├── .gitattributes
├── .gitignore
├── KernelDraw.sln
├── KernelDraw
    ├── Imports.h
    ├── KernelDraw.inf
    ├── KernelDraw.vcxproj
    ├── KernelDraw.vcxproj.filters
    ├── NativeEnums.h
    ├── NativeStructs.h
    ├── NativeStructs10.h
    ├── NativeStructs7.h
    ├── NativeStructs8.h
    ├── NativeStructs81.h
    ├── PEStructs.h
    ├── Render.cpp
    ├── Render.hpp
    ├── Utils.cpp
    ├── Utils.hpp
    ├── entry.cpp
    └── includes.h
└── README.md


/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Oo]ut/
 33 | [Ll]og/
 34 | [Ll]ogs/
 35 | 
 36 | # Visual Studio 2015/2017 cache/options directory
 37 | .vs/
 38 | # Uncomment if you have tasks that create the project's static files in wwwroot
 39 | #wwwroot/
 40 | 
 41 | # Visual Studio 2017 auto generated files
 42 | Generated\ Files/
 43 | 
 44 | # MSTest test Results
 45 | [Tt]est[Rr]esult*/
 46 | [Bb]uild[Ll]og.*
 47 | 
 48 | # NUnit
 49 | *.VisualState.xml
 50 | TestResult.xml
 51 | nunit-*.xml
 52 | 
 53 | # Build Results of an ATL Project
 54 | [Dd]ebugPS/
 55 | [Rr]eleasePS/
 56 | dlldata.c
 57 | 
 58 | # Benchmark Results
 59 | BenchmarkDotNet.Artifacts/
 60 | 
 61 | # .NET Core
 62 | project.lock.json
 63 | project.fragment.lock.json
 64 | artifacts/
 65 | 
 66 | # ASP.NET Scaffolding
 67 | ScaffoldingReadMe.txt
 68 | 
 69 | # StyleCop
 70 | StyleCopReport.xml
 71 | 
 72 | # Files built by Visual Studio
 73 | *_i.c
 74 | *_p.c
 75 | *_h.h
 76 | *.ilk
 77 | *.meta
 78 | *.obj
 79 | *.iobj
 80 | *.pch
 81 | *.pdb
 82 | *.ipdb
 83 | *.pgc
 84 | *.pgd
 85 | *.rsp
 86 | *.sbr
 87 | *.tlb
 88 | *.tli
 89 | *.tlh
 90 | *.tmp
 91 | *.tmp_proj
 92 | *_wpftmp.csproj
 93 | *.log
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 | 
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 | 
309 | # FAKE - F# Make
310 | .fake/
311 | 
312 | # CodeRush personal settings
313 | .cr/personal
314 | 
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 | 
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 | 
323 | # Tabs Studio
324 | *.tss
325 | 
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 | 
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 | 
335 | # OpenCover UI analysis results
336 | OpenCover/
337 | 
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 | 
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 | 
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 | 
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 | 
350 | # Local History for Visual Studio
351 | .localhistory/
352 | 
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 | 
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 | 
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 | 
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd


--------------------------------------------------------------------------------
/KernelDraw.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.32602.291
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KernelDraw", "KernelDraw\KernelDraw.vcxproj", "{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|ARM64 = Debug|ARM64
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|ARM = Release|ARM
15 | 		Release|ARM64 = Release|ARM64
16 | 		Release|x64 = Release|x64
17 | 		Release|x86 = Release|x86
18 | 	EndGlobalSection
19 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|ARM.ActiveCfg = Debug|ARM
21 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|ARM.Build.0 = Debug|ARM
22 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|ARM.Deploy.0 = Debug|ARM
23 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|ARM64.Build.0 = Debug|ARM64
25 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|x64.Build.0 = Debug|x64
28 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|x64.Deploy.0 = Debug|x64
29 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|x86.ActiveCfg = Debug|Win32
30 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|x86.Build.0 = Debug|Win32
31 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Debug|x86.Deploy.0 = Debug|Win32
32 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|ARM.ActiveCfg = Release|ARM
33 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|ARM.Build.0 = Release|ARM
34 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|ARM.Deploy.0 = Release|ARM
35 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|ARM64.ActiveCfg = Release|ARM64
36 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|ARM64.Build.0 = Release|ARM64
37 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|ARM64.Deploy.0 = Release|ARM64
38 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|x64.ActiveCfg = Release|x64
39 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|x64.Build.0 = Release|x64
40 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|x64.Deploy.0 = Release|x64
41 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|x86.ActiveCfg = Release|Win32
42 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|x86.Build.0 = Release|Win32
43 | 		{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}.Release|x86.Deploy.0 = Release|Win32
44 | 	EndGlobalSection
45 | 	GlobalSection(SolutionProperties) = preSolution
46 | 		HideSolutionNode = FALSE
47 | 	EndGlobalSection
48 | 	GlobalSection(ExtensibilityGlobals) = postSolution
49 | 		SolutionGuid = {751FAC5F-3E50-413A-9126-EE3184481750}
50 | 	EndGlobalSection
51 | EndGlobal
52 | 


--------------------------------------------------------------------------------
/KernelDraw/Imports.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include "NativeEnums.h"
  4 | #include "NativeStructs.h"
  5 | 
  6 | 
  7 | EXTERN_C_START
  8 | 
  9 | NTSYSAPI
 10 | NTSTATUS
 11 | NTAPI
 12 | ZwQuerySystemInformation(
 13 |     IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
 14 |     OUT PVOID SystemInformation,
 15 |     IN ULONG SystemInformationLength,
 16 |     OUT PULONG ReturnLength OPTIONAL
 17 |     );
 18 | 
 19 | NTSYSAPI
 20 | NTSTATUS
 21 | NTAPI
 22 | ZwSetSystemInformation(
 23 |     IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
 24 |     IN PVOID SystemInformation,
 25 |     IN ULONG SystemInformationLength
 26 |     );
 27 | 
 28 | NTSYSAPI
 29 | NTSTATUS
 30 | NTAPI
 31 | ZwQueryInformationProcess(
 32 |     IN  HANDLE ProcessHandle,
 33 |     IN  PROCESSINFOCLASS ProcessInformationClass,
 34 |     OUT PVOID ProcessInformation,
 35 |     IN  ULONG ProcessInformationLength,
 36 |     IN  PULONG ReturnLength
 37 |     );
 38 | 
 39 | NTSYSAPI
 40 | NTSTATUS
 41 | NTAPI
 42 | ZwQueryInformationThread(
 43 |     IN HANDLE ThreadHandle,
 44 |     IN THREADINFOCLASS ThreadInformationClass,
 45 |     OUT PVOID ThreadInformation,
 46 |     IN ULONG ThreadInformationLength,
 47 |     OUT PULONG ReturnLength OPTIONAL
 48 |     );
 49 | 
 50 | NTSYSAPI
 51 | NTSTATUS
 52 | NTAPI
 53 | ZwQueryVirtualMemory(
 54 |     IN HANDLE ProcessHandle,
 55 |     IN PVOID BaseAddress, OPTIONAL
 56 |     IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
 57 |     OUT PVOID MemoryInformation,
 58 |     IN SIZE_T MemoryInformationLength,
 59 |     OUT PSIZE_T ReturnLength OPTIONAL
 60 | );
 61 | 
 62 | NTSTATUS
 63 | NTAPI
 64 | ZwCreateThreadEx(
 65 |     OUT PHANDLE hThread,
 66 |     IN ACCESS_MASK DesiredAccess,
 67 |     IN PVOID ObjectAttributes,
 68 |     IN HANDLE ProcessHandle,
 69 |     IN PVOID lpStartAddress,
 70 |     IN PVOID lpParameter,
 71 |     IN ULONG Flags,
 72 |     IN SIZE_T StackZeroBits,
 73 |     IN SIZE_T SizeOfStackCommit,
 74 |     IN SIZE_T SizeOfStackReserve,
 75 |     IN PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList
 76 |     );
 77 | 
 78 | NTSTATUS
 79 | NTAPI
 80 | ZwTerminateThread(
 81 |     IN HANDLE ThreadHandle,
 82 |     IN NTSTATUS ExitStatus
 83 |     );
 84 | 
 85 | 
 86 | 
 87 | NTKERNELAPI
 88 | NTSTATUS
 89 | NTAPI
 90 | MmCopyVirtualMemory(
 91 |     IN PEPROCESS FromProcess,
 92 |     IN PVOID FromAddress,
 93 |     IN PEPROCESS ToProcess,
 94 |     OUT PVOID ToAddress,
 95 |     IN SIZE_T BufferSize,
 96 |     IN KPROCESSOR_MODE PreviousMode,
 97 |     OUT PSIZE_T NumberOfBytesCopied
 98 |     );
 99 | 
100 | NTKERNELAPI
101 | PPEB
102 | NTAPI
103 | PsGetProcessPeb(IN PEPROCESS Process);
104 | 
105 | NTKERNELAPI
106 | PVOID
107 | NTAPI
108 | PsGetThreadTeb(IN PETHREAD Thread);
109 | 
110 | NTKERNELAPI
111 | PVOID
112 | NTAPI
113 | PsGetProcessWow64Process(IN PEPROCESS Process);
114 | 
115 | NTKERNELAPI
116 | PVOID
117 | NTAPI
118 | PsGetCurrentProcessWow64Process();
119 | 
120 | NTKERNELAPI
121 | BOOLEAN
122 | NTAPI
123 | KeTestAlertThread(IN KPROCESSOR_MODE AlertMode);
124 | 
125 | NTKERNELAPI
126 | BOOLEAN
127 | NTAPI
128 | PsIsProtectedProcess(IN PEPROCESS Process);
129 | 
130 | typedef VOID(NTAPI* PKNORMAL_ROUTINE)(
131 |         PVOID NormalContext,
132 |         PVOID SystemArgument1,
133 |         PVOID SystemArgument2
134 |     );
135 | 
136 | typedef VOID(NTAPI* PKKERNEL_ROUTINE)(
137 |         PRKAPC Apc,
138 |         PKNORMAL_ROUTINE* NormalRoutine,
139 |         PVOID* NormalContext,
140 |         PVOID* SystemArgument1,
141 |         PVOID* SystemArgument2
142 |     );
143 | 
144 | typedef VOID(NTAPI* PKRUNDOWN_ROUTINE)(PRKAPC Apc);
145 | 
146 | NTKERNELAPI
147 | VOID
148 | NTAPI
149 | KeInitializeApc(
150 |     IN PKAPC Apc,
151 |     IN PKTHREAD Thread,
152 |     IN KAPC_ENVIRONMENT ApcStateIndex,
153 |     IN PKKERNEL_ROUTINE KernelRoutine,
154 |     IN PKRUNDOWN_ROUTINE RundownRoutine,
155 |     IN PKNORMAL_ROUTINE NormalRoutine,
156 |     IN KPROCESSOR_MODE ApcMode,
157 |     IN PVOID NormalContext
158 |     );
159 | 
160 | NTKERNELAPI
161 | BOOLEAN
162 | NTAPI
163 | KeInsertQueueApc(
164 |     PKAPC Apc,
165 |     PVOID SystemArgument1,
166 |     PVOID SystemArgument2,
167 |     KPRIORITY Increment
168 |     );
169 | 
170 | NTSYSAPI
171 | PIMAGE_NT_HEADERS
172 | NTAPI
173 | RtlImageNtHeader(PVOID Base);
174 | 
175 | NTSYSAPI
176 | PVOID
177 | NTAPI
178 | RtlImageDirectoryEntryToData(
179 |     PVOID ImageBase,
180 |     BOOLEAN MappedAsImage,
181 |     USHORT DirectoryEntry,
182 |     PULONG Size
183 |     );
184 | 
185 | 
186 | typedef BOOLEAN(*EX_ENUMERATE_HANDLE_ROUTINE)(
187 | #if !defined(_WIN7_)
188 |     IN PHANDLE_TABLE HandleTable,
189 | #endif
190 |     IN PHANDLE_TABLE_ENTRY HandleTableEntry,
191 |     IN HANDLE Handle,
192 |     IN PVOID EnumParameter
193 |     );
194 | 
195 | NTKERNELAPI
196 | BOOLEAN
197 | ExEnumHandleTable(
198 |     IN PHANDLE_TABLE HandleTable,
199 |     IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
200 |     IN PVOID EnumParameter,
201 |     OUT PHANDLE Handle
202 |     );
203 | 
204 | NTKERNELAPI
205 | VOID
206 | FASTCALL
207 | ExfUnblockPushLock(
208 |     IN OUT PEX_PUSH_LOCK PushLock,
209 |     IN OUT PVOID WaitBlock
210 |     );
211 | 
212 | NTKERNELAPI
213 | PCHAR
214 | PsGetProcessImageFileName(
215 |     __in PEPROCESS Process
216 |     );
217 | 
218 | NTSYSAPI
219 | NTSTATUS
220 | NTAPI
221 | NtTraceControl(
222 |     _In_ ULONG FunctionCode,
223 |     _In_reads_bytes_opt_(InBufferLen) PVOID InBuffer,
224 |     _In_ ULONG InBufferLen,
225 |     _Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer,
226 |     _In_ ULONG OutBufferLen,
227 |     _Out_ PULONG ReturnLength);
228 | 
229 | 
230 | NTKERNELAPI 
231 | PVOID 
232 | NTAPI 
233 | RtlFindExportedRoutineByName(
234 |     PVOID ImageBase, 
235 |     PCCH RoutineNam);
236 | 
237 | 
238 | NTKERNELAPI
239 | PVOID
240 | NTAPI
241 | PsGetCurrentThreadWin32Thread();
242 | 
243 | 
244 | NTSYSAPI
245 | NTSTATUS
246 | NTAPI
247 | ZwGetNextThread(
248 |     __in HANDLE ProcessHandle,
249 |     __in HANDLE ThreadHandle,
250 |     __in ACCESS_MASK DesiredAccess,
251 |     __in ULONG HandleAttributes,
252 |     __in ULONG Flags,
253 |     __out PHANDLE NewThreadHandle);
254 | 
255 | NTKERNELAPI
256 | PVOID
257 | NTAPI
258 | PsGetThreadWin32Thread(
259 |     _In_ PETHREAD Thread
260 | );
261 | 
262 | NTKERNELAPI
263 | VOID
264 | PsSetThreadWin32Thread(
265 |     IN OUT PETHREAD Thread,
266 |     IN PVOID Win32Thread,
267 |     IN PVOID PrevWin32Thread
268 | );
269 | 
270 | 
271 | EXTERN_C_END


--------------------------------------------------------------------------------
/KernelDraw/KernelDraw.inf:
--------------------------------------------------------------------------------
 1 | ;
 2 | ; KernelDraw.inf
 3 | ;
 4 | 
 5 | [Version]
 6 | Signature="$WINDOWS NT$"
 7 | Class=System
 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
 9 | Provider=%ManufacturerName%
10 | DriverVer=
11 | CatalogFile=KernelDraw.cat
12 | PnpLockDown=1
13 | 
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | 
17 | 
18 | [SourceDisksNames]
19 | 1 = %DiskName%,,,""
20 | 
21 | [SourceDisksFiles]
22 | 
23 | 
24 | [Manufacturer]
25 | %ManufacturerName%=Standard,NT$ARCH$
26 | 
27 | [Standard.NT$ARCH$]
28 | 
29 | 
30 | [Strings]
31 | ManufacturerName="<Your manufacturer name>" ;TODO: Replace with your manufacturer name
32 | ClassName=""
33 | DiskName="KernelDraw Source Disk"
34 | 


--------------------------------------------------------------------------------
/KernelDraw/KernelDraw.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Debug|ARM">
 21 |       <Configuration>Debug</Configuration>
 22 |       <Platform>ARM</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|ARM">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>ARM</Platform>
 27 |     </ProjectConfiguration>
 28 |     <ProjectConfiguration Include="Debug|ARM64">
 29 |       <Configuration>Debug</Configuration>
 30 |       <Platform>ARM64</Platform>
 31 |     </ProjectConfiguration>
 32 |     <ProjectConfiguration Include="Release|ARM64">
 33 |       <Configuration>Release</Configuration>
 34 |       <Platform>ARM64</Platform>
 35 |     </ProjectConfiguration>
 36 |   </ItemGroup>
 37 |   <PropertyGroup Label="Globals">
 38 |     <ProjectGuid>{13A92D52-E22C-4482-ACAA-3F4177C2AEA8}</ProjectGuid>
 39 |     <TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
 40 |     <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
 41 |     <MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
 42 |     <Configuration>Debug</Configuration>
 43 |     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
 44 |     <RootNamespace>KernelDraw</RootNamespace>
 45 |   </PropertyGroup>
 46 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 48 |     <TargetVersion>
 49 |     </TargetVersion>
 50 |     <UseDebugLibraries>true</UseDebugLibraries>
 51 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 52 |     <ConfigurationType>Driver</ConfigurationType>
 53 |     <DriverType>WDM</DriverType>
 54 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 55 |   </PropertyGroup>
 56 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 57 |     <TargetVersion>
 58 |     </TargetVersion>
 59 |     <UseDebugLibraries>false</UseDebugLibraries>
 60 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 61 |     <ConfigurationType>Driver</ConfigurationType>
 62 |     <DriverType>WDM</DriverType>
 63 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 64 |   </PropertyGroup>
 65 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 66 |     <TargetVersion>
 67 |     </TargetVersion>
 68 |     <UseDebugLibraries>true</UseDebugLibraries>
 69 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 70 |     <ConfigurationType>Driver</ConfigurationType>
 71 |     <DriverType>WDM</DriverType>
 72 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 73 |   </PropertyGroup>
 74 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 75 |     <TargetVersion>
 76 |     </TargetVersion>
 77 |     <UseDebugLibraries>false</UseDebugLibraries>
 78 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 79 |     <ConfigurationType>Driver</ConfigurationType>
 80 |     <DriverType>WDM</DriverType>
 81 |     <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
 82 |   </PropertyGroup>
 83 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 84 |     <TargetVersion>Windows10</TargetVersion>
 85 |     <UseDebugLibraries>true</UseDebugLibraries>
 86 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 87 |     <ConfigurationType>Driver</ConfigurationType>
 88 |     <DriverType>WDM</DriverType>
 89 |   </PropertyGroup>
 90 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 91 |     <TargetVersion>Windows10</TargetVersion>
 92 |     <UseDebugLibraries>false</UseDebugLibraries>
 93 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
 94 |     <ConfigurationType>Driver</ConfigurationType>
 95 |     <DriverType>WDM</DriverType>
 96 |   </PropertyGroup>
 97 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
 98 |     <TargetVersion>Windows10</TargetVersion>
 99 |     <UseDebugLibraries>true</UseDebugLibraries>
100 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
101 |     <ConfigurationType>Driver</ConfigurationType>
102 |     <DriverType>WDM</DriverType>
103 |   </PropertyGroup>
104 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
105 |     <TargetVersion>Windows10</TargetVersion>
106 |     <UseDebugLibraries>false</UseDebugLibraries>
107 |     <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
108 |     <ConfigurationType>Driver</ConfigurationType>
109 |     <DriverType>WDM</DriverType>
110 |   </PropertyGroup>
111 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
112 |   <ImportGroup Label="ExtensionSettings">
113 |   </ImportGroup>
114 |   <ImportGroup Label="PropertySheets">
115 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
116 |   </ImportGroup>
117 |   <PropertyGroup Label="UserMacros" />
118 |   <PropertyGroup />
119 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
120 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
121 |     <EnableInf2cat>false</EnableInf2cat>
122 |   </PropertyGroup>
123 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
124 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
125 |     <EnableInf2cat>false</EnableInf2cat>
126 |   </PropertyGroup>
127 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
128 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
129 |     <EnableInf2cat>false</EnableInf2cat>
130 |   </PropertyGroup>
131 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
132 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
133 |     <EnableInf2cat>false</EnableInf2cat>
134 |   </PropertyGroup>
135 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
136 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
137 |   </PropertyGroup>
138 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
139 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
140 |   </PropertyGroup>
141 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
142 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
143 |   </PropertyGroup>
144 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
145 |     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
146 |   </PropertyGroup>
147 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
148 |     <ClCompile>
149 |       <TreatWarningAsError>false</TreatWarningAsError>
150 |     </ClCompile>
151 |   </ItemDefinitionGroup>
152 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
153 |     <ClCompile>
154 |       <TreatWarningAsError>false</TreatWarningAsError>
155 |     </ClCompile>
156 |   </ItemDefinitionGroup>
157 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
158 |     <ClCompile>
159 |       <TreatWarningAsError>false</TreatWarningAsError>
160 |     </ClCompile>
161 |     <Link>
162 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
163 |     </Link>
164 |   </ItemDefinitionGroup>
165 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
166 |     <ClCompile>
167 |       <TreatWarningAsError>false</TreatWarningAsError>
168 |     </ClCompile>
169 |     <Link>
170 |       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
171 |     </Link>
172 |   </ItemDefinitionGroup>
173 |   <ItemGroup>
174 |     <FilesToPackage Include="$(TargetPath)" />
175 |   </ItemGroup>
176 |   <ItemGroup>
177 |     <ClCompile Include="entry.cpp" />
178 |     <ClCompile Include="Render.cpp" />
179 |     <ClCompile Include="Utils.cpp" />
180 |   </ItemGroup>
181 |   <ItemGroup>
182 |     <ClInclude Include="Imports.h" />
183 |     <ClInclude Include="includes.h" />
184 |     <ClInclude Include="NativeEnums.h" />
185 |     <ClInclude Include="NativeStructs.h" />
186 |     <ClInclude Include="PEStructs.h" />
187 |     <ClInclude Include="Render.hpp" />
188 |     <ClInclude Include="Utils.hpp" />
189 |   </ItemGroup>
190 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
191 |   <ImportGroup Label="ExtensionTargets">
192 |   </ImportGroup>
193 | </Project>


