start working on import encryption. Simple avx xoring atm need 2 learn MORE!

driver/common.h

@@ -41,6 +41,7 @@
                    ##__VA_ARGS__)
 
 #define STATIC static
+#define INLINE inline
 
 #define MAX_MODULE_PATH 256
 

driver/cpp.hint

@@ -7,3 +7,4 @@
 #define _In_
 #define STATIC
 #define VOID
+#define INLINE

driver/crypt.c

@@ -1,22 +1,126 @@
 #include "crypt.h"
 
 #include <immintrin.h>
+#include "imports.h"
 
-#define TEMP_KEY 0x5a
+#define XOR_KEY_1 0x1122334455667788
+#define XOR_KEY_2 0x0011223344556677
+#define XOR_KEY_3 0x5566778899AABBCC
+#define XOR_KEY_4 0x66778899AABBCCDD
 
-VOID
+STATIC
-CryptEncryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size)
+__m256i
+CryptGenerateSseXorKey()
 {
-        PCHAR entry = (PCHAR)Buffer;
+        return _mm256_set_epi64x(XOR_KEY_1, XOR_KEY_2, XOR_KEY_3, XOR_KEY_4);
-
-        for (UINT32 index = 0; index < Size; index++)
-        {
-                entry[index] ^= TEMP_KEY;
-        }
 }
 
 VOID
-CryptDecryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size)
+CryptEncryptImportsArray(_In_ PUINT64 Array, _In_ UINT32 Entries)
 {
-        CryptEncryptBufferInPlace(Buffer, Size);
+        UINT32 block_size  = sizeof(__m256i) / sizeof(UINT64);
+        UINT32 block_count = Entries / block_size;
+
+        /*
+         * Here we break down the import array into blocks of 32 bytes. Each block is loaded into an
+         * SSE register, xored with the key, and then copied back into the array.
+         */
+        for (UINT32 block_index = 0; block_index < block_count; block_index++)
+        {
+                __m256i current_block = {0};
+                __m256i load_block    = {0};
+                __m256i xored_block   = {0};
+
+                RtlCopyMemory(&current_block, &Array[block_index * block_size], sizeof(__m256i));
+
+                load_block  = _mm256_loadu_si256(&current_block);
+                xored_block = _mm256_xor_si256(load_block, CryptGenerateSseXorKey());
+
+                RtlCopyMemory(&Array[block_index * block_size], &xored_block, sizeof(__m256i));
+        }
+}
+
+STATIC
+INLINE
+__m256i
+CryptDecryptImportBlock(_In_ PUINT64 Array, _In_ UINT32 BlockIndex)
+{
+        __m256i load_block = {0};
+        UINT32  block_size = sizeof(__m256i) / sizeof(UINT64);
+
+        RtlCopyMemory(&load_block, &Array[BlockIndex * block_size], sizeof(__m256i));
+
+        return _mm256_xor_si256(load_block, CryptGenerateSseXorKey());
+}
+
+STATIC
+INLINE
+VOID
+CryptFindContainingBlockForArrayIndex(_In_ UINT32   EntryIndex,
+                                      _In_ UINT32   BlockSize,
+                                      _Out_ PUINT32 ContainingBlockIndex,
+                                      _Out_ PUINT32 BlockSubIndex)
+{
+        UINT32 containing_block = EntryIndex;
+        UINT32 block_index      = 0;
+
+        if (EntryIndex < BlockSize)
+        {
+                *ContainingBlockIndex = 0;
+                *BlockSubIndex        = EntryIndex;
+                return;
+        }
+
+        if (EntryIndex == BlockSize)
+        {
+                *ContainingBlockIndex = 1;
+                *BlockSubIndex        = 0;
+                return;
+        }
+
+        while (containing_block % BlockSize != 0)
+        {
+                containing_block--;
+                block_index++;
+        }
+
+        *ContainingBlockIndex = containing_block / BlockSize;
+        *BlockSubIndex        = block_index;
+}
+
+UINT64
+CryptDecryptImportsArrayEntry(_In_ PUINT64 Array, _In_ UINT32 Entries, _In_ UINT32 EntryIndex)
+{
+        __m256i original_block         = {0};
+        __m128i original_half          = {0};
+        UINT32  block_size             = sizeof(__m256i) / sizeof(UINT64);
+        UINT32  containing_block_index = 0;
+        UINT32  block_sub_index        = 0;
+        UINT64  pointer                = 0;
+
+        CryptFindContainingBlockForArrayIndex(
+            EntryIndex, block_size, &containing_block_index, &block_sub_index);
+
+        original_block = CryptDecryptImportBlock(Array, containing_block_index);
+
+        if (block_sub_index < 2)
+        {
+                original_half = _mm256_extracti128_si256(original_block, 0);
+
+                if (block_sub_index < 1)
+                        pointer = _mm_extract_epi64(original_half, 0);
+                else
+                        pointer = _mm_extract_epi64(original_half, 1);
+        }
+        else
+        {
+                original_half = _mm256_extracti128_si256(original_block, 1);
+
+                if (block_sub_index == 2)
+                        pointer = _mm_extract_epi64(original_half, 0);
+                else
+                        pointer = _mm_extract_epi64(original_half, 1);
+        }
+
+        return pointer;
 }

driver/crypt.h

@@ -4,9 +4,9 @@
 #include "common.h"
 
 VOID
-CryptEncryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size);
+CryptEncryptImportsArray(_In_ PUINT64 Array, _In_ UINT32 Entries);
 
-VOID
+UINT64
-CryptDecryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size);
+CryptDecryptImportsArrayEntry(_In_ PUINT64 Array, _In_ UINT32 Entries, _In_ UINT32 EntryIndex);
 
 #endif

driver/driver.c

@@ -11,6 +11,7 @@
 #include "integrity.h"
 #include "imports.h"
 #include "apc.h"
+#include "crypt.h"
 
 STATIC
 VOID
@@ -50,7 +51,7 @@ NTSTATUS
 DrvLoadEnableNotifyRoutines();
 
 STATIC
-NTSTATUS
+VOID
 DrvLoadInitialiseObCbConfig();
 
 STATIC
@@ -525,6 +526,8 @@ DrvLoadSetupDriverLists()
 
         if (!NT_SUCCESS(status))
         {
+                UnregisterProcessCreateNotifyRoutine();
+                UnregisterThreadCreateNotifyRoutine();
                 UnregisterImageLoadNotifyRoutine();
                 DEBUG_ERROR("InitialiseDriverList failed with status %x", status);
                 return status;
@@ -535,6 +538,7 @@ DrvLoadSetupDriverLists()
         if (!NT_SUCCESS(status))
         {
                 DEBUG_ERROR("InitialiseThreadList failed with status %x", status);
+                UnregisterProcessCreateNotifyRoutine();
                 UnregisterThreadCreateNotifyRoutine();
                 UnregisterImageLoadNotifyRoutine();
                 CleanupDriverListOnDriverUnload();
@@ -566,7 +570,7 @@ DrvLoadInitialiseProcessConfig()
 }
 
