/Context.h:
--------------------------------------------------------------------------------
/*
    This header file contains the different contexts used
    throughout WdFilter.

    NOTE(review): everything below is an IDA local-type export. IDA-specific
    spellings are kept as exported (_DWORD/_QWORD/_OWORD/_WORD/_BYTE,
    __int16/__int32/__int64, __shifted(T, N), __unaligned, enum base types),
    unknown members keep IDA's placeholder names (field_XX / gapXX / dwordXX,
    where XX is the member's hex offset), and several types are used before
    they are declared. Treat this as reference material for reversing, not as
    a header that compiles unchanged (see README.md).
*/

// Process Context

// Bit flags that classify a process. Judging by the field name they live in
// ProcessCtx.ProcessFlags. 0x2 and 0x4 are not named in this export.
enum MP_PROCESS_CTX_FLAGS
{
  ExcludedProcess = 0x1,
  MsMpEngProcess = 0x8,
  MpServiceSidProcess = 0x10,
  FriendlyProcess = 0x20,
  TrustedProcess = 0x40,
  MsSecesProcess = 0x80,
  SvchostProcess = 0x100,
  ImageWow64cpu = 0x200,
  ThreadNotifyRoutineExSet = 0x400,
  ProcessExplorer = 0x800,
};

// Per-process rule bits (presumably ProcessCtx.ProcessRules; the bit numbers
// are sparse, so more rules than the ones named here likely exist). The
// code-injection and suspend/resume names pair with the HIPS trigger names in
// MP_OB_NOTIFICATION_REASON (Notifications.h).
enum MP_PROCESS_CTX_RULES
{
  DoNotNotifyDesktopHandlesOp = 0x8,
  AllowedToInjectCode = 0x10000,
  AllowIncomingCodeInjection = 0x80000,
  NotifyNewThreadDifferentProcess = 0x400000,
  AllowedToQuerySuspendResume = 0x1000000,
  AllowQuerySuspendResume = 0x2000000,
  NotifyNewThreadSameProcess = 0x10000000,
  NotifyProcessCmdLine = 0x20000000,
};

// Per-process context. Opens with the Magic/StructSize header that most
// WdFilter structures share; ProcessCtxList links it into the process table
// (MP_PROCESS_TABLE in WdFilter.h) and RefCount is the only member marked
// volatile, i.e. the one IDA saw updated with interlocked operations.
typedef struct _ProcessCtx
{
  USHORT Magic;
  USHORT StructSize;
  LIST_ENTRY ProcessCtxList;
  HANDLE ProcessId;
  _QWORD CreationTime;
  PUNICODE_STRING ProcessCmdLine;
  volatile signed __int32 RefCount;
  _DWORD ProcessFlags;              // MP_PROCESS_CTX_FLAGS bits, presumably
  _DWORD ProcessRules;              // MP_PROCESS_CTX_RULES bits, presumably
  _QWORD CodeInjectionTargetMask;
  _QWORD CodeInjectionRequestMask;
  MP_DOC_RULE *pDocRule;            // declared in WdFilter.h
  // Hook invoked with the filter callback data and the stream context of the
  // file being opened; the name suggests it runs before the scan for csrss.
  BOOLEAN (__fastcall *pCsrssPreScanHook)(PFLT_CALLBACK_DATA, FltStreamCtx *);
  int field_60;
  int NotificationsSent;
  int InjectionsHandlesCount;
  int field_6C;
  PVOID Wow64CpuImageBase;
  int ProcessSubsystemInformation;
  PUNICODE_STRING ImageFileName;
  // Two 16-byte blobs; ObProcessHandleMessage carries the same pair of
  // 16-byte HipRule/HipRule1 members, so these are likely copied into it.
  BYTE HipRules[16];
  BYTE HipRules1[16];
  __int64 field_A8;
  __int64 field_B0;
  _PS_PROTECTION ProcessProtection;
  int StreamHandleCtxCount;
} ProcessCtx, *PProcessCtx;

// List node that points at a ProcessCtx. IDA's __shifted(T, 8) annotation
// marks a pointer that lands 8 bytes into a T rather than at its start.
typedef struct _MP_PROCESS_CTX_LIST_ENTRY
{
  __int16 Magic;
  __int16 Size;
  int field_4;
  PVOID *__shifted(MP_PROCESS_CTX_LIST_ENTRY,8) *PrevEntry;
  PProcessCtx ProcessCtx;
} MP_PROCESS_CTX_LIST_ENTRY, *PMP_PROCESS_CTX_LIST_ENTRY;

// Registry Contexts

// Per-operation registry callback context. Operation is a union whose active
// member presumably depends on the registry operation being handled; the
// union type is declared after this struct (order kept from the export).
// NOTE(review): CurrentThread and KeyName are typed __int64 here although
// the names suggest pointers — verify against the decompilation.
typedef struct _KeyCtx
{
  USHORT Magic;
  USHORT Size;
  PVOID FreeKeyCtx;
  __int64 CurrentThread;
  __int64 KeyName;
  union TypeOfOperation Operation;
} KeyCtx, *PKeyCtx;

// One member per registry operation that gets its own context.
// NOTE(review): the ": __int32" base-type syntax and the missing ';' after the
// closing brace are as exported; both need fixing before this is valid C.
union TypeOfOperation : __int32
{
  CreateKeyCtx CreateKey;
  RenameKeyCtx RenameKey;
  SetValueKeyCtx SetValueKey;
  DeleteValueKeyCtx DeleteValueKey;
  DeleteKeyCtx DeleteKey;
}

// Operation-specific payloads for KeyCtx.Operation. Each carries the match
// info (MP_REG_MATCH_INFO in WdFilter.h) for the key being operated on.
struct CreateKeyCtx
{
  PMP_REG_MATCH_INFO MatchInfo;
};

struct RenameKeyCtx
{
  PUNICODE_STRING RegKeyName;
  PMP_REG_MATCH_INFO MatchInfo;
};

struct SetValueKeyCtx
{
  PKEY_VALUE_PARTIAL_INFORMATION KeyValueInfo;
  _DWORD KeyType;
  PMP_REG_MATCH_INFO MatchInfo;
};

struct DeleteValueKeyCtx
{
  PUNICODE_STRING ValueName;
  PMP_REG_MATCH_INFO MatchInfo;
};

// NOTE(review): PMP_REG_MATCHING_INFO is not declared in any of these
// headers; the other *KeyCtx structs use PMP_REG_MATCH_INFO, so this is
// most likely the same type under a stale name.
struct DeleteKeyCtx
{
  PMP_REG_MATCHING_INFO MatchInfo;
};


// Filtering Contexts - https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/managing-contexts

