├── .gitignore
├── NTDLLMemes.sln
├── NTDLLMemes
    ├── Functions.cpp
    ├── Functions.hpp
    ├── NTDLLMemes.vcxproj
    ├── NTDLLMemes.vcxproj.filters
    ├── main.cpp
    └── structures.hpp
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
  1 | Debug/
  2 | Release/
  3 | ipch
  4 | *.db
  5 | *.opendb
  6 | 
  7 | # Compiled Object files
  8 | *.slo
  9 | *.lo
 10 | *.o
 11 | *.obj
 12 | 
 13 | # Precompiled Headers
 14 | *.gch
 15 | *.pch
 16 | 
 17 | # Compiled Dynamic libraries
 18 | *.so
 19 | *.dylib
 20 | *.dll
 21 | 
 22 | # Fortran module files
 23 | *.mod
 24 | 
 25 | # Compiled Static libraries
 26 | *.lai
 27 | *.la
 28 | *.a
 29 | *.lib
 30 | 
 31 | # Executables
 32 | *.exe
 33 | *.out
 34 | *.app
 35 | *.opensdf
 36 | *.user
 37 | 
 38 | ## Ignore Visual Studio temporary files, build results, and
 39 | ## files generated by popular Visual Studio add-ons.
 40 | 
 41 | # User-specific files
 42 | *.suo
 43 | *.user
 44 | *.userosscache
 45 | *.sln.docstates
 46 | 
 47 | # User-specific files (MonoDevelop/Xamarin Studio)
 48 | *.userprefs
 49 | 
 50 | # Build results
 51 | [Dd]ebug/
 52 | [Dd]ebugPublic/
 53 | [Rr]elease/
 54 | [Rr]eleases/
 55 | x64/
 56 | x86/
 57 | build/
 58 | bld/
 59 | [Bb]in/
 60 | [Oo]bj/
 61 | 
 62 | # Visual Studio 2015 cache/options directory
 63 | .vs/
 64 | 
 65 | # MSTest test Results
 66 | [Tt]est[Rr]esult*/
 67 | [Bb]uild[Ll]og.*
 68 | 
 69 | # NUNIT
 70 | *.VisualState.xml
 71 | TestResult.xml
 72 | 
 73 | # Build Results of an ATL Project
 74 | [Dd]ebugPS/
 75 | [Rr]eleasePS/
 76 | dlldata.c
 77 | 
 78 | # DNX
 79 | project.lock.json
 80 | artifacts/
 81 | 
 82 | *_i.c
 83 | *_p.c
 84 | *_i.h
 85 | *.ilk
 86 | *.meta
 87 | *.obj
 88 | *.pch
 89 | *.pdb
 90 | *.pgc
 91 | *.pgd
 92 | *.rsp
 93 | *.sbr
 94 | *.tlb
 95 | *.tli
 96 | *.tlh
 97 | *.tmp
 98 | *.tmp_proj
 99 | *.log
100 | *.vspscc
101 | *.vssscc
102 | .builds
103 | *.pidb
104 | *.svclog
105 | *.scc
106 | 
107 | # Chutzpah Test files
108 | _Chutzpah*
109 | 
110 | # Visual C++ cache files
111 | ipch/
112 | *.aps
113 | *.ncb
114 | *.opensdf
115 | *.sdf
116 | *.cachefile
117 | 
118 | # Visual Studio profiler
119 | *.psess
120 | *.vsp
121 | *.vspx
122 | 
123 | # TFS 2012 Local Workspace
124 | $tf/
125 | 
126 | # Guidance Automation Toolkit
127 | *.gpState
128 | 
129 | # ReSharper is a .NET coding add-in
130 | _ReSharper*/
131 | *.[Rr]e[Ss]harper
132 | *.DotSettings.user
133 | 
134 | # JustCode is a .NET coding add-in
135 | .JustCode
136 | 
137 | # TeamCity is a build add-in
138 | _TeamCity*