 STATIC
-NTSTATUS
+VOID
 DrvLoadInitialiseObCbConfig()
 {
         PAGED_CODE();
@@ -895,7 +899,9 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
         NTSTATUS status = STATUS_UNSUCCESSFUL;
 
         ImpKeInitializeGuardedMutex(&g_DriverConfig->lock);
+
         IrpQueueInitialise();
+        DrvLoadInitialiseObCbConfig();
 
         g_DriverConfig->unload_in_progress                         = FALSE;
         g_DriverConfig->system_information.virtualised_environment = FALSE;
@@ -918,14 +924,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
                 return status;
         }
 
-        status = DrvLoadInitialiseObCbConfig();
-
-        if (!NT_SUCCESS(status))
-        {
-                DEBUG_ERROR("AllocateCallbackStructure failed with status %x", status);
-                return status;
-        }
-
         status = InitialiseTimerObject(&g_DriverConfig->timer);
 
         if (!NT_SUCCESS(status))

driver/imports.h

@@ -434,8 +434,8 @@ void (*pKeInitializeAffinityEx)(
 
 typedef 
 void (*pKeAddProcessorAffinityEx)(
-        PKAFFINITY_EX affinity, 
+        PKAFFINITY_EX Affinity, 
-        INT num
+        INT CoreNumber
         );
 
