Showing preview only (5,565K chars total). Download the full file or copy to clipboard to get everything.
Repository: ciyze0101/Windows-Rootkits
Branch: master
Commit: c7ed346f1001
Files: 530
Total size: 5.2 MB
Directory structure:
gitextract_9k0zxvbv/
├── .gitattributes
├── .gitignore
├── CheckKernelEATHook/
│ ├── CheckKernelHook/
│ │ ├── CheckKernelHook/
│ │ │ ├── AddService.cpp
│ │ │ ├── AddService.h
│ │ │ ├── CheckKernelHook.aps
│ │ │ ├── CheckKernelHook.cpp
│ │ │ ├── CheckKernelHook.h
│ │ │ ├── CheckKernelHook.rc
│ │ │ ├── CheckKernelHook.vcxproj
│ │ │ ├── CheckKernelHook.vcxproj.filters
│ │ │ ├── CheckKernelHookDlg.cpp
│ │ │ ├── CheckKernelHookDlg.h
│ │ │ ├── res/
│ │ │ │ ├── CheckKernelHook.rc2
│ │ │ │ └── ReadMe.txt
│ │ │ ├── resource.h
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── CheckKernelHook.sln
│ ├── CheckKernelHookDrv/
│ │ ├── CheckKernelHook/
│ │ │ ├── CheckKernelHook.vcxproj
│ │ │ ├── CheckKernelHook.vcxproj.filters
│ │ │ ├── Common.c
│ │ │ ├── Common.h
│ │ │ ├── DriverEntry.c
│ │ │ ├── DriverEntry.h
│ │ │ ├── FileSystem.c
│ │ │ ├── FileSystem.h
│ │ │ ├── FixRelocation.c
│ │ │ ├── FixRelocation.h
│ │ │ ├── KernelHookCheck.c
│ │ │ ├── KernelHookCheck.h
│ │ │ ├── KernelReload.c
│ │ │ ├── KernelReload.h
│ │ │ ├── ReadMe.txt
│ │ │ ├── Reload.c
│ │ │ ├── Reload.h
│ │ │ ├── libdasm.c
│ │ │ ├── libdasm.h
│ │ │ ├── sources
│ │ │ └── tables.h
│ │ └── CheckKernelHook.sln
│ └── ReadMe.txt
├── GetKernel32Addressx64/
│ ├── GetKernel32Addressx64/
│ │ ├── GetKernel32Addressx64.cpp
│ │ ├── GetKernel32Addressx64.h
│ │ ├── GetKernel32Addressx64.rc
│ │ ├── GetKernel32Addressx64.vcxproj
│ │ ├── GetKernel32Addressx64.vcxproj.filters
│ │ ├── GetPeb.asm
│ │ ├── Resource.h
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ ├── GetKernel32Addressx64.sln
│ └── ReadMe.txt
├── HideProcess/
│ ├── HideProcess.c
│ ├── HideProcess.h
│ ├── HideProcess.sln
│ ├── HideProcess.vcxproj
│ ├── ReadMe.txt
│ ├── common.h
│ ├── readme.txt
│ ├── sources
│ └── struct.h
├── HookDeviceIocontrlFile/
│ ├── HookDeviceIoControlFile/
│ │ └── HookDeviceIoControlFile/
│ │ ├── HookDeviceIoControlFile/
│ │ │ ├── HookDeviceIoControlFile.vcproj
│ │ │ ├── TlHelp32.h
│ │ │ ├── analyzer.cpp
│ │ │ ├── analyzer.h
│ │ │ ├── binres.rc
│ │ │ ├── common.cpp
│ │ │ ├── common.h
│ │ │ ├── dbgsdk/
│ │ │ │ ├── inc/
│ │ │ │ │ ├── dbgeng.h
│ │ │ │ │ ├── dbghelp.h
│ │ │ │ │ ├── engextcpp.cpp
│ │ │ │ │ ├── engextcpp.hpp
│ │ │ │ │ ├── extsfns.h
│ │ │ │ │ └── wdbgexts.h
│ │ │ │ └── lib/
│ │ │ │ ├── amd64/
│ │ │ │ │ ├── dbgeng.lib
│ │ │ │ │ ├── dbghelp.lib
│ │ │ │ │ └── engextcpp.lib
│ │ │ │ ├── i386/
│ │ │ │ │ ├── dbgeng.lib
│ │ │ │ │ ├── dbghelp.lib
│ │ │ │ │ └── engextcpp.lib
│ │ │ │ └── ia64/
│ │ │ │ ├── dbgeng.lib
│ │ │ │ ├── dbghelp.lib
│ │ │ │ └── engextcpp.lib
│ │ │ ├── debug.cpp
│ │ │ ├── debug.h
│ │ │ ├── default.manifest
│ │ │ ├── drvcomm.h
│ │ │ ├── ioctlfuzzer.cpp
│ │ │ ├── ioctlfuzzer.log
│ │ │ ├── ioctlfuzzer.rc
│ │ │ ├── lib/
│ │ │ │ ├── amd64/
│ │ │ │ │ └── comsupp.lib
│ │ │ │ └── comsupp.lib
│ │ │ ├── ntdll_defs.h
│ │ │ ├── options.h
│ │ │ ├── resource.h
│ │ │ ├── service.cpp
│ │ │ ├── service.h
│ │ │ ├── stdafx.h
│ │ │ ├── symbols.cpp
│ │ │ ├── symbols.h
│ │ │ ├── undocnt.h
│ │ │ ├── xml.cpp
│ │ │ └── xml.h
│ │ ├── HookDeviceIoControlFile.sln
│ │ └── ioctlfuzzer.xml
│ ├── HookDeviceIoControlFileDrv/
│ │ ├── HookDeviceIoControlFile/
│ │ │ ├── HookDeviceIoControlFile.vcproj
│ │ │ ├── common.c
│ │ │ ├── common.h
│ │ │ ├── common_asm.h
│ │ │ ├── common_change_asm.cpp
│ │ │ ├── debug.c
│ │ │ ├── debug.h
│ │ │ ├── driver.c
│ │ │ ├── driver.h
│ │ │ ├── drvcomm.h
│ │ │ ├── extern.h
│ │ │ ├── handlers.c
│ │ │ ├── handlers.h
│ │ │ ├── hook.c
│ │ │ ├── hook.h
│ │ │ ├── log.c
│ │ │ ├── log.h
│ │ │ ├── lst.c
│ │ │ ├── lst.h
│ │ │ ├── options.h
│ │ │ ├── rng.c
│ │ │ ├── rng.h
│ │ │ ├── rules.c
│ │ │ ├── rules.h
│ │ │ ├── sources
│ │ │ ├── stdafx.h
│ │ │ ├── udis86/
│ │ │ │ ├── build.bat
│ │ │ │ ├── build64.bat
│ │ │ │ ├── extern.h
│ │ │ │ ├── itab.h
│ │ │ │ ├── makefile.inc
│ │ │ │ ├── makefile_amd64
│ │ │ │ ├── makefile_i386
│ │ │ │ ├── src/
│ │ │ │ │ ├── decode.c
│ │ │ │ │ ├── decode.h
│ │ │ │ │ ├── extern.h
│ │ │ │ │ ├── input.c
│ │ │ │ │ ├── input.h
│ │ │ │ │ ├── itab.c
│ │ │ │ │ ├── itab.h
│ │ │ │ │ ├── syn-att.c
│ │ │ │ │ ├── syn-intel.c
│ │ │ │ │ ├── syn.c
│ │ │ │ │ ├── syn.h
│ │ │ │ │ ├── types.h
│ │ │ │ │ └── udis86.c
│ │ │ │ ├── types.h
│ │ │ │ ├── udis86_amd64.lib
│ │ │ │ └── udis86_i386.lib
│ │ │ ├── undocnt.h
│ │ │ └── version.rc
│ │ └── HookDeviceIoControlFile.sln
│ └── ReadMe.txt
├── Inject/
│ ├── CreateRemoteThread/
│ │ ├── CreateRemoteThread/
│ │ │ ├── CreateRemoteThread.cpp
│ │ │ ├── CreateRemoteThread.h
│ │ │ ├── CreateRemoteThread.rc
│ │ │ ├── CreateRemoteThread.vcxproj
│ │ │ ├── CreateRemoteThread.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── Resource.h
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ ├── CreateRemoteThread.sln
│ │ └── ReadMe.txt
│ ├── ExtraWindowInject/
│ │ ├── README.md
│ │ └── src/
│ │ ├── CMakeLists.txt
│ │ ├── add_apc.h
│ │ ├── add_thread.h
│ │ ├── createproc.h
│ │ ├── enumproc.h
│ │ ├── kernel32_undoc.h
│ │ ├── main.cpp
│ │ ├── main.h
│ │ ├── map_buffer_into_process.h
│ │ ├── ntddk.h
│ │ ├── ntdll_undoc.h
│ │ ├── patch_context.h
│ │ ├── patch_ep.h
│ │ ├── payload.h
│ │ ├── pe_hdrs_helper.cpp
│ │ ├── pe_hdrs_helper.h
│ │ ├── sysutil.cpp
│ │ ├── sysutil.h
│ │ ├── target_util.h
│ │ ├── util.h
│ │ ├── window_long_inject.cpp
│ │ └── window_long_inject.h
│ ├── Process-Hollowing/
│ │ ├── Readme.txt
│ │ └── sourcecode/
│ │ ├── HelloWorld/
│ │ │ ├── HelloWorld.cpp
│ │ │ ├── HelloWorld.vcproj
│ │ │ ├── HelloWorld.vcxproj
│ │ │ ├── HelloWorld.vcxproj.filters
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ ├── ProcessHollowing/
│ │ │ ├── PE.cpp
│ │ │ ├── PE.h
│ │ │ ├── ProcessHollowing.cpp
│ │ │ ├── ProcessHollowing.vcproj
│ │ │ ├── ProcessHollowing.vcxproj
│ │ │ ├── ProcessHollowing.vcxproj.filters
│ │ │ ├── internals.h
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── ProcessHollowing.sln
│ ├── ProcessDoppelgänging/
│ │ ├── .gitignore
│ │ ├── LICENSE.md
│ │ ├── MalExe/
│ │ │ ├── MalExe.vcxproj
│ │ │ ├── MalExe.vcxproj.filters
│ │ │ └── main.c
│ │ ├── README.md
│ │ ├── processrefund/
│ │ │ ├── main.c
│ │ │ ├── ntdefs.h
│ │ │ ├── processrefund.vcxproj
│ │ │ └── processrefund.vcxproj.filters
│ │ └── processrefund.sln
│ ├── ReflectiveDLLInjection/
│ │ ├── ReadMe.txt
│ │ ├── dll/
│ │ │ ├── reflective_dll.sln
│ │ │ ├── reflective_dll.vcxproj
│ │ │ ├── reflective_dll.vcxproj.filters
│ │ │ └── src/
│ │ │ ├── ReflectiveDLLInjection.h
│ │ │ ├── ReflectiveDll.c
│ │ │ ├── ReflectiveLoader.c
│ │ │ └── ReflectiveLoader.h
│ │ └── inject/
│ │ ├── inject.sln
│ │ ├── inject.vcxproj
│ │ ├── inject.vcxproj.filters
│ │ └── src/
│ │ ├── GetProcAddressR.c
│ │ ├── GetProcAddressR.h
│ │ ├── Inject.c
│ │ ├── LoadLibraryR.c
│ │ ├── LoadLibraryR.h
│ │ └── ReflectiveDLLInjection.h
│ ├── SetThreadContext/
│ │ ├── InjectDllBySetThreadContextx64/
│ │ │ ├── InjectDllBySetThreadContextx64.cpp
│ │ │ ├── InjectDllBySetThreadContextx64.vcxproj
│ │ │ ├── InjectDllBySetThreadContextx64.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ ├── InjectDllBySetThreadContextx64.sln
│ │ └── ReadMe.txt
│ ├── SetWindowsHookEx/
│ │ ├── ReadMe.txt
│ │ ├── SetWindowsHookEx/
│ │ │ ├── SetWindowsHookEx.cpp
│ │ │ ├── SetWindowsHookEx.vcxproj
│ │ │ ├── SetWindowsHookEx.vcxproj.filters
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── SetWindowsHookEx.sln
│ ├── UserApcInject/
│ │ ├── ReadMe.txt
│ │ ├── UserAPC/
│ │ │ ├── Resource.h
│ │ │ ├── UserAPC.cpp
│ │ │ ├── UserAPC.h
│ │ │ ├── UserAPC.rc
│ │ │ ├── UserAPC.vcxproj
│ │ │ ├── UserAPC.vcxproj.filters
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── UserAPC.sln
│ ├── atom-bombing-master/
│ │ ├── .gitignore
│ │ ├── AtomBombing/
│ │ │ ├── AtomBombing.vcxproj
│ │ │ ├── AtomBombing.vcxproj.filters
│ │ │ └── main.cpp
│ │ ├── AtomBombing.sln
│ │ ├── AtomBombingShellcode/
│ │ │ ├── AtomBombingShellcode.vcxproj
│ │ │ ├── AtomBombingShellcode.vcxproj.filters
│ │ │ ├── Scripts/
│ │ │ │ └── Post_Link.py
│ │ │ └── main.c
│ │ └── README.md
│ └── herpaderping-main/
│ ├── .gitignore
│ ├── .gitmodules
│ ├── LICENSE
│ ├── README.md
│ ├── _config.yml
│ ├── ext/
│ │ └── submodules/
│ │ ├── phnt/
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── ntdbg.h
│ │ │ ├── ntexapi.h
│ │ │ ├── ntgdi.h
│ │ │ ├── ntioapi.h
│ │ │ ├── ntkeapi.h
│ │ │ ├── ntldr.h
│ │ │ ├── ntlpcapi.h
│ │ │ ├── ntmisc.h
│ │ │ ├── ntmmapi.h
│ │ │ ├── ntnls.h
│ │ │ ├── ntobapi.h
│ │ │ ├── ntpebteb.h
│ │ │ ├── ntpfapi.h
│ │ │ ├── ntpnpapi.h
│ │ │ ├── ntpoapi.h
│ │ │ ├── ntpsapi.h
│ │ │ ├── ntregapi.h
│ │ │ ├── ntrtl.h
│ │ │ ├── ntsam.h
│ │ │ ├── ntseapi.h
│ │ │ ├── ntsmss.h
│ │ │ ├── nttmapi.h
│ │ │ ├── nttp.h
│ │ │ ├── ntwow64.h
│ │ │ ├── ntxcapi.h
│ │ │ ├── ntzwapi.h
│ │ │ ├── phnt.h
│ │ │ ├── phnt_ntdef.h
│ │ │ ├── phnt_windows.h
