├── Input_dll ├── Input_dll.vcxproj ├── Input_dll.vcxproj.filters ├── dll_x64.h ├── dll_x86.h └── main.cpp ├── Loader ├── Loader.vcxproj ├── Loader.vcxproj.filters └── loader.cpp ├── MemLoadDll.h ├── README.md ├── _global.cpp ├── _global.h ├── driver_inject.cpp ├── driver_inject.sln ├── driver_inject.v12.suo ├── driver_inject.vcxproj ├── driver_inject.vcxproj.filters ├── hooklib.cpp ├── hooklib.h ├── misc.cpp ├── misc.h ├── ntdll.cpp ├── ntdll.h ├── pe.cpp ├── pe.h ├── readme.md ├── ssdt.cpp ├── ssdt.h ├── undocumented.cpp └── undocumented.h /Input_dll/Input_dll.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637} 15 | Win32Proj 16 | Input_dll 17 | 18 | 19 | 20 | Application 21 | true 22 | v120 23 | Unicode 24 | 25 | 26 | Application 27 | false 28 | v120 29 | true 30 | Unicode 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | true 44 | $(SolutionDir)\Bin\ 45 | $(SolutionDir)\Temp\$(Configuration)\ 46 | $(ProjectName)_d 47 | 48 | 49 | false 50 | $(SolutionDir)\Bin\ 51 | $(SolutionDir)\Temp\$(Configuration)\ 52 | 53 | 54 | 55 | 56 | 57 | Level3 58 | Disabled 59 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 60 | 61 | 62 | Console 63 | true 64 | 65 | 66 | 67 | 68 | Level3 69 | 70 | 71 | MaxSpeed 72 | true 73 | true 74 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 75 | MultiThreaded 76 | 77 | 78 | Console 79 | false 80 | true 81 | true 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | -------------------------------------------------------------------------------- /Input_dll/Input_dll.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /Input_dll/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "dll_x86.h" 6 | #include "dll_x64.h" 7 | 8 | 9 | #define IOCTL_SET_INJECT_X86DLL \ 10 | CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_IN_DIRECT, FILE_ANY_ACCESS) 11 | 12 | #define IOCTL_SET_INJECT_X64DLL \ 13 | CTL_CODE(FILE_DEVICE_UNKNOWN, 0x901, METHOD_IN_DIRECT, FILE_ANY_ACCESS) 14 | 15 | 16 | 17 | int main() 18 | { 19 | BOOL result; 20 | DWORD returnLen; 21 | char output; 22 | 23 | HANDLE hDevice = CreateFile(L"\\\\.\\CrashDumpUpload", 24 | NULL, 25 | NULL, 26 | NULL, 27 | OPEN_EXISTING, 28 | NULL, 29 | NULL); 30 | 31 | if (hDevice == INVALID_HANDLE_VALUE) 32 | { 33 | std::cout << "connect device fail." << std::endl; 34 | goto __exit; 35 | } 36 | 37 | result = DeviceIoControl(hDevice, 38 | IOCTL_SET_INJECT_X86DLL, 39 | &dll_x86, 40 | sizeof(dll_x86), 41 | &output, 42 | sizeof(char), 43 | &returnLen, 44 | NULL); 45 | 46 | std::cout << (result ? "ok x86dll" : "fail x86dll") << std::endl; 47 | 48 | result = DeviceIoControl(hDevice, 49 | IOCTL_SET_INJECT_X64DLL, 50 | &dll_x64, 51 | sizeof(dll_x64), 52 | &output, 53 | sizeof(char), 54 | &returnLen, 55 | NULL); 56 | 57 | std::cout << (result ? "ok x64dll" : "fail x64dll") << std::endl; 58 | 59 | 60 | __exit: 61 | getchar(); 62 | return 0; 63 | } -------------------------------------------------------------------------------- /Loader/Loader.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {29392CD7-AAFC-434B-8395-A7016A677011} 23 | Win32Proj 24 | Loader 25 | 26 | 27 | 28 | Application 29 | true 30 | v120 31 | Unicode 32 | 33 | 34 | Application 35 | true 36 | v120 37 | Unicode 38 | 39 | 40 | Application 41 | false 42 | v120_xp 43 | true 44 | Unicode 45 | 46 | 47 | Application 48 | false 49 | v120_xp 50 | true 51 | Unicode 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | true 71 | $(SolutionDir)\Bin\ 72 | Temp\$(ProjectName)\$(Platform)\$(ConfigurationName)\ 73 | $(TargetName.Replace(' ',''))_d 74 | 75 | 76 | true 77 | $(SolutionDir)\Bin\ 78 | Temp\$(ProjectName)\$(Platform)\$(ConfigurationName)\ 79 | $(TargetName.Replace(' ',''))_x64_d 80 | 81 | 82 | false 83 | $(SolutionDir)\Bin\ 84 | $(SolutionDir)\Temp\$(Configuration)\ 85 | $(TargetName.Replace(' ','')) 86 | 87 | 88 | false 89 | $(SolutionDir)\Bin\ 90 | $(SolutionDir)\Temp\$(Configuration)\ 91 | $(TargetName.Replace(' ',''))_x64 92 | 93 | 94 | 95 | 96 | 97 | Level3 98 | Disabled 99 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 100 | 101 | 102 | Windows 103 | true 104 | 105 | 106 | 107 | 108 | 109 | 110 | Level3 111 | Disabled 112 | WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) 113 | 114 | 115 | Windows 116 | true 117 | 118 | 119 | 120 | 121 | Level3 122 | 123 | 124 | Disabled 125 | true 126 | false 127 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 128 | false 129 | false 130 | MultiThreaded 131 | 132 | 133 | Windows 134 | true 135 | true 136 | true 137 | false 138 | Loader 139 | 140 | 141 | 142 | 143 | Level3 144 | 145 | 146 | Disabled 147 | true 148 | false 149 | WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) 150 | false 151 | false 152 | MultiThreaded 153 | 154 | 155 | Windows 156 | true 157 | true 158 | true 159 | false 160 | Loader 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | -------------------------------------------------------------------------------- /Loader/Loader.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /Loader/loader.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/haidragon/DriverInjectDll/274489b7a548fe2cb3769d121e4d4787b2bb1e3e/Loader/loader.cpp -------------------------------------------------------------------------------- /MemLoadDll.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _MEMLOAD_SHELLCODE_H 3 | #define _MEMLOAD_SHELLCODE_H 4 | 5 | unsigned char MemLoadShellcode_x86[] = { 6 | 7 | 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x54, 0xC7, 0x45, 0xC4, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xC0, 8 | 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xCC, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x45, 0xBC, 0x00, 0x00, 9 | 0x00, 0x00, 0x8B, 0x45, 0x08, 0x0F, 0xB7, 0x08, 0x81, 0xF9, 0x4D, 0x5A, 0x00, 0x00, 0x74, 0x07, 10 | 0x33, 0xC0, 0xE9, 0xEE, 0x06, 0x00, 0x00, 0x8B, 0x55, 0x08, 0x8B, 0x45, 0x08, 0x03, 0x42, 0x3C, 11 | 0x89, 0x45, 0xD8, 0x8B, 0x4D, 0xD8, 0x81, 0x39, 0x50, 0x45, 0x00, 0x00, 0x74, 0x07, 0x33, 0xC0, 12 | 0xE9, 0xD0, 0x06, 0x00, 0x00, 0x64, 0x8B, 0x15, 0x30, 0x00, 0x00, 0x00, 0x89, 0x55, 0xF8, 0x8B, 13 | 0x45, 0xF8, 0x8B, 0x48, 0x0C, 0x89, 0x4D, 0xF8, 0x8B, 0x55, 0xF8, 0x8B, 0x42, 0x14, 0x89, 0x45, 14 | 0xF4, 0x83, 0x7D, 0xF4, 0x00, 0x0F, 0x84, 0x89, 0x02, 0x00, 0x00, 0x8B, 0x4D, 0xF4, 0x8B, 0x51, 15 | 0x28, 0x89, 0x55, 0xE8, 0x8B, 0x45, 0xF4, 0x66, 0x8B, 0x48, 0x24, 0x66, 0x89, 0x4D, 0xFC, 0xC7, 16 | 0x45, 0xF0, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x55, 0xF0, 0x52, 0xE8, 0xD1, 0x06, 0x00, 0x00, 0x83, 17 | 0xC4, 0x04, 0x89, 0x45, 0xF0, 0x8B, 0x45, 0xE8, 0x0F, 0xB6, 0x08, 0x83, 0xF9, 0x61, 0x7C, 0x12, 18 | 0x8B, 0x55, 0xE8, 0x0F, 0xB6, 0x02, 0x8B, 0x4D, 0xF0, 0x8D, 0x54, 0x01, 0xE0, 0x89, 0x55, 0xF0, 19 | 0xEB, 0x0C, 0x8B, 0x45, 0xE8, 0x0F, 0xB6, 0x08, 0x03, 0x4D, 0xF0, 0x89, 0x4D, 0xF0, 0x8B, 0x55, 20 | 0xE8, 0x83, 0xC2, 0x01, 0x89, 0x55, 0xE8, 0x66, 0x8B, 0x45, 0xFC, 0x66, 0x83, 0xE8, 0x01, 0x66, 21 | 0x89, 0x45, 0xFC, 0x0F, 0xB7, 0x4D, 0xFC, 0x85, 0xC9, 0x75, 0xAB, 0x81, 0x7D, 0xF0, 0x5B, 0xBC, 22 | 0x4A, 0x6A, 0x0F, 0x85, 0x11, 0x01, 0x00, 0x00, 0x8B, 0x55, 0xF4, 0x8B, 0x42, 0x10, 0x89, 0x45, 23 | 0xF8, 0x8B, 0x4D, 0xF8, 0x8B, 0x55, 0xF8, 0x03, 0x51, 0x3C, 0x89, 0x55, 0xE4, 0xB8, 0x08, 0x00, 24 | 0x00, 0x00, 0x6B, 0xC8, 0x00, 0x8B, 0x55, 0xE4, 0x8D, 0x44, 0x0A, 0x78, 0x89, 0x45, 0xE0, 0x8B, 25 | 0x4D, 0xE0, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 0x4D, 0xF8, 26 | 0x03, 0x48, 0x20, 0x89, 0x4D, 0xE0, 0x8B, 0x55, 0xE4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x24, 0x89, 27 | 0x45, 0xD0, 0xB9, 0x03, 0x00, 0x00, 0x00, 0x66, 0x89, 0x4D, 0xFC, 0x0F, 0xB7, 0x55, 0xFC, 0x85, 28 | 0xD2, 0x0F, 0x8E, 0xAD, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xE0, 0x8B, 0x4D, 0xF8, 0x03, 0x08, 0x51, 29 | 0xE8, 0xCB, 0x05, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xD4, 0x81, 0x7D, 0xD4, 0x8E, 0x4E, 30 | 0x0E, 0xEC, 0x74, 0x12, 0x81, 0x7D, 0xD4, 0xAA, 0xFC, 0x0D, 0x7C, 0x74, 0x09, 0x81, 0x7D, 0xD4, 31 | 0x54, 0xCA, 0xAF, 0x91, 0x75, 0x67, 0x8B, 0x55, 0xE4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x1C, 0x89, 32 | 0x45, 0xDC, 0x8B, 0x4D, 0xD0, 0x0F, 0xB7, 0x11, 0x8B, 0x45, 0xDC, 0x8D, 0x0C, 0x90, 0x89, 0x4D, 33 | 0xDC, 0x81, 0x7D, 0xD4, 0x8E, 0x4E, 0x0E, 0xEC, 0x75, 0x0D, 0x8B, 0x55, 0xDC, 0x8B, 0x45, 0xF8, 34 | 0x03, 0x02, 0x89, 0x45, 0xC4, 0xEB, 0x2A, 0x81, 0x7D, 0xD4, 0xAA, 0xFC, 0x0D, 0x7C, 0x75, 0x0D, 35 | 0x8B, 0x4D, 0xDC, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xC0, 0xEB, 0x14, 0x81, 0x7D, 0xD4, 36 | 0x54, 0xCA, 0xAF, 0x91, 0x75, 0x0B, 0x8B, 0x45, 0xDC, 0x8B, 0x4D, 0xF8, 0x03, 0x08, 0x89, 0x4D, 37 | 0xCC, 0x66, 0x8B, 0x55, 0xFC, 0x66, 0x83, 0xEA, 0x01, 0x66, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0xE0, 38 | 0x83, 0xC0, 0x04, 0x89, 0x45, 0xE0, 0x8B, 0x4D, 0xD0, 0x83, 0xC1, 0x02, 0x89, 0x4D, 0xD0, 0xE9, 39 | 0x47, 0xFF, 0xFF, 0xFF, 0xE9, 0xD4, 0x00, 0x00, 0x00, 0x81, 0x7D, 0xF0, 0x5D, 0x68, 0xFA, 0x3C, 40 | 0x0F, 0x85, 0xC7, 0x00, 0x00, 0x00, 0x8B, 0x55, 0xF4, 0x8B, 0x42, 0x10, 0x89, 0x45, 0xF8, 0x8B, 41 | 0x4D, 0xF8, 0x8B, 0x55, 0xF8, 0x03, 0x51, 0x3C, 0x89, 0x55, 0xE4, 0xB8, 0x08, 0x00, 0x00, 0x00, 42 | 0x6B, 0xC8, 0x00, 0x8B, 0x55, 0xE4, 0x8D, 0x44, 0x0A, 0x78, 0x89, 0x45, 0xE0, 0x8B, 0x4D, 0xE0, 43 | 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 0x4D, 0xF8, 0x03, 0x48, 44 | 0x20, 0x89, 0x4D, 0xE0, 0x8B, 0x55, 0xE4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x24, 0x89, 0x45, 0xD0, 45 | 0xB9, 0x01, 0x00, 0x00, 0x00, 0x66, 0x89, 0x4D, 0xFC, 0x0F, 0xB7, 0x55, 0xFC, 0x85, 0xD2, 0x7E, 46 | 0x6C, 0x8B, 0x45, 0xE0, 0x8B, 0x4D, 0xF8, 0x03, 0x08, 0x51, 0xE8, 0xB1, 0x04, 0x00, 0x00, 0x83, 47 | 0xC4, 0x04, 0x89, 0x45, 0xD4, 0x81, 0x7D, 0xD4, 0xB8, 0x0A, 0x4C, 0x53, 0x75, 0x3B, 0x8B, 0x55, 48 | 0xE4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x1C, 0x89, 0x45, 0xDC, 0x8B, 0x4D, 0xD0, 0x0F, 0xB7, 0x11, 49 | 0x8B, 0x45, 0xDC, 0x8D, 0x0C, 0x90, 0x89, 0x4D, 0xDC, 0x81, 0x7D, 0xD4, 0xB8, 0x0A, 0x4C, 0x53, 50 | 0x75, 0x0B, 0x8B, 0x55, 0xDC, 0x8B, 0x45, 0xF8, 0x03, 0x02, 0x89, 0x45, 0xBC, 0x66, 0x8B, 0x4D, 51 | 0xFC, 0x66, 0x83, 0xE9, 0x01, 0x66, 0x89, 0x4D, 0xFC, 0x8B, 0x55, 0xE0, 0x83, 0xC2, 0x04, 0x89, 52 | 0x55, 0xE0, 0x8B, 0x45, 0xD0, 0x83, 0xC0, 0x02, 0x89, 0x45, 0xD0, 0xEB, 0x8C, 0x83, 0x7D, 0xC4, 53 | 0x00, 0x74, 0x14, 0x83, 0x7D, 0xC0, 0x00, 0x74, 0x0E, 0x83, 0x7D, 0xCC, 0x00, 0x74, 0x08, 0x83, 54 | 0x7D, 0xBC, 0x00, 0x74, 0x02, 0xEB, 0x0D, 0x8B, 0x4D, 0xF4, 0x8B, 0x11, 0x89, 0x55, 0xF4, 0xE9, 55 | 0x6D, 0xFD, 0xFF, 0xFF, 0x8B, 0x45, 0x08, 0x0F, 0xB7, 0x08, 0x81, 0xF9, 0x4D, 0x5A, 0x00, 0x00, 56 | 0x74, 0x07, 0x33, 0xC0, 0xE9, 0x0C, 0x04, 0x00, 0x00, 0x8B, 0x55, 0x08, 0x8B, 0x45, 0x08, 0x03, 57 | 0x42, 0x3C, 0x89, 0x45, 0xD8, 0x8B, 0x4D, 0xD8, 0x81, 0x39, 0x50, 0x45, 0x00, 0x00, 0x74, 0x07, 58 | 0x33, 0xC0, 0xE9, 0xEE, 0x03, 0x00, 0x00, 0x6A, 0x40, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8B, 0x55, 59 | 0xD8, 0x8B, 0x42, 0x50, 0x50, 0x6A, 0x00, 0xFF, 0x55, 0xCC, 0x89, 0x45, 0xF8, 0x8B, 0x4D, 