 typedef 
@@ -542,175 +542,535 @@ void (*pRtlFreeUnicodeString)(
 
 // clang-format on
 
+#define OB_DEREFERENCE_OBJECT_INDEX                0
+#define PS_LOOKUP_THREAD_BY_THREAD_ID_INDEX        1
+#define MM_IS_ADDRESS_VALID_INDEX                  2
+#define PS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_INDEX 3
+
+#define PS_REMOVE_CREATE_THREAD_NOTIFY_ROUTINE_INDEX 4
+#define PS_GET_CURRENT_THREAD_ID_INDEX               5
+#define PS_GET_PROCESS_ID_INDEX                      6
+#define PS_LOOKUP_PROCESS_BY_PROCESS_ID_INDEX        7
+
+#define EX_ENUM_HANDLE_TABLE_INDEX           8
+#define OB_GET_OBJECT_TYPE_INDEX             9
+#define EXF_UNBLOCK_PUSH_LOCK_INDEX          10
+#define PS_GET_PROCESS_IMAGE_FILE_NAME_INDEX 11
+
+#define STRSTR_INDEX                        12
+#define RTL_INIT_UNICODE_STRING_INDEX       13
+#define RTL_QUERY_REGISTRY_VALUES_INDEX     14
+#define MM_GET_SYSTEM_ROUTINE_ADDRESS_INDEX 15
+
+#define RTL_UNICODE_STRING_TO_ANSI_STRING_INDEX 16
+#define RTL_COPY_UNICODE_STRING_INDEX           17
+#define RTL_FREE_ANSI_STRING_INDEX              18
+#define KE_INITIALIZE_GUARDED_MUTEX_INDEX       19
+
+#define IO_CREATE_DEVICE_INDEX        20
+#define IO_CREATE_SYMBOLIC_LINK_INDEX 21
+#define IO_DELETE_DEVICE_INDEX        22
+#define IO_DELETE_SYMBOLIC_LINK_INDEX 23
+
+#define OB_REGISTER_CALLBACKS_INDEX                24
+#define OB_UNREGISTER_CALLBACKS_INDEX              25
+#define PS_SET_CREATE_THREAD_NOTIFY_ROUTINE_INDEX  26
+#define KE_REVERT_TO_USER_AFFINITY_THREAD_EX_INDEX 27
+
+#define KE_SET_SYSTEM_AFFINITY_THREAD_EX_INDEX  28
+#define STRNLEN_INDEX                           29
+#define RTL_INIT_ANSI_STRING_INDEX              30
+#define RTL_ANSI_STRING_TO_UNICODE_STRING_INDEX 31
+
+#define IO_GET_CURRENT_PROCESS_INDEX       32
+#define RTL_GET_VERSION_INDEX              33
+#define RTL_COMPARE_MEMORY_INDEX           34
+#define EX_GET_SYSTEM_FIRMWARE_TABLE_INDEX 35
+
+#define IO_ALLOCATE_WORK_ITEM_INDEX 36
+#define IO_FREE_WORK_ITEM_INDEX     37
+#define IO_QUEUE_WORK_ITEM_INDEX    38
+#define ZW_OPEN_FILE_INDEX          39
+
+#define ZW_CLOSE_INDEX                 40
+#define ZW_CREATE_SECTION_INDEX        41
+#define ZW_MAP_VIEW_OF_SECTION_INDEX   42
+#define ZW_UNMAP_VIEW_OF_SECTION_INDEX 43
+
+#define MM_COPY_MEMORY_INDEX            44
+#define ZW_DEVICE_IO_CONTROL_FILE_INDEX 45
+#define KE_STACK_ATTACH_PROCESS_INDEX   46
+#define KE_UNSTACK_DETACH_PROCESS_INDEX 47
+
+#define KE_WAIT_FOR_SINGLE_OBJECT_INDEX     48
+#define PS_CREATE_SYSTEM_THREAD_INDEX       49
+#define IOF_COMPLETE_REQUEST_INDEX          50
+#define OB_REFERENCE_OBJECT_BY_HANDLE_INDEX 51
+
+#define KE_DELAY_EXECUTION_THREAD_INDEX       52
+#define KE_REGISTER_NMI_CALLBACK_INDEX        53
+#define KE_DEREGISTER_NMI_CALLBACK_INDEX      54
+#define KE_QUERY_ACTIVE_PROCESSOR_COUNT_INDEX 55
+
+#define EX_ACQUIRE_PUSH_LOCK_EXCLUSIVE_EX_INDEX 56
+#define EX_RELEASE_PUSH_LOCK_EXCLUSIVE_EX_INDEX 57
+#define PS_GET_THREAD_ID_INDEX                  58
+#define RTL_CAPTURE_STACK_BACK_TRACE_INDEX      59
+
+#define ZW_OPEN_DIRECTORY_OBJECT_INDEX     60
+#define KE_INITIALIZE_AFFINITY_EX_INDEX    61
+#define KE_ADD_PROCESSOR_AFFINITY_EX_INDEX 62
+#define RTL_QUERY_MODULE_INFORMATION_INDEX 63
+
+#define KE_INITIALIZE_APC_INDEX       64
+#define KE_INSERT_QUEUE_APC_INDEX     65
+#define KE_GENERIC_CALL_DPC_INDEX     66
+#define KE_SIGNAL_CALL_DPC_DONE_INDEX 67
+
+#define MM_GET_PHYSICAL_MEMORY_RANGES_EX2_INDEX 68
+#define MM_GET_VIRTUAL_FOR_PHYSICAL_INDEX       69
+#define OBF_REFERENCE_OBJECT_INDEX              70
+#define EX_FREE_POOL_WITH_TAG_INDEX             71
+
+#define EX_ALLOCATE_POOL2_INDEX        72
+#define KE_RELEASE_GUARDED_MUTEX_INDEX 73
+#define KE_ACQUIRE_GUARDED_MUTEX_INDEX 74
+#define DBG_PRINT_EX_INDEX             75
+
+#define RTL_COMPARE_UNICODE_STRING_INDEX     76
+#define RTL_FREE_UNICODE_STRING_INDEX        77
+#define PS_GET_PROCESS_IMAGE_FILE_NAME_INDEX 78
+
 typedef struct _DRIVER_IMPORTS
 {
-        pObDereferenceObject               DrvImpObDereferenceObject;
+        pObDereferenceObject             DrvImpObDereferenceObject;
-        pIoGetCurrentIrpStackLocation      DrvImpIoGetCurrentIrpStackLocation;
+        pPsLookupThreadByThreadId        DrvImpPsLookupThreadByThreadId;
-        pPsLookupThreadByThreadId          DrvImpPsLookupThreadByThreadId;
+        pMmIsAddressValid                DrvImpMmIsAddressValid;
-        pMmIsAddressValid                  DrvImpMmIsAddressValid;
+        pPsSetCreateProcessNotifyRoutine DrvImpPsSetCreateProcessNotifyRoutine;
-        pPsSetCreateProcessNotifyRoutine   DrvImpPsSetCreateProcessNotifyRoutine;
+
         pPsRemoveCreateThreadNotifyRoutine DrvImpPsRemoveCreateThreadNotifyRoutine;
         pPsGetCurrentThreadId              DrvImpPsGetCurrentThreadId;
         pPsGetProcessId                    DrvImpPsGetProcessId;
         pPsLookupProcessByProcessId        DrvImpPsLookupProcessByProcessId;
-        pExEnumHandleTable                 DrvImpExEnumHandleTable;
+
-        pObGetObjectType                   DrvImpObGetObjectType;
+        pExEnumHandleTable         DrvImpExEnumHandleTable;
-        pExfUnblockPushLock                DrvImpExfUnblockPushLock;
+        pObGetObjectType           DrvImpObGetObjectType;
-        pPsGetProcessImageFileName         DrvImpPsGetProcessImage;
+        pExfUnblockPushLock        DrvImpExfUnblockPushLock;
-        pstrstr                            DrvImpstrstr;
+        pPsGetProcessImageFileName DrvImpPsGetProcessImage;
-        pRtlInitUnicodeString              DrvImpRtlInitUnicodeString;
+
-        pRtlQueryRegistryValues            DrvImpRtlQueryRegistryValues;
+        pstrstr                    DrvImpstrstr;
-        pMmGetSystemRoutineAddress         DrvImpMmGetSystemRoutineAddress;
+        pRtlInitUnicodeString      DrvImpRtlInitUnicodeString;
-        pRtlUnicodeStringToAnsiString      DrvImpRtlUnicodeStringToAnsiString;
+        pRtlQueryRegistryValues    DrvImpRtlQueryRegistryValues;
-        pRtlCopyUnicodeString              DrvImpRtlCopyUnicodeString;
+        pMmGetSystemRoutineAddress DrvImpMmGetSystemRoutineAddress;
-        pRtlFreeAnsiString                 DrvImpRtlFreeAnsiString;
+
-        pKeInitializeGuardedMutex          DrvImpKeInitializeGuardedMutex;
+        pRtlUnicodeStringToAnsiString DrvImpRtlUnicodeStringToAnsiString;
-        pIoCreateDevice                    DrvImpIoCreateDevice;
+        pRtlCopyUnicodeString         DrvImpRtlCopyUnicodeString;
-        pIoCreateSymbolicLink              DrvImpIoCreateSymbolicLink;
+        pRtlFreeAnsiString            DrvImpRtlFreeAnsiString;
-        pIoDeleteDevice                    DrvImpIoDeleteDevice;
+        pKeInitializeGuardedMutex     DrvImpKeInitializeGuardedMutex;
-        pIoDeleteSymbolicLink              DrvImpIoDeleteSymbolicLink;
+
-        pObRegisterCallbacks               DrvImpObRegisterCallbacks;
+        pIoCreateDevice       DrvImpIoCreateDevice;
-        pObUnRegisterCallbacks             DrvImpObUnRegisterCallbacks;
+        pIoCreateSymbolicLink DrvImpIoCreateSymbolicLink;
-        pPsSetCreateThreadNotifyRoutine    DrvImpPsSetCreateThreadNotifyRoutine;
+        pIoDeleteDevice       DrvImpIoDeleteDevice;
-        pKeRevertToUserAffinityThreadEx    DrvImpKeRevertToUserAffinityThreadEx;