--------------------------------------------------------------------------------
/KernelDraw/KernelDraw.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |     <Filter Include="Driver Files">
17 |       <UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
18 |       <Extensions>inf;inv;inx;mof;mc;</Extensions>
19 |     </Filter>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <ClCompile Include="entry.cpp">
23 |       <Filter>Source Files</Filter>
24 |     </ClCompile>
25 |     <ClCompile Include="Render.cpp">
26 |       <Filter>Source Files</Filter>
27 |     </ClCompile>
28 |     <ClCompile Include="Utils.cpp">
29 |       <Filter>Source Files</Filter>
30 |     </ClCompile>
31 |   </ItemGroup>
32 |   <ItemGroup>
33 |     <ClInclude Include="includes.h">
34 |       <Filter>Header Files</Filter>
35 |     </ClInclude>
36 |     <ClInclude Include="Render.hpp">
37 |       <Filter>Header Files</Filter>
38 |     </ClInclude>
39 |     <ClInclude Include="Utils.hpp">
40 |       <Filter>Header Files</Filter>
41 |     </ClInclude>
42 |     <ClInclude Include="NativeEnums.h">
43 |       <Filter>Header Files</Filter>
44 |     </ClInclude>
45 |     <ClInclude Include="NativeStructs.h">
46 |       <Filter>Header Files</Filter>
47 |     </ClInclude>
48 |     <ClInclude Include="PEStructs.h">
49 |       <Filter>Header Files</Filter>
50 |     </ClInclude>
51 |     <ClInclude Include="Imports.h">
52 |       <Filter>Header Files</Filter>
53 |     </ClInclude>
54 |   </ItemGroup>
55 | </Project>


--------------------------------------------------------------------------------
/KernelDraw/NativeEnums.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | typedef enum _MEMORY_INFORMATION_CLASS_EX
  4 | {
  5 |     MemoryBasicInformationEx = 0,
  6 |     MemoryWorkingSetInformation = 1,
  7 |     MemoryMappedFilenameInformation = 2,
  8 |     MemoryRegionInformation = 3,
  9 |     MemoryWorkingSetExInformation = 4,
 10 | } MEMORY_INFORMATION_CLASS_EX;
 11 | 
 12 | typedef enum _PS_PROTECTED_SIGNER
 13 | {
 14 |     PsProtectedSignerNone = 0,
 15 |     PsProtectedSignerAuthenticode = 1,
 16 |     PsProtectedSignerCodeGen = 2,
 17 |     PsProtectedSignerAntimalware = 3,
 18 |     PsProtectedSignerLsa = 4,
 19 |     PsProtectedSignerWindows = 5,
 20 |     PsProtectedSignerWinTcb = 6,
 21 |     PsProtectedSignerMax = 7
 22 | } PS_PROTECTED_SIGNER;
 23 | 
 24 | typedef enum _PS_PROTECTED_TYPE
 25 | {
 26 |     PsProtectedTypeNone = 0,
 27 |     PsProtectedTypeProtectedLight = 1,
 28 |     PsProtectedTypeProtected = 2,
 29 |     PsProtectedTypeMax = 3
 30 | } PS_PROTECTED_TYPE;
 31 | 
 32 | typedef enum _SYSTEM_INFORMATION_CLASS
 33 | {
 34 |     SystemBasicInformation = 0x0,
 35 |     SystemProcessorInformation = 0x1,
 36 |     SystemPerformanceInformation = 0x2,
 37 |     SystemTimeOfDayInformation = 0x3,
 38 |     SystemPathInformation = 0x4,
 39 |     SystemProcessInformation = 0x5,
 40 |     SystemCallCountInformation = 0x6,
 41 |     SystemDeviceInformation = 0x7,
 42 |     SystemProcessorPerformanceInformation = 0x8,
 43 |     SystemFlagsInformation = 0x9,
 44 |     SystemCallTimeInformation = 0xa,
 45 |     SystemModuleInformation = 0xb,
 46 |     SystemLocksInformation = 0xc,
 47 |     SystemStackTraceInformation = 0xd,
 48 |     SystemPagedPoolInformation = 0xe,
 49 |     SystemNonPagedPoolInformation = 0xf,
 50 |     SystemHandleInformation = 0x10,
 51 |     SystemObjectInformation = 0x11,
 52 |     SystemPageFileInformation = 0x12,
 53 |     SystemVdmInstemulInformation = 0x13,
 54 |     SystemVdmBopInformation = 0x14,
 55 |     SystemFileCacheInformation = 0x15,
 56 |     SystemPoolTagInformation = 0x16,
 57 |     SystemInterruptInformation = 0x17,
 58 |     SystemDpcBehaviorInformation = 0x18,
 59 |     SystemFullMemoryInformation = 0x19,
 60 |     SystemLoadGdiDriverInformation = 0x1a,
 61 |     SystemUnloadGdiDriverInformation = 0x1b,
 62 |     SystemTimeAdjustmentInformation = 0x1c,
 63 |     SystemSummaryMemoryInformation = 0x1d,
 64 |     SystemMirrorMemoryInformation = 0x1e,
 65 |     SystemPerformanceTraceInformation = 0x1f,
 66 |     SystemObsolete0 = 0x20,
 67 |     SystemExceptionInformation = 0x21,
 68 |     SystemCrashDumpStateInformation = 0x22,
 69 |     SystemKernelDebuggerInformation = 0x23,
 70 |     SystemContextSwitchInformation = 0x24,
 71 |     SystemRegistryQuotaInformation = 0x25,
 72 |     SystemExtendServiceTableInformation = 0x26,
 73 |     SystemPrioritySeperation = 0x27,
 74 |     SystemVerifierAddDriverInformation = 0x28,
 75 |     SystemVerifierRemoveDriverInformation = 0x29,
 76 |     SystemProcessorIdleInformation = 0x2a,
 77 |     SystemLegacyDriverInformation = 0x2b,
 78 |     SystemCurrentTimeZoneInformation = 0x2c,
 79 |     SystemLookasideInformation = 0x2d,
 80 |     SystemTimeSlipNotification = 0x2e,
 81 |     SystemSessionCreate = 0x2f,
 82 |     SystemSessionDetach = 0x30,
 83 |     SystemSessionInformation = 0x31,
 84 |     SystemRangeStartInformation = 0x32,
 85 |     SystemVerifierInformation = 0x33,
 86 |     SystemVerifierThunkExtend = 0x34,
 87 |     SystemSessionProcessInformation = 0x35,
 88 |     SystemLoadGdiDriverInSystemSpace = 0x36,
 89 |     SystemNumaProcessorMap = 0x37,
 90 |     SystemPrefetcherInformation = 0x38,
 91 |     SystemExtendedProcessInformation = 0x39,
 92 |     SystemRecommendedSharedDataAlignment = 0x3a,
 93 |     SystemComPlusPackage = 0x3b,
 94 |     SystemNumaAvailableMemory = 0x3c,
 95 |     SystemProcessorPowerInformation = 0x3d,
 96 |     SystemEmulationBasicInformation = 0x3e,
 97 |     SystemEmulationProcessorInformation = 0x3f,
 98 |     SystemExtendedHandleInformation = 0x40,
 99 |     SystemLostDelayedWriteInformation = 0x41,
100 |     SystemBigPoolInformation = 0x42,
101 |     SystemSessionPoolTagInformation = 0x43,
102 |     SystemSessionMappedViewInformation = 0x44,
103 |     SystemHotpatchInformation = 0x45,
104 |     SystemObjectSecurityMode = 0x46,
105 |     SystemWatchdogTimerHandler = 0x47,
106 |     SystemWatchdogTimerInformation = 0x48,
107 |     SystemLogicalProcessorInformation = 0x49,
108 |     SystemWow64SharedInformationObsolete = 0x4a,
109 |     SystemRegisterFirmwareTableInformationHandler = 0x4b,
110 |     SystemFirmwareTableInformation = 0x4c,
111 |     SystemModuleInformationEx = 0x4d,
112 |     SystemVerifierTriageInformation = 0x4e,
113 |     SystemSuperfetchInformation = 0x4f,
114 |     SystemMemoryListInformation = 0x50,
115 |     SystemFileCacheInformationEx = 0x51,
116 |     SystemThreadPriorityClientIdInformation = 0x52,
117 |     SystemProcessorIdleCycleTimeInformation = 0x53,
118 |     SystemVerifierCancellationInformation = 0x54,
119 |     SystemProcessorPowerInformationEx = 0x55,
120 |     SystemRefTraceInformation = 0x56,
121 |     SystemSpecialPoolInformation = 0x57,
122 |     SystemProcessIdInformation = 0x58,
123 |     SystemErrorPortInformation = 0x59,
124 |     SystemBootEnvironmentInformation = 0x5a,
125 |     SystemHypervisorInformation = 0x5b,
126 |     SystemVerifierInformationEx = 0x5c,
127 |     SystemTimeZoneInformation = 0x5d,
128 |     SystemImageFileExecutionOptionsInformation = 0x5e,
129 |     SystemCoverageInformation = 0x5f,
130 |     SystemPrefetchPatchInformation = 0x60,
131 |     SystemVerifierFaultsInformation = 0x61,
132 |     SystemSystemPartitionInformation = 0x62,
133 |     SystemSystemDiskInformation = 0x63,
134 |     SystemProcessorPerformanceDistribution = 0x64,
135 |     SystemNumaProximityNodeInformation = 0x65,
136 |     SystemDynamicTimeZoneInformation = 0x66,
137 |     SystemCodeIntegrityInformation = 0x67,
138 |     SystemProcessorMicrocodeUpdateInformation = 0x68,
139 |     SystemProcessorBrandString = 0x69,
140 |     SystemVirtualAddressInformation = 0x6a,
141 |     SystemLogicalProcessorAndGroupInformation = 0x6b,
142 |     SystemProcessorCycleTimeInformation = 0x6c,
143 |     SystemStoreInformation = 0x6d,
144 |     SystemRegistryAppendString = 0x6e,
145 |     SystemAitSamplingValue = 0x6f,
146 |     SystemVhdBootInformation = 0x70,
147 |     SystemCpuQuotaInformation = 0x71,
148 |     SystemNativeBasicInformation = 0x72,
149 |     SystemErrorPortTimeouts = 0x73,
150 |     SystemLowPriorityIoInformation = 0x74,
151 |     SystemBootEntropyInformation = 0x75,
152 |     SystemVerifierCountersInformation = 0x76,
153 |     SystemPagedPoolInformationEx = 0x77,
154 |     SystemSystemPtesInformationEx = 0x78,
155 |     SystemNodeDistanceInformation = 0x79,
156 |     SystemAcpiAuditInformation = 0x7a,
157 |     SystemBasicPerformanceInformation = 0x7b,
158 |     SystemQueryPerformanceCounterInformation = 0x7c,
159 |     SystemSessionBigPoolInformation = 0x7d,
160 |     SystemBootGraphicsInformation = 0x7e,
161 |     SystemScrubPhysicalMemoryInformation = 0x7f,
162 |     SystemBadPageInformation = 0x80,
163 |     SystemProcessorProfileControlArea = 0x81,
164 |     SystemCombinePhysicalMemoryInformation = 0x82,
165 |     SystemEntropyInterruptTimingInformation = 0x83,
166 |     SystemConsoleInformation = 0x84,
167 |     SystemPlatformBinaryInformation = 0x85,
168 |     SystemThrottleNotificationInformation = 0x86,
169 |     SystemHypervisorProcessorCountInformation = 0x87,
170 |     SystemDeviceDataInformation = 0x88,
171 |     SystemDeviceDataEnumerationInformation = 0x89,
172 |     SystemMemoryTopologyInformation = 0x8a,
173 |     SystemMemoryChannelInformation = 0x8b,
174 |     SystemBootLogoInformation = 0x8c,
175 |     SystemProcessorPerformanceInformationEx = 0x8d,
176 |     SystemSpare0 = 0x8e,
177 |     SystemSecureBootPolicyInformation = 0x8f,
178 |     SystemPageFileInformationEx = 0x90,
179 |     SystemSecureBootInformation = 0x91,
180 |     SystemEntropyInterruptTimingRawInformation = 0x92,
181 |     SystemPortableWorkspaceEfiLauncherInformation = 0x93,
182 |     SystemFullProcessInformation = 0x94,
183 |     SystemKernelDebuggerInformationEx = 0x95,
184 |     SystemBootMetadataInformation = 0x96,
185 |     SystemSoftRebootInformation = 0x97,
186 |     SystemElamCertificateInformation = 0x98,
187 |     SystemOfflineDumpConfigInformation = 0x99,
188 |     SystemProcessorFeaturesInformation = 0x9a,
189 |     SystemRegistryReconciliationInformation = 0x9b,
190 |     MaxSystemInfoClass = 0x9c,
191 | } SYSTEM_INFORMATION_CLASS;
192 | 
193 | typedef enum _PROCESS_INFORMATION_CLASS {
194 |     ProcessMemoryPriority,
195 |     ProcessMemoryExhaustionInfo,
196 |     ProcessAppMemoryInfo,
197 |     ProcessInPrivateInfo,
198 |     ProcessPowerThrottling,
199 |     ProcessReservedValue1,           // Used to be for ProcessActivityThrottlePolicyInfo
200 |     ProcessTelemetryCoverageInfo,
201 |     ProcessProtectionLevelInfo,
202 |     ProcessLeapSecondInfo,
203 |     ProcessInformationClassMax
204 | } PROCESS_INFORMATION_CLASS;
205 | 
206 | typedef enum _KAPC_ENVIRONMENT
207 | {
208 |     OriginalApcEnvironment,
209 |     AttachedApcEnvironment,
210 |     CurrentApcEnvironment,
211 |     InsertApcEnvironment
212 | } KAPC_ENVIRONMENT, *PKAPC_ENVIRONMENT;
213 | 
214 | typedef enum _MI_VAD_TYPE
215 | {
216 |     VadNone,
217 |     VadDevicePhysicalMemory,
218 |     VadImageMap,
219 |     VadAwe,
220 |     VadWriteWatch,
221 |     VadLargePages,
222 |     VadRotatePhysical,
223 |     VadLargePageSection
224 | } MI_VAD_TYPE, *PMI_VAD_TYPE;
225 | 
226 | typedef enum _MMSYSTEM_PTE_POOL_TYPE
227 | {
228 |     SystemPteSpace,
229 |     NonPagedPoolExpansion,
230 |     MaximumPtePoolTypes
231 | } MMSYSTEM_PTE_POOL_TYPE;


