2023-08-26 14:07:06 +02:00
|
|
|
#ifndef POOL_H
|
|
|
|
|
#define POOL_H
|
|
|
|
|
|
|
|
|
|
#include <ntifs.h>
|
2023-09-02 15:47:15 +02:00
|
|
|
#include "common.h"
|
2023-08-26 14:07:06 +02:00
|
|
|
|
2023-09-23 13:40:39 +02:00
|
|
|
#define REPORT_INVALID_PROCESS_BUFFER_SIZE 4096
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2023-09-02 15:47:15 +02:00
|
|
|
#define PAGE_BASE_SIZE 0x1000
|
|
|
|
|
#define POOL_TAG_SIZE 0x004
|
2023-08-26 14:07:06 +02:00
|
|
|
|
2023-08-26 15:29:12 +02:00
|
|
|
#define PML4_ENTRY_COUNT 512
|
|
|
|
|
#define PDPT_ENTRY_COUNT 512
|
|
|
|
|
#define PD_ENTRY_COUNT 512
|
|
|
|
|
#define PT_ENTRY_COUNT 512
|
|
|
|
|
|
2023-09-03 19:33:27 +02:00
|
|
|
#define LARGE_PAGE_2MB_ENTRIES 512
|
|
|
|
|
#define LARGE_PAGE_1GB_ENTRIES 0x40000
|
|
|
|
|
|
2023-08-28 11:17:38 +02:00
|
|
|
#define PROCESS_OBJECT_ALLOCATION_MARGIN 0x90
|
|
|
|
|
|
|
|
|
|
/* SIZE_2 = first alloc + 0x10 */
|
2023-08-27 07:49:59 +02:00
|
|
|
#define WIN_PROCESS_ALLOCATION_SIZE 0xcf0
|
2023-08-28 11:17:38 +02:00
|
|
|
#define WIN_PROCESS_ALLOCATION_SIZE_2 0xd00
|
2023-08-27 07:49:59 +02:00
|
|
|
|
|
|
|
|
#define CHUNK_SIZE 16
|
|
|
|
|
|
2023-08-28 17:00:52 +02:00
|
|
|
typedef struct _INVALID_PROCESS_ALLOCATION_REPORT
|
|
|
|
|
{
|
|
|
|
|
INT report_code;
|
|
|
|
|
CHAR process[ REPORT_INVALID_PROCESS_BUFFER_SIZE ];
|
|
|
|
|
|
|
|
|
|
}INVALID_PROCESS_ALLOCATION_REPORT, *PINVALID_PROCESS_ALLOCATION_REPORT;
|
|
|
|
|
|
|
|
|
|
NTSTATUS FindUnlinkedProcesses(
|
|
|
|
|
_In_ PIRP Irp
|
|
|
|
|
);
|
2023-08-28 11:17:38 +02:00
|
|
|
|
2023-08-30 11:19:41 +02:00
|
|
|
VOID GetPsActiveProcessHead(
|
|
|
|
|
_In_ PUINT64 Address
|
|
|
|
|
);
|
|
|
|
|
|
2023-08-29 19:36:58 +02:00
|
|
|
PKDDEBUGGER_DATA64 GetGlobalDebuggerData();
|
|
|
|
|
|
2023-08-26 14:07:06 +02:00
|
|
|
#endif
|