0xD8, 60 | 0x8B, 0x51, 0x54, 0x89, 0x55, 0xF4, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xE8, 0x8B, 0x4D, 0xF8, 0x89, 61 | 0x4D, 0xF0, 0x8B, 0x55, 0xF4, 0x89, 0x55, 0xB8, 0x8B, 0x45, 0xF4, 0x83, 0xE8, 0x01, 0x89, 0x45, 62 | 0xF4, 0x83, 0x7D, 0xB8, 0x00, 0x74, 0x1E, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0xE8, 0x8A, 0x02, 0x88, 63 | 0x01, 0x8B, 0x4D, 0xF0, 0x83, 0xC1, 0x01, 0x89, 0x4D, 0xF0, 0x8B, 0x55, 0xE8, 0x83, 0xC2, 0x01, 64 | 0x89, 0x55, 0xE8, 0xEB, 0xCD, 0x8B, 0x45, 0xD8, 0x0F, 0xB7, 0x48, 0x14, 0x8B, 0x55, 0xD8, 0x8D, 65 | 0x44, 0x0A, 0x18, 0x89, 0x45, 0xF4, 0x8B, 0x4D, 0xD8, 0x0F, 0xB7, 0x51, 0x06, 0x89, 0x55, 0xC8, 66 | 0x8B, 0x45, 0xC8, 0x89, 0x45, 0xB4, 0x8B, 0x4D, 0xC8, 0x83, 0xE9, 0x01, 0x89, 0x4D, 0xC8, 0x83, 67 | 0x7D, 0xB4, 0x00, 0x74, 0x5F, 0x8B, 0x55, 0xF4, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x0C, 0x89, 0x45, 68 | 0xE8, 0x8B, 0x4D, 0xF4, 0x8B, 0x55, 0x08, 0x03, 0x51, 0x14, 0x89, 0x55, 0xF0, 0x8B, 0x45, 0xF4, 69 | 0x8B, 0x48, 0x10, 0x89, 0x4D, 0xEC, 0x8B, 0x55, 0xEC, 0x89, 0x55, 0xB0, 0x8B, 0x45, 0xEC, 0x83, 70 | 0xE8, 0x01, 0x89, 0x45, 0xEC, 0x83, 0x7D, 0xB0, 0x00, 0x74, 0x1E, 0x8B, 0x4D, 0xE8, 0x8B, 0x55, 71 | 0xF0, 0x8A, 0x02, 0x88, 0x01, 0x8B, 0x4D, 0xE8, 0x83, 0xC1, 0x01, 0x89, 0x4D, 0xE8, 0x8B, 0x55, 72 | 0xF0, 0x83, 0xC2, 0x01, 0x89, 0x55, 0xF0, 0xEB, 0xCD, 0x8B, 0x45, 0xF4, 0x83, 0xC0, 0x28, 0x89, 73 | 0x45, 0xF4, 0xEB, 0x8C, 0xB9, 0x08, 0x00, 0x00, 0x00, 0xC1, 0xE1, 0x00, 0x8B, 0x55, 0xD8, 0x8D, 74 | 0x44, 0x0A, 0x78, 0x89, 0x45, 0xE8, 0x8B, 0x4D, 0xE8, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 75 | 0xF0, 0x8B, 0x45, 0xF0, 0x83, 0x78, 0x0C, 0x00, 0x0F, 0x84, 0xEB, 0x00, 0x00, 0x00, 0x8B, 0x4D, 76 | 0xF0, 0x8B, 0x55, 0xF8, 0x03, 0x51, 0x0C, 0x52, 0xFF, 0x55, 0xC4, 0x89, 0x45, 0x08, 0x8B, 0x45, 77 | 0xF0, 0x8B, 0x4D, 0xF8, 0x03, 0x08, 0x89, 0x4D, 0xEC, 0x8B, 0x55, 0xF0, 0x8B, 0x45, 0xF8, 0x03, 78 | 0x42, 0x10, 0x89, 0x45, 0xF4, 0x8B, 0x4D, 0xF4, 0x83, 0x39, 0x00, 0x0F, 0x84, 0xAA, 0x00, 0x00, 79 | 0x00, 0x83, 0x7D, 0xEC, 0x00, 0x74, 0x69, 0x8B, 0x55, 0xEC, 0x8B, 0x02, 0x25, 0x00, 0x00, 0x00, 80 | 0x80, 0x74, 0x5D, 0x8B, 0x4D, 0x08, 0x8B, 0x55, 0x08, 0x03, 0x51, 0x3C, 0x89, 0x55, 0xE4, 0xB8, 81 | 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC8, 0x00, 0x8B, 0x55, 0xE4, 0x8D, 0x44, 0x0A, 0x78, 0x89, 0x45, 82 | 0xE0, 0x8B, 0x4D, 0xE0, 0x8B, 0x55, 0x08, 0x03, 0x11, 0x89, 0x55, 0xE4, 0x8B, 0x45, 0xE4, 0x8B, 83 | 0x4D, 0x08, 0x03, 0x48, 0x1C, 0x89, 0x4D, 0xDC, 0x8B, 0x55, 0xEC, 0x8B, 0x02, 0x25, 0xFF, 0xFF, 84 | 0x00, 0x00, 0x8B, 0x4D, 0xE4, 0x2B, 0x41, 0x10, 0x8B, 0x55, 0xDC, 0x8D, 0x04, 0x82, 0x89, 0x45, 85 | 0xDC, 0x8B, 0x4D, 0xDC, 0x8B, 0x55, 0x08, 0x03, 0x11, 0x8B, 0x45, 0xF4, 0x89, 0x10, 0xEB, 0x1E, 86 | 0x8B, 0x4D, 0xF4, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xE8, 0x8B, 0x45, 0xE8, 0x83, 0xC0, 87 | 0x02, 0x50, 0x8B, 0x4D, 0x08, 0x51, 0xFF, 0x55, 0xC0, 0x8B, 0x55, 0xF4, 0x89, 0x02, 0x8B, 0x45, 88 | 0xF4, 0x83, 0xC0, 0x04, 0x89, 0x45, 0xF4, 0x83, 0x7D, 0xEC, 0x00, 0x74, 0x09, 0x8B, 0x4D, 0xEC, 89 | 0x83, 0xC1, 0x04, 0x89, 0x4D, 0xEC, 0xE9, 0x4A, 0xFF, 0xFF, 0xFF, 0x8B, 0x55, 0xF0, 0x83, 0xC2, 90 | 0x14, 0x89, 0x55, 0xF0, 0xE9, 0x08, 0xFF, 0xFF, 0xFF, 0x8B, 0x45, 0xD8, 0x8B, 0x4D, 0xF8, 0x2B, 91 | 0x48, 0x34, 0x89, 0x4D, 0x08, 0xBA, 0x08, 0x00, 0x00, 0x00, 0x6B, 0xC2, 0x05, 0x8B, 0x4D, 0xD8, 92 | 0x8D, 0x54, 0x01, 0x78, 0x89, 0x55, 0xE8, 0x8B, 0x45, 0xE8, 0x83, 0x78, 0x04, 0x00, 0x0F, 0x84, 93 | 0x9E, 0x01, 0x00, 0x00, 0x8B, 0x4D, 0xE8, 0x8B, 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xF0, 0x8B, 94 | 0x45, 0xF0, 0x83, 0x78, 0x04, 0x00, 0x0F, 0x84, 0x86, 0x01, 0x00, 0x00, 0x8B, 0x4D, 0xF0, 0x8B, 95 | 0x55, 0xF8, 0x03, 0x11, 0x89, 0x55, 0xF4, 0x8B, 0x45, 0xF0, 0x8B, 0x48, 0x04, 0x83, 0xE9, 0x08, 96 | 0xD1, 0xE9, 0x89, 0x4D, 0xE8, 0x8B, 0x55, 0xF0, 0x83, 0xC2, 0x08, 0x89, 0x55, 0xEC, 0x8B, 0x45, 97 | 0xE8, 0x89, 0x45, 0xAC, 0x8B, 0x4D, 0xE8, 0x83, 0xE9, 0x01, 0x89, 0x4D, 0xE8, 0x83, 0x7D, 0xAC, 98 | 0x00, 0x0F, 0x84, 0x3A, 0x01, 0x00, 0x00, 0x8B, 0x55, 0xEC, 0x66, 0x8B, 0x02, 0x66, 0xC1, 0xE8, 99 | 0x0C, 0x66, 0x83, 0xE0, 0x0F, 0x0F, 0xB7, 0xC8, 0x83, 0xF9, 0x0A, 0x75, 0x30, 0xBA, 0xFF, 0x0F, 100 | 0x00, 0x00, 0x8B, 0x45, 0xEC, 0x66, 0x23, 0x10, 0x0F, 0xB7, 0xCA, 0x8B, 0x55, 0xF4, 0x8B, 0x04, 101 | 0x0A, 0x03, 0x45, 0x08, 0xB9, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 0x55, 0xEC, 0x66, 0x23, 0x0A, 0x0F, 102 | 0xB7, 0xC9, 0x8B, 0x55, 0xF4, 0x89, 0x04, 0x0A, 0xE9, 0xE6, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xEC, 103 | 0x66, 0x8B, 0x08, 0x66, 0xC1, 0xE9, 0x0C, 0x66, 0x83, 0xE1, 0x0F, 0x0F, 0xB7, 0xD1, 0x83, 0xFA, 104 | 0x03, 0x75, 0x30, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 0x4D, 0xEC, 0x66, 0x23, 0x01, 0x0F, 0xB7, 105 | 0xD0, 0x8B, 0x45, 0xF4, 0x8B, 0x0C, 0x10, 0x03, 0x4D, 0x08, 0xBA, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 106 | 0x45, 0xEC, 0x66, 0x23, 0x10, 0x0F, 0xB7, 0xD2, 0x8B, 0x45, 0xF4, 0x89, 0x0C, 0x10, 0xE9, 0xA0, 107 | 0x00, 0x00, 0x00, 0x8B, 0x4D, 0xEC, 0x66, 0x8B, 0x11, 0x66, 0xC1, 0xEA, 0x0C, 0x66, 0x83, 0xE2, 108 | 0x0F, 0x0F, 0xB7, 0xC2, 0x83, 0xF8, 0x01, 0x75, 0x3D, 0xB9, 0xFF, 0x0F, 0x00, 0x00, 0x8B, 0x55, 109 | 0xEC, 0x66, 0x23, 0x0A, 0x0F, 0xB7, 0xC1, 0x8B, 0x4D, 0x08, 0xC1, 0xE9, 0x10, 0x81, 0xE1, 0xFF, 110 | 0xFF, 0x00, 0x00, 0x0F, 0xB7, 0xD1, 0x8B, 0x4D, 0xF4, 0x0F, 0xB7, 0x04, 0x01, 0x03, 0xC2, 0xB9, 111 | 0xFF, 0x0F, 0x00, 0x00, 0x8B, 0x55, 0xEC, 0x66, 0x23, 0x0A, 0x0F, 0xB7, 0xC9, 0x8B, 0x55, 0xF4, 112 | 0x66, 0x89, 0x04, 0x0A, 0xEB, 0x4D, 0x8B, 0x45, 0xEC, 0x66, 0x8B, 0x08, 0x66, 0xC1, 0xE9, 0x0C, 113 | 0x66, 0x83, 0xE1, 0x0F, 0x0F, 0xB7, 0xD1, 0x83, 0xFA, 0x02, 0x75, 0x37, 0xB8, 0xFF, 0x0F, 0x00, 114 | 0x00, 0x8B, 0x4D, 0xEC, 0x66, 0x23, 0x01, 0x0F, 0xB7, 0xD0, 0x8B, 0x45, 0x08, 0x25, 0xFF, 0xFF, 115 | 0x00, 0x00, 0x0F, 0xB7, 0xC8, 0x8B, 0x45, 0xF4, 0x0F, 0xB7, 0x14, 0x10, 0x03, 0xD1, 0xB8, 0xFF, 116 | 0x0F, 0x00, 0x00, 0x8B, 0x4D, 0xEC, 0x66, 0x23, 0x01, 0x0F, 0xB7, 0xC0, 0x8B, 0x4D, 0xF4, 0x66, 117 | 0x89, 0x14, 0x01, 0x8B, 0x55, 0xEC, 0x83, 0xC2, 0x02, 0x89, 0x55, 0xEC, 0xE9, 0xAD, 0xFE, 0xFF, 118 | 0xFF, 0x8B, 0x45, 0xF0, 0x8B, 0x4D, 0xF0, 0x03, 0x48, 0x04, 0x89, 0x4D, 0xF0, 0xE9, 0x6D, 0xFE, 119 | 0xFF, 0xFF, 0x8B, 0x55, 0xD8, 0x8B, 0x45, 0xF8, 0x03, 0x42, 0x28, 0x89, 0x45, 0xF4, 0x6A, 0x00, 120 | 0x6A, 0x00, 0x6A, 0xFF, 0xFF, 0x55, 0xBC, 0x6A, 0x00, 0x6A, 0x01, 0x8B, 0x4D, 0xF8, 0x51, 0xFF, 121 | 0x55, 0xF4, 0x8B, 0x45, 0xF8, 0x8B, 0xE5, 0x5D, 0xC2, 0x04, 0x00, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 122 | 0x55, 0x8B, 0xEC, 0x51, 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xFC, 0x50, 0xE8, 123 | 0x2C, 0x00, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x89, 0x45, 0xFC, 0x8B, 0x4D, 0x08, 0x0F, 0xBE, 0x11, 124 | 0x03, 0x55, 0xFC, 0x89, 0x55, 0xFC, 0x8B, 0x45, 0x08, 0x83, 0xC0, 0x01, 0x89, 0x45, 0x08, 0x8B, 125 | 0x4D, 0x08, 0x0F, 0xBE, 0x11, 0x85, 0xD2, 0x75, 0xD2, 0x8B, 0x45, 0xFC, 0x8B, 0xE5, 0x5D, 0xC3, 126 | 0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0xC1, 0xC8, 0x0D, 0x5D, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 127 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 128 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 129 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 130 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 131 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 132 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 133 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 134 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 135 | 136 | 137 | }; 138 | 139 | 140 | unsigned char MemLoadShellcode_x64[] = { 141 | 142 | 143 | 0x48, 0x89, 0x4C, 0x24, 0x08, 0x48, 0x81, 0xEC, 0xD8, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 144 | 0x98, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 145 | 0x00, 0x00, 0x00, 0x00, 0x48, 0xC7, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 146 | 0x48, 0xC7, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 147 | 0xE0, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x00, 0x3D, 0x4D, 0x5A, 0x00, 0x00, 0x74, 0x07, 0x33, 0xC0, 148 | 0xE9, 0x19, 0x0B, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x63, 0x40, 149 | 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 150 | 0x89, 0x44, 0x24, 0x70, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x81, 0x38, 0x50, 0x45, 0x00, 0x00, 0x74, 151 | 0x07, 0x33, 0xC0, 0xE9, 0xE6, 0x0A, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 152 | 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x40, 0x18, 0x48, 153 | 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x40, 0x20, 0x48, 0x89, 0x44, 154 | 0x24, 0x30, 0x48, 0x83, 0x7C, 0x24, 0x30, 0x00, 0x0F, 0x84, 0xF1, 0x03, 0x00, 0x00, 0x48, 0x8B, 155 | 0x44, 0x24, 0x30, 0x48, 0x8B, 0x40, 0x50, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 156 | 0x30, 0x0F, 0xB7, 0x40, 0x48, 0x66, 0x89, 0x44, 0x24, 0x20, 0x48, 0xC7, 0x44, 0x24, 0x38, 0x00, 157 | 0x00, 0x00, 0x00, 0x8B, 0x4C, 0x24, 0x38, 0xE8, 0xF4, 0x0A, 0x00, 0x00, 0x8B, 0xC0, 0x48, 0x89, 158 | 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB6, 0x00, 0x83, 0xF8, 0x61, 0x7C, 0x1F, 159 | 0x48, 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB6, 0x00, 0x83, 0xE8, 0x20, 0x48, 0x98, 0x48, 0x8B, 0x4C, 160 | 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x38, 0xEB, 0x18, 0x48, 161 | 0x8B, 0x44, 0x24, 0x48, 0x0F, 0xB6, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 0x48, 162 | 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0xFF, 0xC0, 0x48, 163 | 0x89, 0x44, 0x24, 0x48, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x66, 0xFF, 0xC8, 0x66, 0x89, 0x44, 0x24, 164 | 0x20, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x85, 0xC0, 0x75, 0x89, 0x81, 0x7C, 0x24, 0x38, 0x5B, 0xBC, 165 | 0x4A, 0x6A, 0x0F, 0x85, 0xB1, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x40, 166 | 0x20, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 167 | 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 0xB8, 168 | 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x8D, 0x84, 169 | 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 170 | 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 171 | 0x58, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 172 | 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 173 | 0x24, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 174 | 0x78, 0xB8, 0x03, 0x00, 0x00, 0x00, 0x66, 0x89, 0x44, 0x24, 0x20, 0x0F, 0xB7, 0x44, 0x24, 0x20, 175 | 0x85, 0xC0, 0x0F, 0x8E, 0x0C, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 0x00, 0x48, 176 | 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0xC8, 0xE8, 0x5E, 0x09, 177 | 0x00, 0x00, 0x89, 0x44, 0x24, 0x50, 0x81, 0x7C, 0x24, 0x50, 0x8E, 0x4E, 0x0E, 0xEC, 0x74, 0x18, 178 | 0x81, 0x7C, 0x24, 0x50, 0xAA, 0xFC, 0x0D, 0x7C, 0x74, 0x0E, 0x81, 0x7C, 0x24, 0x50, 0x54, 0xCA, 179 | 0xAF, 0x91, 0x0F, 0x85, 0xAB, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x1C, 180 | 