├── .gitignore ├── Images ├── Diagram.svg └── WID.svg ├── LICENSE ├── README.md ├── Src ├── Functions │ ├── KERNEL32.cpp │ ├── KERNEL32.h │ ├── NT.cpp │ ├── NT.h │ ├── Syscalls.asm │ └── Undocumented.h ├── Includes.h ├── Loader │ ├── Loader.cpp │ └── Loader.h ├── Main.cpp ├── WID.cpp └── WID.h ├── WID_LoadLibrary.sln ├── WID_LoadLibrary.vcxproj └── WID_LoadLibrary.vcxproj.filters /.gitignore: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # Bu .gitignore dosyası Microsoft(R) Visual Studio tarafından otomatik olarak oluşturulmuştur. 3 | ################################################################################ 4 | 5 | /.vs 6 | /WID_LoadLibrary.vcxproj.user 7 | /x64/Debug 8 | /Debug/WID_LoadLibrary.tlog 9 | /Debug 10 | -------------------------------------------------------------------------------- /Images/WID.svg: -------------------------------------------------------------------------------- 1 | 2 | WinSeries 3 | 4 | 5 | 6 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 Paskalian 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Src/Functions/KERNEL32.cpp: -------------------------------------------------------------------------------- 1 | #include "KERNEL32.h" 2 | 3 | ULONG* KernelBaseGlobalData = nullptr; 4 | 5 | tBasep8BitStringToDynamicUnicodeString Basep8BitStringToDynamicUnicodeString = nullptr; 6 | tBaseSetLastNTError BaseSetLastNTError = nullptr; 7 | 8 | // Signatured 9 | tBasepLoadLibraryAsDataFileInternal BasepLoadLibraryAsDataFileInternal = nullptr; -------------------------------------------------------------------------------- /Src/Functions/KERNEL32.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "..\Includes.h" 4 | #include "Undocumented.h" 5 | 6 | extern ULONG* KernelBaseGlobalData; 7 | 8 | typedef BOOLEAN(WINAPI* tBasep8BitStringToDynamicUnicodeString)(PUNICODE_STRING pConvertedStr, LPCSTR pszAnsiStr); 9 | extern tBasep8BitStringToDynamicUnicodeString Basep8BitStringToDynamicUnicodeString; 10 | 11 | typedef DWORD(WINAPI* tBaseSetLastNTError)(IN NTSTATUS Status); 12 | extern tBaseSetLastNTError BaseSetLastNTError; 13 | 14 | // Signatured 15 | #define BASEP_LLASDATAFILE_INTERNAL_PATTERN "\x48\x89\x5C\x24\x20\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\xAC\x24\x10\xFF\xFF\xFF" 16 | typedef NTSTATUS(__fastcall* tBasepLoadLibraryAsDataFileInternal)(PUNICODE_STRING DllName, PWSTR Path, PWSTR Unknown, DWORD dwFlags, HMODULE* pBaseOfLoadedModule); 17 | extern tBasepLoadLibraryAsDataFileInternal BasepLoadLibraryAsDataFileInternal; -------------------------------------------------------------------------------- /Src/Functions/NT.cpp: -------------------------------------------------------------------------------- 1 | #include "NT.h" 2 | 3 | // Implemented. 4 | // Variables 5 | DWORD* LdrpPolicyBits = nullptr; 6 | HANDLE* LdrpMainThreadToken = nullptr; 7 | DWORD* LdrInitState = nullptr; 8 | DWORD* LoadFailure = nullptr; 9 | PRTL_CRITICAL_SECTION LdrpWorkQueueLock = nullptr; 10 | DWORD* LdrpWorkInProgress = nullptr; 11 | LIST_ENTRY** LdrpWorkQueue = nullptr; 12 | PHANDLE LdrpWorkCompleteEvent = nullptr; 13 | KUSER_SHARED_DATA* kUserSharedData = (KUSER_SHARED_DATA*)0x7FFE0000; 14 | DWORD* LdrpUseImpersonatedDeviceMap = nullptr; 15 | DWORD* LdrpAuditIntegrityContinuity = nullptr; 16 | DWORD* LdrpEnforceIntegrityContinuity = nullptr; 17 | DWORD* LdrpFatalHardErrorCount = nullptr; 18 | DWORD* UseWOW64 = nullptr; 19 | PRTL_SRWLOCK LdrpModuleDatatableLock = nullptr; 20 | PHANDLE qword_17E238 = nullptr; 21 | LDR_DATA_TABLE_ENTRY** LdrpImageEntry = nullptr; 22 | PUNICODE_STRING LdrpKernel32DllName = nullptr; 23 | UINT_PTR* LdrpAppHeaders = nullptr; 24 | PHANDLE LdrpLargePageDllKeyHandle = nullptr; 25 | ULONG** LdrpLockMemoryPrivilege = nullptr; 26 | ULONG64* LdrpMaximumUserModeAddress = nullptr; 27 | UINT_PTR* LdrpMapAndSnapWork = nullptr; 28 | LIST_ENTRY* LdrpHashTable = nullptr; 29 | PVOID* LdrpHeap = nullptr; 30 | BOOLEAN* LdrpIsHotPatchingEnabled = nullptr; 31 | LDR_DATA_TABLE_ENTRY** LdrpRedirectionModule = nullptr; 32 | ULONG64** qword_1993A8 = nullptr; 33 | LONG* NtdllBaseTag = nullptr; 34 | FUNCTION_TABLE_DATA* stru_199520 = nullptr; 35 | UINT_PTR* qword_199530 = nullptr; 36 | LDR_DATA_TABLE_ENTRY** LdrpNtDllDataTableEntry = nullptr; 37 | UINT_PTR* qword_1993B8 = nullptr; 38 | DWORD* dword_19939C = nullptr; 39 | DWORD* LoadFailureOperational = nullptr; 40 | DWORD* dword_199398 = nullptr; 41 | UINT_PTR*** qword_1843B8 = nullptr; 42 | UINT_PTR* qword_1843B0 = nullptr; 43 | UINT_PTR* LdrpCurrentDllInitializer = nullptr; 44 | LPVOID** LdrpProcessInitContextRecord = nullptr; 45 | PRTL_SRWLOCK LdrpTlsLock = nullptr; 46 | TLS_ENTRY** LdrpTlsList = nullptr; 47 | 48 | tLdrpManifestProberRoutine LdrpManifestProberRoutine = nullptr; 49 | tLdrpRedirectionCalloutFunc LdrpRedirectionCalloutFunc = nullptr; 50 | 51 | // Functions 52 | PEB* NtCurrentPeb() 53 | { 54 | return NtCurrentTeb()->ProcessEnvironmentBlock; 55 | } 56 | 57 | VOID __fastcall NtdllpFreeStringRoutine(PWCH Buffer) // CHECKED. 58 | { 59 | RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Buffer); 60 | } 61 | 62 | NTSTATUS __fastcall LdrpFastpthReloadedDll(PUNICODE_STRING FullPath, ULONG Flags, PLDR_DATA_TABLE_ENTRY LdrEntry, LDR_DATA_TABLE_ENTRY** DllEntry) 63 | { 64 | NTSTATUS Status; 65 | 66 | PUNICODE_STRING PathUsed; 67 | LDR_DATA_TABLE_ENTRY* pDllEntry; 68 | LDR_DDAG_STATE DdagState; 69 | 70 | DdagState = LdrModulesPlaceHolder; 71 | Status = STATUS_NOT_FOUND; 72 | 73 | if (Flags & LOAD_LIBRARY_AS_IMAGE_RESOURCE) 74 | { 75 | PathUsed = FullPath; 76 | FullPath = 0; 77 | } 78 | else 79 | { 80 | // If an absolute path was sent from LoadLibrary it will have 0x200 (LOAD_LIBRARY_SEARCH_APPLICATION_DIR), but the if is checking for not so it can be ignored. 81 | if ((Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) == 0) 82 | return Status; 83 | 84 | PathUsed = nullptr; 85 | } 86 | 87 | Status = LdrpFindLoadedDllByName(PathUsed, FullPath, Flags, DllEntry, &DdagState); 88 | if (NT_SUCCESS(Status)) 89 | { 90 | pDllEntry = *DllEntry; 91 | if (pDllEntry->LoadReason == LoadReasonPatchImage) 92 | { 93 | Status = STATUS_IMAGE_LOADED_AS_PATCH_IMAGE; 94 | LdrpLogEtwHotPatchStatus(&(*LdrpImageEntry)->BaseDllName, pDllEntry, 0, STATUS_IMAGE_LOADED_AS_PATCH_IMAGE, 2u); 95 | } 96 | else 97 | { 98 | Status = STATUS_NOT_FOUND; 99 | if (DdagState == LdrModulesReadyToRun) 100 | { 101 | Status = LdrpIncrementModuleLoadCount(pDllEntry); 102 | if (NT_SUCCESS(Status)) 103 | { 104 | Status = LdrpBuildForwarderLink(LdrEntry, pDllEntry); 105 | // This is where we most likely end up on a normal call from LoadLibraryExW 106 | if (NT_SUCCESS(Status)) 107 | return Status; 108 | 109 | BOOLEAN IsWorkerThread = (!(NtCurrentTeb()->SameTebFlags & LoadOwner)); 110 | if (IsWorkerThread) 111 | LdrpDrainWorkQueue(WaitLoadComplete); 112 | 113 | LdrpDecrementModuleLoadCountEx(pDllEntry, 0); 114 | if (IsWorkerThread) 115 | LdrpDropLastInProgressCount(); 116 | } 117 | } 118 | } 119 | 120 | LdrpDereferenceModule(*DllEntry); 121 | *DllEntry = nullptr; 122 | } 123 | 124 | return Status; 125 | } 126 | 127 | NTSTATUS __fastcall LdrpIncrementModuleLoadCount(LDR_DATA_TABLE_ENTRY* LdrEntry) 128 | { 129 | NTSTATUS Status = STATUS_SUCCESS; 130 | 131 | RtlAcquireSRWLockExclusive(LdrpModuleDatatableLock); 132 | 133 | LDR_DDAG_NODE* DdagNode = LdrEntry->DdagNode; 134 | ULONG LoadCount = DdagNode->LoadCount; 135 | if (LoadCount != -1) 136 | { 137 | if (LoadCount) 138 | { 139 | DdagNode->LoadCount = LoadCount + 1; 140 | } 141 | else if (NtCurrentTeb()->SameTebFlags & LoadOwner) 142 | { 143 | ++DdagNode->LoadWhileUnloadingCount; 144 | } 145 | else 146 | { 147 | Status = STATUS_DLL_NOT_FOUND; 148 | } 149 | } 150 | 151 | RtlReleaseSRWLockExclusive(LdrpModuleDatatableLock); 152 | 153 | return Status; 154 | } 155 | 156 | VOID __fastcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString) // CHECKED. 157 | { 158 | WCHAR* Buffer; 159 | 160 | Buffer = UnicodeString->Buffer; 161 | if (Buffer) 162 | { 163 | NtdllpFreeStringRoutine(Buffer); 164 | //*UnicodeString = 0; 165 | memset(UnicodeString, 0, sizeof(UNICODE_STRING)); 166 | } 167 | } 168 | 169 | VOID __fastcall LdrpFreeUnicodeString(PUNICODE_STRING String) 170 | { 171 | WCHAR* Buffer; 172 | 173 | Buffer = String->Buffer; 174 | if (Buffer) 175 | { 176 | NtdllpFreeStringRoutine(Buffer); 177 | String->Buffer = 0; 178 | } 179 | String->Length = 0; 180 | String->MaximumLength = 0; 181 | } 182 | 183 | ULONG __fastcall RtlGetCurrentServiceSessionId(VOID) // CHECKED ? 184 | { 185 | LPVOID Return = NtCurrentPeb()->SharedData; 186 | 187 | if (Return) 188 | Return = (LPVOID)(*(DWORD*)Return); 189 | return (ULONG)Return; 190 | } 191 | 192 | USHORT __fastcall LdrpGetBaseNameFromFullName(PUNICODE_STRING BaseName, PUNICODE_STRING FullName) 193 | { 194 | USHORT StrLen = BaseName->Length >> 1; 195 | if (StrLen) 196 | { 197 | PWCHAR Buffer = BaseName->Buffer; 198 | do 199 | { 200 | if (Buffer[StrLen - 1] == '\\') 201 | break; 202 | if (Buffer[StrLen - 1] == '/') 203 | break; 204 | --StrLen; 205 | } while (StrLen); 206 | } 207 | 208 | USHORT ByteLen = 2 * StrLen; 209 | 210 | USHORT Return = BaseName->MaximumLength - ByteLen; 211 | FullName->Length = BaseName->Length - ByteLen; 212 | FullName->MaximumLength = Return; 213 | FullName->Buffer = &BaseName->Buffer[StrLen]; 214 | return Return; 215 | } 216 | 217 | PWCHAR __fastcall RtlGetNtSystemRoot() 218 | { 219 | if (RtlGetCurrentServiceSessionId()) 220 | return (PWCHAR)((char*)NtCurrentPeb()->SharedData + 30); 221 | else 222 | return kUserSharedData->NtSystemRoot; 223 | } 224 | 225 | BOOLEAN __fastcall LdrpHpatAllocationOptOut(PUNICODE_STRING FullDllName) 226 | { 227 | UNICODE_STRING NtString; // [rsp+30h] [rbp-18h] BYREF 228 | 229 | if ((NtCurrentPeb()->ProcessParameters->Flags & 0x2000000) == 0 || *FullDllName->Buffer == '\\') 230 | return 0; 231 | PWSTR NtSystemRoot = RtlGetNtSystemRoot(); 232 | RtlInitUnicodeStringEx(&NtString, NtSystemRoot); 233 | return FullDllName->Length < NtString.Length || RtlCompareUnicodeStrings(FullDllName->Buffer, NtString.Length >> 1, NtString.Buffer, NtString.Length >> 1, 1u) != 0; 234 | } 235 | 236 | NTSTATUS __fastcall LdrpCorValidateImage(PIMAGE_DOS_HEADER DosHeader) 237 | { 238 | NTSTATUS Status; 239 | 240 | PIMAGE_FILE_HEADER ImageFileHeader; 241 | UINT_PTR LastRVASection; 242 | Status = RtlpImageDirectoryEntryToDataEx(DosHeader, TRUE, IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_LOCAL_SYMS_STRIPPED, &LastRVASection, (PIMAGE_FILE_HEADER*)&ImageFileHeader); 243 | if (!NT_SUCCESS(Status)) 244 | ImageFileHeader = 0; 245 | return ImageFileHeader != 0 ? STATUS_INVALID_IMAGE_FORMAT : 0; 246 | } 247 | 248 | NTSTATUS __fastcall LdrpCorFixupImage(PIMAGE_DOS_HEADER DosHeader) 249 | { 250 | NTSTATUS Status; 251 | 252 | PIMAGE_NT_HEADERS NtHeader = RtlImageNtHeader(DosHeader); 253 | ULONG64 LastRVASection; 254 | PIMAGE_COR20_HEADER CorHeader = nullptr; 255 | Status = RtlpImageDirectoryEntryToDataEx(DosHeader, 1, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &LastRVASection, &CorHeader); 256 | if (!NT_SUCCESS(Status) || !CorHeader) 257 | return Status; 258 | 259 | if (NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC && NtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 && (CorHeader->Flags & 2) == 0) 260 | { 261 | ULONG64* pSizeOfHeapCommit = &NtHeader->OptionalHeader.SizeOfHeapCommit; 262 | PBYTE UnknownCalc = (PBYTE)&NtHeader->OptionalHeader + 263 | (32 * NtHeader->FileHeader.NumberOfSections) + 264 | (8 * NtHeader->FileHeader.NumberOfSections) + 265 | NtHeader->FileHeader.SizeOfOptionalHeader; 266 | 267 | UINT_PTR NumberOfBytesToProtect = 0x1000; 268 | if ((unsigned __int64)(UnknownCalc - (PBYTE)DosHeader + 0x10) <= 0x1000) 269 | { 270 | ULONG OldAccessProtection; 271 | Status = ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&DosHeader, (PULONG)&NumberOfBytesToProtect, PAGE_READWRITE, &OldAccessProtection); 272 | if (NT_SUCCESS(Status)) 273 | { 274 | memmove(NtHeader->OptionalHeader.DataDirectory, &NtHeader->OptionalHeader.SizeOfHeapCommit, UnknownCalc - (PBYTE)pSizeOfHeapCommit); 275 | *(ULONG64*)&NtHeader->OptionalHeader.LoaderFlags = NtHeader->OptionalHeader.SizeOfHeapReserve; 276 | *pSizeOfHeapCommit = (NtHeader->OptionalHeader.SizeOfStackCommit) & 0xFFFFFFFF00000000; 277 | 278 | NtHeader->OptionalHeader.SizeOfHeapReserve = (NtHeader->OptionalHeader.SizeOfStackCommit) & UINT_MAX; 279 | NtHeader->OptionalHeader.SizeOfStackCommit = (NtHeader->OptionalHeader.SizeOfStackReserve) & 0xFFFFFFFF00000000; 280 | NtHeader->OptionalHeader.SizeOfStackReserve = (NtHeader->OptionalHeader.SizeOfStackReserve) & UINT_MAX; 281 | NtHeader->OptionalHeader.ImageBase = (NtHeader->OptionalHeader.ImageBase) & 0xFFFFFFFF00000000; 282 | NtHeader->FileHeader.SizeOfOptionalHeader += 0x10; 283 | 284 | NtHeader->OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC; 285 | ZwProtectVirtualMemory((HANDLE)-1, (PVOID*)&DosHeader, (PULONG)&NumberOfBytesToProtect, OldAccessProtection, &OldAccessProtection); 286 | } 287 | } 288 | else 289 | { 290 | return STATUS_INVALID_IMAGE_FORMAT; 291 | } 292 | } 293 | else 294 | { 295 | WORD Machine = NtHeader->FileHeader.Machine; 296 | if (Machine < kUserSharedData->ImageNumberLow) 297 | return STATUS_INVALID_IMAGE_FORMAT; 298 | 299 | Status = STATUS_SUCCESS; 300 | if (Machine > kUserSharedData->ImageNumberHigh) 301 | return STATUS_INVALID_IMAGE_FORMAT; 302 | } 303 | return Status; 304 | } 305 | 306 | NTSTATUS __fastcall LdrpFindLoadedDllByNameLockHeld(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, ULONG64 Flags, LDR_DATA_TABLE_ENTRY** pLdrEntry, ULONG BaseNameHashValue) 307 | { 308 | LIST_ENTRY* pHashIdx; 309 | 310 | LDR_DDAG_NODE* DdagNode; 311 | 312 | // Parse entire hash table. Maybe I use it later on. 313 | //for (int idx = 0; idx < 32; idx++) 314 | //{ 315 | // LIST_ENTRY* IdxHead = &LdrpHashTable[idx]; 316 | // LIST_ENTRY* IdxEntry = IdxHead->Flink; 317 | // while (IdxEntry != IdxHead) 318 | // { 319 | // LDR_DATA_TABLE_ENTRY* IdxLdrEntry = CONTAINING_RECORD(IdxEntry, LDR_DATA_TABLE_ENTRY, HashLinks); 320 | // 321 | // printf("[Name: %ws]\n", IdxLdrEntry->BaseDllName.Buffer); 322 | // 323 | // LIST_ENTRY* LdrHead = &IdxLdrEntry->InLoadOrderLinks; 324 | // LIST_ENTRY* LdrEntry = LdrHead->Flink; 325 | // while (LdrEntry != LdrHead) 326 | // { 327 | // LDR_DATA_TABLE_ENTRY* IdxLdrEntryMod = CONTAINING_RECORD(LdrEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); 328 | // 329 | // printf(" -> [Name: %ws]\n", IdxLdrEntryMod->BaseDllName.Buffer); 330 | // 331 | // LdrEntry = LdrEntry->Flink; 332 | // } 333 | // 334 | // IdxEntry = IdxEntry->Flink; 335 | // } 336 | //} 337 | 338 | pHashIdx = (LIST_ENTRY*)&(LdrpHashTable)[(BaseNameHashValue & 0x1F)]; 339 | BOOLEAN DllFound = FALSE; 340 | for (LIST_ENTRY* HashEntry = pHashIdx->Flink; HashEntry != pHashIdx; HashEntry = HashEntry->Flink) 341 | { 342 | LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)&HashEntry[-7]; 343 | //LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(HashEntry, LDR_DATA_TABLE_ENTRY, HashLinks); 344 | 345 | //LDR_DATA_TABLE_ENTRY* DllEntry = (PLDR_DATA_TABLE_ENTRY)CONTAINING_RECORD(HashEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); 346 | if (BaseNameHashValue == (DllEntry->BaseNameHashValue) && ((Flags & 8) == 0 || (DllEntry->FlagGroup[0] & 1) != 0)) 347 | { 348 | if (FullDllName) 349 | { 350 | DllFound = RtlEqualUnicodeString(FullDllName, &DllEntry->FullDllName, TRUE); 351 | if (DllFound) 352 | goto DLL_FOUND; 353 | } 354 | else 355 | { 356 | if ((DllEntry->Flags & Redirected) == 0 && RtlEqualUnicodeString(BaseDllName, &DllEntry->BaseDllName, TRUE)) 357 | { 358 | DllFound = TRUE; 359 | DLL_FOUND: 360 | DdagNode = DllEntry->DdagNode; 361 | if (DdagNode->LoadCount != -1 && ((__int64)DdagNode->Modules.Flink[-4].Blink & 0x20) == 0) 362 | _InterlockedIncrement(&DllEntry->ReferenceCount); 363 | 364 | *pLdrEntry = DllEntry; 365 | return DllFound ? STATUS_SUCCESS : STATUS_DLL_NOT_FOUND; 366 | } 367 | DllFound = FALSE; 368 | } 369 | } 370 | } 371 | return DllFound ? STATUS_SUCCESS : STATUS_DLL_NOT_FOUND; 372 | } 373 | 374 | BOOLEAN __fastcall LdrpIsILOnlyImage(PIMAGE_DOS_HEADER DllBase) 375 | { 376 | NTSTATUS Status; 377 | 378 | UINT_PTR LastRVASection; 379 | PIMAGE_COR20_HEADER CorHeader; 380 | Status = RtlpImageDirectoryEntryToDataEx(DllBase, 1u, 0xEu, &LastRVASection, (PVOID*)&CorHeader); 381 | if (Status < 0) 382 | return Status; 383 | 384 | return CorHeader && LastRVASection >= 0x48 && (CorHeader->Flags & 1) != 0; 385 | } 386 | 387 | VOID __fastcall LdrpAddNodeServiceTag(LDR_DDAG_NODE* DdagNode, UINT_PTR ServiceTag) 388 | { 389 | //LDR_DATA_TABLE_ENTRY* LdrEntry = CONTAINING_RECORD(DdagNode->Modules.Flink, LDR_DATA_TABLE_ENTRY, DdagNode); 390 | if (DdagNode->LoadCount != -1 && ((__int64)DdagNode->Modules.Flink[-4].Blink & 0x20) == 0) 391 | //if (DdagNode->LoadCount != -1 && (LdrEntry->FlagGroup[0] & 0x20) == 0) 392 | { 393 | for (LDR_SERVICE_TAG_RECORD* i = DdagNode->ServiceTagList; i; i = i->Next) 394 | { 395 | if (i->ServiceTag == ServiceTag) 396 | return; 397 | } 398 | 399 | LDR_SERVICE_TAG_RECORD* Heap = (LDR_SERVICE_TAG_RECORD*)RtlAllocateHeap(*LdrpHeap, 0, 0x10); 400 | if (Heap) 401 | { 402 | Heap->ServiceTag = ServiceTag; 403 | Heap->Next = DdagNode->ServiceTagList; 404 | DdagNode->ServiceTagList = Heap; 405 | 406 | SINGLE_LIST_ENTRY* Tail = DdagNode->Dependencies.Tail; 407 | if (Tail) 408 | { 409 | SINGLE_LIST_ENTRY* Tail_2 = Tail; 410 | do 411 | { 412 | Tail_2 = Tail_2->Next; 413 | // LDR_DDAG_NODE* NextNode = CONTAINING_RECORD(Tail_2, LDR_DDAG_NODE, CondenseLink); 414 | LdrpAddNodeServiceTag((LDR_DDAG_NODE*)Tail_2[1].Next, ServiceTag); 415 | //LdrpAddNodeServiceTag(NextNode, ServiceTag); 416 | } while (Tail_2 != Tail); 417 | } 418 | } 419 | } 420 | } 421 | 422 | PIMAGE_LOAD_CONFIG_DIRECTORY LdrImageDirectoryEntryToLoadConfig(PIMAGE_DOS_HEADER DllBase) 423 | { 424 | NTSTATUS Status = STATUS_SUCCESS; 425 | 426 | PIMAGE_NT_HEADERS OutHeaders = nullptr; 427 | RtlImageNtHeaderEx(1u, DllBase, 0, &OutHeaders); 428 | if (!DllBase) 429 | return nullptr; 430 | 431 | UINT_PTR LastRVASection = 0; 432 | PIMAGE_LOAD_CONFIG_DIRECTORY LoadConfigDirectory = nullptr; 433 | Status = RtlpImageDirectoryEntryToDataEx(DllBase, 1u, 0xAu, &LastRVASection, (PVOID*)&LoadConfigDirectory); 434 | if (!NT_SUCCESS(Status)) 435 | return nullptr; 436 | 437 | if (LoadConfigDirectory && (DWORD)LastRVASection && (DWORD)LastRVASection == LoadConfigDirectory->Size && OutHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_AMD64) 438 | return LoadConfigDirectory; 439 | 440 | return nullptr; 441 | } 442 | 443 | BOOLEAN __fastcall LdrpShouldModuleImportBeRedirected(LDR_DATA_TABLE_ENTRY* DllEntry) 444 | { 445 | if (!DllEntry || !*LdrpRedirectionModule || *LdrpRedirectionModule == DllEntry) 446 | return FALSE; 447 | 448 | if ((NtCurrentPeb()->BitField & IsPackagedProcess) != 0) 449 | return DllEntry->FlagGroup[0] & PackagedBinary; 450 | 451 | // LdrpRedirectionCalloutFunc is a function pointer. 452 | if (*LdrpRedirectionCalloutFunc) 453 | return (*LdrpRedirectionCalloutFunc)(DllEntry->FullDllName.Buffer); 454 | else 455 | return TRUE; 456 | } 457 | 458 | PIMAGE_IMPORT_DESCRIPTOR __fastcall LdrpGetImportDescriptorForSnap(LDRP_LOAD_CONTEXT* LoadContext) 459 | { 460 | NTSTATUS Status; 461 | 462 | // [CORRECT] 463 | //LDR_DATA_TABLE_ENTRY* DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; 464 | LDR_DATA_TABLE_ENTRY* DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); 465 | 466 | UINT_PTR LastRVASection; 467 | PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor; 468 | Status = RtlpImageDirectoryEntryToDataEx(DllEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &LastRVASection, (PVOID*)&pImageImportDescriptor); 469 | if (!NT_SUCCESS(Status)) 470 | return nullptr; 471 | if (DllEntry == *LdrpImageEntry && (((ULONG64)(*qword_1993A8) >> 44) & 3) == 1) 472 | { 473 | PIMAGE_NT_HEADERS pImageNtHeaders = nullptr; 474 | RtlImageNtHeaderEx(3, DllEntry->DllBase, 0, (PIMAGE_NT_HEADERS*)&pImageNtHeaders); 475 | if (!