│ │ │ ├── subprocesstag.h
│ │ │ └── winsta.h
│ │ └── wil/
│ │ ├── com.h
│ │ ├── common.h
│ │ ├── cppwinrt.h
│ │ ├── filesystem.h
│ │ ├── registry.h
│ │ ├── resource.h
│ │ ├── result.h
│ │ ├── result_macros.h
│ │ ├── result_originate.h
│ │ ├── rpc_helpers.h
│ │ ├── safecast.h
│ │ ├── stl.h
│ │ ├── token_helpers.h
│ │ ├── win32_helpers.h
│ │ ├── winrt.h
│ │ ├── wistd_config.h
│ │ ├── wistd_functional.h
│ │ ├── wistd_memory.h
│ │ ├── wistd_type_traits.h
│ │ └── wrl.h
│ ├── herpaderping.sln
│ └── source/
│ └── ProcessHerpaderping/
│ ├── ProcessHerpaderping.vcxproj
│ ├── ProcessHerpaderping.vcxproj.filters
│ ├── herpaderp.cpp
│ ├── herpaderp.hpp
│ ├── main.cpp
│ ├── pch.hpp
│ ├── res/
│ │ ├── resource.h
│ │ ├── resource.rc
│ │ └── version.h
│ ├── utils.cpp
│ └── utils.hpp
├── KernelHiddenExecute-master/
│ ├── .gitattributes
│ ├── KernelHiddenExcute/
│ │ ├── Head.h
│ │ ├── HiddenCallApiTransfer.h
│ │ ├── HiddenExecute.h
│ │ ├── HiddenFunctions.h
│ │ ├── KernelHiddenExcute.inf
│ │ ├── KernelHiddenExcute.vcxproj
│ │ ├── KernelHiddenExcute.vcxproj.filters
│ │ ├── MyDebugPrint.h
│ │ ├── PhysicalMemoryOperation.h
│ │ ├── SectionOperation.h
│ │ └── main.c
│ ├── KernelHiddenExcute.sln
│ └── LICENSE
├── LoadImageCallBack/
│ ├── Dll/
│ │ ├── Dll/
│ │ │ ├── Dll.cpp
│ │ │ ├── Dll.vcxproj
│ │ │ ├── Dll.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── dllmain.cpp
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── Dll.sln
│ ├── LoadImageCallBack/
│ │ ├── ModuleCallBack.c
│ │ ├── ModuleCallBack.h
│ │ ├── ModuleCallBack.sln
│ │ ├── ModuleCallBack.vcxproj
│ │ ├── ReadMe.txt
│ │ ├── common.h
│ │ ├── sources
│ │ └── struct.h
│ ├── ReadMe.txt
│ └── inject/
│ ├── Inject/
│ │ ├── Inject.cpp
│ │ ├── Inject.h
│ │ ├── Inject.rc
│ │ ├── Inject.vcxproj
│ │ ├── Inject.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── Resource.h
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ └── Inject.sln
├── MmLoadDriver/
│ ├── MemLoadDriver/
│ │ ├── MAKEFILE
│ │ ├── MemLoadDriver.c
│ │ ├── MemLoadDriver.h
│ │ ├── SOURCES
│ │ ├── main.c
│ │ ├── main.h
│ │ └── precomp.h
│ └── test/
│ ├── MAKEFILE
│ ├── SOURCES
│ ├── main.c
│ ├── main.h
│ └── precomp.h
├── ProcessManager/
│ ├── ProcessManager/
│ │ ├── CEnumProcess.cpp
│ │ ├── CEnumProcess.h
│ │ ├── Common.cpp
│ │ ├── Common.h
│ │ ├── Monitor.cpp
│ │ ├── Monitor.h
│ │ ├── MonitorProcess.cpp
│ │ ├── MonitorProcess.h
│ │ ├── ProcessManager.cpp
│ │ ├── ProcessManager.h
│ │ ├── ProcessManager.rc
│ │ ├── ProcessManager.vcxproj
│ │ ├── ProcessManager.vcxproj.filters
│ │ ├── ProcessManagerDlg.cpp
│ │ ├── ProcessManagerDlg.h
│ │ ├── res/
│ │ │ └── ProcessManager.rc2
│ │ ├── resource.h
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ ├── ProcessManager.sln
│ ├── ProcessManagerDrv/
│ │ ├── Common.c
│ │ ├── Common.h
│ │ ├── EnumProcess.c
│ │ ├── EnumProcess.h
│ │ ├── HideProcess.c
│ │ ├── HideProcess.h
│ │ ├── MonitorWin7.c
│ │ ├── MonitorWin7.h
│ │ ├── ProcessManagerDrv.c
│ │ ├── ProcessManagerDrv.h
│ │ ├── ProcessManagerDrv.vcxproj
│ │ ├── ProcessManagerDrv.vcxproj.filters
│ │ └── sources
│ └── ReadMe
├── ProtectFilex64/
│ ├── FileProtectX64.c
│ ├── FileProtectX64.h
│ ├── FileProtectX64.sln
│ ├── FileProtectX64.vcxproj
│ ├── ReadMe.txt
│ ├── common.h
│ ├── sources
│ └── struct.h
├── ProtectFilex86/
│ ├── FileProtectX86.c
│ ├── FileProtectX86.h
│ ├── FileProtectX86.sln
│ ├── FileProtectX86.vcxproj
│ ├── ReadMe.txt
│ ├── common.h
│ ├── sources
│ └── struct.h
├── ProtectProcessx64/
│ ├── ProtectProcessx64.c
│ ├── ProtectProcessx64.h
│ ├── ProtectProcessx64.sln
│ ├── ProtectProcessx64.vcxproj
│ ├── ReadMe.txt
│ ├── common.h
│ ├── sources
│ └── struct.h
├── README.md
├── ReloadKernel-XP/
│ ├── ReadMe.txt
│ ├── ReloadKernel/
│ │ ├── FileSystem.c
│ │ ├── FileSystem.h
│ │ ├── FixRelocation.c
│ │ ├── FixRelocation.h
│ │ ├── KernelReload.c
│ │ ├── KernelReload.h
│ │ ├── ReadMe.txt
│ │ ├── Reload.c
│ │ ├── Reload.h
│ │ ├── ReloadKernel.filters
│ │ ├── ReloadKernel.vcxproj
│ │ ├── ReloadKernel.vcxproj.filters
│ │ └── sources
│ └── ReloadKernel.sln
├── SSDT-SSSDT-Manager/
│ ├── EnumSSSDTManager/
│ │ ├── EnumSSSDTManager/
│ │ │ ├── EnumSSSDTManager.aps
│ │ │ ├── EnumSSSDTManager.cpp
│ │ │ ├── EnumSSSDTManager.h
│ │ │ ├── EnumSSSDTManager.idc
│ │ │ ├── EnumSSSDTManager.rc
│ │ │ ├── EnumSSSDTManager.vcxproj
│ │ │ ├── EnumSSSDTManager.vcxproj.filters
│ │ │ ├── EnumSSSDTManagerDlg.cpp
│ │ │ ├── EnumSSSDTManagerDlg.h
│ │ │ ├── OpenDevice.cpp
│ │ │ ├── OpenDevice.h
│ │ │ ├── SSDT.cpp
│ │ │ ├── SSDT.h
│ │ │ ├── SSDTFunc.h
│ │ │ ├── SSSDT.cpp
│ │ │ ├── SSSDT.h
│ │ │ ├── SSSDTFunc.h
│ │ │ ├── res/
│ │ │ │ ├── EnumSSSDTManager.rc2
│ │ │ │ └── ReadMe.txt
│ │ │ ├── resource.h
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── EnumSSSDTManager.sln
│ ├── EnumSSSDTManagerRing0/
│ │ ├── GetService.c
│ │ ├── GetService.h
│ │ ├── ReadMe.txt
│ │ ├── SSDT.c
│ │ ├── SSDT.h
│ │ ├── SSSDT.c
│ │ ├── SSSDT.h
│ │ ├── SSSDTManager.c
│ │ ├── SSSDTManager.h
│ │ ├── SSSDTManager.sln
│ │ ├── SSSDTManager.vcxproj
│ │ ├── SSSDTManager.vcxproj.filters
│ │ ├── common.c
│ │ ├── common.h
│ │ └── sources
│ └── ReadMe.txt
└── ZwQueryVirtualMemory/
├── Common.c
├── Common.h
├── GetSSDTFuncAddress.c
├── GetSSDTFuncAddress.h
├── ReadMe.txt
├── ZwQueryVirtualMemory.c
├── ZwQueryVirtualMemory.h
├── ZwQueryVirtualMemory.sln
├── ZwQueryVirtualMemory.vcxproj
└── sources
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
# Auto detect text files and perform LF normalization
* text=auto
# Custom for Visual Studio
*.cs diff=csharp
# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain
================================================
FILE: .gitignore
================================================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
*.msm
*.msp
# Windows shortcuts
*.lnk
# =========================
# Operating System Files
# =========================
# OSX
# =========================
.DS_Store
.AppleDouble
.LSOverride
# Thumbnails
._*
# Files that might appear on external disk
.Spotlight-V100
.Trashes
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/AddService.cpp
================================================
#include "AddService.h"
#include "stdafx.h"
#include "CheckKernelHookDlg.h"
#include <Winsvc.h>
#pragma once
BOOL Release(){
// HRSRC res = FindResource(NULL,MAKEINTRESOURCE(IDR_SYS),TEXT("BINARY"));
// if(!res)
// return FALSE;
// HGLOBAL resGlobal = LoadResource(NULL,res);
// if(!resGlobal)
// return FALSE;
// DWORD size=SizeofResource(NULL,res);
// BYTE* ptr=(BYTE*)LockResource(resGlobal);
// if(!ptr)
// return FALSE;
HANDLE hFile=CreateFile(TEXT("ReloadKernel.sys"), GENERIC_WRITE,
0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile==INVALID_HANDLE_VALUE)
return FALSE;
DWORD dw;
// if(!WriteFile(hFile,ptr,size,&dw,NULL)){
// CloseHandle(hFile);
// return FALSE;
// }
CloseHandle(hFile);
return TRUE;
}
BOOL UnloadDrv(TCHAR* DriverName){
SC_HANDLE hSCManager;
SC_HANDLE hService;
SERVICE_STATUS ss;
hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (!hSCManager){
return FALSE;
}
hService = OpenService( hSCManager,DriverName,SERVICE_ALL_ACCESS);
if( !hService ) {
CloseServiceHandle(hSCManager);
return FALSE;
}
ControlService(hService, SERVICE_CONTROL_STOP, &ss);
DeleteService(hService);
CloseServiceHandle(hService);
CloseServiceHandle(hSCManager);
return TRUE;
}
BOOL LoadDrv(TCHAR* DriverName){
TCHAR DrvFullPathName[MAX_PATH];
SC_HANDLE schSCManager;
SC_HANDLE schService;
UnloadDrv(L"CheckKernelHook");
// if(!Release())
// return FALSE;
GetFullPathName(TEXT("CheckKernelHook.sys"), MAX_PATH, DrvFullPathName, NULL);
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (!schSCManager)
return FALSE;
schService = CreateService(
schSCManager,DriverName,DriverName,
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
DrvFullPathName,
NULL,NULL,NULL,NULL,NULL
);
if (!schService){
if (GetLastError() == ERROR_SERVICE_EXISTS){
schService = OpenService(schSCManager,DriverName,SERVICE_ALL_ACCESS);
if (!schService){
CloseServiceHandle(schSCManager);
return FALSE;
}
}else{
CloseServiceHandle(schSCManager);
return FALSE;
}
}
if (!StartService(schService,0,NULL)){
if ( !(GetLastError()==ERROR_SERVICE_ALREADY_RUNNING ) ){
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
return FALSE;
}
}
CloseServiceHandle(schService);
CloseServiceHandle(schSCManager);
return TRUE;
}
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/AddService.h
================================================
#include "stdafx.h"
BOOL Release();
BOOL UnloadDrv(TCHAR* DriverName);
BOOL LoadDrv(TCHAR* DriverName);
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.cpp
================================================
// CheckKernelHook.cpp : ӦóΪ
//
#include "stdafx.h"
#include "CheckKernelHook.h"
#include "CheckKernelHookDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// CCheckKernelHookApp
BEGIN_MESSAGE_MAP(CCheckKernelHookApp, CWinApp)
