlInitAnsiString(&AnsiImageFileName, DriverName); 139 | 140 | Status = RtlAnsiStringToUnicodeString( 141 | &ImageFileName, 142 | &AnsiImageFileName, 143 | TRUE); 144 | 145 | if (NT_SUCCESS(Status)) { 146 | Status = STATUS_NO_MORE_ENTRIES; 147 | 148 | while (FoundDataTableEntry != LdrDataTableEntry) { 149 | if (NULL != FoundDataTableEntry->DllBase) { 150 | if (FALSE != RtlEqualUnicodeString( 151 | &ImageFileName, 152 | &FoundDataTableEntry->BaseDllName, 153 | TRUE)) { 154 | *DataTableEntry = FoundDataTableEntry; 155 | Status = STATUS_SUCCESS; 156 | 157 | break; 158 | } 159 | } 160 | 161 | FoundDataTableEntry = CONTAINING_RECORD( 162 | FoundDataTableEntry->InLoadOrderLinks.Flink, 163 | KLDR_DATA_TABLE_ENTRY, 164 | InLoadOrderLinks); 165 | } 166 | 167 | RtlFreeUnicodeString(&ImageFileName); 168 | } 169 | } 170 | 171 | ObDereferenceObject(DriverObject); 172 | } 173 | 174 | exit: 175 | return Status; 176 | } 177 | 178 | NTSTATUS 179 | NTAPI 180 | FindEntryForAddress( 181 | __in PVOID Address, 182 | __out PLDR_DATA_TABLE_ENTRY * TableEntry 183 | ) 184 | { 185 | NTSTATUS Status = STATUS_NO_MORE_ENTRIES; 186 | PPEB Peb = NULL; 187 | PPEB_LDR_DATA Ldr = NULL; 188 | PLDR_DATA_TABLE_ENTRY DataTableEntry = NULL; 189 | PLDR_DATA_TABLE_ENTRY LdrDataTableEntry = NULL; 190 | PLDR_DATA_TABLE_ENTRY FoundDataTableEntry = NULL; 191 | 192 | if ((ULONG_PTR)Address > *(PULONG_PTR)MM_HIGHEST_USER_ADDRESS) { 193 | if (NULL != LdrList) { 194 | LdrDataTableEntry = CONTAINING_RECORD( 195 | LdrList, 196 | KLDR_DATA_TABLE_ENTRY, 197 | InLoadOrderLinks); 198 | 199 | FoundDataTableEntry = CONTAINING_RECORD( 200 | LdrDataTableEntry->InLoadOrderLinks.Flink, 201 | KLDR_DATA_TABLE_ENTRY, 202 | InLoadOrderLinks); 203 | 204 | while (FoundDataTableEntry != LdrDataTableEntry) { 205 | if ((ULONG_PTR)Address >= (ULONG_PTR)FoundDataTableEntry->DllBase && 206 | (ULONG_PTR)Address <= (ULONG_PTR)FoundDataTableEntry->DllBase + 207 | FoundDataTableEntry->SizeOfImage) { 208 | *TableEntry = FoundDataTableEntry; 209 | Status = STATUS_SUCCESS; 210 | goto exit; 211 | } 212 | 213 | FoundDataTableEntry = CONTAINING_RECORD( 214 | FoundDataTableEntry->InLoadOrderLinks.Flink, 215 | KLDR_DATA_TABLE_ENTRY, 216 | InLoadOrderLinks); 217 | } 218 | } 219 | 220 | #define KERNEL_NAME "ntoskrnl.exe" 221 | 222 | Status = FindEntryForDriver( 223 | KERNEL_NAME, 224 | &DataTableEntry); 225 | 226 | if (NT_SUCCESS(Status)) { 227 | Status = STATUS_NO_MORE_ENTRIES; 228 | 229 | LdrDataTableEntry = CONTAINING_RECORD( 230 | DataTableEntry->InLoadOrderLinks.Blink, 231 | KLDR_DATA_TABLE_ENTRY, 232 | InLoadOrderLinks); 233 | 234 | FoundDataTableEntry = CONTAINING_RECORD( 235 | LdrDataTableEntry->InLoadOrderLinks.Flink, 236 | KLDR_DATA_TABLE_ENTRY, 237 | InLoadOrderLinks); 238 | 239 | while (FoundDataTableEntry != LdrDataTableEntry) { 240 | if ((ULONG_PTR)Address >= (ULONG_PTR)FoundDataTableEntry->DllBase && 241 | (ULONG_PTR)Address <= (ULONG_PTR)FoundDataTableEntry->DllBase + 242 | FoundDataTableEntry->SizeOfImage) { 243 | *TableEntry = FoundDataTableEntry; 244 | Status = STATUS_SUCCESS; 245 | goto exit; 246 | } 247 | 248 | FoundDataTableEntry = CONTAINING_RECORD( 249 | FoundDataTableEntry->InLoadOrderLinks.Flink, 250 | KLDR_DATA_TABLE_ENTRY, 251 | InLoadOrderLinks); 252 | } 253 | } 254 | } 255 | 256 | Peb = PsGetProcessPeb(IoGetCurrentProcess()); 257 | 258 | if (NULL != Peb) { 259 | Ldr = Peb->Ldr; 260 | 261 | if (NULL != Ldr) { 262 | LdrDataTableEntry = CONTAINING_RECORD( 263 | &Ldr->InLoadOrderModuleList, 264 | LDR_DATA_TABLE_ENTRY, 265 | InLoadOrderLinks); 266 | 267 | FoundDataTableEntry = CONTAINING_RECORD( 268 | LdrDataTableEntry->InLoadOrderLinks.Flink, 269 | LDR_DATA_TABLE_ENTRY, 270 | InLoadOrderLinks); 271 | 272 | if (NULL == Address) { 273 | Address = Peb->ImageBaseAddress; 274 | } 275 | 276 | while (FoundDataTableEntry != LdrDataTableEntry) { 277 | if ((ULONG_PTR)Address >= (ULONG_PTR)FoundDataTableEntry->DllBase && 278 | (ULONG_PTR)Address <= (ULONG_PTR)FoundDataTableEntry->DllBase + 279 | FoundDataTableEntry->SizeOfImage) { 280 | *TableEntry = FoundDataTableEntry; 281 | Status = STATUS_SUCCESS; 282 | goto exit; 283 | } 284 | 285 | FoundDataTableEntry = CONTAINING_RECORD( 286 | FoundDataTableEntry->InLoadOrderLinks.Flink, 287 | LDR_DATA_TABLE_ENTRY, 288 | InLoadOrderLinks); 289 | } 290 | } 291 | } 292 | 293 | exit: 294 | return Status; 295 | } 296 | 297 | PVOID 298 | NTAPI 299 | GetImageHandle( 300 | __in PSTR ImageName 301 | ) 302 | { 303 | NTSTATUS Status = STATUS_NO_MORE_ENTRIES; 304 | PPEB Peb = NULL; 305 | PPEB_LDR_DATA Ldr = NULL; 306 | PLDR_DATA_TABLE_ENTRY LdrDataTableEntry = NULL; 307 | PLDR_DATA_TABLE_ENTRY FoundDataTableEntry = NULL; 308 | ANSI_STRING AnsiImageFileName = { 0 }; 309 | UNICODE_STRING ImageFileName = { 0 }; 310 | PVOID ImageBase = 0; 311 | 312 | if (NULL != ImageName) { 313 | Status = FindEntryForDriver( 314 | ImageName, 315 | &LdrDataTableEntry); 316 | 317 | if (Status >= 0) { 318 | ImageBase = LdrDataTableEntry->DllBase; 319 | goto exit; 320 | } 321 | } 322 | 323 | Peb = PsGetProcessPeb(IoGetCurrentProcess()); 324 | 325 | if (NULL != Peb) { 326 | Ldr = Peb->Ldr; 327 | 328 | if (NULL != Ldr) { 329 | LdrDataTableEntry = CONTAINING_RECORD( 330 | &Ldr->InLoadOrderModuleList, 331 | LDR_DATA_TABLE_ENTRY, 332 | InLoadOrderLinks); 333 | 334 | FoundDataTableEntry = CONTAINING_RECORD( 335 | LdrDataTableEntry->InLoadOrderLinks.Flink, 336 | LDR_DATA_TABLE_ENTRY, 337 | InLoadOrderLinks); 338 | 339 | if (NULL == ImageName) { 340 | ImageBase = Peb->ImageBaseAddress; 341 | goto exit; 342 | } 343 | else { 344 | RtlInitAnsiString( 345 | &AnsiImageFileName, 346 | ImageName); 347 | 348 | Status = RtlAnsiStringToUnicodeString( 349 | &ImageFileName, 350 | &AnsiImageFileName, 351 | TRUE); 352 | 353 | if (NT_SUCCESS(Status)) { 354 | while (FoundDataTableEntry != LdrDataTableEntry) { 355 | if (FALSE != RtlEqualUnicodeString( 356 | &ImageFileName, 357 | &FoundDataTableEntry->BaseDllName, 358 | TRUE)) { 359 | ImageBase = FoundDataTableEntry->DllBase; 360 | break; 361 | } 362 | 363 | FoundDataTableEntry = CONTAINING_RECORD( 364 | FoundDataTableEntry->InLoadOrderLinks.Flink, 365 | LDR_DATA_TABLE_ENTRY, 366 | InLoadOrderLinks); 367 | } 368 | 369 | RtlFreeUnicodeString(&ImageFileName); 370 | } 371 | } 372 | } 373 | } 374 | 375 | exit: 376 | return ImageBase; 377 | } 378 | 379 | PVOID 380 | NTAPI 381 | FetchAddressOfEntryPoint( 382 | __in PVOID ImageBase 383 | ) 384 | { 385 | PIMAGE_NT_HEADERS NtHeaders = NULL; 386 | ULONG Offset = 0; 387 | PVOID EntryPoint = NULL; 388 | 389 | __try { 390 | if (NULL != NtHeaders) { 391 | if (IMAGE_NT_OPTIONAL_HDR32_MAGIC == NtHeaders->OptionalHeader.Magic) { 392 | Offset = ((PIMAGE_NT_HEADERS32)NtHeaders)->OptionalHeader.AddressOfEntryPoint; 393 | } 394 | 395 | if (IMAGE_NT_OPTIONAL_HDR64_MAGIC == NtHeaders->OptionalHeader.Magic) { 396 | Offset = ((PIMAGE_NT_HEADERS64)NtHeaders)->OptionalHeader.AddressOfEntryPoint; 397 | } 398 | 399 | if (0 != Offset) { 400 | EntryPoint = (PCHAR)ImageBase + Offset; 401 | } 402 | } 403 | } 404 | __except (EXCEPTION_EXECUTE_HANDLER) { 405 | EntryPoint = NULL; 406 | } 407 | 408 | return EntryPoint; 409 | } 410 | 411 | ULONG 412 | NTAPI 413 | FetchTimeStamp( 414 | __in PVOID ImageBase 415 | ) 416 | { 417 | PIMAGE_NT_HEADERS NtHeaders = NULL; 418 | ULONG TimeStamp = 0; 419 | 420 | __try { 421 | NtHeaders = RtlImageNtHeader(ImageBase); 422 | 423 | if (NULL != NtHeaders) { 424 | TimeStamp = NtHeaders->FileHeader.TimeDateStamp; 425 | } 426 | } 427 | __except (EXCEPTION_EXECUTE_HANDLER) { 428 | TimeStamp = 0; 429 | } 430 | 431 | return TimeStamp; 432 | } 433 | 434 | USHORT 435 | NTAPI 436 | FetchSubsystem( 437 | __in PVOID ImageBase 438 | ) 439 | { 440 | PIMAGE_NT_HEADERS NtHeaders = NULL; 441 | USHORT Subsystem = 0; 442 | 443 | __try { 444 | NtHeaders = RtlImageNtHeader(ImageBase); 445 | 446 | if (NULL != NtHeaders) { 447 | if (IMAGE_NT_OPTIONAL_HDR32_MAGIC == NtHeaders->OptionalHeader.Magic) { 448 | Subsystem = ((PIMAGE_NT_HEADERS32)NtHeaders)->OptionalHeader.Subsystem; 449 | } 450 | 451 | if (IMAGE_NT_OPTIONAL_HDR64_MAGIC == NtHeaders->OptionalHeader.Magic) { 452 | Subsystem = ((PIMAGE_NT_HEADERS64)NtHeaders)->OptionalHeader.Subsystem; 453 | } 454 | } 455 | } 456 | __except (EXCEPTION_EXECUTE_HANDLER) { 457 | Subsystem = 0; 458 | } 459 | 460 | return Subsystem; 461 | } 462 | 463 | ULONG 464 | NTAPI 465 | FetchSizeOfImage( 466 | __in PVOID ImageBase 467 | ) 468 | { 469 | PIMAGE_NT_HEADERS NtHeaders = NULL; 470 | ULONG SizeOfImage = 0; 471 | 472 | __try { 473 | NtHeaders = RtlImageNtHeader(ImageBase); 474 | 475 | if (NULL != NtHeaders) { 476 | if (IMAGE_NT_OPTIONAL_HDR32_MAGIC == NtHeaders->OptionalHeader.Magic) { 477 | SizeOfImage = ((PIMAGE_NT_HEADERS32)NtHeaders)->OptionalHeader.SizeOfImage; 478 | } 479 | 480 | if (IMAGE_NT_OPTIONAL_HDR64_MAGIC == NtHeaders->OptionalHeader.Magic) { 481 | SizeOfImage = ((PIMAGE_NT_HEADERS64)NtHeaders)->OptionalHeader.SizeOfImage; 482 | } 483 | } 484 | } 485 | __except (EXCEPTION_EXECUTE_HANDLER) { 486 | SizeOfImage = 0; 487 | } 488 | 489 | return SizeOfImage; 490 | } 491 | 492 | PVOID 493 | NTAPI 494 | GetProcedureAddress( 495 | __in PVOID ImageBase, 496 | __in_opt PSTR ProcedureName, 497 | __in_opt ULONG ProcedureNumber 498 | ) 499 | { 500 | PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL; 501 | ULONG Size = 0; 502 | PULONG NameTable = NULL; 503 | PUSHORT OrdinalTable = NULL; 504 | PULONG AddressTable = NULL; 505 | PSTR NameTableName = NULL; 506 | USHORT HintIndex = 0; 507 | PVOID ProcedureAddress = NULL; 508 | 509 | ExportDirectory = RtlImageDirectoryEntryToData( 510 | ImageBase, 511 | TRUE, 512 | IMAGE_DIRECTORY_ENTRY_EXPORT, 513 | &Size); 514 | 515 | if (NULL != ExportDirectory) { 516 | NameTable = (PCHAR)ImageBase + ExportDirectory->AddressOfNames; 517 | OrdinalTable = (PCHAR)ImageBase + ExportDirectory->AddressOfNameOrdinals; 518 | AddressTable = (PCHAR)ImageBase + ExportDirectory->AddressOfFunctions; 519 | 520 | if (NULL != NameTable && 521 | NULL != OrdinalTable && 522 | NULL != AddressTable) { 523 | if (ProcedureNumber >= ExportDirectory->Base && 524 | ProcedureNumber < MAXSHORT) { 525 | ProcedureAddress = (PCHAR)ImageBase + 526 | AddressTable[ProcedureNumber - ExportDirectory->Base]; 527 | } 528 | else { 529 | for (HintIndex = 0; 530 | HintIndex < ExportDirectory->NumberOfNames; 531 | HintIndex++) { 532 | NameTableName = (PCHAR)ImageBase + NameTable[HintIndex]; 533 | 534 | if (0 == strcmp( 535 | ProcedureName, 536 | NameTableName)) { 537 | ProcedureAddress = (PCHAR)ImageBase + 538 | AddressTable[OrdinalTable[HintIndex]]; 539 | } 540 | } 541 | } 542 | } 543 | } 544 | 545 | return ProcedureAddress; 546 | } 547 | 548 | PULONG_PTR 549 | NTAPI 550 | FindThunk( 551 | __in PVOID ImageBase, 552 | __in PSTR ImportName, 553 | __in_opt PSTR ThunkName, 554 | __in_opt ULONG ThunkNumber 555 | ) 556 | { 557 | PIMAGE_IMPORT_DESCRIPTOR ImportDirectory = NULL; 558 | ULONG Size = 0; 559 | PIMAGE_THUNK_DATA OriginalThunk = NULL; 560 | PIMAGE_THUNK_DATA Thunk = NULL; 561 | PIMAGE_IMPORT_BY_NAME ImportByName = NULL; 562 | USHORT Ordinal = 0; 563 | PSTR ForwardImageName = NULL; 564 | ULONG Index = 0; 565 | PULONG_PTR FoundThunk = NULL; 566 | 567 | ImportDirectory = RtlImageDirectoryEntryToData( 568 | ImageBase, 569 | TRUE, 570 | IMAGE_DIRECTORY_ENTRY_IMPORT, 571 | &Size); 572 | 573 | if (0 != Size) { 574 | do { 575 | OriginalThunk = (PCHAR)ImageBase + ImportDirectory->OriginalFirstThunk; 576 | Thunk = (PCHAR)ImageBase + ImportDirectory->FirstThunk; 577 | ForwardImageName = (PCHAR)ImageBase + ImportDirectory->Name; 578 | 579 | if (0 == _stricmp( 580 | ImportName, 581 | ForwardImageName)) { 582 | do { 583 | if (IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal)) { 584 | Ordinal = (USHORT)IMAGE_ORDINAL(OriginalThunk->u1.Ordinal); 585 | 586 | if (ThunkNumber == Ordinal) { 587 | FoundThunk = &Thunk->u1.Function; 588 | goto exit; 589 | } 590 | } 591 | else { 592 | ImportByName = (PCHAR)ImageBase + OriginalThunk->u1.AddressOfData; 593 | 594 | if (0 == _stricmp( 595 | ImportByName->Name, 596 | ThunkName)) { 597 | FoundThunk = &Thunk->u1.Function; 598 | goto exit; 599 | } 600 | } 601 | 602 | OriginalThunk++; 603 | Thunk++; 604 | } while (OriginalThunk->u1.Function); 605 | } 606 | 607 | ImportDirectory++; 608 | } while (0 != ImportDirectory->Characteristics); 609 | } 610 | 611 | exit: 612 | return FoundThunk; 613 | } 614 | 615 | VOID 616 | NTAPI 617 | ReplaceThunk( 618 | __in PVOID ImageBase, 619 | __in PSTR ImportName, 620 | __in PREPLACE_THUNK ThunkTable, 621 | __in_bcount(ThunkTable) ULONG ThunkCount 622 | ) 623 | { 624 | PIMAGE_IMPORT_DESCRIPTOR ImportDirectory = NULL; 625 | ULONG Size = 0; 626 | PIMAGE_THUNK_DATA OriginalThunk = NULL; 627 | PIMAGE_THUNK_DATA Thunk = NULL; 628 | PIMAGE_IMPORT_BY_NAME ImportByName = NULL; 629 | USHORT Ordinal = 0; 630 | PSTR ForwardImageName = NULL; 631 | ULONG Index = 0; 632 | 633 | ImportDirectory = RtlImageDirectoryEntryToData( 634 | ImageBase, 635 | TRUE, 636 | IMAGE_DIRECTORY_ENTRY_IMPORT, 637 | &Size); 638 | 639 | if (0 != Size) { 640 | do { 641 | OriginalThunk = (PCHAR)ImageBase + ImportDirectory->OriginalFirstThunk; 642 | Thunk = (PCHAR)ImageBase + ImportDirectory->FirstThunk; 643 | ForwardImageName = (PCHAR)ImageBase + ImportDirectory->Name; 644 | 645 | if (0 == _stricmp( 646 | ImportName, 647 | ForwardImageName)) { 648 | do { 649 | if (IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal)) { 650 | Ordinal = (USHORT)IMAGE_ORDINAL(OriginalThunk->u1.Ordinal); 651 | } 652 | else { 653 | ImportByName = (PCHAR)ImageBase + OriginalThunk->u1.AddressOfData; 654 | 655 | for (Index = 0; 656 | Index < ThunkCount; 657 | Index++) { 658 | if (0 == _stricmp( 659 | ImportByName->Name, 660 | ThunkTable[Index].Name)) { 661 | Thunk->u1.Function = (ULONG_PTR)ThunkTable[Index].Function; 662 | } 663 | } 664 | } 665 | 666 | OriginalThunk++; 667 | Thunk++; 668 | } while (OriginalThunk->u1.Function); 669 | } 670 | 671 | ImportDirectory++; 672 | } while (0 != ImportDirectory->Characteristics); 673 | } 674 | } 675 | 676 | VOID 677 | NTAPI 678 | SnapThunk( 679 | __in PVOID ImageBase 680 | ) 681 | { 682 | PIMAGE_IMPORT_DESCRIPTOR ImportDirectory = NULL; 683 | ULONG Size = 0; 684 | PIMAGE_THUNK_DATA OriginalThunk = NULL; 685 | PIMAGE_THUNK_DATA Thunk = NULL; 686 | PIMAGE_IMPORT_BY_NAME ImportByName = NULL; 687 | USHORT Ordinal = 0; 688 | PSTR ForwardImageName = NULL; 689 | PSTR ForwardImageBase = NULL; 690 | PVOID FunctionAddress = NULL; 691 | 692 | ImportDirectory = RtlImageDirectoryEntryToData( 693 | ImageBase, 694 | TRUE, 695 | IMAGE_DIRECTORY_ENTRY_IMPORT, 696 | &Size); 697 | 698 | if (0 != Size) { 699 | do { 700 | OriginalThunk = (PCHAR)ImageBase + ImportDirectory->OriginalFirstThunk; 701 | Thunk = (PCHAR)ImageBase + ImportDirectory->FirstThunk; 702 | ForwardImageName = (PCHAR)ImageBase + ImportDirectory->Name; 703 | ForwardImageBase = GetImageHandle(ForwardImageName); 704 | 705 | if (NULL != ForwardImageBase) { 706 | do { 707 | if (IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal)) { 708 | Ordinal = (USHORT)IMAGE_ORDINAL(OriginalThunk->u1.Ordinal); 709 | 710 | FunctionAddress = GetProcedureAddress( 711 | ForwardImageBase, 712 | NULL, 713 | Ordinal); 714 | 715 | if (NULL != FunctionAddress) { 716 | Thunk->u1.Function = (ULONG_PTR)FunctionAddress; 717 | } 718 | else { 719 | DbgPrint( 720 | "Soul - Testis - import procedure ordinal@%d not found\n", 721 | Ordinal); 722 | } 723 | } 724 | else { 725 | ImportByName = (PCHAR)ImageBase + OriginalThunk->u1.AddressOfData; 726 | 727 | FunctionAddress = GetProcedureAddress( 728 | ForwardImageBase, 729 | ImportByName->Name, 730 | 0); 731 | 732 | if (NULL != FunctionAddress) { 733 | Thunk->u1.Function = (ULONG_PTR)FunctionAddress; 734 | } 735 | else { 736 | DbgPrint( 737 | "Soul - Testis - import procedure %hs not found\n", 738 | ImportByName->Name); 739 | } 740 | } 741 | 742 | OriginalThunk++; 743 | Thunk++; 744 | } while (OriginalThunk->u1.Function); 745 | } 746 | else { 747 | DbgPrint( 748 | "Soul - Testis - import dll %hs not found\n", 749 | ForwardImageName); 750 | } 751 | 752 | ImportDirectory++; 753 | } while (0 != ImportDirectory->Characteristics); 754 | } 755 | } 756 | 757 | FORCEINLINE 758 | ULONG 759 | NTAPI 760 | GetRelocCount( 761 | __in ULONG SizeOfBlock 762 | ) 763 | { 764 | ULONG Count = 0; 765 | 766 | Count = (SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(USHORT); 767 | 768 | return Count; 769 | } 770 | 771 | PIMAGE_BASE_RELOCATION 772 | NTAPI 773 | RelocationBlock( 774 | __in PVOID VA, 775 | __in ULONG Count, 776 | __in PUSHORT NextOffset, 777 | __in LONG_PTR Diff 778 | ) 779 | { 780 | PUSHORT FixupVA = NULL; 781 | USHORT Offset = 0; 782 | USHORT Type = 0; 783 | 784 | while (Count--) { 785 | Offset = *NextOffset & 0xfff; 786 | FixupVA = (PCHAR)VA + Offset; 787 | Type = (*NextOffset >> 12) & 0xf; 788 | 789 | switch (Type) { 790 | case IMAGE_REL_BASED_ABSOLUTE: { 791 | break; 792 | } 793 | 794 | case IMAGE_REL_BASED_HIGH: { 795 | FixupVA[1] += (USHORT)((Diff >> 16) & 0xffff); 796 | break; 797 | } 798 | 799 | case IMAGE_REL_BASED_LOW: { 800 | FixupVA[0] += (USHORT)(Diff & 0xffff); 801 | break; 802 | } 803 | 804 | case IMAGE_REL_BASED_HIGHLOW: { 805 | *(PULONG)FixupVA += (ULONG)Diff; 806 | break; 807 | } 808 | 809 | case IMAGE_REL_BASED_HIGHADJ: { 810 | FixupVA[0] += NextOffset[1] & 0xffff; 811 | FixupVA[1] += (USHORT)((Diff >> 16) & 0xffff); 812 | 813 | ++NextOffset; 814 | --Count; 815 | break; 816 | } 817 | 818 | case IMAGE_REL_BASED_MIPS_JMPADDR: 819 | case IMAGE_REL_BASED_SECTION: 820 | case IMAGE_REL_BASED_REL32: 821 | // case IMAGE_REL_BASED_VXD_RELATIVE: 822 | // case IMAGE_REL_BASED_MIPS_JMPADDR16: 823 | 824 | case IMAGE_REL_BASED_IA64_IMM64: { 825 | break; 826 | } 827 | 828 | case IMAGE_REL_BASED_DIR64: { 829 | *(PULONG_PTR)FixupVA += Diff; 830 | break; 831 | } 832 | 833 | default: { 834 | return NULL; 835 | } 836 | } 837 | 838 | ++NextOffset; 839 | } 840 | 841 | return (PIMAGE_BASE_RELOCATION)NextOffset; 842 | } 843 | 844 | VOID 845 | NTAPI 846 | RelocateImage( 847 | __in PVOID ImageBase, 848 | __in LONG_PTR Diff 849 | ) 850 | { 851 | PIMAGE_BASE_RELOCATION RelocDirectory = NULL; 852 | ULONG Size = 0; 853 | PVOID VA = 0; 854 | 855 | RelocDirectory = RtlImageDirectoryEntryToData( 856 | ImageBase, 857 | TRUE, 858 | IMAGE_DIRECTORY_ENTRY_BASERELOC, 859 | &Size); 860 | 861 | if (0 != Size) { 862 | if (0 != Diff) { 863 | while (0 != Size) { 864 | VA = (PCHAR)ImageBase + RelocDirectory->VirtualAddress; 865 | Size -= RelocDirectory->SizeOfBlock; 866 | 867 | RelocDirectory = RelocationBlock( 868 | VA, 869 | GetRelocCount(RelocDirectory->SizeOfBlock), 870 | (PUSHORT)(RelocDirectory + 1), 871 | Diff); 872 | } 873 | } 874 | } 875 | } 876 | 877 | PVOID 878 | NTAPI 879 | AllocatePages( 880 | __in PVOID ViewBase 881 | ) 882 | { 883 | NTSTATUS Status = STATUS_SUCCESS; 884 | PVOID ImageBase = NULL; 885 | PHYSICAL_ADDRESS HighestAcceptableAddress = { 0 }; 886 | USHORT Subsystem = 0; 887 | ULONG SizeOfImage = 0; 888 | ULONG OldProtect = 0; 889 | 890 | Subsystem = FetchSubsystem(ViewBase); 891 | SizeOfImage = FetchSizeOfImage(ViewBase); 892 | 893 | if (0 != SizeOfImage) { 894 | if (IMAGE_SUBSYSTEM_NATIVE == Subsystem) { 895 | HighestAcceptableAddress.QuadPart = -1; 896 | 897 | ImageBase = MmAllocateContiguousMemory( 898 | SizeOfImage, 899 | HighestAcceptableAddress); 900 | } 901 | else if (IMAGE_SUBSYSTEM_WINDOWS_GUI == Subsystem || 902 | IMAGE_SUBSYSTEM_WINDOWS_CUI == Subsystem) { 903 | Status = ZwAllocateVirtualMemory( 904 | ZwCurrentProcess(), 905 | &ImageBase, 906 | 0, 907 | &SizeOfImage, 908 | MEM_COMMIT, 909 | PAGE_EXECUTE); 910 | 911 | if (NT_SUCCESS(Status)) { 912 | Status = ProtectPages( 913 | ImageBase, 914 | SizeOfImage, 915 | PAGE_READWRITE, 916 | &OldProtect); 917 | } 918 | } 919 | else { 920 | DbgPrint( 921 | "Soul - Testis - image type not supported.\n"); 922 | } 923 | } 924 | 925 | return ImageBase; 926 | } 927 | 928 | VOID 929 | NTAPI 930 | UnloadImage( 931 | __in PVOID ImageBase 932 | ) 933 | { 934 | NTSTATUS Status = STATUS_SUCCESS; 935 | USHORT Subsystem = 0; 936 | SIZE_T RegionSize = 0; 937 | 938 | Subsystem = FetchSubsystem(ImageBase); 939 | if (IMAGE_SUBSYSTEM_NATIVE == Subsystem) { 940 | MmFreeContiguousMemory(ImageBase); 941 | } 942 | else if (IMAGE_SUBSYSTEM_WINDOWS_GUI == Subsystem || 943 | IMAGE_SUBSYSTEM_WINDOWS_CUI == Subsystem) { 944 | 945 | Status = ZwFreeVirtualMemory( 946 | ZwCurrentProcess(), 947 | &ImageBase, 948 | &RegionSize, 949 | MEM_RELEASE); 950 | 951 | NT_SUCCESS(Status); 952 | } 953 | } 954 | 955 | PVOID 956 | NTAPI 957 | MapImage( 958 | __in PVOID ViewBase 959 | ) 960 | { 961 | NTSTATUS Status = STATUS_SUCCESS; 962 | PVOID ImageBase = NULL; 963 | PIMAGE_NT_HEADERS NtHeaders = NULL; 964 | PIMAGE_SECTION_HEADER NtSection = NULL; 965 | LONG_PTR Diff = 0; 966 | SIZE_T Index = 0; 967 | 968 | __try { 969 | NtHeaders = RtlImageNtHeader(ViewBase); 970 | 971 | if (NULL != NtHeaders) { 972 | ImageBase = AllocatePages(ViewBase); 973 | 974 | if (NULL != ImageBase) { 975 | RtlZeroMemory( 976 | ImageBase, 977 | NtHeaders->OptionalHeader.SizeOfImage); 978 | 979 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 980 | 981 | RtlCopyMemory( 982 | ImageBase, 983 | ViewBase, 984 | NtSection->VirtualAddress); 985 | 986 | for (Index = 0; 987 | Index < NtHeaders->FileHeader.NumberOfSections; 988 | Index++) { 989 | RtlCopyMemory( 990 | (PCHAR)ImageBase + NtSection[Index].VirtualAddress, 991 | (PCHAR)ViewBase + NtSection[Index].PointerToRawData, 992 | NtSection[Index].SizeOfRawData); 993 | } 994 | 995 | NtHeaders = RtlImageNtHeader(ImageBase); 996 | 997 | Diff = (LONG_PTR)ImageBase - NtHeaders->OptionalHeader.ImageBase; 998 | NtHeaders->OptionalHeader.ImageBase = (ULONG_PTR)ImageBase; 999 | 1000 | RelocateImage(ImageBase, Diff); 1001 | SnapThunk(ImageBase); 1002 | } 1003 | } 1004 | } 1005 | __except (EXCEPTION_EXECUTE_HANDLER) { 1006 | ImageBase = NULL; 1007 | } 1008 | 1009 | return ImageBase; 1010 | } 1011 | 1012 | static 1013 | ULONG 1014 | NTAPI 1015 | MakeProtection( 1016 | __in PIMAGE_SECTION_HEADER NtSection 1017 | ) 1018 | { 1019 | ULONG Protection = 0; 1020 | 1021 | __try { 1022 | if (FlagOn( 1023 | NtSection->Characteristics, 1024 | IMAGE_SCN_MEM_WRITE) == IMAGE_SCN_MEM_WRITE) { 1025 | Protection = PAGE_READWRITE; 1026 | } 1027 | else { 1028 | if (FlagOn( 1029 | NtSection->Characteristics, 1030 | IMAGE_SCN_MEM_EXECUTE) == IMAGE_SCN_MEM_EXECUTE) { 1031 | Protection = PAGE_EXECUTE_READ; 1032 | } 1033 | else { 1034 | Protection = PAGE_READONLY; 1035 | } 1036 | 1037 | if (FlagOn( 1038 | NtSection->Characteristics, 1039 | IMAGE_SCN_MEM_NOT_CACHED) == IMAGE_SCN_MEM_NOT_CACHED) { 1040 | Protection |= PAGE_NOCACHE; 1041 | } 1042 | } 1043 | } 1044 | __except (EXCEPTION_EXECUTE_HANDLER) { 1045 | Protection = PAGE_EXECUTE_READWRITE; 1046 | } 1047 | 1048 | return Protection; 1049 | } 1050 | 1051 | VOID 1052 | NTAPI 1053 | SetImageProtection( 1054 | __in PVOID ImageBase, 1055 | __in BOOLEAN Reset 1056 | ) 1057 | { 1058 | PIMAGE_NT_HEADERS NtHeaders = NULL; 1059 | PIMAGE_SECTION_HEADER NtSection = NULL; 1060 | ULONG OldProtection = 0; 1061 | ULONG SizeToLock = 0; 1062 | ULONG SizeOfImage = 0; 1063 | PVOID BaseAddress = NULL; 1064 | SIZE_T RegionSize = 0; 1065 | ULONG Index = 0; 1066 | 1067 | __try { 1068 | NtHeaders = RtlImageNtHeader(ImageBase); 1069 | SizeOfImage = FetchSizeOfImage(ImageBase); 1070 | 1071 | if (NULL != NtHeaders) { 1072 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 1073 | 1074 | BaseAddress = ImageBase; 1075 | RegionSize = NtSection->VirtualAddress; 1076 | 1077 | ProtectPages( 1078 | BaseAddress, 1079 | RegionSize, 1080 | PAGE_READONLY, 1081 | &OldProtection); 1082 | 1083 | for (Index = 0; 1084 | Index < NtHeaders->FileHeader.NumberOfSections; 1085 | Index++) { 1086 | if (0 != NtSection[Index].PointerToRawData) { 1087 | SizeToLock = NtSection[Index].SizeOfRawData; 1088 | 1089 | if (SizeToLock < NtSection[Index].Misc.VirtualSize) { 1090 | SizeToLock = NtSection[Index].Misc.VirtualSize; 1091 | } 1092 | 1093 | BaseAddress = (PCHAR)ImageBase + NtSection[Index].VirtualAddress; 1094 | RegionSize = SizeToLock; 1095 | 1096 | ProtectPages( 1097 | BaseAddress, 1098 | RegionSize, 1099 | FALSE != Reset ? 1100 | PAGE_EXECUTE_READWRITE : 1101 | MakeProtection(&NtSection[Index]), 1102 | &OldProtection); 1103 | } 1104 | } 1105 | } 1106 | } 1107 | __except (EXCEPTION_EXECUTE_HANDLER) { 1108 | NOTHING; 1109 | } 1110 | } 1111 | 1112 | VOID 1113 | NTAPI 1114 | LoadImage( 1115 | __in PVOID ViewBase, 1116 | __out_opt PVOID * ImageHandle 1117 | ) 1118 | { 1119 | PVOID ImageBase = NULL; 1120 | 1121 | ImageBase = MapImage(ViewBase); 1122 | 1123 | if (NULL != ImageBase) { 1124 | if ((ULONG_PTR)ImageBase <= *(PULONG_PTR)MM_HIGHEST_USER_ADDRESS) { 1125 | SetImageProtection(ImageBase, FALSE); 1126 | 1127 | #ifndef _WIN64 1128 | if (OsBuildNumber < 9200) { 1129 | InsertUserSpecialInvertedFunctionTable( 1130 | ImageBase, 1131 | FetchSizeOfImage(ImageBase)); 1132 | } 1133 | else { 1134 | InsertUserInvertedFunctionTable( 1135 | ImageBase, 1136 | FetchSizeOfImage(ImageBase)); 1137 | } 1138 | #else 1139 | InsertUserInvertedFunctionTable( 1140 | ImageBase, 1141 | FetchSizeOfImage(ImageBase)); 1142 | #endif // !_WIN64 1143 | } 1144 | else { 1145 | if (NULL != LdrList) { 1146 | InsertInvertedFunctionTable( 1147 | ImageBase, 1148 | FetchSizeOfImage(ImageBase)); 1149 | } 1150 | } 1151 | 1152 | *ImageHandle = ImageBase; 1153 | } 1154 | } 1155 | 1156 | PKLDR_DATA_TABLE_ENTRY 1157 | NTAPI 1158 | InsertDataTableEntry( 1159 | __in PCWSTR ImageName, 1160 | __in PVOID ImageHandle 1161 | ) 1162 | { 1163 | PKLDR_DATA_TABLE_ENTRY DataTableEntry = NULL; 1164 | 1165 | if (NULL == LdrList) { 1166 | LdrList = ExAllocatePool( 1167 | NonPagedPool, 1168 | sizeof(LIST_ENTRY)); 1169 | 1170 | if (NULL != LdrList) { 1171 | InitializeListHead(LdrList); 1172 | } 1173 | } 1174 | 1175 | if (NULL != LdrList) { 1176 | DataTableEntry = ExAllocatePool( 1177 | NonPagedPool, 1178 | sizeof(KLDR_DATA_TABLE_ENTRY) + 1179 | MAXIMUM_FILENAME_LENGTH * sizeof(WCHAR) * 2); 1180 | 1181 | if (NULL != DataTableEntry) { 1182 | RtlZeroMemory( 1183 | DataTableEntry, 1184 | sizeof(KLDR_DATA_TABLE_ENTRY) + 1185 | MAXIMUM_FILENAME_LENGTH * sizeof(WCHAR) * 2); 1186 | 1187 | DataTableEntry->DllBase = ImageHandle; 1188 | DataTableEntry->SizeOfImage = FetchSizeOfImage(ImageHandle); 1189 | DataTableEntry->EntryPoint = FetchAddressOfEntryPoint(ImageHandle); 1190 | 1191 | CaptureImageExceptionValues( 1192 | ImageHandle, 1193 | &DataTableEntry->ExceptionTable, 1194 | &DataTableEntry->ExceptionTableSize); 1195 | 1196 | DataTableEntry->FullDllName.Buffer = DataTableEntry + 1; 1197 | 1198 | DataTableEntry->FullDllName.MaximumLength = MAXIMUM_FILENAME_LENGTH * sizeof(WCHAR); 1199 | 1200 | wcscat( 1201 | DataTableEntry->FullDllName.Buffer, 1202 | L"Pfs:\\"); 1203 | 1204 | wcscat( 1205 | DataTableEntry->FullDllName.Buffer, 1206 | ImageName); 1207 | 1208 | DataTableEntry->FullDllName.Length = 1209 | wcslen(DataTableEntry->FullDllName.Buffer) * sizeof(WCHAR); 1210 | 1211 | DataTableEntry->BaseDllName.Buffer = 1212 | DataTableEntry->FullDllName.Buffer + MAXIMUM_FILENAME_LENGTH; 1213 | 1214 | DataTableEntry->BaseDllName.MaximumLength = MAXIMUM_FILENAME_LENGTH * sizeof(WCHAR); 1215 | 1216 | wcscat( 1217 | DataTableEntry->BaseDllName.Buffer, 1218 | ImageName); 1219 | 1220 | DataTableEntry->BaseDllName.Length = 1221 | wcslen(DataTableEntry->BaseDllName.Buffer) * sizeof(WCHAR); 1222 | 1223 | InsertTailList( 1224 | LdrList, 1225 | &DataTableEntry->InLoadOrderLinks); 1226 | } 1227 | } 1228 | 1229 | return DataTableEntry; 1230 | } 1231 | 1232 | #ifdef _WIN64 1233 | NTSTATUS 1234 | NTAPI 1235 | Wx86FindEntryForAddress( 1236 | __in PVOID Address, 1237 | __out PLDR_DATA_TABLE_ENTRY32 * TableEntry 1238 | ) 1239 | { 1240 | NTSTATUS Status = STATUS_NO_MORE_ENTRIES; 1241 | PWOW64_PROCESS Wow64Process = NULL; 1242 | PPEB32 Peb = NULL; 1243 | PPEB_LDR_DATA32 Ldr = NULL; 1244 | PLDR_DATA_TABLE_ENTRY32 LdrDataTableEntry = NULL; 1245 | PLDR_DATA_TABLE_ENTRY32 FoundDataTableEntry = NULL; 1246 | 1247 | Wow64Process = PsGetCurrentProcessWow64Process(); 1248 | 1249 | if (NULL != Wow64Process) { 1250 | Peb = (PPEB32)&Wow64Process->Wow64; 1251 | 1252 | Ldr = ULongToPtr(Peb->Ldr); 1253 | 1254 | if (NULL != Ldr) { 1255 | LdrDataTableEntry = CONTAINING_RECORD( 1256 | &Ldr->InLoadOrderModuleList, 1257 | LDR_DATA_TABLE_ENTRY32, 1258 | InLoadOrderLinks); 1259 | 1260 | FoundDataTableEntry = CONTAINING_RECORD( 1261 | ULongToPtr(LdrDataTableEntry->InLoadOrderLinks.Flink), 1262 | LDR_DATA_TABLE_ENTRY32, 1263 | InLoadOrderLinks); 1264 | 1265 | if (NULL == Address) { 1266 | Address = ULongToPtr(Peb->ImageBaseAddress); 1267 | } 1268 | 1269 | while (FoundDataTableEntry != LdrDataTableEntry) { 1270 | if (PtrToUlong(Address) >= FoundDataTableEntry->DllBase && 1271 | PtrToUlong(Address) <= FoundDataTableEntry->DllBase + 1272 | FoundDataTableEntry->SizeOfImage) { 1273 | *TableEntry = FoundDataTableEntry; 1274 | Status = STATUS_SUCCESS; 1275 | goto exit; 1276 | } 1277 | 1278 | FoundDataTableEntry = CONTAINING_RECORD( 1279 | ULongToPtr(FoundDataTableEntry->InLoadOrderLinks.Flink), 1280 | LDR_DATA_TABLE_ENTRY32, 1281 | InLoadOrderLinks); 1282 | } 1283 | } 1284 | } 1285 | 1286 | exit: 1287 | return Status; 1288 | } 1289 | 1290 | ULONG 1291 | NTAPI 1292 | Wx86GetImageHandle( 1293 | __in PSTR ImageName 1294 | ) 1295 | { 1296 | NTSTATUS Status = STATUS_SUCCESS; 1297 | PWOW64_PROCESS Wow64Process = NULL; 1298 | PPEB32 Peb = NULL; 1299 | PPEB_LDR_DATA32 Ldr = NULL; 1300 | PLDR_DATA_TABLE_ENTRY32 LdrDataTableEntry = NULL; 1301 | PLDR_DATA_TABLE_ENTRY32 FoundDataTableEntry = NULL; 1302 | ANSI_STRING AnsiImageFileName = { 0 }; 1303 | UNICODE_STRING ImageFileName = { 0 }; 1304 | UNICODE_STRING Wx86ImageFileName = { 0 }; 1305 | ULONG ImageBase = 0; 1306 | 1307 | Wow64Process = PsGetCurrentProcessWow64Process(); 1308 | 1309 | if (NULL != Wow64Process) { 1310 | Peb = (PPEB32)&Wow64Process->Wow64; 