// Per-volume instance context: volume identity (name, GUID name, GUID,
// filesystem type), the list heads for this instance's stream and
// transaction contexts, and a generic table guarded by its own ERESOURCE.
typedef struct _FltInstanceCtx
{
  _WORD Magic;
  _WORD Size;
  int field_4;
  LIST_ENTRY AnotherListEntry;
  UNICODE_STRING VolumeName;
  _UNICODE_STRING VolumeGuidName;
  GUID VolumeGuid;
  __int64 field_48;
  _DWORD InstanceFlags;
  int field_54;
  unsigned __int16 unsigned58;
  _DWORD dword5C;
  _DWORD dword60;
  int field_64;
  const PFLT_INSTANCE Instance;
  const PFLT_VOLUME Volume;
  FLT_FILESYSTEM_TYPE VolumeFileSystemType;
  _DWORD VolumeDeviceType;
  LIST_ENTRY StreamCtxList;
  int gap90;
  int field_94;
  LIST_ENTRY field_98;
  RTL_GENERIC_TABLE RtlGenericTable;
  int LimitSizeAVLTree;
  int GenericTableElementsCount;
  ERESOURCE FileStateGenericTableResource;
  _ERESOURCE InstanceExResource;
  LIST_ENTRY TransactionCtxList;
  PFLT_GENERIC_WORKITEM GenericWorkItem;
  union _SLIST_HEADER SingleListEntry;
  _DWORD dword1F0;
  PVOID qword1F8;
  char field_200;
} FltInstanceCtx, *PFltInstanceCtx;

// Transacted (TxF) stream context. Mostly unresolved; only the back-pointer
// to the instance context, the FltMgr context pointer and a volatile counter
// are named.
typedef struct _TxfStreamCtx
{
  LIST_ENTRY StreamCtxList;
  __int64 field_10;
  _DWORD dword18;
  int field_1C;
  _QWORD qword20;
  __int64 gap28;
  volatile signed __int32 volatile30;
  int field_34;
  _QWORD qword38;
  PFLT_CONTEXT pFltContext;
  __int64 field_48;
  __int64 field_50;
  __int64 field_58;
  __int64 field_60;
  __int64 field_68;
  __int64 field_70;
  __int64 field_78;
  FltInstanceCtx *pFltInstanceCtx;
  __int64 field_88;
  __int64 field_90;
  PUNICODE_STRING field_98;
  PVOID field_A0;
  __int64 field_A8;
} TxfStreamCtx, *PTxfStreamCtx;


// Per-handle (per-open) context: records which thread and which process
// context opened the stream plus the access-state flags of that open.
typedef struct _FltStreamHandleCtx
{
  __int16 Magic;
  __int16 Size;
  int field_4;
  __int64 field_8;
  PKTHREAD CurrentThread;
  ProcessCtx *pProcessCtx;
  int gap20;
  int AccessStateFlags;
  UNICODE_STRING SomeUnicodeString;
} FltStreamHandleCtx, *PFltStreamHandleCtx;


// Per-stream context: links back to its instance context and into the
// instance's StreamCtxList, and keeps the file object, file id, an event and
// a lock word for the stream. StreamCtxRules is a rule bitmask by name only;
// its bit meanings are not in these headers.
typedef struct _FltStreamCtx
{
  _WORD Magic;
  _WORD Size;
  FltInstanceCtx *pFltInstanceCtx;
  LIST_ENTRY StreamCtxList;
  _DWORD dword20;
  int field_24;
  __int64 field_28;
  _DWORD StreamCtxRules;
  _DWORD dword34;
  LIST_ENTRY char38;                // IDA placeholder name kept; type is LIST_ENTRY
  PFILE_OBJECT pFileObject;
  PKTHREAD CurrentThread;
  __int64 field_58;
  __int64 field_60;
  __int64 field_68;
  __int64 field_70;
  __int64 field_78;
  __int64 field_80;
  __int64 field_88;
  PKEVENT StreamCtxEvent;
  PVOID field_98;
  int IoPriority;
  _BYTE byteA4;
  _QWORD FileId;
  _QWORD qwordB0;
  unsigned __int64 StreamCtxLock;
  PVOID field_C0;
  __int64 field_C8;
  __int64 field_D0;
  __int64 field_D8;
  __int64 field_E0;
  __int64 field_E8;
  PVOID field_F0;
} FltStreamCtx, *PFltStreamCtx;


// Section context: only the common header plus one unresolved dword.
typedef struct _FltSectionCtx
{
  _WORD Magic;
  _WORD Size;
  int dword4;
} FltSectionCtx, *PFltSectionCtx;


// Transaction context: linked into FltInstanceCtx.TransactionCtxList and
// identified by the transaction GUID (kept both as GUID and as string).
typedef struct _FltTransactionCtx
{
  __int16 Magic;
  _WORD Size;
  _ERESOURCE ExResource;
  LIST_ENTRY TransactionCtxList;
  FltInstanceCtx *pFltInstanceCtx;
  LIST_ENTRY qword88;
  PUNICODE_STRING pGuidString;
  const GUID *const pGuid;
  int field_A8;
} FltTransactionCtx, *PFltTransactionCtx;
--------------------------------------------------------------------------------
/Notifications.h:
--------------------------------------------------------------------------------
/*
    This header file contains everything related to and necessary
    for sending and receiving notifications.
*/

// Async Messages

// Queue node for one asynchronous notification. pBuffer is a shifted pointer
// into the AsyncMessageData it wraps (8 bytes past its start) and BufferSize
// is that buffer's size.
typedef struct _MP_ASYNC_NOTIFICATIONS
{
  USHORT Magic;
  USHORT Size;
  LIST_ENTRY AsyncNotificationsList;
  PVOID *__shifted(AsyncMessageData,8) pBuffer;
  _DWORD BufferSize;
} MP_ASYNC_NOTIFICATIONS, *PMP_ASYNC_NOTIFICATIONS;

// Header of an asynchronous message. TypeOfOperation presumably selects which
// TypeOfMessage member is valid and SizeOfData how much of it is used.
struct AsyncMessageData
{
  int Magic;
  int Size;
  __int64 NotificationNumber;
  _DWORD SizeOfData;
  int RefCount;
  MP_ASYNC_NOTIFICATION_OPERATION TypeOfOperation;
  union TypeOfMessage TypeOfMessage;
};

// Payload variants of an async message. Not every MP_ASYNC_NOTIFICATION_OPERATION
// value has a member here (e.g. RegistryEvent, SendFile, LoadImage), so the
// union is incomplete as exported. The member name CheckJournal also appears
// as an enumerator below; legal in C (separate name spaces) but easy to confuse.
union TypeOfMessage
{
  ImageLoadAndProcessNotifyMessage ImageLoadAndProcessNotify;
  TrustedOrUntrustedProcessMessage TrustedProcess;
  ThreadNotifyMessage ThreadNotify;
  CheckJournalMessage CheckJournal;
  Wow64CpuLoadMessage Wow64CpuLoad;
  ObDesktopHandleMessage ObDesktopHandle;
  ObProcessHandleMessage ObProcessHandle;
};

// Async notification type codes. 0xA and 0x12 are not named in this export.
enum MP_ASYNC_NOTIFICATION_OPERATION : __int32
{
  CreateProcess = 0x0,
  RegistryEvent = 0x1,
  SendFile = 0x2,
  LoadImage = 0x3,
  OpenProcess = 0x4,
  RawVolumeWrite = 0x5,
  CreateThread = 0x6,
  DocOpen = 0x7,
  PostMount = 0x8,
  OpenDesktop = 0x9,
  PanicMode = 0xB,
  CheckJournal = 0xC,
  TrustedOrUntrustedProcess = 0xD,
  LogPrint = 0xE,
  Wow64cpuLoad = 0xF,
  OpenWithoutRead = 0x10,
  EventsWorker = 0x11,
  DlpOnFileObjectClose = 0x13,
};