+        pIoDeleteSymbolicLink DrvImpIoDeleteSymbolicLink;
-        pKeSetSystemAffinityThreadEx       DrvImpKeSetSystemAffinityThreadEx;
+
-        pstrnlen                           DrvImpstrnlen;
+        pObRegisterCallbacks            DrvImpObRegisterCallbacks;
-        pRtlInitAnsiString                 DrvImpRtlInitAnsiString;
+        pObUnRegisterCallbacks          DrvImpObUnRegisterCallbacks;
-        pRtlAnsiStringToUnicodeString      DrvImpRtlAnsiStringToUnicodeString;
+        pPsSetCreateThreadNotifyRoutine DrvImpPsSetCreateThreadNotifyRoutine;
-        pIoGetCurrentProcess               DrvImpIoGetCurrentProcess;
+        pKeRevertToUserAffinityThreadEx DrvImpKeRevertToUserAffinityThreadEx;
-        pRtlGetVersion                     DrvImpRtlGetVersion;
+
-        pRtlCompareMemory                  DrvImpRtlCompareMemory;
+        pKeSetSystemAffinityThreadEx  DrvImpKeSetSystemAffinityThreadEx;
-        pExGetSystemFirmwareTable          DrvImpExGetSystemFirmwareTable;
+        pstrnlen                      DrvImpstrnlen;
-        pIoAllocateWorkItem                DrvImpIoAllocateWorkItem;
+        pRtlInitAnsiString            DrvImpRtlInitAnsiString;
-        pIoFreeWorkItem                    DrvImpIoFreeWorkItem;
+        pRtlAnsiStringToUnicodeString DrvImpRtlAnsiStringToUnicodeString;
-        pIoQueueWorkItem                   DrvImpIoQueueWorkItem;
+
-        pZwOpenFile                        DrvImpZwOpenFile;
+        pIoGetCurrentProcess      DrvImpIoGetCurrentProcess;
-        pZwClose                           DrvImpZwClose;
+        pRtlGetVersion            DrvImpRtlGetVersion;
-        pZwCreateSection                   DrvImpZwCreateSection;
+        pRtlCompareMemory         DrvImpRtlCompareMemory;
-        pZwMapViewOfSection                DrvImpZwMapViewOfSection;
+        pExGetSystemFirmwareTable DrvImpExGetSystemFirmwareTable;
-        pZwUnmapViewOfSection              DrvImpZwUnmapViewOfSection;
+
-        pMmCopyMemory                      DrvImpMmCopyMemory;
+        pIoAllocateWorkItem DrvImpIoAllocateWorkItem;
-        pZwDeviceIoControlFile             DrvImpZwDeviceIoControlFile;
+        pIoFreeWorkItem     DrvImpIoFreeWorkItem;
-        pKeStackAttachProcess              DrvImpKeStackAttachProcess;
+        pIoQueueWorkItem    DrvImpIoQueueWorkItem;
-        pKeUnstackDetachProcess            DrvImpKeUnstackDetachProcess;
+        pZwOpenFile         DrvImpZwOpenFile;
-        pKeWaitForSingleObject             DrvImpKeWaitForSingleObject;
+
-        pPsCreateSystemThread              DrvImpPsCreateSystemThread;
+        pZwClose              DrvImpZwClose;
-        pIofCompleteRequest                DrvImpIofCompleteRequest;
+        pZwCreateSection      DrvImpZwCreateSection;
-        pObReferenceObjectByHandle         DrvImpObReferenceObjectByHandle;
+        pZwMapViewOfSection   DrvImpZwMapViewOfSection;
-        pKeDelayExecutionThread            DrvImpKeDelayExecutionThread;
+        pZwUnmapViewOfSection DrvImpZwUnmapViewOfSection;
-        pKeRegisterNmiCallback             DrvImpKeRegisterNmiCallback;
+
-        pKeDeregisterNmiCallback           DrvImpKeDeregisterNmiCallback;
+        pMmCopyMemory           DrvImpMmCopyMemory;
-        pKeQueryActiveProcessorCount       DrvImpKeQueryActiveProcessorCount;
+        pZwDeviceIoControlFile  DrvImpZwDeviceIoControlFile;
-        pExAcquirePushLockExclusiveEx      DrvImpExAcquirePushLockExclusiveEx;
+        pKeStackAttachProcess   DrvImpKeStackAttachProcess;
-        pExReleasePushLockExclusiveEx      DrvImpExReleasePushLockExclusiveEx;
+        pKeUnstackDetachProcess DrvImpKeUnstackDetachProcess;
-        pPsGetThreadId                     DrvImpPsGetThreadId;
+
-        pRtlCaptureStackBackTrace          DrvImpRtlCaptureStackBackTrace;
+        pKeWaitForSingleObject     DrvImpKeWaitForSingleObject;
-        pZwOpenDirectoryObject             DrvImpZwOpenDirectoryObject;
+        pPsCreateSystemThread      DrvImpPsCreateSystemThread;
-        pKeInitializeAffinityEx            DrvImpKeInitializeAffinityEx;
+        pIofCompleteRequest        DrvImpIofCompleteRequest;
-        pKeAddProcessorAffinityEx          DrvImpKeAddProcessorAffinityEx;
+        pObReferenceObjectByHandle DrvImpObReferenceObjectByHandle;
-        pRtlQueryModuleInformation         DrvImpRtlQueryModuleInformation;
+
-        pKeInitializeApc                   DrvImpKeInitializeApc;
+        pKeDelayExecutionThread      DrvImpKeDelayExecutionThread;
-        pKeInsertQueueApc                  DrvImpKeInsertQueueApc;
+        pKeRegisterNmiCallback       DrvImpKeRegisterNmiCallback;
-        pKeGenericCallDpc                  DrvImpKeGenericCallDpc;
+        pKeDeregisterNmiCallback     DrvImpKeDeregisterNmiCallback;
-        pKeSignalCallDpcDone               DrvImpKeSignalCallDpcDone;
+        pKeQueryActiveProcessorCount DrvImpKeQueryActiveProcessorCount;
-        pMmGetPhysicalMemoryRangesEx2      DrvImpMmGetPhysicalMemoryRangesEx2;
+
-        pMmGetVirtualForPhysical           DrvImpMmGetVirtualForPhysical;
+        pExAcquirePushLockExclusiveEx DrvImpExAcquirePushLockExclusiveEx;
-        pObfReferenceObject                DrvImpObfReferenceObject;
+        pExReleasePushLockExclusiveEx DrvImpExReleasePushLockExclusiveEx;
-        pExFreePoolWithTag                 DrvImpExFreePoolWithTag;
+        pPsGetThreadId                DrvImpPsGetThreadId;
-        pExAllocatePool2                   DrvImpExAllocatePool2;
+        pRtlCaptureStackBackTrace     DrvImpRtlCaptureStackBackTrace;
-        pKeReleaseGuardedMutex             DrvImpKeReleaseGuardedMutex;
+
-        pKeAcquireGuardedMutex             DrvImpKeAcquireGuardedMutex;
+        pZwOpenDirectoryObject     DrvImpZwOpenDirectoryObject;
-        pDbgPrintEx                        DrvImpDbgPrintEx;
+        pKeInitializeAffinityEx    DrvImpKeInitializeAffinityEx;
-        pRtlCompareUnicodeString           DrvImpRtlCompareUnicodeString;
+        pKeAddProcessorAffinityEx  DrvImpKeAddProcessorAffinityEx;
-        pRtlFreeUnicodeString              DrvImpRtlFreeUnicodeString;
+        pRtlQueryModuleInformation DrvImpRtlQueryModuleInformation;
-        pPsGetProcessImageFileName         DrvImpPsGetProcessImageFileName;
+
+        pKeInitializeApc     DrvImpKeInitializeApc;
+        pKeInsertQueueApc    DrvImpKeInsertQueueApc;
+        pKeGenericCallDpc    DrvImpKeGenericCallDpc;
+        pKeSignalCallDpcDone DrvImpKeSignalCallDpcDone;
+
+        pMmGetPhysicalMemoryRangesEx2 DrvImpMmGetPhysicalMemoryRangesEx2;
+        pMmGetVirtualForPhysical      DrvImpMmGetVirtualForPhysical;
+        pObfReferenceObject           DrvImpObfReferenceObject;
+        pExFreePoolWithTag            DrvImpExFreePoolWithTag;
+
+        pExAllocatePool2       DrvImpExAllocatePool2;
+        pKeReleaseGuardedMutex DrvImpKeReleaseGuardedMutex;
+        pKeAcquireGuardedMutex DrvImpKeAcquireGuardedMutex;
+        pDbgPrintEx            DrvImpDbgPrintEx;
+
+        pRtlCompareUnicodeString   DrvImpRtlCompareUnicodeString;
+        pRtlFreeUnicodeString      DrvImpRtlFreeUnicodeString;
+        pPsGetProcessImageFileName DrvImpPsGetProcessImageFileName;
+        UINT64                     dummy;
+
 } DRIVER_IMPORTS, *PDRIVER_IMPORTS;
 