--------------------------------------------------------------------------------
/KernelDraw/NativeStructs.h:
--------------------------------------------------------------------------------
   1 | #pragma once
   2 | #define _WIN10_
   3 | 
   4 | #include "PEStructs.h"
   5 | 
   6 | #ifdef _WIN10_
   7 | #include "NativeStructs10.h"
   8 | #elif _WIN81_
   9 | #include "NativeStructs81.h"
  10 | #elif _WIN8_
  11 | #include "NativeStructs8.h"
  12 | #elif _WIN7_
  13 | #include "NativeStructs7.h"
  14 | #else
  15 | #error Unsupported OS build version
  16 | #endif
  17 | 
  18 | #define MAKEINTRESOURCEW(i) ((PWCH)((ULONG_PTR)((USHORT)(i))))
  19 | 
  20 | typedef struct _SYSTEM_SERVICE_DESCRIPTOR_TABLE 
  21 | {
  22 |     PULONG_PTR ServiceTableBase;
  23 |     PULONG ServiceCounterTableBase;
  24 |     ULONG_PTR NumberOfServices;
  25 |     PUCHAR ParamTableBase;
  26 | } SYSTEM_SERVICE_DESCRIPTOR_TABLE, *PSYSTEM_SERVICE_DESCRIPTOR_TABLE;
  27 | 
  28 | typedef NTSTATUS(NTAPI* NTPROC)();
  29 | typedef NTPROC* PNTPROC;
  30 | 
  31 | typedef struct _SYSTEM_SERVICE_TABLE {
  32 |     PNTPROC ServiceTable;
  33 |     PULONG CounterTable;
  34 |     ULONG ServiceLimit;
  35 |     PUCHAR ArgumentTable;
  36 | } SYSTEM_SERVICE_TABLE, * PSYSTEM_SERVICE_TABLE;
  37 | 
  38 | typedef struct _SERVICE_DESCRIPTOR_TABLE {
  39 |     SYSTEM_SERVICE_TABLE ntoskrnl;
  40 |     SYSTEM_SERVICE_TABLE win32k;
  41 |     SYSTEM_SERVICE_TABLE Table3;
  42 |     SYSTEM_SERVICE_TABLE Table4;
  43 | }SERVICE_DESCRIPTOR_TABLE, * PSERVICE_DESCRIPTOR_TABLE;
  44 | 
  45 | 
  46 | typedef union _PS_PROTECTION
  47 | {
  48 |     UCHAR Level;
  49 |     struct
  50 |     {
  51 |         int Type : 3;
  52 |         int Audit : 1;
  53 |         int Signer : 4;
  54 |     } Flags;
  55 | } PS_PROTECTION, *PPS_PROTECTION;
  56 | 
  57 | typedef union _KEXECUTE_OPTIONS
  58 | {
  59 |     struct
  60 |     {
  61 |         int ExecuteDisable : 1;                     // 0x01
  62 |         int ExecuteEnable : 1;                      // 0x02
  63 |         int DisableThunkEmulation : 1;              // 0x04
  64 |         int Permanent : 1;                          // 0x08
  65 |         int ExecuteDispatchEnable : 1;              // 0x10
  66 |         int ImageDispatchEnable : 1;                // 0x20
  67 |         int DisableExceptionChainValidation : 1;    // 0x40
  68 |         int Spare : 1;
  69 |     } Flags;
  70 | 
  71 |     UCHAR ExecuteOptions;
  72 | } KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;
  73 | 
  74 | typedef struct _EPROCESS_FLAGS2
  75 | {
  76 |     unsigned int JobNotReallyActive : 1;
  77 |     unsigned int AccountingFolded : 1;
  78 |     unsigned int NewProcessReported : 1;
  79 |     unsigned int ExitProcessReported : 1;
  80 |     unsigned int ReportCommitChanges : 1;
  81 |     unsigned int LastReportMemory : 1;
  82 |     unsigned int ForceWakeCharge : 1;
  83 |     unsigned int CrossSessionCreate : 1;
  84 |     unsigned int NeedsHandleRundown : 1;
  85 |     unsigned int RefTraceEnabled : 1;
  86 |     unsigned int DisableDynamicCode : 1;
  87 |     unsigned int EmptyJobEvaluated : 1;
  88 |     unsigned int DefaultPagePriority : 3;
  89 |     unsigned int PrimaryTokenFrozen : 1;
  90 |     unsigned int ProcessVerifierTarget : 1;
  91 |     unsigned int StackRandomizationDisabled : 1;
  92 |     unsigned int AffinityPermanent : 1;
  93 |     unsigned int AffinityUpdateEnable : 1;
  94 |     unsigned int PropagateNode : 1;
  95 |     unsigned int ExplicitAffinity : 1;
  96 |     unsigned int ProcessExecutionState : 2;
  97 |     unsigned int DisallowStrippedImages : 1;
  98 |     unsigned int HighEntropyASLREnabled : 1;
  99 |     unsigned int ExtensionPointDisable : 1;
 100 |     unsigned int ForceRelocateImages : 1;
 101 |     unsigned int ProcessStateChangeRequest : 2;
 102 |     unsigned int ProcessStateChangeInProgress : 1;
 103 |     unsigned int DisallowWin32kSystemCalls : 1;
 104 | } EPROCESS_FLAGS2, *PEPROCESS_FLAGS2;
 105 | 
 106 | typedef struct _MITIGATION_FLAGS
 107 | {
 108 |     unsigned int ControlFlowGuardEnabled : 1;
 109 |     unsigned int ControlFlowGuardExportSuppressionEnabled : 1;
 110 |     unsigned int ControlFlowGuardStrict : 1;
 111 |     unsigned int DisallowStrippedImages : 1;
 112 |     unsigned int ForceRelocateImages : 1;
 113 |     unsigned int HighEntropyASLREnabled : 1;
 114 |     unsigned int StackRandomizationDisabled : 1;
 115 |     unsigned int ExtensionPointDisable : 1;
 116 |     unsigned int DisableDynamicCode : 1;
 117 |     unsigned int DisableDynamicCodeAllowOptOut : 1;
 118 |     unsigned int DisableDynamicCodeAllowRemoteDowngrade : 1;
 119 |     unsigned int AuditDisableDynamicCode : 1;
 120 |     unsigned int DisallowWin32kSystemCalls : 1;
 121 |     unsigned int AuditDisallowWin32kSystemCalls : 1;
 122 |     unsigned int EnableFilteredWin32kAPIs : 1;
 123 |     unsigned int AuditFilteredWin32kAPIs : 1;
 124 |     unsigned int DisableNonSystemFonts : 1;
 125 |     unsigned int AuditNonSystemFontLoading : 1;
 126 |     unsigned int PreferSystem32Images : 1;
 127 |     unsigned int ProhibitRemoteImageMap : 1;
 128 |     unsigned int AuditProhibitRemoteImageMap : 1;
 129 |     unsigned int ProhibitLowILImageMap : 1;
 130 |     unsigned int AuditProhibitLowILImageMap : 1;
 131 |     unsigned int SignatureMitigationOptIn : 1;
 132 |     unsigned int AuditBlockNonMicrosoftBinaries : 1;
 133 |     unsigned int AuditBlockNonMicrosoftBinariesAllowStore : 1;
 134 |     unsigned int LoaderIntegrityContinuityEnabled : 1;
 135 |     unsigned int AuditLoaderIntegrityContinuity : 1;
 136 |     unsigned int EnableModuleTamperingProtection : 1;
 137 |     unsigned int EnableModuleTamperingProtectionNoInherit : 1;
 138 |     unsigned int RestrictIndirectBranchPrediction;
 139 |     unsigned int IsolateSecurityDomain;
 140 | } MITIGATION_FLAGS, *PMITIGATION_FLAGS;
 141 | 
 142 | typedef union _EXHANDLE
 143 | {
 144 |     struct
 145 |     {
 146 |         int TagBits : 2;
 147 |         int Index : 30;
 148 |     } u;
 149 |     void * GenericHandleOverlay;
 150 |     ULONG_PTR Value;
 151 | } EXHANDLE, *PEXHANDLE;
 152 | 
 153 | #pragma warning(disable : 4214 4201)
 154 | 
 155 | #pragma pack(push, 1)
 156 | typedef struct _POOL_HEADER // Size=16
 157 | {
 158 |     union
 159 |     {
 160 |         struct
 161 |         {
 162 |             unsigned long PreviousSize : 8; // Size=4 Offset=0 BitOffset=0 BitCount=8
 163 |             unsigned long PoolIndex : 8; // Size=4 Offset=0 BitOffset=8 BitCount=8
 164 |             unsigned long BlockSize : 8; // Size=4 Offset=0 BitOffset=16 BitCount=8
 165 |             unsigned long PoolType : 8; // Size=4 Offset=0 BitOffset=24 BitCount=8
 166 |         };
 167 |         unsigned long Ulong1; // Size=4 Offset=0
 168 |     };
 169 |     unsigned long PoolTag; // Size=4 Offset=4
 170 |     union
 171 |     {
 172 |         struct _EPROCESS * ProcessBilled; // Size=8 Offset=8
 173 |         struct
 174 |         {
 175 |             unsigned short AllocatorBackTraceIndex; // Size=2 Offset=8
 176 |             unsigned short PoolTagHash; // Size=2 Offset=10
 177 |         };
 178 |     };
 179 | } POOL_HEADER, *PPOOL_HEADER;
 180 | #pragma pack(pop)
 181 | 
 182 | /*
 183 | typedef struct _HANDLE_TABLE_ENTRY // Size=16
 184 | {
 185 |     union
 186 |     {
 187 |         ULONG_PTR VolatileLowValue; // Size=8 Offset=0
 188 |         ULONG_PTR LowValue; // Size=8 Offset=0
 189 |         struct _HANDLE_TABLE_ENTRY_INFO * InfoTable; // Size=8 Offset=0
 190 |         struct
 191 |         {
 192 |             ULONG_PTR Unlocked : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
 193 |             ULONG_PTR RefCnt : 16; // Size=8 Offset=0 BitOffset=1 BitCount=16
 194 |             ULONG_PTR Attributes : 3; // Size=8 Offset=0 BitOffset=17 BitCount=3
 195 |             ULONG_PTR ObjectPointerBits : 44; // Size=8 Offset=0 BitOffset=20 BitCount=44
 196 |         };
 197 |     };
 198 |     union
 199 |     {
 200 |         ULONG_PTR HighValue; // Size=8 Offset=8
 201 |         struct _HANDLE_TABLE_ENTRY * NextFreeHandleEntry; // Size=8 Offset=8
 202 |         union _EXHANDLE LeafHandleValue; // Size=8 Offset=8
 203 |         struct
 204 |         {
 205 |             ULONG GrantedAccessBits : 25; // Size=4 Offset=8 BitOffset=0 BitCount=25
 206 |             ULONG NoRightsUpgrade : 1; // Size=4 Offset=8 BitOffset=25 BitCount=1
 207 |             ULONG Spare : 6; // Size=4 Offset=8 BitOffset=26 BitCount=6
 208 |         };
 209 |     };
 210 |     ULONG TypeInfo; // Size=4 Offset=12
 211 | } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
 212 | */
 213 | 
 214 | 
 215 | //0x10 bytes (sizeof)
 216 | typedef union _HANDLE_TABLE_ENTRY
 217 | {
 218 |     volatile LONGLONG VolatileLowValue;                                        //0x0
 219 |     LONGLONG LowValue;                                                         //0x0
 220 |     struct
 221 |     {
 222 |         struct _HANDLE_TABLE_ENTRY_INFO* volatile InfoTable;                   //0x0
 223 |         LONGLONG HighValue;                                                        //0x8
 224 |         union _HANDLE_TABLE_ENTRY* NextFreeHandleEntry;                            //0x8
 225 |         EXHANDLE LeafHandleValue;                                      //0x8
 226 |     };
 227 |     LONGLONG RefCountField;                                                    //0x0
 228 |     ULONGLONG Unlocked : 1;                                                      //0x0
 229 |     ULONGLONG RefCnt : 16;                                                       //0x0
 230 |     ULONGLONG Attributes : 3;                                                    //0x0
 231 |     struct
 232 |     {
 233 |         ULONGLONG ObjectPointerBits : 44;                                        //0x0
 234 |         ULONG GrantedAccessBits : 25;                                                //0x8
 235 |         ULONG NoRightsUpgrade : 1;                                                   //0x8
 236 |         ULONG Spare1 : 6;                                                        //0x8
 237 |     };
 238 |     ULONG Spare2;                                                              //0xc
 239 | } HANDLE_TABLE_ENTRY, * PHANDLE_TABLE_ENTRY;
 240 | 
 241 | 
 242 | 
 243 | typedef struct _OBJECT_HEADER // Size=56
 244 | {
 245 |     ULONG_PTR PointerCount; // Size=8 Offset=0
 246 |     union
 247 |     {
 248 |         ULONG_PTR HandleCount; // Size=8 Offset=8
 249 |         void * NextToFree; // Size=8 Offset=8
 250 |     };
 251 |     void* Lock; // Size=8 Offset=16
 252 |     UCHAR TypeIndex; // Size=1 Offset=24
 253 |     union
 254 |     {
 255 |         UCHAR TraceFlags; // Size=1 Offset=25
 256 |         struct
 257 |         {
 258 |             UCHAR DbgRefTrace : 1; // Size=1 Offset=25 BitOffset=0 BitCount=1
 259 |             UCHAR DbgTracePermanent : 1; // Size=1 Offset=25 BitOffset=1 BitCount=1
 260 |         };
 261 |     };
 262 |     UCHAR InfoMask; // Size=1 Offset=26
 263 |     union
 264 |     {
 265 |         UCHAR Flags; // Size=1 Offset=27
 266 |         struct
 267 |         {
 268 |             UCHAR NewObject : 1; // Size=1 Offset=27 BitOffset=0 BitCount=1
 269 |             UCHAR KernelObject : 1; // Size=1 Offset=27 BitOffset=1 BitCount=1
 270 |             UCHAR KernelOnlyAccess : 1; // Size=1 Offset=27 BitOffset=2 BitCount=1
 271 |             UCHAR ExclusiveObject : 1; // Size=1 Offset=27 BitOffset=3 BitCount=1
 272 |             UCHAR PermanentObject : 1; // Size=1 Offset=27 BitOffset=4 BitCount=1
 273 |             UCHAR DefaultSecurityQuota : 1; // Size=1 Offset=27 BitOffset=5 BitCount=1
 274 |             UCHAR SingleHandleEntry : 1; // Size=1 Offset=27 BitOffset=6 BitCount=1
 275 |             UCHAR DeletedInline : 1; // Size=1 Offset=27 BitOffset=7 BitCount=1
 276 |         };
 277 |     };
 278 |     ULONG Spare; // Size=4 Offset=28
 279 |     union
 280 |     {
 281 |         struct _OBJECT_CREATE_INFORMATION * ObjectCreateInfo; // Size=8 Offset=32
 282 |         void * QuotaBlockCharged; // Size=8 Offset=32
 283 |     };
 284 |     void * SecurityDescriptor; // Size=8 Offset=40
 285 |     struct _QUAD Body; // Size=8 Offset=48
 286 | } OBJECT_HEADER, *POBJECT_HEADER;
 287 | 
 288 | typedef union _EX_FAST_REF // Size=8
 289 | {
 290 |     void * Object;
 291 |     struct
 292 |     {
 293 |         unsigned __int64 RefCnt : 4; 
 294 |     };
 295 |     unsigned __int64 Value;
 296 | } EX_FAST_REF, *PEX_FAST_REF;
 297 | 
 298 | typedef struct _CONTROL_AREA // Size=120
 299 | {
 300 |     struct _SEGMENT * Segment;
 301 |     struct _LIST_ENTRY ListHead;
 302 |     unsigned __int64 NumberOfSectionReferences;
 303 |     unsigned __int64 NumberOfPfnReferences; 
 304 |     unsigned __int64 NumberOfMappedViews;
 305 |     unsigned __int64 NumberOfUserReferences;
 306 |     unsigned long f1; 
 307 |     unsigned long f2;
 308 |     EX_FAST_REF FilePointer;
 309 |     // Other fields
 310 | } CONTROL_AREA, *PCONTROL_AREA;
 311 | 
 312 | typedef struct _SUBSECTION // Size=56
 313 | {
 314 |     PCONTROL_AREA ControlArea;
 315 |     // Other fields
 316 | } SUBSECTION, *PSUBSECTION;
 317 | 
 318 | typedef struct _MEMORY_BASIC_INFORMATION_EX
 319 | {
 320 |     PVOID BaseAddress;
 321 |     PVOID AllocationBase;
 322 |     ULONG AllocationProtect;
 323 |     SIZE_T RegionSize;
 324 |     ULONG State;
 325 |     ULONG Protect;
 326 |     ULONG Type;
 327 | } MEMORY_BASIC_INFORMATION_EX, *PMEMORY_BASIC_INFORMATION_EX;
 328 | 
 329 | typedef struct _SYSTEM_CALL_COUNT_INFORMATION
 330 | {
 331 |     ULONG Length;
 332 |     ULONG NumberOfTables;
 333 |     ULONG limits[2];
 334 |  } SYSTEM_CALL_COUNT_INFORMATION, *PSYSTEM_CALL_COUNT_INFORMATION;
 335 | 
 336 | typedef struct _SYSTEM_THREAD_INFORMATION
 337 | {
 338 |     LARGE_INTEGER KernelTime;
 339 |     LARGE_INTEGER UserTime;
 340 |     LARGE_INTEGER CreateTime;
 341 |     ULONG WaitTime;
 342 |     PVOID StartAddress;
 343 |     CLIENT_ID ClientId;
 344 |     KPRIORITY Priority;
 345 |     LONG BasePriority;
 346 |     ULONG ContextSwitches;
 347 |     ULONG ThreadState;
 348 |     KWAIT_REASON WaitReason;
 349 | }SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
 350 | 
 351 | typedef struct _THREAD_BASIC_INFORMATION
 352 | {
 353 |     NTSTATUS ExitStatus;
 354 |     PVOID TebBaseAddress;
 355 |     CLIENT_ID ClientId;
 356 |     ULONG_PTR AffinityMask;
 357 |     LONG Priority;
 358 |     LONG BasePriority;
 359 | } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
 360 | 
 361 | typedef struct _SYSTEM_PROCESS_INFO
 362 | {
 363 |     ULONG NextEntryOffset;
 364 |     ULONG NumberOfThreads;
 365 |     LARGE_INTEGER WorkingSetPrivateSize;
 366 |     ULONG HardFaultCount;
 367 |     ULONG NumberOfThreadsHighWatermark;
 368 |     ULONGLONG CycleTime;
 369 |     LARGE_INTEGER CreateTime;
 370 |     LARGE_INTEGER UserTime;
 371 |     LARGE_INTEGER KernelTime;
 372 |     UNICODE_STRING ImageName;
 373 |     KPRIORITY BasePriority;
 374 |     HANDLE UniqueProcessId;
 375 |     HANDLE InheritedFromUniqueProcessId;
 376 |     ULONG HandleCount;
 377 |     ULONG SessionId;
 378 |     ULONG_PTR UniqueProcessKey;
 379 |     SIZE_T PeakVirtualSize;
 380 |     SIZE_T VirtualSize;
 381 |     ULONG PageFaultCount;
 382 |     SIZE_T PeakWorkingSetSize;
 383 |     SIZE_T WorkingSetSize;
 384 |     SIZE_T QuotaPeakPagedPoolUsage;
 385 |     SIZE_T QuotaPagedPoolUsage;
 386 |     SIZE_T QuotaPeakNonPagedPoolUsage;
 387 |     SIZE_T QuotaNonPagedPoolUsage;
 388 |     SIZE_T PagefileUsage;
 389 |     SIZE_T PeakPagefileUsage;
 390 |     SIZE_T PrivatePageCount;
 391 |     LARGE_INTEGER ReadOperationCount;
 392 |     LARGE_INTEGER WriteOperationCount;
 393 |     LARGE_INTEGER OtherOperationCount;
 394 |     LARGE_INTEGER ReadTransferCount;
 395 |     LARGE_INTEGER WriteTransferCount;
 396 |     LARGE_INTEGER OtherTransferCount;
 397 |     SYSTEM_THREAD_INFORMATION Threads[1];
 398 | }SYSTEM_PROCESS_INFO, *PSYSTEM_PROCESS_INFO;
 399 | 
 400 | typedef struct _SYSTEM_MODULE
 401 | {
 402 |     ULONG_PTR Reserved[2];
 403 |     PVOID Base;
 404 |     ULONG Size;
 405 |     ULONG Flags;
 406 |     USHORT Index;
 407 |     USHORT Unknown;
 408 |     USHORT LoadCount;
 409 |     USHORT ModuleNameOffset;
 410 |     CHAR ImageName[256];
 411 | } SYSTEM_MODULE, * PSYSTEM_MODULE;
 412 | typedef struct _SYSTEM_MODULE_INFORMATION
 413 | {
 414 |     ULONG_PTR ulModuleCount;
 415 |     SYSTEM_MODULE Modules[1];
 416 | } SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
 417 | 
 418 | #pragma warning(disable : 4214)
 419 | typedef struct _MMPTE_HARDWARE64
 420 | {
 421 |     ULONGLONG Valid : 1;
 422 |     ULONGLONG Dirty1 : 1;
 423 |     ULONGLONG Owner : 1;
 424 |     ULONGLONG WriteThrough : 1;
 425 |     ULONGLONG CacheDisable : 1;
 426 |     ULONGLONG Accessed : 1;
 427 |     ULONGLONG Dirty : 1;
 428 |     ULONGLONG LargePage : 1;
 429 |     ULONGLONG Global : 1;
 430 |     ULONGLONG CopyOnWrite : 1;
 431 |     ULONGLONG Unused : 1;
 432 |     ULONGLONG Write : 1;
 433 |     ULONGLONG PageFrameNumber : 36;
 434 |     ULONGLONG reserved1 : 4;
 435 |     ULONGLONG SoftwareWsIndex : 11;
 436 |     ULONGLONG NoExecute : 1;
 437 | } MMPTE_HARDWARE64, *PMMPTE_HARDWARE64;
 438 | 
 439 | typedef struct _MMPTE 
 440 | {
 441 |     union  
 442 |     {
 443 |         ULONG_PTR Long;
 444 |         MMPTE_HARDWARE64 Hard;
 445 |     } u;
 446 | } MMPTE;
 447 | typedef MMPTE *PMMPTE;
 448 | 
 449 | #pragma warning(default : 4214)
 450 | 
 451 | typedef struct _NT_PROC_THREAD_ATTRIBUTE_ENTRY
 452 | {
 453 |     ULONG Attribute;    // PROC_THREAD_ATTRIBUTE_XXX
 454 |     SIZE_T Size;
 455 |     ULONG_PTR Value;
 456 |     ULONG Unknown;
 457 | } NT_PROC_THREAD_ATTRIBUTE_ENTRY, *NT_PPROC_THREAD_ATTRIBUTE_ENTRY;
 458 | 
 459 | typedef struct _NT_PROC_THREAD_ATTRIBUTE_LIST
 460 | {
 461 |     ULONG Length;
 462 |     NT_PROC_THREAD_ATTRIBUTE_ENTRY Entry[1];
 463 | } NT_PROC_THREAD_ATTRIBUTE_LIST, *PNT_PROC_THREAD_ATTRIBUTE_LIST;
 464 | 
 465 | 
 466 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
 467 | {
 468 |     HANDLE Section;         // Not filled in
 469 |     PVOID MappedBase;
 470 |     PVOID ImageBase;
 471 |     ULONG ImageSize;
 472 |     ULONG Flags;
 473 |     USHORT LoadOrderIndex;
 474 |     USHORT InitOrderIndex;
 475 |     USHORT LoadCount;
 476 |     USHORT OffsetToFileName;
 477 |     UCHAR  FullPathName[MAXIMUM_FILENAME_LENGTH];
 478 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
 479 | 
 480 | typedef struct _RTL_PROCESS_MODULES
 481 | {
 482 |     ULONG NumberOfModules;
 483 |     RTL_PROCESS_MODULE_INFORMATION Modules[1];
 484 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
 485 | 
 486 | #pragma warning(disable : 4214)
 487 | typedef union _MEMORY_WORKING_SET_EX_BLOCK 
 488 | {
 489 |     ULONG_PTR Flags;
 490 |     struct
 491 |     {
 492 |         ULONG_PTR Valid : 1;
 493 |         ULONG_PTR ShareCount : 3;
 494 |         ULONG_PTR Win32Protection : 11;
 495 |         ULONG_PTR Shared : 1;
 496 |         ULONG_PTR Node : 6;
 497 |         ULONG_PTR Locked : 1;
 498 |         ULONG_PTR LargePage : 1;
 499 |         ULONG_PTR Reserved : 7;
 500 |         ULONG_PTR Bad : 1;
 501 | 
 502 | #if defined(_WIN64)
 503 |         ULONG_PTR ReservedUlong : 32;
 504 | #endif
 505 |     };
 506 | } MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK;
 507 | 
 508 | typedef struct _MEMORY_WORKING_SET_EX_INFORMATION 
 509 | {
 510 |     PVOID VirtualAddress;
 511 |     MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes;
 512 | } MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION;
 513 | 
 514 | #pragma warning(default : 4214)
 515 | 
 516 | 
 517 | typedef struct _PEB_LDR_DATA 
 518 | {
 519 |     ULONG Length;
 520 |     UCHAR Initialized;
 521 |     PVOID SsHandle;
 522 |     LIST_ENTRY InLoadOrderModuleList;
 523 |     LIST_ENTRY InMemoryOrderModuleList;
 524 |     LIST_ENTRY InInitializationOrderModuleList;
 525 | } PEB_LDR_DATA, *PPEB_LDR_DATA;
 526 | 
 527 | typedef struct _LDR_DATA_TABLE_ENTRY 
 528 | {
 529 |     LIST_ENTRY InLoadOrderLinks;
 530 |     LIST_ENTRY InMemoryOrderLinks;
 531 |     LIST_ENTRY InInitializationOrderLinks;
 532 |     PVOID DllBase;
 533 |     PVOID EntryPoint;
 534 |     ULONG SizeOfImage;
 535 |     UNICODE_STRING FullDllName;
 536 |     UNICODE_STRING BaseDllName;
 537 |     ULONG Flags;
 538 |     USHORT LoadCount;
 539 |     USHORT TlsIndex;
 540 |     LIST_ENTRY HashLinks;
 541 |     ULONG TimeDateStamp;
 542 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
 543 | 
 544 | 
 545 | typedef struct _PEB 
 546 | {
 547 |     UCHAR InheritedAddressSpace;
 548 |     UCHAR ReadImageFileExecOptions;
 549 |     UCHAR BeingDebugged;
 550 |     UCHAR BitField;
 551 |     PVOID Mutant;
 552 |     PVOID ImageBaseAddress;
 553 |     PPEB_LDR_DATA Ldr;
 554 |     PVOID ProcessParameters;
 555 |     PVOID SubSystemData;
 556 |     PVOID ProcessHeap;
 557 |     PVOID FastPebLock;
 558 |     PVOID AtlThunkSListPtr;
 559 |     PVOID IFEOKey;
 560 |     PVOID CrossProcessFlags;
 561 |     PVOID KernelCallbackTable;
 562 |     ULONG SystemReserved;
 563 |     ULONG AtlThunkSListPtr32;
 564 |     PVOID ApiSetMap;
 565 | } PEB, *PPEB;
 566 | 
 567 | typedef struct _PEB_LDR_DATA32
 568 | {
 569 |     ULONG Length;
 570 |     UCHAR Initialized;
 571 |     ULONG SsHandle;
 572 |     LIST_ENTRY32 InLoadOrderModuleList;
 573 |     LIST_ENTRY32 InMemoryOrderModuleList;
 574 |     LIST_ENTRY32 InInitializationOrderModuleList;
 575 | } PEB_LDR_DATA32, *PPEB_LDR_DATA32;
 576 | 
 577 | typedef struct _LDR_DATA_TABLE_ENTRY32
 578 | {
 579 |     LIST_ENTRY32 InLoadOrderLinks;
 580 |     LIST_ENTRY32 InMemoryOrderLinks;
 581 |     LIST_ENTRY32 InInitializationOrderLinks;
 582 |     ULONG DllBase;
 583 |     ULONG EntryPoint;
 584 |     ULONG SizeOfImage;
 585 |     UNICODE_STRING32 FullDllName;
 586 |     UNICODE_STRING32 BaseDllName;
 587 |     ULONG Flags;
 588 |     USHORT LoadCount;
 589 |     USHORT TlsIndex;
 590 |     LIST_ENTRY32 HashLinks;
 591 |     ULONG TimeDateStamp;
 592 | } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
 593 | 
 594 | typedef struct _PEB32
 595 | {
 596 |     UCHAR InheritedAddressSpace;
 597 |     UCHAR ReadImageFileExecOptions;
 598 |     UCHAR BeingDebugged;
 599 |     UCHAR BitField;
 600 |     ULONG Mutant;
 601 |     ULONG ImageBaseAddress;
 602 |     ULONG Ldr;
 603 |     ULONG ProcessParameters;
 604 |     ULONG SubSystemData;
 605 |     ULONG ProcessHeap;
 606 |     ULONG FastPebLock;
 607 |     ULONG AtlThunkSListPtr;
 608 |     ULONG IFEOKey;
 609 |     ULONG CrossProcessFlags;
 610 |     ULONG UserSharedInfoPtr;
 611 |     ULONG SystemReserved;
 612 |     ULONG AtlThunkSListPtr32;
 613 |     ULONG ApiSetMap;
 614 | } PEB32, *PPEB32;
 615 | 
 616 | typedef struct _WOW64_PROCESS 
 617 | {
 618 |     PPEB32 Wow64;
 619 | } WOW64_PROCESS, *PWOW64_PROCESS;
 620 | 
 621 | typedef union _WOW64_APC_CONTEXT 
 622 | {
 623 |     struct 
 624 |     {
 625 |         ULONG Apc32BitContext;
 626 |         ULONG Apc32BitRoutine;
 627 |     };
 628 | 
 629 |     PVOID Apc64BitContext;
 630 | 
 631 | } WOW64_APC_CONTEXT, *PWOW64_APC_CONTEXT;
 632 | 
 633 | typedef struct _NON_PAGED_DEBUG_INFO
 634 | {
 635 |     USHORT      Signature;
 636 |     USHORT      Flags;
 637 |     ULONG       Size;
 638 |     USHORT      Machine;
 639 |     USHORT      Characteristics;
 640 |     ULONG       TimeDateStamp;
 641 |     ULONG       CheckSum;
 642 |     ULONG       SizeOfImage;
 643 |     ULONGLONG   ImageBase;
 644 | } NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;
 645 | 
 646 | typedef struct _KLDR_DATA_TABLE_ENTRY
 647 | {
 648 |     LIST_ENTRY InLoadOrderLinks;
 649 |     PVOID ExceptionTable;
 650 |     ULONG ExceptionTableSize;
 651 |     // ULONG padding on IA64
 652 |     PVOID GpValue;
 653 |     PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;
 654 |     PVOID DllBase;
 655 |     PVOID EntryPoint;
 656 |     ULONG SizeOfImage;
 657 |     UNICODE_STRING FullDllName;
 658 |     UNICODE_STRING BaseDllName;
 659 |     ULONG Flags;
 660 |     USHORT LoadCount;
 661 |     USHORT __Unused5;
 662 |     PVOID SectionPointer;
 663 |     ULONG CheckSum;
 664 |     // ULONG padding on IA64
 665 |     PVOID LoadedImports;
 666 |     PVOID PatchInformation;
 667 | } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
 668 | 
 669 | 
 670 | //
 671 | // This structure is used by the debugger for all targets
 672 | // It is the same size as DBGKD_DATA_HEADER on all systems
 673 | //
 674 | typedef struct _DBGKD_DEBUG_DATA_HEADER64 {
 675 | 
 676 |     //
 677 |     // Link to other blocks
 678 |     //
 679 | 
 680 |     LIST_ENTRY64 List;
 681 | 
 682 |     //
 683 |     // This is a unique tag to identify the owner of the block.
 684 |     // If your component only uses one pool tag, use it for this, too.
 685 |     //
 686 | 
 687 |     ULONG           OwnerTag;
 688 | 
 689 |     //
 690 |     // This must be initialized to the size of the data block,
 691 |     // including this structure.
 692 |     //
 693 | 
 694 |     ULONG           Size;
 695 | 
 696 | } DBGKD_DEBUG_DATA_HEADER64, *PDBGKD_DEBUG_DATA_HEADER64;
 697 | 
 698 | 
 699 | //
 700 | // This structure is the same size on all systems.  The only field
 701 | // which must be translated by the debugger is Header.List.
 702 | //
 703 | 
 704 | //
 705 | // DO NOT ADD OR REMOVE FIELDS FROM THE MIDDLE OF THIS STRUCTURE!!!
 706 | //
 707 | // If you remove a field, replace it with an "unused" placeholder.
 708 | // Do not reuse fields until there has been enough time for old debuggers
 709 | // and extensions to age out.
 710 | //
 711 | typedef struct _KDDEBUGGER_DATA64 {
 712 | 
 713 |     DBGKD_DEBUG_DATA_HEADER64 Header;
 714 | 
 715 |     //
 716 |     // Base address of kernel image
 717 |     //
 718 | 
 719 |     ULONG64   KernBase;
 720 | 
 721 |     //
 722 |     // DbgBreakPointWithStatus is a function which takes an argument
 723 |     // and hits a breakpoint.  This field contains the address of the
 724 |     // breakpoint instruction.  When the debugger sees a breakpoint
 725 |     // at this address, it may retrieve the argument from the first
 726 |     // argument register, or on x86 the eax register.
 727 |     //
 728 | 
 729 |     ULONG64   BreakpointWithStatus;       // address of breakpoint
 730 | 
 731 |     //
 732 |     // Address of the saved context record during a bugcheck
 733 |     //
 734 |     // N.B. This is an automatic in KeBugcheckEx's frame, and
 735 |     // is only valid after a bugcheck.
 736 |     //
 737 | 
 738 |     ULONG64   SavedContext;
 739 | 
 740 |     //
 741 |     // help for walking stacks with user callbacks:
 742 |     //
 743 | 
 744 |     //
 745 |     // The address of the thread structure is provided in the
 746 |     // WAIT_STATE_CHANGE packet.  This is the offset from the base of
 747 |     // the thread structure to the pointer to the kernel stack frame
 748 |     // for the currently active usermode callback.
 749 |     //
 750 | 
 751 |     USHORT  ThCallbackStack;            // offset in thread data
 752 | 
 753 |     //
 754 |     // these values are offsets into that frame:
 755 |     //
 756 | 
 757 |     USHORT  NextCallback;               // saved pointer to next callback frame
 758 |     USHORT  FramePointer;               // saved frame pointer
 759 | 
 760 |     //
 761 |     // pad to a quad boundary
 762 |     //
 763 |     USHORT  PaeEnabled;
 764 | 
 765 |     //
 766 |     // Address of the kernel callout routine.
 767 |     //
 768 | 
 769 |     ULONG64   KiCallUserMode;             // kernel routine
 770 | 
 771 |     //
 772 |     // Address of the usermode entry point for callbacks.
 773 |     //
 774 | 
 775 |     ULONG64   KeUserCallbackDispatcher;   // address in ntdll
 776 | 
 777 | 
 778 |     //
 779 |     // Addresses of various kernel data structures and lists
 780 |     // that are of interest to the kernel debugger.
 781 |     //
 782 | 
 783 |     ULONG64   PsLoadedModuleList;
 784 |     ULONG64   PsActiveProcessHead;
 785 |     ULONG64   PspCidTable;
 786 | 
 787 |     ULONG64   ExpSystemResourcesList;
 788 |     ULONG64   ExpPagedPoolDescriptor;
 789 |     ULONG64   ExpNumberOfPagedPools;
 790 | 
 791 |     ULONG64   KeTimeIncrement;
 792 |     ULONG64   KeBugCheckCallbackListHead;
 793 |     ULONG64   KiBugcheckData;
 794 | 
 795 |     ULONG64   IopErrorLogListHead;
 796 | 
 797 |     ULONG64   ObpRootDirectoryObject;
 798 |     ULONG64   ObpTypeObjectType;
 799 | 
 800 |     ULONG64   MmSystemCacheStart;
 801 |     ULONG64   MmSystemCacheEnd;
 802 |     ULONG64   MmSystemCacheWs;
 803 | 
 804 |     ULONG64   MmPfnDatabase;
 805 |     ULONG64   MmSystemPtesStart;
 806 |     ULONG64   MmSystemPtesEnd;
 807 |     ULONG64   MmSubsectionBase;
 808 |     ULONG64   MmNumberOfPagingFiles;
 809 | 
 810 |     ULONG64   MmLowestPhysicalPage;
 811 |     ULONG64   MmHighestPhysicalPage;
 812 |     ULONG64   MmNumberOfPhysicalPages;
 813 | 
 814 |     ULONG64   MmMaximumNonPagedPoolInBytes;
 815 |     ULONG64   MmNonPagedSystemStart;
 816 |     ULONG64   MmNonPagedPoolStart;
 817 |     ULONG64   MmNonPagedPoolEnd;
 818 | 
 819 |     ULONG64   MmPagedPoolStart;
 820 |     ULONG64   MmPagedPoolEnd;
 821 |     ULONG64   MmPagedPoolInformation;
 822 |     ULONG64   MmPageSize;
 823 | 
 824 |     ULONG64   MmSizeOfPagedPoolInBytes;
 825 | 
 826 |     ULONG64   MmTotalCommitLimit;
 827 |     ULONG64   MmTotalCommittedPages;
 828 |     ULONG64   MmSharedCommit;
 829 |     ULONG64   MmDriverCommit;
 830 |     ULONG64   MmProcessCommit;
 831 |     ULONG64   MmPagedPoolCommit;
 832 |     ULONG64   MmExtendedCommit;
 833 | 
 834 |     ULONG64   MmZeroedPageListHead;
 835 |     ULONG64   MmFreePageListHead;
 836 |     ULONG64   MmStandbyPageListHead;
 837 |     ULONG64   MmModifiedPageListHead;
 838 |     ULONG64   MmModifiedNoWritePageListHead;
 839 |     ULONG64   MmAvailablePages;
 840 |     ULONG64   MmResidentAvailablePages;
 841 | 
 842 |     ULONG64   PoolTrackTable;
 843 |     ULONG64   NonPagedPoolDescriptor;
 844 | 
 845 |     ULONG64   MmHighestUserAddress;
 846 |     ULONG64   MmSystemRangeStart;
 847 |     ULONG64   MmUserProbeAddress;
 848 | 
 849 |     ULONG64   KdPrintCircularBuffer;
 850 |     ULONG64   KdPrintCircularBufferEnd;
 851 |     ULONG64   KdPrintWritePointer;
 852 |     ULONG64   KdPrintRolloverCount;
 853 | 
 854 |     ULONG64   MmLoadedUserImageList;
 855 | 
 856 |     // NT 5.1 Addition
 857 | 
 858 |     ULONG64   NtBuildLab;
 859 |     ULONG64   KiNormalSystemCall;
 860 | 
 861 |     // NT 5.0 hotfix addition
 862 | 
 863 |     ULONG64   KiProcessorBlock;
 864 |     ULONG64   MmUnloadedDrivers;
 865 |     ULONG64   MmLastUnloadedDriver;
 866 |     ULONG64   MmTriageActionTaken;
 867 |     ULONG64   MmSpecialPoolTag;
 868 |     ULONG64   KernelVerifier;
 869 |     ULONG64   MmVerifierData;
 870 |     ULONG64   MmAllocatedNonPagedPool;
 871 |     ULONG64   MmPeakCommitment;
 872 |     ULONG64   MmTotalCommitLimitMaximum;
 873 |     ULONG64   CmNtCSDVersion;
 874 | 
 875 |     // NT 5.1 Addition
 876 | 
 877 |     ULONG64   MmPhysicalMemoryBlock;
 878 |     ULONG64   MmSessionBase;
 879 |     ULONG64   MmSessionSize;
 880 |     ULONG64   MmSystemParentTablePage;
 881 | 
 882 |     // Server 2003 addition
 883 | 
 884 |     ULONG64   MmVirtualTranslationBase;
 885 | 
 886 |     USHORT    OffsetKThreadNextProcessor;
 887 |     USHORT    OffsetKThreadTeb;
 888 |     USHORT    OffsetKThreadKernelStack;
 889 |     USHORT    OffsetKThreadInitialStack;
 890 | 
 891 |     USHORT    OffsetKThreadApcProcess;
 892 |     USHORT    OffsetKThreadState;
 893 |     USHORT    OffsetKThreadBStore;
 894 |     USHORT    OffsetKThreadBStoreLimit;
 895 | 
 896 |     USHORT    SizeEProcess;
 897 |     USHORT    OffsetEprocessPeb;
 898 |     USHORT    OffsetEprocessParentCID;
 899 |     USHORT    OffsetEprocessDirectoryTableBase;
 900 | 
 901 |     USHORT    SizePrcb;
 902 |     USHORT    OffsetPrcbDpcRoutine;
 903 |     USHORT    OffsetPrcbCurrentThread;
 904 |     USHORT    OffsetPrcbMhz;
 905 | 
 906 |     USHORT    OffsetPrcbCpuType;
 907 |     USHORT    OffsetPrcbVendorString;
 908 |     USHORT    OffsetPrcbProcStateContext;
 909 |     USHORT    OffsetPrcbNumber;
 910 | 
 911 |     USHORT    SizeEThread;
 912 | 
 913 |     ULONG64   KdPrintCircularBufferPtr;
 914 |     ULONG64   KdPrintBufferSize;
 915 | 
 916 |     ULONG64   KeLoaderBlock;
 917 | 
 918 |     USHORT    SizePcr;
 919 |     USHORT    OffsetPcrSelfPcr;
 920 |     USHORT    OffsetPcrCurrentPrcb;
 921 |     USHORT    OffsetPcrContainedPrcb;
 922 | 
 923 |     USHORT    OffsetPcrInitialBStore;
 924 |     USHORT    OffsetPcrBStoreLimit;
 925 |     USHORT    OffsetPcrInitialStack;
 926 |     USHORT    OffsetPcrStackLimit;
 927 | 
 928 |     USHORT    OffsetPrcbPcrPage;
 929 |     USHORT    OffsetPrcbProcStateSpecialReg;
 930 |     USHORT    GdtR0Code;
 931 |     USHORT    GdtR0Data;
 932 | 
 933 |     USHORT    GdtR0Pcr;
 934 |     USHORT    GdtR3Code;
 935 |     USHORT    GdtR3Data;
 936 |     USHORT    GdtR3Teb;
 937 | 
 938 |     USHORT    GdtLdt;
 939 |     USHORT    GdtTss;
 940 |     USHORT    Gdt64R3CmCode;
 941 |     USHORT    Gdt64R3CmTeb;
 942 | 
 943 |     ULONG64   IopNumTriageDumpDataBlocks;
 944 |     ULONG64   IopTriageDumpDataBlocks;
 945 | 
 946 |     // Longhorn addition
 947 | 
 948 |     ULONG64   VfCrashDataBlock;
 949 |     ULONG64   MmBadPagesDetected;
 950 |     ULONG64   MmZeroedPageSingleBitErrorsDetected;
 951 | 
 952 |     // Windows 7 addition
 953 | 
 954 |     ULONG64   EtwpDebuggerData;
 955 |     USHORT    OffsetPrcbContext;
 956 | 
 957 |     // Windows 8 addition
 958 | 
 959 |     USHORT    OffsetPrcbMaxBreakpoints;
 960 |     USHORT    OffsetPrcbMaxWatchpoints;
 961 | 
 962 |     ULONG     OffsetKThreadStackLimit;
 963 |     ULONG     OffsetKThreadStackBase;
 964 |     ULONG     OffsetKThreadQueueListEntry;
 965 |     ULONG     OffsetEThreadIrpList;
 966 | 
 967 |     USHORT    OffsetPrcbIdleThread;
 968 |     USHORT    OffsetPrcbNormalDpcState;
 969 |     USHORT    OffsetPrcbDpcStack;
 970 |     USHORT    OffsetPrcbIsrStack;
 971 | 
 972 |     USHORT    SizeKDPC_STACK_FRAME;
 973 | 
 974 |     // Windows 8.1 Addition
 975 | 
 976 |     USHORT    OffsetKPriQueueThreadListHead;
 977 |     USHORT    OffsetKThreadWaitReason;
 978 | 
 979 |     // Windows 10 RS1 Addition
 980 | 
 981 |     USHORT    Padding;
 982 |     ULONG64   PteBase;
 983 | 
 984 |     // Windows 10 RS5 Addition
 985 | 
 986 |     ULONG64 RetpolineStubFunctionTable;
 987 |     ULONG RetpolineStubFunctionTableSize;
 988 |     ULONG RetpolineStubOffset;
 989 |     ULONG RetpolineStubSize;
 990 | 
 991 | } KDDEBUGGER_DATA64, *PKDDEBUGGER_DATA64;
 992 | 
 993 | 
 994 | typedef struct _DUMP_HEADER
 995 | {
 996 |     ULONG Signature;
 997 |     ULONG ValidDump;
 998 |     ULONG MajorVersion;
 999 |     ULONG MinorVersion;
1000 |     ULONG_PTR DirectoryTableBase;
1001 |     ULONG_PTR PfnDataBase;
1002 |     PLIST_ENTRY PsLoadedModuleList;
1003 |     PLIST_ENTRY PsActiveProcessHead;
1004 |     ULONG MachineImageType;
1005 |     ULONG NumberProcessors;
1006 |     ULONG BugCheckCode;
1007 |     ULONG_PTR BugCheckParameter1;
1008 |     ULONG_PTR BugCheckParameter2;
1009 |     ULONG_PTR BugCheckParameter3;
1010 |     ULONG_PTR BugCheckParameter4;
1011 |     CHAR VersionUser[32];
1012 |     struct _KDDEBUGGER_DATA64 *KdDebuggerDataBlock;
1013 | } DUMP_HEADER, *PDUMP_HEADER;
1014 | 
1015 | /*
1016 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, Signature ) == 0 );
1017 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, ValidDump ) == 4 );
1018 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MajorVersion ) == 8 );
1019 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MinorVersion ) == 0xc );
1020 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, DirectoryTableBase ) == 0x10 );
1021 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PfnDataBase ) == 0x18 );
1022 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PsLoadedModuleList ) == 0x20 );
1023 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PsActiveProcessHead ) == 0x28 );
1024 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MachineImageType ) == 0x30 );
1025 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, NumberProcessors ) == 0x34 );
1026 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckCode ) == 0x38 );
1027 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter1 ) == 0x40 );
1028 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter2 ) == 0x48 );
1029 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter3 ) == 0x50 );
1030 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter4 ) == 0x58 );
1031 | C_ASSERT( FIELD_OFFSET( DUMP_HEADER, KdDebuggerDataBlock ) == 0x80 );
1032 | */
1033 | 
1034 | extern KDDEBUGGER_DATA64 g_KdBlock;