// Process-creation / image-load notification. The image file name and command
// line are not inline: the *Length/OffsetTo* pairs presumably locate them in
// data that follows the fixed part of the message. Token elevation type,
// elevation and integrity level of the new process travel with it.
struct ImageLoadAndProcessNotifyMessage
{
  AuxPidCreationTime ParentProcess;
  AuxPidCreationTime CurrentProcess;
  _BYTE CreationFlag;
  _BYTE ProcessFlags;
  int field_20;
  _DWORD FileNameLength;
  _DWORD OffsetToImageFileName;
  _DWORD SessionId;
  _DWORD CommandLineLenght;         // name kept as exported (sic)
  _DWORD OffsetToCommandLine;
  _DWORD TokenElevationType;
  _DWORD TokenElevation;
  _DWORD TokenIntegrityLevel;
  int Unk;
  AuxPidCreationTime CreatorProcess;
};

// NOTE(review): ImageFileName is 15 WCHARs here but 16 in ThreadNotifyMessage;
// one of the two may be an export artefact — verify against the binary.
struct TrustedOrUntrustedProcessMessage
{
  BYTE UntrustedFlag;
  WCHAR ImageFileName[15];
};

// Thread-creation notification: the creating process/thread and the process
// the new thread belongs to (the two differ for remote thread creation).
struct ThreadNotifyMessage
{
  AuxPidCreationTime CurrentProcess;
  int CurrentThreadId;
  AuxPidCreationTime CreatedThreadProcess;
  AuxTidCreationTime CreatedThread;
  WCHAR ImageFileName[16];
};

// USN-journal related FSCTL on a given volume.
struct CheckJournalMessage
{
  int FsControlCode;
  GUID VolumeGuid;
};

// wow64cpu.dll load notification (see ImageWow64cpu / Wow64CpuImageBase in
// ProcessCtx).
struct Wow64CpuLoadMessage
{
  int ProcessId;
  int ThreadId;
  __int64 Wow64CpuImageBase;
};

// Desktop-handle operation seen through the object callbacks (MP_DATA holds
// the ObRegisterCallbacks pointer). Operation and KernelHandleFlag are single
// bytes; DesiredAccess is the requested access mask by name.
struct ObDesktopHandleMessage
{
  AuxPidCreationTime Process;
  int ThreadId;
  int SessionId;
  char Operation;
  char KernelHandleFlag;
  int DesiredAccess;
  PWCHAR ObjectName;
};

// Process-handle operation seen through the object callbacks. Both image file
// names are located by length/offset pairs (same scheme as
// ImageLoadAndProcessNotifyMessage); HipRule/HipRule1 mirror the two 16-byte
// HipRules blobs in ProcessCtx. NotificationReason says why the event was
// reported (MP_OB_NOTIFICATION_REASON).
struct ObProcessHandleMessage
{
  AuxPidCreationTime Process;
  AuxPidCreationTime TargetProcess;
  int SessionId;
  int FinalDesiredAccess;
  int FileNameLen;
  int FileNameOffset;
  int TargeFileNameLen;             // names kept as exported (sic)
  int TargeFileNameOffset;
  BYTE HipRule[16];
  BYTE HipRule1[16];
  int Unk;
  MP_OB_NOTIFICATION_REASON NotificationReason;
};

// Bit flags for ObProcessHandleMessage.NotificationReason. The names line up
// with the AllowedToInjectCode / AllowedToQuerySuspendResume rules in
// MP_PROCESS_CTX_RULES (Context.h).
enum MP_OB_NOTIFICATION_REASON
{
  DesiredAccessModified = 0x1,
  AllowCodeInjectionHIPSTrigger = 0x2,
  QuerySuspendResumeHIPSTrigger = 0x4,
  SameDesiredAccesAndAllowCodeInjectionHIPSTrigger = 0x8,
  SameDesiredAccessAndQuerySuspendResumeHIPSTrigger = 0x10,
};

// Sync messages

// Header of a synchronous message (one the driver waits on a reply for).
// SizeHeader covers the fixed part, TotalSize the whole message, presumably.
typedef struct _SyncMessageData
{
  __int16 Magic;
  __int16 SizeHeader;
  _DWORD TotalSize;
  MP_IO_PRIORITY MpIoPriority;
  MP_SYNC_NOTIFICATION_OPERATION TypeOfOperation;
  AuxPidCreationTime CurrentProcess;
  int SizeOfData;
  union TypeOfMessageSync TypeOfMessage;
} SyncMessageData, *PSyncMessageData;

// Payload variants of a sync message. Only the thread-notification shapes
// are resolved; the image-load and registry variants have no member here.
union TypeOfMessageSync
{
  ThreadNotifySyncMessage ThreadNotify;
  ThreadNotifyCmdLine ThreadNotifyCmdLine[2];
};

// Sync notification type codes. 0x4 is not named in this export.
enum MP_SYNC_NOTIFICATION_OPERATION
{
  NewImageLoadPerStream = 0x1,
  RegistryEventSync = 0x2,
  NewThreadDifferentProcess = 0x3,
  NewImageLoadPerProcess = 0x5,
  NewThreadSameProcess = 0x6,
  NewThreadAndCmdLine = 0x7,
};


// Per-operation sync bookkeeping; MP_DATA keeps an array of 8 of these
// alongside per-operation counters (SyncNotifications[8] in WdFilter.h).
struct MP_SYNC_NOTIFICATIONS_STATUS
{
  __int64 Timestamp;
  int NotificationsCount;
};

// Sync thread-creation notification; carries the thread start address, which
// the async ThreadNotifyMessage does not.
struct ThreadNotifySyncMessage
{
  AuxTidCreationTime CreatedThread;
  AuxTidCreationTime CurrentThread;
  AuxPidCreationTime Process;
  __int64 VariableData;
  PVOID ThreadStartAddress;
};

// Command-line pair sent with NewThreadAndCmdLine (TypeOfMessageSync holds two).
struct ThreadNotifyCmdLine
{
  PUNICODE_STRING ProcessCtxCmdLine;
  PVOID ProcessCmdLineInformation;
};

/* 736 */   // NOTE(review): looks like the IDA local-type ordinal left in by the export
// Reply received for a sync message; only the operation type is resolved.
struct ReplySyncMessage
{
  __int64 field_0;
  int OperationType;
  int field_C;
  int field_10;
};