-extern DRIVER_IMPORTS driver_imports;
+#define IMPORTS_LENGTH sizeof(DRIVER_IMPORTS) / sizeof(UINT64)
 
-#define DRVIMPORTS driver_imports
+VOID
+ImpObDereferenceObject(_In_ PVOID Object);
 
-#define ImpIoGetCurrentIrpStackLocation      DRVIMPORTS.DrvImpIoGetCurrentIrpStackLocation
+NTSTATUS
-#define ImpObDereferenceObject               DRVIMPORTS.DrvImpObDereferenceObject
+ImpPsLookupThreadByThreadId(HANDLE ThreadId, PETHREAD* Thread);
-#define ImpPsLookupThreadByThreadId          DRVIMPORTS.DrvImpPsLookupThreadByThreadId
+
-#define ImpMmIsAddressValid                  DRVIMPORTS.DrvImpMmIsAddressValid
+BOOLEAN
-#define ImpPsSetCreateProcessNotifyRoutine   DRVIMPORTS.DrvImpPsSetCreateProcessNotifyRoutine
+ImpMmIsAddressValid(_In_ PVOID VirtualAddress);
-#define ImpPsRemoveCreateThreadNotifyRoutine DRVIMPORTS.DrvImpPsRemoveCreateThreadNotifyRoutine
+
-#define ImpPsGetCurrentThreadId              DRVIMPORTS.DrvImpPsGetCurrentThreadId
+NTSTATUS
-#define ImpPsGetProcessId                    DRVIMPORTS.DrvImpPsGetProcessId
+ImpPsSetCreateProcessNotifyRoutine(PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, BOOLEAN Remove);
-#define ImpPsLookupProcessByProcessId        DRVIMPORTS.DrvImpPsLookupProcessByProcessId
+
-#define ImpExEnumHandleTable                 DRVIMPORTS.DrvImpExEnumHandleTable
+NTSTATUS
-#define ImpObGetObjectType                   DRVIMPORTS.DrvImpObGetObjectType
+ImpPsRemoveCreateThreadNotifyRoutine(PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
-#define ImpExfUnblockPushLock                DRVIMPORTS.DrvImpExfUnblockPushLock
+
-#define ImpPsGetProcessImageFileName         DRVIMPORTS.DrvImpPsGetProcessImageFileName
+HANDLE
-#define Impstrstr                            DRVIMPORTS.DrvImpstrstr
+ImpPsGetCurrentThreadId();
-#define ImpRtlInitUnicodeString              DRVIMPORTS.DrvImpRtlInitUnicodeString
+
-#define ImpRtlQueryRegistryValues            DRVIMPORTS.DrvImpRtlQueryRegistryValues
+HANDLE
-#define ImpMmGetSystemRoutineAddress         DRVIMPORTS.DrvImpMmGetSystemRoutineAddress
+ImpPsGetProcessId(PEPROCESS Process);
-#define ImpRtlUnicodeStringToAnsiString      DRVIMPORTS.DrvImpRtlUnicodeStringToAnsiString
+
-#define ImpRtlCopyUnicodeString              DRVIMPORTS.DrvImpRtlCopyUnicodeString
+NTSTATUS
-#define ImpRtlFreeAnsiString                 DRVIMPORTS.DrvImpRtlFreeAnsiString
+ImpPsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS* Process);
-#define ImpKeInitializeGuardedMutex          DRVIMPORTS.DrvImpKeInitializeGuardedMutex
+
-#define ImpIoCreateDevice                    DRVIMPORTS.DrvImpIoCreateDevice
+PVOID
-#define ImpIoCreateSymbolicLink              DRVIMPORTS.DrvImpIoCreateSymbolicLink
+ImpExEnumHandleTable(_In_ PHANDLE_TABLE HandleTable,
-#define ImpIoDeleteDevice                    DRVIMPORTS.DrvImpIoDeleteDevice
+                     _In_ PVOID         Callback,
-#define ImpIoDeleteSymbolicLink              DRVIMPORTS.DrvImpIoDeleteSymbolicLink
+                     _In_opt_ PVOID     Context,
-#define ImpObRegisterCallbacks               DRVIMPORTS.DrvImpObRegisterCallbacks
+                     _Out_opt_ PHANDLE  Handle);
-#define ImpObUnRegisterCallbacks             DRVIMPORTS.DrvImpObUnRegisterCallbacks
+
-#define ImpPsSetCreateThreadNotifyRoutine    DRVIMPORTS.DrvImpPsSetCreateThreadNotifyRoutine
+POBJECT_TYPE
-#define ImpPsProcessType                     DRVIMPORTS.DrvImpPsProcessType
+ImpObGetObjectType(_In_ PVOID Object);
-#define ImpKeRevertToUserAffinityThreadEx    DRVIMPORTS.DrvImpKeRevertToUserAffinityThreadEx
+
-#define ImpKeSetSystemAffinityThreadEx       DRVIMPORTS.DrvImpKeSetSystemAffinityThreadEx
+VOID
-#define Impstrnlen                           DRVIMPORTS.DrvImpstrnlen
+ImpExfUnblockPushLock(_In_ PEX_PUSH_LOCK PushLock, _In_ PVOID WaitBlock);
-#define ImpRtlInitAnsiString                 DRVIMPORTS.DrvImpRtlInitAnsiString
+
-#define ImpRtlAnsiStringToUnicodeString      DRVIMPORTS.DrvImpRtlAnsiStringToUnicodeString
+LPCSTR
-#define ImpIoGetCurrentProcess               DRVIMPORTS.DrvImpIoGetCurrentProcess
+ImpPsGetProcessImageFileName(PEPROCESS Process);
-#define ImpRtlGetVersion                     DRVIMPORTS.DrvImpRtlGetVersion
+
-#define ImpRtlCompareMemory                  DRVIMPORTS.DrvImpRtlCompareMemory
+INT
-#define ImpExGetSystemFirmwareTable          DRVIMPORTS.DrvImpExGetSystemFirmwareTable
+ImpStrStr(_In_ CHAR* haystack, _In_ CHAR* needle);
-#define ImpIoAllocateWorkItem                DRVIMPORTS.DrvImpIoAllocateWorkItem
+
-#define ImpIoFreeWorkItem                    DRVIMPORTS.DrvImpIoFreeWorkItem
+void
-#define ImpIoQueueWorkItem                   DRVIMPORTS.DrvImpIoQueueWorkItem
+ImpRtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
-#define ImpZwOpenFile                        DRVIMPORTS.DrvImpZwOpenFile
+
-#define ImpZwClose                           DRVIMPORTS.DrvImpZwClose
+NTSTATUS
-#define ImpZwCreateSection                   DRVIMPORTS.DrvImpZwCreateSection
+ImpRtlQueryRegistryValues(ULONG                     RelativeTo,
-#define ImpZwMapViewOfSection                DRVIMPORTS.DrvImpZwMapViewOfSection
+                          PCWSTR                    Path,
-#define ImpZwUnmapViewOfSection              DRVIMPORTS.DrvImpZwUnmapViewOfSection
+                          PRTL_QUERY_REGISTRY_TABLE QueryTable,
-#define ImpMmCopyMemory                      DRVIMPORTS.DrvImpMmCopyMemory
+                          void*                     Context,
-#define ImpZwDeviceIoControlFile             DRVIMPORTS.DrvImpZwDeviceIoControlFile
+                          void*                     Environment);
-#define ImpKeStackAttachProcess              DRVIMPORTS.DrvImpKeStackAttachProcess
+
-#define ImpKeUnstackDetachProcess            DRVIMPORTS.DrvImpKeUnstackDetachProcess
+void*
-#define ImpKeWaitForSingleObject             DRVIMPORTS.DrvImpKeWaitForSingleObject
+ImpMmGetSystemRoutineAddress(PUNICODE_STRING SystemRoutineName);
-#define ImpPsCreateSystemThread              DRVIMPORTS.DrvImpPsCreateSystemThread
+
-#define ImpIofCompleteRequest                DRVIMPORTS.DrvImpIofCompleteRequest