ON_COMMAND(ID_HELP, &CWinApp::OnHelp)
END_MESSAGE_MAP()
// CCheckKernelHookApp
CCheckKernelHookApp::CCheckKernelHookApp()
{
// ֧
m_dwRestartManagerSupportFlags = AFX_RESTART_MANAGER_SUPPORT_RESTART;
// TODO: ڴ˴ӹ룬
// Ҫijʼ InitInstance
}
// Ψһһ CCheckKernelHookApp
CCheckKernelHookApp theApp;
// CCheckKernelHookApp ʼ
BOOL CCheckKernelHookApp::InitInstance()
{
// һ Windows XP ϵӦó嵥ָҪ
// ʹ ComCtl32.dll 汾 6 ߰汾ÿӻʽ
//Ҫ InitCommonControlsEx()ڡ
INITCOMMONCONTROLSEX InitCtrls;
InitCtrls.dwSize = sizeof(InitCtrls);
// ΪҪӦóʹõ
// ؼࡣ
InitCtrls.dwICC = ICC_WIN95_CLASSES;
InitCommonControlsEx(&InitCtrls);
CWinApp::InitInstance();
AfxEnableControlContainer();
// shell ԷԻ
// κ shell ͼؼ shell бͼؼ
CShellManager *pShellManager = new CShellManager;
// ʼ
// δʹЩܲϣС
// տִļĴСӦƳ
// Ҫضʼ
// ڴ洢õע
// TODO: Ӧʵĸַ
// Ϊ˾֯
SetRegistryKey(_T("ӦóɵıӦó"));
CCheckKernelHookDlg dlg;
m_pMainWnd = &dlg;
INT_PTR nResponse = dlg.DoModal();
if (nResponse == IDOK)
{
// TODO: ڴ˷ôʱ
// ȷرնԻĴ
}
else if (nResponse == IDCANCEL)
{
// TODO: ڴ˷ôʱ
// ȡرնԻĴ
}
// ɾ洴 shell
if (pShellManager != NULL)
{
delete pShellManager;
}
// ڶԻѹرգԽ FALSE Ա˳Ӧó
// ӦóϢá
return FALSE;
}
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.h
================================================
// CheckKernelHook.h : PROJECT_NAME Ӧóͷļ
//
#pragma once
#ifndef __AFXWIN_H__
#error "ڰļ֮ǰstdafx.h PCH ļ"
#endif
#include "resource.h" //
// CCheckKernelHookApp:
// йشʵ֣ CheckKernelHook.cpp
//
class CCheckKernelHookApp : public CWinApp
{
public:
CCheckKernelHookApp();
// д
public:
virtual BOOL InitInstance();
// ʵ
DECLARE_MESSAGE_MAP()
};
extern CCheckKernelHookApp theApp;
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{D49C7CB9-A5C2-4377-A234-7C440407A30E}</ProjectGuid>
<RootNamespace>CheckKernelHook</RootNamespace>
<Keyword>MFCProj</Keyword>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<UseOfMfc>Dynamic</UseOfMfc>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
<Midl>
<MkTypLibCompatible>false</MkTypLibCompatible>
<ValidateAllParameters>true</ValidateAllParameters>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;_WINDOWS;NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
<Midl>
<MkTypLibCompatible>false</MkTypLibCompatible>
<ValidateAllParameters>true</ValidateAllParameters>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
</ResourceCompile>
</ItemDefinitionGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
<None Include="res\CheckKernelHook.ico" />
<None Include="res\CheckKernelHook.rc2" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="AddService.h" />
<ClInclude Include="CheckKernelHook.h" />
<ClInclude Include="CheckKernelHookDlg.h" />
<ClInclude Include="Resource.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="AddService.cpp" />
<ClCompile Include="CheckKernelHook.cpp" />
<ClCompile Include="CheckKernelHookDlg.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="CheckKernelHook.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
<ProjectExtensions>
<VisualStudio>
<UserProperties RESOURCE_FILE="CheckKernelHook.rc" />
</VisualStudio>
</ProjectExtensions>
</Project>
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="源文件">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="头文件">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="资源文件">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<None Include="ReadMe.txt" />
<None Include="res\CheckKernelHook.rc2">
<Filter>资源文件</Filter>
</None>
<None Include="res\CheckKernelHook.ico">
<Filter>资源文件</Filter>
</None>
</ItemGroup>
<ItemGroup>
<ClInclude Include="CheckKernelHook.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="CheckKernelHookDlg.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="stdafx.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="targetver.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="Resource.h">
<Filter>头文件</Filter>
</ClInclude>
<ClInclude Include="AddService.h">
<Filter>源文件</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="CheckKernelHook.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="CheckKernelHookDlg.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="stdafx.cpp">
<Filter>源文件</Filter>
</ClCompile>
<ClCompile Include="AddService.cpp">
<Filter>源文件</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="CheckKernelHook.rc">
<Filter>资源文件</Filter>
</ResourceCompile>
</ItemGroup>
</Project>
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHookDlg.cpp
================================================
// CheckKernelHookDlg.cpp : ʵļ
//
#include "stdafx.h"
#include "CheckKernelHook.h"
#include "CheckKernelHookDlg.h"
#include "afxdialogex.h"
#include "AddService.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
HANDLE g_hDevice = NULL;
typedef struct
{
WCHAR* szTitle; //б
int nWidth; //бĿ
}COLUMNSTRUCT;
COLUMNSTRUCT g_Column_Data_Online[] =
{
{L"ԭʼַ", 148 },
{L"", 150 },
{L"Hookַ", 160 },
{L"ģ", 300 },
{L"ģַ", 80 },
{L"ģС", 81 },
{L"", 81 }
};
int g_Column_Count_Online = 7; //бĸ
int g_Column_Online_Width = 0;
// Ӧóڡ˵ CAboutDlg Ի
class CAboutDlg : public CDialogEx
{
public:
CAboutDlg();
// Ի
enum { IDD = IDD_ABOUTBOX };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV ֧
// ʵ
protected:
DECLARE_MESSAGE_MAP()
};
CAboutDlg::CAboutDlg() : CDialogEx(CAboutDlg::IDD)
{
}
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
}
BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP()
// CCheckKernelHookDlg Ի
CCheckKernelHookDlg::CCheckKernelHookDlg(CWnd* pParent /*=NULL*/)
: CDialogEx(CCheckKernelHookDlg::IDD, pParent)
{
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
void CCheckKernelHookDlg::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Control(pDX, IDC_LIST, m_List);
}
BEGIN_MESSAGE_MAP(CCheckKernelHookDlg, CDialogEx)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
END_MESSAGE_MAP()
// CCheckKernelHookDlg Ϣ
BOOL CCheckKernelHookDlg::OnInitDialog()
{
CDialogEx::OnInitDialog();
// ...˵ӵϵͳ˵С
// IDM_ABOUTBOX ϵͳΧڡ
ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
ASSERT(IDM_ABOUTBOX < 0xF000);
CMenu* pSysMenu = GetSystemMenu(FALSE);
if (pSysMenu != NULL)
{
BOOL bNameValid;
CString strAboutMenu;
bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
ASSERT(bNameValid);
if (!strAboutMenu.IsEmpty())
{
pSysMenu->AppendMenu(MF_SEPARATOR);
pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}
}
// ô˶ԻͼꡣӦóڲǶԻʱܽԶ
// ִд˲
SetIcon(m_hIcon, TRUE); // ôͼ
SetIcon(m_hIcon, FALSE); // Сͼ
m_List.SetExtendedStyle(LVS_EX_FULLROWSELECT);
for (int i = 0; i < g_Column_Count_Online; i++)
{
m_List.InsertColumn(i, g_Column_Data_Online[i].szTitle,LVCFMT_CENTER,g_Column_Data_Online[i].nWidth);
g_Column_Online_Width+=g_Column_Data_Online[i].nWidth;
}
//LoadDrv(L"CheckKernelHook");
g_hDevice = OpenDevice(L"\\\\.\\CheckKernelHookLinkName");
if (g_hDevice==(HANDLE)-1)
{
MessageBox(L"豸ʧ");
return TRUE;
}
CheckKernelHook();
return TRUE; // ǽõؼ TRUE
}
VOID CCheckKernelHookDlg::CheckKernelHook()
{
ULONG_PTR ulCount = 0x1000;
PINLINEHOOKINFO PInlineHookInfo = NULL;
BOOL bRet = FALSE;
DWORD ulReturnSize = 0;
do
{
ULONG_PTR ulSize = 0;
if (PInlineHookInfo)
{
free(PInlineHookInfo);
PInlineHookInfo = NULL;
}
ulSize = sizeof(INLINEHOOKINFO) + ulCount * sizeof(INLINEHOOKINFO_INFORMATION);
PInlineHookInfo = (PINLINEHOOKINFO)malloc(ulSize);
if (!PInlineHookInfo)
{
break;
}
memset(PInlineHookInfo,0,ulSize);
bRet = DeviceIoControl(g_hDevice,CTL_CHECKKERNELMODULE,
NULL,
0,
PInlineHookInfo,
ulSize,
&ulReturnSize,
NULL);
ulCount = PInlineHookInfo->ulCount + 1000;
} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
if(PInlineHookInfo->ulCount==0)
{
MessageBox(L"ǰں˰ȫ",L"");
}
else
{
InsertDataToList(PInlineHookInfo);
}
if (PInlineHookInfo)
{
free(PInlineHookInfo);
PInlineHookInfo = NULL;
}
}
VOID CCheckKernelHookDlg::InsertDataToList(PINLINEHOOKINFO PInlineHookInfo)
{
CString OrgAddress,CurAddress,ModuleBase,ModuleSize;
for(int i=0;i<PInlineHookInfo->ulCount;i++)
{
OrgAddress.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulMemoryFunctionBase);
CurAddress.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulMemoryHookBase);
ModuleBase.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulHookModuleBase);
ModuleSize.Format(L"%d",PInlineHookInfo->InlineHook[i].ulHookModuleSize);
int n = m_List.InsertItem(m_List.GetItemCount(),OrgAddress,0); //עi Icon λ
CString szFunc=L"";
CString ModuleName = L"";
szFunc +=PInlineHookInfo->InlineHook[i].lpszFunction;
ModuleName += PInlineHookInfo->InlineHook[i].lpszHookModuleImage;
m_List.SetItemText(n,1,szFunc);
m_List.SetItemText(n,2,CurAddress);
m_List.SetItemText(n,3,ModuleName);
m_List.SetItemText(n,4,ModuleBase);
m_List.SetItemText(n,5,ModuleSize);
CString Type= L"";
if(PInlineHookInfo->InlineHook[i].ulHookType==1)
{
Type +=L"SSDT Hook";
}
else if(PInlineHookInfo->InlineHook[i].ulHookType==2)
{
Type +=L"Next Call Hook";
}
else if(PInlineHookInfo->InlineHook[i].ulHookType==0)
{
Type +=L"Inline Hook";
}
m_List.SetItemText(n,6,Type);