// User-Mode Messages

// Request codes sent from user mode over the filter ports. MP_OPERATIONS_N
// are placeholders for codes whose purpose was not identified. Which port
// accepts which code, and how the caller is authorized, is not visible in
// these headers (MP_DATA holds the ports and the service SIDs).
enum MP_OPERATIONS
{
  MP_OPERATIONS_0 = 0x0,
  MP_OPERATIONS_1 = 0x1,
  CREATE_SECTION_FOR_SCAN = 0x2,
  QUERY_NAME = 0x3,
  PURGE_CACHE = 0x4,
  QUERY_STATISTICS = 0x5,
  QUERY_NAME_1 = 0x6,
  SET_PROCESS_EXCLUSION = 0x7,
  SET_VOLUME_EXCLUSION = 0x8,
  MP_OPERATIONS_9 = 0x9,
  REG_UPDATE_DATA = 0xA,
  SET_MONITOR_FLAGS = 0xB,
  QUERY_DOS_NAME = 0xC,
  SET_FILES_TIMEOUT = 0xD,
  MP_OPERATIONS_E = 0xE,
  MP_OPERATIONS_F = 0xF,
  MP_OPERATIONS_10 = 0x10,
  SET_DOC_OPEN_RULE = 0x11,
  QUERY_LOADED_DRIVERS = 0x12,
  MP_OPERATIONS_13 = 0x13,
  QUERY_FILE_USN = 0x14,
  QUERY_MOTW_ADS = 0x15,
  REGISTER_THREAD_BOOST = 0x16,
  MP_OPERATIONS_17 = 0x17,
  QUERY_TRUSTED_AND_UNTRUSTED_PROCESS = 0x18,
  QUERY_RUNTIME_DRIVERS = 0x19,
  SET_PROCESS_INFO = 0x1A,
  REGISTER_FRIENDLY_PROCESS = 0x1B,
  WRITE_BOOT_SECTOR = 0x1C,
  MP_OPERATIONS_1D = 0x1D,
  UPDATE_FG_USER_DATA = 0x1E,
  MP_OPERATIONS_1F = 0x1F,
  UPDATE_SYNC_MONITOR_CONFIG = 0x20,
  MP_OPERATIONS_21 = 0x21,
  SET_DATA_LOSS_PREVENTION = 0x22,
};

// Reply received for an async message. AccessDenied is the only resolved
// verdict field. NOTE(review): Magic is a single char here whereas every
// other header uses a 16-bit Magic — verify the layout.
struct ReplyAsyncMessage
{
  char Magic;
  __int16 Size;
  __int64 field_8;
  __int64 field_10;
  __int64 field_18;
  __int64 field_20;
  __int64 field_28;
  __int64 field_30;
  __int64 field_38;
  __int64 field_40;
  char AccessDenied;
  __int64 field_50;
  __int64 field_58;
};

// Reg Notification

// Registry event as handed to the notification path: old/new key, value and
// file names, the old and new value data with their types and sizes, the
// resulting key rules (MP_REG_RULES bits, presumably) and the match info.
// NOTE(review): ValueData is __int64 while NewValueData is PVOID; if both are
// buffer pointers the first type is probably an export artefact.
struct RegNotification
{
  PVOID KeyObject;
  PUNICODE_STRING KeyName;
  PUNICODE_STRING ValueName;
  PUNICODE_STRING NewKeyName;
  PUNICODE_STRING OldFileName;
  PUNICODE_STRING NewFileName;
  int ValueType;
  int ValueDataSize;
  __int64 ValueData;
  int NewValueType;
  int NewValueDataSize;
  _DWORD RegRestoreFlags;
  PVOID NewValueData;
  int FinalKeyRules;
  MP_REG_MATCH_INFO *MatchInfo;
};
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# WdFilter-Research - [WIP]
> ### **Disclaimer! Still very incomplete**

Data and structures regarding the research done on WdFilter. Structures are exported directly from IDA and have minor modifications, if you plan to use them for anything else than reversing you should consider unifying data types, because right now there's a complete mess.

For more information: [WdFilter Research](https://n4r1b.netlify.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/)
--------------------------------------------------------------------------------
/WdFilter.h:
--------------------------------------------------------------------------------
/*
    This header file contains the main structures used by WdFilter.
*/