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x68, 181 | 0x48, 0x8B, 0x44, 0x24, 0x78, 0x0F, 0xB7, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x8D, 0x04, 182 | 0x81, 0x48, 0x89, 0x44, 0x24, 0x68, 0x81, 0x7C, 0x24, 0x50, 0x8E, 0x4E, 0x0E, 0xEC, 0x75, 0x1C, 183 | 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 184 | 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0xEB, 0x4A, 0x81, 0x7C, 0x24, 0x50, 185 | 0xAA, 0xFC, 0x0D, 0x7C, 0x75, 0x1C, 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 186 | 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 187 | 0xEB, 0x24, 0x81, 0x7C, 0x24, 0x50, 0x54, 0xCA, 0xAF, 0x91, 0x75, 0x1A, 0x48, 0x8B, 0x44, 0x24, 188 | 0x68, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 189 | 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x66, 0xFF, 0xC8, 0x66, 0x89, 190 | 0x44, 0x24, 0x20, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x83, 0xC0, 0x04, 0x48, 0x89, 0x44, 0x24, 191 | 0x60, 0x48, 0x8B, 0x44, 0x24, 0x78, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, 0x44, 0x24, 0x78, 0xE9, 192 | 0xE7, 0xFE, 0xFF, 0xFF, 0xE9, 0x56, 0x01, 0x00, 0x00, 0x81, 0x7C, 0x24, 0x38, 0x5D, 0x68, 0xFA, 193 | 0x3C, 0x0F, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x40, 0x20, 194 | 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 195 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 0xB8, 0x08, 196 | 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x8D, 0x84, 0x01, 197 | 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 0x00, 198 | 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 199 | 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 200 | 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x24, 201 | 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x78, 202 | 0xB8, 0x01, 0x00, 0x00, 0x00, 0x66, 0x89, 0x44, 0x24, 0x20, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x85, 203 | 0xC0, 0x0F, 0x8E, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 0x00, 0x48, 0x8B, 204 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0xC8, 0xE8, 0x9F, 0x07, 0x00, 205 | 0x00, 0x89, 0x44, 0x24, 0x50, 0x81, 0x7C, 0x24, 0x50, 0xB8, 0x0A, 0x4C, 0x53, 0x75, 0x5F, 0x48, 206 | 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x1C, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 207 | 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 0x44, 0x24, 0x78, 0x0F, 0xB7, 0x00, 0x48, 208 | 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x8D, 0x04, 0x81, 0x48, 0x89, 0x44, 0x24, 0x68, 0x81, 0x7C, 0x24, 209 | 0x50, 0xB8, 0x0A, 0x4C, 0x53, 0x75, 0x1A, 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x00, 0x48, 0x8B, 210 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x84, 0x24, 0x88, 0x00, 0x00, 211 | 0x00, 0x0F, 0xB7, 0x44, 0x24, 0x20, 0x66, 0xFF, 0xC8, 0x66, 0x89, 0x44, 0x24, 0x20, 0x48, 0x8B, 212 | 0x44, 0x24, 0x60, 0x48, 0x83, 0xC0, 0x04, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 213 | 0x78, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, 0x44, 0x24, 0x78, 0xE9, 0x4B, 0xFF, 0xFF, 0xFF, 0x48, 214 | 0x83, 0xBC, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x74, 0x23, 0x48, 0x83, 0xBC, 0x24, 0x80, 0x00, 215 | 0x00, 0x00, 0x00, 0x74, 0x18, 0x48, 0x83, 0xBC, 0x24, 0x90, 0x00, 0x00, 0x00, 0x00, 0x74, 0x0D, 216 | 0x48, 0x83, 0xBC, 0x24, 0x88, 0x00, 0x00, 0x00, 0x00, 0x74, 0x02, 0xEB, 0x12, 0x48, 0x8B, 0x44, 217 | 0x24, 0x30, 0x48, 0x8B, 0x00, 0x48, 0x89, 0x44, 0x24, 0x30, 0xE9, 0x03, 0xFC, 0xFF, 0xFF, 0x48, 218 | 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x0F, 0xB7, 0x00, 0x3D, 0x4D, 0x5A, 0x00, 0x00, 0x74, 219 | 0x07, 0x33, 0xC0, 0xE9, 0xA6, 0x06, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 220 | 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 221 | 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x70, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x81, 0x38, 0x50, 0x45, 222 | 0x00, 0x00, 0x74, 0x07, 0x33, 0xC0, 0xE9, 0x73, 0x06, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x70, 223 | 0x8B, 0x40, 0x50, 0x41, 0xB9, 0x40, 0x00, 0x00, 0x00, 0x41, 0xB8, 0x00, 0x30, 0x00, 0x00, 0x8B, 224 | 0xD0, 0x33, 0xC9, 0xFF, 0x94, 0x24, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x28, 0x48, 225 | 0x8B, 0x44, 0x24, 0x70, 0x8B, 0x40, 0x54, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x84, 0x24, 226 | 0xE0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x89, 227 | 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x89, 0x84, 0x24, 0xA8, 0x00, 0x00, 0x00, 228 | 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0xFF, 0xC8, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x83, 0xBC, 229 | 0x24, 0xA8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x2B, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x4C, 230 | 0x24, 0x48, 0x0F, 0xB6, 0x09, 0x88, 0x08, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0xFF, 0xC0, 0x48, 231 | 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 232 | 0x48, 0xEB, 0xB0, 0x48, 0x8B, 0x44, 0x24, 0x70, 0x0F, 0xB7, 0x40, 0x14, 0x48, 0x8B, 0x4C, 0x24, 233 | 0x70, 0x48, 0x8D, 0x44, 0x01, 0x18, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x70, 234 | 0x0F, 0xB7, 0x40, 0x06, 0x48, 0x89, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 235 | 0xA0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x84, 0x24, 236 | 0xA0, 0x00, 0x00, 0x00, 0x48, 0xFF, 0xC8, 0x48, 0x89, 0x84, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x48, 237 | 0x83, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xA3, 0x00, 0x00, 0x00, 0x48, 0x8B, 238 | 0x44, 0x24, 0x30, 0x8B, 0x40, 0x0C, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 239 | 0xC1, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x8B, 0x40, 0x14, 0x48, 0x8B, 240 | 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 241 | 0x38, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x8B, 0x40, 0x10, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 242 | 0x44, 0x24, 0x40, 0x48, 0x89, 0x84, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 243 | 0x48, 0xFF, 0xC8, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x83, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 244 | 0x00, 0x74, 0x2B, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x0F, 0xB6, 0x09, 245 | 0x88, 0x08, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 246 | 0x8B, 0x44, 0x24, 0x38, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x38, 0xEB, 0xB0, 0x48, 0x8B, 247 | 0x44, 0x24, 0x30, 0x48, 0x83, 0xC0, 0x28, 0x48, 0x89, 0x44, 0x24, 0x30, 0xE9, 0x2B, 0xFF, 0xFF, 248 | 0xFF, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x01, 0x48, 0x8B, 0x4C, 0x24, 0x70, 0x48, 249 | 0x8D, 0x84, 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 250 | 0x48, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 251 | 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x83, 0x78, 0x0C, 0x00, 0x0F, 0x84, 0xB9, 0x01, 252 | 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x40, 0x0C, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 253 | 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0xC8, 0xFF, 0x94, 0x24, 0x98, 0x00, 0x00, 0x00, 0x48, 254 | 0x89, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x00, 0x48, 0x8B, 255 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 256 | 0x44, 0x24, 0x38, 0x8B, 0x40, 0x10, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 257 | 0xC1, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x83, 0x38, 0x00, 0x0F, 258 | 0x84, 0x43, 0x01, 0x00, 0x00, 0x48, 0x83, 0x7C, 0x24, 0x40, 0x00, 0x0F, 0x84, 0xD3, 0x00, 0x00, 259 | 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 260 | 0x48, 0x8B, 0x00, 0x48, 0x23, 0xC1, 0x48, 0x85, 0xC0, 0x0F, 0x84, 0xB5, 0x00, 0x00, 0x00, 0x48, 261 | 0x8B, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x63, 0x40, 0x3C, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 262 | 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x58, 0xB8, 0x08, 263 | 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x58, 0x48, 0x8D, 0x84, 0x01, 264 | 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x8B, 0x00, 265 | 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 266 | 0x44, 0x24, 0x58, 0x48, 0x8B, 0x44, 0x24, 0x58, 0x8B, 0x40, 0x1C, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 267 | 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 268 | 0x44, 0x24, 0x40, 0x48, 0x8B, 0x00, 0x48, 0x25, 0xFF, 0xFF, 0x00, 0x00, 0x48, 0x8B, 0x4C, 0x24, 269 | 0x58, 0x8B, 0x49, 0x10, 0x48, 0x2B, 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x68, 0x48, 0x8D, 0x04, 0x81, 270 | 0x48, 0x89, 0x44, 0x24, 0x68, 0x48, 0x8B, 0x44, 0x24, 0x68, 0x8B, 0x00, 0x48, 0x8B, 0x8C, 0x24, 271 | 0xE0, 0x00, 0x00, 0x00, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 272 | 0x89, 0x01, 0xEB, 0x3B, 0x48, 0x8B, 0x44, 0x24, 0x30, 0x48, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 273 | 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 274 | 0x48, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x8B, 0xD0, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 275 | 0xFF, 0x94, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x48, 0x89, 0x01, 0x48, 276 | 0x8B, 0x44, 0x24, 0x30, 0x48, 0x83, 0xC0, 0x08, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x83, 0x7C, 277 | 0x24, 0x40, 0x00, 0x74, 0x0E, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0x83, 0xC0, 0x08, 0x48, 0x89, 278 | 0x44, 0x24, 0x40, 0xE9, 0xAE, 0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x83, 0xC0, 279 | 0x14, 0x48, 0x89, 0x44, 0x24, 0x38, 0xE9, 0x38, 0xFE, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 0x24, 0x70, 280 | 0x48, 0x8B, 0x40, 0x30, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x2B, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 281 | 0x89, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x6B, 0xC0, 0x05, 282 | 0x48, 0x8B, 0x4C, 0x24, 0x70, 0x48, 0x8D, 0x84, 0x01, 0x88, 0x00, 0x00, 0x00, 0x48, 0x89, 0x44, 283 | 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x83, 0x78, 0x04, 0x00, 0x0F, 0x84, 0x5C, 0x02, 0x00, 284 | 0x00, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x8B, 0x00, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 285 | 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x83, 0x78, 0x04, 286 | 0x00, 0x0F, 0x84, 0x36, 0x02, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x00, 0x48, 0x8B, 287 | 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8B, 288 | 0x44, 0x24, 0x38, 0x8B, 0x40, 0x04, 0x48, 0x83, 0xE8, 0x08, 0x33, 0xD2, 0xB9, 0x02, 0x00, 0x00, 289 | 0x00, 0x48, 0xF7, 0xF1, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x83, 290 | 0xC0, 0x08, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0x89, 0x84, 0x24, 291 | 0xC0, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x48, 0x48, 0xFF, 0xC8, 0x48, 0x89, 0x44, 0x24, 292 | 0x48, 0x48, 0x83, 0xBC, 0x24, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xB0, 0x01, 0x00, 0x00, 293 | 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 0x83, 0xE0, 0x0F, 294 | 0x0F, 0xB7, 0xC0, 0x83, 