}
UpdateData(TRUE);
}
void CCheckKernelHookDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
if ((nID & 0xFFF0) == IDM_ABOUTBOX)
{
CAboutDlg dlgAbout;
dlgAbout.DoModal();
}
else
{
CDialogEx::OnSysCommand(nID, lParam);
}
}
// ԻСťҪĴ
// Ƹͼꡣʹĵ/ͼģ͵ MFC Ӧó
// ⽫ɿԶɡ
void CCheckKernelHookDlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // ڻƵ豸
SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
// ʹͼڹо
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + 1) / 2;
int y = (rect.Height() - cyIcon + 1) / 2;
// ͼ
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialogEx::OnPaint();
}
}
//û϶Сʱϵͳô˺ȡù
//ʾ
HCURSOR CCheckKernelHookDlg::OnQueryDragIcon()
{
return static_cast<HCURSOR>(m_hIcon);
}
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHookDlg.h
================================================
// CheckKernelHookDlg.h : ͷļ
//
#pragma once
#include "afxcmn.h"
#include "resource.h"
#include <WinIoCtl.h>
typedef struct _INLINEHOOKINFO_INFORMATION { //INLINEHOOKINFO_INFORMATION
ULONG ulHookType;
ULONG ulMemoryFunctionBase; //ԭʼַ
ULONG ulMemoryHookBase; //HOOK ַ
CHAR lpszFunction[256];
CHAR lpszHookModuleImage[256];
ULONG ulHookModuleBase;
ULONG ulHookModuleSize;
} INLINEHOOKINFO_INFORMATION, *PINLINEHOOKINFO_INFORMATION;
typedef struct _INLINEHOOKINFO { //InlineHook
ULONG ulCount;
INLINEHOOKINFO_INFORMATION InlineHook[1];
} INLINEHOOKINFO, *PINLINEHOOKINFO;
#define CTL_CHECKKERNELMODULE \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_NEITHER,FILE_ANY_ACCESS)
// CCheckKernelHookDlg Ի
class CCheckKernelHookDlg : public CDialogEx
{
//
public:
CCheckKernelHookDlg(CWnd* pParent = NULL); // 캯
// Ի
enum { IDD = IDD_CHECKKERNELHOOK_DIALOG };
VOID CheckKernelHook();
VOID InsertDataToList(PINLINEHOOKINFO PInlineHookInfo);
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV ֧
HANDLE OpenDevice(LPCTSTR wzLinkPath)
{
HANDLE hDevice = CreateFile(wzLinkPath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
}
return hDevice;
}
// ʵ
protected:
HICON m_hIcon;
// ɵϢӳ亯
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
DECLARE_MESSAGE_MAP()
public:
CListCtrl m_List;
};
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/res/ReadMe.txt
================================================
Check Kernel EAT Hook
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/stdafx.cpp
================================================
// stdafx.cpp : ֻļԴļ
// CheckKernelHook.pch ΪԤͷ
// stdafx.obj ԤϢ
#include "stdafx.h"
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/stdafx.h
================================================
// stdafx.h : ϵͳļİļ
// Ǿʹõĵ
// ضĿİļ
#pragma once
#ifndef _SECURE_ATL
#define _SECURE_ATL 1
#endif
#ifndef VC_EXTRALEAN
#define VC_EXTRALEAN // Windows ͷųʹõ
#endif
#include "targetver.h"
#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // ijЩ CString 캯ʽ
// ر MFC ijЩɷĺԵľϢ
#define _AFX_ALL_WARNINGS
#include <afxwin.h> // MFC ͱ
#include <afxext.h> // MFC չ
#include <afxdisp.h> // MFC Զ
#ifndef _AFX_NO_OLE_SUPPORT
#include <afxdtctl.h> // MFC Internet Explorer 4 ؼ֧
#endif
#ifndef _AFX_NO_AFXCMN_SUPPORT
#include <afxcmn.h> // MFC Windows ؼ֧
#endif // _AFX_NO_AFXCMN_SUPPORT
#include <afxcontrolbars.h> // Ϳؼ MFC ֧
#ifdef _UNICODE
#if defined _M_IX86
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")
#elif defined _M_X64
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"")
#else
#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"")
#endif
#endif
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/targetver.h
================================================
#pragma once
// SDKDDKVer.h ߰汾Ŀ Windows ƽ̨
// ҪΪǰ Windows ƽ̨Ӧó WinSDKVer.h
// WIN32_WINNT ΪҪֵ֧ƽ̨Ȼٰ SDKDDKVer.h
#include <SDKDDKVer.h>
================================================
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook.sln
================================================
Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CheckKernelHook", "CheckKernelHook\CheckKernelHook.vcxproj", "{D49C7CB9-A5C2-4377-A234-7C440407A30E}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Debug|Win32.ActiveCfg = Debug|Win32
{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Debug|Win32.Build.0 = Debug|Win32
{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Release|Win32.ActiveCfg = Release|Win32
{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/CheckKernelHook.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="WinDDK|Win32">
<Configuration>WinDDK</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Common.c" />
<ClCompile Include="DriverEntry.c" />
<ClCompile Include="FileSystem.c" />
<ClCompile Include="FixRelocation.c" />
<ClCompile Include="KernelHookCheck.c" />
<ClCompile Include="KernelReload.c" />
<ClCompile Include="libdasm.c" />
<ClCompile Include="Reload.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="Common.h" />
<ClInclude Include="DriverEntry.h" />
<ClInclude Include="FileSystem.h" />
<ClInclude Include="FixRelocation.h" />
<ClInclude Include="KernelHookCheck.h" />
<ClInclude Include="KernelReload.h" />
<ClInclude Include="libdasm.h" />
<ClInclude Include="Reload.h" />
<ClInclude Include="tables.h" />
</ItemGroup>
<ItemGroup>
<None Include="sources" />
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>"CheckKernelHook"</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
<TargetExt>.sys</TargetExt>
<GenerateManifest>false</GenerateManifest>
<ExecutablePath>$(WLHBASE)\bin\x86\x86;$(WLHBASE)\bin\x86</ExecutablePath>
<IncludePath>$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc</IncludePath>
<ReferencePath />
<LibraryPath>$(WLHBASE)\lib\win7\i386</LibraryPath>
<SourcePath />
<ExcludePath />
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
<ClCompile>
<PreprocessorDefinitions>_X86_;DBG=1</PreprocessorDefinitions>
<ExceptionHandling>false</ExceptionHandling>
<BufferSecurityCheck>false</BufferSecurityCheck>
<CallingConvention>StdCall</CallingConvention>
<CompileAs>CompileAsC</CompileAs>
<AdditionalIncludeDirectories>
</AdditionalIncludeDirectories>
</ClCompile>
<Link>
<AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<Link>
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
<SubSystem>Native</SubSystem>
<Driver>Driver</Driver>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
<SetChecksum>true</SetChecksum>
<BaseAddress>0x10000</BaseAddress>
<RandomizedBaseAddress>
</RandomizedBaseAddress>
<DataExecutionPrevention>
</DataExecutionPrevention>
</Link>
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/CheckKernelHook.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="Common.c" />
<ClCompile Include="DriverEntry.c" />
<ClCompile Include="KernelHookCheck.c" />
<ClCompile Include="libdasm.c" />
<ClCompile Include="FileSystem.c">
<Filter>Reload</Filter>
</ClCompile>
<ClCompile Include="FixRelocation.c">
<Filter>Reload</Filter>
</ClCompile>
<ClCompile Include="KernelReload.c">
<Filter>Reload</Filter>
</ClCompile>
<ClCompile Include="Reload.c">
<Filter>Reload</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Common.h" />
<ClInclude Include="DriverEntry.h" />
<ClInclude Include="KernelHookCheck.h" />
<ClInclude Include="libdasm.h" />
<ClInclude Include="tables.h" />
<ClInclude Include="FileSystem.h">
<Filter>Reload</Filter>
</ClInclude>
<ClInclude Include="FixRelocation.h">
<Filter>Reload</Filter>
</ClInclude>
<ClInclude Include="KernelReload.h">
<Filter>Reload</Filter>
</ClInclude>
<ClInclude Include="Reload.h">
<Filter>Reload</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<None Include="sources" />
</ItemGroup>
<ItemGroup>
<Filter Include="Reload">
<UniqueIdentifier>{7f84aa62-4fe1-452a-a193-32b7b7a3e2db}</UniqueIdentifier>
</Filter>
</ItemGroup>
</Project>
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Common.c
================================================
#include "Common.h"
#include "Reload.h"
UCHAR OpcodeFlags[256] =
{
OP_MODRM, // 00
OP_MODRM, // 01
OP_MODRM, // 02
OP_MODRM, // 03
OP_DATA_I8, // 04
OP_DATA_PRE66_67, // 05
OP_NONE, // 06
OP_NONE, // 07
OP_MODRM, // 08
OP_MODRM, // 09
OP_MODRM, // 0A
OP_MODRM, // 0B
OP_DATA_I8, // 0C
OP_DATA_PRE66_67, // 0D
OP_NONE, // 0E
OP_NONE, // 0F
OP_MODRM, // 10
OP_MODRM, // 11
OP_MODRM, // 12
OP_MODRM, // 13
OP_DATA_I8, // 14
OP_DATA_PRE66_67, // 15
OP_NONE, // 16
OP_NONE, // 17
OP_MODRM, // 18
OP_MODRM, // 19
OP_MODRM, // 1A
OP_MODRM, // 1B
OP_DATA_I8, // 1C
OP_DATA_PRE66_67, // 1D
OP_NONE, // 1E
OP_NONE, // 1F
OP_MODRM, // 20
OP_MODRM, // 21
OP_MODRM, // 22
OP_MODRM, // 23
OP_DATA_I8, // 24
OP_DATA_PRE66_67, // 25
OP_NONE, // 26
OP_NONE, // 27
OP_MODRM, // 28
OP_MODRM, // 29
OP_MODRM, // 2A
OP_MODRM, // 2B
OP_DATA_I8, // 2C
OP_DATA_PRE66_67, // 2D
OP_NONE, // 2E
OP_NONE, // 2F
OP_MODRM, // 30
OP_MODRM, // 31
OP_MODRM, // 32
OP_MODRM, // 33
OP_DATA_I8, // 34
OP_DATA_PRE66_67, // 35
OP_NONE, // 36
OP_NONE, // 37
OP_MODRM, // 38
OP_MODRM, // 39
OP_MODRM, // 3A
OP_MODRM, // 3B
OP_DATA_I8, // 3C
OP_DATA_PRE66_67, // 3D