// Global driver state. Holds the driver/filter objects, a table of kernel and
// FltMgr routine pointers (named after the exports they point at; how they
// are resolved is not visible here), the five FltProtection* communication
// ports with their server-side cookies, the service/TrustedInstaller SIDs,
// the per-object lookaside lists, the list heads for instance/stream
// contexts, and the sync-notification statistics arrays (one slot per
// MP_SYNC_NOTIFICATION_OPERATION, 8 slots).
// NOTE(review): "typedef struc" is a typo for "typedef struct", kept as
// exported.
typedef struc _MP_DATA
{
  SHORT Magic;
  SHORT StructSize;
  PDRIVER_OBJECT pDriverObject;
  PFLT_FILTER MpFilter;
  NTSTATUS (__fastcall *pPsSetCreateProcessNotifyRoutineEx)(PCREATE_PROCESS_NOTIFY_ROUTINE_EX, BOOLEAN);
  NTSTATUS (__fastcall *pPsSetCreateProcessNotifyRoutineEx2)(PSCREATEPROCESSNOTIFYTYPE, PVOID, BOOLEAN);
  NTSTATUS (__fastcall *pPsSetCreateThreadNotifyRoutineEx)(PSCREATETHREADNOTIFYTYPE, PVOID);
  NTSTATUS (__fastcall *pObRegisterCallbacks)(POB_CALLBACK_REGISTRATION, PVOID *);
  void (__stdcall *pObUnRegisterCallbacks)(PVOID);
  NTSTATUS (__fastcall *pFltRegisterForDataScan)(const PFLT_INSTANCE);
  NTSTATUS (__fastcall *pFltCreateSectionForDataScan)(PFLT_INSTANCE Instance, PFILE_OBJECT FileObject, PFLT_CONTEXT SectionContext, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, ULONG Flags, PHANDLE SectionHandle, PVOID *SectionObject, PLARGE_INTEGER SectionFileSize);
  NTSTATUS (__fastcall *pFltCloseSectionForDataScan)(PFLT_CONTEXT);
  NTSTATUS (__fastcall *pFltRequestFileInfoOnCreateCompletion)(PFLT_FILTER, PFLT_CALLBACK_DATA, ULONG);
  PVOID (__fastcall *pFltRetrieveFileInfoOnCreateCompletion)(PFLT_FILTER Filter, PFLT_CALLBACK_DATA Data, ULONG InfoClass, PULONG Size);
  NTSTATUS (__fastcall *pFsRtlQueryCachedVdl)(PFILE_OBJECT FileObject, PLONGLONG Vdl);
  PVOID pIoBoostThreadIo;
  PVOID pKeSetActualBasePriorityThread;
  PVOID pSeGetCachedSigningLevel;
  PIO_FOEXT_SILO_PARAMETERS (__fastcall *pIoGetSiloParameters)(const PFILE_OBJECT);
  char field_90;
  char PanicModeFlag;               // see PanicMode in MP_ASYNC_NOTIFICATION_OPERATION
  char field_92;
  char field_93;
  int ScannedFilesCount;
  int field_98;
  int field_9C;
  PEPROCESS MsMpEngProcess;         // the engine process (MsMpEngProcess flag in Context.h)
  HANDLE MsMpEngProcessId;
  int ConnectionPortCookieSet;
  // Communication ports, each paired with the cookie of its server side.
  PFLT_PORT FltProtectionControlPort;
  PFLT_PORT ProtectionControlPortServerCookie;
  PFLT_PORT FltProtectionPort;
  PFLT_PORT ProtectionPortServerCookie;
  PFLT_PORT FltProtectionVeryLowIoPort;
  PFLT_PORT ProtectionVeryLowIoServerCookie;
  PFLT_PORT FltProtectionRemoteIoPort;
  PFLT_PORT ProtectionRemoteIoServerCookie;
  PFLT_PORT FltProtectionAsyncPort;
  PFLT_PORT ProtectionAsyncServerCookie;
  int SomeScanFileFlag;
  int SendSyncNotificationFlag;
  KSEMAPHORE ScanFileSemaphore1;
  KSEMAPHORE ScanFileSempahore2;    // name kept as exported (sic)
  KSEMAPHORE SendingSyncSemaphore;
  PVOID pBootSectorCache;
  LIST_ENTRY FltInstanceCtxList;
  LIST_ENTRY FltStreamCtxList;
  PCWSTR RegistryParametersPath;
  char DriverVerifiedFlag;
  char field_1A1;
  char field_1A2;
  char field_1A3;
  int VerifyDriverLevelValue;
  __int64 ResetTimer;
  int FileScanConsecutiveTimeoutsCount;
  int field_1B4;
  KDPC WdFilterDPC;
  KTIMER WdFilterTimer;
  ERESOURCE MpDataResource;
  __int64 AsyncNotificationCount;
  int OsVersionMask;
  int MonitorFlags;
  __int64 field_2B0;
  __int64 field_2B8;
  PAGED_LOOKASIDE_LIST CompletionContextLookaside;
  NPAGED_LOOKASIDE_LIST WriteContextLookaside;
  NPAGED_LOOKASIDE_LIST field_3C0;
  PAGED_LOOKASIDE_LIST InstanceContextLookaside;
  PAGED_LOOKASIDE_LIST FltInputMessagesLookaside;
  PAGED_LOOKASIDE_LIST FltOutputMessagesLookaside;
  ULONG MpFilterEcpSize;
  __int64 field_5C8;
  __int64 field_5D0;
  __int64 field_5D8;
  __int64 field_5E0;
  __int64 field_5E8;
  __int64 field_5F0;
  __int64 field_5F8;
  NPAGED_LOOKASIDE_LIST ExtraCreateParamsLookaside;
  PVOID ObRegistrationHandle;
  // SIDs the driver keeps around; presumably compared against port clients
  // and/or process tokens (MpServiceSidProcess flag in Context.h).
  PSID MpServiceSID;
  PSID NriServiceSID;
  PSID TrustedInstallerSID;
  int MaxLocalScanTimeout;          // same names as in MP_CONFIG
  int MaxNetworkScanTimeout;
  int field_6A8;
  int ObAndRegCallbackUnset;
  char RawVolumeWriteFlag;
  char MpOrWdFlag;
  char field_6B2;
  char field_6B3;
  int field_6B4;
  PVOID PowerSettingCbHandle;
  char LowPowerEpochOn;
  char field_6C1;
  char field_6C2;
  char field_6C3;
  int field_6C4;
  __int64 MachineUptime;
  MP_CSRSS_HOOK_DATA *pCsrssHookData;
  PCALLBACK_OBJECT pProcessNotificationCallback;
  PCALLBACK_OBJECT pNriNotificationCallback;
  __int64 NriNotificationCallbackHandle;
  __int64 field_6F0;
  __int64 field_6F8;
  LIST_ENTRY field_700;
  FAST_MUTEX MpDataFastMutex;
  __int64 field_748;
  __int64 field_750;
  __int64 field_758;
  __int64 field_760;
  __int64 field_768;
  __int64 field_770;
  __int64 field_778;
  PAGED_LOOKASIDE_LIST PagedLookasideMPbc;
  int field_800;
  int field_804;
  __int64 field_808;
  __int64 field_810;
  __int64 field_818;
  __int64 field_820;
  __int64 field_828;
  __int64 field_830;
  __int64 field_838;
  __int64 field_840;
  __int64 field_848;
  __int64 field_850;
  __int64 field_858;
  __int64 field_860;
  int CsvFileStateCacheType;
  int FileStateCachePolicy;
  __int64 field_870;
  int field_878;
  int field_87C;
  int CounterFileSystemTypeCSVFS;
  int field_884;
  int field_888;
  int RefsFileStateCacheType;
  int FileStateCachePolicy1;
  __int64 field_898;
  int field_8A0;
  int field_8A4;
  int CounterFileSystemTypeREFS;
  int field_8AC;
  int field_8B0;
  // FltSendMessage bookkeeping: last timestamp, count and the last failure
  // classes (error, timeout, reply-buffer mismatch).
  __int64 FltSendMessageTimeStamp;
  int FltSendMessageCount;
  int field_8C4;
  int SomethingWithSettingProcessInfo;
  int FltSendMessageError;
  int FltSendMessageErrorCode;
  int FltSendMessageStatusTimeout;
  int FltSendMessageReplyBufferMismatch;
  int AllowFilterManualDetach;      // mirrors MP_CONFIG.AllowManualDetach
  LIST_ENTRY BootScanCtxList;
  ERESOURCE ExResource1;
  ERESOURCE ExResource2;
  int field_9C0;
  int field_9C4;
  PUNICODE_STRING SystemRootPath;
  int field_9D0;
  int field_9D4;
  char OpenWithoutReadNotificationFlag;
  RTL_GENERIC_TABLE RtlGenericTable;
  FAST_MUTEX WdFilterGenericTableMutex;
  // Per-operation sync notification statistics, indexed by operation
  // (8 slots; MP_SYNC_NOTIFICATION_OPERATION values go up to 0x7).
  MP_SYNC_NOTIFICATIONS_STATUS SyncNotifications[8];
  signed __int32 SyncNotificationRecvCount[8];
  signed __int32 ErrorSyncNotificationsCount[8];
  signed __int32 ErrorSyncNotificationsStatus[8];
  signed __int32 SyncNotificationsIoTimeoutCount[8];
  signed __int32 SyncNotificationsRecvErrorCount[8];
  int SyncMonitorNotificationFlag;
  int field_B84;
  __int64 SyncMonitorNotificationTimeout;
  __int64 RandNumber;
  char MpEaString[256];
  int AsyncDirectoryNotificationFlag;
  char DataLossPreventionFlag;      // see SET_DATA_LOSS_PREVENTION / DlpOnFileObjectClose
  char field_C9D;
  char field_C9E;
  char field_C9F;
  __int64 field_CA0;
  __int64 field_CA8;
  __int64 field_CB0;
  __int64 field_CB8;
} MP_DATA, *PMP_DATA;

// Process table: owns the lookasides for ProcessCtx and its list entries and a
// pointer to a 128-slot array of list heads (shifted pointers into ProcessCtx).
// NOTE(review): 128 slots looks like a bucket array — presumably indexed by a
// hash of the PID; confirm against the lookup code.
typedef struct _MP_PROCESS_TABLE
{
  __int16 Magic;
  __int16 Size;
  ERESOURCE ExResource;
  PAGED_LOOKASIDE_LIST ProcessCtxLookaside;
  PAGED_LOOKASIDE_LIST ProcessCtxListLookaside;
  LIST_ENTRY *__shifted(ProcessCtx,8) (*ProcessCtxArray)[128];
  KEVENT ProcessTableEvent;
  _DWORD BeingAccessed;
  int TrustedProcessCtxCounter;
  int UntrustedProcessCtxCounter;
  int Unk;
  int CreateThreadNotifyLock;
} MP_PROCESS_TABLE, *PMP_PROCESS_TABLE;