0xF8, 0x0A, 0x75, 0x4B, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x4C, 295 | 0x24, 0x40, 0x0F, 0xB7, 0x09, 0x66, 0x23, 0xC8, 0x0F, 0xB7, 0xC1, 0x0F, 0xB7, 0xC0, 0x48, 0x8B, 296 | 0x4C, 0x24, 0x30, 0x48, 0x8B, 0x04, 0x01, 0x48, 0x03, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 0xB9, 297 | 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x12, 0x66, 0x23, 0xD1, 0x0F, 298 | 0xB7, 0xCA, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x48, 0x89, 0x04, 0x0A, 0xE9, 0x3A, 299 | 0x01, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 300 | 0x83, 0xE0, 0x0F, 0x0F, 0xB7, 0xC0, 0x83, 0xF8, 0x03, 0x75, 0x48, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 301 | 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x0F, 0xB7, 0x09, 0x66, 0x23, 0xC8, 0x0F, 0xB7, 0xC1, 0x0F, 0xB7, 302 | 0xC0, 0x48, 0x8B, 0x4C, 0x24, 0x30, 0x8B, 0x04, 0x01, 0x03, 0x84, 0x24, 0xE0, 0x00, 0x00, 0x00, 303 | 0xB9, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x12, 0x66, 0x23, 0xD1, 304 | 0x0F, 0xB7, 0xCA, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x89, 0x04, 0x0A, 0xE9, 0xDA, 305 | 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 306 | 0x83, 0xE0, 0x0F, 0x0F, 0xB7, 0xC0, 0x83, 0xF8, 0x01, 0x75, 0x58, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 307 | 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x0F, 0xB7, 0x09, 0x66, 0x23, 0xC8, 0x0F, 0xB7, 0xC1, 0x0F, 0xB7, 308 | 0xC0, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xE9, 0x10, 0x48, 0x81, 0xE1, 309 | 0xFF, 0xFF, 0x00, 0x00, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x0F, 0xB7, 0x04, 0x02, 310 | 0x03, 0xC1, 0xB9, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x12, 0x66, 311 | 0x23, 0xD1, 0x0F, 0xB7, 0xCA, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x66, 0x89, 0x04, 312 | 0x0A, 0xEB, 0x6A, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xB7, 0x00, 0x66, 0xC1, 0xE8, 0x0C, 0x66, 313 | 0x83, 0xE0, 0x0F, 0x0F, 0xB7, 0xC0, 0x83, 0xF8, 0x02, 0x75, 0x52, 0xB8, 0xFF, 0x0F, 0x00, 0x00, 314 | 0x48, 0x8B, 0x4C, 0x24, 0x40, 0x0F, 0xB7, 0x09, 0x66, 0x23, 0xC8, 0x0F, 0xB7, 0xC1, 0x0F, 0xB7, 315 | 0xC0, 0x48, 0x8B, 0x8C, 0x24, 0xE0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xE1, 0xFF, 0xFF, 0x00, 0x00, 316 | 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x0F, 0xB7, 0x04, 0x02, 0x03, 0xC1, 0xB9, 0xFF, 317 | 0x0F, 0x00, 0x00, 0x48, 0x8B, 0x54, 0x24, 0x40, 0x0F, 0xB7, 0x12, 0x66, 0x23, 0xD1, 0x0F, 0xB7, 318 | 0xCA, 0x0F, 0xB7, 0xC9, 0x48, 0x8B, 0x54, 0x24, 0x30, 0x66, 0x89, 0x04, 0x0A, 0x48, 0x8B, 0x44, 319 | 0x24, 0x40, 0x48, 0x83, 0xC0, 0x02, 0x48, 0x89, 0x44, 0x24, 0x40, 0xE9, 0x27, 0xFE, 0xFF, 0xFF, 320 | 0x48, 0x8B, 0x44, 0x24, 0x38, 0x8B, 0x40, 0x04, 0x48, 0x8B, 0x4C, 0x24, 0x38, 0x48, 0x03, 0xC8, 321 | 0x48, 0x8B, 0xC1, 0x48, 0x89, 0x44, 0x24, 0x38, 0xE9, 0xBB, 0xFD, 0xFF, 0xFF, 0x48, 0x8B, 0x44, 322 | 0x24, 0x70, 0x8B, 0x40, 0x28, 0x48, 0x8B, 0x4C, 0x24, 0x28, 0x48, 0x03, 0xC8, 0x48, 0x8B, 0xC1, 323 | 0x48, 0x89, 0x44, 0x24, 0x30, 0x45, 0x33, 0xC0, 0x33, 0xD2, 0x48, 0xC7, 0xC1, 0xFF, 0xFF, 0xFF, 324 | 0xFF, 0xFF, 0x94, 0x24, 0x88, 0x00, 0x00, 0x00, 0x45, 0x33, 0xC0, 0xBA, 0x01, 0x00, 0x00, 0x00, 325 | 0x48, 0x8B, 0x4C, 0x24, 0x28, 0xFF, 0x54, 0x24, 0x30, 0x48, 0x8B, 0x44, 0x24, 0x28, 0x48, 0x81, 326 | 0xC4, 0xD8, 0x00, 0x00, 0x00, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 327 | 0x48, 0x89, 0x4C, 0x24, 0x08, 0x48, 0x83, 0xEC, 0x38, 0xC7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 328 | 0x00, 0x8B, 0x4C, 0x24, 0x20, 0xE8, 0x46, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x20, 0x48, 0x8B, 329 | 0x44, 0x24, 0x40, 0x0F, 0xBE, 0x00, 0x8B, 0x4C, 0x24, 0x20, 0x03, 0xC8, 0x8B, 0xC1, 0x89, 0x44, 330 | 0x24, 0x20, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0xFF, 0xC0, 0x48, 0x89, 0x44, 0x24, 0x40, 0x48, 331 | 0x8B, 0x44, 0x24, 0x40, 0x0F, 0xBE, 0x00, 0x85, 0xC0, 0x75, 0xC6, 0x8B, 0x44, 0x24, 0x20, 0x48, 332 | 0x83, 0xC4, 0x38, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 333 | 0x89, 0x4C, 0x24, 0x08, 0x8B, 0x44, 0x24, 0x08, 0xC1, 0xC8, 0x0D, 0xC3, 0x00, 0x00, 0x00, 0x00, 334 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 335 | 0x00, 0x00, 0x00, 0x00, 0x24, 0xD9, 0x29, 0x5B, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 336 | 0x54, 0x00, 0x00, 0x00, 0x38, 0x20, 0x00, 0x00, 0x38, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 337 | 0x24, 0xD9, 0x29, 0x5B, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 338 | 0x8C, 0x20, 0x00, 0x00, 0x8C, 0x10, 0x00, 0x00, 0x52, 0x53, 0x44, 0x53, 0x45, 0x16, 0xB7, 0x56, 339 | 0x5A, 0x59, 0xCF, 0x4A, 0xA1, 0xCD, 0xB1, 0xA7, 0xB6, 0x5E, 0x15, 0xCE, 0x02, 0x00, 0x00, 0x00 340 | 341 | 342 | }; 343 | 344 | 345 | #endif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DriverInjectDll 2 | InjectDll 3 | -------------------------------------------------------------------------------- /_global.cpp: -------------------------------------------------------------------------------- 1 | #include "_global.h" 2 | 3 | void* RtlAllocateMemory(bool InZeroMemory, SIZE_T InSize) 4 | { 5 | void* Result = ExAllocatePoolWithTag(NonPagedPool, InSize, 'HIDE'); 6 | if(InZeroMemory && (Result != NULL)) 7 | RtlZeroMemory(Result, InSize); 8 | return Result; 9 | } 10 | 11 | void RtlFreeMemory(void* InPointer) 12 | { 13 | ExFreePool(InPointer); 14 | } 15 | 16 | //Based on: http://leguanyuan.blogspot.nl/2013/09/x64-inline-hook-zwcreatesection.html 17 | NTSTATUS RtlSuperCopyMemory(IN VOID UNALIGNED* Destination, IN CONST VOID UNALIGNED* Source, IN ULONG Length) 18 | { 19 | //Change memory properties. 20 | PMDL g_pmdl = IoAllocateMdl(Destination, Length, 0, 0, NULL); 21 | if(!g_pmdl) 22 | return STATUS_UNSUCCESSFUL; 23 | MmBuildMdlForNonPagedPool(g_pmdl); 24 | unsigned int* Mapped = (unsigned int*)MmMapLockedPages(g_pmdl, KernelMode); 25 | if(!Mapped) 26 | { 27 | IoFreeMdl(g_pmdl); 28 | return STATUS_UNSUCCESSFUL; 29 | } 30 | KIRQL kirql = KeRaiseIrqlToDpcLevel(); 31 | RtlCopyMemory(Mapped, Source, Length); 32 | KeLowerIrql(kirql); 33 | //Restore memory properties. 34 | MmUnmapLockedPages((PVOID)Mapped, g_pmdl); 35 | IoFreeMdl(g_pmdl); 36 | return STATUS_SUCCESS; 37 | } -------------------------------------------------------------------------------- /_global.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_H 2 | #define _GLOBAL_H 3 | 4 | #ifndef _WIN32_WINNT 5 | #define _WIN32_WINNT 0x0501 6 | #endif 7 | 8 | #ifdef __cplusplus 9 | extern "C" 10 | { 11 | #endif 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #ifdef __cplusplus 21 | } 22 | #endif 23 | 24 | void* RtlAllocateMemory(bool InZeroMemory, SIZE_T InSize); 25 | void RtlFreeMemory(void* InPointer); 26 | NTSTATUS RtlSuperCopyMemory(IN VOID UNALIGNED* Destination, IN CONST VOID UNALIGNED* Source, IN ULONG Length); 27 | 28 | #endif -------------------------------------------------------------------------------- /driver_inject.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/haidragon/DriverInjectDll/274489b7a548fe2cb3769d121e4d4787b2bb1e3e/driver_inject.cpp -------------------------------------------------------------------------------- /driver_inject.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.40629.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver_inject", "driver_inject.vcxproj", "{95EEC86A-C34A-4076-A55C-859BE9BFBDBF}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Input_dll", "Input_dll\Input_dll.vcxproj", "{4B797ED2-6D2A-41A8-AF02-FD3F41F43637}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Loader", "Loader\Loader.vcxproj", "{29392CD7-AAFC-434B-8395-A7016A677011}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|Win32 = Debug|Win32 15 | Debug|x64 = Debug|x64 16 | Release|Win32 = Release|Win32 17 | Release|x64 = Release|x64 18 | Win7 Debug|Win32 = Win7 Debug|Win32 19 | Win7 Debug|x64 = Win7 Debug|x64 20 | Win7 Release|Win32 = Win7 Release|Win32 21 | Win7 Release|x64 = Win7 Release|x64 22 | EndGlobalSection 23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 24 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|Win32.ActiveCfg = Win7 Debug|Win32 25 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|Win32.Build.0 = Win7 Debug|Win32 26 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|x64.ActiveCfg = Win7 Debug|x64 27 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Debug|x64.Build.0 = Win7 Debug|x64 28 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|Win32.ActiveCfg = Win7 Release|Win32 29 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|Win32.Build.0 = Win7 Release|Win32 30 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|x64.ActiveCfg = Win7 Release|x64 31 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Release|x64.Build.0 = Win7 Release|x64 32 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32 33 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32 34 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64 35 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|x64.Build.0 = Win7 Debug|x64 36 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64 37 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32 38 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|Win32.Build.0 = Win7 Release|Win32 39 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|x64.ActiveCfg = Win7 Release|x64 40 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|x64.Build.0 = Win7 Release|x64 41 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF}.Win7 Release|x64.Deploy.0 = Win7 Release|x64 42 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Debug|Win32.ActiveCfg = Debug|Win32 43 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Debug|Win32.Build.0 = Debug|Win32 44 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Debug|x64.ActiveCfg = Debug|Win32 45 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Release|Win32.ActiveCfg = Release|Win32 46 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Release|Win32.Build.0 = Release|Win32 47 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Release|x64.ActiveCfg = Release|Win32 48 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Debug|Win32.ActiveCfg = Debug|Win32 49 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Debug|Win32.Build.0 = Debug|Win32 50 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Debug|x64.ActiveCfg = Debug|Win32 51 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Release|Win32.ActiveCfg = Release|Win32 52 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Release|Win32.Build.0 = Release|Win32 53 | {4B797ED2-6D2A-41A8-AF02-FD3F41F43637}.Win7 Release|x64.ActiveCfg = Release|Win32 54 | {29392CD7-AAFC-434B-8395-A7016A677011}.Debug|Win32.ActiveCfg = Debug|Win32 55 | {29392CD7-AAFC-434B-8395-A7016A677011}.Debug|Win32.Build.0 = Debug|Win32 56 | {29392CD7-AAFC-434B-8395-A7016A677011}.Debug|x64.ActiveCfg = Debug|x64 57 | {29392CD7-AAFC-434B-8395-A7016A677011}.Debug|x64.Build.0 = Debug|x64 58 | {29392CD7-AAFC-434B-8395-A7016A677011}.Release|Win32.ActiveCfg = Release|Win32 59 | {29392CD7-AAFC-434B-8395-A7016A677011}.Release|Win32.Build.0 = Release|Win32 60 | {29392CD7-AAFC-434B-8395-A7016A677011}.Release|x64.ActiveCfg = Release|x64 61 | {29392CD7-AAFC-434B-8395-A7016A677011}.Release|x64.Build.0 = Release|x64 62 | {29392CD7-AAFC-434B-8395-A7016A677011}.Win7 Debug|Win32.ActiveCfg = Debug|Win32 63 | {29392CD7-AAFC-434B-8395-A7016A677011}.Win7 Debug|Win32.Build.0 = Debug|Win32 64 | {29392CD7-AAFC-434B-8395-A7016A677011}.Win7 Debug|x64.ActiveCfg = Debug|x64 65 | {29392CD7-AAFC-434B-8395-A7016A677011}.Win7 Debug|x64.Build.0 = Debug|x64 66 | {29392CD7-AAFC-434B-8395-A7016A677011}.Win7 Release|Win32.ActiveCfg = Release|Win32 67 | {29392CD7-AAFC-434B-8395-A7016A677011}.Win7 Release|Win32.Build.0 = Release|Win32 68 | {29392CD7-AAFC-434B-8395-A7016A677011}.Win7 Release|x64.ActiveCfg = Release|x64 69 | {29392CD7-AAFC-434B-8395-A7016A677011}.Win7 Release|x64.Build.0 = Release|x64 70 | EndGlobalSection 71 | GlobalSection(SolutionProperties) = preSolution 72 | HideSolutionNode = FALSE 73 | EndGlobalSection 74 | EndGlobal 75 | -------------------------------------------------------------------------------- /driver_inject.v12.