1311 | 1312 | Ldr = ULongToPtr(Peb->Ldr); 1313 | 1314 | if (NULL != Ldr) { 1315 | LdrDataTableEntry = CONTAINING_RECORD( 1316 | &Ldr->InLoadOrderModuleList, 1317 | LDR_DATA_TABLE_ENTRY32, 1318 | InLoadOrderLinks); 1319 | 1320 | FoundDataTableEntry = CONTAINING_RECORD( 1321 | ULongToPtr(LdrDataTableEntry->InLoadOrderLinks.Flink), 1322 | LDR_DATA_TABLE_ENTRY32, 1323 | InLoadOrderLinks); 1324 | 1325 | if (NULL == ImageName) { 1326 | ImageBase = Peb->ImageBaseAddress; 1327 | goto exit; 1328 | } 1329 | else { 1330 | RtlInitAnsiString( 1331 | &AnsiImageFileName, 1332 | ImageName); 1333 | 1334 | Status = RtlAnsiStringToUnicodeString( 1335 | &ImageFileName, 1336 | &AnsiImageFileName, 1337 | TRUE); 1338 | 1339 | if (NT_SUCCESS(Status)) { 1340 | while (FoundDataTableEntry != LdrDataTableEntry) { 1341 | UStr32ToUStr(&Wx86ImageFileName, &FoundDataTableEntry->BaseDllName); 1342 | 1343 | if (FALSE != RtlEqualUnicodeString( 1344 | &ImageFileName, 1345 | &Wx86ImageFileName, 1346 | TRUE)) { 1347 | ImageBase = FoundDataTableEntry->DllBase; 1348 | RtlFreeUnicodeString(&ImageFileName); 1349 | goto exit; 1350 | } 1351 | 1352 | FoundDataTableEntry = CONTAINING_RECORD( 1353 | ULongToPtr(FoundDataTableEntry->InLoadOrderLinks.Flink), 1354 | LDR_DATA_TABLE_ENTRY32, 1355 | InLoadOrderLinks); 1356 | } 1357 | 1358 | RtlFreeUnicodeString(&ImageFileName); 1359 | } 1360 | } 1361 | } 1362 | } 1363 | 1364 | exit: 1365 | return ImageBase; 1366 | } 1367 | 1368 | ULONG 1369 | NTAPI 1370 | Wx86GetProcedureAddress( 1371 | __in ULONG ImageHandle, 1372 | __in_opt PSTR ProcedureName, 1373 | __in_opt ULONG ProcedureNumber 1374 | ) 1375 | { 1376 | PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL; 1377 | ULONG Size = 0; 1378 | PULONG NameTable = NULL; 1379 | PUSHORT OrdinalTable = NULL; 1380 | PULONG AddressTable = NULL; 1381 | PSTR NameTableName = NULL; 1382 | USHORT HintIndex = 0; 1383 | ULONG ProcedureAddress = 0; 1384 | 1385 | ExportDirectory = RtlImageDirectoryEntryToData( 1386 | ULongToPtr(ImageHandle), 1387 | TRUE, 1388 | IMAGE_DIRECTORY_ENTRY_EXPORT, 1389 | &Size); 1390 | 1391 | if (NULL != ExportDirectory) { 1392 | NameTable = (PCHAR)ULongToPtr(ImageHandle) + ExportDirectory->AddressOfNames; 1393 | OrdinalTable = (PCHAR)ULongToPtr(ImageHandle) + ExportDirectory->AddressOfNameOrdinals; 1394 | AddressTable = (PCHAR)ULongToPtr(ImageHandle) + ExportDirectory->AddressOfFunctions; 1395 | 1396 | if (NULL != NameTable && 1397 | NULL != OrdinalTable && 1398 | NULL != AddressTable) { 1399 | if (ProcedureNumber >= ExportDirectory->Base && 1400 | ProcedureNumber < MAXSHORT) { 1401 | ProcedureAddress = ImageHandle + 1402 | AddressTable[ProcedureNumber - ExportDirectory->Base]; 1403 | } 1404 | else { 1405 | for (HintIndex = 0; 1406 | HintIndex < ExportDirectory->NumberOfNames; 1407 | HintIndex++) { 1408 | NameTableName = (PCHAR)ULongToPtr(ImageHandle) + NameTable[HintIndex]; 1409 | 1410 | if (0 == strcmp( 1411 | ProcedureName, 1412 | NameTableName)) { 1413 | ProcedureAddress = ImageHandle + 1414 | AddressTable[OrdinalTable[HintIndex]]; 1415 | } 1416 | } 1417 | } 1418 | } 1419 | } 1420 | 1421 | return ProcedureAddress; 1422 | } 1423 | 1424 | VOID 1425 | NTAPI 1426 | Wx86SnapThunk( 1427 | __in ULONG ImageHandle 1428 | ) 1429 | { 1430 | PIMAGE_IMPORT_DESCRIPTOR ImportDirectory = NULL; 1431 | ULONG Size = 0; 1432 | PIMAGE_THUNK_DATA32 OriginalThunk = NULL; 1433 | PIMAGE_THUNK_DATA32 Thunk = NULL; 1434 | PIMAGE_IMPORT_BY_NAME ImportByName = NULL; 1435 | USHORT Ordinal = 0; 1436 | ULONG ImportDllName = 0; 1437 | ULONG ImportDllHandle = 0; 1438 | ULONG FunctionAddress = 0; 1439 | 1440 | ImportDirectory = RtlImageDirectoryEntryToData( 1441 | ULongToPtr(ImageHandle), 1442 | TRUE, 1443 | IMAGE_DIRECTORY_ENTRY_IMPORT, 1444 | &Size); 1445 | 1446 | if (0 != Size) { 1447 | do { 1448 | OriginalThunk = (PCHAR)ULongToPtr(ImageHandle) + ImportDirectory->OriginalFirstThunk; 1449 | Thunk = (PCHAR)ULongToPtr(ImageHandle) + ImportDirectory->FirstThunk; 1450 | ImportDllName = ImageHandle + ImportDirectory->Name; 1451 | 1452 | ImportDllHandle = Wx86GetImageHandle(UlongToPtr(ImportDllName)); 1453 | 1454 | if (0 != ImportDllHandle) { 1455 | do { 1456 | Ordinal = IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal); 1457 | 1458 | if (0 != Ordinal) { 1459 | FunctionAddress = Wx86GetProcedureAddress( 1460 | ImportDllHandle, 1461 | NULL, 1462 | Ordinal); 1463 | 1464 | if (0 != FunctionAddress) { 1465 | Thunk->u1.Function = FunctionAddress; 1466 | } 1467 | else { 1468 | DbgPrint( 1469 | "Soul - Testis - import procedure ordinal@%d not found\n", 1470 | Ordinal); 1471 | } 1472 | } 1473 | else { 1474 | ImportByName = (PCHAR)ULongToPtr(ImageHandle) + OriginalThunk->u1.AddressOfData; 1475 | 1476 | FunctionAddress = Wx86GetProcedureAddress( 1477 | ImportDllHandle, 1478 | ImportByName->Name, 1479 | 0); 1480 | 1481 | if (0 != FunctionAddress) { 1482 | Thunk->u1.Function = FunctionAddress; 1483 | } 1484 | else { 1485 | DbgPrint( 1486 | "Soul - Testis - import procedure %hs not found\n", 1487 | ImportByName->Name); 1488 | } 1489 | } 1490 | 1491 | OriginalThunk++; 1492 | Thunk++; 1493 | } while (OriginalThunk->u1.Function); 1494 | } 1495 | else { 1496 | DbgPrint( 1497 | "Soul - Testis - import dll %hs not found\n", 1498 | ImportDllName); 1499 | } 1500 | 1501 | ImportDirectory++; 1502 | } while (0 != ImportDirectory->Characteristics); 1503 | } 1504 | } 1505 | 1506 | PVOID 1507 | NTAPI 1508 | Wx86MapImage( 1509 | __in PVOID ViewBase 1510 | ) 1511 | { 1512 | NTSTATUS Status = STATUS_SUCCESS; 1513 | PVOID ImageBase = 0; 1514 | PIMAGE_NT_HEADERS32 NtHeaders = NULL; 1515 | PIMAGE_SECTION_HEADER NtSection = NULL; 1516 | LONG Diff = 0; 1517 | SIZE_T Index = 0; 1518 | 1519 | NtHeaders = RtlImageNtHeader(ViewBase); 1520 | 1521 | if (NULL != NtHeaders) { 1522 | ImageBase = AllocatePages(ViewBase); 1523 | 1524 | if (NULL != ImageBase && 1525 | 0 == ((ULONG_PTR)ImageBase >> 32)) { 1526 | RtlZeroMemory( 1527 | ImageBase, 1528 | NtHeaders->OptionalHeader.SizeOfImage); 1529 | 1530 | NtSection = IMAGE_FIRST_SECTION(NtHeaders); 1531 | 1532 | RtlCopyMemory( 1533 | ImageBase, 1534 | ViewBase, 1535 | NtSection->VirtualAddress); 1536 | 1537 | for (Index = 0; 1538 | Index < NtHeaders->FileHeader.NumberOfSections; 1539 | Index++) { 1540 | if (0 != NtSection[Index].PointerToRawData) { 1541 | RtlCopyMemory( 1542 | (PCHAR)ImageBase + NtSection[Index].VirtualAddress, 1543 | (PCHAR)ViewBase + NtSection[Index].PointerToRawData, 1544 | NtSection[Index].SizeOfRawData); 1545 | } 1546 | } 1547 | 1548 | NtHeaders = RtlImageNtHeader(ImageBase); 1549 | 1550 | Diff = PtrToLong(ImageBase) - NtHeaders->OptionalHeader.ImageBase; 1551 | NtHeaders->OptionalHeader.ImageBase = PtrToUlong(ImageBase); 1552 | 1553 | RelocateImage(ImageBase, Diff); 1554 | Wx86SnapThunk(PtrToUlong(ImageBase)); 1555 | } 1556 | else { 1557 | UnloadImage(ImageBase); 1558 | ImageBase = NULL; 1559 | } 1560 | } 1561 | 1562 | return ImageBase; 1563 | } 1564 | 1565 | VOID 1566 | NTAPI 1567 | Wx86LoadImage( 1568 | __in PVOID ViewBase, 1569 | __out PVOID * ImageHandle 1570 | ) 1571 | { 1572 | PVOID ImageBase = NULL; 1573 | 1574 | ImageBase = Wx86MapImage(ViewBase); 1575 | 1576 | if (NULL != ImageBase) { 1577 | SetImageProtection(ImageBase, FALSE); 1578 | 1579 | if (OsBuildNumber < 9200) { 1580 | InsertWx86UserSpecialInvertedFunctionTable( 1581 | ImageBase, 1582 | FetchSizeOfImage(ImageBase)); 1583 | } 1584 | else { 1585 | InsertWx86UserInvertedFunctionTable( 1586 | ImageBase, 1587 | FetchSizeOfImage(ImageBase)); 1588 | } 1589 | 1590 | *ImageHandle = ImageBase; 1591 | } 1592 | } 1593 | 1594 | #endif // _WIN64 1595 | -------------------------------------------------------------------------------- /Reload.