// Registry-callback state: the CmRegisterCallback cookie, the CmCallback*
// routine pointers, the service-key hardening list, and one lookaside per
// KeyCtx operation type (matching the *KeyCtx structs in Context.h).
typedef struct _MP_REG_DATA
{
  __int16 Magic;
  __int16 Size;
  ULONG_PTR RegDataPushLock;
  PVOID field_10;
  int field_18;
  int field_1C;
  NTSTATUS (__fastcall *pCmCallbackGetKeyObjectIDEx)(PLARGE_INTEGER Cookie, PVOID Object, PULONG_PTR ObjectID, PCUNICODE_STRING *ObjectName, ULONG Flags);
  void (__fastcall *pCmCallbackReleaseKeyObjectIDEx)(PCUNICODE_STRING ObjectName);
  LARGE_INTEGER CmCallbackGetKeyCookie;
  __int64 field_38;
  PAGED_LOOKASIDE_LIST NotificationsLookaside;
  FAST_MUTEX CmUnregisterFastMutex;
  LARGE_INTEGER CmRegisterCallbackCookie;
  int HardeningCbUnsetFlag;
  UNICODE_STRING LoadAppInitString;
  LIST_ENTRY ServiceKeyHardeningList;   // nodes are MP_SERVICE_HARDENING
  FAST_MUTEX CallCtxFastMutex;
  LIST_ENTRY CallCtxList;
  __int64 field_170;
  __int64 field_178;
  PAGED_LOOKASIDE_LIST CreateKeyCtxLookaside;
  PAGED_LOOKASIDE_LIST SetValueKeyCtxLookaside;
  PAGED_LOOKASIDE_LIST DeleteValueKeyCtxLookaside;
  PAGED_LOOKASIDE_LIST DeleteKeyCtxLookaside;
  PAGED_LOOKASIDE_LIST RegDataEntry;
  PAGED_LOOKASIDE_LIST KeyNamesLookaside;
  PAGED_LOOKASIDE_LIST RenameKeyCtxLookaside;
} MP_REG_DATA, *PMP_REG_DATA;

// Tunable configuration (timeouts, limits, feature switches). Several names
// reappear in MP_DATA, so values are presumably copied there after load.
typedef struct _MP_CONFIG
{
  int ResetToUnknownTimer;
  int MaxLocalScanTimeout;
  int MaxNetworkScanTimeout;
  int MaxProcessCreationMessageTimeout;
  int MaxConsecutiveTimeoutsUntilPassThrough;
  int StartScanningAgainTimer;
  int DebugPassthroughEnabled;
  ULONG MaxAsyncNotificationCount;
  int AsyncStarvationLimit;
  int AsyncTimeout;
  int AllowManualDetach;
  int MaxCopyCacheSize;
  int KnownBadHashSize;
  char DirectionalScanningNonNTFS;
  char DisableQueryNameNormalize;
  char ThreadBoostingFlag;
  int CsvFileStateCacheType;
  int RefsFileStateCacheType;
  int FileStateCachePolicy;
  int DisableReadHooking;
  int FolderGuardDispatchTimer;
  int FolderGuardDispatchLimit;
  int DisableTransactionCallback;
  __int64 BreakOnStream;
} MP_CONFIG, *PMP_CONFIG;

// One row of a config-parameter table: a name, a pointer into MP_CONFIG and a
// default. NOTE(review): Name as PVOID* and pMpConfig as PMP_CONFIG* are both
// doubly indirect, which looks like an export artefact — the member is more
// plausibly a pointer to a specific MP_CONFIG field; verify.
typedef struct _MP_CONFIG_PARAMS
{
  PVOID *Name;
  PMP_CONFIG *pMpConfig;
  __int64 DefaultData;
} MP_CONFIG_PARAMS, *PMP_CONFIG_PARAMS;

// Process exclusion state: a resource plus the heads of the excluded-process
// and hardening-excluded lists (node types declared further down).
typedef struct _MP_PROCESS_EXCLUSION
{
  ERESOURCE ProcessExclusionResource;
  PMP_PROCESS_EXCLUDED ProcessExclusionList;
  PMP_PROCESS_HARDENING_EXCLUDED ProcessHardenedExclusionList;
} MP_PROCESS_EXCLUSION, *PMP_PROCESS_EXCLUSION;

// Async notification dispatcher state: two queues (high priority and normal),
// the worker thread that drains them, its event/semaphore, and byte counters
// for sent and still-queued notifications.
typedef struct _MP_ASYNC
{
  __int16 Magic;
  __int16 StructSize;
  LIST_ENTRY HighPriorityNotificationsList;
  LIST_ENTRY NotificationsList;
  PETHREAD WorkerThread;
  KEVENT AsyncNotificationEvent;
  KSEMAPHORE AsyncSemaphore;
  FAST_MUTEX FastMutex;
  int NotificationsCount;
  __int64 field_A8;
  __int64 field_B0;
  __int64 field_B8;
  PAGED_LOOKASIDE_LIST AsyncNotificationsLookaside;   // MP_ASYNC_NOTIFICATIONS nodes, presumably
  __int64 TotalSizeAsyncMessageSent;
  __int64 TotalSizeRemainingNotifications;
  int AsyncMessagesFailed;
  __int64 field_158;
  __int64 field_160;
  __int64 field_168;
  __int64 field_170;
  __int64 field_178;
} MP_ASYNC, *PMP_ASYNC;

// Document-open rules: a singly linked list of MP_DOC_RULE (shifted pointer,
// 8 bytes in), guarded by DocRulesResource.
typedef struct _MP_DOC_OPEN_RULES
{
  SHORT Magic;
  SHORT StructSize;
  SINGLE_LIST_ENTRY *__shifted(MP_DOC_RULE,8) DocObjectsList;
  ERESOURCE DocRulesResource;
  struct _PAGED_LOOKASIDE_LIST DocObjectsLookasideList;
} MP_DOC_OPEN_RULES, *PMP_DOC_OPEN_RULES;

// Loaded/boot driver inventory (ELAM side): signature version, the
// loaded-driver and boot-process lists, the image-verification callback
// registration, and the runtime driver list/array.
typedef struct _MP_DRIVERS_INFO
{
  int Status;
  BYTE field_4[8];
  int ElamSignaturesMajorVer;
  int ElamSignatureMinorVer;
  LIST_ENTRY LoadedDriversList;     // nodes are MP_DRIVER_INFO, presumably
  PSLIST_ENTRY ElamRegistryEntries;
  LIST_ENTRY BootProcessList;       // nodes are MP_BOOT_PROCESS, presumably
  PCALLBACK_OBJECT CallbackObject;
  PVOID BootDriverCallbackRegistration;
  struct _FAST_MUTEX DriversInfoFastMutex;
  int TotalDriverEntriesLenght;     // name kept as exported (sic)
  NTSTATUS (__fastcall *pSeRegisterImageVerificationCallback)(SE_IMAGE_TYPE, SE_IMAGE_VERIFICATION_CALLBACK_TYPE, PSE_IMAGE_VERIFICATION_CALLBACK_FUNCTION, PVOID, SE_IMAGE_VERIFICATION_CALLBACK_TOKEN, PVOID *);
  void (__fastcall *pSeUnregisterImageVerificationCallback)(PVOID);
  PVOID ImageVerificationCbHandle;
  int RuntimeDriversCount;
  int RuntimeDriversArrayLenght;    // name kept as exported (sic)
  PVOID RuntimeDriversArray;
  LIST_ENTRY RuntimeDriversList;
  __int64 field_C8;
} MP_DRIVERS_INFO, *PMP_DRIVERS_INFO;