((LdrpCheckPagesForTampering(&pImageNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT], 8) || LdrpCheckPagesForTampering((PIMAGE_DATA_DIRECTORY)pImageImportDescriptor, (ULONG)LastRVASection)) && NT_SUCCESS(LdrpMapCleanModuleView(LoadContext)))) 476 | { 477 | return nullptr; 478 | } 479 | } 480 | return pImageImportDescriptor; 481 | } 482 | 483 | NTSTATUS __fastcall LdrpMapCleanModuleView(LDRP_LOAD_CONTEXT* LoadContext) 484 | { 485 | NTSTATUS Status; 486 | 487 | HANDLE ProcessInformation = 0; 488 | PIMAGE_DOS_HEADER ImageDosHeader = nullptr; 489 | ULONG64 ViewSize = 0; 490 | if (CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks) != *LdrpImageEntry) 491 | return STATUS_NOT_SUPPORTED; 492 | 493 | Status = NtQueryInformationProcess((HANDLE)-1, ProcessImageSection, &ProcessInformation, 8, 0); 494 | if (NT_SUCCESS(Status)) 495 | { 496 | Status = ZwMapViewOfSection(ProcessInformation, (HANDLE)-1u, &ImageDosHeader, 0, 0, 0, (PULONG)&ViewSize, ViewShare, 0x40000u, 2u); 497 | if (NT_SUCCESS(Status)) 498 | LoadContext->ImageBase = ImageDosHeader; 499 | 500 | NtClose(ProcessInformation); 501 | } 502 | 503 | return Status; 504 | } 505 | 506 | LDR_DATA_TABLE_ENTRY* __fastcall LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry) 507 | { 508 | LDR_DATA_TABLE_ENTRY* DllEntry = LdrEntry; 509 | if (LdrEntry) 510 | { 511 | LDRP_LOAD_CONTEXT* LoadContext = (LDRP_LOAD_CONTEXT*)LdrEntry->LoadContext; 512 | if (LoadContext) 513 | { 514 | if ((LoadContext->Flags & 0x80000) == 0 && (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink != LdrEntry) 515 | { 516 | DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; 517 | LoadContext->WorkQueueListEntry.Flink = &LdrEntry->InLoadOrderLinks; 518 | } 519 | } 520 | } 521 | return DllEntry; 522 | } 523 | 524 | NTSTATUS __fastcall LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry) 525 | { 526 | LdrpFreeLoadContext(LdrDataTableEntry->LoadContext); 527 | // Revokes ProcessStaticImport (0x20) flag. 528 | LdrDataTableEntry->Flags &= ~ProcessStaticImport; 529 | LdrDataTableEntry->ReferenceCount = 1; 530 | return LdrpDereferenceModule(LdrDataTableEntry); 531 | } 532 | 533 | VOID __fastcall LdrpHandlePendingModuleReplaced(LDRP_LOAD_CONTEXT* LoadContext) 534 | { 535 | LDR_DATA_TABLE_ENTRY* Entry = (LDR_DATA_TABLE_ENTRY*)LoadContext->pvImports; 536 | if (Entry) 537 | { 538 | LDR_DATA_TABLE_ENTRY* ReturnEntry = LdrpHandleReplacedModule(Entry); 539 | LDR_DATA_TABLE_ENTRY** CompareEntry = LoadContext->pvImports; 540 | if (ReturnEntry != (LDR_DATA_TABLE_ENTRY*)CompareEntry) 541 | LdrpFreeReplacedModule((LDR_DATA_TABLE_ENTRY*)CompareEntry); 542 | LoadContext->pvImports = nullptr; 543 | } 544 | } 545 | 546 | PIMAGE_SECTION_HEADER __fastcall RtlSectionTableFromVirtualAddress(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address) 547 | { 548 | PIMAGE_SECTION_HEADER SectionHeader = (PIMAGE_SECTION_HEADER)((char*)&NtHeader->OptionalHeader + NtHeader->FileHeader.SizeOfOptionalHeader); 549 | if (!NtHeader->FileHeader.NumberOfSections) 550 | return nullptr; 551 | 552 | ULONG NumberOfSections = NtHeader->FileHeader.NumberOfSections; 553 | ULONG SectionIdx = 0; 554 | while (TRUE) 555 | { 556 | ULONG VirtualAddress = SectionHeader->VirtualAddress; 557 | if ((unsigned int)Address >= VirtualAddress && (unsigned int)Address < SectionHeader->SizeOfRawData + VirtualAddress) 558 | break; 559 | 560 | ++SectionHeader; 561 | if (++SectionIdx >= NumberOfSections) 562 | return nullptr; 563 | } 564 | return SectionHeader; 565 | } 566 | 567 | PIMAGE_SECTION_HEADER __fastcall RtlAddressInSectionTable(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address) 568 | { 569 | PIMAGE_SECTION_HEADER SectionHeader; 570 | 571 | SectionHeader = RtlSectionTableFromVirtualAddress(NtHeader, Base, Address); 572 | if (SectionHeader) 573 | return (PIMAGE_SECTION_HEADER)(SectionHeader->PointerToRawData - SectionHeader->VirtualAddress); 574 | return SectionHeader; 575 | } 576 | 577 | BOOLEAN __fastcall LdrpValidateEntrySection(LDR_DATA_TABLE_ENTRY* DllEntry) 578 | { 579 | PIMAGE_NT_HEADERS OutHeaders; 580 | RtlImageNtHeaderEx(3u, DllEntry->DllBase, 0, &OutHeaders); 581 | ULONG AddressOfEntryPoint = OutHeaders->OptionalHeader.AddressOfEntryPoint; 582 | return !AddressOfEntryPoint || !DllEntry->EntryPoint || AddressOfEntryPoint >= OutHeaders->OptionalHeader.SizeOfHeaders; 583 | } 584 | 585 | BOOL __fastcall LdrpIsExecutableRelocatedImage(PIMAGE_DOS_HEADER DllBase) 586 | { 587 | MEMORY_IMAGE_INFORMATION MemoryInformation; // [rsp+30h] [rbp-28h] BYREF 588 | PIMAGE_NT_HEADERS OutHeaders; // [rsp+68h] [rbp+10h] BYREF 589 | 590 | return NT_SUCCESS(RtlImageNtHeaderEx(3u, DllBase, 0i64, &OutHeaders)) && (PIMAGE_DOS_HEADER)OutHeaders->OptionalHeader.ImageBase == DllBase 591 | && NT_SUCCESS(ZwQueryVirtualMemory((HANDLE)-1, DllBase, MemoryImageInformation, &MemoryInformation, 0x18, 0)) 592 | && MemoryInformation.ImageBase == DllBase 593 | && (MemoryInformation.ImageFlags & 2) == 0 594 | && (MemoryInformation.ImageFlags & 1) == 0; 595 | } 596 | 597 | TLS_ENTRY* __fastcall LdrpFindTlsEntry(LDR_DATA_TABLE_ENTRY* LdrEntry) 598 | { 599 | TLS_ENTRY* TlsEntry; 600 | 601 | for (TlsEntry = *LdrpTlsList; TlsEntry != (TLS_ENTRY*)LdrpTlsList; TlsEntry = (TLS_ENTRY*)TlsEntry->TlsEntry.Flink) 602 | { 603 | if ((LDR_DATA_TABLE_ENTRY*)TlsEntry->ModuleEntry == LdrEntry) 604 | return TlsEntry; 605 | } 606 | return nullptr; 607 | } 608 | 609 | BOOL __fastcall ImageTlsCallbackCaller(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved) 610 | { 611 | ((void(__fastcall*)(HINSTANCE, DWORD, LPVOID))lpvReserved)(hInstDll, fdwReason, 0); 612 | return 1; 613 | } 614 | 615 | // Implemented inside LOADLIBRARY class to use WID_HIDDEN 616 | NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpThreadTokenSetMainThreadToken() // CHECKED. 617 | { 618 | NTSTATUS Status; 619 | 620 | HANDLE ReturnToken = NULL; 621 | Status = NtOpenThreadToken((HANDLE)-2, 0x2001C, 0, &ReturnToken); 622 | *LdrpMainThreadToken = ReturnToken; 623 | if (Status != STATUS_NO_TOKEN) 624 | { 625 | WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0xDC8, "LdrpThreadTokenSetMainThreadToken", 2, "Status: 0x%x\n", Status); ) 626 | } 627 | return Status; 628 | } 629 | 630 | NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpThreadTokenUnsetMainThreadToken() // CHECKED. 631 | { 632 | NTSTATUS Status; 633 | 634 | Status = NtClose(*LdrpMainThreadToken); 635 | *LdrpMainThreadToken = NULL; 636 | WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrapi.c", 0xDEE, "LdrpThreadTokenUnsetMainThreadToken", 2u, "Status: 0x%x\n", Status); ) 637 | return Status; 638 | } 639 | 640 | LDR_DATA_TABLE_ENTRY* __fastcall WID::Loader::LOADLIBRARY::LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED. 641 | { 642 | LDR_DATA_TABLE_ENTRY* DllEntry = LdrEntry; 643 | if (LdrEntry) 644 | { 645 | LDRP_LOAD_CONTEXT* LoadContext = LdrEntry->LoadContext; 646 | if (LoadContext) 647 | { 648 | DllEntry = CONTAINING_RECORD(LoadContext->WorkQueueListEntry.Flink, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); 649 | //if ((LoadContext->Flags & SEC_64K_PAGES) == 0 && (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink != LdrEntry) 650 | if ((LoadContext->Flags & SEC_64K_PAGES) == 0 && DllEntry != LdrEntry) 651 | { 652 | //DllEntry = (LDR_DATA_TABLE_ENTRY*)LoadContext->WorkQueueListEntry.Flink; 653 | LoadContext->WorkQueueListEntry.Flink = &LdrEntry->InLoadOrderLinks; 654 | } 655 | } 656 | } 657 | return DllEntry; 658 | } 659 | 660 | NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED. 661 | { 662 | LdrpFreeLoadContext(LdrEntry->LoadContext); 663 | // Resets (sets to 0) flag ProcessStaticImport (0x20) 664 | LdrEntry->Flags &= ~0x20u; 665 | 666 | // Might change if hidden, not touching for now. 667 | LdrEntry->ReferenceCount = 1; 668 | return LdrpDereferenceModule(LdrEntry); 669 | } 670 | 671 | NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpResolveDllName(LDRP_LOAD_CONTEXT* LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer, PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, DWORD Flags) // CHECKED. 672 | { 673 | NTSTATUS Status; 674 | 675 | PWCHAR FileName; 676 | UNICODE_STRING DllName; 677 | BOOLEAN FileNamesNotEqual = FALSE; 678 | 679 | WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x6B9, "LdrpResolveDllName", 3u, "DLL name: %wZ\n", LoadContext); ) 680 | 681 | // Converted goto to do-while loop. 682 | do 683 | { 684 | // This if will go in if call stack starts back from LoadLibraryExW with an absolute path. 685 | if (Flags & LOAD_LIBRARY_SEARCH_APPLICATION_DIR) 686 | { 687 | DllName = LoadContext->BaseDllName; 688 | } 689 | else 690 | { 691 | Status = LdrpGetFullPath(LoadContext, &FileNameBuffer->pFileName); 692 | if (!NT_SUCCESS(Status)) 693 | { 694 | if (FileNamesNotEqual) 695 | LdrpFreeUnicodeString(&DllName); 696 | 697 | WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x742, "LdrpResolveDllName", 4, "Status: 0x%08lx\n", Status); ) 698 | return Status; 699 | } 700 | 701 | FileName = FileNameBuffer->FileName; 702 | DllName = FileNameBuffer->pFileName; 703 | 704 | FileNamesNotEqual = (FileNameBuffer->FileName != FileNameBuffer->pFileName.Buffer); 705 | if (FileNamesNotEqual) 706 | { 707 | FileNameBuffer->pFileName.Buffer = FileName; 708 | FileNameBuffer->pFileName.MaximumLength = MAX_PATH - 4; 709 | *FileName = 0; 710 | break; 711 | } 712 | } 713 | 714 | USHORT Length = DllName.Length; 715 | PWCHAR Buffer = DllName.Buffer; 716 | Status = LdrpAllocateUnicodeString(&DllName, DllName.Length); 717 | if (!NT_SUCCESS(Status)) 718 | { 719 | if (FileNamesNotEqual) 720 | LdrpFreeUnicodeString(&DllName); 721 | 722 | WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x742, "LdrpResolveDllName", 4, "Status: 0x%08lx\n", Status); ) 723 | return Status; 724 | } 725 | 726 | FileNamesNotEqual = TRUE; 727 | memmove(DllName.Buffer, Buffer, Length + 2); 728 | DllName.Length = Length; 729 | } while (FALSE); 730 | 731 | 732 | FileNameBuffer->pFileName.Length = 0; 733 | if (Flags & 0x10000000) 734 | Status = LdrpAppendUnicodeStringToFilenameBuffer(&FileNameBuffer->pFileName, LoadContext); 735 | else 736 | Status = LdrpGetNtPathFromDosPath(&DllName, FileNameBuffer); 737 | 738 | if (NT_SUCCESS(Status)) 739 | { 740 | *FullDllName = DllName; 741 | LdrpGetBaseNameFromFullName(&DllName, BaseDllName); 742 | WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x742, "LdrpResolveDllName", 4, "Status: 0x%08lx\n", Status); ) 743 | return Status; 744 | } 745 | 746 | NTSTATUS StatusAdded = (Status + 0x3FFFFFF1); 747 | //LONGLONG BitTestVar = 0x1C3000000011; 748 | LONGLONG BitTestVar = 0b0001'1100'0011'0000'0000'0000'0000'0000'0000'0000'0001'0001; 749 | if (StatusAdded <= 0x2C && (_bittest64(&BitTestVar, StatusAdded)) || Status == STATUS_DEVICE_OFF_LINE || Status == STATUS_DEVICE_NOT_READY) 750 | { 751 | WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x72D, "LdrpResolveDllName", 2, "Original status: 0x%08lx\n", Status); ) 752 | Status = STATUS_DLL_NOT_FOUND; 753 | } 754 | 755 | if (FileNamesNotEqual) 756 | LdrpFreeUnicodeString(&DllName); 757 | 758 | WID_HIDDEN( LdrpLogInternal("minkernel\\ntdll\\ldrfind.c", 0x742, "LdrpResolveDllName", 4, "Status: 0x%08lx\n", Status); ) 759 | return Status; 760 | } 761 | 762 | NTSTATUS __fastcall WID::Loader::LOADLIBRARY::LdrpFindDllActivationContext(LDR_DATA_TABLE_ENTRY* LdrEntry) // CHECKED. 763 | { 764 | NTSTATUS Status = STATUS_SUCCESS; 765 | 766 | if (*(UINT_PTR*)(*LdrpManifestProberRoutine)) 767 | { 768 | PEB* PEB = NtCurrentPeb(); 769 | if (LdrEntry != *LdrpImageEntry || !PEB->ActivationContextData) 770 | { 771 | PWCHAR Buffer = LdrEntry->FullDllName.Buffer; 772 | if (LdrEntry == *LdrpImageEntry && *Buffer == '\\' && Buffer[1] == '?' && Buffer[2] == '?' && Buffer[3] == '\\' && Buffer[4] && Buffer[5] == ':' && Buffer[6] == '\\') 773 | { 774 | Buffer += 4; 775 | } 776 | 777 | // LdrpManifestProberRoutine is a function pointer. 778 | ACTIVATION_CONTEXT* pActivationCtx = nullptr; 779 | Status = (*LdrpManifestProberRoutine)(LdrEntry->DllBase, Buffer, &pActivationCtx); 780 | if ((unsigned int)(Status + 0x3FFFFF77) <= 2 || Status == STATUS_NOT_SUPPORTED || Status == STATUS_NO_SUCH_FILE || Status == STATUS_NOT_IMPLEMENTED || Status == STATUS_RESOURCE_LANG_NOT_FOUND) 781 | { 782 | WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrsnap.c", 733, "LdrpFindDllActivationContext", 2u, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", &LdrEntry->FullDllName, Status); ) 783 | Status = STATUS_SUCCESS; 784 | } 785 | 786 | if (pActivationCtx) 787 | { 788 | if (LdrEntry->EntryPointActivationContext) 789 | { 790 | RtlReleaseActivationContext(LdrEntry->EntryPointActivationContext); 791 | } 792 | 793 | LdrEntry->EntryPointActivationContext = pActivationCtx; 794 | } 795 | 796 | if (!NT_SUCCESS(Status)) 797 | { 798 | WID_HIDDEN(LdrpLogInternal("minkernel\\ntdll\\ldrsnap.c", 0x2FA, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", Status); ) 799 | } 800 | } 801 | } 802 | return Status; 803 | } 804 | 805 | // Planning to implement them all in the future. 806 | tNtOpenThreadToken NtOpenThreadToken = nullptr; 807 | tNtClose NtClose = nullptr; 808 | tRtlAllocateHeap RtlAllocateHeap = nullptr; 809 | tRtlFreeHeap RtlFreeHeap = nullptr; 810 | tLdrGetDllPath LdrGetDllPath = nullptr; 811 | tRtlReleasePath RtlReleasePath = nullptr; 812 | tRtlInitUnicodeStringEx RtlInitUnicodeStringEx = nullptr; 813 | tRtlEnterCriticalSection RtlEnterCriticalSection = nullptr; 814 | tRtlLeaveCriticalSection RtlLeaveCriticalSection = nullptr; 815 | tZwSetEvent ZwSetEvent = nullptr; 816 | tNtOpenFile NtOpenFile = nullptr; 817 | tLdrAppxHandleIntegrityFailure LdrAppxHandleIntegrityFailure = nullptr; 818 | tNtRaiseHardError NtRaiseHardError = nullptr; 819 | tRtlImageNtHeaderEx RtlImageNtHeaderEx = nullptr; 820 | tRtlAcquireSRWLockExclusive RtlAcquireSRWLockExclusive = nullptr; 821 | tRtlReleaseSRWLockExclusive RtlReleaseSRWLockExclusive = nullptr; 822 | tRtlEqualUnicodeString RtlEqualUnicodeString = nullptr; 823 | tRtlAcquirePrivilege RtlAcquirePrivilege = nullptr; 824 | tRtlReleasePrivilege RtlReleasePrivilege = nullptr; 825 | tRtlCompareUnicodeStrings RtlCompareUnicodeStrings = nullptr; 826 | tRtlImageNtHeader RtlImageNtHeader = nullptr; 827 | tRtlReleaseActivationContext RtlReleaseActivationContext = nullptr; 828 | tRtlCharToInteger RtlCharToInteger = nullptr; 829 | tRtlActivateActivationContextUnsafeFast RtlActivateActivationContextUnsafeFast = nullptr; 830 | tRtlDeactivateActivationContextUnsafeFast RtlDeactivateActivationContextUnsafeFast = nullptr; 831 | tRtlAcquireSRWLockShared RtlAcquireSRWLockShared = nullptr; 832 | tRtlReleaseSRWLockShared RtlReleaseSRWLockShared = nullptr; 833 | 834 | // Signatured 835 | tLdrpLogInternal LdrpLogInternal = nullptr; 836 | tLdrpInitializeDllPath LdrpInitializeDllPath = nullptr; 837 | tLdrpDereferenceModule LdrpDereferenceModule = nullptr; 838 | tLdrpLogDllState LdrpLogDllState = nullptr; 839 | tLdrpPreprocessDllName LdrpPreprocessDllName = nullptr; 840 | tLdrpFindLoadedDllByName LdrpFindLoadedDllByName = nullptr; 841 | tLdrpDrainWorkQueue LdrpDrainWorkQueue = nullptr; 842 | tLdrpFindLoadedDllByHandle LdrpFindLoadedDllByHandle = nullptr; 843 | tLdrpDropLastInProgressCount LdrpDropLastInProgressCount = nullptr; 844 | tLdrpQueryCurrentPatch LdrpQueryCurrentPatch = nullptr; 845 | tLdrpUndoPatchImage LdrpUndoPatchImage = nullptr; 846 | tLdrpDetectDetour LdrpDetectDetour = nullptr; 847 | tLdrpFindOrPrepareLoadingModule LdrpFindOrPrepareLoadingModule = nullptr; 848 | tLdrpFreeLoadContext LdrpFreeLoadContext = nullptr; 849 | tLdrpCondenseGraph LdrpCondenseGraph = nullptr; 850 | tLdrpBuildForwarderLink LdrpBuildForwarderLink = nullptr; 851 | tLdrpPinModule LdrpPinModule = nullptr; 852 | tLdrpApplyPatchImage LdrpApplyPatchImage = nullptr; 853 | tLdrpFreeLoadContextOfNode LdrpFreeLoadContextOfNode = nullptr; 854 | tLdrpDecrementModuleLoadCountEx LdrpDecrementModuleLoadCountEx = nullptr; 855 | tLdrpLogError LdrpLogError = nullptr; 856 | tLdrpLogDeprecatedDllEtwEvent LdrpLogDeprecatedDllEtwEvent = nullptr; 857 | tLdrpLogLoadFailureEtwEvent LdrpLogLoadFailureEtwEvent = nullptr; 858 | tLdrpReportError LdrpReportError = nullptr; 859 | tLdrpResolveDllName LdrpResolveDllName = nullptr; 860 | tLdrpAppCompatRedirect LdrpAppCompatRedirect = nullptr; 861 | tLdrpHashUnicodeString LdrpHashUnicodeString = nullptr; 862 | tLdrpFindExistingModule LdrpFindExistingModule = nullptr; 863 | tLdrpLoadContextReplaceModule LdrpLoadContextReplaceModule = nullptr; 864 | tLdrpSearchPath LdrpSearchPath = nullptr; 865 | tLdrpIsSecurityEtwLoggingEnabled LdrpIsSecurityEtwLoggingEnabled = nullptr; 866 | tLdrpLogEtwDllSearchResults LdrpLogEtwDllSearchResults = nullptr; 867 | tLdrpCheckForRetryLoading LdrpCheckForRetryLoading = nullptr; 868 | tLdrpLogEtwEvent LdrpLogEtwEvent = nullptr; 869 | tLdrpCheckComponentOnDemandEtwEvent LdrpCheckComponentOnDemandEtwEvent = nullptr; 870 | tLdrpValidateIntegrityContinuity LdrpValidateIntegrityContinuity = nullptr; 871 | tLdrpSetModuleSigningLevel LdrpSetModuleSigningLevel = nullptr; 872 | tLdrpCodeAuthzCheckDllAllowed LdrpCodeAuthzCheckDllAllowed = nullptr; 873 | tLdrpGetFullPath LdrpGetFullPath = nullptr; 874 | tLdrpAllocateUnicodeString LdrpAllocateUnicodeString = nullptr; 875 | tLdrpAppendUnicodeStringToFilenameBuffer LdrpAppendUnicodeStringToFilenameBuffer = nullptr; 876 | tLdrpGetNtPathFromDosPath LdrpGetNtPathFromDosPath = nullptr; 877 | tLdrpFindLoadedDllByMappingLockHeld LdrpFindLoadedDllByMappingLockHeld = nullptr; 878 | tLdrpInsertDataTableEntry LdrpInsertDataTableEntry = nullptr; 879 | tLdrpInsertModuleToIndexLockHeld LdrpInsertModuleToIndexLockHeld = nullptr; 880 | tLdrpLogEtwHotPatchStatus LdrpLogEtwHotPatchStatus = nullptr; 881 | tLdrpLogNewDllLoad LdrpLogNewDllLoad = nullptr; 882 | tLdrpProcessMachineMismatch LdrpProcessMachineMismatch = nullptr; 883 | tRtlQueryImageFileKeyOption RtlQueryImageFileKeyOption = nullptr; 884 | tRtlpImageDirectoryEntryToDataEx RtlpImageDirectoryEntryToDataEx = nullptr; 885 | tLdrpLogDllRelocationEtwEvent LdrpLogDllRelocationEtwEvent = nullptr; 886 | tLdrpNotifyLoadOfGraph LdrpNotifyLoadOfGraph = nullptr; 887 | tLdrpDynamicShimModule LdrpDynamicShimModule = nullptr; 888 | tLdrpAcquireLoaderLock LdrpAcquireLoaderLock = nullptr; 889 | tLdrpReleaseLoaderLock LdrpReleaseLoaderLock = nullptr; 890 | tLdrpCheckPagesForTampering LdrpCheckPagesForTampering = nullptr; 891 | tLdrpLoadDependentModuleA LdrpLoadDependentModuleA = nullptr; 892 | tLdrpLoadDependentModuleW LdrpLoadDependentModuleW = nullptr; 893 | tLdrpQueueWork LdrpQueueWork = nullptr; 894 | tLdrpHandleTlsData LdrpHandleTlsData = nullptr; 895 | tLdrControlFlowGuardEnforcedWithExportSuppression LdrControlFlowGuardEnforcedWithExportSuppression = nullptr; 896 | tLdrpUnsuppressAddressTakenIat LdrpUnsuppressAddressTakenIat = nullptr; 897 | tLdrControlFlowGuardEnforced LdrControlFlowGuardEnforced = nullptr; 898 | tRtlpxLookupFunctionTable RtlpxLookupFunctionTable = nullptr; 899 | tLdrpCheckRedirection LdrpCheckRedirection = nullptr; 900 | tCompatCachepLookupCdb CompatCachepLookupCdb = nullptr; 901 | tLdrpGenRandom LdrpGenRandom = nullptr; 902 | tLdrInitSecurityCookie LdrInitSecurityCookie = nullptr; 903 | tLdrpCfgProcessLoadConfig LdrpCfgProcessLoadConfig = nullptr; 904 | tRtlInsertInvertedFunctionTable RtlInsertInvertedFunctionTable = nullptr; 905 | tLdrpSignalModuleMapped LdrpSignalModuleMapped = nullptr; 906 | tAVrfDllLoadNotification AVrfDllLoadNotification = nullptr; 907 | tLdrpSendDllNotifications LdrpSendDllNotifications = nullptr; 908 | tLdrpCallTlsInitializers LdrpCallTlsInitializers = nullptr; -------------------------------------------------------------------------------- /Src/Functions/NT.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "..\Includes.h" 4 | #include "..