--------------------------------------------------------------------------------
/KernelDraw/NativeStructs10.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | //
  4 | // Native structures W10 technical preview x64, build 9841
  5 | //
  6 | #pragma warning(disable : 4214 4201)
  7 | #pragma pack(push, 1)
  8 | 
  9 | typedef struct _MM_AVL_NODE // Size=24
 10 | {
 11 |     struct _MM_AVL_NODE * LeftChild; // Size=8 Offset=0
 12 |     struct _MM_AVL_NODE * RightChild; // Size=8 Offset=8
 13 | 
 14 |     union ___unnamed1666 // Size=8
 15 |     {
 16 |         struct
 17 |         {
 18 |             __int64 Balance : 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
 19 |         };
 20 |         struct _MM_AVL_NODE * Parent; // Size=8 Offset=0
 21 |     } u1;
 22 | } MM_AVL_NODE, *PMM_AVL_NODE, *PMMADDRESS_NODE;
 23 | 
 24 | typedef struct _RTL_AVL_TREE // Size=8
 25 | {
 26 |     PMM_AVL_NODE BalancedRoot;
 27 |     void * NodeHint;
 28 |     unsigned __int64 NumberGenericTableElements; 
 29 | } RTL_AVL_TREE, *PRTL_AVL_TREE, MM_AVL_TABLE, *PMM_AVL_TABLE;
 30 | 
 31 | union _EX_PUSH_LOCK // Size=8
 32 | {
 33 |     struct
 34 |     {
 35 |         unsigned __int64 Locked : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
 36 |         unsigned __int64 Waiting : 1; // Size=8 Offset=0 BitOffset=1 BitCount=1
 37 |         unsigned __int64 Waking : 1; // Size=8 Offset=0 BitOffset=2 BitCount=1
 38 |         unsigned __int64 MultipleShared : 1; // Size=8 Offset=0 BitOffset=3 BitCount=1
 39 |         unsigned __int64 Shared : 60; // Size=8 Offset=0 BitOffset=4 BitCount=60
 40 |     };
 41 |     unsigned __int64 Value; // Size=8 Offset=0
 42 |     void * Ptr; // Size=8 Offset=0
 43 | };
 44 | 
 45 | struct _MMVAD_FLAGS // Size=4
 46 | {
 47 |     unsigned long VadType: 3; // Size=4 Offset=0 BitOffset=0 BitCount=3
 48 |     unsigned long Protection: 5; // Size=4 Offset=0 BitOffset=3 BitCount=5
 49 |     unsigned long PreferredNode: 6; // Size=4 Offset=0 BitOffset=8 BitCount=6
 50 |     unsigned long NoChange: 1; // Size=4 Offset=0 BitOffset=14 BitCount=1
 51 |     unsigned long PrivateMemory: 1; // Size=4 Offset=0 BitOffset=15 BitCount=1
 52 |     unsigned long Teb: 1; // Size=4 Offset=0 BitOffset=16 BitCount=1
 53 |     unsigned long PrivateFixup: 1; // Size=4 Offset=0 BitOffset=17 BitCount=1
 54 |     unsigned long ManySubsections: 1; // Size=4 Offset=0 BitOffset=18 BitCount=1
 55 |     unsigned long Spare: 12; // Size=4 Offset=0 BitOffset=19 BitCount=12
 56 |     unsigned long DeleteInProgress: 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
 57 | };
 58 | struct _MMVAD_FLAGS1 // Size=4
 59 | {
 60 |     unsigned long CommitCharge : 31; // Size=4 Offset=0 BitOffset=0 BitCount=31
 61 |     unsigned long MemCommit : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
 62 | };
 63 | 
 64 | struct _MMVAD_FLAGS2 // Size=4
 65 | {
 66 |     unsigned long FileOffset : 24; // Size=4 Offset=0 BitOffset=0 BitCount=24
 67 |     unsigned long Large : 1; // Size=4 Offset=0 BitOffset=24 BitCount=1
 68 |     unsigned long TrimBehind : 1; // Size=4 Offset=0 BitOffset=25 BitCount=1
 69 |     unsigned long Inherit : 1; // Size=4 Offset=0 BitOffset=26 BitCount=1
 70 |     unsigned long CopyOnWrite : 1; // Size=4 Offset=0 BitOffset=27 BitCount=1
 71 |     unsigned long NoValidationNeeded : 1; // Size=4 Offset=0 BitOffset=28 BitCount=1
 72 |     unsigned long Spare : 3; // Size=4 Offset=0 BitOffset=29 BitCount=3
 73 | };
 74 | 
 75 | struct _MI_VAD_SEQUENTIAL_INFO // Size=8
 76 | {
 77 |     unsigned __int64 Length : 12; // Size=8 Offset=0 BitOffset=0 BitCount=12
 78 |     unsigned __int64 Vpn : 52; // Size=8 Offset=0 BitOffset=12 BitCount=52
 79 | };
 80 | 
 81 | union ___unnamed1951 // Size=4
 82 | {
 83 |     unsigned long LongFlags; // Size=4 Offset=0
 84 |     struct _MMVAD_FLAGS VadFlags; // Size=4 Offset=0
 85 | };
 86 | 
 87 | union ___unnamed1952 // Size=4
 88 | {
 89 |     unsigned long LongFlags1; // Size=4 Offset=0
 90 |     struct _MMVAD_FLAGS1 VadFlags1; // Size=4 Offset=0
 91 | };
 92 | 
 93 | union ___unnamed2047 // Size=4
 94 | {
 95 |     unsigned long LongFlags2; // Size=4 Offset=0
 96 |     struct _MMVAD_FLAGS2 VadFlags2; // Size=4 Offset=0
 97 | };
 98 | 
 99 | union ___unnamed2048 // Size=8
100 | {
101 |     struct _MI_VAD_SEQUENTIAL_INFO SequentialVa; // Size=8 Offset=0
102 |     struct _MMEXTEND_INFO * ExtendedInfo; // Size=8 Offset=0
103 | };
104 | 
105 | typedef struct _MMVAD_SHORT // Size=64
106 | {
107 |     union
108 |     {
109 |         struct _RTL_BALANCED_NODE VadNode; // Size=24 Offset=0
110 |         struct _MMVAD_SHORT * NextVad; // Size=8 Offset=0
111 |     };
112 |     unsigned long StartingVpn; // Size=4 Offset=24
113 |     unsigned long EndingVpn; // Size=4 Offset=28
114 |     unsigned char StartingVpnHigh; // Size=1 Offset=32
115 |     unsigned char EndingVpnHigh; // Size=1 Offset=33
116 |     unsigned char CommitChargeHigh; // Size=1 Offset=34
117 |     unsigned char SpareNT64VadUChar; // Size=1 Offset=35
118 |     long ReferenceCount; // Size=4 Offset=36
119 |     union _EX_PUSH_LOCK PushLock; // Size=8 Offset=40
120 |     union ___unnamed1951 u; // Size=4 Offset=48
121 |     union ___unnamed1952 u1; // Size=4 Offset=52
122 |     struct _MI_VAD_EVENT_BLOCK * EventList; // Size=8 Offset=56
123 | } MMVAD_SHORT, *PMMVAD_SHORT;
124 | 
125 | 
126 | typedef struct _MMVAD // Size=128
127 | {
128 |     struct _MMVAD_SHORT Core; // Size=64 Offset=0
129 |     union ___unnamed2047 u2; // Size=4 Offset=64
130 |     unsigned long pad0;  // Size=4 Offset=68
131 |     struct _SUBSECTION * Subsection; // Size=8 Offset=72
132 |     struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
133 |     struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
134 |     struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
135 |     struct _EPROCESS * VadsProcess; // Size=8 Offset=112
136 |     union ___unnamed2048 u4; // Size=8 Offset=120
137 |     struct _FILE_OBJECT * FileObject; // Size=8 Offset=128
138 | } MMVAD, *PMMVAD;
139 | #pragma pack(pop)
140 | 
141 | typedef struct _HANDLE_TABLE
142 | {
143 |     ULONG NextHandleNeedingPool;
144 |     long ExtraInfoPages;
145 |     LONG_PTR TableCode;
146 |     PEPROCESS QuotaProcess;
147 |     LIST_ENTRY HandleTableList;
148 |     ULONG UniqueProcessId;
149 |     ULONG Flags;
150 |     EX_PUSH_LOCK HandleContentionEvent;
151 |     EX_PUSH_LOCK HandleTableLock;
152 |     // More fields here...
153 | } HANDLE_TABLE, *PHANDLE_TABLE;
154 | 
155 | typedef struct _API_SET_VALUE_ENTRY_10
156 | {
157 |     ULONG Flags;
158 |     ULONG NameOffset;
159 |     ULONG NameLength;
160 |     ULONG ValueOffset;
161 |     ULONG ValueLength;
162 | } API_SET_VALUE_ENTRY_10, *PAPI_SET_VALUE_ENTRY_10;
163 | 
164 | typedef struct _API_SET_VALUE_ARRAY_10
165 | {
166 |     ULONG Flags;
167 |     ULONG NameOffset;
168 |     ULONG Unk;
169 |     ULONG NameLength;
170 |     ULONG DataOffset;
171 |     ULONG Count;
172 | } API_SET_VALUE_ARRAY_10, *PAPI_SET_VALUE_ARRAY_10;
173 | 
174 | typedef struct _API_SET_NAMESPACE_ENTRY_10
175 | {
176 |     ULONG Limit;
177 |     ULONG Size;
178 | } API_SET_NAMESPACE_ENTRY_10, *PAPI_SET_NAMESPACE_ENTRY_10;
179 | 
180 | typedef struct _API_SET_NAMESPACE_ARRAY_10
181 | {
182 |     ULONG Version;
183 |     ULONG Size;
184 |     ULONG Flags;
185 |     ULONG Count;
186 |     ULONG Start;
187 |     ULONG End;
188 |     ULONG Unk[2];
189 | } API_SET_NAMESPACE_ARRAY_10, *PAPI_SET_NAMESPACE_ARRAY_10;
190 | 
191 | #pragma warning(default : 4214 4201)
192 | 
193 | #define GET_VAD_ROOT(Table) Table->BalancedRoot