OP_NONE, // 3E
OP_NONE, // 3F
OP_NONE, // 40
OP_NONE, // 41
OP_NONE, // 42
OP_NONE, // 43
OP_NONE, // 44
OP_NONE, // 45
OP_NONE, // 46
OP_NONE, // 47
OP_NONE, // 48
OP_NONE, // 49
OP_NONE, // 4A
OP_NONE, // 4B
OP_NONE, // 4C
OP_NONE, // 4D
OP_NONE, // 4E
OP_NONE, // 4F
OP_NONE, // 50
OP_NONE, // 51
OP_NONE, // 52
OP_NONE, // 53
OP_NONE, // 54
OP_NONE, // 55
OP_NONE, // 56
OP_NONE, // 57
OP_NONE, // 58
OP_NONE, // 59
OP_NONE, // 5A
OP_NONE, // 5B
OP_NONE, // 5C
OP_NONE, // 5D
OP_NONE, // 5E
OP_NONE, // 5F
OP_NONE, // 60
OP_NONE, // 61
OP_MODRM, // 62
OP_MODRM, // 63
OP_NONE, // 64
OP_NONE, // 65
OP_NONE, // 66
OP_NONE, // 67
OP_DATA_PRE66_67, // 68
OP_MODRM | OP_DATA_PRE66_67, // 69
OP_DATA_I8, // 6A
OP_MODRM | OP_DATA_I8, // 6B
OP_NONE, // 6C
OP_NONE, // 6D
OP_NONE, // 6E
OP_NONE, // 6F
OP_DATA_I8, // 70
OP_DATA_I8, // 71
OP_DATA_I8, // 72
OP_DATA_I8, // 73
OP_DATA_I8, // 74
OP_DATA_I8, // 75
OP_DATA_I8, // 76
OP_DATA_I8, // 77
OP_DATA_I8, // 78
OP_DATA_I8, // 79
OP_DATA_I8, // 7A
OP_DATA_I8, // 7B
OP_DATA_I8, // 7C
OP_DATA_I8, // 7D
OP_DATA_I8, // 7E
OP_DATA_I8, // 7F
OP_MODRM | OP_DATA_I8, // 80
OP_MODRM | OP_DATA_PRE66_67, // 81
OP_MODRM | OP_DATA_I8, // 82
OP_MODRM | OP_DATA_I8, // 83
OP_MODRM, // 84
OP_MODRM, // 85
OP_MODRM, // 86
OP_MODRM, // 87
OP_MODRM, // 88
OP_MODRM, // 89
OP_MODRM, // 8A
OP_MODRM, // 8B
OP_MODRM, // 8C
OP_MODRM, // 8D
OP_MODRM, // 8E
OP_MODRM, // 8F
OP_NONE, // 90
OP_NONE, // 91
OP_NONE, // 92
OP_NONE, // 93
OP_NONE, // 94
OP_NONE, // 95
OP_NONE, // 96
OP_NONE, // 97
OP_NONE, // 98
OP_NONE, // 99
OP_DATA_I16 | OP_DATA_PRE66_67,// 9A
OP_NONE, // 9B
OP_NONE, // 9C
OP_NONE, // 9D
OP_NONE, // 9E
OP_NONE, // 9F
OP_DATA_PRE66_67, // A0
OP_DATA_PRE66_67, // A1
OP_DATA_PRE66_67, // A2
OP_DATA_PRE66_67, // A3
OP_NONE, // A4
OP_NONE, // A5
OP_NONE, // A6
OP_NONE, // A7
OP_DATA_I8, // A8
OP_DATA_PRE66_67, // A9
OP_NONE, // AA
OP_NONE, // AB
OP_NONE, // AC
OP_NONE, // AD
OP_NONE, // AE
OP_NONE, // AF
OP_DATA_I8, // B0
OP_DATA_I8, // B1
OP_DATA_I8, // B2
OP_DATA_I8, // B3
OP_DATA_I8, // B4
OP_DATA_I8, // B5
OP_DATA_I8, // B6
OP_DATA_I8, // B7
OP_DATA_PRE66_67, // B8
OP_DATA_PRE66_67, // B9
OP_DATA_PRE66_67, // BA
OP_DATA_PRE66_67, // BB
OP_DATA_PRE66_67, // BC
OP_DATA_PRE66_67, // BD
OP_DATA_PRE66_67, // BE
OP_DATA_PRE66_67, // BF
OP_MODRM | OP_DATA_I8, // C0
OP_MODRM | OP_DATA_I8, // C1
OP_DATA_I16, // C2
OP_NONE, // C3
OP_MODRM, // C4
OP_MODRM, // C5
OP_MODRM | OP_DATA_I8, // C6
OP_MODRM | OP_DATA_PRE66_67, // C7
OP_DATA_I8 | OP_DATA_I16, // C8
OP_NONE, // C9
OP_DATA_I16, // CA
OP_NONE, // CB
OP_NONE, // CC
OP_DATA_I8, // CD
OP_NONE, // CE
OP_NONE, // CF
OP_MODRM, // D0
OP_MODRM, // D1
OP_MODRM, // D2
OP_MODRM, // D3
OP_DATA_I8, // D4
OP_DATA_I8, // D5
OP_NONE, // D6
OP_NONE, // D7
OP_WORD, // D8
OP_WORD, // D9
OP_WORD, // DA
OP_WORD, // DB
OP_WORD, // DC
OP_WORD, // DD
OP_WORD, // DE
OP_WORD, // DF
OP_DATA_I8, // E0
OP_DATA_I8, // E1
OP_DATA_I8, // E2
OP_DATA_I8, // E3
OP_DATA_I8, // E4
OP_DATA_I8, // E5
OP_DATA_I8, // E6
OP_DATA_I8, // E7
OP_DATA_PRE66_67 | OP_REL32, // E8
OP_DATA_PRE66_67 | OP_REL32, // E9
OP_DATA_I16 | OP_DATA_PRE66_67,// EA
OP_DATA_I8, // EB
OP_NONE, // EC
OP_NONE, // ED
OP_NONE, // EE
OP_NONE, // EF
OP_NONE, // F0
OP_NONE, // F1
OP_NONE, // F2
OP_NONE, // F3
OP_NONE, // F4
OP_NONE, // F5
OP_MODRM, // F6
OP_MODRM, // F7
OP_NONE, // F8
OP_NONE, // F9
OP_NONE, // FA
OP_NONE, // FB
OP_NONE, // FC
OP_NONE, // FD
OP_MODRM, // FE
OP_MODRM | OP_REL32 // FF
};
UCHAR OpcodeFlagsExt[256] =
{
OP_MODRM, // 00
OP_MODRM, // 01
OP_MODRM, // 02
OP_MODRM, // 03
OP_NONE, // 04
OP_NONE, // 05
OP_NONE, // 06
OP_NONE, // 07
OP_NONE, // 08
OP_NONE, // 09
OP_NONE, // 0A
OP_NONE, // 0B
OP_NONE, // 0C
OP_MODRM, // 0D
OP_NONE, // 0E
OP_MODRM | OP_DATA_I8, // 0F
OP_MODRM, // 10
OP_MODRM, // 11
OP_MODRM, // 12
OP_MODRM, // 13
OP_MODRM, // 14
OP_MODRM, // 15
OP_MODRM, // 16
OP_MODRM, // 17
OP_MODRM, // 18
OP_NONE, // 19
OP_NONE, // 1A
OP_NONE, // 1B
OP_NONE, // 1C
OP_NONE, // 1D
OP_NONE, // 1E
OP_NONE, // 1F
OP_MODRM, // 20
OP_MODRM, // 21
OP_MODRM, // 22
OP_MODRM, // 23
OP_MODRM, // 24
OP_NONE, // 25
OP_MODRM, // 26
OP_NONE, // 27
OP_MODRM, // 28
OP_MODRM, // 29
OP_MODRM, // 2A
OP_MODRM, // 2B
OP_MODRM, // 2C
OP_MODRM, // 2D
OP_MODRM, // 2E
OP_MODRM, // 2F
OP_NONE, // 30
OP_NONE, // 31
OP_NONE, // 32
OP_NONE, // 33
OP_NONE, // 34
OP_NONE, // 35
OP_NONE, // 36
OP_NONE, // 37
OP_NONE, // 38
OP_NONE, // 39
OP_NONE, // 3A
OP_NONE, // 3B
OP_NONE, // 3C
OP_NONE, // 3D
OP_NONE, // 3E
OP_NONE, // 3F
OP_MODRM, // 40
OP_MODRM, // 41
OP_MODRM, // 42
OP_MODRM, // 43
OP_MODRM, // 44
OP_MODRM, // 45
OP_MODRM, // 46
OP_MODRM, // 47
OP_MODRM, // 48
OP_MODRM, // 49
OP_MODRM, // 4A
OP_MODRM, // 4B
OP_MODRM, // 4C
OP_MODRM, // 4D
OP_MODRM, // 4E
OP_MODRM, // 4F
OP_MODRM, // 50
OP_MODRM, // 51
OP_MODRM, // 52
OP_MODRM, // 53
OP_MODRM, // 54
OP_MODRM, // 55
OP_MODRM, // 56
OP_MODRM, // 57
OP_MODRM, // 58
OP_MODRM, // 59
OP_MODRM, // 5A
OP_MODRM, // 5B
OP_MODRM, // 5C
OP_MODRM, // 5D
OP_MODRM, // 5E
OP_MODRM, // 5F
OP_MODRM, // 60
OP_MODRM, // 61
OP_MODRM, // 62
OP_MODRM, // 63
OP_MODRM, // 64
OP_MODRM, // 65
OP_MODRM, // 66
OP_MODRM, // 67
OP_MODRM, // 68
OP_MODRM, // 69
OP_MODRM, // 6A
OP_MODRM, // 6B
OP_MODRM, // 6C
OP_MODRM, // 6D
OP_MODRM, // 6E
OP_MODRM, // 6F
OP_MODRM | OP_DATA_I8, // 70
OP_MODRM | OP_DATA_I8, // 71
OP_MODRM | OP_DATA_I8, // 72
OP_MODRM | OP_DATA_I8, // 73
OP_MODRM, // 74
OP_MODRM, // 75
OP_MODRM, // 76
OP_NONE, // 77
OP_NONE, // 78
OP_NONE, // 79
OP_NONE, // 7A
OP_NONE, // 7B
OP_MODRM, // 7C
OP_MODRM, // 7D
OP_MODRM, // 7E
OP_MODRM, // 7F
OP_DATA_PRE66_67 | OP_REL32, // 80
OP_DATA_PRE66_67 | OP_REL32, // 81
OP_DATA_PRE66_67 | OP_REL32, // 82
OP_DATA_PRE66_67 | OP_REL32, // 83
OP_DATA_PRE66_67 | OP_REL32, // 84
OP_DATA_PRE66_67 | OP_REL32, // 85
OP_DATA_PRE66_67 | OP_REL32, // 86
OP_DATA_PRE66_67 | OP_REL32, // 87
OP_DATA_PRE66_67 | OP_REL32, // 88
OP_DATA_PRE66_67 | OP_REL32, // 89
OP_DATA_PRE66_67 | OP_REL32, // 8A
OP_DATA_PRE66_67 | OP_REL32, // 8B
OP_DATA_PRE66_67 | OP_REL32, // 8C
OP_DATA_PRE66_67 | OP_REL32, // 8D
OP_DATA_PRE66_67 | OP_REL32, // 8E
OP_DATA_PRE66_67 | OP_REL32, // 8F
OP_MODRM, // 90
OP_MODRM, // 91
OP_MODRM, // 92
OP_MODRM, // 93
OP_MODRM, // 94
OP_MODRM, // 95
OP_MODRM, // 96
OP_MODRM, // 97
OP_MODRM, // 98
OP_MODRM, // 99
OP_MODRM, // 9A
OP_MODRM, // 9B
OP_MODRM, // 9C
OP_MODRM, // 9D
OP_MODRM, // 9E
OP_MODRM, // 9F
OP_NONE, // A0
OP_NONE, // A1
OP_NONE, // A2
OP_MODRM, // A3
OP_MODRM | OP_DATA_I8, // A4
OP_MODRM, // A5
OP_NONE, // A6
OP_NONE, // A7
OP_NONE, // A8
OP_NONE, // A9
OP_NONE, // AA
OP_MODRM, // AB
OP_MODRM | OP_DATA_I8, // AC
OP_MODRM, // AD
OP_MODRM, // AE
OP_MODRM, // AF
OP_MODRM, // B0
OP_MODRM, // B1
OP_MODRM, // B2
OP_MODRM, // B3
OP_MODRM, // B4
OP_MODRM, // B5
OP_MODRM, // B6
OP_MODRM, // B7
OP_NONE, // B8
OP_NONE, // B9
OP_MODRM | OP_DATA_I8, // BA
OP_MODRM, // BB
OP_MODRM, // BC
OP_MODRM, // BD
OP_MODRM, // BE
OP_MODRM, // BF
OP_MODRM, // C0
OP_MODRM, // C1
OP_MODRM | OP_DATA_I8, // C2
OP_MODRM, // C3
OP_MODRM | OP_DATA_I8, // C4
OP_MODRM | OP_DATA_I8, // C5
OP_MODRM | OP_DATA_I8, // C6
OP_MODRM, // C7
OP_NONE, // C8
OP_NONE, // C9
OP_NONE, // CA
OP_NONE, // CB
OP_NONE, // CC
OP_NONE, // CD
OP_NONE, // CE
OP_NONE, // CF
OP_MODRM, // D0
OP_MODRM, // D1
OP_MODRM, // D2
OP_MODRM, // D3
OP_MODRM, // D4
OP_MODRM, // D5
OP_MODRM, // D6
OP_MODRM, // D7
OP_MODRM, // D8
OP_MODRM, // D9
OP_MODRM, // DA
OP_MODRM, // DB
OP_MODRM, // DC
OP_MODRM, // DD
OP_MODRM, // DE
OP_MODRM, // DF
OP_MODRM, // E0
OP_MODRM, // E1
OP_MODRM, // E2
OP_MODRM, // E3
OP_MODRM, // E4
OP_MODRM, // E5
OP_MODRM, // E6
OP_MODRM, // E7
OP_MODRM, // E8
OP_MODRM, // E9
OP_MODRM, // EA
OP_MODRM, // EB
OP_MODRM, // EC
OP_MODRM, // ED
OP_MODRM, // EE
OP_MODRM, // EF
OP_MODRM, // F0
OP_MODRM, // F1
OP_MODRM, // F2
OP_MODRM, // F3
OP_MODRM, // F4
OP_MODRM, // F5
OP_MODRM, // F6
OP_MODRM, // F7
OP_MODRM, // F8
OP_MODRM, // F9
OP_MODRM, // FA
OP_MODRM, // FB
OP_MODRM, // FC
OP_MODRM, // FD
OP_MODRM, // FE
OP_NONE // FF
};
NTSTATUS
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
OUT PVOID *BaseAddress,
OUT PSIZE_T ViewSize OPTIONAL)
{
NTSTATUS Status = STATUS_INVALID_PARAMETER;
HANDLE hFile = NULL;
HANDLE hSection = NULL;
OBJECT_ATTRIBUTES oa;
SIZE_T MapViewSize = 0;
IO_STATUS_BLOCK Iosb;
UNICODE_STRING uniFilePath;
if (!wzFilePath || !BaseAddress){
return Status;
}
RtlInitUnicodeString(&uniFilePath, wzFilePath);
InitializeObjectAttributes(&oa,
&uniFilePath,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL
);
Status = IoCreateFile(&hFile,
GENERIC_READ | SYNCHRONIZE,
&oa,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0,
CreateFileTypeNone,
NULL,
IO_NO_PARAMETER_CHECKING
);
if (!NT_SUCCESS(Status))
{
return Status;
}
oa.ObjectName = NULL;
Status = ZwCreateSection(&hSection,
SECTION_QUERY | SECTION_MAP_READ,
&oa,
NULL,
PAGE_WRITECOPY,
SEC_IMAGE,
hFile
);
ZwClose(hFile);
if (!NT_SUCCESS(Status))