\WID.h" 5 | #include "Undocumented.h" 6 | 7 | 8 | #define NT_SUCCESS(x) ((x)>=0) 9 | #define STATUS_SUCCESS 0x0 10 | #define STATUS_IMAGE_NOT_AT_BASE 0x40000003 11 | #define STATUS_IMAGE_AT_DIFFERENT_BASE 0x40000036 12 | #define STATUS_IMAGE_MACHINE_TYPE_MISMATCH 0x4000000E 13 | #define STATUS_DEVICE_OFF_LINE 0x80000010 14 | #define STATUS_UNSUCCESSFUL 0xC0000001 15 | #define STATUS_NOT_IMPLEMENTED 0xC0000002 16 | #define STATUS_NO_SUCH_FILE 0xC000000F 17 | #define STATUS_CONFLICTING_ADDRESSES 0xC0000018 18 | #define STATUS_ACCESS_DENIED 0xC0000022 19 | #define STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034 20 | #define STATUS_OBJECT_PATH_NOT_FOUND 0xC000003A 21 | #define STATUS_PROCEDURE_NOT_FOUND 0xC000007A 22 | #define STATUS_DEVICE_NOT_READY 0xC00000A3 23 | #define STATUS_INVALID_IMAGE_FORMAT 0xC000007B 24 | #define STATUS_NO_TOKEN 0xC000007C 25 | #define STATUS_INSUFFICIENT_RESOURCES 0xC000009A 26 | #define STATUS_NOT_SUPPORTED 0xC00000BB 27 | #define STATUS_INTERNAL_ERROR 0xC00000E5 28 | #define STATUS_NAME_TOO_LONG 0xC0000106 29 | #define STATUS_COMMITMENT_LIMIT 0xC000012D 30 | #define STATUS_NO_APPLICATION_PACKAGE 0xC00001AA 31 | #define STATUS_RESOURCE_LANG_NOT_FOUND 0xC0000204 32 | #define STATUS_NOT_FOUND 0xC0000225 33 | #define STATUS_RETRY 0xC000022D 34 | #define STATUS_INVALID_IMAGE_HASH 0xC0000428 35 | #define STATUS_NEEDS_REMEDIATION 0xC0000462 36 | #define STATUS_PATCH_CONFLICT 0xC00004AC 37 | #define STATUS_IMAGE_LOADED_AS_PATCH_IMAGE 0xC00004C0 38 | #define STATUS_INVALID_THREAD 0xC000071C 39 | 40 | 41 | // Implemented. 42 | extern DWORD* LdrpPolicyBits; 43 | extern HANDLE* LdrpMainThreadToken; 44 | extern DWORD* LdrInitState; 45 | extern DWORD* LoadFailure; 46 | extern PRTL_CRITICAL_SECTION LdrpWorkQueueLock; 47 | extern DWORD* LdrpWorkInProgress; 48 | extern LIST_ENTRY** LdrpWorkQueue; 49 | extern PHANDLE LdrpWorkCompleteEvent; 50 | extern KUSER_SHARED_DATA* kUserSharedData; 51 | extern DWORD* LdrpUseImpersonatedDeviceMap; 52 | extern DWORD* LdrpAuditIntegrityContinuity; 53 | extern DWORD* LdrpEnforceIntegrityContinuity; 54 | extern DWORD* LdrpFatalHardErrorCount; 55 | extern DWORD* UseWOW64; 56 | extern PRTL_SRWLOCK LdrpModuleDatatableLock; 57 | extern PHANDLE qword_17E238; 58 | extern LDR_DATA_TABLE_ENTRY** LdrpImageEntry; 59 | extern PUNICODE_STRING LdrpKernel32DllName; 60 | extern UINT_PTR* LdrpAppHeaders; 61 | extern PHANDLE LdrpLargePageDllKeyHandle; 62 | extern ULONG** LdrpLockMemoryPrivilege; 63 | extern ULONG64* LdrpMaximumUserModeAddress; 64 | extern UINT_PTR* LdrpMapAndSnapWork; 65 | extern LIST_ENTRY* LdrpHashTable; 66 | extern PVOID* LdrpHeap; 67 | extern BOOLEAN* LdrpIsHotPatchingEnabled; 68 | extern LDR_DATA_TABLE_ENTRY** LdrpRedirectionModule; 69 | extern ULONG64** qword_1993A8; 70 | extern LONG* NtdllBaseTag; 71 | extern FUNCTION_TABLE_DATA* stru_199520; 72 | extern UINT_PTR* qword_199530; 73 | extern LDR_DATA_TABLE_ENTRY** LdrpNtDllDataTableEntry; 74 | extern UINT_PTR* qword_1993B8; 75 | extern DWORD* dword_19939C; 76 | extern DWORD* LoadFailureOperational; 77 | extern DWORD* dword_199398; 78 | extern UINT_PTR*** qword_1843B8; 79 | extern UINT_PTR* qword_1843B0; 80 | extern UINT_PTR* LdrpCurrentDllInitializer; 81 | extern LPVOID** LdrpProcessInitContextRecord; 82 | extern PRTL_SRWLOCK LdrpTlsLock; 83 | extern TLS_ENTRY** LdrpTlsList; 84 | 85 | typedef NTSTATUS(__fastcall** tLdrpManifestProberRoutine)(PIMAGE_DOS_HEADER Base, PWCHAR, PVOID); 86 | extern tLdrpManifestProberRoutine LdrpManifestProberRoutine; 87 | typedef BOOLEAN(__fastcall** tLdrpRedirectionCalloutFunc)(PWCHAR Buffer); 88 | extern tLdrpRedirectionCalloutFunc LdrpRedirectionCalloutFunc; 89 | 90 | 91 | PEB* NtCurrentPeb(); 92 | VOID __fastcall NtdllpFreeStringRoutine(PWCH Buffer); // CHECKED. 93 | NTSTATUS __fastcall LdrpFastpthReloadedDll(PUNICODE_STRING FullPath, ULONG Flags, PLDR_DATA_TABLE_ENTRY LdrEntry, LDR_DATA_TABLE_ENTRY** DllEntry); 94 | NTSTATUS __fastcall LdrpIncrementModuleLoadCount(LDR_DATA_TABLE_ENTRY* LdrEntry); 95 | VOID __fastcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString); // CHECKED. 96 | VOID __fastcall LdrpFreeUnicodeString(PUNICODE_STRING String); 97 | ULONG __fastcall RtlGetCurrentServiceSessionId(VOID); // CHECKED ? 98 | USHORT __fastcall LdrpGetBaseNameFromFullName(PUNICODE_STRING BaseName, PUNICODE_STRING FullName); 99 | PWCHAR __fastcall RtlGetNtSystemRoot(); 100 | BOOLEAN __fastcall LdrpHpatAllocationOptOut(PUNICODE_STRING FullDllName); 101 | NTSTATUS __fastcall LdrpCorValidateImage(PIMAGE_DOS_HEADER DosHeader); 102 | NTSTATUS __fastcall LdrpCorFixupImage(PIMAGE_DOS_HEADER DosHeader); 103 | NTSTATUS __fastcall LdrpFindLoadedDllByNameLockHeld(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, ULONG64 Flags, LDR_DATA_TABLE_ENTRY** pLdrEntry, ULONG BaseNameHashValue); 104 | BOOLEAN __fastcall LdrpIsILOnlyImage(PIMAGE_DOS_HEADER DllBase); 105 | VOID __fastcall LdrpAddNodeServiceTag(LDR_DDAG_NODE* DdagNode, UINT_PTR ServiceTag); 106 | PIMAGE_LOAD_CONFIG_DIRECTORY LdrImageDirectoryEntryToLoadConfig(PIMAGE_DOS_HEADER DllBase); 107 | BOOLEAN __fastcall LdrpShouldModuleImportBeRedirected(LDR_DATA_TABLE_ENTRY* DllEntry); 108 | PIMAGE_IMPORT_DESCRIPTOR __fastcall LdrpGetImportDescriptorForSnap(LDRP_LOAD_CONTEXT* LoadContext); 109 | NTSTATUS __fastcall LdrpMapCleanModuleView(LDRP_LOAD_CONTEXT* LoadContext); 110 | LDR_DATA_TABLE_ENTRY* __fastcall LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry); 111 | NTSTATUS __fastcall LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry); 112 | VOID __fastcall LdrpHandlePendingModuleReplaced(LDRP_LOAD_CONTEXT* LoadContext); 113 | PIMAGE_SECTION_HEADER __fastcall RtlSectionTableFromVirtualAddress(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address); 114 | PIMAGE_SECTION_HEADER __fastcall RtlAddressInSectionTable(PIMAGE_NT_HEADERS NtHeader, PVOID Base, UINT_PTR Address); 115 | BOOLEAN __fastcall LdrpValidateEntrySection(LDR_DATA_TABLE_ENTRY* DllEntry); 116 | BOOL __fastcall LdrpIsExecutableRelocatedImage(PIMAGE_DOS_HEADER DllBase); 117 | TLS_ENTRY* __fastcall LdrpFindTlsEntry(LDR_DATA_TABLE_ENTRY* LdrEntry); 118 | BOOL __fastcall ImageTlsCallbackCaller(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved); 119 | 120 | extern "C" NTSTATUS __fastcall ZwSystemDebugControl(); 121 | extern "C" NTSTATUS __fastcall NtCreateSection(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES * ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle); 122 | extern "C" NTSTATUS __fastcall ZwMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle, PIMAGE_DOS_HEADER * BaseAddress, ULONG64 ZeroBits, ULONG64 CommitSize, PLARGE_INTEGER SectionOffset, PULONG ViewSize, SECTION_INHERIT InheritDisposition, ULONG64 AllocationType, ULONG64 Protect); 123 | extern "C" NTSTATUS __fastcall ZwMapViewOfSectionEx(HANDLE SectionHandle, HANDLE ProcessHandle, PIMAGE_DOS_HEADER * DllBase, PLARGE_INTEGER a4, PULONG ViewSize, ULONG a6, ULONG a7, MEM_EXTENDED_PARAMETER * MemExtendedParam, ULONG a9); 124 | extern "C" NTSTATUS __fastcall NtUnmapViewOfSection(HANDLE ProcessHandle, PVOID BaseAddress); 125 | extern "C" NTSTATUS __fastcall ZwProtectVirtualMemory(HANDLE ProcessHandle, PVOID * BaseAddress, PULONG ProtectSize, ULONG NewProtect, PULONG OldProtect); 126 | extern "C" NTSTATUS __fastcall ZwQueryVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, SIZE_T MemoryInformationLength, PSIZE_T ReturnLength); 127 | extern "C" NTSTATUS __fastcall NtQueryInformationProcess(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); 128 | 129 | // Planning to implement them all in the future. 130 | typedef NTSTATUS(__fastcall* tNtOpenThreadToken)(IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, OUT PHANDLE TokenHandle); 131 | extern tNtOpenThreadToken NtOpenThreadToken; 132 | 133 | typedef NTSTATUS(__fastcall* tNtClose)(HANDLE Handle); 134 | extern tNtClose NtClose; 135 | 136 | typedef PVOID(__fastcall* tRtlAllocateHeap)(IN PVOID HeapHandle, IN OPTIONAL ULONG Flags, IN SIZE_T Size); 137 | extern tRtlAllocateHeap RtlAllocateHeap; 138 | 139 | typedef BOOLEAN(__fastcall* tRtlFreeHeap)(IN PVOID HeapHandle, IN OPTIONAL ULONG Flags, _Frees_ptr_opt_ PVOID BaseAddress); 140 | extern tRtlFreeHeap RtlFreeHeap; 141 | 142 | typedef NTSTATUS(__fastcall* tLdrGetDllPath)(PWCH DllName, DWORD dwFlags, PWSTR* Path, PWSTR* Unknown); 143 | extern tLdrGetDllPath LdrGetDllPath; 144 | 145 | typedef VOID(__fastcall* tRtlReleasePath)(IN PWSTR); 146 | extern tRtlReleasePath RtlReleasePath; 147 | 148 | typedef NTSTATUS(__fastcall* tRtlInitUnicodeStringEx)(PUNICODE_STRING target, PCWSTR source); 149 | extern tRtlInitUnicodeStringEx RtlInitUnicodeStringEx; 150 | 151 | typedef NTSTATUS(__fastcall* tRtlEnterCriticalSection)(PRTL_CRITICAL_SECTION CriticalSection); 152 | extern tRtlEnterCriticalSection RtlEnterCriticalSection; 153 | 154 | typedef NTSTATUS(__fastcall* tRtlLeaveCriticalSection)(PRTL_CRITICAL_SECTION CriticalSection); 155 | extern tRtlLeaveCriticalSection RtlLeaveCriticalSection; 156 | 157 | typedef NTSTATUS(__fastcall* tZwSetEvent)(HANDLE EventHandle, PLONG PreviousState); 158 | extern tZwSetEvent ZwSetEvent; 159 | 160 | typedef NTSTATUS(__fastcall* tNtOpenFile)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES* ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions); 161 | extern tNtOpenFile NtOpenFile; 162 | 163 | typedef NTSTATUS(__fastcall* tLdrAppxHandleIntegrityFailure)(NTSTATUS Status); 164 | extern tLdrAppxHandleIntegrityFailure LdrAppxHandleIntegrityFailure; 165 | 166 | typedef NTSTATUS(__fastcall* tNtRaiseHardError)(NTSTATUS Status, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask, INT* Parameters, HARDERROR_RESPONSE_OPTION ValidResponseOption, HARDERROR_RESPONSE* Response); 167 | extern tNtRaiseHardError NtRaiseHardError; 168 | 169 | typedef NTSTATUS(__fastcall* tRtlImageNtHeaderEx)(ULONG Flags, PVOID Base, ULONG64 Size, PIMAGE_NT_HEADERS* OutHeaders); 170 | extern tRtlImageNtHeaderEx RtlImageNtHeaderEx; 171 | 172 | typedef VOID(__fastcall* tRtlAcquireSRWLockExclusive)(PRTL_SRWLOCK SRWLock); 173 | extern tRtlAcquireSRWLockExclusive RtlAcquireSRWLockExclusive; 174 | 175 | typedef NTSTATUS(__fastcall* tRtlReleaseSRWLockExclusive)(PRTL_SRWLOCK SRWLock); 176 | extern tRtlReleaseSRWLockExclusive RtlReleaseSRWLockExclusive; 177 | 178 | typedef NTSTATUS(__fastcall* tRtlEqualUnicodeString)(PUNICODE_STRING String1, PUNICODE_STRING String2, BOOLEAN CaseInSensitive); 179 | extern tRtlEqualUnicodeString RtlEqualUnicodeString; 180 | 181 | typedef NTSTATUS(__fastcall* tRtlAcquirePrivilege)(ULONG* Privilege,ULONG NumPriv,ULONG Flags,PVOID * ReturnedState); 182 | extern tRtlAcquirePrivilege RtlAcquirePrivilege; 183 | 184 | typedef VOID(__fastcall* tRtlReleasePrivilege)(PVOID ReturnedState); 185 | extern tRtlReleasePrivilege RtlReleasePrivilege; 186 | 187 | typedef NTSTATUS(__fastcall* tRtlCompareUnicodeStrings)(PWCH String1, UINT_PTR String1Length, PWCH String2, UINT_PTR String2Length, BOOLEAN CaseInSensitive); 188 | extern tRtlCompareUnicodeStrings RtlCompareUnicodeStrings; 189 | 190 | typedef PIMAGE_NT_HEADERS(__fastcall* tRtlImageNtHeader)(PIMAGE_DOS_HEADER DosHeader); 191 | extern tRtlImageNtHeader RtlImageNtHeader; 192 | 193 | typedef UINT_PTR(__fastcall* tRtlReleaseActivationContext)(ACTIVATION_CONTEXT* ActivationContext); 194 | extern tRtlReleaseActivationContext RtlReleaseActivationContext; 195 | 196 | typedef NTSTATUS(__fastcall* tRtlCharToInteger)(const PCHAR String, ULONG Base, PULONG Value); 197 | extern tRtlCharToInteger RtlCharToInteger; 198 | 199 | typedef NTSTATUS(__fastcall* tRtlActivateActivationContextUnsafeFast)(RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED* StackFrameExtended, ACTIVATION_CONTEXT* ActivationContext); 200 | extern tRtlActivateActivationContextUnsafeFast RtlActivateActivationContextUnsafeFast; 201 | 202 | typedef VOID(__fastcall* tRtlDeactivateActivationContextUnsafeFast)(RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED* StackFrameExtended); 203 | extern tRtlDeactivateActivationContextUnsafeFast RtlDeactivateActivationContextUnsafeFast; 204 | 205 | typedef NTSTATUS(__fastcall* tRtlAcquireSRWLockShared)(PRTL_SRWLOCK SrwLock); 206 | extern tRtlAcquireSRWLockShared RtlAcquireSRWLockShared; 207 | 208 | typedef NTSTATUS(__fastcall* tRtlReleaseSRWLockShared)(PRTL_SRWLOCK SrwLock); 209 | extern tRtlReleaseSRWLockShared RtlReleaseSRWLockShared; 210 | 211 | // Signatured 212 | #define LDRP_LOG_INTERNAL_PATTERN "\x89\x54\x24\x10\x4C\x8B\xDC\x49\x89\x4B\x08" 213 | typedef NTSTATUS(__fastcall* tLdrpLogInternal)(PCHAR, ULONG, PCHAR, ULONG, PCHAR, ...); 214 | extern tLdrpLogInternal LdrpLogInternal; 215 | 216 | #define LDRP_INITIALIZE_DLLPATH_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x30\x49\x8B\xF8\x48\x8B\xDA\x48\x8B\xF1" 217 | typedef NTSTATUS(__fastcall* tLdrpInitializeDllPath)(PWSTR DllName, PWSTR DllPath, LDR_UNKSTRUCT* ReturnPath); 218 | extern tLdrpInitializeDllPath LdrpInitializeDllPath; 219 | 220 | #define LDRP_DEREFERENCE_MODULE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x20\x48\x8B\x81\x98\x00\x00\x00" 221 | typedef NTSTATUS(__fastcall* tLdrpDereferenceModule)(LDR_DATA_TABLE_ENTRY* DllEntry); 222 | extern tLdrpDereferenceModule LdrpDereferenceModule; 223 | 224 | #define LDRP_LOG_DLLSTATE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x30\x65\x48\x8B\x04\x25\x60\x00\x00\x00\x41" 225 | typedef NTSTATUS(__fastcall* tLdrpLogDllState)(UINT_PTR, PUNICODE_STRING, ULONG); 226 | extern tLdrpLogDllState LdrpLogDllState; 227 | 228 | #define LDRP_PREPROCESS_DLLNAME_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x08\x49\x89\x6B\x10\x49\x89\x73\x18\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x83\xEC\x40" 229 | typedef NTSTATUS(__fastcall* tLdrpPreprocessDllName)(PUNICODE_STRING DllName, PUNICODE_STRING ResName, PULONG pZero, PULONG pFlags); 230 | extern tLdrpPreprocessDllName LdrpPreprocessDllName; 231 | 232 | #define LDRP_FIND_LOADEDDLLBYNAME_PATTERN "\x48\x8B\xC4\x53\x55\x41\x57\x48\x83\xEC\x50" 233 | typedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByName)(PUNICODE_STRING FullPath, PUNICODE_STRING DllName, USHORT Flags, LDR_DATA_TABLE_ENTRY** DllEntry, LDR_DDAG_STATE* ReturnStatus); 234 | extern tLdrpFindLoadedDllByName LdrpFindLoadedDllByName; 235 | 236 | #define LDRP_DRAIN_WORKQUEUE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x54\x41\x56\x48\x83\xEC\x20\x4C\x8B\x35\x35\xA3\x15\x00" 237 | typedef TEB* (__fastcall* tLdrpDrainWorkQueue)(DRAIN_TASK DrainTask); 238 | extern tLdrpDrainWorkQueue LdrpDrainWorkQueue; 239 | 240 | #define LDRP_FIND_LOADEDDLL_BYHANDLE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x48\x89\x7C\x24\x18\x41\x56\x48\x83\xEC\x20\x33\xDB\x49\x8B\xF8\x4C\x8B\xF2" 241 | typedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByHandle)(unsigned __int64 a1, PLDR_DATA_TABLE_ENTRY* ppLdrEntry, DWORD* a3); 242 | extern tLdrpFindLoadedDllByHandle LdrpFindLoadedDllByHandle; 243 | 244 | #define LDRP_DROP_LASTINPROGRESS_COUNT_PATTERN "\x48\x83\xEC\x28\x65\x48\x8B\x04\x25\x30\x00\x00\x00\xB9\xFF\xEF\x00\x00" 245 | typedef NTSTATUS(__fastcall* tLdrpDropLastInProgressCount)(); 246 | extern tLdrpDropLastInProgressCount LdrpDropLastInProgressCount; 247 | 248 | #define LDRP_QUERY_CURRENT_PATCH_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x70\x10\x48\x89\x78\x20\x55\x41\x56" 249 | typedef NTSTATUS(__fastcall* tLdrpQueryCurrentPatch)(ULONG Checksum, ULONG TimeDateStamp, PUNICODE_STRING FullPath); 250 | extern tLdrpQueryCurrentPatch LdrpQueryCurrentPatch; 251 | 252 | #define LDRP_UNDO_PATCH_IMAGE_PATTERN "\x4C\x8B\xDC\x53\x48\x83\xEC\x40\x48\x8B\x41\x30\x4D\x8D\x4B\x08" 253 | typedef NTSTATUS(__fastcall* tLdrpUndoPatchImage)(PLDR_DATA_TABLE_ENTRY LdrEntry); 254 | extern tLdrpUndoPatchImage LdrpUndoPatchImage; 255 | 256 | #define LDRP_DETECT_DETOUR_PATTERN "\x40\x57\x48\x83\xEC\x30\x80\x3D\x87\x32\x11\x00\x00\x75\x7B" 257 | typedef VOID(__fastcall* tLdrpDetectDetour)(); 258 | extern tLdrpDetectDetour LdrpDetectDetour; 259 | 260 | #define LDRP_FINDORPREPARE_LOADINGMODULE_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x20\x57\x41\x56\x41\x57\x48\x83\xEC\x50" 261 | typedef NTSTATUS(__fastcall* tLdrpFindOrPrepareLoadingModule)(PUNICODE_STRING FullPath, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, ULONG LdrFlags, PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY* pLdrEntryLoaded, NTSTATUS* pStatus); 262 | extern tLdrpFindOrPrepareLoadingModule LdrpFindOrPrepareLoadingModule; 263 | 264 | #define LDRP_FREE_LOAD_CONTEXT_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x48\x8B\x41\x38\x48\x8B\xD9\x48\x83\xA0\xB0\x00\x00\x00" 265 | typedef VOID(__fastcall* tLdrpFreeLoadContext)(PLDRP_LOAD_CONTEXT LoadContext); 266 | extern tLdrpFreeLoadContext LdrpFreeLoadContext; 267 | 268 | #define LDRP_CONDENSE_GRAPH_PATTERN "\x48\x8B\xC4\x48\x83\xEC\x28\x83\x79\x38\x06\x7D\x19" 269 | typedef PVOID* (__fastcall* tLdrpCondenseGraph)(LDR_DDAG_NODE* DdagNode); 270 | extern tLdrpCondenseGraph LdrpCondenseGraph; 271 | 272 | #define LDRP_BUILD_FORWARDER_LINK_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x20\x33\xDB\x48\x8B\xF2" 273 | typedef NTSTATUS(__fastcall* tLdrpBuildForwarderLink)(PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2); 274 | extern tLdrpBuildForwarderLink LdrpBuildForwarderLink; 275 | 276 | #define LDRP_PIN_MODULE_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x48\x8B\xD9\x33\xFF\x48\x8D\x0D\x02\xBB\x10\x00" 277 | typedef NTSTATUS(__fastcall* tLdrpPinModule)(PLDR_DATA_TABLE_ENTRY LdrEntry); 278 | extern tLdrpPinModule LdrpPinModule; 279 | 280 | #define LDRP_APPLY_PATCH_IMAGE_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x7C\x24\x18\x55\x41\x56\x41\x57\x48\x8B\xEC" 281 | typedef NTSTATUS(__fastcall* tLdrpApplyPatchImage)(PLDR_DATA_TABLE_ENTRY LdrEntry); 282 | extern tLdrpApplyPatchImage LdrpApplyPatchImage; 283 | 284 | #define LDRP_FREE_LOADCONTEXT_NODE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x20\x48\x8B\x19\x48\x8B\xF2" 285 | typedef NTSTATUS(__fastcall* tLdrpFreeLoadContextOfNode)(PLDR_DDAG_NODE DdagNode, NTSTATUS* pStatus); 286 | extern tLdrpFreeLoadContextOfNode LdrpFreeLoadContextOfNode; 287 | 288 | #define LDRP_DECREMENT_MODULELOADCOUNTEX_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x8B\xFA\x48\x8B\xD9\x85\xD2" 289 | typedef NTSTATUS(__fastcall* tLdrpDecrementModuleLoadCountEx)(PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2); 290 | extern tLdrpDecrementModuleLoadCountEx LdrpDecrementModuleLoadCountEx; 291 | 292 | #define LDRP_LOG_ERROR_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x30\x49\x8B\xD9" 293 | typedef PEB*(__fastcall* tLdrpLogError)(NTSTATUS Status, ULONG, ULONG, PVOID); 294 | extern tLdrpLogError LdrpLogError; 295 | 296 | #define LDRP_LOG_DEPRECATED_DLL_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x6C\x24\x18\x48\x89\x74\x24\x20\x57\x48\x83\xEC\x40" 297 | typedef WCHAR*(__fastcall* tLdrpLogDeprecatedDllEtwEvent)(PLDRP_LOAD_CONTEXT LoadContext); 298 | extern tLdrpLogDeprecatedDllEtwEvent LdrpLogDeprecatedDllEtwEvent; 299 | 300 | #define LDRP_LOG_LOAD_FAILURE_PATTERN "\x48\x89\x5C\x24\x08\x44\x89\x44\x24\x18\x55\x56\x57\x48\x8B\xEC\x48\x83\xEC\x70" 301 | typedef VOID(__fastcall* tLdrpLogLoadFailureEtwEvent)(PVOID Unknown, PVOID Unknown2, NTSTATUS Status, PVOID LoadFailure, ULONG Unknown3); 302 | extern tLdrpLogLoadFailureEtwEvent LdrpLogLoadFailureEtwEvent; 303 | 304 | #define LDRP_REPORT_ERROR_PATTERN "\x48\x89\x5C\x24\x20\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\xAC\x24\x50\xFF\xFF\xFF\x48\x81\xEC\xB0\x01\x00\x00\x48\x8B\x05\xEE\x08\x19\x00" 305 | typedef NTSTATUS(__fastcall* tLdrpReportError)(PVOID Report, ULONG Unknown, NTSTATUS Status); 306 | extern tLdrpReportError LdrpReportError; 307 | 308 | #define LDRP_RESOLVE_DLLNAME_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x08\x49\x89\x6B\x10\x49\x89\x73\x20\x4D\x89\x43\x18\x57\x41\x54\x41\x55\x41\x56" 309 | typedef NTSTATUS(__fastcall* tLdrpResolveDllName)(PLDRP_LOAD_CONTEXT FileName, LDRP_FILENAME_BUFFER* FileNameBuffer, PUNICODE_STRING FullName, PUNICODE_STRING ResolvedName, DWORD Flags); 310 | extern tLdrpResolveDllName LdrpResolveDllName; 311 | 312 | #define LDRP_APP_COMPAT_REDIRECT_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x56\x41\x57\x48\x83\xEC\x50\x45\x33\xFF\x49\x8B\xF1\x44\x38\x3D\xC3\x3A\x17\x00" 313 | typedef NTSTATUS(__fastcall* tLdrpAppCompatRedirect)(PLDRP_LOAD_CONTEXT LoadContext, PUNICODE_STRING FullDllName, PUNICODE_STRING BaseDllName, LDRP_FILENAME_BUFFER* FileNameBuffer, NTSTATUS Status); 314 | extern tLdrpAppCompatRedirect LdrpAppCompatRedirect; 315 | 316 | #define LDRP_HASH_UNICODE_STRING_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x45\x33\xDB" 317 | typedef