// Static table row: a service name and a flag word.
struct MP_REG_HARDENING
{
  LPWSTR ServiceName;
  __int64 Flag;
};

// Node of MP_REG_DATA.ServiceKeyHardeningList.
struct MP_SERVICE_HARDENING
{
  LIST_ENTRY ServiceKeyHardeningList;
  PUNICODE_STRING ServiceKeyName;
};

// Registry key name plus the object-name information it was resolved from
// (both a pointer and an inline copy are kept).
typedef struct _MP_REG_KEY_NAME
{
  UNICODE_STRING KeyName;
  POBJECT_NAME_INFORMATION pObjectNameInfo;
  _DWORD ObjectNameSize;
  struct _OBJECT_NAME_INFORMATION ObjectNameInfo;
} MP_REG_KEY_NAME, *PMP_REG_KEY_NAME;

// One document-open rule: a ref-counted node of MP_DOC_OPEN_RULES.DocObjectsList
// pairing a process name (261 WCHARs, i.e. MAX_PATH + 1) with an extension.
typedef struct _MP_DOC_RULE
{
  SHORT Magic;
  SHORT StructSize;
  int RefCount;
  SINGLE_LIST_ENTRY SingleListEntryDocRules;
  WCHAR DocProcessName[261];
  PCWSTR RuleExtension;
  } MP_DOC_RULE, *PMP_DOC_RULE;

// Paths used by the csrss hook (see ProcessCtx.pCsrssPreScanHook) and whether
// the hook is installed.
typedef struct _MP_CSRSS_HOOK_DATA
{
  POBJECT_NAME_INFORMATION ObjNameInfoSystemRootDir;
  POBJECT_NAME_INFORMATION ObjNameInfoWinSxsDir;
  POBJECT_NAME_INFORMATION ObjNameInfoCsrssPath;
  char HookSetFlag;
} MP_CSRSS_HOOK_DATA, *PMP_CSRSS_HOOK_DATA;

// Node of MP_PROCESS_EXCLUSION.ProcessHardenedExclusionList.
typedef struct _MP_PROCESS_HARDENING_EXCLUDED
{
  LIST_ENTRY ProcessExcludedList;
  PUNICODE_STRING ProcessPath;
  int ProcessHardeningExcludedFlag;
} MP_PROCESS_HARDENING_EXCLUDED, *PMP_PROCESS_HARDENING_EXCLUDED;

// Process observed during boot: node of MP_DRIVERS_INFO.BootProcessList.
struct MP_BOOT_PROCESS
{
  LIST_ENTRY BootProcessList;
  HANDLE ProcessId;
  HANDLE ParentProcessId;
  UNICODE_STRING ImageFileName;
  UNICODE_STRING CommandLine;
  _DWORD SomeFlag;
};

// Payload handed to the process notification callback object
// (MP_DATA.pProcessNotificationCallback); OperationType is one of
// MP_NOTIFY_CB_OPERATION_TYPE.
typedef struct _MP_PROCESS_CB_NOTIFY
{
  HANDLE ProcessId;
  HANDLE ParentId;
  PUNICODE_STRING ImageFileName;
  MP_NOTIFY_CB_OPERATION_TYPE OperationType;
  char ProcessFlags;
} MP_PROCESS_CB_NOTIFY, *PMP_PROCESS_CB_NOTIFY;

enum MP_NOTIFY_CB_OPERATION_TYPE
{
  ProcessCreation = 0x1,
  ProcessTermination = 0x2,
  SetProcessInfo = 0x3,
};

// Node of MP_PROCESS_EXCLUSION.ProcessExclusionList: an excluded process path
// with two flags describing how it is matched (no leading backslash, wildcard).
struct MP_PROCESS_EXCLUDED
{
  SINGLE_LIST_ENTRY ExcludedProcessList;
  UNICODE_STRING ProcessFullPath;
  char NoBackslashFlag;
  char WildcardPathFlag;
};

// Scan request for one file: requestor process/thread identity, its rules and
// session, the open parameters (desired access, share access, create options,
// access-state flags), file id and basic information.
// NOTE(review): the placeholder offsets in this struct are not monotonic
// (e.g. field_58 followed by word58, FileId followed by qword110), so parts
// of it were probably re-laid out by hand; treat member offsets as unverified.
typedef struct _MP_SCAN_FILE
{
  __int16 Magic;
  __int16 Size;
  _DWORD VariableSize;
  MP_IO_PRIORITY IoPriority;
  _DWORD dword18;
  _DWORD ScanAttributes;
  signed __int64 StreamSize;
  _QWORD RequestorProcessId;
  int ProcessRules;
  __unaligned __declspec(align(1)) __int64 RequestorProcessCreationTime;
  int field_3C;
  HANDLE CurrentThreadId;
  _QWORD TokenSessionId;
  __int64 AsyncNotificationsCount;
  __int64 field_58;
  _WORD word58;
  _OWORD oword5A;
  _OWORD oword6A;
  _OWORD oword7A;
  _OWORD oword8A;
  _OWORD oword9A;
  _OWORD owordAA;
  _WORD wordBA;
  _WORD wordBC;
  _WORD wordBE;
  char charC0;
  __unaligned __declspec(align(1)) __int64 gapC1;
  __unaligned __declspec(align(1)) __int64 field_DF;
  __unaligned __declspec(align(1)) __int64 field_E7;
  __unaligned __declspec(align(1)) __int64 field_EF;
  __unaligned __declspec(align(1)) __int64 field_F7;
  __unaligned __declspec(align(1)) __int64 field_FF;
  __unaligned __declspec(align(1)) __int64 field_107;
  __unaligned __declspec(align(1)) __int64 field_10F;
  char field_117;
  int field_118;
  int field_11C;
  __int64 FileId;
  _QWORD qword110;
  int RequestorMode;
  int field_134;
  _QWORD qword120;
  ACCESS_MASK DesiredAccess;
  int ShareAccess;
  _DWORD CreateOptions;
  _DWORD dword134;
  _DWORD AccessStateFlags;
  _DWORD dword13C;
  _DWORD BackingFileInfo;
  _DWORD dword144;
  __int64 field_160;
  __int64 field_168;
  __int64 field_170;
  __int64 field_178;
  FILE_BASIC_INFORMATION FileBasicInformation;
  int field_1A8;
  __int16 field_1AC;
  __int16 field_1AE;
  _OWORD oword190;
  _QWORD qword1A0;
  _DWORD dword1A8;
  _WORD word1AC;
  _WORD word1AE;
  char char1B0;
  __unaligned __declspec(align(1)) __int64 field_1D1;
  __unaligned __declspec(align(1)) int field_1D9;
} MP_SCAN_FILE, *PMP_SCAN_FILE;