{
return Status;
}
if (!hProcess){
hProcess = NtCurrentProcess();
}
Status = ZwMapViewOfSection(hSection,
hProcess,
BaseAddress,
0,
0,
0,
ViewSize ? ViewSize : &MapViewSize,
ViewUnmap,
0,
PAGE_WRITECOPY
);
ZwClose(hSection);
if (!NT_SUCCESS(Status))
{
return Status;
}
return Status;
}
//ָͨúС
unsigned long __fastcall GetFunctionCodeSize(void *Proc)
{
ULONG Length;
PUCHAR pOpcode;
ULONG Result = 0;
ULONG CCINT3Count=0;
do
{
Length = SizeOfCode(Proc, &pOpcode);
Result += Length;
if ((Length == 1) && (*pOpcode == 0xCC||*pOpcode==0x90)) CCINT3Count++;
if (CCINT3Count>1 ||
*pOpcode == 0x00)
{
break; //ж˳ָ
}
Proc = (PVOID)((ULONG)Proc + Length);
} while (Length);
return Result;
}
unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode)
{
PUCHAR cPtr;
UCHAR Flags;
BOOLEAN PFX66, PFX67;
BOOLEAN SibPresent;
UCHAR iMod, iRM, iReg;
UCHAR OffsetSize, Add;
UCHAR Opcode;
OffsetSize = 0;
PFX66 = FALSE;
PFX67 = FALSE;
cPtr = (PUCHAR)Code;
while ((*cPtr == 0x2E) || (*cPtr == 0x3E) || (*cPtr == 0x36) ||
(*cPtr == 0x26) || (*cPtr == 0x64) || (*cPtr == 0x65) ||
(*cPtr == 0xF0) || (*cPtr == 0xF2) || (*cPtr == 0xF3) ||
(*cPtr == 0x66) || (*cPtr == 0x67))
{
if (*cPtr == 0x66) PFX66 = TRUE;
if (*cPtr == 0x67) PFX67 = TRUE;
cPtr++;
if (cPtr > (PUCHAR)Code + 16) return 0;
}
Opcode = *cPtr;
if (pOpcode) *pOpcode = cPtr;
if (*cPtr == 0x0F)
{
cPtr++;
Flags = OpcodeFlagsExt[*cPtr];
} else
{
Flags = OpcodeFlags[Opcode];
if (Opcode >= 0xA0 && Opcode <= 0xA3) PFX66 = PFX67;
}
cPtr++;
if (Flags & OP_WORD) cPtr++;
if (Flags & OP_MODRM)
{
iMod = *cPtr >> 6;
iReg = (*cPtr & 0x38) >> 3;
iRM = *cPtr & 7;
cPtr++;
if ((Opcode == 0xF6) && !iReg) Flags |= OP_DATA_I8;
if ((Opcode == 0xF7) && !iReg) Flags |= OP_DATA_PRE66_67;
SibPresent = !PFX67 & (iRM == 4);
switch (iMod)
{
case 0:
if ( PFX67 && (iRM == 6)) OffsetSize = 2;
if (!PFX67 && (iRM == 5)) OffsetSize = 4;
break;
case 1: OffsetSize = 1;
break;
case 2: if (PFX67) OffsetSize = 2; else OffsetSize = 4;
break;
case 3: SibPresent = FALSE;
}
if (SibPresent)
{
if (((*cPtr & 7) == 5) && ( (!iMod) || (iMod == 2) )) OffsetSize = 4;
cPtr++;
}
cPtr = (PUCHAR)(ULONG)cPtr + OffsetSize;
}
if (Flags & OP_DATA_I8) cPtr ++;
if (Flags & OP_DATA_I16) cPtr += 2;
if (Flags & OP_DATA_I32) cPtr += 4;
if (PFX66) Add = 2;
else Add = 4;
if (Flags & OP_DATA_PRE66_67) cPtr += Add;
return (ULONG)cPtr - (ULONG)Code;
}
BOOL IsAddressInSystem(ULONG ulDriverBase,ULONG *ulSysModuleBase,ULONG *ulSize,char *lpszSysModuleImage)
{
NTSTATUS status;
ULONG NeededSize,i;
PMODULES pModuleList;
BOOL bRet = FALSE;
BOOL bInit = FALSE;
if (ZwQuerySystemInformation &&
ExAllocatePool &&
ExFreePool)
{
bInit = TRUE;
}
if (!bInit)
return FALSE;
__try
{
status=ZwQuerySystemInformation(
SystemModuleInformation,
NULL,
0,
&NeededSize);
if (status!=STATUS_INFO_LENGTH_MISMATCH)
{
//KdPrint(("ZwQuerySystemInformation failed:%d",RtlNtStatusToDosError(status)));
return bRet;
}
pModuleList=(PMODULES)ExAllocatePool(NonPagedPool,NeededSize);
if (pModuleList)
{
status=ZwQuerySystemInformation(
SystemModuleInformation,
pModuleList,
NeededSize,
&NeededSize);
if (NT_SUCCESS(status))
{
for (i=0;i<pModuleList->ulCount;i++)
{
if (ulDriverBase > pModuleList->smi[i].Base && ulDriverBase < pModuleList->smi[i].Base + pModuleList->smi[i].Size)
{
bRet = TRUE;
__try
{
*ulSysModuleBase = pModuleList->smi[i].Base;
*ulSize = pModuleList->smi[i].Size;
memset(lpszSysModuleImage,0,sizeof(lpszSysModuleImage));
strcat(lpszSysModuleImage,pModuleList->smi[i].ImageName);
}__except(EXCEPTION_EXECUTE_HANDLER){
}
break;
}
}
}
//else
// KdPrint(("@@ZwQuerySystemInformation failed:%d",RtlNtStatusToDosError(status)));
ExFreePool(pModuleList);
pModuleList = NULL;
}
//else
// KdPrint(("ExAllocatePool failed"));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
if (pModuleList)
ExFreePool(pModuleList);
return bRet;
}
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Common.h
================================================
#include "DriverEntry.h"
#include <ntimage.h>
typedef unsigned long DWORD;
typedef void *HANDLE;
typedef unsigned char BOOL, *PBOOL;
#define SEC_IMAGE 0x01000000
NTSYSAPI
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader(PVOID Base);
NTSTATUS
MapFileInUserSpace(WCHAR* wzFilePath,IN HANDLE hProcess OPTIONAL,
OUT PVOID *BaseAddress,
OUT PSIZE_T ViewSize OPTIONAL);
LONG GetSSDTApiFunctionIndexFromNtdll(char* szFindFunctionName);
BOOL IsAddressInSystem(ULONG ulDriverBase,ULONG *ulSysModuleBase,ULONG *ulSize,char *lpszSysModuleImage);
#define OP_NONE 0x00
#define OP_MODRM 0x01
#define OP_DATA_I8 0x02
#define OP_DATA_I16 0x04
#define OP_DATA_I32 0x08
#define OP_DATA_PRE66_67 0x10
#define OP_WORD 0x20
#define OP_REL32 0x40
unsigned long __fastcall GetFunctionCodeSize(void *Proc);
unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode);
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/DriverEntry.c
================================================
#include "DriverEntry.h"
#include "KernelHookCheck.h"
#include "Reload.h"
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
ULONG ImageBase = 0;
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING uniDeviceName;
UNICODE_STRING uniLinkName;
PDEVICE_OBJECT DeviceObject = NULL;
ULONG_PTR i = 0;
RtlInitUnicodeString(&uniDeviceName,DEVICE_NAME);
RtlInitUnicodeString(&uniLinkName,LINK_NAME);
for (i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
DriverObject->MajorFunction[i] = DefaultPassThrough;
}
DriverObject->DriverUnload = UnloadDriver;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlPassThrough;
//豸
Status = IoCreateDevice(DriverObject,0,&uniDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,&DeviceObject);
if (!NT_SUCCESS(Status))
{
return Status;
}
Status = IoCreateSymbolicLink(&uniLinkName,&uniDeviceName);
if (!NT_SUCCESS(Status))
{
IoDeleteDevice(DeviceObject);
return Status;
}
//PINLINEHOOKINFO InlineHookInfo ;
//InlineHookInfo = ExAllocatePool(1,sizeof(INLINEHOOKINFO)+0x1000*sizeof(INLINEHOOKINFO_INFORMATION));
//memset(InlineHookInfo,0,sizeof(INLINEHOOKINFO)+0x1000*sizeof(INLINEHOOKINFO_INFORMATION));
//DriverObject->DriverUnload = UnloadDriver;
ReLoadNtos(DriverObject,ImageBase);
//KernelHookCheck(InlineHookInfo);
return STATUS_SUCCESS;
}
NTSTATUS
ControlPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
NTSTATUS Status = STATUS_SUCCESS;
PIO_STACK_LOCATION IrpSp;
PVOID InputBuffer = NULL;
PVOID OutputBuffer = NULL;
ULONG_PTR InputSize = 0;
ULONG_PTR OutputSize = 0;
ULONG_PTR IoControlCode = 0;
IrpSp = IoGetCurrentIrpStackLocation(Irp);
InputBuffer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
OutputBuffer = Irp->UserBuffer;
InputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
OutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
switch(IoControlCode)
{
case CTL_CHECKKERNELMODULE:
{
if (!MmIsAddressValid(OutputBuffer))
{
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
Irp->IoStatus.Information = 0;
break;
}
__try
{
ProbeForWrite(OutputBuffer,OutputSize,sizeof(PVOID));
Status = KernelHookCheck((PINLINEHOOKINFO)OutputBuffer);
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = Status;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
}
Irp->IoStatus.Information = 0;
Status = Irp->IoStatus.Status = Status;
break;
}
default:
{
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
Irp->IoStatus.Information = 0;
break;
}
}
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return Status;
}
NTSTATUS
DefaultPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING uniLinkName;
PDEVICE_OBJECT CurrentDeviceObject;
PDEVICE_OBJECT NextDeviceObject;
RtlInitUnicodeString(&uniLinkName,LINK_NAME);
IoDeleteSymbolicLink(&uniLinkName);
if (DriverObject->DeviceObject!=NULL)
{
CurrentDeviceObject = DriverObject->DeviceObject;
while(CurrentDeviceObject!=NULL)
{
NextDeviceObject = CurrentDeviceObject->NextDevice;
IoDeleteDevice(CurrentDeviceObject);
CurrentDeviceObject = NextDeviceObject;
}
}
DbgPrint("UnloadDriver\r\n");
}
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/DriverEntry.h
================================================
#include <ntifs.h>
#include <devioctl.h>
#pragma once
#define DEVICE_NAME L"\\Device\\CheckKernelHookDeviceName"
#define LINK_NAME L"\\DosDevices\\CheckKernelHookLinkName"
#define CTL_CHECKKERNELMODULE \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_NEITHER,FILE_ANY_ACCESS)
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS
DefaultPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp);
NTSTATUS
ControlPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp);
typedef struct _INLINEHOOKINFO_INFORMATION { //INLINEHOOKINFO_INFORMATION
ULONG ulHookType;
ULONG ulMemoryFunctionBase; //ԭʼַ
ULONG ulMemoryHookBase; //HOOK ַ
CHAR lpszFunction[256];
CHAR lpszHookModuleImage[256];
ULONG ulHookModuleBase;
ULONG ulHookModuleSize;
} INLINEHOOKINFO_INFORMATION, *PINLINEHOOKINFO_INFORMATION;
typedef struct _INLINEHOOKINFO { //InlineHook