ULONG(__fastcall* tLdrpHashUnicodeString)(PUNICODE_STRING BaseDllName); 318 | extern tLdrpHashUnicodeString LdrpHashUnicodeString; 319 | 320 | #define LDRP_FIND_EXISTING_MODULE_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x30\x48\x8B\x7C\x24\x60\x48\x8B\xD9" 321 | typedef NTSTATUS(__fastcall* tLdrpFindExistingModule)(PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, UINT64 Flags, ULONG BaseDllNameHash, PLDR_DATA_TABLE_ENTRY* LoadedDll); 322 | extern tLdrpFindExistingModule LdrpFindExistingModule; 323 | 324 | #define LDRP_LOADCONTEXT_REPLACE_MODULE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x20\x48\x8B\xD9\x48\x8B\xF2" 325 | typedef NTSTATUS(__fastcall* tLdrpLoadContextReplaceModule)(PLDRP_LOAD_CONTEXT LoadContext, PLDR_DATA_TABLE_ENTRY LoadedDll); 326 | extern tLdrpLoadContextReplaceModule LdrpLoadContextReplaceModule; 327 | 328 | #define LDRP_SEARCHPATH_PATTERN "\x48\x89\x5C\x24\x18\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\x6C\x24\xF9\x48\x81\xEC\xD0\x00\x00\x00" 329 | typedef NTSTATUS(__fastcall* tLdrpSearchPath)(LDRP_LOAD_CONTEXT* LoadContext, LDR_UNKSTRUCT* UnkStruct, ULONG Flags, PUNICODE_STRING ReturnPath, LDRP_FILENAME_BUFFER* FileName, PUNICODE_STRING BaseDllName, PUNICODE_STRING UnkStruct3_String, BOOL* a8, LDR_UNKSTRUCT3* UnkStruct3); 330 | extern tLdrpSearchPath LdrpSearchPath; 331 | 332 | #define LDRP_ISSECURITYETW_LOGG_ENABLED_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x20\xE8\x04\xA2\x02\x00" 333 | typedef BOOLEAN(__fastcall* tLdrpIsSecurityEtwLoggingEnabled)(); 334 | extern tLdrpIsSecurityEtwLoggingEnabled LdrpIsSecurityEtwLoggingEnabled; 335 | 336 | #define LDRP_LOGETW_DLL_SEARCHRESULTS_PATTERN "\x48\x89\x5C\x24\x08\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8B\xEC\x48\x83\xEC\x60\x44\x8B\xF9" 337 | typedef VOID(__fastcall* tLdrpLogEtwDllSearchResults)(ULONG Flags, LDRP_LOAD_CONTEXT* LoadContext); 338 | extern tLdrpLogEtwDllSearchResults LdrpLogEtwDllSearchResults; 339 | 340 | #define LDRP_CHECKFORRETRY_LOADING_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x83\xEC\x20\x33\xDB\x44\x8A\xFA" 341 | typedef BOOLEAN(__fastcall* tLdrpCheckForRetryLoading)(PLDRP_LOAD_CONTEXT LoadContext, BOOLEAN Unknown); 342 | extern tLdrpCheckForRetryLoading LdrpCheckForRetryLoading; 343 | 344 | #define LDRP_LOG_ETWEVENT_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x81\xEC\x80\x02\x00\x00" 345 | typedef NTSTATUS(__fastcall* tLdrpLogEtwEvent)(ULONG a1, ULONGLONG a2, ULONG a3, ULONG a4); 346 | extern tLdrpLogEtwEvent LdrpLogEtwEvent; 347 | 348 | #define LDRP_CHECK_COMPONENTONDEMAND_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x55\x57\x41\x56\x48\x8B\xEC\x48\x81\xEC\x80\x00\x00\x00" 349 | typedef BOOLEAN(__fastcall* tLdrpCheckComponentOnDemandEtwEvent)(LDRP_LOAD_CONTEXT* LoadContext); 350 | extern tLdrpCheckComponentOnDemandEtwEvent LdrpCheckComponentOnDemandEtwEvent; 351 | 352 | #define LDRP_VALIDATE_INTEGRITY_PATTERN "\x44\x88\x44\x24\x18\x53\x56\x57\x48\x83\xEC\x30" 353 | typedef NTSTATUS(__fastcall* tLdrpValidateIntegrityContinuity)(PLDRP_LOAD_CONTEXT LoadContext, HANDLE FileHandle); 354 | extern tLdrpValidateIntegrityContinuity LdrpValidateIntegrityContinuity; 355 | 356 | #define LDRP_SET_MODULE_SIGNINGLEVEL_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x10\x49\x89\x73\x18\x49\x89\x7B\x20\x49\x89\x4B\x08\x41\x56" 357 | typedef NTSTATUS(__fastcall* tLdrpSetModuleSigningLevel)(HANDLE FileHandle, PLDR_DATA_TABLE_ENTRY LoadContext, PULONG pSigningLevel, ULONG NewSigningLevelMaybe); 358 | extern tLdrpSetModuleSigningLevel LdrpSetModuleSigningLevel; 359 | 360 | #define LDRP_CODE_AUTHZCHECKDLL_ALLOWED_PATTERN "\x48\x83\x3D\xC8\x44\x17\x00\x00\x4C\x8B\xCA" 361 | typedef NTSTATUS(__fastcall* tLdrpCodeAuthzCheckDllAllowed)(LDRP_FILENAME_BUFFER* pFileNameBuffer, HANDLE FileHandle); 362 | extern tLdrpCodeAuthzCheckDllAllowed LdrpCodeAuthzCheckDllAllowed; 363 | 364 | #define LDRP_GET_FULLPATH_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x08\x55\x56\x57\x41\x56\x41\x57\x48\x83\xEC\x30" 365 | typedef NTSTATUS(__fastcall* tLdrpGetFullPath)(PLDRP_LOAD_CONTEXT LoadContext, PUNICODE_STRING FullPath); 366 | extern tLdrpGetFullPath LdrpGetFullPath; 367 | 368 | #define LDRP_ALLOCATE_UNICODESTRING_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x20\x33\xDB\x8D\x7A\x02" 369 | typedef NTSTATUS(__fastcall* tLdrpAllocateUnicodeString)(PUNICODE_STRING Allocated, USHORT Length); 370 | extern tLdrpAllocateUnicodeString LdrpAllocateUnicodeString; 371 | 372 | #define LDRP_APPEND_UNICODETOFILENAME_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x20\x45\x33\xF6\x48\x8B\xEA" 373 | typedef NTSTATUS(__fastcall* tLdrpAppendUnicodeStringToFilenameBuffer)(PUNICODE_STRING FileName, PLDRP_LOAD_CONTEXT LoadContext); 374 | extern tLdrpAppendUnicodeStringToFilenameBuffer LdrpAppendUnicodeStringToFilenameBuffer; 375 | 376 | #define LDRP_GET_NTPATH_FROM_DOSPATH_PATTERN "\x48\x89\x5C\x24\x18\x55\x56\x57\x48\x8D\x6C\x24\xB9\x48\x81\xEC\xC0\x00\x00\x00" 377 | typedef NTSTATUS(__fastcall* tLdrpGetNtPathFromDosPath)(PUNICODE_STRING DosPath, LDRP_FILENAME_BUFFER* NtPath); 378 | extern tLdrpGetNtPathFromDosPath LdrpGetNtPathFromDosPath; 379 | 380 | #define LDRP_FIND_LOADEDDLL_MAPLOCK_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x56\x41\x57\x48\x83\xEC\x30\x4C\x8B\x15\xFD\x89\x15\x00" 381 | typedef NTSTATUS(__fastcall* tLdrpFindLoadedDllByMappingLockHeld)(PIMAGE_DOS_HEADER DllBase, PIMAGE_NT_HEADERS OutHeaders, PVOID Unknown, PLDR_DATA_TABLE_ENTRY* pLdrEntry); 382 | extern tLdrpFindLoadedDllByMappingLockHeld LdrpFindLoadedDllByMappingLockHeld; 383 | 384 | #define LDRP_INSERT_DATATABLEENTRY_PATTERN "\x40\x53\x48\x83\xEC\x20\xF6\x41\x68\x40" 385 | typedef VOID(__fastcall* tLdrpInsertDataTableEntry)(PLDR_DATA_TABLE_ENTRY LdrEntry); 386 | extern tLdrpInsertDataTableEntry LdrpInsertDataTableEntry; 387 | 388 | #define LDRP_INSERT_MODTOIDX_LOCKHELD_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x44\x8B\x4A\x08" 389 | typedef NTSTATUS(__fastcall* tLdrpInsertModuleToIndexLockHeld)(PLDR_DATA_TABLE_ENTRY LdrEntry, PIMAGE_NT_HEADERS OutHeaders); 390 | extern tLdrpInsertModuleToIndexLockHeld LdrpInsertModuleToIndexLockHeld; 391 | 392 | #define LDRP_LOGETW_HOTPATCHSTATUS_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x70\x10\x48\x89\x78\x18\x4C\x89\x60\x20\x55\x41\x56\x41\x57\x48\x8D\x68\x98" 393 | typedef NTSTATUS(__fastcall* tLdrpLogEtwHotPatchStatus)(PUNICODE_STRING BaseDllName, LDR_DATA_TABLE_ENTRY* LdrEntry, PUNICODE_STRING FullDllName, NTSTATUS Status, ULONG Unknown); 394 | extern tLdrpLogEtwHotPatchStatus LdrpLogEtwHotPatchStatus; 395 | 396 | #define LDRP_LOG_NEWDLL_LOAD_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x30\x48\x8B\xEA\x4C\x8B\xF1" 397 | typedef PEB*(__fastcall* tLdrpLogNewDllLoad)(LDR_DATA_TABLE_ENTRY* LdrEntry, LDR_DATA_TABLE_ENTRY* LdrEntry2); 398 | extern tLdrpLogNewDllLoad LdrpLogNewDllLoad; 399 | 400 | #define LDRP_PROCESS_MACHINE_MISMATCH_PATTERN "\x40\x53\x55\x57\x48\x83\xEC\x40\x48\x8B\x59\x38" 401 | typedef NTSTATUS(__fastcall* tLdrpProcessMachineMismatch)(PLDRP_LOAD_CONTEXT LoadContext); 402 | extern tLdrpProcessMachineMismatch LdrpProcessMachineMismatch; 403 | 404 | #define RTL_QUERY_IMAGEFILE_KEYOPT_PATTERN "\x48\x89\x5C\x24\x10\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\xAC\x24\xA0\xFC\xFF\xFF" 405 | typedef NTSTATUS(__fastcall* tRtlQueryImageFileKeyOption)(HANDLE hKey, PCWSTR lpszOption, ULONG dwType, PVOID lpData, ULONG cbData, ULONG* lpcbData); 406 | extern tRtlQueryImageFileKeyOption RtlQueryImageFileKeyOption; 407 | 408 | #define RTLP_IMAGEDIR_ENTRYTODATA_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x10\x49\x89\x6B\x18\x49\x89\x73\x20\x57\x41\x56\x41\x57\x48\x83\xEC\x20\x4C\x8B\x74\x24\x60" 409 | typedef NTSTATUS(__fastcall* tRtlpImageDirectoryEntryToDataEx)(PIMAGE_DOS_HEADER DllBase, BOOLEAN Unknown, WORD Characteristics, ULONG64* LastRVASection, PVOID OutHeader); 410 | extern tRtlpImageDirectoryEntryToDataEx RtlpImageDirectoryEntryToDataEx; 411 | 412 | #define LDRP_LOG_DLLRELOCATION_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x83\xEC\x20\x4D\x8B\xF1" 413 | typedef PVOID(__fastcall* tLdrpLogDllRelocationEtwEvent)(PUNICODE_STRING FullDllName, ULONGLONG ImageBase, PIMAGE_DOS_HEADER DllBase, SIZE_T Size); 414 | extern tLdrpLogDllRelocationEtwEvent LdrpLogDllRelocationEtwEvent; 415 | 416 | #define LDRP_NOTIFY_LOADOFGRAPH_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x20\x48\x8B\x71\x28\x48\x8B\xF9" 417 | typedef NTSTATUS(__fastcall* tLdrpNotifyLoadOfGraph)(LDR_DDAG_NODE* DdagNode); 418 | extern tLdrpNotifyLoadOfGraph LdrpNotifyLoadOfGraph; 419 | 420 | #define LDRP_DYNAMIC_SHIMMODULE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x18\x48\x89\x74\x24\x20\x57\x41\x56\x41\x57\x48\x83\xEC\x40" 421 | typedef NTSTATUS(__fastcall* tLdrpDynamicShimModule)(LDR_DDAG_NODE* DdagNode); 422 | extern tLdrpDynamicShimModule LdrpDynamicShimModule; 423 | 424 | #define LDRP_ACQUIRE_LOADERLOCK_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x30\xE8\xE4\x9E\xFE\xFF" 425 | typedef NTSTATUS(__fastcall* tLdrpAcquireLoaderLock)(); 426 | extern tLdrpAcquireLoaderLock LdrpAcquireLoaderLock; 427 | 428 | #define LDRP_RELEASE_LOADER_LOCK_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x30\x48\x8D\x0D\x2E\xD8\x12\x00" 429 | typedef NTSTATUS(__fastcall* tLdrpReleaseLoaderLock)(ULONG64 Unused, ULONG Two, ULONG64 LdrFlags); 430 | extern tLdrpReleaseLoaderLock LdrpReleaseLoaderLock; 431 | 432 | #define LDRP_CHECKPAGES_FOR_TAMPERING_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x68\x10\x48\x89\x70\x18\x48\x89\x78\x20\x41\x56\x48\x83\xEC\x30\x48\x8D\xBA\xFF\x0F\x00\x00" 433 | typedef BOOLEAN(__fastcall* tLdrpCheckPagesForTampering)(PIMAGE_DATA_DIRECTORY pDataDir, ULONG64 Offset); 434 | extern tLdrpCheckPagesForTampering LdrpCheckPagesForTampering; 435 | 436 | #define LDRP_LOAD_DEPENDENTMODULEA_PATTERN "\x4C\x8B\xDC\x55\x53\x49\x8D\xAB\x48\xFF\xFF\xFF" 437 | typedef NTSTATUS(__fastcall* tLdrpLoadDependentModuleA)(PUNICODE_STRING SourceString, LDRP_LOAD_CONTEXT* LoadContext, LDR_DATA_TABLE_ENTRY* LdrEntry, UINT_PTR Unknown, LDR_DATA_TABLE_ENTRY** pLdrEntry, UINT_PTR Unknown2); 438 | extern tLdrpLoadDependentModuleA LdrpLoadDependentModuleA; 439 | 440 | #define LDRP_LOAD_DEPENDENTMODULEW_PATTERN "\x48\x89\x5C\x24\x20\x55\x56\x57\x41\x56\x41\x57\x48\x81\xEC\x50\x01\x00\x00" 441 | typedef NTSTATUS(__fastcall* tLdrpLoadDependentModuleW)(PUNICODE_STRING SourceString, LDRP_LOAD_CONTEXT* LoadContext, LDR_DATA_TABLE_ENTRY* DllEntry); 442 | extern tLdrpLoadDependentModuleW LdrpLoadDependentModuleW; 443 | 444 | #define LDRP_QUEUE_WORK_PATTERN "\x40\x53\x48\x83\xEC\x20\x48\x8B\x41\x28\x48\x8B\xD9" 445 | typedef NTSTATUS(__fastcall* tLdrpQueueWork)(PLDRP_LOAD_CONTEXT LoadContext); 446 | extern tLdrpQueueWork LdrpQueueWork; 447 | 448 | #define LDRP_HANDLE_TLSDATA_PATTERN "\x48\x89\x5C\x24\x10\x48\x89\x74\x24\x18\x48\x89\x7C\x24\x20\x41\x55\x41\x56\x41\x57\x48\x81\xEC\x00\x01\x00\x00" 449 | typedef NTSTATUS(__fastcall* tLdrpHandleTlsData)(LDR_DATA_TABLE_ENTRY* LdrDataTableEntry); 450 | extern tLdrpHandleTlsData LdrpHandleTlsData; 451 | 452 | #define LDR_CONTROLFLOWGUARD_ENFEXP_PATTERN "\x33\xC0\x48\x39\x05\x8F\x7D\x17\x00" 453 | typedef BOOLEAN(__fastcall* tLdrControlFlowGuardEnforcedWithExportSuppression)(); 454 | extern tLdrControlFlowGuardEnforcedWithExportSuppression LdrControlFlowGuardEnforcedWithExportSuppression; 455 | 456 | #define LDRP_UNSUPPRESS_ADDRESSIAT_PATTERN "\x48\x89\x5C\x24\x18\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8B\xEC\x48\x83\xEC\x70\x48\x8B\x05\x6E\xC6\x0B\x00" 457 | typedef __int64(__fastcall* tLdrpUnsuppressAddressTakenIat)(PIMAGE_DOS_HEADER DllBase, ULONG Unknown, ULONG Unknown2); 458 | extern tLdrpUnsuppressAddressTakenIat LdrpUnsuppressAddressTakenIat; 459 | 460 | #define LDR_CONTROLFLOWGUARD_ENF_PATTERN "\x48\x83\x3D\x90\xD5\x16\x00\x00" 461 | typedef BOOL(__fastcall* tLdrControlFlowGuardEnforced)(); 462 | extern tLdrControlFlowGuardEnforced LdrControlFlowGuardEnforced; 463 | 464 | #define RTLP_LOOKUP_FUNCTIONTABLE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x18\x48\x89\x7C\x24\x20\x41\x56\x48\x83\xEC\x20\x33\xDB" 465 | typedef PIMAGE_RUNTIME_FUNCTION_ENTRY(__fastcall* tRtlpxLookupFunctionTable)(PIMAGE_DOS_HEADER DllBase, PIMAGE_RUNTIME_FUNCTION_ENTRY* ppImageFunctionEntry); 466 | extern tRtlpxLookupFunctionTable RtlpxLookupFunctionTable; 467 | 468 | #define LDRP_CHECK_REDIRECTION_PATTERN "\x48\x8B\xC4\x48\x89\x58\x08\x48\x89\x70\x10\x48\x89\x78\x18\x4C\x89\x68\x20\x55\x41\x56\x41\x57\x48\x8D\x68\xA1" 469 | typedef PCHAR(__fastcall* tLdrpCheckRedirection)(LDR_DATA_TABLE_ENTRY* DllEntry, LDR_DATA_TABLE_ENTRY* NtLdrEntry, PCHAR StringToBeHashed); 470 | extern tLdrpCheckRedirection LdrpCheckRedirection; 471 | 472 | #define COMPAT_CACHE_LOOKUPCDB_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x81\xEC\xB0\x01\x00\x00" 473 | typedef BOOL(__fastcall* tCompatCachepLookupCdb)(PWCHAR Buffer, LONG Unknown); 474 | extern tCompatCachepLookupCdb CompatCachepLookupCdb; 475 | 476 | #define LDRP_GEN_RANDOM_PATTERN "\x48\x83\xEC\x28\xB9\x1C\x00\x00\x00\xE8\x0E\x0B\x00\x00" 477 | typedef UINT_PTR(__fastcall* tLdrpGenRandom)(); 478 | extern tLdrpGenRandom LdrpGenRandom; 479 | 480 | #define LDR_INIT_SECURITY_COOKIE_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x48\x89\x7C\x24\x20\x55\x41\x54\x41\x56" 481 | typedef BOOL(__fastcall* tLdrInitSecurityCookie)(PIMAGE_DOS_HEADER DllBase, INT_PTR ImageSize, UINT_PTR* Zero, UINT_PTR RandomNumberStuff, UINT_PTR* Zero_2); 482 | extern tLdrInitSecurityCookie LdrInitSecurityCookie; 483 | 484 | #define LDRP_CFG_PROCESS_LOADCFG_PATTERN "\x48\x89\x5C\x24\x20\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x8D\x6C\x24\xD9\x48\x81\xEC\xF0\x00\x00\x00\x48\x8B\x05\x99\x11\x17\x00" 485 | typedef NTSTATUS(__fastcall* tLdrpCfgProcessLoadConfig)(LDR_DATA_TABLE_ENTRY* DllEntry, PIMAGE_NT_HEADERS NtHeader, __int64 Zero); 486 | extern tLdrpCfgProcessLoadConfig LdrpCfgProcessLoadConfig; 487 | 488 | #define RTL_INSERT_INV_FUNCTIONTABLE_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x30\x8B\xDA\x4C\x8D\x44\x24\x50" 489 | typedef NTSTATUS(__fastcall* tRtlInsertInvertedFunctionTable)(PIMAGE_DOS_HEADER DllBase, ULONG ImageSize); 490 | extern tRtlInsertInvertedFunctionTable RtlInsertInvertedFunctionTable; 491 | 492 | #define LDRP_SIGNAL_MODULEMAPPED_PATTERN "\x48\x89\x5C\x24\x08\x57\x48\x83\xEC\x20\x48\x8B\x81\x98\x00\x00\x00\x48\x8B\x78\x30" 493 | typedef LDR_DDAG_NODE*(__fastcall* tLdrpSignalModuleMapped)(LDR_DATA_TABLE_ENTRY* DllEntry); 494 | extern tLdrpSignalModuleMapped LdrpSignalModuleMapped; 495 | 496 | #define AVRF_DLL_LOADNOTIFICATION_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x6C\x24\x10\x48\x89\x74\x24\x18\x57\x48\x83\xEC\x30\x65\x48\x8B\x04\x25\x60\x00\x00\x00" 497 | typedef NTSTATUS(__fastcall* tAVrfDllLoadNotification)(LDR_DATA_TABLE_ENTRY* DllEntry); 498 | extern tAVrfDllLoadNotification AVrfDllLoadNotification; 499 | 500 | #define LDRP_SEND_DLLNOTIFICATIONS_PATTERN "\x4C\x8B\xDC\x49\x89\x5B\x08\x49\x89\x73\x10\x57\x48\x83\xEC\x50\x83\x64\x24\x20\x00" 501 | typedef NTSTATUS(__fastcall* tLdrpSendDllNotifications)(LDR_DATA_TABLE_ENTRY* DllEntry, UINT_PTR Unknown); 502 | extern tLdrpSendDllNotifications LdrpSendDllNotifications; 503 | 504 | #define LDRP_CALL_TLSINIT_PATTERN "\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x48\x89\x7C\x24\x20\x41\x56\x48\x83\xEC\x60" 505 | typedef NTSTATUS(__fastcall* tLdrpCallTlsInitializers)(ULONG One, LDR_DATA_TABLE_ENTRY* LdrEntry); 506 | extern tLdrpCallTlsInitializers LdrpCallTlsInitializers; -------------------------------------------------------------------------------- /Src/Functions/Syscalls.asm: -------------------------------------------------------------------------------- 1 | .code 2 | ZwSystemDebugControl proc 3 | 4 | mov r10, rcx 5 | mov eax, 1CDh 6 | test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall 7 | jnz short SYSCALL_DEFINED 8 | syscall 9 | ret 10 | SYSCALL_DEFINED: 11 | int 2Eh 12 | 13 | ZwSystemDebugControl endp 14 | 15 | NtCreateSection proc 16 | 17 | mov r10, rcx 18 | mov eax, 4Ah 19 | test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall 20 | jnz short SYSCALL_DEFINED 21 | syscall 22 | ret 23 | SYSCALL_DEFINED: 24 | int 2Eh 25 | 26 | NtCreateSection endp 27 | 28 | ZwMapViewOfSection proc 29 | 30 | mov r10, rcx 31 | mov eax, 28h 32 | test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall 33 | jnz short SYSCALL_DEFINED 34 | syscall 35 | ret 36 | SYSCALL_DEFINED: 37 | int 2Eh 38 | 39 | ZwMapViewOfSection endp 40 | 41 | ZwMapViewOfSectionEx proc 42 | 43 | mov r10, rcx 44 | mov eax, 11Ch 45 | test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall 46 | jnz short SYSCALL_DEFINED 47 | syscall 48 | ret 49 | SYSCALL_DEFINED: 50 | int 2Eh 51 | 52 | ZwMapViewOfSectionEx endp 53 | 54 | NtUnmapViewOfSection proc 55 | 56 | mov r10, rcx 57 | mov eax, 2Ah 58 | test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall 59 | jnz short SYSCALL_DEFINED 60 | syscall 61 | ret 62 | SYSCALL_DEFINED: 63 | int 2Eh 64 | 65 | NtUnmapViewOfSection endp 66 | 67 | ZwProtectVirtualMemory proc 68 | 69 | mov r10, rcx 70 | mov eax, 50h 71 | test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall 72 | jnz short SYSCALL_DEFINED 73 | syscall 74 | ret 75 | SYSCALL_DEFINED: 76 | int 2Eh 77 | 78 | ZwProtectVirtualMemory endp 79 | 80 | ZwQueryVirtualMemory proc 81 | 82 | mov r10, rcx 83 | mov eax, 23h 84 | test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall 85 | jnz short SYSCALL_DEFINED 86 | syscall 87 | ret 88 | SYSCALL_DEFINED: 89 | int 2Eh 90 | 91 | ZwQueryVirtualMemory endp 92 | 93 | NtQueryInformationProcess proc 94 | 95 | mov r10, rcx 96 | mov eax, 19h 97 | test byte ptr [7FFE0308h], 1 ; KUSER_SHARED_DATA.SystemCall 98 | jnz short SYSCALL_DEFINED 99 | syscall 100 | ret 101 | SYSCALL_DEFINED: 102 | int 2Eh 103 | 104 | NtQueryInformationProcess endp 105 | end 106 | 107 | -------------------------------------------------------------------------------- /Src/Functions/Undocumented.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "..\Includes.h" 4 | 5 | typedef void* PPS_POST_PROCESS_INIT_ROUTINE; 6 | 7 | typedef struct _LSA_UNICODE_STRING { 8 | USHORT Length; 9 | USHORT MaximumLength; 10 | PWSTR Buffer; 11 | } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING; 12 | 13 | typedef struct _STRING { 14 | USHORT Length; 15 | USHORT MaximumLength; 16 | PCHAR Buffer; 17 | } STRING, * PSTRING, ANSI_STRING, * PANSI_STRING; 18 | 19 | #define DOS_MAX_COMPONENT_LENGTH 255 20 | #define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) 21 | 22 | typedef struct _CURDIR 23 | { 24 | UNICODE_STRING DosPath; 25 | HANDLE Handle; 26 | } CURDIR, * PCURDIR; 27 | 28 | #define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 29 | #define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 30 | 31 | typedef struct _RTL_DRIVE_LETTER_CURDIR 32 | { 33 | USHORT Flags; 34 | USHORT Length; 35 | ULONG TimeStamp; 36 | STRING DosPath; 37 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR; 38 | 39 | #define RTL_MAX_DRIVE_LETTERS 32 40 | #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 41 | 42 | typedef struct _RTL_USER_PROCESS_PARAMETERS 43 | { 44 | ULONG MaximumLength; 45 | ULONG Length; 46 | 47 | ULONG Flags; 48 | ULONG DebugFlags; 49 | 50 | HANDLE ConsoleHandle; 51 | ULONG ConsoleFlags; 52 | HANDLE StandardInput; 53 | HANDLE StandardOutput; 54 | HANDLE StandardError; 55 | 56 | CURDIR CurrentDirectory; 57 | UNICODE_STRING DllPath; 58 | UNICODE_STRING ImagePathName; 59 | UNICODE_STRING CommandLine; 60 | PVOID Environment; 61 | 62 | ULONG StartingX; 63 | ULONG StartingY; 64 | ULONG CountX; 65 | ULONG CountY; 66 | ULONG CountCharsX; 67 | ULONG CountCharsY; 68 | ULONG FillAttribute; 69 | 70 | ULONG WindowFlags; 71 | ULONG ShowWindowFlags; 72 | UNICODE_STRING WindowTitle; 73 | UNICODE_STRING DesktopInfo; 74 | UNICODE_STRING ShellInfo; 75 | UNICODE_STRING RuntimeData; 76 | 77 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 78 | ULONG EnvironmentSize; 79 | ULONG EnvironmentVersion; 80 | PVOID PackageDependencyData; 81 | ULONG ProcessGroupId; 82 | ULONG LoaderThreads; 83 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS; 84 | 85 | typedef struct _PEB_LDR_DATA { 86 | ULONG Length; 87 | BOOL Initialized; 88 | LPVOID SsHandle; 89 | LIST_ENTRY InLoadOrderModuleList; 90 | LIST_ENTRY InMemoryOrderModuleList; 91 | LIST_ENTRY InInitializationOrderModuleList; 92 | } PEB_LDR_DATA, * PPEB_LDR_DATA; 93 | 94 | typedef BOOLEAN(NTAPI* PLDR_INIT_ROUTINE)( 95 | _In_ PVOID DllHandle, 96 | _In_ ULONG Reason, 97 | _In_opt_ PVOID Context 98 | ); 99 | 100 | typedef struct _RTL_BALANCED_NODE 101 | { 102 | union 103 | { 104 | struct _RTL_BALANCED_NODE* Children[2]; //0x0 105 | struct 106 | { 107 | struct _RTL_BALANCED_NODE* Left; //0x0 108 | struct _RTL_BALANCED_NODE* Right; //0x4 109 | }; 110 | }; 111 | union 112 | { 113 | struct 114 | { 115 | UCHAR Red : 1; //0x8 116 | UCHAR Balance : 2; //0x8 117 | }; 118 | ULONG ParentValue; //0x8 119 | }; 120 | } RTL_BALANCED_NODE, *PRTL_BALANCED_NODE; 121 | 122 | // symbols 123 | typedef struct _LDR_SERVICE_TAG_RECORD 124 | { 125 | struct _LDR_SERVICE_TAG_RECORD* Next; 126 | ULONG ServiceTag; 127 | } LDR_SERVICE_TAG_RECORD, * PLDR_SERVICE_TAG_RECORD; 128 | 129 | // symbols 130 | typedef struct _LDRP_CSLIST 131 | { 132 | PSINGLE_LIST_ENTRY Tail; 133 | } LDRP_CSLIST, * PLDRP_CSLIST; 134 | 135 | // symbols 136 | typedef enum _LDR_DDAG_STATE 137 | { 138 | LdrModulesMerged = -5, 139 | LdrModulesInitError = -4, 140 | LdrModulesSnapError = -3, 141 | LdrModulesUnloaded = -2, 142 | LdrModulesUnloading = -1, 143 | LdrModulesPlaceHolder = 0, 144 | LdrModulesMapping = 1, 145 | LdrModulesMapped = 2, 146 | LdrModulesWaitingForDependencies = 3, 147 | LdrModulesSnapping = 4, 148 | LdrModulesSnapped = 5, 149 | LdrModulesCondensed = 6, 150 | LdrModulesReadyToInit = 7, 151 | LdrModulesInitializing = 8, 152 | LdrModulesReadyToRun = 9 153 | } LDR_DDAG_STATE; 154 | 155 | // symbols 156 | typedef struct _LDR_DDAG_NODE 157 | { 158 | LIST_ENTRY Modules; 159 | PLDR_SERVICE_TAG_RECORD ServiceTagList; 160 | ULONG LoadCount; 161 | ULONG LoadWhileUnloadingCount; 162 | ULONG LowestLink; 163 | union 164 | { 165 | LDRP_CSLIST Dependencies; 166 | SINGLE_LIST_ENTRY* RemovalLink; 167 | }; 168 | LDRP_CSLIST IncomingDependencies; 169 | LDR_DDAG_STATE State; 170 | SINGLE_LIST_ENTRY* CondenseLink; 171 | ULONG PreorderNumber; 172 | ULONG Pad; 173 | } LDR_DDAG_NODE, * PLDR_DDAG_NODE; 174 | 175 | // rev 176 | 177 | 178 | 179 | typedef struct _LDR_DEPENDENCY_RECORD 180 | { 181 | SINGLE_LIST_ENTRY DependencyLink; 182 | PLDR_DDAG_NODE DependencyNode; 183 | SINGLE_LIST_ENTRY IncomingDependencyLink; 184 | PLDR_DDAG_NODE IncomingDependencyNode; 185 | } LDR_DEPENDENCY_RECORD, * PLDR_DEPENDENCY_RECORD; 186 | 187 | // symbols 188 | typedef enum _LDR_DLL_LOAD_REASON 189 | { 190 | LoadReasonStaticDependency, 191 | LoadReasonStaticForwarderDependency, 192 | LoadReasonDynamicForwarderDependency, 193 | LoadReasonDelayloadDependency, 194 | LoadReasonDynamicLoad, 195 | LoadReasonAsImageLoad, 196 | LoadReasonAsDataLoad, 197 | LoadReasonEnclavePrimary, // since REDSTONE3 198 | LoadReasonEnclaveDependency, 199 | LoadReasonPatchImage, // since WIN11 200 | LoadReasonUnknown = -1 201 | } LDR_DLL_LOAD_REASON, * PLDR_DLL_LOAD_REASON; 202 | 203 | typedef enum _LDR_HOT_PATCH_STATE 204 | { 205 | LdrHotPatchBaseImage, 206 | LdrHotPatchNotApplied, 207 | LdrHotPatchAppliedReverse, 208 | LdrHotPatchAppliedForward, 209 | LdrHotPatchFailedToPatch, 210 | LdrHotPatchStateMax, 211 | } LDR_HOT_PATCH_STATE, * PLDR_HOT_PATCH_STATE; 212 | 213 | // LDR_DATA_TABLE_ENTRY->Flags 214 | #define LDRP_PACKAGED_BINARY 0x00000001 215 | #define LDRP_MARKED_FOR_REMOVAL 0x00000002 216 | #define LDRP_IMAGE_DLL 0x00000004 217 | #define LDRP_LOAD_NOTIFICATIONS_SENT 0x00000008 218 | #define LDRP_TELEMETRY_ENTRY_PROCESSED 0x00000010 219 | #define LDRP_PROCESS_STATIC_IMPORT 0x00000020 220 | #define LDRP_IN_LEGACY_LISTS 0x00000040 221 | #define LDRP_IN_INDEXES 0x00000080 222 | #define LDRP_SHIM_DLL 0x00000100 223 | #define LDRP_IN_EXCEPTION_TABLE 0x00000200 224 | #define LDRP_LOAD_IN_PROGRESS 0x00001000 225 | #define LDRP_LOAD_CONFIG_PROCESSED 0x00002000 226 | #define LDRP_ENTRY_PROCESSED 0x00004000 227 | #define LDRP_PROTECT_DELAY_LOAD 0x00008000 228 | #define LDRP_DONT_CALL_FOR_THREADS 0x00040000 229 | #define LDRP_PROCESS_ATTACH_CALLED 0x00080000 230 | #define LDRP_PROCESS_ATTACH_FAILED 0x00100000 231 | #define LDRP_COR_DEFERRED_VALIDATE 0x00200000 232 | #define LDRP_COR_IMAGE 0x00400000 233 | #define LDRP_DONT_RELOCATE 0x00800000 234 | #define LDRP_COR_IL_ONLY 0x01000000 235 | #define LDRP_CHPE_IMAGE 0x02000000 236 | #define LDRP_CHPE_EMULATOR_IMAGE 0x04000000 237 | #define LDRP_REDIRECTED 0x10000000 238 | #define LDRP_COMPAT_DATABASE_PROCESSED 0x80000000 239 | 240 | #define LDR_DATA_TABLE_ENTRY_SIZE_WINXP FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, DdagNode) 241 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN7 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, BaseNameHashValue) 242 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN8 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, ImplicitPathOptions) 243 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN10 FIELD_OFFSET(LDR_DATA_TABLE_ENTRY, SigningLevel) 244 | #define LDR_DATA_TABLE_ENTRY_SIZE_WIN11 sizeof(LDR_DATA_TABLE_ENTRY) 245 | 246 | // symbols 247 | typedef struct _LDR_DATA_TABLE_ENTRY 248 | { 249 | LIST_ENTRY InLoadOrderLinks; 250 | LIST_ENTRY InMemoryOrderLinks; 251 | union 252 | { 253 | LIST_ENTRY InInitializationOrderLinks; 254 | LIST_ENTRY InProgressLinks; 255 | }; 256 | PIMAGE_DOS_HEADER DllBase; 257 | PLDR_INIT_ROUTINE EntryPoint; 258 | ULONG SizeOfImage; 259 | UNICODE_STRING FullDllName; 260 | UNICODE_STRING BaseDllName; 261 | union 262 | { 263 | UCHAR FlagGroup[4]; 264 | ULONG Flags; 265 | struct 266 | { 267 | ULONG PackagedBinary : 1; 268 | ULONG MarkedForRemoval : 1; 269 | ULONG ImageDll : 1; 270 | ULONG LoadNotificationsSent : 1; 271 | ULONG TelemetryEntryProcessed : 1; 272 | ULONG ProcessStaticImport : 1; 273 | ULONG InLegacyLists : 1; 274 | ULONG InIndexes : 1; 275 | ULONG ShimDll : 1; 276 | ULONG InExceptionTable : 1; 277 | ULONG ReservedFlags1 : 2; 278 | ULONG LoadInProgress : 1; 279 | ULONG LoadConfigProcessed : 1; 280 | ULONG EntryProcessed : 1; 281 | ULONG ProtectDelayLoad : 1; 282 | ULONG ReservedFlags3 : 2; 283 | ULONG DontCallForThreads : 1; 284 | ULONG ProcessAttachCalled : 1; 285 | ULONG ProcessAttachFailed : 1; 286 | ULONG CorDeferredValidate : 1; 287 | ULONG CorImage : 1; 288 | ULONG DontRelocate : 1; 289 | ULONG CorILOnly : 1; 290 | ULONG ChpeImage : 1; 291 | ULONG ChpeEmulatorImage : 1; 292 | ULONG ReservedFlags5 : 1; 293 | ULONG Redirected : 1; 294 | ULONG ReservedFlags6 : 2; 295 | ULONG CompatDatabaseProcessed : 1; 296 | }; 297 | }; 298 | USHORT ObsoleteLoadCount; 299 | USHORT TlsIndex; 300 | LIST_ENTRY HashLinks; 301 | ULONG TimeDateStamp; 302 | struct _ACTIVATION_CONTEXT* EntryPointActivationContext; 303 | PVOID Lock; // RtlAcquireSRWLockExclusive 304 | PLDR_DDAG_NODE DdagNode; 305 | LIST_ENTRY NodeModuleLink; 306 | struct _LDRP_LOAD_CONTEXT* LoadContext; 307 | PVOID ParentDllBase; 308 | PVOID SwitchBackContext; 309 | RTL_BALANCED_NODE BaseAddressIndexNode; 310 | RTL_BALANCED_NODE MappingInfoIndexNode; 311 | ULONG_PTR OriginalBase; 312 | LARGE_INTEGER LoadTime; 313 | ULONG BaseNameHashValue; 314 | LDR_DLL_LOAD_REASON LoadReason; // since WIN8 315 | ULONG ImplicitPathOptions; 316 | ULONG ReferenceCount; // since WIN10 317 | ULONG DependentLoadFlags; 318 | UCHAR SigningLevel; // since REDSTONE2 319 | ULONG CheckSum; // since 22H1 320 | PVOID ActivePatchImageBase; 321 | LDR_HOT_PATCH_STATE HotPatchState; 322 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; 323 | 324 | #define PROCESSOR_FEATURE_MAX 64 325 | 326 | typedef struct _KSYSTEM_TIME 327 | { 328 | ULONG LowPart; 329 | LONG High1Time; 330 | LONG High2Time; 331 | } KSYSTEM_TIME, * PKSYSTEM_TIME; 332 | 333 | typedef enum _NT_PRODUCT_TYPE 334 | { 335 | NtProductWinNt = 1, 336 | NtProductLanManNt = 2, 337 | NtProductServer = 3 338 | } NT_PRODUCT_TYPE; 339 | 340 | typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE 341 | { 342 | StandardDesign = 0, 343 | NEC98x86 = 1, 344 | EndAlternatives = 2 345 | } ALTERNATIVE_ARCHITECTURE_TYPE; 346 | 347 | typedef struct _KUSER_SHARED_DATA { 348 | ULONG TickCountLowDeprecated; 349 | ULONG TickCountMultiplier; 350 | KSYSTEM_TIME InterruptTime; 351 | KSYSTEM_TIME SystemTime; 352 | KSYSTEM_TIME TimeZoneBias; 353 | USHORT ImageNumberLow; 354 | USHORT ImageNumberHigh; 355 | WCHAR NtSystemRoot[260]; 356 | ULONG MaxStackTraceDepth; 357 | ULONG CryptoExponent; 358 | ULONG TimeZoneId; 359 | ULONG LargePageMinimum; 360 | ULONG AitSamplingValue; 361 | ULONG AppCompatFlag; 362 | ULONGLONG RNGSeedVersion; 363 | ULONG GlobalValidationRunlevel; 364 | LONG TimeZoneBiasStamp; 365 | ULONG NtBuildNumber; 366 | NT_PRODUCT_TYPE NtProductType; 367 | BOOLEAN ProductTypeIsValid; 368 | BOOLEAN Reserved0[1]; 369 | USHORT NativeProcessorArchitecture; 370 | ULONG NtMajorVersion; 371 | ULONG NtMinorVersion; 372 | BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; 373 | ULONG Reserved1; 374 | ULONG Reserved3; 375 | ULONG TimeSlip; 376 | ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; 377 | ULONG BootId; 378 | LARGE_INTEGER SystemExpirationDate; 379 | ULONG SuiteMask; 380 | BOOLEAN KdDebuggerEnabled; 381 | union { 382 | UCHAR MitigationPolicies; 383 | struct { 384 | UCHAR NXSupportPolicy : 2; 385 | UCHAR SEHValidationPolicy : 2; 386 | UCHAR CurDirDevicesSkippedForDlls : 2; 387 | UCHAR Reserved : 2; 388 | }; 389 | }; 390 | USHORT CyclesPerYield; 391 | ULONG ActiveConsoleId; 392 | ULONG DismountCount; 393 | ULONG ComPlusPackage; 394 | ULONG LastSystemRITEventTickCount; 395 | ULONG NumberOfPhysicalPages; 396 | BOOLEAN SafeBootMode; 397 | union { 398 | UCHAR VirtualizationFlags; 399 | struct { 400 | UCHAR ArchStartedInEl2 : 1; 401 | UCHAR QcSlIsSupported : 1; 402 | }; 403 | }; 404 | UCHAR Reserved12[2]; 405 | union { 406 | ULONG SharedDataFlags; 407 | struct { 408 | ULONG DbgErrorPortPresent : 1; 409 | ULONG DbgElevationEnabled : 1; 410 | ULONG DbgVirtEnabled : 1; 411 | ULONG DbgInstallerDetectEnabled : 1; 412 | ULONG DbgLkgEnabled : 1; 413 | ULONG DbgDynProcessorEnabled : 1; 414 | ULONG DbgConsoleBrokerEnabled : 1; 415 | ULONG DbgSecureBootEnabled : 1; 416 | ULONG DbgMultiSessionSku : 1; 417 | ULONG DbgMultiUsersInSessionSku : 1; 418 | ULONG DbgStateSeparationEnabled : 1; 419 | ULONG SpareBits : 21; 420 | } DUMMYSTRUCTNAME2; 421 | } DUMMYUNIONNAME2; 422 | ULONG DataFlagsPad[1]; 423 | ULONGLONG TestRetInstruction; 424 | LONGLONG QpcFrequency; 425 | ULONG SystemCall; 426 | ULONG Reserved2; 427 | ULONGLONG SystemCallPad[2]; 428 | union { 429 | KSYSTEM_TIME TickCount; 430 | ULONG64 TickCountQuad; 431 | struct { 432 | ULONG ReservedTickCountOverlay[3]; 433 | ULONG TickCountPad[1]; 434 | } DUMMYSTRUCTNAME; 435 | } DUMMYUNIONNAME3; 436 | ULONG Cookie; 437 | ULONG CookiePad[1]; 438 | LONGLONG ConsoleSessionForegroundProcessId; 439 | ULONGLONG TimeUpdateLock; 440 | ULONGLONG BaselineSystemTimeQpc; 441 | ULONGLONG BaselineInterruptTimeQpc; 442 | ULONGLONG QpcSystemTimeIncrement; 443 | ULONGLONG QpcInterruptTimeIncrement; 444 | UCHAR QpcSystemTimeIncrementShift; 445 | UCHAR QpcInterruptTimeIncrementShift; 446 | USHORT UnparkedProcessorCount; 447 | ULONG EnclaveFeatureMask[4]; 448 | ULONG TelemetryCoverageRound; 449 | USHORT UserModeGlobalLogger[16]; 450 | ULONG ImageFileExecutionOptions; 451 | ULONG LangGenerationCount; 452 | ULONGLONG Reserved4; 453 | ULONGLONG InterruptTimeBias; 454 | ULONGLONG QpcBias; 455 | ULONG ActiveProcessorCount; 456 | UCHAR ActiveGroupCount; 457 | UCHAR Reserved9; 458 | union { 459 | USHORT QpcData; 460 | struct { 461 | UCHAR QpcBypassEnabled; 462 | UCHAR QpcShift; 463 | }; 464 | }; 465 | LARGE_INTEGER TimeZoneBiasEffectiveStart; 466 | LARGE_INTEGER TimeZoneBiasEffectiveEnd; 467 | XSTATE_CONFIGURATION XState; 468 | KSYSTEM_TIME FeatureConfigurationChangeStamp; 469 | ULONG Spare; 470 | ULONG64 UserPointerAuthMask; 471 | } KUSER_SHARED_DATA, * PKUSER_SHARED_DATA; 472 | 473 | enum DRAIN_TASK 474 | { 475 | WaitLoadComplete = 0, 476 | WaitWorkComplete 477 | }; 478 | 479 | typedef struct _PEB { 480 | BYTE InheritedAddressSpace; 481 | BYTE ReadImageFileExecOptions; 482 | BYTE BeingDebugged; 483 | union { 484 | UCHAR BitField; 485 | struct { 486 | /* bit fields, follow link */ 487 | }; 488 | }; 489 | 490 | LPVOID Mutant; 491 | LPVOID ImageBaseAddress; 492 | 493 | PPEB_LDR_DATA Ldr; 494 | PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 495 | LPVOID SubSystemData; 496 | LPVOID ProcessHeap; 497 | LPVOID FastPebLock; 498 | LPVOID _SYSTEM_DEPENDENT_02; 499 | LPVOID _SYSTEM_DEPENDENT_03; 500 | LPVOID _SYSTEM_DEPENDENT_04; 501 | union { 502 | LPVOID KernelCallbackTable; 503 | LPVOID UserSharedInfoPtr; 504 | }; 505 | DWORD SystemReserved; 506 | DWORD _SYSTEM_DEPENDENT_05; 507 | LPVOID _SYSTEM_DEPENDENT_06; 508 | LPVOID TlsExpansionCounter; 509 | LPVOID TlsBitmap; 510 | DWORD TlsBitmapBits[2]; 511 | LPVOID ReadOnlySharedMemoryBase; 512 | KUSER_SHARED_DATA* SharedData; 513 | LPVOID ReadOnlyStaticServerData; 514 | LPVOID AnsiCodePageData; 515 | LPVOID OemCodePageData; 516 | LPVOID UnicodeCaseTableData; 517 | DWORD NumberOfProcessors; 518 | union 519 | { 520 | DWORD NtGlobalFlag; 521 | LPVOID dummy02; 522 | }; 523 | LARGE_INTEGER CriticalSectionTimeout; 524 | LPVOID HeapSegmentReserve; 525 | LPVOID HeapSegmentCommit; 526 | LPVOID HeapDeCommitTotalFreeThreshold; 527 | LPVOID HeapDeCommitFreeBlockThreshold; 528 | DWORD NumberOfHeaps; 529 | DWORD MaximumNumberOfHeaps; 530 | LPVOID ProcessHeaps; 531 | LPVOID GdiSharedHandleTable; 532 | LPVOID ProcessStarterHelper; 533 | LPVOID GdiDCAttributeList; 534 | LPVOID LoaderLock; 535 | DWORD OSMajorVersion; 536 | DWORD OSMinorVersion; 537 | WORD OSBuildNumber; 538 | WORD OSCSDVersion; 539 | DWORD OSPlatformId; 540 | DWORD ImageSubsystem; 541 | DWORD ImageSubsystemMajorVersion; 542 | LPVOID ImageSubsystemMinorVersion; 543 | union 544 | { 545 | LPVOID ImageProcessAffinityMask; 546 | LPVOID ActiveProcessAffinityMask; 547 | }; 548 | #ifdef _WIN64 549 | LPVOID GdiHandleBuffer[64]; 550 | #else 551 | LPVOID GdiHandleBuffer[32]; 552 | #endif 553 | LPVOID PostProcessInitRoutine; 554 | LPVOID TlsExpansionBitmap; 555 | DWORD TlsExpansionBitmapBits[32]; 556 | LPVOID SessionId; 557 | ULARGE_INTEGER AppCompatFlags; 558 | ULARGE_INTEGER AppCompatFlagsUser; 559 | LPVOID pShimData; 560 | LPVOID AppCompatInfo; 561 | PUNICODE_STRING CSDVersion; 562 | LPVOID ActivationContextData; 563 | LPVOID ProcessAssemblyStorageMap; 564 | LPVOID SystemDefaultActivationContextData; 565 | LPVOID SystemAssemblyStorageMap; 566 | LPVOID MinimumStackCommit; 567 | 568 | //Appended for Windows Server 2003 569 | PVOID SparePointers[4]; 570 | LIST_ENTRY FlsListHead; 571 | PVOID FlsBitmap; 572 | ULONG SpareUlongs[5]; 573 | ULONG FlsHighIndex; 574 | 575 | //Appended for Windows Vista 576 | PVOID WerRegistrationData; 577 | PVOID WerShipAssertPtr; 578 | 579 | //Appended for Windows 7 580 | PVOID pUnused; 581 | PVOID pImageHeaderHash; 582 | union { 583 | ULONG TracingFlags; 584 | struct { 585 | /* bit fields, follow link */ 586 | }; 587 | }; 588 | } PEB, * PPEB; 589 | 590 | struct FUNCTION_TABLE_DATA 591 | { 592 | UINT_PTR TableAddress; 593 | PIMAGE_DOS_HEADER ImageBase; 594 | DWORD ImageSize; 595 | DWORD Size; 596 | }; 597 | 598 | typedef struct _OBJECT_ATTRIBUTES { 599 | ULONG Length; 600 | HANDLE RootDirectory; 601 | PUNICODE_STRING ObjectName; 602 | ULONG Attributes; 603 | PVOID SecurityDescriptor; 604 | PVOID SecurityQualityOfService; 605 | } OBJECT_ATTRIBUTES; 606 | 607 | enum HARDERROR_RESPONSE_OPTION 608 | { 609 | OptionAbortRetryIgnore = 0x0, 610 | OptionOk = 0x1, 611 | OptionOkCancel = 0x2, 612 | OptionRetryCancel = 0x3, 613 | OptionYesNo = 0x4, 614 | OptionYesNoCancel = 0x5, 615 | OptionShutdownSystem = 0x6, 616 | }; 617 | 618 | enum HARDERROR_RESPONSE 619 | { 620 | ResponseReturnToCaller = 0x0, 621 | ResponseNotHandled = 0x1, 622 | ResponseAbort = 0x2, 623 | ResponseCancel = 0x3, 624 | ResponseIgnore = 0x4, 625 | ResponseNo = 0x5, 626 | ResponseOk = 0x6, 627 | ResponseRetry = 0x7, 628 | ResponseYes = 0x8, 629 | }; 630 | 631 | typedef struct _IO_STATUS_BLOCK { 632 | union { 633 | NTSTATUS Status; 634 | PVOID Pointer; 635 | }; 636 | ULONG_PTR Information; 637 | } IO_STATUS_BLOCK, * PIO_STATUS_BLOCK; 638 | 639 | typedef struct _CLIENT_ID { 640 | HANDLE UniqueProcess; 641 | HANDLE UniqueThread; 642 | } CLIENT_ID, * PCLIENT_ID; 643 | 644 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* PRTL_ACTIVATION_CONTEXT_STACK_FRAME; 645 | typedef struct _ACTIVATION_CONTEXT* PACTIVATION_CONTEXT; 646 | typedef struct _TEB_ACTIVE_FRAME* PTEB_ACTIVE_FRAME; 647 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT* PTEB_ACTIVE_FRAME_CONTEXT; 648 | 649 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME { 650 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous; 651 | PACTIVATION_CONTEXT* ActivationContext; 652 | ULONG Flags; 653 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME; 654 | 655 | typedef struct _ACTIVATION_CONTEXT_STACK 656 | { 657 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame; 658 | LIST_ENTRY FrameListCache; 659 | ULONG Flags; 660 | ULONG NextCookieSequenceNumber; 661 | ULONG StackId; 662 | } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK; 663 | 664 | typedef struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC 665 | { 666 | SIZE_T Size; 667 | ULONG Format; 668 | RTL_ACTIVATION_CONTEXT_STACK_FRAME Frame; 669 | } RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC, * PRTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_BASIC; 670 | 671 | typedef struct _RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED 672 | { 673 | SIZE_T Size; 674 | ULONG Format; 675 | RTL_ACTIVATION_CONTEXT_STACK_FRAME Frame; 676 | PVOID Extra1; 677 | PVOID Extra2; 678 | PVOID Extra3; 679 | PVOID Extra4; 680 | } RTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED, * PRTL_CALLER_ALLOCATED_ACTIVATION_CONTEXT_STACK_FRAME_EXTENDED; 681 | 682 | #define GDI_BATCH_BUFFER_SIZE 310 683 | 684 | typedef struct _GDI_TEB_BATCH 685 | { 686 | ULONG Offset; 687 | ULONG_PTR HDC; 688 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 689 | } GDI_TEB_BATCH, * PGDI_TEB_BATCH; 690 | 691 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 692 | { 693 | ULONG Flags; 694 | PSTR FrameName; 695 | } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT; 696 | 697 | typedef struct _TEB_ACTIVE_FRAME 698 | { 699 | ULONG Flags; 700 | struct _TEB_ACTIVE_FRAME* Previous; 701 | PTEB_ACTIVE_FRAME_CONTEXT Context; 702 | } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME; 703 | 704 | #if !defined(_MSC_VER) 705 | typedef struct _PROCESSOR_NUMBER { 706 | USHORT Group; 707 | UCHAR Number; 708 | UCHAR Reserved; 709 | } PROCESSOR_NUMBER, * PPROCESSOR_NUMBER; 710 | #endif 711 | 712 | typedef struct _TEB 713 | { 714 | NT_TIB NtTib; 715 | 716 | PVOID EnvironmentPointer; 717 | CLIENT_ID ClientId; 718 | PVOID ActiveRpcHandle; 719 | PVOID ThreadLocalStoragePointer; 720 | PPEB ProcessEnvironmentBlock; 721 | 722 | ULONG LastErrorValue; 723 | ULONG CountOfOwnedCriticalSections; 724 | PVOID CsrClientThread; 725 | PVOID Win32ThreadInfo; 726 | ULONG User32Reserved[26]; 727 | ULONG UserReserved[5]; 728 | PVOID WOW32Reserved; 729 | LCID CurrentLocale; 730 | ULONG FpSoftwareStatusRegister; 731 | PVOID SystemReserved1[54]; 732 | NTSTATUS ExceptionCode; 733 | PVOID ActivationContextStackPointer; 734 | #ifdef _M_X64 735 | UCHAR SpareBytes[24]; 736 | #else 737 | UCHAR SpareBytes[36]; 738 | #endif 739 | ULONG TxFsContext; 740 | 741 | GDI_TEB_BATCH GdiTebBatch; 742 | CLIENT_ID RealClientId; 743 | HANDLE GdiCachedProcessHandle; 744 | ULONG GdiClientPID; 745 | ULONG GdiClientTID; 746 | PVOID GdiThreadLocalInfo; 747 | ULONG_PTR Win32ClientInfo[62]; 748 | PVOID glDispatchTable[233]; 749 | ULONG_PTR glReserved1[29]; 750 | PVOID glReserved2; 751 | PVOID glSectionInfo; 752 | PVOID glSection; 753 | PVOID glTable; 754 | PVOID glCurrentRC; 755 | PVOID glContext; 756 | 757 | NTSTATUS LastStatusValue; 758 | UNICODE_STRING StaticUnicodeString; 759 | WCHAR StaticUnicodeBuffer[261]; 760 | 761 | PVOID