139 | 
140 | # DotCover is a Code Coverage Tool
141 | *.dotCover
142 | 
143 | # NCrunch
144 | _NCrunch_*
145 | .*crunch*.local.xml
146 | 
147 | # MightyMoose
148 | *.mm.*
149 | AutoTest.Net/
150 | 
151 | # Web workbench (sass)
152 | .sass-cache/
153 | 
154 | # Installshield output folder
155 | [Ee]xpress/
156 | 
157 | # DocProject is a documentation generator add-in
158 | DocProject/buildhelp/
159 | DocProject/Help/*.HxT
160 | DocProject/Help/*.HxC
161 | DocProject/Help/*.hhc
162 | DocProject/Help/*.hhk
163 | DocProject/Help/*.hhp
164 | DocProject/Help/Html2
165 | DocProject/Help/html
166 | 
167 | # Click-Once directory
168 | publish/
169 | 
170 | # Publish Web Output
171 | *.[Pp]ublish.xml
172 | *.azurePubxml
173 | # TODO: Comment the next line if you want to checkin your web deploy settings
174 | # but database connection strings (with potential passwords) will be unencrypted
175 | *.pubxml
176 | *.publishproj
177 | 
178 | # NuGet Packages
179 | *.nupkg
180 | # The packages folder can be ignored because of Package Restore
181 | **/packages/*
182 | # except build/, which is used as an MSBuild target.
183 | !**/packages/build/
184 | # Uncomment if necessary however generally it will be regenerated when needed
185 | #!**/packages/repositories.config
186 | 
187 | # Windows Azure Build Output
188 | csx/
189 | *.build.csdef
190 | 
191 | # Windows Store app package directory
192 | AppPackages/
193 | 
194 | # Visual Studio cache files
195 | # files ending in .cache can be ignored
196 | *.[Cc]ache
197 | # but keep track of directories ending in .cache
198 | !*.[Cc]ache/
199 | 
200 | # Others
201 | ClientBin/
202 | [Ss]tyle[Cc]op.*
203 | ~$*
204 | *~
205 | *.dbmdl
206 | *.dbproj.schemaview
207 | *.pfx
208 | *.publishsettings
209 | node_modules/
210 | orleans.codegen.cs
211 | 
212 | # RIA/Silverlight projects
213 | Generated_Code/
214 | 
215 | # Backup & report files from converting an old project file
216 | # to a newer Visual Studio version. Backup files are not needed,
217 | # because we have git ;-)
218 | _UpgradeReport_Files/
219 | Backup*/
220 | UpgradeLog*.XML
221 | UpgradeLog*.htm
222 | 
223 | # SQL Server files
224 | *.mdf
225 | *.ldf
226 | 
227 | # Business Intelligence projects
228 | *.rdl.data
229 | *.bim.layout
230 | *.bim_*.settings
231 | 
232 | # Microsoft Fakes
233 | FakesAssemblies/
234 | 
235 | # Node.js Tools for Visual Studio
236 | .ntvs_analysis.dat
237 | 
238 | # Visual Studio 6 build log
239 | *.plg
240 | 
241 | # Visual Studio 6 workspace options file
242 | *.opt
243 | /.project
244 | *.ini