--------------------------------------------------------------------------------
/KernelDraw/NativeStructs7.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | //
  4 | // Native structures W7 x64 SP1
  5 | //
  6 | #pragma warning(disable : 4214 4201)
  7 | 
  8 | struct _MMVAD_FLAGS // Size=8
  9 | {
 10 |     unsigned __int64 CommitCharge: 51; // Size=8 Offset=0 BitOffset=0 BitCount=51
 11 |     unsigned __int64 NoChange: 1; // Size=8 Offset=0 BitOffset=51 BitCount=1
 12 |     unsigned __int64 VadType: 3; // Size=8 Offset=0 BitOffset=52 BitCount=3
 13 |     unsigned __int64 MemCommit: 1; // Size=8 Offset=0 BitOffset=55 BitCount=1
 14 |     unsigned __int64 Protection: 5; // Size=8 Offset=0 BitOffset=56 BitCount=5
 15 |     unsigned __int64 Spare: 2; // Size=8 Offset=0 BitOffset=61 BitCount=2
 16 |     unsigned __int64 PrivateMemory: 1; // Size=8 Offset=0 BitOffset=63 BitCount=1
 17 | };
 18 | 
 19 | struct _MMVAD_FLAGS3 // Size=8
 20 | {
 21 |     unsigned __int64 PreferredNode: 6; // Size=8 Offset=0 BitOffset=0 BitCount=6
 22 |     unsigned __int64 Teb: 1; // Size=8 Offset=0 BitOffset=6 BitCount=1
 23 |     unsigned __int64 Spare: 1; // Size=8 Offset=0 BitOffset=7 BitCount=1
 24 |     unsigned __int64 SequentialAccess: 1; // Size=8 Offset=0 BitOffset=8 BitCount=1
 25 |     unsigned __int64 LastSequentialTrim: 15; // Size=8 Offset=0 BitOffset=9 BitCount=15
 26 |     unsigned __int64 Spare2: 8; // Size=8 Offset=0 BitOffset=24 BitCount=8
 27 |     unsigned __int64 LargePageCreating: 1; // Size=8 Offset=0 BitOffset=32 BitCount=1
 28 |     unsigned __int64 Spare3: 31; // Size=8 Offset=0 BitOffset=33 BitCount=31
 29 | };
 30 | 
 31 | struct _MMVAD_FLAGS2 // Size=4
 32 | {
 33 |     unsigned int FileOffset: 24; // Size=4 Offset=0 BitOffset=0 BitCount=24
 34 |     unsigned int SecNoChange: 1; // Size=4 Offset=0 BitOffset=24 BitCount=1
 35 |     unsigned int OneSecured: 1; // Size=4 Offset=0 BitOffset=25 BitCount=1
 36 |     unsigned int MultipleSecured: 1; // Size=4 Offset=0 BitOffset=26 BitCount=1
 37 |     unsigned int Spare: 1; // Size=4 Offset=0 BitOffset=27 BitCount=1
 38 |     unsigned int LongVad: 1; // Size=4 Offset=0 BitOffset=28 BitCount=1
 39 |     unsigned int ExtendableFile: 1; // Size=4 Offset=0 BitOffset=29 BitCount=1
 40 |     unsigned int Inherit: 1; // Size=4 Offset=0 BitOffset=30 BitCount=1
 41 |     unsigned int CopyOnWrite: 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
 42 | };
 43 | 
 44 | struct _MMSECURE_FLAGS // Size=4
 45 | {
 46 |     unsigned long ReadOnly: 1; // Size=4 Offset=0 BitOffset=0 BitCount=1
 47 |     unsigned long NoWrite: 1; // Size=4 Offset=0 BitOffset=1 BitCount=1
 48 |     unsigned long Spare: 10; // Size=4 Offset=0 BitOffset=2 BitCount=10
 49 | };
 50 | 
 51 | union ___unnamed710 // Size=8
 52 | {
 53 |     struct
 54 |     {
 55 |         __int64 Balance: 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
 56 |     };
 57 |     struct _MMADDRESS_NODE * Parent; // Size=8 Offset=0
 58 | };
 59 | 
 60 | union ___unnamed712 // Size=8
 61 | {
 62 |     unsigned __int64 LongFlags; // Size=8 Offset=0
 63 |     struct _MMVAD_FLAGS VadFlags; // Size=8 Offset=0
 64 | };
 65 | union ___unnamed713 // Size=8
 66 | {
 67 |     unsigned __int64 LongFlags3; // Size=8 Offset=0
 68 |     struct _MMVAD_FLAGS3 VadFlags3; // Size=8 Offset=0
 69 | };
 70 | 
 71 | union ___unnamed715 // Size=4
 72 | {
 73 |     unsigned long LongFlags2; // Size=4 Offset=0
 74 |     struct _MMVAD_FLAGS2 VadFlags2; // Size=4 Offset=0
 75 | };
 76 | 
 77 | union ___unnamed1322 // Size=8
 78 | {
 79 |     struct _MMSECURE_FLAGS Flags; // Size=4 Offset=0
 80 |     void * StartVa; // Size=8 Offset=0
 81 | };
 82 | 
 83 | struct _MMADDRESS_LIST // Size=16
 84 | {
 85 |     union ___unnamed1322 u1; // Size=8 Offset=0
 86 |     void * EndVa; // Size=8 Offset=8
 87 | };
 88 | 
 89 | union ___unnamed1319 // Size=16
 90 | {
 91 |     struct _LIST_ENTRY List; // Size=16 Offset=0
 92 |     struct _MMADDRESS_LIST Secured; // Size=16 Offset=0
 93 | };
 94 | 
 95 | union ___unnamed1320 // Size=8
 96 | {
 97 |     struct _MMBANKED_SECTION * Banked; // Size=8 Offset=0
 98 |     struct _MMEXTEND_INFO * ExtendedInfo; // Size=8 Offset=0
 99 | };
100 | 
101 | typedef struct _MMADDRESS_NODE // Size=40
102 | {
103 |     union ___unnamed710 u1;
104 |     struct _MMADDRESS_NODE * LeftChild; // Size=8 Offset=8
105 |     struct _MMADDRESS_NODE * RightChild; // Size=8 Offset=16
106 |     unsigned __int64 StartingVpn; // Size=8 Offset=24
107 |     unsigned __int64 EndingVpn; // Size=8 Offset=32
108 | 
109 | } MMADDRESS_NODE, *PMMADDRESS_NODE, *PMM_AVL_NODE;
110 | 
111 | typedef struct _MM_AVL_TABLE // Size=64
112 | {
113 |     struct _MMADDRESS_NODE BalancedRoot; // Size=40 Offset=0
114 |     struct
115 |     {
116 |         unsigned __int64 DepthOfTree: 5; // Size=8 Offset=40 BitOffset=0 BitCount=5
117 |         unsigned __int64 Unused: 3; // Size=8 Offset=40 BitOffset=5 BitCount=3
118 |         unsigned __int64 NumberGenericTableElements: 56; // Size=8 Offset=40 BitOffset=8 BitCount=56
119 |     };
120 |     void * NodeHint; // Size=8 Offset=48
121 |     void * NodeFreeHint; // Size=8 Offset=56
122 | 
123 | } MM_AVL_TABLE, *PMM_AVL_TABLE;
124 | 
125 | typedef struct _MMVAD_SHORT // Size=64
126 | {
127 |     union ___unnamed710 u1; // Size=8 Offset=0
128 |     struct _MMVAD * LeftChild; // Size=8 Offset=8
129 |     struct _MMVAD * RightChild; // Size=8 Offset=16
130 |     unsigned __int64 StartingVpn; // Size=8 Offset=24
131 |     unsigned __int64 EndingVpn; // Size=8 Offset=32
132 |     union ___unnamed712 u; // Size=8 Offset=40
133 |     void * PushLock; // Size=8 Offset=48
134 |     union ___unnamed713 u5; // Size=8 Offset=56
135 | } MMVAD_SHORT, *PMMVAD_SHORT;
136 | 
137 | typedef struct _MMVAD // Size=120
138 | {
139 |     MMVAD_SHORT vadShort;
140 |     union ___unnamed715 u2; // Size=4 Offset=64
141 |     unsigned long pad0; // Size=4 Offset=68
142 |     struct _SUBSECTION * Subsection; // Size=8 Offset=72
143 |     struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
144 |     struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
145 |     struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
146 |     struct _EPROCESS * VadsProcess; // Size=8 Offset=112
147 | } MMVAD, *PMMVAD;
148 | 
149 | typedef struct _MMVAD_LONG // Size=144
150 | {
151 |     MMVAD vad;
152 |     union ___unnamed1319 u3; // Size=16 Offset=120
153 |     union ___unnamed1320 u4; // Size=8 Offset=136
154 | } MMVAD_LONG, *PMMVAD_LONG;
155 | 
156 | typedef struct _HANDLE_TABLE
157 | {
158 |     ULONG_PTR TableCode;
159 |     struct _EPROCESS *QuotaProcess;
160 |     HANDLE UniqueProcessId;
161 |     void* HandleLock;
162 |     struct _LIST_ENTRY HandleTableList;
163 |     EX_PUSH_LOCK HandleContentionEvent;
164 |     struct _HANDLE_TRACE_DEBUG_INFO *DebugInfo;
165 |     int ExtraInfoPages;
166 |     ULONG Flags;
167 |     ULONG FirstFreeHandle;
168 |     struct _HANDLE_TABLE_ENTRY *LastFreeHandleEntry;
169 |     ULONG HandleCount;
170 |     ULONG NextHandleNeedingPool;
171 |     // More fields here...
172 | } HANDLE_TABLE, *PHANDLE_TABLE;
173 | 
174 | #pragma warning(default : 4214 4201)
175 | 
176 | #define GET_VAD_ROOT(Table) &Table->BalancedRoot


--------------------------------------------------------------------------------
/KernelDraw/NativeStructs8.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | //
  4 | // Native structures W8 x64
  5 | //
  6 | #pragma warning(disable : 4214 4201)
  7 | 
  8 | struct _MMVAD_FLAGS // Size=4
  9 | {
 10 |     unsigned long VadType: 3; // Size=4 Offset=0 BitOffset=0 BitCount=3
 11 |     unsigned long Protection: 5; // Size=4 Offset=0 BitOffset=3 BitCount=5
 12 |     unsigned long PreferredNode: 6; // Size=4 Offset=0 BitOffset=8 BitCount=6
 13 |     unsigned long NoChange: 1; // Size=4 Offset=0 BitOffset=14 BitCount=1
 14 |     unsigned long PrivateMemory: 1; // Size=4 Offset=0 BitOffset=15 BitCount=1
 15 |     unsigned long Teb: 1; // Size=4 Offset=0 BitOffset=16 BitCount=1
 16 |     unsigned long PrivateFixup: 1; // Size=4 Offset=0 BitOffset=17 BitCount=1
 17 |     unsigned long Spare: 13; // Size=4 Offset=0 BitOffset=18 BitCount=13
 18 |     unsigned long DeleteInProgress: 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
 19 | };
 20 | 
 21 | struct _MMVAD_FLAGS1 // Size=4
 22 | {
 23 |     unsigned long CommitCharge: 31; // Size=4 Offset=0 BitOffset=0 BitCount=31
 24 |     unsigned long MemCommit: 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
 25 | };
 26 | 
 27 | struct _MMVAD_FLAGS2 // Size=4
 28 | {
 29 |     unsigned long FileOffset: 24; // Size=4 Offset=0 BitOffset=0 BitCount=24
 30 |     unsigned long Large: 1; // Size=4 Offset=0 BitOffset=24 BitCount=1
 31 |     unsigned long TrimBehind: 1; // Size=4 Offset=0 BitOffset=25 BitCount=1
 32 |     unsigned long Inherit: 1; // Size=4 Offset=0 BitOffset=26 BitCount=1
 33 |     unsigned long CopyOnWrite: 1; // Size=4 Offset=0 BitOffset=27 BitCount=1
 34 |     unsigned long NoValidationNeeded: 1; // Size=4 Offset=0 BitOffset=28 BitCount=1
 35 |     unsigned long Spare: 3; // Size=4 Offset=0 BitOffset=29 BitCount=3
 36 | };
 37 | 
 38 | struct _MMVAD_FLAGS3 // Size=8
 39 | {
 40 |     unsigned __int64 PreferredNode: 6; // Size=8 Offset=0 BitOffset=0 BitCount=6
 41 |     unsigned __int64 Teb: 1; // Size=8 Offset=0 BitOffset=6 BitCount=1
 42 |     unsigned __int64 Spare: 1; // Size=8 Offset=0 BitOffset=7 BitCount=1
 43 |     unsigned __int64 SequentialAccess: 1; // Size=8 Offset=0 BitOffset=8 BitCount=1
 44 |     unsigned __int64 LastSequentialTrim: 15; // Size=8 Offset=0 BitOffset=9 BitCount=15
 45 |     unsigned __int64 Spare2: 8; // Size=8 Offset=0 BitOffset=24 BitCount=8
 46 |     unsigned __int64 LargePageCreating: 1; // Size=8 Offset=0 BitOffset=32 BitCount=1
 47 |     unsigned __int64 Spare3: 31; // Size=8 Offset=0 BitOffset=33 BitCount=31
 48 | };
 49 | 
 50 | struct _MMSECURE_FLAGS // Size=4
 51 | {
 52 |     unsigned long ReadOnly: 1; // Size=4 Offset=0 BitOffset=0 BitCount=1
 53 |     unsigned long NoWrite: 1; // Size=4 Offset=0 BitOffset=1 BitCount=1
 54 |     unsigned long Spare: 10; // Size=4 Offset=0 BitOffset=2 BitCount=10
 55 | };
 56 | 
 57 | struct _MI_VAD_SEQUENTIAL_INFO // Size=8
 58 | {
 59 |     unsigned __int64 Length: 12; // Size=8 Offset=0 BitOffset=0 BitCount=12
 60 |     unsigned __int64 Vpn: 52; // Size=8 Offset=0 BitOffset=12 BitCount=52
 61 | };
 62 | 
 63 | union ___unnamed1666 // Size=8
 64 | {
 65 |     struct
 66 |     {
 67 |         __int64 Balance: 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
 68 |     };
 69 |     struct _MM_AVL_NODE * Parent; // Size=8 Offset=0
 70 | };
 71 | 
 72 | union ___unnamed1784 // Size=4
 73 | {
 74 |     unsigned long LongFlags; // Size=4 Offset=0
 75 |     struct _MMVAD_FLAGS VadFlags; // Size=4 Offset=0
 76 | };
 77 | union ___unnamed1785 // Size=4
 78 | {
 79 |     unsigned long LongFlags1; // Size=4 Offset=0
 80 |     struct _MMVAD_FLAGS1 VadFlags1; // Size=4 Offset=0
 81 | };
 82 | 
 83 | union ___unnamed1883 // Size=4
 84 | {
 85 |     unsigned long LongFlags2; // Size=4 Offset=0
 86 |     struct _MMVAD_FLAGS2 VadFlags2; // Size=4 Offset=0
 87 | };
 88 | 
 89 | union ___unnamed1885 // Size=8
 90 | {
 91 |     struct _MI_VAD_SEQUENTIAL_INFO SequentialVa; // Size=8 Offset=0
 92 |     struct _MMEXTEND_INFO * ExtendedInfo; // Size=8 Offset=0
 93 | };
 94 | 
 95 | typedef struct _MM_AVL_NODE // Size=24
 96 | {
 97 |     union ___unnamed1666 u1; // Size=8 Offset=0
 98 |     struct _MM_AVL_NODE * LeftChild; // Size=8 Offset=8
 99 |     struct _MM_AVL_NODE * RightChild; // Size=8 Offset=16
100 | } MM_AVL_NODE, *PMM_AVL_NODE, *PMMADDRESS_NODE;
101 | 
102 | typedef struct _MM_AVL_TABLE // Size=48
103 | {
104 |     struct _MM_AVL_NODE BalancedRoot; // Size=24 Offset=0
105 |     struct
106 |     {
107 |         unsigned __int64 DepthOfTree: 5; // Size=8 Offset=24 BitOffset=0 BitCount=5
108 |         unsigned __int64 TableType: 3; // Size=8 Offset=24 BitOffset=5 BitCount=3
109 |         unsigned __int64 NumberGenericTableElements: 56; // Size=8 Offset=24 BitOffset=8 BitCount=56
110 |     };
111 |     void * NodeHint; // Size=8 Offset=32
112 |     void * NodeFreeHint; // Size=8 Offset=40
113 | } MM_AVL_TABLE, *PMM_AVL_TABLE;
114 | 
115 | typedef struct _MMVAD_SHORT // Size=64
116 | {
117 |     struct _MM_AVL_NODE VadNode; // Size=24 Offset=0
118 |     unsigned long StartingVpn; // Size=4 Offset=24
119 |     unsigned long EndingVpn; // Size=4 Offset=28
120 |     void * PushLock; // Size=8 Offset=32
121 |     union ___unnamed1784 u; // Size=4 Offset=40
122 |     union ___unnamed1785 u1; // Size=4 Offset=44
123 |     struct _MI_VAD_EVENT_BLOCK * EventList; // Size=8 Offset=48
124 |     long ReferenceCount; // Size=4 Offset=56
125 | } MMVAD_SHORT, *PMMVAD_SHORT;
126 | 
127 | typedef struct _MMVAD // Size=128
128 | {
129 |     struct _MMVAD_SHORT Core; // Size=64 Offset=0
130 |     union ___unnamed1883 u2; // Size=4 Offset=64
131 |     struct _SUBSECTION * Subsection; // Size=8 Offset=72
132 |     struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
133 |     struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
134 |     struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
135 |     struct _EPROCESS * VadsProcess; // Size=8 Offset=112
136 |     union ___unnamed1885 u4; // Size=8 Offset=120
137 | } MMVAD, *PMMVAD;
138 | 
139 | typedef struct _HANDLE_TABLE
140 | {
141 |     ULONG NextHandleNeedingPool;
142 |     long ExtraInfoPages;
143 |     ULONG_PTR TableCode;
144 |     struct _EPROCESS * QuotaProcess;
145 |     LIST_ENTRY HandleTableList;
146 |     ULONG UniqueProcessId;
147 |     ULONG Flags;
148 |     EX_PUSH_LOCK HandleContentionEvent;
149 |     EX_PUSH_LOCK HandleTableLock;
150 |     // More fields here...
151 | } HANDLE_TABLE, *PHANDLE_TABLE;
152 | 
153 | #pragma warning(default : 4214 4201)
154 | 
155 | #define GET_VAD_ROOT(Table) (Table->BalancedRoot.RightChild)