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | * 5 | * The contents of this file are subject to the Mozilla Public License Version 6 | * 2.0 (the "License"); you may not use this file except in compliance with 7 | * the License. You may obtain a copy of the License at 8 | * http://www.mozilla.org/MPL/ 9 | * 10 | * Software distributed under the License is distributed on an "AS IS" basis, 11 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. SEe the License 12 | * for the specific language governing rights and limitations under the 13 | * License. 14 | * 15 | * The Initial Developer of the Original e is blindtiger. 16 | * 17 | */ 18 | 19 | #ifndef _RELOAD_H_ 20 | #define _RELOAD_H_ 21 | 22 | #ifdef __cplusplus 23 | /* Assume C declarations for C++ */ 24 | extern "C" { 25 | #endif /* __cplusplus */ 26 | 27 | typedef struct _REPLACE_THUNK { 28 | PSTR Name; 29 | USHORT Ordinal; 30 | PSTR ReplaceName; 31 | USHORT ReplaceOrdinal; 32 | PVOID Function; 33 | } REPLACE_THUNK, *PREPLACE_THUNK; 34 | 35 | NTSTATUS 36 | NTAPI 37 | FindEntryForDriver( 38 | __in PSTR DriverName, 39 | __out PKLDR_DATA_TABLE_ENTRY * DataTableEntry 40 | ); 41 | 42 | NTSTATUS 43 | NTAPI 44 | FindEntryForAddress( 45 | __in PVOID Address, 46 | __out PLDR_DATA_TABLE_ENTRY * TableEntry 47 | ); 48 | 49 | PVOID 50 | NTAPI 51 | GetImageHandle( 52 | __in PSTR ImageName 53 | ); 54 | 55 | PVOID 56 | NTAPI 57 | FetchAddressOfEntryPoint( 58 | __in PVOID ImageBase 59 | ); 60 | 61 | ULONG 62 | NTAPI 63 | FetchSizeOfImage( 64 | __in PVOID ImageBase 65 | ); 66 | 67 | PVOID 68 | NTAPI 69 | GetProcedureAddress( 70 | __in PVOID ImageHandle, 71 | __in_opt PSTR ProcedureName, 72 | __in_opt ULONG ProcedureNumber 73 | ); 74 | 75 | PULONG_PTR 76 | NTAPI 77 | FindThunk( 78 | __in PVOID ImageBase, 79 | __in PSTR ImportName, 80 | __in_opt PSTR ThunkName, 81 | __in_opt ULONG ThunkNumber 82 | ); 83 | 84 | VOID 85 | NTAPI 86 | ReplaceThunk( 87 | __in PVOID ImageBase, 88 | __in PSTR ImportName, 89 | __in PREPLACE_THUNK ThunkTable, 90 | __in_bcount(ThunkTable) ULONG ThunkCount 91 | ); 92 | 93 | VOID 94 | NTAPI 95 | SetImageProtection( 96 | __in PVOID ImageBase, 97 | __in BOOLEAN Reset 98 | ); 99 | 100 | VOID 101 | NTAPI 102 | UnloadImage( 103 | __in PVOID ImageBase 104 | ); 105 | 106 | VOID 107 | NTAPI 108 | LoadImage( 109 | __in PVOID ViewBase, 110 | __out_opt PVOID * ImageHandle 111 | ); 112 | 113 | PKLDR_DATA_TABLE_ENTRY 114 | NTAPI 115 | InsertDataTableEntry( 116 | __in PCWSTR ImageName, 117 | __in PVOID ImageHandle 118 | ); 119 | 120 | #ifdef _WIN64 121 | NTSTATUS 122 | NTAPI 123 | Wx86FindEntryForAddress( 124 | __in PVOID Address, 125 | __out PLDR_DATA_TABLE_ENTRY32 * TableEntry 126 | ); 127 | 128 | ULONG 129 | NTAPI 130 | Wx86GetImageHandle( 131 | __in PSTR ImageName 132 | ); 133 | 134 | ULONG 135 | NTAPI 136 | Wx86GetProcedureAddress( 137 | __in ULONG ImageHandle, 138 | __in_opt PSTR ProcedureName, 139 | __in_opt ULONG ProcedureNumber 140 | ); 141 | 142 | VOID 143 | NTAPI 144 | Wx86LoadImage( 145 | __in PVOID ViewBase, 146 | __out PVOID * ImageHandle 147 | ); 148 | #endif // _WIN64 149 | 150 | #ifdef __cplusplus 151 | } 152 | #endif /* __cplusplus */ 153 | 154 | #endif // !_RELOAD_H_ 155 | -------------------------------------------------------------------------------- /Stubs.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | * 5 | * The contents of this file are subject to the Mozilla Public License Version 6 | * 2.0 (the "License"); you may not use this file except in compliance with 7 | * the License. You may obtain a copy of the License at 8 | * http://www.mozilla.org/MPL/ 9 | * 10 | * Software distributed under the License is distributed on an "AS IS" basis, 11 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. Ree the License 12 | * for the specific language governing rights and limitations under the 13 | * License. 14 | * 15 | * The Initial Developer of the Original e is blindtiger. 16 | * 17 | */ 18 | 19 | #ifndef _STUBS_H_ 20 | #define _STUBS_H_ 21 | 22 | #ifdef __cplusplus 23 | /* Assume C declarations for C++ */ 24 | extern "C" { 25 | #endif /* __cplusplus */ 26 | 27 | typedef enum _KSTUBS_CLASS { 28 | NumberAcceptConnectPort, 29 | NumberAccessCheck, 30 | NumberAccessCheckAndAuditAlarm, 31 | NumberAccessCheckByType, 32 | NumberAccessCheckByTypeAndAuditAlarm, 33 | NumberAccessCheckByTypeResultList, 34 | NumberAccessCheckByTypeResultListAndAuditAlarm, 35 | NumberAccessCheckByTypeResultListAndAuditAlarmByHandle, 36 | NumberAcquireCMFViewOwnership, 37 | NumberAcquireProcessActivityReference, 38 | NumberAddAtom, 39 | NumberAddAtomEx, 40 | NumberAddBootEntry, 41 | NumberAddDriverEntry, 42 | NumberAdjustGroupsToken, 43 | NumberAdjustPrivilegesToken, 44 | NumberAdjustTokenClaimsAndDeviceGroups, 45 | NumberAlertResumeThread, 46 | NumberAlertThread, 47 | NumberAlertThreadByThreadId, 48 | NumberAllocateLocallyUniqueId, 49 | NumberAllocateReserveObject, 50 | NumberAllocateUserPhysicalPages, 51 | NumberAllocateUuids, 52 | NumberAllocateVirtualMemory, 53 | NumberAllocateVirtualMemoryEx, 54 | NumberAlpcAcceptConnectPort, 55 | NumberAlpcCancelMessage, 56 | NumberAlpcConnectPort, 57 | NumberAlpcConnectPortEx, 58 | NumberAlpcCreatePort, 59 | NumberAlpcCreatePortSection, 60 | NumberAlpcCreateResourceReserve, 61 | NumberAlpcCreateSectionView, 62 | NumberAlpcCreateSecurityContext, 63 | NumberAlpcDeletePortSection, 64 | NumberAlpcDeleteResourceReserve, 65 | NumberAlpcDeleteSectionView, 66 | NumberAlpcDeleteSecurityContext, 67 | NumberAlpcDisconnectPort, 68 | NumberAlpcImpersonateClientContainerOfPort, 69 | NumberAlpcImpersonateClientOfPort, 70 | NumberAlpcOpenSenderProcess, 71 | NumberAlpcOpenSenderThread, 72 | NumberAlpcQueryInformation, 73 | NumberAlpcQueryInformationMessage, 74 | NumberAlpcRevokeSecurityContext, 75 | NumberAlpcSendWaitReceivePort, 76 | NumberAlpcSetInformation, 77 | NumberApphelpCacheControl, 78 | NumberAreMappedFilesTheSame, 79 | NumberAssignProcessToJobObject, 80 | NumberAssociateWaitCompletionPacket, 81 | NumberCallEnclave, 82 | NumberCallbackReturn, 83 | NumberCancelDeviceWakeupRequest, 84 | NumberCancelIoFile, 85 | NumberCancelIoFileEx, 86 | NumberCancelSynchronousIoFile, 87 | NumberCancelTimer, 88 | NumberCancelTimer2, 89 | NumberCancelWaitCompletionPacket, 90 | NumberClearAllSavepointsTransaction, 91 | NumberClearEvent, 92 | NumberClearSavepointTransaction, 93 | NumberClose, 94 | NumberCloseObjectAuditAlarm, 95 | NumberCommitComplete, 96 | NumberCommitEnlistment, 97 | NumberCommitRegistryTransaction, 98 | NumberCommitTransaction, 99 | NumberCompactKeys, 100 | NumberCompareObjects, 101 | NumberCompareSigningLevels, 102 | NumberCompareTokens, 103 | NumberCompleteConnectPort, 104 | NumberCompressKey, 105 | NumberConnectPort, 106 | NumberContinue, 107 | NumberConvertBetweenAuxiliaryCounterAndPerformanceCounter, 108 | NumberCreateDebugObject, 109 | NumberCreateDirectoryObject, 110 | NumberCreateDirectoryObjectEx, 111 | NumberCreateEnclave, 112 | NumberCreateEnlistment, 113 | NumberCreateEvent, 114 | NumberCreateEventPair, 115 | NumberCreateFile, 116 | NumberCreateIRTimer, 117 | NumberCreateIoCompletion, 118 | NumberCreateJobObject, 119 | NumberCreateJobSet, 120 | NumberCreateKey, 121 | NumberCreateKeyTransacted, 122 | NumberCreateKeyedEvent, 123 | NumberCreateLowBoxToken, 