├── LICENSE ├── README.md ├── libraries ├── leechcore.lib └── vmm.lib ├── rust_dma.sln └── rust_dma ├── entry.cpp ├── entry.hpp ├── globals.hpp ├── includes.hpp ├── includes ├── dokan.h ├── fileinfo.h ├── leechcore.h ├── leechcore_device.h ├── libpdbcrust.h ├── public.h ├── vmmdll.h └── vmmyara.h ├── memory.cpp ├── memory.hpp ├── rust_dma.vcxproj ├── rust_dma.vcxproj.filters ├── rust_dma.vcxproj.user ├── threads.cpp └── threads.hpp /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 konstantin 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # rust_dma 2 | A DMA (direct memory access) base for the game Rust. Features: no fall, fake admin, no recoil. 3 | 4 | ____________________________________________________ 5 | 6 | MIT License 7 | 8 | Copyright (c) 2023 konstantin 9 | 10 | Permission is hereby granted, free of charge, to any person obtaining a copy 11 | of this software and associated documentation files (the "Software"), to deal 12 | in the Software without restriction, including without limitation the rights 13 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 14 | copies of the Software, and to permit persons to whom the Software is 15 | furnished to do so, subject to the following conditions: 16 | 17 | The above copyright notice and this permission notice shall be included in all 18 | copies or substantial portions of the Software. 19 | 20 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 21 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 22 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 23 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 24 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 25 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 26 | SOFTWARE. 
27 | -------------------------------------------------------------------------------- /libraries/leechcore.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/peheader1337/rust_dma/1569d39ce63d77fdd5e4403779f7896090ff0d64/libraries/leechcore.lib -------------------------------------------------------------------------------- /libraries/vmm.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/peheader1337/rust_dma/1569d39ce63d77fdd5e4403779f7896090ff0d64/libraries/vmm.lib -------------------------------------------------------------------------------- /rust_dma.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.4.33213.308 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rust_dma", "rust_dma\rust_dma.vcxproj", "{073130AA-021A-44C3-B20E-3642D029A106}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {073130AA-021A-44C3-B20E-3642D029A106}.Debug|x64.ActiveCfg = Debug|x64 17 | {073130AA-021A-44C3-B20E-3642D029A106}.Debug|x64.Build.0 = Debug|x64 18 | {073130AA-021A-44C3-B20E-3642D029A106}.Debug|x86.ActiveCfg = Debug|Win32 19 | {073130AA-021A-44C3-B20E-3642D029A106}.Debug|x86.Build.0 = Debug|Win32 20 | {073130AA-021A-44C3-B20E-3642D029A106}.Release|x64.ActiveCfg = Release|x64 21 | {073130AA-021A-44C3-B20E-3642D029A106}.Release|x64.Build.0 = Release|x64 22 | {073130AA-021A-44C3-B20E-3642D029A106}.Release|x86.ActiveCfg = Release|Win32 23 | 
{073130AA-021A-44C3-B20E-3642D029A106}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {A3BED6F6-2DFB-49E5-A478-B5964E771AEC}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/rust_dma/entry.cpp:
--------------------------------------------------------------------------------
1 | #include "entry.hpp"
2 | #include "memory.hpp"
3 | #include "threads.hpp"
4 | #include "globals.hpp"
5 | // Entry point. Opens a MemProcFS (VMMDLL) session on an FPGA DMA device, resolves the process RustClient.exe and two of its modules into globals, starts threads::memory_loop on a new thread, then blocks forever.
6 | auto main() -> void // NOTE(review): standard C++ requires main to return int; a void main is accepted only as a compiler extension.
7 | {
8 |     SetConsoleTitleA("geroin");
9 | // NOTE(review): with an FPGA device the reads are issued over PCIe from outside the target OS, so process-level monitoring on the target does not see them; the host-side control is IOMMU/VT-d DMA remapping (e.g. Windows Kernel DMA Protection).
10 |     printf("[ * ] loading...\n");
11 | // argv-style option list for VMMDLL_Initialize; "-device fpga" selects the FPGA acquisition device. The vector's element type was lost in extraction (presumably vector<LPSTR>).
12 |     vector arguments = { (LPSTR)"", (LPSTR)"-device", (LPSTR)"fpga" };
13 | // NOTE(review): the handle returned by VMMDLL_Initialize is stored without a NULL check, so a failed initialisation is not reported here.
14 |     globals::vmm_handle = VMMDLL_Initialize(3, arguments.data());
15 |     globals::game_pid = memory::get_process_id("RustClient.exe");
16 | // memory::get_process_id lives in memory.cpp (not shown); the PID is printed without checking that the process was found.
17 |     printf("[ * ] game_pid : %i\n", globals::game_pid);
18 | // Results go into the uint64_t globals declared in globals.hpp; presumably module base addresses, since memory::get_module_handle is not visible here.
19 |     globals::game_assembly = memory::get_module_handle("GameAssembly.dll");
20 |     globals::unity_player = memory::get_module_handle("UnityPlayer.dll");
21 |
22 |     printf("[ * ] creating threads...\n");
23 | // Worker thread runs threads::memory_loop (threads.cpp, not shown). The cast's target type was lost in extraction, and the returned thread handle is discarded.
24 |     CreateThread(0, 0, reinterpret_cast(threads::memory_loop), 0, 0, 0);
25 |
26 |     printf("[ * ] done\n");
27 | // Sleep takes a DWORD, so -1 converts to 0xFFFFFFFF (INFINITE): the main thread parks here and the process stays alive for the worker.
28 |     Sleep(-1);
29 | }
--------------------------------------------------------------------------------
/rust_dma/entry.hpp:
--------------------------------------------------------------------------------
1 | #include "includes.hpp"
2 |
3 | auto main() -> void;
--------------------------------------------------------------------------------
/rust_dma/globals.hpp:
--------------------------------------------------------------------------------
1 | #include "includes.hpp"
2 | #include "includes/vmmdll.h"
3 |
4 | namespace globals
5 | {
6 | inline VMM_HANDLE vmm_handle = 0;
7 | inline uint32_t game_pid = 0;
8 | inline uint64_t 
game_assembly = 0; 9 | inline uint64_t unity_player = 0; 10 | } -------------------------------------------------------------------------------- /rust_dma/includes.hpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #pragma comment(lib, "ntdll.lib") 12 | 13 | using namespace std; -------------------------------------------------------------------------------- /rust_dma/includes/dokan.h: -------------------------------------------------------------------------------- 1 | /* 2 | Dokan : user-mode file system library for Windows 3 | 4 | Copyright (C) 2015 - 2019 Adrien J. and Maxime C. 5 | Copyright (C) 2020 Google, Inc. 6 | Copyright (C) 2007 - 2011 Hiroki Asakawa 7 | 8 | http://dokan-dev.github.io 9 | 10 | This program is free software; you can redistribute it and/or modify it under 11 | the terms of the GNU Lesser General Public License as published by the Free 12 | Software Foundation; either version 3 of the License, or (at your option) any 13 | later version. 14 | 15 | This program is distributed in the hope that it will be useful, but WITHOUT ANY 16 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 17 | FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 18 | 19 | You should have received a copy of the GNU Lesser General Public License along 20 | with this program. If not, see . 21 | */ 22 | 23 | #ifndef DOKAN_H_ 24 | #define DOKAN_H_ 25 | 26 | /** Do not include NTSTATUS. 
Fix duplicate preprocessor definitions */ 27 | #define WIN32_NO_STATUS 28 | #include 29 | #undef WIN32_NO_STATUS 30 | #include 31 | 32 | #include "fileinfo.h" 33 | #include "public.h" 34 | 35 | #ifdef _EXPORTING 36 | /** Export dokan API see also dokan.def for export */ 37 | #define DOKANAPI __stdcall 38 | #else 39 | /** Import dokan API */ 40 | #define DOKANAPI __declspec(dllimport) __stdcall 41 | #endif 42 | 43 | /** Change calling convention to standard call */ 44 | #define DOKAN_CALLBACK __stdcall 45 | 46 | #ifdef __cplusplus 47 | extern "C" { 48 | #endif 49 | 50 | /** @file */ 51 | 52 | /** 53 | * \defgroup Dokan Dokan 54 | * \brief Dokan Library const and methods 55 | */ 56 | /** @{ */ 57 | 58 | /** The current Dokan version (200 means ver 2.0.0). \ref DOKAN_OPTIONS.Version */ 59 | #define DOKAN_VERSION 200 60 | /** Minimum Dokan version (ver 2.0.0) accepted. */ 61 | #define DOKAN_MINIMUM_COMPATIBLE_VERSION 200 62 | /** Driver file name including the DOKAN_MAJOR_API_VERSION */ 63 | #define DOKAN_DRIVER_NAME L"dokan" DOKAN_MAJOR_API_VERSION L".sys" 64 | /** Network provider name including the DOKAN_MAJOR_API_VERSION */ 65 | #define DOKAN_NP_NAME L"Dokan" DOKAN_MAJOR_API_VERSION 66 | 67 | /** @} */ 68 | 69 | /** 70 | * \defgroup DOKAN_OPTION DOKAN_OPTION 71 | * \brief All DOKAN_OPTION flags used in DOKAN_OPTIONS.Options 72 | * \see DOKAN_FILE_INFO 73 | */ 74 | /** @{ */ 75 | 76 | /** Enable ouput debug message */ 77 | #define DOKAN_OPTION_DEBUG 1 78 | /** Enable ouput debug message to stderr */ 79 | #define DOKAN_OPTION_STDERR (1 << 1) 80 | /** 81 | * Enable the use of alternate stream paths in the form 82 | * :. If this is not specified then the driver will 83 | * fail any attempt to access a path with a colon. 
84 | */ 85 | #define DOKAN_OPTION_ALT_STREAM (1 << 2) 86 | /** Enable mount drive as write-protected */ 87 | #define DOKAN_OPTION_WRITE_PROTECT (1 << 3) 88 | /** Use network drive - Dokan network provider needs to be installed */ 89 | #define DOKAN_OPTION_NETWORK (1 << 4) 90 | /** 91 | * Use removable drive 92 | * Be aware that on some environments, the userland application will be denied 93 | * to communicate with the drive which will result in a unwanted unmount. 94 | * \see Issue #843 95 | */ 96 | #define DOKAN_OPTION_REMOVABLE (1 << 5) 97 | /** 98 | * Use Windows Mount Manager. 99 | * This option is highly recommended to use for better system integration 100 | * 101 | * If a drive letter is used but is busy, Mount manager will assign one for us and 102 | * \ref DOKAN_OPERATIONS.Mounted parameters will contain the new mount point. 103 | */ 104 | #define DOKAN_OPTION_MOUNT_MANAGER (1 << 6) 105 | /** Mount the drive on current session only */ 106 | #define DOKAN_OPTION_CURRENT_SESSION (1 << 7) 107 | /** Enable Lockfile/Unlockfile operations. Otherwise Dokan will take care of it */ 108 | #define DOKAN_OPTION_FILELOCK_USER_MODE (1 << 8) 109 | /** 110 | * Enable Case sensitive path. 111 | * By default all path are case insensitive. 112 | * For case sensitive: \dir\File & \diR\file are different files 113 | * but for case insensitive they are the same. 114 | */ 115 | #define DOKAN_OPTION_CASE_SENSITIVE (1 << 9) 116 | /** Allows unmounting of network drive via explorer */ 117 | #define DOKAN_OPTION_ENABLE_UNMOUNT_NETWORK_DRIVE (1 << 10) 118 | /** 119 | * Forward the kernel driver global and volume logs to the userland. 120 | * Can be very slow if single thread is enabled. 121 | */ 122 | #define DOKAN_OPTION_DISPATCH_DRIVER_LOGS (1 << 11) 123 | 124 | /** @} */ 125 | 126 | typedef VOID *DOKAN_HANDLE, **PDOKAN_HANDLE; 127 | 128 | /** 129 | * \struct DOKAN_OPTIONS 130 | * \brief Dokan mount options used to describe Dokan device behavior. 
131 | * \see DokanMain 132 | */ 133 | typedef struct _DOKAN_OPTIONS { 134 | /** Version of the Dokan features requested without dots (version "123" is equal to Dokan version 1.2.3). */ 135 | USHORT Version; 136 | /** Only use a single thread to process events. This is highly not recommended as can easily create a bottleneck. */ 137 | BOOLEAN SingleThread; 138 | /** Features enabled for the mount. See \ref DOKAN_OPTION. */ 139 | ULONG Options; 140 | /** FileSystem can store anything here. */ 141 | ULONG64 GlobalContext; 142 | /** Mount point. It can be a driver letter like "M:\" or a folder path "C:\mount\dokan" on a NTFS partition. */ 143 | LPCWSTR MountPoint; 144 | /** 145 | * UNC Name for the Network Redirector 146 | * \see Support for UNC Naming 147 | */ 148 | LPCWSTR UNCName; 149 | /** 150 | * Max timeout in milliseconds of each request before Dokan gives up to wait events to complete. 151 | * A timeout request is a sign that the userland implementation is no longer able to properly manage requests in time. 152 | * The driver will therefore unmount the device when a timeout trigger in order to keep the system stable. 153 | * The default timeout value is 15 seconds. 154 | */ 155 | ULONG Timeout; 156 | /** Allocation Unit Size of the volume. This will affect the file size. */ 157 | ULONG AllocationUnitSize; 158 | /** Sector Size of the volume. This will affect the file size. */ 159 | ULONG SectorSize; 160 | /** Length of the optional VolumeSecurityDescriptor provided. Set 0 will disable the option. */ 161 | ULONG VolumeSecurityDescriptorLength; 162 | /** Optional Volume Security descriptor. See InitializeSecurityDescriptor */ 163 | CHAR VolumeSecurityDescriptor[VOLUME_SECURITY_DESCRIPTOR_MAX_SIZE]; 164 | } DOKAN_OPTIONS, *PDOKAN_OPTIONS; 165 | 166 | /** 167 | * \struct DOKAN_FILE_INFO 168 | * \brief Dokan file information on the current operation. 
169 | */ 170 | typedef struct _DOKAN_FILE_INFO { 171 | /** 172 | * Context that can be used to carry information between operations. 173 | * The context can carry whatever type like \c HANDLE, struct, int, 174 | * internal reference that will help the implementation understand the request context of the event. 175 | */ 176 | ULONG64 Context; 177 | /** Reserved. Used internally by Dokan library. Never modify. */ 178 | ULONG64 DokanContext; 179 | /** A pointer to DOKAN_OPTIONS which was passed to \ref DokanMain or \ref DokanCreateFileSystem. */ 180 | PDOKAN_OPTIONS DokanOptions; 181 | /** 182 | * Reserved. Used internally by Dokan library. Never modify. 183 | * If the processing for the event requires extra data to be associated with it 184 | * then a pointer to that data can be placed here 185 | */ 186 | PVOID ProcessingContext; 187 | /** 188 | * Process ID for the thread that originally requested a given I/O operation. 189 | */ 190 | ULONG ProcessId; 191 | /** 192 | * Requesting a directory file. 193 | * Must be set in \ref DOKAN_OPERATIONS.ZwCreateFile if the file appears to be a folder. 194 | */ 195 | UCHAR IsDirectory; 196 | /** Flag if the file has to be deleted during DOKAN_OPERATIONS. Cleanup event. */ 197 | UCHAR DeleteOnClose; 198 | /** Read or write is paging IO. */ 199 | UCHAR PagingIo; 200 | /** Read or write is synchronous IO. */ 201 | UCHAR SynchronousIo; 202 | /** Read or write directly from data source without cache */ 203 | UCHAR Nocache; 204 | /** If \c TRUE, write to the current end of file instead of using the Offset parameter. 
*/ 205 | UCHAR WriteToEndOfFile; 206 | } DOKAN_FILE_INFO, *PDOKAN_FILE_INFO; 207 | 208 | #define DOKAN_EXCEPTION_NOT_INITIALIZED 0x0f0ff0ff 209 | #define DOKAN_EXCEPTION_INITIALIZATION_FAILED 0x0fbadbad 210 | #define DOKAN_EXCEPTION_SHUTDOWN_FAILED 0x0fbadf00 211 | 212 | /** 213 | * \brief FillFindData Used to add an entry in FindFiles operation 214 | * \return 1 if buffer is full, otherwise 0 (currently it never returns 1) 215 | */ 216 | typedef int(WINAPI *PFillFindData)(PWIN32_FIND_DATAW, PDOKAN_FILE_INFO); 217 | 218 | /** 219 | * \brief FillFindStreamData Used to add an entry in FindStreams 220 | * \return FALSE if the buffer is full, otherwise TRUE 221 | */ 222 | typedef BOOL(WINAPI *PFillFindStreamData)(PWIN32_FIND_STREAM_DATA, PVOID); 223 | 224 | // clang-format off 225 | 226 | /** 227 | * \struct DOKAN_OPERATIONS 228 | * \brief Dokan API callbacks interface 229 | * 230 | * DOKAN_OPERATIONS is a struct of callbacks that describe all Dokan API operations 231 | * that will be called when Windows access to the filesystem. 232 | * 233 | * If an error occurs, return NTSTATUS (https://support.microsoft.com/en-us/kb/113996). 234 | * Win32 Error can be converted to \c NTSTATUS with \ref DokanNtStatusFromWin32 235 | * 236 | * All callbacks can be set to \c NULL or return \c STATUS_NOT_IMPLEMENTED 237 | * if supporting one of them is not desired. Be aware that returning such values to important callbacks 238 | * such as DOKAN_OPERATIONS.ZwCreateFile / DOKAN_OPERATIONS.ReadFile / ... would make the filesystem not work or become unstable. 239 | */ 240 | typedef struct _DOKAN_OPERATIONS { 241 | /** 242 | * \brief CreateFile Dokan API callback 243 | * 244 | * CreateFile is called each time a request is made on a file system object. 245 | * 246 | * In case \c OPEN_ALWAYS & \c CREATE_ALWAYS are successfully opening an 247 | * existing file, \c STATUS_OBJECT_NAME_COLLISION should be returned instead of \c STATUS_SUCCESS . 
248 | * This will inform Dokan that the file has been opened and not created during the request. 249 | * 250 | * If the file is a directory, CreateFile is also called. 251 | * In this case, CreateFile should return \c STATUS_SUCCESS when that directory 252 | * can be opened and DOKAN_FILE_INFO.IsDirectory has to be set to \c TRUE. 253 | * On the other hand, if DOKAN_FILE_INFO.IsDirectory is set to \c TRUE 254 | * but the path targets a file, \c STATUS_NOT_A_DIRECTORY must be returned. 255 | * 256 | * DOKAN_FILE_INFO.Context can be used to store Data (like \c HANDLE) 257 | * that can be retrieved in all other requests related to the Context. 258 | * To avoid memory leak, Context needs to be released in DOKAN_OPERATIONS.Cleanup. 259 | * 260 | * \param FileName File path requested by the Kernel on the FileSystem. 261 | * \param SecurityContext SecurityContext, see https://msdn.microsoft.com/en-us/library/windows/hardware/ff550613(v=vs.85).aspx 262 | * \param DesiredAccess Specifies an ACCESS_MASK value that determines the requested access to the object. 263 | * \param FileAttributes Specifies one or more FILE_ATTRIBUTE_XXX flags, which represent the file attributes to set if a file is created or overwritten. 264 | * \param ShareAccess Type of share access, which is specified as zero or any combination of FILE_SHARE_* flags. 265 | * \param CreateDisposition Specifies the action to perform if the file does or does not exist. 266 | * \param CreateOptions Specifies the options to apply when the driver creates or opens the file. 267 | * \param DokanFileInfo Information about the file or directory. 268 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 269 | * \see See ZwCreateFile for more information about the parameters of this callback (MSDN). 
270 | * \see DokanMapKernelToUserCreateFileFlags 271 | */ 272 | NTSTATUS(DOKAN_CALLBACK *ZwCreateFile)(LPCWSTR FileName, 273 | PDOKAN_IO_SECURITY_CONTEXT SecurityContext, 274 | ACCESS_MASK DesiredAccess, 275 | ULONG FileAttributes, 276 | ULONG ShareAccess, 277 | ULONG CreateDisposition, 278 | ULONG CreateOptions, 279 | PDOKAN_FILE_INFO DokanFileInfo); 280 | 281 | /** 282 | * \brief Cleanup Dokan API callback 283 | * 284 | * Cleanup request before \ref CloseFile is called. 285 | * 286 | * When DOKAN_FILE_INFO.DeleteOnClose is \c TRUE, the file in Cleanup must be deleted. 287 | * The function cannot fail therefore the filesystem need to ensure ahead 288 | * that a the delete can safely happen during Cleanup. 289 | * See DeleteFile documentation for explanation. 290 | * 291 | * \param FileName File path requested by the Kernel on the FileSystem. 292 | * \param DokanFileInfo Information about the file or directory. 293 | * \see DeleteFile 294 | * \see DeleteDirectory 295 | */ 296 | void(DOKAN_CALLBACK *Cleanup)(LPCWSTR FileName, 297 | PDOKAN_FILE_INFO DokanFileInfo); 298 | 299 | /** 300 | * \brief CloseFile Dokan API callback 301 | * 302 | * Clean remaining Context 303 | * 304 | * CloseFile is called at the end of the life of the context. 305 | * Anything remaining in \ref DOKAN_FILE_INFO.Context must be cleared before returning. 306 | * 307 | * \param FileName File path requested by the Kernel on the FileSystem. 308 | * \param DokanFileInfo Information about the file or directory. 309 | */ 310 | void(DOKAN_CALLBACK *CloseFile)(LPCWSTR FileName, 311 | PDOKAN_FILE_INFO DokanFileInfo); 312 | 313 | /** 314 | * \brief ReadFile Dokan API callback 315 | * 316 | * ReadFile callback on the file previously opened in DOKAN_OPERATIONS.ZwCreateFile. 317 | * It can be called by different threads at the same time, so the read/context has to be thread safe. 318 | * 319 | * \param FileName File path requested by the Kernel on the FileSystem. 
320 | * \param Buffer Read buffer that has to be filled with the read result. 321 | * \param BufferLength Buffer length and read size to continue with. 322 | * \param ReadLength Total data size that has been read. 323 | * \param Offset Offset from where the read has to be continued. 324 | * \param DokanFileInfo Information about the file or directory. 325 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 326 | * \see WriteFile 327 | */ 328 | NTSTATUS(DOKAN_CALLBACK *ReadFile)(LPCWSTR FileName, 329 | LPVOID Buffer, 330 | DWORD BufferLength, 331 | LPDWORD ReadLength, 332 | LONGLONG Offset, 333 | PDOKAN_FILE_INFO DokanFileInfo); 334 | 335 | /** 336 | * \brief WriteFile Dokan API callback 337 | * 338 | * WriteFile callback on the file previously opened in DOKAN_OPERATIONS.ZwCreateFile 339 | * It can be called by different threads at the same time, sp the write/context has to be thread safe. 340 | * 341 | * \param FileName File path requested by the Kernel on the FileSystem. 342 | * \param Buffer Data that has to be written. 343 | * \param NumberOfBytesToWrite Buffer length and write size to continue with. 344 | * \param NumberOfBytesWritten Total number of bytes that have been written. 345 | * \param Offset Offset from where the write has to be continued. 346 | * \param DokanFileInfo Information about the file or directory. 347 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 348 | * \see ReadFile 349 | */ 350 | NTSTATUS(DOKAN_CALLBACK *WriteFile)(LPCWSTR FileName, 351 | LPCVOID Buffer, 352 | DWORD NumberOfBytesToWrite, 353 | LPDWORD NumberOfBytesWritten, 354 | LONGLONG Offset, 355 | PDOKAN_FILE_INFO DokanFileInfo); 356 | 357 | /** 358 | * \brief FlushFileBuffers Dokan API callback 359 | * 360 | * Clears buffers for this context and causes any buffered data to be written to the file. 361 | * 362 | * \param FileName File path requested by the Kernel on the FileSystem. 
363 | * \param DokanFileInfo Information about the file or directory. 364 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 365 | */ 366 | NTSTATUS(DOKAN_CALLBACK *FlushFileBuffers)(LPCWSTR FileName, 367 | PDOKAN_FILE_INFO DokanFileInfo); 368 | 369 | /** 370 | * \brief GetFileInformation Dokan API callback 371 | * 372 | * Get specific information on a file. 373 | * 374 | * \param FileName File path requested by the Kernel on the FileSystem. 375 | * \param Buffer BY_HANDLE_FILE_INFORMATION struct to fill. 376 | * \param DokanFileInfo Information about the file or directory. 377 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 378 | */ 379 | NTSTATUS(DOKAN_CALLBACK *GetFileInformation)(LPCWSTR FileName, 380 | LPBY_HANDLE_FILE_INFORMATION Buffer, 381 | PDOKAN_FILE_INFO DokanFileInfo); 382 | 383 | /** 384 | * \brief FindFiles Dokan API callback 385 | * 386 | * List all files in the requested path 387 | * \ref DOKAN_OPERATIONS.FindFilesWithPattern is checked first. If it is not implemented or 388 | * returns \c STATUS_NOT_IMPLEMENTED, then FindFiles is called, if implemented. 389 | * 390 | * \param FileName File path requested by the Kernel on the FileSystem. 391 | * \param FillFindData Callback that has to be called with PWIN32_FIND_DATAW that contain file information. 392 | * \param DokanFileInfo Information about the file or directory. 393 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 394 | * \see FindFilesWithPattern 395 | */ 396 | NTSTATUS(DOKAN_CALLBACK *FindFiles)(LPCWSTR FileName, 397 | PFillFindData FillFindData, 398 | PDOKAN_FILE_INFO DokanFileInfo); 399 | 400 | /** 401 | * \brief FindFilesWithPattern Dokan API callback 402 | * 403 | * Same as \ref DOKAN_OPERATIONS.FindFiles but with a search pattern.\n 404 | * The search pattern is a Windows MS-DOS-style expression. 405 | * It can contain wild cards and extended characters or none of them. 
See \ref DokanIsNameInExpression. 406 | * 407 | * If the function is not implemented, \ref DOKAN_OPERATIONS.FindFiles 408 | * will be called instead and the result will be filtered internally by the library. 409 | * 410 | * \param PathName Path requested by the Kernel on the FileSystem. 411 | * \param SearchPattern Search pattern. 412 | * \param FillFindData Callback that has to be called with PWIN32_FIND_DATAW that contains file information. 413 | * \param DokanFileInfo Information about the file or directory. 414 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 415 | * \see FindFiles 416 | * \see DokanIsNameInExpression 417 | */ 418 | NTSTATUS(DOKAN_CALLBACK *FindFilesWithPattern)(LPCWSTR PathName, 419 | LPCWSTR SearchPattern, 420 | PFillFindData FillFindData, 421 | PDOKAN_FILE_INFO DokanFileInfo); 422 | 423 | /** 424 | * \brief SetFileAttributes Dokan API callback 425 | * 426 | * Set file attributes on a specific file 427 | * 428 | * \param FileName File path requested by the Kernel on the FileSystem. 429 | * \param FileAttributes FileAttributes to set on file. 430 | * \param DokanFileInfo Information about the file or directory. 431 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 432 | */ 433 | NTSTATUS(DOKAN_CALLBACK *SetFileAttributes)(LPCWSTR FileName, 434 | DWORD FileAttributes, 435 | PDOKAN_FILE_INFO DokanFileInfo); 436 | 437 | /** 438 | * \brief SetFileTime Dokan API callback 439 | * 440 | * Set file attributes on a specific file 441 | * 442 | * \param FileName File path requested by the Kernel on the FileSystem. 443 | * \param CreationTime Creation FILETIME. 444 | * \param LastAccessTime LastAccess FILETIME. 445 | * \param LastWriteTime LastWrite FILETIME. 446 | * \param DokanFileInfo Information about the file or directory. 447 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 
448 | */ 449 | NTSTATUS(DOKAN_CALLBACK *SetFileTime)(LPCWSTR FileName, 450 | CONST FILETIME *CreationTime, 451 | CONST FILETIME *LastAccessTime, 452 | CONST FILETIME *LastWriteTime, 453 | PDOKAN_FILE_INFO DokanFileInfo); 454 | 455 | /** 456 | * \brief DeleteFile Dokan API callback 457 | * 458 | * Check if it is possible to delete a file. 459 | * 460 | * DeleteFile will also be called with DOKAN_FILE_INFO.DeleteOnClose set to \c FALSE 461 | * to notify the driver when the file is no longer requested to be deleted. 462 | * 463 | * The file in DeleteFile should not be deleted, but instead the file 464 | * must be checked as to whether or not it can be deleted, 465 | * and \c STATUS_SUCCESS should be returned (when it can be deleted) or 466 | * appropriate error codes, such as \c STATUS_ACCESS_DENIED or 467 | * \c STATUS_OBJECT_NAME_NOT_FOUND, should be returned. 468 | * 469 | * When \c STATUS_SUCCESS is returned, a Cleanup call is received afterwards with 470 | * DOKAN_FILE_INFO.DeleteOnClose set to \c TRUE. Only then must the closing file 471 | * be deleted. 472 | * 473 | * \param FileName File path requested by the Kernel on the FileSystem. 474 | * \param DokanFileInfo Information about the file or directory. 475 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 476 | * \see DeleteDirectory 477 | * \see Cleanup 478 | */ 479 | NTSTATUS(DOKAN_CALLBACK *DeleteFile)(LPCWSTR FileName, 480 | PDOKAN_FILE_INFO DokanFileInfo); 481 | 482 | /** 483 | * \brief DeleteDirectory Dokan API callback 484 | * 485 | * Check if it is possible to delete a directory. 486 | * 487 | * DeleteDirectory will also be called with DOKAN_FILE_INFO.DeleteOnClose set to \c FALSE 488 | * to notify the driver when the file is no longer requested to be deleted. 
489 | * 490 | * The Directory in DeleteDirectory should not be deleted, but instead 491 | * must be checked as to whether or not it can be deleted, 492 | * and \c STATUS_SUCCESS should be returned (when it can be deleted) or 493 | * appropriate error codes, such as \c STATUS_ACCESS_DENIED, 494 | * \c STATUS_OBJECT_PATH_NOT_FOUND, or \c STATUS_DIRECTORY_NOT_EMPTY, should 495 | * be returned. 496 | * 497 | * When \c STATUS_SUCCESS is returned, a Cleanup call is received afterwards with 498 | * DOKAN_FILE_INFO.DeleteOnClose set to \c TRUE. Only then must the closing file 499 | * be deleted. 500 | * 501 | * \param FileName File path requested by the Kernel on the FileSystem. 502 | * \param DokanFileInfo Information about the file or directory. 503 | * \return \c STATUS_SUCCESS on success or \c NTSTATUS appropriate to the request result. 504 | * \ref DeleteFile 505 | * \ref Cleanup 506 | */ 507 | NTSTATUS(DOKAN_CALLBACK *DeleteDirectory)(LPCWSTR FileName, 508 | PDOKAN_FILE_INFO DokanFileInfo); 509 | 510 | /** 511 | * \brief MoveFile Dokan API callback 512 | * 513 | * Move a file or directory to a new destination 514 | * 515 | * \param FileName Path for the file to be moved. 516 | * \param NewFileName Path for the new location of the file. 517 | * \param ReplaceIfExisting If destination already exists, can it be replaced? 518 | * \param DokanFileInfo Information about the file or directory. 519 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 520 | */ 521 | NTSTATUS(DOKAN_CALLBACK *MoveFile)(LPCWSTR FileName, 522 | LPCWSTR NewFileName, 523 | BOOL ReplaceIfExisting, 524 | PDOKAN_FILE_INFO DokanFileInfo); 525 | 526 | /** 527 | * \brief SetEndOfFile Dokan API callback 528 | * 529 | * SetEndOfFile is used to truncate or extend a file (physical file size). 530 | * 531 | * \param FileName File path requested by the Kernel on the FileSystem. 532 | * \param ByteOffset File length to set. 
533 | * \param DokanFileInfo Information about the file or directory. 534 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 535 | */ 536 | NTSTATUS(DOKAN_CALLBACK *SetEndOfFile)(LPCWSTR FileName, 537 | LONGLONG ByteOffset, 538 | PDOKAN_FILE_INFO DokanFileInfo); 539 | 540 | /** 541 | * \brief SetAllocationSize Dokan API callback 542 | * 543 | * SetAllocationSize is used to truncate or extend a file. 544 | * 545 | * \param FileName File path requested by the Kernel on the FileSystem. 546 | * \param AllocSize File length to set. 547 | * \param DokanFileInfo Information about the file or directory. 548 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 549 | */ 550 | NTSTATUS(DOKAN_CALLBACK *SetAllocationSize)(LPCWSTR FileName, 551 | LONGLONG AllocSize, 552 | PDOKAN_FILE_INFO DokanFileInfo); 553 | 554 | /** 555 | * \brief LockFile Dokan API callback 556 | * 557 | * Lock file at a specific offset and data length. 558 | * This is only used if \ref DOKAN_OPTION_FILELOCK_USER_MODE is enabled. 559 | * 560 | * \param FileName File path requested by the Kernel on the FileSystem. 561 | * \param ByteOffset Offset from where the lock has to be continued. 562 | * \param Length Data length to lock. 563 | * \param DokanFileInfo Information about the file or directory. 564 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 565 | * \see UnlockFile 566 | */ 567 | NTSTATUS(DOKAN_CALLBACK *LockFile)(LPCWSTR FileName, 568 | LONGLONG ByteOffset, 569 | LONGLONG Length, 570 | PDOKAN_FILE_INFO DokanFileInfo); 571 | 572 | /** 573 | * \brief UnlockFile Dokan API callback 574 | * 575 | * Unlock file at a specific offset and data length. 576 | * This is only used if \ref DOKAN_OPTION_FILELOCK_USER_MODE is enabled. 577 | * 578 | * \param FileName File path requested by the Kernel on the FileSystem. 579 | * \param ByteOffset Offset from where the lock has to be continued. 
580 | * \param Length Data length to lock. 581 | * \param DokanFileInfo Information about the file or directory. 582 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 583 | * \see LockFile 584 | */ 585 | NTSTATUS(DOKAN_CALLBACK *UnlockFile)(LPCWSTR FileName, 586 | LONGLONG ByteOffset, 587 | LONGLONG Length, 588 | PDOKAN_FILE_INFO DokanFileInfo); 589 | 590 | /** 591 | * \brief GetDiskFreeSpace Dokan API callback 592 | * 593 | * Retrieves information about the amount of space that is available on a disk volume. 594 | * It consists of the total amount of space, the total amount of free space, and 595 | * the total amount of free space available to the user that is associated with the calling thread. 596 | * 597 | * Neither GetDiskFreeSpace nor \ref GetVolumeInformation 598 | * save the DOKAN_FILE_INFO.Context. 599 | * These methods may be called without a prior \ref ZwCreateFile call, so do not assume the Context is set. 600 | * (ditto \ref CloseFile and \ref Cleanup) 601 | * 602 | * \param FreeBytesAvailable Amount of available space. 603 | * \param TotalNumberOfBytes Total size of storage space 604 | * \param TotalNumberOfFreeBytes Amount of free space 605 | * \param DokanFileInfo Information about the file or directory. 606 | * \return \c STATUS_SUCCESS on success or \c NTSTATUS appropriate to the request result. 607 | * \see GetDiskFreeSpaceEx function (MSDN) 608 | * \see GetVolumeInformation 609 | */ 610 | NTSTATUS(DOKAN_CALLBACK *GetDiskFreeSpace)(PULONGLONG FreeBytesAvailable, 611 | PULONGLONG TotalNumberOfBytes, 612 | PULONGLONG TotalNumberOfFreeBytes, 613 | PDOKAN_FILE_INFO DokanFileInfo); 614 | 615 | /** 616 | * \brief GetVolumeInformation Dokan API callback 617 | * 618 | * Retrieves information about the file system and volume associated with the specified root directory. 619 | * 620 | * Neither GetVolumeInformation nor GetDiskFreeSpace 621 | * save the \ref DOKAN_FILE_INFO#Context. 
622 | * These methods may be called without a prior \ref ZwCreateFile call, so do not assume the Context is set. 623 | * (ditto \ref CloseFile and \ref Cleanup) 624 | * 625 | * VolumeName length can be anything that fits in the provided buffer. 626 | * But some Windows components expect it to be no longer than 32 characters, 627 | * which is why it is recommended to set a value under this limit. 628 | * 629 | * FileSystemName could be anything up to 10 characters. 630 | * But Windows checks the availability of a few features based on the file system name. 631 | * For this reason, it is recommended to set NTFS or FAT here. 632 | * 633 | * \c FILE_READ_ONLY_VOLUME is automatically added to the 634 | * FileSystemFlags if \ref DOKAN_OPTION_WRITE_PROTECT was 635 | * specified in DOKAN_OPTIONS when the volume was mounted. 636 | * 637 | * \param VolumeNameBuffer A pointer to a buffer that receives the name of a specified volume. 638 | * \param VolumeNameSize The length of a volume name buffer. 639 | * \param VolumeSerialNumber A pointer to a variable that receives the volume serial number. 640 | * \param MaximumComponentLength A pointer to a variable that receives the maximum length. 641 | * \param FileSystemFlags A pointer to a variable that receives flags associated with the specified file system. 642 | * \param FileSystemNameBuffer A pointer to a buffer that receives the name of the file system. 643 | * \param FileSystemNameSize The length of the file system name buffer. 644 | * \param DokanFileInfo Information about the file or directory. 645 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 
646 | * \see GetVolumeInformation function (MSDN) 647 | * \see GetDiskFreeSpace 648 | */ 649 | NTSTATUS(DOKAN_CALLBACK *GetVolumeInformation)(LPWSTR VolumeNameBuffer, 650 | DWORD VolumeNameSize, 651 | LPDWORD VolumeSerialNumber, 652 | LPDWORD MaximumComponentLength, 653 | LPDWORD FileSystemFlags, 654 | LPWSTR FileSystemNameBuffer, 655 | DWORD FileSystemNameSize, 656 | PDOKAN_FILE_INFO DokanFileInfo); 657 | 658 | /** 659 | * \brief Mounted Dokan API callback 660 | * 661 | * Called when Dokan successfully mounts the volume. 662 | * 663 | * If \ref DOKAN_OPTION_MOUNT_MANAGER is enabled and the drive letter requested is busy, 664 | * the MountPoint can contain a different drive letter that the mount manager assigned us. 665 | * 666 | * \param MountPoint The mount point assigned to the instance. 667 | * \param DokanFileInfo Information about the file or directory. 668 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 669 | * \see Unmounted 670 | */ 671 | NTSTATUS(DOKAN_CALLBACK *Mounted)(LPCWSTR MountPoint, PDOKAN_FILE_INFO DokanFileInfo); 672 | 673 | /** 674 | * \brief Unmounted Dokan API callback 675 | * 676 | * Called when Dokan is unmounting the volume. 677 | * 678 | * \param DokanFileInfo Information about the file or directory. 679 | * \return \c STATUS_SUCCESS on success or \c NTSTATUS appropriate to the request result. 680 | * \see Mounted 681 | */ 682 | NTSTATUS(DOKAN_CALLBACK *Unmounted)(PDOKAN_FILE_INFO DokanFileInfo); 683 | 684 | /** 685 | * \brief GetFileSecurity Dokan API callback 686 | * 687 | * Get specified information about the security of a file or directory. 688 | * 689 | * Return \c STATUS_NOT_IMPLEMENTED to let the dokan library build an SDDL for the current process user with authenticated user rights for the context menu. 690 | * Return \c STATUS_BUFFER_OVERFLOW if the buffer size is too small. 691 | * 692 | * \since Supported since version 0.6.0. The version must be specified in \ref DOKAN_OPTIONS.Version. 
693 | * \param FileName File path requested by the Kernel on the FileSystem. 694 | * \param SecurityInformation A SECURITY_INFORMATION value that identifies the security information being requested. 695 | * \param SecurityDescriptor A pointer to a buffer that receives a copy of the security descriptor of the requested file. 696 | * \param BufferLength Specifies the size, in bytes, of the buffer. 697 | * \param LengthNeeded A pointer to the variable that receives the number of bytes necessary to store the complete security descriptor. 698 | * \param DokanFileInfo Information about the file or directory. 699 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 700 | * \see SetFileSecurity 701 | * \see GetFileSecurity function (MSDN) 702 | */ 703 | NTSTATUS(DOKAN_CALLBACK *GetFileSecurity)(LPCWSTR FileName, 704 | PSECURITY_INFORMATION SecurityInformation, 705 | PSECURITY_DESCRIPTOR SecurityDescriptor, 706 | ULONG BufferLength, 707 | PULONG LengthNeeded, 708 | PDOKAN_FILE_INFO DokanFileInfo); 709 | 710 | /** 711 | * \brief SetFileSecurity Dokan API callback 712 | * 713 | * Sets the security of a file or directory object. 714 | * 715 | * \since Supported since version 0.6.0. The version must be specified in \ref DOKAN_OPTIONS.Version. 716 | * \param FileName File path requested by the Kernel on the FileSystem. 717 | * \param SecurityInformation Structure that identifies the contents of the security descriptor pointed by \a SecurityDescriptor param. 718 | * \param SecurityDescriptor A pointer to a SECURITY_DESCRIPTOR structure. 719 | * \param BufferLength Specifies the size, in bytes, of the buffer. 720 | * \param DokanFileInfo Information about the file or directory. 721 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 
722 | * \see GetFileSecurity 723 | * \see SetFileSecurity function (MSDN) 724 | */ 725 | NTSTATUS(DOKAN_CALLBACK *SetFileSecurity)(LPCWSTR FileName, 726 | PSECURITY_INFORMATION SecurityInformation, 727 | PSECURITY_DESCRIPTOR SecurityDescriptor, 728 | ULONG BufferLength, 729 | PDOKAN_FILE_INFO DokanFileInfo); 730 | 731 | /** 732 | * \brief FindStreams Dokan API callback 733 | * 734 | * Retrieve information about all NTFS streams of the file. 735 | * This is only called if \ref DOKAN_OPTION_ALT_STREAM is enabled. 736 | * 737 | * \since Supported since version 0.8.0. The version must be specified in \ref DOKAN_OPTIONS.Version. 738 | * \param FileName File path requested by the Kernel on the FileSystem. 739 | * \param FillFindStreamData Callback that has to be called with PWIN32_FIND_STREAM_DATA that contains stream information. 740 | * \param FindStreamContext Context for the event to pass to the callback FillFindStreamData. 741 | * \param DokanFileInfo Information about the file or directory. 742 | * \return \c STATUS_SUCCESS on success or NTSTATUS appropriate to the request result. 743 | */ 744 | NTSTATUS(DOKAN_CALLBACK *FindStreams)(LPCWSTR FileName, 745 | PFillFindStreamData FillFindStreamData, 746 | PVOID FindStreamContext, 747 | PDOKAN_FILE_INFO DokanFileInfo); 748 | 749 | } DOKAN_OPERATIONS, *PDOKAN_OPERATIONS; 750 | 751 | // clang-format on 752 | 753 | /** 754 | * \defgroup DokanMainResult DokanMainResult 755 | * \brief Error codes returned by \ref DokanMain and \ref DokanCreateFileSystem 756 | */ 757 | /** @{ */ 758 | 759 | /** Dokan mount succeeded. */ 760 | #define DOKAN_SUCCESS 0 761 | /** Dokan mount error. */ 762 | #define DOKAN_ERROR -1 763 | /** Dokan mount failed - Bad drive letter. */ 764 | #define DOKAN_DRIVE_LETTER_ERROR -2 765 | /** Dokan mount failed - Can't install driver. */ 766 | #define DOKAN_DRIVER_INSTALL_ERROR -3 767 | /** Dokan mount failed - Driver answered that something is wrong. 
*/ 768 | #define DOKAN_START_ERROR -4 769 | /** 770 | * Dokan mount failed. 771 | * Can't assign a drive letter or mount point. 772 | * Probably already used by another volume. 773 | */ 774 | #define DOKAN_MOUNT_ERROR -5 775 | /** 776 | * Dokan mount failed. 777 | * Mount point is invalid. 778 | */ 779 | #define DOKAN_MOUNT_POINT_ERROR -6 780 | /** 781 | * Dokan mount failed. 782 | * Requested an incompatible version. 783 | */ 784 | #define DOKAN_VERSION_ERROR -7 785 | 786 | /** @} */ 787 | 788 | /** 789 | * \defgroup Dokan Dokan 790 | */ 791 | /** @{ */ 792 | 793 | /** 794 | * \brief Initialize all required Dokan internal resources. 795 | * 796 | * This needs to be called only once before trying to use \ref DokanMain or \ref DokanCreateFileSystem for the first time. 797 | * Otherwise both will fail and raise an exception. 798 | */ 799 | VOID DOKANAPI DokanInit(); 800 | 801 | /** 802 | * \brief Release all resources allocated by \ref DokanInit when they are no longer needed. 803 | * 804 | * This should be called when the application no longer expects to create a new FileSystem with 805 | * \ref DokanMain or \ref DokanCreateFileSystem and after all devices are unmounted. 806 | */ 807 | VOID DOKANAPI DokanShutdown(); 808 | 809 | /** 810 | * \brief Mount a new Dokan Volume. 811 | * 812 | * This function blocks until the device is unmounted. 813 | * If the mount fails, it will directly return a \ref DokanMainResult error. 814 | * 815 | * See \ref DokanCreateFileSystem to mount a Dokan Volume asynchronously. 816 | * 817 | * \param DokanOptions a \ref DOKAN_OPTIONS that describes the mount. 818 | * \param DokanOperations Instance of \ref DOKAN_OPERATIONS that will be called for each request made by the kernel. 819 | * \return \ref DokanMainResult status. 820 | */ 821 | int DOKANAPI DokanMain(PDOKAN_OPTIONS DokanOptions, 822 | PDOKAN_OPERATIONS DokanOperations); 823 | 824 | /** 825 | * \brief Mount a new Dokan Volume. 
826 | * 827 | * It is mandatory to have called \ref DokanInit previously to use this API. 828 | * 829 | * This function returns directly on device mount or on failure. 830 | * See \ref DokanMainResult for possible errors. 831 | * 832 | * \ref DokanWaitForFileSystemClosed can be used to wait until the device is unmounted. 833 | * 834 | * \param DokanOptions a \ref DOKAN_OPTIONS that describes the mount. 835 | * \param DokanOperations Instance of \ref DOKAN_OPERATIONS that will be called for each request made by the kernel. 836 | * \param DokanInstance Dokan mount instance context that can be used for related instance calls like \ref DokanIsFileSystemRunning . 837 | * \return \ref DokanMainResult status. 838 | */ 839 | int DOKANAPI DokanCreateFileSystem(_In_ PDOKAN_OPTIONS DokanOptions, 840 | _In_ PDOKAN_OPERATIONS DokanOperations, 841 | _Out_ DOKAN_HANDLE *DokanInstance); 842 | 843 | /** 844 | * \brief Check if the FileSystem is still running or not. 845 | * 846 | * \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem . 847 | * \return Whether the FileSystem is still running or not. 848 | */ 849 | BOOL DOKANAPI DokanIsFileSystemRunning(_In_ DOKAN_HANDLE DokanInstance); 850 | 851 | /** 852 | * \brief Wait until the FileSystem is unmounted. 853 | * 854 | * \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem . 855 | * \return See WaitForSingleObject for a description of return values. 856 | */ 857 | DWORD DOKANAPI DokanWaitForFileSystemClosed(_In_ DOKAN_HANDLE DokanInstance, 858 | _In_ DWORD dwMilliseconds); 859 | 860 | /** 861 | * \brief Unmount the Dokan instance. 862 | * 863 | * Unmount and wait until all resources of the \c DokanInstance are released. 864 | * 865 | * \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem . 866 | */ 867 | VOID DOKANAPI DokanCloseHandle(_In_ DOKAN_HANDLE DokanInstance); 868 | 869 | /** 870 | * \brief Unmount a Dokan device from a drive letter. 
871 | * 872 | * \param DriveLetter Dokan drive letter to unmount. 873 | * \return \c TRUE if device was unmounted or \c FALSE in case of failure or device not found. 874 | */ 875 | BOOL DOKANAPI DokanUnmount(WCHAR DriveLetter); 876 | 877 | /** 878 | * \brief Unmount a Dokan device from a mount point 879 | * 880 | * \param MountPoint Mount point to unmount ("Z", "Z:", "Z:\", "Z:\MyMountPoint"). 881 | * \return \c TRUE if device was unmounted or \c FALSE in case of failure or device not found. 882 | */ 883 | BOOL DOKANAPI DokanRemoveMountPoint(LPCWSTR MountPoint); 884 | 885 | /** 886 | * \brief Checks whether Name matches Expression 887 | * 888 | * Behaves like the \c FsRtlIsNameInExpression routine from Microsoft\n 889 | * \c * (asterisk) Matches zero or more characters.\n 890 | * ? (question mark) Matches a single character.\n 891 | * \c DOS_DOT (\c " quotation mark) Matches either a period or zero characters beyond the name string.\n 892 | * \c DOS_QM (\c > greater than) Matches any single character or, upon encountering a period or end 893 | * of name string, advances the expression to the end of the set of 894 | * contiguous DOS_QMs.\n 895 | * \c DOS_STAR (\c < less than) Matches zero or more characters until encountering and matching 896 | * the final \c . in the name. 897 | * 898 | * \param Expression Expression can contain any of the above characters. 899 | * \param Name Name to check 900 | * \param IgnoreCase Whether to ignore case when matching 901 | * \return Whether the name matches the expression 902 | */ 903 | BOOL DOKANAPI DokanIsNameInExpression(LPCWSTR Expression, LPCWSTR Name, 904 | BOOL IgnoreCase); 905 | 906 | /** 907 | * \brief Get the version of Dokan. 908 | * The returned ULONG is the version number without the dots. 909 | * \return The version of Dokan 910 | */ 911 | ULONG DOKANAPI DokanVersion(); 912 | 913 | /** 914 | * \brief Get the version of the Dokan driver. 915 | * The returned ULONG is the version number without the dots. 
916 | * \return The version of Dokan driver. 917 | */ 918 | ULONG DOKANAPI DokanDriverVersion(); 919 | 920 | /** 921 | * \brief Extends the timeout of the current IO operation in driver. 922 | * 923 | * \param Timeout Extended time in milliseconds requested. 924 | * \param DokanFileInfo \ref DOKAN_FILE_INFO of the operation to extend. 925 | * \return If the operation was successful. 926 | */ 927 | BOOL DOKANAPI DokanResetTimeout(ULONG Timeout, PDOKAN_FILE_INFO DokanFileInfo); 928 | 929 | /** 930 | * \brief Get the handle to Access Token. 931 | * 932 | * This method needs to be called in the \ref DOKAN_OPERATIONS.ZwCreateFile callback. 933 | * The caller must call CloseHandle 934 | * for the returned handle. 935 | * 936 | * \param DokanFileInfo \ref DOKAN_FILE_INFO of the operation to extend. 937 | * \return A handle to the account token for the user on whose behalf the code is running. 938 | */ 939 | HANDLE DOKANAPI DokanOpenRequestorToken(PDOKAN_FILE_INFO DokanFileInfo); 940 | 941 | /** 942 | * \brief Get active Dokan mount points. 943 | * 944 | * The returned array needs to be released by calling \ref DokanReleaseMountPointList 945 | * 946 | * \param uncOnly Get only instances that have UNC Name. 947 | * \param nbRead Number of instances successfully retrieved. 948 | * \return Allocated array of DOKAN_MOUNT_POINT_INFO. 949 | */ 950 | PDOKAN_MOUNT_POINT_INFO DOKANAPI DokanGetMountPointList(BOOL uncOnly, PULONG nbRead); 951 | 952 | /** 953 | * \brief Release Mount point list resources from \ref DokanGetMountPointList. 954 | * 955 | * After \ref DokanGetMountPointList call you will receive a dynamically allocated array of DOKAN_MOUNT_POINT_INFO. 956 | * This array needs to be released when no longer needed by calling this function. 957 | * 958 | * \param list Allocated array of DOKAN_MOUNT_POINT_INFO from \ref DokanGetMountPointList. 959 | * \return Nothing. 
960 | */ 961 | VOID DOKANAPI DokanReleaseMountPointList(PDOKAN_MOUNT_POINT_INFO list); 962 | 963 | /** 964 | * \brief Convert \ref DOKAN_OPERATIONS.ZwCreateFile parameters to CreateFile parameters. 965 | * 966 | * Dokan Kernel forward the DesiredAccess directly from the IRP_MJ_CREATE. 967 | * This DesiredAccess has been converted from generic rights (user CreateFile request) to standard rights and will be converted back here. 968 | * https://msdn.microsoft.com/windows/hardware/drivers/ifs/access-mask 969 | * 970 | * \param DesiredAccess DesiredAccess from \ref DOKAN_OPERATIONS.ZwCreateFile. 971 | * \param FileAttributes FileAttributes from \ref DOKAN_OPERATIONS.ZwCreateFile. 972 | * \param CreateOptions CreateOptions from \ref DOKAN_OPERATIONS.ZwCreateFile. 973 | * \param CreateDisposition CreateDisposition from \ref DOKAN_OPERATIONS.ZwCreateFile. 974 | * \param outDesiredAccess New CreateFile dwDesiredAccess. 975 | * \param outFileAttributesAndFlags New CreateFile dwFlagsAndAttributes. 976 | * \param outCreationDisposition New CreateFile dwCreationDisposition. 977 | * \see CreateFile function (MSDN) 978 | */ 979 | VOID DOKANAPI DokanMapKernelToUserCreateFileFlags( 980 | ACCESS_MASK DesiredAccess, ULONG FileAttributes, ULONG CreateOptions, 981 | ULONG CreateDisposition, ACCESS_MASK *outDesiredAccess, 982 | DWORD *outFileAttributesAndFlags, DWORD *outCreationDisposition); 983 | 984 | /** 985 | * \defgroup DokanNotify Dokan Notify 986 | * \brief Dokan User FS file-change notification 987 | * 988 | * The application implementing the user file system can notify 989 | * the Dokan kernel driver of external file- and directory-changes. 990 | * 991 | * For example, the mirror application can notify the driver about 992 | * changes made in the mirrored directory so that those changes will 993 | * be automatically reflected in the implemented mirror file system. 
994 | * 995 | * This requires the FilePath passed to the respective DokanNotify*-functions 996 | * to include the absolute path of the changed file including the drive-letter 997 | * and the path to the mount point, e.g. "C:\Dokan\ChangedFile.txt". 998 | * 999 | * These functions SHOULD NOT be called from within the implemented 1000 | * file system and thus be independent of any Dokan file system operation. 1001 | * @{ 1002 | */ 1003 | 1004 | /** 1005 | * \brief Notify dokan that a file or a directory has been created. 1006 | * 1007 | * \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem . 1008 | * \param FilePath Absolute path to the file or directory, including the mount-point of the file system. 1009 | * \param IsDirectory Indicates if the path is a directory. 1010 | * \return \c TRUE if notification succeeded. 1011 | */ 1012 | BOOL DOKANAPI DokanNotifyCreate(_In_ DOKAN_HANDLE DokanInstance, 1013 | _In_ LPCWSTR FilePath, _In_ BOOL IsDirectory); 1014 | 1015 | /** 1016 | * \brief Notify dokan that a file or a directory has been deleted. 1017 | * 1018 | * \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem . 1019 | * \param FilePath Absolute path to the file or directory, including the mount-point of the file system. 1020 | * \param IsDirectory Indicates if the path was a directory. 1021 | * \return \c TRUE if notification succeeded. 1022 | */ 1023 | BOOL DOKANAPI DokanNotifyDelete(_In_ DOKAN_HANDLE DokanInstance, 1024 | _In_ LPCWSTR FilePath, _In_ BOOL IsDirectory); 1025 | 1026 | /** 1027 | * \brief Notify dokan that file or directory attributes have changed. 1028 | * 1029 | * \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem . 1030 | * \param FilePath Absolute path to the file or directory, including the mount-point of the file system. 1031 | * \return \c TRUE if notification succeeded. 
1032 | */ 1033 | BOOL DOKANAPI DokanNotifyUpdate(_In_ DOKAN_HANDLE DokanInstance, 1034 | _In_ LPCWSTR FilePath); 1035 | 1036 | /** 1037 | * \brief Notify dokan that file or directory extended attributes have changed. 1038 | * 1039 | * \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem . 1040 | * \param FilePath Absolute path to the file or directory, including the mount-point of the file system. 1041 | * \return \c TRUE if notification succeeded. 1042 | */ 1043 | BOOL DOKANAPI DokanNotifyXAttrUpdate(_In_ DOKAN_HANDLE DokanInstance, 1044 | _In_ LPCWSTR FilePath); 1045 | 1046 | /** 1047 | * \brief Notify dokan that a file or a directory has been renamed. This method 1048 | * supports in-place rename for file/directory within the same parent. 1049 | * 1050 | * \param DokanInstance The dokan mount context created by \ref DokanCreateFileSystem . 1051 | * \param OldPath Old, absolute path to the file or directory, including the mount-point of the file system. 1052 | * \param NewPath New, absolute path to the file or directory, including the mount-point of the file system. 1053 | * \param IsDirectory Indicates if the path is a directory. 1054 | * \param IsInSameDirectory Indicates if the file or directory have the same parent directory. 1055 | * \return \c TRUE if notification succeeded. 1056 | */ 1057 | BOOL DOKANAPI DokanNotifyRename(_In_ DOKAN_HANDLE DokanInstance, 1058 | _In_ LPCWSTR OldPath, _In_ LPCWSTR NewPath, 1059 | _In_ BOOL IsDirectory, 1060 | _In_ BOOL IsInSameDirectory); 1061 | 1062 | /**@}*/ 1063 | 1064 | /** 1065 | * \brief Convert WIN32 error to NTSTATUS 1066 | * 1067 | * https://support.microsoft.com/en-us/kb/113996 1068 | * 1069 | * \param Error Win32 Error to convert 1070 | * \return NTSTATUS associate to the ERROR. 
1071 | */ 1072 | NTSTATUS DOKANAPI DokanNtStatusFromWin32(DWORD Error); 1073 | 1074 | /** @} */ 1075 | 1076 | #ifdef __cplusplus 1077 | } 1078 | #endif 1079 | 1080 | #endif // DOKAN_H_ 1081 | -------------------------------------------------------------------------------- /rust_dma/includes/fileinfo.h: -------------------------------------------------------------------------------- 1 | /* 2 | Dokan : user-mode file system library for Windows 3 | 4 | Copyright (C) 2015 - 2019 Adrien J. and Maxime C. 5 | Copyright (C) 2007 - 2011 Hiroki Asakawa 6 | 7 | http://dokan-dev.github.io 8 | 9 | This program is free software; you can redistribute it and/or modify it under 10 | the terms of the GNU Lesser General Public License as published by the Free 11 | Software Foundation; either version 3 of the License, or (at your option) any 12 | later version. 13 | 14 | This program is distributed in the hope that it will be useful, but WITHOUT ANY 15 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 16 | FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 17 | 18 | You should have received a copy of the GNU Lesser General Public License along 19 | with this program. If not, see . 
20 | */ 21 | 22 | #ifndef FILEINFO_H_ 23 | #define FILEINFO_H_ 24 | 25 | #define IRP_MJ_CREATE 0x00 26 | #define IRP_MJ_CREATE_NAMED_PIPE 0x01 27 | #define IRP_MJ_CLOSE 0x02 28 | #define IRP_MJ_READ 0x03 29 | #define IRP_MJ_WRITE 0x04 30 | #define IRP_MJ_QUERY_INFORMATION 0x05 31 | #define IRP_MJ_SET_INFORMATION 0x06 32 | #define IRP_MJ_QUERY_EA 0x07 33 | #define IRP_MJ_SET_EA 0x08 34 | #define IRP_MJ_FLUSH_BUFFERS 0x09 35 | #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a 36 | #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b 37 | #define IRP_MJ_DIRECTORY_CONTROL 0x0c 38 | #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d 39 | #define IRP_MJ_DEVICE_CONTROL 0x0e 40 | #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f 41 | #define IRP_MJ_SHUTDOWN 0x10 42 | #define IRP_MJ_LOCK_CONTROL 0x11 43 | #define IRP_MJ_CLEANUP 0x12 44 | #define IRP_MJ_CREATE_MAILSLOT 0x13 45 | #define IRP_MJ_QUERY_SECURITY 0x14 46 | #define IRP_MJ_SET_SECURITY 0x15 47 | #define IRP_MJ_POWER 0x16 48 | #define IRP_MJ_SYSTEM_CONTROL 0x17 49 | #define IRP_MJ_DEVICE_CHANGE 0x18 50 | #define IRP_MJ_QUERY_QUOTA 0x19 51 | #define IRP_MJ_SET_QUOTA 0x1a 52 | #define IRP_MJ_PNP 0x1b 53 | #define IRP_MJ_PNP_POWER IRP_MJ_PNP 54 | #define IRP_MJ_MAXIMUM_FUNCTION 0x1b 55 | 56 | #define IRP_MN_LOCK 0x01 57 | #define IRP_MN_UNLOCK_SINGLE 0x02 58 | #define IRP_MN_UNLOCK_ALL 0x03 59 | #define IRP_MN_UNLOCK_ALL_BY_KEY 0x04 60 | 61 | typedef enum _FILE_INFORMATION_CLASS { 62 | FileDirectoryInformation = 1, 63 | FileFullDirectoryInformation, // 2 64 | FileBothDirectoryInformation, // 3 65 | FileBasicInformation, // 4 66 | FileStandardInformation, // 5 67 | FileInternalInformation, // 6 68 | FileEaInformation, // 7 69 | FileAccessInformation, // 8 70 | FileNameInformation, // 9 71 | FileRenameInformation, // 10 72 | FileLinkInformation, // 11 73 | FileNamesInformation, // 12 74 | FileDispositionInformation, // 13 75 | FilePositionInformation, // 14 76 | FileFullEaInformation, // 15 77 | FileModeInformation, // 16 78 | FileAlignmentInformation, 
// 17 79 | FileAllInformation, // 18 80 | FileAllocationInformation, // 19 81 | FileEndOfFileInformation, // 20 82 | FileAlternateNameInformation, // 21 83 | FileStreamInformation, // 22 84 | FilePipeInformation, // 23 85 | FilePipeLocalInformation, // 24 86 | FilePipeRemoteInformation, // 25 87 | FileMailslotQueryInformation, // 26 88 | FileMailslotSetInformation, // 27 89 | FileCompressionInformation, // 28 90 | FileObjectIdInformation, // 29 91 | FileCompletionInformation, // 30 92 | FileMoveClusterInformation, // 31 93 | FileQuotaInformation, // 32 94 | FileReparsePointInformation, // 33 95 | FileNetworkOpenInformation, // 34 96 | FileAttributeTagInformation, // 35 97 | FileTrackingInformation, // 36 98 | FileIdBothDirectoryInformation, // 37 99 | FileIdFullDirectoryInformation, // 38 100 | FileValidDataLengthInformation, // 39 101 | FileShortNameInformation, // 40 102 | FileIoCompletionNotificationInformation, // 41 103 | FileIoStatusBlockRangeInformation, // 42 104 | FileIoPriorityHintInformation, // 43 105 | FileSfioReserveInformation, // 44 106 | FileSfioVolumeInformation, // 45 107 | FileHardLinkInformation, // 46 108 | FileProcessIdsUsingFileInformation, // 47 109 | FileNormalizedNameInformation, // 48 110 | FileNetworkPhysicalNameInformation, // 49 111 | FileIdGlobalTxDirectoryInformation, // 50 112 | FileIsRemoteDeviceInformation, // 51 113 | FileUnusedInformation, // 52 114 | FileNumaNodeInformation, // 53 115 | FileStandardLinkInformation, // 54 116 | FileRemoteProtocolInformation, // 55 117 | 118 | // 119 | // These are special versions of these operations (defined earlier) 120 | // which can be used by kernel mode drivers only to bypass security 121 | // access checks for Rename and HardLink operations. These operations 122 | // are only recognized by the IOManager, a file system should never 123 | // receive these. 
124 | // 125 | 126 | FileRenameInformationBypassAccessCheck, // 56 127 | FileLinkInformationBypassAccessCheck, // 57 128 | 129 | // 130 | // End of special information classes reserved for IOManager. 131 | // 132 | 133 | FileVolumeNameInformation, // 58 134 | FileIdInformation, // 59 135 | FileIdExtdDirectoryInformation, // 60 136 | FileReplaceCompletionInformation, // 61 137 | FileHardLinkFullIdInformation, // 62 138 | FileIdExtdBothDirectoryInformation, // 63 139 | FileDispositionInformationEx, // 64 140 | FileRenameInformationEx, // 65 141 | FileRenameInformationExBypassAccessCheck, // 66 142 | FileDesiredStorageClassInformation, // 67 143 | FileStatInformation, // 68 144 | FileMemoryPartitionInformation, // 69 145 | 146 | FileMaximumInformation 147 | } FILE_INFORMATION_CLASS, 148 | *PFILE_INFORMATION_CLASS; 149 | 150 | typedef enum _FSINFOCLASS { 151 | FileFsVolumeInformation = 1, 152 | FileFsLabelInformation, // 2 153 | FileFsSizeInformation, // 3 154 | FileFsDeviceInformation, // 4 155 | FileFsAttributeInformation, // 5 156 | FileFsControlInformation, // 6 157 | FileFsFullSizeInformation, // 7 158 | FileFsObjectIdInformation, // 8 159 | FileFsDriverPathInformation, // 9 160 | FileFsVolumeFlagsInformation, // 10 161 | FileFsMaximumInformation 162 | } FS_INFORMATION_CLASS, 163 | *PFS_INFORMATION_CLASS; 164 | 165 | /** 166 | * \struct FILE_ALIGNMENT_INFORMATION 167 | * \brief Used as an argument to the ZwQueryInformationFile routine. 168 | * 169 | * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAllInformation 170 | */ 171 | typedef struct _FILE_ALIGNMENT_INFORMATION { 172 | /** 173 | * The buffer alignment required by the underlying device. For a list of system-defined values, see DEVICE_OBJECT. 174 | * The value must be one of the FILE_XXX_ALIGNMENT values defined in Wdm.h. 175 | * For more information, see DEVICE_OBJECT and Initializing a Device Object. 
176 | */ 177 | ULONG AlignmentRequirement; 178 | } FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION; 179 | 180 | /** 181 | * \struct FILE_NAME_INFORMATION 182 | * \brief Used as argument to the ZwQueryInformationFile and ZwSetInformationFile routines. 183 | * 184 | * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileNameInformation 185 | */ 186 | typedef struct _FILE_NAME_INFORMATION { 187 | /** 188 | * Specifies the length, in bytes, of the file name string. 189 | */ 190 | ULONG FileNameLength; 191 | /** 192 | * Specifies the first character of the file name string. This is followed in memory by the remainder of the string. 193 | */ 194 | WCHAR FileName[1]; 195 | } FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; 196 | 197 | /** 198 | * \struct FILE_ATTRIBUTE_TAG_INFORMATION 199 | * \brief Used as an argument to ZwQueryInformationFile. 200 | * 201 | * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAttributeTagInformation 202 | */ 203 | typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION { 204 | /** 205 | * Specifies one or more FILE_ATTRIBUTE_XXX flags. 206 | * For descriptions of these flags, see the documentation of the GetFileAttributes function in the Microsoft Windows SDK. 207 | */ 208 | ULONG FileAttributes; 209 | /** 210 | * Specifies the reparse point tag. If the FileAttributes member includes the FILE_ATTRIBUTE_REPARSE_POINT attribute flag, 211 | * this member specifies the reparse tag. Otherwise, this member is unused. 212 | */ 213 | ULONG ReparseTag; 214 | } FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION; 215 | 216 | /** 217 | * \struct FILE_DISPOSITION_INFORMATION 218 | * \brief Used as an argument to the ZwSetInformationFile routine. 
*
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileDispositionInformation
 */
typedef struct _FILE_DISPOSITION_INFORMATION {
  /**
   * Indicates whether the operating system should delete the file when the file is closed.
   * Set this member to TRUE to delete the file when it is closed.
   * Otherwise, set to FALSE. Setting this member to FALSE has no effect if the handle was opened with FILE_FLAG_DELETE_ON_CLOSE.
   */
  BOOLEAN DeleteFile;
} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;

/* Bit values for FILE_DISPOSITION_INFORMATION_EX::Flags. */
#define FILE_DISPOSITION_DO_NOT_DELETE 0x00000000 // Specifies the system should not delete a file.
#define FILE_DISPOSITION_DELETE 0x00000001 // Specifies the system should delete a file.
#define FILE_DISPOSITION_POSIX_SEMANTICS 0x00000002 // Specifies the system should perform a POSIX-style delete.
#define FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK 0x00000004 // Specifies the system should force an image section check.
#define FILE_DISPOSITION_ON_CLOSE 0x00000008 // Specifies if the system sets or clears the on-close state.

/**
 * \struct FILE_DISPOSITION_INFORMATION_EX
 * \brief Used as an argument to the ZwSetInformationFile routine.
 *
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileDispositionInformationEx
 */
typedef struct _FILE_DISPOSITION_INFORMATION_EX {
  /**
   * Specifies what action(s) the system should take with a specific file while deleting.
   *
   * \li \c FILE_DISPOSITION_DO_NOT_DELETE Specifies the system should not delete a file.
   * \li \c FILE_DISPOSITION_DELETE Specifies the system should delete a file.
   * \li \c FILE_DISPOSITION_POSIX_SEMANTICS Specifies the system should perform a POSIX-style delete.
   * \li \c FILE_DISPOSITION_FORCE_IMAGE_SECTION_CHECK Specifies the system should force an image section check.
   * \li \c FILE_DISPOSITION_ON_CLOSE Specifies if the system sets or clears the on-close state.
   */
  ULONG Flags;
} FILE_DISPOSITION_INFORMATION_EX, *PFILE_DISPOSITION_INFORMATION_EX;

/**
 * \struct FILE_END_OF_FILE_INFORMATION
 * \brief Used as an argument to the ZwSetInformationFile routine.
 *
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileEndOfFileInformation
 */
typedef struct _FILE_END_OF_FILE_INFORMATION {
  /**
   * The absolute new end of file position as a byte offset from the start of the file.
   */
  LARGE_INTEGER EndOfFile;
} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;

/**
 * \struct FILE_VALID_DATA_LENGTH_INFORMATION
 * \brief Used as an argument to ZwSetInformationFile.
 *
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileValidDataLengthInformation
 */
typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
  /**
   * Specifies the new valid data length for the file.
   * This parameter must be a positive value that is greater than the current valid data length, but less than or equal to the current file size.
   */
  LARGE_INTEGER ValidDataLength;
} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;

/**
 * \struct FILE_BASIC_INFORMATION
 * \brief Used as an argument to routines that query or set file information.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileBasicInformation and FileAllInformation
 */
typedef struct _FILE_BASIC_INFORMATION {
  /**
   * Specifies the time that the file was created.
   */
  LARGE_INTEGER CreationTime;
  /**
   * Specifies the time that the file was last accessed.
   */
  LARGE_INTEGER LastAccessTime;
  /**
   * Specifies the time that the file was last written to.
   */
  LARGE_INTEGER LastWriteTime;
  /**
   * Specifies the last time the file was changed.
   */
  LARGE_INTEGER ChangeTime;
  /**
   * Specifies one or more FILE_ATTRIBUTE_XXX flags. For descriptions of these flags,
   * see the documentation for the GetFileAttributes function in the Microsoft Windows SDK.
   */
  ULONG FileAttributes;
} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;

/**
 * \struct FILE_STANDARD_INFORMATION
 * \brief Used as an argument to routines that query or set file information.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileStandardInformation and FileAllInformation
 */
typedef struct _FILE_STANDARD_INFORMATION {
  /**
   * The file allocation size in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
   */
  LARGE_INTEGER AllocationSize;
  /**
   * The end of file location as a byte offset.
   */
  LARGE_INTEGER EndOfFile;
  /**
   * The number of hard links to the file.
   */
  ULONG NumberOfLinks;
  /**
   * The delete pending status. TRUE indicates that a file deletion has been requested.
   */
  BOOLEAN DeletePending;
  /**
   * The file directory status. TRUE indicates the file object represents a directory.
   */
  BOOLEAN Directory;
} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;

/**
 * \struct FILE_POSITION_INFORMATION
 * \brief Used as an argument to routines that query or set file information.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FilePositionInformation and FileAllInformation
 */
typedef struct _FILE_POSITION_INFORMATION {
  /**
   * The byte offset of the current file pointer.
   */
  LARGE_INTEGER CurrentByteOffset;
} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;

/**
 * \struct FILE_DIRECTORY_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * \note Variable-length and chained: FileName declares a single WCHAR and the name continues
 * past the end of the struct, and several entries may share one buffer, linked through
 * NextEntryOffset. Before touching an entry, a reader should check that its fixed part and
 * then FileNameLength bytes of name lie inside the buffer, and that a non-zero
 * NextEntryOffset moves forward and stays inside the buffer. The same applies to the other
 * FILE_*_DIR_INFORMATION structs below.
 */
typedef struct _FILE_DIRECTORY_INFORMATION {
  /**
   * Byte offset of the next FILE_DIRECTORY_INFORMATION entry, if multiple entries are present in a buffer.
   * This member is zero if no other entries follow this one.
   */
  ULONG NextEntryOffset;
  /**
   * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
   * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
   */
  ULONG FileIndex;
  /**
   * Time when the file was created.
   */
  LARGE_INTEGER CreationTime;
  /**
   * Last time the file was accessed.
   */
  LARGE_INTEGER LastAccessTime;
  /**
   * Last time information was written to the file.
   */
  LARGE_INTEGER LastWriteTime;
  /**
   * Last time the file was changed.
   */
  LARGE_INTEGER ChangeTime;
  /**
   * Absolute new end-of-file position as a byte offset from the start of the file.
   * EndOfFile specifies the byte offset to the end of the file.
   * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
   * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
   */
  LARGE_INTEGER EndOfFile;
  /**
   * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
   */
  LARGE_INTEGER AllocationSize;
  /**
   * File attributes, which can be any valid combination of the following:
   *
   * \li \c FILE_ATTRIBUTE_READONLY
   * \li \c FILE_ATTRIBUTE_HIDDEN
   * \li \c FILE_ATTRIBUTE_SYSTEM
   * \li \c FILE_ATTRIBUTE_DIRECTORY
   * \li \c FILE_ATTRIBUTE_ARCHIVE
   * \li \c FILE_ATTRIBUTE_NORMAL
   * \li \c FILE_ATTRIBUTE_TEMPORARY
   * \li \c FILE_ATTRIBUTE_COMPRESSED
   */
  ULONG FileAttributes;
  /**
   * Specifies the length, in bytes, of the file name string.
   */
  ULONG FileNameLength;
  /**
   * Specifies the first character of the file name string.
   * This is followed in memory by the remainder of the string.
   */
  WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

/**
 * \struct FILE_FULL_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * \note Variable-length and chained; see the note on FILE_DIRECTORY_INFORMATION.
 */
typedef struct _FILE_FULL_DIR_INFORMATION {
  /**
   * Byte offset of the next FILE_FULL_DIR_INFORMATION entry, if multiple entries are present in a buffer.
   * This member is zero if no other entries follow this one.
   */
  ULONG NextEntryOffset;
  /**
   * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
   * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
   */
  ULONG FileIndex;
  /**
   * Time when the file was created.
   */
  LARGE_INTEGER CreationTime;
  /**
   * Last time the file was accessed.
   */
  LARGE_INTEGER LastAccessTime;
  /**
   * Last time information was written to the file.
   */
  LARGE_INTEGER LastWriteTime;
  /**
   * Last time the file was changed.
   */
  LARGE_INTEGER ChangeTime;
  /**
   * Absolute new end-of-file position as a byte offset from the start of the file.
   * EndOfFile specifies the byte offset to the end of the file.
   * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
   * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
   */
  LARGE_INTEGER EndOfFile;
  /**
   * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
   */
  LARGE_INTEGER AllocationSize;
  /**
   * File attributes, which can be any valid combination of the following:
   *
   * \li \c FILE_ATTRIBUTE_READONLY
   * \li \c FILE_ATTRIBUTE_HIDDEN
   * \li \c FILE_ATTRIBUTE_SYSTEM
   * \li \c FILE_ATTRIBUTE_DIRECTORY
   * \li \c FILE_ATTRIBUTE_ARCHIVE
   * \li \c FILE_ATTRIBUTE_NORMAL
   * \li \c FILE_ATTRIBUTE_TEMPORARY
   * \li \c FILE_ATTRIBUTE_COMPRESSED
   */
  ULONG FileAttributes;
  /**
   * Specifies the length, in bytes, of the file name string.
   */
  ULONG FileNameLength;
  /**
   * Combined length, in bytes, of the extended attributes (EA) for the file.
   */
  ULONG EaSize;
  /**
   * Specifies the first character of the file name string.
   * This is followed in memory by the remainder of the string.
   */
  WCHAR FileName[1];
} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION;

/**
 * \struct FILE_ID_FULL_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * \note Variable-length and chained; see the note on FILE_DIRECTORY_INFORMATION.
 */
typedef struct _FILE_ID_FULL_DIR_INFORMATION {
  /**
   * Byte offset of the next FILE_ID_FULL_DIR_INFORMATION entry, if multiple entries are present in a buffer.
   * This member is zero if no other entries follow this one.
   */
  ULONG NextEntryOffset;
  /**
   * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
   * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
   */
  ULONG FileIndex;
  /**
   * Time when the file was created.
   */
  LARGE_INTEGER CreationTime;
  /**
   * Last time the file was accessed.
   */
  LARGE_INTEGER LastAccessTime;
  /**
   * Last time information was written to the file.
   */
  LARGE_INTEGER LastWriteTime;
  /**
   * Last time the file was changed.
   */
  LARGE_INTEGER ChangeTime;
  /**
   * Absolute new end-of-file position as a byte offset from the start of the file.
   * EndOfFile specifies the byte offset to the end of the file.
   * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
   * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
   */
  LARGE_INTEGER EndOfFile;
  /**
   * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
   */
  LARGE_INTEGER AllocationSize;
  /**
   * File attributes, which can be any valid combination of the following:
   *
   * \li \c FILE_ATTRIBUTE_READONLY
   * \li \c FILE_ATTRIBUTE_HIDDEN
   * \li \c FILE_ATTRIBUTE_SYSTEM
   * \li \c FILE_ATTRIBUTE_DIRECTORY
   * \li \c FILE_ATTRIBUTE_ARCHIVE
   * \li \c FILE_ATTRIBUTE_NORMAL
   * \li \c FILE_ATTRIBUTE_TEMPORARY
   * \li \c FILE_ATTRIBUTE_COMPRESSED
   */
  ULONG FileAttributes;
  /**
   * Specifies the length, in bytes, of the file name string.
   */
  ULONG FileNameLength;
  /**
   * Combined length, in bytes, of the extended attributes (EA) for the file.
   */
  ULONG EaSize;
  /**
   * The 8-byte file reference number for the file. (Note that this is not the same as the 16-byte
   * "file object ID" that was added to NTFS for Microsoft Windows 2000.)
   */
  LARGE_INTEGER FileId;
  /**
   * Specifies the first character of the file name string.
   * This is followed in memory by the remainder of the string.
   */
  WCHAR FileName[1];
} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION;

/**
 * \struct FILE_BOTH_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * \note Variable-length and chained; see the note on FILE_DIRECTORY_INFORMATION.
 * ShortNameLength counts bytes while ShortName holds 12 WCHARs, so a reader should check
 * that ShortNameLength is non-negative and no larger than sizeof(ShortName) before using
 * it as a copy length.
 */
typedef struct _FILE_BOTH_DIR_INFORMATION {
  /**
   * Byte offset of the next FILE_BOTH_DIR_INFORMATION entry, if multiple entries are present in a buffer.
   * This member is zero if no other entries follow this one.
   */
  ULONG NextEntryOffset;
  /**
   * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
   * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
   */
  ULONG FileIndex;
  /**
   * Time when the file was created.
   */
  LARGE_INTEGER CreationTime;
  /**
   * Last time the file was accessed.
   */
  LARGE_INTEGER LastAccessTime;
  /**
   * Last time information was written to the file.
   */
  LARGE_INTEGER LastWriteTime;
  /**
   * Last time the file was changed.
   */
  LARGE_INTEGER ChangeTime;
  /**
   * Absolute new end-of-file position as a byte offset from the start of the file.
   * EndOfFile specifies the byte offset to the end of the file.
   * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
   * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
   */
  LARGE_INTEGER EndOfFile;
  /**
   * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
   */
  LARGE_INTEGER AllocationSize;
  /**
   * File attributes, which can be any valid combination of the following:
   *
   * \li \c FILE_ATTRIBUTE_READONLY
   * \li \c FILE_ATTRIBUTE_HIDDEN
   * \li \c FILE_ATTRIBUTE_SYSTEM
   * \li \c FILE_ATTRIBUTE_DIRECTORY
   * \li \c FILE_ATTRIBUTE_ARCHIVE
   * \li \c FILE_ATTRIBUTE_NORMAL
   * \li \c FILE_ATTRIBUTE_TEMPORARY
   * \li \c FILE_ATTRIBUTE_COMPRESSED
   */
  ULONG FileAttributes;
  /**
   * Specifies the length, in bytes, of the file name string.
   */
  ULONG FileNameLength;
  /**
   * Combined length, in bytes, of the extended attributes (EA) for the file.
   */
  ULONG EaSize;
  /**
   * Specifies the length, in bytes, of the short file name string.
   */
  CCHAR ShortNameLength;
  /**
   * Unicode string containing the short (8.3) name for the file.
   */
  WCHAR ShortName[12];
  /**
   * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
   */
  WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

/**
 * \struct FILE_ID_BOTH_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * \note Variable-length and chained; see the notes on FILE_DIRECTORY_INFORMATION and,
 * for ShortNameLength, on FILE_BOTH_DIR_INFORMATION.
 */
typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
  /**
   * Byte offset of the next FILE_ID_BOTH_DIR_INFORMATION entry, if multiple entries are present in a buffer.
   * This member is zero if no other entries follow this one.
   */
  ULONG NextEntryOffset;
  /**
   * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
   * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
   */
  ULONG FileIndex;
  /**
   * Time when the file was created.
   */
  LARGE_INTEGER CreationTime;
  /**
   * Last time the file was accessed.
   */
  LARGE_INTEGER LastAccessTime;
  /**
   * Last time information was written to the file.
   */
  LARGE_INTEGER LastWriteTime;
  /**
   * Last time the file was changed.
   */
  LARGE_INTEGER ChangeTime;
  /**
   * Absolute new end-of-file position as a byte offset from the start of the file.
   * EndOfFile specifies the byte offset to the end of the file.
   * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
   * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
   */
  LARGE_INTEGER EndOfFile;
  /**
   * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
   */
  LARGE_INTEGER AllocationSize;
  /**
   * File attributes, which can be any valid combination of the following:
   *
   * \li \c FILE_ATTRIBUTE_READONLY
   * \li \c FILE_ATTRIBUTE_HIDDEN
   * \li \c FILE_ATTRIBUTE_SYSTEM
   * \li \c FILE_ATTRIBUTE_DIRECTORY
   * \li \c FILE_ATTRIBUTE_ARCHIVE
   * \li \c FILE_ATTRIBUTE_NORMAL
   * \li \c FILE_ATTRIBUTE_TEMPORARY
   * \li \c FILE_ATTRIBUTE_COMPRESSED
   */
  ULONG FileAttributes;
  /**
   * Specifies the length, in bytes, of the file name string.
   */
  ULONG FileNameLength;
  /**
   * Combined length, in bytes, of the extended attributes (EA) for the file.
   */
  ULONG EaSize;
  /**
   * Specifies the length, in bytes, of the short file name string.
   */
  CCHAR ShortNameLength;
  /**
   * Unicode string containing the short (8.3) name for the file.
   */
  WCHAR ShortName[12];
  /**
   * The 8-byte file reference number for the file. This number is generated and assigned to the file by the file system.
   * (Note that the FileId is not the same as the 16-byte "file object ID" that was added to NTFS for Microsoft Windows 2000.)
   */
  LARGE_INTEGER FileId;
  /**
   * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
   */
  WCHAR FileName[1];
} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION;

/**
 * \struct FILE_ID_EXTD_BOTH_DIR_INFORMATION
 * \brief Used to query detailed information for the files in a directory.
 *
 * \note Variable-length and chained; see the notes on FILE_DIRECTORY_INFORMATION and,
 * for ShortNameLength, on FILE_BOTH_DIR_INFORMATION.
 */
typedef struct _FILE_ID_EXTD_BOTH_DIR_INFORMATION {
  /**
   * Byte offset of the next FILE_ID_EXTD_BOTH_DIR_INFORMATION entry, if multiple entries are present in a buffer.
   * This member is zero if no other entries follow this one.
   */
  ULONG NextEntryOffset;
  /**
   * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
   * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
   */
  ULONG FileIndex;
  /**
   * Time when the file was created.
   */
  LARGE_INTEGER CreationTime;
  /**
   * Last time the file was accessed.
   */
  LARGE_INTEGER LastAccessTime;
  /**
   * Last time information was written to the file.
   */
  LARGE_INTEGER LastWriteTime;
  /**
   * Last time the file was changed.
   */
  LARGE_INTEGER ChangeTime;
  /**
   * Absolute new end-of-file position as a byte offset from the start of the file.
   * EndOfFile specifies the byte offset to the end of the file.
   * Because this value is zero-based, it actually refers to the first free byte in the file. In other words,
   * EndOfFile is the offset to the byte immediately following the last valid byte in the file.
   */
  LARGE_INTEGER EndOfFile;
  /**
   * File allocation size, in bytes. Usually, this value is a multiple of the sector or cluster size of the underlying physical device.
   */
  LARGE_INTEGER AllocationSize;
  /**
   * File attributes, which can be any valid combination of the following:
   *
   * \li \c FILE_ATTRIBUTE_READONLY
   * \li \c FILE_ATTRIBUTE_HIDDEN
   * \li \c FILE_ATTRIBUTE_SYSTEM
   * \li \c FILE_ATTRIBUTE_DIRECTORY
   * \li \c FILE_ATTRIBUTE_ARCHIVE
   * \li \c FILE_ATTRIBUTE_NORMAL
   * \li \c FILE_ATTRIBUTE_TEMPORARY
   * \li \c FILE_ATTRIBUTE_COMPRESSED
   */
  ULONG FileAttributes;
  /**
   * Specifies the length, in bytes, of the file name string.
   */
  ULONG FileNameLength;
  /**
   * Combined length, in bytes, of the extended attributes (EA) for the file.
   */
  ULONG EaSize;
  /**
   * Tag value for the reparse point.
   */
  ULONG ReparsePointTag;
  /**
   * The 128-bit (16-byte) file reference number for the file. This number is generated and assigned to the file by the file system.
   */
  FILE_ID_128 FileId;
  /**
   * Specifies the length, in bytes, of the short file name string.
   */
  CCHAR ShortNameLength;
  /**
   * Unicode string containing the short (8.3) name for the file.
   */
  WCHAR ShortName[12];
  /**
   * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
   */
  WCHAR FileName[1];
} FILE_ID_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_EXTD_BOTH_DIR_INFORMATION;

/**
 * \struct FILE_NAMES_INFORMATION
 * \brief Used to query detailed information about the names of files in a directory.
*/
typedef struct _FILE_NAMES_INFORMATION {
  /**
   * Byte offset for the next FILE_NAMES_INFORMATION entry, if multiple entries are present in a buffer.
   * This member is zero if no other entries follow this one.
   * A reader following this offset should first check that it moves forward and stays inside the buffer.
   */
  ULONG NextEntryOffset;
  /**
   * Byte offset of the file within the parent directory. This member is undefined for file systems, such as NTFS,
   * in which the position of a file within the parent directory is not fixed and can be changed at any time to maintain sort order.
   */
  ULONG FileIndex;
  /**
   * Specifies the length, in bytes, of the file name string.
   */
  ULONG FileNameLength;
  /**
   * Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
   * Only one WCHAR is declared here, so sizeof(FILE_NAMES_INFORMATION) does not cover the name;
   * bound every access by FileNameLength and by the size of the enclosing buffer.
   */
  WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;

/*
 * Single-character constants in a narrow (ANSI_*) and a wide variant.
 * NOTE(review): presumably the DOS-style wildcard metacharacters used when matching
 * directory search patterns; this header does not show where they are consumed.
 */
#define ANSI_DOS_STAR ('<')
#define ANSI_DOS_QM ('>')
#define ANSI_DOS_DOT ('"')

#define DOS_STAR (L'<')
#define DOS_QM (L'>')
#define DOS_DOT (L'"')

/**
 * \struct FILE_INTERNAL_INFORMATION
 * \brief Used to query for the file system's 8-byte file reference number for a file.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileInternalInformation
 */
typedef struct _FILE_INTERNAL_INFORMATION {
  /**
   * The 8-byte file reference number for the file. This number is assigned by the file system and is file-system-specific.
   * (Note that this is not the same as the 16-byte "file object ID" that was added to NTFS for Microsoft Windows 2000.)
   */
  LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;

/**
 * \struct FILE_ID_INFORMATION
 * \brief Contains identification information for a file.
*
 * This structure is returned from the GetFileInformationByHandleEx function when FileIdInfo is passed in the FileInformationClass parameter.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileIdInformation
 */
typedef struct _FILE_ID_INFORMATION {
  /**
   * The serial number of the volume that contains a file.
   */
  ULONGLONG VolumeSerialNumber;
  /**
   * The 128-bit file identifier for the file. The file identifier and the volume serial number uniquely identify a file on a single computer.
   * To determine whether two open handles represent the same file, combine the identifier and the volume serial number for each file and compare them.
   */
  FILE_ID_128 FileId;
} FILE_ID_INFORMATION, *PFILE_ID_INFORMATION;

/**
 * \struct FILE_EA_INFORMATION
 * \brief Used to query for the size of the extended attributes (EA) for a file.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileEaInformation and FileAllInformation
 */
typedef struct _FILE_EA_INFORMATION {
  /**
   * Specifies the combined length, in bytes, of the extended attributes for the file.
   */
  ULONG EaSize;
} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;

/**
 * \struct FILE_ACCESS_INFORMATION
 * \brief Used to query for or set the access rights of a file.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAllInformation
 */
typedef struct _FILE_ACCESS_INFORMATION {
  /**
   * Flags that specify a set of access rights in the access mask of an access control entry.
   * This member is a value of type ACCESS_MASK.
   */
  ACCESS_MASK AccessFlags;
} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;

/**
 * \struct FILE_MODE_INFORMATION
 * \brief Used to query or set the access mode of a file.
*
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAllInformation
 */
typedef struct _FILE_MODE_INFORMATION {
  /**
   * Specifies the mode in which the file will be accessed following a create-file or open-file operation.
   * This parameter is either zero or the bitwise OR of one or more of the following file option flags:
   *
   * \li \c FILE_WRITE_THROUGH
   * \li \c FILE_SEQUENTIAL_ONLY
   * \li \c FILE_NO_INTERMEDIATE_BUFFERING
   * \li \c FILE_SYNCHRONOUS_IO_ALERT
   * \li \c FILE_SYNCHRONOUS_IO_NONALERT
   * \li \c FILE_DELETE_ON_CLOSE
   */
  ULONG Mode;
} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;

/**
 * \struct FILE_ALL_INFORMATION
 * \brief Structure is a container for several FILE_XXX_INFORMATION structures.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION with query FileAllInformation
 *
 * \note NameInformation is the last member and FILE_NAME_INFORMATION ends in a
 * one-element FileName array that continues past the struct, so FILE_ALL_INFORMATION is
 * itself variable-length: sizeof(FILE_ALL_INFORMATION) covers only the first character of
 * the name. Size the output from NameInformation.FileNameLength and check it against the
 * buffer length that came with the request.
 */
typedef struct _FILE_ALL_INFORMATION {
  /** \see FILE_BASIC_INFORMATION */
  FILE_BASIC_INFORMATION BasicInformation;
  /** \see FILE_STANDARD_INFORMATION */
  FILE_STANDARD_INFORMATION StandardInformation;
  /** \see FILE_INTERNAL_INFORMATION */
  FILE_INTERNAL_INFORMATION InternalInformation;
  /** \see FILE_EA_INFORMATION */
  FILE_EA_INFORMATION EaInformation;
  /** \see FILE_ACCESS_INFORMATION */
  FILE_ACCESS_INFORMATION AccessInformation;
  /** \see FILE_POSITION_INFORMATION */
  FILE_POSITION_INFORMATION PositionInformation;
  /** \see FILE_MODE_INFORMATION */
  FILE_MODE_INFORMATION ModeInformation;
  /** \see FILE_ALIGNMENT_INFORMATION */
  FILE_ALIGNMENT_INFORMATION AlignmentInformation;
  /** \see FILE_NAME_INFORMATION */
  FILE_NAME_INFORMATION NameInformation;
} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;

/**
 * \struct FILE_ALLOCATION_INFORMATION
 * \brief Used to set the allocation size for a file.
*
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileAllocationInformation
 */
typedef struct _FILE_ALLOCATION_INFORMATION {
  /**
   * File allocation size, in bytes. Usually this value is a multiple
   * of the sector or cluster size of the underlying physical device.
   */
  LARGE_INTEGER AllocationSize;
} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;

/**
 * \struct FILE_LINK_INFORMATION
 * \brief Used to create an NTFS hard link to an existing file.
 *
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileLinkInformation
 *
 * \note Variable-length: FileName declares a single WCHAR and the name continues past the
 * end of the struct. FileNameLength arrives with the set request, so a handler should
 * check it against the length of the input buffer before reading FileName.
 */
typedef struct _FILE_LINK_INFORMATION {
  /**
   * Set to TRUE to specify that if the link already exists, it should be replaced with the new link.
   * Set to FALSE if the link creation operation should fail if the link already exists.
   */
  BOOLEAN ReplaceIfExists;
  /**
   * If the link is to be created in the same directory as the file that is being linked to,
   * or if the FileName member contains the full pathname for the link to be created, this is NULL.
   * Otherwise it is a handle for the directory where the link is to be created.
   */
  HANDLE RootDirectory;
  /**
   * Length, in bytes, of the file name string.
   */
  ULONG FileNameLength;
  /**
   * The first character of the name to be assigned to the newly created link.
   * This is followed in memory by the remainder of the string.
   * If the RootDirectory member is NULL and the link is to be created in a different directory from the file that is being linked to,
   * this member specifies the full pathname for the link to be created. Otherwise, it specifies only the file name.
   * (See the Remarks section for ZwQueryInformationFile for details on the syntax of this file name string.)
   */
  WCHAR FileName[1];
} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;

/**
 * \struct FILE_RENAME_INFORMATION
 * \brief Used to rename a file.
 *
 * The struct is requested during IRP_MJ_SET_INFORMATION with query FileRenameInformation
 *
 * \note Variable-length: FileName declares a single WCHAR and the name continues past the
 * end of the struct. FileNameLength arrives with the set request, so a handler should
 * check it against the length of the input buffer before reading FileName.
 */
typedef struct _FILE_RENAME_INFORMATION {
  /**
   * Set to TRUE to specify that if a file with the given name already exists, it should be replaced with the given file.
   * Set to FALSE if the rename operation should fail if a file with the given name already exists.
   */
  BOOLEAN ReplaceIfExists;
  /**
   * If the file is not being moved to a different directory,
   * or if the FileName member contains the full pathname, this member is NULL. Otherwise,
   * it is a handle for the root directory under which the file will reside after it is renamed.
   */
  HANDLE RootDirectory;
  /**
   * Length, in bytes, of the new name for the file.
   */
  ULONG FileNameLength;
  /**
   * The first character of a wide-character string containing the new name for the file.
   * This is followed in memory by the remainder of the string. If the RootDirectory member is NULL,
   * and the file is being moved to a different directory, this member specifies the full pathname to be assigned to the file.
   * Otherwise, it specifies only the file name or a relative pathname.
   */
  WCHAR FileName[1];
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;

/**
 * \struct FILE_STREAM_INFORMATION
 * \brief Used to enumerate the streams for a file.
 *
 * The struct is requested during IRP_MJ_QUERY_INFORMATION query FileStreamInformation
 *
 * \note Variable-length and chained: StreamName declares a single WCHAR and continues past
 * the end of the struct, and entries are linked through NextEntryOffset. A reader should
 * check that each entry, its StreamNameLength bytes of name and any non-zero
 * NextEntryOffset stay inside the buffer.
 */
typedef struct _FILE_STREAM_INFORMATION {
  /**
   * The offset of the next FILE_STREAM_INFORMATION entry.
   * This member is zero if no other entries follow this one.
   */
  ULONG NextEntryOffset;
  /**
   * Length, in bytes, of the StreamName string.
   */
  ULONG StreamNameLength;
  /**
   * Size, in bytes, of the stream.
   */
  LARGE_INTEGER StreamSize;
  /**
   * File stream allocation size, in bytes. Usually this value is a multiple of the sector
   * or cluster size of the underlying physical device.
   */
  LARGE_INTEGER StreamAllocationSize;
  /**
   * Unicode string that contains the name of the stream.
   */
  WCHAR StreamName[1];
} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;

/**
 * \struct FILE_FS_LABEL_INFORMATION
 * \brief Used to set the label for a file system volume.
 *
 * The struct is requested during IRP_MJ_SET_VOLUME_INFORMATION query FileFsLabelInformation
 *
 * \note Variable-length: VolumeLabel declares a single WCHAR and continues past the end of
 * the struct. VolumeLabelLength arrives with the set request and should be checked against
 * the input buffer length before the label is read.
 */
typedef struct _FILE_FS_LABEL_INFORMATION {
  /**
   * Length, in bytes, of the name for the volume.
   */
  ULONG VolumeLabelLength;
  /**
   * Name for the volume.
   */
  WCHAR VolumeLabel[1];
} FILE_FS_LABEL_INFORMATION, *PFILE_FS_LABEL_INFORMATION;

/**
 * \struct FILE_FS_VOLUME_INFORMATION
 * \brief Used to query information about a volume on which a file system is mounted.
 *
 * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileFsVolumeInformation
 *
 * \note Variable-length: VolumeLabel declares a single WCHAR and continues past the end of
 * the struct, so the output size depends on VolumeLabelLength, not on sizeof.
 */
typedef struct _FILE_FS_VOLUME_INFORMATION {
  /**
   * Time when the volume was created.
   */
  LARGE_INTEGER VolumeCreationTime;
  /**
   * Serial number of the volume.
   */
  ULONG VolumeSerialNumber;
  /**
   * Length, in bytes, of the name of the volume.
   */
  ULONG VolumeLabelLength;
  /**
   * TRUE if the file system supports object-oriented file system objects, FALSE otherwise.
   */
  BOOLEAN SupportsObjects;
  /**
   * Name of the volume.
   */
  WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;

/**
 * \struct FILE_FS_SIZE_INFORMATION
 * \brief Used to query sector size information for a file system volume.
 *
 * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileFsSizeInformation
 */
typedef struct _FILE_FS_SIZE_INFORMATION {
  /**
   * Total number of allocation units on the volume that are available to the user associated with the calling thread.
   * If per-user quotas are in use, this value may be less than the total number of allocation units on the disk.
   */
  LARGE_INTEGER TotalAllocationUnits;
  /**
   * Total number of free allocation units on the volume that are available to the user associated with the calling thread.
   * If per-user quotas are in use, this value may be less than the total number of free allocation units on the disk.
   */
  LARGE_INTEGER AvailableAllocationUnits;
  /**
   * Number of sectors in each allocation unit.
   */
  ULONG SectorsPerAllocationUnit;
  /**
   * Number of bytes in each sector.
   */
  ULONG BytesPerSector;
} FILE_FS_SIZE_INFORMATION, *PFILE_FS_SIZE_INFORMATION;

/**
 * \struct FILE_FS_FULL_SIZE_INFORMATION
 * \brief Used to query sector size information for a file system volume.
 *
 * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileFsFullSizeInformation
 */
typedef struct _FILE_FS_FULL_SIZE_INFORMATION {
  /**
   * Total number of allocation units on the volume that are available to the user associated with the calling thread.
   * If per-user quotas are in use, this value may be less than the total number of allocation units on the disk.
   */
  LARGE_INTEGER TotalAllocationUnits;
  /**
   * Total number of free allocation units on the volume that are available to the user associated with the calling thread.
   * If per-user quotas are in use, this value may be less than the total number of free allocation units on the disk.
   */
  LARGE_INTEGER CallerAvailableAllocationUnits;
  /**
   * Total number of free allocation units on the volume.
   */
  LARGE_INTEGER ActualAvailableAllocationUnits;
  /**
   * Number of sectors in each allocation unit.
   */
  ULONG SectorsPerAllocationUnit;
  /**
   * Number of bytes in each sector.
   */
  ULONG BytesPerSector;
} FILE_FS_FULL_SIZE_INFORMATION, *PFILE_FS_FULL_SIZE_INFORMATION;

/**
 * \struct FILE_FS_ATTRIBUTE_INFORMATION
 * \brief Used to query attribute information for a file system.
 *
 * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileFsAttributeInformation
 *
 * \note Variable-length: FileSystemName declares a single WCHAR and continues past the end
 * of the struct, so the output size depends on FileSystemNameLength, not on sizeof.
 */
typedef struct _FILE_FS_ATTRIBUTE_INFORMATION {
  /**
   * Bitmask of flags specifying attributes of the specified file system.
   * \see https://msdn.microsoft.com/en-us/library/windows/hardware/ff540251(v=vs.85).aspx
   */
  ULONG FileSystemAttributes;
  /**
   * Maximum file name component length, in bytes, supported by the specified file system.
   * A file name component is that portion of a file name between backslashes.
   * Note that this member is a signed LONG, unlike the ULONG length fields around it.
   */
  LONG MaximumComponentNameLength;
  /**
   * Length, in bytes, of the file system name.
   */
  ULONG FileSystemNameLength;
  /**
   * File system name.
   */
  WCHAR FileSystemName[1];
} FILE_FS_ATTRIBUTE_INFORMATION, *PFILE_FS_ATTRIBUTE_INFORMATION;

/**
 * \struct FILE_NETWORK_OPEN_INFORMATION
 * \brief Used as an argument to ZwQueryInformationFile.
1194 | * 1195 | * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileNetworkOpenInformation 1196 | */ 1197 | typedef struct _FILE_NETWORK_OPEN_INFORMATION { 1198 | /** 1199 | * Specifies the time that the file was created. 1200 | */ 1201 | LARGE_INTEGER CreationTime; 1202 | /** 1203 | * Specifies the time that the file was last accessed. 1204 | */ 1205 | LARGE_INTEGER LastAccessTime; 1206 | /** 1207 | * Specifies the time that the file was last written to. 1208 | */ 1209 | LARGE_INTEGER LastWriteTime; 1210 | /** 1211 | * Specifies the time that the file was last changed. 1212 | */ 1213 | LARGE_INTEGER ChangeTime; 1214 | /** 1215 | * Specifies the file allocation size, in bytes. Usually, 1216 | * this value is a multiple of the sector or cluster size of the underlying physical device. 1217 | */ 1218 | LARGE_INTEGER AllocationSize; 1219 | /** 1220 | * Specifies the absolute end-of-file position as a byte offset from the start of the file. 1221 | * EndOfFile specifies the byte offset to the end of the file. Because this value is zero-based, 1222 | * it actually refers to the first free byte in the file. In other words, 1223 | * EndOfFile is the offset to the byte immediately following the last valid byte in the file. 1224 | */ 1225 | LARGE_INTEGER EndOfFile; 1226 | /** 1227 | * Specifies one or more FILE_ATTRIBUTE_XXX flags. For descriptions of these flags, 1228 | * see the documentation of the GetFileAttributes function in the Microsoft Windows SDK. 1229 | */ 1230 | ULONG FileAttributes; 1231 | } FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; 1232 | 1233 | /** 1234 | * \struct FILE_NETWORK_PHYSICAL_NAME_INFORMATION 1235 | * \brief Contains the full UNC physical pathname for a file or directory on a remote file share.
1236 | * 1237 | * The struct is requested during IRP_MJ_QUERY_VOLUME_INFORMATION query FileNetworkPhysicalNameInformation 1238 | */ 1239 | typedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION { 1240 | /** 1241 | * The length, in bytes, of the physical name in FileName. 1242 | */ 1243 | ULONG FileNameLength; 1244 | /** 1245 | * The full UNC path of the network file share of the target. 1246 | */ 1247 | WCHAR FileName[1]; 1248 | } FILE_NETWORK_PHYSICAL_NAME_INFORMATION, 1249 | *PFILE_NETWORK_PHYSICAL_NAME_INFORMATION; 1250 | 1251 | #define SL_RESTART_SCAN 0x01 1252 | #define SL_RETURN_SINGLE_ENTRY 0x02 1253 | #define SL_INDEX_SPECIFIED 0x04 1254 | #define SL_FORCE_ACCESS_CHECK 0x01 1255 | 1256 | #define SL_OPEN_PAGING_FILE 0x02 1257 | #define SL_OPEN_TARGET_DIRECTORY 0x04 1258 | #define SL_CASE_SENSITIVE 0x80 1259 | 1260 | #define ALIGN_DOWN(length, type) ((ULONG)(length) & ~(sizeof(type) - 1)) 1261 | 1262 | #define ALIGN_UP(length, type) \ 1263 | (ALIGN_DOWN(((ULONG)(length) + sizeof(type) - 1), type)) 1264 | 1265 | #define ALIGN_DOWN_POINTER(address, type) \ 1266 | ((PVOID)((ULONG_PTR)(address) & ~((ULONG_PTR)sizeof(type) - 1))) 1267 | 1268 | #define ALIGN_UP_POINTER(address, type) \ 1269 | (ALIGN_DOWN_POINTER(((ULONG_PTR)(address) + sizeof(type) - 1), type)) 1270 | 1271 | #define WordAlign(Val) (ALIGN_UP(Val, WORD)) 1272 | 1273 | #define WordAlignPtr(Ptr) (ALIGN_UP_POINTER(Ptr, WORD)) 1274 | 1275 | #define LongAlign(Val) (ALIGN_UP(Val, LONG)) 1276 | 1277 | #define LongAlignPtr(Ptr) (ALIGN_UP_POINTER(Ptr, LONG)) 1278 | 1279 | #define QuadAlign(Val) (ALIGN_UP(Val, ULONGLONG)) 1280 | 1281 | #define QuadAlignPtr(Ptr) (ALIGN_UP_POINTER(Ptr, ULONGLONG)) 1282 | 1283 | #define IsPtrQuadAligned(Ptr) (QuadAlignPtr(Ptr) == (PVOID)(Ptr)) 1284 | 1285 | // from wdm.h 1286 | #define FILE_SUPERSEDE 0x00000000 1287 | #define FILE_OPEN 0x00000001 1288 | #define FILE_CREATE 0x00000002 1289 | #define FILE_OPEN_IF 0x00000003 1290 | #define FILE_OVERWRITE 0x00000004 1291 | #define 
FILE_OVERWRITE_IF 0x00000005 1292 | #define FILE_MAXIMUM_DISPOSITION 0x00000005 1293 | 1294 | #define FILE_DIRECTORY_FILE 0x00000001 1295 | #define FILE_WRITE_THROUGH 0x00000002 1296 | #define FILE_SEQUENTIAL_ONLY 0x00000004 1297 | #define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008 1298 | 1299 | #define FILE_SYNCHRONOUS_IO_ALERT 0x00000010 1300 | #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 1301 | #define FILE_NON_DIRECTORY_FILE 0x00000040 1302 | #define FILE_CREATE_TREE_CONNECTION 0x00000080 1303 | 1304 | #define FILE_COMPLETE_IF_OPLOCKED 0x00000100 1305 | #define FILE_NO_EA_KNOWLEDGE 0x00000200 1306 | #define FILE_OPEN_REMOTE_INSTANCE 0x00000400 1307 | #define FILE_RANDOM_ACCESS 0x00000800 1308 | 1309 | #define FILE_DELETE_ON_CLOSE 0x00001000 1310 | #define FILE_OPEN_BY_FILE_ID 0x00002000 1311 | #define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000 1312 | #define FILE_NO_COMPRESSION 0x00008000 1313 | 1314 | #if (_WIN32_WINNT >= _WIN32_WINNT_WIN7) 1315 | #define FILE_OPEN_REQUIRING_OPLOCK 0x00010000 1316 | #define FILE_DISALLOW_EXCLUSIVE 0x00020000 1317 | #endif /* _WIN32_WINNT >= _WIN32_WINNT_WIN7 */ 1318 | #if (_WIN32_WINNT >= _WIN32_WINNT_WIN8) 1319 | #define FILE_SESSION_AWARE 0x00040000 1320 | #endif /* _WIN32_WINNT >= _WIN32_WINNT_WIN8 */ 1321 | 1322 | #define FILE_RESERVE_OPFILTER 0x00100000 1323 | #define FILE_OPEN_REPARSE_POINT 0x00200000 1324 | #define FILE_OPEN_NO_RECALL 0x00400000 1325 | #define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000 1326 | 1327 | #define FILE_VALID_OPTION_FLAGS 0x00ffffff 1328 | 1329 | #define FILE_SUPERSEDED 0x00000000 1330 | #define FILE_OPENED 0x00000001 1331 | #define FILE_CREATED 0x00000002 1332 | #define FILE_OVERWRITTEN 0x00000003 1333 | #define FILE_EXISTS 0x00000004 1334 | #define FILE_DOES_NOT_EXIST 0x00000005 1335 | 1336 | #define FILE_WRITE_TO_END_OF_FILE 0xffffffff 1337 | #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe 1338 | 1339 | /** 1340 | * \struct UNICODE_STRING 1341 | * \brief Structure is used to define Unicode
strings. 1342 | */ 1343 | typedef struct _UNICODE_STRING { 1344 | /** 1345 | * The length, in bytes, of the string stored in Buffer. 1346 | */ 1347 | USHORT Length; 1348 | /** 1349 | * The length, in bytes, of Buffer. 1350 | */ 1351 | USHORT MaximumLength; 1352 | /** 1353 | * Pointer to a buffer used to contain a string of wide characters. 1354 | */ 1355 | PWSTR Buffer; 1356 | } UNICODE_STRING, *PUNICODE_STRING; 1357 | 1358 | #endif // FILEINFO_H_ 1359 | -------------------------------------------------------------------------------- /rust_dma/includes/leechcore.h: -------------------------------------------------------------------------------- 1 | // leechcore.h : external header of the LeechCore library. 2 | // 3 | // LeechCore is a library which abstracts away reading and writing to various 4 | // software and hardware acquisition sources. Sources ranges from memory dump 5 | // files to driver backed live memory to hardware (FPGA) DMA backed memory. 6 | // 7 | // LeechCore built-in device support may be extended with external plugin 8 | // device drivers placed as .dll or .so files in the same folder as LeechCore. 
9 | // 10 | // For more information please consult the LeechCore information on Github: 11 | // - README: https://github.com/ufrisk/LeechCore 12 | // - GUIDE: https://github.com/ufrisk/LeechCore/wiki 13 | // 14 | // (c) Ulf Frisk, 2020-2023 15 | // Author: Ulf Frisk, pcileech@frizk.net 16 | // 17 | // Header Version: 2.9.1 18 | // 19 | 20 | #ifndef __LEECHCORE_H__ 21 | #define __LEECHCORE_H__ 22 | #ifdef __cplusplus 23 | extern "C" { 24 | #endif /* __cplusplus */ 25 | 26 | //----------------------------------------------------------------------------- 27 | // OS COMPATIBILITY BELOW: 28 | //----------------------------------------------------------------------------- 29 | 30 | #ifdef _WIN32 31 | 32 | #include 33 | #define EXPORTED_FUNCTION __declspec(dllexport) 34 | typedef unsigned __int64 QWORD, *PQWORD; 35 | 36 | #endif /* _WIN32 */ 37 | #ifdef LINUX 38 | 39 | #include 40 | #include 41 | #define EXPORTED_FUNCTION __attribute__((visibility("default"))) 42 | typedef void VOID, *PVOID, *HANDLE, **PHANDLE, *HMODULE; 43 | typedef long long unsigned int QWORD, *PQWORD, ULONG64, *PULONG64; 44 | typedef size_t SIZE_T, *PSIZE_T; 45 | typedef uint64_t FILETIME, *PFILETIME; 46 | typedef uint32_t DWORD, *PDWORD, *LPDWORD, BOOL, *PBOOL, NTSTATUS; 47 | typedef uint16_t WORD, *PWORD; 48 | typedef uint8_t BYTE, *PBYTE, *LPBYTE, UCHAR; 49 | typedef char CHAR, *PCHAR, *LPSTR, *LPCSTR; 50 | typedef uint16_t WCHAR, *PWCHAR, *LPWSTR, *LPCWSTR; 51 | #define MAX_PATH 260 52 | #define _In_ 53 | #define _In_z_ 54 | #define _In_opt_ 55 | #define _In_reads_(x) 56 | #define _In_reads_opt_(x) 57 | #define _Inout_ 58 | #define _Inout_bytecount_(x) 59 | #define _Inout_opt_ 60 | #define _Inout_updates_opt_(x) 61 | #define _Out_ 62 | #define _Out_opt_ 63 | #define _Out_writes_(x) 64 | #define _Out_writes_bytes_opt_(x) 65 | #define _Out_writes_opt_(x) 66 | #define _Out_writes_to_(x,y) 67 | #define _When_(x,y) 68 | #define _Frees_ptr_opt_ 69 | #define _Post_ptr_invalid_ 70 | #define 
_Check_return_opt_ 71 | #define _Printf_format_string_ 72 | #define _Success_(x) 73 | 74 | #endif /* LINUX */ 75 | 76 | 77 | 78 | //----------------------------------------------------------------------------- 79 | // Create and Close LeechCore devices: 80 | // It's possible to create multiple LeechCore devices in parallel and also of 81 | // different types if the underlying device will allow this. LeechCore will 82 | // automatically take care of and abstract away any hardware/software issues 83 | // with regards to the underlying devices. 84 | // 85 | // For more information about supported devices please check out the LeechCore 86 | // guide at: https://github.com/ufrisk/LeechCore/wiki 87 | //----------------------------------------------------------------------------- 88 | 89 | #define LC_CONFIG_VERSION 0xc0fd0002 90 | #define LC_CONFIG_ERRORINFO_VERSION 0xc0fe0002 91 | 92 | #define LC_CONFIG_PRINTF_ENABLED 0x01 93 | #define LC_CONFIG_PRINTF_V 0x02 94 | #define LC_CONFIG_PRINTF_VV 0x04 95 | #define LC_CONFIG_PRINTF_VVV 0x08 96 | 97 | typedef struct LC_CONFIG { 98 | // below are set by caller 99 | DWORD dwVersion; // must equal LC_CONFIG_VERSION 100 | DWORD dwPrintfVerbosity; // printf verbosity according to LC_CONFIG_PRINTF_* 101 | CHAR szDevice[MAX_PATH]; // device connection string - see wiki for additional info. 102 | CHAR szRemote[MAX_PATH]; // remote connection string - see wiki for additional info. 103 | _Check_return_opt_ int(*pfn_printf_opt)(_In_z_ _Printf_format_string_ char const *const _Format, ...); 104 | // below are set by caller, updated by LeechCore 105 | QWORD paMax; // max physical address (disables any max address auto-detect). 106 | // below are set by LeechCore 107 | BOOL fVolatile; 108 | BOOL fWritable; 109 | BOOL fRemote; 110 | BOOL fRemoteDisableCompress; 111 | CHAR szDeviceName[MAX_PATH]; // device name - such as 'fpga' or 'file'.
112 | } LC_CONFIG, *PLC_CONFIG; 113 | 114 | typedef struct tdLC_CONFIG_ERRORINFO { 115 | DWORD dwVersion; // must equal LC_CONFIG_ERRORINFO_VERSION 116 | DWORD cbStruct; 117 | DWORD _FutureUse[16]; 118 | BOOL fUserInputRequest; 119 | DWORD cwszUserText; 120 | WCHAR wszUserText[]; 121 | } LC_CONFIG_ERRORINFO, *PLC_CONFIG_ERRORINFO, **PPLC_CONFIG_ERRORINFO; 122 | 123 | /* 124 | * Create a new LeechCore device according to the supplied configuration. 125 | * CALLER LcMemFree: ppLcCreateErrorInfo 126 | * -- pLcCreateConfig 127 | * -- ppLcCreateErrorInfo = (LcCreateEx only) ptr to receive function allocated struct with error 128 | * information upon function failure. This info may contain a user message 129 | * requesting user action as an example. Any returned struct should be 130 | * free'd by a call to LcMemFree(). 131 | * -- return = device handle, NULL on failure. 132 | */ 133 | _Success_(return != NULL) 134 | EXPORTED_FUNCTION HANDLE LcCreate( 135 | _Inout_ PLC_CONFIG pLcCreateConfig 136 | ); 137 | 138 | _Success_(return != NULL) 139 | EXPORTED_FUNCTION HANDLE LcCreateEx( 140 | _Inout_ PLC_CONFIG pLcCreateConfig, 141 | _Out_opt_ PPLC_CONFIG_ERRORINFO ppLcCreateErrorInfo 142 | ); 143 | 144 | /* 145 | * Close a LeechCore handle and free any resources no longer needed. 146 | */ 147 | EXPORTED_FUNCTION VOID LcClose( 148 | _In_opt_ _Post_ptr_invalid_ HANDLE hLC 149 | ); 150 | 151 | 152 | 153 | //----------------------------------------------------------------------------- 154 | // Read and Write memory from underlying device either using contiguous method 155 | // or more recommended scatter method. 156 | // 157 | // The MEM_SCATTER struct allows reading and writing of discontiguous memory 158 | // chunks which must adhere to the following rules: 159 | // - maximum size = 0x1000 (4096) bytes = recommended size. 160 | // - minimum size = 2 DWORDs (8 bytes). 161 | // - must be DWORD (4 byte) aligned. 162 | // - must never cross 0x1000 page boundary. 163 | // - max value of iStack = MEM_SCATTER_STACK_SIZE - 2. The MEM_SCATTER_STACK_* macros do not check this limit.
164 | //----------------------------------------------------------------------------- 165 | 166 | #define MEM_SCATTER_VERSION 0xc0fe0002 167 | #define MEM_SCATTER_STACK_SIZE 12 168 | 169 | typedef struct tdMEM_SCATTER { 170 | DWORD version; // MEM_SCATTER_VERSION 171 | BOOL f; // TRUE = success data in pb, FALSE = fail or not yet read. 172 | QWORD qwA; // address of memory to read/write 173 | union { 174 | PBYTE pb; // buffer to hold memory contents 175 | QWORD _Filler; 176 | }; 177 | DWORD cb; // size of buffer to hold memory contents. 178 | DWORD iStack; // internal stack pointer = index of the next free vStack slot; NOTE: the MEM_SCATTER_STACK_* macros below do no bounds checks on it. 179 | QWORD vStack[MEM_SCATTER_STACK_SIZE]; // internal stack 180 | } MEM_SCATTER, *PMEM_SCATTER, **PPMEM_SCATTER; 181 | 182 | #define MEM_SCATTER_ADDR_INVALID ((QWORD)-1) 183 | #define MEM_SCATTER_ADDR_ISINVALID(pMEM) (pMEM->qwA == (QWORD)-1) 184 | #define MEM_SCATTER_ADDR_ISVALID(pMEM) (pMEM->qwA != (QWORD)-1) 185 | #define MEM_SCATTER_STACK_PUSH(pMEM, v) (pMEM->vStack[pMEM->iStack++] = (QWORD)v) 186 | #define MEM_SCATTER_STACK_PEEK(pMEM, i) (pMEM->vStack[pMEM->iStack - i]) 187 | #define MEM_SCATTER_STACK_SET(pMEM, i, v) (pMEM->vStack[pMEM->iStack - i] = (QWORD)v) 188 | #define MEM_SCATTER_STACK_ADD(pMEM, i, v) (pMEM->vStack[pMEM->iStack - i] += (QWORD)v) 189 | #define MEM_SCATTER_STACK_POP(pMEM) (pMEM->vStack[--pMEM->iStack]) 190 | 191 | /* 192 | * Free LeechCore allocated memory such as memory allocated by the 193 | * LcAllocScatter / LcCommand functions. 194 | * -- pv 195 | */ 196 | EXPORTED_FUNCTION VOID LcMemFree( 197 | _Frees_ptr_opt_ PVOID pv 198 | ); 199 | 200 | /* 201 | * Allocate and pre-initialize empty MEMs including a 0x1000 buffer for each 202 | * pMEM. The result should be freed by LcMemFree() when it's no longer needed.
203 | * -- cMEMs 204 | * -- pppMEMs = pointer to receive ppMEMs 205 | * -- return 206 | */ 207 | _Success_(return) 208 | EXPORTED_FUNCTION BOOL LcAllocScatter1( 209 | _In_ DWORD cMEMs, 210 | _Out_ PPMEM_SCATTER *pppMEMs 211 | ); 212 | 213 | /* 214 | * Allocate and pre-initialize empty MEMs excluding the 0x1000 buffer which 215 | * will be accounted towards the pbData buffer in a contiguous way. 216 | * The result should be freed by LcMemFree() when it's no longer needed. 217 | * -- cbData = size of pbData (must be cMEMs * 0x1000) 218 | * -- pbData = buffer used for MEM.pb 219 | * -- cMEMs 220 | * -- pppMEMs = pointer to receive ppMEMs 221 | * -- return 222 | */ 223 | _Success_(return) 224 | EXPORTED_FUNCTION BOOL LcAllocScatter2( 225 | _In_ DWORD cbData, 226 | _Inout_updates_opt_(cbData) PBYTE pbData, 227 | _In_ DWORD cMEMs, 228 | _Out_ PPMEM_SCATTER *pppMEMs 229 | ); 230 | 231 | /* 232 | * Allocate and pre-initialize empty MEMs excluding the 0x1000 buffer which 233 | * will be accounted towards the pbData buffer in a contiguous way. 234 | * -- pbDataFirstPage = optional buffer of first page 235 | * -- pbDataLastPage = optional buffer of last page 236 | * -- cbData = size of pbData 237 | * -- pbData = buffer used for MEM.pb except first/last if exists 238 | * -- cMEMs 239 | * -- pppMEMs = pointer to receive ppMEMs 240 | * -- return 241 | */ 242 | _Success_(return) 243 | EXPORTED_FUNCTION BOOL LcAllocScatter3( 244 | _Inout_updates_opt_(0x1000) PBYTE pbDataFirstPage, 245 | _Inout_updates_opt_(0x1000) PBYTE pbDataLastPage, 246 | _In_ DWORD cbData, 247 | _Inout_updates_opt_(cbData) PBYTE pbData, 248 | _In_ DWORD cMEMs, 249 | _Out_ PPMEM_SCATTER *pppMEMs 250 | ); 251 | 252 | /* 253 | * Read memory in a scattered non-contiguous way. This is recommended for reads.
254 | * -- hLC 255 | * -- cMEMs 256 | * -- ppMEMs 257 | */ 258 | EXPORTED_FUNCTION VOID LcReadScatter( 259 | _In_ HANDLE hLC, 260 | _In_ DWORD cMEMs, 261 | _Inout_ PPMEM_SCATTER ppMEMs 262 | ); 263 | 264 | /* 265 | * Read memory in a contiguous way. Note that if multiple memory segments are 266 | * to be read LcReadScatter() may be more efficient. 267 | * -- hLC 268 | * -- pa 269 | * -- cb 270 | * -- pb 271 | * -- return 272 | */ 273 | _Success_(return) 274 | EXPORTED_FUNCTION BOOL LcRead( 275 | _In_ HANDLE hLC, 276 | _In_ QWORD pa, 277 | _In_ DWORD cb, 278 | _Out_writes_(cb) PBYTE pb 279 | ); 280 | 281 | /* 282 | * Write memory in a scattered non-contiguous way. 283 | * -- hLC 284 | * -- cMEMs 285 | * -- ppMEMs 286 | */ 287 | EXPORTED_FUNCTION VOID LcWriteScatter( 288 | _In_ HANDLE hLC, 289 | _In_ DWORD cMEMs, 290 | _Inout_ PPMEM_SCATTER ppMEMs 291 | ); 292 | 293 | /* 294 | * Write memory in a contiguous way. 295 | * -- hLC 296 | * -- pa 297 | * -- cb 298 | * -- pb 299 | * -- return 300 | */ 301 | _Success_(return) 302 | EXPORTED_FUNCTION BOOL LcWrite( 303 | _In_ HANDLE hLC, 304 | _In_ QWORD pa, 305 | _In_ DWORD cb, 306 | _In_reads_(cb) PBYTE pb 307 | ); 308 | 309 | 310 | 311 | //----------------------------------------------------------------------------- 312 | // Get/Set/Command functionality may be used to query and/or update LeechCore 313 | // or its devices in various ways. 314 | //----------------------------------------------------------------------------- 315 | 316 | /* 317 | * Get an option as defined by LC_OPT_*. (R option). 318 | * -- hLC 319 | * -- fOption = LC_OPT_* 320 | * -- pqwValue = pointer to receive the option value; per the 321 | * _Success_(return) annotation it is only valid when TRUE is returned. 322 | * -- return 323 | */ 324 | _Success_(return) 325 | EXPORTED_FUNCTION BOOL LcGetOption( 326 | _In_ HANDLE hLC, 327 | _In_ QWORD fOption, 328 | _Out_ PQWORD pqwValue 329 | ); 330 | 331 | /* 332 | * Set an option as defined by LC_OPT_*. (W option).
333 | * -- hLC 334 | * -- fOption = LC_OPT_* 335 | * -- qwValue = value to set 336 | * -- return 337 | */ 338 | _Success_(return) 339 | EXPORTED_FUNCTION BOOL LcSetOption( 340 | _In_ HANDLE hLC, 341 | _In_ QWORD fOption, 342 | _In_ QWORD qwValue 343 | ); 344 | 345 | /* 346 | * Execute a command and retrieve a result (if any) at the same time. 347 | * NB! If *ppbDataOut contains a memory allocation on exit this should be free'd 348 | * by calling LcMemFree(). 349 | * CALLER LcMemFree: *ppbDataOut 350 | * -- hLC 351 | * -- fCommand = LC_CMD_* 352 | * -- cbDataIn 353 | * -- pbDataIn 354 | * -- ppbDataOut 355 | * -- pcbDataOut 356 | */ 357 | _Success_(return) 358 | EXPORTED_FUNCTION BOOL LcCommand( 359 | _In_ HANDLE hLC, 360 | _In_ QWORD fCommand, 361 | _In_ DWORD cbDataIn, 362 | _In_reads_opt_(cbDataIn) PBYTE pbDataIn, 363 | _Out_opt_ PBYTE *ppbDataOut, 364 | _Out_opt_ PDWORD pcbDataOut 365 | ); 366 | 367 | #define LC_OPT_CORE_PRINTF_ENABLE 0x4000000100000000 // RW 368 | #define LC_OPT_CORE_VERBOSE 0x4000000200000000 // RW 369 | #define LC_OPT_CORE_VERBOSE_EXTRA 0x4000000300000000 // RW 370 | #define LC_OPT_CORE_VERBOSE_EXTRA_TLP 0x4000000400000000 // RW 371 | #define LC_OPT_CORE_VERSION_MAJOR 0x4000000500000000 // R 372 | #define LC_OPT_CORE_VERSION_MINOR 0x4000000600000000 // R 373 | #define LC_OPT_CORE_VERSION_REVISION 0x4000000700000000 // R 374 | #define LC_OPT_CORE_ADDR_MAX 0x1000000800000000 // R 375 | #define LC_OPT_CORE_STATISTICS_CALL_COUNT 0x4000000900000000 // R [lo-dword: LC_STATISTICS_ID_*] 376 | #define LC_OPT_CORE_STATISTICS_CALL_TIME 0x4000000a00000000 // R [lo-dword: LC_STATISTICS_ID_*] 377 | #define LC_OPT_CORE_VOLATILE 0x1000000b00000000 // R 378 | #define LC_OPT_CORE_READONLY 0x1000000c00000000 // R 379 | 380 | #define LC_OPT_MEMORYINFO_VALID 0x0200000100000000 // R 381 | #define LC_OPT_MEMORYINFO_FLAG_32BIT 0x0200000300000000 // R 382 | #define LC_OPT_MEMORYINFO_FLAG_PAE 0x0200000400000000 // R 383 | #define LC_OPT_MEMORYINFO_OS_VERSION_MINOR 0x0200000500000000
// R 384 | #define LC_OPT_MEMORYINFO_OS_VERSION_MAJOR 0x0200000600000000 // R 385 | #define LC_OPT_MEMORYINFO_OS_DTB 0x0200000700000000 // R 386 | #define LC_OPT_MEMORYINFO_OS_PFN 0x0200000800000000 // R 387 | #define LC_OPT_MEMORYINFO_OS_PsLoadedModuleList 0x0200000900000000 // R 388 | #define LC_OPT_MEMORYINFO_OS_PsActiveProcessHead 0x0200000a00000000 // R 389 | #define LC_OPT_MEMORYINFO_OS_MACHINE_IMAGE_TP 0x0200000b00000000 // R 390 | #define LC_OPT_MEMORYINFO_OS_NUM_PROCESSORS 0x0200000c00000000 // R 391 | #define LC_OPT_MEMORYINFO_OS_SYSTEMTIME 0x0200000d00000000 // R 392 | #define LC_OPT_MEMORYINFO_OS_UPTIME 0x0200000e00000000 // R 393 | #define LC_OPT_MEMORYINFO_OS_KERNELBASE 0x0200000f00000000 // R 394 | #define LC_OPT_MEMORYINFO_OS_KERNELHINT 0x0200001000000000 // R 395 | #define LC_OPT_MEMORYINFO_OS_KdDebuggerDataBlock 0x0200001100000000 // R 396 | 397 | #define LC_OPT_FPGA_PROBE_MAXPAGES 0x0300000100000000 // RW 398 | #define LC_OPT_FPGA_MAX_SIZE_RX 0x0300000300000000 // RW 399 | #define LC_OPT_FPGA_MAX_SIZE_TX 0x0300000400000000 // RW 400 | #define LC_OPT_FPGA_DELAY_PROBE_READ 0x0300000500000000 // RW - uS 401 | #define LC_OPT_FPGA_DELAY_PROBE_WRITE 0x0300000600000000 // RW - uS 402 | #define LC_OPT_FPGA_DELAY_WRITE 0x0300000700000000 // RW - uS 403 | #define LC_OPT_FPGA_DELAY_READ 0x0300000800000000 // RW - uS 404 | #define LC_OPT_FPGA_RETRY_ON_ERROR 0x0300000900000000 // RW 405 | #define LC_OPT_FPGA_DEVICE_ID 0x0300008000000000 // RW - bus:dev:fn (ex: 04:00.0 == 0x0400). 406 | #define LC_OPT_FPGA_FPGA_ID 0x0300008100000000 // R 407 | #define LC_OPT_FPGA_VERSION_MAJOR 0x0300008200000000 // R 408 | #define LC_OPT_FPGA_VERSION_MINOR 0x0300008300000000 // R 409 | #define LC_OPT_FPGA_ALGO_TINY 0x0300008400000000 // RW - 1/0 use tiny 128-byte/tlp read algorithm. 410 | #define LC_OPT_FPGA_ALGO_SYNCHRONOUS 0x0300008500000000 // RW - 1/0 use synchronous (old) read algorithm. 
411 | #define LC_OPT_FPGA_CFGSPACE_XILINX 0x0300008600000000 // RW - [lo-dword: register address in bytes] [bytes: 0-3: data, 4-7: byte_enable(if wr/set); top bit = cfg_mgmt_wr_rw1c_as_rw] 412 | #define LC_OPT_FPGA_TLP_READ_CB_WITHINFO 0x0300009000000000 // RW - 1/0 call TLP read callback with additional string info in szInfo 413 | #define LC_OPT_FPGA_TLP_READ_CB_FILTERCPL 0x0300009100000000 // RW - 1/0 call TLP read callback with memory read completions from read calls filtered 414 | #define LC_OPT_FPGA_TLP_READ_CB_BACKGROUND_THREAD 0x0300009200000000 // RW - 1/0 call TLP read callback auto-read with background thread [requires active callback function] 415 | 416 | #define LC_CMD_FPGA_WRITE_TLP 0x0000010100000000 // R - !!! DEPRECATED DO NOT USE !!! - USE LC_CMD_FPGA_TLP_WRITE_SINGLE! 417 | #define LC_CMD_FPGA_LISTEN_TLP 0x0000010200000000 // R - !!! DEPRECATED DO NOT USE !!! 418 | #define LC_CMD_FPGA_PCIECFGSPACE 0x0000010300000000 // R 419 | #define LC_CMD_FPGA_CFGREGPCIE 0x0000010400000000 // RW - [lo-dword: register address] 420 | #define LC_CMD_FPGA_CFGREGCFG 0x0000010500000000 // RW - [lo-dword: register address] 421 | #define LC_CMD_FPGA_CFGREGDRP 0x0000010600000000 // RW - [lo-dword: register address] 422 | #define LC_CMD_FPGA_CFGREGCFG_MARKWR 0x0000010700000000 // W - write with mask [lo-dword: register address] [bytes: 0-1: data, 2-3: mask] 423 | #define LC_CMD_FPGA_CFGREGPCIE_MARKWR 0x0000010800000000 // W - write with mask [lo-dword: register address] [bytes: 0-1: data, 2-3: mask] 424 | #define LC_CMD_FPGA_CFGREG_DEBUGPRINT 0x0000010a00000000 // N/A 425 | #define LC_CMD_FPGA_PROBE 0x0000010b00000000 // RW 426 | #define LC_CMD_FPGA_CFGSPACE_SHADOW_RD 0x0000010c00000000 // R 427 | #define LC_CMD_FPGA_CFGSPACE_SHADOW_WR 0x0000010d00000000 // W - [lo-dword: config space write base address] 428 | #define LC_CMD_FPGA_TLP_WRITE_SINGLE 0x0000011000000000 // R - write single tlp BYTE:s 429 | #define LC_CMD_FPGA_TLP_WRITE_MULTIPLE 0x0000011100000000 // R - write 
multiple LC_TLP:s 430 | #define LC_CMD_FPGA_TLP_TOSTRING 0x0000011200000000 // RW - convert single TLP to LPSTR; *pcbDataOut includes NULL terminator. 431 | #define LC_CMD_FPGA_TLP_READ_FUNCTION_CALLBACK 0x0000011300000000 // W - set/unset custom TLP read callback function and fetch TLPs (pbDataIn == PLC_TLP_CALLBACK). 432 | 433 | #define LC_CMD_FILE_DUMPHEADER_GET 0x0000020100000000 // R 434 | 435 | #define LC_CMD_STATISTICS_GET 0x4000010000000000 // R 436 | #define LC_CMD_MEMMAP_GET 0x4000020000000000 // R - MEMMAP as LPSTR 437 | #define LC_CMD_MEMMAP_SET 0x4000030000000000 // W - MEMMAP as LPSTR 438 | #define LC_CMD_MEMMAP_GET_STRUCT 0x4000040000000000 // R - MEMMAP as LC_MEMMAP_ENTRY[] 439 | #define LC_CMD_MEMMAP_SET_STRUCT 0x4000050000000000 // W - MEMMAP as LC_MEMMAP_ENTRY[] 440 | 441 | #define LC_CMD_AGENT_EXEC_PYTHON 0x8000000100000000 // RW - [lo-dword: optional timeout in ms] 442 | #define LC_CMD_AGENT_EXIT_PROCESS 0x8000000200000000 // - [lo-dword: process exit code] 443 | #define LC_CMD_AGENT_VFS_LIST 0x8000000300000000 // RW 444 | #define LC_CMD_AGENT_VFS_READ 0x8000000400000000 // RW 445 | #define LC_CMD_AGENT_VFS_WRITE 0x8000000500000000 // RW 446 | #define LC_CMD_AGENT_VFS_OPT_GET 0x8000000600000000 // RW 447 | #define LC_CMD_AGENT_VFS_OPT_SET 0x8000000700000000 // RW 448 | 449 | #define LC_CMD_AGENT_VFS_REQ_VERSION 0xfeed0001 450 | #define LC_CMD_AGENT_VFS_RSP_VERSION 0xfeee0001 451 | 452 | #define LC_STATISTICS_VERSION 0xe1a10002 453 | #define LC_STATISTICS_ID_OPEN 0x00 454 | #define LC_STATISTICS_ID_READ 0x01 455 | #define LC_STATISTICS_ID_READSCATTER 0x02 456 | #define LC_STATISTICS_ID_WRITE 0x03 457 | #define LC_STATISTICS_ID_WRITESCATTER 0x04 458 | #define LC_STATISTICS_ID_GETOPTION 0x05 459 | #define LC_STATISTICS_ID_SETOPTION 0x06 460 | #define LC_STATISTICS_ID_COMMAND 0x07 461 | #define LC_STATISTICS_ID_MAX 0x07 462 | 463 | typedef struct tdLC_CMD_AGENT_VFS_REQ { 464 | DWORD dwVersion; 465 | DWORD _FutureUse; 466 | CHAR 
uszPathFile[2*MAX_PATH]; // file path to list/read/write 467 | union { 468 | QWORD qwOffset; // offset to read/write 469 | QWORD fOption; // option to get/set (qword data in *pb) 470 | }; 471 | DWORD dwLength; // length to read 472 | DWORD cb; 473 | BYTE pb[0]; 474 | } LC_CMD_AGENT_VFS_REQ, *PLC_CMD_AGENT_VFS_REQ; 475 | 476 | typedef struct tdLC_CMD_AGENT_VFS_RSP { 477 | DWORD dwVersion; 478 | DWORD dwStatus; // ntstatus of read/write 479 | DWORD cbReadWrite; // number of bytes read/written 480 | DWORD _FutureUse[2]; 481 | DWORD cb; 482 | BYTE pb[0]; 483 | } LC_CMD_AGENT_VFS_RSP, *PLC_CMD_AGENT_VFS_RSP; 484 | 485 | static LPCSTR LC_STATISTICS_NAME[] = { 486 | "LcOpen", 487 | "LcRead", 488 | "LcReadScatter", 489 | "LcWrite", 490 | "LcWriteScatter", 491 | "LcGetOption", 492 | "LcSetOption", 493 | "LcCommand", 494 | }; 495 | 496 | typedef struct tdLC_STATISTICS { 497 | DWORD dwVersion; 498 | DWORD _Reserved; 499 | QWORD qwFreq; 500 | struct { 501 | QWORD c; 502 | QWORD tm; // total time in qwFreq ticks 503 | } Call[LC_STATISTICS_ID_MAX + 1]; 504 | } LC_STATISTICS, *PLC_STATISTICS; 505 | 506 | typedef struct tdLC_MEMMAP_ENTRY { 507 | QWORD pa; 508 | QWORD cb; 509 | QWORD paRemap; 510 | } LC_MEMMAP_ENTRY, *PLC_MEMMAP_ENTRY; 511 | 512 | typedef struct tdLC_TLP { 513 | DWORD cb; 514 | DWORD _Reserved1; 515 | PBYTE pb; 516 | } LC_TLP, *PLC_TLP; 517 | 518 | /* 519 | * Custom FPGA-only callback function to be called whenever a TLP is received if 520 | * set by command LC_CMD_FPGA_TLP_READ_FUNCTION_CALLBACK. 521 | * NOTE! CALLBACK FUNCTION MUST NEVER CALL LEECHCORE DUE TO RISK OF DEADLOCK! 
522 | */ 523 | typedef VOID(*PLC_TLP_READ_FUNCTION_CALLBACK)( 524 | _In_opt_ PVOID ctx, 525 | _In_ DWORD cbTlp, 526 | _In_ PBYTE pbTlp, 527 | _In_opt_ DWORD cbInfo, 528 | _In_opt_ LPSTR szInfo 529 | ); 530 | 531 | typedef struct tdLC_TLP_CALLBACK { 532 | PVOID ctx; 533 | PLC_TLP_READ_FUNCTION_CALLBACK pfn; 534 | } LC_TLP_CALLBACK, *PLC_TLP_CALLBACK; 535 | 536 | #ifdef __cplusplus 537 | } 538 | #endif /* __cplusplus */ 539 | #endif /* __LEECHCORE_H__ */ 540 | -------------------------------------------------------------------------------- /rust_dma/includes/leechcore_device.h: -------------------------------------------------------------------------------- 1 | // leechcore_device.h : external header file to be used by LeechCore plug-in 2 | // modules implemented as separate libraries. 3 | // 4 | // A LeechCore device plugin module must be placed alongside leechcore.[dll|so] 5 | // and follow the naming convention leechcore_device_xxxx.[dll|so] where xxxx 6 | // is the name of the device. 7 | // 8 | // The DLL load function must not initialize the device itself or do anything 9 | // special that may take time to perform - since the plugin module will always 10 | // be loaded even if not used. 11 | // 12 | // The plugin module must implement and export the open function: 13 | // BOOL LcPluginCreate(_In_ PLC_CONTEXT ctx); 14 | // The LcPluginCreate() function will be called whenever a new instance of the 15 | // device may be created/opened - if only one instance may be open at the same 16 | // time this should be handled by the plugin module itself. 
17 | // 18 | // (c) Ulf Frisk, 2020-2022 19 | // Author: Ulf Frisk, pcileech@frizk.net 20 | // 21 | // Header Version: 2.5 22 | // 23 | 24 | #ifndef __LEECHCORE_DEVICE_H__ 25 | #define __LEECHCORE_DEVICE_H__ 26 | #include 27 | #include "leechcore.h" 28 | 29 | #ifdef LINUX 30 | #include 31 | #include 32 | #ifndef _LINUX_DEF_CRITICAL_SECTION 33 | #define _LINUX_DEF_CRITICAL_SECTION 34 | typedef struct tdCRITICAL_SECTION { 35 | pthread_mutex_t mutex; 36 | pthread_mutexattr_t mta; 37 | } CRITICAL_SECTION, *LPCRITICAL_SECTION; 38 | #endif /* _LINUX_DEF_CRITICAL_SECTION */ 39 | #endif /* LINUX */ 40 | 41 | #define LC_CONTEXT_VERSION 0xc0e10004 42 | #define LC_DEVICE_PARAMETER_MAX_ENTRIES 0x10 43 | 44 | typedef struct tdLC_DEVICE_PARAMETER_ENTRY { 45 | CHAR szName[MAX_PATH]; 46 | CHAR szValue[MAX_PATH]; 47 | QWORD qwValue; 48 | } LC_DEVICE_PARAMETER_ENTRY, *PLC_DEVICE_PARAMETER_ENTRY; 49 | 50 | typedef struct tdLC_CONTEXT LC_CONTEXT, *PLC_CONTEXT; 51 | 52 | typedef struct tdLC_READ_CONTIGIOUS_CONTEXT { 53 | PLC_CONTEXT ctxLC; 54 | HANDLE hEventWakeup; 55 | HANDLE hEventFinish; 56 | HANDLE hThread; 57 | DWORD iRL; 58 | DWORD cMEMs; 59 | PPMEM_SCATTER ppMEMs; 60 | QWORD paBase; 61 | DWORD cbRead; 62 | DWORD cb; 63 | BYTE pb[0]; 64 | } LC_READ_CONTIGIOUS_CONTEXT, *PLC_READ_CONTIGIOUS_CONTEXT; 65 | 66 | #define LC_PRINTF_ENABLE 0 67 | #define LC_PRINTF_V 1 68 | #define LC_PRINTF_VV 2 69 | #define LC_PRINTF_VVV 3 70 | 71 | typedef struct tdLC_CONTEXT { 72 | DWORD version; // LC_CONTEXT_VERSION 73 | DWORD dwHandleCount; 74 | HANDLE FLink; 75 | union { 76 | CRITICAL_SECTION Lock; 77 | BYTE _PadLinux[48]; 78 | }; 79 | QWORD cReadScatterMEM; 80 | LC_STATISTICS CallStat; 81 | HANDLE hDeviceModule; 82 | BOOL(*pfnCreate)(_Inout_ PLC_CONTEXT ctxLC, _Out_opt_ PPLC_CONFIG_ERRORINFO ppLcCreateErrorInfo); 83 | // Config for use by devices below: 84 | LC_CONFIG Config; 85 | DWORD cDeviceParameter; 86 | LC_DEVICE_PARAMETER_ENTRY pDeviceParameter[LC_DEVICE_PARAMETER_MAX_ENTRIES]; 87 | BOOL 
fWritable; // deprecated - do not use! 88 | BOOL fPrintf[4]; 89 | HANDLE hDevice; 90 | BOOL fMultiThread; 91 | VOID(*pfnReadScatter)(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cpMEMs, _Inout_ PPMEM_SCATTER ppMEMs); 92 | VOID(*pfnReadContigious)(_Inout_ PLC_READ_CONTIGIOUS_CONTEXT ctxReadContigious); 93 | VOID(*pfnWriteScatter)(_In_ PLC_CONTEXT ctxLC, _In_ DWORD cpMEMs, _Inout_ PPMEM_SCATTER ppMEMs); 94 | BOOL(*pfnWriteContigious)(_In_ PLC_CONTEXT ctxLC, _In_ QWORD pa, _In_ DWORD cb, _In_reads_(cb) PBYTE pb); 95 | BOOL(*pfnGetOption)(_In_ PLC_CONTEXT ctxLC, _In_ QWORD fOption, _Out_ PQWORD pqwValue); 96 | BOOL(*pfnSetOption)(_In_ PLC_CONTEXT ctxLC, _In_ QWORD fOption, _In_ QWORD qwValue); 97 | BOOL(*pfnCommand)(_In_ PLC_CONTEXT ctxLC, _In_ QWORD fOption, _In_ DWORD cbDataIn, _In_reads_opt_(cbDataIn) PBYTE pbDataIn, _Out_opt_ PBYTE *ppbDataOut, _Out_opt_ PDWORD pcbDataOut); 98 | VOID(*pfnClose)(_Inout_ PLC_CONTEXT ctxLC); 99 | struct { 100 | DWORD cThread; 101 | DWORD cbChunkSize; 102 | BOOL fLoadBalance; 103 | } ReadContigious; 104 | // Internal ReadContigious functionality: 105 | struct { 106 | BOOL fActive; 107 | HANDLE hEventFinish[8]; 108 | PLC_READ_CONTIGIOUS_CONTEXT ctx[8]; 109 | } RC; 110 | // MemMap functionality: 111 | DWORD cMemMap; 112 | DWORD cMemMapMax; 113 | PLC_MEMMAP_ENTRY pMemMap; 114 | // Remote functionality: 115 | struct { 116 | BOOL fCompress; 117 | DWORD dwRpcClientId; 118 | } Rpc; 119 | } LC_CONTEXT, *PLC_CONTEXT; 120 | 121 | /* 122 | * Retrieve a device parameter by its name (if exists). 123 | * -- ctxLc 124 | * -- szName 125 | * -- return 126 | */ 127 | EXPORTED_FUNCTION PLC_DEVICE_PARAMETER_ENTRY LcDeviceParameterGet(_In_ PLC_CONTEXT ctxLC, _In_ LPSTR szName); 128 | 129 | /* 130 | * Retrieve the numeric value of a device parameter (if exists). 131 | * -- ctxLc 132 | * -- szName 133 | * -- return = the numeric value of the device parameter - 0 on fail. 
134 | */ 135 | EXPORTED_FUNCTION QWORD LcDeviceParameterGetNumeric(_In_ PLC_CONTEXT ctxLC, _In_ LPSTR szName); 136 | 137 | #define lcprintf(ctxLC, _Format, ...) { if(ctxLC->fPrintf[0]) { ctxLC->Config.pfn_printf_opt ? ctxLC->Config.pfn_printf_opt(_Format, ##__VA_ARGS__) : printf(_Format, ##__VA_ARGS__); } } 138 | #define lcprintfv(ctxLC, _Format, ...) { if(ctxLC->fPrintf[1]) { lcprintf(ctxLC, _Format, ##__VA_ARGS__); } } 139 | #define lcprintfvv(ctxLC, _Format, ...) { if(ctxLC->fPrintf[2]) { lcprintf(ctxLC, _Format, ##__VA_ARGS__); } } 140 | #define lcprintfvvv(ctxLC, _Format, ...) { if(ctxLC->fPrintf[3]) { lcprintf(ctxLC, _Format, ##__VA_ARGS__); } } 141 | #define lcprintf_fn(ctxLC, _Format, ...) { if(ctxLC->fPrintf[0]) { lcprintf(ctxLC, "%s: "_Format, __func__, ##__VA_ARGS__); } } 142 | #define lcprintfv_fn(ctxLC, _Format, ...) { if(ctxLC->fPrintf[1]) { lcprintf(ctxLC, "%s: "_Format, __func__, ##__VA_ARGS__); } } 143 | #define lcprintfvv_fn(ctxLC, _Format, ...) { if(ctxLC->fPrintf[2]) { lcprintf(ctxLC, "%s: "_Format, __func__, ##__VA_ARGS__); } } 144 | #define lcprintfvvv_fn(ctxLC, _Format, ...) { if(ctxLC->fPrintf[3]) { lcprintf(ctxLC, "%s: "_Format, __func__, ##__VA_ARGS__); } } 145 | 146 | /* 147 | * Check whether the memory map is initialized or not. 148 | * -- ctxLC 149 | * -- return 150 | */ 151 | EXPORTED_FUNCTION BOOL LcMemMap_IsInitialized(_In_ PLC_CONTEXT ctxLC); 152 | 153 | /* 154 | * Add a memory range to the memory map. 155 | * -- ctxLC 156 | * -- pa 157 | * -- cb 158 | * -- paRemap = remap offset within file (if relevant). 159 | * -- return 160 | */ 161 | _Success_(return) 162 | EXPORTED_FUNCTION BOOL LcMemMap_AddRange(_In_ PLC_CONTEXT ctxLC, _In_ QWORD pa, _In_ QWORD cb, _In_opt_ QWORD paRemap); 163 | 164 | /* 165 | * Get the max physical address from the memory map. 
166 | * -- ctxLC 167 | * -- return 168 | */ 169 | _Success_(return != 0) 170 | EXPORTED_FUNCTION QWORD LcMemMap_GetMaxAddress(_In_ PLC_CONTEXT ctxLC); 171 | 172 | #endif /* __LEECHCORE_DEVICE_H__ */ 173 | -------------------------------------------------------------------------------- /rust_dma/includes/libpdbcrust.h: -------------------------------------------------------------------------------- 1 | // C library wrapper around the rust PDB crate and related useful utilities. 2 | // 3 | // (c) Ulf Frisk, 2023 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | // Licensed under the Apache License, Version 2.0, or the MIT license , at your option. This file may not be 9 | // copied, modified, or distributed except according to those terms. 10 | // 11 | 12 | #include 13 | #include 14 | 15 | /* 16 | * Open a PDB file given its full path and return a handle to it. 17 | * The handle should be closed by calling pdbcrust_close(). 18 | */ 19 | size_t pdbcrust_open( 20 | char *sz_pdb_full_path 21 | ); 22 | 23 | /* 24 | * Close a PDB handle and free its resources. 25 | */ 26 | void pdbcrust_close( 27 | size_t hnd 28 | ); 29 | 30 | /* 31 | * Ensure that a PDB file exists on the specified path and upon success return 32 | * the full file path in sz_pdb_path_result. If the PDB file does not exist it 33 | * may optionally be downloaded from the Microsoft symbol server. 34 | * -- sz_pdb_basepath = base path (directory must exist). 35 | * -- sz_pdb_guidage = the combined GUID+AGE in uppercase hexascii string. 36 | * -- sz_pdb_name = the pdb file name. 37 | * -- is_mspdb_download = download the PDB from the microsoft symbol server. 38 | * -- len_path_path_result = byte length of sz_pdb_path_result. 39 | * -- sz_pdb_path_result = buffer to receive full pdb file path on success. 
40 | * -- return 41 | */ 42 | bool pdbcrust_pdb_download_ensure( 43 | char *sz_pdb_basepath, 44 | char *sz_pdb_guidage, 45 | char *sz_pdb_name, 46 | bool is_mspdb_download, 47 | size_t len_path_path_result, 48 | char *sz_pdb_path_result 49 | ); 50 | 51 | /* 52 | * Retrieve a symbol offset given a symbol name. 53 | * -- hnd 54 | * -- sz_symbol_name = the symbol name to retrieve 55 | * -- return = the symbol offset on success. zero on fail. 56 | */ 57 | unsigned int pdbcrust_symbol_offset( 58 | size_t hnd, 59 | char *sz_symbol_name 60 | ); 61 | 62 | /* 63 | * Retrieve a symbol name given an offset. 64 | * -- hnd 65 | * -- symbol_offset = the symbol offset. 66 | * -- len_symbol_name 67 | * -- sz_symbol_name 68 | * -- displacement = the displacement, currently not functional. 69 | * -- return 70 | */ 71 | bool pdbcrust_symbol_name_from_offset( 72 | size_t hnd, 73 | unsigned int symbol_offset, 74 | size_t len_symbol_name, 75 | char *sz_symbol_name, 76 | unsigned int *displacement 77 | ); 78 | 79 | /* 80 | * Retrieve the size of a type / struct. 81 | * -- hnd 82 | * -- sz_type_name 83 | * -- return = the type size on success, 0 on fail. 84 | */ 85 | unsigned int pdbcrust_type_size( 86 | size_t hnd, 87 | char *sz_type_name 88 | ); 89 | 90 | /* 91 | * Retrieve the child offset inside a type/struct. 92 | * -- hnd 93 | * -- sz_type_name 94 | * -- sz_type_child 95 | * -- offset_type_child = ptr to receive the child offset on success. 96 | * -- return 97 | */ 98 | bool pdbcrust_type_child_offset( 99 | size_t hnd, 100 | char *sz_type_name, 101 | char *sz_type_child, 102 | unsigned int *offset_type_child 103 | ); 104 | -------------------------------------------------------------------------------- /rust_dma/includes/public.h: -------------------------------------------------------------------------------- 1 | /* 2 | Dokan : user-mode file system library for Windows 3 | 4 | Copyright (C) 2017 - 2021 Google, Inc. 5 | Copyright (C) 2015 - 2019 Adrien J. and Maxime C. 
6 | Copyright (C) 2007 - 2011 Hiroki Asakawa 7 | 8 | http://dokan-dev.github.io 9 | 10 | This program is free software; you can redistribute it and/or modify it under 11 | the terms of the GNU Lesser General Public License as published by the Free 12 | Software Foundation; either version 3 of the License, or (at your option) any 13 | later version. 14 | 15 | This program is distributed in the hope that it will be useful, but WITHOUT ANY 16 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 17 | FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 18 | 19 | You should have received a copy of the GNU Lesser General Public License along 20 | with this program. If not, see . 21 | */ 22 | 23 | #ifndef PUBLIC_H_ 24 | #define PUBLIC_H_ 25 | 26 | #ifndef DOKAN_MAJOR_API_VERSION 27 | #define DOKAN_MAJOR_API_VERSION L"2" 28 | #include 29 | #endif 30 | 31 | #define DOKAN_DRIVER_VERSION 0x0000190 32 | 33 | #define EVENT_CONTEXT_MAX_SIZE (1024 * 32) 34 | // This is arbitrary. There isn't really an absolute max, but we marshal it in 35 | // a fixed-size buffer. 
#define VOLUME_SECURITY_DESCRIPTOR_MAX_SIZE (1024 * 16)

/*
 * DeviceIoControl control codes. Each code in this group is built with
 * CTL_CODE on FILE_DEVICE_FILE_SYSTEM, with function numbers from 0x800
 * upwards. All of them use METHOD_BUFFERED except FSCTL_EVENT_WRITE, which
 * uses METHOD_OUT_DIRECT, and all of them specify FILE_ANY_ACCESS.
 * NOTE(review): with FILE_ANY_ACCESS the I/O manager does not require read or
 * write access on the handle before it delivers the request, so any
 * restriction on who may issue these codes has to come from the device
 * object's security descriptor or from checks in the handler itself - confirm
 * against the driver source.
 */
#define FSCTL_GET_VERSION \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_SET_DEBUG_MODE \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_EVENT_RELEASE \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_EVENT_START \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x805, METHOD_BUFFERED, FILE_ANY_ACCESS)

// The only code in this group that uses METHOD_OUT_DIRECT.
#define FSCTL_EVENT_WRITE \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x806, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)

#define FSCTL_RESET_TIMEOUT \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80B, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_GET_ACCESS_TOKEN \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80C, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_EVENT_MOUNTPOINT_LIST \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80D, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_MOUNTPOINT_CLEANUP \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80E, METHOD_BUFFERED, FILE_ANY_ACCESS)

// DeviceIoControl code to send to a keepalive handle to activate it (see the
// documentation for the keepalive flags in the DokanFCB struct).
#define FSCTL_ACTIVATE_KEEPALIVE \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x80F, METHOD_BUFFERED, FILE_ANY_ACCESS)

// DeviceIoControl code to send path notification request.
#define FSCTL_NOTIFY_PATH \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x810, METHOD_BUFFERED, FILE_ANY_ACCESS)

// DeviceIoControl code to retrieve the VOLUME_METRICS struct for the targeted
// volume.
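#define FSCTL_GET_VOLUME_METRICS \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x811, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define FSCTL_EVENT_PROCESS_N_PULL \
  CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 0x812, METHOD_BUFFERED, FILE_ANY_ACCESS)

/*
 * The rest of this section holds plain constants, flag bits and the
 * fixed-layout structures that carry requests and replies between the kernel
 * mode driver and the user mode library.
 * NOTE(review): several structures below end in a one-element array or carry
 * byte offsets next to a separate length field. Presumably the real payload
 * extends past the declared struct, so a receiver on either side of the
 * boundary should check every length and offset against the size of the
 * buffer it actually received before reading - confirm in the consuming code.
 */

#define DRIVER_FUNC_INSTALL 0x01
#define DRIVER_FUNC_REMOVE 0x02

#define DOKAN_MOUNTED 1
#define DOKAN_USED 2
#define DOKAN_START_FAILED 3

#define DOKAN_DEVICE_MAX 10

#define DOKAN_DEFAULT_SECTOR_SIZE 512
#define DOKAN_DEFAULT_ALLOCATION_UNIT_SIZE 512
// Parenthesized so the product stays a single operand wherever the macro is
// expanded (for example as a divisor), matching the other size macros here.
#define DOKAN_DEFAULT_DISK_SIZE (1024 * 1024 * 1024)

// used in CCB->Flags and FCB->Flags
// Each value is a distinct power of two, so the flags can be OR-ed together.
#define DOKAN_FILE_DIRECTORY 1
#define DOKAN_FILE_DELETED 2
#define DOKAN_FILE_OPENED 4
#define DOKAN_DIR_MATCH_ALL 8
#define DOKAN_DELETE_ON_CLOSE 16
#define DOKAN_PAGING_IO 32
#define DOKAN_SYNCHRONOUS_IO 64
#define DOKAN_WRITE_TO_END_OF_FILE 128
#define DOKAN_NOCACHE 256
#define DOKAN_RETRY_CREATE 512
#define DOKAN_EVER_USED_IN_NOTIFY_LIST 1024
#define DOKAN_FILE_CHANGE_LAST_WRITE 2048

// used in DOKAN_START->DeviceType
#define DOKAN_DISK_FILE_SYSTEM 0
#define DOKAN_NETWORK_FILE_SYSTEM 1

// Special files that are tagged for a specific FS purpose when their FCB is
// initialized.
// Note: These file names can no longer be used by a userland FS correctly.
#define DOKAN_KEEPALIVE_FILE_NAME L"\\__drive_fs_keepalive"
#define DOKAN_NOTIFICATION_FILE_NAME L"\\drive_fs_notification"

// The minimum FCB garbage collection interval, below which the parameter is
// ignored (instantaneous deletion with an interval of 0 is more efficient than
// using the machinery with a tight interval).
#define MIN_FCB_GARBAGE_COLLECTION_INTERVAL 500

/*
 * This structure is used for copying UNICODE_STRING from the kernel mode driver
 * into the user mode driver.
 * https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
 * NOTE(review): Buffer is declared with a single element; presumably the
 * string data continues past the struct and Length / MaximumLength describe
 * it - verify both against the enclosing message size before use.
 */
typedef struct _DOKAN_UNICODE_STRING_INTERMEDIATE {
  USHORT Length;
  USHORT MaximumLength;
  WCHAR Buffer[1];
} DOKAN_UNICODE_STRING_INTERMEDIATE, *PDOKAN_UNICODE_STRING_INTERMEDIATE;

/*
 * This structure is used for sending notify path information from the user mode
 * driver to the kernel mode driver. See below links for parameter details for
 * CompletionFilter and Action, and FsRtlNotifyFullReportChange call.
 * https://msdn.microsoft.com/en-us/library/windows/hardware/ff547026(v=vs.85).aspx
 * https://msdn.microsoft.com/en-us/library/windows/hardware/ff547041(v=vs.85).aspx
 */
typedef struct _DOKAN_NOTIFY_PATH_INTERMEDIATE {
  ULONG CompletionFilter;
  ULONG Action;
  USHORT Length;
  WCHAR Buffer[1];
} DOKAN_NOTIFY_PATH_INTERMEDIATE, *PDOKAN_NOTIFY_PATH_INTERMEDIATE;

/*
 * This structure is used for copying ACCESS_STATE from the kernel mode driver
 * into the user mode driver.
 * https://msdn.microsoft.com/en-us/library/windows/hardware/ff538840(v=vs.85).aspx
 * NOTE(review): the three *Offset members are relative to the start of this
 * structure; presumably each offset, plus the object it points to, must be
 * checked to lie inside the received buffer before it is dereferenced -
 * confirm in the consuming code.
 */
typedef struct _DOKAN_ACCESS_STATE_INTERMEDIATE {
  BOOLEAN SecurityEvaluated;
  BOOLEAN GenerateAudit;
  BOOLEAN GenerateOnClose;
  BOOLEAN AuditPrivileges;
  ULONG Flags;
  ACCESS_MASK RemainingDesiredAccess;
  ACCESS_MASK PreviouslyGrantedAccess;
  ACCESS_MASK OriginalDesiredAccess;

  // Offset from the beginning of this structure to a SECURITY_DESCRIPTOR
  // if 0 that means there is no security descriptor
  ULONG SecurityDescriptorOffset;

  // Offset from the beginning of this structure to a
  // DOKAN_UNICODE_STRING_INTERMEDIATE
  ULONG UnicodeStringObjectNameOffset;

  // Offset from the beginning of this structure to a
  // DOKAN_UNICODE_STRING_INTERMEDIATE
  ULONG UnicodeStringObjectTypeOffset;
} DOKAN_ACCESS_STATE_INTERMEDIATE, *PDOKAN_ACCESS_STATE_INTERMEDIATE;

// Same leading members as DOKAN_ACCESS_STATE_INTERMEDIATE, but with a
// PSECURITY_DESCRIPTOR and two UNICODE_STRING members in place of the three
// offsets.
typedef struct _DOKAN_ACCESS_STATE {
  BOOLEAN SecurityEvaluated;
  BOOLEAN GenerateAudit;
  BOOLEAN GenerateOnClose;
  BOOLEAN AuditPrivileges;
  ULONG Flags;
  ACCESS_MASK RemainingDesiredAccess;
  ACCESS_MASK PreviouslyGrantedAccess;
  ACCESS_MASK OriginalDesiredAccess;
  PSECURITY_DESCRIPTOR SecurityDescriptor;
  UNICODE_STRING ObjectName;
  UNICODE_STRING ObjectType;
} DOKAN_ACCESS_STATE, *PDOKAN_ACCESS_STATE;

/*
 * This structure is used for copying IO_SECURITY_CONTEXT from the kernel mode
 * driver into the user mode driver.
 * https://msdn.microsoft.com/en-us/library/windows/hardware/ff550613(v=vs.85).aspx
 */
typedef struct _DOKAN_IO_SECURITY_CONTEXT_INTERMEDIATE {
  DOKAN_ACCESS_STATE_INTERMEDIATE AccessState;
  ACCESS_MASK DesiredAccess;
} DOKAN_IO_SECURITY_CONTEXT_INTERMEDIATE,
    *PDOKAN_IO_SECURITY_CONTEXT_INTERMEDIATE;

typedef struct _DOKAN_IO_SECURITY_CONTEXT {
  DOKAN_ACCESS_STATE AccessState;
  ACCESS_MASK DesiredAccess;
} DOKAN_IO_SECURITY_CONTEXT, *PDOKAN_IO_SECURITY_CONTEXT;

// Per-operation payloads carried in EVENT_CONTEXT.Operation (see the union in
// EVENT_CONTEXT below).
typedef struct _CREATE_CONTEXT {
  DOKAN_IO_SECURITY_CONTEXT_INTERMEDIATE SecurityContext;
  ULONG FileAttributes;
  ULONG CreateOptions;
  ULONG ShareAccess;
  ULONG FileNameLength;

  // Offset from the beginning of this structure to the string
  // NOTE(review): presumably FileNameOffset + FileNameLength must stay inside
  // the received event before the name is read - confirm in the consumer.
  ULONG FileNameOffset;
} CREATE_CONTEXT, *PCREATE_CONTEXT;

typedef struct _CLEANUP_CONTEXT {
  ULONG FileNameLength;
  WCHAR FileName[1];

} CLEANUP_CONTEXT, *PCLEANUP_CONTEXT;

typedef struct _CLOSE_CONTEXT {
  ULONG FileNameLength;
  WCHAR FileName[1];

} CLOSE_CONTEXT, *PCLOSE_CONTEXT;

// NOTE(review): SearchPatternBase is declared directly after the one-element
// DirectoryName array, so presumably SearchPatternOffset is what locates the
// pattern once the directory name is longer than one WCHAR - confirm.
typedef struct _DIRECTORY_CONTEXT {
  ULONG FileInformationClass;
  ULONG FileIndex;
  ULONG BufferLength;
  ULONG DirectoryNameLength;
  ULONG SearchPatternLength;
  ULONG SearchPatternOffset;
  WCHAR DirectoryName[1];
  WCHAR SearchPatternBase[1];

} DIRECTORY_CONTEXT, *PDIRECTORY_CONTEXT;

typedef struct _READ_CONTEXT {
  LARGE_INTEGER ByteOffset;
  ULONG BufferLength;
  ULONG FileNameLength;
  WCHAR FileName[1];
} READ_CONTEXT, *PREAD_CONTEXT;

typedef struct _WRITE_CONTEXT {
  LARGE_INTEGER ByteOffset;
  ULONG BufferLength;
  ULONG BufferOffset;
  ULONG RequestLength;
  ULONG FileNameLength;
  WCHAR FileName[2];
  // "2" means to keep last null of contents to write
} WRITE_CONTEXT, *PWRITE_CONTEXT;

typedef struct _FILEINFO_CONTEXT {
  ULONG FileInformationClass;
  ULONG BufferLength;
  ULONG FileNameLength;
  WCHAR FileName[1];
} FILEINFO_CONTEXT, *PFILEINFO_CONTEXT;

typedef struct _SETFILE_CONTEXT {
  ULONG FileInformationClass;
  ULONG BufferLength;
  ULONG BufferOffset;
  ULONG FileNameLength;
  WCHAR FileName[1];
} SETFILE_CONTEXT, *PSETFILE_CONTEXT;

typedef struct _VOLUME_CONTEXT {
  ULONG FsInformationClass;
  ULONG BufferLength;
} VOLUME_CONTEXT, *PVOLUME_CONTEXT;

typedef struct _LOCK_CONTEXT {
  LARGE_INTEGER ByteOffset;
  LARGE_INTEGER Length;
  ULONG Key;
  ULONG FileNameLength;
  WCHAR FileName[1];
} LOCK_CONTEXT, *PLOCK_CONTEXT;

typedef struct _FLUSH_CONTEXT {
  ULONG FileNameLength;
  WCHAR FileName[1];
} FLUSH_CONTEXT, *PFLUSH_CONTEXT;

typedef struct _UNMOUNT_CONTEXT {
  WCHAR DeviceName[64];
  ULONG Option;
} UNMOUNT_CONTEXT, *PUNMOUNT_CONTEXT;

typedef struct _SECURITY_CONTEXT {
  SECURITY_INFORMATION SecurityInformation;
  ULONG BufferLength;
  ULONG FileNameLength;
  WCHAR FileName[1];
} SECURITY_CONTEXT, *PSECURITY_CONTEXT;

typedef struct _SET_SECURITY_CONTEXT {
  SECURITY_INFORMATION SecurityInformation;
  ULONG BufferLength;
  ULONG BufferOffset;
  ULONG FileNameLength;
  WCHAR FileName[1];
} SET_SECURITY_CONTEXT, *PSET_SECURITY_CONTEXT;

// Common event header followed by a union with one member per operation type.
// NOTE(review): Length is presumably the total size of the marshalled event
// including any trailing data - verify, and compare it with the size actually
// received before trusting the lengths and offsets inside Operation.
typedef struct _EVENT_CONTEXT {
  ULONG Length;
  ULONG MountId;
  ULONG SerialNumber;
  ULONG ProcessId;
  UCHAR MajorFunction;
  UCHAR MinorFunction;
  ULONG Flags;
  ULONG FileFlags;
  ULONG64 Context;
  union {
    DIRECTORY_CONTEXT Directory;
    READ_CONTEXT Read;
    WRITE_CONTEXT Write;
    FILEINFO_CONTEXT File;
    CREATE_CONTEXT Create;
    CLOSE_CONTEXT Close;
    SETFILE_CONTEXT SetFile;
    CLEANUP_CONTEXT Cleanup;
    LOCK_CONTEXT Lock;
    VOLUME_CONTEXT Volume;
    FLUSH_CONTEXT Flush;
    UNMOUNT_CONTEXT Unmount;
    SECURITY_CONTEXT Security;
    SET_SECURITY_CONTEXT SetSecurity;
  } Operation;
} EVENT_CONTEXT, *PEVENT_CONTEXT;

// The output from FSCTL_GET_VOLUME_METRICS.
typedef struct _VOLUME_METRICS {
  ULONG64 NormalFcbGarbageCollectionCycles;
  // A "cycle" can consist of multiple "passes".
  ULONG64 NormalFcbGarbageCollectionPasses;
  ULONG64 ForcedFcbGarbageCollectionPasses;
  ULONG64 FcbAllocations;
  ULONG64 FcbDeletions;
  // A "cancellation" is when a single FCB's garbage collection gets canceled.
  ULONG64 FcbGarbageCollectionCancellations;
  // Number of IRPs with a too large buffer that could not be registered for
  // being forwarded to userland.
  ULONG64 LargeIRPRegistrationCanceled;
} VOLUME_METRICS, *PVOLUME_METRICS;

// EVENT_CONTEXT_MAX_SIZE (defined earlier in this header) minus the fixed
// EVENT_CONTEXT header and 256 WCHARs (presumably room for the file name).
#define WRITE_MAX_SIZE                                                         \
  (EVENT_CONTEXT_MAX_SIZE - sizeof(EVENT_CONTEXT) - 256 * sizeof(WCHAR))

#define DOKAN_EVENT_INFO_MIN_BUFFER_SIZE 8
#define DOKAN_EVENT_INFO_DEFAULT_BUFFER_SIZE (1024 * 4)

// Reply record: common fields, a union with one anonymous struct per
// operation type, then a buffer declared at its minimum size.
// NOTE(review): Buffer is declared with DOKAN_EVENT_INFO_MIN_BUFFER_SIZE
// bytes while BufferLength is a separate field; presumably the allocation is
// larger than the struct and BufferLength must be checked against it - verify.
typedef struct _EVENT_INFORMATION {
  ULONG SerialNumber;
  NTSTATUS Status;
  ULONG Flags;
  union {
    struct {
      ULONG Index;
    } Directory;
    struct {
      ULONG Flags;
      ULONG Information;
    } Create;
    struct {
      LARGE_INTEGER CurrentByteOffset;
    } Read;
    struct {
      LARGE_INTEGER CurrentByteOffset;
    } Write;
    struct {
      UCHAR DeleteOnClose;
    } Delete;
    struct {
      ULONG Timeout;
    } ResetTimeout;
    struct {
      HANDLE Handle;
    } AccessToken;
  } Operation;
  ULONG64 Context;
  ULONG BufferLength;
  ULONG PullEventTimeoutMs;
  UCHAR Buffer[DOKAN_EVENT_INFO_MIN_BUFFER_SIZE];
} EVENT_INFORMATION, *PEVENT_INFORMATION;

// By default we pool EVENT_INFORMATION objects with a 4k buffer (1 page) as
// most read/writes are this size or smaller
#define DOKAN_EVENT_INFO_DEFAULT_SIZE                                          \
  (FIELD_OFFSET(EVENT_INFORMATION, Buffer) +                                   \
   DOKAN_EVENT_INFO_DEFAULT_BUFFER_SIZE)

// Dokan mount options
#define DOKAN_EVENT_ALTERNATIVE_STREAM_ON 1
#define DOKAN_EVENT_WRITE_PROTECT (1 << 1)
#define DOKAN_EVENT_REMOVABLE (1 << 2)
#define DOKAN_EVENT_MOUNT_MANAGER (1 << 3)
#define DOKAN_EVENT_CURRENT_SESSION (1 << 4)
#define DOKAN_EVENT_FILELOCK_USER_MODE (1 << 5)
// CaseSensitive FileName: NTFS can look to be case-insensitive
// but in some situations it can also be case-sensitive:
// * NTFS keeps the filename casing used during Create internally.
// * Open "MyFile" on NTFS can open "MYFILE" if it exists.
// * FILE_FLAG_POSIX_SEMANTICS (IRP_MJ_CREATE: SL_CASE_SENSITIVE)
//   can be used during Create to make the lookup case-sensitive.
// * Since Win10, NTFS can have specific directories
//   case-sensitive / insensitive, even if the device tags says otherwise.
// Dokan chooses to support a case-sensitive or case-insensitive filesystem
// but not those NTFS specific scenarios.
#define DOKAN_EVENT_CASE_SENSITIVE (1 << 6)
// Enables unmounting of network drives via file explorer
#define DOKAN_EVENT_ENABLE_NETWORK_UNMOUNT (1 << 7)
#define DOKAN_EVENT_DISPATCH_DRIVER_LOGS (1 << 8)
#define DOKAN_EVENT_ALLOW_IPC_BATCHING (1 << 9)
#define DOKAN_EVENT_DRIVE_LETTER_IN_USE (1 << 10)

// Non-exclusive bits that can be set in EVENT_DRIVER_INFO.Flags for the driver
// to send back extra info about what happened during a mount attempt, whether
// or not it succeeded.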

// The volume arrival notification did not trigger mounting as expected, so an
// explicit request was made to the mount manager.
#define DOKAN_DRIVER_INFO_MOUNT_FORCED 1

// Dokan did not specify a preferred drive letter in response to the suggested
// link name query from the mount manager. This happens if we know the preferred
// drive letter is in use, and want the mount manager to select one.
#define DOKAN_DRIVER_INFO_AUTO_ASSIGN_REQUESTED 2

// Dokan unmounted and then reused the preferred drive letter, because it was
// determined to be another dokan drive owned by the same Windows user.
#define DOKAN_DRIVER_INFO_OLD_DRIVE_UNMOUNTED 4

// Dokan determined that the preferred drive letter was in use by a dokan drive
// owned by a different Windows user. If this is set, then
// DOKAN_DRIVER_INFO_AUTO_ASSIGNED is also set.
// NOTE(review): no macro named DOKAN_DRIVER_INFO_AUTO_ASSIGNED is defined in
// this group; presumably DOKAN_DRIVER_INFO_AUTO_ASSIGN_REQUESTED (value 2) is
// meant - confirm against the driver source.
#define DOKAN_DRIVER_INFO_OLD_DRIVE_LEFT_MOUNTED 8

// The dokan driver is returning a mount response to the DLL before the mount
// manager has actually assigned a drive letter. We are not sure if this ever
// happens; if so, it should be very rare.
#define DOKAN_DRIVER_INFO_NO_MOUNT_POINT_ASSIGNED 16

// Dokan failed to set the reparse point for the mount point folder provided.
452 | #define DOKAN_DRIVER_INFO_SET_REPARSE_POINT_FAILED 32 453 | 454 | typedef struct _EVENT_DRIVER_INFO { 455 | ULONG DriverVersion; 456 | ULONG Status; 457 | ULONG Flags; 458 | ULONG DeviceNumber; 459 | ULONG MountId; 460 | WCHAR DeviceName[64]; 461 | WCHAR ActualDriveLetter; 462 | } EVENT_DRIVER_INFO, *PEVENT_DRIVER_INFO; 463 | 464 | typedef struct _EVENT_START { 465 | ULONG UserVersion; 466 | ULONG DeviceType; 467 | ULONG Flags; 468 | WCHAR MountPoint[260]; 469 | WCHAR UNCName[64]; 470 | ULONG IrpTimeout; 471 | ULONG FcbGarbageCollectionIntervalMs; 472 | ULONG VolumeSecurityDescriptorLength; 473 | CHAR VolumeSecurityDescriptor[VOLUME_SECURITY_DESCRIPTOR_MAX_SIZE]; 474 | } EVENT_START, *PEVENT_START; 475 | 476 | #ifdef _MSC_VER 477 | #pragma warning(push) 478 | #pragma warning(disable : 4201) 479 | #endif 480 | typedef struct _DOKAN_RENAME_INFORMATION { 481 | #if (_WIN32_WINNT >= _WIN32_WINNT_WIN10_RS1) 482 | union { 483 | BOOLEAN ReplaceIfExists; // FileRenameInformation 484 | ULONG Flags; // FileRenameInformationEx 485 | } DUMMYUNIONNAME; 486 | #else 487 | BOOLEAN ReplaceIfExists; 488 | #endif 489 | ULONG FileNameLength; 490 | WCHAR FileName[1]; 491 | } DOKAN_RENAME_INFORMATION, *PDOKAN_RENAME_INFORMATION; 492 | #ifdef _MSC_VER 493 | #pragma warning(pop) 494 | #endif 495 | 496 | typedef struct _DOKAN_LINK_INFORMATION { 497 | BOOLEAN ReplaceIfExists; 498 | ULONG FileNameLength; 499 | WCHAR FileName[1]; 500 | } DOKAN_LINK_INFORMATION, *PDOKAN_LINK_INFORMATION; 501 | 502 | /** 503 | * \struct DOKAN_MOUNT_POINT_INFO 504 | * \brief Dokan Mount point information 505 | */ 506 | typedef struct _DOKAN_MOUNT_POINT_INFO { 507 | /** File System Type */ 508 | ULONG Type; 509 | /** Mount point. 
Can be "M:\" (drive letter) or "C:\mount\dokan" (path in NTFS) */ 510 | WCHAR MountPoint[MAX_PATH]; 511 | /** UNC name used for network volume */ 512 | WCHAR UNCName[64]; 513 | /** Disk Device Name */ 514 | WCHAR DeviceName[64]; 515 | /** Session ID of calling process */ 516 | ULONG SessionId; 517 | /** Contains information about the flags on the mount */ 518 | ULONG MountOptions; 519 | } DOKAN_MOUNT_POINT_INFO, *PDOKAN_MOUNT_POINT_INFO; 520 | 521 | // Dokan Major IRP values dispatched to userland for custom request with 522 | // EVENT_CONTEXT. 523 | #define DOKAN_IRP_LOG_MESSAGE 0x20 524 | 525 | // Driver log message disptached during DOKAN_IRP_LOG_MESSAGE event. 526 | typedef struct _DOKAN_LOG_MESSAGE { 527 | ULONG MessageLength; 528 | CHAR Message[1]; 529 | } DOKAN_LOG_MESSAGE, *PDOKAN_LOG_MESSAGE; 530 | 531 | #endif // PUBLIC_H_ 532 | -------------------------------------------------------------------------------- /rust_dma/includes/vmmyara.h: -------------------------------------------------------------------------------- 1 | // vmmyara.h : External headers of the YARA API wrapper for MemProcFS. 2 | // 3 | // (c) Ulf Frisk, 2023 4 | // Author: Ulf Frisk, pcileech@frizk.net 5 | // 6 | // 7 | // VmmYara is a library that provides a YARA API wrapper for C/C++ projects 8 | // and is used by MemProcFS to provide YARA scanning of memory dumps. 
9 | // 10 | // For more information please consult the VmmYara information on Github: 11 | // - README: https://github.com/ufrisk/vmmyara 12 | // 13 | // (c) Ulf Frisk, 2023 14 | // Author: Ulf Frisk, pcileech@frizk.net 15 | // 16 | // Header Version: 4.3.1.4 17 | // 18 | 19 | #ifndef __VMMYARA_H__ 20 | #define __VMMYARA_H__ 21 | #ifdef __cplusplus 22 | extern "C" { 23 | #endif /* __cplusplus */ 24 | 25 | //----------------------------------------------------------------------------- 26 | // OS COMPATIBILITY BELOW: 27 | //----------------------------------------------------------------------------- 28 | 29 | #ifdef _WIN32 30 | #include 31 | #ifndef EXPORTED_FUNCTION 32 | #define EXPORTED_FUNCTION 33 | #endif /* EXPORTED_FUNCTION */ 34 | #endif /* _WIN32 */ 35 | #ifdef LINUX 36 | #include 37 | #include 38 | #ifndef EXPORTED_FUNCTION 39 | #define EXPORTED_FUNCTION __attribute__((visibility("default"))) 40 | #endif /* EXPORTED_FUNCTION */ 41 | typedef uint32_t BOOL; 42 | typedef void VOID, *PVOID, *HANDLE; 43 | typedef size_t SIZE_T; 44 | typedef uint32_t DWORD, *PDWORD; 45 | typedef uint8_t BYTE, *PBYTE; 46 | typedef char CHAR, *LPSTR; 47 | #define _In_ 48 | #define _In_reads_(x) 49 | #define _In_reads_bytes_(x) 50 | #define _Out_ 51 | #define _Success_(x) 52 | #endif /* LINUX */ 53 | 54 | typedef int VMMYARA_ERROR; // corresponds exactly to YR_ERROR 55 | typedef struct HANDLE *PVMMYARA_RULES; 56 | 57 | // defines from yara error.h 58 | #define VMMYARA_ERROR_SUCCESS 0 59 | #define VMMYARA_ERROR_INSUFFICIENT_MEMORY 1 60 | #define VMMYARA_ERROR_COULD_NOT_ATTACH_TO_PROCESS 2 61 | #define VMMYARA_ERROR_COULD_NOT_OPEN_FILE 3 62 | #define VMMYARA_ERROR_COULD_NOT_MAP_FILE 4 63 | #define VMMYARA_ERROR_INVALID_FILE 6 64 | #define VMMYARA_ERROR_CORRUPT_FILE 7 65 | #define VMMYARA_ERROR_UNSUPPORTED_FILE_VERSION 8 66 | #define VMMYARA_ERROR_INVALID_REGULAR_EXPRESSION 9 67 | #define VMMYARA_ERROR_INVALID_HEX_STRING 10 68 | #define VMMYARA_ERROR_SYNTAX_ERROR 11 69 | #define 
VMMYARA_ERROR_LOOP_NESTING_LIMIT_EXCEEDED 12 70 | #define VMMYARA_ERROR_DUPLICATED_LOOP_IDENTIFIER 13 71 | #define VMMYARA_ERROR_DUPLICATED_IDENTIFIER 14 72 | #define VMMYARA_ERROR_DUPLICATED_TAG_IDENTIFIER 15 73 | #define VMMYARA_ERROR_DUPLICATED_META_IDENTIFIER 16 74 | #define VMMYARA_ERROR_DUPLICATED_STRING_IDENTIFIER 17 75 | #define VMMYARA_ERROR_UNREFERENCED_STRING 18 76 | #define VMMYARA_ERROR_UNDEFINED_STRING 19 77 | #define VMMYARA_ERROR_UNDEFINED_IDENTIFIER 20 78 | #define VMMYARA_ERROR_MISPLACED_ANONYMOUS_STRING 21 79 | #define VMMYARA_ERROR_INCLUDES_CIRCULAR_REFERENCE 22 80 | #define VMMYARA_ERROR_INCLUDE_DEPTH_EXCEEDED 23 81 | #define VMMYARA_ERROR_WRONG_TYPE 24 82 | #define VMMYARA_ERROR_EXEC_STACK_OVERFLOW 25 83 | #define VMMYARA_ERROR_SCAN_TIMEOUT 26 84 | #define VMMYARA_ERROR_TOO_MANY_SCAN_THREADS 27 85 | #define VMMYARA_ERROR_CALLBACK_ERROR 28 86 | #define VMMYARA_ERROR_INVALID_ARGUMENT 29 87 | #define VMMYARA_ERROR_TOO_MANY_MATCHES 30 88 | #define VMMYARA_ERROR_INTERNAL_FATAL_ERROR 31 89 | #define VMMYARA_ERROR_NESTED_FOR_OF_LOOP 32 90 | #define VMMYARA_ERROR_INVALID_FIELD_NAME 33 91 | #define VMMYARA_ERROR_UNKNOWN_MODULE 34 92 | #define VMMYARA_ERROR_NOT_A_STRUCTURE 35 93 | #define VMMYARA_ERROR_NOT_INDEXABLE 36 94 | #define VMMYARA_ERROR_NOT_A_FUNCTION 37 95 | #define VMMYARA_ERROR_INVALID_FORMAT 38 96 | #define VMMYARA_ERROR_TOO_MANY_ARGUMENTS 39 97 | #define VMMYARA_ERROR_WRONG_ARGUMENTS 40 98 | #define VMMYARA_ERROR_WRONG_RETURN_TYPE 41 99 | #define VMMYARA_ERROR_DUPLICATED_STRUCTURE_MEMBER 42 100 | #define VMMYARA_ERROR_EMPTY_STRING 43 101 | #define VMMYARA_ERROR_DIVISION_BY_ZERO 44 102 | #define VMMYARA_ERROR_REGULAR_EXPRESSION_TOO_LARGE 45 103 | #define VMMYARA_ERROR_TOO_MANY_RE_FIBERS 46 104 | #define VMMYARA_ERROR_COULD_NOT_READ_PROCESS_MEMORY 47 105 | #define VMMYARA_ERROR_INVALID_EXTERNAL_VARIABLE_TYPE 48 106 | #define VMMYARA_ERROR_REGULAR_EXPRESSION_TOO_COMPLEX 49 107 | #define VMMYARA_ERROR_INVALID_MODULE_NAME 50 108 | #define 
VMMYARA_ERROR_TOO_MANY_STRINGS 51 109 | #define VMMYARA_ERROR_INTEGER_OVERFLOW 52 110 | #define VMMYARA_ERROR_CALLBACK_REQUIRED 53 111 | #define VMMYARA_ERROR_INVALID_OPERAND 54 112 | #define VMMYARA_ERROR_COULD_NOT_READ_FILE 55 113 | #define VMMYARA_ERROR_DUPLICATED_EXTERNAL_VARIABLE 56 114 | #define VMMYARA_ERROR_INVALID_MODULE_DATA 57 115 | #define VMMYARA_ERROR_WRITING_FILE 58 116 | #define VMMYARA_ERROR_INVALID_MODIFIER 59 117 | #define VMMYARA_ERROR_DUPLICATED_MODIFIER 60 118 | #define VMMYARA_ERROR_BLOCK_NOT_READY 61 119 | #define VMMYARA_ERROR_INVALID_PERCENTAGE 62 120 | #define VMMYARA_ERROR_IDENTIFIER_MATCHES_WILDCARD 63 121 | #define VMMYARA_ERROR_INVALID_VALUE 64 122 | 123 | // defines from yara scan.h 124 | #define VMMYARA_SCAN_FLAGS_FAST_MODE 1 125 | #define VMMYARA_SCAN_FLAGS_PROCESS_MEMORY 2 126 | #define VMMYARA_SCAN_FLAGS_NO_TRYCATCH 4 127 | #define VMMYARA_SCAN_FLAGS_REPORT_RULES_MATCHING 8 128 | #define VMMYARA_SCAN_FLAGS_REPORT_RULES_NOT_MATCHING 16 129 | 130 | 131 | 132 | /* 133 | * Load a compiled yara rule file. 134 | * -- szCompiledFileRules = the file path of the compiled yara rule file to load. 135 | * -- phVmmYaraRules = pointer to a PVMMYARA_RULES variable that will receive 136 | * the handle to the loaded rule set on success. 137 | * -- return = VMMYARA_ERROR_SUCCESS on success, otherwise a yara error. 138 | */ 139 | _Success_(return == VMMYARA_ERROR_SUCCESS) 140 | VMMYARA_ERROR VmmYara_RulesLoadCompiled( 141 | _In_ LPSTR szCompiledFileRules, 142 | _Out_ PVMMYARA_RULES *phVmmYaraRules 143 | ); 144 | 145 | /* 146 | * Load one or multiple yara rules from either memory or source files. 147 | * -- cszSourceCombinedRules = the number of source files/strings to load. 148 | * -- pszSourceCombinedRules = array of source file paths/strings to load. 149 | * -- phVmmYaraRules = pointer to a PVMMYARA_RULES variable that will receive the 150 | * handle to the loaded rule set on success. 
151 | * -- return = VMMYARA_ERROR_SUCCESS on success, otherwise a yara error. 152 | */ 153 | EXPORTED_FUNCTION 154 | _Success_(return == VMMYARA_ERROR_SUCCESS) 155 | VMMYARA_ERROR VmmYara_RulesLoadSourceCombined( 156 | _In_ DWORD cszSourceCombinedRules, 157 | _In_reads_(cszSourceCombinedRules) LPSTR pszSourceCombinedRules[], 158 | _Out_ PVMMYARA_RULES *phVmmYaraRules 159 | ); 160 | 161 | /* 162 | * Load one or multiple yara rules from source files. 163 | * -- cszSourceFileRules = the number of source files to load. 164 | * -- pszSourceFileRules = array of source file paths to load. 165 | * -- phVmmYaraRules = pointer to a PVMMYARA_RULES variable that will receive 166 | * the handle to the loaded rule set on success. 167 | * -- return = VMMYARA_ERROR_SUCCESS on success, otherwise a yara error. 168 | */ 169 | _Success_(return == VMMYARA_ERROR_SUCCESS) 170 | VMMYARA_ERROR VmmYara_RulesLoadSourceFile( 171 | _In_ DWORD cszSourceFileRules, 172 | _In_reads_(cszSourceFileRules) LPSTR pszSourceFileRules[], 173 | _Out_ PVMMYARA_RULES *phVmmYaraRules 174 | ); 175 | 176 | /* 177 | * Load one or multiple yara rules from in-memory source strings. 178 | * -- cszSourceStringRules = the number of source strings to load. 179 | * -- pszSourceStringRules = array of source strings to load. 180 | * -- phVmmYaraRules = pointer to a PVMMYARA_RULES variable that will receive 181 | * the handle to the loaded rule set on success. 182 | * -- return = VMMYARA_ERROR_SUCCESS on success, otherwise a yara error. 183 | */ 184 | _Success_(return == VMMYARA_ERROR_SUCCESS) 185 | VMMYARA_ERROR VmmYara_RulesLoadSourceString( 186 | _In_ DWORD cszSourceStringRules, 187 | _In_reads_(cszSourceStringRules) LPSTR pszSourceStringRules[], 188 | _Out_ PVMMYARA_RULES *phVmmYaraRules 189 | ); 190 | 191 | /* 192 | * Destroy a previously loaded rule set. 193 | * -- hVmmYaraRules = the handle to the rule set to destroy. 194 | * -- return = VMMYARA_ERROR_SUCCESS on success, otherwise a yara error. 
195 | */ 196 | _Success_(return == VMMYARA_ERROR_SUCCESS) 197 | VMMYARA_ERROR VmmYara_RulesDestroy(_In_ PVMMYARA_RULES hVmmYaraRules); 198 | 199 | #define VMMYARA_RULE_MATCH_FLAG_MEMPROCFS 1 200 | #define VMMYARA_RULE_MATCH_FLAG_SUPPRESS 2 201 | 202 | 203 | // =========== START SHARED STRUCTS WITH =========== 204 | #ifndef VMMYARA_RULE_MATCH_DEFINED 205 | #define VMMYARA_RULE_MATCH_DEFINED 206 | 207 | #define VMMYARA_RULE_MATCH_VERSION 0xfedc0003 208 | #define VMMYARA_RULE_MATCH_TAG_MAX 8 209 | #define VMMYARA_RULE_MATCH_META_MAX 16 210 | #define VMMYARA_RULE_MATCH_STRING_MAX 8 211 | #define VMMYARA_RULE_MATCH_OFFSET_MAX 16 212 | 213 | /* 214 | * Struct with match information upon a match in VmmYara_ScanMemory(). Consumers should check dwVersion against VMMYARA_RULE_MATCH_VERSION and bound cTags, cMeta, cStrings and cMatch by the matching VMMYARA_RULE_MATCH_*_MAX constant before indexing the arrays. 215 | */ 216 | typedef struct tdVMMYARA_RULE_MATCH { 217 | DWORD dwVersion; // VMMYARA_RULE_MATCH_VERSION 218 | DWORD flags; 219 | LPSTR szRuleIdentifier; 220 | DWORD cTags; 221 | LPSTR szTags[VMMYARA_RULE_MATCH_TAG_MAX]; 222 | DWORD cMeta; 223 | struct { 224 | LPSTR szIdentifier; 225 | LPSTR szString; 226 | } Meta[VMMYARA_RULE_MATCH_META_MAX]; 227 | DWORD cStrings; 228 | struct { 229 | LPSTR szString; 230 | DWORD cMatch; 231 | SIZE_T cbMatchOffset[VMMYARA_RULE_MATCH_OFFSET_MAX]; 232 | } Strings[VMMYARA_RULE_MATCH_STRING_MAX]; 233 | } VMMYARA_RULE_MATCH, *PVMMYARA_RULE_MATCH; 234 | 235 | #endif /* VMMYARA_RULE_MATCH_DEFINED */ 236 | 237 | #ifndef VMMYARA_SCAN_MEMORY_CALLBACK_DEFINED 238 | #define VMMYARA_SCAN_MEMORY_CALLBACK_DEFINED 239 | 240 | /* 241 | * Callback function to be called by VmmYara_ScanMemory() upon a match. 242 | * -- pvContext = user context set in call to VmmYara_ScanMemory(). 243 | * -- pRuleMatch = pointer to match information. 244 | * -- pbBuffer = the memory buffer that was scanned. 245 | * -- cbBuffer = the size of the memory buffer that was scanned. 246 | * -- return = return TRUE to continue scanning, FALSE to stop scanning. 
247 | */ 248 | typedef BOOL(*VMMYARA_SCAN_MEMORY_CALLBACK)( 249 | _In_ PVOID pvContext, 250 | _In_ PVMMYARA_RULE_MATCH pRuleMatch, 251 | _In_reads_bytes_(cbBuffer) PBYTE pbBuffer, 252 | _In_ SIZE_T cbBuffer 253 | ); 254 | 255 | #endif /* VMMYARA_SCAN_MEMORY_CALLBACK_DEFINED */ 256 | // =========== END SHARED STRUCTS WITH =========== 257 | 258 | /* 259 | * Scan a memory buffer for matches against the specified rule set. 260 | * Upon a match the callback function will be called with the match information. 261 | * -- hVmmYaraRules = the handle to the rule set to scan against. 262 | * -- pbBuffer = the memory buffer to scan. 263 | * -- cbBuffer = the size of the memory buffer to scan. 264 | * -- flags = flags according to yr_rules_scan_mem() to use. 265 | * -- pfnCallback = the callback function to call upon a match. 266 | * -- pvContext = context to pass to the callback function. 267 | * -- timeout = timeout in seconds according to yr_rules_scan_mem(). 268 | * -- return = VMMYARA_ERROR_SUCCESS on success, otherwise a yara error. 
269 | */ 270 | _Success_(return == VMMYARA_ERROR_SUCCESS) 271 | VMMYARA_ERROR VmmYara_ScanMemory( 272 | _In_ PVMMYARA_RULES hVmmYaraRules, 273 | _In_reads_bytes_(cbBuffer) PBYTE pbBuffer, 274 | _In_ SIZE_T cbBuffer, 275 | _In_ int flags, 276 | _In_ VMMYARA_SCAN_MEMORY_CALLBACK pfnCallback, 277 | _In_ PVOID pvContext, 278 | _In_ int timeout 279 | ); 280 | 281 | #ifdef __cplusplus 282 | } 283 | #endif /* __cplusplus */ 284 | #endif /* __VMMYARA_H__ */ 285 | -------------------------------------------------------------------------------- /rust_dma/memory.cpp: -------------------------------------------------------------------------------- 1 | #include "memory.hpp" 2 | #include "globals.hpp" 3 | 4 | #pragma comment(lib, "vmm.lib") 5 | 6 | auto memory::get_process_id(const char* process_name) -> DWORD 7 | { 8 | DWORD buffer; 9 | bool ret = VMMDLL_PidGetFromName(globals::vmm_handle, (LPSTR)process_name, &buffer); 10 | 11 | if (ret) 12 | { 13 | return buffer; 14 | } 15 | 16 | return -1; 17 | } 18 | 19 | auto memory::get_module_handle(const char* module_name) -> uint64_t 20 | { 21 | uint64_t address = VMMDLL_ProcessGetModuleBaseU(globals::vmm_handle, globals::game_pid, (LPSTR)module_name); 22 | return address; 23 | } -------------------------------------------------------------------------------- /rust_dma/memory.hpp: -------------------------------------------------------------------------------- 1 | #include "includes.hpp" 2 | 3 | #pragma comment(lib, "vmm.lib") 4 | 5 | namespace memory 6 | { 7 | auto get_process_id(const char* process_name) -> DWORD; 8 | auto get_module_handle(const char* module_name) -> uint64_t; 9 | } -------------------------------------------------------------------------------- /rust_dma/rust_dma.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | 
Win32Proj 24 | {073130aa-021a-44c3-b20e-3642d029a106} 25 | rustdma 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v143 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v143 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v143 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v143 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | $(SolutionDir)build\bin 75 | rust_client 76 | C:\Users\peheader\Documents\projects\rust\rust_dma\libraries;$(LibraryPath) 77 | 78 | 79 | 80 | Level3 81 | true 82 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 83 | true 84 | 85 | 86 | Console 87 | true 88 | 89 | 90 | 91 | 92 | Level3 93 | true 94 | true 95 | true 96 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 97 | true 98 | 99 | 100 | Console 101 | true 102 | true 103 | true 104 | 105 | 106 | 107 | 108 | Level3 109 | true 110 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 111 | true 112 | 113 | 114 | Console 115 | true 116 | 117 | 118 | 119 | 120 | TurnOffAllWarnings 121 | true 122 | true 123 | true 124 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 125 | true 126 | stdcpp20 127 | stdc17 128 | 129 | 130 | Console 131 | true 132 | true 133 | false 134 | RequireAdministrator 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | -------------------------------------------------------------------------------- /rust_dma/rust_dma.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {9eb0e517-bfdc-4fae-b16e-005d445b7e50} 6 | 7 | 8 | {31e5dac7-2dca-4b0e-b380-827e0d1de429} 9 | 10 | 11 | {e24eda06-0b55-402c-ae93-b57f766987bc} 12 | 13 | 14 | {d2841a06-f955-4ad6-95f2-e5d6727a1e69} 15 | 16 | 17 | {c3ab72ca-fcfa-44e1-a529-3c9d94d0f773} 18 | 19 | 20 | {266f1d41-1698-4db5-8a0b-581130c624ef} 21 | 22 | 23 | 24 | 
25 | entry 26 | 27 | 28 | threads 29 | 30 | 31 | memory 32 | 33 | 34 | 35 | 36 | entry 37 | 38 | 39 | includes 40 | 41 | 42 | includes 43 | 44 | 45 | threads 46 | 47 | 48 | globals 49 | 50 | 51 | memory 52 | 53 | 54 | includes 55 | 56 | 57 | includes 58 | 59 | 60 | includes 61 | 62 | 63 | includes 64 | 65 | 66 | includes 67 | 68 | 69 | includes 70 | 71 | 72 | includes 73 | 74 | 75 | rust 76 | 77 | 78 | -------------------------------------------------------------------------------- /rust_dma/rust_dma.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /rust_dma/threads.cpp: -------------------------------------------------------------------------------- 1 | #include "threads.hpp" 2 | #include "globals.hpp" 3 | #include "memory.hpp" 4 | 5 | template 6 | auto threads::read(uint64_t address) -> T 7 | { 8 | T buffer; 9 | VMMDLL_MemRead(globals::vmm_handle, globals::game_pid, address, PBYTE(&buffer), sizeof(T)); 10 | return buffer; 11 | } 12 | 13 | template 14 | auto threads::write(uint64_t address, T value) -> void 15 | { 16 | VMMDLL_MemWrite(globals::vmm_handle, globals::game_pid, address, PBYTE(&value), sizeof(T)); 17 | } 18 | 19 | namespace rust 20 | { 21 | namespace offsets 22 | { 23 | auto local_player_c = 0x2FD1080; // LocalPlayer_c* 24 | 25 | namespace base_player 26 | { 27 | auto player_flags = 0x740; // BasePlayer - BasePlayer.PlayerFlags playerFlags 28 | auto base_movement = 0x550; // BasePlayer - BaseMovement movement 29 | auto base_collision = 0x558; // BasePlayer - BaseCollision collision 30 | auto player_input = 0x548; // BasePlayer - PlayerInput input 31 | auto visible_player_list = 0x8; // BasePlayer - ListDictionary visiblePlayerList 32 | auto player_eyes = 0x748; // BasePlayer - PlayerEyes eyes 33 | auto player_inventory = 0x750; // BasePlayer - PlayerInventory inventory 34 | auto active_item_id = 0x668; // 
BasePlayer - ItemId clActiveItem 35 | } 36 | 37 | namespace player_inventory 38 | { 39 | auto container_belt = 0x28; // PlayerInventory - ItemContainer containerBelt 40 | } 41 | 42 | namespace item_container 43 | { 44 | auto available_slots = 0x38; // ItemContainer - List availableSlots 45 | } 46 | 47 | namespace item 48 | { 49 | auto uid = 0x20; 50 | auto held_entity = 0xA8; // Item - EntityRef heldEntity 51 | } 52 | 53 | namespace base_projectile 54 | { 55 | auto recoil = 0x2E0; // BaseProjectile - RecoilProperties recoil 56 | } 57 | 58 | namespace recoil_properties 59 | { 60 | auto override = 0x78; // RecoilProperties - RecoilProperties newRecoilOverride 61 | auto yaw_min = 0x18; // RecoilProperties - float recoilYawMin 62 | auto yaw_max = 0x1C; // RecoilProperties - float recoilYawMin 63 | auto pitch_min = 0x20; // RecoilProperties - float recoilYawMin 64 | auto pitch_max = 0x24; // RecoilProperties - float recoilYawMin 65 | } 66 | 67 | namespace walk_movement 68 | { 69 | auto ground_angle = 0xC4; // PlayerWalkMovement - float groundAngle 70 | auto ground_angle_new = 0xC8; // PlayerWalkMovement - float groundAngleNew 71 | } 72 | } 73 | 74 | class local_player 75 | { 76 | public: 77 | auto get_entity() -> uint64_t 78 | { 79 | auto static_fields = threads::read(reinterpret_cast(this) + 0xB8); 80 | return threads::read(static_fields + 0x0); 81 | } 82 | }; 83 | 84 | class player_inventory 85 | { 86 | public: 87 | auto get_belt_container() -> uint64_t 88 | { 89 | return threads::read(reinterpret_cast(this) + offsets::player_inventory::container_belt); 90 | } 91 | }; 92 | 93 | class item_container 94 | { 95 | public: 96 | auto get_item_list() -> uint64_t 97 | { 98 | return threads::read(reinterpret_cast(this) + offsets::item_container::available_slots); 99 | } 100 | }; 101 | 102 | class item 103 | { 104 | public: 105 | auto get_id() -> int 106 | { 107 | return threads::read(reinterpret_cast(this) + offsets::item::uid); 108 | } 109 | 110 | auto get_projectile() -> 
uint64_t 111 | { 112 | return threads::read(reinterpret_cast(this) + offsets::item::held_entity); 113 | } 114 | }; 115 | 116 | class base_player 117 | { 118 | public: 119 | auto get_player_flags() -> int 120 | { 121 | return threads::read(reinterpret_cast(this) + offsets::base_player::player_flags); 122 | } 123 | 124 | auto set_player_flags(int flag) -> void 125 | { 126 | threads::write(reinterpret_cast(this) + offsets::base_player::player_flags, flag); 127 | } 128 | 129 | auto get_movement() -> uint64_t 130 | { 131 | return threads::read(reinterpret_cast(this) + offsets::base_player::base_movement); 132 | } 133 | 134 | auto get_input() -> uint64_t 135 | { 136 | return threads::read(reinterpret_cast(this) + offsets::base_player::player_input); 137 | } 138 | 139 | auto get_eyes() -> uint64_t 140 | { 141 | return threads::read(reinterpret_cast(this) + offsets::base_player::player_eyes); 142 | } 143 | 144 | auto get_inventory() -> uint64_t 145 | { 146 | return threads::read(reinterpret_cast(this) + offsets::base_player::player_inventory); 147 | } 148 | 149 | auto get_player_list() -> uint64_t 150 | { 151 | auto static_fields = threads::read(reinterpret_cast(this) + 0xB8); 152 | return threads::read(static_fields + offsets::base_player::visible_player_list); 153 | } 154 | 155 | auto get_weapon_by_slot(int slot) -> uint64_t 156 | { 157 | auto inventory = (player_inventory*)get_inventory(); 158 | auto belt = (item_container*)inventory->get_belt_container(); 159 | auto item_list = belt->get_item_list(); 160 | auto buffer = threads::read(item_list + 0x20 + (slot * 0x8)); 161 | return buffer; 162 | } 163 | 164 | auto get_active_weapon() -> uint64_t 165 | { 166 | auto active_id = threads::read(reinterpret_cast(this) + offsets::base_player::active_item_id); 167 | if (!active_id) return 0; 168 | 169 | for (auto slot = 0; slot < 6; slot++) 170 | { 171 | auto weapon = (item*)this->get_weapon_by_slot(slot); 172 | 173 | if (active_id == weapon->get_id()) 174 | return 
(uint64_t)weapon; 175 | } 176 | } 177 | }; 178 | 179 | class base_projectile 180 | { 181 | public: 182 | auto get_recoil_properties() -> uint64_t 183 | { 184 | auto recoil_properties = threads::read(reinterpret_cast(this) + offsets::item::held_entity); 185 | if (!recoil_properties) return 0; 186 | 187 | auto override = threads::read(recoil_properties + offsets::recoil_properties::override); 188 | if (override) 189 | return override; 190 | 191 | return recoil_properties; 192 | } 193 | }; 194 | 195 | class recoil_properties 196 | { 197 | public: 198 | auto set_recoil_yaw(float min, float max) -> void 199 | { 200 | threads::write(reinterpret_cast(this) + offsets::recoil_properties::yaw_min, min); 201 | threads::write(reinterpret_cast(this) + offsets::recoil_properties::yaw_max, max); 202 | } 203 | 204 | auto set_recoil_pitch(float min, float max) -> void 205 | { 206 | threads::write(reinterpret_cast(this) + offsets::recoil_properties::pitch_min, min); 207 | threads::write(reinterpret_cast(this) + offsets::recoil_properties::pitch_max, max); 208 | } 209 | 210 | auto remove_recoil() -> void 211 | { 212 | set_recoil_yaw(0.0f, 0.0f); 213 | set_recoil_pitch(0.0f, 0.0f); 214 | } 215 | }; 216 | 217 | class walk_movement 218 | { 219 | public: 220 | auto get_ground_angle() -> float 221 | { 222 | return threads::read(reinterpret_cast(this) + offsets::walk_movement::ground_angle); 223 | } 224 | 225 | auto set_ground_angle(float angle) -> void 226 | { 227 | threads::write(reinterpret_cast(this) + offsets::walk_movement::ground_angle, angle); 228 | threads::write(reinterpret_cast(this) + offsets::walk_movement::ground_angle_new, angle); 229 | } 230 | 231 | auto remove_fall() -> void 232 | { 233 | this->set_ground_angle(0.0f); 234 | } 235 | }; 236 | } 237 | 238 | auto threads::memory_loop() -> void 239 | { 240 | printf("[ * ] game_assembly : %p\n", globals::game_assembly); 241 | printf("[ * ] unity_player : %p\n", globals::unity_player); 242 | 243 | auto local_player = 
(rust::local_player*)read(globals::game_assembly + rust::offsets::local_player_c); 244 | 245 | while (1) 246 | { 247 | auto entity = (rust::base_player*)local_player->get_entity(); 248 | 249 | if (entity != 0) 250 | { 251 | auto movement = (rust::walk_movement*)entity->get_movement(); 252 | auto weapon = (rust::item*)entity->get_active_weapon(); 253 | 254 | if (weapon != 0) 255 | { 256 | auto projectile = (rust::base_projectile*)weapon->get_projectile(); 257 | auto recoil = (rust::recoil_properties*)projectile->get_recoil_properties(); 258 | 259 | recoil->remove_recoil(); 260 | } 261 | 262 | if (movement != 0) 263 | { 264 | movement->remove_fall(); 265 | 266 | auto current_flag = entity->get_player_flags(); 267 | entity->set_player_flags(current_flag | 4); 268 | 269 | Sleep(1); 270 | } 271 | } 272 | } 273 | } 274 | -------------------------------------------------------------------------------- /rust_dma/threads.hpp: -------------------------------------------------------------------------------- 1 | #include "includes.hpp" 2 | 3 | namespace threads 4 | { 5 | template 6 | auto read(uint64_t address) -> T; 7 | 8 | template 9 | auto write(uint64_t address, T value) -> void; 10 | 11 | auto memory_loop() -> void; 12 | } --------------------------------------------------------------------------------