DeallocationStack; 762 | PVOID TlsSlots[64]; 763 | LIST_ENTRY TlsLinks; 764 | 765 | PVOID Vdm; 766 | PVOID ReservedForNtRpc; 767 | PVOID DbgSsReserved[2]; 768 | 769 | ULONG HardErrorMode; 770 | #ifdef _M_X64 771 | PVOID Instrumentation[11]; 772 | #else 773 | PVOID Instrumentation[9]; 774 | #endif 775 | GUID ActivityId; 776 | 777 | PVOID SubProcessTag; 778 | PVOID EtwLocalData; 779 | PVOID EtwTraceData; 780 | PVOID WinSockData; 781 | ULONG GdiBatchCount; 782 | 783 | union 784 | { 785 | PROCESSOR_NUMBER CurrentIdealProcessor; 786 | ULONG IdealProcessorValue; 787 | struct 788 | { 789 | UCHAR ReservedPad0; 790 | UCHAR ReservedPad1; 791 | UCHAR ReservedPad2; 792 | UCHAR IdealProcessor; 793 | }; 794 | }; 795 | 796 | ULONG GuaranteedStackBytes; 797 | PVOID ReservedForPerf; 798 | PVOID ReservedForOle; 799 | ULONG WaitingOnLoaderLock; 800 | PVOID SavedPriorityState; 801 | ULONG_PTR SoftPatchPtr1; 802 | PVOID ThreadPoolData; 803 | PVOID* TlsExpansionSlots; 804 | #ifdef _M_X64 805 | PVOID DeallocationBStore; 806 | PVOID BStoreLimit; 807 | #endif 808 | ULONG MuiGeneration; 809 | ULONG IsImpersonating; 810 | PVOID NlsCache; 811 | PVOID pShimData; 812 | ULONG HeapVirtualAffinity; 813 | HANDLE CurrentTransactionHandle; 814 | PTEB_ACTIVE_FRAME ActiveFrame; 815 | PVOID FlsData; 816 | 817 | PVOID PreferredLanguages; 818 | PVOID UserPrefLanguages; 819 | PVOID MergedPrefLanguages; 820 | ULONG MuiImpersonation; 821 | 822 | union 823 | { 824 | USHORT CrossTebFlags; 825 | USHORT SpareCrossTebBits : 16; 826 | }; 827 | union 828 | { 829 | USHORT SameTebFlags; 830 | struct 831 | { 832 | USHORT SafeThunkCall : 1; 833 | USHORT InDebugPrint : 1; 834 | USHORT HasFiberData : 1; 835 | USHORT SkipThreadAttach : 1; 836 | USHORT WerInShipAssertCode : 1; 837 | USHORT RanProcessInit : 1; 838 | USHORT ClonedThread : 1; 839 | USHORT SuppressDebugMsg : 1; 840 | USHORT DisableUserStackWalk : 1; 841 | USHORT RtlExceptionAttached : 1; 842 | USHORT InitialThread : 1; 843 | USHORT SessionAware : 1; 844 | USHORT SpareSameTebBits : 4; 845 | }; 846 | }; 847 | 848 | PVOID TxnScopeEnterCallback; 849 | PVOID TxnScopeExitCallback; 850 | PVOID TxnScopeContext; 851 | ULONG LockCount; 852 | ULONG SpareUlong0; 853 | PVOID ResourceRetValue; 854 | PVOID ReservedForWdf; 855 | } TEB, * PTEB; 856 | 857 | 858 | struct LDR_UNKSTRUCT 859 | { 860 | PWSTR pInitNameMaybe; 861 | __declspec(align(16)) PWSTR Buffer; 862 | int Flags; 863 | PWSTR pDllName; 864 | char Pad1[84]; 865 | BOOLEAN IsInitedMaybe; 866 | char Pad2[3]; 867 | }; 868 | 869 | struct LDR_UNKSTRUCT2 870 | { 871 | PUNICODE_STRING Name; 872 | UINT64 Status; 873 | }; 874 | 875 | struct LDR_UNKSTRUCT3 876 | { 877 | ULONG Flags; 878 | UNICODE_STRING String; 879 | }; 880 | 881 | typedef struct _LDRP_LOAD_CONTEXT 882 | { 883 | UNICODE_STRING BaseDllName; 884 | LDR_UNKSTRUCT* UnkStruct; 885 | HANDLE SectionHandle; 886 | DWORD Flags; 887 | NTSTATUS* pStatus; 888 | LDR_DATA_TABLE_ENTRY* Entry; 889 | _LIST_ENTRY WorkQueueListEntry; 890 | LDR_DATA_TABLE_ENTRY* ReplacedEntry; 891 | LDR_DATA_TABLE_ENTRY** pvImports; 892 | LDR_DATA_TABLE_ENTRY** IATCheck; 893 | PVOID pvIAT; 894 | ULONG SizeOfIAT; 895 | ULONG CurrentDll; 896 | PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor; 897 | ULONG ImageImportDescriptorLen; 898 | __declspec(align(8)) ULONG OriginalIATProtect; 899 | PVOID GuardCFCheckFunctionPointer; 900 | __int64 GuardFlags; 901 | __int64 DllNameLenCompare; 902 | __int64 UnknownFunc; 903 | SIZE_T Size; 904 | __int64 UnknownPtr; 905 | HANDLE FileHandle; 906 | PIMAGE_DOS_HEADER ImageBase; 907 | wchar_t BaseDllNameBuffer[260]; 908 | } LDRP_LOAD_CONTEXT, *PLDRP_LOAD_CONTEXT; 909 | 910 | struct LDRP_FILENAME_BUFFER 911 | { 912 | UNICODE_STRING pFileName{}; 913 | wchar_t FileName[128]{}; 914 | }; 915 | 916 | typedef struct _MEMORY_IMAGE_INFORMATION 917 | { 918 | PVOID ImageBase; 919 | SIZE_T SizeOfImage; 920 | union 921 | { 922 | ULONG ImageFlags; 923 | struct 924 | { 925 | ULONG ImagePartialMap : 1; 926 | ULONG ImageNotExecutable : 1; 927 | ULONG ImageSigningLevel : 4; // REDSTONE3 928 | ULONG Reserved : 26; 929 | }; 930 | }; 931 | } MEMORY_IMAGE_INFORMATION, * PMEMORY_IMAGE_INFORMATION; 932 | 933 | typedef struct _TLS_ENTRY 934 | { 935 | LIST_ENTRY TlsEntry; 936 | IMAGE_TLS_DIRECTORY TlsDirectory; 937 | PLDR_DATA_TABLE_ENTRY ModuleEntry; 938 | SIZE_T Index; 939 | } TLS_ENTRY, *PTLS_ENTRY; 940 | 941 | enum SECTION_INHERIT 942 | { 943 | ViewShare = 1, 944 | ViewUnmap = 2 945 | }; 946 | 947 | /* 948 | struct MEM_EXTENDED_PARAMETER 949 | { 950 | PVOID Type; 951 | PHANDLE pHandle; 952 | HANDLE Handle; 953 | }; 954 | */ 955 | 956 | typedef struct _MEMORY_WORKING_SET_EX_BLOCK 957 | { 958 | union 959 | { 960 | struct 961 | { 962 | ULONG_PTR Valid : 1; 963 | ULONG_PTR ShareCount : 3; 964 | ULONG_PTR Win32Protection : 11; 965 | ULONG_PTR Shared : 1; 966 | ULONG_PTR Node : 6; 967 | ULONG_PTR Locked : 1; 968 | ULONG_PTR LargePage : 1; 969 | ULONG_PTR Priority : 3; 970 | ULONG_PTR Reserved : 3; 971 | ULONG_PTR SharedOriginal : 1; 972 | ULONG_PTR Bad : 1; 973 | ULONG_PTR Win32GraphicsProtection : 4; // 19H1 974 | #ifdef _WIN64 975 | ULONG_PTR ReservedUlong : 28; 976 | #endif 977 | }; 978 | struct 979 | { 980 | ULONG_PTR Valid : 1; 981 | ULONG_PTR Reserved0 : 14; 982 | ULONG_PTR Shared : 1; 983 | ULONG_PTR Reserved1 : 5; 984 | ULONG_PTR PageTable : 1; 985 | ULONG_PTR Location : 2; 986 | ULONG_PTR Priority : 3; 987 | ULONG_PTR ModifiedList : 1; 988 | ULONG_PTR Reserved2 : 2; 989 | ULONG_PTR SharedOriginal : 1; 990 | ULONG_PTR Bad : 1; 991 | #ifdef _WIN64 992 | ULONG_PTR ReservedUlong : 32; 993 | #endif 994 | } Invalid; 995 | }; 996 | } MEMORY_WORKING_SET_EX_BLOCK, * PMEMORY_WORKING_SET_EX_BLOCK; 997 | 998 | // private 999 | typedef struct _MEMORY_WORKING_SET_EX_INFORMATION 1000 | { 1001 | PVOID VirtualAddress; 1002 | union 1003 | { 1004 | MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes; 1005 | ULONG_PTR Long; 1006 | } u1; 1007 | } MEMORY_WORKING_SET_EX_INFORMATION, * PMEMORY_WORKING_SET_EX_INFORMATION; 1008 | 1009 | typedef enum _MEMORY_INFORMATION_CLASS 1010 | { 1011 | MemoryBasicInformation, // q: MEMORY_BASIC_INFORMATION 1012 | MemoryWorkingSetInformation, // q: MEMORY_WORKING_SET_INFORMATION 1013 | MemoryMappedFilenameInformation, // q: UNICODE_STRING 1014 | MemoryRegionInformation, // q: MEMORY_REGION_INFORMATION 1015 | MemoryWorkingSetExInformation, // q: MEMORY_WORKING_SET_EX_INFORMATION // since VISTA 1016 | MemorySharedCommitInformation, // q: MEMORY_SHARED_COMMIT_INFORMATION // since WIN8 1017 | MemoryImageInformation, // q: MEMORY_IMAGE_INFORMATION 1018 | MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION 1019 | MemoryPrivilegedBasicInformation, // MEMORY_BASIC_INFORMATION 1020 | MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3 1021 | MemoryBasicInformationCapped, // 10 1022 | MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1 1023 | MemoryBadInformation, // since WIN11 1024 | MemoryBadInformationAllProcesses, // since 22H1 1025 | MaxMemoryInfoClass 1026 | } MEMORY_INFORMATION_CLASS; 1027 | 1028 | typedef enum _PROCESSINFOCLASS 1029 | { 1030 | ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION 1031 | ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX 1032 | ProcessIoCounters, // q: IO_COUNTERS 1033 | ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 1034 | ProcessTimes, // q: KERNEL_USER_TIMES 1035 | ProcessBasePriority, // s: KPRIORITY 1036 | ProcessRaisePriority, // s: ULONG 1037 | ProcessDebugPort, // q: HANDLE 1038 | ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege) 1039 | ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN 1040 | ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 1041 | ProcessLdtSize, // s: PROCESS_LDT_SIZE 1042 | ProcessDefaultHardErrorMode, // qs: ULONG 1043 | ProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION 1044 | ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS 1045 | ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void 1046 | ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege) 1047 | ProcessEnableAlignmentFaultFixup, // s: BOOLEAN 1048 | ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS 1049 | ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) 1050 | ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 1051 | ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY 1052 | ProcessPriorityBoost, // qs: ULONG 1053 | ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX 1054 | ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION 1055 | ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND 1056 | ProcessWow64Information, // q: ULONG_PTR 1057 | ProcessImageFileName, // q: UNICODE_STRING 1058 | ProcessLUIDDeviceMapsEnabled, // q: ULONG 1059 | ProcessBreakOnTermination, // qs: ULONG 1060 | ProcessDebugObjectHandle, // q: HANDLE // 30 1061 | ProcessDebugFlags, // qs: ULONG 1062 | ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables 1063 | ProcessIoPriority, // qs: IO_PRIORITY_HINT 1064 | ProcessExecuteFlags, // qs: ULONG 1065 | ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement 1066 | ProcessCookie, // q: ULONG 1067 | ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION 1068 | ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA 1069 | ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION 1070 | ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 1071 | ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX 1072 | ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] 1073 | ProcessImageFileNameWin32, // q: UNICODE_STRING 1074 | ProcessImageFileMapping, // q: HANDLE (input) 1075 | ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE 1076 | ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE 1077 | ProcessGroupInformation, // q: USHORT[] 1078 | ProcessTokenVirtualizationEnabled, // s: ULONG 1079 | ProcessConsoleHostProcess, // qs: ULONG_PTR // ProcessOwnerInformation 1080 | ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 1081 | ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 1082 | ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION 1083 | ProcessDynamicFunctionTableInformation, 1084 | ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables 1085 | ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION 1086 | ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION 1087 | ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL (requires SeDebugPrivilege) 1088 | ProcessHandleTable, // q: ULONG[] // since WINBLUE 1089 | ProcessCheckStackExtentsMode, // qs: ULONG // KPROCESS->CheckStackExtents (CFG) 1090 | ProcessCommandLineInformation, // q: UNICODE_STRING // 60 1091 | ProcessProtectionInformation, // q: PS_PROTECTION 1092 | ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD 1093 | ProcessFaultInformation, // PROCESS_FAULT_INFORMATION 1094 | ProcessTelemetryIdInformation, // q: PROCESS_TELEMETRY_ID_INFORMATION 1095 | ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION 1096 | ProcessDefaultCpuSetsInformation, // SYSTEM_CPU_SET_INFORMATION[5] 1097 | ProcessAllowedCpuSetsInformation, // SYSTEM_CPU_SET_INFORMATION[5] 1098 | ProcessSubsystemProcess, 1099 | ProcessJobMemoryInformation, // q: PROCESS_JOB_MEMORY_INFO 1100 | ProcessInPrivate, // s: void // ETW // since THRESHOLD2 // 70 1101 | ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables 1102 | ProcessIumChallengeResponse, 1103 | ProcessChildProcessInformation, // q: PROCESS_CHILD_PROCESS_INFORMATION 1104 | ProcessHighGraphicsPriorityInformation, // qs: BOOLEAN (requires SeTcbPrivilege) 1105 | ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 1106 | ProcessEnergyValues, // q: PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES 1107 | ProcessPowerThrottlingState, // qs: POWER_THROTTLING_PROCESS_STATE 1108 | ProcessReserved3Information, // ProcessActivityThrottlePolicy // PROCESS_ACTIVITY_THROTTLE_POLICY 1109 | ProcessWin32kSyscallFilterInformation, // q: WIN32K_SYSCALL_FILTER 1110 | ProcessDisableSystemAllowedCpuSets, // 80 1111 | ProcessWakeInformation, // PROCESS_WAKE_INFORMATION 1112 | ProcessEnergyTrackingState, // qs: PROCESS_ENERGY_TRACKING_STATE 1113 | ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3 1114 | ProcessCaptureTrustletLiveDump, 1115 | ProcessTelemetryCoverage, 1116 | ProcessEnclaveInformation, 1117 | ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION 1118 | ProcessUptimeInformation, // q: PROCESS_UPTIME_INFORMATION 1119 | ProcessImageSection, // q: HANDLE 1120 | ProcessDebugAuthInformation, // since REDSTONE4 // 90 1121 | ProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT 1122 | ProcessSequenceNumber, // q: ULONGLONG 1123 | ProcessLoaderDetour, // since REDSTONE5 1124 | ProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION 1125 | ProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION 1126 | ProcessEnableLogging, // PROCESS_LOGGING_INFORMATION 1127 | ProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION 1128 | ProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1 1129 | ProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION 1130 | ProcessAltSystemCallInformation, // since 20H1 // 100 1131 | ProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION 1132 | ProcessDynamicEnforcedCetCompatibleRanges, // PROCESS_DYNAMIC_ENFORCED_ADDRESS_RANGE_INFORMATION // since 20H2 1133 | ProcessCreateStateChange, // since WIN11 1134 | ProcessApplyStateChange, 1135 | ProcessEnableOptionalXStateFeatures, 1136 | ProcessAltPrefetchParam, // since 22H1 1137 | ProcessAssignCpuPartitions, 1138 | ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX 1139 | ProcessMembershipInformation, // PROCESS_MEMBERSHIP_INFORMATION 1140 | ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT 1141 | ProcessEffectivePagePriority, // q: ULONG 1142 | MaxProcessInfoClass 1143 | } PROCESSINFOCLASS; 1144 | 1145 | typedef struct _file_info 1146 | { 1147 | ULONG type; 1148 | char info; 1149 | } file_info; 1150 | 1151 | typedef struct _ASSEMBLY_STORAGE_MAP 1152 | { 1153 | ULONG Flags; 1154 | ULONG AssemblyCount; 1155 | PVOID AssemblyArray; 1156 | } ASSEMBLY_STORAGE_MAP; 1157 | 1158 | typedef struct _ASSEMBLY_STORAGE_MAP_ENTRY 1159 | { 1160 | ULONG Flags; 1161 | UNICODE_STRING DosPath; 1162 | HANDLE Handle; 1163 | } ASSEMBLY_STORAGE_MAP_ENTRY; 1164 | 1165 | typedef struct _ACTIVATION_CONTEXT 1166 | { 1167 | LONG RefCount; 1168 | ULONG Flags; 1169 | LIST_ENTRY Links; 1170 | PVOID ActivationContextData; 1171 | PVOID NotificationRoutine; 1172 | PVOID NotificationContext; 1173 | ULONG SentNotifications[8]; 1174 | ULONG DisabledNotifications[8]; 1175 | ASSEMBLY_STORAGE_MAP* StorageMap; 1176 | ASSEMBLY_STORAGE_MAP_ENTRY* InlineStorageMapEntires; 1177 | ULONG StackTraceIndex; 1178 | PVOID StackTraces[4][4]; 1179 | file_info config; 1180 | file_info appdir; 1181 | char pad[256]; 1182 | } ACTIVATION_CONTEXT; 1183 | 1184 | #define SEC_NO_FLAGS 0x000 1185 | 1186 | /* Tells the OS to allocate space for this section when loading. 1187 | This is clear for a section containing debug information 1188 | only. */ 1189 | #define SEC_ALLOC 0x001 1190 | 1191 | /* Tells the OS to load the section from the file when loading. 1192 | This is clear for a .bss section. */ 1193 | #define SEC_LOAD 0x002 1194 | 1195 | /* The section contains data still to be relocated, so there is 1196 | some relocation information too. */ 1197 | #define SEC_RELOC 0x004 1198 | 1199 | #if 0 /* Obsolete ? */ 1200 | #define SEC_BALIGN 0x008 1201 | #endif 1202 | 1203 | /* A signal to the OS that the section contains read only 1204 | data. */ 1205 | #define SEC_READONLY 0x010 1206 | 1207 | /* The section contains code only. */ 1208 | #define SEC_CODE 0x020 1209 | 1210 | /* The section contains data only. */ 1211 | #define SEC_DATA 0x040 1212 | 1213 | /* The section will reside in ROM. */ 1214 | #define SEC_ROM 0x080 1215 | 1216 | /* The section contains constructor information. This section 1217 | type is used by the linker to create lists of constructors and 1218 | destructors used by g++. When a back end sees a symbol 1219 | which should be used in a constructor list, it creates a new 1220 | section for the type of name (e.g., __CTOR_LIST__), attaches 1221 | the symbol to it, and builds a relocation. To build the lists 1222 | of constructors, all the linker has to do is catenate all the 1223 | sections called __CTOR_LIST__ and relocate the data 1224 | contained within - exactly the operations it would peform on 1225 | standard data. */ 1226 | #define SEC_CONSTRUCTOR 0x100 1227 | 1228 | /* The section is a constuctor, and should be placed at the 1229 | end of the text, data, or bss section(?). */ 1230 | #define SEC_CONSTRUCTOR_TEXT 0x1100 1231 | #define SEC_CONSTRUCTOR_DATA 0x2100 1232 | #define SEC_CONSTRUCTOR_BSS 0x3100 1233 | 1234 | /* The section has contents - a data section could be 1235 | SEC_ALLOC | SEC_HAS_CONTENTS; a debug section could be 1236 | SEC_HAS_CONTENTS */ 1237 | #define SEC_HAS_CONTENTS 0x200 1238 | 1239 | /* An instruction to the linker to not output the section 1240 | even if it has information which would normally be written. */ 1241 | #define SEC_NEVER_LOAD 0x400 1242 | 1243 | /* The section is a COFF shared library section. This flag is 1244 | only for the linker. If this type of section appears in 1245 | the input file, the linker must copy it to the output file 1246 | without changing the vma or size. FIXME: Although this 1247 | was originally intended to be general, it really is COFF 1248 | specific (and the flag was renamed to indicate this). It 1249 | might be cleaner to have some more general mechanism to 1250 | allow the back end to control what the linker does with 1251 | sections. */ 1252 | #define SEC_COFF_SHARED_LIBRARY 0x800 1253 | 1254 | /* The section contains common symbols (symbols may be defined 1255 | multiple times, the value of a symbol is the amount of 1256 | space it requires, and the largest symbol value is the one 1257 | used). Most targets have exactly one of these (which we 1258 | translate to bfd_com_section_ptr), but ECOFF has two. */ 1259 | #define SEC_IS_COMMON 0x8000 1260 | 1261 | /* The section contains only debugging information. For 1262 | example, this is set for ELF .debug and .stab sections. 1263 | strip tests this flag to see if a section can be 1264 | discarded. */ 1265 | #define SEC_DEBUGGING 0x10000 1266 | 1267 | /* The contents of this section are held in memory pointed to 1268 | by the contents field. This is checked by 1269 | bfd_get_section_contents, and the data is retrieved from 1270 | memory if appropriate. */ 1271 | #define SEC_IN_MEMORY 0x20000 1272 | 1273 | /* The contents of this section are to be excluded by the 1274 | linker for executable and shared objects unless those 1275 | objects are to be further relocated. */ 1276 | #define SEC_EXCLUDE 0x40000 1277 | 1278 | /* The contents of this section are to be sorted by the 1279 | based on the address specified in the associated symbol 1280 | table. */ 1281 | #define SEC_SORT_ENTRIES 0x80000 1282 | 1283 | /* When linking, duplicate sections of the same name should be 1284 | discarded, rather than being combined into a single section as 1285 | is usually done. This is similar to how common symbols are 1286 | handled. See SEC_LINK_DUPLICATES below. */ 1287 | #define SEC_LINK_ONCE 0x100000 1288 | 1289 | /* If SEC_LINK_ONCE is set, this bitfield describes how the linker 1290 | should handle duplicate sections. */ 1291 | #define SEC_LINK_DUPLICATES 0x600000 1292 | 1293 | /* This value for SEC_LINK_DUPLICATES means that duplicate 1294 | sections with the same name should simply be discarded. */ 1295 | #define SEC_LINK_DUPLICATES_DISCARD 0x0 1296 | 1297 | /* This value for SEC_LINK_DUPLICATES means that the linker 1298 | should warn if there are any duplicate sections, although 1299 | it should still only link one copy. */ 1300 | #define SEC_LINK_DUPLICATES_ONE_ONLY 0x200000 1301 | 1302 | /* This value for SEC_LINK_DUPLICATES means that the linker 1303 | should warn if any duplicate sections are a different size. */ 1304 | #define SEC_LINK_DUPLICATES_SAME_SIZE 0x400000 1305 | 1306 | /* This value for SEC_LINK_DUPLICATES means that the linker 1307 | should warn if any duplicate sections contain different 1308 | contents. */ 1309 | #define SEC_LINK_DUPLICATES_SAME_CONTENTS 0x600000 1310 | 1311 | /* This section was created by the linker as part of dynamic 1312 | relocation or other arcane processing. It is skipped when 1313 | going through the first-pass output, trusting that someone 1314 | else up the line will take care of it later. */ 1315 | #define SEC_LINKER_CREATED 0x800000 -------------------------------------------------------------------------------- /Src/Includes.