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/haidragon/DriverInjectDll/274489b7a548fe2cb3769d121e4d4787b2bb1e3e/driver_inject.v12.suo -------------------------------------------------------------------------------- /driver_inject.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Win7 Debug 6 | Win32 7 | 8 | 9 | Win7 Release 10 | Win32 11 | 12 | 13 | Win7 Debug 14 | x64 15 | 16 | 17 | Win7 Release 18 | x64 19 | 20 | 21 | 22 | {95EEC86A-C34A-4076-A55C-859BE9BFBDBF} 23 | {1bc93793-694f-48fe-9372-81e2b05556fd} 24 | v4.5 25 | 11.0 26 | Win8.1 Debug 27 | Win32 28 | TitanHide 29 | driver_inject 30 | 31 | 32 | 33 | Windows7 34 | true 35 | WindowsKernelModeDriver8.1 36 | Driver 37 | WDM 38 | 39 | 40 | Windows7 41 | false 42 | WindowsKernelModeDriver8.1 43 | Driver 44 | WDM 45 | 46 | 47 | Windows7 48 | true 49 | WindowsKernelModeDriver8.1 50 | Driver 51 | WDM 52 | 53 | 54 | Windows7 55 | false 56 | WindowsKernelModeDriver8.1 57 | Driver 58 | WDM 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | DbgengKernelDebugger 69 | Temp\$(ProjectName)\$(Platform)\$(ConfigurationName)\ 70 | $(SolutionDir)\Bin\ 71 | 72 | 73 | DbgengKernelDebugger 74 | Temp\$(ProjectName)\$(Platform)\$(ConfigurationName)\ 75 | $(SolutionDir)\Bin\ 76 | 77 | 78 | DbgengKernelDebugger 79 | $(SolutionDir)\Bin\ 80 | Temp\$(ProjectName)\$(Platform)\$(ConfigurationName)\ 81 | $(TargetName.Replace(' ',''))_x64_d 82 | 83 | 84 | DbgengKernelDebugger 85 | $(TargetName.Replace(' ',''))_x64 86 | Temp\$(ProjectName)\$(Platform)\$(ConfigurationName)\ 87 | $(SolutionDir)\Bin\ 88 | 89 | 90 | 91 | false 92 | trace.h 93 | true 94 | false 95 | _DEBUG;_X86_=1;i386=1;STD_CALL;%(PreprocessorDefinitions) 96 | 97 | 98 | 5.01 99 | 100 | false 101 | 102 | 103 | 104 | 105 | false 106 | trace.h 107 | true 108 | false 109 | 110 | 111 | 5.01 112 | 113 | false 114 | false 115 | 116 | 117 | 118 | 119 | false 120 | trace.h 121 | true 122 | false 123 | _DEBUG;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions) 124 | 125 | 126 | 5.01 127 | 128 | false 129 | 130 | 131 | 132 | 133 | false 134 | trace.h 135 | true 136 | false 137 | 138 | 139 | 5.01 140 | 141 | false 142 | false 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | -------------------------------------------------------------------------------- /driver_inject.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | Header Files 44 | 45 | 46 | 47 | 48 | Source Files 49 | 50 | 51 | Source Files 52 | 53 | 54 | Source Files 55 | 56 | 57 | Source Files 58 | 59 | 60 | Source Files 61 | 62 | 63 | Source Files 64 | 65 | 66 | Source Files 67 | 68 | 69 | Source Files 70 | 71 | 72 | -------------------------------------------------------------------------------- /hooklib.cpp: -------------------------------------------------------------------------------- 1 | #include "hooklib.h" 2 | 3 | 4 | static HOOK hook_internal(ULONG_PTR addr, void* newfunc) 5 | { 6 | //allocate structure 7 | HOOK hook = (HOOK)RtlAllocateMemory(true, sizeof(HOOKSTRUCT)); 8 | //set hooking address 9 | hook->addr = addr; 10 | //set hooking opcode 11 | #ifdef _WIN64 12 | hook->hook.mov = 0xB848; 13 | #else 14 | hook->hook.mov = 0xB8; 15 | #endif 16 | hook->hook.addr = (ULONG_PTR)newfunc; 17 | hook->hook.push = 0x50; 18 | hook->hook.ret = 0xc3; 19 | //set original data 20 | RtlCopyMemory(&hook->orig, (const void*)addr, sizeof(HOOKOPCODES)); 21 | if(!NT_SUCCESS(RtlSuperCopyMemory((void*)addr, &hook->hook, sizeof(HOOKOPCODES)))) 22 | { 23 | RtlFreeMemory(hook); 24 | return 0; 25 | } 26 | return hook; 27 | } 28 | 29 | HOOK Hooklib::Hook(PVOID api, void* newfunc) 30 | { 31 | ULONG_PTR addr = (ULONG_PTR)api; 32 | if(!addr) 33 | return 0; 34 | DbgPrint("[DeugMessage] hook(0x%p, 0x%p)\r\n", addr, newfunc); 35 | return hook_internal(addr, newfunc); 36 | } 37 | 38 | bool Hooklib::Hook(HOOK hook) 39 | { 40 | if(!hook) 41 | return false; 42 | return (NT_SUCCESS(RtlSuperCopyMemory((void*)hook->addr, &hook->hook, sizeof(HOOKOPCODES)))); 43 | } 44 | 45 | bool Hooklib::Unhook(HOOK hook, bool free) 46 | { 47 | if(!hook || !hook->addr) 48 | return false; 49 | if(NT_SUCCESS(RtlSuperCopyMemory((void*)hook->addr, hook->orig, sizeof(HOOKOPCODES)))) 50 | { 51 | if(free) 52 | RtlFreeMemory(hook); 53 | return true; 54 | } 55 | return false; 56 | } 57 | -------------------------------------------------------------------------------- /hooklib.h: -------------------------------------------------------------------------------- 1 | #ifndef _HOOKLIB_H_ 2 | #define _HOOKLIB_H_ 3 | 4 | #include "_global.h" 5 | 6 | #pragma pack(push,1) 7 | struct HOOKOPCODES 8 | { 9 | #ifdef _WIN64 10 | unsigned short int mov; 11 | #else 12 | unsigned char mov; 13 | #endif 14 | ULONG_PTR addr; 15 | unsigned char push; 16 | unsigned char ret; 17 | }; 18 | #pragma pack(pop) 19 | 20 | typedef struct HOOKSTRUCT 21 | { 22 | ULONG_PTR addr; 23 | HOOKOPCODES hook; 24 | unsigned char orig[sizeof(HOOKOPCODES)]; 25 | //SSDT extension 26 | int SSDTindex; 27 | LONG SSDTold; 28 | LONG SSDTnew; 29 | ULONG_PTR SSDTaddress; 30 | }* HOOK; 31 | 32 | class Hooklib 33 | { 34 | public: 35 | static HOOK Hook(PVOID api, void* newfunc); 36 | static bool Hook(HOOK hook); 37 | static bool Unhook(HOOK hook, bool free = false); 38 | }; 39 | 40 | #endif //_HOOKLIB_H_ 41 | -------------------------------------------------------------------------------- /misc.cpp: -------------------------------------------------------------------------------- 1 | #include "misc.h" 2 | #include "undocumented.h" 3 | 4 | ULONG Misc::GetProcessIDFromProcessHandle(HANDLE ProcessHandle) 5 | { 6 | PROCESS_BASIC_INFORMATION PBI; 7 | if(NT_SUCCESS(Undocumented::ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &PBI, sizeof(PBI), NULL))) 8 | return (ULONG)PBI.UniqueProcessId; 9 | else 10 | return 0; 11 | } 12 | 13 | ULONG Misc::GetProcessIDFromThreadHandle(HANDLE ThreadHandle) 14 | { 15 | typedef struct _THREAD_BASIC_INFORMATION 16 | { 17 | NTSTATUS ExitStatus; 18 | PVOID TebBaseAddress; 19 | CLIENT_ID ClientId; 20 | KAFFINITY AffinityMask; 21 | KPRIORITY Priority; 22 | KPRIORITY BasePriority; 23 | } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; 24 | THREAD_BASIC_INFORMATION TBI; 25 | if(NT_SUCCESS(Undocumented::ZwQueryInformationThread(ThreadHandle, ThreadBasicInformation, &TBI, sizeof(TBI), NULL))) 26 | return (ULONG)TBI.ClientId.UniqueProcess; 27 | else 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /misc.h: -------------------------------------------------------------------------------- 1 | #ifndef _MISC_H 2 | #define _MISC_H 3 | 4 | #include "_global.h" 5 | 6 | class Misc 7 | { 8 | public: 9 | static ULONG GetProcessIDFromProcessHandle(HANDLE ProcessHandle); 10 | static ULONG GetProcessIDFromThreadHandle(HANDLE ThreadHandle); 11 | }; 12 | 13 | #endif -------------------------------------------------------------------------------- /ntdll.cpp: -------------------------------------------------------------------------------- 1 | #include "ntdll.h" 2 | 3 | #include "pe.h" 4 | 5 | unsigned char* NTDLL::FileData = 0; 6 | ULONG NTDLL::FileSize = 0; 7 | 8 | NTSTATUS NTDLL::Initialize() 9 | { 10 | UNICODE_STRING FileName; 11 | OBJECT_ATTRIBUTES ObjectAttributes; 12 | RtlInitUnicodeString(&FileName, L"\\SystemRoot\\system32\\ntdll.dll"); 13 | InitializeObjectAttributes(&ObjectAttributes, &FileName, 14 | OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 15 | NULL, NULL); 16 | 17 | if(KeGetCurrentIrql() != PASSIVE_LEVEL) 18 | { 19 | #ifdef _DEBUG 20 | DbgPrint("[DeugMessage] KeGetCurrentIrql != PASSIVE_LEVEL!\n"); 21 | #endif 22 | return STATUS_UNSUCCESSFUL; 23 | } 24 | 25 | HANDLE FileHandle; 26 | IO_STATUS_BLOCK IoStatusBlock; 27 | NTSTATUS NtStatus = ZwCreateFile(&FileHandle, 28 | GENERIC_READ, 29 | &ObjectAttributes, 30 | &IoStatusBlock, NULL, 31 | FILE_ATTRIBUTE_NORMAL, 32 | FILE_SHARE_READ, 33 | FILE_OPEN, 34 | FILE_SYNCHRONOUS_IO_NONALERT, 35 | NULL, 0); 36 | if(NT_SUCCESS(NtStatus)) 37 | { 38 | FILE_STANDARD_INFORMATION StandardInformation = { 0 }; 39 | NtStatus = ZwQueryInformationFile(FileHandle, &IoStatusBlock, &StandardInformation, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation); 40 | if(NT_SUCCESS(NtStatus)) 41 | { 42 | FileSize = StandardInformation.EndOfFile.LowPart; 43 | DbgPrint("[DeugMessage] FileSize of ntdll.dll is %08X!\r\n", StandardInformation.EndOfFile.LowPart); 44 | FileData = (unsigned char*)RtlAllocateMemory(true, FileSize); 45 | 46 | LARGE_INTEGER ByteOffset; 47 | ByteOffset.LowPart = ByteOffset.HighPart = 0; 48 | NtStatus = ZwReadFile(FileHandle, 49 | NULL, NULL, NULL, 50 | &IoStatusBlock, 51 | FileData, 52 | FileSize, 53 | &ByteOffset, NULL); 54 | 55 | if(!NT_SUCCESS(NtStatus)) 56 | { 57 | RtlFreeMemory(FileData); 58 | DbgPrint("[DeugMessage] ZwReadFile failed with status %08X...\r\n", NtStatus); 59 | } 60 | } 61 | else 62 | DbgPrint("[DeugMessage] ZwQueryInformationFile failed with status %08X...\r\n", NtStatus); 63 | ZwClose(FileHandle); 64 | } 65 | else 66 | DbgPrint("[DeugMessage] ZwCreateFile failed with status %08X...\r\n", NtStatus); 67 | return NtStatus; 68 | } 69 | 70 | void NTDLL::Deinitialize() 71 | { 72 | RtlFreeMemory(FileData); 73 | } 74 | 75 | int NTDLL::GetExportSsdtIndex(const char* ExportName) 76 | { 77 | ULONG_PTR ExportOffset = PE::GetExportOffset(FileData, FileSize, ExportName); 78 | if(ExportOffset == PE_ERROR_VALUE) 79 | return -1; 80 | 81 | int SsdtOffset = -1; 82 | unsigned char* ExportData = FileData + ExportOffset; 83 | for(int i = 0; i < 32 && ExportOffset + i < FileSize; i++) 84 | { 85 | if(ExportData[i] == 0xC2 || ExportData[i] == 0xC3) //RET 86 | break; 87 | if(ExportData[i] == 0xB8) //mov eax,X 88 | { 89 | SsdtOffset = *(int*)(ExportData + i + 1); 90 | break; 91 | } 92 | } 93 | 94 | if(SsdtOffset == -1) 95 | { 96 | DbgPrint("[DeugMessage] SSDT Offset for %s not found...