--------------------------------------------------------------------------------
/NTDLLMemes.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 14
 4 | VisualStudioVersion = 14.0.25123.0
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTDLLMemes", "NTDLLMemes\NTDLLMemes.vcxproj", "{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}.Debug|x64.Build.0 = Debug|x64
18 | 		{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}.Debug|x86.Build.0 = Debug|Win32
20 | 		{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}.Release|x64.ActiveCfg = Release|x64
21 | 		{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}.Release|x64.Build.0 = Release|x64
22 | 		{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}.Release|x86.ActiveCfg = Release|Win32
23 | 		{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | EndGlobal
29 | 


--------------------------------------------------------------------------------
/NTDLLMemes/Functions.cpp:
--------------------------------------------------------------------------------
  1 | #include "Functions.hpp"
  2 | 
  3 | NTDLL::NTDLL() 
  4 | {
  5 | }
  6 | 
  7 | NTDLL::~NTDLL()
  8 | {
  9 | }
 10 | 
 11 | bool NTDLL::NTSUCCESS(NTSTATUS successStatus)
 12 | {
 13 | 	if (!NT_SUCCESS(successStatus)) {
 14 | 		std::cout << "NT_SUCCESS failed";
 15 | 		delete[] buffer;
 16 | 		return FALSE;
 17 | 	}
 18 | 	else
 19 | 		return TRUE;
 20 | }
 21 | 
 22 | bool NTDLL::bufferAlloc(size_t SIZE)
 23 | {
 24 | 	buffer = new PVOID[SIZE];
 25 | 	if (!buffer) {
 26 | 		std::cout << "Buffer allocation failed";
 27 | 		delete[] buffer;
 28 | 		return FALSE;
 29 | 	}
 30 | 	else
 31 | 		return TRUE;
 32 | }
 33 | 
 34 | NTSTATUS NTDLL::GetProcessList() 
 35 | {
 36 | 	if (!bufferAlloc(bufferSize))
 37 | 		return STATUS_UNSUCCESSFUL;
 38 | 		
 39 | 	pSystemInfo = reinterpret_cast<PSYSTEM_PINFO>(buffer);
 40 | 	status = NtQuerySystemInformation(SystemProcessInformation, pSystemInfo, bufferSize, NULL);
 41 | 
 42 | 	if (!NTSUCCESS(status))
 43 | 		return STATUS_UNSUCCESSFUL;
 44 | 
 45 | 	std::cout << "Process List - by xenocidewiki" << std::endl << std::endl;
 46 | 
 47 | 	do {
 48 | 		printf("Process name: %ws\t | pID: %d\n", pSystemInfo->ImageName.Buffer, pSystemInfo->ProcessId);
 49 | 		pSystemInfo = reinterpret_cast<PSYSTEM_PINFO>((reinterpret_cast<BYTE*>(pSystemInfo) + pSystemInfo->NextEntryOffset));
 50 | 	} while (pSystemInfo->NextEntryOffset);
 51 | 
 52 | 	delete[] buffer;
 53 | 	std::cin.get();
 54 | 
 55 | 	return STATUS_SUCCESS;
 56 | }
 57 | 
 58 | NTSTATUS NTDLL::EnumerateDrivers()
 59 | {
 60 | 	if (!bufferAlloc(bufferSize))
 61 | 		return STATUS_UNSUCCESSFUL;
 62 | 
 63 | 	pProcessModules = reinterpret_cast<PRTL_PROCESS_MODULES>(buffer);
 64 | 	status = NtQuerySystemInformation(SystemModuleInformation, pProcessModules, bufferSize, NULL); //NOTE: I manually edited winternl.h because I'm lazy. There are many other (better) ways of getting the SystemModuleInformation defined and working without having to modify things like winternl.h
 65 | 	
 66 | 	if (!NTSUCCESS(status))
 67 | 		return STATUS_UNSUCCESSFUL;
 68 | 
 69 | 	std::cout << "Driver List - by xenocidewiki" << std::endl << std::endl;
 70 | 
 71 | 	for (ULONG i = 0; i < pProcessModules->NumberOfModules; i++) {
 72 | 		printf("%d:\t%s\n", i, pProcessModules->Modules[i].FullPathName + pProcessModules->Modules[i].OffsetToFileName);
 73 | 	}
 74 | 
 75 | 	delete[] buffer;
 76 | 	std::cin.get();
 77 | 
 78 | 	return STATUS_SUCCESS;
 79 | }
 80 | 
 81 | void NTDLL::init() 
 82 | {
 83 | 	int input;
 84 | 
 85 | 	std::cout << "Welcome to NTDLL memes - by xenocidewiki\nPlease pick one of the following:\n1. Get Process List\n2. Get Driver List" << std::endl;
 86 | 	std::cin >> input;
 87 | 
 88 | 	switch (input) {
 89 | 	case 1:
 90 | 		GetProcessList();
 91 | 		break;
 92 | 	case 2:
 93 | 		EnumerateDrivers();
 94 | 		break;
 95 | 	default:
 96 | 		std::cout << "No choice availble with that number, please restart and try again";
 97 | 		break;
 98 | 	}
 99 | 
100 | 	std::cin.get();
101 | }


--------------------------------------------------------------------------------
/NTDLLMemes/Functions.hpp:
--------------------------------------------------------------------------------
 1 | #ifndef NTDLLMEMES_FUNCTIONS_H
 2 | #define NTDLLMEMES_FUNCTIONS_H
 3 | #include "structures.hpp"
 4 | 
 5 | class NTDLL {
 6 | 	public:
 7 | 		NTDLL();
 8 | 		~NTDLL();
 9 | 
10 | 		NTSTATUS GetProcessList();
11 | 		NTSTATUS EnumerateDrivers();
12 | 		void init();
13 | 
14 | 	private:
15 | 		bool NTSUCCESS(NTSTATUS successStatus);
16 | 		bool bufferAlloc(size_t SIZE);
17 | 
18 | 		const int bufferSize		= 1024 * 1024;
19 | 
20 | 		PVOID					buffer;
21 | 		NTSTATUS					status;
22 | 		PSYSTEM_PINFO			pSystemInfo;
23 | 		PRTL_PROCESS_MODULES		pProcessModules;
24 | };
25 | 
26 | #endif