--------------------------------------------------------------------------------
/KernelDraw/NativeStructs81.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | //
  4 | // Native structures W8.1 x64
  5 | //
  6 | #pragma warning(disable : 4214 4201)
  7 | #pragma pack(push, 1)
  8 | 
  9 | typedef struct _MM_AVL_NODE // Size=24
 10 | {
 11 |     struct _MM_AVL_NODE * LeftChild; // Size=8 Offset=0
 12 |     struct _MM_AVL_NODE * RightChild; // Size=8 Offset=8
 13 | 
 14 |     union ___unnamed1666 // Size=8
 15 |     {
 16 |         struct
 17 |         {
 18 |             __int64 Balance : 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
 19 |         };
 20 |         struct _MM_AVL_NODE * Parent; // Size=8 Offset=0
 21 |     } u1;
 22 | } MM_AVL_NODE, *PMM_AVL_NODE, *PMMADDRESS_NODE;
 23 | 
 24 | typedef struct _RTL_AVL_TREE // Size=8
 25 | {
 26 |     PMM_AVL_NODE BalancedRoot; // Size=8 Offset=0
 27 |     void * NodeHint; // Size=8 Offset=1504
 28 |     unsigned __int64 NumberGenericTableElements; // Size=8 Offset=1512
 29 | } RTL_AVL_TREE, *PRTL_AVL_TREE, *PMM_AVL_TABLE;
 30 | 
 31 | union _EX_PUSH_LOCK // Size=8
 32 | {
 33 |     struct
 34 |     {
 35 |         unsigned __int64 Locked : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
 36 |         unsigned __int64 Waiting : 1; // Size=8 Offset=0 BitOffset=1 BitCount=1
 37 |         unsigned __int64 Waking : 1; // Size=8 Offset=0 BitOffset=2 BitCount=1
 38 |         unsigned __int64 MultipleShared : 1; // Size=8 Offset=0 BitOffset=3 BitCount=1
 39 |         unsigned __int64 Shared : 60; // Size=8 Offset=0 BitOffset=4 BitCount=60
 40 |     };
 41 |     unsigned __int64 Value; // Size=8 Offset=0
 42 |     void * Ptr; // Size=8 Offset=0
 43 | };
 44 | 
 45 | struct _MMVAD_FLAGS // Size=4
 46 | {
 47 |     unsigned long VadType : 3; // Size=4 Offset=0 BitOffset=0 BitCount=3
 48 |     unsigned long Protection : 5; // Size=4 Offset=0 BitOffset=3 BitCount=5
 49 |     unsigned long PreferredNode : 6; // Size=4 Offset=0 BitOffset=8 BitCount=6
 50 |     unsigned long NoChange : 1; // Size=4 Offset=0 BitOffset=14 BitCount=1
 51 |     unsigned long PrivateMemory : 1; // Size=4 Offset=0 BitOffset=15 BitCount=1
 52 |     unsigned long Teb : 1; // Size=4 Offset=0 BitOffset=16 BitCount=1
 53 |     unsigned long PrivateFixup : 1; // Size=4 Offset=0 BitOffset=17 BitCount=1
 54 |     unsigned long Spare : 13; // Size=4 Offset=0 BitOffset=18 BitCount=13
 55 |     unsigned long DeleteInProgress : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
 56 | };
 57 | struct _MMVAD_FLAGS1 // Size=4
 58 | {
 59 |     unsigned long CommitCharge : 31; // Size=4 Offset=0 BitOffset=0 BitCount=31
 60 |     unsigned long MemCommit : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
 61 | };
 62 | 
 63 | struct _MMVAD_FLAGS2 // Size=4
 64 | {
 65 |     unsigned long FileOffset : 24; // Size=4 Offset=0 BitOffset=0 BitCount=24
 66 |     unsigned long Large : 1; // Size=4 Offset=0 BitOffset=24 BitCount=1
 67 |     unsigned long TrimBehind : 1; // Size=4 Offset=0 BitOffset=25 BitCount=1
 68 |     unsigned long Inherit : 1; // Size=4 Offset=0 BitOffset=26 BitCount=1
 69 |     unsigned long CopyOnWrite : 1; // Size=4 Offset=0 BitOffset=27 BitCount=1
 70 |     unsigned long NoValidationNeeded : 1; // Size=4 Offset=0 BitOffset=28 BitCount=1
 71 |     unsigned long Spare : 3; // Size=4 Offset=0 BitOffset=29 BitCount=3
 72 | };
 73 | 
 74 | struct _MI_VAD_SEQUENTIAL_INFO // Size=8
 75 | {
 76 |     unsigned __int64 Length : 12; // Size=8 Offset=0 BitOffset=0 BitCount=12
 77 |     unsigned __int64 Vpn : 52; // Size=8 Offset=0 BitOffset=12 BitCount=52
 78 | };
 79 | 
 80 | union ___unnamed1859 // Size=4
 81 | {
 82 |     unsigned long LongFlags; // Size=4 Offset=0
 83 |     struct _MMVAD_FLAGS VadFlags; // Size=4 Offset=0
 84 | };
 85 | union ___unnamed1860 // Size=4
 86 | {
 87 |     unsigned long LongFlags1; // Size=4 Offset=0
 88 |     struct _MMVAD_FLAGS1 VadFlags1; // Size=4 Offset=0
 89 | };
 90 | 
 91 | union ___unnamed1956 // Size=4
 92 | {
 93 |     unsigned long LongFlags2; // Size=4 Offset=0
 94 |     struct _MMVAD_FLAGS2 VadFlags2; // Size=4 Offset=0
 95 | };
 96 | 
 97 | union ___unnamed1957 // Size=8
 98 | {
 99 |     struct _MI_VAD_SEQUENTIAL_INFO SequentialVa; // Size=8 Offset=0
100 |     struct _MMEXTEND_INFO * ExtendedInfo; // Size=8 Offset=0
101 | };
102 | 
103 | typedef struct _MMVAD_SHORT // Size=64
104 | {
105 |     union
106 |     {
107 |         struct _MM_AVL_NODE VadNode; // Size=24 Offset=0
108 |         struct _MMVAD_SHORT * NextVad; // Size=8 Offset=0
109 |     };
110 |     unsigned long StartingVpn; // Size=4 Offset=24
111 |     unsigned long EndingVpn; // Size=4 Offset=28
112 |     unsigned char StartingVpnHigh; // Size=1 Offset=32
113 |     unsigned char EndingVpnHigh; // Size=1 Offset=33
114 |     unsigned char CommitChargeHigh; // Size=1 Offset=34
115 |     unsigned char LargeImageBias; // Size=1 Offset=35
116 |     long ReferenceCount; // Size=4 Offset=36
117 |     union _EX_PUSH_LOCK PushLock; // Size=8 Offset=40
118 |     union ___unnamed1859 u; // Size=4 Offset=48
119 |     union ___unnamed1860 u1; // Size=4 Offset=52
120 |     struct _MI_VAD_EVENT_BLOCK * EventList; // Size=8 Offset=56
121 | } MMVAD_SHORT, *PMMVAD_SHORT;
122 | 
123 | typedef struct _MMVAD // Size=128
124 | {
125 |     struct _MMVAD_SHORT Core; // Size=64 Offset=0
126 |     union ___unnamed1956 u2; // Size=4 Offset=64
127 |     unsigned long pad0; // Size=4 Offset=68
128 |     struct _SUBSECTION * Subsection; // Size=8 Offset=72
129 |     struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
130 |     struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
131 |     struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
132 |     struct _EPROCESS * VadsProcess; // Size=8 Offset=112
133 |     union ___unnamed1957 u4; // Size=8 Offset=120
134 | } MMVAD, *PMMVAD;
135 | #pragma pack(pop)
136 | 
137 | typedef struct _HANDLE_TABLE
138 | {
139 |     ULONG NextHandleNeedingPool;
140 |     long ExtraInfoPages;
141 |     LONG_PTR TableCode;
142 |     struct _EPROCESS * QuotaProcess;
143 |     LIST_ENTRY HandleTableList;
144 |     ULONG UniqueProcessId;
145 |     ULONG Flags;
146 |     EX_PUSH_LOCK HandleContentionEvent;
147 |     EX_PUSH_LOCK HandleTableLock;
148 |     // More fields here...
149 | } HANDLE_TABLE, *PHANDLE_TABLE;
150 | 
151 | #pragma warning(default : 4214 4201)
152 | 
153 | #define GET_VAD_ROOT(Table) Table->BalancedRoot