\r\n", ExportName); 97 | } 98 | 99 | return SsdtOffset; 100 | } -------------------------------------------------------------------------------- /ntdll.h: -------------------------------------------------------------------------------- 1 | #ifndef _NTDLL_H 2 | #define _NTDLL_H 3 | 4 | #include "_global.h" 5 | 6 | class NTDLL 7 | { 8 | public: 9 | static NTSTATUS Initialize(); 10 | static void Deinitialize(); 11 | static int GetExportSsdtIndex(const char* ExportName); 12 | 13 | private: 14 | static unsigned char* FileData; 15 | static ULONG FileSize; 16 | }; 17 | 18 | #endif //_NTDLL_H -------------------------------------------------------------------------------- /pe.cpp: -------------------------------------------------------------------------------- 1 | #include "pe.h" 2 | 3 | 4 | static ULONG RvaToSection(IMAGE_NT_HEADERS* pNtHdr, ULONG dwRVA) 5 | { 6 | USHORT wSections; 7 | PIMAGE_SECTION_HEADER pSectionHdr; 8 | pSectionHdr = IMAGE_FIRST_SECTION(pNtHdr); 9 | wSections = pNtHdr->FileHeader.NumberOfSections; 10 | for(int i = 0; i < wSections; i++) 11 | { 12 | if(pSectionHdr[i].VirtualAddress <= dwRVA) 13 | if((pSectionHdr[i].VirtualAddress + pSectionHdr[i].Misc.VirtualSize) > dwRVA) 14 | { 15 | return i; 16 | } 17 | } 18 | return (ULONG) - 1; 19 | } 20 | 21 | static ULONG RvaToOffset(PIMAGE_NT_HEADERS pnth, ULONG Rva, ULONG FileSize) 22 | { 23 | PIMAGE_SECTION_HEADER psh = IMAGE_FIRST_SECTION(pnth); 24 | USHORT NumberOfSections = pnth->FileHeader.NumberOfSections; 25 | for(int i = 0; i < NumberOfSections; i++) 26 | { 27 | if(psh->VirtualAddress <= Rva) 28 | { 29 | if((psh->VirtualAddress + psh->Misc.VirtualSize) > Rva) 30 | { 31 | Rva -= psh->VirtualAddress; 32 | Rva += psh->PointerToRawData; 33 | return Rva < FileSize ? Rva : PE_ERROR_VALUE; 34 | } 35 | } 36 | psh++; 37 | } 38 | return PE_ERROR_VALUE; 39 | } 40 | 41 | ULONG PE::GetExportOffset(const unsigned char* FileData, ULONG FileSize, const char* ExportName) 42 | { 43 | //Verify DOS Header 44 | PIMAGE_DOS_HEADER pdh = (PIMAGE_DOS_HEADER)FileData; 45 | if(pdh->e_magic != IMAGE_DOS_SIGNATURE) 46 | { 47 | DbgPrint("[DeugMessage] Invalid IMAGE_DOS_SIGNATURE!\r\n"); 48 | return PE_ERROR_VALUE; 49 | } 50 | 51 | //Verify PE Header 52 | PIMAGE_NT_HEADERS pnth = (PIMAGE_NT_HEADERS)(FileData + pdh->e_lfanew); 53 | if(pnth->Signature != IMAGE_NT_SIGNATURE) 54 | { 55 | DbgPrint("[DeugMessage] Invalid IMAGE_NT_SIGNATURE!\r\n"); 56 | return PE_ERROR_VALUE; 57 | } 58 | 59 | //Verify Export Directory 60 | PIMAGE_DATA_DIRECTORY pdd = NULL; 61 | if(pnth->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) 62 | pdd = ((PIMAGE_NT_HEADERS64)pnth)->OptionalHeader.DataDirectory; 63 | else 64 | pdd = ((PIMAGE_NT_HEADERS32)pnth)->OptionalHeader.DataDirectory; 65 | ULONG ExportDirRva = pdd[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; 66 | ULONG ExportDirSize = pdd[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; 67 | ULONG ExportDirOffset = RvaToOffset(pnth, ExportDirRva, FileSize); 68 | if(ExportDirOffset == PE_ERROR_VALUE) 69 | { 70 | DbgPrint("[DeugMessage] Invalid Export Directory!\r\n"); 71 | return PE_ERROR_VALUE; 72 | } 73 | 74 | //Read Export Directory 75 | PIMAGE_EXPORT_DIRECTORY ExportDir = (PIMAGE_EXPORT_DIRECTORY)(FileData + ExportDirOffset); 76 | ULONG NumberOfNames = ExportDir->NumberOfNames; 77 | ULONG AddressOfFunctionsOffset = RvaToOffset(pnth, ExportDir->AddressOfFunctions, FileSize); 78 | ULONG AddressOfNameOrdinalsOffset = RvaToOffset(pnth, ExportDir->AddressOfNameOrdinals, FileSize); 79 | ULONG AddressOfNamesOffset = RvaToOffset(pnth, ExportDir->AddressOfNames, FileSize); 80 | if(AddressOfFunctionsOffset == PE_ERROR_VALUE || 81 | AddressOfNameOrdinalsOffset == PE_ERROR_VALUE || 82 | AddressOfNamesOffset == PE_ERROR_VALUE) 83 | { 84 | DbgPrint("[DeugMessage] Invalid Export Directory Contents!\r\n"); 85 | return PE_ERROR_VALUE; 86 | } 87 | ULONG* AddressOfFunctions = (ULONG*)(FileData + AddressOfFunctionsOffset); 88 | USHORT* AddressOfNameOrdinals = (USHORT*)(FileData + AddressOfNameOrdinalsOffset); 89 | ULONG* AddressOfNames = (ULONG*)(FileData + AddressOfNamesOffset); 90 | 91 | //Find Export 92 | ULONG ExportOffset = PE_ERROR_VALUE; 93 | for(ULONG i = 0; i < NumberOfNames; i++) 94 | { 95 | ULONG CurrentNameOffset = RvaToOffset(pnth, AddressOfNames[i], FileSize); 96 | if(CurrentNameOffset == PE_ERROR_VALUE) 97 | continue; 98 | const char* CurrentName = (const char*)(FileData + CurrentNameOffset); 99 | ULONG CurrentFunctionRva = AddressOfFunctions[AddressOfNameOrdinals[i]]; 100 | if(CurrentFunctionRva >= ExportDirRva && CurrentFunctionRva < ExportDirRva + ExportDirSize) 101 | continue; //we ignore forwarded exports 102 | if(!strcmp(CurrentName, ExportName)) //compare the export name to the requested export 103 | { 104 | ExportOffset = RvaToOffset(pnth, CurrentFunctionRva, FileSize); 105 | break; 106 | } 107 | } 108 | 109 | if(ExportOffset == PE_ERROR_VALUE) 110 | { 111 | DbgPrint("[DeugMessage] Export %s not found in export table!\r\n", ExportName); 112 | } 113 | 114 | return ExportOffset; 115 | } 116 | 117 | PVOID PE::GetPageBase(PVOID lpHeader, ULONG* Size, PVOID ptr) 118 | { 119 | if((unsigned char*)ptr < (unsigned char*)lpHeader) 120 | return 0; 121 | ULONG dwRva = (ULONG)((unsigned char*)ptr - (unsigned char*)lpHeader); 122 | IMAGE_DOS_HEADER* pdh = (IMAGE_DOS_HEADER*)lpHeader; 123 | if(pdh->e_magic != IMAGE_DOS_SIGNATURE) 124 | return 0; 125 | IMAGE_NT_HEADERS* pnth = (IMAGE_NT_HEADERS*)((unsigned char*)lpHeader + pdh->e_lfanew); 126 | if(pnth->Signature != IMAGE_NT_SIGNATURE) 127 | return 0; 128 | IMAGE_SECTION_HEADER* psh = IMAGE_FIRST_SECTION(pnth); 129 | int section = RvaToSection(pnth, dwRva); 130 | if(section == -1) 131 | return 0; 132 | if(Size) 133 | *Size = psh[section].SizeOfRawData; 134 | return (PVOID)((unsigned char*)lpHeader + psh[section].VirtualAddress); 135 | } -------------------------------------------------------------------------------- /pe.h: -------------------------------------------------------------------------------- 1 | #ifndef _PE_H 2 | #define _PE_H 3 | 4 | #include "_global.h" 5 | 6 | #define PE_ERROR_VALUE (ULONG)-1 7 | 8 | class PE 9 | { 10 | public: 11 | static PVOID GetPageBase(PVOID lpHeader, ULONG* Size, PVOID ptr); 12 | static ULONG GetExportOffset(const unsigned char* FileData, ULONG FileSize, const char* ExportName); 13 | }; 14 | 15 | #endif -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Driver Memory Inject Dll 2 | 3 | -------------------------------------------------------------------------------- /ssdt.cpp: -------------------------------------------------------------------------------- 1 | #include "ssdt.h" 2 | #include "undocumented.h" 3 | #include "pe.h" 4 | 5 | #include "ntdll.h" 6 | 7 | //structures 8 | struct SSDTStruct 9 | { 10 | LONG* pServiceTable; 11 | PVOID pCounterTable; 12 | #ifdef _WIN64 13 | ULONGLONG NumberOfServices; 14 | #else 15 | ULONG NumberOfServices; 16 | #endif 17 | PCHAR pArgumentTable; 18 | }; 19 | 20 | //Based on: https://github.com/hfiref0x/WinObjEx64 21 | static SSDTStruct* SSDTfind() 22 | { 23 | static SSDTStruct* SSDT = 0; 24 | if(!SSDT) 25 | { 26 | #ifndef _WIN64 27 | //x86 code 28 | UNICODE_STRING routineName; 29 | RtlInitUnicodeString(&routineName, L"KeServiceDescriptorTable"); 30 | SSDT = (SSDTStruct*)MmGetSystemRoutineAddress(&routineName); 31 | #else 32 | //x64 code 33 | ULONG kernelSize; 34 | ULONG_PTR kernelBase = (ULONG_PTR)Undocumented::GetKernelBase(&kernelSize); 35 | if(kernelBase == 0 || kernelSize == 0) 36 | return NULL; 37 | 38 | // Find KiSystemServiceStart 39 | const unsigned char KiSystemServiceStartPattern[] = { 0x8B, 0xF8, 0xC1, 0xEF, 0x07, 0x83, 0xE7, 0x20, 0x25, 0xFF, 0x0F, 0x00, 0x00 }; 40 | const ULONG signatureSize = sizeof(KiSystemServiceStartPattern); 41 | bool found = false; 42 | ULONG KiSSSOffset; 43 | for(KiSSSOffset = 0; KiSSSOffset < kernelSize - signatureSize; KiSSSOffset++) 44 | { 45 | if(RtlCompareMemory(((unsigned char*)kernelBase + KiSSSOffset), KiSystemServiceStartPattern, signatureSize) == signatureSize) 46 | { 47 | found = true; 48 | break; 49 | } 50 | } 51 | if(!found) 52 | return NULL; 53 | 54 | // lea r10, KeServiceDescriptorTable 55 | ULONG_PTR address = kernelBase + KiSSSOffset + signatureSize; 56 | LONG relativeOffset = 0; 57 | if((*(unsigned char*)address == 0x4c) && 58 | (*(unsigned char*)(address + 1) == 0x8d) && 59 | (*(unsigned char*)(address + 2) == 0x15)) 60 | { 61 | relativeOffset = *(LONG*)(address + 3); 62 | } 63 | if(relativeOffset == 0) 64 | return NULL; 65 | 66 | SSDT = (SSDTStruct*)(address + relativeOffset + 7); 67 | #endif 68 | } 69 | return SSDT; 70 | } 71 | 72 | PVOID SSDT::GetFunctionAddress(const char* apiname) 73 | { 74 | //read address from SSDT 75 | SSDTStruct* SSDT = SSDTfind(); 76 | if(!SSDT) 77 | { 78 | DbgPrint("[DeugMessage] SSDT not found...\r\n"); 79 | return 0; 80 | } 81 | ULONG_PTR SSDTbase = (ULONG_PTR)SSDT->pServiceTable; 82 | if(!SSDTbase) 83 | { 84 | DbgPrint("[DeugMessage] ServiceTable not found...\r\n"); 85 | return 0; 86 | } 87 | ULONG readOffset = NTDLL::GetExportSsdtIndex(apiname); 88 | if(readOffset == -1) 89 | return 0; 90 | if(readOffset >= SSDT->NumberOfServices) 91 | { 92 | DbgPrint("[DeugMessage] Invalid read offset...\r\n"); 93 | return 0; 94 | } 95 | #ifdef _WIN64 96 | return (PVOID)((SSDT->pServiceTable[readOffset] >> 4) + SSDTbase); 97 | #else 98 | return (PVOID)SSDT->pServiceTable[readOffset]; 99 | #endif 100 | } 101 | 102 | static void InterlockedSet(LONG* Destination, LONG Source) 103 | { 104 | //Change memory properties. 105 | PMDL g_pmdl = IoAllocateMdl(Destination, sizeof(LONG), 0, 0, NULL); 106 | if(!g_pmdl) 107 | return; 108 | MmBuildMdlForNonPagedPool(g_pmdl); 109 | LONG* Mapped = (LONG*)MmMapLockedPages(g_pmdl, KernelMode); 110 | if(!Mapped) 111 | { 112 | IoFreeMdl(g_pmdl); 113 | return; 114 | } 115 | InterlockedExchange(Mapped, Source); 116 | //Restore memory properties. 117 | MmUnmapLockedPages((PVOID)Mapped, g_pmdl); 118 | IoFreeMdl(g_pmdl); 119 | } 120 | 121 | #ifdef _WIN64 122 | static PVOID FindCaveAddress(PVOID CodeStart, ULONG CodeSize, ULONG CaveSize) 123 | { 124 | unsigned char* Code = (unsigned char*)CodeStart; 125 | 126 | for(unsigned int i = 0, j = 0; i < CodeSize; i++) 127 | { 128 | if(Code[i] == 0x90 || Code[i] == 0xCC) //NOP or INT3 129 | j++; 130 | else 131 | j = 0; 132 | if(j == CaveSize) 133 | return (PVOID)((ULONG_PTR)CodeStart + i - CaveSize + 1); 134 | } 135 | return 0; 136 | } 137 | #endif //_WIN64 138 | 139 | HOOK SSDT::Hook(const char* apiname, void* newfunc) 140 | { 141 | SSDTStruct* SSDT = SSDTfind(); 142 | if(!SSDT) 143 | { 144 | DbgPrint("[DeugMessage] SSDT not found...\r\n"); 145 | return 0; 146 | } 147 | ULONG_PTR SSDTbase = (ULONG_PTR)SSDT->pServiceTable; 148 | if(!SSDTbase) 149 | { 150 | DbgPrint("[DeugMessage] ServiceTable not found...\r\n"); 151 | return 0; 152 | } 153 | int FunctionIndex = NTDLL::GetExportSsdtIndex(apiname); 154 | if(FunctionIndex == -1) 155 | return 0; 156 | if((ULONGLONG)FunctionIndex >= SSDT->NumberOfServices) 157 | { 158 | DbgPrint("[DeugMessage] Invalid API offset...