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include -------------------------------------------------------------------------------- /Src/Loader/Loader.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/paskalian/WID_LoadLibrary/e3f55b6f40ba20ec397704222960e0e4548e228f/Src/Loader/Loader.cpp -------------------------------------------------------------------------------- /Src/Loader/Loader.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "..\WID.h" 4 | 5 | #define LLEXW_ISDATAFILE (LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE) 6 | #define LLEXW_7F08 (LOAD_LIBRARY_SEARCH_SYSTEM32_NO_FORWARDER | LOAD_LIBRARY_SAFE_CURRENT_DIRS | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS | LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | LOAD_WITH_ALTERED_SEARCH_PATH) 7 | #define LLEXW_ASDATAFILE (LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE | LOAD_LIBRARY_AS_DATAFILE) 8 | #define LLDLL_401 (LOAD_LIBRARY_SEARCH_USER_DIRS | DONT_RESOLVE_DLL_REFERENCES) 9 | 10 | #define CNVTD_DONT_RESOLVE_DLL_REFERENCES 0x2 11 | #define LOAD_PACKAGED_LIBRARY 0x4 12 | #define CNVTD_LOAD_LIBRARY_REQUIRE_SIGNED_TARGET 0x800000 13 | #define CNVTD_LOAD_LIBRARY_OS_INTEGRITY_CONTINUITY 0x80000000 14 | 15 | #define LoadOwner 0x1000 16 | #define LoaderWorker 0x2000 17 | 18 | #define FLG_ENABLE_KDEBUG_SYMBOL_LOAD 0x40000 19 | 20 | // OBJECT_ATTRIBUTES.Attributes 21 | #define OBJ_INHERIT 0x00000002 22 | #define OBJ_PERMANENT 0x00000010 23 | #define OBJ_EXCLUSIVE 0x00000020 24 | #define OBJ_CASE_INSENSITIVE 0x00000040 25 | #define OBJ_OPENIF 0x00000080 26 | #define OBJ_OPENLINK 0x00000100 27 | #define OBJ_KERNEL_HANDLE 0x00000200 28 | #define OBJ_FORCE_ACCESS_CHECK 0x00000400 29 | #define OBJ_VALID_ATTRIBUTES 0x000007f2 30 | #define OBJ_IGNORE_IMPERSONATED_DEVICEMAP 0x800 31 | 32 | // PEB.Bitfield 33 | #define IsPackagedProcess 0x10 34 | 35 | // PEB.TracingFlags 36 | #define HeapTracingEnabled 0x1 37 | #define CritSecTracingEnabled 0x2 38 | #define LibLoaderTracingEnabled 0x4 39 | 40 | // LDR_DATA_TABLE_ENTRY.Flags 41 | #define PackagedBinary 0x00000001 42 | #define MarkedForRemoval 0x00000002 43 | #define ImageDll 0x00000004 44 | #define LoadNotificationsSent 0x00000008 45 | #define TelemetryEntryProcessed 0x00000010 46 | #define ProcessStaticImport 0x00000020 47 | #define InLegacyLists 0x00000040 48 | #define InIndexes 0x00000080 49 | #define ShimDll 0x00000100 50 | #define InExceptionTable 0x00000200 51 | #define ReservedFlags1 0x00000C00 52 | #define LoadInProgress 0x00001000 53 | #define LoadConfigProcessed 0x00002000 54 | #define EntryProcessed 0x00004000 55 | #define ProtectDelayLoad 0x00008000 56 | #define ReservedFlags3 0x00030000 57 | #define DontCallForThreads 0x00040000 58 | #define ProcessAttachCalled 0x00080000 59 | #define ProcessAttachFailed 0x00100000 60 | #define CorDeferredValidate 0x00200000 61 | #define CorImage 0x00400000 62 | #define DontRelocate 0x00800000 63 | #define CorILOnly 0x01000000 64 | #define ReservedFlags5 0x0E000000 65 | #define Redirected 0x10000000 66 | #define ReservedFlags6 0x60000000 67 | #define CompatDatabaseProcessed 0x80000000 68 | 69 | namespace WID 70 | { 71 | namespace Loader 72 | { 73 | enum class LOADTYPE 74 | { 75 | DEFAULT = 0, 76 | HIDDEN 77 | }; 78 | 79 | class LOADLIBRARY 80 | { 81 | private: 82 | NTSTATUS Load(); 83 | 84 | // NT Functions 85 | NTSTATUS __fastcall LdrpThreadTokenSetMainThreadToken(); // CHECKED. 86 | NTSTATUS __fastcall LdrpThreadTokenUnsetMainThreadToken(); // CHECKED. 87 | 88 | LDR_DATA_TABLE_ENTRY* __fastcall LdrpHandleReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry); // CHECKED. 89 | NTSTATUS __fastcall LdrpFreeReplacedModule(LDR_DATA_TABLE_ENTRY* LdrEntry); // CHECKED. 90 | NTSTATUS __fastcall LdrpResolveDllName(LDRP_LOAD_CONTEXT* LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer, PUNICODE_STRING BaseDllName, PUNICODE_STRING FullDllName, DWORD Flags); // CHECKED. 91 | NTSTATUS __fastcall LdrpFindDllActivationContext(LDR_DATA_TABLE_ENTRY* LdrEntry); // CHECKED. 92 | 93 | // Using directly is not recommended. 94 | HMODULE __fastcall fLoadLibrary(PTCHAR lpLibFileName); // CHECKED. 95 | HMODULE __fastcall fLoadLibraryA(LPCSTR lpLibFileName); // CHECKED. 96 | HMODULE __fastcall fLoadLibraryW(LPCWSTR lpLibFileName); // CHECKED. 97 | HMODULE __fastcall fLoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags); // CHECKED. 98 | HMODULE __fastcall fLoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags); // CHECKED. 99 | 100 | NTSTATUS __fastcall fLdrLoadDll(PWSTR DllPath, PULONG pFlags, PUNICODE_STRING DllName, PVOID* BaseAddress); // CHECKED. 101 | NTSTATUS __fastcall fLdrpLoadDll(PUNICODE_STRING DllName, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, LDR_DATA_TABLE_ENTRY** DllEntry); // CHECKED. 102 | NTSTATUS __fastcall fLdrpLoadDllInternal(PUNICODE_STRING FullPath, LDR_UNKSTRUCT* DllPathInited, ULONG Flags, ULONG LdrFlags, PLDR_DATA_TABLE_ENTRY LdrEntry, PLDR_DATA_TABLE_ENTRY LdrEntry2, PLDR_DATA_TABLE_ENTRY* DllEntry, NTSTATUS* pStatus, ULONG Zero); // CHECKED. // This function is responsible for the linking issue. 103 | 104 | NTSTATUS __fastcall fLdrpProcessWork(PLDRP_LOAD_CONTEXT LoadContext, BOOLEAN IsLoadOwner); // CHECKED. 105 | NTSTATUS __fastcall fLdrpSnapModule(PLDRP_LOAD_CONTEXT LoadContext); 106 | NTSTATUS __fastcall fLdrpDoPostSnapWork(LDRP_LOAD_CONTEXT* LoadContext); 107 | 108 | NTSTATUS __fastcall fLdrpMapDllRetry(PLDRP_LOAD_CONTEXT LoadContext); 109 | NTSTATUS __fastcall fLdrpMapDllFullPath(PLDRP_LOAD_CONTEXT LoadContext); // CHECKED. 110 | NTSTATUS __fastcall fLdrpMapDllSearchPath(PLDRP_LOAD_CONTEXT LoadContext); 111 | 112 | NTSTATUS __fastcall fLdrpMapDllNtFileName(PLDRP_LOAD_CONTEXT LoadContext, LDRP_FILENAME_BUFFER* FileNameBuffer); // CHECKED. 113 | NTSTATUS __fastcall fLdrpMapDllWithSectionHandle(PLDRP_LOAD_CONTEXT LoadContext, HANDLE SectionHandle); // CHECKED. 114 | 115 | NTSTATUS __fastcall fLdrpMinimalMapModule(PLDRP_LOAD_CONTEXT LoadContext, HANDLE SectionHandle); 116 | NTSTATUS __fastcall fLdrpMapViewOfSection(HANDLE SectionHandle, ULONG ProtectFlags, PIMAGE_DOS_HEADER* BaseAddress, DWORD Unknown, PULONG ViewSize, ULONG AllocationType, ULONG Win32Protect, PUNICODE_STRING FullDllName); 117 | NTSTATUS __fastcall fLdrpCompleteMapModule(PLDRP_LOAD_CONTEXT LoadContext, PIMAGE_NT_HEADERS OutHeaders, NTSTATUS Status); 118 | NTSTATUS __fastcall fLdrpRelocateImage(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeaders, PUNICODE_STRING FullDllName); 119 | NTSTATUS __fastcall fLdrpProtectAndRelocateImage(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeader); 120 | NTSTATUS __fastcall fLdrpSetProtection(PIMAGE_DOS_HEADER DllBase, BOOLEAN Unknown); 121 | NTSTATUS __fastcall fLdrRelocateImageWithBias(PIMAGE_DOS_HEADER DllBase, SIZE_T Size, PIMAGE_NT_HEADERS OutHeader); 122 | PIMAGE_NT_HEADERS __fastcall fLdrProcessRelocationBlockLongLong(USHORT Machine, ULONG64 Signature, ULONG64 Unknown, PIMAGE_NT_HEADERS64 NtHeader, ULONG64 Unknown2); 123 | 124 | NTSTATUS __fastcall fLdrpProcessMappedModule(PLDR_DATA_TABLE_ENTRY DllEntry, UINT_PTR Flags, ULONG One); 125 | NTSTATUS __fastcall fLdrpCorProcessImports(PLDR_DATA_TABLE_ENTRY DllEntry); 126 | NTSTATUS __fastcall fLdrpMapAndSnapDependency(PLDRP_LOAD_CONTEXT LoadContext); 127 | NTSTATUS __fastcall fLdrpPrepareImportAddressTableForSnap(LDRP_LOAD_CONTEXT* LoadContext); 128 | 129 | NTSTATUS __fastcall fLdrpPrepareModuleForExecution(PLDR_DATA_TABLE_ENTRY LdrEntry, NTSTATUS* pStatus); 130 | NTSTATUS __fastcall fLdrpInitializeGraphRecurse(LDR_DDAG_NODE* DdagNode, NTSTATUS* pStatus, char* Unknown); 131 | NTSTATUS __fastcall fLdrpInitializeNode(_LDR_DDAG_NODE* DdagNode); 132 | BOOL __fastcall fLdrpCallTlsInitializers(DWORD fdwReason, LDR_DATA_TABLE_ENTRY* LdrEntry); 133 | BOOLEAN __fastcall fLdrpCallInitRoutine(BOOL(__fastcall* DllMain)(HINSTANCE hInstDll, DWORD fdwReason, LPVOID lpvReserved), PIMAGE_DOS_HEADER DllBase, unsigned int One, LPVOID ContextRecord); 134 | 135 | NTSTATUS __fastcall fBasepLoadLibraryAsDataFileInternal(PUNICODE_STRING DllName, PWSTR Path, PWSTR Unknown, DWORD dwFlags, HMODULE* pBaseOfLoadedModule); 136 | public: 137 | LOADLIBRARY(TCHAR* DllPath, DWORD Flags = 0, LOADTYPE LoadType = LOADTYPE::DEFAULT); 138 | ~LOADLIBRARY(); 139 | 140 | NTSTATUS Unload(); 141 | 142 | struct CREATIONINFO 143 | { 144 | TCHAR DllPath[MAX_PATH]; 145 | DWORD Flags; 146 | LOADTYPE LoadType; 147 | } CreationInfo; 148 | 149 | 150 | HMODULE DllHandle; 151 | }; 152 | } 153 | } -------------------------------------------------------------------------------- /Src/Main.cpp: -------------------------------------------------------------------------------- 1 | #include "WID.h" 2 | 3 | #pragma warning(disable : 6031) 4 | 5 | int main() 6 | { 7 | { 8 | WID::Loader::LOADLIBRARY Test(TEXT("PATH_TO_DLL.dll")); 9 | 10 | getchar(); 11 | } 12 | 13 | getchar(); 14 | } -------------------------------------------------------------------------------- /Src/WID.cpp: -------------------------------------------------------------------------------- 1 | #include "WID.h" 2 | 3 | BOOLEAN WID::bInitialized = FALSE; 4 | MODULEINFO WID::Kernel32ModuleInfo = {}; 5 | MODULEINFO WID::KernelBaseModuleInfo = {}; 6 | MODULEINFO WID::NtdllModuleInfo = {}; 7 | 8 | NTSTATUS WID::Init() 9 | { 10 | if (!bInitialized) 11 | { 12 | // MODULE INITIALIZATION 13 | HMODULE Kernel32Module = GetModuleHandle(TEXT("KERNEL32.DLL")); 14 | assert(Kernel32Module); 15 | 16 | HMODULE KernelBaseModule = GetModuleHandle(TEXT("KERNELBASE.DLL")); 17 | assert(KernelBaseModule); 18 | 19 | HMODULE NtdllModule = GetModuleHandle(TEXT("NTDLL.DLL")); 20 | assert(NtdllModule); 21 | 22 | (GetModuleInformation(GetCurrentProcess(), Kernel32Module, &Kernel32ModuleInfo, sizeof(MODULEINFO)), assert(Kernel32ModuleInfo.lpBaseOfDll)); 23 | (GetModuleInformation(GetCurrentProcess(), KernelBaseModule, &KernelBaseModuleInfo, sizeof(MODULEINFO)), assert(KernelBaseModuleInfo.lpBaseOfDll)); 24 | (GetModuleInformation(GetCurrentProcess(), NtdllModule, &NtdllModuleInfo, sizeof(MODULEINFO)), assert(NtdllModuleInfo.lpBaseOfDll)); 25 | 26 | // KERNEL32 27 | // Variables 28 | (KernelBaseGlobalData = (ULONG*) ((PCHAR)Kernel32Module + 0x34DE80) ,assert(KernelBaseGlobalData)); 29 | 30 | // Exported functions 31 | (Basep8BitStringToDynamicUnicodeString = (tBasep8BitStringToDynamicUnicodeString)GetProcAddress(Kernel32Module, "Basep8BitStringToDynamicUnicodeString") ,assert(Basep8BitStringToDynamicUnicodeString)); 32 | (BaseSetLastNTError = (tBaseSetLastNTError)GetProcAddress(Kernel32Module, "BaseSetLastNTError") ,assert(BaseSetLastNTError)); 33 | 34 | // KERNELBASE 35 | // Signatured 36 | (BasepLoadLibraryAsDataFileInternal = (tBasepLoadLibraryAsDataFileInternal) Helper::SigScan((PCHAR)KernelBaseModule, KernelBaseModuleInfo.SizeOfImage, BASEP_LLASDATAFILE_INTERNAL_PATTERN, ARRAYSIZE(BASEP_LLASDATAFILE_INTERNAL_PATTERN) - 1), assert(BasepLoadLibraryAsDataFileInternal)); 37 | 38 | // NTDLL 39 | // Variables 40 | (LdrpPolicyBits = (DWORD*) ((PCHAR)NtdllModule + 0x181694) ,assert(LdrpPolicyBits)); 41 | (LdrpMainThreadToken = (HANDLE*) ((PCHAR)NtdllModule + 0x1842C8) ,assert(LdrpMainThreadToken)); 42 | (LdrInitState = (DWORD*) ((PCHAR)NtdllModule + 0x185220) ,assert(LdrInitState)); 43 | (LoadFailure = (DWORD*) ((PCHAR)NtdllModule + 0x135CA0) ,assert(LoadFailure)); 44 | (LdrpWorkQueueLock = (PRTL_CRITICAL_SECTION) ((PCHAR)NtdllModule + 0x184280) ,assert(LdrpWorkQueueLock)); 45 | (LdrpWorkInProgress = (DWORD*) ((PCHAR)NtdllModule + 0x1842A8) ,assert(LdrpWorkInProgress)); 46 | (LdrpWorkQueue = (LIST_ENTRY**) ((PCHAR)NtdllModule + 0x1842B0) ,assert(LdrpWorkQueue)); 47 | (LdrpWorkCompleteEvent = (PHANDLE) ((PCHAR)NtdllModule + 0x184260) ,assert(LdrpWorkCompleteEvent)); 48 | (LdrpUseImpersonatedDeviceMap = (DWORD*) ((PCHAR)NtdllModule + 0x184350) ,assert(LdrpUseImpersonatedDeviceMap)); 49 | (LdrpAuditIntegrityContinuity = (DWORD*) ((PCHAR)NtdllModule + 0x184328) ,assert(LdrpAuditIntegrityContinuity)); 50 | (LdrpEnforceIntegrityContinuity = (DWORD*) ((PCHAR)NtdllModule + 0x1842D8) ,assert(LdrpEnforceIntegrityContinuity)); 51 | (LdrpFatalHardErrorCount = (DWORD*) ((PCHAR)NtdllModule + 0x183EE8) ,assert(LdrpFatalHardErrorCount)); 52 | (UseWOW64 = (DWORD*) ((PCHAR)NtdllModule + 0x1843E8) ,assert(UseWOW64)); 53 | (LdrpModuleDatatableLock = (PRTL_SRWLOCK) ((PCHAR)NtdllModule + 0x184D40) ,assert(LdrpModuleDatatableLock)); 54 | (qword_17E238 = (PHANDLE) ((PCHAR)NtdllModule + 0x17E238) ,assert(qword_17E238)); 55 | (LdrpImageEntry = (LDR_DATA_TABLE_ENTRY**) ((PCHAR)NtdllModule + 0x183F88) ,assert(LdrpImageEntry)); 56 | (LdrpKernel32DllName = (PUNICODE_STRING) ((PCHAR)NtdllModule + 0x1311C0) ,assert(LdrpKernel32DllName)); 57 | (LdrpAppHeaders = (UINT_PTR*) ((PCHAR)NtdllModule + 0x1842D0) ,assert(LdrpAppHeaders)); 58 | (LdrpLargePageDllKeyHandle = (PHANDLE) ((PCHAR)NtdllModule + 0x183EE0) ,assert(LdrpLargePageDllKeyHandle)); 59 | (LdrpLockMemoryPrivilege = (ULONG**) ((PCHAR)NtdllModule + 0x14DAC0) ,assert(LdrpLockMemoryPrivilege)); 60 | (LdrpMaximumUserModeAddress = (ULONG64*) ((PCHAR)NtdllModule + 0x199280) ,assert(LdrpMaximumUserModeAddress)); 61 | (LdrpMapAndSnapWork = (UINT_PTR*) ((PCHAR)NtdllModule + 0x184238) ,assert(LdrpMapAndSnapWork)); 62 | (LdrpHashTable = (LIST_ENTRY*) ((PCHAR)NtdllModule + 0x183FE0) ,assert(LdrpHashTable)); 63 | (LdrpHeap = (PVOID*) ((PCHAR)NtdllModule + 0x1843E0) ,assert(LdrpHeap)); 64 | (LdrpIsHotPatchingEnabled = (BOOLEAN*) ((PCHAR)NtdllModule + 0x185258) ,assert(LdrpIsHotPatchingEnabled)); 65 | (LdrpRedirectionModule = (LDR_DATA_TABLE_ENTRY**) ((PCHAR)NtdllModule + 0x184218) ,assert(LdrpRedirectionModule)); 66 | (LdrpManifestProberRoutine = (tLdrpManifestProberRoutine) ((PCHAR)NtdllModule + 0x184C20) ,assert(LdrpManifestProberRoutine)); 67 | (LdrpRedirectionCalloutFunc = (tLdrpRedirectionCalloutFunc) ((PCHAR)NtdllModule + 0x184228) ,assert(LdrpRedirectionCalloutFunc)); 68 | (qword_1993A8 = (ULONG64**) ((PCHAR)NtdllModule + 0x1993A8) ,assert(qword_1993A8)); 69 | (NtdllBaseTag = (LONG*) ((PCHAR)NtdllModule + 0x1843F0) ,assert(NtdllBaseTag)); 70 | (stru_199520 = (FUNCTION_TABLE_DATA*) ((PCHAR)NtdllModule + 0x199520) ,assert(stru_199520)); 71 | (qword_199530 = (UINT_PTR*) ((PCHAR)NtdllModule + 0x199530) ,assert(qword_199530)); 72 | (LdrpNtDllDataTableEntry = (LDR_DATA_TABLE_ENTRY**) ((PCHAR)NtdllModule + 0x184370) ,assert(LdrpNtDllDataTableEntry)); 73 | (qword_1993B8 = (UINT_PTR*) ((PCHAR)NtdllModule + 0x1993B8) ,assert(qword_1993B8)); 74 | (dword_19939C = (DWORD*) ((PCHAR)NtdllModule + 0x19939C) ,assert(dword_19939C)); 75 | (LoadFailureOperational = (DWORD*) ((PCHAR)NtdllModule + 0x14BA98) ,assert(LoadFailureOperational)); 76 | (dword_199398 = (DWORD*) ((PCHAR)NtdllModule + 0x199398) ,assert(dword_199398)); 77 | (qword_1843B8 = (UINT_PTR***) ((PCHAR)NtdllModule + 0x1843B8) ,assert(qword_1843B8)); 78 | (qword_1843B0 = (UINT_PTR*) ((PCHAR)NtdllModule + 0x1843B0) ,assert(qword_1843B0)); 79 | (LdrpCurrentDllInitializer = (UINT_PTR*) ((PCHAR)NtdllModule + 0x184A88) ,assert(LdrpCurrentDllInitializer)); 80 | (LdrpProcessInitContextRecord = (LPVOID**) ((PCHAR)NtdllModule + 0x184358) ,assert(LdrpProcessInitContextRecord)); 81 | (LdrpTlsLock = (PRTL_SRWLOCK) ((PCHAR)NtdllModule + 0x184EF8) ,assert(LdrpTlsLock)); 82 | (LdrpTlsList = (TLS_ENTRY**) ((PCHAR)NtdllModule + 0x17E2B0) ,assert(LdrpTlsList)); 83 | 84 | // Exported functions 85 | (NtOpenThreadToken = (tNtOpenThreadToken) GetProcAddress(NtdllModule, "NtOpenThreadToken") ,assert(NtOpenThreadToken)); 86 | (NtClose = (tNtClose) GetProcAddress(NtdllModule, "NtClose") ,assert(NtClose)); 87 | (RtlAllocateHeap = (tRtlAllocateHeap) GetProcAddress(NtdllModule, "RtlAllocateHeap") ,assert(RtlAllocateHeap)); 88 | (RtlFreeHeap = (tRtlFreeHeap) GetProcAddress(NtdllModule, "RtlFreeHeap") ,assert(RtlFreeHeap)); 89 | (LdrGetDllPath = (tLdrGetDllPath) GetProcAddress(NtdllModule, "LdrGetDllPath") ,assert(LdrGetDllPath)); 90 | (RtlReleasePath = (tRtlReleasePath) GetProcAddress(NtdllModule, "RtlReleasePath") ,assert(RtlReleasePath)); 91 | (RtlInitUnicodeStringEx = (tRtlInitUnicodeStringEx) GetProcAddress(NtdllModule, "RtlInitUnicodeStringEx") ,assert(RtlInitUnicodeStringEx)); 92 | (RtlEnterCriticalSection = (tRtlEnterCriticalSection) GetProcAddress(NtdllModule, "RtlEnterCriticalSection") ,assert(RtlEnterCriticalSection)); 93 | (RtlLeaveCriticalSection = (tRtlLeaveCriticalSection) GetProcAddress(NtdllModule, "RtlLeaveCriticalSection") ,assert(RtlLeaveCriticalSection)); 94 | (ZwSetEvent = (tZwSetEvent) GetProcAddress(NtdllModule, "ZwSetEvent") ,assert(ZwSetEvent)); 95 | (NtOpenFile = (tNtOpenFile) GetProcAddress(NtdllModule, "NtOpenFile") ,assert(NtOpenFile)); 96 | (LdrAppxHandleIntegrityFailure = (tLdrAppxHandleIntegrityFailure) GetProcAddress(NtdllModule, "LdrAppxHandleIntegrityFailure") ,assert(LdrAppxHandleIntegrityFailure)); 97 | (NtRaiseHardError = (tNtRaiseHardError) GetProcAddress(NtdllModule, "NtRaiseHardError") ,assert(NtRaiseHardError)); 98 | (RtlImageNtHeaderEx = (tRtlImageNtHeaderEx) GetProcAddress(NtdllModule, "RtlImageNtHeaderEx") ,assert(RtlImageNtHeaderEx)); 99 | (RtlAcquireSRWLockExclusive = (tRtlAcquireSRWLockExclusive) GetProcAddress(NtdllModule, "RtlAcquireSRWLockExclusive") ,assert(RtlAcquireSRWLockExclusive)); 100 | (RtlReleaseSRWLockExclusive = (tRtlReleaseSRWLockExclusive) GetProcAddress(NtdllModule, "RtlReleaseSRWLockExclusive") ,assert(RtlReleaseSRWLockExclusive)); 101 | (RtlEqualUnicodeString = (tRtlEqualUnicodeString) GetProcAddress(NtdllModule, "RtlEqualUnicodeString") ,assert(RtlEqualUnicodeString)); 102 | (RtlAcquirePrivilege = (tRtlAcquirePrivilege) GetProcAddress(NtdllModule, "RtlAcquirePrivilege") ,assert(RtlAcquirePrivilege)); 103 | (RtlReleasePrivilege = (tRtlReleasePrivilege) GetProcAddress(NtdllModule, "RtlReleasePrivilege") ,assert(RtlReleasePrivilege)); 104 | (RtlCompareUnicodeStrings = (tRtlCompareUnicodeStrings) GetProcAddress(NtdllModule, "RtlCompareUnicodeStrings") ,assert(RtlCompareUnicodeStrings)); 105 | (RtlImageNtHeader = (tRtlImageNtHeader) GetProcAddress(NtdllModule, "RtlImageNtHeader") ,assert(RtlImageNtHeader)); 106 | (RtlReleaseActivationContext = (tRtlReleaseActivationContext) GetProcAddress(NtdllModule, "RtlReleaseActivationContext") ,assert(RtlReleaseActivationContext)); 107 | (RtlCharToInteger = (tRtlCharToInteger) GetProcAddress(NtdllModule, "RtlCharToInteger") ,assert(RtlCharToInteger)); 108 | (RtlActivateActivationContextUnsafeFast = (tRtlActivateActivationContextUnsafeFast) GetProcAddress(NtdllModule, "RtlActivateActivationContextUnsafeFast") ,assert(RtlActivateActivationContextUnsafeFast)); 109 | (RtlDeactivateActivationContextUnsafeFast = (tRtlDeactivateActivationContextUnsafeFast) GetProcAddress(NtdllModule, "RtlDeactivateActivationContextUnsafeFast") ,assert(RtlDeactivateActivationContextUnsafeFast)); 110 | (RtlAcquireSRWLockShared = (tRtlAcquireSRWLockShared) GetProcAddress(NtdllModule, "RtlAcquireSRWLockShared") ,assert(RtlAcquireSRWLockShared)); 111 | (RtlReleaseSRWLockShared = (tRtlReleaseSRWLockShared) GetProcAddress(NtdllModule, "RtlReleaseSRWLockShared") ,assert(RtlReleaseSRWLockShared)); 112 | 113 | // Signatured. 114 | // I don't think the signatures will ever change, you can go with the offsets though. 