+NTSTATUS
-#define ImpObReferenceObjectByHandle         DRVIMPORTS.DrvImpObReferenceObjectByHandle
+ImpRtlUnicodeStringToAnsiString(PANSI_STRING     DestinationString,
-#define ImpPsThreadType                      DRVIMPORTS.DrvImpPsThreadType
+                                PCUNICODE_STRING SourceString,
-#define ImpKeDelayExecutionThread            DRVIMPORTS.DrvImpKeDelayExecutionThread
+                                BOOLEAN          AllocateDestinationString);
-#define ImpKeRegisterNmiCallback             DRVIMPORTS.DrvImpKeRegisterNmiCallback
+
-#define ImpKeDeregisterNmiCallback           DRVIMPORTS.DrvImpKeDeregisterNmiCallback
+void
-#define ImpKeQueryActiveProcessorCount       DRVIMPORTS.DrvImpKeQueryActiveProcessorCount
+ImpRtlCopyUnicodeString(PUNICODE_STRING DestinationString, PCUNICODE_STRING SourceString);
-#define ImpExAcquirePushLockExclusiveEx      DRVIMPORTS.DrvImpExAcquirePushLockExclusiveEx
+
-#define ImpExReleasePushLockExclusiveEx      DRVIMPORTS.DrvImpExReleasePushLockExclusiveEx
+void
-#define ImpPsGetThreadId                     DRVIMPORTS.DrvImpPsGetThreadId
+ImpRtlFreeAnsiString(PANSI_STRING AnsiString);
-#define ImpRtlCaptureStackBackTrace          DRVIMPORTS.DrvImpRtlCaptureStackBackTrace
+
-#define ImpZwOpenDirectoryObject             DRVIMPORTS.DrvImpZwOpenDirectoryObject
+void
-#define ImpKeInitializeAffinityEx            DRVIMPORTS.DrvImpKeInitializeAffinityEx
+ImpKeInitializeGuardedMutex(PKGUARDED_MUTEX GuardedMutex);
-#define ImpKeAddProcessorAffinityEx          DRVIMPORTS.DrvImpKeAddProcessorAffinityEx
+
-#define ImpRtlQueryModuleInformation         DRVIMPORTS.DrvImpRtlQueryModuleInformation
+NTSTATUS
-#define ImpKeInitializeApc                   DRVIMPORTS.DrvImpKeInitializeApc
+ImpIoCreateDevice(PDRIVER_OBJECT  DriverObject,
-#define ImpKeInsertQueueApc                  DRVIMPORTS.DrvImpKeInsertQueueApc
+                  ULONG           DeviceExtensionSize,
-#define ImpKeGenericCallDpc                  DRVIMPORTS.DrvImpKeGenericCallDpc
+                  PUNICODE_STRING DeviceName,
-#define ImpKeSignalCallDpcDone               DRVIMPORTS.DrvImpKeSignalCallDpcDone
+                  DEVICE_TYPE     DeviceType,
-#define ImpMmGetPhysicalMemoryRangesEx2      DRVIMPORTS.DrvImpMmGetPhysicalMemoryRangesEx2
+                  ULONG           DeviceCharacteristics,
-#define ImpMmGetVirtualForPhysical           DRVIMPORTS.DrvImpMmGetVirtualForPhysical
+                  BOOLEAN         Exclusive,
-#define ImpObfReferenceObject                DRVIMPORTS.DrvImpObfReferenceObject
+                  PDEVICE_OBJECT* DeviceObject);
-#define ImpExFreePoolWithTag                 DRVIMPORTS.DrvImpExFreePoolWithTag
+
-#define ImpExAllocatePool2                   DRVIMPORTS.DrvImpExAllocatePool2
+NTSTATUS
-#define ImpKeReleaseGuardedMutex             DRVIMPORTS.DrvImpKeReleaseGuardedMutex
+ImpIoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName, PUNICODE_STRING DeviceName);
-#define ImpKeAcquireGuardedMutex             DRVIMPORTS.DrvImpKeAcquireGuardedMutex
+
-#define ImpDbgPrintEx                        DRVIMPORTS.DrvImpDbgPrintEx
+void
-#define ImpRtlCompareUnicodeString           DRVIMPORTS.DrvImpRtlCompareUnicodeString
+ImpIoDeleteDevice(PDEVICE_OBJECT DeviceObject);
-#define ImpRtlFreeUnicodeString              DRVIMPORTS.DrvImpRtlFreeUnicodeString
+
-#define ImpPsGetProcessImageFileName         DRVIMPORTS.DrvImpPsGetProcessImageFileName
+void
+ImpIoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName);
+
+NTSTATUS
+ImpObRegisterCallbacks(_In_ POB_CALLBACK_REGISTRATION CallbackRegistration,
+                       _Out_ PVOID*                   RegistrationHandle);
+
+VOID
+ImpObUnRegisterCallbacks(_In_ PVOID RegistrationHandle);
+
+NTSTATUS
+ImpPsSetCreateThreadNotifyRoutine(PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
+
+void
+ImpKeRevertToUserAffinityThreadEx(KAFFINITY Affinity);
+
+KAFFINITY
+ImpKeSetSystemAffinityThreadEx(KAFFINITY Affinity);
+
+SIZE_T
+ImpStrnlen(_In_ CHAR* str, _In_ SIZE_T maxCount);
+
+void
+ImpRtlInitAnsiString(PANSI_STRING DestinationString, PCSZ SourceString);
+
+NTSTATUS
+ImpRtlAnsiStringToUnicodeString(PUNICODE_STRING DestinationString,
+                                PCANSI_STRING   SourceString,
+                                BOOLEAN         AllocateDestinationString);
+
+PEPROCESS
+ImpIoGetCurrentProcess(void);
+
+NTSTATUS
+ImpRtlGetVersion(PRTL_OSVERSIONINFOW lpVersionInformation);
+
+SIZE_T
+ImpRtlCompareMemory(_In_ PVOID Source1, _In_ PVOID Source2, _In_ SIZE_T Length);
+
+NTSTATUS
+ImpExGetSystemFirmwareTable(_In_ ULONG   FirmwareTableProviderSignature,
+                            _In_ ULONG   FirmwareTableID,
+                            _In_ PVOID   pFirmwareTableBuffer,
+                            _In_ ULONG   BufferLength,
+                            _Out_ PULONG ReturnLength);
+
+PIO_WORKITEM
+ImpIoAllocateWorkItem(PDEVICE_OBJECT DeviceObject);
+
+void
+ImpIoFreeWorkItem(PIO_WORKITEM WorkItem);
+
+VOID
+ImpIoQueueWorkItem(_In_ PIO_WORKITEM         IoWorkItem,
+                   _In_ PIO_WORKITEM_ROUTINE WorkerRoutine,
+                   _In_ WORK_QUEUE_TYPE      QueueType,
+                   _In_opt_ PVOID            Context);
+
+NTSTATUS
+ImpZwOpenFile(PHANDLE            FileHandle,
+              ACCESS_MASK        DesiredAccess,
+              POBJECT_ATTRIBUTES ObjectAttributes,
+              PIO_STATUS_BLOCK   IoStatusBlock,
+              ULONG              ShareAccess,
+              ULONG              OpenOptions);
+
+NTSTATUS
+ImpZwClose(HANDLE Handle);
+
+NTSTATUS
+ImpZwCreateSection(PHANDLE            SectionHandle,
+                   ACCESS_MASK        DesiredAccess,
+                   POBJECT_ATTRIBUTES ObjectAttributes,
+                   PLARGE_INTEGER     MaximumSize,
+                   ULONG              SectionPageProtection,
+                   ULONG              AllocationAttributes,
+                   HANDLE             FileHandle);
+
+NTSTATUS
+ImpZwMapViewOfSection(_In_ HANDLE                SectionHandle,
+                      _In_ HANDLE                ProcessHandle,