ULONG ulCount;
INLINEHOOKINFO_INFORMATION InlineHook[1];
} INLINEHOOKINFO, *PINLINEHOOKINFO;
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FileSystem.c
================================================
#include "FileSystem.h"
/*ļ൱ԼʵIoCreateFile FileObjectеIrpListѭָ*/
NTSTATUS
IrpCreateFile(
IN PUNICODE_STRING FilePath,
IN ACCESS_MASK DesiredAccess,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PDEVICE_OBJECT DeviceObject,
IN PDEVICE_OBJECT RealDevice,
OUT PFILE_OBJECT *FileObject
)
{
NTSTATUS ntStatus;
HANDLE hFile;
PFILE_OBJECT _FileObject;
UNICODE_STRING UniDeviceNameString;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK IoStatusBlock;
WCHAR *FileNameBuffer=NULL;
WORD FileObjectSize;
PIRP Irp;
KEVENT kEvent;
PIO_STACK_LOCATION IrpSp;
ACCESS_STATE AccessState;
AUX_ACCESS_DATA AuxData;
IO_SECURITY_CONTEXT SecurityContext;
PLIST_ENTRY IrpList;
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_CASE_INSENSITIVE, 0, NULL);
//in win7 x86
FileObjectSize=0x80;
//ļ
ntStatus = ObCreateObject(KernelMode,
*IoFileObjectType,
&ObjectAttributes,
KernelMode,
NULL,
FileObjectSize,
0,
0,
&_FileObject);
if(!NT_SUCCESS(ntStatus))
{
return ntStatus;
}
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE); //Irpջڴռ СΪ֮ǰѯDeviceObject->Size
if(Irp == NULL)
{
ObDereferenceObject(_FileObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
RtlZeroMemory(_FileObject, FileObjectSize);
_FileObject->Type = IO_TYPE_FILE; //ļ
_FileObject->Size = FileObjectSize; //ļС
_FileObject->DeviceObject = RealDevice; //ѯľ豸
_FileObject->Flags = FO_SYNCHRONOUS_IO;
FileNameBuffer=ExAllocatePool(NonPagedPool,FilePath->MaximumLength);
if (FileNameBuffer==NULL)
{
ObDereferenceObject(_FileObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlCopyMemory(FileNameBuffer,FilePath->Buffer,FilePath->Length);//ļеļ·
_FileObject->FileName.Buffer=FileNameBuffer; //
_FileObject->FileName.Length=FilePath->Length;
_FileObject->FileName.MaximumLength=FilePath->MaximumLength;
IrpList=(PLIST_ENTRY)((DWORD)FileObject+0x74); //IrpList ѭָ
IrpList->Flink=IrpList;
IrpList->Blink=IrpList;
KeInitializeEvent(&_FileObject->Lock, SynchronizationEvent, FALSE);
KeInitializeEvent(&_FileObject->Event, NotificationEvent, FALSE);
RtlZeroMemory(&AuxData, sizeof(AUX_ACCESS_DATA));
ntStatus = SeCreateAccessState( &AccessState, //Ȩ
&AuxData,
DesiredAccess,
IoGetFileObjectGenericMapping());
if (!NT_SUCCESS(ntStatus))
{
IoFreeIrp(Irp);
ObDereferenceObject(_FileObject);
ExFreePool(FileNameBuffer);
return ntStatus;
}
SecurityContext.SecurityQos = NULL;
SecurityContext.AccessState = &AccessState;
SecurityContext.DesiredAccess = DesiredAccess;
SecurityContext.FullCreateOptions = 0;
Irp->MdlAddress = NULL;
Irp->AssociatedIrp.SystemBuffer = NULL;
Irp->Flags = IRP_CREATE_OPERATION|IRP_SYNCHRONOUS_API;
Irp->RequestorMode = KernelMode;
Irp->UserIosb = &IoStatusBlock;
Irp->UserEvent = &kEvent;
Irp->PendingReturned = FALSE;
Irp->Cancel = FALSE;
Irp->CancelRoutine = NULL;
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->Tail.Overlay.AuxiliaryBuffer = NULL;
Irp->Tail.Overlay.OriginalFileObject = _FileObject;
IrpSp = IoGetNextIrpStackLocation(Irp);
IrpSp->MajorFunction = IRP_MJ_CREATE;
IrpSp->DeviceObject = DeviceObject;
IrpSp->FileObject = _FileObject;
IrpSp->Parameters.Create.SecurityContext = &SecurityContext;
IrpSp->Parameters.Create.Options = (CreateDisposition << 24) | CreateOptions;
IrpSp->Parameters.Create.FileAttributes = (USHORT)FileAttributes;
IrpSp->Parameters.Create.ShareAccess = (USHORT)ShareAccess;
IrpSp->Parameters.Create.EaLength = 0;
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
ntStatus = IoCallDriver(DeviceObject, Irp);
if(ntStatus == STATUS_PENDING)
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
ntStatus = IoStatusBlock.Status;
if(!NT_SUCCESS(ntStatus))
{
_FileObject->DeviceObject = NULL;
ObDereferenceObject(_FileObject);
}
else
{//ü
InterlockedIncrement(&_FileObject->DeviceObject->ReferenceCount);
if (_FileObject->Vpb)
InterlockedIncrement(&_FileObject->Vpb->ReferenceCount);
*FileObject = _FileObject;
}
return ntStatus;
}
NTSTATUS
IoCompletionRoutine(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context)
{
*Irp->UserIosb = Irp->IoStatus;
if (Irp->UserEvent)
KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, 0);
if (Irp->MdlAddress)
{
IoFreeMdl(Irp->MdlAddress);
Irp->MdlAddress = NULL;
}
IoFreeIrp(Irp);
return STATUS_MORE_PROCESSING_REQUIRED;
}
//ѯirpջϢFileObject
NTSTATUS
IrpQueryInformationFile(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass)
{
NTSTATUS ntStatus;
PIRP Irp;
KEVENT kEvent;
PIO_STACK_LOCATION IrpSp;
IO_STATUS_BLOCK IoStatusBlock;
// if (FileObject->Vpb == 0 || FileObject->Vpb->DeviceObject == NULL)
// return STATUS_UNSUCCESSFUL;
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
if(Irp == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
RtlZeroMemory(FileInformation, Length);
Irp->AssociatedIrp.SystemBuffer = FileInformation;
Irp->UserEvent = &kEvent;
Irp->UserIosb = &IoStatusBlock;
Irp->RequestorMode = KernelMode;
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->Tail.Overlay.OriginalFileObject = FileObject;
IrpSp = IoGetNextIrpStackLocation(Irp);
IrpSp->MajorFunction = IRP_MJ_QUERY_INFORMATION;
IrpSp->DeviceObject = DeviceObject;
IrpSp->FileObject = FileObject;
IrpSp->Parameters.QueryFile.Length = Length;
IrpSp->Parameters.QueryFile.FileInformationClass = FileInformationClass;
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
ntStatus = IoCallDriver(DeviceObject, Irp);
if (ntStatus == STATUS_PENDING)
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
return IoStatusBlock.Status;
}
//Irpļ뻺
NTSTATUS
IrpReadFile(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL)
{
NTSTATUS ntStatus;
PIRP Irp;
KEVENT kEvent;
PIO_STACK_LOCATION IrpSp;
//
if(ByteOffset == NULL)
{
if(!(FileObject->Flags & FO_SYNCHRONOUS_IO))
return STATUS_INVALID_PARAMETER;
ByteOffset = &FileObject->CurrentByteOffset;
}
Irp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
if(Irp == NULL) return STATUS_INSUFFICIENT_RESOURCES;
RtlZeroMemory(Buffer, Length);
if(FileObject->DeviceObject->Flags & DO_BUFFERED_IO) //巽ʽ
{
Irp->AssociatedIrp.SystemBuffer = Buffer;
}
else if(FileObject->DeviceObject->Flags & DO_DIRECT_IO) //ֱӷʽ
{
Irp->MdlAddress = IoAllocateMdl(Buffer, Length, 0, 0, 0);
if (Irp->MdlAddress == NULL)
{
IoFreeIrp(Irp);
return STATUS_INSUFFICIENT_RESOURCES;
}
MmBuildMdlForNonPagedPool(Irp->MdlAddress);
}
else //ʽ
{
Irp->UserBuffer = Buffer;
}
KeInitializeEvent(&kEvent, SynchronizationEvent, FALSE);
Irp->UserEvent = &kEvent;
Irp->UserIosb = IoStatusBlock;
Irp->RequestorMode = KernelMode;
Irp->Flags = IRP_READ_OPERATION;
Irp->Tail.Overlay.Thread = PsGetCurrentThread();
Irp->Tail.Overlay.OriginalFileObject = FileObject;
IrpSp = IoGetNextIrpStackLocation(Irp);
IrpSp->MajorFunction = IRP_MJ_READ;
IrpSp->MinorFunction = IRP_MN_NORMAL;
IrpSp->DeviceObject = DeviceObject;
IrpSp->FileObject = FileObject;
IrpSp->Parameters.Read.Length = Length;
IrpSp->Parameters.Read.ByteOffset = *ByteOffset;
IoSetCompletionRoutine(Irp, IoCompletionRoutine, 0, TRUE, TRUE, TRUE);
ntStatus = IoCallDriver(DeviceObject, Irp);
if (ntStatus == STATUS_PENDING)
KeWaitForSingleObject(&kEvent, Executive, KernelMode, TRUE, 0);
return IoStatusBlock->Status;
}
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FileSystem.h
================================================
#include "Reload.h"
NTSTATUS
IrpCreateFile(
IN PUNICODE_STRING FilePath,
IN ACCESS_MASK DesiredAccess,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PDEVICE_OBJECT DeviceObject,
IN PDEVICE_OBJECT RealDevice,
OUT PFILE_OBJECT *FileObject
);
NTSTATUS
IoCompletionRoutine(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context);
NTSTATUS
IrpQueryInformationFile(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass);
//Irpļ뻺
NTSTATUS
IrpReadFile(
IN PFILE_OBJECT FileObject,
IN PDEVICE_OBJECT DeviceObject,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL);
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FixRelocation.c
================================================
#include "FixRelocation.h"
/*
ضλ
*/
BOOLEAN
FixBaseRelocTable (
PVOID NewImageBase,
DWORD ExistImageBase
)
{
LONGLONG Diff;
ULONG TotalCountBytes = 0;
ULONG_PTR VA;
ULONGLONG OriginalImageBase;
ULONG SizeOfBlock;
PUCHAR FixupVA;
USHORT Offset;
PUSHORT NextOffset = NULL;
PIMAGE_NT_HEADERS NtHeaders;
PIMAGE_BASE_RELOCATION NextBlock;
NtHeaders = RtlImageNtHeader( NewImageBase );
if (NtHeaders == NULL)
{
return FALSE;
}
switch (NtHeaders->OptionalHeader.Magic) {
case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
OriginalImageBase =
((PIMAGE_NT_HEADERS32)NtHeaders)->OptionalHeader.ImageBase;
break;
case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
OriginalImageBase =
((PIMAGE_NT_HEADERS64)NtHeaders)->OptionalHeader.ImageBase;
break;
default:
return FALSE;
}
//
// Locate the relocation section.