--------------------------------------------------------------------------------
/NTDLLMemes/NTDLLMemes.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{7F04A04D-2A93-4F3A-8571-FBBD2F073CFD}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>NTDLLMemes</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v140</PlatformToolset>
 32 |     <CharacterSet>Unicode</CharacterSet>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 35 |     <ConfigurationType>Application</ConfigurationType>
 36 |     <UseDebugLibraries>false</UseDebugLibraries>
 37 |     <PlatformToolset>v140</PlatformToolset>
 38 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 39 |     <CharacterSet>Unicode</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 42 |     <ConfigurationType>Application</ConfigurationType>
 43 |     <UseDebugLibraries>true</UseDebugLibraries>
 44 |     <PlatformToolset>v140</PlatformToolset>
 45 |     <CharacterSet>Unicode</CharacterSet>
 46 |   </PropertyGroup>
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 48 |     <ConfigurationType>Application</ConfigurationType>
 49 |     <UseDebugLibraries>false</UseDebugLibraries>
 50 |     <PlatformToolset>v140</PlatformToolset>
 51 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 52 |     <CharacterSet>Unicode</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 55 |   <ImportGroup Label="ExtensionSettings">
 56 |   </ImportGroup>
 57 |   <ImportGroup Label="Shared">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <PropertyGroup Label="UserMacros" />
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |     <LibraryPath>C:\Program Files (x86)\Windows Kits\8.1\Lib\winv6.3\um\x86;$(LibraryPath)</LibraryPath>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 77 |     <LinkIncremental>true</LinkIncremental>
 78 |     <LibraryPath>C:\Program Files %28x86%29\Windows Kits\8.1\Lib\winv6.3\um\x64;$(LibraryPath)</LibraryPath>
 79 |   </PropertyGroup>
 80 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 81 |     <LinkIncremental>false</LinkIncremental>
 82 |   </PropertyGroup>
 83 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 84 |     <LinkIncremental>false</LinkIncremental>
 85 |   </PropertyGroup>
 86 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 87 |     <ClCompile>
 88 |       <PrecompiledHeader>
 89 |       </PrecompiledHeader>
 90 |       <WarningLevel>Level3</WarningLevel>
 91 |       <Optimization>Disabled</Optimization>
 92 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 97 |     </Link>
 98 |   </ItemDefinitionGroup>
 99 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
100 |     <ClCompile>
101 |       <PrecompiledHeader>
102 |       </PrecompiledHeader>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <Optimization>Disabled</Optimization>
105 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |     </ClCompile>
107 |     <Link>
108 |       <SubSystem>Console</SubSystem>
109 |       <GenerateDebugInformation>true</GenerateDebugInformation>
110 |     </Link>
111 |   </ItemDefinitionGroup>
112 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
113 |     <ClCompile>
114 |       <WarningLevel>Level3</WarningLevel>
115 |       <PrecompiledHeader>
116 |       </PrecompiledHeader>
117 |       <Optimization>MaxSpeed</Optimization>
118 |       <FunctionLevelLinking>true</FunctionLevelLinking>
119 |       <IntrinsicFunctions>true</IntrinsicFunctions>
120 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
125 |       <OptimizeReferences>true</OptimizeReferences>
126 |       <GenerateDebugInformation>true</GenerateDebugInformation>
127 |     </Link>
128 |   </ItemDefinitionGroup>
129 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
130 |     <ClCompile>
131 |       <WarningLevel>Level3</WarningLevel>
132 |       <PrecompiledHeader>
133 |       </PrecompiledHeader>
134 |       <Optimization>MaxSpeed</Optimization>
135 |       <FunctionLevelLinking>true</FunctionLevelLinking>
136 |       <IntrinsicFunctions>true</IntrinsicFunctions>
137 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
138 |     </ClCompile>
139 |     <Link>
140 |       <SubSystem>Console</SubSystem>
141 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
142 |       <OptimizeReferences>true</OptimizeReferences>
143 |       <GenerateDebugInformation>true</GenerateDebugInformation>
144 |     </Link>
145 |   </ItemDefinitionGroup>
146 |   <ItemGroup>
147 |     <ClInclude Include="Functions.hpp" />
148 |     <ClInclude Include="structures.hpp" />
149 |   </ItemGroup>
150 |   <ItemGroup>
151 |     <ClCompile Include="Functions.cpp" />
152 |     <ClCompile Include="main.cpp" />
153 |   </ItemGroup>
154 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
155 |   <ImportGroup Label="ExtensionTargets">
156 |   </ImportGroup>
157 | </Project>