\r\n"); 159 | return 0; 160 | } 161 | 162 | HOOK hHook = 0; 163 | LONG oldValue = SSDT->pServiceTable[FunctionIndex]; 164 | LONG newValue; 165 | 166 | #ifdef _WIN64 167 | /* 168 | x64 SSDT Hook; 169 | 1) find API addr 170 | 2) get code page+size 171 | 3) find cave address 172 | 4) hook cave address (using hooklib) 173 | 5) change SSDT value 174 | */ 175 | 176 | static ULONG CodeSize = 0; 177 | static PVOID CodeStart = 0; 178 | if(!CodeStart) 179 | { 180 | ULONG_PTR Lowest = SSDTbase; 181 | ULONG_PTR Highest = Lowest + 0x0FFFFFFF; 182 | DbgPrint("[DeugMessage] Range: 0x%p-0x%p\r\n", Lowest, Highest); 183 | CodeSize = 0; 184 | CodeStart = PE::GetPageBase(Undocumented::GetKernelBase(), &CodeSize, (PVOID)((oldValue >> 4) + SSDTbase)); 185 | if(!CodeStart || !CodeSize) 186 | { 187 | DbgPrint("[DeugMessage] PeGetPageBase failed...\r\n"); 188 | return 0; 189 | } 190 | DbgPrint("[DeugMessage] CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize); 191 | if((ULONG_PTR)CodeStart < Lowest) //start of the page is out of range (impossible, but whatever) 192 | { 193 | CodeSize -= (ULONG)(Lowest - (ULONG_PTR)CodeStart); 194 | CodeStart = (PVOID)Lowest; 195 | DbgPrint("[DeugMessage] CodeStart: 0x%p, CodeSize: 0x%X\r\n", CodeStart, CodeSize); 196 | } 197 | DbgPrint("[DeugMessage] Range: 0x%p-0x%p\r\n", CodeStart, (ULONG_PTR)CodeStart + CodeSize); 198 | } 199 | 200 | PVOID CaveAddress = FindCaveAddress(CodeStart, CodeSize, sizeof(HOOKOPCODES)); 201 | if(!CaveAddress) 202 | { 203 | DbgPrint("[DeugMessage] FindCaveAddress failed...\r\n"); 204 | return 0; 205 | } 206 | DbgPrint("[DeugMessage] CaveAddress: 0x%p\r\n", CaveAddress); 207 | 208 | hHook = Hooklib::Hook(CaveAddress, (void*)newfunc); 209 | if(!hHook) 210 | return 0; 211 | 212 | newValue = (LONG)((ULONG_PTR)CaveAddress - SSDTbase); 213 | newValue = (newValue << 4) | oldValue & 0xF; 214 | 215 | //update HOOK structure 216 | hHook->SSDTindex = FunctionIndex; 217 | hHook->SSDTold = oldValue; 218 | hHook->SSDTnew = newValue; 219 | hHook->SSDTaddress = (oldValue >> 4) + SSDTbase; 220 | 221 | #else 222 | /* 223 | x86 SSDT Hook: 224 | 1) change SSDT value 225 | */ 226 | newValue = (ULONG)newfunc; 227 | 228 | hHook = (HOOK)RtlAllocateMemory(true, sizeof(HOOKSTRUCT)); 229 | 230 | //update HOOK structure 231 | hHook->SSDTindex = FunctionIndex; 232 | hHook->SSDTold = oldValue; 233 | hHook->SSDTnew = newValue; 234 | hHook->SSDTaddress = oldValue; 235 | 236 | #endif 237 | 238 | InterlockedSet(&SSDT->pServiceTable[FunctionIndex], newValue); 239 | 240 | DbgPrint("[DeugMessage] SSDThook(%s:0x%p, 0x%p)\r\n", apiname, hHook->SSDTold, hHook->SSDTnew); 241 | 242 | return hHook; 243 | } 244 | 245 | void SSDT::Hook(HOOK hHook) 246 | { 247 | if(!hHook) 248 | return; 249 | SSDTStruct* SSDT = SSDTfind(); 250 | if(!SSDT) 251 | { 252 | DbgPrint("[DeugMessage] SSDT not found...\r\n"); 253 | return; 254 | } 255 | LONG* SSDT_Table = SSDT->pServiceTable; 256 | if(!SSDT_Table) 257 | { 258 | DbgPrint("[DeugMessage] ServiceTable not found...\r\n"); 259 | return; 260 | } 261 | InterlockedSet(&SSDT_Table[hHook->SSDTindex], hHook->SSDTnew); 262 | } 263 | 264 | void SSDT::Unhook(HOOK hHook, bool free) 265 | { 266 | if(!hHook) 267 | return; 268 | SSDTStruct* SSDT = SSDTfind(); 269 | if(!SSDT) 270 | { 271 | DbgPrint("[DeugMessage] SSDT not found...\r\n"); 272 | return; 273 | } 274 | LONG* SSDT_Table = SSDT->pServiceTable; 275 | if(!SSDT_Table) 276 | { 277 | DbgPrint("[DeugMessage] ServiceTable not found...\r\n"); 278 | return; 279 | } 280 | InterlockedSet(&SSDT_Table[hHook->SSDTindex], hHook->SSDTold); 281 | #ifdef _WIN64 282 | if(free) 283 | Hooklib::Unhook(hHook, true); 284 | #else 285 | if(free) 286 | RtlFreeMemory(hHook); 287 | #endif 288 | } -------------------------------------------------------------------------------- /ssdt.h: -------------------------------------------------------------------------------- 1 | #ifndef _SSDT_H 2 | #define _SSDT_H 3 | 4 | #include "_global.h" 5 | #include "hooklib.h" 6 | 7 | class SSDT 8 | { 9 | public: 10 | static PVOID GetFunctionAddress(const char* apiname); 11 | static HOOK Hook(const char* apiname, void* newfunc); 12 | static void Hook(HOOK hHook); 13 | static void Unhook(HOOK hHook, bool free = false); 14 | }; 15 | 16 | #endif -------------------------------------------------------------------------------- /undocumented.cpp: -------------------------------------------------------------------------------- 1 | #include "undocumented.h" 2 | #include "ssdt.h" 3 | 4 | 5 | typedef NTSTATUS(NTAPI* ZWQUERYINFORMATIONPROCESS)( 6 | IN HANDLE ProcessHandle, 7 | IN PROCESSINFOCLASS ProcessInformationClass, 8 | OUT PVOID ProcessInformation, 9 | IN ULONG ProcessInformationLength, 10 | OUT PULONG ReturnLength OPTIONAL 11 | ); 12 | 13 | typedef NTSTATUS(NTAPI* ZWQUERYINFORMATIONTHREAD)( 14 | IN HANDLE ThreadHandle, 15 | IN THREADINFOCLASS ThreadInformationClass, 16 | IN OUT PVOID ThreadInformation, 17 | IN ULONG ThreadInformationLength, 18 | OUT PULONG ReturnLength OPTIONAL 19 | ); 20 | 21 | typedef NTSTATUS(NTAPI* NTQUERYOBJECT)( 22 | IN HANDLE Handle OPTIONAL, 23 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 24 | OUT PVOID ObjectInformation OPTIONAL, 25 | IN ULONG ObjectInformationLength, 26 | OUT PULONG ReturnLength OPTIONAL 27 | ); 28 | 29 | typedef NTSTATUS(NTAPI* ZWQUERYSYSTEMINFORMATION)( 30 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 31 | OUT PVOID SystemInformation, 32 | IN ULONG SystemInformationLength, 33 | OUT PULONG ReturnLength OPTIONAL 34 | ); 35 | 36 | typedef NTSTATUS(NTAPI* NTQUERYSYSTEMINFORMATION)( 37 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 38 | OUT PVOID SystemInformation, 39 | IN ULONG SystemInformationLength, 40 | OUT PULONG ReturnLength OPTIONAL 41 | ); 42 | 43 | typedef NTSTATUS(NTAPI* NTCLOSE)( 44 | IN HANDLE Handle 45 | ); 46 | 47 | typedef NTSTATUS(NTAPI* NTSETCONTEXTTHREAD)( 48 | IN HANDLE ThreadHandle, 49 | IN PCONTEXT Context 50 | ); 51 | 52 | typedef NTSTATUS(NTAPI* NTCONTINUE)( 53 | IN PCONTEXT Context, 54 | BOOLEAN RaiseAlert 55 | ); 56 | 57 | typedef NTSTATUS(NTAPI* NTDUPLICATEOBJECT)( 58 | IN HANDLE SourceProcessHandle, 59 | IN HANDLE SourceHandle, 60 | IN HANDLE TargetProcessHandle, 61 | OUT PHANDLE TargetHandle, 62 | IN ACCESS_MASK DesiredAccess OPTIONAL, 63 | IN ULONG HandleAttributes, 64 | IN ULONG Options 65 | ); 66 | 67 | typedef NTSTATUS(NTAPI* KERAISEUSEREXCEPTION)( 68 | IN NTSTATUS ExceptionCode 69 | ); 70 | 71 | typedef NTSTATUS(NTAPI* NTSETINFORMATIONTHREAD)( 72 | IN HANDLE ThreadHandle, 73 | IN THREADINFOCLASS ThreadInformationClass, 74 | IN PVOID ThreadInformation, 75 | IN ULONG ThreadInformationLength 76 | ); 77 | 78 | typedef NTSTATUS(NTAPI* NTSETINFORMATIONPROCESS)( 79 | IN HANDLE ProcessHandle, 80 | IN PROCESSINFOCLASS ProcessInformationClass, 81 | IN PVOID ProcessInformation, 82 | IN ULONG ProcessInformationLength 83 | ); 84 | 85 | typedef NTSTATUS(NTAPI* NTQUERYINFORMATIONPROCESS)( 86 | IN HANDLE ProcessHandle, 87 | IN PROCESSINFOCLASS ProcessInformationClass, 88 | OUT PVOID ProcessInformation, 89 | IN ULONG ProcessInformationLength, 90 | OUT PULONG ReturnLength OPTIONAL 91 | ); 92 | 93 | typedef NTSTATUS(NTAPI* NTSYSTEMDEBUGCONTROL)( 94 | IN SYSDBG_COMMAND Command, 95 | IN PVOID InputBuffer OPTIONAL, 96 | IN ULONG InputBufferLength, 97 | OUT PVOID OutputBuffer OPTIONAL, 98 | IN ULONG OutputBufferLength, 99 | OUT PULONG ReturnLength OPTIONAL 100 | ); 101 | 102 | static ZWQUERYINFORMATIONPROCESS ZwQIP = 0; 103 | static ZWQUERYINFORMATIONTHREAD ZwQIT = 0; 104 | static NTQUERYOBJECT NtQO = 0; 105 | static ZWQUERYSYSTEMINFORMATION ZwQSI = 0; 106 | static NTQUERYSYSTEMINFORMATION NtQSI = 0; 107 | static NTCLOSE NtClo = 0; 108 | static NTSETCONTEXTTHREAD NtSCT = 0; 109 | static NTCONTINUE NtCon = 0; 110 | static NTDUPLICATEOBJECT NtDO = 0; 111 | static KERAISEUSEREXCEPTION KeRUE = 0; 112 | static NTSETINFORMATIONTHREAD NtSIT = 0; 113 | static NTSETINFORMATIONPROCESS NtSIP = 0; 114 | static NTQUERYINFORMATIONPROCESS NtQIP = 0; 115 | static NTSYSTEMDEBUGCONTROL NtSDBC = 0; 116 | 117 | NTSTATUS NTAPI Undocumented::ZwQueryInformationProcess( 118 | IN HANDLE ProcessHandle, 119 | IN PROCESSINFOCLASS ProcessInformationClass, 120 | OUT PVOID ProcessInformation, 121 | IN ULONG ProcessInformationLength, 122 | OUT PULONG ReturnLength OPTIONAL) 123 | { 124 | return ZwQIP(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength); 125 | } 126 | 127 | NTSTATUS NTAPI Undocumented::ZwQueryInformationThread( 128 | IN HANDLE ThreadHandle, 129 | IN THREADINFOCLASS ThreadInformationClass, 130 | IN OUT PVOID ThreadInformation, 131 | IN ULONG ThreadInformationLength, 132 | OUT PULONG ReturnLength OPTIONAL) 133 | { 134 | return ZwQIT(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength, ReturnLength); 135 | } 136 | 137 | NTSTATUS NTAPI Undocumented::NtQueryObject( 138 | IN HANDLE Handle OPTIONAL, 139 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 140 | OUT PVOID ObjectInformation OPTIONAL, 141 | IN ULONG ObjectInformationLength, 142 | OUT PULONG ReturnLength OPTIONAL) 143 | { 144 | return NtQO(Handle, ObjectInformationClass, ObjectInformation, ObjectInformationLength, ReturnLength); 145 | } 146 | 147 | NTSTATUS NTAPI Undocumented::ZwQuerySystemInformation( 148 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 149 | OUT PVOID SystemInformation, 150 | IN ULONG SystemInformationLength, 151 | OUT PULONG ReturnLength OPTIONAL) 152 | { 153 | return ZwQSI(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength); 154 | } 155 | 156 | NTSTATUS NTAPI Undocumented::NtQuerySystemInformation( 157 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 158 | OUT PVOID SystemInformation, 159 | IN ULONG SystemInformationLength, 160 | OUT PULONG ReturnLength OPTIONAL) 161 | { 162 | return NtQSI(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength); 163 | } 164 | 165 | NTSTATUS NTAPI Undocumented::NtClose( 166 | IN HANDLE Handle) 167 | { 168 | return NtClo(Handle); 169 | } 170 | 171 | NTSTATUS NTAPI Undocumented::NtSetContextThread( 172 | IN HANDLE ThreadHandle, 173 | IN PCONTEXT Context) 174 | { 175 | return NtSCT(ThreadHandle, Context); 176 | } 177 | 178 | NTSTATUS NTAPI Undocumented::NtContinue( 179 | IN PCONTEXT Context, 180 | BOOLEAN RaiseAlert) 181 | { 182 | return NtCon(Context, RaiseAlert); 183 | } 184 | 185 | NTSTATUS NTAPI Undocumented::NtDuplicateObject( 186 | IN HANDLE SourceProcessHandle, 187 | IN HANDLE SourceHandle, 188 | IN HANDLE TargetProcessHandle, 189 | OUT PHANDLE TargetHandle, 190 | IN ACCESS_MASK DesiredAccess OPTIONAL, 191 | IN ULONG HandleAttributes, 192 | IN ULONG Options) 193 | { 194 | return NtDO(SourceProcessHandle, SourceHandle, TargetProcessHandle, TargetHandle, DesiredAccess, HandleAttributes, Options); 195 | } 196 | 197 | NTSTATUS NTAPI Undocumented::KeRaiseUserException( 198 | IN NTSTATUS ExceptionCode) 199 | { 200 | return