+                      _Inout_ PVOID*             BaseAddress,
+                      _In_ ULONG_PTR             ZeroBits,
+                      _In_ SIZE_T                CommitSize,
+                      _Inout_opt_ PLARGE_INTEGER SectionOffset,
+                      _Inout_ PSIZE_T            ViewSize,
+                      _In_ SECTION_INHERIT       InheritDisposition,
+                      _In_ ULONG                 AllocationType,
+                      _In_ ULONG                 Win32Protect);
+
+NTSTATUS
+ImpZwUnmapViewOfSection(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress);
+
+NTSTATUS
+ImpMmCopyMemory(PVOID           TargetAddress,
+                MM_COPY_ADDRESS SourceAddress,
+                SIZE_T          NumberOfBytes,
+                ULONG           Flags,
+                PSIZE_T         NumberOfBytesTransferred);
+
+NTSTATUS
+ImpZwDeviceIoControlFile(_In_ HANDLE              FileHandle,
+                         _In_opt_ HANDLE          Event,
+                         _In_opt_ PIO_APC_ROUTINE ApcRoutine,
+                         _In_opt_ PVOID           ApcContext,
+                         _Out_ PIO_STATUS_BLOCK   IoStatusBlock,
+                         _In_ ULONG               IoControlCode,
+                         _In_opt_ PVOID           InputBuffer,
+                         _In_ ULONG               InputBufferLength,
+                         _Out_opt_ PVOID          OutputBuffer,
+                         _In_ ULONG               OutputBufferLength);
+
+void
+ImpKeStackAttachProcess(PRKPROCESS Process, PKAPC_STATE ApcState);
+
+void
+ImpKeUnstackDetachProcess(PKAPC_STATE ApcState);
+
+NTSTATUS
+ImpKeWaitForSingleObject(_In_ PVOID           Object,
+                         _In_ KWAIT_REASON    WaitReason,
+                         _In_ KPROCESSOR_MODE WaitMode,
+                         _In_ BOOLEAN         Alertable,
+                         _In_ PLARGE_INTEGER  Timeout);
+
+NTSTATUS
+ImpPsCreateSystemThread(_Out_ PHANDLE               ThreadHandle,
+                        _In_ ULONG                  DesiredAccess,
+                        _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+                        _In_opt_ HANDLE             ProcessHandle,
+                        _Out_opt_ PCLIENT_ID        ClientId,
+                        _In_ PKSTART_ROUTINE        StartRoutine,
+                        _In_opt_ PVOID              StartContext);
+
+void
+ImpIofCompleteRequest(PIRP Irp, CCHAR PriorityBoost);
+
+NTSTATUS
+ImpObReferenceObjectByHandle(_In_ HANDLE                          Handle,
+                             _In_ ACCESS_MASK                     DesiredAccess,
+                             _In_opt_ POBJECT_TYPE                ObjectType,
+                             _In_ KPROCESSOR_MODE                 AccessMode,
+                             _Out_ PVOID*                         Object,
+                             _Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation);
+
+NTSTATUS
+ImpKeDelayExecutionThread(KPROCESSOR_MODE WaitMode, BOOLEAN Alertable, PLARGE_INTEGER Interval);
+
+PVOID
+ImpKeRegisterNmiCallback(_In_ PVOID CallbackRoutine, _In_opt_ PVOID Context);
+
+NTSTATUS
+ImpKeDeregisterNmiCallback(_In_ PVOID Handle);
+
+ULONG
+ImpKeQueryActiveProcessorCount(PKAFFINITY ActiveProcessors);
+
+void
+ImpExAcquirePushLockExclusiveEx(PEX_PUSH_LOCK PushLock, ULONG Flags);
+
+void
+ImpExReleasePushLockExclusiveEx(PEX_PUSH_LOCK PushLock, ULONG Flags);
+
+HANDLE
+ImpPsGetThreadId(PETHREAD Thread);
+
+USHORT
+ImpRtlCaptureStackBackTrace(_In_ ULONG       FramesToSkip,
+                            _In_ ULONG       FramesToCapture,
+                            _Out_ PVOID*     BackTrace,
+                            _Out_opt_ PULONG BackTraceHash);
+
+NTSTATUS
+ImpZwOpenDirectoryObject(PHANDLE            DirectoryHandle,
+                         ACCESS_MASK        DesiredAccess,
+                         POBJECT_ATTRIBUTES ObjectAttributes);
+
+void
+ImpKeInitializeAffinityEx(PKAFFINITY_EX AffinityMask);
+
+VOID
+ImpKeAddProcessorAffinityEx(_In_ PKAFFINITY_EX affinity, _In_ INT num);
+
+NTSTATUS
+ImpRtlQueryModuleInformation(_Inout_ ULONG* InformationLength,
+                             _In_ ULONG     SizePerModule,
+                             _In_ PVOID     InformationBuffer);
+
+VOID
+ImpKeInitializeApc(_In_ PKAPC             Apc,
+                   _In_ PKTHREAD          Thread,
+                   _In_ KAPC_ENVIRONMENT  Environment,
+                   _In_ PKKERNEL_ROUTINE  KernelRoutine,
+                   _In_ PKRUNDOWN_ROUTINE RundownRoutine,
+                   _In_ PKNORMAL_ROUTINE  NormalRoutine,
+                   _In_ KPROCESSOR_MODE   ApcMode,
+                   _In_ PVOID             NormalContext);
+
+BOOLEAN
+ImpKeInsertQueueApc(_In_ PKAPC     Apc,
+                    _In_ PVOID     SystemArgument1,
+                    _In_ PVOID     SystemArgument2,
+                    _In_ KPRIORITY Increment);
+
+VOID
+ImpKeGenericCallDpc(_In_ PKDEFERRED_ROUTINE DpcRoutine, _In_ PVOID Context);
+
+VOID
+ImpKeSignalCallDpcDone(_In_ PVOID SystemArgument1);
+
+PPHYSICAL_MEMORY_RANGE
+ImpMmGetPhysicalMemoryRangesEx2(_In_ PVOID PartitionObject, _In_ ULONG Flags);
+
+void*
+ImpMmGetVirtualForPhysical(_In_ PHYSICAL_ADDRESS PhysicalAddress);
+
+LONG_PTR
+ImpObfReferenceObject(_In_ PVOID Object);
+
+VOID
+ImpExFreePoolWithTag(_In_ PVOID P, _In_ ULONG Tag);
+
+void*
+ImpExAllocatePool2(_In_ POOL_FLAGS Flags, _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag);
+
+VOID
+ImpKeReleaseGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex);
+
+VOID
+ImpKeAcquireGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex);
+
+ULONG
+ImpDbgPrintEx(_In_ ULONG ComponentId, _In_ ULONG Level, _In_ PCSTR Format, ...);
+
+LONG
+ImpRtlCompareUnicodeString(_In_ PCUNICODE_STRING String1,
+                           _In_ PCUNICODE_STRING String2,
+                           _In_ BOOLEAN          CaseInSensitive);
+
+VOID
+ImpRtlFreeUnicodeString(_In_ PUNICODE_STRING UnicodeString);
 