--------------------------------------------------------------------------------
/NTDLLMemes/NTDLLMemes.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="Functions.hpp">
19 |       <Filter>Header Files</Filter>
20 |     </ClInclude>
21 |     <ClInclude Include="structures.hpp">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClCompile Include="main.cpp">
27 |       <Filter>Source Files</Filter>
28 |     </ClCompile>
29 |     <ClCompile Include="Functions.cpp">
30 |       <Filter>Source Files</Filter>
31 |     </ClCompile>
32 |   </ItemGroup>
33 | </Project>


--------------------------------------------------------------------------------
/NTDLLMemes/main.cpp:
--------------------------------------------------------------------------------
 1 | #include "Functions.hpp"
 2 | 
 3 | int main() 
 4 | {
 5 | 	NTDLL cNtdll;
 6 | 	
 7 | 	cNtdll.init();
 8 | 
 9 | 	return 0;
10 | }
11 | 


--------------------------------------------------------------------------------
/NTDLLMemes/structures.hpp:
--------------------------------------------------------------------------------
 1 | #ifndef NTDLL_STRUCTURES_H
 2 | #define NTDLL_STRUCTURES_H
 3 | 
 4 | #include <iostream>
 5 | #include <windows.h>
 6 | #include <winternl.h>
 7 | 
 8 | #pragma comment (lib, "ntdll.lib") 
 9 | 
10 | #define STATUS_SUCCESS		0x00000000
11 | #define STATUS_UNSUCCESSFUL 0xC0000001
12 | 
13 | typedef struct _SYSTEM_PROCESS_INFO {
14 | 
15 | 	ULONG                   NextEntryOffset;
16 | 	ULONG                   NumberOfThreads;
17 | 	LARGE_INTEGER           Reserved[3];
18 | 	LARGE_INTEGER           CreateTime;
19 | 	LARGE_INTEGER           UserTime;
20 | 	LARGE_INTEGER           KernelTime;
21 | 	UNICODE_STRING          ImageName;
22 | 	ULONG					BasePriority;
23 | 	HANDLE                  ProcessId;
24 | 	HANDLE                  InheritedFromProcessId;
25 | 	ULONG                   HandleCount;
26 | 
27 | } SYSTEM_PINFO, *PSYSTEM_PINFO;
28 | 
29 | typedef struct _SYSTEM_MOD {
30 | 
31 | 	HANDLE				 Section;
32 | 	PVOID				 MappedBaseAddress;
33 | 	PVOID                ImageBaseAddress;
34 | 	ULONG                ImageSize;
35 | 	ULONG                Flags;
36 | 	USHORT				 LoadOrderIndex;
37 | 	USHORT				 InitOrderIndex;
38 | 	USHORT				 LoadCount;
39 | 	USHORT				 NameOffset;
40 | 	UCHAR				 Name[256];
41 | 
42 | } SYSTEM_MOD, *PSYSTEM_MOD;
43 | 
44 | typedef struct _RTL_PROCESS_MODULE_INFORMATION
45 | {
46 | 	void *Section;
47 | 	void *MappedBase;
48 | 	void *ImageBase;
49 | 	unsigned int ImageSize;
50 | 	unsigned int Flags;
51 | 	unsigned __int16 LoadOrderIndex;
52 | 	unsigned __int16 InitOrderIndex;
53 | 	unsigned __int16 LoadCount;
54 | 	unsigned __int16 OffsetToFileName;
55 | 	char FullPathName[256];
56 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
57 | 
58 | typedef struct _RTL_PROCESS_MODULES
59 | {
60 | 	ULONG NumberOfModules;
61 | 	RTL_PROCESS_MODULE_INFORMATION Modules[1];
62 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
63 | 
64 | #endif


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Undocumented NTAPI
2 | I was challenged by a friend to list all the processes and drivers in a system using more "unusual" methods. By doing this I learned quite a lot about the windows internals. To be specific I learned a lot about the undocumented structures and functions in the NTAPI.
3 | 
4 | #To-do list
5 | * Soon™
6 | 


--------------------------------------------------------------------------------