--------------------------------------------------------------------------------
/KernelDraw/PEStructs.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | #include "NativeEnums.h"
  3 | #include <ntifs.h>
  4 | 
  5 | 
  6 | #define IMAGE_DOS_SIGNATURE                     0x5A4D      // MZ
  7 | #define IMAGE_NT_SIGNATURE                      0x00004550  // PE00
  8 | 
  9 | #define IMAGE_NT_OPTIONAL_HDR32_MAGIC           0x10b
 10 | #define IMAGE_NT_OPTIONAL_HDR64_MAGIC           0x20b
 11 | 
 12 | #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES        16
 13 | 
 14 | #define IMAGE_DIRECTORY_ENTRY_EXPORT             0   // Export Directory
 15 | #define IMAGE_DIRECTORY_ENTRY_IMPORT             1   // Import Directory
 16 | #define IMAGE_DIRECTORY_ENTRY_RESOURCE           2   // Resource Directory
 17 | #define IMAGE_DIRECTORY_ENTRY_EXCEPTION          3   // Exception Directory
 18 | #define IMAGE_DIRECTORY_ENTRY_SECURITY           4   // Security Directory
 19 | #define IMAGE_DIRECTORY_ENTRY_BASERELOC          5   // Base Relocation Table
 20 | #define IMAGE_DIRECTORY_ENTRY_DEBUG              6   // Debug Directory
 21 | //      IMAGE_DIRECTORY_ENTRY_COPYRIGHT          7   // (X86 usage)
 22 | #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE       7   // Architecture Specific Data
 23 | #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR          8   // RVA of GP
 24 | #define IMAGE_DIRECTORY_ENTRY_TLS                9   // TLS Directory
 25 | #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG       10   // Load Configuration Directory
 26 | #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT      11   // Bound Import Directory in headers
 27 | #define IMAGE_DIRECTORY_ENTRY_IAT               12   // Import Address Table
 28 | #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT      13   // Delay Load Import Descriptors
 29 | #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR    14   // COM Runtime descriptor
 30 | 
 31 | #define IMAGE_REL_BASED_ABSOLUTE                0
 32 | #define IMAGE_REL_BASED_HIGH                    1
 33 | #define IMAGE_REL_BASED_LOW                     2
 34 | #define IMAGE_REL_BASED_HIGHLOW                 3
 35 | #define IMAGE_REL_BASED_HIGHADJ                 4
 36 | #define IMAGE_REL_BASED_MIPS_JMPADDR            5
 37 | #define IMAGE_REL_BASED_SECTION                 6
 38 | #define IMAGE_REL_BASED_REL32                   7
 39 | #define IMAGE_REL_BASED_MIPS_JMPADDR16          9
 40 | #define IMAGE_REL_BASED_IA64_IMM64              9
 41 | #define IMAGE_REL_BASED_DIR64                   10
 42 | 
 43 | #define IMAGE_SIZEOF_BASE_RELOCATION            8
 44 | 
 45 | 
 46 | #define IMAGE_FILE_RELOCS_STRIPPED           0x0001  // Relocation info stripped from file.
 47 | #define IMAGE_FILE_EXECUTABLE_IMAGE          0x0002  // File is executable  (i.e. no unresolved external references).
 48 | #define IMAGE_FILE_LINE_NUMS_STRIPPED        0x0004  // Line nunbers stripped from file.
 49 | #define IMAGE_FILE_LOCAL_SYMS_STRIPPED       0x0008  // Local symbols stripped from file.
 50 | #define IMAGE_FILE_AGGRESIVE_WS_TRIM         0x0010  // Aggressively trim working set
 51 | #define IMAGE_FILE_LARGE_ADDRESS_AWARE       0x0020  // App can handle >2gb addresses
 52 | #define IMAGE_FILE_BYTES_REVERSED_LO         0x0080  // Bytes of machine word are reversed.
 53 | #define IMAGE_FILE_32BIT_MACHINE             0x0100  // 32 bit word machine.
 54 | #define IMAGE_FILE_DEBUG_STRIPPED            0x0200  // Debugging info stripped from file in .DBG file
 55 | #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP   0x0400  // If Image is on removable media, copy and run from the swap file.
 56 | #define IMAGE_FILE_NET_RUN_FROM_SWAP         0x0800  // If Image is on Net, copy and run from the swap file.
 57 | #define IMAGE_FILE_SYSTEM                    0x1000  // System File.
 58 | #define IMAGE_FILE_DLL                       0x2000  // File is a DLL.
 59 | #define IMAGE_FILE_UP_SYSTEM_ONLY            0x4000  // File should only be run on a UP machine
 60 | #define IMAGE_FILE_BYTES_REVERSED_HI         0x8000  // Bytes of machine word are reversed.
 61 | 
 62 | #define IMAGE_FILE_MACHINE_UNKNOWN           0
 63 | #define IMAGE_FILE_MACHINE_I386              0x014c  // Intel 386.
 64 | #define IMAGE_FILE_MACHINE_R3000             0x0162  // MIPS little-endian, 0x160 big-endian
 65 | #define IMAGE_FILE_MACHINE_R4000             0x0166  // MIPS little-endian
 66 | #define IMAGE_FILE_MACHINE_R10000            0x0168  // MIPS little-endian
 67 | #define IMAGE_FILE_MACHINE_WCEMIPSV2         0x0169  // MIPS little-endian WCE v2
 68 | #define IMAGE_FILE_MACHINE_ALPHA             0x0184  // Alpha_AXP
 69 | #define IMAGE_FILE_MACHINE_SH3               0x01a2  // SH3 little-endian
 70 | #define IMAGE_FILE_MACHINE_SH3DSP            0x01a3
 71 | #define IMAGE_FILE_MACHINE_SH3E              0x01a4  // SH3E little-endian
 72 | #define IMAGE_FILE_MACHINE_SH4               0x01a6  // SH4 little-endian
 73 | #define IMAGE_FILE_MACHINE_SH5               0x01a8  // SH5
 74 | #define IMAGE_FILE_MACHINE_ARM               0x01c0  // ARM Little-Endian
 75 | #define IMAGE_FILE_MACHINE_THUMB             0x01c2  // ARM Thumb/Thumb-2 Little-Endian
 76 | #define IMAGE_FILE_MACHINE_ARMNT             0x01c4  // ARM Thumb-2 Little-Endian
 77 | #define IMAGE_FILE_MACHINE_AM33              0x01d3
 78 | #define IMAGE_FILE_MACHINE_POWERPC           0x01F0  // IBM PowerPC Little-Endian
 79 | #define IMAGE_FILE_MACHINE_POWERPCFP         0x01f1
 80 | #define IMAGE_FILE_MACHINE_IA64              0x0200  // Intel 64
 81 | #define IMAGE_FILE_MACHINE_MIPS16            0x0266  // MIPS
 82 | #define IMAGE_FILE_MACHINE_ALPHA64           0x0284  // ALPHA64
 83 | #define IMAGE_FILE_MACHINE_MIPSFPU           0x0366  // MIPS
 84 | #define IMAGE_FILE_MACHINE_MIPSFPU16         0x0466  // MIPS
 85 | #define IMAGE_FILE_MACHINE_AXP64             IMAGE_FILE_MACHINE_ALPHA64
 86 | #define IMAGE_FILE_MACHINE_TRICORE           0x0520  // Infineon
 87 | #define IMAGE_FILE_MACHINE_CEF               0x0CEF
 88 | #define IMAGE_FILE_MACHINE_EBC               0x0EBC  // EFI Byte Code
 89 | #define IMAGE_FILE_MACHINE_AMD64             0x8664  // AMD64 (K8)
 90 | #define IMAGE_FILE_MACHINE_M32R              0x9041  // M32R little-endian
 91 | #define IMAGE_FILE_MACHINE_CEE               0xC0EE
 92 | 
 93 | #define IMAGE_ORDINAL_FLAG64 0x8000000000000000
 94 | #define IMAGE_ORDINAL_FLAG32 0x80000000
 95 | #define IMAGE_ORDINAL64(Ordinal) (Ordinal & 0xffff)
 96 | #define IMAGE_ORDINAL32(Ordinal) (Ordinal & 0xffff)
 97 | #define IMAGE_SNAP_BY_ORDINAL64(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG64) != 0)
 98 | #define IMAGE_SNAP_BY_ORDINAL32(Ordinal) ((Ordinal & IMAGE_ORDINAL_FLAG32) != 0)
 99 | 
100 | //
101 | // Section characteristics.
102 | //
103 | //      IMAGE_SCN_TYPE_REG                   0x00000000  // Reserved.
104 | //      IMAGE_SCN_TYPE_DSECT                 0x00000001  // Reserved.
105 | //      IMAGE_SCN_TYPE_NOLOAD                0x00000002  // Reserved.
106 | //      IMAGE_SCN_TYPE_GROUP                 0x00000004  // Reserved.
107 | #define IMAGE_SCN_TYPE_NO_PAD                0x00000008  // Reserved.
108 | //      IMAGE_SCN_TYPE_COPY                  0x00000010  // Reserved.
109 | 
110 | #define IMAGE_SCN_CNT_CODE                   0x00000020  // Section contains code.
111 | #define IMAGE_SCN_CNT_INITIALIZED_DATA       0x00000040  // Section contains initialized data.
112 | #define IMAGE_SCN_CNT_UNINITIALIZED_DATA     0x00000080  // Section contains uninitialized data.
113 | 
114 | #define IMAGE_SCN_LNK_OTHER                  0x00000100  // Reserved.
115 | #define IMAGE_SCN_LNK_INFO                   0x00000200  // Section contains comments or some other type of information.
116 | //      IMAGE_SCN_TYPE_OVER                  0x00000400  // Reserved.
117 | #define IMAGE_SCN_LNK_REMOVE                 0x00000800  // Section contents will not become part of image.
118 | #define IMAGE_SCN_LNK_COMDAT                 0x00001000  // Section contents comdat.
119 | //                                           0x00002000  // Reserved.
120 | //      IMAGE_SCN_MEM_PROTECTED - Obsolete   0x00004000
121 | #define IMAGE_SCN_NO_DEFER_SPEC_EXC          0x00004000  // Reset speculative exceptions handling bits in the TLB entries for this section.
122 | #define IMAGE_SCN_GPREL                      0x00008000  // Section content can be accessed relative to GP
123 | #define IMAGE_SCN_MEM_FARDATA                0x00008000
124 | //      IMAGE_SCN_MEM_SYSHEAP  - Obsolete    0x00010000
125 | #define IMAGE_SCN_MEM_PURGEABLE              0x00020000
126 | #define IMAGE_SCN_MEM_16BIT                  0x00020000
127 | #define IMAGE_SCN_MEM_LOCKED                 0x00040000
128 | #define IMAGE_SCN_MEM_PRELOAD                0x00080000
129 | 
130 | #define IMAGE_SCN_ALIGN_1BYTES               0x00100000  //
131 | #define IMAGE_SCN_ALIGN_2BYTES               0x00200000  //
132 | #define IMAGE_SCN_ALIGN_4BYTES               0x00300000  //
133 | #define IMAGE_SCN_ALIGN_8BYTES               0x00400000  //
134 | #define IMAGE_SCN_ALIGN_16BYTES              0x00500000  // Default alignment if no others are specified.
135 | #define IMAGE_SCN_ALIGN_32BYTES              0x00600000  //
136 | #define IMAGE_SCN_ALIGN_64BYTES              0x00700000  //
137 | #define IMAGE_SCN_ALIGN_128BYTES             0x00800000  //
138 | #define IMAGE_SCN_ALIGN_256BYTES             0x00900000  //
139 | #define IMAGE_SCN_ALIGN_512BYTES             0x00A00000  //
140 | #define IMAGE_SCN_ALIGN_1024BYTES            0x00B00000  //
141 | #define IMAGE_SCN_ALIGN_2048BYTES            0x00C00000  //
142 | #define IMAGE_SCN_ALIGN_4096BYTES            0x00D00000  //
143 | #define IMAGE_SCN_ALIGN_8192BYTES            0x00E00000  //
144 | // Unused                                    0x00F00000
145 | #define IMAGE_SCN_ALIGN_MASK                 0x00F00000
146 | 
147 | #define IMAGE_SCN_LNK_NRELOC_OVFL            0x01000000  // Section contains extended relocations.
148 | #define IMAGE_SCN_MEM_DISCARDABLE            0x02000000  // Section can be discarded.
149 | #define IMAGE_SCN_MEM_NOT_CACHED             0x04000000  // Section is not cachable.
150 | #define IMAGE_SCN_MEM_NOT_PAGED              0x08000000  // Section is not pageable.
151 | #define IMAGE_SCN_MEM_SHARED                 0x10000000  // Section is shareable.
152 | #define IMAGE_SCN_MEM_EXECUTE                0x20000000  // Section is executable.
153 | #define IMAGE_SCN_MEM_READ                   0x40000000  // Section is readable.
154 | #define IMAGE_SCN_MEM_WRITE                  0x80000000  // Section is writeable.
155 | 
156 | typedef struct _IMAGE_DOS_HEADER
157 | {
158 |     USHORT e_magic;
159 |     USHORT e_cblp;
160 |     USHORT e_cp;
161 |     USHORT e_crlc;
162 |     USHORT e_cparhdr;
163 |     USHORT e_minalloc;
164 |     USHORT e_maxalloc;
165 |     USHORT e_ss;
166 |     USHORT e_sp;
167 |     USHORT e_csum;
168 |     USHORT e_ip;
169 |     USHORT e_cs;
170 |     USHORT e_lfarlc;
171 |     USHORT e_ovno;
172 |     USHORT e_res[4];
173 |     USHORT e_oemid;
174 |     USHORT e_oeminfo;
175 |     USHORT e_res2[10];
176 |     LONG e_lfanew;
177 | } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
178 | 
179 | typedef struct _IMAGE_SECTION_HEADER
180 | {
181 |     UCHAR  Name[8];
182 |     union
183 |     {
184 |         ULONG PhysicalAddress;
185 |         ULONG VirtualSize;
186 |     } Misc;
187 |     ULONG VirtualAddress;
188 |     ULONG SizeOfRawData;
189 |     ULONG PointerToRawData;
190 |     ULONG PointerToRelocations;
191 |     ULONG PointerToLinenumbers;
192 |     USHORT  NumberOfRelocations;
193 |     USHORT  NumberOfLinenumbers;
194 |     ULONG Characteristics;
195 | } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
196 | 
197 | typedef struct _IMAGE_FILE_HEADER // Size=20
198 | {
199 |     USHORT Machine;
200 |     USHORT NumberOfSections;
201 |     ULONG TimeDateStamp;
202 |     ULONG PointerToSymbolTable;
203 |     ULONG NumberOfSymbols;
204 |     USHORT SizeOfOptionalHeader;
205 |     USHORT Characteristics;
206 | } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
207 | 
208 | typedef struct _IMAGE_DATA_DIRECTORY
209 | {
210 |     ULONG VirtualAddress;
211 |     ULONG Size;
212 | } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
213 | 
214 | typedef struct _IMAGE_OPTIONAL_HEADER64
215 | {
216 |     USHORT Magic;
217 |     UCHAR MajorLinkerVersion;
218 |     UCHAR MinorLinkerVersion;
219 |     ULONG SizeOfCode;
220 |     ULONG SizeOfInitializedData;
221 |     ULONG SizeOfUninitializedData;
222 |     ULONG AddressOfEntryPoint;
223 |     ULONG BaseOfCode;
224 |     ULONGLONG ImageBase;
225 |     ULONG SectionAlignment;
226 |     ULONG FileAlignment;
227 |     USHORT MajorOperatingSystemVersion;
228 |     USHORT MinorOperatingSystemVersion;
229 |     USHORT MajorImageVersion;
230 |     USHORT MinorImageVersion;
231 |     USHORT MajorSubsystemVersion;
232 |     USHORT MinorSubsystemVersion;
233 |     ULONG Win32VersionValue;
234 |     ULONG SizeOfImage;
235 |     ULONG SizeOfHeaders;
236 |     ULONG CheckSum;
237 |     USHORT Subsystem;
238 |     USHORT DllCharacteristics;
239 |     ULONGLONG SizeOfStackReserve;
240 |     ULONGLONG SizeOfStackCommit;
241 |     ULONGLONG SizeOfHeapReserve;
242 |     ULONGLONG SizeOfHeapCommit;
243 |     ULONG LoaderFlags;
244 |     ULONG NumberOfRvaAndSizes;
245 |     struct _IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
246 | } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
247 | 
248 | typedef struct _IMAGE_OPTIONAL_HEADER32
249 | {
250 |     //
251 |     // Standard fields.
252 |     //
253 | 
254 |     USHORT  Magic;
255 |     UCHAR   MajorLinkerVersion;
256 |     UCHAR   MinorLinkerVersion;
257 |     ULONG   SizeOfCode;
258 |     ULONG   SizeOfInitializedData;
259 |     ULONG   SizeOfUninitializedData;
260 |     ULONG   AddressOfEntryPoint;
261 |     ULONG   BaseOfCode;
262 |     ULONG   BaseOfData;
263 | 
264 |     //
265 |     // NT additional fields.
266 |     //
267 | 
268 |     ULONG   ImageBase;
269 |     ULONG   SectionAlignment;
270 |     ULONG   FileAlignment;
271 |     USHORT  MajorOperatingSystemVersion;
272 |     USHORT  MinorOperatingSystemVersion;
273 |     USHORT  MajorImageVersion;
274 |     USHORT  MinorImageVersion;
275 |     USHORT  MajorSubsystemVersion;
276 |     USHORT  MinorSubsystemVersion;
277 |     ULONG   Win32VersionValue;
278 |     ULONG   SizeOfImage;
279 |     ULONG   SizeOfHeaders;
280 |     ULONG   CheckSum;
281 |     USHORT  Subsystem;
282 |     USHORT  DllCharacteristics;
283 |     ULONG   SizeOfStackReserve;
284 |     ULONG   SizeOfStackCommit;
285 |     ULONG   SizeOfHeapReserve;
286 |     ULONG   SizeOfHeapCommit;
287 |     ULONG   LoaderFlags;
288 |     ULONG   NumberOfRvaAndSizes;
289 |     IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
290 | } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
291 | 
292 | typedef struct _IMAGE_NT_HEADERS64
293 | {
294 |     ULONG Signature;
295 |     struct _IMAGE_FILE_HEADER FileHeader;
296 |     struct _IMAGE_OPTIONAL_HEADER64 OptionalHeader;
297 | } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
298 | 
299 | typedef struct _IMAGE_NT_HEADERS
300 | {
301 |     ULONG Signature;
302 |     IMAGE_FILE_HEADER FileHeader;
303 |     IMAGE_OPTIONAL_HEADER32 OptionalHeader;
304 | } IMAGE_NT_HEADERS;
305 | 
306 | typedef struct _IMAGE_EXPORT_DIRECTORY {
307 |     ULONG   Characteristics;
308 |     ULONG   TimeDateStamp;
309 |     USHORT  MajorVersion;
310 |     USHORT  MinorVersion;
311 |     ULONG   Name;
312 |     ULONG   Base;
313 |     ULONG   NumberOfFunctions;
314 |     ULONG   NumberOfNames;
315 |     ULONG   AddressOfFunctions;     // RVA from base of image
316 |     ULONG   AddressOfNames;         // RVA from base of image
317 |     ULONG   AddressOfNameOrdinals;  // RVA from base of image
318 | } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
319 | 
320 | typedef struct _IMAGE_BASE_RELOCATION {
321 |     ULONG   VirtualAddress;
322 |     ULONG   SizeOfBlock;
323 |     //  USHORT  TypeOffset[1];
324 | } IMAGE_BASE_RELOCATION;
325 | typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
326 | 
327 | typedef struct _IMAGE_IMPORT_BY_NAME {
328 |     USHORT Hint;
329 |     CHAR   Name[1];
330 | } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
331 | 
332 | 
333 | // warning C4201: nonstandard extension used : nameless struct/union
334 | #pragma warning (disable : 4201)
335 | 
336 | typedef struct _IMAGE_IMPORT_DESCRIPTOR 
337 | {
338 |     union {
339 |         ULONG   Characteristics;            // 0 for terminating null import descriptor
340 |         ULONG   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
341 |     };
342 |     ULONG   TimeDateStamp;                  // 0 if not bound,
343 |     // -1 if bound, and real date\time stamp
344 |     //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
345 |     // O.W. date/time stamp of DLL bound to (Old BIND)
346 | 
347 |     ULONG   ForwarderChain;                 // -1 if no forwarders
348 |     ULONG   Name;
349 |     ULONG   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
350 | } IMAGE_IMPORT_DESCRIPTOR;
351 | typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
352 | 
353 | 
354 | typedef struct _IMAGE_THUNK_DATA64 
355 | {
356 |     union 
357 |     {
358 |         ULONGLONG ForwarderString;  // PBYTE 
359 |         ULONGLONG Function;         // PULONG
360 |         ULONGLONG Ordinal;
361 |         ULONGLONG AddressOfData;    // PIMAGE_IMPORT_BY_NAME
362 |     } u1;
363 | } IMAGE_THUNK_DATA64;
364 | typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;
365 | 
366 | typedef struct _IMAGE_THUNK_DATA32
367 | {
368 |     union
369 |     {
370 |         ULONG ForwarderString;      // PBYTE 
371 |         ULONG Function;             // PULONG
372 |         ULONG Ordinal;
373 |         ULONG AddressOfData;        // PIMAGE_IMPORT_BY_NAME
374 |     } u1;
375 | } IMAGE_THUNK_DATA32;
376 | typedef IMAGE_THUNK_DATA32 * PIMAGE_THUNK_DATA32;
377 | 
378 | typedef struct _IMAGE_RESOURCE_DIRECTORY {
379 |     ULONG   Characteristics;
380 |     ULONG   TimeDateStamp;
381 |     USHORT  MajorVersion;
382 |     USHORT  MinorVersion;
383 |     USHORT  NumberOfNamedEntries;
384 |     USHORT  NumberOfIdEntries;
385 |     //  IMAGE_RESOURCE_DIRECTORY_ENTRY DirectoryEntries[];
386 | } IMAGE_RESOURCE_DIRECTORY, *PIMAGE_RESOURCE_DIRECTORY; 
387 | 
388 | typedef struct _IMAGE_RESOURCE_DIRECTORY_ENTRY {
389 |     union {
390 |         struct {
391 |             INT NameOffset : 31;
392 |             INT NameIsString : 1;
393 |         } DUMMYSTRUCTNAME;
394 |         ULONG   Name;
395 |         USHORT  Id;
396 |     } DUMMYUNIONNAME;
397 |     union {
398 |         ULONG   OffsetToData;
399 |         struct {
400 |             INT   OffsetToDirectory : 31;
401 |             INT   DataIsDirectory : 1;
402 |         } DUMMYSTRUCTNAME2;
403 |     } DUMMYUNIONNAME2;
404 | } IMAGE_RESOURCE_DIRECTORY_ENTRY, *PIMAGE_RESOURCE_DIRECTORY_ENTRY;
405 | 
406 | typedef struct _IMAGE_RESOURCE_DATA_ENTRY {
407 |     ULONG OffsetToData;
408 |     ULONG Size;
409 |     ULONG CodePage;
410 |     ULONG Reserved;
411 | } IMAGE_RESOURCE_DATA_ENTRY, *PIMAGE_RESOURCE_DATA_ENTRY;
412 | 
413 | typedef struct _IMAGE_RUNTIME_FUNCTION_ENTRY {
414 |     ULONG BeginAddress;
415 |     ULONG EndAddress;
416 |     union {
417 |         ULONG UnwindInfoAddress;
418 |         ULONG UnwindData;
419 |     } DUMMYUNIONNAME;
420 | } _IMAGE_RUNTIME_FUNCTION_ENTRY, *_PIMAGE_RUNTIME_FUNCTION_ENTRY;
421 | 
422 | typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY32 {
423 |     ULONG   Size;
424 |     ULONG   TimeDateStamp;
425 |     USHORT  MajorVersion;
426 |     USHORT  MinorVersion;
427 |     ULONG   GlobalFlagsClear;
428 |     ULONG   GlobalFlagsSet;
429 |     ULONG   CriticalSectionDefaultTimeout;
430 |     ULONG   DeCommitFreeBlockThreshold;
431 |     ULONG   DeCommitTotalFreeThreshold;
432 |     ULONG   LockPrefixTable;                // VA
433 |     ULONG   MaximumAllocationSize;
434 |     ULONG   VirtualMemoryThreshold;
435 |     ULONG   ProcessHeapFlags;
436 |     ULONG   ProcessAffinityMask;
437 |     USHORT  CSDVersion;
438 |     USHORT  Reserved1;
439 |     ULONG   EditList;                       // VA
440 |     ULONG   SecurityCookie;                 // VA
441 |     ULONG   SEHandlerTable;                 // VA
442 |     ULONG   SEHandlerCount;
443 |     ULONG   GuardCFCheckFunctionPointer;    // VA
444 |     ULONG   Reserved2;
445 |     ULONG   GuardCFFunctionTable;           // VA
446 |     ULONG   GuardCFFunctionCount;
447 |     ULONG   GuardFlags;
448 | } IMAGE_LOAD_CONFIG_DIRECTORY32, *PIMAGE_LOAD_CONFIG_DIRECTORY32;
449 | 
450 | typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY64 {
451 |     ULONG      Size;
452 |     ULONG      TimeDateStamp;
453 |     USHORT     MajorVersion;
454 |     USHORT     MinorVersion;
455 |     ULONG      GlobalFlagsClear;
456 |     ULONG      GlobalFlagsSet;
457 |     ULONG      CriticalSectionDefaultTimeout;
458 |     ULONGLONG  DeCommitFreeBlockThreshold;
459 |     ULONGLONG  DeCommitTotalFreeThreshold;
460 |     ULONGLONG  LockPrefixTable;             // VA
461 |     ULONGLONG  MaximumAllocationSize;
462 |     ULONGLONG  VirtualMemoryThreshold;
463 |     ULONGLONG  ProcessAffinityMask;
464 |     ULONG      ProcessHeapFlags;
465 |     USHORT     CSDVersion;
466 |     USHORT     Reserved1;
467 |     ULONGLONG  EditList;                    // VA
468 |     ULONGLONG  SecurityCookie;              // VA
469 |     ULONGLONG  SEHandlerTable;              // VA
470 |     ULONGLONG  SEHandlerCount;
471 |     ULONGLONG  GuardCFCheckFunctionPointer; // VA
472 |     ULONGLONG  Reserved2;
473 |     ULONGLONG  GuardCFFunctionTable;        // VA
474 |     ULONGLONG  GuardCFFunctionCount;
475 |     ULONG      GuardFlags;
476 | } IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
477 | 
478 | typedef struct _IMAGE_TLS_DIRECTORY64 {
479 |     ULONGLONG StartAddressOfRawData;
480 |     ULONGLONG EndAddressOfRawData;
481 |     ULONGLONG AddressOfIndex;         // PULONG
482 |     ULONGLONG AddressOfCallBacks;     // PIMAGE_TLS_CALLBACK *;
483 |     ULONG SizeOfZeroFill;
484 |     union {
485 |         ULONG Characteristics;
486 |         struct {
487 |             INT Reserved0 : 20;
488 |             INT Alignment : 4;
489 |             INT Reserved1 : 8;
490 |         } DUMMYSTRUCTNAME;
491 |     } DUMMYUNIONNAME;
492 | 
493 | } IMAGE_TLS_DIRECTORY64;
494 | 
495 | typedef IMAGE_TLS_DIRECTORY64 * PIMAGE_TLS_DIRECTORY64;
496 | 
497 | typedef struct _IMAGE_TLS_DIRECTORY32 {
498 |     ULONG   StartAddressOfRawData;
499 |     ULONG   EndAddressOfRawData;
500 |     ULONG   AddressOfIndex;             // PULONG
501 |     ULONG   AddressOfCallBacks;         // PIMAGE_TLS_CALLBACK *
502 |     ULONG   SizeOfZeroFill;
503 |     union {
504 |         ULONG Characteristics;
505 |         struct {
506 |             INT Reserved0 : 20;
507 |             INT Alignment : 4;
508 |             INT Reserved1 : 8;
509 |         } DUMMYSTRUCTNAME;
510 |     } DUMMYUNIONNAME;
511 | 
512 | } IMAGE_TLS_DIRECTORY32;
513 | typedef IMAGE_TLS_DIRECTORY32 * PIMAGE_TLS_DIRECTORY32;
514 | 
515 | 
516 | #define ACTCTX_FLAG_PROCESSOR_ARCHITECTURE_VALID    (0x00000001)
517 | #define ACTCTX_FLAG_LANGID_VALID                    (0x00000002)
518 | #define ACTCTX_FLAG_ASSEMBLY_DIRECTORY_VALID        (0x00000004)
519 | #define ACTCTX_FLAG_RESOURCE_NAME_VALID             (0x00000008)
520 | #define ACTCTX_FLAG_SET_PROCESS_DEFAULT             (0x00000010)
521 | #define ACTCTX_FLAG_APPLICATION_NAME_VALID          (0x00000020)
522 | #define ACTCTX_FLAG_SOURCE_IS_ASSEMBLYREF           (0x00000040)
523 | #define ACTCTX_FLAG_HMODULE_VALID                   (0x00000080)
524 | 
525 | typedef struct tagACTCTXW
526 | {
527 |     ULONG  cbSize;
528 |     ULONG  dwFlags;
529 |     PWCH   lpSource;
530 |     USHORT wProcessorArchitecture;
531 |     USHORT wLangId;
532 |     PWCH   lpAssemblyDirectory;
533 |     PWCH   lpResourceName;
534 |     PWCH   lpApplicationName;
535 |     PVOID  hModule;
536 | } ACTCTXW, *PACTCTXW;
537 | 
538 | typedef struct tagACTCTXW32
539 | {
540 |     ULONG  cbSize;
541 |     ULONG  dwFlags;
542 |     ULONG  lpSource;
543 |     USHORT wProcessorArchitecture;
544 |     USHORT wLangId;
545 |     ULONG  lpAssemblyDirectory;
546 |     ULONG  lpResourceName;
547 |     ULONG  lpApplicationName;
548 |     ULONG  hModule;
549 | } ACTCTXW32, *PACTCTXW32;
550 | 
551 | #pragma warning (default : 4201)