 #endif

driver/io.c

@@ -270,11 +270,16 @@ IrpQueueFreeDeferredReports()
         PIRP_QUEUE_HEAD  queue  = GetIrpQueueHead();
         PDEFERRED_REPORT report = NULL;
 
+        /* just in case... */
+        KeAcquireGuardedMutex(&queue->reports.lock);
+
         while (IrpQueueIsThereDeferredReport(queue))
         {
                 report = IrpQueueRemoveDeferredReport(queue);
-                ExFreePoolWithTag(report, REPORT_POOL_TAG);
+                IrpQueueFreeDeferredReport(report);
         }
+
+        KeReleaseGuardedMutex(&queue->reports.lock);
 }
 
 NTSTATUS
@@ -450,6 +455,9 @@ SharedMappingTerminate()
 {
         PSHARED_MAPPING mapping = GetSharedMappingConfig();
 
+        if (!mapping->active)
+                return;
+
         while (mapping->work_item_status)
                 YieldProcessor();
 

driver/modules.c

@@ -1033,7 +1033,10 @@ HandleNmiIOCTL()
                                          NMI_CONTEXT_POOL);
 
         if (!nmi_context)
+        {
+                UnsetNmiInProgressFlag();
                 return STATUS_MEMORY_NOT_ALLOCATED;
+        }
 
         /*
          * We want to register and unregister our callback each time so it becomes harder
@@ -1045,6 +1048,7 @@ HandleNmiIOCTL()
         {
                 DEBUG_ERROR("KeRegisterNmiCallback failed with no status.");
                 ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL);
+                UnsetNmiInProgressFlag();
                 return STATUS_UNSUCCESSFUL;
         }
 
@@ -1059,6 +1063,7 @@ HandleNmiIOCTL()
                 ImpKeDeregisterNmiCallback(callback_handle);
                 ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL);
                 DEBUG_ERROR("Error retriving system module information");
+                UnsetNmiInProgressFlag();
                 return status;
         }
 
@@ -1070,6 +1075,7 @@ HandleNmiIOCTL()
                 ImpKeDeregisterNmiCallback(callback_handle);
                 ImpExFreePoolWithTag(system_modules.address, SYSTEM_MODULES_POOL);
                 ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL);
+                UnsetNmiInProgressFlag();
                 return status;
         }