├── .gitignore ├── 64IN32 ├── 64IN32.map ├── 64IN32.vcxproj ├── 64IN32.vcxproj.filters ├── 64IN32.vcxproj.user ├── GetFuncAddr.cpp ├── code64.asm └── nobase.cpp ├── INC ├── GetFuncAddr.cpp ├── ObLock.h ├── amd64plat.h ├── asmfunc.h ├── dump.h ├── idcres.h ├── initterm.h ├── krbcon.h ├── md5.h ├── mini_yvals.h ├── misc.h ├── msdis170.h ├── netlogon.h ├── nobase.h ├── nobase64.inc ├── ntdbg.h ├── ntfs structs.h ├── ntjob.h ├── ntlpcapi.h ├── ntpebteb.h ├── ntsam.h ├── ntsam2.h ├── ntsamp.h ├── rtf.h ├── rtlenv.h ├── rtlframe.h ├── rundown.h ├── rundownT.h ├── samisrv.h ├── samrpc.h ├── stdafx.h ├── sys api.h ├── sysinfo.h ├── winsta.h ├── wmium.h └── x86plat.h ├── LdrpKernel32.dll ├── LdrpKernel32 ├── LdrpKernel32.vcxproj ├── LdrpKernel32.vcxproj.filters ├── LdrpKernel32.vcxproj.user ├── exports.def └── main.cpp ├── LdrpKernel32DllName.sln ├── LdrpKernel64.dll ├── MSBuild └── v4.0 │ ├── Microsoft.Cpp.Win32.user.props │ └── Microsoft.Cpp.x64.user.props ├── Payload32.dll ├── Payload64.dll ├── detour ├── LDasm.c ├── LDasm.h ├── TRAMPOLINE.cpp ├── TRAMPOLINE.h ├── detour.cpp ├── detour.h ├── detour.vcxproj ├── detour.vcxproj.filters ├── detour.vcxproj.user ├── readme.md ├── stdafx.cpp ├── stdafx.h ├── threads.cpp ├── threads.h ├── x64 │ └── detour.lib └── x86 │ └── detour.lib ├── readme.md ├── release ├── LdrpKernel32.dll ├── LdrpKernel32.lib ├── Payload32.dll ├── cta.exe └── detour.lib ├── test32.bat ├── test64.bat ├── x64 └── Release │ ├── 64IN32.map │ ├── 64btr.asm │ ├── LdrpKernel64.dll │ ├── Payload64.dll │ ├── detour.lib │ └── detour.pdb └── yYy ├── code32.asm ├── exports.def ├── hook.cpp ├── inject.h ├── inject32.cpp ├── inject64.cpp ├── stdafx.cpp ├── stdafx.h ├── yYy.vcxproj ├── yYy.vcxproj.filters └── yYy.vcxproj.user /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | *.obj 3 | -------------------------------------------------------------------------------- /64IN32/64IN32.map: 
-------------------------------------------------------------------------------- 1 | 64IN32 2 | 3 | Timestamp is 64a0a934 (Sun Jul 2 01:31:16 2023) 4 | 5 | Preferred load address is 0000000140000000 6 | 7 | Start Length Name Class 8 | 0001:00000000 00000158H .text$mn CODE 9 | 0001:00000158 00000368H .text$nm CODE 10 | 0001:000004c0 0000001aH .text$nm$s CODE 11 | 0002:00000000 0000001cH .rdata DATA 12 | 0002:0000001c 00000028H .rdata$voltmd DATA 13 | 0002:00000044 000000b0H .rdata$zzzdbg DATA 14 | 0002:000000f4 00000048H .xdata DATA 15 | 0003:00000000 00000024H .pdata DATA 16 | 17 | Address Publics by Value Rva+Base Lib:Object 18 | 19 | 0000:00000000 __AbsoluteZero 0000000000000000 20 | 0000:00000000 __arm64x_extra_rfe_table 0000000000000000 21 | 0000:00000000 __arm64x_extra_rfe_table_size 0000000000000000 22 | 0000:00000000 __arm64x_native_entrypoint 0000000000000000 23 | 0000:00000000 __arm64x_redirection_metadata 0000000000000000 24 | 0000:00000000 __arm64x_redirection_metadata_count 0000000000000000 25 | 0000:00000000 __dynamic_value_reloc_table 0000000000000000 26 | 0000:00000000 __enclave_config 0000000000000000 27 | 0000:00000000 __guard_check_icall_a64n_fptr 0000000000000000 28 | 0000:00000000 __guard_eh_cont_count 0000000000000000 29 | 0000:00000000 __guard_eh_cont_table 0000000000000000 30 | 0000:00000000 __guard_fids_count 0000000000000000 31 | 0000:00000000 __guard_fids_table 0000000000000000 32 | 0000:00000000 __guard_flags 0000000000000000 33 | 0000:00000000 __guard_iat_count 0000000000000000 34 | 0000:00000000 __guard_iat_table 0000000000000000 35 | 0000:00000000 __guard_longjmp_count 0000000000000000 36 | 0000:00000000 __guard_longjmp_table 0000000000000000 37 | 0000:00000000 __hybrid_auxiliary_delayload_iat 0000000000000000 38 | 0000:00000000 __hybrid_auxiliary_delayload_iat_copy 0000000000000000 39 | 0000:00000000 __hybrid_auxiliary_iat 0000000000000000 40 | 0000:00000000 __hybrid_auxiliary_iat_copy 0000000000000000 41 | 0000:00000000 
__hybrid_code_map 0000000000000000 42 | 0000:00000000 __hybrid_code_map_count 0000000000000000 43 | 0000:00000000 __x64_code_ranges_to_entry_points 0000000000000000 44 | 0000:00000000 __x64_code_ranges_to_entry_points_count 0000000000000000 45 | 0001:00000000 ep 0000000140000230 f code64.obj 46 | 0001:00000056 ?fmemcmp@NT@@YADPEBX0_K@Z 0000000140000286 f code64.obj 47 | 0001:00000076 NtAllocateVirtualMemory 00000001400002a6 f code64.obj 48 | 0001:00000097 NtWriteVirtualMemory 00000001400002c7 f code64.obj 49 | 0001:000000b5 NtProtectVirtualMemory 00000001400002e5 f code64.obj 50 | 0001:000000d8 NtFreeVirtualMemory 0000000140000308 f code64.obj 51 | 0001:000000f8 RtlImageNtHeader 0000000140000328 f code64.obj 52 | 0001:00000115 RtlEqualUnicodeString 0000000140000345 f code64.obj 53 | 0001:00000137 RtlInitUnicodeString 0000000140000367 f code64.obj 54 | 0001:00000158 ?GetFuncAddress@NT@@YAPEAXPEBD@Z 0000000140000388 f GetFuncAddr.obj 55 | 0001:0000024c ?FindLdrpKernel32DllName@NT@@YAPEAXPEA_K@Z 000000014000047c f nobase.obj 56 | 0001:00000388 ?InitBootstrapI@NT@@YAJPEAXPEAPEAXPEB_WK@Z 00000001400005b8 f nobase.obj 57 | 0001:000004c0 ??_C@_1BK@MGMFAEKH@?$AAk?$AAe?$AAr?$AAn?$AAe?$AAl?$AA3?$AA2?$AA?4?$AAd?$AAl?$AAl@FNODOBFM@ 00000001400006f0 nobase.obj 58 | 0002:0000001c __volatile_metadata 000000014000072c 59 | 60 | entry point at 0001:00000000 61 | 62 | Static symbols 63 | 64 | 0001:00000038 common_imp_call 0000000140000268 f code64.obj 65 | 0002:000000f4 $unwind$?GetFuncAddress@NT@@YAPEAXPEBD@Z 0000000140000804 GetFuncAddr.obj 66 | 0002:0000010c $unwind$?FindLdrpKernel32DllName@NT@@YAPEAXPEA_K@Z 000000014000081c nobase.obj 67 | 0002:00000124 $unwind$?InitBootstrapI@NT@@YAJPEAXPEAPEAXPEB_WK@Z 0000000140000834 nobase.obj 68 | -------------------------------------------------------------------------------- /64IN32/64IN32.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Release 6 | x64 7 | 8 | 9 | 10 | 17.0 11 
| {A9A11BB8-D35C-4CF1-A325-ACD39DB5CE8B} 12 | My64IN32 13 | Win32Proj 14 | $(SolutionDir)MSBuild\v4.0 15 | 16 | 17 | 18 | Application 19 | v143 20 | Unicode 21 | true 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | <_ProjectFileVersion>17.0.32819.101 32 | 33 | 34 | $(SolutionDir)$(Platform)\$(Configuration)\ 35 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 36 | false 37 | false 38 | true 39 | 40 | 41 | 42 | X64 43 | 44 | 45 | MaxSpeed 46 | Size 47 | true 48 | false 49 | WIN32;NDEBUG;_WINDOWS;_USRDLL;MY64IN32_EXPORTS;%(PreprocessorDefinitions) 50 | true 51 | 52 | MultiThreadedDLL 53 | false 54 | false 55 | NotUsing 56 | Level4 57 | None 58 | StdCall 59 | /cbstring %(AdditionalOptions) 60 | 61 | 62 | /ALIGN:16 %(AdditionalOptions) 63 | true 64 | false 65 | true 66 | Windows 67 | true 68 | true 69 | ep 70 | 71 | MachineX64 72 | false 73 | 74 | Driver 75 | 76 | 77 | 78 | cd $(OutDir) 79 | $(SolutionDir)release\cta.exe *.text*64btr.asm*$(TargetFileName)*toasm*nowait 80 | 81 | 82 | 83 | 84 | 85 | ml64 /c /Cp %(Filename)%(Extension) 86 | 87 | %(Filename).obj;%(Outputs) 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | -------------------------------------------------------------------------------- /64IN32/64IN32.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /64IN32/64IN32.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 
// ==== /64IN32/GetFuncAddr.cpp ====
//
// 64-bit side of the "64 in 32" bootstrap. The post-build step in
// 64IN32.vcxproj dumps this image's .text into 64btr.asm and the 32-bit
// injector executes it as raw 64-bit code, so there is no import table:
// every ntdll routine is resolved by name through GetFuncAddress (the NtApi
// stubs in code64.asm land here).
#define WIN32_LEAN_AND_MEAN
#include "../inc/StdAfx.h"

_NT_BEGIN
#include "../inc/nobase.h"

//#define _PRINT_CPP_NAMES_
#include "../inc/asmfunc.h"

// Base address of the first module in the PEB's initialization-order list,
// read through the current (64-bit) TEB.
// NOTE(review): callers treat this entry as ntdll.dll (the first module
// initialised in any process); the entry's name is never checked here.
PIMAGE_DOS_HEADER GetNtBase()
{
	PLIST_ENTRY FirstInitialised =
		reinterpret_cast<_TEB*>(NtCurrentTeb())->ProcessEnvironmentBlock->Ldr->InInitializationOrderModuleList.Flink;

	_LDR_DATA_TABLE_ENTRY* Entry =
		CONTAINING_RECORD(FirstInitialised, _LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);

	return (PIMAGE_DOS_HEADER)Entry->DllBase;
}

// Resolve an ntdll export by name.
//
// Walks ntdll's export directory with a binary search over the name table
// (PE export name tables are kept sorted, which the bisection relies on).
// An "address" that falls inside the export directory itself is, per the PE
// format, a forwarder string rather than code; this freestanding build has
// no loader to chase forwarders, so it traps and returns 0. A name that is
// not exported also traps and returns 0 (the caller in code64.asm jumps to
// the result unconditionally).
PVOID __fastcall GetFuncAddress(PCSTR lpsz)
{
	CPP_FUNCTION;

	PIMAGE_DOS_HEADER pidh = GetNtBase();
	PIMAGE_NT_HEADERS pinth = (PIMAGE_NT_HEADERS)RtlOffsetToPointer(pidh, pidh->e_lfanew);

	const IMAGE_DATA_DIRECTORY& ExportDir = pinth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
	PIMAGE_EXPORT_DIRECTORY pied = (PIMAGE_EXPORT_DIRECTORY)RtlOffsetToPointer(pidh, ExportDir.VirtualAddress);

	PDWORD Names = (PDWORD)RtlOffsetToPointer(pidh, pied->AddressOfNames);
	PDWORD Functions = (PDWORD)RtlOffsetToPointer(pidh, pied->AddressOfFunctions);
	PWORD Ordinals = (PWORD)RtlOffsetToPointer(pidh, pied->AddressOfNameOrdinals);

	DWORD lo = 0, hi = pied->NumberOfNames;

	while (lo < hi)
	{
		DWORD mid = (lo + hi) >> 1;
		int cmp = strcmp(lpsz, RtlOffsetToPointer(pidh, Names[mid]));

		if (cmp < 0)
		{
			hi = mid;
		}
		else if (cmp > 0)
		{
			lo = mid + 1;
		}
		else
		{
			PVOID pv = RtlOffsetToPointer(pidh, Functions[Ordinals[mid]]);

			// forwarded export: cannot be resolved without the loader
			if ((ULONG_PTR)pv - (ULONG_PTR)pied < ExportDir.Size)
			{
				__debugbreak();
				return 0;
			}

			return pv;
		}
	}

	__debugbreak();
	return 0;
}

_NT_END
; ==== /64IN32/code64.asm ====
;
; 64-bit entry and import thunks for the "64 in 32" bootstrap. The linker
; entry point is 'ep' (64IN32.vcxproj; the map file places it at
; 0001:00000000) and the post-build step dumps .text into 64btr.asm, so the
; 32-bit side executes this section as raw code: 'ep' must be its first byte.

; void *__cdecl NT::FindLdrpKernel32DllName(unsigned __int64 *)
extern ?FindLdrpKernel32DllName@NT@@YAPEAXPEA_K@Z : PROC

; long __cdecl NT::InitBootstrapI(void *,void **,const wchar_t *,unsigned long)
extern ?InitBootstrapI@NT@@YAJPEAXPEAPEAXPEB_WK@Z : PROC

; void *__cdecl NT::GetFuncAddress(const char *)
extern ?GetFuncAddress@NT@@YAPEAXPEBD@Z : PROC

.code

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; must be first function in .text section !
;;
;; Entered from the 32-bit side (yYy/code32.asm, not shown here). The four
;; arguments arrive zero-extended-to-be in ecx, edx, edi, esi and the 64-bit
;; result is handed back in edx:eax, as a 32-bit caller expects:
;;   rdx == 0 : FindLdrpKernel32DllName(rcx)           -> address of the string
;;   rdx != 0 : InitBootstrapI(rcx, rdx, r8, r9)       -> NTSTATUS

ep proc
	; switch to a stack taken from the 64-bit TEB. By the x64 NT_TIB layout
	; gs:[10h] is StackLimit (StackBase is gs:[8]) -- NOTE(review): confirm
	; this is the intended field; pushes below it rely on the native stack's
	; guard-page growth.
	mov rax,gs:[10h]
	xchg rsp,rax
	push rax                ; remember the caller's rsp
	sub rsp,28h             ; 20h shadow space + 8 for alignment

	; zero-extend the 32-bit arguments into the x64 ABI argument registers
	mov ecx,ecx
	mov edx,edx
	mov r8d,edi
	mov r9d,esi

	test rdx,rdx
	jz @@0
	call ?InitBootstrapI@NT@@YAJPEAXPEAPEAXPEB_WK@Z
	jmp @@1
@@0:
	call ?FindLdrpKernel32DllName@NT@@YAPEAXPEA_K@Z
@@1:
	; split the 64-bit return value into edx:eax
	mov rdx,rax
	shr rdx,32
	add rsp,28h
	pop rsp                 ; back to the caller's stack
	ret
ep endp

; Shared tail of every NtApi stub. On entry rax points at the ANSI name
; embedded in the stub; the four register arguments are preserved around the
; lookup and control tail-jumps to the resolved export, so any stack-passed
; arguments (5th and beyond) are still where the callee expects them.
common_imp_call proc private
	push r9
	push r8
	push rdx
	push rcx
	sub rsp,28h             ; 4 pushes + 28h keep rsp 16-byte aligned at the call
	mov rcx,rax
	call ?GetFuncAddress@NT@@YAPEAXPEBD@Z
	add rsp,28h
	pop rcx
	pop rdx
	pop r8
	pop r9
	jmp rax                 ; GetFuncAddress traps (int 3) before returning 0
common_imp_call endp

; Position-independent import thunk: no IAT and no relocations -- the export
; name sits right after the jmp and is resolved on every call.
NtApi MACRO name
name proc
	lea rax,@@1
	jmp common_imp_call
@@1:
	DB '&name',0
name endp
ENDM

NtApi NtAllocateVirtualMemory
NtApi NtWriteVirtualMemory
NtApi NtProtectVirtualMemory
NtApi NtFreeVirtualMemory
NtApi RtlImageNtHeader
NtApi RtlEqualUnicodeString
NtApi RtlInitUnicodeString

end
// ==== /64IN32/nobase.cpp ====
#include "../inc/StdAfx.h"

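_NT_BEGIN

#include "../inc/nobase.h"
//#define _PRINT_CPP_NAMES_
#include "../inc/asmfunc.h"

// Bytes of a section that may be scanned for LdrpKernel32DllName.
// Only readable, non-writable sections qualify (the string lives in ntdll's
// read-only data), and the scan is capped by the smaller of SizeOfRawData
// and VirtualSize so it never runs into zero-fill or the next section.
// Returns 0 for sections the caller should skip.
ULONG GetSectionSize(PIMAGE_SECTION_HEADER pish)
{
	if ((pish->Characteristics & (IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE)) == IMAGE_SCN_MEM_READ)
	{
		ULONG VirtualSize = pish->Misc.VirtualSize, SizeOfRawData = pish->SizeOfRawData;

		return SizeOfRawData < VirtualSize ? SizeOfRawData : VirtualSize;
	}

	return 0;
}

// Locate ntdll's internal UNICODE_STRING naming kernel32.dll
// (LdrpKernel32DllName) without symbols: scan every read-only section of
// ntdll for a UNICODE_STRING whose Length/MaximumLength equal those of
// L"kernel32.dll" and whose Buffer points, inside the same section, at that
// text (case-insensitive compare).
//
// pBuffer - receives the string's Buffer address on success; untouched otherwise.
// Returns the address of the UNICODE_STRING, or 0 when nothing matches or
// when more than one candidate matches (ambiguous: patching the wrong string
// is worse than failing).
//
// Fix vs. the previous version: the Buffer bounds check now requires the whole
// MaximumLength bytes of the candidate buffer to lie inside the scanned
// section, not just its first byte, so RtlEqualUnicodeString cannot read past
// the section end.
PVOID FindLdrpKernel32DllName(_Out_ PULONG_PTR pBuffer)
{
	CPP_FUNCTION;

	if (PVOID hmod = GetNtBase())
	{
		if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod))
		{
			if (ULONG NumberOfSections = pinth->FileHeader.NumberOfSections)
			{
				PVOID pstr = 0;

				UNICODE_STRING kernel32;
				RtlInitUnicodeString(&kernel32, L"kernel32.dll");

				PIMAGE_SECTION_HEADER pish = IMAGE_FIRST_SECTION(pinth);
				do
				{
					ULONG VirtualSize = GetSectionSize(pish);

					// the section must hold a UNICODE_STRING plus the text it points to
					if (VirtualSize > sizeof(UNICODE_STRING) + kernel32.MaximumLength)
					{
						// number of naturally aligned UNICODE_STRING slots to examine
						ULONG n = 1 + (VirtualSize - sizeof(UNICODE_STRING)) / __alignof(UNICODE_STRING);

						union {
							PVOID pv;
							PUNICODE_STRING str;
							ULONG_PTR up;
						};

						PVOID VirtualAddress = RtlOffsetToPointer(hmod, pish->VirtualAddress);
						pv = VirtualAddress;

						do
						{
							if (str->Length == kernel32.Length &&
								str->MaximumLength == kernel32.MaximumLength)
							{
								ULONG_PTR Buffer = (ULONG_PTR)str->Buffer;

								// Buffer must be WCHAR aligned and all MaximumLength
								// bytes of it must lie inside this section
								if (!(Buffer & (__alignof(WCHAR) - 1)) &&
									Buffer - (ULONG_PTR)VirtualAddress <= VirtualSize - kernel32.MaximumLength)
								{
									if (RtlEqualUnicodeString(str, &kernel32, TRUE))
									{
										if (pstr)
										{
											// second match: ambiguous, refuse to guess
											return 0;
										}

										pstr = pv, *pBuffer = Buffer;
									}
								}
							}
						} while (up += __alignof(UNICODE_STRING), --n);
					}

				} while (pish++, --NumberOfSections);

				return pstr;
			}
		}
	}

	return 0;
}
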
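// Redirect a target process's LdrpKernel32DllName to our bootstrap DLL.
//
// hProcess        - target process; needs VM operation/write access.
// ppKernel32      - IN: *ppKernel32 is the address, in the target, of ntdll's
//                   LdrpKernel32DllName UNICODE_STRING (as located by
//                   FindLdrpKernel32DllName). It is read, never written back.
// pszBootstrapDll - NUL-terminated path the target's ntdll should load in
//                   place of kernel32.dll.
// cb              - bytes of pszBootstrapDll to copy into the target; must
//                   cover the whole string including its terminator.
//
// The path is copied into freshly committed memory in the target, and the
// target's UNICODE_STRING (which lives in a read-only section, see
// FindLdrpKernel32DllName) is temporarily made writable and repointed at it.
// On failure the allocation is released and the NTSTATUS is returned.
//
// Fix vs. the previous version: cb is validated against the string length up
// front; a short cb previously left the target with a truncated, unterminated
// DLL name that ntdll would then try to load.
NTSTATUS InitBootstrapI(HANDLE hProcess, PVOID* ppKernel32, PCWSTR pszBootstrapDll, ULONG cb)
{
	CPP_FUNCTION;

	UNICODE_STRING str;

	RtlInitUnicodeString(&str, pszBootstrapDll);

	// the copied buffer must hold Length bytes plus the terminating NUL
	if (cb < str.MaximumLength)
	{
		return STATUS_INVALID_PARAMETER;
	}

	PVOID Buffer = 0;
	SIZE_T s = cb;
	NTSTATUS status = NtAllocateVirtualMemory(hProcess, &Buffer, 0, &s, MEM_COMMIT, PAGE_READWRITE);

	if (0 <= status)
	{
		if (0 <= (status = NtWriteVirtualMemory(hProcess, Buffer, const_cast<PWSTR>(pszBootstrapDll), cb, 0)))
		{
			ULONG op;
			PVOID pKernel32 = *ppKernel32, BaseAddress = pKernel32;
			str.Buffer = (PWSTR)Buffer; // target-side address; only meaningful inside hProcess

			// unprotect just the UNICODE_STRING, overwrite it, restore the old protection
			if (0 <= (status = NtProtectVirtualMemory(hProcess, &BaseAddress, &(s = sizeof(UNICODE_STRING)), PAGE_READWRITE, &op)))
			{
				status = NtWriteVirtualMemory(hProcess, pKernel32, &str, sizeof(UNICODE_STRING), 0);
				// best effort: the restore result is intentionally ignored
				NtProtectVirtualMemory(hProcess, &BaseAddress, &s, op, &op);
			}
		}

		if (0 > status)
		{
			NtFreeVirtualMemory(hProcess, (void**)&Buffer, &(s = 0), MEM_RELEASE);
		}
	}

	return status;
}

_NT_END
// ==== /INC/GetFuncAddr.cpp ====
//
// Export-resolution helpers for the builds that run in-process with a
// working loader (forwarders are handed to LdrGetProcedureAddress).
#define WIN32_LEAN_AND_MEAN
#include "../inc/StdAfx.h"

_NT_BEGIN
#include "../inc/nobase.h"

//#define _PRINT_CPP_NAMES_
#include "../inc/asmfunc.h"

// memcmp-style byte compare implemented in assembly (see asmfunc.h):
// 0 when the count bytes are equal, otherwise the sign of the first difference.
char __fastcall fmemcmp(
	const void *buf1,
	const void *buf2,
	size_t count
	)ASM_FUNCTION;

// Module base for lpModuleName. An empty name selects the second entry of the
// PEB memory-order list (the executable is first, so this is normally ntdll);
// any other name goes through LdrLoadDll, which loads the DLL if necessary.
//
// Fix vs. the previous version: hmod is initialised, so a failed LdrLoadDll
// (which traps) can no longer return an indeterminate pointer when execution
// is continued under a debugger.
PVOID __fastcall get_hmod(PCWSTR lpModuleName)
{
	CPP_FUNCTION;

	if (!*lpModuleName)
	{
		return CONTAINING_RECORD(((NT::_TEB*)NtCurrentTeb())->ProcessEnvironmentBlock->Ldr->InMemoryOrderModuleList.Flink->Flink,
			_LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)->DllBase;
	}

	HMODULE hmod = 0;
	USHORT Length = (USHORT)(wcslen(lpModuleName) * sizeof(WCHAR));
	UNICODE_STRING DllName = { Length, Length, const_cast<PWSTR>(lpModuleName) };
	if (0 > LdrLoadDll(0, 0, &DllName, &hmod)) __debugbreak();
	return hmod;
}

// Resolve an export of the module at pidh by name with a binary search over
// its (sorted) export name table. If the export is a forwarder -- its address
// falls inside the export directory -- the loader resolves it instead.
// Returns 0 if the name is not exported or the forwarder cannot be resolved.
PVOID __fastcall GetFuncAddressEx(PIMAGE_DOS_HEADER pidh, PCSTR lpsz)
{
	CPP_FUNCTION;

	PIMAGE_NT_HEADERS pinth = (PIMAGE_NT_HEADERS)RtlOffsetToPointer(pidh, pidh->e_lfanew);

	PIMAGE_EXPORT_DIRECTORY pied = (PIMAGE_EXPORT_DIRECTORY)RtlOffsetToPointer(pidh,
		pinth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

	PDWORD AddressOfNames = (PDWORD)RtlOffsetToPointer(pidh, pied->AddressOfNames);
	PDWORD AddressOfFunctions = (PDWORD)RtlOffsetToPointer(pidh, pied->AddressOfFunctions);
	PWORD AddressOfNameOrdinals = (PWORD)RtlOffsetToPointer(pidh, pied->AddressOfNameOrdinals);

	DWORD a = 0, b = pied->NumberOfNames, o;

	SIZE_T len = strlen(lpsz) + 1; // include the NUL so a longer export name never matches a prefix

	if (b)
	{
		do
		{
			char i = fmemcmp(lpsz, RtlOffsetToPointer(pidh, AddressOfNames[o = (a + b) >> 1]), len);
			if (!i)
			{
				PVOID pv = RtlOffsetToPointer(pidh, AddressOfFunctions[AddressOfNameOrdinals[o]]);

				// forwarder string ("DLL.Name") rather than code: ask the loader
				if ((ULONG_PTR)pv - (ULONG_PTR)pied < pinth->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
				{
					ANSI_STRING as = { (USHORT)len-1, as.Length, const_cast<PSTR>(lpsz) };
					if (0 > LdrGetProcedureAddress((HMODULE)pidh, &as, 0, &pv)) return 0;
				}

				return pv;
			}

			if (0 > i) b = o; else a = o + 1;

		} while (a < b);
	}

	return 0;
}

_NT_END

// ==== /INC/ObLock.h ====
#pragma once

// Lightweight rundown protection on a LONG: bit 31 set means "alive",
// bits 0..30 count outstanding references (see ObpAcquireRundownProtection).
#define RUNDOWN_INIT_VALUE 0x80000000
#define RUNDOWN_COMPLETE_VALUE 0
// clears the "alive" bit so no further protection can be acquired; returns its old state
#define ObpBeginRundown(p) _interlockedbittestandreset(p, 31)
#define ObpUnlock _InterlockedDecrement

__inline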
BOOL ObpLock(PLONG pLock)
{
	// Take a reference only while the count is non-zero (zero means the
	// object is already gone). Lock-free CAS loop; on contention the value
	// returned by the CAS is the fresh one, so re-test it rather than re-read.
	LONG Observed = *pLock;

	while (Observed)
	{
		LONG Prior = _InterlockedCompareExchange(pLock, Observed + 1, Observed);

		if (Prior == Observed)
		{
			return TRUE;
		}

		Observed = Prior;
	}

	return FALSE;
}

// Acquire rundown protection: take a reference only while the "alive" bit
// (bit 31, i.e. the value is negative as a LONG) is still set. Fails once
// ObpBeginRundown has cleared that bit.
__inline BOOL ObpAcquireRundownProtection(PLONG pLock)
{
	LONG Observed = *pLock;

	while (0 > Observed)
	{
		LONG Prior = _InterlockedCompareExchange(pLock, Observed + 1, Observed);

		if (Prior == Observed)
		{
			return TRUE;
		}

		Observed = Prior;
	}

	return FALSE;
}

// ==== /INC/amd64plat.h ====
#pragma once

// x64 debug-register layouts for hardware breakpoints: DR6 reports which
// breakpoint fired, DR7 enables them and sets their type/length.
union DR6
{
	__int64 Value;
	struct
	{
		unsigned B0 : 1;
		unsigned B1 : 1;
		unsigned B2 : 1;
		unsigned B3 : 1;
		unsigned : 9;
		unsigned BD : 1;
		unsigned BS : 1;
		unsigned BT : 1;
		unsigned : 16;
	};
};

union DR7
{
	__int64 Value;
	struct
	{
		unsigned L0 : 1;
		unsigned G0 : 1;
		unsigned L1 : 1;
		unsigned G1 : 1;
		unsigned L2 : 1;
		unsigned G2 : 1;
		unsigned L3 : 1;
		unsigned G3 : 1;
		unsigned LE : 1;
		unsigned GE : 1;
		unsigned : 3;
		unsigned GD : 1;
		unsigned : 2;
		unsigned RWE0:2;
		unsigned LEN0:2;
		unsigned RWE1:2;
		unsigned LEN1:2;
		unsigned RWE2:2;
		unsigned LEN2:2;
		unsigned RWE3:2;
		unsigned LEN3:2;
	};
};

// values used in the DR7 RWEn fields (ReadData = 3 covers read-or-write)
enum BREAKPOINT_TYPE
{
	Execute, WriteData, ReadData = 3
};

// EFLAGS bits
#define TRACE_FLAG 0x100
#define RESUME_FLAG 0x10000

#define DbgBreak() __debugbreak()
#define __DbgBreak() if (IsDebuggerPresent()) __debugbreak()
#define __DbgPrint if (IsDebuggerPresent()) DbgPrint
#define \
DbgBreakEx(condition) if (condition) __debugbreak()

//#define _PX_SELFMAP ((ULONGLONG)0x1ED)

// x64 4-level paging geometry: 512 eight-byte entries per table, and the
// bit position of each level's index inside a virtual address.
#define PTE_SHIFT 3
#define PTI_SHIFT 12
#define PDI_SHIFT 21
#define PPI_SHIFT 30
#define PXI_SHIFT 39

#define PTE_PER_PAGE 512
#define PDE_PER_PAGE 512
#define PPE_PER_PAGE 512
#define PXE_PER_PAGE 512

#define PTI_MASK_AMD64 (PTE_PER_PAGE - 1)
#define PDI_MASK_AMD64 (PDE_PER_PAGE - 1)
#define PPI_MASK (PPE_PER_PAGE - 1)
#define PXI_MASK (PXE_PER_PAGE - 1)
//
// Page protections
//
// Software protection codes as stored in the 5-bit Protection field of a
// non-valid PTE (second layout of _PTE below).

#define MM_ZERO_ACCESS 0 // this value is not used.
#define MM_READONLY 1
#define MM_EXECUTE 2
#define MM_EXECUTE_READ 3
#define MM_READWRITE 4 // bit 2 is set if this is writable.
#define MM_WRITECOPY 5
#define MM_EXECUTE_READWRITE 6
#define MM_EXECUTE_WRITECOPY 7

#define MM_NOCACHE 0x8
#define MM_GUARD_PAGE 0x10
#define MM_DECOMMIT 0x10 //NO_ACCESS, Guard page
#define MM_NOACCESS 0x18 //NO_ACCESS, Guard_page, nocache.
#define MM_UNKNOWN_PROTECTION 0x100 //bigger than 5 bits!
#define MM_LARGE_PAGES 0x111

#define MM_PROTECTION_WRITE_MASK 4
#define MM_PROTECTION_COPY_MASK 1
#define MM_PROTECTION_OPERATION_MASK 7 // mask off guard page and nocache.
#define MM_PROTECTION_EXECUTE_MASK 2

// Page table entry. The first layout is the hardware-valid form, the second
// the software (pagefile / transition) form used when Valid == 0; the
// trailing //NN comments give the starting bit of each field.
union _PTE
{
	ULONGLONG Value;

	struct
	{
		ULONGLONG Valid : 01;//00
		ULONGLONG Write : 01;//01
		ULONGLONG Owner : 01;//02
		ULONGLONG WriteThrough : 01;//03
		ULONGLONG CacheDisable : 01;//04
		ULONGLONG Accessed : 01;//05
		ULONGLONG Dirty : 01;//06
		ULONGLONG LargePage : 01;//07
		ULONGLONG Global : 01;//08
		ULONGLONG CopyOnWrite : 01;//09
		ULONGLONG Prototype : 01;//10
		ULONGLONG reserved0 : 01;//11
		ULONGLONG PageFrameNumber : 36;//12
		ULONGLONG reserved1 : 04;//48
		ULONGLONG SoftwareWsIndex : 11;//52
		ULONGLONG NoExecute : 01;//63
	};

	struct
	{
		ULONGLONG Valid : 01;//00
		ULONGLONG PageFileLow : 04;//01
		ULONGLONG Protection : 05;//05
		ULONGLONG Prototype : 01;//10
		ULONGLONG Transition : 01;//11
		ULONGLONG UsedPageTableEntries : 10;//12
		ULONGLONG Reserved : 10;//22
		ULONGLONG PageFileHigh : 32;//32
	};
};

// Self-map bases. They are variables rather than constants because the PML4
// slot used for the self-map is supplied at run time through INIT_PTE_CONSTS
// (the commented-out 0x1ED above is the historical fixed slot; presumably the
// slot is no longer fixed on the kernels this targets -- verify per build).
extern ULONGLONG PTE_BASE_X64, PDE_BASE_X64, PPE_BASE_X64, PXE_BASE_X64, PX_SELFMAP;

#define VIRTUAL_ADDRESS_BITS 48
#define VIRTUAL_ADDRESS_MASK ((((ULONGLONG)1) << VIRTUAL_ADDRESS_BITS) - 1)
#define VIRTUAL_ADDRESS(va) (VIRTUAL_ADDRESS_MASK & (ULONGLONG)(va))

// the self-map slot must be in the kernel half of the PML4
#define PX_SELFMAP_MIN 0x100
#define PX_SELFMAP_MAX 0x1FF

// Derive all four self-map bases from slot i. ~VIRTUAL_ADDRESS_MASK supplies
// the canonical sign-extension bits above bit 47. NOTE: expands to several
// statements with no do/while wrapper -- use only as a statement, never as
// the unbraced body of an if/else.
#define INIT_PTE_CONSTS(i) PX_SELFMAP = i;\
	PTE_BASE_X64 = (~VIRTUAL_ADDRESS_MASK) + (PX_SELFMAP << PXI_SHIFT);\
	PDE_BASE_X64 = PTE_BASE_X64 + (PX_SELFMAP << PPI_SHIFT);\
	PPE_BASE_X64 = PDE_BASE_X64 + (PX_SELFMAP << PDI_SHIFT);\
	PXE_BASE_X64 = PPE_BASE_X64 + (PX_SELFMAP << PTI_SHIFT);

// PTE reached by walking indexes i/j/k/m through the self-map; PDE/PPE/PXE
// substitute the self-map slot for the upper indexes to land on the
// higher-level tables.
#define PTE(i, j, k, m) ((_PTE*)((~VIRTUAL_ADDRESS_MASK) + (PX_SELFMAP << PXI_SHIFT) + ((ULONGLONG)(i) << PPI_SHIFT) + ((ULONGLONG)(j) << PDI_SHIFT) + ((ULONGLONG)(k) << PTI_SHIFT) + ((ULONGLONG)(m) << PTE_SHIFT) ))
#define PDE(j, k, m) PTE(PX_SELFMAP, j, k, m)
#define PPE(k, m) PTE(PX_SELFMAP, PX_SELFMAP, k, m)
#define PXE(m) PTE(PX_SELFMAP, PX_SELFMAP, PX_SELFMAP, m)

// Offset of the entry describing virtual address V within each level's
// self-mapped table, computed by masking rather than indexing.
#define PTE_X64_MASK ((VIRTUAL_ADDRESS_MASK >> PTI_SHIFT) << PTE_SHIFT)
#define PDE_X64_MASK ((VIRTUAL_ADDRESS_MASK >> PDI_SHIFT) << PTE_SHIFT)
#define PPE_X64_MASK ((VIRTUAL_ADDRESS_MASK >> PPI_SHIFT) << PTE_SHIFT)
#define PXE_X64_MASK ((VIRTUAL_ADDRESS_MASK >> PXI_SHIFT) << PTE_SHIFT)

#define PTE_X64_OFS(V) (PTE_X64_MASK & ((ULONGLONG)(V) >> (PTI_SHIFT - PTE_SHIFT)))
#define PDE_X64_OFS(V) (PDE_X64_MASK & ((ULONGLONG)(V) >> (PDI_SHIFT - PTE_SHIFT)))
#define PPE_X64_OFS(V) (PPE_X64_MASK & ((ULONGLONG)(V) >> (PPI_SHIFT - PTE_SHIFT)))
#define PXE_X64_OFS(V) (PXE_X64_MASK & ((ULONGLONG)(V) >> (PXI_SHIFT - PTE_SHIFT)))

// address of the PTE/PDE/PPE/PXE for virtual address V (mask form)
#define PTE_X64_L(V) ((_PTE*)(PTE_BASE_X64 + PTE_X64_OFS(V)))
#define PDE_X64_L(V) ((_PTE*)(PDE_BASE_X64 + PDE_X64_OFS(V)))
#define PPE_X64_L(V) ((_PTE*)(PPE_BASE_X64 + PPE_X64_OFS(V)))
#define PXE_X64_L(V) ((_PTE*)(PXE_BASE_X64 + PXE_X64_OFS(V)))

// same addresses, written as array indexing into the self-mapped tables
#define PTE_X64_L_(V) (&((_PTE*)PTE_BASE_X64)[VIRTUAL_ADDRESS(V) >> PTI_SHIFT])
#define PDE_X64_L_(V) (&((_PTE*)PDE_BASE_X64)[VIRTUAL_ADDRESS(V) >> PDI_SHIFT])
#define PPE_X64_L_(V) (&((_PTE*)PPE_BASE_X64)[VIRTUAL_ADDRESS(V) >> PPI_SHIFT])
#define PXE_X64_L_(V) (&((_PTE*)PXE_BASE_X64)[VIRTUAL_ADDRESS(V) >> PXI_SHIFT])

// ==== /INC/asmfunc.h ====
// helper for get complex c++ names for use in asm code
//
// Build once with _PRINT_CPP_NAMES_ defined: every function marked
// ASM_FUNCTION / CPP_FUNCTION then prints its decorated name in the form the
// .asm files need ('proc'/'endp' pairs and 'extern ... : PROC' lines). Undefine
// it again for the real build -- the message below reminds you.
#ifdef ASM_FUNCTION
#undef ASM_FUNCTION
#endif

#ifdef CPP_FUNCTION
#undef CPP_FUNCTION
#endif

#ifdef _PRINT_CPP_NAMES_

#define ASM_FUNCTION {__pragma(message(__FUNCDNAME__" proc\r\n" __FUNCDNAME__ " endp"))}
#define CPP_FUNCTION \
__pragma(message("; " __FUNCSIG__ "\r\nextern " __FUNCDNAME__ " : PROC"))

// in this mode ASM_FUNCTION bodies reference none of their parameters
#pragma warning(disable : 4100)
__pragma(message(__FILE__ "(" _CRT_STRINGIZE(__LINE__) "): !! undef _PRINT_CPP_NAMES_ !!"))

#else

#define ASM_FUNCTION
#define CPP_FUNCTION

#endif

// ==== /INC/initterm.h ====
//
// Minimal CRT start-up/shutdown for binaries built without the CRT: runs the
// compiler-generated C and C++ initialiser tables and keeps an atexit list.
typedef void (__cdecl *_PVFV)(void);

// fold the .CRT initialiser section into an existing read-only section
#ifdef _PAGE_
#pragma comment(linker, "/merge:.CRT=PAGER")
#else
#pragma comment(linker, "/merge:.CRT=.rdata")
#endif

extern "C"
{
	// Null sentinels bracketing the initialiser pointers: the linker orders
	// .CRT$X?? sub-sections alphabetically, so XC* (C++ static constructors)
	// and XI* (C initialisers) emitted by the compiler land between A and Z.
#pragma const_seg(".CRT$XCA")
	const _PVFV __xc_a = 0;
#pragma const_seg(".CRT$XCZ")
	const _PVFV __xc_z = 0;

#pragma const_seg(".CRT$XIA")
	const _PVFV __xi_a = 0;
#pragma const_seg(".CRT$XIZ")
	const _PVFV __xi_z = 0;

#pragma const_seg()

	// Call every non-null pointer in [ppfn, end). This is a do/while, so
	// *ppfn is dereferenced once even when ppfn == end; the callers below
	// always pass the (null) sentinels, which makes that read harmless.
	void __initterm(const _PVFV *ppfn, const _PVFV *end)
	{
		do
		{
			if (_PVFV pfn = *ppfn++)
			{
				pfn();
			}
		} while (ppfn < end);
	}

	// run C initialisers first, then C++ static constructors
	void initterm()
	{
		__initterm(&__xi_a, &__xi_z);
		__initterm(&__xc_a, &__xc_z);
	}

	// atexit registrations, kept on an interlocked singly linked list.
	// NOTE(review): never passed to InitializeSListHead; relies on the
	// zero-initialised static being a valid empty header -- confirm.
	SLIST_HEADER g__onexit;

	struct ONEXIT : SLIST_ENTRY
	{
		_PVFV func;
#ifdef _KERNEL_MODE
		void operator delete(void* p)
		{
			ExFreePool(p);
		}

		// NOTE(review): untagged pool allocation; current WDKs deprecate
		// ExAllocatePool in favour of ExAllocatePool2 / a tagged variant.
		void* operator new(size_t cb)
		{
			return ExAllocatePool(PagedPool, cb);
		}
#endif
	};

	// Register func to run from destroyterm(). Returns 0 on success, -1 (after
	// trapping) when the node cannot be allocated.
	int __cdecl atexit(_PVFV func)
	{
		if (ONEXIT* p = new ONEXIT)
		{
			p->func = func;
			InterlockedPushEntrySList(&g__onexit, p);
			return 0;
		}

		__debugbreak();
		return -1;
	}
	// Run the registered handlers, most recently registered first (the SList
	// pops LIFO), freeing each node as it goes.
	void destroyterm()
	{
		while (ONEXIT* p = static_cast<ONEXIT*>(InterlockedPopEntrySList(&g__onexit)))
		{
			p->func();
			delete p;
		}
	}
};

// ==== /INC/md5.h ====
#pragma once

// Context for the MD5Init/MD5Update/MD5Final triple declared below through
// NTDLL_V (presumably the project's "ntdll export" declaration macro, not
// shown here). After MD5Final the 16-byte digest can be read through any
// member of the union.
//
// Security note: MD5 is collision-broken. Use it only for non-adversarial
// fingerprinting or legacy protocol compatibility, never as the basis of an
// integrity or authentication decision.
struct MD5_CTX {
	ULONG ib[2];          /* number of _bits_ handled mod 2^64 */
	ULONG sbuf[4];        /* scratch buffer */
	UCHAR in[64];         /* input buffer */
	union {               /* actual digest after MD5Final call */
		UCHAR digest[16];
		USHORT us_digest[8];
		ULONG ul_digest[4];
		ULONG64 u64_digest[2];
		UUID ui_digest;
	};
} ;

NTDLL_V MD5Init(MD5_CTX *);
NTDLL_V MD5Update(MD5_CTX *, const void *, unsigned int);
NTDLL_V MD5Final(MD5_CTX *);

#define MD5_HASH_LEN 16

// ==== /INC/mini_yvals.h ====
// Subset of the MSVC <yvals.h> helper macros, provided here so they are
// available in builds that do not pull in the CRT headers.
#pragma once

#ifndef _HAS_CXX17
#ifdef _MSVC_LANG
#if _MSVC_LANG > 201402
#define _HAS_CXX17 1
#else /* _MSVC_LANG > 201402 */
#define _HAS_CXX17 0
#endif /* _MSVC_LANG > 201402 */
#else /* _MSVC_LANG */
#if __cplusplus > 201402
#define _HAS_CXX17 1
#else /* __cplusplus > 201402 */
#define _HAS_CXX17 0
#endif /* __cplusplus > 201402 */
#endif /* _MSVC_LANG */
#endif /* _HAS_CXX17 */

#ifndef _NODISCARD
#if _HAS_CXX17
#define _NODISCARD [[nodiscard]]
#else
#define _NODISCARD
#endif
#endif//_NODISCARD

#ifndef _CRT_STRINGIZE
#define _CRT_STRINGIZE_(x) #x
#define _CRT_STRINGIZE(x) _CRT_STRINGIZE_(x)
#endif

#ifndef _CRT_WIDE
#define _CRT_WIDE_(s) L ## s
#define _CRT_WIDE(s) _CRT_WIDE_(s)
#endif

#ifndef _CRT_CONCATENATE
#define _CRT_CONCATENATE_(a, b) a ## b
#define _CRT_CONCATENATE(a, b) _CRT_CONCATENATE_(a, b)
#endif


#ifndef _CRT_UNPARENTHESIZE
#define _CRT_UNPARENTHESIZE_(...) \
__VA_ARGS__
#define _CRT_UNPARENTHESIZE(...) _CRT_UNPARENTHESIZE_ __VA_ARGS__
#endif


// ==== /INC/misc.h ====
#pragma once

// base of the current module, supplied by the linker
extern "C" {
	extern IMAGE_DOS_HEADER __ImageBase;
}

typedef int (__cdecl * QSORTFN) (const void *, const void *);
typedef int (__cdecl * QSORTFN_S)(void *, const void *, const void *);

#ifndef _NTDRIVER_

NTDLL_(LONGLONG)
RtlInterlockedCompareExchange64 (
	LONGLONG volatile *Destination,
	LONGLONG Exchange,
	LONGLONG Comperand
	);

// map the kernel32 SList names onto their ntdll Rtl* equivalents so user-mode
// code can link against ntdll alone
#define InterlockedPopEntrySList(Head) RtlInterlockedPopEntrySList(Head)
#define InterlockedPushEntrySList(Head, Entry) RtlInterlockedPushEntrySList(Head, Entry)
#define InterlockedFlushSList(Head) RtlInterlockedFlushSList(Head)
#define QueryDepthSList(Head) RtlQueryDepthSList(Head)
#define FirstEntrySList(Head) RtlFirstEntrySList(Head)

#ifndef _WIN64
#define InterlockedCompareExchange64(Destination, ExChange, Comperand) RtlInterlockedCompareExchange64(Destination, ExChange, Comperand)
#endif

#endif//_NTDRIVER_

#ifndef _WIN64
// 32-bit: pointer-sized interlocked operations are the LONG ones
#define InterlockedCompareExchangePointer(Destination, ExChange, Comperand) \
	(PVOID)(LONG_PTR)InterlockedCompareExchange((PLONG)(Destination), (LONG)(LONG_PTR)(ExChange), (LONG)(LONG_PTR)(Comperand))

#define InterlockedExchangePointer(Destination, ExChange) \
	(PVOID)(LONG_PTR)InterlockedExchange((PLONG)(Destination), (LONG)(LONG_PTR)(ExChange))
#endif

#if 0//ndef _WIN64
#ifdef SetWindowLongPtrW
#undef SetWindowLongPtrW
#endif
#define SetWindowLongPtrW(hwnd, i, val) ((LPARAM)SetWindowLongW(hwnd, i, (LONG)(LPARAM)(val)))
#ifdef GetWindowLongPtrW
#undef GetWindowLongPtrW
#endif
#define GetWindowLongPtrW(hwnd, i) ((LPARAM)GetWindowLongW(hwnd, i))
#endif

// read/write NT_TIB.ArbitraryUserPointer of the current thread directly
// through the TEB segment register (gs on x64, fs on x86)
#ifdef _WIN64
#define GetArbitraryUserPointer() (PVOID)__readgsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer))
#define SetArbitraryUserPointer(p) __writegsqword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), (DWORD_PTR)(p))
#else
#define GetArbitraryUserPointer() (PVOID)__readfsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer))
#define SetArbitraryUserPointer(p) __writefsdword(FIELD_OFFSET(NT_TIB, ArbitraryUserPointer), (DWORD_PTR)(p))
#endif

//////////////////////////////////////////////////////////////////////////

// Pass v through unchanged, recording NOERROR (v truthy) or GetLastError()
// in dwError. Intended for wrapping Win32 calls: GLE(CreateFileW(...)).
template<typename T>
T ToError(ULONG& dwError, T v)
{
	dwError = v ? NOERROR : GetLastError();
	return v;
}

#define GLE(x) ToError(dwError, x)

// Same as ToError, but records an HRESULT in hr.
template<typename T>
T ToHr(HRESULT& hr, T v)
{
	hr = v ? S_OK : HRESULT_FROM_WIN32(GetLastError());
	return v;
}

#define GLH(x) ToHr(hr, x)

inline ULONG BOOL_TO_ERROR(BOOL f)
{
	return f ? NOERROR : GetLastError();
}

// normalise the "no handle" value to 0 so a single null check works
inline HANDLE fixH(HANDLE hFile)
{
	return hFile == INVALID_HANDLE_VALUE ? 0 : hFile;
}

#ifdef _malloca
#undef _malloca
#endif
#ifdef _freea
#undef _freea
#endif

// Stack-or-heap scratch allocation: alloca below _ALLOCA_S_THRESHOLD,
// otherwise new[]. _freea tells the two apart by testing whether the pointer
// lies inside the current thread's stack. NOTE: `size` is evaluated twice,
// and the alloca branch lives in the caller's frame, so do not call this in a
// loop.
#define _malloca(size) ((size) < _ALLOCA_S_THRESHOLD ? alloca(size) : new BYTE[size])

inline void _freea(PVOID pv)
{
	PNT_TIB tib = (PNT_TIB)NtCurrentTeb();
	// anything outside [StackLimit, StackBase) came from new BYTE[]
	if (pv < tib->StackLimit || tib->StackBase <= pv) delete [] pv;
}

// HRESULT for a Win32 error code (defaults to the thread's last error);
// 0 maps to S_OK. The BOOL overload below is picked for int/BOOL arguments.
inline HRESULT GetLastHr(ULONG dwError = GetLastError())
{
	return dwError ? HRESULT_FROM_WIN32(dwError) : S_OK;
}

inline HRESULT GetLastHr(BOOL fOk)
{
	return fOk ? S_OK : HRESULT_FROM_WIN32(GetLastError());
}

// HRESULT for a pointer/size-style result where 0 means failure
inline HRESULT VtoHr(ULONG_PTR r)
{
	return r ? S_OK : GetLastHr();
}

#define PtoHr(r) VtoHr((ULONG_PTR)(r))

////////////////////////////////////////////////////////////////
// CID

// CLIENT_ID with a constructor; a zero thread id means "any thread"
struct CID : CLIENT_ID
{
	CID(HANDLE _UniqueProcess, HANDLE _UniqueThread = 0)
	{
		UniqueThread = _UniqueThread;
		UniqueProcess = _UniqueProcess;
	}
};

///////////////////////////////////////////////////////////////
// CUnicodeString

// UNICODE_STRING that wraps (does not copy) a NUL-terminated string; the
// source text must outlive this object.
class CUnicodeString : public UNICODE_STRING
{
public:
	CUnicodeString(PCWSTR String)
	{
		RtlInitUnicodeString(this,String);
	}
};

///////////////////////////////////////////////////////////////
// CObjectAttributes

// OBJECT_ATTRIBUTES with constructors. Defaults: no root directory,
// OBJ_CASE_INSENSITIVE, and no security descriptor / QoS -- objects created
// through it therefore get the default security for their type. The LPCWSTR
// form points ObjectName at the embedded mus, so the OBJECT_ATTRIBUTES is
// only valid while this object (and the name text) is alive.
struct CObjectAttributes : public OBJECT_ATTRIBUTES
{
	CObjectAttributes(LPCWSTR _ObjectName,
		HANDLE _RootDirectory = 0,
		ULONG _Attributes = OBJ_CASE_INSENSITIVE,
		PVOID _SecurityDescriptor = 0,
		PVOID _SecurityQualityOfService = 0
		)
	{
		Length = sizeof OBJECT_ATTRIBUTES;
		RtlInitUnicodeString(ObjectName = &mus,_ObjectName);
		RootDirectory = _RootDirectory;
		Attributes = _Attributes;
		SecurityDescriptor = _SecurityDescriptor;
		SecurityQualityOfService = _SecurityQualityOfService;
	}
	CObjectAttributes(PCUNICODE_STRING _ObjectName,
		HANDLE _RootDirectory = 0,
		ULONG _Attributes = OBJ_CASE_INSENSITIVE,
		PVOID _SecurityDescriptor = 0,
		PVOID _SecurityQualityOfService = 0
		)
	{
		Length = sizeof OBJECT_ATTRIBUTES;
		ObjectName = (PUNICODE_STRING)_ObjectName;
		RootDirectory = _RootDirectory;
		Attributes = _Attributes;
		SecurityDescriptor = _SecurityDescriptor;
		SecurityQualityOfService = _SecurityQualityOfService;
	}
private:
	UNICODE_STRING mus;
};

#include "mini_yvals.h"

// MSVC charizing operator: makeachar(a) -> 'a'
#define _makeachar(x) #@x
#define makeachar(x) \
_makeachar(x) 185 | #define _makewchar(x) L## #@x 186 | #define makewchar(x) _makewchar(x) 187 | #define echo(x) x 188 | #define label(x) echo(x)##__LINE__ 189 | #define showmacro(x) __pragma(message(__FILE__ _CRT_STRINGIZE((__LINE__): \nmacro\t)#x" expand to\n" _CRT_STRINGIZE(x))) 190 | 191 | #define IID_PPV(pItf) __uuidof(*pItf),(void**)&pItf 192 | 193 | #define RTL_CONSTANT_STRINGA(s) { sizeof( s ) - sizeof( (s)[0] ), sizeof( s ), const_cast(s) } 194 | #define RTL_CONSTANT_STRINGW_(s) { sizeof( s ) - sizeof( (s)[0] ), sizeof( s ), const_cast(s) } 195 | #define RTL_CONSTANT_STRINGW(s) RTL_CONSTANT_STRINGW_(echo(L)echo(s)) 196 | 197 | #define STATIC_UNICODE_STRING(name, str) \ 198 | static const WCHAR label(__)[] = echo(L)str;\ 199 | static const UNICODE_STRING name = RTL_CONSTANT_STRINGW_(label(__)) 200 | 201 | #define STATIC_ANSI_STRING(name, str) \ 202 | static const CHAR label(__)[] = str;\ 203 | static const ANSI_STRING name = RTL_CONSTANT_STRINGA(label(__)) 204 | 205 | #define STATIC_ASTRING(name, str) static const CHAR name[] = str 206 | #define STATIC_WSTRING(name, str) static const WCHAR name[] = echo(L)str 207 | 208 | #define STATIC_UNICODE_STRING_(name) STATIC_UNICODE_STRING(name, #name) 209 | #define STATIC_WSTRING_(name) STATIC_WSTRING(name, #name) 210 | #define STATIC_ANSI_STRING_(name) STATIC_ANSI_STRING(name, #name) 211 | #define STATIC_ASTRING_(name) STATIC_ASTRING(name, #name) 212 | 213 | #define STATIC_OBJECT_ATTRIBUTES(oa, name)\ 214 | STATIC_UNICODE_STRING(label(m), name);\ 215 | static OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, const_cast(&label(m)), OBJ_CASE_INSENSITIVE } 216 | 217 | #define STATIC_OBJECT_ATTRIBUTES_EX(oa, name, a, sd, sqs)\ 218 | STATIC_UNICODE_STRING(label(m), name);\ 219 | static OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, const_cast(&label(m)), a, sd, sqs } 220 | 221 | 222 | #define BEGIN_PRIVILEGES(name, n) static const union { TOKEN_PRIVILEGES name;\ 223 | struct { ULONG PrivilegeCount; LUID_AND_ATTRIBUTES Privileges[n];} 
label(_) = { n, { 224 | 225 | #define LAA(se) {{se}, SE_PRIVILEGE_ENABLED } 226 | #define LAA_D(se) {{se} } 227 | 228 | #define END_PRIVILEGES }};}; 229 | 230 | #pragma warning(default : 4005) 231 | -------------------------------------------------------------------------------- /INC/msdis170.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class __declspec(dllimport) __declspec(novtable) DIS 4 | { 5 | public: 6 | enum DIST{ arm, cee, ia64, mips, mips16, ppc, ppc2, shcompact, arm2, ia32, ia16, amd64, invalid }; 7 | enum REGA{ eax,ecx,edx,ebx,esp,ebp,esi,edi }; 8 | enum MEMREFT{ }; 9 | enum TRMT{ }; 10 | enum TRMTA { 11 | a_gen = 1, 12 | a_int = 2, 13 | a_div = 3, 14 | a_jmp_u_2 = 4, 15 | a_jmp_u_5 = 5, 16 | a_jmp_rm = 7, 17 | a_ret = 8, 18 | a_iret = 9, 19 | a_jmp_c_2=10, 20 | a_jmp_c_6=11, 21 | a_loop=12, 22 | a_jcx=13, 23 | a_call=15, 24 | a_call_rm=17 25 | }; 26 | enum OPA{ }; 27 | enum OPREFT{ }; 28 | 29 | virtual ~DIS() = 0; 30 | virtual unsigned __int64 AddrAddress(UINT_PTR) = 0; 31 | virtual unsigned __int64 AddrInstruction()const = 0; 32 | virtual unsigned __int64 AddrJumpTable() = 0; 33 | virtual unsigned __int64 AddrOperand(UINT_PTR) = 0; 34 | virtual unsigned __int64 AddrTarget(UINT_PTR) = 0; 35 | virtual UINT Cb()const = 0; 36 | virtual UINT CbAssemble(void *,size_t) = 0; 37 | virtual UINT CbDisassemble(unsigned __int64,void const *,size_t) = 0; 38 | virtual UINT CbJumpEntry() = 0; 39 | virtual UINT CbOperand(size_t) = 0; 40 | virtual UINT CcchFormatInstrStops(UINT_PTR *,size_t) = 0; 41 | virtual UINT CchFormatBytes(wchar_t *,size_t)const = 0; 42 | virtual UINT CchFormatBytesMax() = 0; 43 | virtual UINT Cinstruction()const = 0; 44 | virtual UINT Coperand()const = 0; 45 | virtual unsigned long DwModifiers() = 0; 46 | virtual bool FDecode(struct INSTRUCTION *,struct OPERAND *,UINT_PTR) = 0; 47 | virtual bool FEncode(unsigned __int64,struct INSTRUCTION const *,struct OPERAND const 
*,UINT_PTR,UINT_PTR) = 0; 48 | virtual void FormatAddr(void*,size_t) = 0; 49 | virtual void FormatInstr(void*) = 0; 50 | virtual bool FSelectInstruction(UINT_PTR) = 0; 51 | virtual bool FSetFormatInstrStops(UINT_PTR const *,UINT_PTR) = 0; 52 | virtual OPA Opa()const = 0; 53 | virtual OPREFT Opreft(UINT_PTR)const = 0; 54 | virtual TRMT Trmt()const = 0; 55 | virtual TRMTA Trmta()const = 0; 56 | 57 | static DIS * __stdcall PdisNew(DIST); 58 | DIST Dist()const; 59 | void SetAddr64(bool); 60 | void * PvClientSet(void *); 61 | void * PvClient()const; 62 | unsigned __int64 Addr()const; 63 | 64 | size_t CchFormatInstr(wchar_t *,size_t)const; 65 | size_t CchFormatAddr(unsigned __int64,wchar_t *,size_t)const; 66 | 67 | unsigned __int64 (__stdcall* PfndwgetregSet(unsigned __int64 (__stdcall*)(DIS const *,REGA)))(DIS const *,REGA); 68 | size_t (__stdcall* PfncchregrelSet(size_t (__stdcall*)(DIS const *,REGA,unsigned long,wchar_t *,size_t,unsigned long *)))(DIS const *,REGA,unsigned long,wchar_t *,size_t,unsigned long *); 69 | size_t (__stdcall* PfncchregSet(size_t (__stdcall*)(DIS const *,REGA,wchar_t *,size_t)))(DIS const *,REGA,wchar_t *,size_t); 70 | size_t (__stdcall* PfncchfixupSet(size_t (__stdcall*)(DIS const *,unsigned __int64,size_t,wchar_t *,size_t,unsigned __int64 *)))(DIS const *,unsigned __int64,size_t,wchar_t *,size_t,unsigned __int64 *); 71 | size_t (__stdcall* PfncchaddrSet(size_t (__stdcall*)(DIS const *,unsigned __int64,wchar_t *,size_t,unsigned __int64 *)))(DIS const *,unsigned __int64,wchar_t *,size_t,unsigned __int64 *); 72 | }; 73 | -------------------------------------------------------------------------------- /INC/netlogon.h: -------------------------------------------------------------------------------- 1 | typedef struct LM_OWF_PASSWORD { 2 | UCHAR data[16]; 3 | } NT_OWF_PASSWORD; 4 | 5 | typedef struct USER_SESSION_KEY { 6 | UCHAR data[16]; 7 | }* PUSER_SESSION_KEY; 8 | 9 | typedef struct NETLOGON_VALIDATION_SAM_INFO4 { 10 | LARGE_INTEGER 
LogonTime; 11 | LARGE_INTEGER LogoffTime; 12 | LARGE_INTEGER KickOffTime; 13 | LARGE_INTEGER PasswordLastSet; 14 | LARGE_INTEGER PasswordCanChange; 15 | LARGE_INTEGER PasswordMustChange; 16 | UNICODE_STRING EffectiveName; 17 | UNICODE_STRING FullName; 18 | UNICODE_STRING LogonScript; 19 | UNICODE_STRING ProfilePath; 20 | UNICODE_STRING HomeDirectory; 21 | UNICODE_STRING HomeDirectoryDrive; 22 | USHORT LogonCount; 23 | USHORT BadPasswordCount; 24 | ULONG UserId; 25 | ULONG PrimaryGroupId; 26 | ULONG GroupCount; 27 | PGROUP_MEMBERSHIP GroupIds; 28 | ULONG UserFlags; 29 | USER_SESSION_KEY UserSessionKey; 30 | UNICODE_STRING LogonServer; 31 | UNICODE_STRING LogonDomainName; 32 | PSID LogonDomainId; 33 | UCHAR LMKey[8]; 34 | ULONG UserAccountControl; 35 | ULONG SubAuthStatus; 36 | LARGE_INTEGER LastSuccessfulILogon; 37 | LARGE_INTEGER LastFailedILogon; 38 | ULONG FailedILogonCount; 39 | ULONG Reserved4; 40 | ULONG SidCount; 41 | PSID_AND_ATTRIBUTES ExtraSids; 42 | UNICODE_STRING DnsLogonDomainName; 43 | UNICODE_STRING Upn; 44 | UNICODE_STRING ExpansionString1; 45 | UNICODE_STRING ExpansionString2; 46 | UNICODE_STRING ExpansionString3; 47 | UNICODE_STRING ExpansionString4; 48 | UNICODE_STRING ExpansionString5; 49 | UNICODE_STRING ExpansionString6; 50 | UNICODE_STRING ExpansionString7; 51 | UNICODE_STRING ExpansionString8; 52 | UNICODE_STRING ExpansionString9; 53 | UNICODE_STRING ExpansionString10; 54 | } *PNETLOGON_VALIDATION_SAM_INFO4; 55 | 56 | typedef union NETLOGON_VALIDATION { 57 | PNETLOGON_VALIDATION_SAM_INFO4 ValidationSam4; 58 | } *PNETLOGON_VALIDATION; 59 | 60 | typedef struct NETLOGON_LOGON_IDENTITY_INFO { 61 | UNICODE_STRING LogonDomainName; 62 | ULONG ParameterControl; 63 | LUID LogonId; 64 | UNICODE_STRING UserName; 65 | UNICODE_STRING Workstation; 66 | } *PNETLOGON_LOGON_IDENTITY_INFO; 67 | 68 | typedef struct NETLOGON_INTERACTIVE_INFO : public NETLOGON_LOGON_IDENTITY_INFO { 69 | LM_OWF_PASSWORD LmOwfPassword; 70 | NT_OWF_PASSWORD NtOwfPassword; 71 | } 
*PNETLOGON_INTERACTIVE_INFO; 72 | 73 | typedef union NETLOGON_LEVEL { 74 | PNETLOGON_INTERACTIVE_INFO LogonInteractive; 75 | } *PNETLOGON_LEVEL; 76 | 77 | typedef struct NETLOGON_CREDENTIAL { 78 | UCHAR data[8]; 79 | } *PNETLOGON_CREDENTIAL; 80 | 81 | typedef struct NETLOGON_AUTHENTICATOR : public NETLOGON_CREDENTIAL { 82 | ULONG Timestamp; 83 | } *PNETLOGON_AUTHENTICATOR; 84 | 85 | enum NETLOGON_VALIDATION_INFO_CLASS 86 | { 87 | NetlogonValidationUasInfo = 1, 88 | NetlogonValidationSamInfo, 89 | NetlogonValidationSamInfo2, 90 | NetlogonValidationGenericInfo, 91 | NetlogonValidationGenericInfo2, 92 | NetlogonValidationSamInfo4 93 | }; 94 | 95 | enum NETLOGON_LOGON_INFO_CLASS { 96 | NetlogonInteractiveInformation = 1, 97 | NetlogonNetworkInformation, 98 | NetlogonServiceInformation, 99 | NetlogonGenericInformation, 100 | NetlogonInteractiveTransitiveInformation, 101 | NetlogonNetworkTransitiveInformation, 102 | NetlogonServiceTransitiveInformation 103 | }; 104 | -------------------------------------------------------------------------------- /INC/nobase.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #pragma code_seg(".text$nm") 6 | 7 | #pragma intrinsic(memcpy, strcmp, wcslen, strlen) 8 | 9 | EXTERN_C_START 10 | 11 | #pragma warning(disable : 4273) 12 | 13 | // General 14 | NTSTATUS NTAPI NtClose( _In_ HANDLE Handle ); 15 | 16 | // System 17 | NTSTATUS NTAPI NtQuerySystemInformation ( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, _In_ ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL ); 18 | 19 | // Section 20 | NTSTATUS NTAPI NtOpenSection( _Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes ); 21 | NTSTATUS NTAPI NtQuerySection ( _In_ HANDLE SectionHandle, _In_ ULONG SectionInformationClass, OUT PVOID SectionInformation, _In_ ULONG SectionInformationLength, OUT PULONG ResultLength 
OPTIONAL );
NTSTATUS NTAPI NtUnmapViewOfSection( _In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress );

// Memory
// Virtual-memory primitives; ProcessHandle may name a process other than the
// caller's. These are hand-written prototypes, so nothing but the export name
// is checked when they are resolved. The SAL is inconsistent (`_In_ OUT` mixes
// the old and new annotation styles, NtWriteVirtualMemory carries none) and
// several parameters are spelled `BaseAddres`; harmless for linkage, but worth
// normalising to `_Inout_` / `BaseAddress` for readability.
NTSTATUS NTAPI NtAllocateVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect );
NTSTATUS NTAPI NtQueryVirtualMemory ( _In_ HANDLE ProcessHandle, _In_ PVOID BaseAddres, _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, OUT PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, OUT PSIZE_T ReturnLength OPTIONAL );
NTSTATUS NTAPI NtProtectVirtualMemory ( _In_ HANDLE ProcessHandle, _In_ OUT PVOID* BaseAddres, _In_ OUT PSIZE_T ProtectSize, _In_ ULONG NewProtect, OUT PULONG OldProtect );
NTSTATUS NTAPI NtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddres, PVOID Buffer, SIZE_T BufferLength, PSIZE_T ReturnLength);
NTSTATUS NTAPI NtFreeVirtualMemory( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _Inout_ PSIZE_T RegionSize, _In_ ULONG FreeType );

// Process/Thread
// NtOpenProcess/NtOpenThread take the target as a CLIENT_ID (see CID in
// misc.h). NtQueueApcThread and NtSetContextThread change another thread's
// execution state and need the corresponding access rights on the handle.
NTSTATUS NTAPI NtOpenProcess(PHANDLE ProcessHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID Cid);
NTSTATUS NTAPI NtOpenThread(PHANDLE ThreadHandle, ULONG DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID Cid);
NTSTATUS NTAPI NtQueryInformationThread(HANDLE hThread, THREADINFOCLASS InformationClass, PVOID Information, ULONG InformationLength, PULONG ReturnLength );
NTSTATUS NTAPI NtQueueApcThread(HANDLE hThread, PKNORMAL_ROUTINE ApcRoutine, PVOID ApcContext, PVOID Argument1, PVOID Argument2);
NTSTATUS NTAPI NtSetContextThread ( _In_ HANDLE ThreadHandle, _In_ _CONTEXT* Context );

// Ldr
// Loader entry points. DllName is a UNICODE_STRING (CUnicodeString and
// STATIC_UNICODE_STRING in misc.h build one); the unnamed `int` parameters
// are flag words whose meaning is not documented here.
// LdrProcessRelocationBlock applies one IMAGE_BASE_RELOCATION block for an
// image shifted by Delta and, judging by its return type, yields the next block.
NTSTATUS NTAPI LdrUnloadDll(HMODULE DllBase);
NTSTATUS NTAPI LdrLoadDll ( PCWSTR SearchPaths, PULONG pFlags, PCUNICODE_STRING DllName, HMODULE* pDllBase );
NTSTATUS NTAPI LdrGetProcedureAddress ( HMODULE hModule, const ANSI_STRING* ProcedureName, ULONG Ordinal, void** pAddress );
NTSTATUS NTAPI LdrEnumerateLoadedModules ( int, PFNENUMERATEMODULES pfn, PVOID UserData );
NTSTATUS NTAPI LdrGetDllHandle(LPCWSTR szPath, int, PCUNICODE_STRING DllName, HMODULE* phmod);
PIMAGE_BASE_RELOCATION NTAPI LdrProcessRelocationBlock(PVOID VirtualAddress, ULONG RelocCount, PUSHORT TypeOffset, LONG_PTR Delta);

// RtlImage
// PE header walkers over an image already in memory. Base is trusted as a
// well-formed image; none of these validate it.
PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader ( PVOID Base );
PVOID NTAPI RtlAddressInSectionTable ( PIMAGE_NT_HEADERS NtHeaders, PVOID Base, ULONG Rva );
PVOID NTAPI RtlImageDirectoryEntryToData ( PVOID Base, BOOLEAN MappedAsImage, USHORT DirectoryEntry, PULONG Size );

// RtlStrings
// RtlCreateUnicodeStringFromAsciiz allocates DestinationString->Buffer; pair
// it with RtlFreeUnicodeString (its _Frees_ptr_opt_ annotation frees Buffer).
// The RtlInit* routines only point at the caller's buffer, they copy nothing.
BOOLEAN NTAPI RtlCreateUnicodeStringFromAsciiz ( OUT PUNICODE_STRING DestinationString, _In_ const char* SourceString );
BOOLEAN NTAPI RtlEqualUnicodeString(PCUNICODE_STRING String1, PCUNICODE_STRING String2, _In_ BOOLEAN CaseInSensitive );
VOID NTAPI RtlInitAnsiString( _Out_ PANSI_STRING DestinationString, _In_opt_z_ __drv_aliasesMem PCSZ SourceString );
VOID NTAPI RtlInitUnicodeString( _Out_ PUNICODE_STRING DestinationString, _In_opt_z_ __drv_aliasesMem PCWSTR SourceString );
VOID NTAPI RtlFreeUnicodeString( _Inout_ _At_(UnicodeString->Buffer, _Frees_ptr_opt_) PUNICODE_STRING UnicodeString );

// Vex
// Vectored exception handler registration; the returned PVOID is the handle
// passed back to RtlRemoveVectoredExceptionHandler.
PVOID NTAPI RtlAddVectoredExceptionHandler( _In_ ULONG FirstHandler, _In_ PVECTORED_EXCEPTION_HANDLER VectoredHandler );
ULONG NTAPI RtlRemoveVectoredExceptionHandler( _In_ PVOID Handle );

// Frame
// The TEB's active-frame stack (TEB_ACTIVE_FRAME is declared in ntpebteb.h).
TEB_ACTIVE_FRAME* NTAPI RtlGetFrame();
VOID NTAPI RtlPushFrame(TEB_ACTIVE_FRAME* Frame);
VOID NTAPI RtlPopFrame(TEB_ACTIVE_FRAME* Frame);

// runtime
// CRT-style routines declared by hand, presumably because this code is built
// without the CRT; the `#pragma intrinsic` at the top of the header lets the
// compiler inline the ones it knows.
wchar_t * __cdecl wcsrchr(_In_z_ const wchar_t *_Str, _In_ wchar_t _Ch);
int __cdecl wcscmp(const wchar_t *, const wchar_t *);
void* __cdecl memcpy(void* Destination, const void* Source, size_t Length );
void * __cdecl memset(void 
*dest, int c, size_t count );
// Kernel-style formatted debug output, declared like the Nt*/Rtl* routines
// above rather than pulled from a CRT header.
ULONG
__cdecl
DbgPrint (
_In_z_ _Printf_format_string_ PCSTR Format,
...
);

#pragma warning(default : 4273)

EXTERN_C_END

// Resolves an export by name at run time; the x64 stubs in nobase64.inc call
// it through the mangled name ?GetFuncAddress@NT@@YAPEAXPEBD@Z, which places it
// in namespace NT - presumably that namespace is opened outside this view.
PVOID __fastcall GetFuncAddress(PCSTR lpsz);

// Presumably the in-memory image base of ntdll; defined elsewhere in the project.
PIMAGE_DOS_HEADER GetNtBase();
-------------------------------------------------------------------------------- /INC/nobase64.inc: --------------------------------------------------------------------------------

; NtApi name, "string": emits a stub named `name` that looks up the export
; `string` on every call. rax is pointed at the NUL-terminated name stored
; right after the jmp, and common_imp_call does the lookup and the tail jump.
; NOTE(review): as rendered here the procedure is closed with `NtApi endp`
; rather than `name endp`; MASM expects the label that opened the proc -
; confirm against the checked-in file.
NtApi macro name, string
name proc
lea rax,@@1
jmp common_imp_call
@@1:
DB string,0
NtApi endp
endm

; void *__cdecl NT::GetFuncAddress(const char *)
extern ?GetFuncAddress@NT@@YAPEAXPEBD@Z : PROC

.code

; Shared tail of every NtApi stub. On entry rax -> export name and
; rcx/rdx/r8/r9 still hold the caller's first four arguments; they are saved
; around the resolver call and restored before the tail jump, so the resolved
; routine sees the original arguments (stack arguments are never touched).
; `sub rsp,28h` is 32 bytes of shadow space plus 8 bytes to restore 16-byte
; alignment after the four pushes. Only the integer argument registers are
; preserved, not the xmm ones; fine for the prototypes in nobase.h, which take
; only integer and pointer arguments. There is no check for a failed lookup:
; if the resolver returns 0 the final jmp transfers control to address 0.
common_imp_call proc private
push r9
push r8
push rdx
push rcx
sub rsp,28h
mov rcx,rax
call ?GetFuncAddress@NT@@YAPEAXPEBD@Z
add rsp,28h
pop rcx
pop rdx
pop r8
pop r9
jmp rax
common_imp_call endp

; char NT::fmemcmp(const void *a, const void *b, size_t n)
; Returns 0 when the first n bytes match, otherwise -1/+1 taken from SF of the
; first differing byte subtraction - a signed-byte ordering, not memcmp's
; unsigned-char one. Fine as an equality test, not as a sort key.
; Caveats visible in the body: the count is taken from r8d, so lengths above
; 32 bits are truncated; with n == 0 `repe cmpsb` does not execute and the
; mov/xchg instructions leave the flags untouched, so the result of an empty
; compare depends on whatever flags the caller left behind.
?fmemcmp@NT@@YADPEBX0_K@Z proc
mov rax,rsi             ; rsi/rdi are non-volatile: keep rsi in rax
mov rsi,rcx             ; rsi = a
xchg rdi,rdx            ; rdi = b, rdx = saved rdi
mov ecx,r8d             ; rcx = n (low 32 bits only)
repe cmpsb              ; compare while equal
mov rsi,rax             ; restore rsi
mov rdi,rdx             ; restore rdi
mov al,0                ; mov does not touch the flags set by cmpsb
jz @@2                  ; all n bytes equal -> 0
js @@1                  ; [a] - [b] negative -> -1
inc al                  ; otherwise +1
@@2:
ret
@@1:
dec al
ret
?fmemcmp@NT@@YADPEBX0_K@Z endp

-------------------------------------------------------------------------------- /INC/ntdbg.h: --------------------------------------------------------------------------------
#pragma once

#ifdef __cplusplus
extern "C" {
#endif

// Payloads of the debug-object state changes returned by NtWaitForDebugEvent /
// DbgUiWaitStateChange (declared further down in this header); the
// DbgUi layer converts them to the Win32 DEBUG_EVENT form.
typedef struct _DBGKM_EXCEPTION
{
	EXCEPTION_RECORD ExceptionRecord;
	ULONG FirstChance;
} DBGKM_EXCEPTION, *PDBGKM_EXCEPTION;

typedef struct _DBGKM_CREATE_THREAD
{
	ULONG SubSystemKey;
	PVOID StartAddress;
} DBGKM_CREATE_THREAD, *PDBGKM_CREATE_THREAD;

typedef struct _DBGKM_CREATE_PROCESS
{
	ULONG SubSystemKey;
	HANDLE FileHandle;
	PVOID 
BaseOfImage; 24 | ULONG DebugInfoFileOffset; 25 | ULONG DebugInfoSize; 26 | DBGKM_CREATE_THREAD InitialThread; 27 | } DBGKM_CREATE_PROCESS, *PDBGKM_CREATE_PROCESS; 28 | 29 | typedef struct _DBGKM_EXIT_THREAD 30 | { 31 | NTSTATUS ExitStatus; 32 | } DBGKM_EXIT_THREAD, *PDBGKM_EXIT_THREAD; 33 | 34 | typedef struct _DBGKM_EXIT_PROCESS 35 | { 36 | NTSTATUS ExitStatus; 37 | } DBGKM_EXIT_PROCESS, *PDBGKM_EXIT_PROCESS; 38 | 39 | typedef struct _DBGKM_LOAD_DLL 40 | { 41 | HANDLE FileHandle; 42 | PVOID BaseOfDll; 43 | ULONG DebugInfoFileOffset; 44 | ULONG DebugInfoSize; 45 | PVOID NamePointer; 46 | } DBGKM_LOAD_DLL, *PDBGKM_LOAD_DLL; 47 | 48 | typedef struct _DBGKM_UNLOAD_DLL 49 | { 50 | PVOID BaseAddress; 51 | } DBGKM_UNLOAD_DLL, *PDBGKM_UNLOAD_DLL; 52 | 53 | typedef enum _DBG_STATE 54 | { 55 | DbgIdle, 56 | DbgReplyPending, 57 | DbgCreateThreadStateChange, 58 | DbgCreateProcessStateChange, 59 | DbgExitThreadStateChange, 60 | DbgExitProcessStateChange, 61 | DbgExceptionStateChange, 62 | DbgBreakpointStateChange, 63 | DbgSingleStepStateChange, 64 | DbgLoadDllStateChange, 65 | DbgUnloadDllStateChange 66 | } DBG_STATE, *PDBG_STATE; 67 | 68 | typedef struct _DBGUI_CREATE_THREAD 69 | { 70 | HANDLE HandleToThread; 71 | DBGKM_CREATE_THREAD NewThread; 72 | } DBGUI_CREATE_THREAD, *PDBGUI_CREATE_THREAD; 73 | 74 | typedef struct _DBGUI_CREATE_PROCESS 75 | { 76 | HANDLE HandleToProcess; 77 | HANDLE HandleToThread; 78 | DBGKM_CREATE_PROCESS NewProcess; 79 | } DBGUI_CREATE_PROCESS, *PDBGUI_CREATE_PROCESS; 80 | 81 | typedef struct _DBGUI_WAIT_STATE_CHANGE 82 | { 83 | DBG_STATE NewState; 84 | CLIENT_ID AppClientId; 85 | union 86 | { 87 | DBGKM_EXCEPTION Exception; 88 | DBGUI_CREATE_THREAD CreateThread; 89 | DBGUI_CREATE_PROCESS CreateProcessInfo; 90 | DBGKM_EXIT_THREAD ExitThread; 91 | DBGKM_EXIT_PROCESS ExitProcess; 92 | DBGKM_LOAD_DLL LoadDll; 93 | DBGKM_UNLOAD_DLL UnloadDll; 94 | }; 95 | } DBGUI_WAIT_STATE_CHANGE, *PDBGUI_WAIT_STATE_CHANGE; 96 | 97 | // System calls 98 | 99 | #define 
DEBUG_READ_EVENT 0x0001 100 | #define DEBUG_PROCESS_ASSIGN 0x0002 101 | #define DEBUG_SET_INFORMATION 0x0004 102 | #define DEBUG_QUERY_INFORMATION 0x0008 103 | #define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \ 104 | DEBUG_READ_EVENT | DEBUG_PROCESS_ASSIGN | DEBUG_SET_INFORMATION | \ 105 | DEBUG_QUERY_INFORMATION) 106 | 107 | #define DEBUG_KILL_ON_CLOSE 0x1 108 | 109 | typedef enum _DEBUGOBJECTINFOCLASS 110 | { 111 | DebugObjectFlags = 1, 112 | MaxDebugObjectInfoClass 113 | } DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; 114 | 115 | NTSYSCALLAPI 116 | NTSTATUS 117 | NTAPI 118 | NtCreateDebugObject( 119 | _Out_ PHANDLE DebugObjectHandle, 120 | _In_ ACCESS_MASK DesiredAccess, 121 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 122 | _In_ ULONG Flags 123 | ); 124 | 125 | NTSYSCALLAPI 126 | NTSTATUS 127 | NTAPI 128 | NtDebugActiveProcess( 129 | _In_ HANDLE ProcessHandle, 130 | _In_ HANDLE DebugObjectHandle 131 | ); 132 | 133 | NTSYSCALLAPI 134 | NTSTATUS 135 | NTAPI 136 | NtDebugContinue( 137 | _In_ HANDLE DebugObjectHandle, 138 | _In_ PCLIENT_ID ClientId, 139 | _In_ NTSTATUS ContinueStatus 140 | ); 141 | 142 | NTSYSCALLAPI 143 | NTSTATUS 144 | NTAPI 145 | NtRemoveProcessDebug( 146 | _In_ HANDLE ProcessHandle, 147 | _In_ HANDLE DebugObjectHandle 148 | ); 149 | 150 | NTSYSCALLAPI 151 | NTSTATUS 152 | NTAPI 153 | NtSetInformationDebugObject( 154 | _In_ HANDLE DebugObjectHandle, 155 | _In_ DEBUGOBJECTINFOCLASS DebugObjectInformationClass, 156 | _In_ PVOID DebugInformation, 157 | _In_ ULONG DebugInformationLength, 158 | _Out_opt_ PULONG ReturnLength 159 | ); 160 | 161 | NTSYSCALLAPI 162 | NTSTATUS 163 | NTAPI 164 | NtWaitForDebugEvent( 165 | _In_ HANDLE DebugObjectHandle, 166 | _In_ BOOLEAN Alertable, 167 | _In_opt_ PLARGE_INTEGER Timeout, 168 | _Out_ PVOID WaitStateChange 169 | ); 170 | 171 | // Debugging UI 172 | 173 | NTSYSAPI 174 | NTSTATUS 175 | NTAPI 176 | DbgUiConnectToDbg(); 177 | 178 | NTSYSAPI 179 | HANDLE 180 | NTAPI 181 | 
DbgUiGetThreadDebugObject(); 182 | 183 | NTSYSAPI 184 | VOID 185 | NTAPI 186 | DbgUiSetThreadDebugObject( 187 | _In_ HANDLE DebugObject 188 | ); 189 | 190 | NTSYSAPI 191 | NTSTATUS 192 | NTAPI 193 | DbgUiWaitStateChange( 194 | _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange, 195 | _In_opt_ PLARGE_INTEGER Timeout 196 | ); 197 | 198 | NTSYSAPI 199 | NTSTATUS 200 | NTAPI 201 | DbgUiContinue( 202 | _In_ PCLIENT_ID AppClientId, 203 | _In_ NTSTATUS ContinueStatus 204 | ); 205 | 206 | NTSYSAPI 207 | NTSTATUS 208 | NTAPI 209 | DbgUiStopDebugging( 210 | _In_ HANDLE Process 211 | ); 212 | 213 | NTSYSAPI 214 | NTSTATUS 215 | NTAPI 216 | DbgUiDebugActiveProcess( 217 | _In_ HANDLE Process 218 | ); 219 | 220 | NTSYSAPI 221 | VOID 222 | NTAPI 223 | DbgUiRemoteBreakin( 224 | _In_ PVOID Context 225 | ); 226 | 227 | NTSYSAPI 228 | NTSTATUS 229 | NTAPI 230 | DbgUiIssueRemoteBreakin( 231 | _In_ HANDLE Process 232 | ); 233 | 234 | NTSYSAPI 235 | NTSTATUS 236 | NTAPI 237 | DbgUiConvertStateChangeStructure( 238 | _In_ PDBGUI_WAIT_STATE_CHANGE StateChange, 239 | _Out_ DEBUG_EVENT *DebugEvent 240 | ); 241 | 242 | #ifdef __cplusplus 243 | } 244 | #endif 245 | -------------------------------------------------------------------------------- /INC/ntfs structs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | union NTFS_FILE_ID 4 | { 5 | LONGLONG IndexNumber; 6 | 7 | struct 8 | { 9 | LONGLONG MftRecordIndex : 48; 10 | LONGLONG SequenceNumber : 16; 11 | }; 12 | }; 13 | 14 | struct NTFS_RECORD_HEADER 15 | { 16 | enum { 17 | FILE = 'ELIF', 18 | INDX = 'XDNI', 19 | BAAD = 'DAAB', 20 | HOLE = 'ELOH', 21 | CHKD = 'DKHC' 22 | } Type; 23 | USHORT UsaOffset; 24 | USHORT UsaCount; 25 | USN Usn; 26 | }; 27 | 28 | struct NTFS_FILE_RECORD_HEADER : public NTFS_RECORD_HEADER 29 | { 30 | USHORT SequenceNumber; 31 | USHORT LinkCount; 32 | USHORT AttributesOffset; 33 | USHORT Flags; 34 | ULONG BytesInUse; 35 | ULONG BytesAllocated; 36 | ULONGLONG 
BaseFileRecord; 37 | USHORT NextAttributeNumber; 38 | 39 | enum{ 40 | flgInUse = 1, flgDirectory = 2 41 | }; 42 | }; 43 | 44 | struct NTFS_ATTRIBUTE 45 | { 46 | enum ATTRIBUTE_TYPE { 47 | StandardInformation = 0x10, 48 | AttributeList = 0x20, 49 | FileName = 0x30, 50 | ObjectId = 0x40, 51 | SecurityDescriptor = 0x50, 52 | VolumeName = 0x60, 53 | VolumeInformation = 0x70, 54 | Data = 0x80, 55 | IndexRoot = 0x90, 56 | IndexAllocation = 0xa0, 57 | Bitmap = 0xb0, 58 | ReparsePoint = 0xc0, 59 | EAInformation = 0xd0, 60 | EA = 0xe0, 61 | PropertySet = 0xf0, 62 | LoggedUtilityStream = 0x100, 63 | StopTag = MAXDWORD 64 | } Type; 65 | ULONG Length; 66 | BOOLEAN Nonresident; 67 | UCHAR NameLength; 68 | USHORT NameOffset; 69 | USHORT Flags;// 1 = Compresed 70 | USHORT AttributeNumber; 71 | }; 72 | 73 | struct NTFS_RESIDENT_ATTRIBUTE : public NTFS_ATTRIBUTE 74 | { 75 | ULONG ValueLength; 76 | USHORT ValueOffset; 77 | USHORT Flags; 78 | }; 79 | 80 | struct NTFS_NONRESIDENT_ATTRIBUTE : public NTFS_ATTRIBUTE 81 | { 82 | LONGLONG LowVcn; 83 | LONGLONG HighVcn; 84 | USHORT RunArrayOffset; 85 | UCHAR CompressionUnit; 86 | UCHAR Unknown[5]; 87 | LONGLONG AllocationSize; 88 | LONGLONG DataSize; 89 | LONGLONG InitializedSize; 90 | LONGLONG CompressedSize; 91 | }; 92 | 93 | struct NTFS_ATTRIBUTE_LIST 94 | { 95 | NTFS_ATTRIBUTE::ATTRIBUTE_TYPE Type; 96 | USHORT Length; 97 | UCHAR NameLength; 98 | UCHAR NameOffset; 99 | LONGLONG LowVcn; 100 | NTFS_FILE_ID FileReferenceNumber; 101 | USHORT AttributeNumber; 102 | USHORT Unknown[3]; 103 | }; 104 | 105 | struct NTFS_STANDARD_ATTRIBUTE 106 | { 107 | LONGLONG CreationTime; 108 | LONGLONG ChangeTime; 109 | LONGLONG LastWriteTime; 110 | LONGLONG LastAccessTime; 111 | ULONG FileAttributes; 112 | ULONG Unknown[3]; 113 | ULONG QuotaId; 114 | ULONG SecurityId; 115 | ULONGLONG QuotaChange; 116 | USN Usn; 117 | }; 118 | 119 | struct NTFS_FILENAME_ATTRIBUTE 120 | { 121 | NTFS_FILE_ID DirectoryId; 122 | LONGLONG CreationTime; 123 | LONGLONG ChangeTime; 
124 | LONGLONG LastWriteTime; 125 | LONGLONG LastAccessTime; 126 | LONGLONG AllocationSize; 127 | LONGLONG DataSize; 128 | ULONG FileAttributes; 129 | ULONG EaSize; 130 | UCHAR FileNameLength; 131 | UCHAR NameType; 132 | WCHAR FileName[]; 133 | 134 | enum { 135 | systemName , longName, shortName, systemName2 136 | }; 137 | }; -------------------------------------------------------------------------------- /INC/ntjob.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | EXTERN_C_START 4 | 5 | // Job objects 6 | 7 | NTSYSCALLAPI 8 | NTSTATUS 9 | NTAPI 10 | NtCreateJobObject( 11 | _Out_ PHANDLE JobHandle, 12 | _In_ ACCESS_MASK DesiredAccess, 13 | _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes 14 | ); 15 | 16 | NTSYSCALLAPI 17 | NTSTATUS 18 | NTAPI 19 | NtOpenJobObject( 20 | _Out_ PHANDLE JobHandle, 21 | _In_ ACCESS_MASK DesiredAccess, 22 | _In_ POBJECT_ATTRIBUTES ObjectAttributes 23 | ); 24 | 25 | NTSYSCALLAPI 26 | NTSTATUS 27 | NTAPI 28 | NtAssignProcessToJobObject( 29 | _In_ HANDLE JobHandle, 30 | _In_ HANDLE ProcessHandle 31 | ); 32 | 33 | NTSYSCALLAPI 34 | NTSTATUS 35 | NTAPI 36 | NtTerminateJobObject( 37 | _In_ HANDLE JobHandle, 38 | _In_ NTSTATUS ExitStatus 39 | ); 40 | 41 | NTSYSCALLAPI 42 | NTSTATUS 43 | NTAPI 44 | NtIsProcessInJob( 45 | _In_ HANDLE ProcessHandle, 46 | _In_opt_ HANDLE JobHandle 47 | ); 48 | 49 | NTSYSCALLAPI 50 | NTSTATUS 51 | NTAPI 52 | NtQueryInformationJobObject( 53 | _In_opt_ HANDLE JobHandle, 54 | _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, 55 | _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, 56 | _In_ ULONG JobObjectInformationLength, 57 | _Out_opt_ PULONG ReturnLength 58 | ); 59 | 60 | NTSYSCALLAPI 61 | NTSTATUS 62 | NTAPI 63 | NtSetInformationJobObject( 64 | _In_ HANDLE JobHandle, 65 | _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, 66 | _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, 67 | _In_ ULONG 
JobObjectInformationLength 68 | ); 69 | 70 | NTSYSCALLAPI 71 | NTSTATUS 72 | NTAPI 73 | NtCreateJobSet( 74 | _In_ ULONG NumJob, 75 | _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet, 76 | _In_ ULONG Flags 77 | ); 78 | 79 | NTSYSCALLAPI 80 | NTSTATUS 81 | NTAPI 82 | NtRevertContainerImpersonation( 83 | VOID 84 | ); 85 | 86 | EXTERN_C_END -------------------------------------------------------------------------------- /INC/ntpebteb.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define GDI_HANDLE_BUFFER_SIZE32 34 4 | #define GDI_HANDLE_BUFFER_SIZE64 60 5 | 6 | #ifndef _WIN64 7 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32 8 | #else 9 | #define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64 10 | #endif 11 | 12 | #define FLS_MAXIMUM_AVAILABLE 128 13 | #define TLS_MINIMUM_AVAILABLE 64 14 | #define TLS_EXPANSION_SLOTS 1024 15 | 16 | struct _ACTIVATION_CONTEXT; 17 | struct _ACTIVATION_CONTEXT_DATA; 18 | struct _ASSEMBLY_STORAGE_MAP; 19 | 20 | struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME 21 | { 22 | _RTL_ACTIVATION_CONTEXT_STACK_FRAME *Previous; 23 | _ACTIVATION_CONTEXT *ActivationContext; 24 | ULONG Flags; 25 | }; 26 | 27 | struct _ACTIVATION_CONTEXT_STACK 28 | { 29 | _RTL_ACTIVATION_CONTEXT_STACK_FRAME *ActiveFrame; 30 | _LIST_ENTRY FrameListCache; 31 | ULONG Flags; 32 | ULONG NextCookieSequenceNumber; 33 | ULONG StackId; 34 | }; 35 | 36 | struct _LDR_DATA_TABLE_ENTRY 37 | { 38 | LIST_ENTRY InLoadOrderLinks; 39 | LIST_ENTRY InMemoryOrderLinks; 40 | LIST_ENTRY InInitializationOrderLinks; 41 | void *DllBase; 42 | void *EntryPoint; 43 | ULONG SizeOfImage; 44 | UNICODE_STRING FullDllName; 45 | UNICODE_STRING BaseDllName; 46 | ULONG Flags; 47 | USHORT LoadCount; 48 | USHORT TlsIndex; 49 | union { 50 | LIST_ENTRY HashLinks; 51 | struct { 52 | void *SectionPointer; 53 | ULONG CheckSum; 54 | }; 55 | }; 56 | union{ 57 | ULONG TimeDateStamp; 58 | void *LoadedImports; 59 | }; 60 | _ACTIVATION_CONTEXT 
*EntryPointActivationContext; 61 | void *PatchInformation; 62 | }; 63 | 64 | #define DOS_MAX_COMPONENT_LENGTH 255 65 | #define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) 66 | 67 | typedef struct _CURDIR 68 | { 69 | UNICODE_STRING DosPath; 70 | HANDLE Handle; 71 | } CURDIR, *PCURDIR; 72 | 73 | #define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 74 | #define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 75 | 76 | typedef struct _RTL_DRIVE_LETTER_CURDIR 77 | { 78 | USHORT Flags; 79 | USHORT Length; 80 | ULONG TimeStamp; 81 | STRING DosPath; 82 | } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; 83 | 84 | #define RTL_MAX_DRIVE_LETTERS 32 85 | #define RTL_DRIVE_LETTER_VALID (USHORT)0x0001 86 | 87 | typedef struct _RTL_USER_PROCESS_PARAMETERS 88 | { 89 | ULONG MaximumLength; 90 | ULONG Length; 91 | 92 | ULONG Flags; 93 | ULONG DebugFlags; 94 | 95 | HANDLE ConsoleHandle; 96 | ULONG ConsoleFlags; 97 | HANDLE StandardInput; 98 | HANDLE StandardOutput; 99 | HANDLE StandardError; 100 | 101 | CURDIR CurrentDirectory; 102 | UNICODE_STRING DllPath; 103 | UNICODE_STRING ImagePathName; 104 | UNICODE_STRING CommandLine; 105 | PVOID Environment; 106 | 107 | ULONG StartingX; 108 | ULONG StartingY; 109 | ULONG CountX; 110 | ULONG CountY; 111 | ULONG CountCharsX; 112 | ULONG CountCharsY; 113 | ULONG FillAttribute; 114 | 115 | ULONG WindowFlags; 116 | ULONG ShowWindowFlags; 117 | UNICODE_STRING WindowTitle; 118 | UNICODE_STRING DesktopInfo; 119 | UNICODE_STRING ShellInfo; 120 | UNICODE_STRING RuntimeData; 121 | RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; 122 | 123 | ULONG_PTR EnvironmentSize; 124 | ULONG_PTR EnvironmentVersion; 125 | 126 | PVOID PackageDependencyData; 127 | ULONG ProcessGroupId; 128 | ULONG LoaderThreads; 129 | 130 | UNICODE_STRING RedirectionDllName; // REDSTONE4 131 | UNICODE_STRING HeapPartitionName; // 19H1 132 | ULONG_PTR DefaultThreadpoolCpuSetMasks; 133 | ULONG DefaultThreadpoolCpuSetMaskCount; 134 | } RTL_USER_PROCESS_PARAMETERS, 
*PRTL_USER_PROCESS_PARAMETERS; 135 | 136 | 137 | struct _PEB_FREE_BLOCK 138 | { 139 | /*000*/ _PEB_FREE_BLOCK *Next; 140 | /*008*/ ULONG Size; 141 | }; 142 | 143 | struct _PEB_LDR_DATA 144 | { 145 | ULONG Length; 146 | UCHAR Initialized; 147 | void *SsHandle; 148 | LIST_ENTRY InLoadOrderModuleList; 149 | LIST_ENTRY InMemoryOrderModuleList; 150 | LIST_ENTRY InInitializationOrderModuleList; 151 | void *EntryInProgress; 152 | }; 153 | 154 | typedef struct _INITIAL_TEB 155 | { 156 | PVOID OldStackBase; 157 | PVOID OldStackLimit; 158 | PVOID StackBase; 159 | PVOID StackLimit; 160 | PVOID StackAllocationBase; 161 | } INITIAL_TEB, *PINITIAL_TEB; 162 | 163 | typedef struct USER_STACK 164 | { 165 | LPVOID FixedStackBase; 166 | LPVOID FixedStackLimit; 167 | LPVOID ExpandableStackBase; 168 | LPVOID ExpandableStackLimit; 169 | LPVOID ExpandableStackBottom; 170 | } *PUSER_STACK; 171 | 172 | typedef NTSTATUS (CALLBACK * WIN32CALLBACK)(PULONG argv, ULONG argc); 173 | 174 | struct WIN32CALLBACK_ARRAY 175 | { 176 | WIN32CALLBACK pfn[]; 177 | }; 178 | 179 | 180 | // symbols 181 | typedef struct _PEB 182 | { 183 | BOOLEAN InheritedAddressSpace; 184 | BOOLEAN ReadImageFileExecOptions; 185 | BOOLEAN BeingDebugged; 186 | union 187 | { 188 | BOOLEAN BitField; 189 | struct 190 | { 191 | BOOLEAN ImageUsesLargePages : 1; 192 | BOOLEAN IsProtectedProcess : 1; 193 | BOOLEAN IsImageDynamicallyRelocated : 1; 194 | BOOLEAN SkipPatchingUser32Forwarders : 1; 195 | BOOLEAN IsPackagedProcess : 1; 196 | BOOLEAN IsAppContainer : 1; 197 | BOOLEAN IsProtectedProcessLight : 1; 198 | BOOLEAN SpareBits : 1; 199 | }; 200 | }; 201 | HANDLE Mutant; 202 | PVOID ImageBaseAddress; 203 | _PEB_LDR_DATA* Ldr; 204 | _RTL_USER_PROCESS_PARAMETERS* ProcessParameters; 205 | PVOID SubSystemData; 206 | PVOID ProcessHeap; 207 | PRTL_CRITICAL_SECTION FastPebLock; 208 | PVOID AtlThunkSListPtr; 209 | PVOID IFEOKey; 210 | union 211 | { 212 | ULONG CrossProcessFlags; 213 | struct 214 | { 215 | ULONG ProcessInJob : 1; 216 | 
ULONG ProcessInitializing : 1; 217 | ULONG ProcessUsingVEH : 1; 218 | ULONG ProcessUsingVCH : 1; 219 | ULONG ProcessUsingFTH : 1; 220 | ULONG ReservedBits0 : 27; 221 | }; 222 | ULONG EnvironmentUpdateCount; 223 | }; 224 | union 225 | { 226 | WIN32CALLBACK_ARRAY* KernelCallbackTable; 227 | PVOID UserSharedInfoPtr; 228 | }; 229 | ULONG SystemReserved[1]; 230 | ULONG AtlThunkSListPtr32; 231 | PVOID ApiSetMap; 232 | ULONG TlsExpansionCounter; 233 | PVOID TlsBitmap; 234 | ULONG TlsBitmapBits[2]; 235 | PVOID ReadOnlySharedMemoryBase; 236 | PVOID HotpatchInformation; 237 | PVOID *ReadOnlyStaticServerData; 238 | PVOID AnsiCodePageData; 239 | PVOID OemCodePageData; 240 | PVOID UnicodeCaseTableData; 241 | 242 | ULONG NumberOfProcessors; 243 | ULONG NtGlobalFlag; 244 | 245 | LARGE_INTEGER CriticalSectionTimeout; 246 | SIZE_T HeapSegmentReserve; 247 | SIZE_T HeapSegmentCommit; 248 | SIZE_T HeapDeCommitTotalFreeThreshold; 249 | SIZE_T HeapDeCommitFreeBlockThreshold; 250 | 251 | ULONG NumberOfHeaps; 252 | ULONG MaximumNumberOfHeaps; 253 | PVOID *ProcessHeaps; 254 | 255 | PVOID GdiSharedHandleTable; 256 | PVOID ProcessStarterHelper; 257 | ULONG GdiDCAttributeList; 258 | 259 | PRTL_CRITICAL_SECTION LoaderLock; 260 | 261 | ULONG OSMajorVersion; 262 | ULONG OSMinorVersion; 263 | USHORT OSBuildNumber; 264 | USHORT OSCSDVersion; 265 | ULONG OSPlatformId; 266 | ULONG ImageSubsystem; 267 | ULONG ImageSubsystemMajorVersion; 268 | ULONG ImageSubsystemMinorVersion; 269 | ULONG_PTR ImageProcessAffinityMask; 270 | ULONG GdiHandleBuffer[GDI_HANDLE_BUFFER_SIZE]; 271 | void (* PostProcessInitRoutine)(); 272 | 273 | PVOID TlsExpansionBitmap; 274 | ULONG TlsExpansionBitmapBits[32]; 275 | 276 | ULONG SessionId; 277 | 278 | ULARGE_INTEGER AppCompatFlags; 279 | ULARGE_INTEGER AppCompatFlagsUser; 280 | PVOID pShimData; 281 | PVOID AppCompatInfo; 282 | 283 | UNICODE_STRING CSDVersion; 284 | 285 | PVOID ActivationContextData; 286 | PVOID ProcessAssemblyStorageMap; 287 | PVOID 
SystemDefaultActivationContextData; 288 | PVOID SystemAssemblyStorageMap; 289 | 290 | SIZE_T MinimumStackCommit; 291 | 292 | PVOID *FlsCallback; 293 | LIST_ENTRY FlsListHead; 294 | PVOID FlsBitmap; 295 | ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; 296 | ULONG FlsHighIndex; 297 | 298 | PVOID WerRegistrationData; 299 | PVOID WerShipAssertPtr; 300 | PVOID pContextData; 301 | PVOID pImageHeaderHash; 302 | union 303 | { 304 | ULONG TracingFlags; 305 | struct 306 | { 307 | ULONG HeapTracingEnabled : 1; 308 | ULONG CritSecTracingEnabled : 1; 309 | ULONG LibLoaderTracingEnabled : 1; 310 | ULONG SpareTracingBits : 29; 311 | }; 312 | }; 313 | ULONGLONG CsrServerReadOnlySharedMemoryBase; 314 | } PEB, *PPEB; 315 | 316 | #define GDI_BATCH_BUFFER_SIZE 310 317 | 318 | typedef struct _GDI_TEB_BATCH 319 | { 320 | ULONG Offset; 321 | ULONG_PTR HDC; 322 | ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; 323 | } GDI_TEB_BATCH, *PGDI_TEB_BATCH; 324 | 325 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT 326 | { 327 | ULONG Flags; 328 | PCSTR FrameName; 329 | } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; 330 | 331 | typedef struct _TEB_ACTIVE_FRAME 332 | { 333 | ULONG Flags; 334 | _TEB_ACTIVE_FRAME *Previous; 335 | const TEB_ACTIVE_FRAME_CONTEXT* Context; 336 | } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; 337 | 338 | typedef struct _TEB 339 | { 340 | NT_TIB NtTib; 341 | 342 | PVOID EnvironmentPointer; 343 | CLIENT_ID ClientId; 344 | PVOID ActiveRpcHandle; 345 | PVOID ThreadLocalStoragePointer; 346 | PPEB ProcessEnvironmentBlock; 347 | 348 | ULONG LastErrorValue; 349 | ULONG CountOfOwnedCriticalSections; 350 | PVOID CsrClientThread; 351 | PVOID Win32ThreadInfo; 352 | ULONG User32Reserved[26]; 353 | ULONG UserReserved[5]; 354 | PVOID WOW32Reserved; 355 | LCID CurrentLocale; 356 | ULONG FpSoftwareStatusRegister; 357 | PVOID SystemReserved1[54]; 358 | NTSTATUS ExceptionCode; 359 | PVOID ActivationContextStackPointer; 360 | #ifdef _WIN64 361 | UCHAR SpareBytes[24]; 362 | #else 363 | 
UCHAR SpareBytes[36]; 364 | #endif 365 | ULONG TxFsContext; 366 | 367 | GDI_TEB_BATCH GdiTebBatch; 368 | CLIENT_ID RealClientId; 369 | HANDLE GdiCachedProcessHandle; 370 | ULONG GdiClientPID; 371 | ULONG GdiClientTID; 372 | PVOID GdiThreadLocalInfo; 373 | ULONG_PTR Win32ClientInfo[62]; 374 | PVOID glDispatchTable[233]; 375 | ULONG_PTR glReserved1[29]; 376 | PVOID glReserved2; 377 | PVOID glSectionInfo; 378 | PVOID glSection; 379 | PVOID glTable; 380 | PVOID glCurrentRC; 381 | PVOID glContext; 382 | 383 | NTSTATUS LastStatusValue; 384 | UNICODE_STRING StaticUnicodeString; 385 | WCHAR StaticUnicodeBuffer[261]; 386 | 387 | PVOID DeallocationStack; 388 | PVOID TlsSlots[64]; 389 | LIST_ENTRY TlsLinks; 390 | 391 | PVOID Vdm; 392 | PVOID ReservedForNtRpc; 393 | PVOID DbgSsReserved[2]; 394 | 395 | ULONG HardErrorMode; 396 | #ifdef _WIN64 397 | PVOID Instrumentation[11]; 398 | #else 399 | PVOID Instrumentation[9]; 400 | #endif 401 | GUID ActivityId; 402 | 403 | PVOID SubProcessTag; 404 | PVOID EtwLocalData; 405 | PVOID EtwTraceData; 406 | PVOID WinSockData; 407 | ULONG GdiBatchCount; 408 | 409 | union 410 | { 411 | PROCESSOR_NUMBER CurrentIdealProcessor; 412 | ULONG IdealProcessorValue; 413 | struct 414 | { 415 | UCHAR ReservedPad0; 416 | UCHAR ReservedPad1; 417 | UCHAR ReservedPad2; 418 | UCHAR IdealProcessor; 419 | }; 420 | }; 421 | 422 | ULONG GuaranteedStackBytes; 423 | PVOID ReservedForPerf; 424 | PVOID ReservedForOle; 425 | ULONG WaitingOnLoaderLock; 426 | PVOID SavedPriorityState; 427 | ULONG_PTR SoftPatchPtr1; 428 | PVOID ThreadPoolData; 429 | PVOID *TlsExpansionSlots; 430 | #ifdef _WIN64 431 | PVOID DeallocationBStore; 432 | PVOID BStoreLimit; 433 | #endif 434 | ULONG MuiGeneration; 435 | ULONG IsImpersonating; 436 | PVOID NlsCache; 437 | PVOID pShimData; 438 | ULONG HeapVirtualAffinity; 439 | HANDLE CurrentTransactionHandle; 440 | PTEB_ACTIVE_FRAME ActiveFrame; 441 | PVOID FlsData; 442 | 443 | PVOID PreferredLanguages; 444 | PVOID UserPrefLanguages; 445 | PVOID 
MergedPrefLanguages; 446 | ULONG MuiImpersonation; 447 | 448 | union 449 | { 450 | USHORT CrossTebFlags; 451 | USHORT SpareCrossTebBits : 16; 452 | }; 453 | union 454 | { 455 | USHORT SameTebFlags; 456 | struct 457 | { 458 | USHORT SafeThunkCall : 1; 459 | USHORT InDebugPrint : 1; 460 | USHORT HasFiberData : 1; 461 | USHORT SkipThreadAttach : 1; 462 | USHORT WerInShipAssertCode : 1; 463 | USHORT RanProcessInit : 1; 464 | USHORT ClonedThread : 1; 465 | USHORT SuppressDebugMsg : 1; 466 | USHORT DisableUserStackWalk : 1; 467 | USHORT RtlExceptionAttached : 1; 468 | USHORT InitialThread : 1; 469 | USHORT SessionAware : 1; 470 | USHORT SpareSameTebBits : 4; 471 | }; 472 | }; 473 | 474 | PVOID TxnScopeEnterCallback; 475 | PVOID TxnScopeExitCallback; 476 | PVOID TxnScopeContext; 477 | ULONG LockCount; 478 | ULONG SpareUlong0; 479 | PVOID ResourceRetValue; 480 | PVOID ReservedForWdf; 481 | } TEB, *PTEB; 482 | 483 | -------------------------------------------------------------------------------- /INC/ntsamp.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) 1992 Microsoft Corporation 4 | 5 | Module Name: 6 | 7 | ntsamp.h 8 | 9 | Abstract: 10 | 11 | This file contains structures that would normally be part of ntsam.h 12 | but are intended for system use only. 

Author:

    David Chalmers (Davidc) 27-Mar-1992

Environment:

    User Mode - Win32

Revision History:


--*/


#ifndef _NTSAMPRIVATE_
#define _NTSAMPRIVATE_

// Structures usable in SetUserInformation and QueryUserInformation API calls
// by trusted clients only
//


//
// Stored OWF (one-way-function, i.e. hashed) password material for one
// account, with a presence flag per hash. PasswordExpired only has meaning
// on Set (the original note calls it 'write-only').
//
typedef struct _USER_INTERNAL1_INFORMATION {
    NT_OWF_PASSWORD NtOwfPassword;
    LM_OWF_PASSWORD LmOwfPassword;
    BOOLEAN NtPasswordPresent;
    BOOLEAN LmPasswordPresent;
    BOOLEAN PasswordExpired; // A 'write-only' flag
} USER_INTERNAL1_INFORMATION, *PUSER_INTERNAL1_INFORMATION;


//
// Logon-statistics update. StatisticsToApply is a mask of the USER_LOGON_*
// bits defined below and selects which of the remaining fields (or which
// implied state change) SAM applies.
// Note: unlike its neighbours, no P* pointer typedef is declared for it.
//
typedef struct _USER_INTERNAL2_INFORMATION {
    ULONG StatisticsToApply;
    LARGE_INTEGER LastLogon;
    LARGE_INTEGER LastLogoff;
    USHORT BadPasswordCount;
    USHORT LogonCount;
} USER_INTERNAL2_INFORMATION;

//
// USER_INTERNAL2_INFORMATION plus the client workstation name, for the
// USER_LOGON_BAD_PASSWORD_WKSTA case described below.
//
typedef struct _USER_INTERNAL2A_INFORMATION {
    ULONG StatisticsToApply;
    LARGE_INTEGER LastLogon;
    LARGE_INTEGER LastLogoff;
    USHORT BadPasswordCount;
    USHORT LogonCount;
    UNICODE_STRING Workstation;
} USER_INTERNAL2A_INFORMATION, *PUSER_INTERNAL2A_INFORMATION;

//
//
//
// The following flags may be used in the StatisticsToApply field.
//
// USER_LOGON_STAT_LAST_LOGOFF - Replace the LastLogoff time in the
//      user record.
//
// USER_LOGON_STAT_LAST_LOGON - Replace the LastLogon time in the
//      user record.
//
// USER_LOGON_STAT_BAD_PWD_COUNT - Replace the BadPasswordCount
//      field in the user record.
//
// USER_LOGON_STAT_LOGON_COUNT - Replace the LogonCount field in the
//      user record.
//
// USER_LOGON_SUCCESSFUL_LOGON - Change user field values to indicate
//      that a successful logon has occurred. (No macro of this exact name
//      is defined below; see USER_LOGON_INTER_SUCCESS_LOGON and
//      USER_LOGON_NET_SUCCESS_LOGON.)
//
// USER_LOGON_SUCCESSFUL_LOGOFF - Change user field values to indicate
//      that a successful logoff has occurred. (Likewise: see
//      USER_LOGON_INTER_SUCCESS_LOGOFF and USER_LOGON_NET_SUCCESS_LOGOFF.)
//
// USER_LOGON_BAD_PASSWORD - Change user field values to indicate that
//      an attempt was made to logon to the account with a bad password.
//
// USER_LOGON_BAD_PASSWORD_WKSTA - Change user field values to indicate that
//      an attempt was made to logon to the account with a bad password.
//      The client workstation name is being supplied in the INTERNAL2A
//      structure.
//
// USER_LOGON_TYPE_KERBEROS - Indicates the authentication type was
//      KERBEROS.
//
// USER_LOGON_TYPE_NTLM - Indicates the authentication type was NTLM.
//
// USER_LOGON_NO_LOGON_SERVERS -- Indicates that no logon servers could be
//      found (specifically no GC's could be found)
//      (this is a failure case).
//
// USER_LOGON_NO_WRITE -- Indicates to SAM not to update the logon statistics.
//      This can be useful to notify SAM that a logon
//      has completed, but not have the penalty of writing
//      to the disk.
//
// USER_LOGON_INTER_FAILURE -- this indicates that it was an interactive
//      logon that failed
//
// USER_LOGON_PDC_RETRY_SUCCESS -- this indicates that the authentication
//      had previously failed locally but
//      succeeded at the PDC
//
// NOTE:
//      USER_LOGON_INTER_SUCCESS_LOGOFF
//      USER_LOGON_NET_SUCCESS_LOGOFF
//
//      may not be used in conjunction with ANY other flags (including
//      each other). That is, when one of these flags is used, there
//      may be NO other flags set in StatisticsToApply.
//
// NOTE2:
//
//      USER_LOGON_BAD_PASSWORD
//      USER_LOGON_INTER_SUCCESS_LOGON
//      USER_LOGON_NET_SUCCESS_LOGON
//
//      may be used in conjunction ONLY with ONE of USER_LOGON_TYPE_KERBEROS or
//      USER_LOGON_TYPE_NTLM.
//

#define USER_LOGON_STAT_LAST_LOGOFF         (0x00000001L)
#define USER_LOGON_STAT_LAST_LOGON          (0x00000002L)
#define USER_LOGON_STAT_BAD_PWD_COUNT       (0x00000004L)
#define USER_LOGON_STAT_LOGON_COUNT         (0x00000008L)

#define USER_LOGON_PDC_RETRY_SUCCESS        (0x00100000L)
#define USER_LOGON_INTER_FAILURE            (0x00200000L)
#define USER_LOGON_NO_WRITE                 (0x00400000L)
#define USER_LOGON_NO_LOGON_SERVERS         (0x00800000L)
#define USER_LOGON_INTER_SUCCESS_LOGON      (0x01000000L)
#define USER_LOGON_TYPE_NTLM                (0x02000000L)
#define USER_LOGON_TYPE_KERBEROS            (0x04000000L)
#define USER_LOGON_BAD_PASSWORD             (0x08000000L)
#define USER_LOGON_BAD_PASSWORD_WKSTA       (0x10000000L)
#define USER_LOGON_INTER_SUCCESS_LOGOFF     (0x20000000L)
#define USER_LOGON_NET_SUCCESS_LOGON        (0x40000000L)
#define USER_LOGON_NET_SUCCESS_LOGOFF       (0x80000000L)

//
// USER_ALL_INFORMATION plus the time of the last failed password attempt.
//
typedef struct _USER_INTERNAL3_INFORMATION {
    USER_ALL_INFORMATION I1;
    LARGE_INTEGER LastBadPasswordTime;
} USER_INTERNAL3_INFORMATION, *PUSER_INTERNAL3_INFORMATION;

//
// USER_ALL_INFORMATION plus a new password in the (unsalted) encrypted wire
// form. SAMPR_ENCRYPTED_USER_PASSWORD is not defined in this file.
//
typedef struct _USER_INTERNAL4_INFORMATION
{
    USER_ALL_INFORMATION I1;
    SAMPR_ENCRYPTED_USER_PASSWORD UserPassword;
} USER_INTERNAL4_INFORMATION, *PUSER_INTERNAL4_INFORMATION;

typedef struct _USER_INTERNAL5_INFORMATION
{
    SAMPR_ENCRYPTED_USER_PASSWORD UserPassword;
    BOOLEAN PasswordExpired;
} USER_INTERNAL5_INFORMATION, *PUSER_INTERNAL5_INFORMATION;

//
// Salted variant of the encrypted password blob, sized as
// SAMPR_USER_PASSWORD_NEW (below) laid out in bytes: the WCHAR Buffer (*2),
// the ULONG Length (+4) and ClearSalt. SAMPR_ENCRYPTED_USER_PASSWORD_NEW
// later in this file spells the salt length as a literal 16; the two sizes
// must stay equal.
//
typedef struct _ENCRYPTED_USER_PASSWORD_NEW
{
    UCHAR Buffer[(SAM_MAX_PASSWORD_LENGTH * 2) + 4 + SAM_PASSWORD_ENCRYPTION_SALT_LEN];
} ENCRYPTED_USER_PASSWORD_NEW, *PENCRYPTED_USER_PASSWORD_NEW;

typedef struct _USER_INTERNAL4_INFORMATION_NEW
{
    USER_ALL_INFORMATION I1;
    ENCRYPTED_USER_PASSWORD_NEW UserPassword;
} USER_INTERNAL4_INFORMATION_NEW, *PUSER_INTERNAL4_INFORMATION_NEW;

typedef struct _USER_INTERNAL5_INFORMATION_NEW
{
    ENCRYPTED_USER_PASSWORD_NEW UserPassword;
    BOOLEAN PasswordExpired;
} USER_INTERNAL5_INFORMATION_NEW, *PUSER_INTERNAL5_INFORMATION_NEW;

//
// Variable-length list of SPNs (ANYSIZE_ARRAY idiom). The struct tag
// (USER_ALLOWED_TO_DELEGATE_TO_LIST) differs from the typedef name
// (USER_SPN_LIST); the same layout serves both A2D2List and RegisteredSPNs
// below. Size is presumably the total byte size of the block -- confirm.
//
typedef struct USER_ALLOWED_TO_DELEGATE_TO_LIST
{
    ULONG Size;
    ULONG NumSPNs;
    UNICODE_STRING SPNList[ANYSIZE_ARRAY];
} USER_SPN_LIST, *PUSER_SPN_LIST;

//
// INTERNAL3 extended with the UPN, the allowed-to-delegate-to (A2D2) and
// registered-SPN lists, the Kerberos key version number and the lockout
// threshold. ExtendedFields is a mask of the USER_EXTENDED_FIELD_* bits
// below, one per trailing member; presumably it marks which of them are
// present/requested -- confirm against the implementation.
//
typedef struct _USER_INTERNAL6_INFORMATION {
    USER_ALL_INFORMATION I1;
    LARGE_INTEGER LastBadPasswordTime;
    ULONG ExtendedFields;
    BOOLEAN UPNDefaulted;
    UNICODE_STRING UPN;
    PUSER_SPN_LIST A2D2List;
    PUSER_SPN_LIST RegisteredSPNs;
    ULONG KeyVersionNumber;
    ULONG LockoutThreshold;
} USER_INTERNAL6_INFORMATION, *PUSER_INTERNAL6_INFORMATION;

//
// The following fields are to be used in the extended fields
// member of USER_INTERNAL6_INFORMATION
//


#define USER_EXTENDED_FIELD_UPN                 (0x00000001L)
#define USER_EXTENDED_FIELD_A2D2                (0x00000002L)
#define USER_EXTENDED_FIELD_SPN                 (0x00000004L)
#define USER_EXTENDED_FIELD_KVNO                (0x00000008L)
#define USER_EXTENDED_FIELD_LOCKOUT_THRESHOLD   (0x00000010L)

// Reserved for internal use
#define USER_EXTENDED_FIELD_RESERVED            (0xFF000000L)

//
// The following is for SamrGetUserDomainPasswordInformation(), which is
// only used in wrappers.c.
//

typedef struct _USER_DOMAIN_PASSWORD_INFORMATION {
    USHORT MinPasswordLength;
    ULONG PasswordProperties;
} USER_DOMAIN_PASSWORD_INFORMATION, *PUSER_DOMAIN_PASSWORD_INFORMATION;


//
// This flag may be or'd with the Length field of SAMPR_USER_PASSWORD to
// indicate that the password is not case sensitive. Since it occupies the
// top bit of Length, consumers must mask it off before using Length as a
// byte count.
//

#define SAM_PASSWORD_CASE_INSENSITIVE 0x80000000

//
// Structure to pass an encrypted password over the wire. The Length is the
// length of the password, which should be placed at the end of the buffer.
// The IDL form of this structure sizes the buffer with the literal 256,
// because MIDL does not let #define'd constants be imported; this C
// declaration uses SAM_MAX_PASSWORD_LENGTH (defined in ntsam.h), which must
// therefore stay 256 to keep the two in sync.
//
// Buffer - contains random fill with the password filling up the end
//      of the buffer (the last Length bytes).
// Length - Length, in bytes, of the buffer.
//

typedef struct _SAMPR_USER_PASSWORD {
    WCHAR Buffer[SAM_MAX_PASSWORD_LENGTH];
    ULONG Length;
} SAMPR_USER_PASSWORD, *PSAMPR_USER_PASSWORD;

//
// Salted form of the above; ClearSalt presumably travels unencrypted, as
// the name suggests -- confirm.
//
typedef struct _SAMPR_USER_PASSWORD_NEW {
    WCHAR Buffer[SAM_MAX_PASSWORD_LENGTH];
    ULONG Length;
    UCHAR ClearSalt[SAM_PASSWORD_ENCRYPTION_SALT_LEN];
} SAMPR_USER_PASSWORD_NEW, *PSAMPR_USER_PASSWORD_NEW;


//
// This is the encrypted version of the above structure, and is passed
// on the wire.
//


//
// Wire form of SAMPR_USER_PASSWORD_NEW once encrypted: the same byte count
// as ENCRYPTED_USER_PASSWORD_NEW above (WCHAR Buffer *2, ULONG Length +4,
// salt), but with the salt length spelled as a literal 16 instead of
// SAM_PASSWORD_ENCRYPTION_SALT_LEN -- keep the two in step.
//
typedef struct _SAMPR_ENCRYPTED_USER_PASSWORD_NEW {
    UCHAR Buffer[ (SAM_MAX_PASSWORD_LENGTH * 2) + 4 + 16];
} SAMPR_ENCRYPTED_USER_PASSWORD_NEW, *PSAMPR_ENCRYPTED_USER_PASSWORD_NEW;


//
// Boot-key source selector; the names suggest none / stored / password /
// disk variants plus a "change the password-encryption key" mode, but the
// semantics are not stated in this file.
//
typedef enum _SAMPR_BOOT_TYPE {
    SamBootKeyNone = 0,
    SamBootKeyStored,
    SamBootKeyPassword,
    SamBootKeyDisk,
    SamBootChangePasswordEncryptionKey
} SAMPR_BOOT_TYPE, *PSAMPR_BOOT_TYPE;

//
// RPC-style counted arrays. Only the pointer typedefs are declared (no value
// typedef), matching how the Samr* routines below hand them back; release
// with SamIFree_SAMPR_ULONG_ARRAY / SamIFree_SAMPR_GET_GROUPS_BUFFER.
//
typedef struct SAMPR_ULONG_ARRAY
{
    ULONG Count;
    /* [size_is] */ ULONG *Element;
} *PSAMPR_ULONG_ARRAY;

typedef struct SAMPR_GET_GROUPS_BUFFER
{
    ULONG MembershipCount;
    /* [size_is] */ PGROUP_MEMBERSHIP Groups;
} *PSAMPR_GET_GROUPS_BUFFER;

EXTERN_C_START

//
// SAM-internal entry points (SamI* / Samr* / Samp*), i.e. the server-side
// interface rather than the public samlib API; per the file header they are
// intended for system use only.
//

//
// NOTE(review): TrustedClient presumably marks an in-process trusted caller
// (LSA-style) for which SAM relaxes its access checks -- confirm against the
// implementation before relying on it.
//
NTSYSAPI
NTSTATUS
NTAPI
SamIConnect(
    _In_ PCUNICODE_STRING ServerName,
    _Out_ SAM_HANDLE *ServerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ BOOLEAN TrustedClient
    );

// Takes the handle by pointer (_Inout_), unlike the public SamCloseHandle,
// which takes it by value.
NTSYSAPI
NTSTATUS
NTAPI
SamrCloseHandle( _Inout_ SAM_HANDLE *SamHandle);

//
// The meaning of the 0x4200 Flags value and of the 0x5000 ceiling on Count
// is not stated here. Names is presumably an array of Count entries (cf. the
// _In_reads_(Count) annotation on SamrLookupNamesInDomain), and *pv is
// presumably released with SamIFreeLookupSidsInfo below -- confirm.
//
NTSYSAPI
NTSTATUS
NTAPI
SamILookupSidsByName(
    _In_ SAM_HANDLE SamHandle,
    _In_ ULONG Flags, // 0x4200
    _In_ ULONG Count, // <= 0x5000
    _In_ PCUNICODE_STRING Names,
    _Out_ PVOID* pv
    );

NTSYSAPI
VOID
NTAPI
SamIFreeVoid(_In_ PVOID ptr);

// Frees a buffer returned by SamrQueryInformationUser; the class must be the
// one it was queried with (presumably because the embedded pointers that
// need freeing depend on it).
NTSYSAPI
VOID
NTAPI
SamIFree_SAMPR_USER_INFO_BUFFER(_In_ PVOID ptr, _In_ USER_INFORMATION_CLASS UserInformationClass);

NTSYSAPI
VOID
NTAPI
SamIFree_SAMPR_ULONG_ARRAY(_In_ PSAMPR_ULONG_ARRAY ptr);

NTSYSAPI
VOID
NTAPI
SamIFree_SAMPR_GET_GROUPS_BUFFER(_In_ PSAMPR_GET_GROUPS_BUFFER Groups);

NTSYSAPI
VOID
NTAPI
SamIFreeLookupSidsInfo(_In_ PVOID ptr);

// NOTE(review): the only prototype in this block without NTSYSAPI;
// presumably an omission rather than a deliberate linkage difference --
// confirm.
NTSTATUS
NTAPI
SamrOpenDomain(
    _In_ SAM_HANDLE ServerHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ PSID DomainId,
    _Out_ SAM_HANDLE *DomainHandle);

//
// Both output arrays have Count entries: the RIDs and, per the parameter
// name, presumably the matching SID_NAME_USE values. Free each with
// SamIFree_SAMPR_ULONG_ARRAY.
//
NTSYSAPI
NTSTATUS
NTAPI
SamrLookupNamesInDomain(
    _In_ SAM_HANDLE DomainHandle,
    _In_ ULONG Count,
    _In_reads_(Count) PCUNICODE_STRING Names,
    _Out_ _Deref_post_count_(Count) PSAMPR_ULONG_ARRAY RelativeIds,
    _Out_ _Deref_post_count_(Count) PSAMPR_ULONG_ARRAY Use
    );

NTSYSAPI
NTSTATUS
NTAPI
SamrOpenUser(
    _In_ SAM_HANDLE DomainHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ ULONG UserId,
    _Out_ PSAM_HANDLE UserHandle
    );

// *Buffer is allocated by SAM; release it with
// SamIFree_SAMPR_USER_INFO_BUFFER, passing the same UserInformationClass.
NTSYSAPI
NTSTATUS
NTAPI
SamrQueryInformationUser(
    _In_ SAM_HANDLE UserHandle,
    _In_ USER_INFORMATION_CLASS UserInformationClass,
    _Outptr_ PVOID *Buffer
    );

NTSYSAPI
NTSTATUS
NTAPI
SamrGetGroupsForUser(
    _In_ SAM_HANDLE UserHandle,
    _Out_ PSAMPR_GET_GROUPS_BUFFER *Groups
    );

//
// Returns the account's stored OWF (hashed) passwords. The two output
// arrays carry no size annotation; by the field types in
// USER_INTERNAL1_INFORMATION above they presumably receive an
// LM_OWF_PASSWORD and an NT_OWF_PASSWORD respectively -- confirm the sizes
// before calling. Because the outputs are credential material, call sites
// of this routine are a natural audit point.
//
NTSYSAPI
NTSTATUS
NTAPI
SampRetrieveUserPasswords(
    _In_ SAM_HANDLE UserHandle,
    _Out_ UCHAR LmOwfPassword[],
    _Out_ PBOOLEAN LmPasswordNonNull,
    _Out_ UCHAR NtOwfPassword[],
    _Out_ PBOOLEAN NtPasswordPresent,
    _Out_ PBOOLEAN NtPasswordNonNull
    );

//
// bLocal presumably selects the local account domain. The returned block
// is, by the pairing with the declaration below, presumably freed with
// LsaIFree_LSAPR_POLICY_INFORMATION -- confirm.
//
NTSYSAPI
NTSTATUS
NTAPI
SampGetAccountDomainInfo(_In_ BOOLEAN bLocal,
    _Out_ PPOLICY_ACCOUNT_DOMAIN_INFO *PolicyAccountDomainInfo
    );

NTSYSAPI
NTSTATUS
NTAPI
LsaIFree_LSAPR_POLICY_INFORMATION(
    _In_ POLICY_INFORMATION_CLASS InformationClass,
    _In_ PVOID PolicyInformation
    );


EXTERN_C_END

#endif // _NTSAMPRIVATE_
-------------------------------------------------------------------------------- /INC/rtf.h: --------------------------------------------------------------------------------
// AMD64 unwind-data definitions (the target is evident from the
// PSCOPE_TABLE_AMD64 cast below). The UNWIND_OP_CODES values follow the x64
// unwind opcode numbering; the typedef name (UNWIND_CODE_OPS) differs from
// the tag.
typedef enum _UNWIND_OP_CODES {
    UWOP_PUSH_NONVOL = 0,
    UWOP_ALLOC_LARGE,
    UWOP_ALLOC_SMALL,
    UWOP_SET_FPREG,
    UWOP_SAVE_NONVOL,
    UWOP_SAVE_NONVOL_FAR,
    UWOP_SAVE_XMM,
    UWOP_SAVE_XMM_FAR,
    UWOP_SAVE_XMM128,
    UWOP_SAVE_XMM128_FAR,
    UWOP_PUSH_MACHFRAME
} UNWIND_CODE_OPS;

// One 16-bit unwind slot: the prolog offset the code applies to, the 4-bit
// opcode (UNWIND_CODE_OPS) and a 4-bit operand. Opcodes that need a larger
// operand use the following slot(s), read through FrameOffset.
typedef union _UNWIND_CODE {
    struct {
        BYTE CodeOffset;
        BYTE UnwindOp : 4;
        BYTE OpInfo : 4;
    };
    USHORT FrameOffset;
} UNWIND_CODE, *PUNWIND_CODE;

// Bits of UNWIND_INFO::Flags; commented out here, presumably because the
// SDK headers already define these names -- confirm.
//#define UNW_FLAG_EHANDLER  0x01
//#define UNW_FLAG_UHANDLER  0x02
//#define UNW_FLAG_CHAININFO 0x04

// Fixed header of the variable-length unwind record. UnwindCode[1] is the
// first of CountOfCodes slots; what follows them (padding to an even slot
// count, then either a handler RVA or a chained function entry, then the
// handler data) is spelled out in the comment inside and reached through
// the macros below.
typedef struct _UNWIND_INFO {
    BYTE Version : 3;
    BYTE Flags : 5;
    BYTE SizeOfProlog;
    BYTE CountOfCodes;
    BYTE FrameRegister : 4;
    BYTE FrameOffset : 4;
    UNWIND_CODE UnwindCode[1];
/*  UNWIND_CODE MoreUnwindCode[((CountOfCodes + 1) & ~1) - 1];
 *  union {
 *      OPTIONAL ULONG ExceptionHandler;
 *      OPTIONAL ULONG FunctionEntry;
 *  };
 *  OPTIONAL ULONG ExceptionData[];
 */
} UNWIND_INFO, *PUNWIND_INFO;

// Accessors. None of them checks bounds or Flags: (info) must point at a
// complete record inside a mapped image, CountOfCodes is trusted as read
// from that image, and which trailing field is present is the caller's
// responsibility to decide from Flags.
#define GetUnwindCodeEntry(info, index) ((info)->UnwindCode[index])

// Start of the data past the (even-padded) code slots.
#define GetLanguageSpecificDataPtr(info) ((PVOID)&GetUnwindCodeEntry((info),((info)->CountOfCodes + 1) & ~1))

// Meaningful only when Flags has the chain-info bit set.
#define GetChainedFunctionEntry(info) ((PRUNTIME_FUNCTION)GetLanguageSpecificDataPtr(info))

// Handler = image base + the RVA stored after the codes; (base) must be the
// load address of the image the unwind info belongs to.
#define GetExceptionHandler(base, info) ((PEXCEPTION_HANDLER)((ULONG_PTR)(base) + *(PULONG)GetLanguageSpecificDataPtr(info)))

// Handler data (the scope table) directly after the handler RVA.
// PSCOPE_TABLE_AMD64 is not defined in this file.
#define GetExceptionDataPtr(info) ((PSCOPE_TABLE_AMD64)((PULONG)GetLanguageSpecificDataPtr(info) + 1))

#define UNWIND_HISTORY_TABLE_SIZE 12

#define UNWIND_HISTORY_TABLE_NONE 0
#define UNWIND_HISTORY_TABLE_GLOBAL 1
#define UNWIND_HISTORY_TABLE_LOCAL 2

typedef struct DISPATCHER_CONTEXT *PDISPATCHER_CONTEXT;

// Language-specific handler signature (what GetExceptionHandler resolves to).
typedef EXCEPTION_DISPOSITION (*PEXCEPTION_HANDLER) (
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PVOID EstablisherFrame,
    IN OUT PCONTEXT ContextRecord,
    IN OUT PDISPATCHER_CONTEXT DispatcherContext
    );

// One scope-table entry; the DWORD width on a 64-bit target suggests the
// fields are image RVAs -- confirm. Only the pointer typedef is declared.
typedef struct SCOPE_RECORD
{
    DWORD BeginAddress;
    DWORD EndAddress;
    DWORD HandlerAddress;
    DWORD JumpTarget;
} * PSCOPE_RECORD;
-------------------------------------------------------------------------------- /INC/rtlenv.h: --------------------------------------------------------------------------------
#pragma once

_EXTERN_C_BEGIN
// Environment

// "Environment" throughout is the raw process environment block (a PVOID,
// as in RTL_USER_PROCESS_PARAMETERS::Environment), not a handle.

// CloneCurrentEnvironment: TRUE copies the caller's current environment into
// the new block; FALSE presumably yields an empty one -- confirm.
NTSYSAPI
NTSTATUS
NTAPI
RtlCreateEnvironment(
    _In_ BOOLEAN CloneCurrentEnvironment,
    _Out_ PVOID *Environment
    );

// begin_rev
#define RTL_CREATE_ENVIRONMENT_TRANSLATE 0x1 // translate from multi-byte to Unicode
#define RTL_CREATE_ENVIRONMENT_TRANSLATE_FROM_OEM 0x2 // translate from OEM to Unicode (Translate flag must also be set)
#define RTL_CREATE_ENVIRONMENT_EMPTY 0x4 // create empty environment block
// end_rev

#if (_WIN32_WINNT >= _WIN32_WINNT_VISTA)
// private
// Flags: RTL_CREATE_ENVIRONMENT_* above.
NTSYSAPI
NTSTATUS
NTAPI
RtlCreateEnvironmentEx(
    _In_ PVOID SourceEnv,
    _Out_ PVOID *Environment,
    _In_ ULONG Flags
    );
#endif

NTSYSAPI
NTSTATUS
NTAPI
RtlDestroyEnvironment(
    _In_ PVOID Environment
    );

// Installs Environment as the process's current block. The previous block
// is handed back through PreviousEnvironment when requested; who owns it
// afterwards is not stated here.
NTSYSAPI
NTSTATUS
NTAPI
RtlSetCurrentEnvironment(
    _In_ PVOID Environment,
    _Out_opt_ PVOID *PreviousEnvironment
    );

#if (_WIN32_WINNT >= _WIN32_WINNT_VISTA)
// private
// Counted-string form: Name and Value are given with explicit element
// counts (per the _In_reads_ annotations). Environment is a PWSTR* here,
// presumably because the block may be reallocated, unlike the PVOID* taken
// by RtlSetEnvironmentVariable.
NTSYSAPI
NTSTATUS
NTAPI
RtlSetEnvironmentVar(
    _In_opt_ PWSTR *Environment,
    _In_reads_(NameLength) PCWSTR Name,
    _In_ SIZE_T NameLength,
    _In_reads_(ValueLength) PCWSTR Value,
    _In_ SIZE_T ValueLength
    );
#endif

// UNICODE_STRING form. From the _opt_ annotations: Environment == NULL
// presumably means the current process environment and Value == NULL
// presumably removes the variable -- confirm.
NTSYSAPI
NTSTATUS
NTAPI
RtlSetEnvironmentVariable(
    _In_opt_ PVOID *Environment,
    _In_ PCUNICODE_STRING Name,
    _In_opt_ PCUNICODE_STRING Value
    );

// NOTE(review): this guard uses PHNT_VERSION / PHNT_VISTA while every other
// guard in this header uses _WIN32_WINNT / _WIN32_WINNT_VISTA. Undefined
// macros evaluate to 0 in #if, so when PHNT_VERSION is not defined the block
// is included unconditionally rather than version-gated.
#if (PHNT_VERSION >= PHNT_VISTA)
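// private
// Counted-string query: Value receives up to ValueLength elements and
// *ReturnLength reports the length needed (per the annotations; the exact
// NUL-termination contract is not stated here).
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryEnvironmentVariable(
    _In_opt_ PVOID Environment,
    _In_reads_(NameLength) PCWSTR Name,
    _In_ SIZE_T NameLength,
    _Out_writes_(ValueLength) PWSTR Value,
    _In_ SIZE_T ValueLength,
    _Out_ PSIZE_T ReturnLength
    );
#endif

// UNICODE_STRING form; Value is passed by pointer rather than allocated, so
// the caller presumably supplies Buffer/MaximumLength and gets Length back.
NTSYSAPI
NTSTATUS
NTAPI
RtlQueryEnvironmentVariable_U(
    _In_opt_ PVOID Environment,
    _In_ PCUNICODE_STRING Name,
    _Out_ PUNICODE_STRING Value
    );

#if (_WIN32_WINNT >= _WIN32_WINNT_VISTA)
// private
// Expands %VAR% references in Src into Dst using Environment (NULL
// presumably meaning the current process block); *ReturnLength, if
// requested, is the size needed.
NTSYSAPI
NTSTATUS
NTAPI
RtlExpandEnvironmentStrings(
    _In_opt_ PVOID Environment,
    _In_reads_(SrcLength) PCWSTR Src,
    _In_ SIZE_T SrcLength,
    _Out_writes_(DstLength) PWSTR Dst,
    _In_ SIZE_T DstLength,
    _Out_opt_ PSIZE_T ReturnLength
    );
#endif

NTSYSAPI
NTSTATUS
NTAPI
RtlExpandEnvironmentStrings_U(
    _In_opt_ PVOID Environment,
    _In_ PCUNICODE_STRING Source,
    _Out_ PUNICODE_STRING Destination,
    _Out_opt_ PULONG ReturnedLength
    );

// Replaces the current environment with a caller-built block of
// NewEnvironmentSize (units -- bytes vs. characters -- not stated here;
// confirm).
NTSYSAPI
NTSTATUS
NTAPI
RtlSetEnvironmentStrings(
    _In_ PWCHAR NewEnvironment,
    _In_ SIZE_T NewEnvironmentSize
    );

_EXTERN_C_END
-------------------------------------------------------------------------------- /INC/rtlframe.h: --------------------------------------------------------------------------------
#pragma once

// Scope-bound TEB active frame: the constructor pushes this object onto the
// calling thread's frame list (RtlPushFrame) and the destructor pops it
// (RtlPopFrame). Context identifies the frame *type*; get() finds the
// innermost frame of a given type on the current thread.
struct _RTL_FRAME : TEB_ACTIVE_FRAME
{
    _RTL_FRAME(const TEB_ACTIVE_FRAME_CONTEXT* ctx)
    {
        Context = ctx;
        Flags = 0;
        RtlPushFrame(this);
    }

    ~_RTL_FRAME()
    {
        RtlPopFrame(this);
    }

    // Walk the current thread's frame list from RtlGetFrame() along the
    // Previous links and return the first frame whose Context equals ctx
    // (pointer identity), or 0 if no such frame is active.
    static TEB_ACTIVE_FRAME* get(const TEB_ACTIVE_FRAME_CONTEXT* ctx)
    {
        for (TEB_ACTIVE_FRAME* prf = RtlGetFrame(); prf; prf = prf->Previous)
        {
            if (prf->Context == ctx) return prf;
        }

        return 0;
    }
};

// Typed frame: a scope-bound _RTL_FRAME that also carries a C payload, so
// that code deeper in the call chain on the same thread can retrieve the
// innermost active payload with RTL_FRAME<C>::get().
// NOTE(review): the template-parameter list was lost in extraction; "C" is
// the name the body already uses for the payload base.
template <class C> struct RTL_FRAME : public _RTL_FRAME, public C
{
    // One TEB_ACTIVE_FRAME_CONTEXT per instantiation; its address is the
    // frame-type key that _RTL_FRAME::get compares. __FUNCDNAME__ (the
    // decorated name of this getContext()) is unique per C and lands in
    // TEB_ACTIVE_FRAME_CONTEXT::FrameName.
    static const TEB_ACTIVE_FRAME_CONTEXT* getContext()
    {
        static const TEB_ACTIVE_FRAME_CONTEXT s = { 0, __FUNCDNAME__ };
        return &s;
    }

    RTL_FRAME() : _RTL_FRAME(getContext())
    {
    }

    // Innermost RTL_FRAME<C> active on the calling thread, as its C payload,
    // or 0 if none. The cast target has to be RTL_FRAME, the class that is
    // actually derived from TEB_ACTIVE_FRAME: C is a sibling base, so a
    // static_cast straight from TEB_ACTIVE_FRAME* to C* is ill-formed. The
    // RTL_FRAME* then converts to C* implicitly.
    static C* get()
    {
        return static_cast<RTL_FRAME*>(_RTL_FRAME::get(getContext()));
    }
};

-------------------------------------------------------------------------------- /INC/rundown.h: --------------------------------------------------------------------------------
#pragma once

#include "mini_yvals.h"

// Reference-counted run-down protection on a single LONG.
// Encoding of _Value: bit 31 set == "open" (v_init); bits 0..30 == number of
// outstanding Acquire() references. Once bit 31 is cleared (Rundown_l) no
// further Acquire() succeeds, and the value reaching v_complete (0) means
// the last holder has released.
class RundownProtection
{
    LONG _Value;

public:

    enum {
        v_complete = 0, v_init = 0x80000000
    };

    // TRUE once the "open" bit has been cleared. Plain (non-interlocked)
    // read, so only a hint: it may race with a concurrent Rundown_l.
    _NODISCARD BOOL IsRundownBegin()
    {
        return 0 <= _Value;
    }

    // Take a reference if run-down has not begun. CAS loop that bumps the
    // count while bit 31 is still set; returns FALSE as soon as _Value is
    // observed non-negative.
    _NODISCARD BOOL Acquire()
    {
        LONG Value, NewValue;

        if (0 > (Value = _Value))
        {
            do
            {
                NewValue = InterlockedCompareExchangeNoFence(&_Value, Value + 1, Value);

                if (NewValue == Value) return TRUE;

            } while (0 > (Value = NewValue));
        }

        return FALSE;
    }

    // Drop a reference. TRUE only when this was the last reference *and*
    // run-down has begun (the decrement can only reach v_complete once
    // bit 31 is clear).
    _NODISCARD BOOL Release()
    {
        return InterlockedDecrement(&_Value) == v_complete;
    }

    // Clear the "open" bit so that further Acquire() calls fail. The caller
    // must hold a reference while doing so:
    // if (Acquire()) { Rundown_l(); Release(); }
    void Rundown_l()
    {
        InterlockedBitTestAndReset(&_Value, 31);
    }

    // Starts fully run down (v_complete) unless told otherwise; see Init().
    RundownProtection(LONG Value = v_complete) : _Value(Value)
    {
    }

    // Re-open a fully run-down object (v_complete -> v_init). FALSE if the
    // object was not in the v_complete state.
    BOOL Init()
    {
        return InterlockedCompareExchange(&_Value, v_init, v_complete) == v_complete;
    }
};

// RundownProtection with a completion callback. Abstract: derive and
// implement RundownCompleted(), which runs on whichever thread drops the
// last reference after BeginRundown(). __declspec(novtable) means this
// class's constructor does not set up the vtable, so nothing here may call
// RundownCompleted() during construction.
class __declspec(novtable) RUNDOWN_REF : public RundownProtection
{
protected:

    virtual void RundownCompleted() = 0;

public:

    // Begin run-down: take a reference, clear the open bit, release. If no
    // other reference is outstanding, RundownCompleted() fires right here.
    void BeginRundown()
    {
        if (Acquire())
        {
            Rundown_l();
            Release();
        }
    }

    // Hides RundownProtection::Release (non-virtual): same decrement, plus
    // the completion callback when the count reaches v_complete.
    void Release()
    {
        if (RundownProtection::Release())
        {
            RundownCompleted();
        }
    }

    // Starts "open" (v_init) by default, unlike the base, which starts at
    // v_complete.
    RUNDOWN_REF(LONG Value = RundownProtection::v_init) : RundownProtection(Value) {}
};

// */*/ bool _Ref_count_base::_Incref_nz()
// increment (*pLock) if not zero, return true if successful
// Same CAS-loop shape as RundownProtection::Acquire, but the guard is
// "non-zero" rather than "negative": for counters where 0 means the object
// is already gone.
inline _NODISCARD BOOL ObpLock(PLONG pLock)
{
    LONG Value, NewValue;

    if (Value = *pLock)
    {
        do
        {
            NewValue = InterlockedCompareExchangeNoFence(pLock, Value + 1, Value);

            if (NewValue == Value) return TRUE;

        } while (Value = NewValue);
    }

    return FALSE;
}

-------------------------------------------------------------------------------- /INC/rundownT.h: --------------------------------------------------------------------------------
#pragma once

#include "mini_yvals.h"

// Same encoding as RundownProtection::_Value in rundown.h: bit 31 set ==
// "open", low bits == outstanding references.
enum RundownState {
    v_complete = 0, v_init = 0x80000000
};

// CRTP variant of RundownProtection (rundown.h) that avoids the virtual
// call: T must derive from RundownProtection_NC<T, V> and provide
// RundownCompleted(). V is the initial counter value.
// NOTE(review): the template-parameter list was lost in extraction. Only V
// is evidenced by the body (LONG _Value = V); "T" and the v_init default are
// constructed reconstructions -- restore the real names/defaults from the
// repository.
template <class T, LONG V = v_init>
class RundownProtection_NC
{
protected:
    LONG _Value = V;

public:

    // TRUE once the "open" bit has been cleared; plain read, hint only.
    _NODISCARD BOOL IsRundownBegin()
    {
        return 0 <= _Value;
    }

    // Take a reference while bit 31 is still set (see RundownProtection::Acquire).
    _NODISCARD BOOL AcquireRP()
    {
        LONG Value, NewValue;

        if (0 > (Value = _Value))
        {
            do
            {
                NewValue = InterlockedCompareExchangeNoFence(&_Value, Value + 1, Value);

                if (NewValue == Value) return TRUE;

            } while (0 > (Value = NewValue));
        }

        return FALSE;
    }

    // Drop a reference; when the count reaches v_complete, invoke the derived
    // class's RundownCompleted() through the CRTP downcast.
    void ReleaseRP()
    {
        if (InterlockedDecrement(&_Value) == v_complete)
        {
            static_cast<T*>(this)->RundownCompleted();
        }
    }

    // Clear the "open" bit; caller must hold a reference (see Rundown()).
    // Uses the NoFence form, whereas rundown.h uses the fenced one.
    void Rundown_l()
    {
        InterlockedBitTestAndResetNoFence(&_Value, 31);
    }

    // Begin run-down: acquire, clear the open bit, release (which may
    // complete the run-down immediately).
    void Rundown()
    {
        if (AcquireRP())
        {
            Rundown_l();
            ReleaseRP();
        }
    }

    // Plain store, not the CAS that RundownProtection::Init uses: only safe
    // before the object is shared with other threads.
    void Init()
    {
        _Value = v_init;
    }
};

-------------------------------------------------------------------------------- /INC/stdafx.h: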
-------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef __cplusplus 4 | # error requires C++ 5 | #endif 6 | 7 | #define DECLSPEC_DEPRECATED_DDK 8 | 9 | #define _CRT_SECURE_NO_DEPRECATE 10 | #define _CRT_NON_CONFORMING_SWPRINTFS 11 | #define _NO_CRT_STDIO_INLINE 12 | #define _CRT_SECURE_CPP_OVERLOAD_SECURE_NAMES 0 13 | 14 | #define _NT_BEGIN namespace NT { 15 | #define _NT_END } 16 | 17 | #pragma warning(disable : 4073 4074 4075 4097 4514 4005 4200 4201 4238 4307 4324 4480 4530 4706 5040) 18 | 19 | _NT_BEGIN 20 | 21 | struct _SECURITY_QUALITY_OF_SERVICE; 22 | struct _CONTEXT; 23 | 24 | _NT_END 25 | 26 | #include 27 | //#include 28 | #include 29 | #include 30 | 31 | 32 | #define RtlInitializeCorrelationVector _RtlInitializeCorrelationVector_ 33 | #define RtlIncrementCorrelationVector _RtlIncrementCorrelationVector_ 34 | #define RtlExtendCorrelationVector _RtlExtendCorrelationVector_ 35 | #define RtlValidateCorrelationVector _RtlValidateCorrelationVector_ 36 | #define RtlRaiseCustomSystemEventTrigger _RtlRaiseCustomSystemEventTrigger_ 37 | #define RtlCaptureContext _RtlCaptureContext_ 38 | #define RtlGetNonVolatileToken _RtlGetNonVolatileToken_ 39 | #define RtlFreeNonVolatileToken _RtlFreeNonVolatileToken_ 40 | #define RtlFlushNonVolatileMemory _RtlFlushNonVolatileMemory_ 41 | #define RtlDrainNonVolatileFlush _RtlDrainNonVolatileFlush_ 42 | #define RtlWriteNonVolatileMemory _RtlWriteNonVolatileMemory_ 43 | #define RtlFillNonVolatileMemory _RtlFillNonVolatileMemory_ 44 | #define RtlFlushNonVolatileMemoryRanges _RtlFlushNonVolatileMemoryRanges_ 45 | #define RtlCaptureContext2 _RtlCaptureContext2_ 46 | #define RtlGetSystemGlobalData _RtlGetSystemGlobalData_ 47 | #define RtlSetSystemGlobalData _RtlSetSystemGlobalData_ 48 | 49 | #define _INC_MMSYSTEM /* Prevent inclusion of mmsystem.h in windows.h */ 50 | 51 | #include 52 | #include 53 | 54 | #undef RtlInitializeCorrelationVector 55 | #undef 
RtlIncrementCorrelationVector 56 | #undef RtlExtendCorrelationVector 57 | #undef RtlValidateCorrelationVector 58 | #undef RtlRaiseCustomSystemEventTrigger 59 | #undef RtlCaptureContext 60 | #undef RtlGetNonVolatileToken 61 | #undef RtlFreeNonVolatileToken 62 | #undef RtlFlushNonVolatileMemory 63 | #undef RtlDrainNonVolatileFlush 64 | #undef RtlWriteNonVolatileMemory 65 | #undef RtlFillNonVolatileMemory 66 | #undef RtlFlushNonVolatileMemoryRanges 67 | #undef RtlCaptureContext2 68 | #undef RtlGetSystemGlobalData 69 | #undef RtlSetSystemGlobalData 70 | 71 | #ifdef SECURITY_WIN32 72 | #define InitSecurityInterfaceW _InitSecurityInterfaceW_ 73 | #include 74 | #undef InitSecurityInterfaceW 75 | #endif // SECURITY_WIN32 76 | 77 | #undef _INC_MMSYSTEM 78 | 79 | _NT_BEGIN 80 | 81 | #define RtlCompareMemory ::RtlCompareMemory 82 | 83 | #ifdef _RTL_RUN_ONCE_DEF 84 | #undef _RTL_RUN_ONCE_DEF 85 | #endif 86 | 87 | typedef 88 | VOID 89 | NTAPI 90 | KNORMAL_ROUTINE ( 91 | __in_opt PVOID NormalContext, 92 | __in_opt PVOID SystemArgument1, 93 | __in_opt PVOID SystemArgument2 94 | ); 95 | typedef KNORMAL_ROUTINE *PKNORMAL_ROUTINE; 96 | 97 | typedef 98 | VOID 99 | NTAPI 100 | KKERNEL_ROUTINE ( 101 | __in struct _KAPC *Apc, 102 | __deref_inout_opt PKNORMAL_ROUTINE *NormalRoutine, 103 | __deref_inout_opt PVOID *NormalContext, 104 | __deref_inout_opt PVOID *SystemArgument1, 105 | __deref_inout_opt PVOID *SystemArgument2 106 | ); 107 | typedef KKERNEL_ROUTINE *PKKERNEL_ROUTINE; 108 | 109 | typedef 110 | VOID 111 | NTAPI 112 | KRUNDOWN_ROUTINE ( 113 | __in struct _KAPC *Apc 114 | ); 115 | typedef KRUNDOWN_ROUTINE *PKRUNDOWN_ROUTINE; 116 | 117 | #ifdef NOWINBASEINTERLOCK 118 | 119 | #if !defined(_X86_) 120 | 121 | #define InterlockedPopEntrySList(Head) ExpInterlockedPopEntrySList(Head) 122 | 123 | #define InterlockedPushEntrySList(Head, Entry) ExpInterlockedPushEntrySList(Head, Entry) 124 | 125 | #define InterlockedFlushSList(Head) ExpInterlockedFlushSList(Head) 126 | 127 | #else // 
!defined(_X86_) 128 | 129 | EXTERN_C_START 130 | 131 | __declspec(dllimport) 132 | PSLIST_ENTRY 133 | __fastcall 134 | InterlockedPopEntrySList (PSLIST_HEADER ListHead); 135 | 136 | __declspec(dllimport) 137 | PSLIST_ENTRY 138 | __fastcall 139 | InterlockedPushEntrySList (PSLIST_HEADER ListHead,PSLIST_ENTRY ListEntry); 140 | 141 | EXTERN_C_END 142 | 143 | #define InterlockedFlushSList(Head) \ 144 | ExInterlockedFlushSList(Head) 145 | 146 | #endif // !defined(_X86_) 147 | 148 | #endif//NOWINBASEINTERLOCK 149 | 150 | #define RtlOsDeploymentState _RtlOsDeploymentState_ 151 | #define CUSTOM_SYSTEM_EVENT_TRIGGER_INIT _CUSTOM_SYSTEM_EVENT_TRIGGER_INIT_ 152 | 153 | #include 154 | 155 | #undef RtlOsDeploymentState 156 | #undef CUSTOM_SYSTEM_EVENT_TRIGGER_INIT 157 | 158 | #include "ntpebteb.h" 159 | #include "sysinfo.h" 160 | #include "sys api.h" 161 | #include "misc.h" 162 | 163 | _NT_END 164 | 165 | #pragma warning(disable : 4312 4838) 166 | //#pragma warning(disable : 4312 4838 4456 4457 4458 4459) 167 | 168 | //warning C4312: 'type cast': conversion from '' to '' of greater size 169 | //warning C4838: conversion from 'unsigned long' to 'LONG' requires a narrowing conversion 170 | //warning C4456: declaration of '' hides previous local declaration 171 | //warning C4457: declaration of '' hides function parameter 172 | //warning C4458: declaration of '' hides class member 173 | //warning C4459: declaration of '' hides global declaration 174 | 175 | #define ZwSetValueKey(KeyHandle,ValueName,TitleIndex,Type,Data,DataSize) \ 176 | ZwSetValueKey(KeyHandle,const_cast(ValueName),TitleIndex,Type,Data,DataSize) 177 | 178 | #define ZwQueryValueKey(KeyHandle,ValueName,KeyValueInformationClass,KeyValueInformation,Length,ResultLength) \ 179 | ZwQueryValueKey(KeyHandle,const_cast(ValueName),KeyValueInformationClass,KeyValueInformation,Length,ResultLength) 180 | 181 | #define ZwDeleteValueKey(KeyHandle,ValueName) ZwDeleteValueKey(KeyHandle,const_cast(ValueName)) 182 | 183 | enum 
__MEMORY_INFORMATION_CLASS { 184 | MemoryBasicInformation, 185 | MemoryWorkingSetInformation, 186 | MemoryMappedFilenameInformation, 187 | MemoryRegionInformation, 188 | MemoryWorkingSetExInformation 189 | }; 190 | 191 | #define MemoryWorkingSetInformation ((MEMORY_INFORMATION_CLASS)MemoryWorkingSetInformation) 192 | #define MemoryMappedFilenameInformation ((MEMORY_INFORMATION_CLASS)MemoryMappedFilenameInformation) 193 | #define MemoryRegionInformation ((MEMORY_INFORMATION_CLASS)MemoryRegionInformation) 194 | #define MemoryWorkingSetExInformation ((MEMORY_INFORMATION_CLASS)MemoryWorkingSetExInformation) 195 | 196 | enum __OBJECT_INFORMATION_CLASS { 197 | ObjectBasicInformation, 198 | ObjectNameInformation, 199 | ObjectTypeInformation, 200 | ObjectTypesInformation, 201 | ObjectAllTypeInformation = ObjectTypesInformation, 202 | ObjectHandleInformation 203 | }; 204 | 205 | #define ObjectNameInformation ((OBJECT_INFORMATION_CLASS)ObjectNameInformation) 206 | #define ObjectTypesInformation ((OBJECT_INFORMATION_CLASS)ObjectTypesInformation) 207 | #define ObjectAllTypeInformation ((OBJECT_INFORMATION_CLASS)ObjectAllTypeInformation) 208 | #define ObjectHandleInformation ((OBJECT_INFORMATION_CLASS)ObjectHandleInformation) 209 | 210 | #define swprintf _swprintf 211 | #define vswprintf _vswprintf 212 | #define _swprintf_l __swprintf_l 213 | #define _vswprintf_l __vswprintf_l 214 | -------------------------------------------------------------------------------- /INC/wmium.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) 1995 Microsoft Corporation 4 | 5 | Module Name: 6 | 7 | Wmium.h 8 | 9 | Abstract: 10 | 11 | Public headers for WMI data consumers and providers 12 | 13 | Author: 14 | 15 | 16-Jan-1997 AlanWar 16 | 17 | Revision History: 18 | 19 | --*/ 20 | 21 | #ifndef _WMIUM_ 22 | #define _WMIUM_ 23 | 24 | #ifndef MIDL_PASS 25 | #ifdef _WMI_SOURCE_ 26 | #define WMIAPI __stdcall 27 | #else 28 | #define WMIAPI 
DECLSPEC_IMPORT __stdcall 29 | #endif 30 | #endif 31 | 32 | #include 33 | 34 | #include 35 | #include 36 | 37 | typedef PVOID WMIHANDLE, *PWMIHANDLE, MOFHANDLE, *PMOFHANDLE; 38 | 39 | 40 | // 41 | // When set the guid can be opened and accessed 42 | #define MOFCI_RESERVED0 0x00000001 43 | 44 | #define MOFCI_RESERVED1 0x00000002 45 | #define MOFCI_RESERVED2 0x00000004 46 | 47 | typedef struct 48 | { 49 | #ifdef MIDL_PASS 50 | [string] PDFTCHAR 51 | #else 52 | LPWSTR 53 | #endif 54 | ImagePath; // Path to image containing MOF resource 55 | #ifdef MIDL_PASS 56 | [string] PDFTCHAR 57 | #else 58 | LPWSTR 59 | #endif 60 | ResourceName; // Name of resource in image 61 | ULONG ResourceSize; // Number of bytes in resource 62 | #ifdef MIDL_PASS 63 | [size_is(0)] PDFBYTE 64 | #else 65 | PUCHAR 66 | #endif 67 | ResourceBuffer; // Reserved 68 | } MOFRESOURCEINFOW, *PMOFRESOURCEINFOW; 69 | 70 | 71 | typedef struct 72 | { 73 | LPSTR 74 | ImagePath; // Path to image containing MOF resource 75 | LPSTR 76 | ResourceName; // Name of resource in image 77 | ULONG ResourceSize; // Number of bytes in resource 78 | UCHAR 79 | *ResourceBuffer; // Reserved 80 | } MOFRESOURCEINFOA, *PMOFRESOURCEINFOA; 81 | 82 | #ifdef UNICODE 83 | typedef MOFRESOURCEINFOW MOFRESOURCEINFO; 84 | typedef PMOFRESOURCEINFOW PMOFRESOURCEINFO; 85 | #else 86 | typedef MOFRESOURCEINFOA MOFRESOURCEINFO; 87 | typedef PMOFRESOURCEINFOA PMOFRESOURCEINFO; 88 | #endif 89 | 90 | #ifdef __cplusplus 91 | extern "C" { 92 | #endif 93 | 94 | // 95 | // Data consumer apis 96 | ULONG 97 | WMIAPI 98 | WmiOpenBlock( 99 | IN GUID *Guid, 100 | IN ULONG DesiredAccess, 101 | OUT WMIHANDLE *DataBlockHandle 102 | ); 103 | 104 | ULONG 105 | WMIAPI 106 | WmiCloseBlock( 107 | IN WMIHANDLE DataBlockHandle 108 | ); 109 | 110 | ULONG 111 | WMIAPI 112 | WmiQueryAllDataA( 113 | IN WMIHANDLE DataBlockHandle, 114 | IN OUT ULONG *BufferSize, 115 | OUT PVOID Buffer 116 | ); 117 | 118 | 119 | ULONG 120 | WMIAPI 121 | WmiQueryAllDataW( 122 | IN 
WMIHANDLE DataBlockHandle, 123 | IN OUT ULONG *BufferSize, 124 | OUT PVOID Buffer 125 | ); 126 | 127 | #ifdef UNICODE 128 | #define WmiQueryAllData WmiQueryAllDataW 129 | #else 130 | #define WmiQueryAllData WmiQueryAllDataA 131 | #endif 132 | 133 | ULONG 134 | WMIAPI 135 | WmiQuerySingleInstanceA( 136 | IN WMIHANDLE DataBlockHandle, 137 | IN LPCSTR InstanceName, 138 | IN OUT ULONG *BufferSize, 139 | OUT PVOID Buffer 140 | ); 141 | 142 | ULONG 143 | WMIAPI 144 | WmiQuerySingleInstanceW( 145 | IN WMIHANDLE DataBlockHandle, 146 | IN LPCWSTR InstanceName, 147 | IN OUT ULONG *BufferSize, 148 | OUT PVOID Buffer 149 | ); 150 | #ifdef UNICODE 151 | #define WmiQuerySingleInstance WmiQuerySingleInstanceW 152 | #else 153 | #define WmiQuerySingleInstance WmiQuerySingleInstanceA 154 | #endif 155 | 156 | ULONG 157 | WMIAPI 158 | WmiSetSingleInstanceA( 159 | IN WMIHANDLE DataBlockHandle, 160 | IN LPCSTR InstanceName, 161 | IN ULONG Reserved, 162 | IN ULONG ValueBufferSize, 163 | IN PVOID ValueBuffer 164 | ); 165 | 166 | ULONG 167 | WMIAPI 168 | WmiSetSingleInstanceW( 169 | IN WMIHANDLE DataBlockHandle, 170 | IN LPCWSTR InstanceName, 171 | IN ULONG Reserved, 172 | IN ULONG ValueBufferSize, 173 | IN PVOID ValueBuffer 174 | ); 175 | #ifdef UNICODE 176 | #define WmiSetSingleInstance WmiSetSingleInstanceW 177 | #else 178 | #define WmiSetSingleInstance WmiSetSingleInstanceA 179 | #endif 180 | 181 | ULONG 182 | WMIAPI 183 | WmiSetSingleItemA( 184 | IN WMIHANDLE DataBlockHandle, 185 | IN LPCSTR InstanceName, 186 | IN ULONG DataItemId, 187 | IN ULONG Reserved, 188 | IN ULONG ValueBufferSize, 189 | IN PVOID ValueBuffer 190 | ); 191 | 192 | ULONG 193 | WMIAPI 194 | WmiSetSingleItemW( 195 | IN WMIHANDLE DataBlockHandle, 196 | IN LPCWSTR InstanceName, 197 | IN ULONG DataItemId, 198 | IN ULONG Reserved, 199 | IN ULONG ValueBufferSize, 200 | IN PVOID ValueBuffer 201 | ); 202 | #ifdef UNICODE 203 | #define WmiSetSingleItem WmiSetSingleItemW 204 | #else 205 | #define WmiSetSingleItem 
WmiSetSingleItemA 206 | #endif 207 | 208 | ULONG 209 | WMIAPI 210 | WmiExecuteMethodA( 211 | IN WMIHANDLE MethodDataBlockHandle, 212 | IN LPCSTR MethodInstanceName, 213 | IN ULONG MethodId, 214 | IN ULONG InputValueBufferSize, 215 | IN PVOID InputValueBuffer, 216 | IN OUT ULONG *OutputBufferSize, 217 | OUT PVOID OutputBuffer 218 | ); 219 | 220 | ULONG 221 | WMIAPI 222 | WmiExecuteMethodW( 223 | IN WMIHANDLE MethodDataBlockHandle, 224 | IN LPCWSTR MethodInstanceName, 225 | IN ULONG MethodId, 226 | IN ULONG InputValueBufferSize, 227 | IN PVOID InputValueBuffer, 228 | IN OUT ULONG *OutputBufferSize, 229 | OUT PVOID OutputBuffer 230 | ); 231 | 232 | #ifdef UNICODE 233 | #define WmiExecuteMethod WmiExecuteMethodW 234 | #else 235 | #define WmiExecuteMethod WmiExecuteMethodA 236 | #endif 237 | 238 | // Set this Flag when calling NotficationRegistration to enable or 239 | // disable a trace logging guid 240 | #define NOTIFICATION_TRACE_FLAG 0x00010000 241 | 242 | // Set this flag when enabling a notification that should be delivered via 243 | // a direct callback. Any notifications received will be given their own 244 | // thread and the callback function called immediately. 
245 | #define NOTIFICATION_CALLBACK_DIRECT 0x00000004 246 | 247 | // 248 | // Set this flag (and only this flag) when you want to only check if the 249 | // caller has permission to receive events for the guid 250 | // 251 | #define NOTIFICATION_CHECK_ACCESS 0x00000008 252 | 253 | // 254 | // Event notification callback function prototype 255 | typedef void ( 256 | #ifndef MIDL_PASS 257 | WINAPI 258 | #endif 259 | *NOTIFICATIONCALLBACK)( 260 | PWNODE_HEADER Wnode, 261 | UINT_PTR NotificationContext 262 | ); 263 | 264 | #ifndef MIDL_PASS 265 | // 266 | // This guid is for notifications of changes to registration 267 | // {B48D49A1-E777-11d0-A50C-00A0C9062910} 268 | DEFINE_GUID(GUID_REGISTRATION_CHANGE_NOTIFICATION, 269 | 0xb48d49a1, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10); 270 | 271 | // 272 | // This guid id for notifications of new mof resources being added 273 | // {B48D49A2-E777-11d0-A50C-00A0C9062910} 274 | DEFINE_GUID(GUID_MOF_RESOURCE_ADDED_NOTIFICATION, 275 | 0xb48d49a2, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10); 276 | 277 | // 278 | // This guid id for notifications of new mof resources being added 279 | // {B48D49A3-E777-11d0-A50C-00A0C9062910} 280 | DEFINE_GUID(GUID_MOF_RESOURCE_REMOVED_NOTIFICATION, 281 | 0xb48d49a3, 0xe777, 0x11d0, 0xa5, 0xc, 0x0, 0xa0, 0xc9, 0x6, 0x29, 0x10); 282 | #endif 283 | 284 | ULONG 285 | WMIAPI 286 | WmiNotificationRegistrationA( 287 | IN LPGUID Guid, 288 | IN BOOLEAN Enable, 289 | IN NOTIFICATIONCALLBACK DeliveryInfo, 290 | IN ULONG_PTR DeliveryContext, 291 | IN ULONG Flags 292 | ); 293 | 294 | ULONG 295 | WMIAPI 296 | WmiNotificationRegistrationW( 297 | IN LPCGUID Guid, 298 | IN BOOLEAN Enable, 299 | IN NOTIFICATIONCALLBACK DeliveryInfo, 300 | IN ULONG_PTR DeliveryContext, 301 | IN ULONG Flags 302 | ); 303 | #ifdef UNICODE 304 | #define WmiNotificationRegistration WmiNotificationRegistrationW 305 | #else 306 | #define WmiNotificationRegistration WmiNotificationRegistrationA 307 | #endif 
308 | 309 | void 310 | WMIAPI 311 | WmiFreeBuffer( 312 | IN PVOID Buffer 313 | ); 314 | 315 | 316 | ULONG 317 | WMIAPI 318 | WmiEnumerateGuids( 319 | OUT LPGUID GuidList, 320 | IN OUT ULONG *GuidCount 321 | ); 322 | 323 | ULONG 324 | WMIAPI 325 | WmiMofEnumerateResourcesW( 326 | IN MOFHANDLE MofResourceHandle, 327 | OUT ULONG *MofResourceCount, 328 | OUT PMOFRESOURCEINFOW *MofResourceInfo 329 | ); 330 | 331 | ULONG 332 | WMIAPI 333 | WmiMofEnumerateResourcesA( 334 | IN MOFHANDLE MofResourceHandle, 335 | OUT ULONG *MofResourceCount, 336 | OUT PMOFRESOURCEINFOA *MofResourceInfo 337 | ); 338 | #ifdef UNICODE 339 | #define WmiMofEnumerateResources WmiMofEnumerateResourcesW 340 | #else 341 | #define WmiMofEnumerateResources WmiMofEnumerateResourcesA 342 | #endif 343 | 344 | ULONG 345 | WMIAPI 346 | WmiFileHandleToInstanceNameA( 347 | IN WMIHANDLE DataBlockHandle, 348 | IN HANDLE FileHandle, 349 | IN OUT ULONG *NumberCharacters, 350 | OUT CHAR *InstanceNames 351 | ); 352 | 353 | ULONG 354 | WMIAPI 355 | WmiFileHandleToInstanceNameW( 356 | IN WMIHANDLE DataBlockHandle, 357 | IN HANDLE FileHandle, 358 | IN OUT ULONG *NumberCharacters, 359 | OUT WCHAR *InstanceNames 360 | ); 361 | #ifdef UNICODE 362 | #define WmiFileHandleToInstanceName WmiFileHandleToInstanceNameW 363 | #else 364 | #define WmiFileHandleToInstanceName WmiFileHandleToInstanceNameA 365 | #endif 366 | 367 | #define WmiInsertTimestamp(WnodeHeader) GetSystemTimeAsFileTime((FILETIME *)&((PWNODE_HEADER)WnodeHeader)->TimeStamp) 368 | 369 | ULONG 370 | WMIAPI 371 | WmiDevInstToInstanceNameA( 372 | OUT CHAR *InstanceName, 373 | IN ULONG InstanceNameLength, 374 | IN CHAR *DevInst, 375 | IN ULONG InstanceIndex 376 | ); 377 | 378 | ULONG 379 | WMIAPI 380 | WmiDevInstToInstanceNameW( 381 | OUT WCHAR *InstanceName, 382 | IN ULONG InstanceNameLength, 383 | IN WCHAR *DevInst, 384 | IN ULONG InstanceIndex 385 | ); 386 | #ifdef UNICODE 387 | #define WmiDevInstToInstanceName WmiDevInstToInstanceNameW 388 | #else 389 | #define 
WmiDevInstToInstanceName WmiDevInstToInstanceNameA 390 | #endif 391 | 392 | typedef struct _WMIGUIDINFORMATION 393 | { 394 | ULONG Size; 395 | BOOLEAN IsExpensive; 396 | BOOLEAN IsEventOnly; 397 | } WMIGUIDINFORMATION, *PWMIGUIDINFORMATION; 398 | 399 | 400 | ULONG 401 | WMIAPI 402 | WmiQueryGuidInformation( 403 | IN WMIHANDLE GuidHandle, 404 | OUT PWMIGUIDINFORMATION GuidInfo 405 | ); 406 | 407 | #ifdef __cplusplus 408 | } 409 | #endif 410 | 411 | #endif // _WMIUM_ -------------------------------------------------------------------------------- /INC/x86plat.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #pragma pack(push,1) 4 | 5 | typedef struct SEGMENT_ENTRY 6 | { 7 | unsigned Limit0 : 16; 8 | unsigned Base0 : 16; 9 | unsigned Base1 : 8; 10 | unsigned Type : 4; 11 | unsigned IsGegment : 1; 12 | unsigned DPL : 2; 13 | unsigned P : 1; 14 | unsigned Limit1 : 4; 15 | unsigned AVL : 1; 16 | unsigned Reserv : 1; 17 | unsigned D : 1; 18 | unsigned G : 1; 19 | unsigned Base2 : 8; 20 | }*PSEGMENT_ENTRY; 21 | 22 | typedef struct GATE_ENTRY 23 | { 24 | unsigned Offset0 : 16; 25 | unsigned Selector : 16; 26 | unsigned Parametrs : 5; 27 | unsigned Reserv : 3; 28 | unsigned Type : 4; 29 | unsigned IsGegment : 1; 30 | unsigned DPL : 2; 31 | unsigned P : 1; 32 | unsigned Offset1 : 16; 33 | }*PGATE_ENTRY; 34 | 35 | typedef union DT_ENTRY 36 | { 37 | GATE_ENTRY Gate; 38 | SEGMENT_ENTRY Segment; 39 | } *PDT_ENTRY; 40 | 41 | struct GATE_REF 42 | { 43 | ULONG Offset; 44 | USHORT Selector; 45 | }; 46 | 47 | typedef struct X86_TAB 48 | { 49 | unsigned short Reserv; 50 | unsigned short Limit; 51 | PDT_ENTRY Table; 52 | } *PX86_TAB; 53 | 54 | struct _KiIoAccessMap 55 | { 56 | /*000*/ UCHAR DirectionMap[0x20]; 57 | /*020*/ UCHAR IoMap[0x2004]; 58 | }; 59 | 60 | struct _EXCEPTION_REGISTRATION_RECORD; 61 | 62 | struct _KTRAP_FRAME 63 | { 64 | /*000*/ ULONG DbgEbp; 65 | /*004*/ ULONG DbgEip; 66 | /*008*/ ULONG DbgArgMark; 67 | 
/*00C*/ ULONG DbgArgPointer; 68 | /*010*/ ULONG TempSegCs; 69 | /*014*/ ULONG TempEsp; 70 | /*018*/ ULONG Dr0; 71 | /*01C*/ ULONG Dr1; 72 | /*020*/ ULONG Dr2; 73 | /*024*/ ULONG Dr3; 74 | /*028*/ ULONG Dr6; 75 | /*02C*/ ULONG Dr7; 76 | /*030*/ ULONG SegGs; 77 | /*034*/ ULONG SegEs; 78 | /*038*/ ULONG SegDs; 79 | /*03C*/ ULONG Edx; 80 | /*040*/ ULONG Ecx; 81 | /*044*/ ULONG Eax; 82 | /*048*/ ULONG PreviousPreviousMode; 83 | /*04C*/ _EXCEPTION_REGISTRATION_RECORD *ExceptionList; 84 | /*050*/ ULONG SegFs; 85 | /*054*/ ULONG Edi; 86 | /*058*/ ULONG Esi; 87 | /*05C*/ ULONG Ebx; 88 | /*060*/ ULONG Ebp; 89 | /*064*/ ULONG ErrCode; 90 | /*068*/ ULONG Eip; 91 | /*06C*/ ULONG SegCs; 92 | /*070*/ ULONG EFlags; 93 | /*074*/ ULONG HardwareEsp; 94 | /*078*/ ULONG HardwareSegSs; 95 | /*07C*/ ULONG V86Es; 96 | /*080*/ ULONG V86Ds; 97 | /*084*/ ULONG V86Fs; 98 | /*088*/ ULONG V86Gs; 99 | }; 100 | 101 | struct _KTSS 102 | { 103 | /*000*/ USHORT Backlink; 104 | /*002*/ USHORT Reserved0; 105 | /*004*/ ULONG Esp0; 106 | /*008*/ USHORT Ss0; 107 | /*00A*/ USHORT Reserved1; 108 | /*00C*/ ULONG NotUsed1[0x4]; 109 | /*01C*/ ULONG CR3; 110 | /*020*/ ULONG Eip; 111 | /*024*/ ULONG EFlags; 112 | /*028*/ ULONG Eax; 113 | /*02C*/ ULONG Ecx; 114 | /*030*/ ULONG Edx; 115 | /*034*/ ULONG Ebx; 116 | /*038*/ ULONG Esp; 117 | /*03C*/ ULONG Ebp; 118 | /*040*/ ULONG Esi; 119 | /*044*/ ULONG Edi; 120 | /*048*/ USHORT Es; 121 | /*04A*/ USHORT Reserved2; 122 | /*04C*/ USHORT Cs; 123 | /*04E*/ USHORT Reserved3; 124 | /*050*/ USHORT Ss; 125 | /*052*/ USHORT Reserved4; 126 | /*054*/ USHORT Ds; 127 | /*056*/ USHORT Reserved5; 128 | /*058*/ USHORT Fs; 129 | /*05A*/ USHORT Reserved6; 130 | /*05C*/ USHORT Gs; 131 | /*05E*/ USHORT Reserved7; 132 | /*060*/ USHORT LDT; 133 | /*062*/ USHORT Reserved8; 134 | /*064*/ USHORT Flags; 135 | /*066*/ USHORT IoMapBase; 136 | /*068*/ _KiIoAccessMap IoMaps; 137 | /*208C*/ UCHAR IntDirectionMap[0x20]; 138 | }; 139 | 140 | union DR6 141 | { 142 | DWORD Value; 143 | struct 144 | { 
145 | unsigned B0 : 1; 146 | unsigned B1 : 1; 147 | unsigned B2 : 1; 148 | unsigned B3 : 1; 149 | unsigned : 9; 150 | unsigned BD : 1; 151 | unsigned BS : 1; 152 | unsigned BT : 1; 153 | unsigned : 16; 154 | }; 155 | }; 156 | 157 | union DR7 158 | { 159 | DWORD Value; 160 | struct 161 | { 162 | unsigned L0 : 1; 163 | unsigned G0 : 1; 164 | unsigned L1 : 1; 165 | unsigned G1 : 1; 166 | unsigned L2 : 1; 167 | unsigned G2 : 1; 168 | unsigned L3 : 1; 169 | unsigned G3 : 1; 170 | unsigned LE : 1; 171 | unsigned GE : 1; 172 | unsigned : 3; 173 | unsigned GD : 1; 174 | unsigned : 2; 175 | unsigned RWE0:2; 176 | unsigned LEN0:2; 177 | unsigned RWE1:2; 178 | unsigned LEN1:2; 179 | unsigned RWE2:2; 180 | unsigned LEN2:2; 181 | unsigned RWE3:2; 182 | unsigned LEN3:2; 183 | }; 184 | }; 185 | 186 | union _PTE_PAE 187 | { 188 | ULONGLONG Value; 189 | union 190 | { 191 | struct 192 | { 193 | ULONG Valid : 01;//00 194 | ULONG Write : 01;//01 195 | ULONG Owner : 01;//02 196 | ULONG WriteThrough : 01;//03 197 | ULONG CacheDisable : 01;//04 198 | ULONG Accessed : 01;//05 199 | ULONG Dirty : 01;//06 200 | ULONG LargePage : 01;//07 201 | ULONG Global : 01;//08 202 | ULONG CopyOnWrite : 01;//09 203 | ULONG Prototype : 01;//10 204 | ULONG reserved0 : 01;//11 205 | }; 206 | struct 207 | { 208 | ULONGLONG Flags : 12; 209 | ULONGLONG PageFrameNumber : 26;//12 210 | ULONGLONG reserved1 : 26;//38 211 | }; 212 | }; 213 | struct 214 | { 215 | struct 216 | { 217 | /*0000*/ULONG Valid : 01;//00 218 | /*0000*/ULONG PageFileLow : 04;//01 219 | /*0000*/ULONG Protection : 05;//05 220 | /*0000*/ULONG Prototype : 01;//10 221 | /*0000*/ULONG Transition : 01;//11 222 | /*0000*/ULONG Unused : 20;//12 223 | }; 224 | ULONG PageFileHigh; 225 | }; 226 | }; 227 | #define PDI_SHIFT_X86 22 228 | #define PDI_SHIFT_X86PAE 21 229 | 230 | const ULONG PX_SELFMAP_PAE = 3; 231 | const ULONG PTE_BASE_PAE = PX_SELFMAP_PAE << 30; 232 | const ULONG PDE_BASE_PAE = PTE_BASE_PAE + (PX_SELFMAP_PAE << 21); 233 | const ULONG 
PPE_BASE_PAE = PDE_BASE_PAE + (PX_SELFMAP_PAE << 12); 234 | 235 | #define PTE_PAE(i, j, k) ((_PTE_PAE*)((PX_SELFMAP_PAE << 30) + ((ULONG)(i) << 21) + ((ULONG)(j) << 12) + ((ULONG)(k) << 3) )) 236 | #define PDE_PAE(j, k) PTE_PAE(PX_SELFMAP_PAE, j, k) 237 | #define PPE_PAE(k) PTE_PAE(PX_SELFMAP_PAE, PX_SELFMAP_PAE, k) 238 | 239 | #define PTE_PAE_L(V) (&((_PTE_PAE*)PTE_BASE_PAE)[(DWORD)(V) >> 12]) 240 | #define PDE_PAE_L(V) (&((_PTE_PAE*)PDE_BASE_PAE)[(DWORD)(V) >> 21]) 241 | #define PPE_PAE_L(V) (&((_PTE_PAE*)PPE_BASE_PAE)[(DWORD)(V) >> 30]) 242 | 243 | // 244 | // Page protections 245 | // 246 | 247 | #define MM_ZERO_ACCESS 0 // this value is not used. 248 | #define MM_READONLY 1 249 | #define MM_EXECUTE 2 250 | #define MM_EXECUTE_READ 3 251 | #define MM_READWRITE 4 // bit 2 is set if this is writable. 252 | #define MM_WRITECOPY 5 253 | #define MM_EXECUTE_READWRITE 6 254 | #define MM_EXECUTE_WRITECOPY 7 255 | 256 | #define MM_NOCACHE 0x8 257 | #define MM_GUARD_PAGE 0x10 258 | #define MM_DECOMMIT 0x10 //NO_ACCESS, Guard page 259 | #define MM_NOACCESS 0x18 //NO_ACCESS, Guard_page, nocache. 260 | #define MM_UNKNOWN_PROTECTION 0x100 //bigger than 5 bits! 261 | #define MM_LARGE_PAGES 0x111 262 | 263 | #define MM_PROTECTION_WRITE_MASK 4 264 | #define MM_PROTECTION_COPY_MASK 1 265 | #define MM_PROTECTION_OPERATION_MASK 7 // mask off guard page and nocache. 
266 | #define MM_PROTECTION_EXECUTE_MASK 2 267 | 268 | union _PTE_X86 269 | { 270 | ULONG Value; 271 | struct 272 | { 273 | ULONG Valid : 01;//00 274 | ULONG Write : 01;//01 275 | ULONG Owner : 01;//02 276 | ULONG WriteThrough : 01;//03 277 | ULONG CacheDisable : 01;//04 278 | ULONG Accessed : 01;//05 279 | ULONG Dirty : 01;//06 280 | ULONG LargePage : 01;//07 281 | ULONG Global : 01;//08 282 | ULONG CopyOnWrite : 01;//09 283 | ULONG Prototype : 01;//10 284 | ULONG reserved : 01;//11 285 | ULONG PageFrameNumber : 20;//12 286 | }; 287 | struct 288 | { 289 | /*0000*/ULONG Valid : 01;//00 290 | /*0000*/ULONG PageFileLow : 04;//01 291 | /*0000*/ULONG Protection : 05;//05 292 | /*0000*/ULONG Prototype : 01;//10 293 | /*0000*/ULONG Transition : 01;//11 294 | /*0000*/ULONG PageFileHigh : 20;//12 295 | }; 296 | }; 297 | 298 | extern ULONG PX_SELFMAP_X86, PTE_BASE_X86, PDE_BASE_X86; 299 | 300 | #define INIT_PTE_CONSTS_X86(i) PX_SELFMAP_X86 = i;\ 301 | PTE_BASE_X86 = PX_SELFMAP_X86 << 22;\ 302 | PDE_BASE_X86 = PTE_BASE_X86 + (PX_SELFMAP_X86 << 12); 303 | 304 | #define PTE_X86(i, j) ((_PTE_X86*)((PX_SELFMAP_X86 << 22) + ((ULONG)(i) << 12) + ((ULONG)(j) << 2) )) 305 | #define PDE_X86(j) PTE_X86(PX_SELFMAP_X86, j) 306 | 307 | #define PTE_X86_L(V) (&((_PTE_X86*)PTE_BASE_X86)[(DWORD)(V) >> 12]) 308 | #define PDE_X86_L(V) (&((_PTE_X86*)PDE_BASE_X86)[(DWORD)(V) >> 22]) 309 | 310 | #pragma pack(pop) 311 | 312 | enum BREAKPOINT_TYPE 313 | { 314 | Execute, WriteData, ReadData = 3 315 | }; 316 | 317 | #define TRACE_FLAG 0x100 318 | #define RESUME_FLAG 0x10000 319 | 320 | #define SET_TRACE_FLAG() \ 321 | {\ 322 | __asm{ pushfd }\ 323 | __asm{ or dword ptr [esp],TRACE_FLAG }\ 324 | __asm{ popfd }\ 325 | __asm{ nop }\ 326 | } 327 | 328 | #define DEL_TRACE_FLAG() \ 329 | {\ 330 | __asm{ pushfd }\ 331 | __asm{ and dword ptr [esp],~TRACE_FLAG }\ 332 | __asm{ popfd }\ 333 | __asm{ nop }\ 334 | } 335 | 336 | #define DbgBreak() SET_TRACE_FLAG() 337 | #define __DbgBreak() if 
(IsDebuggerPresent()) SET_TRACE_FLAG() 338 | #define __DbgPrint if (IsDebuggerPresent()) DbgPrint 339 | #define DbgBreakEx(condition) if (condition) SET_TRACE_FLAG() 340 | #define SET_TIMEOUT(time,seconds) time.QuadPart = -(__int64)(10000000 * (seconds)); 341 | 342 | #pragma warning(disable : 4035 ) 343 | 344 | inline ULONG bswap_4(ULONG u) 345 | { 346 | __asm { mov eax,u } 347 | __asm { bswap eax } 348 | } 349 | 350 | inline USHORT bswap_2(USHORT s) 351 | { 352 | __asm { mov ax,s } 353 | __asm { bswap eax } 354 | __asm { rol eax,16} 355 | } 356 | 357 | #pragma warning(default : 4035 ) 358 | -------------------------------------------------------------------------------- /LdrpKernel32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/LdrpKernel32.dll -------------------------------------------------------------------------------- /LdrpKernel32/LdrpKernel32.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Release 6 | Win32 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 17.0 15 | {937A010C-CEF6-77C8-3490-FF98598A0187} 16 | LdrpKernel32 17 | Win32Proj 18 | $(SolutionDir)MSBuild\v4.0 19 | 10.0 20 | 21 | 22 | 23 | DynamicLibrary 24 | v143 25 | Unicode 26 | true 27 | 28 | 29 | DynamicLibrary 30 | v143 31 | Unicode 32 | true 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | <_ProjectFileVersion>17.0.32819.101 46 | 47 | 48 | $(SolutionDir)$(Configuration)\ 49 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 50 | false 51 | false 52 | 53 | 54 | $(SolutionDir)$(Platform)\$(Configuration)\ 55 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 56 | false 57 | false 58 | 59 | 60 | 61 | /std:c++latest /permissive- %(AdditionalOptions) 62 | MaxSpeed 63 | Size 64 | true 65 | true 66 | 67 | MultiThreadedDLL 68 | false 69 | false 70 | 71 | 
Level4 72 | ProgramDatabase 73 | StdCall 74 | 75 | 76 | /EMITPOGOPHASEINFO %(AdditionalOptions) 77 | ntdllp.lib 78 | $(OutDir);%(AdditionalLibraryDirectories) 79 | true 80 | exports.def 81 | false 82 | Windows 83 | true 84 | true 85 | 86 | true 87 | 88 | MachineX86 89 | 90 | 91 | 92 | 93 | X64 94 | 95 | 96 | /std:c++latest /permissive- %(AdditionalOptions) 97 | MaxSpeed 98 | Size 99 | true 100 | true 101 | 102 | MultiThreadedDLL 103 | false 104 | false 105 | 106 | Level4 107 | ProgramDatabase 108 | StdCall 109 | 110 | 111 | /EMITPOGOPHASEINFO %(AdditionalOptions) 112 | ntdllp.lib 113 | $(OutDir)LdrpKernel64.dll 114 | $(OutDir);%(AdditionalLibraryDirectories) 115 | true 116 | exports.def 117 | false 118 | Windows 119 | true 120 | true 121 | 122 | true 123 | 124 | MachineX64 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | -------------------------------------------------------------------------------- /LdrpKernel32/LdrpKernel32.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /LdrpKernel32/LdrpKernel32.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /LdrpKernel32/exports.def: -------------------------------------------------------------------------------- 1 | EXPORTS 2 | 3 | BaseThreadInitThunk PRIVATE 4 | TermsrvGetWindowsDirectoryW=kernel32.TermsrvGetWindowsDirectoryW 
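PRIVATE -------------------------------------------------------------------------------- /LdrpKernel32/main.cpp: --------------------------------------------------------------------------------
// Stand-in module that ntdll loads in place of kernel32 after the injector
// has repointed ntdll's LdrpKernel32DllName at this DLL's path.  ntdll calls
// our exported BaseThreadInitThunk for every new thread; the first call
// (bInitializeTermsrv set) is used to
//   1. strip the staging prefix the injector put in front of the command line,
//   2. load the payload DLL named in the staging buffer and call its entry export,
//   3. put LdrpKernel32DllName back to the string it held before the hijack,
// and every call ends by forwarding to the genuine kernel32!BaseThreadInitThunk.
//
// Trust boundary: every pointer this file parses out of the command line and
// the staging buffer is written through and freed.  Only the injector is
// expected to produce that data; the checks below reject the obviously
// malformed cases (missing separators, zero pointers) so a stray command line
// does not turn into a write into ntdll, but they do not validate that the
// pointers actually refer to LdrpKernel32DllName.
#define SECURITY_WIN32
#include "../inc/stdafx.h"

_NT_BEGIN

// The real kernel32!BaseThreadInitThunk; resolved lazily on first use and
// reached through the import slot below.
EXTERN_C
WINBASEAPI
NTSTATUS
FASTCALL
K32BaseThreadInitThunk(
	BOOL bInitializeTermsrv,
	LPTHREAD_START_ROUTINE lpStartAddress,
	PVOID lpParameter
	);

// Import slot for K32BaseThreadInitThunk; zero until BaseThreadInitThunk
// has looked the real function up.
EXTERN_C PVOID __imp_K32BaseThreadInitThunk = 0;

#ifdef _M_IX86
// x86 decorates the __fastcall import name; alias it to the plain slot above.
#pragma comment(linker, "/alternatename:__imp_@K32BaseThreadInitThunk@12=___imp_K32BaseThreadInitThunk")
#endif

// exports.def lists this name as a forwarder to kernel32, so this local body
// is presumably never the exported symbol; reaching it means the export
// table is not what was intended.
void TermsrvGetWindowsDirectoryW()
{
	__debugbreak();
}

// Load the payload DLL described by Buffer and run its entry export.
//
// Buffer holds two NUL-terminated strings back to back:
//   L"<dll path>\0<hex ordinal>\0"
// The ordinal must be non-zero, fit in a USHORT and be followed by nothing
// else (wcstoul's ULONG_MAX-on-overflow is rejected by the range check).
// The export is called with no arguments; a non-zero return is treated as
// "refused" and the DLL is unloaded again.  Load and lookup failures are
// deliberately ignored so the host process keeps running.
void LoadMainDll(PWSTR Buffer)
{
	UNICODE_STRING us;
	RtlInitUnicodeString(&us, Buffer);

	// The ordinal starts right after the path's terminating NUL.
	PWSTR end;
	ULONG ordinal = wcstoul(Buffer + wcslen(Buffer) + 1, &end, 16);

	if (!ordinal || *end || ordinal >= MAXUSHORT)
	{
		return;
	}

	HMODULE hmod;
	if (0 > LdrLoadDll(0, 0, &us, &hmod))
	{
		return;
	}

	FARPROC fp;
	if (0 > LdrGetProcedureAddress(hmod, 0, ordinal, (void**)&fp) || fp())
	{
		LdrUnloadDll(hmod);
	}
}

// Undo the LdrpKernel32DllName hijack and start the payload.
//
// pKernel32DllName points at ntdll's LdrpKernel32DllName UNICODE_STRING.
// Its Buffer currently points at a block the injector allocated, laid out as
//   L"<this dll path>\0<hex saved Buffer>*<payload path>\0<hex ordinal>\0"
// where <hex saved Buffer> is presumably the Buffer pointer the string held
// before the hijack (the real kernel32 name inside ntdll).
//
// The string is expected to live in a page that is not writable (hence the
// PAGE_READWRITE / restore dance), and the staging block is released with
// MEM_RELEASE, so it must be the base of its own allocation.  Note that
// ZwFreeVirtualMemory writes the region base back through the Buffer field,
// which is why the free is done only after the page was made writable and
// before RtlInitUnicodeString overwrites the field.
void RevertLdrpKernel32DllName(PUNICODE_STRING pKernel32DllName)
{
	PWSTR Buffer = pKernel32DllName->Buffer;
	if (!Buffer)
	{
		return;
	}

	PWSTR kernel32 = (PWSTR)(ULONG_PTR)_wcstoui64(Buffer + wcslen(Buffer) + 1, &Buffer, 16);

	// Missing separator or a zero saved pointer: the block was not built by
	// our injector.  Touch nothing rather than leave ntdll with an empty or
	// garbage kernel32 name.
	if (*Buffer != '*' || !kernel32)
	{
		return;
	}

	LoadMainDll(Buffer + 1);

	PVOID BaseAddress = pKernel32DllName;
	SIZE_T s = sizeof(UNICODE_STRING), r = 0;
	ULONG op;
	if (0 <= ZwProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &s, PAGE_READWRITE, &op))
	{
		// Best effort: if Buffer is not a region base the free fails and the
		// staging memory simply leaks; the string is restored either way.
		ZwFreeVirtualMemory(NtCurrentProcess(), (void**)&pKernel32DllName->Buffer, &r, MEM_RELEASE);
		RtlInitUnicodeString(pKernel32DllName, kernel32);
		ZwProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &s, op, &op);
	}
	// If the protection change fails, LdrpKernel32DllName keeps naming this
	// DLL and later "kernel32" loads by ntdll will resolve to us again.
}

// Replacement for kernel32!BaseThreadInitThunk.
//
// ntdll calls this for every thread.  The initial thread arrives with
// bInitializeTermsrv set; that is when the command line staged by the
// injector is consumed.  Its layout is
//   L"<hex wow64 LdrpKernel32DllName>*<hex native LdrpKernel32DllName>*<real command line>"
// The 32-bit build uses the first pointer, the 64-bit build the second.
// The prefix is stripped before the payload is loaded, so the payload (and
// anyone reading the PEB afterwards) sees the original command line.
//
// Returns whatever the real kernel32 thunk returns, or the NTSTATUS of a
// failed lookup of that thunk.
NTSTATUS
FASTCALL
BaseThreadInitThunk(
	BOOL bInitializeTermsrv,
	LPTHREAD_START_ROUTINE lpStartAddress,
	PVOID lpParameter
	)
{
	if (!__imp_K32BaseThreadInitThunk)
	{
		// Early threads may race through here; each resolves the same
		// address, so the last writer wins harmlessly.
		static HMODULE shmod = 0;

		NTSTATUS status;

		if (!shmod)
		{
			HMODULE hmod;
			// Presumably L"kernel32": the real module, which the forwarder in
			// exports.def is expected to have brought into the process.
			STATIC_UNICODE_STRING_(kernel32);
			if (0 > (status = LdrGetDllHandle(0, 0, &kernel32, &hmod)))
			{
				return status;
			}
			shmod = hmod;
		}

		PVOID func;
		STATIC_ANSI_STRING(aBaseThreadInitThunk, "BaseThreadInitThunk");

		if (0 > (status = LdrGetProcedureAddress(shmod, &aBaseThreadInitThunk, 0, &func)))
		{
			return status;
		}

		__imp_K32BaseThreadInitThunk = func;
	}

	if (bInitializeTermsrv)
	{
		PUNICODE_STRING CommandLine = &RtlGetCurrentPeb()->ProcessParameters->CommandLine;
		if (PWSTR Buffer = CommandLine->Buffer)
		{
			unsigned __int64 pWow = _wcstoui64(Buffer, &Buffer, 16);

			if (*Buffer == '*')
			{
				unsigned __int64 pNative = _wcstoui64(Buffer + 1, &Buffer, 16);

				if (*Buffer == '*')
				{
					// Drop the staging prefix first so the payload sees the
					// real command line.
					RtlInitUnicodeString(CommandLine, Buffer + 1);

#ifdef _WIN64
					(void)pWow;
					ULONG_PTR p = (ULONG_PTR)pNative;
#else
					(void)pNative;
					ULONG_PTR p = (ULONG_PTR)pWow;
#endif
					// A zero pointer would be dereferenced and written
					// through by the revert; refuse it.
					if (p)
					{
						RevertLdrpKernel32DllName((PUNICODE_STRING)p);
					}
				}
			}
		}
	}

	return K32BaseThreadInitThunk(bInitializeTermsrv, lpStartAddress, lpParameter);
}

_NT_END
-------------------------------------------------------------------------------- /LdrpKernel32DllName.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 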
17.3.32901.215 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "64IN32", "64IN32\64IN32.vcxproj", "{A9A11BB8-D35C-4CF1-A325-ACD39DB5CE8B}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LdrpKernel32", "LdrpKernel32\LdrpKernel32.vcxproj", "{937A010C-CEF6-77C8-3490-FF98598A0187}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "detour", "detour\detour.vcxproj", "{9CD908E6-3DCA-40C4-9299-D81AD0B88E0D}" 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "yYy", "yYy\yYy.vcxproj", "{0FDB181E-9880-9B2C-B1F8-62FB9D86679B}" 13 | EndProject 14 | Global 15 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 16 | Release|x64 = Release|x64 17 | Release|x86 = Release|x86 18 | EndGlobalSection 19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 20 | {A9A11BB8-D35C-4CF1-A325-ACD39DB5CE8B}.Release|x64.ActiveCfg = Release|x64 21 | {A9A11BB8-D35C-4CF1-A325-ACD39DB5CE8B}.Release|x64.Build.0 = Release|x64 22 | {A9A11BB8-D35C-4CF1-A325-ACD39DB5CE8B}.Release|x86.ActiveCfg = Release|x64 23 | {937A010C-CEF6-77C8-3490-FF98598A0187}.Release|x64.ActiveCfg = Release|x64 24 | {937A010C-CEF6-77C8-3490-FF98598A0187}.Release|x64.Build.0 = Release|x64 25 | {937A010C-CEF6-77C8-3490-FF98598A0187}.Release|x86.ActiveCfg = Release|Win32 26 | {937A010C-CEF6-77C8-3490-FF98598A0187}.Release|x86.Build.0 = Release|Win32 27 | {9CD908E6-3DCA-40C4-9299-D81AD0B88E0D}.Release|x64.ActiveCfg = Release|x64 28 | {9CD908E6-3DCA-40C4-9299-D81AD0B88E0D}.Release|x64.Build.0 = Release|x64 29 | {9CD908E6-3DCA-40C4-9299-D81AD0B88E0D}.Release|x86.ActiveCfg = Release|Win32 30 | {9CD908E6-3DCA-40C4-9299-D81AD0B88E0D}.Release|x86.Build.0 = Release|Win32 31 | {0FDB181E-9880-9B2C-B1F8-62FB9D86679B}.Release|x64.ActiveCfg = Release|x64 32 | {0FDB181E-9880-9B2C-B1F8-62FB9D86679B}.Release|x64.Build.0 = Release|x64 33 | {0FDB181E-9880-9B2C-B1F8-62FB9D86679B}.Release|x86.ActiveCfg = 
Release|Win32 34 | {0FDB181E-9880-9B2C-B1F8-62FB9D86679B}.Release|x86.Build.0 = Release|Win32 35 | EndGlobalSection 36 | GlobalSection(SolutionProperties) = preSolution 37 | HideSolutionNode = FALSE 38 | EndGlobalSection 39 | GlobalSection(ExtensibilityGlobals) = postSolution 40 | SolutionGuid = {B2E0885A-64E4-426D-91DC-53B356E0E26C} 41 | EndGlobalSection 42 | EndGlobal 43 | -------------------------------------------------------------------------------- /LdrpKernel64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/LdrpKernel64.dll -------------------------------------------------------------------------------- /MSBuild/v4.0/Microsoft.Cpp.Win32.user.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | $(WindowsSdkDir)Include\$(TargetPlatformVersion)\ 7 | $(WindowsSdkDir)Lib\$(TargetPlatformVersion)\ 8 | 9 | 10 | $(INC_ROOT)shared;$(INC_ROOT)km;$(INC_ROOT)um;$(INC_ROOT)km\crt 11 | $(LIB_ROOT)km\x86;$(LIB_ROOT)um\x86;$(LIB_ROOT)ucrt\x86 12 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 13 | 14 | 15 | 16 | 17 | 18 | false 19 | false 20 | 21 | 22 | 23 | BufferOverflow.lib;ntdllp.lib;kernel32.lib;advapi32.lib;user32.lib 24 | true 25 | false 26 | "$(OutDir)" 27 | true 28 | UseLinkTimeCodeGeneration 29 | MachineX86 30 | 31 | 32 | Level4 33 | Classic 34 | Size 35 | true 36 | false 37 | true 38 | false 39 | true 40 | stdcpplatest 41 | Use 42 | StdCall 43 | true 44 | true 45 | true 46 | false 47 | 48 | 49 | 50 | 51 | $(LIB_ROOT) 52 | 53 | 54 | $(INC_ROOT) 55 | 56 | 57 | -------------------------------------------------------------------------------- /MSBuild/v4.0/Microsoft.Cpp.x64.user.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | $(WindowsSdkDir)Include\$(TargetPlatformVersion)\ 7 | 
$(WindowsSdkDir)Lib\$(TargetPlatformVersion)\ 8 | 9 | 10 | $(INC_ROOT)shared;$(INC_ROOT)km;$(INC_ROOT)um;$(INC_ROOT)km\crt 11 | $(LIB_ROOT)km\x64;$(LIB_ROOT)um\x64;$(LIB_ROOT)ucrt\x64 12 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 13 | 14 | 15 | 16 | 17 | 18 | false 19 | false 20 | 21 | 22 | 23 | BufferOverflow.lib;ntdllp.lib;kernel32.lib;advapi32.lib;user32.lib 24 | true 25 | false 26 | "$(OutDir)" 27 | true 28 | UseLinkTimeCodeGeneration 29 | MachineX64 30 | 31 | 32 | Level4 33 | Classic 34 | Size 35 | true 36 | false 37 | true 38 | false 39 | true 40 | stdcpplatest 41 | Use 42 | StdCall 43 | true 44 | true 45 | true 46 | false 47 | 48 | 49 | 50 | 51 | $(LIB_ROOT) 52 | 53 | 54 | $(INC_ROOT) 55 | 56 | 57 | -------------------------------------------------------------------------------- /Payload32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/Payload32.dll -------------------------------------------------------------------------------- /Payload64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/Payload64.dll -------------------------------------------------------------------------------- /detour/LDasm.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #if defined (_M_AMD64) 4 | #define USE64 5 | #elif defined (_M_IX86) 6 | #define USE32 7 | #else 8 | #error "Unknown or unsupported platform" 9 | #endif 10 | 11 | typedef signed __int8 int8_t; 12 | typedef signed __int16 int16_t; 13 | typedef signed __int32 int32_t; 14 | typedef signed __int64 int64_t; 15 | 16 | typedef unsigned __int8 uint8_t; 17 | typedef unsigned __int16 uint16_t; 18 | typedef unsigned __int32 uint32_t; 19 | typedef unsigned __int64 uint64_t; 20 | 
21 | #ifdef USE64 22 | #define is_x64 1 23 | #else 24 | #define is_x64 0 25 | #endif//USE64 26 | 27 | #ifdef __cplusplus 28 | extern "C" 29 | { 30 | #endif 31 | 32 | #define F_INVALID 0x01 33 | #define F_PREFIX 0x02 34 | #define F_REX 0x04 35 | #define F_MODRM 0x08 36 | #define F_SIB 0x10 37 | #define F_DISP 0x20 38 | #define F_IMM 0x40 39 | #define F_RELATIVE 0x80 40 | 41 | typedef struct _ldasm_data 42 | { 43 | uint8_t flags; 44 | uint8_t rex; 45 | uint8_t modrm; 46 | uint8_t sib; 47 | uint8_t opcd_offset; 48 | uint8_t opcd_size; 49 | uint8_t disp_offset; 50 | uint8_t disp_size; 51 | uint8_t imm_offset; 52 | uint8_t imm_size; 53 | } ldasm_data; 54 | 55 | uint8_t __fastcall ldasm( void *code, ldasm_data *ld, uint32_t is64 ); 56 | 57 | #ifdef __cplusplus 58 | } 59 | #endif -------------------------------------------------------------------------------- /detour/TRAMPOLINE.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | struct DTA; 4 | 5 | enum { 6 | SIZE_OF_JMP = 5 7 | }; 8 | 9 | union Z_DETOUR_TRAMPOLINE 10 | { 11 | Z_DETOUR_TRAMPOLINE* Next; 12 | 13 | struct 14 | { 15 | union { 16 | ULONG ff250000; 17 | struct { 18 | USHORT cbRestore; // size of original target code. 19 | USHORT ff25; // jmp [pvDetour] 20 | }; 21 | }; 22 | ULONG disp; 23 | PVOID pvDetour; // address of detour function. 24 | PVOID pvJmp; // address of modification in original code 25 | PVOID pvAfter; // first instruction after moved code. 26 | BYTE rbCode[23]; // target code + Jmp pvAfter 27 | BYTE cbCode; 28 | BYTE rbRestore[7]; // saved original code. 
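// ==== /detour/TRAMPOLINE.h (continued: tail of union Z_DETOUR_TRAMPOLINE) ====

		union {
			UCHAR o;
			struct {
				// Jxx rel8 -> Jxx rel32 ( + 4 bytes )
				UCHAR o1 : 4;
				UCHAR o2 : 4;
			};
		};
	};

	~Z_DETOUR_TRAMPOLINE(){}

	// pvDetour: the hook function. Pre-fills the "jmp [pvDetour]" stub (ff 25 + disp32),
	// with disp 0 (RIP-relative) on x64 and an absolute address on x86, and pads rbCode
	// with int3 (0xcc).
	// NOTE(review): inside this constructor the parameter `pvDetour` hides the member of
	// the same name, so `&pvDetour` on the x86 path is the address of the parameter (a
	// stack slot), not of the member. Unless Init() rewrites disp (TRAMPOLINE.cpp is not
	// shown here), that is a bug — confirm.
	Z_DETOUR_TRAMPOLINE(PVOID pvDetour) : pvDetour(pvDetour), pvAfter(0), pvJmp(0), cbCode(0), o(0)
	{
		ff250000 = 0x25ff0000;
#if defined(_M_X64)
		disp = 0;
#elif defined (_M_IX86)
		disp = (ULONG_PTR)&pvDetour;
#else
#error ##
#endif
		RtlFillMemoryUlong(rbCode, sizeof(rbCode), 0xcccccccc);
	}

	void* operator new(size_t, void* pvTarget);

	void operator delete(PVOID pv);

	PVOID Init(PVOID pvTarget);

	NTSTATUS Set();

	NTSTATUS Remove();

	void Expand(_Inout_ DTA* Lens);
};

// ==== /detour/detour.cpp ====
#include "StdAfx.h"
#include "LDasm.h"

_NT_BEGIN

#include "TRAMPOLINE.h"
#include "detour.h"
#include "threads.h"

// Follows a chain of "jmp [mem]" (ff /4 with modrm 25, i.e. a disp32-only operand)
// thunks — the form import stubs take — to the code they finally land on.
// pv: candidate code pointer. Returns the first address that is not such a jmp.
// The [mem] slot is absolute on x86 and RIP-relative on x64; a slot address that is
// not pointer-aligned stops the walk (the instruction is then not treated as a thunk).
// NOTE(review): there is no cycle guard, so a self-referencing thunk chain loops forever,
// and *ppv is read without any readability check.
PVOID TestJmp(PBYTE pv)
{
__loop:
	ldasm_data ld;
	[[maybe_unused]] BYTE len = ldasm( pv, &ld, is_x64 );

	// exactly: one opcode byte ff, modrm 25, a 4-byte displacement, no immediate, valid
	if (((ld.flags & (F_INVALID|F_DISP|F_MODRM|F_IMM)) == (F_DISP|F_MODRM)) &&
		ld.disp_size == 4 && ld.modrm == 0x25 && ld.opcd_size == 1 &&
		pv[ld.opcd_offset] == 0xff)
	{
#if defined(_M_IX86)
		void** ppv = *(void***)(pv + ld.disp_offset);
#elif defined (_M_X64)
		// RIP-relative: slot = address of the next instruction + sign-extended disp32
		void** ppv = (void**)(pv + len + (LONG_PTR)*(LONG*)(pv + ld.disp_offset));
#else
#error
#endif

		if (!((ULONG_PTR)ppv & (sizeof(PVOID) - 1)))
		{
			pv = (PBYTE)*ppv;
			goto __loop;
		}
	}

	return pv;
}

// Makes an image's IAT writable so its __imp_ slots can be rewritten by TrHook.
// ImageBase: the module to patch (detour.h defaults it to this image).
// Returns STATUS_NOT_FOUND when the image has no IAT directory, otherwise the status
// of ZwProtectVirtualMemory. The previous protection is discarded — there is no
// counterpart that restores it, so the IAT stays writable for the life of the process.
NTSTATUS NTAPI TrInit(PVOID ImageBase)
{
	ULONG op, size;
	if (PVOID pIAT = RtlImageDirectoryEntryToData(ImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &size))
	{
		SIZE_T ProtectSize = size;

		return ZwProtectVirtualMemory(NtCurrentProcess(), &pIAT, &ProtectSize, PAGE_READWRITE, &op);
	}

	return STATUS_NOT_FOUND;
}

// Installs one hook.
// pv:    code address to patch (normally *entry->pThunk); leading jmp-[mem] stubs are
//        skipped first via TestJmp.
// entry: in/out, see detour.h. On success *entry->pThunk points at the trampoline
//        (the relocated original code), entry->hook holds the previous *entry->pThunk
//        and entry->pTramp the trampoline, so TrUnHook can undo everything.
// pti:   optional list from SuspendAll; threads whose PC sits inside the overwritten
//        bytes are moved into the trampoline copy (MovePc). Without it nothing is
//        relocated and such threads would resume in the middle of the new jmp.
// Returns STATUS_SUCCESS, or the failing status with *entry->pThunk left unchanged
// and the trampoline freed.
NTSTATUS NTAPI TrHook(_In_ PVOID pv, T_HOOK_ENTRY* entry, _In_opt_ ThreadInfo* pti)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;

	pv = TestJmp((PBYTE)pv);

	// placement new: Z_DETOUR_TRAMPOLINE::operator new decides where the trampoline
	// lives relative to pv (not shown here)
	if (Z_DETOUR_TRAMPOLINE* pTramp = new (pv) Z_DETOUR_TRAMPOLINE(entry->hook))
	{
		if (pv = pTramp->Init(pv))
		{
			// point the import slot at the trampoline before the target is patched
			PVOID pThunk = *entry->pThunk;
			*entry->pThunk = pv;

			if (0 <= (status = pTramp->Set()))
			{
				Dbg_Print("0x%p -> 0x%p -> 0x%p [0x%p]\n", pThunk, entry->hook, pv, pTramp);

				if (pTramp->pvAfter)
				{
					DTA Lens { };

					pTramp->Expand(&Lens);

					// threads stopped inside the overwritten jmp continue in the moved copy
					MovePc(pti, (ULONG_PTR)pTramp->pvJmp, (ULONG_PTR)pTramp->rbCode, SIZE_OF_JMP, &Lens);
				}

				entry->hook = pThunk;
				entry->pTramp = pTramp;
				return STATUS_SUCCESS;
			}

			*entry->pThunk = pThunk;
		}
		delete pTramp;
	}

	return status;
}

// Removes a hook installed by TrHook.
// entry: the same entry; if entry->pTramp is 0 nothing happens.
// pti:   optional suspended-thread list; PCs parked on the trampoline's jmp stub or
//        inside its relocated code are moved back into the original function, with the
//        Lens offsets adjusted because the rel8->rel32 widening done on install is
//        reversed (each widened branch is 4 bytes shorter in the original).
// Returns STATUS_SUCCESS, or the status of a failed Remove() (hook left in place).
NTSTATUS NTAPI TrUnHook(_In_ T_HOOK_ENTRY* entry, _In_opt_ ThreadInfo* pti)
{
	if (Z_DETOUR_TRAMPOLINE* pTramp = entry->pTramp)
	{
		NTSTATUS status = pTramp->Remove();

		if (0 > status)
		{
			return status;
		}

		DTA Lens { };
		pTramp->Expand(&Lens);

		// invert the expansion recorded by Expand for the trampoline -> original direction
		if (Lens.ofs1)
		{
			Lens.add1 = -4;
			Lens.ofs1 += 4;
		}

		if (Lens.ofs2)
		{
			Lens.add2 = -4;
			Lens.ofs2 += 8;
		}

		// a thread parked exactly on the "jmp [pvDetour]" stub is sent to the detour itself
		MovePc(pti, (ULONG_PTR)&pTramp->ff25, (ULONG_PTR)pTramp->pvDetour, 1, &Lens);

		if (pTramp->pvAfter)
		{
			ULONG cbCode = pTramp->cbCode;
			// relocated original code -> its original place; the trailing jmp -> pvAfter
			MovePc(pti, (ULONG_PTR)pTramp->rbCode, (ULONG_PTR)pTramp->pvJmp, cbCode, &Lens);
			MovePc(pti, (ULONG_PTR)pTramp->rbCode + cbCode, (ULONG_PTR)pTramp->pvAfter, 1, &Lens);
		}

		*entry->pThunk = entry->hook;
		entry->hook = pTramp->pvDetour;
		entry->pTramp = 0;

		delete pTramp;
	}

	return STATUS_SUCCESS;
}

// Removes n hooks from the entry array (see TrUnHook above); per-entry failures are
// ignored. n == 0 is a no-op — the previous do/while decremented n below zero and
// walked off the end of the array.
void NTAPI TrUnHook(_In_ T_HOOK_ENTRY* entry, _In_ ULONG n, _In_opt_ ThreadInfo* pti)
{
	for (; n; --n)
	{
		TrUnHook(entry++, pti);
	}
}

// Installs n hooks from the entry array, each at the current target of its import
// slot (*entry->pThunk); per-entry failures are ignored. n == 0 is a no-op (same
// wrap-around hazard as TrUnHook before).
void NTAPI TrHook(_In_ T_HOOK_ENTRY* entry, _In_ ULONG n, _In_opt_ ThreadInfo* pti)
{
	for (; n; --n, ++entry)
	{
		TrHook(*entry->pThunk, entry, pti);
	}
}

// Single-slot convenience form (DetourAttach-like, see detour.h): hooks *p__imp with
// hook. The entry lives on the stack, so this hook cannot be removed with TrUnHook.
NTSTATUS NTAPI TrHook(_Inout_ void** p__imp, _In_ PVOID hook, _In_opt_ ThreadInfo* pti)
{
	T_HOOK_ENTRY entry = { p__imp, hook };
	return TrHook(*p__imp, &entry, pti);
}

_NT_END

// ==== /detour/detour.h ====
#pragma once

struct T_HOOK_ENTRY
{
	_Inout_ void** pThunk;
	// pointer to the variable that holds:
	// In:  where to put the hook ( *pThunk -> func )
	// Out: pointer to the place that runs the original code ( *pThunk -> tramp )
	_Inout_ PVOID hook;
	// In: pointer to hook function.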
so *pThunk redirected to hook 11 | // Out: original value of *pThunk ( func ) 12 | union Z_DETOUR_TRAMPOLINE* pTramp; 13 | }; 14 | 15 | /************************************************************************/ 16 | /* 17 | typical case: 18 | 19 | before: 20 | ------------------------------------------------------------------------- 21 | EXTERN_C PVOID __imp_RtlDispatchAPC = RtlDispatchAPC; // initialized by loader 22 | 23 | RtlDispatchAPC: 24 | 00007FFAB20AF6D0 mov r11,rsp 25 | 00007FFAB20AF6D3 mov qword ptr [r11+8],rbx 26 | 00007FFAB20AF6D7 mov qword ptr [r11+10h],rsi 27 | 28 | 29 | -------------------------------------------------------------------------- 30 | after: TrHook(&__imp_RtlDispatchAPC, hook_RtlDispatchAPC); 31 | -------------------------------------------------------------------------- 32 | 33 | RtlDispatchAPC: 34 | 00007FFB876AF6D0 jmp hook_RtlDispatchAPC 35 | 00007FFB876AF6D7 mov qword ptr [r11+10h],rsi 36 | 37 | trampoline: 38 | 00007FFA3225FFB8 mov r11,rsp 39 | 00007FFA3225FFBB mov qword ptr [r11+8],rbx 40 | 00007FFA3225FFBF jmp RtlDispatchAPC + 7 (7FFB876AF6D7h) 41 | 42 | 43 | __imp_RtlDispatchAPC = trampoline; 44 | 45 | ////////////////////////////////////////////////////////////////////////// 46 | x86: 47 | before: 48 | ------------------------------------------------------------------------- 49 | #pragma comment(linker, "/alternatename:___imp_RtlActivateActivationContextUnsafeFast=__imp_@RtlActivateActivationContextUnsafeFast@8") 50 | 51 | EXTERN_C PVOID __imp_RtlActivateActivationContextUnsafeFast = RtlActivateActivationContextUnsafeFast; // initialized by loader 52 | 53 | 771F6FBB int 3 54 | 771F6FBC int 3 55 | 771F6FBD int 3 56 | 771F6FBE int 3 57 | 771F6FBF int 3 58 | RtlActivateActivationContextUnsafeFast: 59 | 771F6FC0 mov edi,edi 60 | 771F6FC2 push ebp 61 | 62 | -------------------------------------------------------------------------- 63 | after: TrHook(&__imp_RtlActivateActivationContextUnsafeFast, 
hook_RtlActivateActivationContextUnsafeFast);
--------------------------------------------------------------------------

__imp_RtlActivateActivationContextUnsafeFast = 771F6FC2 ( RtlActivateActivationContextUnsafeFast + 2 )

771F6FBB jmp hook_RtlActivateActivationContextUnsafeFast
RtlActivateActivationContextUnsafeFast:
771F6FC0 jmp 771F6FBB
771F6FC2 push ebp

( x86 layout in this example: the 5-byte "jmp hook" goes into the int3 padding in
  front of the function, the 2-byte "mov edi,edi" is replaced by a short jmp back to
  it, and the import slot is pointed at function + 2, just past the replaced bytes. )

*/
/************************************************************************/


//////////////////////////////////////////////////////////////////////////
//

// no-op printf-style sink; the default target of the Dbg_Print slot
void __cdecl Nop_Print(_In_z_ _Printf_format_string_ PCSTR , ...);

// decorated name of an import slot on this architecture
#ifdef _X86_
#define __IMP(x) _imp__ ## x
#else
#define __IMP(x) __imp_ ## x
#endif

EXTERN_C PVOID __IMP(DbgPrint);
EXTERN_C PVOID __IMP(Dbg_Print);

// enable debug output: route Dbg_Print to DbgPrint
#define DBG_PRINT_ON() __IMP(Dbg_Print) = __IMP(DbgPrint)

// disable debug output ( this is the default )
#define DBG_PRINT_OFF() __IMP(Dbg_Print) = Nop_Print

struct ThreadInfo;

// suspend all threads in the process except the current one and capture their
// contexts; *ppti receives the list (0 if there was nothing to suspend).
// On failure nothing stays suspended and *ppti is 0.
NTSTATUS NTAPI SuspendAll(_Out_ ThreadInfo** ppti);

// resume all threads suspended by SuspendAll and free the list
void NTAPI ResumeAndFree(_In_ ThreadInfo* pti);

// make the image's IAT writable so its __imp_ slots can be rewritten
// (the previous protection is not restored afterwards)
NTSTATUS NTAPI TrInit(PVOID ImageBase = &__ImageBase);

// install n hooks described by entry[0..n-1]; pti (from SuspendAll) lets threads
// parked inside patched code be relocated. n is expected to be >= 1.
void NTAPI TrHook(_In_ T_HOOK_ENTRY* entry, _In_ ULONG n, _In_opt_ ThreadInfo* pti = 0);

// remove n hooks installed by TrHook, restoring the __imp_ slots. n is expected to be >= 1.
void NTAPI TrUnHook(_In_ T_HOOK_ENTRY* entry, _In_ ULONG n, _In_opt_ ThreadInfo* pti = 0);

// equivalent, in its first 2 parameters, to DetourAttach ( https://github.com/microsoft/Detours/wiki/DetourAttach )
// for hooks that never need to be removed; same as:
// T_HOOK_ENTRY entry = { p__imp, hook };
// return TrHook(&entry, 1, pti);
NTSTATUS NTAPI TrHook(_Inout_ void** p__imp, _In_ PVOID hook, _In_opt_ ThreadInfo* pti = 0);

119 | #define _DECLARE_T_HOOK(pfn) EXTERN_C extern PVOID __imp_ ## pfn; 120 | 121 | #define DECLARE_T_HOOK_X86(pfn, n) _DECLARE_T_HOOK(pfn) __pragma(comment(linker, _CRT_STRINGIZE(/alternatename:___imp_##pfn##=__imp__##pfn##@##n))) 122 | 123 | #ifdef _M_IX86 124 | #define DECLARE_T_HOOK(pfn, n) DECLARE_T_HOOK_X86(pfn, n) 125 | #else 126 | #define DECLARE_T_HOOK(pfn, n) _DECLARE_T_HOOK(pfn) 127 | #endif 128 | 129 | #define T_HOOKS_BEGIN(name) T_HOOK_ENTRY name[] = { 130 | #define T_HOOK(pfn) { &__imp_ ## pfn, hook_ ## pfn } 131 | #define T_HOOKS_END() }; 132 | 133 | -------------------------------------------------------------------------------- /detour/detour.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Release 6 | Win32 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 17.0 15 | {9CD908E6-3DCA-40C4-9299-D81AD0B88E0D} 16 | detour 17 | Win32Proj 18 | $(SolutionDir)MSBuild\v4.0 19 | 10.0 20 | 21 | 22 | 23 | StaticLibrary 24 | v143 25 | Unicode 26 | true 27 | 28 | 29 | StaticLibrary 30 | v143 31 | Unicode 32 | true 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | <_ProjectFileVersion>17.0.32819.101 46 | 47 | 48 | $(SolutionDir)$(Configuration)\ 49 | 50 | 51 | $(SolutionDir)$(Platform)\$(Configuration)\ 52 | 53 | 54 | 55 | MaxSpeed 56 | Default 57 | true 58 | Size 59 | true 60 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) 61 | true 62 | 63 | MultiThreadedDLL 64 | false 65 | false 66 | NotUsing 67 | Level4 68 | ProgramDatabase 69 | StdCall 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | 78 | 79 | X64 80 | 81 | 82 | MaxSpeed 83 | Default 84 | true 85 | Size 86 | true 87 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) 88 | true 89 | 90 | MultiThreadedDLL 91 | false 92 | false 93 | NotUsing 94 | Level4 95 | ProgramDatabase 96 | StdCall 97 | 98 | 99 | true 100 | 101 | 102 | 103 | 104 | 105 | NotUsing 106 | NotUsing 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 
121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /detour/detour.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | Source Files 26 | 27 | 28 | Source Files 29 | 30 | 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /detour/detour.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /detour/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // detour.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /detour/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | 9 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from 
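Windows headers

#include "../inc/StdAfx.h"

// TODO: reference additional headers your program requires here
#pragma init_seg(lib)

// ==== /detour/threads.cpp ====
#include "StdAfx.h"

_NT_BEGIN
#include "threads.h"

// decorated import-slot name on this architecture; force the Dbg_Print slot to be linked
#ifdef _X86_
#define __IMP(x) _imp__ ## x
#pragma comment(linker, "/include:__imp__Dbg_Print")
#else
#define __IMP(x) __imp_ ## x
#pragma comment(linker, "/include:__imp_Dbg_Print")
#endif

// thread enumeration by handle cursor: ThreadHandle == 0 starts the walk
EXTERN_C
NTSYSAPI
NTSTATUS NTAPI NtGetNextThread(
	_In_ HANDLE ProcessHandle,
	_In_ HANDLE ThreadHandle,
	_In_ ACCESS_MASK DesiredAccess,
	_In_ ULONG HandleAttributes,
	_In_ ULONG Flags,
	_Out_ PHANDLE NewThreadHandle
	);

// no-op printf-style sink; the default target of the Dbg_Print slot (see DBG_PRINT_ON/OFF)
void __cdecl Nop_Print(_In_z_ _Printf_format_string_ PCSTR , ...)
{
}

EXTERN_C PVOID __IMP(Dbg_Print) = Nop_Print;

// One suspended thread: its captured CONTEXT (base), an open handle with
// suspend/resume and get/set-context access, and the link to the next entry.
struct ThreadInfo : CONTEXT
{
	HANDLE hThread = 0;
	ThreadInfo* next = 0;
	HANDLE UniqueThread; // for debug only

	~ThreadInfo()
	{
		Dbg_Print("%s<%p>(%p)\n", __FUNCTION__, this, UniqueThread);
	}

	// Zero the CONTEXT base and request only the control registers (CONTEXT_CONTROL)
	// for ZwGetContextThread/ZwSetContextThread — MovePc only touches Eip/Rip.
	// The template argument <CONTEXT*> was lost in the listing and is restored here.
	ThreadInfo(HANDLE UniqueThread) : UniqueThread(UniqueThread)
	{
		RtlZeroMemory(static_cast<CONTEXT*>(this), sizeof(CONTEXT));
		ContextFlags = CONTEXT_CONTROL;
		Dbg_Print("%s<%p>(%p)\n", __FUNCTION__, this, UniqueThread);
	}
};

// Resumes every thread in the list and frees all entries. next: list head, may be 0.
void ResumeAndFree(_In_ ThreadInfo* next)
{
	if (ThreadInfo* pti = next)
	{
		do
		{
			next = pti->next;

			if (HANDLE hThread = pti->hThread)
			{
				ZwResumeThread(hThread, 0);
				NtClose(hThread);
			}

			delete pti;

		} while (pti = next);
	}
}

// Suspends every thread in the current process except the caller and records each
// one's CONTEXT_CONTROL context.
// ppti: receives the singly linked list (0 when there was nothing to suspend).
// The walk uses NtGetNextThread; the caller's own thread (matched by
// ClientId.UniqueThread) and threads reporting STATUS_THREAD_IS_TERMINATING are
// skipped. On any other failure everything suspended so far is resumed, the list is
// freed, *ppti is set to 0 and the failing status is returned. Handles of suspended
// threads stay open in the list until ResumeAndFree.
// NOTE(review): threads created after they would have been enumerated are not
// covered — the list is only a snapshot of the moment of the walk.
NTSTATUS SuspendAll(_Out_ ThreadInfo** ppti)
{
	ThreadInfo* pti = 0;
	HANDLE ThreadHandle = 0, hThread;
	NTSTATUS status;
	BOOL bClose = FALSE;

	HANDLE UniqueThread = (HANDLE)GetCurrentThreadId();

loop:
	status = NtGetNextThread(NtCurrentProcess(), ThreadHandle,
		THREAD_QUERY_LIMITED_INFORMATION|THREAD_SUSPEND_RESUME|THREAD_GET_CONTEXT|THREAD_SET_CONTEXT,
		0, 0, &hThread);

	// the previous cursor handle is closed only if it was not kept in the list
	if (bClose)
	{
		NtClose(ThreadHandle);
		bClose = FALSE;
	}

	if (0 <= status)
	{
		ThreadHandle = hThread;

		THREAD_BASIC_INFORMATION tbi;

		if (0 <= (status = ZwQueryInformationThread(hThread, ThreadBasicInformation, &tbi, sizeof(tbi), 0)))
		{
			// never suspend ourselves
			if (tbi.ClientId.UniqueThread == UniqueThread)
			{
				bClose = TRUE;
				goto loop;
			}

			if (0 <= (status = ZwSuspendThread(hThread, 0)))
			{
				// assumes a non-throwing operator new that returns 0 on failure (project CRT — confirm)
				status = STATUS_NO_MEMORY;

				if (ThreadInfo* next = new ThreadInfo(tbi.ClientId.UniqueThread))
				{
					if (0 <= (status = ZwGetContextThread(hThread, next)))
					{
						// keep the handle: it stays the enumeration cursor and is closed by ResumeAndFree
						next->next = pti;
						pti = next;
						next->hThread = hThread;
						goto loop;
					}

					delete next;
				}

				ZwResumeThread(hThread, 0);
			}
		}

		// a thread that is going away is skipped, not treated as an error
		if (status == STATUS_THREAD_IS_TERMINATING)
		{
			bClose = TRUE;
			goto loop;
		}

		NtClose(hThread);
	}

	switch (status)
	{
	case STATUS_NO_MORE_ENTRIES:
	case STATUS_SUCCESS:
		*ppti = pti;
		return STATUS_SUCCESS;
	}

	ResumeAndFree(pti);

	*ppti = 0;
	return status;
}

#if defined(_M_IX86)
#define Xip Eip
#elif defined (_M_X64)
#define Xip Rip
#else
#error
#endif

#include "threads.h"

// For every suspended thread in pti whose program counter lies in [PcFrom, PcFrom+cb),
// moves it to the same offset within [PcTo, ...), adding Lens->add1/add2 when the
// offset is at or past Lens->ofs1/ofs2 (branches whose encoding changed size between
// the two copies). pti may be 0.
// Returns TRUE if every ZwSetContextThread succeeded (including when no thread needed
// moving), FALSE otherwise. Previously fOk was never set to TRUE, so the function
// always returned FALSE regardless of outcome; callers in detour.cpp ignore the result.
BOOLEAN MovePc(_In_ ThreadInfo* pti, _In_ ULONG_PTR PcFrom, _In_ ULONG_PTR PcTo, _In_ ULONG cb, _In_ DTA* Lens)
{
	BOOLEAN fOk = TRUE;

	if (pti)
	{
		do
		{
			// unsigned difference: a PC below PcFrom wraps to a huge value and fails the range test
			SIZE_T s = pti->Xip - PcFrom;

			if (s < cb)
			{
				pti->Xip = PcTo + s;

				ULONG ofs;

				if (ofs = Lens->ofs1)
				{
					if (ofs <= s)
					{
						pti->Xip += Lens->add1;
					}
				}

				if (ofs = Lens->ofs2)
				{
					if (ofs <= s)
					{
						pti->Xip += Lens->add2;
					}
				}

				Dbg_Print("MovePc: %p -> %p\n", PcFrom + s, pti->Xip);

				if (0 > ZwSetContextThread(pti->hThread, pti))
				{
					fOk = FALSE;
				}
			}

		} while (pti = pti->next);
	}

	return fOk;
}

_NT_END

// ==== /detour/threads.h ====
#pragma once

// Up to two branch instructions whose encoding changed size when code was moved
// (filled in by Z_DETOUR_TRAMPOLINE::Expand): a PC at or past ofsN is shifted by
// addN when MovePc relocates it.
struct DTA
{
	ULONG ofs1, ofs2;
	LONG add1, add2;
};

struct ThreadInfo;

BOOLEAN MovePc(_In_ ThreadInfo* pti, _In_ ULONG_PTR PcFrom, _In_ ULONG_PTR PcTo, _In_ ULONG cb, _In_ DTA* Lens);

// debug print slot; routed to DbgPrint or Nop_Print by DBG_PRINT_ON/OFF (detour.h)
EXTERN_C
NTSYSAPI
ULONG
__cdecl
Dbg_Print (
	_In_z_ _Printf_format_string_ PCSTR Format,
	...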
20 | ); -------------------------------------------------------------------------------- /detour/x64/detour.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/detour/x64/detour.lib -------------------------------------------------------------------------------- /detour/x86/detour.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/detour/x86/detour.lib -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | The code in Payload<32|64>.dll searches for 2 | 3 | ```cpp 4 | UNICODE_STRING LdrpKernel32DllName = RTL_CONSTANT_STRING(L"KERNEL32.DLL"); 5 | ``` 6 | 7 | inside ntdll and, if found, overwrites `KERNEL32.DLL` in the newly created process with the name of its own "bootstrap" DLL ( LdrpKernel<32|64>.dll ). 8 | As a result LdrpKernel<32|64>.dll is loaded into the new process. It currently must export 2 APIs: 9 | BaseThreadInitThunk and TermsrvGetWindowsDirectoryW 10 | 11 | ```cpp 12 | EXTERN_C 13 | WINBASEAPI 14 | NTSTATUS 15 | FASTCALL 16 | BaseThreadInitThunk(BOOL bInitializeTermsrv, 17 | LPTHREAD_START_ROUTINE lpStartAddress, 18 | PVOID lpParameter 19 | ); 20 | ``` 21 | 22 | `BaseThreadInitThunk` with `bInitializeTermsrv = true` is called just before the loader begins initializing the exe's statically linked DLLs. 23 | Here we can load Payload<32|64>.dll and initialize it. 24 | As a result the code of Payload<32|64>.dll runs not only before the exe entry point (for that alone, queueing an APC in the first thread of the new process is enough) 25 | but also before TLS initializers and the other DLLs. The whole point of this technique is that early control. 
26 | Injection works for all 4 cases ( 32->32, 32->64, 64->64, 64->32 ). 27 | For the 32->64 case, 64-bit code must be executed inside the WOW64 process ( 64IN32 project ). 28 | 29 | test<64|32>.bat runs the test. 30 | 31 | Payload<32|64>.dll is loaded into regsvr32.exe and starts cmd.exe with injection. 32 | Payload<32|64>.dll hooks CreateProcessInternalW to inject into any processes created from there on (if any). Run this only in a disposable test VM: every process started from a hooked one is injected in turn. Note that the bootstrap DLL's BaseThreadInitThunk strips the injector's parameters from the PEB command line before the exe runs, so later readers of ProcessParameters->CommandLine see only the original command line. -------------------------------------------------------------------------------- /release/LdrpKernel32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/release/LdrpKernel32.dll -------------------------------------------------------------------------------- /release/LdrpKernel32.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/release/LdrpKernel32.lib -------------------------------------------------------------------------------- /release/Payload32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/release/Payload32.dll -------------------------------------------------------------------------------- /release/cta.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/release/cta.exe -------------------------------------------------------------------------------- /release/detour.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/release/detour.lib -------------------------------------------------------------------------------- /test32.bat: 
-------------------------------------------------------------------------------- 1 | %systemroot%\syswow64\regsvr32.exe /s payload32.dll -------------------------------------------------------------------------------- /test64.bat: -------------------------------------------------------------------------------- 1 | %systemroot%\system32\regsvr32.exe /s payload64.dll -------------------------------------------------------------------------------- /x64/Release/64IN32.map: -------------------------------------------------------------------------------- 1 | 64IN32 2 | 3 | Timestamp is 65e1b9c1 (Fri Mar 1 13:19:29 2024) 4 | 5 | Preferred load address is 0000000140000000 6 | 7 | Start Length Name Class 8 | 0001:00000000 00000138H .text$mn CODE 9 | 0001:00000138 00000398H .text$nm CODE 10 | 0001:000004d0 0000001aH .text$nm$s CODE 11 | 0002:00000000 0000001cH .rdata DATA 12 | 0002:0000001c 00000028H .rdata$voltmd DATA 13 | 0002:00000044 000000b0H .rdata$zzzdbg DATA 14 | 0002:000000f4 0000004cH .xdata DATA 15 | 0003:00000000 00000024H .pdata DATA 16 | 17 | Address Publics by Value Rva+Base Lib:Object 18 | 19 | 0000:00000000 __AbsoluteZero 0000000000000000 20 | 0000:00000000 __arm64x_extra_rfe_table 0000000000000000 21 | 0000:00000000 __arm64x_extra_rfe_table_size 0000000000000000 22 | 0000:00000000 __arm64x_native_entrypoint 0000000000000000 23 | 0000:00000000 __arm64x_redirection_metadata 0000000000000000 24 | 0000:00000000 __arm64x_redirection_metadata_count 0000000000000000 25 | 0000:00000000 __dynamic_value_reloc_table 0000000000000000 26 | 0000:00000000 __enclave_config 0000000000000000 27 | 0000:00000000 __guard_check_icall_a64n_fptr 0000000000000000 28 | 0000:00000000 __guard_eh_cont_count 0000000000000000 29 | 0000:00000000 __guard_eh_cont_table 0000000000000000 30 | 0000:00000000 __guard_fids_count 0000000000000000 31 | 0000:00000000 __guard_fids_table 0000000000000000 32 | 0000:00000000 __guard_flags 0000000000000000 33 | 0000:00000000 __guard_iat_count 
0000000000000000 34 | 0000:00000000 __guard_iat_table 0000000000000000 35 | 0000:00000000 __guard_longjmp_count 0000000000000000 36 | 0000:00000000 __guard_longjmp_table 0000000000000000 37 | 0000:00000000 __hybrid_auxiliary_delayload_iat 0000000000000000 38 | 0000:00000000 __hybrid_auxiliary_delayload_iat_copy 0000000000000000 39 | 0000:00000000 __hybrid_auxiliary_iat 0000000000000000 40 | 0000:00000000 __hybrid_auxiliary_iat_copy 0000000000000000 41 | 0000:00000000 __hybrid_code_map 0000000000000000 42 | 0000:00000000 __hybrid_code_map_count 0000000000000000 43 | 0000:00000000 __x64_code_ranges_to_entry_points 0000000000000000 44 | 0000:00000000 __x64_code_ranges_to_entry_points_count 0000000000000000 45 | 0001:00000000 ep 0000000140000230 f code64.obj 46 | 0001:00000056 NtAllocateVirtualMemory 0000000140000286 f code64.obj 47 | 0001:00000077 NtWriteVirtualMemory 00000001400002a7 f code64.obj 48 | 0001:00000095 NtProtectVirtualMemory 00000001400002c5 f code64.obj 49 | 0001:000000b5 NtFreeVirtualMemory 00000001400002e5 f code64.obj 50 | 0001:000000d5 RtlImageNtHeader 0000000140000305 f code64.obj 51 | 0001:000000f2 RtlEqualUnicodeString 0000000140000322 f code64.obj 52 | 0001:00000114 RtlInitUnicodeString 0000000140000344 f code64.obj 53 | 0001:00000138 ?GetFuncAddress@NT@@YAPEAXPEBD@Z 0000000140000368 f GetFuncAddr.obj 54 | 0001:00000254 ?FindLdrpKernel32DllName@NT@@YAPEAXPEA_K@Z 0000000140000484 f nobase.obj 55 | 0001:00000390 ?InitBootstrapI@NT@@YAJPEAXPEAPEAXPEB_WK@Z 00000001400005c0 f nobase.obj 56 | 0001:000004d0 ??_C@_1BK@MGMFAEKH@?$AAk?$AAe?$AAr?$AAn?$AAe?$AAl?$AA3?$AA2?$AA?4?$AAd?$AAl?$AAl@FNODOBFM@ 0000000140000700 nobase.obj 57 | 0002:0000001c __volatile_metadata 000000014000073c 58 | 59 | entry point at 0001:00000000 60 | 61 | Static symbols 62 | 63 | 0001:00000038 common_imp_call 0000000140000268 f code64.obj 64 | 0002:000000f4 $unwind$?GetFuncAddress@NT@@YAPEAXPEBD@Z 0000000140000814 GetFuncAddr.obj 65 | 0002:00000110 
$unwind$?FindLdrpKernel32DllName@NT@@YAPEAXPEA_K@Z 0000000140000830 nobase.obj 66 | 0002:00000128 $unwind$?InitBootstrapI@NT@@YAJPEAXPEAPEAXPEB_WK@Z 0000000140000848 nobase.obj 67 | -------------------------------------------------------------------------------- /x64/Release/64btr.asm: -------------------------------------------------------------------------------- 1 | DQ 000001025048B4865h 2 | DQ 028EC834850944800h 3 | DQ 044C78B44D28BC98Bh 4 | DQ 0E80774D28548CE8Bh 5 | DQ 029E805EB0000036Ch 6 | DQ 0C148D08B48000002h 7 | DQ 0C35C28C4834820EAh 8 | DQ 08348515250415141h 9 | DQ 000EEE8C88B4828ECh 10 | DQ 05A5928C483480000h 11 | DQ 08D48E0FF59415841h 12 | DQ 04ED9EB0000000205h 13 | DQ 07461636F6C6C4174h 14 | DQ 06C61757472695665h 15 | DQ 0480079726F6D654Dh 16 | DQ 0B8EB00000002058Dh 17 | DQ 0566574697257744Eh 18 | DQ 0654D6C6175747269h 19 | DQ 0058D480079726F6Dh 20 | DQ 0744E9AEB00000002h 21 | DQ 056746365746F7250h 22 | DQ 0654D6C6175747269h 23 | DQ 0058D480079726F6Dh 24 | DQ 0FFFF77E900000005h 25 | DQ 05665657246744EFFh 26 | DQ 0654D6C6175747269h 27 | DQ 0058D480079726F6Dh 28 | DQ 0FFFF57E900000005h 29 | DQ 067616D496C7452FFh 30 | DQ 06564616548744E65h 31 | DQ 0000005058D480072h 32 | DQ 07452FFFFFF3AE900h 33 | DQ 06E556C617571456Ch 34 | DQ 072745365646F6369h 35 | DQ 005058D4800676E69h 36 | DQ 0FFFFFF18E9000000h 37 | DQ 05574696E496C7452h 38 | DQ 0745365646F63696Eh 39 | DQ 0CCCCCC00676E6972h 40 | DQ 04808588948C48B48h 41 | DQ 04818708948106889h 42 | DQ 04155415441207889h 43 | DQ 025048B4865574156h 44 | DQ 048E18B4C00000030h 45 | DQ 04818428B4860508Bh 46 | DQ 04910428B4C30508Bh 47 | DQ 088038C8B463C5863h 48 | DQ 08B41C8034D000000h 49 | DQ 003491C718B452069h 50 | DQ 0F0034D24798B45E8h 51 | DQ 045F8034D18598B45h 52 | DQ 000000093840FDB85h 53 | DQ 0EAD141F633D38B45h 54 | DQ 08B41EA8B45C48B49h 55 | DQ 0034900954C8B42FAh 56 | DQ 0143A108ACC2B49C8h 57 | DQ 0D284C0FF48487508h 58 | DQ 0D3490F453BEBF275h 59 | DQ 045F0490F01458D41h 60 | DQ 0445473F23B41DA8Bh 61 | DQ 
0EAD141C48B49D603h 62 | DQ 08B42FA8B41EA8B45h 63 | DQ 02B49D00349009554h 64 | DQ 00B75100C3A088AD4h 65 | DQ 033F275C984C0FF48h 66 | DQ 001C983C91B05EBC9h 67 | DQ 004B70F41B875C985h 68 | DQ 000008C038C8B427Fh 69 | DQ 0C0034986048B4100h 70 | DQ 03B48D12B49D08B48h 71 | DQ 08B48C033CC0373D1h 72 | DQ 030246C8B4828245Ch 73 | DQ 07C8B483824748B48h 74 | DQ 05D415E415F414024h 75 | DQ 0245C8948CCC35C41h 76 | DQ 0565508244C894818h 77 | DQ 04156415541544157h 78 | DQ 08B486530EC834857h 79 | DQ 08B48000000302504h 80 | DQ 08B4818428B486050h 81 | DQ 0854D10628B4C3050h 82 | DQ 049000000E6840FE4h 83 | DQ 048FFFFFE3EE8CC8Bh 84 | DQ 0000000D5840FC085h 85 | DQ 0840FF6850670B70Fh 86 | DQ 01478B70F000000C9h 87 | DQ 0034820C78348ED33h 88 | DQ 0000000251C478BF8h 89 | DQ 0850F400000003DC0h 90 | DQ 04739078B00000097h 91 | DQ 010F8830847420F08h 92 | DQ 08B4400000085860Fh 93 | DQ 0C149F0788D4C046Fh 94 | DQ 00001DF158D4803EFh 95 | DQ 024448948EC034D00h 96 | DQ 0244C8D48C7FF4178h 97 | DQ 0FFFE0BE8DD8B4920h 98 | DQ 03966202444B70FFFh 99 | DQ 0222444B70F467503h 100 | DQ 08B4C3B7502433966h 101 | DQ 0317501C6F6410873h 102 | DQ 03B48C52B49C68B49h 103 | DQ 001B0412473782444h 104 | DQ 0CB8B482024548D48h 105 | DQ 074C084FFFFFDADE8h 106 | DQ 08B482775ED854810h 107 | DQ 0894CEB8B48702444h 108 | DQ 0C7834108C3834830h 109 | DQ 08328C78348A675FFh 110 | DQ 0FFFFFF49850FFFC6h 111 | DQ 048C03302EBC58B48h 112 | DQ 04800000080249C8Bh 113 | DQ 0415E415F4130C483h 114 | DQ 0CCC35D5E5F5C415Dh 115 | DQ 074894808245C8948h 116 | DQ 05518247C89481024h 117 | DQ 048EC8B4857415641h 118 | DQ 08B45FA8B4C60EC83h 119 | DQ 048D08B49F98B48F1h 120 | DQ 051E8F08B49E84D8Dh 121 | DQ 000D8658348FFFFFDh 122 | DQ 0C7C03345D04D8D4Ch 123 | DQ 04800000004282444h 124 | DQ 048D075894CD8558Dh 125 | DQ 01000202444C7CF8Bh 126 | DQ 08BFFFFFC67E80000h 127 | DQ 00000B0880FC085D8h 128 | DQ 0CE8B45D8558B4800h 129 | DQ 08B4C002024648348h 130 | DQ 0FFFC66E8CF8B48C6h 131 | DQ 0487778C085D88BFFh 132 | DQ 049D0458D4CD8458Bh 133 | DQ 0BE41E0558D48378Bh 
134 | DQ 0F045894800000010h 135 | DQ 0E075894838458D48h 136 | DQ 048D075894CCF8B48h 137 | DQ 0F44E8D4520244489h 138 | DQ 085D88BFFFFFC48E8h 139 | DQ 020246483483B78C0h 140 | DQ 0CE8B45E8458D4C00h 141 | DQ 00CE8CF8B48D68B48h 142 | DQ 04C384D8B44FFFFFCh 143 | DQ 0558D48D88BD0458Dh 144 | DQ 0CF8B4838458D48E0h 145 | DQ 0FC0BE82024448948h 146 | DQ 083481B79DB85FFFFh 147 | DQ 041D0458D4C00D065h 148 | DQ 0558D4800008000B9h 149 | DQ 0FFFC0CE8CF8B48D8h 150 | DQ 0C38B60245C8D4CFFh 151 | DQ 028738B49205B8B49h 152 | DQ 041E38B49307B8B49h 153 | DQ 0CCCCCCC35D5E415Fh 154 | DQ 0CCCCCCCCCCCCCCCCh 155 | DQ 0006E00720065006Bh 156 | DQ 000320033006C0065h 157 | DQ 0006C006C0064002Eh 158 | DQ 00000000000000000h 159 | -------------------------------------------------------------------------------- /x64/Release/LdrpKernel64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/x64/Release/LdrpKernel64.dll -------------------------------------------------------------------------------- /x64/Release/Payload64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/x64/Release/Payload64.dll -------------------------------------------------------------------------------- /x64/Release/detour.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/x64/Release/detour.lib -------------------------------------------------------------------------------- /x64/Release/detour.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rbmm/LdrpKernel32DllName/3aec3c76ab82e59654e4c4fab091ad58eead7c43/x64/Release/detour.pdb 
// Detour target for CreateProcessInternalW (installed by DoInit via TrHook).
// Every process created through the hooked function is started by
// DLL_INFO::CreateProcessWithDll instead: suspended, patched so that its ntdll
// loads LdrpKernelNN.dll from *this DLL's directory* in place of kernel32.dll,
// then resumed.  15591 is the ordinal of the DoInit export (exports.def) that
// the bootstrap calls inside the child.
//
// Parameters are forwarded unchanged to CreateProcessWithDll.  Returns TRUE
// only when that call returned NOERROR; the last-error value is always set
// from hr.
//
// NOTE(review), security:
//  * The injection propagates into children created under a *different*
//    token (hToken).  A privileged host that spawns lower-privileged children
//    through this hook makes them load a DLL chosen by the host's own
//    directory -- which the child must also be able to read.
//  * SetLastError() receives an HRESULT here (E_OUTOFMEMORY, or the
//    HRESULT_FROM_NT / HRESULT_FROM_WIN32 value from CreateProcessWithDll),
//    not the Win32 code CreateProcess* callers expect; a wcsrchr() miss is
//    also reported as E_OUTOFMEMORY.  Code left unchanged in this pass.
BOOL
WINAPI
hook_CreateProcessInternalW (
	_In_opt_ HANDLE hToken,
	_In_opt_ PCWSTR lpApplicationName,
	_Inout_opt_ PWSTR lpCommandLine,
	_In_opt_ PSECURITY_ATTRIBUTES lpProcessAttributes,
	_In_opt_ PSECURITY_ATTRIBUTES lpThreadAttributes,
	_In_ BOOL bInheritHandles,
	_In_ DWORD dwCreationFlags,
	_In_opt_ PVOID lpEnvironment,
	_In_opt_ PCWSTR lpCurrentDirectory,
	_In_ STARTUPINFOW* lpStartupInfo,
	_Out_ PPROCESS_INFORMATION lpProcessInformation,
	_Out_opt_ PHANDLE phNewToken
	)
{
	HRESULT hr = E_OUTOFMEMORY;

	// MINSHORT is used as a (positive) element count, i.e. it is expected to be
	// the 0x8000 winnt.h define -- TODO confirm.  operator new[] in stdafx.cpp is
	// HeapAlloc-based and returns 0 instead of throwing, hence the null test.
	if (PWSTR psz = new WCHAR[MINSHORT])
	{
		// Full path of this DLL; its directory is where LdrpKernelNN.dll and
		// PayloadNN.dll are expected to live (see DLL_INFO::InitBootstrap).
		if (GetModuleFileNameW((HMODULE)&__ImageBase, psz, MINSHORT))
		{
			if (PWSTR pc = wcsrchr(psz, '\\'))
			{
				*pc = 0;   // strip the file name, keep the directory
				DLL_INFO di { psz, 15591 };

				hr = di.CreateProcessWithDll(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
					bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, phNewToken);
			}
		}
		else
		{
			hr = GetLastError();
		}
		delete [] psz;
	}

	SetLastError(hr);

	return hr == NOERROR;
}
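// regsvr32 entry point (test32.bat / test64.bat): demonstrates the injection
// by spawning %COMSPEC% through the hooked CreateProcessInternalW path, so the
// child is started with LdrpKernelNN.dll / PayloadNN.dll from this DLL's
// directory.  Always returns S_OK; a failure only shows as the missing
// "Demo from ..." box in the child.
//
// NOTE(review): the executable is taken verbatim from the COMSPEC environment
// variable, which anyone able to write this process's environment controls.
// Fine for a demo; not something to reuse in a privileged context.
STDAPI DllRegisterServer()
{
	MessageBoxW(0, GetCommandLineW(), L"Start", MB_ICONINFORMATION);

	// The hook forwards to the real CreateProcessInternalW; without it there is
	// nothing to demonstrate.
	if (!(__imp_CreateProcessInternalW = GetCreateAddr()))
	{
		return S_OK;
	}

	WCHAR comspec[MAX_PATH];

	// When the buffer is too small GetEnvironmentVariableW returns the required
	// size (>= _countof) and the buffer contents are not a usable path; the
	// original accepted any non-zero return and would have launched whatever
	// was in `comspec`.
	auto cch = GetEnvironmentVariableW(L"comspec", comspec, _countof(comspec));
	if (cch && cch < _countof(comspec))
	{
		STARTUPINFOW si = { sizeof(si) };
		PROCESS_INFORMATION pi;

		if (hook_CreateProcessInternalW(0, comspec, 0, 0, 0, 0, 0, 0, 0, &si, &pi, 0))
		{
			// The child is not waited on; just release our handles.
			NtClose(pi.hThread);
			NtClose(pi.hProcess);
		}
	}

	return S_OK;
}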
| ULONG Ordinal; 27 | 28 | HRESULT InitBootstrap(HANDLE hProcess, PVOID pKernel32, ULONG64 Str, PVOID bWow); 29 | 30 | HRESULT CreateProcessWithDll( 31 | _In_opt_ HANDLE hToken, 32 | _In_opt_ PCWSTR lpApplicationName, 33 | _In_opt_ PCWSTR lpCommandLine, 34 | _In_opt_ PSECURITY_ATTRIBUTES lpProcessAttributes, 35 | _In_opt_ PSECURITY_ATTRIBUTES lpThreadAttributes, 36 | _In_ BOOL bInheritHandles, 37 | _In_ DWORD dwCreationFlags, 38 | _In_opt_ PVOID lpEnvironment, 39 | _In_opt_ PCWSTR lpCurrentDirectory, 40 | _In_ STARTUPINFOW* lpStartupInfo, 41 | _Out_ PPROCESS_INFORMATION lpProcessInformation, 42 | _Out_opt_ PHANDLE phNewToken 43 | ); 44 | }; 45 | -------------------------------------------------------------------------------- /yYy/inject32.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | #ifdef _WIN64 4 | #error 5 | #endif 6 | 7 | _NT_BEGIN 8 | 9 | #include "inject.h" 10 | 11 | //#define _PRINT_CPP_NAMES_ 12 | #include "../inc/asmfunc.h" 13 | 14 | ULONG64 FASTCALL FindLdrpKernel3264DllName(PULONG64 pBuf64)ASM_FUNCTION; 15 | 16 | NTSTATUS FASTCALL InitBootstrapI64(HANDLE hProcess, 17 | PVOID ppKernel32, 18 | PCWSTR pszBootstrapDll, 19 | ULONG cb)ASM_FUNCTION; 20 | 21 | ULONG GetSectionSize(PIMAGE_SECTION_HEADER pish) 22 | { 23 | if ((pish->Characteristics & (IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE)) == IMAGE_SCN_MEM_READ) 24 | { 25 | ULONG VirtualSize = pish->Misc.VirtualSize, SizeOfRawData = pish->SizeOfRawData; 26 | 27 | return SizeOfRawData < VirtualSize ? 
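// Locate ntdll's private LdrpKernel32DllName UNICODE_STRING in this (32-bit)
// process: scan the file-backed, read-only part of every ntdll section
// (GetSectionSize) for a UNICODE_STRING whose Length/MaximumLength equal those
// of L"kernel32.dll", whose Buffer is WCHAR-aligned and lies inside the same
// section, and whose characters compare equal case-insensitively.
//
// pBuffer receives the address of the matched characters.  Returns the address
// of the UNICODE_STRING, or 0 if ntdll/its headers cannot be found, nothing
// matched, or more than one candidate matched (ambiguous -> refuse).
//
// The addresses are later reused in a suspended child (InitBootstrapI), which
// relies on ntdll being mapped at one system-wide base for all processes of
// this bitness until reboot.
//
// Fix vs. the original: only the first byte of a candidate Buffer was
// bounds-checked, so RtlEqualUnicodeString could read past the section end for
// a candidate near its tail; the whole MaximumLength must now fit.
PVOID FindLdrpKernel32DllName(_Out_ PULONG_PTR pBuffer)
{
	PVOID hmod = GetModuleHandleW(L"ntdll");
	if (!hmod)
	{
		return 0;
	}

	PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod);
	if (!pinth)
	{
		return 0;
	}

	ULONG NumberOfSections = pinth->FileHeader.NumberOfSections;
	if (!NumberOfSections)
	{
		return 0;
	}

	// Reference string, built once instead of once per section.
	UNICODE_STRING kernel32;
	RtlInitUnicodeString(&kernel32, L"kernel32.dll");

	PVOID pstr = 0;
	PIMAGE_SECTION_HEADER pish = IMAGE_FIRST_SECTION(pinth);

	do
	{
		ULONG VirtualSize = GetSectionSize(pish);

		// The section must be able to hold a UNICODE_STRING and the
		// MaximumLength bytes (name + terminator) it would point at.
		if (VirtualSize > sizeof(UNICODE_STRING) && VirtualSize >= kernel32.MaximumLength)
		{
			// Number of aligned offsets at which a whole UNICODE_STRING fits.
			ULONG n = 1 + (VirtualSize - sizeof(UNICODE_STRING)) / __alignof(UNICODE_STRING);

			union {
				PVOID pv;
				PUNICODE_STRING str;
				ULONG_PTR up;
			};

			PVOID VirtualAddress = RtlOffsetToPointer(hmod, pish->VirtualAddress);
			pv = VirtualAddress;

			do
			{
				if (str->Length == kernel32.Length &&
					str->MaximumLength == kernel32.MaximumLength)
				{
					ULONG_PTR Buffer = (ULONG_PTR)str->Buffer;

					// A Buffer below VirtualAddress wraps to a huge offset and
					// fails the range test, as intended.
					if (!(Buffer & (__alignof(WCHAR) - 1)) &&
						Buffer - (ULONG_PTR)VirtualAddress <= VirtualSize - kernel32.MaximumLength &&
						RtlEqualUnicodeString(str, &kernel32, TRUE))
					{
						if (pstr)
						{
							return 0;   // second match: ambiguous
						}

						pstr = pv, *pBuffer = Buffer;
					}
				}
			} while (up += __alignof(UNICODE_STRING), --n);
		}

	} while (pish++, --NumberOfSections);

	return pstr;
}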
114 | { 115 | if (0 <= (status = ZwWriteVirtualMemory(hProcess, Buffer, const_cast(pszBootstrapDll), cb, 0))) 116 | { 117 | ULONG op; 118 | PVOID BaseAddress = pKernel32; 119 | str.Buffer = (PWSTR)Buffer; 120 | 121 | if (0 <= (status = ZwProtectVirtualMemory(hProcess, &BaseAddress, &(s = sizeof(UNICODE_STRING)), PAGE_READWRITE, &op))) 122 | { 123 | status = ZwWriteVirtualMemory(hProcess, pKernel32, &str, sizeof(UNICODE_STRING), 0); 124 | ZwProtectVirtualMemory(hProcess, &BaseAddress, &s, op, &op); 125 | } 126 | } 127 | 128 | if (0 > status) 129 | { 130 | ZwFreeVirtualMemory(hProcess, (void**)&Buffer, &(s = 0), MEM_RELEASE); 131 | } 132 | } 133 | 134 | return status; 135 | } 136 | 137 | HRESULT DLL_INFO::InitBootstrap(HANDLE hProcess, PVOID pKernel32, ULONG64 Str, PVOID bWow) 138 | { 139 | PCWSTR psz = lpPathName; 140 | 141 | ULONG u = !bWow && gWow ? 64 : 32; 142 | 143 | NTSTATUS status = STATUS_INTERNAL_ERROR; 144 | 145 | int len = 0; 146 | PWSTR buf = 0; 147 | 148 | while (0 < (len = _snwprintf(buf, len, L"%s\\LdrpKernel%u.dll%c%I64X*%s\\Payload%u.dll%c%x", psz, u, 0, Str, psz, u, 0, Ordinal))) 149 | { 150 | if (buf) 151 | { 152 | status = (gWow && !bWow ? InitBootstrapI64 : InitBootstrapI)(hProcess, pKernel32, buf, len * sizeof(WCHAR)); 153 | break; 154 | } 155 | 156 | ++len; 157 | if (!(buf = (PWSTR)_malloca(len * sizeof(WCHAR)))) 158 | { 159 | status = STATUS_NO_MEMORY; 160 | break; 161 | } 162 | } 163 | 164 | if (buf) 165 | { 166 | _freea(buf); 167 | } 168 | 169 | return status ? 
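// Start a process through the real CreateProcessInternalW and make its ntdll
// load "<lpPathName>\LdrpKernelNN.dll" in place of kernel32.dll.
//
// The child is always created CREATE_SUSPENDED.  InitBootstrap then copies the
// bootstrap path into it and overwrites ntdll's LdrpKernel32DllName string
// there, at the address found in *this* process (ntdll -- and under WoW64 the
// 64-bit ntdll -- share one base across processes until reboot).  The initial
// thread is resumed only if the caller did not ask for CREATE_SUSPENDED.  The
// command line is prefixed with "<p32>*<p64>*" so the bootstrap can locate the
// string it was loaded through.
//
// Parameters mirror CreateProcessInternalW.  On success *lpProcessInformation
// describes the live child and S_OK is returned.  On any failure after the
// child exists it is terminated, its handles are closed and
// *lpProcessInformation is zeroed so the caller cannot act on recycled handle
// values.  Errors come back as HRESULT_FROM_WIN32 of a Win32 code or as an
// HRESULT_FROM_NT of the failing NTSTATUS.
HRESULT
DLL_INFO::CreateProcessWithDll(
	_In_opt_ HANDLE hToken,
	_In_opt_ PCWSTR lpApplicationName,
	_In_opt_ PCWSTR lpCommandLine,
	_In_opt_ PSECURITY_ATTRIBUTES lpProcessAttributes,
	_In_opt_ PSECURITY_ATTRIBUTES lpThreadAttributes,
	_In_ BOOL bInheritHandles,
	_In_ DWORD dwCreationFlags,
	_In_opt_ PVOID lpEnvironment,
	_In_opt_ PCWSTR lpCurrentDirectory,
	_In_ STARTUPINFOW* lpStartupInfo,
	_Out_ PPROCESS_INFORMATION lpProcessInformation,
	_Out_opt_ PHANDLE phNewToken
	)
{
	// Resolved once per process.  Two first callers racing here compute the
	// same values, so the unsynchronised statics are benign.
	static PVOID pKernel32_32 = 0;
	static ULONG64 pKernel32_64 = 0;
	static ULONG_PTR pBuf32 = 0;
	static ULONG64 pBuf64 = 0;

	HRESULT hr = ERROR_INTERNAL_ERROR;

	if (!pKernel32_32)
	{
		ULONG_PTR buf;
		PVOID pstr = FindLdrpKernel32DllName(&buf);
		if (!pstr)
		{
			return HRESULT_FROM_NT(STATUS_UNSUCCESSFUL);
		}
		pKernel32_32 = pstr, pBuf32 = buf;
	}

	// gWow != 0 <=> this 32-bit process runs under WoW64 (64-bit OS).  Only
	// then can a 64-bit child appear, and only then is the 64-bit ntdll string
	// needed.
	if (!bWowInit)
	{
		hr = NtQueryInformationProcess(NtCurrentProcess(), ProcessWow64Information, &gWow, sizeof(gWow), 0);
		if (0 > hr)
		{
			return HRESULT_FROM_NT(hr);
		}
		bWowInit = TRUE;
	}

	if (gWow && !pKernel32_64)
	{
		ULONG64 buf;
		ULONG64 pstr = FindLdrpKernel3264DllName(&buf);
		if (!pstr)
		{
			return HRESULT_FROM_NT(STATUS_UNSUCCESSFUL);
		}
		pKernel32_64 = pstr, pBuf64 = buf;
	}

	if (!lpCommandLine)
	{
		lpCommandLine = L"";
	}

	hr = ERROR_INTERNAL_ERROR;

	int len = 0;
	PWSTR lpNewCommandLine = 0;

	// First pass (no buffer) only measures, second pass formats.
	while (0 < (len = _snwprintf(lpNewCommandLine, len, L"%p*%I64X*%s", pKernel32_32, pKernel32_64, lpCommandLine)))
	{
		if (lpNewCommandLine)
		{
			if (!CreateProcessInternalW(hToken, lpApplicationName, lpNewCommandLine,
				lpProcessAttributes, lpThreadAttributes, bInheritHandles,
				dwCreationFlags|CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, phNewToken))
			{
				hr = GetLastError();
				break;
			}

			HANDLE hProcess = lpProcessInformation->hProcess;
			HANDLE hThread = lpProcessInformation->hThread;

			PVOID wow;
			hr = NtQueryInformationProcess(hProcess, ProcessWow64Information, &wow, sizeof(wow), 0);

			if (0 > hr)
			{
				hr = HRESULT_FROM_NT(hr);
			}
			else
			{
				// wow == 0 means "not a WoW64 process": a 64-bit child when we run
				// under WoW64, but also an ordinary 32-bit child on a native 32-bit
				// OS (gWow == 0).  The original treated both as 64-bit and handed
				// InitBootstrap &pKernel32_64 -- an address in *this* process -- in
				// the latter case.  InitBootstrap itself already keys on gWow.
				BOOL bChild32 = wow || !gWow;

				hr = InitBootstrap(hProcess, bChild32 ? pKernel32_32 : &pKernel32_64, bChild32 ? pBuf32 : pBuf64, wow);

				if (0 <= hr && !(dwCreationFlags & CREATE_SUSPENDED))
				{
					// ResumeThread returns (DWORD)-1 on failure, a value that is
					// "true" when viewed as a BOOL, so it is compared explicitly.
					if ((DWORD)-1 == ResumeThread(hThread))
					{
						hr = GetLastError();
						if (!hr)
						{
							hr = ERROR_INTERNAL_ERROR;
						}
					}
				}
			}

			if (hr != NOERROR)
			{
				// Never leave a half-patched, suspended child behind.  The handles
				// in *lpProcessInformation are closed here, so clear them as well.
				// (A token returned through phNewToken, if any, is left to the caller.)
				TerminateProcess(hProcess, 0);
				NtClose(hThread);
				NtClose(hProcess);
				lpProcessInformation->hProcess = 0;
				lpProcessInformation->hThread = 0;
				lpProcessInformation->dwProcessId = 0;
				lpProcessInformation->dwThreadId = 0;
			}
			break;
		}

		// The loader keeps the command line in a UNICODE_STRING; cap its length.
		if (len >= MAXSHORT)
		{
			hr = RPC_S_STRING_TOO_LONG;
			break;
		}

		++len;
		if (!(lpNewCommandLine = (PWSTR)_malloca(len * sizeof(WCHAR))))
		{
			hr = E_OUTOFMEMORY;
			break;
		}
	}

	if (lpNewCommandLine)
	{
		_freea(lpNewCommandLine);
	}

	// Negative values (already HRESULTs) pass through HRESULT_FROM_WIN32
	// unchanged; positive Win32 codes are wrapped.
	return HRESULT_FROM_WIN32(hr);
}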
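// Scan a mapped ntdll image (PE32 or PE32+) for its LdrpKernel32DllName
// UNICODE_STRING: a string in the file-backed, read-only part of a section
// (GetSectionSize) with the Length/MaximumLength of L"kernel32.dll", a
// WCHAR-aligned Buffer pointing back into the same section, and matching
// characters (case-insensitive).
//
// hmod             base of the view in this process: a loaded module, or a raw
//                  view of \KnownDlls32\ntdll.dll (FindLdrpKernel32DllNameWow64).
// pBuffer          receives the address, in this view, of the matched characters.
// TransferAddress  optional.  On entry: the image's entry point at its
//                  system-wide load address (SECTION_IMAGE_INFORMATION.
//                  TransferAddress, see GetTransferAddress).  On return: the
//                  delta (real load base - this view) the caller adds to both
//                  results to get target-process addresses.
// Returns the address, in this view, of the UNICODE_STRING, or 0 when the
// header is neither PE32 nor PE32+, nothing matched, or more than one
// candidate matched (ambiguous -> refuse).
//
// Fixes vs. the original: (1) the minimum section size and the per-section
// candidate counter shared one variable (`n`), so after the first scanned
// section the minimum was 0 and the last candidates straddled the section end;
// (2) only the first byte of a candidate Buffer was range-checked before
// _wcsicmp read through it to a NUL.  Now the whole MaximumLength must fit and
// the terminator is verified before the compare.
PVOID FindLdrpKernel32DllName(_In_ PVOID hmod, _Out_ PULONG_PTR pBuffer, _Inout_ PULONG_PTR TransferAddress = 0)
{
	union {
		PIMAGE_NT_HEADERS pinth;
		PIMAGE_NT_HEADERS32 pinth32;
		PIMAGE_NT_HEADERS64 pinth64;
	};

	if (!(pinth = RtlImageNtHeader(hmod)))
	{
		return 0;
	}

	ULONG algn, cbMin;
	ULONG_PTR ImageBase, AddressOfEntryPoint;
	bool bIs64;

	switch (pinth->OptionalHeader.Magic)
	{
	case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
		ImageBase = pinth32->OptionalHeader.ImageBase;
		AddressOfEntryPoint = pinth32->OptionalHeader.AddressOfEntryPoint;
		algn = __alignof(UNICODE_STRING32);
		cbMin = sizeof(UNICODE_STRING32);
		bIs64 = false;
		break;
	case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
		ImageBase = pinth64->OptionalHeader.ImageBase;
		AddressOfEntryPoint = pinth64->OptionalHeader.AddressOfEntryPoint;
		algn = __alignof(UNICODE_STRING64);
		cbMin = sizeof(UNICODE_STRING64);
		bIs64 = true;
		break;
	default:
		return 0;
	}

	// Buffer fields hold addresses relative to the preferred ImageBase (a raw
	// section view is not relocated); Delta maps them into this view.
	LONG_PTR Delta = (ULONG_PTR)hmod - ImageBase;

	if (TransferAddress)
	{
		*TransferAddress -= (ULONG_PTR)hmod + AddressOfEntryPoint;
	}

	ULONG NumberOfSections = pinth->FileHeader.NumberOfSections;
	if (!NumberOfSections)
	{
		return 0;
	}

	STATIC_UNICODE_STRING(kernel32, "kernel32.dll");

	PVOID pstr = 0;
	PIMAGE_SECTION_HEADER pish = IMAGE_FIRST_SECTION(pinth);

	do
	{
		ULONG VirtualSize = GetSectionSize(pish);

		// The section must hold a UNICODE_STRING of the image's bitness and
		// the MaximumLength bytes (name + terminator) it would point at.
		if (VirtualSize > cbMin && VirtualSize >= kernel32.MaximumLength)
		{
			// Number of aligned offsets at which a whole UNICODE_STRING fits.
			ULONG n = 1 + (VirtualSize - cbMin) / algn;

			union {
				PVOID pv;
				PUNICODE_STRING str;
				PUNICODE_STRING64 str64;
				PUNICODE_STRING32 str32;
				ULONG_PTR up;
			};

			PVOID VirtualAddress = RtlOffsetToPointer(hmod, pish->VirtualAddress);
			pv = VirtualAddress;

			do
			{
				// Length/MaximumLength sit at the same offsets in both layouts.
				if (str->Length == kernel32.Length &&
					str->MaximumLength == kernel32.MaximumLength)
				{
					ULONG_PTR Buffer = bIs64 ? (ULONG_PTR)str64->Buffer : (ULONG_PTR)str32->Buffer;

					if (!(Buffer & (__alignof(WCHAR) - 1)))
					{
						Buffer += Delta;

						// A Buffer below VirtualAddress wraps to a huge offset and
						// fails the range test.  The terminator check keeps
						// _wcsicmp inside the MaximumLength bytes just validated.
						if (Buffer - (ULONG_PTR)VirtualAddress <= VirtualSize - kernel32.MaximumLength &&
							!((PWSTR)Buffer)[kernel32.Length / sizeof(WCHAR)] &&
							!_wcsicmp((PWSTR)Buffer, kernel32.Buffer))
						{
							if (pstr)
							{
								return 0;   // second match: ambiguous
							}

							pstr = pv, *pBuffer = Buffer;
						}
					}
				}
			} while (up += algn, --n);
		}

	} while (pish++, --NumberOfSections);

	return pstr;
}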
// Point the target's ntdll "kernel32.dll" name (the UNICODE_STRING at
// pKernel32, found by FindLdrpKernel32DllName*) at our bootstrap DLL path.
//
// Steps:
//  1. commit `cb` bytes in hProcess and copy pszBootstrapDll there;
//  2. describe that remote copy with a UNICODE_STRING in the target's layout
//     (UNICODE_STRING32 if bWow, else UNICODE_STRING64).  Length/MaximumLength
//     come from RtlInitUnicodeString on the local string, i.e. they cover the
//     text up to its first NUL only;
//  3. make the target string writable, overwrite it, restore the protection.
// If anything after step 1 fails the remote region is released again.
//
// NOTE(review): the `cb` passed by DLL_INFO::InitBootstrap excludes the final
// terminator; the copy is terminated only because the freshly committed region
// is assumed zero-filled -- confirm if this is ever reused with a caller that
// passes a non-fresh buffer.
//
// Returns STATUS_SUCCESS or the NTSTATUS of the first failing call.
NTSTATUS InitBootstrapI(HANDLE hProcess,
						PVOID pKernel32,
						PCWSTR pszBootstrapDll,
						ULONG cb,
						PVOID bWow)
{
	union {
		UNICODE_STRING str;
		UNICODE_STRING32 str32;
		UNICODE_STRING64 str64;
	};

	RtlInitUnicodeString(&str, pszBootstrapDll);

	PVOID RemoteBuffer = 0;
	SIZE_T RegionSize = cb;

	NTSTATUS status = ZwAllocateVirtualMemory(hProcess, &RemoteBuffer, 0, &RegionSize, MEM_COMMIT, PAGE_READWRITE);
	if (0 > status)
	{
		return status;
	}

	status = ZwWriteVirtualMemory(hProcess, RemoteBuffer, (PVOID)pszBootstrapDll, cb, 0);

	if (0 <= status)
	{
		ULONG cbString;

		if (bWow)
		{
			str32.Buffer = (ULONG)(ULONG_PTR)RemoteBuffer;
			cbString = sizeof(UNICODE_STRING32);
		}
		else
		{
			str64.Buffer = (ULONG_PTR)RemoteBuffer;
			cbString = sizeof(UNICODE_STRING64);
		}

		PVOID BaseAddress = pKernel32;
		SIZE_T cbProtect = cbString;
		ULONG OldProtect;

		status = ZwProtectVirtualMemory(hProcess, &BaseAddress, &cbProtect, PAGE_READWRITE, &OldProtect);

		if (0 <= status)
		{
			status = ZwWriteVirtualMemory(hProcess, pKernel32, &str, cbString, 0);
			// Restore whatever protection the page had (OldProtect is reused as
			// the scratch output; its value is not needed afterwards).
			ZwProtectVirtualMemory(hProcess, &BaseAddress, &cbProtect, OldProtect, &OldProtect);
		}
	}

	if (0 > status)
	{
		RegionSize = 0;
		ZwFreeVirtualMemory(hProcess, &RemoteBuffer, &RegionSize, MEM_RELEASE);
	}

	return status;
}
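// Start a process through the real CreateProcessInternalW and make its ntdll
// load "<lpPathName>\LdrpKernelNN.dll" in place of kernel32.dll (64-bit build).
//
// The child is always created CREATE_SUSPENDED.  InitBootstrap then copies the
// bootstrap path into it and overwrites ntdll's LdrpKernel32DllName string
// there, at the address resolved in *this* process (FindLdrpKernel32DllName for
// the native ntdll, FindLdrpKernel32DllNameWow64 for \KnownDlls32\ntdll.dll);
// both ntdlls are mapped at one system-wide base until reboot.  The initial
// thread is resumed only if the caller did not ask for CREATE_SUSPENDED.  The
// command line is prefixed with "<p32>*<p64>*" so the bootstrap can locate the
// string it was loaded through.
//
// NOTE(review): because both addresses go into the command line up front, the
// WoW64 lookup must succeed even for a 64-bit child; on a system without
// WoW64 (\KnownDlls32 absent) every call fails.  Not changed here.
//
// Parameters mirror CreateProcessInternalW.  On success *lpProcessInformation
// describes the live child and S_OK is returned.  On any failure after the
// child exists it is terminated, its handles are closed and
// *lpProcessInformation is zeroed so the caller cannot act on recycled handle
// values.  Errors come back as HRESULT_FROM_WIN32 of a Win32 code or as an
// HRESULT_FROM_NT of the failing NTSTATUS.
HRESULT
DLL_INFO::CreateProcessWithDll(
	_In_opt_ HANDLE hToken,
	_In_opt_ PCWSTR lpApplicationName,
	_In_opt_ PCWSTR lpCommandLine,
	_In_opt_ PSECURITY_ATTRIBUTES lpProcessAttributes,
	_In_opt_ PSECURITY_ATTRIBUTES lpThreadAttributes,
	_In_ BOOL bInheritHandles,
	_In_ DWORD dwCreationFlags,
	_In_opt_ PVOID lpEnvironment,
	_In_opt_ PCWSTR lpCurrentDirectory,
	_In_ STARTUPINFOW* lpStartupInfo,
	_Out_ PPROCESS_INFORMATION lpProcessInformation,
	_Out_opt_ PHANDLE phNewToken
	)
{
	// Resolved once per process.  Two first callers racing here compute the
	// same values, so the unsynchronised statics are benign.
	static PVOID pKernel32_32 = 0, pKernel32_64 = 0;
	static ULONG_PTR pBuf32 = 0, pBuf64 = 0;

	HRESULT hr = ERROR_INTERNAL_ERROR;

	PVOID pstr;
	ULONG_PTR buf;

	if (!pKernel32_64)
	{
		if (!(pstr = FindLdrpKernel32DllName(&buf)))
		{
			return HRESULT_FROM_NT(STATUS_UNSUCCESSFUL);
		}
		pKernel32_64 = pstr, pBuf64 = buf;
	}

	if (!pKernel32_32)
	{
		if (!(pstr = FindLdrpKernel32DllNameWow64(&buf)))
		{
			return HRESULT_FROM_NT(STATUS_UNSUCCESSFUL);
		}
		pKernel32_32 = pstr, pBuf32 = buf;
	}

	if (!lpCommandLine)
	{
		lpCommandLine = L"";
	}

	int len = 0;
	PWSTR lpNewCommandLine = 0;

	// First pass (no buffer) only measures, second pass formats.
	while (0 < (len = _snwprintf(lpNewCommandLine, len, L"%p*%p*%s", pKernel32_32, pKernel32_64, lpCommandLine)))
	{
		if (lpNewCommandLine)
		{
			if (!CreateProcessInternalW(hToken, lpApplicationName, lpNewCommandLine,
				lpProcessAttributes, lpThreadAttributes, bInheritHandles,
				dwCreationFlags|CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, phNewToken))
			{
				hr = GetLastError();
				break;
			}

			HANDLE hProcess = lpProcessInformation->hProcess;
			HANDLE hThread = lpProcessInformation->hThread;

			// wow != 0 <=> the child is a WoW64 (32-bit) process.
			PVOID wow;
			hr = NtQueryInformationProcess(hProcess, ProcessWow64Information, &wow, sizeof(wow), 0);

			if (0 > hr)
			{
				hr = HRESULT_FROM_NT(hr);
			}
			else
			{
				hr = InitBootstrap(hProcess, wow ? pKernel32_32 : pKernel32_64, wow ? pBuf32 : pBuf64, wow);

				if (0 <= hr && !(dwCreationFlags & CREATE_SUSPENDED))
				{
					// ResumeThread returns (DWORD)-1 on failure, a value that is
					// "true" when viewed as a BOOL, so it is compared explicitly.
					if ((DWORD)-1 == ResumeThread(hThread))
					{
						hr = GetLastError();
						if (!hr)
						{
							hr = ERROR_INTERNAL_ERROR;
						}
					}
				}
			}

			if (hr != NOERROR)
			{
				// Never leave a half-patched, suspended child behind.  The handles
				// in *lpProcessInformation are closed here, so clear them as well.
				// (A token returned through phNewToken, if any, is left to the caller.)
				TerminateProcess(hProcess, 0);
				NtClose(hThread);
				NtClose(hProcess);
				lpProcessInformation->hProcess = 0;
				lpProcessInformation->hThread = 0;
				lpProcessInformation->dwProcessId = 0;
				lpProcessInformation->dwThreadId = 0;
			}
			break;
		}

		// The loader keeps the command line in a UNICODE_STRING; cap its length.
		if (len >= MAXSHORT)
		{
			hr = RPC_S_STRING_TOO_LONG;
			break;
		}

		++len;
		if (!(lpNewCommandLine = (PWSTR)_malloca(len * sizeof(WCHAR))))
		{
			hr = E_OUTOFMEMORY;
			break;
		}
	}

	if (lpNewCommandLine)
	{
		_freea(lpNewCommandLine);
	}

	// Negative values (already HRESULTs) pass through HRESULT_FROM_WIN32
	// unchanged; positive Win32 codes are wrapped.
	return HRESULT_FROM_WIN32(hr);
}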
| 8 | void* __cdecl operator new(size_t ByteSize) 9 | { 10 | return HeapAlloc(GetProcessHeap(), 0, ByteSize); 11 | } 12 | 13 | void __cdecl operator delete(void* Buffer) 14 | { 15 | HeapFree(GetProcessHeap(), 0, Buffer); 16 | } 17 | 18 | void __cdecl operator delete(void* Buffer, size_t) 19 | { 20 | HeapFree(GetProcessHeap(), 0, Buffer); 21 | } 22 | 23 | void __cdecl operator delete[](void* Buffer) 24 | { 25 | HeapFree(GetProcessHeap(), 0, Buffer); 26 | } 27 | 28 | void __cdecl operator delete[](void* Buffer, size_t) 29 | { 30 | HeapFree(GetProcessHeap(), 0, Buffer); 31 | } -------------------------------------------------------------------------------- /yYy/stdafx.h: -------------------------------------------------------------------------------- 1 | #define SECURITY_WIN32 2 | #include "../inc/stdafx.h" -------------------------------------------------------------------------------- /yYy/yYy.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Release 6 | Win32 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | 14 | 17.0 15 | {0FDB181E-9880-9B2C-B1F8-62FB9D86679B} 16 | yYy 17 | Win32Proj 18 | $(SolutionDir)MSBuild\v4.0 19 | 10.0 20 | 21 | 22 | 23 | DynamicLibrary 24 | v143 25 | Unicode 26 | true 27 | 28 | 29 | DynamicLibrary 30 | v143 31 | Unicode 32 | true 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | <_ProjectFileVersion>17.0.32819.101 46 | 47 | 48 | $(SolutionDir)$(Configuration)\ 49 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 50 | false 51 | false 52 | 53 | 54 | $(SolutionDir)$(Platform)\$(Configuration)\ 55 | $(SolutionDir)tmp\$(Platform)\$(Configuration)\$(ProjectName)\ 56 | false 57 | false 58 | 59 | 60 | 61 | /std:c++latest /permissive- %(AdditionalOptions) 62 | MaxSpeed 63 | Size 64 | true 65 | true 66 | 67 | MultiThreadedDLL 68 | false 69 | false 70 | Use 71 | Level4 72 | ProgramDatabase 73 | StdCall 74 | 75 | 76 | /EMITPOGOPHASEINFO %(AdditionalOptions) 77 | 
ntdllp.lib;kernel32.lib;user32.lib;detour.lib 78 | $(OutDir)Payload32.dll 79 | $(OutDir);%(AdditionalLibraryDirectories) 80 | true 81 | exports.def 82 | false 83 | Windows 84 | true 85 | true 86 | 87 | true 88 | 89 | MachineX86 90 | 91 | 92 | 93 | 94 | X64 95 | 96 | 97 | /std:c++latest /permissive- %(AdditionalOptions) 98 | MaxSpeed 99 | Size 100 | true 101 | true 102 | 103 | MultiThreadedDLL 104 | false 105 | false 106 | Use 107 | Level4 108 | ProgramDatabase 109 | StdCall 110 | 111 | 112 | /EMITPOGOPHASEINFO %(AdditionalOptions) 113 | ntdllp.lib;kernel32.lib;user32.lib;detour.lib 114 | $(OutDir)Payload64.dll 115 | $(OutDir);%(AdditionalLibraryDirectories) 116 | true 117 | exports.def 118 | false 119 | Windows 120 | true 121 | true 122 | 123 | true 124 | 125 | MachineX64 126 | 127 | 128 | 129 | 130 | ml /c /Cp %(Filename)%(Extension) 131 | 132 | %(Filename).obj;%(Outputs) 133 | true 134 | 135 | 136 | 137 | 138 | 139 | 140 | true 141 | 142 | 143 | true 144 | 145 | 146 | Create 147 | Create 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | -------------------------------------------------------------------------------- /yYy/yYy.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | 37 | 38 | Header Files 39 | 40 | 41 | Header Files 42 | 43 | 44 | 45 | 46 | Source Files 47 | 48 | 49 | -------------------------------------------------------------------------------- /yYy/yYy.vcxproj.user: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | --------------------------------------------------------------------------------
