#ifndef COMMON_H
#define COMMON_H
#include <ntifs.h>
#include <wdftypes.h>
/*
 * Kernel debug-output helpers. The "[+] "/"[-] " prefix and the trailing
 * newline are joined to `fmt` by string-literal concatenation, so `fmt`
 * must itself be a string literal; a runtime string cannot be passed as
 * the format here (which also rules out format-string injection through
 * this macro). Output goes to DbgPrintEx with the IHV driver component id
 * at level 0 (DPFLTR_ERROR_LEVEL). `##__VA_ARGS__` swallows the comma when
 * no variadic arguments are given (MSVC and GCC/Clang extension).
 */
#define DEBUG_LOG(fmt, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, 0, "[+] " fmt "\n", ##__VA_ARGS__)
#define DEBUG_ERROR(fmt, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, 0, "[-] " fmt "\n", ##__VA_ARGS__)
/*
 * Pool tags for ExAllocatePool*WithTag / ExFreePoolWithTag. Each tag is a
 * four-character multi-character constant (the usual Windows idiom); its
 * in-memory byte order is reversed relative to the source spelling, which
 * the debugger's pool commands account for. A tag only helps leak tracking
 * if it is unique per allocation site — several below ('eeee', 'ffff',
 * 'qqqq') are placeholders rather than descriptive names. The naming is
 * inconsistent (_POOL, _POOL_TAG, POOL_TAG_, _TAG); the names are part of
 * the interface and are kept as-is.
 */
#define NMI_CONTEXT_POOL '7331'
#define STACK_FRAMES_POOL 'loop'
#define INVALID_DRIVER_LIST_HEAD_POOL 'rwar'
#define INVALID_DRIVER_LIST_ENTRY_POOL 'gaah'
#define SYSTEM_MODULES_POOL 'halb'
#define THREAD_DATA_POOL 'doof'
#define PROC_AFFINITY_POOL 'eeee'
#define TEMP_BUFFER_POOL 'ffff'
#define DRIVER_PATH_POOL_TAG 'path'
#define POOL_TAG_INTEGRITY 'intg'
#define POOL_TAG_MODULE_MEMORY_BUF 'lolo'
#define POOL_TAG_MODULE_MEMORY_BUF_2 'leeo'
#define POOL_TAG_HASH_OBJECT 'hobj'
#define POOL_TAG_RESULTING_HASH 'hash'
#define POOL_TAG_SAVE_EX_REGIONS 'sexc'
#define POOL_DUMP_BLOCK_TAG 'dump'
#define POOL_DEBUGGER_DATA_TAG 'data'
#define PROCESS_ADDRESS_LIST_TAG 'addr'
#define ANALYSE_PROCESS_TAG 'anls'
#define INVALID_PROCESS_REPORT_TAG 'invd'
#define QUEUE_POOL_TAG 'qqqq'
#define REPORT_QUEUE_TEMP_BUFFER_TAG 'temp'
#define REPORT_POOL_TAG 'repo'
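/*
 * Generic failure sentinel. Parenthesised so that it tokenises as a single
 * negative value in any expression it is pasted into (e.g. `-ERROR`, or a
 * comparison written without spaces).
 */
#define ERROR (-1)

/* Byte size of the buffer used to capture a stack trace. */
#define STACK_FRAME_POOL_SIZE 0x200

/* Bucket count of an object-manager directory hash table (_OBJECT_DIRECTORY). */
#define NUMBER_HASH_BUCKETS 37

/*
 * Raw field offsets into undocumented kernel structures (KTHREAD, EPROCESS,
 * KPROCESS). These are specific to the Windows build they were taken from
 * and are not stable across releases: an offset that is wrong for the
 * running kernel silently reads the wrong field or faults. They should be
 * validated against the target build's symbols, or resolved at runtime,
 * before being dereferenced (KDDEBUGGER_DATA_ADDITION64 below carries
 * OffsetKThreadStackBase/OffsetKThreadStackLimit, which could serve as a
 * runtime cross-check for two of them).
 */
#define KTHREAD_STACK_BASE_OFFSET 0x030
#define KTHREAD_STACK_LIMIT_OFFSET 0x038
#define KTHREAD_THREADLIST_OFFSET 0x2f8
#define KTHREAD_APC_STATE_OFFSET 0x258
#define KTHREAD_START_ADDRESS_OFFSET 0x450

#define EPROCESS_VIRTUAL_SIZE_OFFSET 0x498
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8

#define KPROCESS_THREADLIST_OFFSET 0x030

/* Offset of KPRCB.CurrentThread. */
#define KPCRB_CURRENT_THREAD 0x8

/* MSR number of IA32_GS_BASE; in kernel mode GS base is the KPCR. */
#define IA32_GS_BASE 0xc0000101

/* Offset of KPCR.Prcb from the GS base (x64). */
#define KPRCB_OFFSET_FROM_GS_BASE 0x180

/* Cap on how many module-validation failures are reported. */
#define MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT 20

/*
 * Report type identifiers. Presumably consumed by the user-mode side of
 * the product; the numeric values are the wire contract, so keep them
 * stable.
 */
#define REPORT_NMI_CALLBACK_FAILURE 50
#define REPORT_MODULE_VALIDATION_FAILURE 60
#define REPORT_ILLEGAL_HANDLE_OPERATION 70
#define REPORT_INVALID_PROCESS_ALLOCATION 80
#define REPORT_HIDDEN_SYSTEM_THREAD 90
#define REPORT_ILLEGAL_ATTACH_PROCESS 100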
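/*
 * Generic macros that allow you to quickly determine whether
 * or not a page table entry is present or may forward to a
 * large page of data, rather than another page table (applies
 * only to PDPTEs and PDEs)
 *
 * Some nice macros courtesy of:
 * https://www.unknowncheats.me/forum/general-programming-and-reversing/523359-introduction-physical-memory.html
 *
 * Every argument is parenthesised inside the expansion so that an
 * expression such as IS_PAGE_PRESENT(a | b) or PAGE_4KB_OFFSET(base | off)
 * is evaluated as a whole rather than re-bound by the macro's own operator.
 */

/* Bit 7 (PS) of a PDPTE/PDE: the entry maps a large page directly. */
#define IS_LARGE_PAGE(x) ( (BOOLEAN)(((x) >> 7) & 1) )

/* Bit 0 (P) of any paging-structure entry. */
#define IS_PAGE_PRESENT(x) ( (BOOLEAN)((x) & 1) )

/* Byte offset of an address within a page of the given size. */
#define PAGE_1GB_SHIFT 30
#define PAGE_1GB_OFFSET(x) ( (x) & (~(MAXUINT64 << PAGE_1GB_SHIFT)) )

#define PAGE_2MB_SHIFT 21
#define PAGE_2MB_OFFSET(x) ( (x) & (~(MAXUINT64 << PAGE_2MB_SHIFT)) )

#define PAGE_4KB_SHIFT 12
#define PAGE_4KB_OFFSET(x) ( (x) & (~(MAXUINT64 << PAGE_4KB_SHIFT)) )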
/*
 * Multi-group processor affinity mask (mirrors the undocumented kernel
 * _KAFFINITY_EX). Count is presumably the number of groups in use and Size
 * the capacity; the Bitmap length is build-dependent, so confirm sizeof
 * against the target build's symbols before relying on it.
 */
typedef struct _KAFFINITY_EX
{
    USHORT Count;
    USHORT Size;
    ULONG Reserved;
    ULONGLONG Bitmap[ 20 ]; // one mask per processor group
} KAFFINITY_EX, * PKAFFINITY_EX;
/*
 * One entry of an object-manager directory hash bucket: a singly linked
 * chain (ChainLink) of objects sharing a bucket, with the cached name hash.
 */
typedef struct _OBJECT_DIRECTORY_ENTRY
{
    struct _OBJECT_DIRECTORY_ENTRY* ChainLink; // next entry in the same bucket
    PVOID Object;                              // object body
    ULONG HashValue;
} OBJECT_DIRECTORY_ENTRY, * POBJECT_DIRECTORY_ENTRY;
/*
 * Object-manager directory (e.g. \Driver, \Device): a fixed-size hash table
 * of NUMBER_HASH_BUCKETS chains guarded by a push lock. Undocumented layout;
 * verify against the target build before walking it.
 */
typedef struct _OBJECT_DIRECTORY
{
    POBJECT_DIRECTORY_ENTRY HashBuckets[ NUMBER_HASH_BUCKETS ];
    EX_PUSH_LOCK Lock;              // must be held while walking HashBuckets
    struct _DEVICE_MAP* DeviceMap;
    ULONG SessionId;
    PVOID NamespaceEntry;
    ULONG Flags;
} OBJECT_DIRECTORY, * POBJECT_DIRECTORY;
/*
 * Per-session DOS device map: the \?? directory for the session plus the
 * global one, and a bitmap/type table of drive letters.
 */
typedef struct _DEVICE_MAP
{
    struct _OBJECT_DIRECTORY* DosDevicesDirectory;
    struct _OBJECT_DIRECTORY* GlobalDosDevicesDirectory;
    ULONG ReferenceCount;
    ULONG DriveMap;        // one bit per drive letter
    UCHAR DriveType[ 32 ]; // one entry per drive letter
} DEVICE_MAP, * PDEVICE_MAP;
/*
 * Loaded-module record as returned by RtlQueryModuleInformation.
 * FullPathName is a NUL-terminated ANSI path; FileNameOffset is the index
 * of the file-name component within it.
 */
typedef struct _RTL_MODULE_EXTENDED_INFO
{
    PVOID ImageBase;
    ULONG ImageSize;
    USHORT FileNameOffset;
    CHAR FullPathName[ 0x100 ];
} RTL_MODULE_EXTENDED_INFO, * PRTL_MODULE_EXTENDED_INFO;
/*
Thread Information Block: (GS register)

SEH frame: 0x00
Stack Base: 0x08
Stack Limit: 0x10
SubSystemTib: 0x18
Fiber Data: 0x20
Arbitrary Data: 0x28
TEB: 0x30
Environment Pointer: 0x38
Process ID: 0x40
Current Thread ID: 0x48
Active RPC Handle: 0x50
Thread Local Storage Array: 0x58
PEB: 0x60
Last error number: 0x68
Count Owned Critical Sections: 0x6C
CSR Client Thread: 0x70
Win32 Thread Information: 0x78
...
*/
/*
 * Object-manager type object (what ObGetObjectType returns). Undocumented
 * layout.
 *
 * NOTE(review): in the kernel's _OBJECT_TYPE, TypeInfo is an embedded
 * _OBJECT_TYPE_INITIALIZER, not a pointer, so TypeLock, Key and
 * CallbackList as declared here do not sit at their real offsets. Only the
 * fields up to and including Index/the counters should be read through
 * this definition — confirm against the target build's symbols.
 */
typedef struct _OBJECT_TYPE
{
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;               // e.g. L"Process", L"Driver"
    PVOID DefaultObject;
    UCHAR Index;                       // index into ObTypeIndexTable
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    PVOID TypeInfo; //_OBJECT_TYPE_INITIALIZER
    EX_PUSH_LOCK TypeLock;
    ULONG Key;                         // pool tag used for this type
    LIST_ENTRY CallbackList;
} OBJECT_TYPE, * POBJECT_TYPE;
/*
 * Loader data hanging off the PEB (public winternl.h shape). Only the
 * in-memory-order module list is exposed; the other fields are opaque.
 */
typedef struct _PEB_LDR_DATA {
    BYTE Reserved1[ 8 ];
    PVOID Reserved2[ 3 ];
    LIST_ENTRY InMemoryOrderModuleList; // links LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks
} PEB_LDR_DATA, * PPEB_LDR_DATA;
/*
 * One loaded user-mode module (public winternl.h shape). Entries are
 * reached from PEB_LDR_DATA.InMemoryOrderModuleList via InMemoryOrderLinks,
 * so CONTAINING_RECORD must use that member, not the start of the struct.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    PVOID Reserved1[ 2 ];
    LIST_ENTRY InMemoryOrderLinks;
    PVOID Reserved2[ 2 ];
    PVOID DllBase;
    PVOID Reserved3[ 2 ];
    UNICODE_STRING FullDllName;
    BYTE Reserved4[ 8 ];
    PVOID Reserved5[ 3 ];
#pragma warning(push)
#pragma warning(disable: 4201) // we'll always use the Microsoft compiler
    union {
        ULONG CheckSum;
        PVOID Reserved6;
    } DUMMYUNIONNAME;
#pragma warning(pop)
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
/*
 * 64-bit Process Environment Block (public winternl.h shape with opaque
 * Reserved* padding). BeingDebugged and Ldr are the fields of interest;
 * the reserved regions keep SessionId at its real offset.
 */
typedef struct _PEB {
    BYTE Reserved1[ 2 ];
    BYTE BeingDebugged;
    BYTE Reserved2[ 1 ];
    PVOID Reserved3[ 2 ];
    PPEB_LDR_DATA Ldr;
    PVOID ProcessParameters;
    PVOID Reserved4[ 3 ];
    PVOID AtlThunkSListPtr;
    PVOID Reserved5;
    ULONG Reserved6;
    PVOID Reserved7;
    ULONG Reserved8;
    ULONG AtlThunkSListPtr32;
    PVOID Reserved9[ 45 ];
    BYTE Reserved10[ 96 ];
    PVOID PostProcessInitRoutine;
    BYTE Reserved11[ 128 ];
    PVOID Reserved12[ 1 ];
    ULONG SessionId;
} PEB, * PPEB;
/*
 * 32-bit PEB as seen for a WoW64 process. Pointer-sized fields are
 * declared as ULONG because they are 32-bit user-mode addresses; they must
 * be widened, never dereferenced as native pointers.
 */
typedef struct _PEB32 {
    UCHAR InheritedAddressSpace;
    UCHAR ReadImageFileExecOptions;
    UCHAR BeingDebugged;
    UCHAR BitField;
    ULONG Mutant;
    ULONG ImageBaseAddress;
    ULONG Ldr;               // 32-bit pointer to PEB_LDR_DATA32
    ULONG ProcessParameters;
    ULONG SubSystemData;
    ULONG ProcessHeap;
    ULONG FastPebLock;
    ULONG AtlThunkSListPtr;
    ULONG IFEOKey;
    ULONG CrossProcessFlags;
    ULONG UserSharedInfoPtr;
    ULONG SystemReserved;
    ULONG AtlThunkSListPtr32;
    ULONG ApiSetMap;
} PEB32, * PPEB32;
/*
 * 32-bit loader data (WoW64). The three lists link LDR_DATA_TABLE_ENTRY32
 * records through the correspondingly named *Links members.
 */
typedef struct _PEB_LDR_DATA32 {
    ULONG Length;
    UCHAR Initialized;
    ULONG SsHandle;
    LIST_ENTRY32 InLoadOrderModuleList;
    LIST_ENTRY32 InMemoryOrderModuleList;
    LIST_ENTRY32 InInitializationOrderModuleList;
} PEB_LDR_DATA32, * PPEB_LDR_DATA32;
/*
 * 32-bit loaded-module record (WoW64). DllBase/EntryPoint are 32-bit
 * user-mode addresses stored as ULONG; the UNICODE_STRING32 buffers are
 * 32-bit pointers too.
 */
typedef struct _LDR_DATA_TABLE_ENTRY32 {
    LIST_ENTRY32 InLoadOrderLinks;
    LIST_ENTRY32 InMemoryOrderLinks;
    LIST_ENTRY32 InInitializationOrderLinks;
    ULONG DllBase;
    ULONG EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING32 FullDllName;
    UNICODE_STRING32 BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY32 HashLinks;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY32, * PLDR_DATA_TABLE_ENTRY32;
/* Optional per-handle audit information referenced from HANDLE_TABLE_ENTRY.InfoTable. */
typedef struct _HANDLE_TABLE_ENTRY_INFO
{
    ULONG AuditMask;
    ULONG MaxRelativeAccessMask;
} HANDLE_TABLE_ENTRY_INFO, * PHANDLE_TABLE_ENTRY_INFO;
/*
 * Decomposed handle value: the low two bits are tag bits, the remaining
 * 30 bits the table index. Note that the bit-fields are declared `int`
 * (signed), while Value is the full ULONG_PTR view of the same storage.
 */
typedef union _EXHANDLE
{
    struct
    {
        int TagBits : 2;
        int Index : 30;
    } u;
    void* GenericHandleOverlay;
    ULONG_PTR Value;
} EXHANDLE, * PEXHANDLE;
/*
 * 4214: bit-fields of a non-int type; 4201: nameless struct/union. Both are
 * used deliberately below to mirror kernel layouts. This pragma is not
 * bracketed by push/pop, so it stays in effect for the rest of the
 * translation unit that includes this header.
 */
#pragma warning(disable : 4214 4201)

/*
 * Header that precedes every small (non-large) pool allocation. Packed so
 * the 16-byte size is exact and PoolTag sits at offset 4. The trailing
 * field comments give the debugger-reported sizes and offsets.
 */
#pragma pack(push, 1)
typedef struct _POOL_HEADER // Size=16
{
    union
    {
        struct
        {
            unsigned long PreviousSize : 8; // Size=4 Offset=0 BitOffset=0 BitCount=8
            unsigned long PoolIndex : 8; // Size=4 Offset=0 BitOffset=8 BitCount=8
            unsigned long BlockSize : 8; // Size=4 Offset=0 BitOffset=16 BitCount=8
            unsigned long PoolType : 8; // Size=4 Offset=0 BitOffset=24 BitCount=8
        };
        unsigned long Ulong1; // Size=4 Offset=0
    };
    unsigned long PoolTag; // Size=4 Offset=4
    union
    {
        struct _EPROCESS* ProcessBilled; // Size=8 Offset=8
        struct
        {
            unsigned short AllocatorBackTraceIndex; // Size=2 Offset=8
            unsigned short PoolTagHash; // Size=2 Offset=10
        };
    };
} POOL_HEADER, * PPOOL_HEADER;
#pragma pack(pop)
/*
 * One slot of a process handle table (undocumented layout; the trailing
 * comments give the debugger-reported sizes and offsets). The object
 * header address is not stored directly: ObjectPointerBits holds the
 * upper 44 bits and must be shifted back into a kernel address. A free
 * slot reuses the second quadword as NextFreeHandleEntry.
 */
typedef struct _HANDLE_TABLE_ENTRY // Size=16
{
    union
    {
        ULONG_PTR VolatileLowValue; // Size=8 Offset=0
        ULONG_PTR LowValue; // Size=8 Offset=0
        struct _HANDLE_TABLE_ENTRY_INFO* InfoTable; // Size=8 Offset=0
        struct
        {
            ULONG_PTR Unlocked : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
            ULONG_PTR RefCnt : 16; // Size=8 Offset=0 BitOffset=1 BitCount=16
            ULONG_PTR Attributes : 3; // Size=8 Offset=0 BitOffset=17 BitCount=3
            ULONG_PTR ObjectPointerBits : 44; // Size=8 Offset=0 BitOffset=20 BitCount=44
        };
    };
    union
    {
        ULONG_PTR HighValue; // Size=8 Offset=8
        struct _HANDLE_TABLE_ENTRY* NextFreeHandleEntry; // Size=8 Offset=8
        union _EXHANDLE LeafHandleValue; // Size=8 Offset=8
        struct
        {
            ULONG GrantedAccessBits : 25; // Size=4 Offset=8 BitOffset=0 BitCount=25
            ULONG NoRightsUpgrade : 1; // Size=4 Offset=8 BitOffset=25 BitCount=1
            ULONG Spare : 6; // Size=4 Offset=8 BitOffset=26 BitCount=6
        };
    };
    ULONG TypeInfo; // Size=4 Offset=12
} HANDLE_TABLE_ENTRY, * PHANDLE_TABLE_ENTRY;
/* Free-slot list embedded in HANDLE_TABLE; 32 bytes, matching ActualEntry[32]. */
typedef struct _HANDLE_TABLE_FREE_LIST
{
    EX_PUSH_LOCK FreeListLock;
    PHANDLE_TABLE_ENTRY FirstFreeHandleEntry;
    PHANDLE_TABLE_ENTRY LastFreeHandleEntry;
    LONG HandleCount;
    ULONG HighWaterMark;
} HANDLE_TABLE_FREE_LIST, * PHANDLE_TABLE_FREE_LIST;
/* One record of the handle tracing database (enabled per process by the handle-tracing debug flag). */
typedef struct _HANDLE_TRACE_DB_ENTRY
{
    CLIENT_ID ClientId;    // process/thread that performed the operation
    PVOID Handle;
    ULONG Type;            // open/close/duplicate etc.
    PVOID StackTrace[ 16 ];
} HANDLE_TRACE_DB_ENTRY, * PHANDLE_TRACE_DB_ENTRY;
/*
 * Handle tracing database header. TraceDb[1] is the older variable-length
 * idiom: the real table has TableSize entries following the header, so
 * sizeof this struct is not the allocation size.
 */
typedef struct _HANDLE_TRACE_DEBUG_INFO
{
    LONG RefCount;
    ULONG TableSize;
    ULONG BitMaskFlags;
    FAST_MUTEX CloseCompactionLock;
    ULONG CurrentStackIndex;
    HANDLE_TRACE_DB_ENTRY TraceDb[ 1 ];
} HANDLE_TRACE_DEBUG_INFO, * PHANDLE_TRACE_DEBUG_INFO;
/*
 * Process handle table (undocumented layout). TableCode encodes both the
 * table level (low bits) and the address of the top-level page; the
 * HANDLE_TABLE_ENTRY records are reached through it, not through this
 * struct directly. HandleTableLock guards the table; the free lists are
 * overlaid on ActualEntry.
 */
typedef struct _HANDLE_TABLE
{
    ULONG NextHandleNeedingPool;
    LONG ExtraInfoPages;
    ULONGLONG TableCode;            // level in the low bits, table pointer above
    PEPROCESS QuotaProcess;
    LIST_ENTRY HandleTableList;     // links all handle tables (HandleTableListHead)
    ULONG UniqueProcessId;
    union {
        ULONG Flags;
        struct {
            UCHAR StrictFIFO : 1;
            UCHAR EnableHandleExceptions : 1;
            UCHAR Rundown : 1;
            UCHAR Duplicated : 1;
            UCHAR RaiseUMExceptionOnInvalidHandleClose : 1;
        };
    };
    EX_PUSH_LOCK HandleContentionEvent;
    EX_PUSH_LOCK HandleTableLock;
    union {
        HANDLE_TABLE_FREE_LIST FreeLists[ 1 ];
        UCHAR ActualEntry[ 32 ];
    };
    struct _HANDLE_TRACE_DEBUG_INFO* DebugInfo; // non-NULL only with handle tracing enabled
} HANDLE_TABLE, * PHANDLE_TABLE;
/*
 * Callback signature for ExEnumHandleTable. Invoked once per in-use entry
 * with the table entry, the handle value and the caller's context.
 * NOTE(review): whether returning TRUE stops the enumeration, and whether
 * the callback must release the entry lock itself, depends on the target
 * build's ExEnumHandleTable contract — verify before relying on it.
 */
typedef BOOLEAN( *EX_ENUMERATE_HANDLE_ROUTINE )(
    IN PHANDLE_TABLE_ENTRY HandleTableEntry,
    IN HANDLE Handle,
    IN PVOID EnumParameter
    );
/*
 * Creation-time parameters kept on an object until it is inserted into
 * the namespace (OBJECT_HEADER.ObjectCreateInfo). After insertion the same
 * union slot holds QuotaBlockCharged, so only read this for NewObject
 * headers.
 */
typedef struct _OBJECT_CREATE_INFORMATION
{
    ULONG Attributes;
    PVOID RootDirectory;
    CHAR ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PVOID SecurityDescriptor;
    struct _SECURITY_QUALITY_OF_SERVICE* SecurityQos;
    struct _SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, * POBJECT_CREATE_INFORMATION;
/*
 * Header that immediately precedes every object-manager object; Body is
 * the first byte of the object itself (the pointer the object manager
 * hands out), so the header is found by subtracting its offset from an
 * object pointer.
 *
 * NOTE(review): on Windows 10 and later TypeIndex is obfuscated (XOR of
 * the raw index, ObHeaderCookie and a byte of the header address); reading
 * it raw does not give the type table index. Confirm the decoding used by
 * the consumers of this definition.
 */
typedef struct _OBJECT_HEADER
{
    LONGLONG PointerCount;
    union {
        LONGLONG HandleCount;
        PVOID NextToFree;
    };
    EX_PUSH_LOCK Lock;
    UCHAR TypeIndex;
    union {
        UCHAR TraceFlags;
        struct {
            UCHAR DbgRefTrace : 1;
            UCHAR DbgTracePermanent : 1;
        };
    };
    UCHAR InfoMask;   // which optional headers precede this one
    union {
        UCHAR Flags;
        struct {
            UCHAR NewObject : 1;
            UCHAR KernelObject : 1;
            UCHAR KernelOnlyAccess : 1;
            UCHAR ExclusiveObject : 1;
            UCHAR PermanentObject : 1;
            UCHAR DefaultSecurityQuota : 1;
            UCHAR SingleHandleEntry : 1;
            UCHAR DeletedInline : 1;
        };
    };
    ULONG Reserved;
    union {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo; // valid while NewObject is set
        PVOID QuotaBlockCharged;
    };
    PVOID SecurityDescriptor;
    QUAD Body;        // start of the object
} OBJECT_HEADER, * POBJECT_HEADER;
/* PE section Characteristics flag: the section is executable. */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000

/* Length of IMAGE_SECTION_HEADER.Name; the name is not NUL-terminated when exactly 8 bytes long. */
#define IMAGE_SIZEOF_SHORT_NAME 8
/*
 * PE section table entry (40 bytes). For an in-memory image use
 * VirtualAddress/Misc.VirtualSize; the PointerTo*/SizeOfRawData fields
 * describe the on-disk layout. These values come from the image and must
 * be bounds-checked against the mapped image size before use.
 */
typedef struct _IMAGE_SECTION_HEADER {
    unsigned char Name[ IMAGE_SIZEOF_SHORT_NAME ];
    union {
        unsigned long PhysicalAddress;
        unsigned long VirtualSize;
    } Misc;
    unsigned long VirtualAddress;
    unsigned long SizeOfRawData;
    unsigned long PointerToRawData;
    unsigned long PointerToRelocations;
    unsigned long PointerToLinenumbers;
    unsigned short NumberOfRelocations;
    unsigned short NumberOfLinenumbers;
    unsigned long Characteristics;   // IMAGE_SCN_* flags
} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;
/*
 * COFF file header that follows the PE signature. NumberOfSections bounds
 * the section table and SizeOfOptionalHeader locates it (see
 * IMAGE_FIRST_SECTION); both are image-supplied and should be validated.
 */
typedef struct _IMAGE_FILE_HEADER {
    unsigned short Machine;
    unsigned short NumberOfSections;
    unsigned long TimeDateStamp;
    unsigned long PointerToSymbolTable;
    unsigned long NumberOfSymbols;
    unsigned short SizeOfOptionalHeader;
    unsigned short Characteristics;
} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
/* RVA and size of one data directory (exports, imports, relocations, ...). */
typedef struct _IMAGE_DATA_DIRECTORY {
    unsigned long VirtualAddress;
    unsigned long Size;
} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
/* Fixed length of IMAGE_OPTIONAL_HEADER64.DataDirectory; NumberOfRvaAndSizes may be smaller. */
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
/*
 * PE32+ optional header. SizeOfImage is the mapped size used to bound
 * RVA arithmetic; only the first NumberOfRvaAndSizes entries of
 * DataDirectory are meaningful.
 */
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    unsigned short Magic;               // 0x20b for PE32+
    unsigned char MajorLinkerVersion;
    unsigned char MinorLinkerVersion;
    unsigned long SizeOfCode;
    unsigned long SizeOfInitializedData;
    unsigned long SizeOfUninitializedData;
    unsigned long AddressOfEntryPoint;  // RVA
    unsigned long BaseOfCode;
    ULONGLONG ImageBase;
    unsigned long SectionAlignment;
    unsigned long FileAlignment;
    unsigned short MajorOperatingSystemVersion;
    unsigned short MinorOperatingSystemVersion;
    unsigned short MajorImageVersion;
    unsigned short MinorImageVersion;
    unsigned short MajorSubsystemVersion;
    unsigned short MinorSubsystemVersion;
    unsigned long Win32VersionValue;
    unsigned long SizeOfImage;
    unsigned long SizeOfHeaders;
    unsigned long CheckSum;
    unsigned short Subsystem;
    unsigned short DllCharacteristics;
    ULONGLONG SizeOfStackReserve;
    ULONGLONG SizeOfStackCommit;
    ULONGLONG SizeOfHeapReserve;
    ULONGLONG SizeOfHeapCommit;
    unsigned long LoaderFlags;
    unsigned long NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[ IMAGE_NUMBEROF_DIRECTORY_ENTRIES ];
} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
/*
 * DOS stub header at the start of every PE image. Only e_magic ("MZ") and
 * e_lfanew (file offset of the NT headers) matter here; e_lfanew is a
 * signed, image-supplied value and must be range-checked before it is
 * added to the image base.
 */
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    unsigned short e_magic; // Magic number
    unsigned short e_cblp; // Bytes on last page of file
    unsigned short e_cp; // Pages in file
    unsigned short e_crlc; // Relocations
    unsigned short e_cparhdr; // Size of header in paragraphs
    unsigned short e_minalloc; // Minimum extra paragraphs needed
    unsigned short e_maxalloc; // Maximum extra paragraphs needed
    unsigned short e_ss; // Initial (relative) SS value
    unsigned short e_sp; // Initial SP value
    unsigned short e_csum; // Checksum
    unsigned short e_ip; // Initial IP value
    unsigned short e_cs; // Initial (relative) CS value
    unsigned short e_lfarlc; // File address of relocation table
    unsigned short e_ovno; // Overlay number
    unsigned short e_res[ 4 ]; // Reserved words
    unsigned short e_oemid; // OEM identifier (for e_oeminfo)
    unsigned short e_oeminfo; // OEM information; e_oemid specific
    unsigned short e_res2[ 10 ]; // Reserved words
    LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, * PIMAGE_DOS_HEADER;
/*
 * Local equivalent of IMAGE_NT_HEADERS64 (named differently to avoid
 * clashing with the SDK definition): "PE\0\0" signature, COFF header and
 * the PE32+ optional header.
 */
typedef struct _LOCAL_NT_HEADER {
    unsigned long Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} LOCAL_NT_HEADER, * PLOCAL_NT_HEADER;
/*
 * Address of the first IMAGE_SECTION_HEADER: the section table starts
 * right after the optional header, whose real length is
 * FileHeader.SizeOfOptionalHeader rather than sizeof(IMAGE_OPTIONAL_HEADER64).
 * Evaluates `ntheader` twice, so pass an lvalue without side effects.
 */
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
    ((ULONG_PTR)(ntheader) + \
     FIELD_OFFSET( LOCAL_NT_HEADER, OptionalHeader ) + \
     ((ntheader))->FileHeader.SizeOfOptionalHeader \
    ))
/* creds: https://www.unknowncheats.me/forum/2602838-post2.html */
/*
 * Header of a kernel debugger data block (KDDEBUGGER_DATA64). OwnerTag
 * identifies the block ('KDBG' for the kernel's) and Size its length.
 */
typedef struct _DBGKD_DEBUG_DATA_HEADER64
{
    LIST_ENTRY64 List;
    ULONG OwnerTag;
    ULONG Size;
} DBGKD_DEBUG_DATA_HEADER64, * PDBGKD_DEBUG_DATA_HEADER64;
/*
 * Kernel debugger data block (KdDebuggerDataBlock): the addresses of key
 * kernel variables and the field offsets/sizes of core structures for the
 * running build. The ULONG64 members are kernel virtual addresses of the
 * named variables; the USHORT Offset*/Size* members are structure offsets
 * that can replace the hard-coded *_OFFSET constants above at runtime.
 * Note that on recent builds the block is encoded while no debugger is
 * attached (KdpDataBlockEncoded) — assumed handled by the reader; verify.
 */
typedef struct _KDDEBUGGER_DATA64
{
    DBGKD_DEBUG_DATA_HEADER64 Header;

    // Kernel base and debugger entry points.
    ULONG64 KernBase;
    ULONG64 BreakpointWithStatus;
    ULONG64 SavedContext;
    USHORT ThCallbackStack;
    USHORT NextCallback;
    USHORT FramePointer;
    USHORT PaeEnabled;
    ULONG64 KiCallUserMode;
    ULONG64 KeUserCallbackDispatcher;

    // Addresses of kernel list heads / tables.
    ULONG64 PsLoadedModuleList;
    ULONG64 PsActiveProcessHead;
    ULONG64 PspCidTable;
    ULONG64 ExpSystemResourcesList;
    ULONG64 ExpPagedPoolDescriptor;
    ULONG64 ExpNumberOfPagedPools;
    ULONG64 KeTimeIncrement;
    ULONG64 KeBugCheckCallbackListHead;
    ULONG64 KiBugcheckData;
    ULONG64 IopErrorLogListHead;
    ULONG64 ObpRootDirectoryObject;
    ULONG64 ObpTypeObjectType;

    // Memory-manager variables.
    ULONG64 MmSystemCacheStart;
    ULONG64 MmSystemCacheEnd;
    ULONG64 MmSystemCacheWs;
    ULONG64 MmPfnDatabase;
    ULONG64 MmSystemPtesStart;
    ULONG64 MmSystemPtesEnd;
    ULONG64 MmSubsectionBase;
    ULONG64 MmNumberOfPagingFiles;
    ULONG64 MmLowestPhysicalPage;
    ULONG64 MmHighestPhysicalPage;
    ULONG64 MmNumberOfPhysicalPages;
    ULONG64 MmMaximumNonPagedPoolInBytes;
    ULONG64 MmNonPagedSystemStart;
    ULONG64 MmNonPagedPoolStart;
    ULONG64 MmNonPagedPoolEnd;
    ULONG64 MmPagedPoolStart;
    ULONG64 MmPagedPoolEnd;
    ULONG64 MmPagedPoolInformation;
    ULONG64 MmPageSize;
    ULONG64 MmSizeOfPagedPoolInBytes;
    ULONG64 MmTotalCommitLimit;
    ULONG64 MmTotalCommittedPages;
    ULONG64 MmSharedCommit;
    ULONG64 MmDriverCommit;
    ULONG64 MmProcessCommit;
    ULONG64 MmPagedPoolCommit;
    ULONG64 MmExtendedCommit;
    ULONG64 MmZeroedPageListHead;
    ULONG64 MmFreePageListHead;
    ULONG64 MmStandbyPageListHead;
    ULONG64 MmModifiedPageListHead;
    ULONG64 MmModifiedNoWritePageListHead;
    ULONG64 MmAvailablePages;
    ULONG64 MmResidentAvailablePages;
    ULONG64 PoolTrackTable;
    ULONG64 NonPagedPoolDescriptor;
    ULONG64 MmHighestUserAddress;
    ULONG64 MmSystemRangeStart;
    ULONG64 MmUserProbeAddress;

    // Kernel debug-print ring buffer.
    ULONG64 KdPrintCircularBuffer;
    ULONG64 KdPrintCircularBufferEnd;
    ULONG64 KdPrintWritePointer;
    ULONG64 KdPrintRolloverCount;

    ULONG64 MmLoadedUserImageList;
    ULONG64 NtBuildLab;
    ULONG64 KiNormalSystemCall;
    ULONG64 KiProcessorBlock;
    ULONG64 MmUnloadedDrivers;
    ULONG64 MmLastUnloadedDriver;
    ULONG64 MmTriageActionTaken;
    ULONG64 MmSpecialPoolTag;
    ULONG64 KernelVerifier;
    ULONG64 MmVerifierData;
    ULONG64 MmAllocatedNonPagedPool;
    ULONG64 MmPeakCommitment;
    ULONG64 MmTotalCommitLimitMaximum;
    ULONG64 CmNtCSDVersion;
    ULONG64 MmPhysicalMemoryBlock;
    ULONG64 MmSessionBase;
    ULONG64 MmSessionSize;
    ULONG64 MmSystemParentTablePage;
    ULONG64 MmVirtualTranslationBase;

    // Structure offsets/sizes for the running build.
    USHORT OffsetKThreadNextProcessor;
    USHORT OffsetKThreadTeb;
    USHORT OffsetKThreadKernelStack;
    USHORT OffsetKThreadInitialStack;
    USHORT OffsetKThreadApcProcess;
    USHORT OffsetKThreadState;
    USHORT OffsetKThreadBStore;
    USHORT OffsetKThreadBStoreLimit;
    USHORT SizeEProcess;
    USHORT OffsetEprocessPeb;
    USHORT OffsetEprocessParentCID;
    USHORT OffsetEprocessDirectoryTableBase;
    USHORT SizePrcb;
    USHORT OffsetPrcbDpcRoutine;
    USHORT OffsetPrcbCurrentThread;
    USHORT OffsetPrcbMhz;
    USHORT OffsetPrcbCpuType;
    USHORT OffsetPrcbVendorString;
    USHORT OffsetPrcbProcStateContext;
    USHORT OffsetPrcbNumber;
    USHORT SizeEThread;

    ULONG64 KdPrintCircularBufferPtr;
    ULONG64 KdPrintBufferSize;
    ULONG64 KeLoaderBlock;

    USHORT SizePcr;
    USHORT OffsetPcrSelfPcr;
    USHORT OffsetPcrCurrentPrcb;
    USHORT OffsetPcrContainedPrcb;
    USHORT OffsetPcrInitialBStore;
    USHORT OffsetPcrBStoreLimit;
    USHORT OffsetPcrInitialStack;
    USHORT OffsetPcrStackLimit;
    USHORT OffsetPrcbPcrPage;
    USHORT OffsetPrcbProcStateSpecialReg;

    // GDT selectors.
    USHORT GdtR0Code;
    USHORT GdtR0Data;
    USHORT GdtR0Pcr;
    USHORT GdtR3Code;
    USHORT GdtR3Data;
    USHORT GdtR3Teb;
    USHORT GdtLdt;
    USHORT GdtTss;
    USHORT Gdt64R3CmCode;
    USHORT Gdt64R3CmTeb;

    ULONG64 IopNumTriageDumpDataBlocks;
    ULONG64 IopTriageDumpDataBlocks;
} KDDEBUGGER_DATA64, * PKDDEBUGGER_DATA64;
/*
 * Fields appended to KDDEBUGGER_DATA64 on newer builds. Whether they are
 * present must be decided from Header.Size, not assumed. Note that
 * OffsetKThreadStackLimit/OffsetKThreadStackBase duplicate, at runtime,
 * the KTHREAD_STACK_*_OFFSET constants defined above.
 */
typedef struct _KDDEBUGGER_DATA_ADDITION64
{
    ULONG64 VfCrashDataBlock;
    ULONG64 MmBadPagesDetected;
    ULONG64 MmZeroedPageSingleBitErrorsDetected;
    ULONG64 EtwpDebuggerData;
    USHORT OffsetPrcbContext;
    USHORT OffsetPrcbMaxBreakpoints;
    USHORT OffsetPrcbMaxWatchpoints;
    ULONG OffsetKThreadStackLimit;
    ULONG OffsetKThreadStackBase;
    ULONG OffsetKThreadQueueListEntry;
    ULONG OffsetEThreadIrpList;
    USHORT OffsetPrcbIdleThread;
    USHORT OffsetPrcbNormalDpcState;
    USHORT OffsetPrcbDpcStack;
    USHORT OffsetPrcbIsrStack;
    USHORT SizeKDPC_STACK_FRAME;
    USHORT OffsetKPriQueueThreadListHead;
    USHORT OffsetKThreadWaitReason;
    USHORT Padding;
    ULONG64 PteBase;
    ULONG64 RetpolineStubFunctionTable;
    ULONG RetpolineStubFunctionTableSize;
    ULONG RetpolineStubOffset;
    ULONG RetpolineStubSize;
}KDDEBUGGER_DATA_ADDITION64, * PKDDEBUGGER_DATA_ADDITION64;
/*
 * Leading fields of the crash-dump header as filled in by
 * KeCapturePersistentThreadState / the dump-header APIs. Only the
 * fields read by this driver are declared; the real header is larger
 * (page-sized), so a buffer of sizeof(DUMP_HEADER) is not enough to
 * receive it — presumably the caller allocates the full size; verify.
 */
typedef struct _DUMP_HEADER
{
    ULONG Signature;
    ULONG ValidDump;
    ULONG MajorVersion;
    ULONG MinorVersion;
    ULONG_PTR DirectoryTableBase;   // system CR3
    ULONG_PTR PfnDataBase;
    PLIST_ENTRY PsLoadedModuleList;
    PLIST_ENTRY PsActiveProcessHead;
    ULONG MachineImageType;
    ULONG NumberProcessors;
    ULONG BugCheckCode;
    ULONG_PTR BugCheckParameter1;
    ULONG_PTR BugCheckParameter2;
    ULONG_PTR BugCheckParameter3;
    ULONG_PTR BugCheckParameter4;
    CHAR VersionUser[ 32 ];
    struct _KDDEBUGGER_DATA64* KdDebuggerDataBlock;
} DUMP_HEADER, * PDUMP_HEADER;
/*
 * CR3 / directory table base: PhysicalAddress is the page-frame number of
 * the PML4 (bits 47:12 here; the architectural field extends to bit 51,
 * which this definition folds into _Reserved0). Typedef'd under two names
 * (CR3 and DIR_TABLE_BASE) with no pointer alias. Identifiers beginning
 * with an underscore and a capital are reserved by the C standard; they
 * are kept because they are part of this header's interface.
 */
typedef union _DIRECTORY_TABLE_BASE
{
    struct
    {
        UINT64 Ignored0 : 3; /* 2:0 */
        UINT64 PageWriteThrough : 1; /* 3 */
        UINT64 PageCacheDisable : 1; /* 4 */
        UINT64 _Ignored1 : 7; /* 11:5 */
        UINT64 PhysicalAddress : 36; /* 47:12 */
        UINT64 _Reserved0 : 16; /* 63:48 */
    } Bits;
    UINT64 BitAddress;
} CR3, DIR_TABLE_BASE;
/*
 * 4-level (48-bit) x64 linear address split into its paging-structure
 * indices: bits 11:0 offset within the 4 KiB page, then 9-bit PT, PD,
 * PDPT and PML4 indices. Bits 63:48 are the sign extension and are not
 * checked here; a canonicality check is the caller's job.
 */
typedef union _VIRTUAL_MEMORY_ADDRESS
{
    struct
    {
        UINT64 PageIndex : 12; /* 0:11 */
        UINT64 PtIndex : 9; /* 12:20 */
        UINT64 PdIndex : 9; /* 21:29 */
        UINT64 PdptIndex : 9; /* 30:38 */
        UINT64 Pml4Index : 9; /* 39:47 */
        UINT64 Unused : 16; /* 48:63 */
    } Bits;
    UINT64 BitAddress;
} VIRTUAL_ADDRESS, * PVIRTUAL_ADDRESS;
/*
 * PML4 entry (references a PDPT). Bit 7 is reserved at this level — a
 * PML4E can never map a large page — and PhysicalAddress is the PFN of
 * the next-level table.
 */
typedef union _PML4_ENTRY
{
    struct
    {
        UINT64 Present : 1; /* 0 */
        UINT64 ReadWrite : 1; /* 1 */
        UINT64 UserSupervisor : 1; /* 2 */
        UINT64 PageWriteThrough : 1; /* 3 */
        UINT64 PageCacheDisable : 1; /* 4 */
        UINT64 Accessed : 1; /* 5 */
        UINT64 _Ignored0 : 1; /* 6 */
        UINT64 _Reserved0 : 1; /* 7 */
        UINT64 _Ignored1 : 4; /* 11:8 */
        UINT64 PhysicalAddress : 40; /* 51:12 */
        UINT64 _Ignored2 : 11; /* 62:52 */
        UINT64 ExecuteDisable : 1; /* 63 */
    } Bits;
    UINT64 BitAddress;
} PML4E;
/*
 * PDPT entry referencing a page directory (PageSize == 0). When PageSize
 * is set the entry instead maps a 1 GiB page and must be read through
 * PDPTE_LARGE, whose address field starts at bit 30.
 */
typedef union _PDPT_ENTRY
{
    struct
    {
        UINT64 Present : 1; /* 0 */
        UINT64 ReadWrite : 1; /* 1 */
        UINT64 UserSupervisor : 1; /* 2 */
        UINT64 PageWriteThrough : 1; /* 3 */
        UINT64 PageCacheDisable : 1; /* 4 */
        UINT64 Accessed : 1; /* 5 */
        UINT64 _Ignored0 : 1; /* 6 */
        UINT64 PageSize : 1; /* 7 */
        UINT64 _Ignored1 : 4; /* 11:8 */
        UINT64 PhysicalAddress : 40; /* 51:12 */
        UINT64 _Ignored2 : 11; /* 62:52 */
        UINT64 ExecuteDisable : 1; /* 63 */
    } Bits;
    UINT64 BitAddress;
} PDPTE;
/*
 * Page-directory entry referencing a page table (PageSize == 0). When
 * PageSize is set the entry maps a 2 MiB page and must be read through
 * PDE_LARGE. PhysicalAddress is declared as 38 bits (49:12), narrower
 * than the architectural maximum of 51:12; _Reserved0 covers 51:50.
 */
typedef union _PD_ENTRY
{
    struct
    {
        UINT64 Present : 1; /* 0 */
        UINT64 ReadWrite : 1; /* 1 */
        UINT64 UserSupervisor : 1; /* 2 */
        UINT64 PageWriteThrough : 1; /* 3 */
        UINT64 PageCacheDisable : 1; /* 4 */
        UINT64 Accessed : 1; /* 5 */
        UINT64 _Ignored0 : 1; /* 6 */
        UINT64 PageSize : 1; /* 7 */
        UINT64 _Ignored1 : 4; /* 11:8 */
        UINT64 PhysicalAddress : 38; /* 49:12 */
        UINT64 _Reserved0 : 2; /* 51:50 */
        UINT64 _Ignored2 : 11; /* 62:52 */
        UINT64 ExecuteDisable : 1; /* 63 */
    } Bits;
    UINT64 BitAddress;
} PDE;
/*
 * Page-table entry mapping a 4 KiB page. Bit 7 is PAT at this level (not
 * PageSize), so IS_LARGE_PAGE must not be applied to a PTE. PhysicalAddress
 * is declared as 38 bits (49:12), narrower than the architectural 51:12;
 * _Reserved0 covers 51:50.
 */
typedef union _PT_ENTRY
{
    struct
    {
        UINT64 Present : 1; /* 0 */
        UINT64 ReadWrite : 1; /* 1 */
        UINT64 UserSupervisor : 1; /* 2 */
        UINT64 PageWriteThrough : 1; /* 3 */
        UINT64 PageCacheDisable : 1; /* 4 */
        UINT64 Accessed : 1; /* 5 */
        UINT64 Dirty : 1; /* 6 */
        UINT64 PageAttributeTable : 1; /* 7 */
        UINT64 Global : 1; /* 8 */
        UINT64 _Ignored0 : 3; /* 11:9 */
        UINT64 PhysicalAddress : 38; /* 49:12 */
        UINT64 _Reserved0 : 2; /* 51:50 */
        UINT64 _Ignored1 : 7; /* 58:52 */
        UINT64 ProtectionKey : 4; /* 62:59 */
        UINT64 ExecuteDisable : 1; /* 63 */
    } Bits;
    UINT64 BitAddress;
} PTE;
/*
 * PDPT entry with PageSize set: maps a 1 GiB page directly. The page
 * frame starts at bit 30 (PhysicalAddress, 51:30); bits 29:13 are
 * reserved and bit 12 carries PAT. Use PAGE_1GB_OFFSET to recover the
 * offset within the page.
 */
typedef union _PDPT_ENTRY_LARGE
{
    struct
    {
        UINT64 Present : 1; /* 0 */
        UINT64 ReadWrite : 1; /* 1 */
        UINT64 UserSupervisor : 1; /* 2 */
        UINT64 PageWriteThrough : 1; /* 3 */
        UINT64 PageCacheDisable : 1; /* 4 */
        UINT64 Accessed : 1; /* 5 */
        UINT64 Dirty : 1; /* 6 */
        UINT64 PageSize : 1; /* 7 */
        UINT64 Global : 1; /* 8 */
        UINT64 _Ignored0 : 3; /* 11:9 */
        UINT64 PageAttributeTable : 1; /* 12 */
        UINT64 _Reserved0 : 17; /* 29:13 */
        UINT64 PhysicalAddress : 22; /* 51:30 */
        UINT64 _Ignored1 : 7; /* 58:52 */
        UINT64 ProtectionKey : 4; /* 62:59 */
        UINT64 ExecuteDisable : 1; /* 63 */
    } Bits;
    UINT64 BitAddress;
} PDPTE_LARGE;
/*
 * Page-directory entry with PageSize set: maps a 2 MiB page directly.
 * The page frame starts at bit 21 (PhysicalAddress, 49:21); bit 12 is
 * PAT. Use PAGE_2MB_OFFSET to recover the offset within the page.
 * The member name PageAttributeTalbe is misspelled in the original;
 * it is kept because renaming it would break existing users.
 */
typedef union _PD_ENTRY_LARGE
{
    struct
    {
        UINT64 Present : 1; /* 0 */
        UINT64 ReadWrite : 1; /* 1 */
        UINT64 UserSupervisor : 1; /* 2 */
        UINT64 PageWriteThrough : 1; /* 3 */
        UINT64 PageCacheDisable : 1; /* 4 */
        UINT64 Accessed : 1; /* 5 */
        UINT64 Dirty : 1; /* 6 */
        UINT64 PageSize : 1; /* 7 */
        UINT64 Global : 1; /* 8 */
        UINT64 _Ignored0 : 3; /* 11:9 */
        UINT64 PageAttributeTalbe : 1; /* 12 */
        UINT64 _Reserved0 : 8; /* 20:13 */
        UINT64 PhysicalAddress : 29; /* 49:21 */
        UINT64 _Reserved1 : 2; /* 51:50 */
        UINT64 _Ignored1 : 7; /* 58:52 */
        UINT64 ProtectionKey : 4; /* 62:59 */
        UINT64 ExecuteDisable : 1; /* 63 */
    } Bits;
    UINT64 BitAddress;
} PDE_LARGE;
//typedef struct _KAPC_STATE
//{
//    LIST_ENTRY ApcListHead[ MaximumMode ];
//    struct _KPROCESS* Process;
//    union {
//        UCHAR InProgressFlags;
//        struct
//        {
//            BOOLEAN KernelApcInProgress : 1;
//            BOOLEAN SpecialApcInProgress : 1;
//        };
//    };
//
//    BOOLEAN KernelApcPending;
//    union {
//        BOOLEAN UserApcPendingAll;
//        struct
//        {
//            BOOLEAN SpecialUserApcPending : 1;
//            BOOLEAN UserApcPending : 1;
//        };
//    };
//} KAPC_STATE, * PKAPC_STATE, * PRKAPC_STATE;
/*
 * Header that precedes a raw SMBIOS table dump. SMBIOSTableData is a
 * flexible array member, so the struct is variable-sized and must be
 * allocated as sizeof(RAW_SMBIOS_DATA) plus the payload size.
 *
 * NOTE(review): Length presumably counts the bytes in SMBIOSTableData (the
 * usual raw-SMBIOS layout) - confirm against the producer. Because the value
 * is not generated by this driver, a consumer should check Length against
 * the size of the buffer it actually received before walking the table data.
 */
typedef struct _RAW_SMBIOS_DATA
{
    BYTE Used20CallingMethod;
    BYTE SMBIOSMajorVersion;
    BYTE SMBIOSMinorVersion;
    BYTE DmiRevision;
    UINT32 Length;
    BYTE SMBIOSTableData[]; /* raw structures follow, back to back */
} RAW_SMBIOS_DATA, * PRAW_SMBIOS_DATA;
/*
 * Generic SMBIOS structure header: Type identifies the structure, Length is
 * the size of its formatted area, Handle is the structure's identifier.
 *
 * NOTE(review): TableData is a pointer, so on a 64-bit build this struct is
 * 16 bytes rather than the 4-byte header an SMBIOS structure actually starts
 * with. If the struct is overlaid on raw table bytes, TableData does not
 * point anywhere meaningful and must not be dereferenced - confirm how the
 * call sites use it.
 */
typedef struct _SMBIOS_TABLE_HEADER
{
    UCHAR Type;
    UCHAR Length;
    USHORT Handle;
    PCHAR TableData; /* see note above: not part of the on-wire header */
} SMBIOS_TABLE_HEADER, *PSMBIOS_TABLE_HEADER;
/*
 * Formatted area of an SMBIOS Type 1 (System Information) structure.
 *
 * NOTE(review): the single-byte text fields (Manufacturer, ProductName,
 * Version, SerialNumber, SKUNumber, Family) are presumably SMBIOS string
 * numbers - indices into the string set that follows the formatted area -
 * not the strings themselves. A consumer must resolve them against that
 * string set and bounds-check the walk against the enclosing table length.
 */
typedef struct _RAW_SMBIOS_TABLE_01
{
    UCHAR Type;          /* structure type; 1 for this layout */
    UCHAR Length;        /* length of the formatted area */
    USHORT Handle;
    UCHAR Manufacturer;  /* string number */
    UCHAR ProductName;   /* string number */
    UCHAR Version;       /* string number */
    UCHAR SerialNumber;  /* string number */
    UCHAR UUID[ 16 ];    /* raw 16-byte system UUID */
    UCHAR WakeUpType;
    UCHAR SKUNumber;     /* string number */
    UCHAR Family;        /* string number */
} RAW_SMBIOS_TABLE_01, *PRAW_SMBIOS_TABLE_01;
/*
 * Formatted area of an SMBIOS Type 2 (Baseboard Information) structure.
 *
 * NOTE(review): ContainedObjectHandles is declared with a fixed 256 entries,
 * but the real table carries only NumberOfContainedObjectHandles handles and
 * is typically far shorter than sizeof(RAW_SMBIOS_TABLE_02). Never use
 * sizeof this struct to size a read or copy from raw table data - the
 * structure's own Length (and the enclosing buffer size) governs. Also, the
 * single-byte text fields are presumably SMBIOS string numbers, not text.
 */
typedef struct _RAW_SMBIOS_TABLE_02 {
    UCHAR Type;                        /* structure type; 2 for this layout */
    UCHAR Length;                      /* length of the formatted area */
    USHORT Handle;
    BYTE Manufacturer;                 /* string number */
    BYTE Product;                      /* string number */
    BYTE Version;                      /* string number */
    BYTE SerialNumber;                 /* string number */
    BYTE AssetTag;                     /* string number */
    BYTE FeatureFlags;
    BYTE LocationInChassis;            /* string number */
    UINT16 ChassisHandle;
    BYTE BoardType;
    BYTE NumberOfContainedObjectHandles;
    BYTE ContainedObjectHandles[ 256 ]; /* over-sized; see note above */
}RAW_SMBIOS_TABLE_02, *PRAW_SMBIOS_TABLE_02;
/*
 * Relative-name result filled in by RtlDosPathNameToRelativeNtPathName_U
 * (declared further down in this header).
 *
 * NOTE(review): CurDirRef is an opaque reference owned by the runtime; a
 * caller that receives a non-NULL value is responsible for releasing it with
 * the matching Rtl release routine, which this header does not declare -
 * confirm against the target build, as this is not a contract API.
 */
typedef struct _RTL_RELATIVE_NAME {
    UNICODE_STRING RelativeName;  /* path relative to ContainingDirectory */
    HANDLE ContainingDirectory;   /* directory the relative name is based on */
    void* CurDirRef;              /* opaque; see note above */
} RTL_RELATIVE_NAME, * PRTL_RELATIVE_NAME;
/*
 * Common prefix shared by every storage property descriptor (compare the
 * first two members of STORAGE_DEVICE_DESCRIPTOR below). Size is the total
 * byte count of the full descriptor, which is what lets a caller query with
 * a header-sized buffer first and then re-query with a buffer of Size bytes.
 *
 * NOTE(review): this is a local copy of a public SDK type with the same
 * name; including the SDK storage header in the same translation unit would
 * produce redefinition errors.
 */
typedef struct _STORAGE_DESCRIPTOR_HEADER {
    ULONG Version;
    ULONG Size; /* total size of the descriptor this header begins */
} STORAGE_DESCRIPTOR_HEADER, * PSTORAGE_DESCRIPTOR_HEADER;
/*
 * Bus type reported in STORAGE_DEVICE_DESCRIPTOR.BusType (below). The
 * implicit values run 0x01..0x08 after BusTypeUnknown; BusTypeMaxReserved
 * marks the upper bound of the reserved range.
 *
 * NOTE(review): this is an excerpt - the public Windows definition carries
 * more bus types between BusTypeRAID and BusTypeMaxReserved. A BusType
 * value coming back from a real device may therefore match none of the
 * enumerators here; treat unrecognised values as unknown rather than
 * assuming the list is exhaustive. Same-name local copy of an SDK type:
 * do not include the SDK storage header in the same translation unit.
 */
typedef enum _STORAGE_BUS_TYPE {
    BusTypeUnknown = 0x00,
    BusTypeScsi,
    BusTypeAtapi,
    BusTypeAta,
    BusType1394,
    BusTypeSsa,
    BusTypeFibre,
    BusTypeUsb,
    BusTypeRAID,
    BusTypeMaxReserved = 0x7F /* upper bound of reserved values */
} STORAGE_BUS_TYPE, * PSTORAGE_BUS_TYPE;
/*
 * Kind of "set property" request. PropertySetMaxDefined is not a valid
 * request; it is the sentinel used to range-check a value.
 * (Local copy of a same-name SDK type; see the note on
 * STORAGE_DESCRIPTOR_HEADER above.)
 */
typedef enum _STORAGE_SET_TYPE {
    PropertyStandardSet = 0, // Sets the descriptor
    PropertyExistsSet,       // Used to test whether the descriptor is supported
    PropertySetMaxDefined    // use to validate the value
} STORAGE_SET_TYPE, * PSTORAGE_SET_TYPE;
//
// Define some initial property ids.
//
/*
 * Kind of "query property" request carried in STORAGE_PROPERTY_QUERY
 * (below). PropertyQueryMaxDefined is not a valid request; it is the
 * sentinel used to range-check a value.
 * (Local copy of a same-name SDK type; see the note on
 * STORAGE_DESCRIPTOR_HEADER above.)
 */
typedef enum _STORAGE_QUERY_TYPE {
    PropertyStandardQuery = 0, // Retrieves the descriptor
    PropertyExistsQuery,       // Used to test whether the descriptor is supported
    PropertyMaskQuery,         // Used to retrieve a mask of writeable fields in the descriptor
    PropertyQueryMaxDefined    // use to validate the value
} STORAGE_QUERY_TYPE, * PSTORAGE_QUERY_TYPE;
/*
 * Identifies which property a STORAGE_PROPERTY_QUERY (below) asks for.
 * The numbering is not contiguous: note the explicit jumps to 48 and 64,
 * which must be preserved so the values stay wire-compatible with the
 * public definition. The trailing comma after the last enumerator is
 * legal C99.
 * (Local copy of a same-name SDK type; see the note on
 * STORAGE_DESCRIPTOR_HEADER above.)
 */
typedef enum _STORAGE_PROPERTY_ID {
    StorageDeviceProperty = 0,
    StorageAdapterProperty,
    StorageDeviceIdProperty,
    StorageDeviceUniqueIdProperty,      // See storduid.h for details
    StorageDeviceWriteCacheProperty,
    StorageMiniportProperty,
    StorageAccessAlignmentProperty,
    StorageDeviceSeekPenaltyProperty,
    StorageDeviceTrimProperty,
    StorageDeviceWriteAggregationProperty,
    StorageDeviceDeviceTelemetryProperty,
    StorageDeviceLBProvisioningProperty,
    StorageDevicePowerProperty,
    StorageDeviceCopyOffloadProperty,
    StorageDeviceResiliencyProperty,
    StorageDeviceMediumProductType,
    StorageAdapterRpmbProperty,
    StorageAdapterCryptoProperty,
    StorageDeviceIoCapabilityProperty = 48,  /* explicit gap in the numbering */
    StorageAdapterProtocolSpecificProperty,
    StorageDeviceProtocolSpecificProperty,
    StorageAdapterTemperatureProperty,
    StorageDeviceTemperatureProperty,
    StorageAdapterPhysicalTopologyProperty,
    StorageDevicePhysicalTopologyProperty,
    StorageDeviceAttributesProperty,
    StorageDeviceManagementStatus,
    StorageAdapterSerialNumberProperty,
    StorageDeviceLocationProperty,
    StorageDeviceNumaProperty,
    StorageDeviceZonedDeviceProperty,
    StorageDeviceUnsafeShutdownCount,
    StorageDeviceEnduranceProperty,
    StorageDeviceLedStateProperty,
    StorageDeviceSelfEncryptionProperty = 64, /* explicit gap in the numbering */
    StorageFruIdProperty,
} STORAGE_PROPERTY_ID, * PSTORAGE_PROPERTY_ID;
/*
 * Input block for a storage property query: which property (PropertyId)
 * and what kind of request (QueryType).
 *
 * NOTE(review): AdditionalParameters[ 1 ] is the old Windows-header idiom
 * for a trailing variable-length area; the real buffer may be larger than
 * sizeof(STORAGE_PROPERTY_QUERY), and sizeof must not be used to bound it.
 * (Local copy of a same-name SDK type; see the note on
 * STORAGE_DESCRIPTOR_HEADER above.)
 */
typedef struct _STORAGE_PROPERTY_QUERY {
    STORAGE_PROPERTY_ID PropertyId;
    STORAGE_QUERY_TYPE QueryType;
    UCHAR AdditionalParameters[ 1 ]; /* variable-length tail; see note */
} STORAGE_PROPERTY_QUERY, * PSTORAGE_PROPERTY_QUERY;
/*
 * Descriptor returned for StorageDeviceProperty. It begins with the same
 * Version/Size pair as STORAGE_DESCRIPTOR_HEADER, so a caller can read the
 * header first and then allocate Size bytes for the full descriptor.
 *
 * NOTE(review): the *Offset members are presumably byte offsets from the
 * start of this struct to NUL-terminated strings, with 0 meaning "absent"
 * (the public contract). The descriptor is produced by a lower driver, so
 * each offset should be validated against Size - and the string walk bounded
 * by Size - before it is dereferenced. RawDeviceProperties[ 1 ] is a
 * variable-length tail of RawPropertiesLength bytes; do not size it with
 * sizeof.
 * (Local copy of a same-name SDK type; see the note on
 * STORAGE_DESCRIPTOR_HEADER above.)
 */
typedef struct _STORAGE_DEVICE_DESCRIPTOR {
    ULONG Version;
    ULONG Size;                     /* total bytes of this descriptor */
    UCHAR DeviceType;
    UCHAR DeviceTypeModifier;
    BOOLEAN RemovableMedia;
    BOOLEAN CommandQueueing;
    ULONG VendorIdOffset;           /* offset to string, or 0 */
    ULONG ProductIdOffset;          /* offset to string, or 0 */
    ULONG ProductRevisionOffset;    /* offset to string, or 0 */
    ULONG SerialNumberOffset;       /* offset to string, or 0 */
    STORAGE_BUS_TYPE BusType;       /* may hold values not listed in the local enum */
    ULONG RawPropertiesLength;      /* bytes valid in RawDeviceProperties */
    UCHAR RawDeviceProperties[ 1 ]; /* variable-length tail; see note */
} STORAGE_DEVICE_DESCRIPTOR, * PSTORAGE_DEVICE_DESCRIPTOR;
/*
 * Prototypes for kernel exports that the public WDK headers do not declare.
 * None of these is a contract API: the names are exported, but parameter
 * types and semantics can change between Windows builds, so each
 * declaration must be verified against the kernel actually targeted.
 *
 * Style note: this group mixes old-style SAL (__in, __out_opt) with SAL2
 * (_In_, _Inout_); the file would be easier to lint with one convention.
 */

/*
 * ExEnumHandleTable - walks every entry of HandleTable, invoking
 * EnumHandleProcedure with EnumParameter for each one. Presumably returns
 * TRUE when the callback stopped the walk, reporting the matching handle
 * through Handle - confirm against the target kernel.
 * NOTE(review): PHANDLE_TABLE and EX_ENUMERATE_HANDLE_ROUTINE are not
 * defined in this part of the header; the callback's signature has changed
 * across Windows versions, so a mismatch here is a silent stack/argument
 * corruption rather than a compile error.
 */
NTKERNELAPI
BOOLEAN
ExEnumHandleTable(
    __in PHANDLE_TABLE HandleTable,
    __in EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
    __in PVOID EnumParameter,
    __out_opt PHANDLE Handle
);

/*
 * ObGetObjectType - returns the object-type object describing the object
 * body pointed to by Object (exported by ntoskrnl).
 */
NTKERNELAPI
POBJECT_TYPE
NTAPI
ObGetObjectType(
    _In_ PVOID Object
);

/* Opaque: only ever handled through a pointer. */
typedef struct _EX_PUSH_LOCK_WAIT_BLOCK* PEX_PUSH_LOCK_WAIT_BLOCK;

/*
 * ExfUnblockPushLock - undocumented fastcall helper that wakes waiters on a
 * push lock, optionally for a specific wait block. Its intended pairing with
 * the lock-acquisition routines is not visible here - confirm at the call
 * sites.
 */
NTKERNELAPI
VOID
FASTCALL
ExfUnblockPushLock(
    _Inout_ PEX_PUSH_LOCK PushLock,
    _Inout_opt_ PEX_PUSH_LOCK_WAIT_BLOCK WaitBlock
);

/*
 * PsGetProcessImageFileName - exported but undocumented; returns a pointer
 * into the process object's short image-file-name field. The result is a
 * truncated base name (historically 15 characters), not a full path, and a
 * process name is trivially chosen by whoever starts the process. Suitable
 * for logging; not a reliable identity or authorisation check. The pointer
 * is only valid while the caller holds a reference on Process.
 */
LPCSTR
NTSYSAPI
NTAPI
PsGetProcessImageFileName(
    PEPROCESS Process
);
/*
 * Undocumented kernel exports used for NMI delivery and for capturing
 * kernel state. EXTERN_C only matters when this header is included from a
 * C++ translation unit. Style note: the lower-case parameter names
 * (affinity, num) differ from the PascalCase used by every other prototype
 * in this header.
 */

/* KeInitializeAffinityEx - zero-initialises an extended affinity set. */
EXTERN_C VOID KeInitializeAffinityEx(
    PKAFFINITY_EX affinity
);

/*
 * KeAddProcessorAffinityEx - adds processor number `num` to the affinity
 * set. The valid range of `num` is not visible here; presumably it must be
 * below the active processor count - confirm before passing values derived
 * from anything external.
 */
EXTERN_C VOID KeAddProcessorAffinityEx(
    PKAFFINITY_EX affinity,
    INT num
);

/*
 * HalSendNMI - presumably delivers a non-maskable interrupt to every
 * processor in the affinity set. Whatever NMI callback the driver has
 * registered then runs in a context where almost no kernel service is safe
 * to call, so that callback must stay minimal and must not block.
 */
EXTERN_C VOID HalSendNMI(
    PKAFFINITY_EX affinity
);

/*
 * RtlQueryModuleInformation - undocumented; fills InformationBuffer with
 * one SizePerModule-byte record per loaded module. InformationLength is
 * presumably in/out (required size on return), which allows a two-call
 * size-then-fill pattern - confirm against the target kernel and check the
 * returned length against the allocation before indexing records.
 */
NTSTATUS
RtlQueryModuleInformation(
    ULONG* InformationLength,
    ULONG SizePerModule,
    PVOID InformationBuffer
);

/*
 * NtSetInformationProcess - the Nt* entry point, declared without a
 * linkage decorator.
 * NOTE(review): unlike the Zw* variant, an Nt* call made from kernel mode
 * does not force PreviousMode to KernelMode. If a call site runs on a thread
 * whose PreviousMode is UserMode, ProcessHandle is looked up in the user
 * handle table and ProcessInformation is probed as a user-mode buffer (a
 * kernel buffer fails the probe). Confirm the call sites intend this;
 * otherwise ZwSetInformationProcess is the conventional choice.
 */
NTSTATUS
NTAPI
NtSetInformationProcess(
    _In_ HANDLE ProcessHandle,
    _In_ PROCESSINFOCLASS ProcessInformationClass,
    _In_ PVOID ProcessInformation,
    _In_ ULONG ProcessInformationLength
);

/*
 * KeCapturePersistentThreadState - undocumented; writes a crash-dump-style
 * header for the given context/thread into DumpHeader. Presumably used here
 * to obtain the KdDebuggerDataBlock copy that DUMP_HEADER carries (see the
 * C_ASSERTs and the KDDEBUGGER_DATA_OFFSET / DUMP_BLOCK_SIZE definitions at
 * the end of this header). DumpHeader must be at least DUMP_BLOCK_SIZE
 * bytes; the bug-check code and parameters are only recorded, not acted on.
 */
NTSYSAPI
ULONG
NTAPI
KeCapturePersistentThreadState(
    __in PCONTEXT Context,
    __in_opt PKTHREAD Thread,
    __in ULONG BugCheckCode,
    __in ULONG_PTR BugCheckParameter1,
    __in ULONG_PTR BugCheckParameter2,
    __in ULONG_PTR BugCheckParameter3,
    __in ULONG_PTR BugCheckParameter4,
    __in PDUMP_HEADER DumpHeader
);
/*
 * RtlDosPathNameToRelativeNtPathName_U - undocumented; converts a DOS-style
 * path into an NT path, returning FALSE on failure.
 * Ownership (presumed, not a contract API - confirm on the target build):
 * NtFileName->Buffer is allocated by the callee and must be freed by the
 * caller; FilePath, when requested, points into that buffer at the final
 * path component; a RelativeName that comes back populated must be released
 * with the matching Rtl release routine (not declared in this header).
 * NOTE(review): DosFileName is not validated by this routine. If the string
 * originates from user mode it must already have been captured into kernel
 * memory and NUL-terminated before it is passed here.
 */
BOOLEAN NTAPI RtlDosPathNameToRelativeNtPathName_U(
    _In_ PCWSTR DosFileName,
    _Out_ PUNICODE_STRING NtFileName,
    _Out_opt_ PWSTR* FilePath,
    _Out_opt_ PRTL_RELATIVE_NAME RelativeName
);
/*
 * Compile-time layout checks for DUMP_HEADER (defined earlier in this
 * header, outside this view). They pin the offsets the driver depends on
 * when it reads a header produced by KeCapturePersistentThreadState, so a
 * change to the struct breaks the build instead of silently misreading the
 * KdDebuggerDataBlock pointer. Note the gap between BugCheckParameter4
 * (0x58) and KdDebuggerDataBlock (0x80): the intervening fields are not
 * asserted here.
 */
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, Signature ) == 0 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, ValidDump ) == 4 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MajorVersion ) == 8 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MinorVersion ) == 0xc );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, DirectoryTableBase ) == 0x10 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PfnDataBase ) == 0x18 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PsLoadedModuleList ) == 0x20 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PsActiveProcessHead ) == 0x28 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MachineImageType ) == 0x30 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, NumberProcessors ) == 0x34 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckCode ) == 0x38 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter1 ) == 0x40 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter2 ) == 0x48 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter3 ) == 0x50 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter4 ) == 0x58 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, KdDebuggerDataBlock ) == 0x80 );
/*
 * KDDEBUGGER_DATA_OFFSET - presumably the byte offset, inside the block
 * captured by KeCapturePersistentThreadState, at which the
 * KdDebuggerDataBlock copy is found. The value differs between 32- and
 * 64-bit kernels and is not covered by the C_ASSERTs above, so it has to
 * be re-verified whenever the supported kernel set changes.
 */
#ifndef _WIN64
#define KDDEBUGGER_DATA_OFFSET 0x1068
#else
#define KDDEBUGGER_DATA_OFFSET 0x2080
#endif

/*
 * DUMP_BLOCK_SIZE - size of the buffer handed to
 * KeCapturePersistentThreadState. Must be large enough to hold everything
 * the routine writes, including the data at KDDEBUGGER_DATA_OFFSET; any
 * read at that offset should still be bounds-checked against this size.
 */
#ifndef _WIN64
#define DUMP_BLOCK_SIZE 0x20000
#else
#define DUMP_BLOCK_SIZE 0x40000
#endif
#endif