115 | (LdrpLogInternal = (tLdrpLogInternal) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_INTERNAL_PATTERN, ARRAYSIZE(LDRP_LOG_INTERNAL_PATTERN) - 1) ,assert(LdrpLogInternal)); 116 | (LdrpInitializeDllPath = (tLdrpInitializeDllPath) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_INITIALIZE_DLLPATH_PATTERN, ARRAYSIZE(LDRP_INITIALIZE_DLLPATH_PATTERN) - 1) ,assert(LdrpInitializeDllPath)); 117 | (LdrpDereferenceModule = (tLdrpDereferenceModule) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DEREFERENCE_MODULE_PATTERN, ARRAYSIZE(LDRP_DEREFERENCE_MODULE_PATTERN) - 1) ,assert(LdrpDereferenceModule)); 118 | (LdrpLogDllState = (tLdrpLogDllState) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_DLLSTATE_PATTERN, ARRAYSIZE(LDRP_LOG_DLLSTATE_PATTERN) - 1) ,assert(LdrpLogDllState)); 119 | (LdrpPreprocessDllName = (tLdrpPreprocessDllName) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_PREPROCESS_DLLNAME_PATTERN, ARRAYSIZE(LDRP_PREPROCESS_DLLNAME_PATTERN) - 1) ,assert(LdrpPreprocessDllName)); 120 | (LdrpFindLoadedDllByName = (tLdrpFindLoadedDllByName) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FIND_LOADEDDLLBYNAME_PATTERN, ARRAYSIZE(LDRP_FIND_LOADEDDLLBYNAME_PATTERN) - 1) ,assert(LdrpFindLoadedDllByName)); 121 | (LdrpDrainWorkQueue = (tLdrpDrainWorkQueue) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DRAIN_WORKQUEUE_PATTERN, ARRAYSIZE(LDRP_DRAIN_WORKQUEUE_PATTERN) - 1) ,assert(LdrpDrainWorkQueue)); 122 | (LdrpFindLoadedDllByHandle = (tLdrpFindLoadedDllByHandle) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FIND_LOADEDDLL_BYHANDLE_PATTERN, ARRAYSIZE(LDRP_FIND_LOADEDDLL_BYHANDLE_PATTERN) - 1) ,assert(LdrpFindLoadedDllByHandle)); 123 | (LdrpDropLastInProgressCount = (tLdrpDropLastInProgressCount) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DROP_LASTINPROGRESS_COUNT_PATTERN, ARRAYSIZE(LDRP_DROP_LASTINPROGRESS_COUNT_PATTERN) - 1) ,assert(LdrpDropLastInProgressCount)); 124 | (LdrpQueryCurrentPatch = (tLdrpQueryCurrentPatch) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_QUERY_CURRENT_PATCH_PATTERN, ARRAYSIZE(LDRP_QUERY_CURRENT_PATCH_PATTERN) - 1) ,assert(LdrpQueryCurrentPatch)); 125 | (LdrpUndoPatchImage = (tLdrpUndoPatchImage) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_UNDO_PATCH_IMAGE_PATTERN, ARRAYSIZE(LDRP_UNDO_PATCH_IMAGE_PATTERN) - 1) ,assert(LdrpUndoPatchImage)); 126 | (LdrpDetectDetour = (tLdrpDetectDetour) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DETECT_DETOUR_PATTERN, ARRAYSIZE(LDRP_DETECT_DETOUR_PATTERN) - 1) ,assert(LdrpDetectDetour)); 127 | (LdrpFindOrPrepareLoadingModule = (tLdrpFindOrPrepareLoadingModule) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FINDORPREPARE_LOADINGMODULE_PATTERN, ARRAYSIZE(LDRP_FINDORPREPARE_LOADINGMODULE_PATTERN) - 1) ,assert(LdrpFindOrPrepareLoadingModule)); 128 | (LdrpFreeLoadContext = (tLdrpFreeLoadContext) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FREE_LOAD_CONTEXT_PATTERN, ARRAYSIZE(LDRP_FREE_LOAD_CONTEXT_PATTERN) - 1) ,assert(LdrpFreeLoadContext)); 129 | (LdrpCondenseGraph = (tLdrpCondenseGraph) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CONDENSE_GRAPH_PATTERN, ARRAYSIZE(LDRP_CONDENSE_GRAPH_PATTERN) - 1) ,assert(LdrpCondenseGraph)); 130 | (LdrpBuildForwarderLink = (tLdrpBuildForwarderLink) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_BUILD_FORWARDER_LINK_PATTERN, ARRAYSIZE(LDRP_BUILD_FORWARDER_LINK_PATTERN) - 1) ,assert(LdrpBuildForwarderLink)); 131 | (LdrpPinModule = (tLdrpPinModule) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_PIN_MODULE_PATTERN, ARRAYSIZE(LDRP_PIN_MODULE_PATTERN) - 1) ,assert(LdrpPinModule)); 132 | (LdrpApplyPatchImage = (tLdrpApplyPatchImage) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_APPLY_PATCH_IMAGE_PATTERN, ARRAYSIZE(LDRP_APPLY_PATCH_IMAGE_PATTERN) - 1) ,assert(LdrpApplyPatchImage)); 133 | (LdrpFreeLoadContextOfNode = (tLdrpFreeLoadContextOfNode) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FREE_LOADCONTEXT_NODE_PATTERN, ARRAYSIZE(LDRP_FREE_LOADCONTEXT_NODE_PATTERN) - 1) ,assert(LdrpFreeLoadContextOfNode)); 134 | (LdrpDecrementModuleLoadCountEx = (tLdrpDecrementModuleLoadCountEx) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DECREMENT_MODULELOADCOUNTEX_PATTERN, ARRAYSIZE(LDRP_DECREMENT_MODULELOADCOUNTEX_PATTERN) - 1) ,assert(LdrpDecrementModuleLoadCountEx)); 135 | (LdrpLogError = (tLdrpLogError) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_ERROR_PATTERN, ARRAYSIZE(LDRP_LOG_ERROR_PATTERN) - 1) ,assert(LdrpLogError)); 136 | (LdrpLogDeprecatedDllEtwEvent = (tLdrpLogDeprecatedDllEtwEvent) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_DEPRECATED_DLL_PATTERN, ARRAYSIZE(LDRP_LOG_DEPRECATED_DLL_PATTERN) - 1) ,assert(LdrpLogDeprecatedDllEtwEvent)); 137 | (LdrpLogLoadFailureEtwEvent = (tLdrpLogLoadFailureEtwEvent) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_LOAD_FAILURE_PATTERN, ARRAYSIZE(LDRP_LOG_LOAD_FAILURE_PATTERN) - 1) ,assert(LdrpLogLoadFailureEtwEvent)); 138 | (LdrpReportError = (tLdrpReportError) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_REPORT_ERROR_PATTERN, ARRAYSIZE(LDRP_REPORT_ERROR_PATTERN) - 1) ,assert(LdrpReportError)); 139 | (LdrpResolveDllName = (tLdrpResolveDllName) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_RESOLVE_DLLNAME_PATTERN, ARRAYSIZE(LDRP_RESOLVE_DLLNAME_PATTERN) - 1) ,assert(LdrpResolveDllName)); 140 | (LdrpAppCompatRedirect = (tLdrpAppCompatRedirect) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_APP_COMPAT_REDIRECT_PATTERN, ARRAYSIZE(LDRP_APP_COMPAT_REDIRECT_PATTERN) - 1) ,assert(LdrpAppCompatRedirect)); 141 | (LdrpHashUnicodeString = (tLdrpHashUnicodeString) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_HASH_UNICODE_STRING_PATTERN, ARRAYSIZE(LDRP_HASH_UNICODE_STRING_PATTERN) - 1) ,assert(LdrpHashUnicodeString)); 142 | (LdrpFindExistingModule = (tLdrpFindExistingModule) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FIND_EXISTING_MODULE_PATTERN, ARRAYSIZE(LDRP_FIND_EXISTING_MODULE_PATTERN) - 1) ,assert(LdrpFindExistingModule)); 143 | (LdrpLoadContextReplaceModule = (tLdrpLoadContextReplaceModule) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOADCONTEXT_REPLACE_MODULE_PATTERN, ARRAYSIZE(LDRP_LOADCONTEXT_REPLACE_MODULE_PATTERN) - 1) ,assert(LdrpLoadContextReplaceModule)); 144 | (LdrpSearchPath = (tLdrpSearchPath) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_SEARCHPATH_PATTERN, ARRAYSIZE(LDRP_SEARCHPATH_PATTERN) - 1) ,assert(LdrpSearchPath)); 145 | (LdrpIsSecurityEtwLoggingEnabled = (tLdrpIsSecurityEtwLoggingEnabled) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_ISSECURITYETW_LOGG_ENABLED_PATTERN, ARRAYSIZE(LDRP_ISSECURITYETW_LOGG_ENABLED_PATTERN) - 1) ,assert(LdrpIsSecurityEtwLoggingEnabled)); 146 | (LdrpLogEtwDllSearchResults = (tLdrpLogEtwDllSearchResults) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOGETW_DLL_SEARCHRESULTS_PATTERN, ARRAYSIZE(LDRP_LOGETW_DLL_SEARCHRESULTS_PATTERN) - 1) ,assert(LdrpLogEtwDllSearchResults)); 147 | (LdrpCheckForRetryLoading = (tLdrpCheckForRetryLoading) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CHECKFORRETRY_LOADING_PATTERN, ARRAYSIZE(LDRP_CHECKFORRETRY_LOADING_PATTERN) - 1) ,assert(LdrpCheckForRetryLoading)); 148 | (LdrpLogEtwEvent = (tLdrpLogEtwEvent) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_ETWEVENT_PATTERN, ARRAYSIZE(LDRP_LOG_ETWEVENT_PATTERN) - 1) ,assert(LdrpLogEtwEvent)); 149 | (LdrpCheckComponentOnDemandEtwEvent = (tLdrpCheckComponentOnDemandEtwEvent) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CHECK_COMPONENTONDEMAND_PATTERN, ARRAYSIZE(LDRP_CHECK_COMPONENTONDEMAND_PATTERN) - 1) ,assert(LdrpCheckComponentOnDemandEtwEvent)); 150 | (LdrpValidateIntegrityContinuity = (tLdrpValidateIntegrityContinuity) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_VALIDATE_INTEGRITY_PATTERN, ARRAYSIZE(LDRP_VALIDATE_INTEGRITY_PATTERN) - 1) ,assert(LdrpValidateIntegrityContinuity)); 151 | (LdrpSetModuleSigningLevel = (tLdrpSetModuleSigningLevel) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_SET_MODULE_SIGNINGLEVEL_PATTERN, ARRAYSIZE(LDRP_SET_MODULE_SIGNINGLEVEL_PATTERN) - 1) ,assert(LdrpSetModuleSigningLevel)); 152 | (LdrpCodeAuthzCheckDllAllowed = (tLdrpCodeAuthzCheckDllAllowed) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CODE_AUTHZCHECKDLL_ALLOWED_PATTERN, ARRAYSIZE(LDRP_CODE_AUTHZCHECKDLL_ALLOWED_PATTERN) - 1) ,assert(LdrpCodeAuthzCheckDllAllowed)); 153 | (LdrpGetFullPath = (tLdrpGetFullPath) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_GET_FULLPATH_PATTERN, ARRAYSIZE(LDRP_GET_FULLPATH_PATTERN) - 1) ,assert(LdrpGetFullPath)); 154 | (LdrpAllocateUnicodeString = (tLdrpAllocateUnicodeString) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_ALLOCATE_UNICODESTRING_PATTERN, ARRAYSIZE(LDRP_ALLOCATE_UNICODESTRING_PATTERN) - 1) ,assert(LdrpAllocateUnicodeString)); 155 | (LdrpAppendUnicodeStringToFilenameBuffer = (tLdrpAppendUnicodeStringToFilenameBuffer)Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_APPEND_UNICODETOFILENAME_PATTERN, ARRAYSIZE(LDRP_APPEND_UNICODETOFILENAME_PATTERN) - 1) ,assert(LdrpAppendUnicodeStringToFilenameBuffer)); 156 | (LdrpGetNtPathFromDosPath = (tLdrpGetNtPathFromDosPath) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_GET_NTPATH_FROM_DOSPATH_PATTERN, ARRAYSIZE(LDRP_GET_NTPATH_FROM_DOSPATH_PATTERN) - 1) ,assert(LdrpGetNtPathFromDosPath)); 157 | (LdrpFindLoadedDllByMappingLockHeld = (tLdrpFindLoadedDllByMappingLockHeld) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_FIND_LOADEDDLL_MAPLOCK_PATTERN, ARRAYSIZE(LDRP_FIND_LOADEDDLL_MAPLOCK_PATTERN) - 1) ,assert(LdrpFindLoadedDllByMappingLockHeld)); 158 | (LdrpInsertDataTableEntry = (tLdrpInsertDataTableEntry) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_INSERT_DATATABLEENTRY_PATTERN, ARRAYSIZE(LDRP_INSERT_DATATABLEENTRY_PATTERN) - 1) ,assert(LdrpInsertDataTableEntry)); 159 | (LdrpInsertModuleToIndexLockHeld = (tLdrpInsertModuleToIndexLockHeld) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_INSERT_MODTOIDX_LOCKHELD_PATTERN, ARRAYSIZE(LDRP_INSERT_MODTOIDX_LOCKHELD_PATTERN) - 1) ,assert(LdrpInsertModuleToIndexLockHeld)); 160 | (LdrpLogEtwHotPatchStatus = (tLdrpLogEtwHotPatchStatus) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOGETW_HOTPATCHSTATUS_PATTERN, ARRAYSIZE(LDRP_LOGETW_HOTPATCHSTATUS_PATTERN) - 1) ,assert(LdrpLogEtwHotPatchStatus)); 161 | (LdrpLogNewDllLoad = (tLdrpLogNewDllLoad) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_NEWDLL_LOAD_PATTERN, ARRAYSIZE(LDRP_LOG_NEWDLL_LOAD_PATTERN) - 1) ,assert(LdrpLogNewDllLoad)); 162 | (LdrpProcessMachineMismatch = (tLdrpProcessMachineMismatch) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_PROCESS_MACHINE_MISMATCH_PATTERN, ARRAYSIZE(LDRP_PROCESS_MACHINE_MISMATCH_PATTERN) - 1) ,assert(LdrpProcessMachineMismatch)); 163 | (RtlQueryImageFileKeyOption = (tRtlQueryImageFileKeyOption) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, RTL_QUERY_IMAGEFILE_KEYOPT_PATTERN, ARRAYSIZE(RTL_QUERY_IMAGEFILE_KEYOPT_PATTERN) - 1) ,assert(RtlQueryImageFileKeyOption)); 164 | (RtlpImageDirectoryEntryToDataEx = (tRtlpImageDirectoryEntryToDataEx) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, RTLP_IMAGEDIR_ENTRYTODATA_PATTERN, ARRAYSIZE(RTLP_IMAGEDIR_ENTRYTODATA_PATTERN) - 1) ,assert(RtlpImageDirectoryEntryToDataEx)); 165 | (LdrpLogDllRelocationEtwEvent = (tLdrpLogDllRelocationEtwEvent) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOG_DLLRELOCATION_PATTERN, ARRAYSIZE(LDRP_LOG_DLLRELOCATION_PATTERN) - 1) ,assert(LdrpLogDllRelocationEtwEvent)); 166 | (LdrpNotifyLoadOfGraph = (tLdrpNotifyLoadOfGraph) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_NOTIFY_LOADOFGRAPH_PATTERN, ARRAYSIZE(LDRP_NOTIFY_LOADOFGRAPH_PATTERN) - 1) ,assert(LdrpNotifyLoadOfGraph)); 167 | (LdrpDynamicShimModule = (tLdrpDynamicShimModule) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_DYNAMIC_SHIMMODULE_PATTERN, ARRAYSIZE(LDRP_DYNAMIC_SHIMMODULE_PATTERN) - 1) ,assert(LdrpDynamicShimModule)); 168 | (LdrpAcquireLoaderLock = (tLdrpAcquireLoaderLock) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_ACQUIRE_LOADERLOCK_PATTERN, ARRAYSIZE(LDRP_ACQUIRE_LOADERLOCK_PATTERN) - 1) ,assert(LdrpAcquireLoaderLock)); 169 | (LdrpReleaseLoaderLock = (tLdrpReleaseLoaderLock) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_RELEASE_LOADER_LOCK_PATTERN, ARRAYSIZE(LDRP_RELEASE_LOADER_LOCK_PATTERN) - 1) ,assert(LdrpReleaseLoaderLock)); 170 | (LdrpCheckPagesForTampering = (tLdrpCheckPagesForTampering) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CHECKPAGES_FOR_TAMPERING_PATTERN, ARRAYSIZE(LDRP_CHECKPAGES_FOR_TAMPERING_PATTERN) - 1) ,assert(LdrpCheckPagesForTampering)); 171 | (LdrpLoadDependentModuleA = (tLdrpLoadDependentModuleA) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOAD_DEPENDENTMODULEA_PATTERN, ARRAYSIZE(LDRP_LOAD_DEPENDENTMODULEA_PATTERN) - 1) ,assert(LdrpLoadDependentModuleA)); 172 | (LdrpLoadDependentModuleW = (tLdrpLoadDependentModuleW) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_LOAD_DEPENDENTMODULEW_PATTERN, ARRAYSIZE(LDRP_LOAD_DEPENDENTMODULEW_PATTERN) - 1) ,assert(LdrpLoadDependentModuleW)); 173 | (LdrpQueueWork = (tLdrpQueueWork) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_QUEUE_WORK_PATTERN, ARRAYSIZE(LDRP_QUEUE_WORK_PATTERN) - 1) ,assert(LdrpQueueWork)); 174 | (LdrpHandleTlsData = (tLdrpHandleTlsData) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_HANDLE_TLSDATA_PATTERN, ARRAYSIZE(LDRP_HANDLE_TLSDATA_PATTERN) - 1) ,assert(LdrpHandleTlsData)); 175 | (LdrControlFlowGuardEnforcedWithExportSuppression = (tLdrControlFlowGuardEnforcedWithExportSuppression)Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDR_CONTROLFLOWGUARD_ENFEXP_PATTERN,ARRAYSIZE(LDR_CONTROLFLOWGUARD_ENFEXP_PATTERN) - 1) ,assert(LdrControlFlowGuardEnforcedWithExportSuppression)); 176 | (LdrpUnsuppressAddressTakenIat = (tLdrpUnsuppressAddressTakenIat) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_UNSUPPRESS_ADDRESSIAT_PATTERN, ARRAYSIZE(LDRP_UNSUPPRESS_ADDRESSIAT_PATTERN) - 1) ,assert(LdrpUnsuppressAddressTakenIat)); 177 | (LdrControlFlowGuardEnforced = (tLdrControlFlowGuardEnforced) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDR_CONTROLFLOWGUARD_ENF_PATTERN, ARRAYSIZE(LDR_CONTROLFLOWGUARD_ENF_PATTERN) - 1) ,assert(LdrControlFlowGuardEnforced)); 178 | (RtlpxLookupFunctionTable = (tRtlpxLookupFunctionTable) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, RTLP_LOOKUP_FUNCTIONTABLE_PATTERN, ARRAYSIZE(RTLP_LOOKUP_FUNCTIONTABLE_PATTERN) - 1) ,assert(RtlpxLookupFunctionTable)); 179 | (LdrpCheckRedirection = (tLdrpCheckRedirection) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CHECK_REDIRECTION_PATTERN, ARRAYSIZE(LDRP_CHECK_REDIRECTION_PATTERN) - 1) ,assert(LdrpCheckRedirection)); 180 | (CompatCachepLookupCdb = (tCompatCachepLookupCdb) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, COMPAT_CACHE_LOOKUPCDB_PATTERN, ARRAYSIZE(COMPAT_CACHE_LOOKUPCDB_PATTERN) - 1) ,assert(CompatCachepLookupCdb)); 181 | (LdrpGenRandom = (tLdrpGenRandom) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_GEN_RANDOM_PATTERN, ARRAYSIZE(LDRP_GEN_RANDOM_PATTERN) - 1) ,assert(LdrpGenRandom)); 182 | (LdrInitSecurityCookie = (tLdrInitSecurityCookie) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDR_INIT_SECURITY_COOKIE_PATTERN, ARRAYSIZE(LDR_INIT_SECURITY_COOKIE_PATTERN) - 1) ,assert(LdrInitSecurityCookie)); 183 | (LdrpCfgProcessLoadConfig = (tLdrpCfgProcessLoadConfig) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CFG_PROCESS_LOADCFG_PATTERN, ARRAYSIZE(LDRP_CFG_PROCESS_LOADCFG_PATTERN) - 1) ,assert(LdrpCfgProcessLoadConfig)); 184 | (RtlInsertInvertedFunctionTable = (tRtlInsertInvertedFunctionTable) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, RTL_INSERT_INV_FUNCTIONTABLE_PATTERN, ARRAYSIZE(RTL_INSERT_INV_FUNCTIONTABLE_PATTERN) - 1) ,assert(RtlInsertInvertedFunctionTable)); 185 | (LdrpSignalModuleMapped = (tLdrpSignalModuleMapped) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_SIGNAL_MODULEMAPPED_PATTERN, ARRAYSIZE(LDRP_SIGNAL_MODULEMAPPED_PATTERN) - 1) ,assert(LdrpSignalModuleMapped)); 186 | (AVrfDllLoadNotification = (tAVrfDllLoadNotification) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, AVRF_DLL_LOADNOTIFICATION_PATTERN, ARRAYSIZE(AVRF_DLL_LOADNOTIFICATION_PATTERN) - 1) ,assert(AVrfDllLoadNotification)); 187 | (LdrpSendDllNotifications = (tLdrpSendDllNotifications) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_SEND_DLLNOTIFICATIONS_PATTERN, ARRAYSIZE(LDRP_SEND_DLLNOTIFICATIONS_PATTERN) - 1) ,assert(LdrpSendDllNotifications)); 188 | (LdrpCallTlsInitializers = (tLdrpCallTlsInitializers) Helper::SigScan((PCHAR)NtdllModule, NtdllModuleInfo.SizeOfImage, LDRP_CALL_TLSINIT_PATTERN, ARRAYSIZE(LDRP_CALL_TLSINIT_PATTERN) - 1) ,assert(LdrpCallTlsInitializers)); 189 | 190 | WID_DBG(TEXT("[WID] >> Initialized.\n")); 191 | 192 | bInitialized = TRUE; 193 | return STATUS_SUCCESS; 194 | } 195 | 196 | WID_DBG(TEXT("[WID] >> Already initialized.\n")); 197 | return STATUS_SUCCESS; 198 | } 199 | 200 | PVOID WID::Helper::SigScan(PCHAR StartAddress, SIZE_T Len, PCHAR Pattern, SIZE_T PatternLen) 201 | { 202 | bool Found = TRUE; 203 | for (int i1 = 0; i1 < Len; i1++) 204 | { 205 | Found = TRUE; 206 | for (int i2 = 0; i2 < PatternLen; i2++) 207 | { 208 | if (Pattern[i2] != 0x90 && StartAddress[i1 + i2] != Pattern[i2]) 209 | { 210 | Found = FALSE; 211 | break; 212 | } 213 | } 214 | 215 | if (Found) 216 | return StartAddress + i1; 217 | } 218 | 219 | return nullptr; 220 | } -------------------------------------------------------------------------------- /Src/WID.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "Includes.h" 4 | 5 | #include "Functions/KERNEL32.h" 6 | #include "Functions/NT.h" 7 | #include "Functions/Undocumented.h" 8 | #include "Loader/Loader.h" 9 | 10 | #ifdef _DEBUG 11 | #ifdef UNICODE 12 | #define WID_DBG wprintf 13 | #else 14 | #define WID_DBG printf 15 | #endif 16 | #else 17 | #define WID_DBG ; 18 | #endif 19 | #define WID_HIDDEN(x) { if(CreationInfo.LoadType == LOADTYPE::DEFAULT){x} } 20 | 21 | namespace WID 22 | { 23 | extern BOOLEAN bInitialized; 24 | 25 | extern MODULEINFO Kernel32ModuleInfo; 26 | extern MODULEINFO KernelBaseModuleInfo; 27 | extern MODULEINFO NtdllModuleInfo; 28 | 29 | NTSTATUS Init(); 30 | 31 | namespace Helper 32 | { 33 | PVOID SigScan(PCHAR StartAddress, SIZE_T Len, PCHAR Pattern, SIZE_T PatternLen); 34 | } 35 | } -------------------------------------------------------------------------------- /WID_LoadLibrary.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.4.33213.308 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WID_LoadLibrary", "WID_LoadLibrary.vcxproj", "{096D6383-D4DE-494B-B324-A925C690CD93}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {096D6383-D4DE-494B-B324-A925C690CD93}.Debug|x64.ActiveCfg = Debug|x64 17 | {096D6383-D4DE-494B-B324-A925C690CD93}.Debug|x64.Build.0 = Debug|x64 18 | {096D6383-D4DE-494B-B324-A925C690CD93}.Debug|x86.ActiveCfg = Debug|Win32 19 | {096D6383-D4DE-494B-B324-A925C690CD93}.Debug|x86.Build.0 = Debug|Win32 20 | {096D6383-D4DE-494B-B324-A925C690CD93}.Release|x64.ActiveCfg = Release|x64 21 | {096D6383-D4DE-494B-B324-A925C690CD93}.Release|x64.Build.0 = Release|x64 22 | {096D6383-D4DE-494B-B324-A925C690CD93}.Release|x86.ActiveCfg = Release|Win32 23 | {096D6383-D4DE-494B-B324-A925C690CD93}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {C5486FDA-3A69-4FF4-9FD5-4DCF94799F68} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /WID_LoadLibrary.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 17.0 23 | {096D6383-D4DE-494B-B324-A925C690CD93} 24 | Win32Proj 25 | 26 | 27 | 28 | Application 29 | true 30 | v143 31 | 32 | 33 | Application 34 | false 35 | v143 36 | 37 | 38 | Application 39 | true 40 | v143 41 | Unicode 42 | 43 | 44 | Application 45 | false 46 | v143 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | true 69 | 70 | 71 | true 72 | 73 | 74 | 75 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 76 | MultiThreadedDebugDLL 77 | Level3 78 | ProgramDatabase 79 | Disabled 80 | 81 | 82 | MachineX86 83 | true 84 | Console 85 | 86 | 87 | 88 | 89 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | MultiThreadedDLL 91 | Level3 92 | ProgramDatabase 93 | 94 | 95 | MachineX86 96 | true 97 | Console 98 | true 99 | true 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | Document 120 | 121 | 122 | 123 | 124 | 125 | 126 | -------------------------------------------------------------------------------- /WID_LoadLibrary.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | Source Files 32 | 33 | 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | 55 | 56 | Source Files 57 | 58 | 59 | --------------------------------------------------------------------------------