// Globals of the ELAM / early-launch part: registry path, boot-driver
// callback registration, signature versions, the loaded-driver list/array
// and the mode flags (WD vs MP, test mode, persist ELAM info).
typedef struct _MP_EP_GLOBALS
{
  UNICODE_STRING RegistryPath;
  PVOID pHandleRegistration;
  PVOID IoUnregisterBootDriverCallback;
  DWORD Magic;
  DWORD SignaturesVersionMajor;
  DWORD SignaturesVersionMinor;
  LIST_ENTRY DriversListEntry;
  PSLIST_ENTRY ElamRegistryEntries;
  PCALLBACK_OBJECT pWdCallbackObject;
  LARGE_INTEGER Cookie;
  _QWORD Unk_Unused1;
  SLIST_HEADER SlistHeader;
  DWORD LoadedDriversCount;
  DWORD LoadedDriversArrayLen;
  PVOID LoadedDriversArray;
  DWORD TotalModulesEntryLen;
  BYTE EntryPointWdFilter[32];
  BYTE FlagWdOrMp;
  BYTE FlagTestMode;
  BYTE FlagPersistElamInfo;
  _QWORD Unk_Unused2;
} MP_EP_GLOBALS, *PMP_EP_GLOBALS;

// MP_DRIVER_INFO wrapped with a header, an index hash and a same-index chain
// (declared before MP_DRIVER_INFO; order kept from the export).
typedef struct _MP_DRIVER_INFO_EX
{
  __int16 Magic;
  __int16 Size;
  _QWORD WdFilterFlag;
  PVOID SameIndexList;
  _QWORD IndexHash;
  MP_DRIVER_INFO DriverInfo;
} MP_DRIVER_INFO_EX, *PMP_DRIVER_INFO_EX;

// Node of the ElamRegistryEntries SLIST; members unresolved apart from the
// two UNICODE_STRINGs.
struct MP_ELAM_REGISTRY_ENTRY
{
  PSLIST_ENTRY SlistEntry;
  __int64 field_8;
  UNICODE_STRING field_10;
  UNICODE_STRING field_20;
  int field_30;
  int field_34;
  int field_38;
  int field_3C;
};

// Per-driver record: image and registry path, signer publisher/issuer, the
// image hash and certificate thumbprint (each with algorithm id and length),
// load address/size, and the ELAM classification.
typedef struct _MP_DRIVER_INFO
{
  LIST_ENTRY DriverInfoList;
  UNICODE_STRING ImageName;
  UNICODE_STRING DriverRegistryPath;
  UNICODE_STRING CertPublisher;
  UNICODE_STRING CertIssuer;
  PVOID ImageHash;
  int ImageHashAlgorithm;
  int ImageHashLength;
  PVOID CertThumbprint;
  int ThumbprintHashAlgorithm;
  int CertificateThumbprintLength;
  PVOID ImageBase;
  __int64 ImageSize;
  int ImageFlags;
  int DriverClassification;
  int ModuleEntryEnd;
} MP_DRIVER_INFO, *PMP_DRIVER_INFO;

// Registry data entry: a monitored key name and its MP_KEY_ENTRY.
typedef struct _MP_REG_DATA_ENTRY
{
  LIST_ENTRY RegDataEntriesList;
  MP_KEY_ENTRY *RegKeyEntry;
  UNICODE_STRING RegKeyName;
} MP_REG_DATA_ENTRY, *PMP_REG_DATA_ENTRY;

// Result of matching a registry operation: an array of 16-byte hashes
// (_OWORD), whether key-value info was retrieved, and the resulting
// MP_REG_RULES bits (by name).
typedef struct _MP_REG_MATCH_INFO
{
  unsigned int HashesCount;
  _DWORD HashesArrayLen;
  _OWORD (*HashesArray)[];
  char KeyValueInfoFlag;
  int KeyRules;
} MP_REG_MATCH_INFO, *PMP_REG_MATCH_INFO;

// Singly linked list of 16-byte value hashes, each with its own KeyRules.
typedef struct _MP_CLIENT_VALUE
{
  PMP_CLIENT_VALUE NextClientValue;
  BYTE ValueHash[16];
  int KeyRules;
} MP_CLIENT_VALUE, *PMP_CLIENT_VALUE;

// Singly linked list of value names under a key, each with its client values.
typedef struct _MP_KEY_VALUE
{
  PMP_KEY_VALUE NextKeyValue;
  PWSTR KeyValueName;
  PMP_CLIENT_VALUE ClientValue;
} MP_KEY_VALUE, *PMP_KEY_VALUE;

// Node of the monitored-key tree: SubKey descends, NextKey is the sibling,
// and each key carries its own client-value and value lists.
typedef struct _MP_KEY_ENTRY
{
  PMP_KEY_ENTRY SubKey;
  PMP_KEY_ENTRY NextKey;
  PWSTR KeyName;
  USHORT KeysToSkip;
  PMP_CLIENT_VALUE ClientList;
  PMP_KEY_VALUE ValueList;
} MP_KEY_ENTRY, *PMP_KEY_ENTRY;

// Header of the monitored-keys blob supplied from user mode (see
// REG_UPDATE_DATA in MP_OPERATIONS). SomeCrcOrSig is an integrity value of
// unknown kind, by name.
typedef struct _MP_REG_USER_DATA
{
  int DataSize;
  int NumberOfEntries;
  PMP_KEY_ENTRY MonitoredKeys;
  __int64 SomeCrcOrSig;
} MP_REG_USER_DATA, *PMP_REG_USER_DATA;


// Registry rule bits. The *Operation bits select which operations are
// monitored, the *Denied bits which are blocked, and
// TamperProtectionActive marks protected keys. The bit numbering is sparse
// (0x2, 0x8, 0x20-0x80, 0x200, 0x1000 unnamed) and Unk/Unk1 are unresolved.
enum MP_REG_RULES
{
  CreateKeyOperation = 0x1,
  RenameKeyOperation = 0x4,
  DeleteKeyOperation = 0x10,
  SetValueKeyOperation = 0x100,
  SetValueRetrieveKeyValueInfo = 0x400,
  DeleteValueKeyOperation = 0x800,
  DeleteValueRetrieveKeyValueInfo = 0x2000,
  RestoreKeyOperation = 0x4000,
  ReplaceKeyOperation = 0x8000,
  CreateDenied = 0x10000,
  RenameDenied = 0x20000,
  DeleteDenied = 0x40000,
  SetValueDenied = 0x80000,
  ReplaceDenied = 0x100000,
  RestoreDenied = 0x200000,
  TamperProtectionActive = 0x400000,
  Unk = 0x800000,
  Unk1 = 0x1000000,
};


--------------------------------------------------------------------------------
/WdFilterAux.h:
--------------------------------------------------------------------------------
// Process identity as used in messages: PID plus creation time, so a reused
// PID is not mistaken for the original process. Marked __unaligned by the
// export; the resulting size is not stated here — do not assume 12 bytes.
typedef struct __unaligned _AuxPidCreationTime
{
  int ProcessId;
  LONGLONG CreationTime;
} AuxPidCreationTime, *PAuxPidCreationTime;

// Thread identity, same scheme as AuxPidCreationTime.
typedef struct __unaligned _AuxTidCreationTime
{
  int ThreadId;
  LONGLONG CreationTime;
} AuxTidCreationTime, *PAuxTidCreationTime;

// Process exempted from hardening: name plus two flag words (meanings not
// resolved in this export).
struct ExcludedHardenedProcess
{
  PWSTR ProcessName;
  int Flag;
  int ProcessFlag;
};
--------------------------------------------------------------------------------