KeRUE(ExceptionCode); 201 | } 202 | 203 | NTSTATUS NTAPI Undocumented::NtSetInformationThread( 204 | IN HANDLE ThreadHandle, 205 | IN THREADINFOCLASS ThreadInformationClass, 206 | IN PVOID ThreadInformation, 207 | IN ULONG ThreadInformationLength) 208 | { 209 | return NtSIT(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength); 210 | } 211 | 212 | NTSTATUS NTAPI Undocumented::NtSetInformationProcess( 213 | IN HANDLE ProcessHandle, 214 | IN PROCESSINFOCLASS ProcessInformationClass, 215 | IN PVOID ProcessInformation, 216 | IN ULONG ProcessInformationLength) 217 | { 218 | return NtSIP(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength); 219 | } 220 | 221 | NTSTATUS NTAPI Undocumented::NtQueryInformationProcess( 222 | IN HANDLE ProcessHandle, 223 | IN PROCESSINFOCLASS ProcessInformationClass, 224 | OUT PVOID ProcessInformation, 225 | IN ULONG ProcessInformationLength, 226 | OUT PULONG ReturnLength OPTIONAL) 227 | { 228 | return NtQIP(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength); 229 | } 230 | 231 | NTSTATUS NTAPI Undocumented::NtSystemDebugControl( 232 | IN SYSDBG_COMMAND Command, 233 | IN PVOID InputBuffer, 234 | IN ULONG InputBufferLength, 235 | OUT PVOID OutputBuffer, 236 | IN ULONG OutputBufferLength, 237 | OUT PULONG ReturnLength) 238 | { 239 | return NtSDBC(Command, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, ReturnLength); 240 | } 241 | 242 | bool Undocumented::UndocumentedInit() 243 | { 244 | //Exported kernel functions after this 245 | if(!ZwQIP) 246 | { 247 | UNICODE_STRING routineName; 248 | RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess"); 249 | ZwQIP = (ZWQUERYINFORMATIONPROCESS)MmGetSystemRoutineAddress(&routineName); 250 | if(!ZwQIP) 251 | return false; 252 | } 253 | if(!ZwQIT) 254 | { 255 | UNICODE_STRING routineName; 256 | RtlInitUnicodeString(&routineName, L"ZwQueryInformationThread"); 257 | ZwQIT = (ZWQUERYINFORMATIONTHREAD)MmGetSystemRoutineAddress(&routineName); 258 | if(!ZwQIT) 259 | return false; 260 | } 261 | if(!ZwQSI) 262 | { 263 | UNICODE_STRING routineName; 264 | RtlInitUnicodeString(&routineName, L"ZwQuerySystemInformation"); 265 | ZwQSI = (ZWQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&routineName); 266 | if(!ZwQSI) 267 | return false; 268 | } 269 | if(!NtQSI) 270 | { 271 | UNICODE_STRING routineName; 272 | RtlInitUnicodeString(&routineName, L"NtQuerySystemInformation"); 273 | NtQSI = (NTQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&routineName); 274 | if(!NtQSI) 275 | return false; 276 | } 277 | if(!NtClo) 278 | { 279 | UNICODE_STRING routineName; 280 | RtlInitUnicodeString(&routineName, L"NtClose"); 281 | NtClo = (NTCLOSE)MmGetSystemRoutineAddress(&routineName); 282 | if(!NtClo) 283 | return false; 284 | } 285 | if(!NtDO) 286 | { 287 | UNICODE_STRING routineName; 288 | RtlInitUnicodeString(&routineName, L"NtDuplicateObject"); 289 | NtDO = (NTDUPLICATEOBJECT)MmGetSystemRoutineAddress(&routineName); 290 | if(!NtDO) 291 | return false; 292 | } 293 | if(!KeRUE) 294 | { 295 | UNICODE_STRING routineName; 296 | RtlInitUnicodeString(&routineName, L"KeRaiseUserException"); 297 | KeRUE = (KERAISEUSEREXCEPTION)MmGetSystemRoutineAddress(&routineName); 298 | if(!KeRUE) 299 | return false; 300 | } 301 | if(!NtSIT) 302 | { 303 | UNICODE_STRING routineName; 304 | RtlInitUnicodeString(&routineName, L"NtSetInformationThread"); 305 | NtSIT = (NTSETINFORMATIONTHREAD)MmGetSystemRoutineAddress(&routineName); 306 | if(!NtSIT) 307 | return false; 308 | } 309 | if(!NtSIP) 310 | { 311 | UNICODE_STRING routineName; 312 | RtlInitUnicodeString(&routineName, L"NtSetInformationProcess"); 313 | NtSIP = (NTSETINFORMATIONPROCESS)MmGetSystemRoutineAddress(&routineName); 314 | if(!NtSIP) 315 | return false; 316 | } 317 | if(!NtQIP) 318 | { 319 | UNICODE_STRING routineName; 320 | RtlInitUnicodeString(&routineName, L"NtQueryInformationProcess"); 321 | NtQIP = (NTQUERYINFORMATIONPROCESS)MmGetSystemRoutineAddress(&routineName); 322 | if(!NtQIP) 323 | return false; 324 | } 325 | //SSDT-only functions after this 326 | if(!NtQO) 327 | { 328 | NtQO = (NTQUERYOBJECT)SSDT::GetFunctionAddress("NtQueryObject"); 329 | if(!NtQO) 330 | return false; 331 | } 332 | if(!NtSCT) 333 | { 334 | NtSCT = (NTSETCONTEXTTHREAD)SSDT::GetFunctionAddress("NtSetContextThread"); 335 | if(!NtSCT) 336 | return false; 337 | } 338 | if(!NtCon) 339 | { 340 | NtCon = (NTCONTINUE)SSDT::GetFunctionAddress("NtContinue"); 341 | if(!NtCon) 342 | return false; 343 | } 344 | if(!NtSDBC) 345 | { 346 | NtSDBC = (NTSYSTEMDEBUGCONTROL)SSDT::GetFunctionAddress("NtSystemDebugControl"); 347 | if(!NtSDBC) 348 | return false; 349 | } 350 | return true; 351 | } 352 | 353 | //Based on: http://alter.org.ua/docs/nt_kernel/procaddr 354 | PVOID Undocumented::GetKernelBase(PULONG pImageSize) 355 | { 356 | typedef struct _SYSTEM_MODULE_ENTRY 357 | { 358 | HANDLE Section; 359 | PVOID MappedBase; 360 | PVOID ImageBase; 361 | ULONG ImageSize; 362 | ULONG Flags; 363 | USHORT LoadOrderIndex; 364 | USHORT InitOrderIndex; 365 | USHORT LoadCount; 366 | USHORT OffsetToFileName; 367 | UCHAR FullPathName[256]; 368 | } SYSTEM_MODULE_ENTRY, *PSYSTEM_MODULE_ENTRY; 369 | 370 | #pragma warning(disable:4200) 371 | typedef struct _SYSTEM_MODULE_INFORMATION 372 | { 373 | ULONG Count; 374 | SYSTEM_MODULE_ENTRY Module[0]; 375 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 376 | 377 | PVOID pModuleBase = NULL; 378 | PSYSTEM_MODULE_INFORMATION pSystemInfoBuffer = NULL; 379 | 380 | ULONG SystemInfoBufferSize = 0; 381 | 382 | NTSTATUS status = Undocumented::ZwQuerySystemInformation(SystemModuleInformation, 383 | &SystemInfoBufferSize, 384 | 0, 385 | &SystemInfoBufferSize); 386 | 387 | if(!SystemInfoBufferSize) 388 | { 389 | DbgPrint("[DeugMessage] ZwQuerySystemInformation (1) failed...\r\n"); 390 | return NULL; 391 | } 392 | 393 | pSystemInfoBuffer = (PSYSTEM_MODULE_INFORMATION)ExAllocatePool(NonPagedPool, SystemInfoBufferSize * 2); 394 | 395 | if(!pSystemInfoBuffer) 396 | { 397 | DbgPrint("[DeugMessage] ExAllocatePool failed...\r\n"); 398 | return NULL; 399 | } 400 | 401 | memset(pSystemInfoBuffer, 0, SystemInfoBufferSize * 2); 402 | 403 | status = Undocumented::ZwQuerySystemInformation(SystemModuleInformation, 404 | pSystemInfoBuffer, 405 | SystemInfoBufferSize * 2, 406 | &SystemInfoBufferSize); 407 | 408 | if(NT_SUCCESS(status)) 409 | { 410 | pModuleBase = pSystemInfoBuffer->Module[0].ImageBase; 411 | if(pImageSize) 412 | *pImageSize = pSystemInfoBuffer->Module[0].ImageSize; 413 | } 414 | else 415 | DbgPrint("[DeugMessage] ZwQuerySystemInformation (2) failed...\r\n"); 416 | 417 | ExFreePool(pSystemInfoBuffer); 418 | 419 | return pModuleBase; 420 | } 421 | -------------------------------------------------------------------------------- /undocumented.h: -------------------------------------------------------------------------------- 1 | #ifndef _UNDOCUMENTED_H 2 | #define _UNDOCUMENTED_H 3 | 4 | #include "_global.h" 5 | 6 | //structures 7 | typedef struct _OBJECT_TYPE_INFORMATION 8 | { 9 | UNICODE_STRING TypeName; 10 | ULONG TotalNumberOfHandles; 11 | ULONG TotalNumberOfObjects; 12 | } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; 13 | 14 | typedef struct _OBJECT_ALL_INFORMATION 15 | { 16 | ULONG NumberOfObjects; 17 | OBJECT_TYPE_INFORMATION ObjectTypeInformation[1]; 18 | } OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION; 19 | 20 | /* 21 | //enums 22 | typedef enum _OBJECT_INFORMATION_CLASS 23 | { 24 | ObjectTypeInformation = 2, 25 | ObjectTypesInformation = 3 26 | } OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; 27 | */ 28 | 29 | typedef enum _SYSTEM_INFORMATION_CLASS 30 | { 31 | SystemModuleInformation = 11, 32 | SystemKernelDebuggerInformation = 35 33 | } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; 34 | 35 | typedef enum _SYSDBG_COMMAND 36 | { 37 | SysDbgGetTriageDump = 29, 38 | } SYSDBG_COMMAND, *PSYSDBG_COMMAND; 39 | 40 | class Undocumented 41 | { 42 | public: 43 | static NTSTATUS NTAPI ZwQueryInformationProcess( 44 | IN HANDLE ProcessHandle, 45 | IN PROCESSINFOCLASS ProcessInformationClass, 46 | OUT PVOID ProcessInformation, 47 | IN ULONG ProcessInformationLength, 48 | OUT PULONG ReturnLength OPTIONAL); 49 | 50 | static NTSTATUS NTAPI ZwQueryInformationThread( 51 | IN HANDLE ThreadHandle, 52 | IN THREADINFOCLASS ThreadInformationClass, 53 | IN OUT PVOID ThreadInformation, 54 | IN ULONG ThreadInformationLength, 55 | OUT PULONG ReturnLength OPTIONAL); 56 | 57 | static NTSTATUS NTAPI NtQueryObject( 58 | IN HANDLE Handle OPTIONAL, 59 | IN OBJECT_INFORMATION_CLASS ObjectInformationClass, 60 | OUT PVOID ObjectInformation OPTIONAL, 61 | IN ULONG ObjectInformationLength, 62 | OUT PULONG ReturnLength OPTIONAL); 63 | 64 | static NTSTATUS NTAPI ZwQuerySystemInformation( 65 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 66 | OUT PVOID SystemInformation, 67 | IN ULONG SystemInformationLength, 68 | OUT PULONG ReturnLength OPTIONAL); 69 | 70 | static NTSTATUS NTAPI NtQuerySystemInformation( 71 | IN SYSTEM_INFORMATION_CLASS SystemInformationClass, 72 | OUT PVOID SystemInformation, 73 | IN ULONG SystemInformationLength, 74 | OUT PULONG ReturnLength OPTIONAL); 75 | 76 | static NTSTATUS NTAPI NtClose( 77 | IN HANDLE Handle); 78 | 79 | static NTSTATUS NTAPI NtSetContextThread( 80 | IN HANDLE ThreadHandle, 81 | IN PCONTEXT Context); 82 | 83 | static NTSTATUS NTAPI NtContinue( 84 | IN PCONTEXT Context, 85 | BOOLEAN RaiseAlert); 86 | 87 | static NTSTATUS NTAPI NtDuplicateObject( 88 | IN HANDLE SourceProcessHandle, 89 | IN HANDLE SourceHandle, 90 | IN HANDLE TargetProcessHandle, 91 | OUT PHANDLE TargetHandle, 92 | IN ACCESS_MASK DesiredAccess OPTIONAL, 93 | IN ULONG HandleAttributes, 94 | IN ULONG Options); 95 | 96 | static NTSTATUS NTAPI KeRaiseUserException( 97 | IN NTSTATUS ExceptionCode); 98 | 99 | static NTSTATUS NTAPI NtSetInformationThread( 100 | IN HANDLE ThreadHandle, 101 | IN THREADINFOCLASS ThreadInformationClass, 102 | IN PVOID ThreadInformation, 103 | IN ULONG ThreadInformationLength); 104 | 105 | static NTSTATUS NTAPI NtSetInformationProcess( 106 | IN HANDLE ProcessHandle, 107 | IN PROCESSINFOCLASS ProcessInformationClass, 108 | IN PVOID ProcessInformation, 109 | IN ULONG ProcessInformationLength); 110 | 111 | static NTSTATUS NTAPI NtQueryInformationProcess( 112 | IN HANDLE ProcessHandle, 113 | IN PROCESSINFOCLASS ProcessInformationClass, 114 | OUT PVOID ProcessInformation, 115 | IN ULONG ProcessInformationLength, 116 | OUT PULONG ReturnLength OPTIONAL); 117 | 118 | static NTSTATUS NTAPI NtSystemDebugControl( 119 | IN SYSDBG_COMMAND Command, 120 | IN PVOID InputBuffer OPTIONAL, 121 | IN ULONG InputBufferLength OPTIONAL, 122 | OUT PVOID OutputBuffer, 123 | IN ULONG OutputBufferLength, 124 | OUT PULONG ReturnLength OPTIONAL); 125 | 126 | static bool UndocumentedInit(); 127 | static PVOID GetKernelBase(PULONG pImageSize = NULL); 128 | }; 129 | 130 | #endif 131 | --------------------------------------------------------------------------------