124 | NumberCreateMailslotFile, 125 | NumberCreateMutant, 126 | NumberCreateNamedPipeFile, 127 | NumberCreatePagingFile, 128 | NumberCreatePartition, 129 | NumberCreatePort, 130 | NumberCreatePrivateNamespace, 131 | NumberCreateProcess, 132 | NumberCreateProcessEx, 133 | NumberCreateProfile, 134 | NumberCreateProfileEx, 135 | NumberCreateRegistryTransaction, 136 | NumberCreateResourceManager, 137 | NumberCreateSection, 138 | NumberCreateSemaphore, 139 | NumberCreateSymbolicLinkObject, 140 | NumberCreateThread, 141 | NumberCreateThreadEx, 142 | NumberCreateTimer, 143 | NumberCreateTimer2, 144 | NumberCreateToken, 145 | NumberCreateTokenEx, 146 | NumberCreateTransaction, 147 | NumberCreateTransactionManager, 148 | NumberCreateUserProcess, 149 | NumberCreateWaitCompletionPacket, 150 | NumberCreateWaitablePort, 151 | NumberCreateWnfStateName, 152 | NumberCreateWorkerFactory, 153 | NumberDebugActiveProcess, 154 | NumberDebugContinue, 155 | NumberDelayExecution, 156 | NumberDeleteAtom, 157 | NumberDeleteBootEntry, 158 | NumberDeleteDriverEntry, 159 | NumberDeleteFile, 160 | NumberDeleteKey, 161 | NumberDeleteObjectAuditAlarm, 162 | NumberDeletePrivateNamespace, 163 | NumberDeleteValueKey, 164 | NumberDeleteWnfStateData, 165 | NumberDeleteWnfStateName, 166 | NumberDeviceIoControlFile, 167 | NumberDisableLastKnownGood, 168 | NumberDisplayString, 169 | NumberDrawText, 170 | NumberDuplicateObject, 171 | NumberDuplicateToken, 172 | NumberEnableLastKnownGood, 173 | NumberEnumerateBootEntries, 174 | NumberEnumerateDriverEntries, 175 | NumberEnumerateKey, 176 | NumberEnumerateSystemEnvironmentValuesEx, 177 | NumberEnumerateTransactionObject, 178 | NumberEnumerateValueKey, 179 | NumberExtendSection, 180 | NumberFilterBootOption, 181 | NumberFilterToken, 182 | NumberFilterTokenEx, 183 | NumberFindAtom, 184 | NumberFlushBuffersFile, 185 | NumberFlushBuffersFileEx, 186 | NumberFlushInstallUILanguage, 187 | NumberFlushInstructionCache, 188 | NumberFlushKey, 189 | NumberFlushProcessWriteBuffers, 190 | NumberFlushVirtualMemory, 191 | NumberFlushWriteBuffer, 192 | NumberFreeUserPhysicalPages, 193 | NumberFreeVirtualMemory, 194 | NumberFreezeRegistry, 195 | NumberFreezeTransactions, 196 | NumberFsControlFile, 197 | NumberGetCachedSigningLevel, 198 | NumberGetCompleteWnfStateSubscription, 199 | NumberGetContextThread, 200 | NumberGetCurrentProcessorNumber, 201 | NumberGetCurrentProcessorNumberEx, 202 | NumberGetDevicePowerState, 203 | NumberGetMUIRegistryInfo, 204 | NumberGetNextProcess, 205 | NumberGetNextThread, 206 | NumberGetNlsSectionPtr, 207 | NumberGetNotificationResourceManager, 208 | NumberGetPlugPlayEvent, 209 | NumberGetWriteWatch, 210 | NumberImpersonateAnonymousToken, 211 | NumberImpersonateClientOfPort, 212 | NumberImpersonateThread, 213 | NumberInitializeEnclave, 214 | NumberInitializeNlsFiles, 215 | NumberInitializeRegistry, 216 | NumberInitiatePowerAction, 217 | NumberIsProcessInJob, 218 | NumberIsSystemResumeAutomatic, 219 | NumberIsUILanguageComitted, 220 | NumberListTransactions, 221 | NumberListenPort, 222 | NumberLoadDriver, 223 | NumberLoadEnclaveData, 224 | NumberLoadHotPatch, 225 | NumberLoadKey, 226 | NumberLoadKey2, 227 | NumberLoadKeyEx, 228 | NumberLockFile, 229 | NumberLockProductActivationKeys, 230 | NumberLockRegistryKey, 231 | NumberLockVirtualMemory, 232 | NumberMakePermanentObject, 233 | NumberMakeTemporaryObject, 234 | NumberManagePartition, 235 | NumberMapCMFModule, 236 | NumberMapUserPhysicalPages, 237 | NumberMapUserPhysicalPagesScatter, 238 | NumberMapViewOfSection, 239 | NumberMapViewOfSectionEx, 240 | NumberMarshallTransaction, 241 | NumberModifyBootEntry, 242 | NumberModifyDriverEntry, 243 | NumberNotifyChangeDirectoryFile, 244 | NumberNotifyChangeDirectoryFileEx, 245 | NumberNotifyChangeKey, 246 | NumberNotifyChangeMultipleKeys, 247 | NumberNotifyChangeSession, 248 | NumberOpenDirectoryObject, 249 | NumberOpenEnlistment, 250 | NumberOpenEvent, 251 | NumberOpenEventPair, 252 | NumberOpenFile, 253 | NumberOpenIoCompletion, 254 | NumberOpenJobObject, 255 | NumberOpenKey, 256 | NumberOpenKeyEx, 257 | NumberOpenKeyTransacted, 258 | NumberOpenKeyTransactedEx, 259 | NumberOpenKeyedEvent, 260 | NumberOpenMutant, 261 | NumberOpenObjectAuditAlarm, 262 | NumberOpenPartition, 263 | NumberOpenPrivateNamespace, 264 | NumberOpenProcess, 265 | NumberOpenProcessToken, 266 | NumberOpenProcessTokenEx, 267 | NumberOpenRegistryTransaction, 268 | NumberOpenResourceManager, 269 | NumberOpenSection, 270 | NumberOpenSemaphore, 271 | NumberOpenSession, 272 | NumberOpenSymbolicLinkObject, 273 | NumberOpenThread, 274 | NumberOpenThreadToken, 275 | NumberOpenThreadTokenEx, 276 | NumberOpenTimer, 277 | NumberOpenTransaction, 278 | NumberOpenTransactionManager, 279 | NumberPlugPlayControl, 280 | NumberPowerInformation, 281 | NumberPrePrepareComplete, 282 | NumberPrePrepareEnlistment, 283 | NumberPrepareComplete, 284 | NumberPrepareEnlistment, 285 | NumberPrivilegeCheck, 286 | NumberPrivilegeObjectAuditAlarm, 287 | NumberPrivilegedServiceAuditAlarm, 288 | NumberPropagationComplete, 289 | NumberPropagationFailed, 290 | NumberProtectVirtualMemory, 291 | NumberPullTransaction, 292 | NumberPulseEvent, 293 | NumberQueryAttributesFile, 294 | NumberQueryAuxiliaryCounterFrequency, 295 | NumberQueryBootEntryOrder, 296 | NumberQueryBootOptions, 297 | NumberQueryDebugFilterState, 298 | NumberQueryDefaultLocale, 299 | NumberQueryDefaultUILanguage, 300 | NumberQueryDirectoryFile, 301 | NumberQueryDirectoryFileEx, 302 | NumberQueryDirectoryObject, 303 | NumberQueryDriverEntryOrder, 304 | NumberQueryEaFile, 305 | NumberQueryEvent, 306 | NumberQueryFullAttributesFile, 307 | NumberQueryInformationAtom, 308 | NumberQueryInformationByName, 309 | NumberQueryInformationEnlistment, 310 | NumberQueryInformationFile, 311 | NumberQueryInformationJobObject, 312 | NumberQueryInformationPort, 313 | NumberQueryInformationProcess, 314 | NumberQueryInformationResourceManager, 315 | NumberQueryInformationThread, 316 | NumberQueryInformationToken, 317 | NumberQueryInformationTransaction, 318 | NumberQueryInformationTransactionManager, 319 | NumberQueryInformationWorkerFactory, 320 | NumberQueryInstallUILanguage, 321 | NumberQueryIntervalProfile, 322 | NumberQueryIoCompletion, 323 | NumberQueryKey, 324 | NumberQueryLicenseValue, 325 | NumberQueryMultipleValueKey, 326 | NumberQueryMutant, 327 | NumberQueryObject, 328 | NumberQueryOpenSubKeys, 329 | NumberQueryOpenSubKeysEx, 330 | NumberQueryPerformanceCounter, 331 | NumberQueryPortInformationProcess, 332 | NumberQueryQuotaInformationFile, 333 | NumberQuerySection, 334 | NumberQuerySecurityAttributesToken, 335 | NumberQuerySecurityObject, 336 | NumberQuerySecurityPolicy, 337 | NumberQuerySemaphore, 338 | NumberQuerySymbolicLinkObject, 339 | NumberQuerySystemEnvironmentValue, 340 | NumberQuerySystemEnvironmentValueEx, 341 | NumberQuerySystemInformation, 342 | NumberQuerySystemInformationEx, 343 | NumberQuerySystemTime, 344 | NumberQueryTimer, 345 | NumberQueryTimerResolution, 346 | NumberQueryValueKey, 347 | NumberQueryVirtualMemory, 348 | NumberQueryVolumeInformationFile, 349 | NumberQueryWnfStateData, 350 | NumberQueryWnfStateNameInformation, 351 | NumberQueueApcThread, 352 | NumberQueueApcThreadEx, 353 | NumberRaiseException, 354 | NumberRaiseHardError, 355 | NumberReadFile, 356 | NumberReadFileScatter, 357 | NumberReadOnlyEnlistment, 358 | NumberReadRequestData, 359 | NumberReadVirtualMemory, 360 | NumberRecoverEnlistment, 361 | NumberRecoverResourceManager, 362 | NumberRecoverTransactionManager, 363 | NumberRegisterProtocolAddressInformation, 364 | NumberRegisterThreadTerminatePort, 365 | NumberReleaseCMFViewOwnership, 366 | NumberReleaseKeyedEvent, 367 | NumberReleaseMutant, 368 | NumberReleaseSemaphore, 369 | NumberReleaseWorkerFactoryWorker, 370 | NumberRemoveIoCompletion, 371 | NumberRemoveIoCompletionEx, 372 | NumberRemoveProcessDebug, 373 | NumberRenameKey, 374 | NumberRenameTransactionManager, 375 | NumberReplaceKey, 376 | NumberReplacePartitionUnit, 377 | NumberReplyPort, 378 | NumberReplyWaitReceivePort, 379 | NumberReplyWaitReceivePortEx, 380 | NumberReplyWaitReplyPort, 381 | NumberRequestDeviceWakeup, 382 | NumberRequestPort, 383 | NumberRequestWaitReplyPort, 384 | NumberRequestWakeupLatency, 385 | NumberResetEvent, 386 | NumberResetWriteWatch, 387 | NumberRestoreKey, 388 | NumberResumeProcess, 389 | NumberResumeThread, 390 | NumberRevertContainerImpersonation, 391 | NumberRollbackComplete, 392 | NumberRollbackEnlistment, 393 | NumberRollbackRegistryTransaction, 394 | NumberRollbackSavepointTransaction, 395 | NumberRollbackTransaction, 396 | NumberRollforwardTransactionManager, 397 | NumberSaveKey, 398 | NumberSaveKeyEx, 399 | NumberSaveMergedKeys, 400 | NumberSavepointComplete, 401 | NumberSavepointTransaction, 402 | NumberSecureConnectPort, 403 | NumberSerializeBoot, 404 | NumberSetBootEntryOrder, 405 | NumberSetBootOptions, 406 | NumberSetCachedSigningLevel, 407 | NumberSetCachedSigningLevel2, 408 | NumberSetContextThread, 409 | NumberSetDebugFilterState, 410 | NumberSetDefaultHardErrorPort, 411 | NumberSetDefaultLocale, 412 | NumberSetDefaultUILanguage, 413 | NumberSetDriverEntryOrder, 414 | NumberSetEaFile, 415 | NumberSetEvent, 416 | NumberSetEventBoostPriority, 417 | NumberSetHighEventPair, 418 | NumberSetHighWaitLowEventPair, 419 | NumberSetIRTimer, 420 | NumberSetInformationDebugObject, 421 | NumberSetInformationEnlistment, 422 | NumberSetInformationFile, 423 | NumberSetInformationJobObject, 424 | NumberSetInformationKey, 425 | NumberSetInformationObject, 426 | NumberSetInformationProcess, 427 | NumberSetInformationResourceManager, 428 | NumberSetInformationSymbolicLink, 429 | NumberSetInformationThread, 430 | NumberSetInformationToken, 431 | NumberSetInformationTransaction, 432 | NumberSetInformationTransactionManager, 433 | NumberSetInformationVirtualMemory, 434 | NumberSetInformationWorkerFactory, 435 | NumberSetIntervalProfile, 436 | NumberSetIoCompletion, 437 | NumberSetIoCompletionEx, 438 | NumberSetLdtEntries, 439 | NumberSetLowEventPair, 440 | NumberSetLowWaitHighEventPair, 441 | NumberSetQuotaInformationFile, 442 | NumberSetSecurityObject, 443 | NumberSetSystemEnvironmentValue, 444 | NumberSetSystemEnvironmentValueEx, 445 | NumberSetSystemInformation, 446 | NumberSetSystemPowerState, 447 | NumberSetSystemTime, 448 | NumberSetThreadExecutionState, 449 | NumberSetTimer, 450 | NumberSetTimer2, 451 | NumberSetTimerEx, 452 | NumberSetTimerResolution, 453 | NumberSetUuidSeed, 454 | NumberSetValueKey, 455 | NumberSetVolumeInformationFile, 456 | NumberSetWnfProcessNotificationEvent, 457 | NumberShutdownSystem, 458 | NumberShutdownWorkerFactory, 459 | NumberSignalAndWaitForSingleObject, 460 | NumberSinglePhaseReject, 461 | NumberStartProfile, 462 | NumberStartTm, 463 | NumberStopProfile, 464 | NumberSubscribeWnfStateChange, 465 | NumberSuspendProcess, 466 | NumberSuspendThread, 467 | NumberSystemDebugControl, 468 | NumberTerminateEnclave, 469 | NumberTerminateJobObject, 470 | NumberTerminateProcess, 471 | NumberTerminateThread, 472 | NumberTestAlert, 473 | NumberThawRegistry, 474 | NumberThawTransactions, 475 | NumberTraceControl, 476 | NumberTraceEvent, 477 | NumberTranslateFilePath, 478 | NumberUmsThreadYield, 479 | NumberUnloadDriver, 480 | NumberUnloadKey, 481 | NumberUnloadKey2, 482 | NumberUnloadKeyEx, 483 | NumberUnlockFile, 484 | NumberUnlockVirtualMemory, 485 | NumberUnmapViewOfSection, 486 | NumberUnmapViewOfSectionEx, 487 | NumberUnsubscribeWnfStateChange, 488 | NumberUpdateWnfStateData, 489 | NumberVdmControl, 490 | NumberWaitForAlertByThreadId, 491 | NumberWaitForDebugEvent, 492 | NumberWaitForKeyedEvent, 493 | NumberWaitForMultipleObjects, 494 | NumberWaitForMultipleObjects32, 495 | NumberWaitForSingleObject, 496 | NumberWaitForWnfNotifications, 497 | NumberWaitForWorkViaWorkerFactory, 498 | NumberWaitHighEventPair, 499 | NumberWaitLowEventPair, 500 | NumberWorkerFactoryWorkerReady, 501 | NumberWriteFile, 502 | NumberWriteFileGather, 503 | NumberWriteRequestData, 504 | NumberWriteVirtualMemory, 505 | NumberYieldExecution, 506 | MaxNumberStubs 507 | }KSTUBS_CLASS; 508 | 509 | #ifndef _WIN64 510 | 511 | typedef struct _KSTUBS_ENTRY { 512 | #pragma pack(push, 1) 513 | CHAR Reserved1[1]; 514 | 515 | union { 516 | CHAR Reserved2[4]; 517 | ULONG KiServiceTableIndex; 518 | }u1; 519 | 520 | CHAR Reserved3[8]; 521 | 522 | union { 523 | CHAR Reserved4[4]; 524 | ULONG KiSystemService; 525 | }u2; 526 | 527 | CHAR Ret[3]; 528 | CHAR Alignment[12]; 529 | #pragma pack(pop) 530 | } KSTUBS_ENTRY, *PKSTUBS_ENTRY; 531 | 532 | C_ASSERT(FIELD_OFFSET(KSTUBS_ENTRY, u1.KiServiceTableIndex) == 1); 533 | C_ASSERT(FIELD_OFFSET(KSTUBS_ENTRY, u2.KiSystemService) == 0xd); 534 | C_ASSERT(sizeof(KSTUBS_ENTRY) == 0x20); 535 | #else 536 | typedef struct _KSTUBS_ENTRY { 537 | #pragma pack(push, 1) 538 | CHAR Reserved1[34]; 539 | 540 | union { 541 | CHAR Reserved2[8]; 542 | ULONGLONG KiServiceLinkage; 543 | }u1; 544 | 545 | CHAR Reserved3[2]; 546 | 547 | union { 548 | CHAR Reserved4[4]; 549 | ULONG KiServiceTableIndex; 550 | }u2; 551 | 552 | CHAR Reserved5[2]; 553 | 554 | union { 555 | CHAR Reserved6[8]; 556 | ULONGLONG KiServiceInternal; 557 | }u3; 558 | 559 | CHAR Reserved7[3]; 560 | CHAR Alignment[3]; 561 | #pragma pack(pop) 562 | } KSTUBS_ENTRY, *PKSTUBS_ENTRY; 563 | 564 | C_ASSERT(FIELD_OFFSET(KSTUBS_ENTRY, u1.KiServiceLinkage) == 0x22); 565 | C_ASSERT(FIELD_OFFSET(KSTUBS_ENTRY, u2.KiServiceTableIndex) == 0x2c); 566 | C_ASSERT(FIELD_OFFSET(KSTUBS_ENTRY, u3.KiServiceInternal) == 0x32); 567 | C_ASSERT(sizeof(KSTUBS_ENTRY) == 0x40); 568 | #endif // !_WIN64 569 | 570 | #ifdef __cplusplus 571 | } 572 | #endif /* __cplusplus */ 573 | 574 | #endif // !_STUBS_H_ 575 | -------------------------------------------------------------------------------- /Testis.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2015-2017 by blindtiger ( blindtiger@foxmail.com ) 4 | * 5 | * The contents of this file are subject to the Mozilla Public License Version 6 | * 2.0 (the "License"); you may not use this file except in compliance with 7 | * the License. You may obtain a copy of the License at 8 | * http://www.mozilla.org/MPL/ 9 | * 10 | * Software distributed under the License is distributed on an "AS IS" basis, 11 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. SEe the License 12 | * for the specific language governing rights and limitations under the 13 | * License. 14 | * 15 | * The Initial Developer of the Original e is blindtiger. 16 | * 17 | */ 18 | 19 | #ifndef _TESTIS_H_ 20 | #define _TESTIS_H_ 21 | 22 | #ifdef _WIN64 23 | #include 24 | #endif // _WIN64 25 | 26 | #ifdef __cplusplus 27 | /* Assume C declarations for C++ */ 28 | extern "C" { 29 | #endif /* __cplusplus */ 30 | 31 | extern ULONG OsBuildNumber; 32 | 33 | #ifdef __cplusplus 34 | } 35 | #endif /* __cplusplus */ 36 | 37 | #endif // !_TESTIS_H_ 38 | --------------------------------------------------------------------------------