--------------------------------------------------------------------------------
/KernelDraw/Render.cpp:
--------------------------------------------------------------------------------
  1 | #include "Render.hpp"
  2 | #include "Utils.hpp"
  3 | #include "Imports.h"
  4 | 
  5 | 
  6 | typedef HDC(NTAPI* pfnNtUserGetDC)(HWND hWnd);
  7 | pfnNtUserGetDC NtUserGetDC = NULL;
  8 | 
  9 | typedef int (NTAPI* pfnNtUserReleaseDC)(HDC hDC);
 10 | pfnNtUserReleaseDC NtUserReleaseDC = NULL;
 11 | 
 12 | typedef BOOL(APIENTRY* pfnNtGdiPatBlt)(_In_ HDC hdcDest, _In_ INT x, _In_ INT y, _In_ INT cx, _In_ INT cy, _In_ DWORD dwRop);
 13 | pfnNtGdiPatBlt NtGdiPatBlt = NULL;
 14 | 
 15 | typedef HBRUSH(APIENTRY* pfnGreSelectBrush)(IN HDC hDC, IN HBRUSH hBrush);
 16 | pfnGreSelectBrush GreSelectBrush = NULL;
 17 | 
 18 | typedef HBRUSH(APIENTRY* pfnNtGdiCreateSolidBrush)(_In_ COLORREF cr, _In_opt_ HBRUSH hbr);
 19 | pfnNtGdiCreateSolidBrush NtGdiCreateSolidBrush = NULL;
 20 | 
 21 | typedef BOOL(APIENTRY* pfnNtGdiDeleteObjectApp)(HANDLE hobj);
 22 | pfnNtGdiDeleteObjectApp NtGdiDeleteObjectApp = NULL;
 23 | 
 24 | typedef BOOL(APIENTRY* pfnNtGdiExtTextOutW)(IN HDC hDC, IN INT XStart, IN INT YStart, IN UINT fuOptions, IN OPTIONAL LPRECT UnsafeRect, IN LPWSTR UnsafeString, IN INT Count, IN OPTIONAL LPINT UnsafeDx, IN DWORD dwCodePage);
 25 | pfnNtGdiExtTextOutW NtGdiExtTextOutW = NULL;
 26 | 
 27 | typedef HFONT(APIENTRY* pfnNtGdiHfontCreate)(IN PENUMLOGFONTEXDVW pelfw, IN ULONG cjElfw, IN DWORD lft, IN FLONG fl, IN PVOID pvCliData);
 28 | pfnNtGdiHfontCreate NtGdiHfontCreate = NULL;
 29 | 
 30 | typedef HFONT(APIENTRY* pfnNtGdiSelectFont)(_In_ HDC hdc, _In_ HFONT hf);;
 31 | pfnNtGdiSelectFont NtGdiSelectFont = NULL;
 32 | 
 33 | 
 34 | ULONG ThreadProcessOffset;
 35 | ULONG GetThreadProcessOffset()
 36 | {
 37 | 	UNICODE_STRING FuncName = RTL_CONSTANT_STRING(L"PsGetThreadProcess");
 38 | 	PVOID pfnPsGetThreadProcess = MmGetSystemRoutineAddress(&FuncName);
 39 | 	if (!MmIsAddressValid(pfnPsGetThreadProcess))
 40 | 		return 0;
 41 | 	return *(PULONG)((PUCHAR)pfnPsGetThreadProcess + 3);
 42 | }
 43 | 
 44 | BOOLEAN IsInitialized = FALSE;
 45 | BOOLEAN Render::InitRender()
 46 | {
 47 | 	if (IsInitialized)
 48 | 	{
 49 | 		return TRUE;
 50 | 	}
 51 | 	PVOID win32kase = Utils::GetModuleBase("win32kbase.sys");
 52 | 	PVOID win32kfull = Utils::GetModuleBase("win32kfull.sys");
 53 | 
 54 | 	KdPrint(("win32kase = %p\n", win32kase));
 55 | 	KdPrint(("win32kfull = %p\n", win32kfull));
 56 | 
 57 | 	if (!win32kase || !win32kfull)
 58 | 	{
 59 | 		KdPrint(("Could not find kernel module bases"));
 60 | 		return FALSE;
 61 | 	}
 62 | 
 63 | 	if (!SpoofGuiThread())
 64 | 	{
 65 | 		return FALSE;
 66 | 	}
 67 | 
 68 | 	NtUserGetDC = (pfnNtUserGetDC)Utils::GetProcAddress(win32kase, "NtUserGetDC");
 69 | 	NtUserReleaseDC = (pfnNtUserReleaseDC)Utils::GetProcAddress(win32kase, "NtUserReleaseDC");
 70 | 	NtGdiPatBlt = (pfnNtGdiPatBlt)Utils::GetProcAddress(win32kfull, "NtGdiPatBlt");
 71 | 	GreSelectBrush = (pfnGreSelectBrush)Utils::GetProcAddress(win32kase, "GreSelectBrush");
 72 | 	NtGdiCreateSolidBrush = (pfnNtGdiCreateSolidBrush)Utils::GetProcAddress(win32kfull, "NtGdiCreateSolidBrush");
 73 | 	NtGdiDeleteObjectApp = (pfnNtGdiDeleteObjectApp)Utils::GetProcAddress(win32kase, "NtGdiDeleteObjectApp");
 74 | 	NtGdiExtTextOutW = (pfnNtGdiExtTextOutW)Utils::GetProcAddress(win32kfull, "NtGdiExtTextOutW");
 75 | 	NtGdiHfontCreate = (pfnNtGdiHfontCreate)Utils::GetProcAddress(win32kfull, "NtGdiHfontCreate");
 76 | 	NtGdiSelectFont = (pfnNtGdiSelectFont)Utils::GetProcAddress(win32kfull, "NtGdiSelectFont");
 77 | 
 78 | 	UnspoofGuiThread();
 79 | 
 80 | 	KdPrint(("NtUserGetDC = %p\n", NtUserGetDC));
 81 | 	KdPrint(("NtUserReleaseDC = %p\n", NtUserReleaseDC));
 82 | 	KdPrint(("NtGdiPatBlt = %p\n", NtGdiPatBlt));
 83 | 	KdPrint(("GreSelectBrush = %p\n", GreSelectBrush));
 84 | 	KdPrint(("NtGdiCreateSolidBrush = %p\n", NtGdiCreateSolidBrush));
 85 | 	KdPrint(("NtGdiDeleteObjectApp = %p\n", NtGdiDeleteObjectApp));
 86 | 	KdPrint(("NtGdiExtTextOutW = %p\n", NtGdiExtTextOutW));
 87 | 	KdPrint(("NtGdiHfontCreate = %p\n", NtGdiHfontCreate));
 88 | 	KdPrint(("NtGdiSelectFont = %p\n", NtGdiSelectFont));
 89 | 
 90 | 	if (!NtUserGetDC || !NtGdiPatBlt || !GreSelectBrush ||
 91 | 		!NtUserReleaseDC || !NtGdiCreateSolidBrush || !NtGdiDeleteObjectApp
 92 | 		|| !NtGdiExtTextOutW || !NtGdiHfontCreate || !NtGdiSelectFont)
 93 | 	{
 94 | 		KdPrint(("Could not find kernel functions required for drawing"));
 95 | 		return FALSE;
 96 | 	}
 97 | 
 98 | 	ThreadProcessOffset = GetThreadProcessOffset();
 99 | 
100 | 	IsInitialized = TRUE;
101 | 	return TRUE;
102 | }
103 | 
104 | 
105 | BOOLEAN Render::SpoofGuiThread()
106 | {
107 | 	MaskProcess = Utils::GetProcessByName("dwm.exe");
108 | 	PETHREAD Thread = Utils::GetProcessMainThread(MaskProcess);
109 | 	MaskWin32Thread = PsGetThreadWin32Thread(Thread);
110 | 
111 | 	if (!MaskWin32Thread)
112 | 	{
113 | 		KdPrint(("Failed to Get Win32Thread\n"));
114 | 		return FALSE;
115 | 	}
116 | 
117 | 	PKTHREAD currentThread = KeGetCurrentThread();
118 | 
119 | 	OriginalWin32Thread = PsGetCurrentThreadWin32Thread();
120 | 	OriginalProcess = PsGetThreadProcess(currentThread);
121 | 
122 | 	KeStackAttachProcess(MaskProcess, &apc_state);
123 | 
124 | 	PsSetThreadWin32Thread(currentThread, MaskWin32Thread, PsGetCurrentThreadWin32Thread());
125 | 	*(PEPROCESS*)((char*)currentThread + ThreadProcessOffset) = MaskProcess;
126 | 
127 | 	return TRUE;
128 | }
129 | 
130 | BOOLEAN Render::UnspoofGuiThread()
131 | {
132 | 	PKTHREAD currentThread = KeGetCurrentThread();
133 | 
134 | 	PsSetThreadWin32Thread(currentThread, OriginalWin32Thread, PsGetCurrentThreadWin32Thread());
135 | 	*(PEPROCESS*)((char*)currentThread + ThreadProcessOffset) = OriginalProcess;
136 | 	
137 | 	KeUnstackDetachProcess(&apc_state);
138 | 	return TRUE;
139 | }
140 | 
141 | 
142 | BOOLEAN Render::BeginDraw()
143 | {
144 | 	if (!SpoofGuiThread())
145 | 	{
146 | 		return FALSE;
147 | 	}
148 | 	hdc = NtUserGetDC(0);
149 | 	if (!hdc)
150 | 	{
151 | 		KdPrint(("NtUserGetDC Failed\n"));
152 | 		return FALSE;
153 | 	}
154 | 
155 | 	brush = NtGdiCreateSolidBrush(RGB(255, 0, 0), NULL);
156 | 	if (!brush)
157 | 	{
158 | 		KdPrint(("NtGdiCreateSolidBrush Failed\n"));
159 | 		NtUserReleaseDC(hdc);
160 | 		return FALSE;
161 | 	}
162 | 	return TRUE;
163 | }
164 | 
165 | BOOLEAN Render::EndDraw()
166 | {
167 | 	NtGdiDeleteObjectApp(brush);
168 | 	NtUserReleaseDC(hdc);
169 | 
170 | 	UnspoofGuiThread();
171 | 
172 | 	return TRUE;
173 | }
174 | 
175 | BOOLEAN Render::DrawRect(RECT rect, int thickness)
176 | {
177 | 	HBRUSH oldBrush = GreSelectBrush(hdc, brush);
178 | 	if (!oldBrush)
179 | 	{
180 | 		DbgPrint("failed to get brush");
181 | 		return FALSE;
182 | 	}
183 | 
184 | 	NtGdiPatBlt(hdc, rect.left, rect.top, thickness, rect.bottom - rect.top, PATCOPY);
185 | 	NtGdiPatBlt(hdc, rect.right - thickness, rect.top, thickness, rect.bottom - rect.top, PATCOPY);
186 | 	NtGdiPatBlt(hdc, rect.left, rect.top, rect.right - rect.left, thickness, PATCOPY);
187 | 	NtGdiPatBlt(hdc, rect.left, rect.bottom - thickness, rect.right - rect.left, thickness, PATCOPY);
188 | 
189 | 	GreSelectBrush(hdc, oldBrush);
190 | 	return TRUE;
191 | }
192 | 
193 | /*
194 | BOOLEAN Render::DrawLine(POINT start, POINT end, int thickness)
195 | {
196 | 	HBRUSH oldBrush = GreSelectBrush(hdc, brush);
197 | 	if (!oldBrush)
198 | 	{
199 | 		DbgPrint("failed to get brush");
200 | 		return FALSE;
201 | 	}
202 | 
203 | 
204 | 	GreSelectBrush(hdc, oldBrush);
205 | 	return TRUE;
206 | }
207 | 
208 | BOOLEAN Render::DrawText(POINT pos, PCHAR text)
209 | {
210 | 	return BOOLEAN();
211 | }
212 | */


--------------------------------------------------------------------------------
/KernelDraw/Render.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "includes.h"
 3 | 
 4 | namespace Render
 5 | {
 6 | 	namespace {
 7 | 		PVOID OriginalWin32Thread;
 8 | 		PEPROCESS OriginalProcess;
 9 | 
10 | 		PVOID MaskWin32Thread;
11 | 		PEPROCESS MaskProcess;
12 | 
13 | 		KAPC_STATE apc_state;
14 | 
15 | 		HDC hdc;
16 | 		HBRUSH brush;
17 | 	}
18 | 
19 | 	BOOLEAN InitRender();
20 | 
21 | 	BOOLEAN SpoofGuiThread();
22 | 
23 | 	BOOLEAN UnspoofGuiThread();
24 | 
25 | 	BOOLEAN BeginDraw();
26 | 
27 | 	BOOLEAN EndDraw();
28 | 
29 | 	BOOLEAN DrawLine(POINT start, POINT end, int thickness);
30 | 	
31 | 	BOOLEAN DrawRect(RECT rect, int thickness);
32 | 
33 | 	BOOLEAN DrawText(POINT pos, PCHAR text);
34 | };
35 | 
36 | 


--------------------------------------------------------------------------------
/KernelDraw/Utils.cpp:
--------------------------------------------------------------------------------
  1 | #include "Utils.hpp"
  2 | #include "Imports.h"
  3 | 
  4 | PVOID Utils::GetModuleBase(PCHAR szModuleName)
  5 | {
  6 | 	PVOID result = 0;
  7 | 	ULONG length = 0;
  8 | 
  9 | 	ZwQuerySystemInformation(SystemModuleInformation, &length, 0, &length);
 10 | 	if (!length) return result;
 11 | 
 12 | 	const unsigned long tag = 'MEM';
 13 | 	PSYSTEM_MODULE_INFORMATION system_modules = (PSYSTEM_MODULE_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, length, tag);
 14 | 	if (!system_modules) return result;
 15 | 
 16 | 	NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, system_modules, length, 0);
 17 | 	if (NT_SUCCESS(status))
 18 | 	{
 19 | 		for (size_t i = 0; i < system_modules->ulModuleCount; i++)
 20 | 		{
 21 | 			char* fileName = (char*)system_modules->Modules[i].ImageName + system_modules->Modules[i].ModuleNameOffset;
 22 | 			if (!strcmp(fileName, szModuleName))
 23 | 			{
 24 | 				result = system_modules->Modules[i].Base;
 25 | 				break;
 26 | 			}
 27 | 		}
 28 | 	}
 29 | 	ExFreePoolWithTag(system_modules, tag);
 30 | 	return result;
 31 | }
 32 | 
 33 | PVOID Utils::GetProcAddress(PVOID ModuleBase, PCHAR szFuncName)
 34 | {
 35 | 	return RtlFindExportedRoutineByName(ModuleBase, szFuncName);
 36 | }
 37 | 
 38 | ULONG Utils::GetActiveProcessLinksOffset()
 39 | {
 40 |     UNICODE_STRING FunName = { 0 };
 41 |     RtlInitUnicodeString(&FunName, L"PsGetProcessId");
 42 | 
 43 |     /*
 44 |     .text:000000014007E054                   PsGetProcessId  proc near
 45 |     .text:000000014007E054
 46 |     .text:000000014007E054 48 8B 81 80 01 00+                mov     rax, [rcx+180h]
 47 |     .text:000000014007E054 00
 48 |     .text:000000014007E05B C3                                retn
 49 |     .text:000000014007E05B                   PsGetProcessId  endp
 50 |     */
 51 | 
 52 |     PUCHAR pfnPsGetProcessId = (PUCHAR)MmGetSystemRoutineAddress(&FunName);
 53 |     if (pfnPsGetProcessId && MmIsAddressValid(pfnPsGetProcessId) && MmIsAddressValid(pfnPsGetProcessId + 0x7))
 54 |     {
 55 |         for (size_t i = 0; i < 0x7; i++)
 56 |         {
 57 |             if (pfnPsGetProcessId[i] == 0x48 && pfnPsGetProcessId[i + 1] == 0x8B)
 58 |             {
 59 |                 return *(PULONG)(pfnPsGetProcessId + i + 3) + 8;
 60 |             }
 61 |         }
 62 |     }
 63 |     return 0;
 64 | }
 65 | 
 66 | HANDLE Utils::GetProcessIdByName(PCHAR szName)
 67 | {
 68 |     PEPROCESS Process = GetProcessByName(szName);
 69 |     if (Process)
 70 |     {
 71 |         return PsGetProcessId(Process);
 72 |     }
 73 |     return NULL;
 74 | }
 75 | 
 76 | PEPROCESS Utils::GetProcessByName(PCHAR szName)
 77 | {
 78 |     PEPROCESS Process = NULL;
 79 |     PCHAR ProcessName = NULL;
 80 |     PLIST_ENTRY pHead = NULL;
 81 |     PLIST_ENTRY pNode = NULL;
 82 | 
 83 |     ULONG64 ActiveProcessLinksOffset = GetActiveProcessLinksOffset();
 84 |     //KdPrint(("ActiveProcessLinksOffset = %llX\n", ActiveProcessLinksOffset));
 85 |     if (!ActiveProcessLinksOffset)
 86 |     {
 87 |         KdPrint(("GetActiveProcessLinksOffset failed\n"));
 88 |         return NULL;
 89 |     }
 90 |     Process = PsGetCurrentProcess();
 91 | 
 92 |     pHead = (PLIST_ENTRY)((ULONG64)Process + ActiveProcessLinksOffset);
 93 |     pNode = pHead;
 94 | 
 95 |     do
 96 |     {
 97 |         Process = (PEPROCESS)((ULONG64)pNode - ActiveProcessLinksOffset);
 98 |         ProcessName = PsGetProcessImageFileName(Process);
 99 |         //KdPrint(("%s\n", ProcessName));
100 |         if (!strcmp(szName, ProcessName))
101 |         {
102 |             return Process;
103 |         }
104 | 
105 |         pNode = pNode->Flink;
106 |     } while (pNode != pHead);
107 | 
108 |     return NULL;
109 | }
110 | 
111 | 
112 | PETHREAD Utils::GetProcessMainThread(PEPROCESS Process)
113 | {
114 |     PETHREAD ethread = NULL;
115 | 
116 |     KAPC_STATE kApcState = { 0 };
117 | 
118 |     KeStackAttachProcess(Process, &kApcState);
119 | 
120 |     HANDLE hThread = NULL;
121 | 
122 |     NTSTATUS status = ZwGetNextThread(NtCurrentProcess(), NULL, THREAD_ALL_ACCESS,
123 |         OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, 0, &hThread);
124 | 
125 |     if (NT_SUCCESS(status))
126 |     {
127 | 
128 |         status = ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS,
129 |             *PsThreadType, KernelMode, (PVOID*)&ethread, NULL);
130 |         NtClose(hThread);
131 | 
132 |         if (!NT_SUCCESS(status))
133 |         {
134 |             ethread = NULL;
135 |         }
136 |     }
137 | 
138 |     KeUnstackDetachProcess(&kApcState);
139 |     return ethread;
140 | }
141 | 
142 | 
143 | ULONG64 Utils::FindPattern(ULONG64 base, SIZE_T size, PCHAR pattern, PCHAR mask)
144 | {
145 |     const auto patternSize = strlen(mask);
146 | 
147 |     for (size_t i = 0; i < size - patternSize; i++) {
148 |         for (size_t j = 0; j < patternSize; j++) {
149 |             if (mask[j] != '?' && *reinterpret_cast<PBYTE>(base + i + j) != static_cast<BYTE>(pattern[j]))
150 |                 break;
151 | 
152 |             if (j == patternSize - 1)
153 |                 return (ULONG64)base + i;
154 |         }
155 |     }
156 |     return 0;
157 | }
158 | 
159 | 
160 | ULONG64 Utils::GetImageSectionByName(ULONG64 imageBase, PCHAR sectionName, SIZE_T* sizeOut)
161 | {
162 |     if (reinterpret_cast<PIMAGE_DOS_HEADER>(imageBase)->e_magic != 0x5A4D)
163 |         return 0;
164 | 
165 |     const auto ntHeader = reinterpret_cast<PIMAGE_NT_HEADERS64>(
166 |         imageBase + reinterpret_cast<PIMAGE_DOS_HEADER>(imageBase)->e_lfanew);
167 |     const auto sectionCount = ntHeader->FileHeader.NumberOfSections;
168 | 
169 | #define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER)        \
170 |     ((ULONG_PTR)(ntheader) +                                            \
171 |      FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +                   \
172 |      ((ntheader))->FileHeader.SizeOfOptionalHeader))
173 | 
174 |     auto sectionHeader = IMAGE_FIRST_SECTION(ntHeader);
175 |     for (size_t i = 0; i < sectionCount; ++i, ++sectionHeader) {
176 |         if (!strcmp(sectionName, reinterpret_cast<const char*>(sectionHeader->Name))) {
177 |             if (sizeOut)
178 |                 *sizeOut = sectionHeader->Misc.VirtualSize;
179 |             return imageBase + sectionHeader->VirtualAddress;
180 |         }
181 |     }
182 |     return 0;
183 | }
184 | 
185 | PSERVICE_DESCRIPTOR_TABLE Utils::GetKeServiceDescriptorTableShadow()
186 | {
187 |     uintptr_t ntoskrnlBase = (uintptr_t)GetModuleBase("ntoskrnl.exe");
188 | 
189 |     size_t ntoskrnlTextSize = 0;
190 |     const auto ntoskrnlText = GetImageSectionByName(ntoskrnlBase, ".text", &ntoskrnlTextSize);
191 |     if (!ntoskrnlText)
192 |         return 0;
193 | 
194 |     auto keServiceDescriptorTableShadow = FindPattern(ntoskrnlText, ntoskrnlTextSize,
195 |         "\xC1\xEF\x07\x83\xE7\x20\x25\xFF\x0F", "xxxxxxxxx");
196 | 
197 |     if (!keServiceDescriptorTableShadow)
198 |         return 0;
199 | 
200 |     keServiceDescriptorTableShadow += 21;
201 |     keServiceDescriptorTableShadow += *reinterpret_cast<int*>(keServiceDescriptorTableShadow) + sizeof(int);
202 | 
203 |     return (PSERVICE_DESCRIPTOR_TABLE)keServiceDescriptorTableShadow;
204 | }
205 | 
206 | PVOID Utils::GetServiceFunctionByIndex(PSYSTEM_SERVICE_TABLE ServiceTable, ULONG ServiceId)
207 | {
208 |     PULONG ServiceTableBase = (PULONG)ServiceTable->ServiceTable;
209 |     if (!MmIsAddressValid(ServiceTableBase))
210 |         return NULL;
211 |     return (PVOID)((ULONG64)(ServiceTableBase) + (ServiceTableBase[ServiceId & 0xFFF] >> 4));
212 | }
213 | 


--------------------------------------------------------------------------------
/KernelDraw/Utils.hpp:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | #include "includes.h"
 3 | #include "NativeStructs.h"
 4 | 
 5 | 
 6 | namespace Utils
 7 | {
 8 | 	PVOID GetModuleBase(PCHAR szModuleName);
 9 | 
10 | 	PVOID GetProcAddress(PVOID ModuleBase, PCHAR szFuncName);
11 | 
12 | 	ULONG GetActiveProcessLinksOffset();
13 | 
14 | 	HANDLE GetProcessIdByName(PCHAR szName);
15 | 
16 | 	PEPROCESS GetProcessByName(PCHAR szName);
17 | 
18 | 	PETHREAD GetProcessMainThread(PEPROCESS Process);
19 | 
20 | 	ULONG64 FindPattern(ULONG64 base, SIZE_T size, PCHAR pattern, PCHAR mask);
21 | 
22 | 	ULONG64 GetImageSectionByName(ULONG64 imageBase, PCHAR sectionName, SIZE_T* sizeOut);
23 | 
24 | 	PSERVICE_DESCRIPTOR_TABLE GetKeServiceDescriptorTableShadow();
25 | 
26 | 	PVOID GetServiceFunctionByIndex(PSYSTEM_SERVICE_TABLE, ULONG ServiceId);
27 | };
28 | 
29 | 


--------------------------------------------------------------------------------
/KernelDraw/entry.cpp:
--------------------------------------------------------------------------------
 1 | #include "Render.hpp"
 2 | #include "includes.h"
 3 | #include "Utils.hpp"
 4 | #include "Imports.h"
 5 | 
 6 | void MainThread()
 7 | {
 8 | 	while (true)
 9 | 	{
10 | 		Render::BeginDraw();
11 | 		
12 | 		Render::DrawRect({ 100, 100, 200, 200 }, 3);
13 | 		Render::DrawRect({ 500, 500, 700, 700 }, 3);
14 | 
15 | 		Render::EndDraw();
16 | 
17 | 		YieldProcessor();
18 | 	}
19 | 	
20 | 	PsTerminateSystemThread(STATUS_SUCCESS);
21 | }
22 | 
23 | NTSTATUS CreateThread(PVOID entry)
24 | {
25 | 	HANDLE threadHandle = NULL;
26 | 	NTSTATUS status = PsCreateSystemThread(&threadHandle, NULL, NULL, NULL, NULL, (PKSTART_ROUTINE)entry, NULL);
27 | 
28 | 	if (!NT_SUCCESS(status))
29 | 	{
30 | 		KdPrint(("failed to create system thread, %x", status));
31 | 		return status;
32 | 	}
33 | 
34 | 	ZwClose(threadHandle);
35 | 	return status;
36 | }
37 | 
38 | 
39 | EXTERN_C NTSTATUS DriverEntry()
40 | {
41 | 	KdPrint(("DriverEntry"));
42 | 
43 | 	Render::InitRender();
44 | 
45 | 	CreateThread(MainThread);
46 | 
47 | 	return STATUS_SUCCESS;
48 | }
49 | 


--------------------------------------------------------------------------------
/KernelDraw/includes.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include <ntifs.h>
3 | #include <Ntifs.h>
4 | #include <WinDef.h>
5 | #include <wingdi.h>
6 | #include <ntddmou.h>
7 | #include <intrin.h>
8 | //#include <ntimage.h>
9 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # KernelDraw
2 | ## Use GDI in KernelMode
3 | 
4 | Support Mapping
5 | 


--------------------------------------------------------------------------------