├── Common ├── DataStruct.h ├── IoControlCmd.h ├── MajorFunctionName.h ├── VistaShadowSSDT.h ├── W2K3ShadowSSDT.h ├── W2KShadowSSDT.h ├── Win7ShadowSSDT.h ├── XPShadowSSDT.h └── ring3common.h ├── README.md ├── ScDetective ├── ScDetective.sln └── ScDetective │ ├── Function │ ├── Driver │ │ ├── Driver.cpp │ │ └── Driver.h │ ├── File │ │ ├── File.cpp │ │ └── File.h │ ├── OS │ │ ├── OS.cpp │ │ └── OS.h │ ├── PE │ │ ├── PE.cpp │ │ └── PE.h │ ├── module │ │ ├── Module.cpp │ │ ├── Module.h │ │ ├── Process.cpp │ │ └── Process.h │ └── ssdt │ │ ├── ssdt.cpp │ │ └── ssdt.h │ ├── Page1.cpp │ ├── Page1.h │ ├── Page2.cpp │ ├── Page2.h │ ├── Page3.cpp │ ├── Page3.h │ ├── Page4.cpp │ ├── Page4.h │ ├── Page5.cpp │ ├── Page5.h │ ├── PageFile.cpp │ ├── PageFile.h │ ├── ReadMe.txt │ ├── ScDetective.aps │ ├── ScDetective.cpp │ ├── ScDetective.h │ ├── ScDetective.rc │ ├── ScDetective.vcproj │ ├── ScDetectiveDlg.cpp │ ├── ScDetectiveDlg.h │ ├── res │ ├── 1442.ico │ ├── 870.ico │ ├── ScDetective.ico │ ├── ScDetective.rc2 │ ├── disk.ico │ ├── dvd.ico │ ├── floder.ico │ ├── floppy.ico │ ├── pc.ico │ ├── remote.ico │ └── remove.ico │ ├── resource.h │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h ├── ScDetective_Driver ├── ScDetective.sln ├── ScDetective.suo └── ScDetective │ ├── File │ ├── File.c │ └── File.h │ ├── HookEngine │ ├── HookEngine.c │ └── HookEngine.h │ ├── LDasm │ ├── LDasm.c │ └── LDasm.h │ ├── Memory │ ├── memory.c │ └── memory.h │ ├── Process │ ├── Module.c │ ├── Process.c │ ├── Process.h │ └── module.h │ ├── Protect │ ├── ScProtect.c │ └── ScProtect.h │ ├── ScDetective.W7.vcproj │ ├── ScDetective.c │ ├── ScDetective.h │ ├── ScDetective.vsprops │ ├── System │ ├── Initialize.c │ └── Initialize.h │ ├── buildnumber.h │ ├── ddkbldenv.cmd │ ├── ddkpostbld.cmd │ ├── ddkprebld.cmd │ ├── drvcommon.h │ ├── drvversion.h │ ├── drvversion.rc │ ├── makefile │ ├── resource.h │ ├── sources │ └── ssdt │ ├── ssdt.c │ ├── ssdt.h │ ├── ssdt_shadow.c │ └── ssdt_shadow.h └── ScDetective_Filter 
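├── ScDetectiveFilter.sln └── ScDetectiveFilter ├── ScDetectiveFilter.W7.vcproj ├── ScDetectiveFilter.c ├── ScDetectiveFilter.h ├── ScDetectiveFilter.vsprops ├── buildnumber.h ├── ddkbldenv.cmd ├── ddkpostbld.cmd ├── ddkprebld.cmd ├── drvcommon.h ├── drvversion.h ├── drvversion.rc ├── fastIO.h ├── makefile ├── myfs.h └── sources
/Common/DataStruct.h:
--------------------------------------------------------------------------------
/*
 * DataStruct.h -- record layouts shared by the ring-3 front end and the
 * kernel driver (the repository keeps it under Common/ next to
 * ring3common.h, so both projects are presumably expected to include it).
 *
 * Every record is byte-packed so both sides compute identical field
 * offsets.  Kernel addresses (EProcess, EThread, Teb, DriverObject,
 * BaseAddress, ...) are carried in 32-bit ULONG/DWORD fields, so these
 * layouts can only describe a 32-bit kernel.
 *
 * NOTE(review): whichever side receives one of these records across the
 * IOCTL boundary should treat it as untrusted input -- check the buffer
 * length against sizeof(<record>) before reading it, and never assume the
 * char/WCHAR arrays are NUL-terminated.
 */
#ifndef _DATASTRUCT_H_
#define _DATASTRUCT_H_

/* pack(push, 1) / pack(pop) restores whatever packing the including file
 * had in effect; the original `#pragma pack()` reset it to the compiler
 * default instead, silently changing the layout of anything declared
 * after this header. */
#pragma pack(push, 1)

/* SSDT entry identified by name: service index plus the function's name. */
typedef struct _SSDT_NAME {
    ULONG nIndex;
    char  FunName[64];
} SSDT_NAME, *PSSDT_NAME;

/* SSDT entry identified by address: service index plus the 32-bit address
 * held in the service table. */
typedef struct _SSDT_ADDRESS {
    ULONG nIndex;
    DWORD FunAddress;
} SSDT_ADDRESS, *PSSDT_ADDRESS;

/* One complete SSDT row as shown by the front end: the address currently
 * in the table and the one the kernel image natively holds (presumably a
 * mismatch is what the tool reports as a hook -- the comparison is not
 * made here), the image the current address resolves to, and a flag whose
 * meaning is not defined in this header. */
typedef struct _SSDT_INFO {
    ULONG Index;
    char  FunName[64];
    DWORD CurrentAddress;
    DWORD NativeAddress;
    char  ImagePath[MAX_PATH];
    BOOL  Hideflag;
} SSDT_INFO, *PSSDT_INFO;

/* Process record.  ProcessLink is kernel list linkage and only meaningful
 * on the producing side; bHidden presumably marks a process that the
 * cross-view check did not find in the normal enumeration -- confirm with
 * the producer. */
typedef struct _PROCESS_INFO {
    LIST_ENTRY ProcessLink;
    ULONG      UniqueProcessId;
    ULONG      InheritedProcessId;
    WCHAR      ImagePath[260];
    ULONG      EProcess;
    BOOL       bHidden;
} PROCESS_INFO, *PPROCESS_INFO;

/* Thread record.  State has room for three WCHARs plus a terminator;
 * assumes the producer writes a short state label -- TODO confirm. */
typedef struct _THREAD_INFO {
    LIST_ENTRY  ThreadLink;
    ULONG       ThreadId;
    ULONG       EThread;
    ULONG       Teb;
    signed char Priority;
    ULONG       Win32StartAddress;
    ULONG       ContextSwitches;
    WCHAR       State[4];
} THREAD_INFO, *PTHREAD_INFO;

/* Loaded-module record: image path, load base and size. */
typedef struct _MODULE_INFO {
    LIST_ENTRY ModuleLink;
    WCHAR      ImagePath[260];
    ULONG      BaseAddress;
    ULONG      ImageSize;
} MODULE_INFO, *PMODULE_INFO;

/* Driver record.  ServiceName is limited to 64 WCHARs, ImagePath to 260;
 * the producer is responsible for truncating longer names. */
typedef struct _DRIVER_INFO {
    LIST_ENTRY DriverLink;
    ULONG      DriverObject;
    WCHAR      ImagePath[260];
    WCHAR      ServiceName[64];
    ULONG      ImageBase;
    ULONG      DriverSize;
    BOOL       bHidden;
} DRIVER_INFO, *PDRIVER_INFO;

/* File record.  Note FileName holds only 128 WCHARs, less than the 260 the
 * other path fields use; longer names must be truncated by the producer. */
typedef struct _FILE_INFO {
    LIST_ENTRY    FileLink;
    WCHAR         FileName[128];
    ULONG         FileAttributes;
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER EndOfFile;
    TIME_FIELDS   CreationTime;
    TIME_FIELDS   LastWriteTime;
} FILE_INFO, *PFILE_INFO;

#pragma pack(pop)

#endif
--------------------------------------------------------------------------------
/Common/IoControlCmd.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/Common/IoControlCmd.h
--------------------------------------------------------------------------------
/Common/MajorFunctionName.h:
--------------------------------------------------------------------------------
#ifndef MAJOR_FUNNAME_H
#define MAJOR_FUNNAME_H

/* Entry count of MajorName (codes 0x00..0x1b), NOT the largest IRP_MJ_*
 * code.  The WDK's ntddk.h defines IRP_MJ_MAXIMUM_FUNCTION as 0x1b (the
 * last code, IRP_MJ_PNP), so a translation unit that includes both headers
 * gets a macro redefinition; keep this header on the ring-3 side or rename
 * the constant before mixing them.  Anything that indexes MajorName with a
 * major-function code read from a driver object must check
 * `code < IRP_MJ_MAXIMUM_FUNCTION` first. */
#define IRP_MJ_MAXIMUM_FUNCTION 0x1c

/* Display names for the IRP major-function codes, indexed by code.
 *
 * `static` added: a non-static definition in a header is emitted by every
 * translation unit that includes it and fails at link time; the sibling
 * *ShadowSSDT.h tables already use `static PCHAR`.
 *
 * Entries 0x16 and 0x17 were labelled "IRP_MJ_QUERY_POWER" / "IRP_MJ_POWER".
 * ntddk.h assigns 0x16 = IRP_MJ_POWER and 0x17 = IRP_MJ_SYSTEM_CONTROL (the
 * WMI dispatch entry); there is no IRP_MJ_QUERY_POWER.  With the old labels
 * a hooked power handler was reported as "QUERY_POWER" and a hooked WMI
 * handler as "POWER". */
static PCHAR MajorName[IRP_MJ_MAXIMUM_FUNCTION] =
{
    "IRP_MJ_CREATE",                    /* 0x00 */
    "IRP_MJ_CREATE_NAMED_PIPE",         /* 0x01 */
    "IRP_MJ_CLOSE",                     /* 0x02 */
    "IRP_MJ_READ",                      /* 0x03 */
    "IRP_MJ_WRITE",                     /* 0x04 */
    "IRP_MJ_QUERY_INFORMATION",         /* 0x05 */
    "IRP_MJ_SET_INFORMATION",           /* 0x06 */
    "IRP_MJ_QUERY_EA",                  /* 0x07 */
    "IRP_MJ_SET_EA",                    /* 0x08 */
    "IRP_MJ_FLUSH_BUFFERS",             /* 0x09 */
    "IRP_MJ_QUERY_VOLUME_INFORMATION",  /* 0x0a */
    "IRP_MJ_SET_VOLUME_INFORMATION",    /* 0x0b */
    "IRP_MJ_DIRECTORY_CONTROL",         /* 0x0c */
    "IRP_MJ_FILE_SYSTEM_CONTROL",       /* 0x0d */
    "IRP_MJ_DEVICE_CONTROL",            /* 0x0e */
    "IRP_MJ_INTERNAL_DEVICE_CONTROL",   /* 0x0f */
    "IRP_MJ_SHUTDOWN",                  /* 0x10 */
    "IRP_MJ_LOCK_CONTROL",              /* 0x11 */
    "IRP_MJ_CLEANUP",                   /* 0x12 */
    "IRP_MJ_CREATE_MAILSLOT",           /* 0x13 */
    "IRP_MJ_QUERY_SECURITY",            /* 0x14 */
    "IRP_MJ_SET_SECURITY",              /* 0x15 */
    "IRP_MJ_POWER",                     /* 0x16 */
    "IRP_MJ_SYSTEM_CONTROL",            /* 0x17 */
    "IRP_MJ_DEVICE_CHANGE",             /* 0x18 */
    "IRP_MJ_QUERY_QUOTA",               /* 0x19 */
    "IRP_MJ_SET_QUOTA",                 /* 0x1a */
    "IRP_MJ_PNP_POWER"                  /* 0x1b: obsolete alias of IRP_MJ_PNP */
};


#endif
--------------------------------------------------------------------------------
/Common/VistaShadowSSDT.h:
--------------------------------------------------------------------------------
#ifndef _VISTA_SHADOWSSDT_H
#define _VISTA_SHADOWSSDT_H

/* Number of named entries in VistaFunName; the array has one extra slot
 * for the NULL terminator. */
#define VISTA_FUNCTION_NUMBER 772

/* Shadow SSDT (win32k) service names for Windows Vista, indexed by service
 * number: entry 0 is NtGdiAbortDoc.  772 names followed by a NULL sentinel.
 *
 * NOTE(review): win32k service numbers can differ between builds and
 * service packs; a name looked up here should be confirmed against the
 * target build before it is trusted.  Several entries below carry a
 * review comment where the string looks like a transcription error; the
 * strings are display labels only and are left as found. */
static PCHAR VistaFunName[773]=
{
    "NtGdiAbortDoc",
    "NtGdiAbortPath",
    "NtGdiAddFontResourceW",
    "NtGdiAddRemoteFontToDC",
    "NtGdiAddFontMemResourceEx",
    "NtGdiRemoveMergeFont",
    "NtGdiAddRemoteMMInstanceToDC",
    "NtGdiAlphaBlend",
    "NtGdiAngleArc",
    "NtGdiAnyLinkedFonts",
    "NtGdiFontIsLinked",
    "NtGdiArcInternal",
    "NtGdiBeginPath",
    "NtGdiBitBlt",
    "NtGdiCancelDC",
    "NtGdiCheckBitmapBits",
    "NtGdiCloseFigure",
    "NtGdiClearBitmapAttributes",
    "NtGdiClearBrushAttributes",
    "NtGdiColorCorrectPalette",
    "NtGdiCombineRgn",
    "NtGdiCombineTransform",
    "NtGdiComputeXformCoefficients",
    "NtGdiConfigureOPMProtectedOutput",
    "NtGdiConsoleTextOut",
    "NtGdiConvertMetafileRect",
    "NtGdiCreateBitmap",
    "NtGdiCreateClientObj",
    "NtGdiCreateColorSpace",
    "NtGdiCreateColorTransform",
    "NtGdiCreateCompatibleBitmap",
    "NtGdiCreateCompatibleDC",
    "NtGdiCreateDIBBrush",
    "NtGdiCreateDIBitmapInternal",
    "NtGdiCreateDIBSection",
    "NtGdiCreateEllipticRgn",
    "NtGdiCreateHalftonePalette",
    "NtGdiCreateHatchBrushInternal",
    "NtGdiCreateMetafileDC",
    "NtGdiCreateOPMProtectedOutputs",
    "NtGdiCreatePaletteInternal",
    "NtGdiCreatePatternBrushInternal",
    "NtGdiCreatePen",
    "NtGdiCreateRectRgn",
    "NtGdiCreateRoundRectRgn",
    "NtGdiCreateServerMetaFile",
    "NtGdiCreateSolidBrush",
    "NtGdiD3dContextCreate",
    "NtGdiD3dContextDestroy",
    "NtGdiD3dContextDestroyAll",
    "NtGdiD3dValidateTextureStageState",
    "NtGdiD3dDrawPrimitives2",
    "NtGdiDdGetDriverState",
    "NtGdiDdAddAttachedSurface",
    "NtGdiDdAlphaBlt",
    "NtGdiDdAttachSurface",
    "NtGdiDdBeginMoCompFrame",
    "NtGdiDdBlt",
    "NtGdiDdCanCreateSurface",
    "NtGdiDdCanCreateD3DBuffer",
    "NtGdiDdColorControl",
    "NtGdiDdCreateDirectDrawObject",
    "NtGdiDdCreateSurface",
    "NtGdiDdCreateD3DBuffer",
    "NtGdiDdCreateMoComp",
    "NtGdiDdCreateSurfaceObject",
    "NtGdiDdDeleteDirectDrawObject",
    "NtGdiDdDeleteSurfaceObject",
    "NtGdiDdDestroyMoComp",
    "NtGdiDdDestroySurface",
    "NtGdiDdDestroyD3DBuffer",
    "NtGdiDdEndMoCompFrame",
    "NtGdiDdFlip",
    "NtGdiDdFlipToGDISurface",
    "NtGdiDdGetAvailDriverMemory",
    "NtGdiDdGetBltStatus",
    "NtGdiDdGetDC",
    "NtGdiDdGetDriverInfo",
    "NtGdiDdGetDxHandle",
    "NtGdiDdGetFlipStatus",
    "NtGdiDdGetInternalMoCompInfo",
    "NtGdiDdGetMoCompBuffInfo",
    "NtGdiDdGetMoCompGuids",
    "NtGdiDdGetMoCompFormats",
    "NtGdiDdGetScanLine",
    "NtGdiDdLock",
    "NtGdiDdLockD3D",
    "NtGdiDdQueryDirectDrawObject",
    "NtGdiDdQueryMoCompStatus",
    "NtGdiDdReenableDirectDrawObject",
    "NtGdiDdReleaseDC",
    "NtGdiDdRenderMoComp",
    "NtGdiDdResetVisrgn",
    "NtGdiDdSetColorKey",
    "NtGdiDdSetExclusiveMode",
    "NtGdiDdSetGammaRamp",
    "NtGdiDdCreateSurfaceEx",
    "NtGdiDdSetOverlayPosition",
    "NtGdiDdUnattachSurface",
    "NtGdiDdUnlock",
    "NtGdiDdUnlockD3D",
    "NtGdiDdUpdateOverlay",
    "NtGdiDdWaitForVerticalBlank",
    "NtGdiDvpCanCreateVideoPort",
    "NtGdiDvpColorControl",
    "NtGdiDvpCreateVideoPort",
    "NtGdiDvpDestroyVideoPort",
    "NtGdiDvpFlipVideoPort",
    "NtGdiDvpGetVideoPortBandwidth",
    "NtGdiDvpGetVideoPortField",
    "NtGdiDvpGetVideoPortFlipStatus",
    "NtGdiDvpGetVideoPortInputFormats",
    "NtGdiDvpGetVideoPortLine",
    "NtGdiDvpGetVideoPortOutputFormats",
    "NtGdiDvpGetVideoPortConnectInfo",
    "NtGdiDvpGetVideoSignalStatus",
    "NtGdiDvpUpdateVideoPort",
    "NtGdiDvpWaitForVideoPortSync",
    "NtGdiDvpAcquireNotification",
    "NtGdiDvpReleaseNotification",
    "NtGdiDxgGenericThunk",
    "NtGdiDeleteClientObj",
    "NtGdiDeleteColorSpace",
    "NtGdiDeleteColorTransform",
    "NtGdiDeleteObjectApp",
    "NtGdiDescribePixelFormat",
    "NtGdiDestroyOPMProtectedOutput",
    "NtGdiGetPerBandInfo",
    "NtGdiDoBanding",
    "NtGdiDoPalette",
    "NtGdiDrawEscape",
    "NtGdiEllipse",
    "NtGdiEnableEudc",
    "NtGdiEndDoc",
    "NtGdiEndPage",
    "NtGdiEndPath",
    "NtGdiEnumFontChunk",
    "NtGdiEnumFontClose",
    "NtGdiEnumFontOpen",
    "NtGdiEnumObjects",
    "NtGdiEqualRgn",
    "NtGdiEudcLoadUnloadLink",
    "NtGdiExcludeClipRect",
    "NtGdiExtCreatePen",
    "NtGdiExtCreateRegion",
    "NtGdiExtEscape",
    "NtGdiExtFloodFill",
    "NtGdiExtGetObjectW",
    "NtGdiExtSelectClipRgn",
    "NtGdiExtTextOutW",
    "NtGdiFillPath",
    "NtGdiFillRgn",
    "NtGdiFlattenPath",
    "NtGdiFlush",
    "NtGdiForceUFIMapping",
    "NtGdiFrameRgn",
    "NtGdiFullscreenControl",
    "NtGdiGetAndSetDCDword",
    "NtGdiGetAppClipBox",
    "NtGdiGetBitmapBits",
    "NtGdiGetBitmapDimension",
    "NtGdiGetBoundsRect",
    "NtGdiGetCertificate",
    "NtGdiGetCertificateSize",
    "NtGdiGetCharABCWidthsW",
    "NtGdiGetCharacterPlacementW",
    "NtGdiGetCharSet",
    "NtGdiGetCharWidthW",
    "NtGdiGetCharWidthInfo",
    "NtGdiGetColorAdjustment",
    "NtGdiGetColorSpaceforBitmap",
    "NtGdiGetCOPPCompatibleOPMInformation",
    "NtGdiGetDCDword",
    "NtGdiGetDCforBitmap",
    "NtGdiGetDCObject",
    "NtGdiGetDCPoint",
    "NtGdiGetDeviceCaps",
    "NtGdiGetDeviceGammaRamp",
    "NtGdiGetDeviceCapsAll",
    "NtGdiGetDIBitsInternal",
    "NtGdiGetETM",
    "NtGdiGetEudcTimeStampEx",
    "NtGdiGetFontData",
    "NtGdiGetFontResourceInfoInternalW",
    "NtGdiGetGlyphIndicesW",
    "NtGdiGetGlyphIndicesWInternal",
    "NtGdiGetGlyphOutline",
    "NtGdiGetOPMInformation",
    "NtGdiGetKerningPairs",
    "NtGdiGetLinkedUFIs",
    "NtGdiGetMiterLimit",
    "NtGdiGetMonitorID",
    "NtGdiGetNearestColor",
    "NtGdiGetNearestPaletteIndex",
    "NtGdiGetObjectBitmapHandle",
    "NtGdiGetOPMRandomNumber",
    "NtGdiGetOutlineTextMetricsInternalW",
    "NtGdiGetPath",
    "NtGdiGetPixel",
    "NtGdiGetRandomRgn",
    "NtGdiGetRasterizerCaps",
    "NtGdiGetRealizationInfo",
    "NtGdiGetRegionData",
    "NtGdiGetRgnBox",
    "NtGdiGetServerMetaFileBits",
    "NtGdiGetSpoolMessage",
    "NtGdiGetStats",
    "NtGdiGetStockObject",
    "NtGdiGetStringBitmapW",
    "NtGdiGetSuggestedOPMProtectedOutputArraySize",
    "NtGdiGetSystemPaletteUse",
    "NtGdiGetTextCharsetInfo",
    "NtGdiGetTextExtent",
    "NtGdiGetTextExtentExW",
    "NtGdiGetTextFaceW",
    "NtGdiGetTextMetricsW",
    "NtGdiGetTransform",
    "NtGdiGetUFI",
    "NtGdiGetEmbUFI",
    "NtGdiGetUFIPathname",
    "NtGdiGetEmbedFonts",
    "NtGdiChangeGhostFont",
    "NtGdiAddEmbFontToDC",
    "NtGdiGetFontUnicodeRanges",
    "NtGdiGetWidthTable",
    "NtGdiGradientFill",
    "NtGdiHfontCreate",
    "NtGdiIcmBrushInfo",
    "bInitRedirDev",
    "NtGdiInitSpool",
    "NtGdiIntersectClipRect",
    "NtGdiInvertRgn",
    "NtGdiLineTo",
    "NtGdiMakeFontDir",
    "NtGdiMakeInfoDC",
    "NtGdiMaskBlt",
    "NtGdiModifyWorldTransform",
    "NtGdiMonoBitmap",
    "NtGdiMoveTo",
    "NtGdiOffsetClipRgn",
    "NtGdiOffsetRgn",
    "NtGdiOpenDCW",
    "NtGdiPatBlt",
    "NtGdiPolyPatBlt",
    "NtGdiPathToRegion",
    "NtGdiPlgBlt",
    "NtGdiPolyDraw",
    "NtGdiPolyPolyDraw",
    "NtGdiPolyTextOutW",
    "NtGdiPtInRegion",
    "NtGdiPtVisible",
    "NtGdiQueryFonts",
    "NtGdiQueryFontAssocInfo",
    "NtGdiRectangle",
    "NtGdiRectInRegion",
    "NtGdiRectVisible",
    "NtGdiRemoveFontResourceW",
    "NtGdiRemoveFontMemResourceEx",
    "NtGdiResetDC",
    "NtGdiResizePalette",
    "NtGdiRestoreDC",
    "NtGdiRoundRect",
    "NtGdiSaveDC",
    "NtGdiScaleViewportExtEx",
    "NtGdiScaleWindowExtEx",
    "NtGdiSelectBitmap",
    "NtGdiSelectBrush",
    "NtGdiSelectClipPath",
    "NtGdiSelectFont",
    "NtGdiSelectPen",
    "NtGdiSetBitmapAttributes",
    "NtGdiSetBitmapBits",
    "NtGdiSetBitmapDimension",
    "NtGdiSetBoundsRect",
    "NtGdiSetBrushAttributes",
    "NtGdiSetBrushOrg",
    "NtGdiSetColorAdjustment",
    "NtGdiSetColorSpace",
    "NtGdiSetDeviceGammaRamp",
    "NtGdiSetDIBitsToDeviceInternal",
    "NtGdiSetFontEnumeration",
    "NtGdiSetFontXform",
    "NtGdiSetIcmMode",
    "NtGdiSetLinkedUFIs",
    "NtGdiSetMagicColors",
    "NtGdiSetMetaRgn",
    "NtGdiSetMiterLimit",
    "NtGdiGetDeviceWidth",
    "NtGdiMirrorWindowOrg",
    "NtGdiSetLayout",
    "NtGdiSetOPMSigningKeyAndSequenceNumbers",
    "NtGdiSetPixel",
    "NtGdiSetPixelFormat",
    "NtGdiSetRectRgn",
    "NtGdiSetSystemPaletteUse",
    "NtGdiSetTextJustification",
    "NtGdiSetupPublicCFONT",
    "NtGdiSetVirtualResolution",
    "NtGdiSetSizeDevice",
    "NtGdiStartDoc",
    "NtGdiStartPage",
    "NtGdiStretchBlt",
    "NtGdiStretchDIBitsInternal",
    "NtGdiStrokeAndFillPath",
    "NtGdiStrokePath",
    "NtGdiSwapBuffers",
    "NtGdiTransformPoints",
    "NtGdiTransparentBlt",
    /* NOTE(review): entries 308 and 309 reappear verbatim at entries 758 and
     * 698; one of each pair looks like a copy error -- verify against the
     * target build's table. */
    "DxgStubDvpGetVideoPortFlipStatus",
    "NtGdiUMPDEngFreeUserMem",
    "NtGdiUnrealizeObject",
    "NtGdiUpdateColors",
    "NtGdiWidenPath",
    "NtUserActivateKeyboardLayout",
    "NtUserAddClipboardFormatListener",
    "NtUserAlterWindowStyle",
    "NtUserAssociateInputContext",
    "NtUserAttachThreadInput",
    "NtUserBeginPaint",
    "NtUserBitBltSysBmp",
    "NtUserBlockInput",
    "NtUserBuildHimcList",
    "NtUserBuildHwndList",
    "NtUserBuildNameList",
    "NtUserBuildPropList",
    "NtUserCallHwnd",
    "NtUserCallHwndLock",
    "NtUserCallHwndOpt",
    "NtUserCallHwndParam",
    "NtUserCallHwndParamLock",
    "NtUserCallMsgFilter",
    "NtUserCallNextHookEx",
    "NtUserCallNoParam",
    "NtUserCallOneParam",
    "NtUserCallTwoParam",
    "NtUserChangeClipboardChain",
    "NtUserChangeDisplaySettings",
    "NtUserCheckAccessForIntegrityLevel",
    "NtUserCheckDesktopByThreadId",
    "NtUserCheckWindowThreadDesktop",
    "NtUserCheckImeHotKey",
    "NtUserCheckMenuItem",
    "NtUserChildWindowFromPointEx",
    "NtUserClipCursor",
    "NtUserCloseClipboard",
    "NtUserCloseDesktop",
    "NtUserCloseWindowStation",
    "NtUserConsoleControl",
    "NtUserConvertMemHandle",
    "NtUserCopyAcceleratorTable",
    "NtUserCountClipboardFormats",
    "NtUserCreateAcceleratorTable",
    "NtUserCreateCaret",
    "NtUserCreateDesktopEx",
    "NtUserCreateInputContext",
    "NtUserCreateLocalMemHandle",
    "NtUserCreateWindowEx",
    "NtUserCreateWindowStation",
    "NtUserDdeInitialize",
    "NtUserDeferWindowPos",
    "NtUserDefSetText",
    "NtUserDeleteMenu",
    "NtUserDestroyAcceleratorTable",
    "NtUserDestroyCursor",
    "NtUserDestroyInputContext",
    "NtUserDestroyMenu",
    "NtUserDestroyWindow",
    "NtUserDisableThreadIme",
    "NtUserDispatchMessage",
    "NtUserDoSoundConnect",
    "NtUserDoSoundDisconnect",
    "NtUserDragDetect",
    "NtUserDragObject",
    "NtUserDrawAnimatedRects",
    "NtUserDrawCaption",
    "NtUserDrawCaptionTemp",
    "NtUserDrawIconEx",
    "NtUserDrawMenuBarTemp",
    "NtUserEmptyClipboard",
    "NtUserEnableMenuItem",
    "NtUserEnableScrollBar",
    "NtUserEndDeferWindowPosEx",
    "NtUserEndMenu",
    "NtUserEndPaint",
    "NtUserEnumDisplayDevices",
    "NtUserEnumDisplayMonitors",
    "NtUserEnumDisplaySettings",
    "NtUserEvent",
    "NtUserExcludeUpdateRgn",
    "NtUserFillWindow",
    "NtUserFindExistingCursorIcon",
    "NtUserFindWindowEx",
    "NtUserFlashWindowEx",
    "NtUserFrostCrashedWindow",
    "NtUserGetAltTabInfo",
    "NtUserGetAncestor",
    "NtUserGetAppImeLevel",
    "NtUserGetAsyncKeyState",
    "NtUserGetAtomName",
    "NtUserGetCaretBlinkTime",
    "NtUserGetCaretPos",
    "NtUserGetClassInfoEx",
    "NtUserGetClassName",
    "NtUserGetClipboardData",
    "NtUserGetClipboardFormatName",
    "NtUserGetClipboardOwner",
    "NtUserGetClipboardSequenceNumber",
    "NtUserGetClipboardViewer",
    "NtUserGetClipCursor",
    "NtUserGetComboBoxInfo",
    "NtUserGetControlBrush",
    "NtUserGetControlColor",
    "NtUserGetCPD",
    "NtUserGetCursorFrameInfo",
    "NtUserGetCursorInfo",
    "NtUserGetDC",
    "NtUserGetDCEx",
    "NtUserGetDoubleClickTime",
    "NtUserGetForegroundWindow",
    "NtUserGetGuiResources",
    "NtUserGetGUIThreadInfo",
    "NtUserGetIconInfo",
    "NtUserGetIconSize",
    "NtUserGetImeHotKey",
    "NtUserGetImeInfoEx",
    "NtUserGetInternalWindowPos",
    "NtUserGetKeyboardLayoutList",
    "NtUserGetKeyboardLayoutName",
    "NtUserGetKeyboardState",
    "NtUserGetKeyNameText",
    "NtUserGetKeyState",
    "NtUserGetListBoxInfo",
    "NtUserGetMenuBarInfo",
    "NtUserGetMenuIndex",
    "NtUserGetMenuItemRect",
    "NtUserGetMessage",
    "NtUserGetMouseMovePointsEx",
    "NtUserGetObjectInformation",
    "NtUserGetOpenClipboardWindow",
    "NtUserGetPriorityClipboardFormat",
    "NtUserGetProcessWindowStation",
    "NtUserGetRawInputBuffer",
    "NtUserGetRawInputData",
    "NtUserGetRawInputDeviceInfo",
    "NtUserGetRawInputDeviceList",
    "NtUserGetRegisteredRawInputDevices",
    "NtUserGetScrollBarInfo",
    "NtUserGetSystemMenu",
    "NtUserGetThreadDesktop",
    "NtUserGetThreadState",
    "NtUserGetTitleBarInfo",
    "NtUserGetUpdatedClipboardFormats",
    "NtUserGetUpdateRect",
    "NtUserGetUpdateRgn",
    "NtUserGetWindowDC",
    "NtUserGetWindowPlacement",
    "NtUserGetWOWClass",
    "NtUserGhostWindowFromHungWindow",
    "NtUserHardErrorControl",
    "NtUserHideCaret",
    "NtUserHiliteMenuItem",
    "NtUserHungWindowFromGhostWindow",
    "NtUserImpersonateDdeClientWindow",
    "NtUserInitialize",
    "NtUserInitializeClientPfnArrays",
    "NtUserInitTask",
    "NtUserInternalGetWindowText",
    "NtUserInternalGetWindowIcon",
    "NtUserInvalidateRect",
    "NtUserInvalidateRgn",
    "NtUserIsClipboardFormatAvailable",
    "NtUserKillTimer",
    "NtUserLoadKeyboardLayoutEx",
    "NtUserLockWindowStation",
    "NtUserLockWindowUpdate",
    "NtUserLockWorkStation",
    "NtUserLogicalToPhysicalPoint",
    "NtUserMapVirtualKeyEx",
    "NtUserMenuItemFromPoint",
    "NtUserMessageCall",
    "NtUserMinMaximize",
    "NtUserMNDragLeave",
    "NtUserMNDragOver",
    "NtUserModifyUserStartupInfoFlags",
    "NtUserMoveWindow",
    "NtUserNotifyIMEStatus",
    "NtUserNotifyProcessCreate",
    "NtUserNotifyWinEvent",
    "NtUserOpenClipboard",
    "NtUserOpenDesktop",
    "NtUserOpenInputDesktop",
    "NtUserOpenThreadDesktop",
    "NtUserOpenWindowStation",
    "NtUserPaintDesktop",
    "NtUserPaintMonitor",
    "NtUserPhysicalToLogicalPoint",
    "NtUserPostMessage",
    "NtUserPostThreadMessage",
    "NtUserPrintWindow",
    "NtUserProcessConnect",
    "NtUserQueryInformationThread",
    "NtUserQueryInputContext",
    "NtUserQuerySendMessage",
    "NtUserQueryWindow",
    "NtUserRealChildWindowFromPoint",
    "NtUserRealInternalGetMessage",
    "NtUserRealWaitMessageEx",
    "NtUserRedrawWindow",
    "NtUserRegisterClassExWOW",
    "NtUserRegisterErrorReportingDialog",
    "NtUserRegisterUserApiHook",
    "NtUserRegisterHotKey",
    "NtUserRegisterRawInputDevices",
    "NtUserRegisterTasklist",
    "NtUserRegisterWindowMessage",
    /* NOTE(review): entry 515 looks like a misspelling of
     * NtUserRemoveClipboardFormatListener; display label only. */
    "NuUserRemoveClipborardFormatListener",
    "NtUserRemoveMenu",
    "NtUserRemoveProp",
    "NtUserResolveDesktop",
    "NtUserResolveDesktopForWOW",
    "NtUserSBGetParms",
    "NtUserScrollDC",
    "NtUserScrollWindowEx",
    "NtUserSelectPalette",
    "NtUserSendInput",
    "NtUserSetActiveWindow",
    "NtUserSetAppImeLevel",
    "NtUserSetCapture",
    "NtUserSetClassLong",
    "NtUserSetClassWord",
    "NtUserSetClipboardData",
    "NtUserSetClipboardViewer",
    "NtUserSetConsoleReserveKeys",
    "NtUserSetCursor",
    "NtUserSetCursorContents",
    "NtUserSetCursorIconData",
    "NtUserSetFocus",
    "NtUserSetImeHotKey",
    "NtUserSetImeInfoEx",
    "NtUserSetImeOwnerWindow",
    "NtUserSetInformationProcess",
    "NtUserSetInformationThread",
    "NtUserSetInternalWindowPos",
    "NtUserSetKeyboardState",
    "NtUserSetLogonNotifyWindow",
    "NtUserSetMenu",
    "NtUserSetMenuContextHelpId",
    "NtUserSetMenuDefaultItem",
    "NtUserSetMenuFlagRtoL",
    "NtUserSetObjectInformation",
    "NtUserSetParent",
    "NtUserSetProcessWindowStation",
    "NtUserGetProp",
    "NtUserSetProp",
    "NtUserSetScrollInfo",
    "NtUserSetShellWindowEx",
    "NtUserSetSysColors",
    "NtUserSetSystemCursor",
    "NtUserSetSystemMenu",
    "NtUserSetSystemTimer",
    "NtUserSetThreadDesktop",
    "NtUserSetThreadLayoutHandles",
    "NtUserSetThreadState",
    "NtUserSetTimer",
    "NtUserSetProcessDPIAware",
    "NtUserSetWindowFNID",
    "NtUserSetWindowLong",
    "NtUserSetWindowPlacement",
    "NtUserSetWindowPos",
    "NtUserSetWindowRgn",
    "NtUserGetWindowRgnEx",
    "NtUserSetWindowRgnEx",
    "NtUserSetWindowsHookAW",
    "NtUserSetWindowsHookEx",
    "NtUserSetWindowStationUser",
    "NtUserSetWindowWord",
    "NtUserSetWinEventHook",
    "NtUserShowCaret",
    "NtUserShowScrollBar",
    "NtUserShowWindow",
    "NtUserShowWindowAsync",
    "NtUserSoundSentry",
    "NtUserSwitchDesktop",
    "NtUserSystemParametersInfo",
    "NtUserTestForInteractiveUser",
    "NtUserThunkedMenuInfo",
    "NtUserThunkedMenuItemInfo",
    "NtUserToUnicodeEx",
    "NtUserTrackMouseEvent",
    "NtUserTrackPopupMenuEx",
    "NtUserCalcMenuBar",
    "NtUserPaintMenuBar",
    "NtUserTranslateAccelerator",
    "NtUserTranslateMessage",
    "NtUserUnhookWindowsHookEx",
    "NtUserUnhookWinEvent",
    "NtUserUnloadKeyboardLayout",
    "NtUserUnlockWindowStation",
    "NtUserUnregisterClass",
    "NtUserUnregisterUserApiHook",
    "NtUserUnregisterHotKey",
    "NtUserUpdateInputContext",
    "NtUserUpdateInstance",
    "NtUserUpdateLayeredWindow",
    "NtUserGetLayeredWindowAttributes",
    "NtUserSetLayeredWindowAttributes",
    "NtUserUpdatePerUserSystemParameters",
    "NtUserUserHandleGrantAccess",
    "NtUserValidateHandleSecure",
    "NtUserValidateRect",
    "NtUserValidateTimerCallback",
    "NtUserVkKeyScanEx",
    "NtUserWaitForInputIdle",
    "NtUserWaitForMsgAndEvent",
    "NtUserWaitMessage",
    "DxgStubGenericThunk",
    "NtUserWindowFromPhysicalPoint",
    "NtUserWindowFromPoint",
    "NtUserYieldTask",
    "NtUserRemoteConnect",
    "NtUserRemoteRedrawRectangle",
    "NtUserRemoteRedrawScreen",
    "NtUserRemoteStopScreenUpdates",
    "NtUserCtxDisplayIOCtl",
    "NtUserRegisterSessionPort",
    "NtUserUnregisterSessionPort",
    /* NOTE(review): entry 626 -- "Updata" is probably "Update". */
    "NtUserUpdataWindowTransform",
    "NtUserDwmStartRedirection",
    "NtUserDwmStopRedirection",
    "NtUserDwmHintDxUpdate",
    "NtUserDwmGetDxRgn",
    "NtUserGetWindowMinimizeRect",
    "NtGdiEngAssociateSurface",
    "NtGdiEngCreateBitmap",
    "NtGdiEngCreateDeviceSurface",
    "NtGdiEngCreateDeviceBitmap",
    "NtGdiEngCreatePalette",
    "NtGdiEngComputeGlyphSet",
    "NtGdiEngCopyBits",
    "NtGdiEngDeletePalette",
    "NtGdiEngDeleteSurface",
    "NtGdiEngEraseSurface",
    "NtGdiEngUnlockSurface",
    "NtGdiEngLockSurface",
    "NtGdiEngBitBlt",
    "NtGdiEngStretchBlt",
    "NtGdiEngPlgBlt",
    "NtGdiEngMarkBandingSurface",
    "NtGdiEngStrokePath",
    "NtGdiEngFillPath",
    "NtGdiEngStrokeAndFillPath",
    "NtGdiEngPaint",
    "NtGdiEngLineTo",
    "NtGdiEngAlphaBlend",
    "NtGdiEngGradientFill",
    "NtGdiEngTransparentBlt",
    "NtGdiEngTextOut",
    "NtGdiEngStretchBltROP",
    "NtGdiXLATEOBJ_cGetPalette",
    "NtGdiXLATEOBJ_iXlate",
    "NtGdiXLATEOBJ_hGetColorTransform",
    "NtGdiCLIPOBJ_bEnum",
    "NtGdiCLIPOBJ_cEnumStart",
    "NtGdiCLIPOBJ_ppoGetPath",
    "NtGdiEngDeletePath",
    "NtGdiEngCreateClip",
    "NtGdiEngDeleteClip",
    "NtGdiBRUSHOBJ_ulGetBrushColor",
    "NtGdiBRUSHOBJ_pvAllocRbrush",
    "NtGdiBRUSHOBJ_pvGetRbrush",
    "NtGdiBRUSHOBJ_hGetColorTransform",
    "NtGdiXFORMOBJ_bApplyXform",
    "NtGdiXFORMOBJ_iGetXform",
    "NtGdiFONTOBJ_vGetInfo",
    "NtGdiFONTOBJ_pxoGetXform",
    "NtGdiFONTOBJ_cGetGlyphs",
    "NtGdiFONTOBJ_pifi",
    "NtGdiFONTOBJ_pfdg",
    "NtGdiFONTOBJ_pQueryGlyphAttrs",
    "NtGdiFONTOBJ_pvTrueTypeFontFile",
    "NtGdiFONTOBJ_cGetAllGlyphHandles",
    "NtGdiSTROBJ_bEnum",
    "NtGdiSTROBJ_bEnumPositionsOnly",
    "NtGdiSTROBJ_bGetAdvanceWidths",
    "NtGdiSTROBJ_vEnumStart",
    "NtGdiSTROBJ_dwGetCodePage",
    "NtGdiPATHOBJ_vGetBounds",
    "NtGdiPATHOBJ_bEnum",
    "NtGdiPATHOBJ_vEnumStart",
    "NtGdiPATHOBJ_vEnumStartClipLines",
    "NtGdiPATHOBJ_bEnumClipLines",
    "NtGdiGetDhpdev",
    "NtGdiEngCheckAbort",
    "NtGdiHT_Get8BPPFormatPalette",
    "NtGdiHT_Get8BPPMaskPalette",
    "NtGdiUpdateTransform",
    "NtGdiSetPUMPDOBJ",
    "NtGdiBRUSHOBJ_DeleteRbrush",
    /* NOTE(review): entry 698 duplicates entry 309 (see note there). */
    "NtGdiUMPDEngFreeUserMem",
    "NtGdiDrawStream",
    "NtGdiDwmGetDirtyRgn",
    /* NOTE(review): entry 701 -- "Dwn" is probably "Dwm", cf. the entry above. */
    "NtGdiDwnGetSurfaceData",
    "NtGdiDdDDICreateAllocation",
    "NtGdiDdDDIQueryResourceInfo",
    "NtGdiDdDDIOpenResource",
    "NtGdiDdDDIDestroyAllocation",
    "NtGdiDdDDISetAllocationPriority",
    /* NOTE(review): entry 707 -- "NtGdiDDI" is probably "NtGdiDdDDI" like
     * its neighbours. */
    "NtGdiDDIQueryAllocationResidency",
    "NtGdiDdDDICreateDevice",
    "NtGdiDdDDIDestroyDevice",
    "NtGdiDdDDICreateContext",
    "NtGdiDdDDIDestroyContext",
    "NtGdiDdDDICreateSynchronizationObject",
    "NtGdiDdDDIDestroySynchronizationObject",
    "NtGdiDdDDIWaitForSynchronizationObject",
    "NtGdiDdDDISignalSynchronizationObject",
    "NtGdiDdDDIGetRuntimeData",
    "NtGdiDdDDIQueryAdapterInfo",
    "NtGdiDdDDILock",
    "NtGdiDdDDIUnlock",
    "NtGdiDdDDIGetDisplayModeList",
    "NtGdiDdDDISetDisplayMode",
    "NtGdiDdDDIGetMultisampleMethodList",
    "NtGdiDdDDIPresent",
    "NtGdiDdDDIRender",
    "NtGdiDdDDIOpenAdapterFromDeviceName",
    "NtGdiDdDDIOpenAdapterFromHdc",
    "NtGdiDdDDICloseAdapter",
    "NtGdiDdDDIGetSharedPrimaryHandle",
    "NtGdiDdDDIEscape",
    "NtGdiDdDDIQueryStatistics",
    "NtGdiDdDDISetVidPnSourceOwner",
    "NtGdiDdDDIGetPresentHistory",
    "NtGdiDdDDICreateOverlay",
    "NtGdiDdDDIUpdateOverlay",
    "NtGdiDdDDIFlipOverlay",
    "NtGdiDdDDIDestroyOverlay",
    "NtGdiDdDDIWaitForVerticalBlankEvent",
    "NtGdiDdDDISetGammaRamp",
    "NtGdiDdDDIGetDeviceState",
    "NtGdiDdDDICreateDCFromMemory",
    "NtGdiDdDDIDestroyDCFromMemory",
    "NtGdiDdDDISetContextSchedulingPriority",
    "NtGdiDdDDIGetContextSchedulingPriority",
    "NtGdiDdDDISetProcessSchedulingPriorityClass",
    "NtGdiDdDDIGetProcessSchedulingPriorityClass",
    "NtGdiDdDDIReleaseProcessVidPnSourceOwners",
    "NtGdiDdDDIGetScanLine",
    "NtGdiDdDDISetQueuedLimit",
    "NtGdiDdDDIPollDisplayChildren",
    "NtGdiDdDDIInvalidateActiveVidPn",
    "NtGdiDdDDICheckOcclusion",
    "NtGdiDdDDIWaitForIdle",
    /* NOTE(review): entry 753 -- "Monito" is probably "Monitor". */
    "NtGdiDdDDICheckMonitoPowerState",
    "NtGdiDdDDICheckExclusiveOwnership",
    "NtGdiDdDDISetDisplayPrivateDriverFormat",
    "NtGdiDdDDISharedPrimaryLockNotification",
    "NtGdiDdDDISharedPrimaryUnLockNotification",
    /* NOTE(review): entry 758 duplicates entry 308 (see note there). */
    "DxgStubDvpGetVideoPortFlipStatus",
    "DxgStubLockDirectDrawSurface",
    "NtGdiGetNumberOfPhysicalMonitors",
    "NtGdiGetPhysicalMonitors",
    "NtGdiGetPhysicalMonitorsDescription",
    "NtGdiDestroyPhysicalMonitor",
    "NtGdiDDCCIGetVCPFeature",
    "NtGdiDDCCISetVCPFeature",
    "NtGdiDDCCISaveCurrentSettings",
    "NtGdiDDCCIGetCapabilitiesStringLength",
    "NtGdiDDCCIGetCapabilitiesString",
    "NtGdiDDCCIGetTimingReport",
    "NtUserSetMirrorRendering",
    "NtUserShowSystemCursor",
    NULL    /* sentinel: lets callers walk the table without the count */
};
#endif

--------------------------------------------------------------------------------
/Common/W2K3ShadowSSDT.h:
--------------------------------------------------------------------------------
#ifndef _W2K3_SHADOWSSDT_H
#define _W2K3_SHADOWSSDT_H

/* Number of named entries in W2K3FunName; the array has one extra slot for
 * the terminator. */
#define WIN2K3_FUNCTION_NUMBER 665

/* Shadow SSDT (win32k) service names for Windows Server 2003, indexed by
 * service number: entry 0 is NtGdiAbortDoc.  Same caveat as the Vista
 * table: confirm service numbers against the target build. */
static PCHAR W2K3FunName[666]=
{
    "NtGdiAbortDoc",
    "NtGdiAbortPath",
    "NtGdiAddFontResourceW",
    "NtGdiAddRemoteFontToDC",
    "NtGdiAddFontMemResourceEx",
    "NtGdiRemoveMergeFont",
    "NtGdiAddRemoteMMInstanceToDC",
    "NtGdiAlphaBlend",
    "NtGdiAngleArc",
    "NtGdiAnyLinkedFonts",
    "NtGdiFontIsLinked",
    "NtGdiArcInternal",
    "NtGdiBeginPath",
    "NtGdiBitBlt",
    "NtGdiCancelDC",
    "NtGdiCheckBitmapBits",
    "NtGdiCloseFigure",
    "NtGdiClearBitmapAttributes",
    "NtGdiClearBrushAttributes",
    "NtGdiColorCorrectPalette",
    "NtGdiCombineRgn",
    "NtGdiCombineTransform",
    "NtGdiComputeXformCoefficients",
    "NtGdiConsoleTextOut",
    "NtGdiConvertMetafileRect",
    "NtGdiCreateBitmap",
    "NtGdiCreateClientObj",
    "NtGdiCreateColorSpace",
    "NtGdiCreateColorTransform",
    "NtGdiCreateCompatibleBitmap",
    "NtGdiCreateCompatibleDC",
    "NtGdiCreateDIBBrush",
    "NtGdiCreateDIBitmapInternal",
    "NtGdiCreateDIBSection",
    "NtGdiCreateEllipticRgn",
    "NtGdiCreateHalftonePalette",
    "NtGdiCreateHatchBrushInternal",
    "NtGdiCreateMetafileDC",
    "NtGdiCreatePaletteInternal",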
"NtGdiCreatePatternBrushInternal", 48 | "NtGdiCreatePen", 49 | "NtGdiCreateRectRgn", 50 | "NtGdiCreateRoundRectRgn", 51 | "NtGdiCreateServerMetaFile", 52 | "NtGdiCreateSolidBrush", 53 | "NtGdiD3dContextCreate", 54 | "NtGdiD3dContextDestroy", 55 | "NtGdiD3dContextDestroyAll", 56 | "NtGdiD3dValidateTextureStageState", 57 | "NtGdiD3dDrawPrimitives2", 58 | "NtGdiDdGetDriverState", 59 | "NtGdiDdAddAttachedSurface", 60 | "NtGdiDdAlphaBlt", 61 | "NtGdiDdAttachSurface", 62 | "NtGdiDdBeginMoCompFrame", 63 | "NtGdiDdBlt", 64 | "NtGdiDdCanCreateSurface", 65 | "NtGdiDdCanCreateD3DBuffer", 66 | "NtGdiDdColorControl", 67 | "NtGdiDdCreateDirectDrawObject", 68 | "NtGdiDdCreateSurface", 69 | "NtGdiDdCreateD3DBuffer", 70 | "NtGdiDdCreateMoComp", 71 | "NtGdiDdCreateSurfaceObject", 72 | "NtGdiDdDeleteDirectDrawObject", 73 | "NtGdiDdDeleteSurfaceObject", 74 | "NtGdiDdDestroyMoComp", 75 | "NtGdiDdDestroySurface", 76 | "NtGdiDdDestroyD3DBuffer", 77 | "NtGdiDdEndMoCompFrame", 78 | "NtGdiDdFlip", 79 | "NtGdiDdFlipToGDISurface", 80 | "NtGdiDdGetAvailDriverMemory", 81 | "NtGdiDdGetBltStatus", 82 | "NtGdiDdGetDC", 83 | "NtGdiDdGetDriverInfo", 84 | "NtGdiDdGetDxHandle", 85 | "NtGdiDdGetFlipStatus", 86 | "NtGdiDdGetInternalMoCompInfo", 87 | "NtGdiDdGetMoCompBuffInfo", 88 | "NtGdiDdGetMoCompGuids", 89 | "NtGdiDdGetMoCompFormats", 90 | "NtGdiDdGetScanLine", 91 | "NtGdiDdLock", 92 | "NtGdiDdLockD3D", 93 | "NtGdiDdQueryDirectDrawObject", 94 | "NtGdiDdQueryMoCompStatus", 95 | "NtGdiDdReenableDirectDrawObject", 96 | "NtGdiDdReleaseDC", 97 | "NtGdiDdRenderMoComp", 98 | "NtGdiDdResetVisrgn", 99 | "NtGdiDdSetColorKey", 100 | "NtGdiDdSetExclusiveMode", 101 | "NtGdiDdSetGammaRamp", 102 | "NtGdiDdCreateSurfaceEx", 103 | "NtGdiDdSetOverlayPosition", 104 | "NtGdiDdUnattachSurface", 105 | "NtGdiDdUnlock", 106 | "NtGdiDdUnlockD3D", 107 | "NtGdiDdUpdateOverlay", 108 | "NtGdiDdWaitForVerticalBlank", 109 | "NtGdiDvpCanCreateVideoPort", 110 | "NtGdiDvpColorControl", 111 | "NtGdiDvpCreateVideoPort", 112 | 
"NtGdiDvpDestroyVideoPort", 113 | "NtGdiDvpFlipVideoPort", 114 | "NtGdiDvpGetVideoPortBandwidth", 115 | "NtGdiDvpGetVideoPortField", 116 | "NtGdiDvpGetVideoPortFlipStatus", 117 | "NtGdiDvpGetVideoPortInputFormats", 118 | "NtGdiDvpGetVideoPortLine", 119 | "NtGdiDvpGetVideoPortOutputFormats", 120 | "NtGdiDvpGetVideoPortConnectInfo", 121 | "NtGdiDvpGetVideoSignalStatus", 122 | "NtGdiDvpUpdateVideoPort", 123 | "NtGdiDvpWaitForVideoPortSync", 124 | "NtGdiDvpAcquireNotification", 125 | "NtGdiDvpReleaseNotification", 126 | "NtGdiDxgGenericThunk", 127 | "NtGdiDeleteClientObj", 128 | "NtGdiDeleteColorSpace", 129 | "NtGdiDeleteColorTransform", 130 | "NtGdiDeleteObjectApp", 131 | "NtGdiDescribePixelFormat", 132 | "NtGdiGetPerBandInfo", 133 | "NtGdiDoBanding", 134 | "NtGdiDoPalette", 135 | "NtGdiDrawEscape", 136 | "NtGdiEllipse", 137 | "NtGdiEnableEudc", 138 | "NtGdiEndDoc", 139 | "NtGdiEndPage", 140 | "NtGdiEndPath", 141 | "NtGdiEnumFontChunk", 142 | "NtGdiEnumFontClose", 143 | "NtGdiEnumFontOpen", 144 | "NtGdiEnumObjects", 145 | "NtGdiEqualRgn", 146 | "NtGdiEudcLoadUnloadLink", 147 | "NtGdiExcludeClipRect", 148 | "NtGdiExtCreatePen", 149 | "NtGdiExtCreateRegion", 150 | "NtGdiExtEscape", 151 | "NtGdiExtFloodFill", 152 | "NtGdiExtGetObjectW", 153 | "NtGdiExtSelectClipRgn", 154 | "NtGdiExtTextOutW", 155 | "NtGdiFillPath", 156 | "NtGdiFillRgn", 157 | "NtGdiFlattenPath", 158 | "NtGdiFlush", 159 | "NtGdiForceUFIMapping", 160 | "NtGdiFrameRgn", 161 | "NtGdiFullscreenControl", 162 | "NtGdiGetAndSetDCDword", 163 | "NtGdiGetAppClipBox", 164 | "NtGdiGetBitmapBits", 165 | "NtGdiGetBitmapDimension", 166 | "NtGdiGetBoundsRect", 167 | "NtGdiGetCharABCWidthsW", 168 | "NtGdiGetCharacterPlacementW", 169 | "NtGdiGetCharSet", 170 | "NtGdiGetCharWidthW", 171 | "NtGdiGetCharWidthInfo", 172 | "NtGdiGetColorAdjustment", 173 | "NtGdiGetColorSpaceforBitmap", 174 | "NtGdiGetDCDword", 175 | "NtGdiGetDCforBitmap", 176 | "NtGdiGetDCObject", 177 | "NtGdiGetDCPoint", 178 | "NtGdiGetDeviceCaps", 179 | 
"NtGdiGetDeviceGammaRamp", 180 | "NtGdiGetDeviceCapsAll", 181 | "NtGdiGetDIBitsInternal", 182 | "NtGdiGetETM", 183 | "NtGdiGetEudcTimeStampEx", 184 | "NtGdiGetFontData", 185 | "NtGdiGetFontResourceInfoInternalW", 186 | "NtGdiGetGlyphIndicesW", 187 | "NtGdiGetGlyphIndicesWInternal", 188 | "NtGdiGetGlyphOutline", 189 | "NtGdiGetKerningPairs", 190 | "NtGdiGetLinkedUFIs", 191 | "NtGdiGetMiterLimit", 192 | "NtGdiGetMonitorID", 193 | "NtGdiGetNearestColor", 194 | "NtGdiGetNearestPaletteIndex", 195 | "NtGdiGetObjectBitmapHandle", 196 | "NtGdiGetOutlineTextMetricsInternalW", 197 | "NtGdiGetPath", 198 | "NtGdiGetPixel", 199 | "NtGdiGetRandomRgn", 200 | "NtGdiGetRasterizerCaps", 201 | "NtGdiGetRealizationInfo", 202 | "NtGdiGetRegionData", 203 | "NtGdiGetRgnBox", 204 | "NtGdiGetServerMetaFileBits", 205 | "NtGdiGetSpoolMessage", 206 | "NtGdiGetStats", 207 | "NtGdiGetStockObject", 208 | "NtGdiGetStringBitmapW", 209 | "NtGdiGetSystemPaletteUse", 210 | "NtGdiGetTextCharsetInfo", 211 | "NtGdiGetTextExtent", 212 | "NtGdiGetTextExtentExW", 213 | "NtGdiGetTextFaceW", 214 | "NtGdiGetTextMetricsW", 215 | "NtGdiGetTransform", 216 | "NtGdiGetUFI", 217 | "NtGdiGetEmbUFI", 218 | "NtGdiGetUFIPathname", 219 | "NtGdiGetEmbedFonts", 220 | "NtGdiChangeGhostFont", 221 | "NtGdiAddEmbFontToDC", 222 | "NtGdiGetFontUnicodeRanges", 223 | "NtGdiGetWidthTable", 224 | "NtGdiGradientFill", 225 | "NtGdiHfontCreate", 226 | "NtGdiIcmBrushInfo", 227 | "NtGdiInit", 228 | "NtGdiInitSpool", 229 | "NtGdiIntersectClipRect", 230 | "NtGdiInvertRgn", 231 | "NtGdiLineTo", 232 | "NtGdiMakeFontDir", 233 | "NtGdiMakeInfoDC", 234 | "NtGdiMaskBlt", 235 | "NtGdiModifyWorldTransform", 236 | "NtGdiMonoBitmap", 237 | "NtGdiMoveTo", 238 | "NtGdiOffsetClipRgn", 239 | "NtGdiOffsetRgn", 240 | "NtGdiOpenDCW", 241 | "NtGdiPatBlt", 242 | "NtGdiPolyPatBlt", 243 | "NtGdiPathToRegion", 244 | "NtGdiPlgBlt", 245 | "NtGdiPolyDraw", 246 | "NtGdiPolyPolyDraw", 247 | "NtGdiPolyTextOutW", 248 | "NtGdiPtInRegion", 249 | "NtGdiPtVisible", 250 | 
"NtGdiQueryFonts", 251 | "NtGdiQueryFontAssocInfo", 252 | "NtGdiRectangle", 253 | "NtGdiRectInRegion", 254 | "NtGdiRectVisible", 255 | "NtGdiRemoveFontResourceW", 256 | "NtGdiRemoveFontMemResourceEx", 257 | "NtGdiResetDC", 258 | "NtGdiResizePalette", 259 | "NtGdiRestoreDC", 260 | "NtGdiRoundRect", 261 | "NtGdiSaveDC", 262 | "NtGdiScaleViewportExtEx", 263 | "NtGdiScaleWindowExtEx", 264 | "NtGdiSelectBitmap", 265 | "NtGdiSelectBrush", 266 | "NtGdiSelectClipPath", 267 | "NtGdiSelectFont", 268 | "NtGdiSelectPen", 269 | "NtGdiSetBitmapAttributes", 270 | "NtGdiSetBitmapBits", 271 | "NtGdiSetBitmapDimension", 272 | "NtGdiSetBoundsRect", 273 | "NtGdiSetBrushAttributes", 274 | "NtGdiSetBrushOrg", 275 | "NtGdiSetColorAdjustment", 276 | "NtGdiSetColorSpace", 277 | "NtGdiSetDeviceGammaRamp", 278 | "NtGdiSetDIBitsToDeviceInternal", 279 | "NtGdiSetFontEnumeration", 280 | "NtGdiSetFontXform", 281 | "NtGdiSetIcmMode", 282 | "NtGdiSetLinkedUFIs", 283 | "NtGdiSetMagicColors", 284 | "NtGdiSetMetaRgn", 285 | "NtGdiSetMiterLimit", 286 | "NtGdiGetDeviceWidth", 287 | "NtGdiMirrorWindowOrg", 288 | "NtGdiSetLayout", 289 | "NtGdiSetPixel", 290 | "NtGdiSetPixelFormat", 291 | "NtGdiSetRectRgn", 292 | "NtGdiSetSystemPaletteUse", 293 | "NtGdiSetTextJustification", 294 | "NtGdiSetupPublicCFONT", 295 | "NtGdiSetVirtualResolution", 296 | "NtGdiSetSizeDevice", 297 | "NtGdiStartDoc", 298 | "NtGdiStartPage", 299 | "NtGdiStretchBlt", 300 | "NtGdiStretchDIBitsInternal", 301 | "NtGdiStrokeAndFillPath", 302 | "NtGdiStrokePath", 303 | "NtGdiSwapBuffers", 304 | "NtGdiTransformPoints", 305 | "NtGdiTransparentBlt", 306 | "NtGdiUnloadPrinterDriver", 307 | "NtGdiUnmapMemFont", 308 | "NtGdiUnrealizeObject", 309 | "NtGdiUpdateColors", 310 | "NtGdiWidenPath", 311 | "NtUserActivateKeyboardLayout", 312 | "NtUserAlterWindowStyle", 313 | "NtUserAssociateInputContext", 314 | "NtUserAttachThreadInput", 315 | "NtUserBeginPaint", 316 | "NtUserBitBltSysBmp", 317 | "NtUserBlockInput", 318 | "NtUserBuildHimcList", 319 | 
"NtUserBuildHwndList", 320 | "NtUserBuildNameList", 321 | "NtUserBuildPropList", 322 | "NtUserCallHwnd", 323 | "NtUserCallHwndLock", 324 | "NtUserCallHwndOpt", 325 | "NtUserCallHwndParam", 326 | "NtUserCallHwndParamLock", 327 | "NtUserCallMsgFilter", 328 | "NtUserCallNextHookEx", 329 | "NtUserCallNoParam", 330 | "NtUserCallOneParam", 331 | "NtUserCallTwoParam", 332 | "NtUserChangeClipboardChain", 333 | "NtUserChangeDisplaySettings", 334 | "NtUserCheckImeHotKey", 335 | "NtUserCheckMenuItem", 336 | "NtUserChildWindowFromPointEx", 337 | "NtUserClipCursor", 338 | "NtUserCloseClipboard", 339 | "NtUserCloseDesktop", 340 | "NtUserCloseWindowStation", 341 | "NtUserConsoleControl", 342 | "NtUserConvertMemHandle", 343 | "NtUserCopyAcceleratorTable", 344 | "NtUserCountClipboardFormats", 345 | "NtUserCreateAcceleratorTable", 346 | "NtUserCreateCaret", 347 | "NtUserCreateDesktop", 348 | "NtUserCreateInputContext", 349 | "NtUserCreateLocalMemHandle", 350 | "NtUserCreateWindowEx", 351 | "NtUserCreateWindowStation", 352 | "NtUserDdeGetQualityOfService", 353 | "NtUserDdeInitialize", 354 | "NtUserDdeSetQualityOfService", 355 | "NtUserDeferWindowPos", 356 | "NtUserDefSetText", 357 | "NtUserDeleteMenu", 358 | "NtUserDestroyAcceleratorTable", 359 | "NtUserDestroyCursor", 360 | "NtUserDestroyInputContext", 361 | "NtUserDestroyMenu", 362 | "NtUserDestroyWindow", 363 | "NtUserDisableThreadIme", 364 | "NtUserDispatchMessage", 365 | "NtUserDragDetect", 366 | "NtUserDragObject", 367 | "NtUserDrawAnimatedRects", 368 | "NtUserDrawCaption", 369 | "NtUserDrawCaptionTemp", 370 | "NtUserDrawIconEx", 371 | "NtUserDrawMenuBarTemp", 372 | "NtUserEmptyClipboard", 373 | "NtUserEnableMenuItem", 374 | "NtUserEnableScrollBar", 375 | "NtUserEndDeferWindowPosEx", 376 | "NtUserEndMenu", 377 | "NtUserEndPaint", 378 | "NtUserEnumDisplayDevices", 379 | "NtUserEnumDisplayMonitors", 380 | "NtUserEnumDisplaySettings", 381 | "NtUserEvent", 382 | "NtUserExcludeUpdateRgn", 383 | "NtUserFillWindow", 384 | 
"NtUserFindExistingCursorIcon", 385 | "NtUserFindWindowEx", 386 | "NtUserFlashWindowEx", 387 | "NtUserGetAltTabInfo", 388 | "NtUserGetAncestor", 389 | "NtUserGetAppImeLevel", 390 | "NtUserGetAsyncKeyState", 391 | "NtUserGetAtomName", 392 | "NtUserGetCaretBlinkTime", 393 | "NtUserGetCaretPos", 394 | "NtUserGetClassInfo", 395 | "NtUserGetClassName", 396 | "NtUserGetClipboardData", 397 | "NtUserGetClipboardFormatName", 398 | "NtUserGetClipboardOwner", 399 | "NtUserGetClipboardSequenceNumber", 400 | "NtUserGetClipboardViewer", 401 | "NtUserGetClipCursor", 402 | "NtUserGetComboBoxInfo", 403 | "NtUserGetControlBrush", 404 | "NtUserGetControlColor", 405 | "NtUserGetCPD", 406 | "NtUserGetCursorFrameInfo", 407 | "NtUserGetCursorInfo", 408 | "NtUserGetDC", 409 | "NtUserGetDCEx", 410 | "NtUserGetDoubleClickTime", 411 | "NtUserGetForegroundWindow", 412 | "NtUserGetGuiResources", 413 | "NtUserGetGUIThreadInfo", 414 | "NtUserGetIconInfo", 415 | "NtUserGetIconSize", 416 | "NtUserGetImeHotKey", 417 | "NtUserGetImeInfoEx", 418 | "NtUserGetInternalWindowPos", 419 | "NtUserGetKeyboardLayoutList", 420 | "NtUserGetKeyboardLayoutName", 421 | "NtUserGetKeyboardState", 422 | "NtUserGetKeyNameText", 423 | "NtUserGetKeyState", 424 | "NtUserGetListBoxInfo", 425 | "NtUserGetMenuBarInfo", 426 | "NtUserGetMenuIndex", 427 | "NtUserGetMenuItemRect", 428 | "NtUserGetMessage", 429 | "NtUserGetMouseMovePointsEx", 430 | "NtUserGetObjectInformation", 431 | "NtUserGetOpenClipboardWindow", 432 | "NtUserGetPriorityClipboardFormat", 433 | "NtUserGetProcessWindowStation", 434 | "NtUserGetRawInputBuffer", 435 | "NtUserGetRawInputData", 436 | "NtUserGetRawInputDeviceInfo", 437 | "NtUserGetRawInputDeviceList", 438 | "NtUserGetRegisteredRawInputDevices", 439 | "NtUserGetScrollBarInfo", 440 | "NtUserGetSystemMenu", 441 | "NtUserGetThreadDesktop", 442 | "NtUserGetThreadState", 443 | "NtUserGetTitleBarInfo", 444 | "NtUserGetUpdateRect", 445 | "NtUserGetUpdateRgn", 446 | "NtUserGetWindowDC", 447 | 
"NtUserGetWindowPlacement", 448 | "NtUserGetWOWClass", 449 | "NtUserHardErrorControl", 450 | "NtUserHideCaret", 451 | "NtUserHiliteMenuItem", 452 | "NtUserImpersonateDdeClientWindow", 453 | "NtUserInitialize", 454 | "NtUserInitializeClientPfnArrays", 455 | "NtUserInitTask", 456 | "NtUserInternalGetWindowText", 457 | "NtUserInvalidateRect", 458 | "NtUserInvalidateRgn", 459 | "NtUserIsClipboardFormatAvailable", 460 | "NtUserKillTimer", 461 | "NtUserLoadKeyboardLayoutEx", 462 | "NtUserLockWindowStation", 463 | "NtUserLockWindowUpdate", 464 | "NtUserLockWorkStation", 465 | "NtUserMapVirtualKeyEx", 466 | "NtUserMenuItemFromPoint", 467 | "NtUserMessageCall", 468 | "NtUserMinMaximize", 469 | "NtUserMNDragLeave", 470 | "NtUserMNDragOver", 471 | "NtUserModifyUserStartupInfoFlags", 472 | "NtUserMoveWindow", 473 | "NtUserNotifyIMEStatus", 474 | "NtUserNotifyProcessCreate", 475 | "NtUserNotifyWinEvent", 476 | "NtUserOpenClipboard", 477 | "NtUserOpenDesktop", 478 | "NtUserOpenInputDesktop", 479 | "NtUserOpenWindowStation", 480 | "NtUserPaintDesktop", 481 | "NtUserPeekMessage", 482 | "NtUserPostMessage", 483 | "NtUserPostThreadMessage", 484 | "NtUserPrintWindow", 485 | "NtUserProcessConnect", 486 | "NtUserQueryInformationThread", 487 | "NtUserQueryInputContext", 488 | "NtUserQuerySendMessage", 489 | "NtUserQueryWindow", 490 | "NtUserRealChildWindowFromPoint", 491 | "NtUserRealInternalGetMessage", 492 | "NtUserRealWaitMessageEx", 493 | "NtUserRedrawWindow", 494 | "NtUserRegisterClassExWOW", 495 | "NtUserRegisterUserApiHook", 496 | "NtUserRegisterHotKey", 497 | "NtUserRegisterRawInputDevices", 498 | "NtUserRegisterTasklist", 499 | "NtUserRegisterWindowMessage", 500 | "NtUserRemoveMenu", 501 | "NtUserRemoveProp", 502 | "NtUserResolveDesktop", 503 | "NtUserResolveDesktopForWOW", 504 | "NtUserSBGetParms", 505 | "NtUserScrollDC", 506 | "NtUserScrollWindowEx", 507 | "NtUserSelectPalette", 508 | "NtUserSendInput", 509 | "NtUserSetActiveWindow", 510 | "NtUserSetAppImeLevel", 511 | 
"NtUserSetCapture", 512 | "NtUserSetClassLong", 513 | "NtUserSetClassWord", 514 | "NtUserSetClipboardData", 515 | "NtUserSetClipboardViewer", 516 | "NtUserSetConsoleReserveKeys", 517 | "NtUserSetCursor", 518 | "NtUserSetCursorContents", 519 | "NtUserSetCursorIconData", 520 | "NtUserSetFocus", 521 | "NtUserSetImeHotKey", 522 | "NtUserSetImeInfoEx", 523 | "NtUserSetImeOwnerWindow", 524 | "NtUserSetInformationProcess", 525 | "NtUserSetInformationThread", 526 | "NtUserSetInternalWindowPos", 527 | "NtUserSetKeyboardState", 528 | "NtUserSetLogonNotifyWindow", 529 | "NtUserSetMenu", 530 | "NtUserSetMenuContextHelpId", 531 | "NtUserSetMenuDefaultItem", 532 | "NtUserSetMenuFlagRtoL", 533 | "NtUserSetObjectInformation", 534 | "NtUserSetParent", 535 | "NtUserSetProcessWindowStation", 536 | "NtUserSetProp", 537 | "NtUserSetScrollInfo", 538 | "NtUserSetShellWindowEx", 539 | "NtUserSetSysColors", 540 | "NtUserSetSystemCursor", 541 | "NtUserSetSystemMenu", 542 | "NtUserSetSystemTimer", 543 | "NtUserSetThreadDesktop", 544 | "NtUserSetThreadLayoutHandles", 545 | "NtUserSetThreadState", 546 | "NtUserSetTimer", 547 | "NtUserSetWindowFNID", 548 | "NtUserSetWindowLong", 549 | "NtUserSetWindowPlacement", 550 | "NtUserSetWindowPos", 551 | "NtUserSetWindowRgn", 552 | "NtUserSetWindowsHookAW", 553 | "NtUserSetWindowsHookEx", 554 | "NtUserSetWindowStationUser", 555 | "NtUserSetWindowWord", 556 | "NtUserSetWinEventHook", 557 | "NtUserShowCaret", 558 | "NtUserShowScrollBar", 559 | "NtUserShowWindow", 560 | "NtUserShowWindowAsync", 561 | "NtUserSoundSentry", 562 | "NtUserSwitchDesktop", 563 | "NtUserSystemParametersInfo", 564 | "NtUserTestForInteractiveUser", 565 | "NtUserThunkedMenuInfo", 566 | "NtUserThunkedMenuItemInfo", 567 | "NtUserToUnicodeEx", 568 | "NtUserTrackMouseEvent", 569 | "NtUserTrackPopupMenuEx", 570 | "NtUserCalcMenuBar", 571 | "NtUserPaintMenuBar", 572 | "NtUserTranslateAccelerator", 573 | "NtUserTranslateMessage", 574 | "NtUserUnhookWindowsHookEx", 575 | 
"NtUserUnhookWinEvent", 576 | "NtUserUnloadKeyboardLayout", 577 | "NtUserUnlockWindowStation", 578 | "NtUserUnregisterClass", 579 | "NtUserUnregisterUserApiHook", 580 | "NtUserUnregisterHotKey", 581 | "NtUserUpdateInputContext", 582 | "NtUserUpdateInstance", 583 | "NtUserUpdateLayeredWindow", 584 | "NtUserGetLayeredWindowAttributes", 585 | "NtUserSetLayeredWindowAttributes", 586 | "NtUserUpdatePerUserSystemParameters", 587 | "NtUserUserHandleGrantAccess", 588 | "NtUserValidateHandleSecure", 589 | "NtUserValidateRect", 590 | "NtUserValidateTimerCallback", 591 | "NtUserVkKeyScanEx", 592 | "NtUserWaitForInputIdle", 593 | "NtUserWaitForMsgAndEvent", 594 | "NtUserWaitMessage", 595 | "NtUserWin32PoolAllocationStats", 596 | "NtUserWindowFromPoint", 597 | "NtUserYieldTask", 598 | "NtUserRemoteConnect", 599 | "NtUserRemoteRedrawRectangle", 600 | "NtUserRemoteRedrawScreen", 601 | "NtUserRemoteStopScreenUpdates", 602 | "NtUserCtxDisplayIOCtl", 603 | "NtGdiEngAssociateSurface", 604 | "NtGdiEngCreateBitmap", 605 | "NtGdiEngCreateDeviceSurface", 606 | "NtGdiEngCreateDeviceBitmap", 607 | "NtGdiEngCreatePalette", 608 | "NtGdiEngComputeGlyphSet", 609 | "NtGdiEngCopyBits", 610 | "NtGdiEngDeletePalette", 611 | "NtGdiEngDeleteSurface", 612 | "NtGdiEngEraseSurface", 613 | "NtGdiEngUnlockSurface", 614 | "NtGdiEngLockSurface", 615 | "NtGdiEngBitBlt", 616 | "NtGdiEngStretchBlt", 617 | "NtGdiEngPlgBlt", 618 | "NtGdiEngMarkBandingSurface", 619 | "NtGdiEngStrokePath", 620 | "NtGdiEngFillPath", 621 | "NtGdiEngStrokeAndFillPath", 622 | "NtGdiEngPaint", 623 | "NtGdiEngLineTo", 624 | "NtGdiEngAlphaBlend", 625 | "NtGdiEngGradientFill", 626 | "NtGdiEngTransparentBlt", 627 | "NtGdiEngTextOut", 628 | "NtGdiEngStretchBltROP", 629 | "NtGdiXLATEOBJ_cGetPalette", 630 | "NtGdiXLATEOBJ_iXlate", 631 | "NtGdiXLATEOBJ_hGetColorTransform", 632 | "NtGdiCLIPOBJ_bEnum", 633 | "NtGdiCLIPOBJ_cEnumStart", 634 | "NtGdiCLIPOBJ_ppoGetPath", 635 | "NtGdiEngDeletePath", 636 | "NtGdiEngCreateClip", 637 | 
"NtGdiEngDeleteClip", 638 | "NtGdiBRUSHOBJ_ulGetBrushColor", 639 | "NtGdiBRUSHOBJ_pvAllocRbrush", 640 | "NtGdiBRUSHOBJ_pvGetRbrush", 641 | "NtGdiBRUSHOBJ_hGetColorTransform", 642 | "NtGdiXFORMOBJ_bApplyXform", 643 | "NtGdiXFORMOBJ_iGetXform", 644 | "NtGdiFONTOBJ_vGetInfo", 645 | "NtGdiFONTOBJ_pxoGetXform", 646 | "NtGdiFONTOBJ_cGetGlyphs", 647 | "NtGdiFONTOBJ_pifi", 648 | "NtGdiFONTOBJ_pfdg", 649 | "NtGdiFONTOBJ_pQueryGlyphAttrs", 650 | "NtGdiFONTOBJ_pvTrueTypeFontFile", 651 | "NtGdiFONTOBJ_cGetAllGlyphHandles", 652 | "NtGdiSTROBJ_bEnum", 653 | "NtGdiSTROBJ_bEnumPositionsOnly", 654 | "NtGdiSTROBJ_bGetAdvanceWidths", 655 | "NtGdiSTROBJ_vEnumStart", 656 | "NtGdiSTROBJ_dwGetCodePage", 657 | "NtGdiPATHOBJ_vGetBounds", 658 | "NtGdiPATHOBJ_bEnum", 659 | "NtGdiPATHOBJ_vEnumStart", 660 | "NtGdiPATHOBJ_vEnumStartClipLines", 661 | "NtGdiPATHOBJ_bEnumClipLines", 662 | "NtGdiGetDhpdev", 663 | "NtGdiEngCheckAbort", 664 | "NtGdiHT_Get8BPPFormatPalette", 665 | "NtGdiHT_Get8BPPMaskPalette", 666 | "NtGdiUpdateTransform", 667 | "NtGdiSetPUMPDOBJ", 668 | "NtGdiBRUSHOBJ_DeleteRbrush", 669 | "NtGdiUMPDEngFreeUserMem", 670 | "NTGdiDrawStream", 671 | "?UMPDDryQuerySpoolType", 672 | "NtGdiMakeObjectUnXferable", 673 | NULL 674 | }; 675 | #endif -------------------------------------------------------------------------------- /Common/Win7ShadowSSDT.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _WIN7_SHADOW_SSDT 3 | #define _WIN7_SHADOW_SSDT 4 | 5 | #define WIN7_FUNCTION_NUMBER 825 6 | 7 | static PCHAR Win7FunName[830] = 8 | { 9 | "NtGdiAbortDoc", 10 | "NtGdiAbortPath", 11 | "NtGdiAddFontResourceW", 12 | "NtGdiAddRemoteFontToDC", 13 | "NtGdiAddFontMemResourceEx", 14 | "NtGdiRemoveMergeFont", 15 | "NtGdiAddRemoteMMInstanceToDC", 16 | "NtGdiAlphaBlend", 17 | "NtGdiAngleArc", 18 | "NtGdiAnyLinkedFonts", 19 | "NtGdiFontIsLinked", 20 | "NtGdiArcInternal", 21 | "NtGdiBeginGdiRendering", 22 | "NtGdiBeginPath", 23 | "NtGdiBitBlt", 24 | 
"NtGdiCancelDC", 25 | "NtGdiCheckBitmapBits", 26 | "NtGdiCloseFigure", 27 | "NtGdiClearBitmapAttributes", 28 | "NtGdiClearBrushAttributes", 29 | "NtGdiColorCorrectPalette", 30 | "NtGdiCombineRgn", 31 | "NtGdiCombineTransform", 32 | "NtGdiComputeXformCoefficients", 33 | "NtGdiConfigureOPMProtectedOutput", 34 | "NtGdiConvertMetafileRect", 35 | "NtGdiCreateBitmap", 36 | "NtGdiCreateBitmapFromDxSurface", 37 | "NtGdiCreateClientObj", 38 | "NtGdiCreateColorSpace", 39 | "NtGdiCreateColorTransform", 40 | "NtGdiCreateCompatibleBitmap", 41 | "NtGdiCreateCompatibleDC", 42 | "NtGdiCreateDIBBrush", 43 | "NtGdiCreateDIBitmapInternal", 44 | "NtGdiCreateDIBSection", 45 | "NtGdiCreateEllipticRgn", 46 | "NtGdiCreateHalftonePalette", 47 | "NtGdiCreateHatchBrushInternal", 48 | "NtGdiCreateMetafileDC", 49 | "NtGdiCreateOPMProtectedOutputs", 50 | "NtGdiCreatePaletteInternal", 51 | "NtGdiCreatePatternBrushInternal", 52 | "NtGdiCreatePen", 53 | "NtGdiCreateRectRgn", 54 | "NtGdiCreateRoundRectRgn", 55 | "NtGdiCreateServerMetaFile", 56 | "NtGdiCreateSolidBrush", 57 | "NtGdiD3dContextCreate", 58 | "NtGdiD3dContextDestroy", 59 | "NtGdiD3dContextDestroyAll", 60 | "NtGdiD3dValidateTextureStageState", 61 | "NtGdiD3dDrawPrimitives2", 62 | "NtGdiDdGetDriverState", 63 | "NtGdiDdAddAttachedSurface", 64 | "NtGdiDdAlphaBlt", 65 | "NtGdiDdAttachSurface", 66 | "NtGdiDdBeginMoCompFrame", 67 | "NtGdiDdBlt", 68 | "NtGdiDdCanCreateSurface", 69 | "NtGdiDdCanCreateD3DBuffer", 70 | "NtGdiDdColorControl", 71 | "NtGdiDdCreateDirectDrawObject", 72 | "NtGdiDdCreateSurface", 73 | "NtGdiDdCreateD3DBuffer", 74 | "NtGdiDdCreateMoComp", 75 | "NtGdiDdCreateSurfaceObject", 76 | "NtGdiDdDeleteDirectDrawObject", 77 | "NtGdiDdDeleteSurfaceObject", 78 | "NtGdiDdDestroyMoComp", 79 | "NtGdiDdDestroySurface", 80 | "NtGdiDdDestroyD3DBuffer", 81 | "NtGdiDdEndMoCompFrame", 82 | "NtGdiDdFlip", 83 | "NtGdiDdFlipToGDISurface", 84 | "NtGdiDdGetAvailDriverMemory", 85 | "NtGdiDdGetBltStatus", 86 | "NtGdiDdGetDC", 87 | 
"NtGdiDdGetDriverInfo", 88 | "NtGdiDdGetDxHandle", 89 | "NtGdiDdGetFlipStatus", 90 | "NtGdiDdGetInternalMoCompInfo", 91 | "NtGdiDdGetMoCompBuffInfo", 92 | "NtGdiDdGetMoCompGuids", 93 | "NtGdiDdGetMoCompFormats", 94 | "NtGdiDdGetScanLine", 95 | "NtGdiDdLock", 96 | "NtGdiDdLockD3D", 97 | "NtGdiDdQueryDirectDrawObject", 98 | "NtGdiDdQueryMoCompStatus", 99 | "NtGdiDdReenableDirectDrawObject", 100 | "NtGdiDdReleaseDC", 101 | "NtGdiDdRenderMoComp", 102 | "NtGdiDdResetVisrgn", 103 | "NtGdiDdSetColorKey", 104 | "NtGdiDdSetExclusiveMode", 105 | "NtGdiDdSetGammaRamp", 106 | "NtGdiDdCreateSurfaceEx", 107 | "NtGdiDdSetOverlayPosition", 108 | "NtGdiDdUnattachSurface", 109 | "NtGdiDdUnlock", 110 | "NtGdiDdUnlockD3D", 111 | "NtGdiDdUpdateOverlay", 112 | "NtGdiDdWaitForVerticalBlank", 113 | "NtGdiDvpCanCreateVideoPort", 114 | "NtGdiDvpColorControl", 115 | "NtGdiDvpCreateVideoPort", 116 | "NtGdiDvpDestroyVideoPort", 117 | "NtGdiDvpFlipVideoPort", 118 | "NtGdiDvpGetVideoPortBandwidth", 119 | "NtGdiDvpGetVideoPortField", 120 | "NtGdiDvpGetVideoPortFlipStatus", 121 | "NtGdiDvpGetVideoPortInputFormats", 122 | "NtGdiDvpGetVideoPortLine", 123 | "NtGdiDvpGetVideoPortOutputFormats", 124 | "NtGdiDvpGetVideoPortConnectInfo", 125 | "NtGdiDvpGetVideoSignalStatus", 126 | "NtGdiDvpUpdateVideoPort", 127 | "NtGdiDvpWaitForVideoPortSync", 128 | "NtGdiDvpAcquireNotification", 129 | "NtGdiDvpReleaseNotification", 130 | "NtGdiDxgGenericThunk", 131 | "NtGdiDeleteClientObj", 132 | "NtGdiDeleteColorSpace", 133 | "NtGdiDeleteColorTransform", 134 | "NtGdiDeleteObjectApp", 135 | "NtGdiDescribePixelFormat", 136 | "NtGdiDestroyOPMProtectedOutput", 137 | "NtGdiGetPerBandInfo", 138 | "NtGdiDoBanding", 139 | "NtGdiDoPalette", 140 | "NtGdiDrawEscape", 141 | "NtGdiEllipse", 142 | "NtGdiEnableEudc", 143 | "NtGdiEndDoc", 144 | "NtGdiEndGdiRendering", 145 | "NtGdiEndPage", 146 | "NtGdiEndPath", 147 | "NtGdiEnumFonts", 148 | "NtGdiEnumObjects", 149 | "NtGdiEqualRgn", 150 | "NtGdiEudcLoadUnloadLink", 151 | 
"NtGdiExcludeClipRect", 152 | "NtGdiExtCreatePen", 153 | "NtGdiExtCreateRegion", 154 | "NtGdiExtEscape", 155 | "NtGdiExtFloodFill", 156 | "NtGdiExtGetObjectW", 157 | "NtGdiExtSelectClipRgn", 158 | "NtGdiExtTextOutW", 159 | "NtGdiFillPath", 160 | "NtGdiFillRgn", 161 | "NtGdiFlattenPath", 162 | "NtGdiFlush", 163 | "NtGdiForceUFIMapping", 164 | "NtGdiFrameRgn", 165 | "NtGdiFullscreenControl", 166 | "NtGdiGetAndSetDCDword", 167 | "NtGdiGetAppClipBox", 168 | "NtGdiGetBitmapBits", 169 | "NtGdiGetBitmapDimension", 170 | "NtGdiGetBoundsRect", 171 | "NtGdiGetCertificate", 172 | "NtGdiGetCertificateSize", 173 | "NtGdiGetCharABCWidthsW", 174 | "NtGdiGetCharacterPlacementW", 175 | "NtGdiGetCharSet", 176 | "NtGdiGetCharWidthW", 177 | "NtGdiGetCharWidthInfo", 178 | "NtGdiGetColorAdjustment", 179 | "NtGdiGetColorSpaceforBitmap", 180 | "NtGdiGetCOPPCompatibleOPMInformation", 181 | "NtGdiGetDCDword", 182 | "NtGdiGetDCforBitmap", 183 | "NtGdiGetDCObject", 184 | "NtGdiGetDCPoint", 185 | "NtGdiGetDeviceCaps", 186 | "NtGdiGetDeviceGammaRamp", 187 | "NtGdiGetDeviceCapsAll", 188 | "NtGdiGetDIBitsInternal", 189 | "NtGdiGetETM", 190 | "NtGdiGetEudcTimeStampEx", 191 | "NtGdiGetFontData", 192 | "NtGdiGetFontFileData", 193 | "NtGdiGetFontFileInfo", 194 | "NtGdiGetFontResourceInfoInternalW", 195 | "NtGdiGetGlyphIndicesW", 196 | "NtGdiGetGlyphIndicesWInternal", 197 | "NtGdiGetGlyphOutline", 198 | "NtGdiGetOPMInformation", 199 | "NtGdiGetKerningPairs", 200 | "NtGdiGetLinkedUFIs", 201 | "NtGdiGetMiterLimit", 202 | "NtGdiGetMonitorID", 203 | "NtGdiGetNearestColor", 204 | "NtGdiGetNearestPaletteIndex", 205 | "NtGdiGetObjectBitmapHandle", 206 | "NtGdiGetOPMRandomNumber", 207 | "NtGdiGetOutlineTextMetricsInternalW", 208 | "NtGdiGetPath", 209 | "NtGdiGetPixel", 210 | "NtGdiGetRandomRgn", 211 | "NtGdiGetRasterizerCaps", 212 | "NtGdiGetRealizationInfo", 213 | "NtGdiGetRegionData", 214 | "NtGdiGetRgnBox", 215 | "NtGdiGetServerMetaFileBits", 216 | "DxgStubDvpUpdateVideoPort", 217 | "NtGdiGetStats", 218 | 
"NtGdiGetStockObject", 219 | "NtGdiGetStringBitmapW", 220 | "NtGdiGetSuggestedOPMProtectedOutputArraySize", 221 | "NtGdiGetSystemPaletteUse", 222 | "NtGdiGetTextCharsetInfo", 223 | "NtGdiGetTextExtent", 224 | "NtGdiGetTextExtentExW", 225 | "NtGdiGetTextFaceW", 226 | "NtGdiGetTextMetricsW", 227 | "NtGdiGetTransform", 228 | "NtGdiGetUFI", 229 | "NtGdiGetEmbUFI", 230 | "NtGdiGetUFIPathname", 231 | "NtGdiGetEmbedFonts", 232 | "NtGdiChangeGhostFont", 233 | "NtGdiAddEmbFontToDC", 234 | "NtGdiGetFontUnicodeRanges", 235 | "NtGdiGetWidthTable", 236 | "NtGdiGradientFill", 237 | "NtGdiHfontCreate", 238 | "NtGdiIcmBrushInfo", 239 | "bInitRedirDev", 240 | "NtGdiInitSpool", 241 | "NtGdiIntersectClipRect", 242 | "NtGdiInvertRgn", 243 | "NtGdiLineTo", 244 | "NtGdiMakeFontDir", 245 | "NtGdiMakeInfoDC", 246 | "NtGdiMaskBlt", 247 | "NtGdiModifyWorldTransform", 248 | "NtGdiMonoBitmap", 249 | "NtGdiMoveTo", 250 | "NtGdiOffsetClipRgn", 251 | "NtGdiOffsetRgn", 252 | "NtGdiOpenDCW", 253 | "NtGdiPatBlt", 254 | "NtGdiPolyPatBlt", 255 | "NtGdiPathToRegion", 256 | "NtGdiPlgBlt", 257 | "NtGdiPolyDraw", 258 | "NtGdiPolyPolyDraw", 259 | "NtGdiPolyTextOutW", 260 | "NtGdiPtInRegion", 261 | "NtGdiPtVisible", 262 | "NtGdiQueryFonts", 263 | "NtGdiQueryFontAssocInfo", 264 | "NtGdiRectangle", 265 | "NtGdiRectInRegion", 266 | "NtGdiRectVisible", 267 | "NtGdiRemoveFontResourceW", 268 | "NtGdiRemoveFontMemResourceEx", 269 | "NtGdiResetDC", 270 | "NtGdiResizePalette", 271 | "NtGdiRestoreDC", 272 | "NtGdiRoundRect", 273 | "NtGdiSaveDC", 274 | "NtGdiScaleViewportExtEx", 275 | "NtGdiScaleWindowExtEx", 276 | "NtGdiSelectBitmap", 277 | "NtGdiSelectBrush", 278 | "NtGdiSelectClipPath", 279 | "NtGdiSelectFont", 280 | "NtGdiSelectPen", 281 | "NtGdiSetBitmapAttributes", 282 | "NtGdiSetBitmapBits", 283 | "NtGdiSetBitmapDimension", 284 | "NtGdiSetBoundsRect", 285 | "NtGdiSetBrushAttributes", 286 | "NtGdiSetBrushOrg", 287 | "NtGdiSetColorAdjustment", 288 | "NtGdiSetColorSpace", 289 | "NtGdiSetDeviceGammaRamp", 290 | 
"NtGdiSetDIBitsToDeviceInternal", 291 | "NtGdiSetFontEnumeration", 292 | "NtGdiSetFontXform", 293 | "NtGdiSetIcmMode", 294 | "NtGdiSetLinkedUFIs", 295 | "NtGdiSetMagicColors", 296 | "NtGdiSetMetaRgn", 297 | "NtGdiSetMiterLimit", 298 | "NtGdiGetDeviceWidth", 299 | "NtGdiMirrorWindowOrg", 300 | "NtGdiSetLayout", 301 | "NtGdiSetOPMSigningKeyAndSequenceNumbers", 302 | "NtGdiSetPixel", 303 | "NtGdiSetPixelFormat", 304 | "NtGdiSetRectRgn", 305 | "NtGdiSetSystemPaletteUse", 306 | "NtGdiSetTextJustification", 307 | "NtGdiSetVirtualResolution", 308 | "NtGdiSetSizeDevice", 309 | "NtGdiStartDoc", 310 | "NtGdiStartPage", 311 | "NtGdiStretchBlt", 312 | "NtGdiStretchDIBitsInternal", 313 | "NtGdiStrokeAndFillPath", 314 | "NtGdiStrokePath", 315 | "NtGdiSwapBuffers", 316 | "NtGdiTransformPoints", 317 | "NtGdiTransparentBlt", 318 | "DxgStubEndMoCompFrame", 319 | "NtGdiUMPDEngFreeUserMem", 320 | "NtGdiUnrealizeObject", 321 | "NtGdiUpdateColors", 322 | "NtGdiWidenPath", 323 | "NtUserActivateKeyboardLayout", 324 | "NtUserAddClipboardFormatListener", 325 | "NtUserAlterWindowStyle", 326 | "NtUserAssociateInputContext", 327 | "NtUserAttachThreadInput", 328 | "NtUserBeginPaint", 329 | "NtUserBitBltSysBmp", 330 | "NtUserBlockInput", 331 | "NtUserBuildHimcList", 332 | "NtUserBuildHwndList", 333 | "NtUserBuildNameList", 334 | "NtUserBuildPropList", 335 | "NtUserCallHwnd", 336 | "NtUserCallHwndLock", 337 | "NtUserCallHwndOpt", 338 | "NtUserCallHwndParam", 339 | "NtUserCallHwndParamLock", 340 | "NtUserCallMsgFilter", 341 | "NtUserCallNextHookEx", 342 | "NtUserCallNoParam", 343 | "NtUserCallOneParam", 344 | "NtUserCallTwoParam", 345 | "NtUserChangeClipboardChain", 346 | "NtUserChangeDisplaySettings", 347 | "NtUserGetDisplayConfigBufferSizes", 348 | "NtUserSetDisplayConfig", 349 | "NtUserQueryDisplayConfig", 350 | "NtUserDisplayConfigGetDeviceInfo", 351 | "NtUserDisplayConfigSetDeviceInfo", 352 | "NtUserCheckAccessForIntegrityLevel", 353 | "NtUserCheckDesktopByThreadId", 354 | 
"NtUserCheckWindowThreadDesktop", 355 | "NtUserCheckMenuItem", 356 | "NtUserChildWindowFromPointEx", 357 | "NtUserClipCursor", 358 | "NtUserCloseClipboard", 359 | "NtUserCloseDesktop", 360 | "NtUserCloseWindowStation", 361 | "NtUserConsoleControl", 362 | "NtUserConvertMemHandle", 363 | "NtUserCopyAcceleratorTable", 364 | "NtUserCountClipboardFormats", 365 | "NtUserCreateAcceleratorTable", 366 | "NtUserCreateCaret", 367 | "NtUserCreateDesktopEx", 368 | "NtUserCreateInputContext", 369 | "NtUserCreateLocalMemHandle", 370 | "NtUserCreateWindowEx", 371 | "NtUserCreateWindowStation", 372 | "NtUserDdeInitialize", 373 | "NtUserDeferWindowPos", 374 | "NtUserDefSetText", 375 | "NtUserDeleteMenu", 376 | "NtUserDestroyAcceleratorTable", 377 | "NtUserDestroyCursor", 378 | "NtUserDestroyInputContext", 379 | "NtUserDestroyMenu", 380 | "NtUserDestroyWindow", 381 | "NtUserDisableThreadIme", 382 | "NtUserDispatchMessage", 383 | "NtUserDoSoundConnect", 384 | "NtUserDoSoundDisconnect", 385 | "NtUserDragDetect", 386 | "NtUserDragObject", 387 | "NtUserDrawAnimatedRects", 388 | "NtUserDrawCaption", 389 | "NtUserDrawCaptionTemp", 390 | "NtUserDrawIconEx", 391 | "NtUserDrawMenuBarTemp", 392 | "NtUserEmptyClipboard", 393 | "NtUserEnableMenuItem", 394 | "NtUserEnableScrollBar", 395 | "NtUserEndDeferWindowPosEx", 396 | "NtUserEndMenu", 397 | "NtUserEndPaint", 398 | "NtUserEnumDisplayDevices", 399 | "NtUserEnumDisplayMonitors", 400 | "NtUserEnumDisplaySettings", 401 | "NtUserEvent", 402 | "NtUserExcludeUpdateRgn", 403 | "NtUserFillWindow", 404 | "NtUserFindExistingCursorIcon", 405 | "NtUserFindWindowEx", 406 | "NtUserFlashWindowEx", 407 | "NtUserFrostCrashedWindow", 408 | "NtUserGetAltTabInfo", 409 | "NtUserGetAncestor", 410 | "NtUserGetAppImeLevel", 411 | "NtUserGetAsyncKeyState", 412 | "NtUserGetAtomName", 413 | "NtUserGetCaretBlinkTime", 414 | "NtUserGetCaretPos", 415 | "NtUserGetClassInfoEx", 416 | "NtUserGetClassName", 417 | "NtUserGetClipboardData", 418 | "NtUserGetClipboardFormatName", 
419 | "NtUserGetClipboardOwner", 420 | "NtUserGetClipboardSequenceNumber", 421 | "NtUserGetClipboardViewer", 422 | "NtUserGetClipCursor", 423 | "NtUserGetComboBoxInfo", 424 | "NtUserGetControlBrush", 425 | "NtUserGetControlColor", 426 | "NtUserGetCPD", 427 | "NtUserGetCursorFrameInfo", 428 | "NtUserGetCursorInfo", 429 | "NtUserGetDC", 430 | "NtUserGetDCEx", 431 | "NtUserGetDoubleClickTime", 432 | "NtUserGetForegroundWindow", 433 | "NtUserGetGuiResources", 434 | "NtUserGetGUIThreadInfo", 435 | "NtUserGetIconInfo", 436 | "NtUserGetIconSize", 437 | "NtUserGetImeHotKey", 438 | "NtUserGetImeInfoEx", 439 | "NtUserGetInputLocaleInfo", 440 | "NtUserGetInternalWindowPos", 441 | "NtUserGetKeyboardLayoutList", 442 | "NtUserGetKeyboardLayoutName", 443 | "NtUserGetKeyboardState", 444 | "NtUserGetKeyNameText", 445 | "NtUserGetKeyState", 446 | "NtUserGetListBoxInfo", 447 | "NtUserGetMenuBarInfo", 448 | "NtUserGetMenuIndex", 449 | "NtUserGetMenuItemRect", 450 | "NtUserGetMessage", 451 | "NtUserGetMouseMovePointsEx", 452 | "NtUserGetObjectInformation", 453 | "NtUserGetOpenClipboardWindow", 454 | "NtUserGetPriorityClipboardFormat", 455 | "NtUserGetProcessWindowStation", 456 | "NtUserGetRawInputBuffer", 457 | "NtUserGetRawInputData", 458 | "NtUserGetRawInputDeviceInfo", 459 | "NtUserGetRawInputDeviceList", 460 | "NtUserGetRegisteredRawInputDevices", 461 | "NtUserGetScrollBarInfo", 462 | "NtUserGetSystemMenu", 463 | "NtUserGetThreadDesktop", 464 | "NtUserGetThreadState", 465 | "NtUserGetTitleBarInfo", 466 | "NtUserGetTopLevelWindow", 467 | "NtUserGetUpdatedClipboardFormats", 468 | "NtUserGetUpdateRect", 469 | "NtUserGetUpdateRgn", 470 | "NtUserGetWindowCompositionInfo", 471 | "NtUserGetWindowCompositionAttribute", 472 | "NtUserGetWindowDC", 473 | "NtUserGetWindowDisplayAffinity", 474 | "NtUserGetWindowPlacement", 475 | "NtUserGetWOWClass", 476 | "NtUserGhostWindowFromHungWindow", 477 | "NtUserHardErrorControl", 478 | "NtUserHideCaret", 479 | "NtUserHiliteMenuItem", 480 | 
"NtUserHungWindowFromGhostWindow", 481 | "NtUserImpersonateDdeClientWindow", 482 | "NtUserInitialize", 483 | "NtUserInitializeClientPfnArrays", 484 | "NtUserInitTask", 485 | "NtUserInternalGetWindowText", 486 | "NtUserInternalGetWindowIcon", 487 | "NtUserInvalidateRect", 488 | "NtUserInvalidateRgn", 489 | "NtUserIsClipboardFormatAvailable", 490 | "NtUserIsTopLevelWindow", 491 | "NtUserKillTimer", 492 | "NtUserLoadKeyboardLayoutEx", 493 | "NtUserLockWindowStation", 494 | "NtUserLockWindowUpdate", 495 | "NtUserLockWorkStation", 496 | "NtUserLogicalToPhysicalPoint", 497 | "NtUserMapVirtualKeyEx", 498 | "NtUserMenuItemFromPoint", 499 | "NtUserMessageCall", 500 | "NtUserMinMaximize", 501 | "NtUserMNDragLeave", 502 | "NtUserMNDragOver", 503 | "NtUserModifyUserStartupInfoFlags", 504 | "NtUserMoveWindow", 505 | "NtUserNotifyIMEStatus", 506 | "NtUserNotifyProcessCreate", 507 | "NtUserNotifyWinEvent", 508 | "NtUserOpenClipboard", 509 | "NtUserOpenDesktop", 510 | "NtUserOpenInputDesktop", 511 | "NtUserOpenThreadDesktop", 512 | "NtUserOpenWindowStation", 513 | "NtUserPaintDesktop", 514 | "NtUserPaintMonitor", 515 | "NtUserPeekMessage", 516 | "NtUserPhysicalToLogicalPoint", 517 | "NtUserPostMessage", 518 | "NtUserPostThreadMessage", 519 | "NtUserPrintWindow", 520 | "NtUserProcessConnect", 521 | "NtUserQueryInformationThread", 522 | "NtUserQueryInputContext", 523 | "NtUserQuerySendMessage", 524 | "NtUserQueryWindow", 525 | "NtUserRealChildWindowFromPoint", 526 | "NtUserRealInternalGetMessage", 527 | "NtUserRealWaitMessageEx", 528 | "NtUserRedrawWindow", 529 | "NtUserRegisterClassExWOW", 530 | "NtUserRegisterErrorReportingDialog", 531 | "NtUserRegisterUserApiHook", 532 | "NtUserRegisterHotKey", 533 | "NtUserRegisterRawInputDevices", 534 | "NtUserRegisterServicesProcess", 535 | "NtUserRegisterTasklist", 536 | "NtUserRegisterWindowMessage", 537 | "NtUserRemoveClipboardFormatListener", 538 | "NtUserRemoveMenu", 539 | "NtUserRemoveProp", 540 | "NtUserResolveDesktopForWOW", 541 | 
"NtUserSBGetParms", 542 | "NtUserScrollDC", 543 | "NtUserScrollWindowEx", 544 | "NtUserSelectPalette", 545 | "NtUserSendInput", 546 | "NtUserSetActiveWindow", 547 | "NtUserSetAppImeLevel", 548 | "NtUserSetCapture", 549 | "NtUserSetChildWindowNoActivate", 550 | "NtUserSetClassLong", 551 | "NtUserSetClassWord", 552 | "NtUserSetClipboardData", 553 | "NtUserSetClipboardViewer", 554 | "NtUserSetCursor", 555 | "NtUserSetCursorContents", 556 | "NtUserSetCursorIconData", 557 | "NtUserSetFocus", 558 | "NtUserSetImeHotKey", 559 | "NtUserSetImeInfoEx", 560 | "NtUserSetImeOwnerWindow", 561 | "NtUserSetInformationThread", 562 | "NtUserSetInternalWindowPos", 563 | "NtUserSetKeyboardState", 564 | "NtUserSetMenu", 565 | "NtUserSetMenuContextHelpId", 566 | "NtUserSetMenuDefaultItem", 567 | "NtUserSetMenuFlagRtoL", 568 | "NtUserSetObjectInformation", 569 | "NtUserSetParent", 570 | "NtUserSetProcessWindowStation", 571 | "NtUserGetProp", 572 | "NtUserSetProp", 573 | "NtUserSetScrollInfo", 574 | "NtUserSetShellWindowEx", 575 | "NtUserSetSysColors", 576 | "NtUserSetSystemCursor", 577 | "NtUserSetSystemMenu", 578 | "NtUserSetSystemTimer", 579 | "NtUserSetThreadDesktop", 580 | "NtUserSetThreadLayoutHandles", 581 | "NtUserSetThreadState", 582 | "NtUserSetTimer", 583 | "NtUserSetProcessDPIAware", 584 | "NtUserSetWindowCompositionAttribute", 585 | "NtUserSetWindowDisplayAffinity", 586 | "NtUserSetWindowFNID", 587 | "NtUserSetWindowLong", 588 | "NtUserSetWindowPlacement", 589 | "NtUserSetWindowPos", 590 | "NtUserSetWindowRgn", 591 | "NtUserGetWindowRgnEx", 592 | "NtUserSetWindowRgnEx", 593 | "NtUserSetWindowsHookAW", 594 | "NtUserSetWindowsHookEx", 595 | "NtUserSetWindowStationUser", 596 | "NtUserSetWindowWord", 597 | "NtUserSetWinEventHook", 598 | "NtUserShowCaret", 599 | "NtUserShowScrollBar", 600 | "NtUserShowWindow", 601 | "NtUserShowWindowAsync", 602 | "NtUserSoundSentry", 603 | "NtUserSwitchDesktop", 604 | "NtUserSystemParametersInfo", 605 | "NtUserTestForInteractiveUser", 606 | 
"NtUserThunkedMenuInfo", 607 | "NtUserThunkedMenuItemInfo", 608 | "NtUserToUnicodeEx", 609 | "NtUserTrackMouseEvent", 610 | "NtUserTrackPopupMenuEx", 611 | "NtUserCalculatePopupWindowPosition", 612 | "NtUserCalcMenuBar", 613 | "NtUserPaintMenuBar", 614 | "NtUserTranslateAccelerator", 615 | "NtUserTranslateMessage", 616 | "NtUserUnhookWindowsHookEx", 617 | "NtUserUnhookWinEvent", 618 | "NtUserUnloadKeyboardLayout", 619 | "NtUserUnlockWindowStation", 620 | "NtUserUnregisterClass", 621 | "NtUserUnregisterUserApiHook", 622 | "NtUserUnregisterHotKey", 623 | "NtUserUpdateInputContext", 624 | "NtUserUpdateInstance", 625 | "NtUserUpdateLayeredWindow", 626 | "NtUserGetLayeredWindowAttributes", 627 | "NtUserSetLayeredWindowAttributes", 628 | "NtUserUpdatePerUserSystemParameters", 629 | "NtUserUserHandleGrantAccess", 630 | "NtUserValidateHandleSecure", 631 | "NtUserValidateRect", 632 | "NtUserValidateTimerCallback", 633 | "NtUserVkKeyScanEx", 634 | "NtUserWaitForInputIdle", 635 | "NtUserWaitForMsgAndEvent", 636 | "NtUserWaitMessage", 637 | "NtUserWindowFromPhysicalPoint", 638 | "NtUserWindowFromPoint", 639 | "NtUserYieldTask", 640 | "NtUserRemoteConnect", 641 | "NtUserRemoteRedrawRectangle", 642 | "NtUserRemoteRedrawScreen", 643 | "NtUserRemoteStopScreenUpdates", 644 | "NtUserCtxDisplayIOCtl", 645 | "NtUserRegisterSessionPort", 646 | "NtUserUnregisterSessionPort", 647 | "NtUserUpdateWindowTransform", 648 | "NtUserDwmStartRedirection", 649 | "NtUserDwmStopRedirection", 650 | "NtUserGetWindowMinimizeRect", 651 | "NtUserSfmDxBindSwapChain", 652 | "NtUserSfmDxOpenSwapChain", 653 | "NtUserSfmDxReleaseSwapChain", 654 | "NtUserSfmDxSetSwapChainBindingStatus", 655 | "NtUserSfmDxQuerySwapChainBindingStatus", 656 | "NtUserSfmDxReportPendingBindingsToDwm", 657 | "NtUserSfmDxGetSwapChainStats", 658 | "NtUserSfmDxSetSwapChainStats", 659 | "NtUserSfmGetLogicalSurfaceBinding", 660 | "NtUserSfmDestroyLogicalSurfaceBinding", 661 | "NtUserModifyWindowTouchCapability", 662 | 
"NtUserIsTouchWindow", 663 | "NtUserSendTouchInput", 664 | "NtUserEndTouchOperation", 665 | "NtUserGetTouchInputInfo", 666 | "NtUserChangeWindowMessageFilterEx", 667 | "NtUserInjectGesture", 668 | "NtUserGetGestureInfo", 669 | "NtUserGetGestureExtArgs", 670 | "NtUserManageGestureHandlerWindow", 671 | "NtUserSetGestureConfig", 672 | "NtUserGetGestureConfig", 673 | "NtGdiEngAssociateSurface", 674 | "NtGdiEngCreateBitmap", 675 | "NtGdiEngCreateDeviceSurface", 676 | "NtGdiEngCreateDeviceBitmap", 677 | "NtGdiEngCreatePalette", 678 | "NtGdiEngComputeGlyphSet", 679 | "NtGdiEngCopyBits", 680 | "NtGdiEngDeletePalette", 681 | "NtGdiEngDeleteSurface", 682 | "NtGdiEngEraseSurface", 683 | "NtGdiEngUnlockSurface", 684 | "NtGdiEngLockSurface", 685 | "NtGdiEngBitBlt", 686 | "NtGdiEngStretchBlt", 687 | "NtGdiEngPlgBlt", 688 | "NtGdiEngMarkBandingSurface", 689 | "NtGdiEngStrokePath", 690 | "NtGdiEngFillPath", 691 | "NtGdiEngStrokeAndFillPath", 692 | "NtGdiEngPaint", 693 | "NtGdiEngLineTo", 694 | "NtGdiEngAlphaBlend", 695 | "NtGdiEngGradientFill", 696 | "NtGdiEngTransparentBlt", 697 | "NtGdiEngTextOut", 698 | "NtGdiEngStretchBltROP", 699 | "NtGdiXLATEOBJ_cGetPalette", 700 | "NtGdiXLATEOBJ_iXlate", 701 | "NtGdiXLATEOBJ_hGetColorTransform", 702 | "NtGdiCLIPOBJ_bEnum", 703 | "NtGdiCLIPOBJ_cEnumStart", 704 | "NtGdiCLIPOBJ_ppoGetPath", 705 | "NtGdiEngDeletePath", 706 | "NtGdiEngCreateClip", 707 | "NtGdiEngDeleteClip", 708 | "NtGdiBRUSHOBJ_ulGetBrushColor", 709 | "NtGdiBRUSHOBJ_pvAllocRbrush", 710 | "NtGdiBRUSHOBJ_pvGetRbrush", 711 | "NtGdiBRUSHOBJ_hGetColorTransform", 712 | "NtGdiXFORMOBJ_bApplyXform", 713 | "NtGdiXFORMOBJ_iGetXform", 714 | "NtGdiFONTOBJ_vGetInfo", 715 | "NtGdiFONTOBJ_pxoGetXform", 716 | "NtGdiFONTOBJ_cGetGlyphs", 717 | "NtGdiFONTOBJ_pifi", 718 | "NtGdiFONTOBJ_pfdg", 719 | "NtGdiFONTOBJ_pQueryGlyphAttrs", 720 | "NtGdiFONTOBJ_pvTrueTypeFontFile", 721 | "NtGdiFONTOBJ_cGetAllGlyphHandles", 722 | "NtGdiSTROBJ_bEnum", 723 | "NtGdiSTROBJ_bEnumPositionsOnly", 724 | 
"NtGdiSTROBJ_bGetAdvanceWidths", 725 | "NtGdiSTROBJ_vEnumStart", 726 | "NtGdiSTROBJ_dwGetCodePage", 727 | "NtGdiPATHOBJ_vGetBounds", 728 | "NtGdiPATHOBJ_bEnum", 729 | "NtGdiPATHOBJ_vEnumStart", 730 | "NtGdiPATHOBJ_vEnumStartClipLines", 731 | "NtGdiPATHOBJ_bEnumClipLines", 732 | "NtGdiGetDhpdev", 733 | "NtGdiEngCheckAbort", 734 | "NtGdiHT_Get8BPPFormatPalette", 735 | "NtGdiHT_Get8BPPMaskPalette", 736 | "NtGdiUpdateTransform", 737 | "NtGdiSetPUMPDOBJ", 738 | "NtGdiBRUSHOBJ_DeleteRbrush", 739 | "NtGdiUMPDEngFreeUserMem", 740 | "NtGdiDrawStream", 741 | "NtGdiSfmGetNotificationTokens", 742 | "NtGdiHLSurfGetInformation", 743 | "NtGdiHLSurfSetInformation", 744 | "NtGdiDdDDICreateAllocation", 745 | "NtGdiDdDDIQueryResourceInfo", 746 | "NtGdiDdDDIOpenResource", 747 | "NtGdiDdDDIDestroyAllocation", 748 | "NtGdiDdDDISetAllocationPriority", 749 | "NtGdiDdDDIQueryAllocationResidency", 750 | "NtGdiDdDDICreateDevice", 751 | "NtGdiDdDDIDestroyDevice", 752 | "NtGdiDdDDICreateContext", 753 | "NtGdiDdDDIDestroyContext", 754 | "NtGdiDdDDICreateSynchronizationObject", 755 | "NtGdiDdDDIOpenSynchronizationObject", 756 | "NtGdiDdDDIDestroySynchronizationObject", 757 | "NtGdiDdDDIWaitForSynchronizationObject", 758 | "NtGdiDdDDISignalSynchronizationObject", 759 | "NtGdiDdDDIGetRuntimeData", 760 | "NtGdiDdDDIQueryAdapterInfo", 761 | "NtGdiDdDDILock", 762 | "NtGdiDdDDIUnlock", 763 | "NtGdiDdDDIGetDisplayModeList", 764 | "NtGdiDdDDISetDisplayMode", 765 | "NtGdiDdDDIGetMultisampleMethodList", 766 | "NtGdiDdDDIPresent", 767 | "NtGdiDdDDIRender", 768 | "NtGdiDdDDIOpenAdapterFromDeviceName", 769 | "NtGdiDdDDIOpenAdapterFromHdc", 770 | "NtGdiDdDDICloseAdapter", 771 | "NtGdiDdDDIGetSharedPrimaryHandle", 772 | "NtGdiDdDDIEscape", 773 | "NtGdiDdDDIQueryStatistics", 774 | "NtGdiDdDDISetVidPnSourceOwner", 775 | "NtGdiDdDDIGetPresentHistory", 776 | "NtGdiDdDDIGetPresentQueueEvent", 777 | "NtGdiDdDDICreateOverlay", 778 | "NtGdiDdDDIUpdateOverlay", 779 | "NtGdiDdDDIFlipOverlay", 780 | 
"NtGdiDdDDIDestroyOverlay", 781 | "NtGdiDdDDIWaitForVerticalBlankEvent", 782 | "NtGdiDdDDISetGammaRamp", 783 | "NtGdiDdDDIGetDeviceState", 784 | "NtGdiDdDDICreateDCFromMemory", 785 | "NtGdiDdDDIDestroyDCFromMemory", 786 | "NtGdiDdDDISetContextSchedulingPriority", 787 | "NtGdiDdDDIGetContextSchedulingPriority", 788 | "NtGdiDdDDISetProcessSchedulingPriorityClass", 789 | "NtGdiDdDDIGetProcessSchedulingPriorityClass", 790 | "NtGdiDdDDIReleaseProcessVidPnSourceOwners", 791 | "NtGdiDdDDIGetScanLine", 792 | "NtGdiDdDDISetQueuedLimit", 793 | "NtGdiDdDDIPollDisplayChildren", 794 | "NtGdiDdDDIInvalidateActiveVidPn", 795 | "NtGdiDdDDICheckOcclusion", 796 | "NtGdiDdDDIWaitForIdle", 797 | "NtGdiDdDDICheckMonitorPowerState", 798 | "NtGdiDdDDICheckExclusiveOwnership", 799 | "NtGdiDdDDISetDisplayPrivateDriverFormat", 800 | "NtGdiDdDDISharedPrimaryLockNotification", 801 | "NtGdiDdDDISharedPrimaryUnLockNotification", 802 | "NtGdiDdDDICreateKeyedMutex", 803 | "NtGdiDdDDIOpenKeyedMutex", 804 | "NtGdiDdDDIDestroyKeyedMutex", 805 | "NtGdiDdDDIAcquireKeyedMutex", 806 | "NtGdiDdDDIReleaseKeyedMutex", 807 | "NtGdiDdDDIConfigureSharedResource", 808 | "NtGdiDdDDIGetOverlayState", 809 | "NtGdiDdDDICheckVidPnExclusiveOwnership", 810 | "NtGdiDdDDICheckSharedResourceAccess", 811 | "DxgStubEndMoCompFrame", 812 | "DxgStubContextDestroyAll", 813 | "NtGdiGetNumberOfPhysicalMonitors", 814 | "NtGdiGetPhysicalMonitors", 815 | "NtGdiGetPhysicalMonitorDescription", 816 | "NtGdiDestroyPhysicalMonitor", 817 | "NtGdiDDCCIGetVCPFeature", 818 | "NtGdiDDCCISetVCPFeature", 819 | "NtGdiDDCCISaveCurrentSettings", 820 | "NtGdiDDCCIGetCapabilitiesStringLength", 821 | "NtGdiDDCCIGetCapabilitiesString", 822 | "NtGdiDDCCIGetTimingReport", 823 | "NtGdiDdCreateFullscreenSprite", 824 | "NtGdiDdNotifyFullscreenSpriteUpdate", 825 | "NtGdiDdDestroyFullscreenSprite", 826 | "DxEngVisRgnUniq", 827 | "NtUserSetMirrorRendering", 828 | "NtUserShowSystemCursor", 829 | "NtUserMagControl", 830 | "NtUserMagSetContextInformation", 831 
| "NtUserMagGetContextInformation", 832 | "NtUserHwndQueryRedirectionInfo", 833 | "NtUserHwndSetRedirectionInfo", 834 | NULL 835 | } 836 | 837 | #endif -------------------------------------------------------------------------------- /Common/XPShadowSSDT.h: -------------------------------------------------------------------------------- 1 | #ifndef _XP_SHADOWSSDT_H 2 | #define _XP_SHADOWSSDT_H 3 | 4 | #define XP_FUNCTION_NUMBER 667 /* number of named entries in XPFunName; the trailing NULL sentinel is the 668th element */ 5 | /* Shadow SSDT (win32k.sys) service names for the Windows XP build this project targets (README: XP SP3). The table is positional: XPFunName[i] is presumably the name the tool reports for shadow-SSDT service index i (the lookup lives in ssdt.c / ssdt.cpp, not shown), so entries must never be reordered or de-duplicated, and the table must match the exact build being scanned -- a table for a different build mislabels which service is hooked without any error. XP_FUNCTION_NUMBER counts the names; keep it in sync with the list when editing. NOTE(review): "NtGdiUnmapMemFont" appears twice below (after NtGdiUnloadPrinterDriver and again after NtGdiBRUSHOBJ_DeleteRbrush); both positions are needed. NOTE(review): declared static PCHAR in a header, so every translation unit that includes this gets its own writable copy of the names; a static const char * const table would be read-only and harder to tamper with -- confirm no caller writes through the PCHAR first. */ 6 | static PCHAR XPFunName[668]= 7 | { 8 | "NtGdiAbortDoc", 9 | "NtGdiAbortPath", 10 | "NtGdiAddFontResourceW", 11 | "NtGdiAddRemoteFontToDC", 12 | "NtGdiAddFontMemResourceEx", 13 | "NtGdiRemoveMergeFont", 14 | "NtGdiAddRemoteMMInstanceToDC", 15 | "NtGdiAlphaBlend", 16 | "NtGdiAngleArc", 17 | "NtGdiAnyLinkedFonts", 18 | "NtGdiFontIsLinked", 19 | "NtGdiArcInternal", 20 | "NtGdiBeginPath", 21 | "NtGdiBitBlt", 22 | "NtGdiCancelDC", 23 | "NtGdiCheckBitmapBits", 24 | "NtGdiCloseFigure", 25 | "NtGdiClearBitmapAttributes", 26 | "NtGdiClearBrushAttributes", 27 | "NtGdiColorCorrectPalette", 28 | "NtGdiCombineRgn", 29 | "NtGdiCombineTransform", 30 | "NtGdiComputeXformCoefficients", 31 | "NtGdiConsoleTextOut", 32 | "NtGdiConvertMetafileRect", 33 | "NtGdiCreateBitmap", 34 | "NtGdiCreateClientObj", 35 | "NtGdiCreateColorSpace", 36 | "NtGdiCreateColorTransform", 37 | "NtGdiCreateCompatibleBitmap", 38 | "NtGdiCreateCompatibleDC", 39 | "NtGdiCreateDIBBrush", 40 | "NtGdiCreateDIBitmapInternal", 41 | "NtGdiCreateDIBSection", 42 | "NtGdiCreateEllipticRgn", 43 | "NtGdiCreateHalftonePalette", 44 | "NtGdiCreateHatchBrushInternal", 45 | "NtGdiCreateMetafileDC", 46 | "NtGdiCreatePaletteInternal", 47 | "NtGdiCreatePatternBrushInternal", 48 | "NtGdiCreatePen", 49 | "NtGdiCreateRectRgn", 50 | "NtGdiCreateRoundRectRgn", 51 | "NtGdiCreateServerMetaFile", 52 | "NtGdiCreateSolidBrush", 53 | "NtGdiD3dContextCreate", 54 | "NtGdiD3dContextDestroy", 55 | "NtGdiD3dContextDestroyAll", 56 | "NtGdiD3dValidateTextureStageState", 57 | "NtGdiD3dDrawPrimitives2", 58 | 
"NtGdiDdGetDriverState", 59 | "NtGdiDdAddAttachedSurface", 60 | "NtGdiDdAlphaBlt", 61 | "NtGdiDdAttachSurface", 62 | "NtGdiDdBeginMoCompFrame", 63 | "NtGdiDdBlt", 64 | "NtGdiDdCanCreateSurface", 65 | "NtGdiDdCanCreateD3DBuffer", 66 | "NtGdiDdColorControl", 67 | "NtGdiDdCreateDirectDrawObject", 68 | "NtGdiDdCreateSurface", 69 | "NtGdiDdCreateD3DBuffer", 70 | "NtGdiDdCreateMoComp", 71 | "NtGdiDdCreateSurfaceObject", 72 | "NtGdiDdDeleteDirectDrawObject", 73 | "NtGdiDdDeleteSurfaceObject", 74 | "NtGdiDdDestroyMoComp", 75 | "NtGdiDdDestroySurface", 76 | "NtGdiDdDestroyD3DBuffer", 77 | "NtGdiDdEndMoCompFrame", 78 | "NtGdiDdFlip", 79 | "NtGdiDdFlipToGDISurface", 80 | "NtGdiDdGetAvailDriverMemory", 81 | "NtGdiDdGetBltStatus", 82 | "NtGdiDdGetDC", 83 | "NtGdiDdGetDriverInfo", 84 | "NtGdiDdGetDxHandle", 85 | "NtGdiDdGetFlipStatus", 86 | "NtGdiDdGetInternalMoCompInfo", 87 | "NtGdiDdGetMoCompBuffInfo", 88 | "NtGdiDdGetMoCompGuids", 89 | "NtGdiDdGetMoCompFormats", 90 | "NtGdiDdGetScanLine", 91 | "NtGdiDdLock", 92 | "NtGdiDdLockD3D", 93 | "NtGdiDdQueryDirectDrawObject", 94 | "NtGdiDdQueryMoCompStatus", 95 | "NtGdiDdReenableDirectDrawObject", 96 | "NtGdiDdReleaseDC", 97 | "NtGdiDdRenderMoComp", 98 | "NtGdiDdResetVisrgn", 99 | "NtGdiDdSetColorKey", 100 | "NtGdiDdSetExclusiveMode", 101 | "NtGdiDdSetGammaRamp", 102 | "NtGdiDdCreateSurfaceEx", 103 | "NtGdiDdSetOverlayPosition", 104 | "NtGdiDdUnattachSurface", 105 | "NtGdiDdUnlock", 106 | "NtGdiDdUnlockD3D", 107 | "NtGdiDdUpdateOverlay", 108 | "NtGdiDdWaitForVerticalBlank", 109 | "NtGdiDvpCanCreateVideoPort", 110 | "NtGdiDvpColorControl", 111 | "NtGdiDvpCreateVideoPort", 112 | "NtGdiDvpDestroyVideoPort", 113 | "NtGdiDvpFlipVideoPort", 114 | "NtGdiDvpGetVideoPortBandwidth", 115 | "NtGdiDvpGetVideoPortField", 116 | "NtGdiDvpGetVideoPortFlipStatus", 117 | "NtGdiDvpGetVideoPortInputFormats", 118 | "NtGdiDvpGetVideoPortLine", 119 | "NtGdiDvpGetVideoPortOutputFormats", 120 | "NtGdiDvpGetVideoPortConnectInfo", 121 | 
"NtGdiDvpGetVideoSignalStatus", 122 | "NtGdiDvpUpdateVideoPort", 123 | "NtGdiDvpWaitForVideoPortSync", 124 | "NtGdiDvpAcquireNotification", 125 | "NtGdiDvpReleaseNotification", 126 | "NtGdiDxgGenericThunk", 127 | "NtGdiDeleteClientObj", 128 | "NtGdiDeleteColorSpace", 129 | "NtGdiDeleteColorTransform", 130 | "NtGdiDeleteObjectApp", 131 | "NtGdiDescribePixelFormat", 132 | "NtGdiGetPerBandInfo", 133 | "NtGdiDoBanding", 134 | "NtGdiDoPalette", 135 | "NtGdiDrawEscape", 136 | "NtGdiEllipse", 137 | "NtGdiEnableEudc", 138 | "NtGdiEndDoc", 139 | "NtGdiEndPage", 140 | "NtGdiEndPath", 141 | "NtGdiEnumFontChunk", 142 | "NtGdiEnumFontClose", 143 | "NtGdiEnumFontOpen", 144 | "NtGdiEnumObjects", 145 | "NtGdiEqualRgn", 146 | "NtGdiEudcLoadUnloadLink", 147 | "NtGdiExcludeClipRect", 148 | "NtGdiExtCreatePen", 149 | "NtGdiExtCreateRegion", 150 | "NtGdiExtEscape", 151 | "NtGdiExtFloodFill", 152 | "NtGdiExtGetObjectW", 153 | "NtGdiExtSelectClipRgn", 154 | "NtGdiExtTextOutW", 155 | "NtGdiFillPath", 156 | "NtGdiFillRgn", 157 | "NtGdiFlattenPath", 158 | "NtGdiFlushUserBatch", 159 | "NtGdiFlush", 160 | "NtGdiForceUFIMapping", 161 | "NtGdiFrameRgn", 162 | "NtGdiFullscreenControl", 163 | "NtGdiGetAndSetDCDword", 164 | "NtGdiGetAppClipBox", 165 | "NtGdiGetBitmapBits", 166 | "NtGdiGetBitmapDimension", 167 | "NtGdiGetBoundsRect", 168 | "NtGdiGetCharABCWidthsW", 169 | "NtGdiGetCharacterPlacementW", 170 | "NtGdiGetCharSet", 171 | "NtGdiGetCharWidthW", 172 | "NtGdiGetCharWidthInfo", 173 | "NtGdiGetColorAdjustment", 174 | "NtGdiGetColorSpaceforBitmap", 175 | "NtGdiGetDCDword", 176 | "NtGdiGetDCforBitmap", 177 | "NtGdiGetDCObject", 178 | "NtGdiGetDCPoint", 179 | "NtGdiGetDeviceCaps", 180 | "NtGdiGetDeviceGammaRamp", 181 | "NtGdiGetDeviceCapsAll", 182 | "NtGdiGetDIBitsInternal", 183 | "NtGdiGetETM", 184 | "NtGdiGetEudcTimeStampEx", 185 | "NtGdiGetFontData", 186 | "NtGdiGetFontResourceInfoInternalW", 187 | "NtGdiGetGlyphIndicesW", 188 | "NtGdiGetGlyphIndicesWInternal", 189 | "NtGdiGetGlyphOutline", 
190 | "NtGdiGetKerningPairs", 191 | "NtGdiGetLinkedUFIs", 192 | "NtGdiGetMiterLimit", 193 | "NtGdiGetMonitorID", 194 | "NtGdiGetNearestColor", 195 | "NtGdiGetNearestPaletteIndex", 196 | "NtGdiGetObjectBitmapHandle", 197 | "NtGdiGetOutlineTextMetricsInternalW", 198 | "NtGdiGetPath", 199 | "NtGdiGetPixel", 200 | "NtGdiGetRandomRgn", 201 | "NtGdiGetRasterizerCaps", 202 | "NtGdiGetRealizationInfo", 203 | "NtGdiGetRegionData", 204 | "NtGdiGetRgnBox", 205 | "NtGdiGetServerMetaFileBits", 206 | "NtGdiGetSpoolMessage", 207 | "NtGdiGetStats", 208 | "NtGdiGetStockObject", 209 | "NtGdiGetStringBitmapW", 210 | "NtGdiGetSystemPaletteUse", 211 | "NtGdiGetTextCharsetInfo", 212 | "NtGdiGetTextExtent", 213 | "NtGdiGetTextExtentExW", 214 | "NtGdiGetTextFaceW", 215 | "NtGdiGetTextMetricsW", 216 | "NtGdiGetTransform", 217 | "NtGdiGetUFI", 218 | "NtGdiGetEmbUFI", 219 | "NtGdiGetUFIPathname", 220 | "NtGdiGetEmbedFonts", 221 | "NtGdiChangeGhostFont", 222 | "NtGdiAddEmbFontToDC", 223 | "NtGdiGetFontUnicodeRanges", 224 | "NtGdiGetWidthTable", 225 | "NtGdiGradientFill", 226 | "NtGdiHfontCreate", 227 | "NtGdiIcmBrushInfo", 228 | "NtGdiInit", 229 | "NtGdiInitSpool", 230 | "NtGdiIntersectClipRect", 231 | "NtGdiInvertRgn", 232 | "NtGdiLineTo", 233 | "NtGdiMakeFontDir", 234 | "NtGdiMakeInfoDC", 235 | "NtGdiMaskBlt", 236 | "NtGdiModifyWorldTransform", 237 | "NtGdiMonoBitmap", 238 | "NtGdiMoveTo", 239 | "NtGdiOffsetClipRgn", 240 | "NtGdiOffsetRgn", 241 | "NtGdiOpenDCW", 242 | "NtGdiPatBlt", 243 | "NtGdiPolyPatBlt", 244 | "NtGdiPathToRegion", 245 | "NtGdiPlgBlt", 246 | "NtGdiPolyDraw", 247 | "NtGdiPolyPolyDraw", 248 | "NtGdiPolyTextOutW", 249 | "NtGdiPtInRegion", 250 | "NtGdiPtVisible", 251 | "NtGdiQueryFonts", 252 | "NtGdiQueryFontAssocInfo", 253 | "NtGdiRectangle", 254 | "NtGdiRectInRegion", 255 | "NtGdiRectVisible", 256 | "NtGdiRemoveFontResourceW", 257 | "NtGdiRemoveFontMemResourceEx", 258 | "NtGdiResetDC", 259 | "NtGdiResizePalette", 260 | "NtGdiRestoreDC", 261 | "NtGdiRoundRect", 262 | 
"NtGdiSaveDC", 263 | "NtGdiScaleViewportExtEx", 264 | "NtGdiScaleWindowExtEx", 265 | "NtGdiSelectBitmap", 266 | "NtGdiSelectBrush", 267 | "NtGdiSelectClipPath", 268 | "NtGdiSelectFont", 269 | "NtGdiSelectPen", 270 | "NtGdiSetBitmapAttributes", 271 | "NtGdiSetBitmapBits", 272 | "NtGdiSetBitmapDimension", 273 | "NtGdiSetBoundsRect", 274 | "NtGdiSetBrushAttributes", 275 | "NtGdiSetBrushOrg", 276 | "NtGdiSetColorAdjustment", 277 | "NtGdiSetColorSpace", 278 | "NtGdiSetDeviceGammaRamp", 279 | "NtGdiSetDIBitsToDeviceInternal", 280 | "NtGdiSetFontEnumeration", 281 | "NtGdiSetFontXform", 282 | "NtGdiSetIcmMode", 283 | "NtGdiSetLinkedUFIs", 284 | "NtGdiSetMagicColors", 285 | "NtGdiSetMetaRgn", 286 | "NtGdiSetMiterLimit", 287 | "NtGdiGetDeviceWidth", 288 | "NtGdiMirrorWindowOrg", 289 | "NtGdiSetLayout", 290 | "NtGdiSetPixel", 291 | "NtGdiSetPixelFormat", 292 | "NtGdiSetRectRgn", 293 | "NtGdiSetSystemPaletteUse", 294 | "NtGdiSetTextJustification", 295 | "NtGdiSetupPublicCFONT", 296 | "NtGdiSetVirtualResolution", 297 | "NtGdiSetSizeDevice", 298 | "NtGdiStartDoc", 299 | "NtGdiStartPage", 300 | "NtGdiStretchBlt", 301 | "NtGdiStretchDIBitsInternal", 302 | "NtGdiStrokeAndFillPath", 303 | "NtGdiStrokePath", 304 | "NtGdiSwapBuffers", 305 | "NtGdiTransformPoints", 306 | "NtGdiTransparentBlt", 307 | "NtGdiUnloadPrinterDriver", 308 | "NtGdiUnmapMemFont", 309 | "NtGdiUnrealizeObject", 310 | "NtGdiUpdateColors", 311 | "NtGdiWidenPath", 312 | "NtUserActivateKeyboardLayout", 313 | "NtUserAlterWindowStyle", 314 | "NtUserAssociateInputContext", 315 | "NtUserAttachThreadInput", 316 | "NtUserBeginPaint", 317 | "NtUserBitBltSysBmp", 318 | "NtUserBlockInput", 319 | "NtUserBuildHimcList", 320 | "NtUserBuildHwndList", 321 | "NtUserBuildNameList", 322 | "NtUserBuildPropList", 323 | "NtUserCallHwnd", 324 | "NtUserCallHwndLock", 325 | "NtUserCallHwndOpt", 326 | "NtUserCallHwndParam", 327 | "NtUserCallHwndParamLock", 328 | "NtUserCallMsgFilter", 329 | "NtUserCallNextHookEx", 330 | "NtUserCallNoParam", 
331 | "NtUserCallOneParam", 332 | "NtUserCallTwoParam", 333 | "NtUserChangeClipboardChain", 334 | "NtUserChangeDisplaySettings", 335 | "NtUserCheckImeHotKey", 336 | "NtUserCheckMenuItem", 337 | "NtUserChildWindowFromPointEx", 338 | "NtUserClipCursor", 339 | "NtUserCloseClipboard", 340 | "NtUserCloseDesktop", 341 | "NtUserCloseWindowStation", 342 | "NtUserConsoleControl", 343 | "NtUserConvertMemHandle", 344 | "NtUserCopyAcceleratorTable", 345 | "NtUserCountClipboardFormats", 346 | "NtUserCreateAcceleratorTable", 347 | "NtUserCreateCaret", 348 | "NtUserCreateDesktop", 349 | "NtUserCreateInputContext", 350 | "NtUserCreateLocalMemHandle", 351 | "NtUserCreateWindowEx", 352 | "NtUserCreateWindowStation", 353 | "NtUserDdeGetQualityOfService", 354 | "NtUserDdeInitialize", 355 | "NtUserDdeSetQualityOfService", 356 | "NtUserDeferWindowPos", 357 | "NtUserDefSetText", 358 | "NtUserDeleteMenu", 359 | "NtUserDestroyAcceleratorTable", 360 | "NtUserDestroyCursor", 361 | "NtUserDestroyInputContext", 362 | "NtUserDestroyMenu", 363 | "NtUserDestroyWindow", 364 | "NtUserDisableThreadIme", 365 | "NtUserDispatchMessage", 366 | "NtUserDragDetect", 367 | "NtUserDragObject", 368 | "NtUserDrawAnimatedRects", 369 | "NtUserDrawCaption", 370 | "NtUserDrawCaptionTemp", 371 | "NtUserDrawIconEx", 372 | "NtUserDrawMenuBarTemp", 373 | "NtUserEmptyClipboard", 374 | "NtUserEnableMenuItem", 375 | "NtUserEnableScrollBar", 376 | "NtUserEndDeferWindowPosEx", 377 | "NtUserEndMenu", 378 | "NtUserEndPaint", 379 | "NtUserEnumDisplayDevices", 380 | "NtUserEnumDisplayMonitors", 381 | "NtUserEnumDisplaySettings", 382 | "NtUserEvent", 383 | "NtUserExcludeUpdateRgn", 384 | "NtUserFillWindow", 385 | "NtUserFindExistingCursorIcon", 386 | "NtUserFindWindowEx", 387 | "NtUserFlashWindowEx", 388 | "NtUserGetAltTabInfo", 389 | "NtUserGetAncestor", 390 | "NtUserGetAppImeLevel", 391 | "NtUserGetAsyncKeyState", 392 | "NtUserGetAtomName", 393 | "NtUserGetCaretBlinkTime", 394 | "NtUserGetCaretPos", 395 | 
"NtUserGetClassInfo", 396 | "NtUserGetClassName", 397 | "NtUserGetClipboardData", 398 | "NtUserGetClipboardFormatName", 399 | "NtUserGetClipboardOwner", 400 | "NtUserGetClipboardSequenceNumber", 401 | "NtUserGetClipboardViewer", 402 | "NtUserGetClipCursor", 403 | "NtUserGetComboBoxInfo", 404 | "NtUserGetControlBrush", 405 | "NtUserGetControlColor", 406 | "NtUserGetCPD", 407 | "NtUserGetCursorFrameInfo", 408 | "NtUserGetCursorInfo", 409 | "NtUserGetDC", 410 | "NtUserGetDCEx", 411 | "NtUserGetDoubleClickTime", 412 | "NtUserGetForegroundWindow", 413 | "NtUserGetGuiResources", 414 | "NtUserGetGUIThreadInfo", 415 | "NtUserGetIconInfo", 416 | "NtUserGetIconSize", 417 | "NtUserGetImeHotKey", 418 | "NtUserGetImeInfoEx", 419 | "NtUserGetInternalWindowPos", 420 | "NtUserGetKeyboardLayoutList", 421 | "NtUserGetKeyboardLayoutName", 422 | "NtUserGetKeyboardState", 423 | "NtUserGetKeyNameText", 424 | "NtUserGetKeyState", 425 | "NtUserGetListBoxInfo", 426 | "NtUserGetMenuBarInfo", 427 | "NtUserGetMenuIndex", 428 | "NtUserGetMenuItemRect", 429 | "NtUserGetMessage", 430 | "NtUserGetMouseMovePointsEx", 431 | "NtUserGetObjectInformation", 432 | "NtUserGetOpenClipboardWindow", 433 | "NtUserGetPriorityClipboardFormat", 434 | "NtUserGetProcessWindowStation", 435 | "NtUserGetRawInputBuffer", 436 | "NtUserGetRawInputData", 437 | "NtUserGetRawInputDeviceInfo", 438 | "NtUserGetRawInputDeviceList", 439 | "NtUserGetRegisteredRawInputDevices", 440 | "NtUserGetScrollBarInfo", 441 | "NtUserGetSystemMenu", 442 | "NtUserGetThreadDesktop", 443 | "NtUserGetThreadState", 444 | "NtUserGetTitleBarInfo", 445 | "NtUserGetUpdateRect", 446 | "NtUserGetUpdateRgn", 447 | "NtUserGetWindowDC", 448 | "NtUserGetWindowPlacement", 449 | "NtUserGetWOWClass", 450 | "NtUserHardErrorControl", 451 | "NtUserHideCaret", 452 | "NtUserHiliteMenuItem", 453 | "NtUserImpersonateDdeClientWindow", 454 | "NtUserInitialize", 455 | "NtUserInitializeClientPfnArrays", 456 | "NtUserInitTask", 457 | "NtUserInternalGetWindowText", 458 
| "NtUserInvalidateRect", 459 | "NtUserInvalidateRgn", 460 | "NtUserIsClipboardFormatAvailable", 461 | "NtUserKillTimer", 462 | "NtUserLoadKeyboardLayoutEx", 463 | "NtUserLockWindowStation", 464 | "NtUserLockWindowUpdate", 465 | "NtUserLockWorkStation", 466 | "NtUserMapVirtualKeyEx", 467 | "NtUserMenuItemFromPoint", 468 | "NtUserMessageCall", 469 | "NtUserMinMaximize", 470 | "NtUserMNDragLeave", 471 | "NtUserMNDragOver", 472 | "NtUserModifyUserStartupInfoFlags", 473 | "NtUserMoveWindow", 474 | "NtUserNotifyIMEStatus", 475 | "NtUserNotifyProcessCreate", 476 | "NtUserNotifyWinEvent", 477 | "NtUserOpenClipboard", 478 | "NtUserOpenDesktop", 479 | "NtUserOpenInputDesktop", 480 | "NtUserOpenWindowStation", 481 | "NtUserPaintDesktop", 482 | "NtUserPeekMessage", 483 | "NtUserPostMessage", 484 | "NtUserPostThreadMessage", 485 | "NtUserPrintWindow", 486 | "NtUserProcessConnect", 487 | "NtUserQueryInformationThread", 488 | "NtUserQueryInputContext", 489 | "NtUserQuerySendMessage", 490 | "NtUserQueryUserCounters", 491 | "NtUserQueryWindow", 492 | "NtUserRealChildWindowFromPoint", 493 | "NtUserRealInternalGetMessage", 494 | "NtUserRealWaitMessageEx", 495 | "NtUserRedrawWindow", 496 | "NtUserRegisterClassExWOW", 497 | "NtUserRegisterUserApiHook", 498 | "NtUserRegisterHotKey", 499 | "NtUserRegisterRawInputDevices", 500 | "NtUserRegisterTasklist", 501 | "NtUserRegisterWindowMessage", 502 | "NtUserRemoveMenu", 503 | "NtUserRemoveProp", 504 | "NtUserResolveDesktop", 505 | "NtUserResolveDesktopForWOW", 506 | "NtUserSBGetParms", 507 | "NtUserScrollDC", 508 | "NtUserScrollWindowEx", 509 | "NtUserSelectPalette", 510 | "NtUserSendInput", 511 | "NtUserSetActiveWindow", 512 | "NtUserSetAppImeLevel", 513 | "NtUserSetCapture", 514 | "NtUserSetClassLong", 515 | "NtUserSetClassWord", 516 | "NtUserSetClipboardData", 517 | "NtUserSetClipboardViewer", 518 | "NtUserSetConsoleReserveKeys", 519 | "NtUserSetCursor", 520 | "NtUserSetCursorContents", 521 | "NtUserSetCursorIconData", 522 | 
"NtUserSetDbgTag", 523 | "NtUserSetFocus", 524 | "NtUserSetImeHotKey", 525 | "NtUserSetImeInfoEx", 526 | "NtUserSetImeOwnerWindow", 527 | "NtUserSetInformationProcess", 528 | "NtUserSetInformationThread", 529 | "NtUserSetInternalWindowPos", 530 | "NtUserSetKeyboardState", 531 | "NtUserSetLogonNotifyWindow", 532 | "NtUserSetMenu", 533 | "NtUserSetMenuContextHelpId", 534 | "NtUserSetMenuDefaultItem", 535 | "NtUserSetMenuFlagRtoL", 536 | "NtUserSetObjectInformation", 537 | "NtUserSetParent", 538 | "NtUserSetProcessWindowStation", 539 | "NtUserSetProp", 540 | "NtUserSetRipFlags", 541 | "NtUserSetScrollInfo", 542 | "NtUserSetShellWindowEx", 543 | "NtUserSetSysColors", 544 | "NtUserSetSystemCursor", 545 | "NtUserSetSystemMenu", 546 | "NtUserSetSystemTimer", 547 | "NtUserSetThreadDesktop", 548 | "NtUserSetThreadLayoutHandles", 549 | "NtUserSetThreadState", 550 | "NtUserSetTimer", 551 | "NtUserSetWindowFNID", 552 | "NtUserSetWindowLong", 553 | "NtUserSetWindowPlacement", 554 | "NtUserSetWindowPos", 555 | "NtUserSetWindowRgn", 556 | "NtUserSetWindowsHookAW", 557 | "NtUserSetWindowsHookEx", 558 | "NtUserSetWindowStationUser", 559 | "NtUserSetWindowWord", 560 | "NtUserSetWinEventHook", 561 | "NtUserShowCaret", 562 | "NtUserShowScrollBar", 563 | "NtUserShowWindow", 564 | "NtUserShowWindowAsync", 565 | "NtUserSoundSentry", 566 | "NtUserSwitchDesktop", 567 | "NtUserSystemParametersInfo", 568 | "NtUserTestForInteractiveUser", 569 | "NtUserThunkedMenuInfo", 570 | "NtUserThunkedMenuItemInfo", 571 | "NtUserToUnicodeEx", 572 | "NtUserTrackMouseEvent", 573 | "NtUserTrackPopupMenuEx", 574 | "NtUserCalcMenuBar", 575 | "NtUserPaintMenuBar", 576 | "NtUserTranslateAccelerator", 577 | "NtUserTranslateMessage", 578 | "NtUserUnhookWindowsHookEx", 579 | "NtUserUnhookWinEvent", 580 | "NtUserUnloadKeyboardLayout", 581 | "NtUserUnlockWindowStation", 582 | "NtUserUnregisterClass", 583 | "NtUserUnregisterUserApiHook", 584 | "NtUserUnregisterHotKey", 585 | "NtUserUpdateInputContext", 586 | 
"NtUserUpdateInstance", 587 | "NtUserUpdateLayeredWindow", 588 | "NtUserGetLayeredWindowAttributes", 589 | "NtUserSetLayeredWindowAttributes", 590 | "NtUserUpdatePerUserSystemParameters", 591 | "NtUserUserHandleGrantAccess", 592 | "NtUserValidateHandleSecure", 593 | "NtUserValidateRect", 594 | "NtUserValidateTimerCallback", 595 | "NtUserVkKeyScanEx", 596 | "NtUserWaitForInputIdle", 597 | "NtUserWaitForMsgAndEvent", 598 | "NtUserWaitMessage", 599 | "NtUserWin32PoolAllocationStats", 600 | "NtUserWindowFromPoint", 601 | "NtUserYieldTask", 602 | "NtUserRemoteConnect", 603 | "NtUserRemoteRedrawRectangle", 604 | "NtUserRemoteRedrawScreen", 605 | "NtUserRemoteStopScreenUpdates", 606 | "NtUserCtxDisplayIOCtl", 607 | "NtGdiEngAssociateSurface", 608 | "NtGdiEngCreateBitmap", 609 | "NtGdiEngCreateDeviceSurface", 610 | "NtGdiEngCreateDeviceBitmap", 611 | "NtGdiEngCreatePalette", 612 | "NtGdiEngComputeGlyphSet", 613 | "NtGdiEngCopyBits", 614 | "NtGdiEngDeletePalette", 615 | "NtGdiEngDeleteSurface", 616 | "NtGdiEngEraseSurface", 617 | "NtGdiEngUnlockSurface", 618 | "NtGdiEngLockSurface", 619 | "NtGdiEngBitBlt", 620 | "NtGdiEngStretchBlt", 621 | "NtGdiEngPlgBlt", 622 | "NtGdiEngMarkBandingSurface", 623 | "NtGdiEngStrokePath", 624 | "NtGdiEngFillPath", 625 | "NtGdiEngStrokeAndFillPath", 626 | "NtGdiEngPaint", 627 | "NtGdiEngLineTo", 628 | "NtGdiEngAlphaBlend", 629 | "NtGdiEngGradientFill", 630 | "NtGdiEngTransparentBlt", 631 | "NtGdiEngTextOut", 632 | "NtGdiEngStretchBltROP", 633 | "NtGdiXLATEOBJ_cGetPalette", 634 | "NtGdiXLATEOBJ_iXlate", 635 | "NtGdiXLATEOBJ_hGetColorTransform", 636 | "NtGdiCLIPOBJ_bEnum", 637 | "NtGdiCLIPOBJ_cEnumStart", 638 | "NtGdiCLIPOBJ_ppoGetPath", 639 | "NtGdiEngDeletePath", 640 | "NtGdiEngCreateClip", 641 | "NtGdiEngDeleteClip", 642 | "NtGdiBRUSHOBJ_ulGetBrushColor", 643 | "NtGdiBRUSHOBJ_pvAllocRbrush", 644 | "NtGdiBRUSHOBJ_pvGetRbrush", 645 | "NtGdiBRUSHOBJ_hGetColorTransform", 646 | "NtGdiXFORMOBJ_bApplyXform", 647 | "NtGdiXFORMOBJ_iGetXform", 648 | 
"NtGdiFONTOBJ_vGetInfo", 649 | "NtGdiFONTOBJ_pxoGetXform", 650 | "NtGdiFONTOBJ_cGetGlyphs", 651 | "NtGdiFONTOBJ_pifi", 652 | "NtGdiFONTOBJ_pfdg", 653 | "NtGdiFONTOBJ_pQueryGlyphAttrs", 654 | "NtGdiFONTOBJ_pvTrueTypeFontFile", 655 | "NtGdiFONTOBJ_cGetAllGlyphHandles", 656 | "NtGdiSTROBJ_bEnum", 657 | "NtGdiSTROBJ_bEnumPositionsOnly", 658 | "NtGdiSTROBJ_bGetAdvanceWidths", 659 | "NtGdiSTROBJ_vEnumStart", 660 | "NtGdiSTROBJ_dwGetCodePage", 661 | "NtGdiPATHOBJ_vGetBounds", 662 | "NtGdiPATHOBJ_bEnum", 663 | "NtGdiPATHOBJ_vEnumStart", 664 | "NtGdiPATHOBJ_vEnumStartClipLines", 665 | "NtGdiPATHOBJ_bEnumClipLines", 666 | "NtGdiGetDhpdev", 667 | "NtGdiEngCheckAbort", 668 | "NtGdiHT_Get8BPPFormatPalette", 669 | "NtGdiHT_Get8BPPMaskPalette", 670 | "NtGdiUpdateTransform", 671 | "NtGdiSetPUMPDOBJ", 672 | "NtGdiBRUSHOBJ_DeleteRbrush", 673 | "NtGdiUnmapMemFont", /* second occurrence of this name (also listed right after NtGdiUnloadPrinterDriver); the table is positional, so do not de-duplicate */ 674 | "NtGdiDrawStream", 675 | NULL /* sentinel; keep last */ 676 | }; 677 | #endif -------------------------------------------------------------------------------- /Common/ring3common.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _RING3_COMMON_ 3 | #define _RING3_COMMON_ 4 | 5 | typedef short CSHORT; /* same width as the kernel-mode CSHORT so the struct below lays out identically on both sides */ 6 | /* User-mode copy of the kernel TIME_FIELDS layout, so the GUI can read time values without the DDK headers. NOTE(review): presumably this crosses the IOCTL boundary (see Common/DataStruct.h and IoControlCmd.h) -- confirm; any change here must be mirrored in the kernel-side definition, and values received from the driver should still be range-checked against the ranges noted on each field before they are trusted. */ 7 | typedef struct _TIME_FIELDS { 8 | CSHORT Year; // range [1601...] 
9 | CSHORT Month; // range [1..12] 10 | CSHORT Day; // range [1..31] 11 | CSHORT Hour; // range [0..23] 12 | CSHORT Minute; // range [0..59] 13 | CSHORT Second; // range [0..59] 14 | CSHORT Milliseconds;// range [0..999] 15 | CSHORT Weekday; // range [0..6] == [Sunday..Saturday] 16 | } TIME_FIELDS, * PTIME_FIELDS; 17 | 18 | #endif -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ScDetective [![Total views](https://sourcegraph.com/api/repos/github.com/kedebug/ScDetective/counters/views.png)](https://sourcegraph.com/github.com/kedebug/ScDetective) 2 | ============================================================== 3 | A kernel-level anti-rootkit tool for the Windows platform. 4 | 5 | ## Basic information 6 | - GUI: VS2008 - MFC 7 | - Driver: VS2005 - ddkwizard 8 | - DDK version: 7600.16385.1 9 | - Debug: WinDbg - VirtualKD - VMware 10 | - Platform: XP SP3 & Win7 (Win32 builds) 11 | - Finished: 2010.12 12 | - Author: kedebug (Wei Sun) 13 | 14 | ## Kernel module 15 | 16 | There are six modules in the ScDetective_Driver tree: 17 | 18 | - Detect and restore the SSDT and shadow SSDT. 19 | - Checks the SSDT from both the user-mode and the kernel-mode module to ensure accuracy. 20 | - Detect and statically examine the active processes. 21 | - Gets an accurate process list from PspCidTable. 22 | - Brute-forces all processes by scanning memory. 23 | - Detect and statically examine the loaded drivers. 24 | - HookEngine module; part of the work was reverse-engineered from the CNNIC driver. 25 | - Dispatches a Deferred Procedure Call (DPC) so that hooks are installed safely. 26 | - The engine was reverse-engineered from the CNNIC hook module. 27 | - Self-protection module (DKOM techniques). 28 | - Removes itself from the kernel process list. 29 | - Erases its own handle from the global handle table. (Note: unlinking from the process list and erasing the handle-table entry are the same hiding techniques rootkits use, so other security tools may flag ScDetective itself.) 30 | - A demo file-system filter driver based on the sfilter library (in progress). 
31 | 32 | ## Thanks 33 | ScDetective is my very first project, and it's currently in a very alpha state. 34 | It was finished in my third year in college, at that time I was addicted to the 35 | windows driver programming and accumulated lot of debug skills. 36 | 37 | Thanks to the great open source spirit, without previous work I couldn't do all 38 | this alone. Thanks to the [bbs.pediy.com](http://bbs.pediy.com/) forum, it gave me so much happiness and 39 | unforgetable memories in my college life. 40 | 41 | If you have any suggestion or questions, please feel free to get in touch via kedebug0@gmail.com. 42 | -------------------------------------------------------------------------------- /ScDetective/ScDetective.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 10.00 3 | # Visual Studio 2008 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScDetective", "ScDetective\ScDetective.vcproj", "{6D3EC7EF-4DD2-4E50-97DC-80985E33D8E3}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {6D3EC7EF-4DD2-4E50-97DC-80985E33D8E3}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {6D3EC7EF-4DD2-4E50-97DC-80985E33D8E3}.Debug|Win32.Build.0 = Debug|Win32 14 | {6D3EC7EF-4DD2-4E50-97DC-80985E33D8E3}.Release|Win32.ActiveCfg = Release|Win32 15 | {6D3EC7EF-4DD2-4E50-97DC-80985E33D8E3}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/Driver/Driver.cpp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Function/Driver/Driver.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/Driver/Driver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Function/Driver/Driver.h -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/File/File.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Function/File/File.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/File/File.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | #ifndef __FILE_H__ 4 | #define __FILE_H__ 5 | 6 | typedef struct _LANGUAGE_CODE_PAGE { 7 | WORD wLanguage; 8 | WORD wCodePage; 9 | } LANGUAGE_CODE_PAGE, * PLANGUAGE_CODE_PAGE; 10 | 11 | BOOL 12 | GetFileCorporation( 13 | PWCHAR pszFileName, 14 | PWCHAR pszFileCorporation 15 | ); 16 | VOID 17 | BrowseFolder( 18 | LPCTSTR szImagePath 19 | ); 20 | VOID ModifyFileImagePath( 21 | PSTR pszFilePath, 22 | PSTR pszWin32Name, 23 | ULONG cbszWin32Name 24 | ); 25 | VOID 26 | GetFileNameByImagePath( 27 | LPTSTR pszImagePath, 28 | LPTSTR pszFileName 29 | ); 30 | 31 | #endif 32 | 33 | -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/OS/OS.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Function/OS/OS.cpp 
-------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/OS/OS.h: -------------------------------------------------------------------------------- 1 | #ifndef __OS_H 2 | #define __OS_H 3 | 4 | #define VER_GET_ERROR 0 5 | #define VER_UNSUPPORT 1 6 | #define VER_WINXP 2 7 | #define VER_WXPSP1 3 8 | #define VER_WXPSP2 4 9 | #define VER_WXPSP3 5 10 | #define VER_W2K3 6 11 | #define VER_W2K3SP1 7 12 | #define VER_W2K3SP2 8 13 | #define VER_VISTA11 9 14 | #define VER_VISTASP1 10 15 | #define VER_VISTAULT 11 16 | #define VER_WINDOWS7 12 17 | 18 | ////////////////////////////////////////////////////////////////////////// 19 | 20 | WORD GetCurrentOSVersion(VOID); 21 | 22 | #endif -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/PE/PE.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Function/PE/PE.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/PE/PE.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _PE_H_ 3 | #define _PE_H_ 4 | 5 | #define ibaseDD *(PDWORD)&ibase 6 | 7 | DWORD 8 | GetHeaders( 9 | PCHAR ibase, 10 | PIMAGE_FILE_HEADER *pfh, 11 | PIMAGE_OPTIONAL_HEADER *poh, 12 | PIMAGE_SECTION_HEADER *psh 13 | ); 14 | 15 | PCHAR 16 | GetSectionPoint( 17 | PCTSTR ImagePath, 18 | PCSTR SectionName, 19 | PDWORD ImageBase, 20 | char** pFile 21 | ); 22 | 23 | 24 | BOOL 25 | GetFuncAddressFromIAT( 26 | HMODULE ModuleBase, 27 | PSTR pszFuncName, 28 | PULONG pFuncAddress 29 | ); 30 | 31 | 32 | #endif 33 | 34 | -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/module/Module.cpp: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Function/module/Module.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/module/Module.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _MODULE_H_ 3 | #define _MODULE_H_ 4 | 5 | #include 6 | #include 7 | #pragma comment(lib, "ntdll.lib") 8 | 9 | BOOL 10 | GetKernelModuleNameByAddress( 11 | PSTR pszName, 12 | ULONG cbName, 13 | DWORD dwFunAddress, 14 | BOOL bFlag 15 | ); 16 | 17 | BOOL 18 | GetKernelModuleBaseByName( 19 | PSTR pszName, 20 | PULONG SysBase 21 | ); 22 | 23 | BOOL 24 | GetKernelInformation( 25 | PSTR pszKernelName, 26 | ULONG cbName, 27 | PULONG pKernelBase 28 | ); 29 | BOOL 30 | GetPsModuleNameByAddress( 31 | ULONG ProcessId, 32 | ULONG pfnAddress, 33 | LPTSTR pszModuleName, 34 | ULONG cbszModuleName 35 | ); 36 | 37 | #endif -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/module/Process.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Function/module/Process.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/module/Process.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _PROCESS_H__ 3 | #define _PROCESS_H__ 4 | 5 | VOID 6 | Convert2DosDeviceName( 7 | PTSTR pszSource, 8 | PTSTR pszDest, 9 | int cbszDest 10 | ); 11 | VOID 12 | GetProcessImagePath( 13 | HANDLE hProcess, 14 | LPTSTR szFullImagePath 15 | ); 16 | BOOL 17 | AquireUserAccess( 18 | ULONG ProcessId, 19 | PHANDLE Handle 20 | ); 21 | VOID 22 | 
CloseMyHandles( 23 | ULONG ProcessId 24 | ); 25 | 26 | #endif -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/ssdt/ssdt.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Function/ssdt/ssdt.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Function/ssdt/ssdt.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _SSDT_H 3 | #define _SSDT_H 4 | 5 | #define MOV_OPCODE 0xB8 6 | 7 | ;typedef struct _IMAGE_FIXUP_ENTRY { 8 | WORD offset:12; 9 | WORD type:4; 10 | } IMAGE_FIXUP_ENTRY, * PIMAGE_FIXUP_ENTRY ; 11 | 12 | DWORD 13 | FindKiServiceTable( 14 | HMODULE hModule, 15 | DWORD dwKSDT 16 | ); 17 | 18 | PDWORD 19 | GetSsdtNativeFunAddresses( 20 | PDWORD NumOfAddress 21 | ); 22 | 23 | PSSDT_NAME 24 | GetSsdtNativeFunNames( 25 | PDWORD NumOfFunName 26 | ); 27 | 28 | ////////////////////////////////////////////////////////////////////////// 29 | 30 | PDWORD 31 | GetShadowSsdtNativeFunAddresses( 32 | PDWORD NumberOfAddresses 33 | ); 34 | 35 | #endif 36 | 37 | -------------------------------------------------------------------------------- /ScDetective/ScDetective/Page1.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page1.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Page1.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page1.h 
-------------------------------------------------------------------------------- /ScDetective/ScDetective/Page2.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page2.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Page2.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page2.h -------------------------------------------------------------------------------- /ScDetective/ScDetective/Page3.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page3.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Page3.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page3.h -------------------------------------------------------------------------------- /ScDetective/ScDetective/Page4.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page4.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Page4.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page4.h 
-------------------------------------------------------------------------------- /ScDetective/ScDetective/Page5.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page5.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/Page5.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/Page5.h -------------------------------------------------------------------------------- /ScDetective/ScDetective/PageFile.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/PageFile.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/PageFile.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/PageFile.h -------------------------------------------------------------------------------- /ScDetective/ScDetective/ReadMe.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/ReadMe.txt -------------------------------------------------------------------------------- /ScDetective/ScDetective/ScDetective.aps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/ScDetective.aps 
-------------------------------------------------------------------------------- /ScDetective/ScDetective/ScDetective.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/ScDetective.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/ScDetective.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/ScDetective.h -------------------------------------------------------------------------------- /ScDetective/ScDetective/ScDetective.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/ScDetective.rc -------------------------------------------------------------------------------- /ScDetective/ScDetective/ScDetective.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/ScDetective.vcproj -------------------------------------------------------------------------------- /ScDetective/ScDetective/ScDetectiveDlg.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/ScDetectiveDlg.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/ScDetectiveDlg.h: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/ScDetectiveDlg.h -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/1442.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/1442.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/870.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/870.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/ScDetective.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/ScDetective.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/ScDetective.rc2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/ScDetective.rc2 -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/disk.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/disk.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/dvd.ico: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/dvd.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/floder.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/floder.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/floppy.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/floppy.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/pc.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/pc.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/remote.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/remote.ico -------------------------------------------------------------------------------- /ScDetective/ScDetective/res/remove.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/res/remove.ico -------------------------------------------------------------------------------- 
/ScDetective/ScDetective/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by ScDetective.rc 4 | // 5 | #define IDM_ABOUTBOX 0x0010 6 | #define IDD_ABOUTBOX 100 7 | #define IDS_ABOUTBOX 101 8 | #define IDD_SCDETECTIVE_DIALOG 102 9 | #define IDR_MAINFRAME 128 10 | #define IDD_SSDT 129 11 | #define IDD_SSDTSHADOW 130 12 | #define IDR_MENU1_SSDT 131 13 | #define IDD_PAGE_R3HOOK 132 14 | #define IDR_MENU2_SSDT_SHADOW 132 15 | #define IDD_PAGE_PROCESS 133 16 | #define IDR_MENU4_PROCESS 134 17 | #define IDD_PROCESS_THREADS 135 18 | #define IDD_PROCESS_MODULES 136 19 | #define IDR_MENU1 136 20 | #define IDD_PROCESS_HANDLES 137 21 | #define IDD_PAGE_DRIVEROBJECT 138 22 | #define IDR_MENU5_DRIVER 140 23 | #define IDD_DIALOG1 140 24 | #define IDD_PAGE_FILE 140 25 | #define IDD_MSGHOOK 141 26 | #define IDI_FIXED 141 27 | #define IDC_LIST_MSGHOOK 142 28 | #define IDI_CDROM 142 29 | #define IDD_SYSROUTINE 143 30 | #define IDI_RAMDISK 143 31 | #define IDC_LIST_SYSROUTINE 144 32 | #define IDI_FLODER 144 33 | #define IDI_MYPC 145 34 | #define IDI_REMOTE 146 35 | #define IDI_REMOVEABLE 147 36 | #define IDC_TAB_PAGE 1001 37 | #define IDC_LIST1 1003 38 | #define IDC_STATUS_TEXT 1004 39 | #define IDC_LIST3 1005 40 | #define IDC_LIST2 1006 41 | #define IDC_LIST4 1007 42 | #define IDC_LIST_PROCESS_MODULES 1008 43 | #define IDC_TAB1 1008 44 | #define IDC_LIST_PROCESS_HANDLES 1009 45 | #define IDC_TREE1 1009 46 | #define IDC_LIST5 1010 47 | #define IDC_LIST_PROCESS_THREADS 1011 48 | #define IDR_MENU3_MSGHOOK 1012 49 | #define IDC_LIST6 1023 50 | #define ID_MENU_32771 32771 51 | #define ID_MENU_32772 32772 52 | #define ID_MENU_32773 32773 53 | #define ID_MENU_32774 32774 54 | #define ID_MENU_32775 32775 55 | #define ID_MENU_32776 32776 56 | #define ID_MENU_32777 32777 57 | #define ID_MENU_32778 32778 58 | #define ID_MENU_32779 32779 59 | #define ID_MENU_32780 
32780 60 | #define ID_MENU_32781 32781 61 | #define ID_MENU_32782 32782 62 | #define ID_MENU_32783 32783 63 | #define ID_MENU_32784 32784 64 | #define ID_MENU_32785 32785 65 | #define ID_MENU_32786 32786 66 | #define ID_MENU_32787 32787 67 | #define ID_MENU_32788 32788 68 | #define ID_MENU_32789 32789 69 | 70 | // Next default values for new objects 71 | // 72 | #ifdef APSTUDIO_INVOKED 73 | #ifndef APSTUDIO_READONLY_SYMBOLS 74 | #define _APS_NEXT_RESOURCE_VALUE 148 75 | #define _APS_NEXT_COMMAND_VALUE 32790 76 | #define _APS_NEXT_CONTROL_VALUE 1010 77 | #define _APS_NEXT_SYMED_VALUE 101 78 | #endif 79 | #endif 80 | -------------------------------------------------------------------------------- /ScDetective/ScDetective/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/stdafx.cpp -------------------------------------------------------------------------------- /ScDetective/ScDetective/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/stdafx.h -------------------------------------------------------------------------------- /ScDetective/ScDetective/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective/ScDetective/targetver.h -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 9.00 3 | # Visual Studio 2005 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScDetective.W7", 
"ScDetective\ScDetective.W7.vcproj", "{901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScDetectiveFilter.W7", "..\ScDetective_Filter\ScDetectiveFilter\ScDetectiveFilter.W7.vcproj", "{2189350A-C978-4D54-ABCF-68F91F29EBE5}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | W7 checked|Win32 = W7 checked|Win32 11 | W7 free|Win32 = W7 free|Win32 12 | W7LH checked|Win32 = W7LH checked|Win32 13 | W7LH free|Win32 = W7LH free|Win32 14 | W7NET checked|Win32 = W7NET checked|Win32 15 | W7NET free|Win32 = W7NET free|Win32 16 | W7XP checked|Win32 = W7XP checked|Win32 17 | W7XP free|Win32 = W7XP free|Win32 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7 checked|Win32.ActiveCfg = W7 checked|Win32 21 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7 checked|Win32.Build.0 = W7 checked|Win32 22 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7 checked|Win32.Deploy.0 = W7 checked|Win32 23 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7 free|Win32.ActiveCfg = W7 free|Win32 24 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7 free|Win32.Build.0 = W7 free|Win32 25 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7 free|Win32.Deploy.0 = W7 free|Win32 26 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7LH checked|Win32.ActiveCfg = W7LH checked|Win32 27 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7LH checked|Win32.Build.0 = W7LH checked|Win32 28 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7LH checked|Win32.Deploy.0 = W7LH checked|Win32 29 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7LH free|Win32.ActiveCfg = W7LH free|Win32 30 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7LH free|Win32.Build.0 = W7LH free|Win32 31 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7LH free|Win32.Deploy.0 = W7LH free|Win32 32 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7NET checked|Win32.ActiveCfg = W7NET checked|Win32 33 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7NET 
checked|Win32.Build.0 = W7NET checked|Win32 34 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7NET checked|Win32.Deploy.0 = W7NET checked|Win32 35 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7NET free|Win32.ActiveCfg = W7NET free|Win32 36 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7NET free|Win32.Build.0 = W7NET free|Win32 37 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7NET free|Win32.Deploy.0 = W7NET free|Win32 38 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7XP checked|Win32.ActiveCfg = W7XP checked|Win32 39 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7XP checked|Win32.Build.0 = W7XP checked|Win32 40 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7XP checked|Win32.Deploy.0 = W7XP checked|Win32 41 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7XP free|Win32.ActiveCfg = W7XP free|Win32 42 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7XP free|Win32.Build.0 = W7XP free|Win32 43 | {901B2D1A-7D66-4EE2-BE8D-0C7D2DA7843B}.W7XP free|Win32.Deploy.0 = W7XP free|Win32 44 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 checked|Win32.ActiveCfg = W7 checked|Win32 45 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 checked|Win32.Build.0 = W7 checked|Win32 46 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 free|Win32.ActiveCfg = W7 free|Win32 47 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 free|Win32.Build.0 = W7 free|Win32 48 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH checked|Win32.ActiveCfg = W7LH checked|Win32 49 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH checked|Win32.Build.0 = W7LH checked|Win32 50 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH free|Win32.ActiveCfg = W7LH free|Win32 51 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH free|Win32.Build.0 = W7LH free|Win32 52 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET checked|Win32.ActiveCfg = W7NET checked|Win32 53 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET checked|Win32.Build.0 = W7NET checked|Win32 54 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET free|Win32.ActiveCfg = W7NET free|Win32 55 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET free|Win32.Build.0 
= W7NET free|Win32 56 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP checked|Win32.ActiveCfg = W7XP checked|Win32 57 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP checked|Win32.Build.0 = W7XP checked|Win32 58 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP free|Win32.ActiveCfg = W7XP free|Win32 59 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP free|Win32.Build.0 = W7XP free|Win32 60 | EndGlobalSection 61 | GlobalSection(SolutionProperties) = preSolution 62 | HideSolutionNode = FALSE 63 | EndGlobalSection 64 | EndGlobal 65 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective.suo -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/File/File.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/File/File.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/File/File.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _FILE_H_ 3 | #define _FILE_H_ 4 | 5 | typedef struct _FILE_LIST_HEAD { 6 | LIST_ENTRY FileListHead; 7 | ULONG NumberOfItems; 8 | } FILE_LIST_HEAD, * PFILE_LIST_HEAD; 9 | 10 | ////////////////////////////////////////////////////////////////////////// 11 | 12 | PFILE_LIST_HEAD g_FileListHead = NULL; 13 | 14 | ////////////////////////////////////////////////////////////////////////// 15 | 16 | NTSTATUS 17 | ScfsQueryFileNameString( 18 | PFILE_OBJECT FileObject, 19 | PUNICODE_STRING NameString 20 | ); 21 | 22 | PUNICODE_STRING 23 | Convert2KernelLinkName( 24 | 
PUNICODE_STRING DosLinkName 25 | ); 26 | 27 | PFILE_LIST_HEAD 28 | ScfsQueryDirectoryInformation( 29 | PWCHAR pszDirectory 30 | ); 31 | 32 | ULONG 33 | ExCopyFileList2Buffer( 34 | PFILE_INFO FileInfo 35 | ); 36 | 37 | #endif 38 | 39 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/HookEngine/HookEngine.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/HookEngine/HookEngine.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/HookEngine/HookEngine.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/HookEngine/HookEngine.h -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/LDasm/LDasm.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/LDasm/LDasm.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/LDasm/LDasm.h: -------------------------------------------------------------------------------- 1 | #ifndef _LDASM_ 2 | #define _LDASM_ 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode); 9 | 10 | unsigned long __fastcall SizeOfProc(void *Proc); 11 | 12 | char __fastcall IsRelativeCmd(unsigned char *pOpcode); 13 | 14 | #ifdef __cplusplus 15 | } 16 | #endif 17 | 18 | #endif -------------------------------------------------------------------------------- 
/ScDetective_Driver/ScDetective/Memory/memory.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/Memory/memory.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/Memory/memory.h: --------------------------------------------------------------------------------
1 |
2 | //////////////////////////////////////////////////////////////////////////
3 | //
4 | // Memory Operation
5 | //
6 | //////////////////////////////////////////////////////////////////////////
7 |
8 | #ifndef __MEMORY_H__
9 | #define __MEMORY_H__
10 |
11 | #include "ScDetective.h"
12 |
/* Page-validity codes; Process/Module.c compares ScmValidPage()'s result
 * against PTE_INVALID and PDE_INVALID to decide how far to skip. */
13 | #define INVALID_PAGE 0
14 | #define VALID_PAGE 1
15 | #define PDE_INVALID 2
16 | #define PTE_INVALID 3
17 |
/* Skip distances used when a page-directory or page-table entry is not present. */
18 | #define PDE_SIZE 0x400000 // 4mb
19 | #define PTE_SIZE 0x1000 // 4kb
20 |
21 | //////////////////////////////////////////////////////////////////////////
22 |
/* NOTE(review): these two are definitions, not 'extern' declarations, placed in a
 * header, so every translation unit that includes memory.h gets its own copy;
 * if more than one TU includes it this risks duplicate-symbol link errors.
 * Consider 'extern' here with a single definition in memory.c.
 * They bound the non-paged pool range scanned by Process/Module.c; the "Guess"
 * on the end value is the author's own caveat. */
23 | ULONG ScmNonPagedPoolStart;
24 | ULONG ScmNonPagedPoolEnd0G; // Guess
25 |
26 | //////////////////////////////////////////////////////////////////////////
/* Maps Length bytes at VirtualAddress and returns the new mapping; the MDL
 * backing it is returned through MdlAddress and must be handed back to
 * ScmUnmapVirtualAddress (ownership is inferred from the pairing of the two
 * prototypes — confirm in memory.c). */
27 | PVOID
28 | ScmMapVirtualAddress(
29 | __in PVOID VirtualAddress,
30 | __in ULONG Length,
31 | __out PMDL* MdlAddress
32 | );
33 |
34 | VOID
35 | ScmUnmapVirtualAddress(
36 | __in PMDL MdlAddress
37 | );
38 |
/* Classifies the page containing 'address'; callers treat the result as one of
 * the *_PAGE / *_INVALID codes above. */
39 | ULONG
40 | ScmValidPage(
41 | ULONG address
42 | );
43 | VOID
44 | InitializeMemoryValue(
45 | VOID
46 | );
47 |
/* Declared with empty parentheses (unspecified parameter list); presumably
 * toggle write protection around code patching — see memory.c. */
48 | VOID WPOFF();
49 | VOID WPON();
50 |
51 | #endif -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/Process/Module.c: --------------------------------------------------------------------------------
1 |
2 | #include "module.h"
3 |
4 | //////////////////////////////////////////////////////////////////////////
5 |
/*
 * SobGetObjectInformation
 *
 * Locates ActiveObject inside the non-paged pool range
 * [ScmNonPagedPoolStart, ScmNonPagedPoolEnd0G) and fills in ObjectClass so
 * that a later scan can recognise pool blocks of the same object type.
 *
 * ActiveObject - kernel object to search for; the caller in QueryWorkThread
 *                passes Context->DriverObject.
 * ObjectClass  - receives Key (the object type's pool key with the high bit
 *                0x80000000 set) and NumberOfObject up front; when the object
 *                is found it also receives MagicNumber (byte distance from the
 *                matching tag to the object), Type and Size (the first two
 *                USHORTs stored at the object).
 *
 * Returns STATUS_ACCESS_DENIED if either pointer is NULL, STATUS_SUCCESS when
 * the object was found, STATUS_UNSUCCESSFUL when the whole range was scanned
 * without a match. Key and NumberOfObject are written even on the failure path.
 *
 * NOTE(review): the result of ScObGetObjectType() is dereferenced at two fixed
 * offsets without a check and outside the __try block; if it can return 0 on
 * failure those reads fault — confirm against its definition. The offsets
 * offset_ObjectType_* come from elsewhere in the project and must match the
 * running OS build.
 */
6 | NTSTATUS SobGetObjectInformation(PVOID ActiveObject, POBJECT_CLASS ObjectClass)
7 | {
8 | ULONG NowAddress;
9 | ULONG ReturnValue;
10 | ULONG ObjectType;
11 | ULONG MagicNumber;
12 | PVOID Object = NULL;
13 |
14 | if (ActiveObject == NULL || ObjectClass == NULL) return STATUS_ACCESS_DENIED;
15 |
16 | ObjectType = ScObGetObjectType(ActiveObject);
17 |
/* Pool tag to look for: the type's key with its high bit set. */
18 | ObjectClass->Key = *(PULONG)(ObjectType + offset_ObjectType_Key) | 0x80000000;
19 | ObjectClass->NumberOfObject = *(PULONG)(ObjectType + offset_ObjectType_TotalNumberOfObjects);
20 |
/* Linear 4-byte scan of the configured non-paged pool range. Note the 4-byte
 * read at NowAddress is not bounded against ScmNonPagedPoolEnd0G - 4. */
21 | for (NowAddress = ScmNonPagedPoolStart; NowAddress < ScmNonPagedPoolEnd0G; NowAddress += 4)
22 | {
23 | __try {
24 | ReturnValue = ScmValidPage(NowAddress);
25 |
/* Page not present: advance by PTE_SIZE (net of the loop's += 4) from the
 * current address; this does not realign to a page boundary. */
26 | if (ReturnValue == PTE_INVALID) {
27 | NowAddress -= 4;
28 | NowAddress += PTE_SIZE;
29 | continue;
/* Directory entry not present: same idea with a PDE_SIZE stride. */
30 | } else if (ReturnValue == PDE_INVALID) {
31 | NowAddress -= 4;
32 | NowAddress += PDE_SIZE;
33 | continue;
34 | }
35 |
/* Candidate pool block: its first ULONG equals the tag computed above. */
36 | if (*((PULONG)NowAddress) != ObjectClass->Key) continue;
37 |
/* Look up to 0x150 bytes past the tag for the object itself. NOTE(review):
 * 0x150 is a magic window — presumably large enough to cover the pool and
 * object headers on the supported builds; confirm. Only pointer equality is
 * tested here, so nothing inside the window is dereferenced until a match. */
38 | for (MagicNumber = 0; MagicNumber < 0x150; MagicNumber += 4)
39 | {
40 | Object = (PVOID)(NowAddress + MagicNumber);
41 |
42 | if (Object == ActiveObject) {
43 |
44 | ObjectClass->MagicNumber = MagicNumber;
/* First two USHORTs at the object; their meaning depends on the object
 * layout the caller expects. */
45 | ObjectClass->Type = *((PUSHORT)Object);
46 | ObjectClass->Size = *((PUSHORT)Object + 1);
47 |
48 | return STATUS_SUCCESS;
49 | }
50 | }
/* A fault while probing simply resumes the scan at the next 4-byte step. */
51 | } __except (EXCEPTION_EXECUTE_HANDLER) { continue; }
52 | }
53 | return STATUS_UNSUCCESSFUL;
54 | }
55 |
56 | //////////////////////////////////////////////////////////////////////////
57 |
58 | VOID QueryWorkThread(PVOID ThreadContext)
59 | {
60 | NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
61 | PDRIVER_CONTEXT Context = ThreadContext;
62 | static OBJECT_CLASS ObjectClass;
63 | static ULONG Number = 1;
64 | ULONG NowAddress;
65 | PDRIVER_OBJECT Object = NULL;
66 | PDRIVER_INFO FoundDriver;
67 | PVOID DriverSection = NULL;
68 | ULONG i;
69 | ULONG ReturnValue;
70 | PDRIVER_INFO ReadyDriver = NULL;
71 | BOOLEAN LableFind = FALSE;
72 | PLIST_ENTRY p;
73 | PSYSTEM_MODULE_INFORMATION Modules;
74 |
PSYSTEM_MODULE_INFORMATION_ENTRY ModuleInfo; 75 | PVOID Buffer = NULL; 76 | ULONG BufferSize = 0x2000; 77 | ULONG ReturnLength; 78 | 79 | ////////////////////////////////////////////////////////////////////////// 80 | 81 | _Retry: 82 | Buffer = ExAllocatePoolWithTag(NonPagedPool, BufferSize, MEM_TAG); 83 | 84 | ntStatus = ZwQuerySystemInformation(SystemModuleInformation, Buffer, 85 | BufferSize, &ReturnLength); 86 | if (ntStatus == STATUS_INFO_LENGTH_MISMATCH) { 87 | BufferSize = ReturnLength; 88 | ExFreePoolWithTag(Buffer, MEM_TAG); 89 | goto _Retry; 90 | } 91 | if (NT_SUCCESS(ntStatus)) { 92 | Modules = (PSYSTEM_MODULE_INFORMATION)Buffer; 93 | ModuleInfo = &(Modules->Modules[0]); 94 | for (i = 0; i < Modules->NumberOfModules; i++, ModuleInfo++) 95 | { 96 | if ((ULONG)ModuleInfo->Base < 0x80000000) continue; 97 | 98 | FoundDriver = ExAllocatePoolWithTag(NonPagedPool, sizeof(DRIVER_INFO), MEM_TAG); 99 | RtlZeroMemory(FoundDriver, sizeof(DRIVER_INFO)); 100 | 101 | FoundDriver->ImageBase = (ULONG)ModuleInfo->Base; 102 | FoundDriver->DriverSize = ModuleInfo->Size; 103 | FoundDriver->bHidden = FALSE; 104 | 105 | if (ModuleInfo->OffsetToFileName != 0) 106 | RtlStringCbPrintfW(FoundDriver->ImagePath, 520, 107 | L"%S", ModuleInfo->FullPathName); 108 | else RtlStringCbPrintfW(FoundDriver->ImagePath, 520, 109 | L"\\SystemRoot\\System32\\Drivers\\%S", 110 | ModuleInfo->FullPathName); 111 | 112 | InsertTailList(&g_DriverListHead->DriverListHead, &FoundDriver->DriverLink); 113 | g_DriverListHead->NumberOfDrivers ++; 114 | } 115 | } 116 | ExFreePoolWithTag(Buffer, MEM_TAG); 117 | 118 | ////////////////////////////////////////////////////////////////////////// 119 | 120 | if (Number == 1) { 121 | ntStatus = SobGetObjectInformation(Context->DriverObject, &ObjectClass); 122 | if (!NT_SUCCESS(ntStatus)) { 123 | ExFreePoolWithTag(g_DriverListHead, MEM_TAG); 124 | g_DriverListHead = NULL; return ; 125 | } Number --; 126 | } 127 | 128 | for (NowAddress = ScmNonPagedPoolStart; 
NowAddress < ScmNonPagedPoolEnd0G; NowAddress += 4) 129 | { 130 | __try { 131 | ReturnValue = ScmValidPage(NowAddress); 132 | 133 | if (ReturnValue == PTE_INVALID) { 134 | NowAddress -= 4; 135 | NowAddress += PTE_SIZE; 136 | continue; 137 | } else if (ReturnValue == PDE_INVALID) { 138 | NowAddress -= 4; 139 | NowAddress += PDE_SIZE; 140 | continue; 141 | } 142 | 143 | if (((PULONG)NowAddress)[0] != ObjectClass.Key) continue; 144 | 145 | Object = (PDRIVER_OBJECT)(NowAddress + ObjectClass.MagicNumber); 146 | 147 | if (!MmIsAddressValid(Object)) continue; 148 | 149 | if (((PUSHORT)Object)[0] != ObjectClass.Type) continue; 150 | if (((PUSHORT)Object + 1)[0] != ObjectClass.Size) continue; 151 | 152 | if (!MmIsAddressValid(Object->DriverSection)) continue; 153 | 154 | DriverSection = Object->DriverSection; 155 | 156 | if (((PULONG)((ULONG)DriverSection + offset_LdrData_DLLBase))[0] != 157 | (ULONG)(Object->DriverStart)) { continue; } 158 | 159 | FoundDriver = ExAllocatePoolWithTag(NonPagedPool, sizeof(DRIVER_INFO), MEM_TAG); 160 | RtlZeroMemory(FoundDriver, sizeof(DRIVER_INFO)); 161 | 162 | FoundDriver->DriverObject = (ULONG)Object; 163 | FoundDriver->ImageBase = (ULONG)Object->DriverStart; 164 | 165 | if (FoundDriver->ImageBase < 0x80000000) { 166 | ExFreePoolWithTag(FoundDriver, MEM_TAG); continue; 167 | } 168 | 169 | FoundDriver->DriverSize = *(PULONG)((ULONG)DriverSection + offset_LdrData_SizeOfImage); 170 | 171 | RtlCopyMemory(FoundDriver->ServiceName, 172 | Object->DriverExtension->ServiceKeyName.Buffer, 173 | Object->DriverExtension->ServiceKeyName.Length); 174 | 175 | for (p = g_DriverListHead->DriverListHead.Flink; 176 | p != &g_DriverListHead->DriverListHead; 177 | p = p->Flink) { 178 | 179 | ReadyDriver = CONTAINING_RECORD(p, DRIVER_INFO, DriverLink); 180 | if (FoundDriver->ImageBase == ReadyDriver->ImageBase) { 181 | 182 | ReadyDriver->DriverObject = FoundDriver->DriverObject; 183 | RtlCopyMemory(ReadyDriver->ServiceName, FoundDriver->ServiceName, 64 * 2); 
184 | ExFreePoolWithTag(FoundDriver, MEM_TAG); 185 | 186 | LableFind = TRUE; break; 187 | } 188 | } 189 | 190 | if (LableFind == TRUE) { 191 | LableFind = FALSE; 192 | } else { 193 | FoundDriver->bHidden = TRUE; 194 | RtlStringCbPrintfW(FoundDriver->ImagePath, 520, L"%wZ", 195 | (ULONG)DriverSection + offset_LdrData_FullDllName); 196 | 197 | InsertTailList(&g_DriverListHead->DriverListHead, &FoundDriver->DriverLink); 198 | g_DriverListHead->NumberOfDrivers ++; 199 | } 200 | } __except (EXCEPTION_EXECUTE_HANDLER) { continue; } 201 | } 202 | KeSetEvent(Context->kEvent, IO_NO_INCREMENT, FALSE); 203 | ExFreePoolWithTag(Context, MEM_TAG); 204 | PsTerminateSystemThread(STATUS_SUCCESS); 205 | } 206 | 207 | ////////////////////////////////////////////////////////////////////////// 208 | PDRIVER_LIST_HEAD 209 | ScObQueryDriverObject(PDRIVER_OBJECT DriverObject, PKEVENT UserEvent) 210 | { 211 | PDRIVER_CONTEXT Context; 212 | HANDLE hThread; 213 | 214 | if (g_DriverListHead) return g_DriverListHead; 215 | 216 | if (DriverObject == NULL || UserEvent == NULL) return NULL; 217 | 218 | g_DriverListHead = ExAllocatePoolWithTag(NonPagedPool, sizeof(DRIVER_LIST_HEAD), MEM_TAG); 219 | InitializeListHead(&g_DriverListHead->DriverListHead); 220 | g_DriverListHead->NumberOfDrivers = 0; 221 | 222 | Context = ExAllocatePoolWithTag(NonPagedPool, sizeof(DRIVER_CONTEXT), MEM_TAG); 223 | Context->DriverObject = DriverObject; 224 | Context->kEvent = UserEvent; 225 | 226 | PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, 227 | NtCurrentProcess(), NULL, QueryWorkThread, Context); 228 | ZwClose(hThread); 229 | return NULL; 230 | } 231 | 232 | ////////////////////////////////////////////////////////////////////////// 233 | 234 | ULONG ExCopyDriverList2Buffer(PDRIVER_INFO DriverInfo) 235 | { 236 | PDRIVER_INFO tempDriver = NULL; 237 | ULONG ReturnLength = 0; 238 | 239 | if (g_DriverListHead == NULL) return 0; 240 | 241 | while (!IsListEmpty(&g_DriverListHead->DriverListHead)) 242 | { 243 | 
tempDriver = (PDRIVER_INFO)RemoveHeadList(&g_DriverListHead->DriverListHead); 244 | RtlCopyMemory(DriverInfo, tempDriver, sizeof(DRIVER_INFO)); 245 | ExFreePoolWithTag(tempDriver, MEM_TAG); 246 | DriverInfo ++; 247 | ReturnLength ++; 248 | } 249 | 250 | ExFreePoolWithTag(g_DriverListHead, MEM_TAG); 251 | g_DriverListHead = NULL; 252 | return ReturnLength * sizeof(DRIVER_INFO); 253 | } 254 | 255 | ////////////////////////////////////////////////////////////////////////// -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/Process/Process.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/Process/Process.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/Process/Process.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/Process/Process.h -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/Process/module.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _MODULE_H_ 3 | #define _MODULE_H_ 4 | 5 | #include "ScDetective.h" 6 | 7 | 8 | typedef struct _OBJECT_CLASS { 9 | ULONG MagicNumber; 10 | ULONG Key; 11 | ULONG NumberOfObject; 12 | USHORT Type; 13 | USHORT Size; 14 | } OBJECT_CLASS, * POBJECT_CLASS ; 15 | 16 | typedef struct _DRIVER_LIST_HEAD { 17 | LIST_ENTRY DriverListHead; 18 | ULONG NumberOfDrivers; 19 | } DRIVER_LIST_HEAD, * PDRIVER_LIST_HEAD ; 20 | 21 | typedef struct _DRIVER_CONTEXT { 22 | PDRIVER_OBJECT DriverObject; 23 | PKEVENT kEvent; 24 | } DRIVER_CONTEXT, * PDRIVER_CONTEXT ; 25 | 26 | 
////////////////////////////////////////////////////////////////////////// 27 | 28 | PDRIVER_LIST_HEAD g_DriverListHead = NULL; 29 | 30 | ////////////////////////////////////////////////////////////////////////// 31 | 32 | PDRIVER_LIST_HEAD 33 | ScObQueryDriverObject( 34 | PDRIVER_OBJECT DriverObject, 35 | PKEVENT UserEvent 36 | ); 37 | 38 | ULONG 39 | ExCopyDriverList2Buffer( 40 | PDRIVER_INFO DriverInfo 41 | ); 42 | 43 | #endif 44 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/Protect/ScProtect.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/Protect/ScProtect.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/Protect/ScProtect.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef __SC_PROTECT__ 3 | #define __SC_PROTECT__ 4 | 5 | #include "ScDetective.h" 6 | 7 | ////////////////////////////////////////////////////////////////////////// 8 | 9 | typedef struct _HANDLE_TABLE_ENTRY { 10 | union { 11 | PVOID Object; 12 | ULONG ObAttributes; 13 | }; 14 | union { 15 | union { 16 | ACCESS_MASK GrantedAccess; 17 | struct { 18 | USHORT GrantedAccessIndex; 19 | USHORT CreatorBackTraceIndex; 20 | }; 21 | }; 22 | LONG NextFreeTableEntry; 23 | }; 24 | } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY; 25 | 26 | ////////////////////////////////////////////////////////////////////////// 27 | 28 | typedef BOOLEAN (* EX_ENUMERATE_HANDLE_ROUTINE)( 29 | IN PHANDLE_TABLE_ENTRY HandleTableEntry, 30 | IN HANDLE Handle, 31 | IN PVOID EnumParameter 32 | ); 33 | 34 | typedef BOOLEAN (* pFnExEnumHandleTable)( 35 | IN PVOID HandleTable, 36 | IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure, 37 | IN PVOID EnumParameter, 38 | OUT PHANDLE Handle OPTIONAL 39 | ); 40 
| 41 | ////////////////////////////////////////////////////////////////////////// 42 | 43 | ULONG EraseNumber = 0; 44 | 45 | typedef struct _PROTECT_INFO { 46 | HANDLE_TABLE_ENTRY ObjectInfo[16]; 47 | PLIST_ENTRY ActiveProcessList; 48 | PVOID ObjectEntry[16]; 49 | HANDLE HiddenProcessId; 50 | } PROTECT_INFO, * PPROTECT_INFO ; 51 | 52 | PROTECT_INFO pdoHideGlobalInfo; 53 | 54 | ////////////////////////////////////////////////////////////////////////// 55 | 56 | NTSTATUS 57 | ScPtHideProcessById( 58 | __in HANDLE ProcessId 59 | ); 60 | 61 | VOID 62 | ScPtUnloadRoutine( 63 | VOID 64 | ); 65 | #endif -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ScDetective.W7.vcproj: -------------------------------------------------------------------------------- 1 | 2 | 8 | 9 | 12 | 13 | 14 | 15 | 16 | 23 | 36 | 37 | 44 | 57 | 58 | 65 | 78 | 79 | 86 | 99 | 100 | 107 | 120 | 121 | 128 | 141 | 142 | 149 | 162 | 163 | 170 | 183 | 184 | 185 | 186 | 187 | 188 | 192 | 195 | 196 | 199 | 200 | 201 | 205 | 208 | 209 | 210 | 214 | 217 | 218 | 221 | 222 | 225 | 226 | 229 | 230 | 233 | 234 | 237 | 238 | 239 | 242 | 245 | 246 | 249 | 250 | 251 | 255 | 258 | 259 | 262 | 263 | 266 | 267 | 270 | 271 | 272 | 275 | 278 | 279 | 282 | 283 | 286 | 287 | 290 | 291 | 292 | 295 | 298 | 299 | 300 | 303 | 306 | 307 | 310 | 311 | 312 | 315 | 318 | 319 | 322 | 323 | 324 | 327 | 330 | 331 | 334 | 335 | 338 | 339 | 342 | 343 | 344 | 347 | 350 | 351 | 354 | 355 | 356 | 359 | 362 | 363 | 366 | 367 | 368 | 371 | 374 | 375 | 378 | 379 | 380 | 383 | 386 | 387 | 390 | 391 | 392 | 393 | 394 | 395 | 396 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ScDetective.c: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2010 - kedebug 4 | /// 5 | /// 
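Original filename: ScDetective.cpp
/// Project          : ScDetective
/// Date of creation : 2010-10-16
/// Author(s)        : kedebug(SJTU)
///
/// Purpose          : Only for study
///
/// Revisions:
///   0000 [2010-10-16] Initial revision.
///
///////////////////////////////////////////////////////////////////////////////

// $Id$

#include "ScDetective.h"

// Unity build: the other translation units are pulled in as .c includes, so
// the whole driver is a single translation unit.  That is the only reason the
// headers (memory.h, module.h, ScProtect.h) can *define* globals such as
// g_DriverListHead instead of declaring them extern.  Note the spelling
// "module.c": the file in the tree is Process/Module.c, which only resolves
// on a case-insensitive filesystem.
#include "System/Initialize.c"
#include "ssdt/ssdt.c"
#include "ssdt/ssdt_shadow.c"
#include "LDasm/LDasm.c"
#include "Process/Process.c"
#include "Process/module.c"
#include "File/File.c"
#include "Memory/memory.c"
#include "HookEngine/HookEngine.c"
#include "Protect/ScProtect.c"

#ifdef __cplusplus
namespace { // anonymous namespace to limit the scope of this global variable!
#endif
// The driver object, captured in DriverEntry.  Handed to ScObQueryDriverObject
// by IOCTL_GET_DRIVER_OBJECT so the worker can locate our own DRIVER_OBJECT.
PDRIVER_OBJECT pdoGlobalDrvObj = NULL;
#ifdef __cplusplus
}; // anonymous namespace
#endif

/**
 * IRP_MJ_CREATE handler: every open of the control device succeeds.
 *
 * There is no per-caller check here; who may open the device is decided
 * solely by the device object's security descriptor (see DriverEntry).
 *
 * @param DeviceObject  unused
 * @param Irp           request to complete
 * @return STATUS_SUCCESS
 */
NTSTATUS ScDetective_DispatchCreate(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

/**
 * IRP_MJ_CLOSE handler: calls UnInlineHookNativeApi (presumably undoing the
 * inline hooks HookEngine.c installs), waits briefly, then completes the IRP.
 *
 * @param DeviceObject  unused
 * @param Irp           request to complete
 * @return STATUS_SUCCESS
 */
NTSTATUS ScDetective_DispatchClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    LARGE_INTEGER interval;

    UNREFERENCED_PARAMETER(DeviceObject);

    KdPrint(("[ScDetective_DispatchClose] Enter DispatchClose..."));

    UnInlineHookNativeApi();

    // Negative QuadPart = relative wait; 4*1000*100 units of 100ns = 40ms.
    // Looks like a grace period for threads still inside the unhooked code
    // paths; it is a heuristic delay, not a synchronisation.
    interval.QuadPart = - 4 * 1000 * 100; // 40ms, relative
    KeDelayExecutionThread(KernelMode, FALSE, &interval);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    KdPrint(("[ScDetective_DispatchClose] Leave DispatchClose..."));
    return status;
}

/**
 * Shared length protocol of the "list" IOCTLs.
 *
 * Returns TRUE when the output buffer cannot hold NeedLen bytes.  In that
 * case either the required length has been written back (when the buffer is
 * exactly one ULONG, the caller's "how much do I need" probe) or *Status has
 * been set to STATUS_BUFFER_TOO_SMALL; the caller must then leave its case.
 * Returns FALSE when the buffer is large enough and nothing was touched.
 *
 * @param Irp             request whose Information field receives the probe size
 * @param OutputBuffer    METHOD_BUFFERED system buffer
 * @param cbOutputBuffer  its length in bytes
 * @param NeedLen         bytes the full result would occupy
 * @param Status          receives STATUS_BUFFER_TOO_SMALL when not a probe
 */
static BOOLEAN
ScDetective_OutputTooSmall(
    PIRP Irp,
    PVOID OutputBuffer,
    ULONG cbOutputBuffer,
    ULONG NeedLen,
    PNTSTATUS Status
    )
{
    if (cbOutputBuffer >= NeedLen) return FALSE;

    if (cbOutputBuffer == sizeof(ULONG)) {
        ((PULONG)OutputBuffer)[0] = NeedLen;
        Irp->IoStatus.Information = sizeof(ULONG);
    } else {
        *Status = STATUS_BUFFER_TOO_SMALL;
    }
    return TRUE;
}

/**
 * IRP_MJ_DEVICE_CONTROL handler.
 *
 * Input and output both come from Irp->AssociatedIrp.SystemBuffer, i.e. the
 * IOCTLs are expected to be METHOD_BUFFERED (IoControlCmd.h is not visible
 * here); a case that reads its input after writing its output would see
 * overwritten data.  Several cases take a raw EPROCESS pointer from user
 * mode and dereference it directly -- the only thing standing between a bad
 * value and a bugcheck is the __try/__except around the switch, which
 * converts the fault into the request's status.
 *
 * @param DeviceObject  unused
 * @param Irp           the request; completed here on every path
 * @return the status also stored in Irp->IoStatus.Status
 */
NTSTATUS ScDetective_DispatchDeviceControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    PVOID InputBuffer = NULL;
    PVOID OutputBuffer = NULL;
    ULONG cbInputBuffer = 0;
    ULONG cbOutputBuffer = 0;
    PIO_STACK_LOCATION irpSp = NULL;

    UNREFERENCED_PARAMETER(DeviceObject);

    __try {
        irpSp = IoGetCurrentIrpStackLocation(Irp);

        InputBuffer = Irp->AssociatedIrp.SystemBuffer;
        cbInputBuffer = irpSp->Parameters.DeviceIoControl.InputBufferLength;
        OutputBuffer = Irp->AssociatedIrp.SystemBuffer;
        cbOutputBuffer = irpSp->Parameters.DeviceIoControl.OutputBufferLength;

        switch (irpSp->Parameters.DeviceIoControl.IoControlCode)
        {
        //////////////////////////////////////////////////////////////////////////
        // Copy cbOutputBuffer bytes of kernel memory starting at the address
        // in the input buffer.  Whoever can open the device gets an unrestricted
        // kernel-memory read; nothing limits the range or the caller.
        case IOCTL_DUMP_KERNEL_MEMORY:
        {
            PVOID DumpAddress;
            PVOID Mapped;
            PMDL MdlCreate = NULL;
            ULONG Offset;

            if (cbInputBuffer != sizeof(ULONG)) {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            DumpAddress = (PVOID)((PULONG)InputBuffer)[0];

            // Reject empty requests and ranges that wrap the address space,
            // then probe every page of the range rather than only its first
            // byte.  MmIsAddressValid is a snapshot, so the __try stays the
            // real safety net.
            if (cbOutputBuffer == 0 ||
                (ULONG)DumpAddress + cbOutputBuffer < (ULONG)DumpAddress) {
                ntStatus = STATUS_INVALID_PARAMETER;
                break;
            }
            for (Offset = 0; Offset < cbOutputBuffer; Offset += PAGE_SIZE) {
                if (!MmIsAddressValid((PUCHAR)DumpAddress + Offset)) {
                    ntStatus = STATUS_INVALID_ADDRESS;
                    break;
                }
            }
            if (!NT_SUCCESS(ntStatus)) break;
            if (!MmIsAddressValid((PUCHAR)DumpAddress + cbOutputBuffer - 1)) {
                ntStatus = STATUS_INVALID_ADDRESS;
                break;
            }

            Mapped = ScmMapVirtualAddress(DumpAddress, cbOutputBuffer, &MdlCreate);
            // NOTE(review): assumes ScmMapVirtualAddress returns NULL on
            // failure -- memory.h only shows the PVOID return type; confirm.
            // Without this check a failed mapping led to unmapping an
            // uninitialised MDL.
            if (Mapped == NULL) {
                ntStatus = STATUS_INVALID_ADDRESS;
                break;
            }
            // The copy reads the original address, not the mapping; the MDL
            // presumably just keeps the pages resident while we copy.
            RtlCopyMemory(OutputBuffer, DumpAddress, cbOutputBuffer);
            ScmUnmapVirtualAddress(MdlCreate);
            Irp->IoStatus.Information = cbOutputBuffer;
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Return the current SSDT entries as an array of SSDT_ADDRESS.
        case IOCTL_GET_SSDT:
        {
            ULONG Number = GetSsdtServiceNumber();
            ULONG NeedLen = Number * sizeof(SSDT_ADDRESS);

            if (ScDetective_OutputTooSmall(Irp, OutputBuffer, cbOutputBuffer,
                    NeedLen, &ntStatus)) {
                break;
            }
            Number = GetSsdtCurrentAddresses((PSSDT_ADDRESS)OutputBuffer, &NeedLen);
            if (Number == 0) ntStatus = STATUS_UNSUCCESSFUL;
            Irp->IoStatus.Information = Number * sizeof(SSDT_ADDRESS);
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Restore one SSDT entry to the address supplied by the caller.
        case IOCTL_UNHOOK_SSDT:
        {
            PSSDT_ADDRESS SsdtOrig = (PSSDT_ADDRESS)InputBuffer;

            if (InputBuffer == NULL || cbInputBuffer < sizeof(SSDT_ADDRESS)) {
                KdPrint(("���뻺���������뻺����������Ч"));
                ntStatus = STATUS_UNSUCCESSFUL;
                break;
            }
            KdPrint(("Ҫ�ָ��ķ����ţ�%d ԭʼ��ַ��0x%X",
                SsdtOrig->nIndex, SsdtOrig->FunAddress));

            // Both the index and the target address come straight from user
            // mode; nothing here range-checks them, that is left to
            // UnHookSsdtItem (not visible in this file).
            if (!UnHookSsdtItem(SsdtOrig)) {
                KdPrint(("�ָ�ʧ��"));
                ntStatus = STATUS_UNSUCCESSFUL;
            }
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Same as IOCTL_GET_SSDT for the shadow SSDT (win32k services).
        case IOCTL_GET_SSDTSHADOW:
        {
            ULONG Number = GetShadowSsdtServiceNumber();
            ULONG NeedLen = Number * sizeof(SSDT_ADDRESS);

            if (ScDetective_OutputTooSmall(Irp, OutputBuffer, cbOutputBuffer,
                    NeedLen, &ntStatus)) {
                break;
            }
            Number = GetShadowSsdtCurrentAddresses((PSSDT_ADDRESS)OutputBuffer, &NeedLen);
            if (Number == 0) ntStatus = STATUS_UNSUCCESSFUL;
            Irp->IoStatus.Information = Number * sizeof(SSDT_ADDRESS);
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Same as IOCTL_UNHOOK_SSDT for the shadow SSDT; the table is only
        // mapped in a GUI process, hence the csrss context argument.
        case IOCTL_UNHOOK_SSDTSHADOW:
        {
            PSSDT_ADDRESS ShadowSsdtOrig = (PSSDT_ADDRESS)InputBuffer;

            if (InputBuffer == NULL || cbInputBuffer < sizeof(SSDT_ADDRESS)) {
                KdPrint(("���뻺���������뻺����������Ч"));
                ntStatus = STATUS_UNSUCCESSFUL;
                break;
            }
            KdPrint(("Ҫ�ָ��ķ����ţ�%d ԭʼ��ַ��0x%X",
                ShadowSsdtOrig->nIndex, ShadowSsdtOrig->FunAddress));

            if (!UnHookShadowSsdtItem(ShadowSsdtOrig, g_CsrssProcess)) {
                ntStatus = STATUS_UNSUCCESSFUL;
            }
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Enumerate processes into an array of PROCESS_INFO.
        case IOCTL_GET_PROCESSES:
        {
            PPROCESS_LIST_HEAD ProcessHead;
            ULONG ReturnLength;

            ProcessHead = ScPsQuerySystemProcessList();
            // Match the other list IOCTLs: a failed enumeration is reported,
            // not dereferenced.
            if (ProcessHead == NULL) {
                ntStatus = STATUS_UNSUCCESSFUL;
                break;
            }
            if (ScDetective_OutputTooSmall(Irp, OutputBuffer, cbOutputBuffer,
                    ProcessHead->NumberOfProcesses * sizeof(PROCESS_INFO), &ntStatus)) {
                break;
            }
            ReturnLength = ExCopyProcessList2Buffer((PPROCESS_INFO)OutputBuffer);
            if (ReturnLength == 0) ntStatus = STATUS_UNSUCCESSFUL;
            Irp->IoStatus.Information = ReturnLength;
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Image path of the process whose EPROCESS pointer is in the input.
        case IOCTL_GET_PROCESS_IMAGE_PATH:
        {
            PEPROCESS Process;
            PUNICODE_STRING NameString;
            ULONG NameCapacity;
            ULONG BufferSize;

            if (cbInputBuffer != sizeof(ULONG)) {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            // NOTE(review): a raw kernel pointer chosen by user mode is
            // trusted here; only the __try guards a bogus value.
            Process = ((PEPROCESS*)InputBuffer)[0];
            if (Process == NULL) {
                ntStatus = STATUS_ACCESS_DENIED;
                break;
            }

            // System and Idle have no image file; answer with fixed names.
            if (Process == g_SystemProcess) {
                if (cbOutputBuffer > sizeof(L"System")) {
                    RtlCopyMemory(OutputBuffer, L"System", sizeof(L"System"));
                    Irp->IoStatus.Information = sizeof(L"System");
                    break;
                }
            } else if (Process == g_IdleProcess) {
                if (cbOutputBuffer > sizeof(L"Idle")) {
                    RtlCopyMemory(OutputBuffer, L"Idle", sizeof(L"Idle"));
                    Irp->IoStatus.Information = sizeof(L"Idle");
                    break;
                }
            }
            if (cbOutputBuffer < 520) {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }

            // UNICODE_STRING.MaximumLength is a USHORT: clamp before the cast
            // instead of letting a large buffer silently wrap to a tiny one.
            NameCapacity = (cbOutputBuffer > MAXUSHORT) ? MAXUSHORT : cbOutputBuffer;
            BufferSize = NameCapacity + sizeof(UNICODE_STRING);
            NameString = ExAllocatePoolWithTag(NonPagedPool, BufferSize, MEM_TAG);
            if (NameString == NULL) {
                ntStatus = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }
            // The character storage follows the header in the same allocation.
            NameString->Buffer = (PWCH)(NameString + 1);
            NameString->Length = 0;
            NameString->MaximumLength = (USHORT)NameCapacity;

            ntStatus = ScPsGetProcessImagePath(Process, NameString);
            if (NT_SUCCESS(ntStatus)) {
                RtlCopyMemory(OutputBuffer, NameString->Buffer, NameString->Length);
                Irp->IoStatus.Information = NameString->Length;
            } else {
                // Report only what was actually copied.
                Irp->IoStatus.Information = 0;
            }
            ExFreePoolWithTag(NameString, MEM_TAG);
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Threads of the process whose EPROCESS pointer is in the input.
        case IOCTL_GET_PROCESS_THREADS:
        {
            PTHREAD_LIST_HEAD ThreadHead;
            PEPROCESS EProcess;
            ULONG ReturnLength;

            if (cbInputBuffer != sizeof(ULONG)) {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            EProcess = ((PEPROCESS*)InputBuffer)[0];

            // Idle has no thread list to report: a length probe gets zero;
            // any other buffer size falls through to the normal lookup.
            if (EProcess == g_IdleProcess && cbOutputBuffer == sizeof(ULONG)) {
                ((PULONG)OutputBuffer)[0] = 0;
                Irp->IoStatus.Information = sizeof(ULONG);
                break;
            }
            ThreadHead = ScPsQueryProcessThreadList(EProcess);
            if (ThreadHead == NULL) {
                ntStatus = STATUS_UNSUCCESSFUL;
                break;
            }
            if (ScDetective_OutputTooSmall(Irp, OutputBuffer, cbOutputBuffer,
                    ThreadHead->NumberOfThread * sizeof(THREAD_INFO), &ntStatus)) {
                break;
            }
            ReturnLength = ExCopyThreadList2Buffer((PTHREAD_INFO)OutputBuffer);
            if (ReturnLength == 0) ntStatus = STATUS_UNSUCCESSFUL;
            Irp->IoStatus.Information = ReturnLength;
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Modules of the process whose EPROCESS pointer is in the input.
        case IOCTL_GET_PROCESS_MODULES:
        {
            PMODULE_LIST_HEAD ModuleHead;
            PEPROCESS EProcess;
            ULONG ReturnLength;

            if (cbInputBuffer != sizeof(ULONG)) {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            EProcess = ((PEPROCESS*)InputBuffer)[0];

            // Same Idle special case as the thread IOCTL.  This used to be
            // written `if (cbOutputBuffer = sizeof(ULONG))` -- an assignment,
            // so every Idle query returned a zero count whatever the caller's
            // buffer was.
            if (EProcess == g_IdleProcess && cbOutputBuffer == sizeof(ULONG)) {
                ((PULONG)OutputBuffer)[0] = 0;
                Irp->IoStatus.Information = sizeof(ULONG);
                break;
            }
            ModuleHead = ScPsQueryProcessModuleList(EProcess);
            if (ModuleHead == NULL) {
                ntStatus = STATUS_UNSUCCESSFUL;
                break;
            }
            if (ScDetective_OutputTooSmall(Irp, OutputBuffer, cbOutputBuffer,
                    ModuleHead->NumberOfModules * sizeof(MODULE_INFO), &ntStatus)) {
                break;
            }
            ReturnLength = ExCopyModuleList2Buffer((PMODULE_INFO)OutputBuffer);
            if (ReturnLength == 0) ntStatus = STATUS_UNSUCCESSFUL;
            Irp->IoStatus.Information = ReturnLength;
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Two-phase driver enumeration (see Module.c).  Phase 1: the input
        // holds two HANDLEs, the first an event; a system thread is started and
        // signals the event when the list is ready.  Phase 2: no handles, the
        // finished list is copied out as DRIVER_INFO records.
        case IOCTL_GET_DRIVER_OBJECT:
        {
            PDRIVER_LIST_HEAD DriverHead;
            HANDLE UserEvent;
            PKEVENT kEvent;
            ULONG ReturnLength;

            if (cbInputBuffer == sizeof(HANDLE) * 2) {
                UserEvent = *(PHANDLE)InputBuffer;
                // Ask for the access the worker actually needs (KeSetEvent)
                // instead of 0, so the handle's granted access is enforced.
                ntStatus = ObReferenceObjectByHandle(UserEvent, EVENT_MODIFY_STATE,
                    *ExEventObjectType, UserMode, &kEvent, NULL);
                if (NT_SUCCESS(ntStatus)) {
                    // NOTE(review): QueryWorkThread keeps kEvent in its
                    // context and calls KeSetEvent on it later, but the
                    // reference taken above is dropped right here.  If the
                    // caller closes the handle first, the worker can signal a
                    // freed object; the ObDereferenceObject belongs at the end
                    // of the worker (Module.c), not here.
                    ScObQueryDriverObject(pdoGlobalDrvObj, kEvent);
                    ObDereferenceObject(kEvent);
                }
                Irp->IoStatus.Information = 0;
                break;
            }

            DriverHead = ScObQueryDriverObject(NULL, NULL);
            if (DriverHead == NULL) {
                ntStatus = STATUS_UNSUCCESSFUL;
                break;
            }
            if (ScDetective_OutputTooSmall(Irp, OutputBuffer, cbOutputBuffer,
                    DriverHead->NumberOfDrivers * sizeof(DRIVER_INFO), &ntStatus)) {
                break;
            }
            ReturnLength = ExCopyDriverList2Buffer((PDRIVER_INFO)OutputBuffer);
            if (ReturnLength == 0) ntStatus = STATUS_UNSUCCESSFUL;
            Irp->IoStatus.Information = ReturnLength;
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Directory listing for a 260-WCHAR path supplied by the caller.
        case IOCTL_LIST_DIRECTORY:
        {
            PWCHAR pszDirectory;
            ULONG ReturnLength;
            PFILE_LIST_HEAD FileHead;

            // Validate before allocating: the old order allocated first and
            // then leaked the buffer on the size-mismatch and empty-listing
            // exits.
            if (cbInputBuffer != 260 * 2) {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            pszDirectory = ExAllocatePoolWithTag(PagedPool, 260 * 2, MEM_TAG);
            if (pszDirectory == NULL) {
                ntStatus = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }
            RtlCopyMemory(pszDirectory, InputBuffer, 260 * 2);
            // The caller's buffer need not be NUL-terminated; our copy must be.
            pszDirectory[259] = L'\0';

            FileHead = ScfsQueryDirectoryInformation(pszDirectory);
            if (FileHead == NULL) {
                // Nothing found is reported as a zero item count, provided the
                // caller left room for it.
                if (cbOutputBuffer >= sizeof(ULONG)) {
                    ((PULONG)OutputBuffer)[0] = 0;
                    Irp->IoStatus.Information = sizeof(ULONG);
                } else {
                    ntStatus = STATUS_BUFFER_TOO_SMALL;
                }
                ExFreePoolWithTag(pszDirectory, MEM_TAG);
                break;
            }
            if (ScDetective_OutputTooSmall(Irp, OutputBuffer, cbOutputBuffer,
                    FileHead->NumberOfItems * sizeof(FILE_INFO), &ntStatus)) {
                ExFreePoolWithTag(pszDirectory, MEM_TAG);
                break;
            }
            ReturnLength = ExCopyFileList2Buffer((PFILE_INFO)OutputBuffer);
            if (ReturnLength == 0) ntStatus = STATUS_UNSUCCESSFUL;
            Irp->IoStatus.Information = ReturnLength;
            ExFreePoolWithTag(pszDirectory, MEM_TAG);
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        // Hand a process id to ScPtHideProcessById.  Nothing here verifies
        // that the id belongs to the caller, so any opener of the device can
        // request this for any process.
        case IOCTL_PROTECT_MYSELF:
        {
            HANDLE ProcessId;

            if (cbInputBuffer != sizeof(ULONG)) {
                ntStatus = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            ProcessId = ((PHANDLE)InputBuffer)[0];
            if (ProcessId) {
                ntStatus = ScPtHideProcessById(ProcessId);
            }
            Irp->IoStatus.Information = 0;
            break;
        }
        //////////////////////////////////////////////////////////////////////////
        case IOCTL_EXIT_PROCESS:
            ScPtUnloadRoutine();
            Irp->IoStatus.Information = 0;
            break;
        //////////////////////////////////////////////////////////////////////////
        default:
            // Set ntStatus, not Irp->IoStatus.Status: the latter is overwritten
            // with ntStatus below, which made unknown IOCTLs report success.
            ntStatus = STATUS_INVALID_DEVICE_REQUEST;
            Irp->IoStatus.Information = 0;
            break;
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        // Any fault from a bad caller-supplied pointer ends up here and is
        // returned as the request's status.
        ntStatus = GetExceptionCode();
        Irp->IoStatus.Information = 0;
    }

    Irp->IoStatus.Status = ntStatus;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}

/**
 * Unload routine: removes the symbolic link and every device object.
 *
 * NOTE(review): this does not synchronise with the system thread that
 * ScObQueryDriverObject starts (QueryWorkThread, Module.c) and does not free
 * g_DriverListHead; if an enumeration is still running when the driver is
 * unloaded, the worker keeps executing unmapped code.
 *
 * @param DriverObject  this driver (same object as pdoGlobalDrvObj)
 */
VOID ScDetective_DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    PDEVICE_OBJECT pdoNextDeviceObj = DriverObject->DeviceObject;

    KdPrint(("[ScDetective_DriverUnload] Unloading..."));

    IoDeleteSymbolicLink(&usSymlinkName);

    // Delete all the device objects; read NextDevice before the delete.
    while (pdoNextDeviceObj)
    {
        PDEVICE_OBJECT pdoThisDeviceObj = pdoNextDeviceObj;
        pdoNextDeviceObj = pdoThisDeviceObj->NextDevice;
        IoDeleteDevice(pdoThisDeviceObj);
    }
    KdPrint(("[ScDetective_DriverUnload] Unload finished"));
}

#ifdef __cplusplus
extern "C" {
#endif
/**
 * Driver entry point: runs InitializeScDetective, creates the control device
 * and its symbolic link, and installs the dispatch table.
 *
 * @param DriverObject  this driver
 * @param RegistryPath  unused
 * @return STATUS_SUCCESS, or the status of the failing step (the I/O manager
 *         then unloads the driver without calling DriverUnload)
 */
NTSTATUS DriverEntry(
    IN OUT PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    PDEVICE_OBJECT pdoDeviceObj = NULL;
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    UNREFERENCED_PARAMETER(RegistryPath);

    pdoGlobalDrvObj = DriverObject;

    status = InitializeScDetective();
    if (!NT_SUCCESS(status)) return status;

    // Create the device object.  Plain IoCreateDevice (no SDDL, no
    // IoCreateDeviceSecure) means the device gets the default security
    // descriptor; whether ordinary users can then reach the IOCTLs above
    // depends on that default DACL and on the access bits encoded in the
    // IOCTL codes in IoControlCmd.h, neither of which is visible here.
    status = IoCreateDevice(
        DriverObject,
        0,
        &usDeviceName,
        FILE_DEVICE_SEDECTIVE,
        FILE_DEVICE_SECURE_OPEN,
        FALSE,
        &pdoDeviceObj
        );
    if (!NT_SUCCESS(status))
    {
        // Bail out (implicitly forces the driver to unload).
        return status;
    }

    // Now create the respective symbolic link object
    status = IoCreateSymbolicLink(
        &usSymlinkName,
        &usDeviceName
        );
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pdoDeviceObj);
        return status;
    }

    // NOTE: You need not provide your own implementation for any major function that
    //       you do not want to handle. I have seen code using DDKWizard that left the
    //       *empty* dispatch routines intact. This is not necessary at all!
    DriverObject->MajorFunction[IRP_MJ_CREATE] = ScDetective_DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = ScDetective_DispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ScDetective_DispatchDeviceControl;
    DriverObject->DriverUnload = ScDetective_DriverUnload;

    return STATUS_SUCCESS;
}
#ifdef __cplusplus
}; // extern "C"
#endif
--------------------------------------------------------------------------------
/ScDetective_Driver/ScDetective/ScDetective.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/ScDetective.h
--------------------------------------------------------------------------------
/ScDetective_Driver/ScDetective/ScDetective.vsprops:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/ScDetective_Driver/ScDetective/System/Initialize.c: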
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/System/Initialize.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/System/Initialize.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/System/Initialize.h -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/buildnumber.h: -------------------------------------------------------------------------------- 1 | // Automatically created file! 2 | #define _FILE_VERSION_BUILD 18 3 | 4 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ddkbldenv.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | :: $Id$ 3 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ddkpostbld.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | :: $Id$ 3 | setlocal 4 | :: Perform post-build steps 5 | :: An example follows on the next two lines ... 
6 | :: xcopy /y ".\obj%BUILD_ALT_DIR%\i386\*.sys" "..\" 7 | :: xcopy /y ".\obj%BUILD_ALT_DIR%\i386\*.pdb" "..\" 8 | endlocal -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ddkprebld.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | :: $Id$ 3 | setlocal 4 | :: Perform any pre-build steps 5 | call .\buildinc.cmd 6 | endlocal -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/drvcommon.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2010 - 4 | /// 5 | /// Useful macros 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Created by: ddkwizard\.assarbad\.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVCOMMON_H_VERSION__ 13 | #define __DRVCOMMON_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | #define _ANSISTRING(text) #text 21 | #define ANSISTRING(text) _ANSISTRING(text) 22 | 23 | #define _WIDESTRING(text) L##text 24 | #define WIDESTRING(text) _WIDESTRING(text) 25 | 26 | #define PRESET_UNICODE_STRING(symbol, buffer) \ 27 | UNICODE_STRING symbol = \ 28 | { \ 29 | sizeof(WIDESTRING(buffer)) - sizeof(WCHAR), \ 30 | sizeof(WIDESTRING(buffer)), \ 31 | WIDESTRING(buffer) \ 32 | }; 33 | 34 | #define CREATE_XVER(maj,min,build) maj ## , ## min ## , 0, ## build 35 | #define CREATE_FVER(maj,min,build) maj ## . ## min ## .0. ## build 36 | #define CREATE_PVER(maj,min,build) maj ## . 
## min 37 | 38 | #if DBG 39 | #ifdef ADVANCED_DEBUG 40 | #define DebugPrint DbgPrint("[%s] %s (line: %d)\n", __##FILE##__, __##FUNCTION##__, __##LINE##__); DbgPrint 41 | #else 42 | #define DebugPrint DbgPrint 43 | #endif 44 | #else 45 | #define DebugPrint /##/DbgPrint 46 | #endif 47 | 48 | #endif // __DRVCOMMON_H_VERSION__ 49 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/drvversion.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2010 - 4 | /// 5 | /// Defines for the version information in the resource file 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Created by: ddkwizard\.assarbad\.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVVERSION_H_VERSION__ 13 | #define __DRVVERSION_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | #include "buildnumber.h" 20 | 21 | // --------------------------------------------------------------------------- 22 | // Several defines have to be given before including this file. These are: 23 | // --------------------------------------------------------------------------- 24 | #define TEXT_AUTHOR // author (optional value) 25 | #define PRD_MAJVER 1 // major product version 26 | #define PRD_MINVER 0 // minor product version 27 | #define PRD_BUILD 0 // build number for product 28 | #define FILE_MAJVER 1 // major file version 29 | #define FILE_MINVER 0 // minor file version 30 | #define FILE_BUILD _FILE_VERSION_BUILD // file build number 31 | #define DRV_YEAR 2010 // current year or timespan (e.g. 
2003-2009) 32 | #define TEXT_WEBSITE // website 33 | #define TEXT_PRODUCTNAME Supercool driver-based tool // product's name 34 | #define TEXT_FILEDESC The driver for the supercool driver-based tool // component description 35 | #define TEXT_COMPANY // company 36 | #define TEXT_MODULE ScDetect // module name 37 | #define TEXT_COPYRIGHT Copyright \xA9 DRV_YEAR TEXT_COMPANY // copyright information 38 | // #define TEXT_SPECIALBUILD // optional comment for special builds 39 | #define TEXT_INTERNALNAME ScDetect.sys // copyright information 40 | // #define TEXT_COMMENTS // optional comments 41 | // --------------------------------------------------------------------------- 42 | // ... well, that's it. Pretty self-explanatory ;) 43 | // --------------------------------------------------------------------------- 44 | 45 | #endif // __DRVVERSION_H_VERSION__ 46 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/drvversion.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/drvversion.rc -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=ScDetective 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | # Create browse info 7 | #BROWSER_INFO=1 8 | #BROWSERFILE= 9 | 10 | # Additional defines for the C/C++ preprocessor 11 | C_DEFINES=$(C_DEFINES) 12 | 13 | SOURCES=ScDetective.c\ 14 | drvversion.rc 15 | -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ssdt/ssdt.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/ssdt/ssdt.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ssdt/ssdt.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef __SSDT_H__ 3 | #define __SSDT_H__ 4 | 5 | #include "ScDetective.h" 6 | 7 | #define MOV_OPCODE 0xB8 8 | 9 | ////////////////////////////////////////////////////////////////////////// 10 | 11 | __declspec(dllimport) SYSTEM_SERVICE_TABLE KeServiceDescriptorTable; 12 | 13 | ////////////////////////////////////////////////////////////////////////// 14 | 15 | ULONG 16 | GetSsdtServiceNumber( 17 | ); 18 | 19 | ULONG 20 | GetSsdtCurrentAddresses( 21 | IN PSSDT_ADDRESS AddressInfo, 22 | OUT IN PULONG Length 23 | ); 24 | 25 | BOOLEAN 26 | UnHookSsdtItem( 27 | IN PSSDT_ADDRESS SsdtInfo 28 | ); 29 | 30 | ULONG 31 | SetServiceAddress( 32 | IN UINT ServiceIndex, 33 | IN ULONG NewServiceAddress 34 | ); 35 | 36 | ULONG 37 | GetServiceIdByName( 38 | PCHAR FunctionName 39 | ); 40 
| 41 | #endif -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ssdt/ssdt_shadow.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Driver/ScDetective/ssdt/ssdt_shadow.c -------------------------------------------------------------------------------- /ScDetective_Driver/ScDetective/ssdt/ssdt_shadow.h: -------------------------------------------------------------------------------- 1 | 2 | 3 | #ifndef _SSDT_SHADOW_ 4 | #define _SSDT_SHADOW_ 5 | 6 | #include "ScDetective.h" 7 | 8 | ////////////////////////////////////////////////////////////////////////// 9 | 10 | __declspec(dllimport) _stdcall KeAddSystemServiceTable(PVOID, PVOID, PVOID, PVOID, PVOID); 11 | 12 | ////////////////////////////////////////////////////////////////////////// 13 | BOOLEAN 14 | UnHookShadowSsdtItem( 15 | __in PSSDT_ADDRESS AddressInfo, 16 | __in PEPROCESS CsrssPEProcess 17 | ); 18 | 19 | 20 | ULONG 21 | GetShadowSsdtServiceNumber( 22 | VOID 23 | ); 24 | 25 | ULONG 26 | GetShadowSsdtCurrentAddresses( 27 | PSSDT_ADDRESS AddressInfoma, 28 | PULONG Length 29 | ); 30 | 31 | 32 | PSYSTEM_SERVICE_TABLE 33 | GetKeServiceDescriptorTableShadow( 34 | VOID 35 | ); 36 | 37 | #endif -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 9.00 3 | # Visual Studio 2005 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ScDetectiveFilter.W7", "ScDetectiveFilter\ScDetectiveFilter.W7.vcproj", "{2189350A-C978-4D54-ABCF-68F91F29EBE5}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | W7 checked|Win32 = W7 checked|Win32 9 | W7 free|Win32 = W7 free|Win32 10 
| W7LH checked|Win32 = W7LH checked|Win32 11 | W7LH free|Win32 = W7LH free|Win32 12 | W7NET checked|Win32 = W7NET checked|Win32 13 | W7NET free|Win32 = W7NET free|Win32 14 | W7XP checked|Win32 = W7XP checked|Win32 15 | W7XP free|Win32 = W7XP free|Win32 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 checked|Win32.ActiveCfg = W7 checked|Win32 19 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 checked|Win32.Build.0 = W7 checked|Win32 20 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 checked|Win32.Deploy.0 = W7 checked|Win32 21 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 free|Win32.ActiveCfg = W7 free|Win32 22 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 free|Win32.Build.0 = W7 free|Win32 23 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7 free|Win32.Deploy.0 = W7 free|Win32 24 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH checked|Win32.ActiveCfg = W7LH checked|Win32 25 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH checked|Win32.Build.0 = W7LH checked|Win32 26 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH checked|Win32.Deploy.0 = W7LH checked|Win32 27 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH free|Win32.ActiveCfg = W7LH free|Win32 28 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH free|Win32.Build.0 = W7LH free|Win32 29 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7LH free|Win32.Deploy.0 = W7LH free|Win32 30 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET checked|Win32.ActiveCfg = W7NET checked|Win32 31 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET checked|Win32.Build.0 = W7NET checked|Win32 32 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET checked|Win32.Deploy.0 = W7NET checked|Win32 33 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET free|Win32.ActiveCfg = W7NET free|Win32 34 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET free|Win32.Build.0 = W7NET free|Win32 35 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7NET free|Win32.Deploy.0 = W7NET free|Win32 36 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP 
checked|Win32.ActiveCfg = W7XP checked|Win32 37 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP checked|Win32.Build.0 = W7XP checked|Win32 38 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP checked|Win32.Deploy.0 = W7XP checked|Win32 39 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP free|Win32.ActiveCfg = W7XP free|Win32 40 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP free|Win32.Build.0 = W7XP free|Win32 41 | {2189350A-C978-4D54-ABCF-68F91F29EBE5}.W7XP free|Win32.Deploy.0 = W7XP free|Win32 42 | EndGlobalSection 43 | GlobalSection(SolutionProperties) = preSolution 44 | HideSolutionNode = FALSE 45 | EndGlobalSection 46 | EndGlobal 47 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/ScDetectiveFilter.W7.vcproj: -------------------------------------------------------------------------------- 1 | 2 | 8 | 9 | 12 | 13 | 14 | 15 | 16 | 22 | 35 | 36 | 43 | 56 | 57 | 63 | 76 | 77 | 83 | 96 | 97 | 103 | 116 | 117 | 123 | 136 | 137 | 143 | 156 | 157 | 164 | 177 | 178 | 179 | 180 | 181 | 182 | 186 | 189 | 190 | 193 | 194 | 197 | 198 | 199 | 203 | 206 | 207 | 210 | 211 | 214 | 215 | 218 | 219 | 220 | 224 | 227 | 228 | 229 | 233 | 236 | 237 | 240 | 241 | 244 | 245 | 248 | 249 | 252 | 253 | 256 | 257 | 260 | 261 | 264 | 265 | 266 | 269 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/ScDetectiveFilter.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Filter/ScDetectiveFilter/ScDetectiveFilter.c -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/ScDetectiveFilter.h: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Filter/ScDetectiveFilter/ScDetectiveFilter.h -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/ScDetectiveFilter.vsprops: -------------------------------------------------------------------------------- 1 | 2 | 7 | 12 | 13 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/buildnumber.h: -------------------------------------------------------------------------------- 1 | // Automatically created file! 2 | #define _FILE_VERSION_BUILD 41 3 | 4 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/ddkbldenv.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | :: $Id$ 3 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/ddkpostbld.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | :: $Id$ 3 | setlocal 4 | :: Perform post-build steps 5 | :: An example follows on the next two lines ... 
6 | :: xcopy /y ".\obj%BUILD_ALT_DIR%\i386\*.sys" "..\" 7 | :: xcopy /y ".\obj%BUILD_ALT_DIR%\i386\*.pdb" "..\" 8 | endlocal -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/ddkprebld.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | :: $Id$ 3 | setlocal 4 | :: Perform any pre-build steps 5 | call .\buildinc.cmd 6 | endlocal -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/drvcommon.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2010 - 4 | /// 5 | /// Useful macros 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Created by: ddkwizard\.assarbad\.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVCOMMON_H_VERSION__ 13 | #define __DRVCOMMON_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | 20 | #define _ANSISTRING(text) #text 21 | #define ANSISTRING(text) _ANSISTRING(text) 22 | 23 | #define _WIDESTRING(text) L##text 24 | #define WIDESTRING(text) _WIDESTRING(text) 25 | 26 | #define PRESET_UNICODE_STRING(symbol, buffer) \ 27 | UNICODE_STRING symbol = \ 28 | { \ 29 | sizeof(WIDESTRING(buffer)) - sizeof(WCHAR), \ 30 | sizeof(WIDESTRING(buffer)), \ 31 | WIDESTRING(buffer) \ 32 | }; 33 | 34 | #define CREATE_XVER(maj,min,build) maj ## , ## min ## , 0, ## build 35 | #define CREATE_FVER(maj,min,build) maj ## . ## min ## .0. ## build 36 | #define CREATE_PVER(maj,min,build) maj ## . 
## min 37 | 38 | #if DBG 39 | #ifdef ADVANCED_DEBUG 40 | #define DebugPrint DbgPrint("[%s] %s (line: %d)\n", __##FILE##__, __##FUNCTION##__, __##LINE##__); DbgPrint 41 | #else 42 | #define DebugPrint DbgPrint 43 | #endif 44 | #else 45 | #define DebugPrint /##/DbgPrint 46 | #endif 47 | 48 | #endif // __DRVCOMMON_H_VERSION__ 49 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/drvversion.h: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2010 - 4 | /// 5 | /// Defines for the version information in the resource file 6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Created by: ddkwizard\.assarbad\.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #ifndef __DRVVERSION_H_VERSION__ 13 | #define __DRVVERSION_H_VERSION__ 100 14 | 15 | #if defined(_MSC_VER) && (_MSC_VER >= 1020) 16 | #pragma once 17 | #endif 18 | 19 | #include "buildnumber.h" 20 | 21 | // --------------------------------------------------------------------------- 22 | // Several defines have to be given before including this file. These are: 23 | // --------------------------------------------------------------------------- 24 | #define TEXT_AUTHOR // author (optional value) 25 | #define PRD_MAJVER 1 // major product version 26 | #define PRD_MINVER 0 // minor product version 27 | #define PRD_BUILD 0 // build number for product 28 | #define FILE_MAJVER 1 // major file version 29 | #define FILE_MINVER 0 // minor file version 30 | #define FILE_BUILD _FILE_VERSION_BUILD // file build number 31 | #define DRV_YEAR 2010 // current year or timespan (e.g. 
2003-2009) 32 | #define TEXT_WEBSITE // website 33 | #define TEXT_PRODUCTNAME Supercool driver-based tool // product's name 34 | #define TEXT_FILEDESC The driver for the supercool driver-based tool // component description 35 | #define TEXT_COMPANY // company 36 | #define TEXT_MODULE ScDetectiveFilter // module name 37 | #define TEXT_COPYRIGHT Copyright \xA9 DRV_YEAR TEXT_COMPANY // copyright information 38 | // #define TEXT_SPECIALBUILD // optional comment for special builds 39 | #define TEXT_INTERNALNAME ScDetectiveFilter.sys // copyright information 40 | // #define TEXT_COMMENTS // optional comments 41 | // --------------------------------------------------------------------------- 42 | // ... well, that's it. Pretty self-explanatory ;) 43 | // --------------------------------------------------------------------------- 44 | 45 | #endif // __DRVVERSION_H_VERSION__ 46 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/drvversion.rc: -------------------------------------------------------------------------------- 1 | /////////////////////////////////////////////////////////////////////////////// 2 | /// 3 | /// Copyright (c) 2010 - 4 | /// 5 | /// The version information resource. Depends on "drvversion.h" header file. 
6 | /// 7 | /// (File was in the PUBLIC DOMAIN - Created by: ddkwizard\.assarbad\.net) 8 | /////////////////////////////////////////////////////////////////////////////// 9 | 10 | // $Id$ 11 | 12 | #include 13 | #include 14 | 15 | #ifdef RC_INVOKED 16 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 17 | #include "drvcommon.h" 18 | #include "drvversion.h" 19 | 20 | #ifdef DBG 21 | #define ACTUAL_FILEFLAGS VS_FF_DEBUG 22 | #else 23 | #define ACTUAL_FILEFLAGS 0 24 | #endif 25 | 26 | VS_VERSION_INFO VERSIONINFO 27 | FILEVERSION CREATE_XVER(FILE_MAJVER, FILE_MINVER, FILE_BUILD) 28 | PRODUCTVERSION CREATE_XVER(PRD_MAJVER, PRD_MINVER, 0) 29 | FILEFLAGSMASK VS_FFI_FILEFLAGSMASK 30 | FILEFLAGS ACTUAL_FILEFLAGS 31 | FILEOS VOS_NT 32 | FILETYPE VFT_DRV 33 | FILESUBTYPE VFT2_DRV_SYSTEM 34 | BEGIN 35 | BLOCK "StringFileInfo" 36 | BEGIN 37 | BLOCK "000004b0" 38 | BEGIN 39 | #ifdef TEXT_AUTHOR 40 | VALUE "Author", ANSISTRING(TEXT_AUTHOR) 41 | #endif 42 | #ifdef TEXT_COMMENTS 43 | VALUE "Comments", ANSISTRING(TEXT_COMMENTS) 44 | #endif 45 | VALUE "CompanyName", ANSISTRING(TEXT_COMPANY) 46 | VALUE "FileDescription", ANSISTRING(TEXT_FILEDESC) 47 | VALUE "FileVersion", ANSISTRING(CREATE_FVER(FILE_MAJVER, FILE_MINVER, FILE_BUILD)) 48 | VALUE "InternalName", ANSISTRING(TEXT_INTERNALNAME) 49 | VALUE "LegalCopyright", ANSISTRING(TEXT_COPYRIGHT) 50 | VALUE "OriginalFilename", ANSISTRING(TEXT_MODULE) 51 | VALUE "ProductName", ANSISTRING(TEXT_PRODUCTNAME) 52 | VALUE "ProductVersion", ANSISTRING(CREATE_PVER(PRD_MAJVER, PRD_MINVER, PRD_BUILD)) 53 | #ifdef TEXT_SPECIALBUILD 54 | VALUE "SpecialBuild", ANSISTRING(TEXT_SPECIALBUILD) 55 | #endif 56 | VALUE "Website", ANSISTRING(TEXT_WEBSITE) 57 | END 58 | END 59 | BLOCK "VarFileInfo" 60 | BEGIN 61 | VALUE "Translation", 0x0, 1200 62 | END 63 | END 64 | 65 | #endif // RC_INVOKED 66 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/fastIO.h: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Filter/ScDetectiveFilter/fastIO.h -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/makefile: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. This file merely indirects to the real make file 4 | # that is shared by all the components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/myfs.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kedebug/ScDetective/fe928860958cc4febb0879ee85982e09e761fe75/ScDetective_Filter/ScDetectiveFilter/myfs.h -------------------------------------------------------------------------------- /ScDetective_Filter/ScDetectiveFilter/sources: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | TARGETNAME=ScDetectiveFilter 3 | TARGETPATH=obj 4 | TARGETTYPE=DRIVER 5 | 6 | 7 | # Create browse info 8 | #BROWSER_INFO=1 9 | #BROWSERFILE= 10 | 11 | # Additional defines for the C/C++ preprocessor 12 | C_DEFINES=$(C_DEFINES) 13 | 14 | SOURCES=ScDetectiveFilter.c \ 15 | drvversion.rc 16 | --------------------------------------------------------------------------------