//
NextBlock = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(
NewImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &TotalCountBytes);
//
// It is possible for a file to have no relocations, but the relocations
// must not have been stripped.
//
if (!NextBlock || !TotalCountBytes)
{
if (NtHeaders->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)
{
DbgPrint("Image can't be relocated, no fixup information.\n");
return FALSE;
}
else
{
return TRUE;
}
}
//
// If the image has a relocation table, then apply the specified fixup
// information to the image.
//
Diff = (ULONG_PTR)ExistImageBase - OriginalImageBase;
while (TotalCountBytes)
{
SizeOfBlock = NextBlock->SizeOfBlock;
TotalCountBytes -= SizeOfBlock;
SizeOfBlock -= sizeof(IMAGE_BASE_RELOCATION);
SizeOfBlock /= sizeof(USHORT);
NextOffset = (PUSHORT)((PCHAR)NextBlock + sizeof(IMAGE_BASE_RELOCATION));
VA = (ULONG_PTR)NewImageBase + NextBlock->VirtualAddress;
if ( !(NextBlock = LdrProcessRelocationBlockLongLong( VA,
SizeOfBlock,
NextOffset,
Diff)) )
{
DbgPrint("%s: Unknown base relocation type\n");
return FALSE;
}
}
return TRUE;
}
/*ضλ*/
PIMAGE_BASE_RELOCATION
LdrProcessRelocationBlockLongLong(
IN ULONG_PTR VA,
IN ULONG SizeOfBlock,
IN PUSHORT NextOffset,
IN LONGLONG Diff
)
{
PUCHAR FixupVA;
USHORT Offset;
LONG Temp;
ULONG Temp32;
ULONGLONG Value64;
LONGLONG Temp64;
while (SizeOfBlock--) {
Offset = *NextOffset & (USHORT)0xfff;
FixupVA = (PUCHAR)(VA + Offset);
//
// Apply the fixups.
//
switch ((*NextOffset) >> 12) {
case IMAGE_REL_BASED_HIGHLOW :
//
// HighLow - (32-bits) relocate the high and low half
// of an address.
//
*(LONG UNALIGNED *)FixupVA += (ULONG) Diff;
break;
case IMAGE_REL_BASED_HIGH :
//
// High - (16-bits) relocate the high half of an address.
//
Temp = *(PUSHORT)FixupVA << 16;
Temp += (ULONG) Diff;
*(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
break;
case IMAGE_REL_BASED_HIGHADJ :
//
// Adjust high - (16-bits) relocate the high half of an
// address and adjust for sign extension of low half.
//
//
// If the address has already been relocated then don't
// process it again now or information will be lost.
//
if (Offset & LDRP_RELOCATION_FINAL) {
++NextOffset;
--SizeOfBlock;
break;
}
Temp = *(PUSHORT)FixupVA << 16;
++NextOffset;
--SizeOfBlock;
Temp += (LONG)(*(PSHORT)NextOffset);
Temp += (ULONG) Diff;
Temp += 0x8000;
*(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
break;
case IMAGE_REL_BASED_LOW :
//
// Low - (16-bit) relocate the low half of an address.
//
Temp = *(PSHORT)FixupVA;
Temp += (ULONG) Diff;
*(PUSHORT)FixupVA = (USHORT)Temp;
break;
case IMAGE_REL_BASED_IA64_IMM64:
//
// Align it to bundle address before fixing up the
// 64-bit immediate value of the movl instruction.
//
FixupVA = (PUCHAR)((ULONG_PTR)FixupVA & ~(15));
Value64 = (ULONGLONG)0;
//
// Extract the lower 32 bits of IMM64 from bundle
//
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IMM7B_INST_WORD_X,
EMARCH_ENC_I17_IMM7B_SIZE_X,
EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM7B_VAL_POS_X);
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IMM9D_INST_WORD_X,
EMARCH_ENC_I17_IMM9D_SIZE_X,
EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM9D_VAL_POS_X);
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IMM5C_INST_WORD_X,
EMARCH_ENC_I17_IMM5C_SIZE_X,
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM5C_VAL_POS_X);
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IC_INST_WORD_X,
EMARCH_ENC_I17_IC_SIZE_X,
EMARCH_ENC_I17_IC_INST_WORD_POS_X,
EMARCH_ENC_I17_IC_VAL_POS_X);
EXT_IMM64(Value64,
(PULONG)FixupVA + EMARCH_ENC_I17_IMM41a_INST_WORD_X,
EMARCH_ENC_I17_IMM41a_SIZE_X,
EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41a_VAL_POS_X);
EXT_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41b_INST_WORD_X),
EMARCH_ENC_I17_IMM41b_SIZE_X,
EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41b_VAL_POS_X);
EXT_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41c_INST_WORD_X),
EMARCH_ENC_I17_IMM41c_SIZE_X,
EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41c_VAL_POS_X);
EXT_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_SIGN_INST_WORD_X),
EMARCH_ENC_I17_SIGN_SIZE_X,
EMARCH_ENC_I17_SIGN_INST_WORD_POS_X,
EMARCH_ENC_I17_SIGN_VAL_POS_X);
//
// Update 64-bit address
//
Value64+=Diff;
//
// Insert IMM64 into bundle
//
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM7B_INST_WORD_X),
EMARCH_ENC_I17_IMM7B_SIZE_X,
EMARCH_ENC_I17_IMM7B_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM7B_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM9D_INST_WORD_X),
EMARCH_ENC_I17_IMM9D_SIZE_X,
EMARCH_ENC_I17_IMM9D_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM9D_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM5C_INST_WORD_X),
EMARCH_ENC_I17_IMM5C_SIZE_X,
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM5C_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IC_INST_WORD_X),
EMARCH_ENC_I17_IC_SIZE_X,
EMARCH_ENC_I17_IC_INST_WORD_POS_X,
EMARCH_ENC_I17_IC_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41a_INST_WORD_X),
EMARCH_ENC_I17_IMM41a_SIZE_X,
EMARCH_ENC_I17_IMM41a_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41a_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41b_INST_WORD_X),
EMARCH_ENC_I17_IMM41b_SIZE_X,
EMARCH_ENC_I17_IMM41b_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41b_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_IMM41c_INST_WORD_X),
EMARCH_ENC_I17_IMM41c_SIZE_X,
EMARCH_ENC_I17_IMM41c_INST_WORD_POS_X,
EMARCH_ENC_I17_IMM41c_VAL_POS_X);
INS_IMM64(Value64,
((PULONG)FixupVA + EMARCH_ENC_I17_SIGN_INST_WORD_X),
EMARCH_ENC_I17_SIGN_SIZE_X,
EMARCH_ENC_I17_SIGN_INST_WORD_POS_X,
EMARCH_ENC_I17_SIGN_VAL_POS_X);
break;
case IMAGE_REL_BASED_DIR64:
*(ULONGLONG UNALIGNED *)FixupVA += Diff;
break;
case IMAGE_REL_BASED_MIPS_JMPADDR :
//
// JumpAddress - (32-bits) relocate a MIPS jump address.
//
Temp = (*(PULONG)FixupVA & 0x3ffffff) << 2;
Temp += (ULONG) Diff;
*(PULONG)FixupVA = (*(PULONG)FixupVA & ~0x3ffffff) |
((Temp >> 2) & 0x3ffffff);
break;
case IMAGE_REL_BASED_ABSOLUTE :
//
// Absolute - no fixup required.
//
break;
case IMAGE_REL_BASED_SECTION :
//
// Section Relative reloc. Ignore for now.
//
break;
case IMAGE_REL_BASED_REL32 :
//
// Relative intrasection. Ignore for now.
//
break;
default :
//
// Illegal - illegal relocation type.
//
return (PIMAGE_BASE_RELOCATION)NULL;
}
++NextOffset;
}
return (PIMAGE_BASE_RELOCATION)NextOffset;
}
/*
NtHeader
*/
NTSTATUS
NTAPI
RtlImageNtHeaderEx(
ULONG Flags,
PVOID Base,
ULONG64 Size,
OUT PIMAGE_NT_HEADERS * OutHeaders
)
{
PIMAGE_NT_HEADERS NtHeaders = 0;
ULONG e_lfanew = 0;
BOOLEAN RangeCheck = 0;
NTSTATUS Status = 0;
const ULONG ValidFlags =
RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK;
if (OutHeaders != NULL) {
*OutHeaders = NULL;
}
if (OutHeaders == NULL) {
Status = STATUS_INVALID_PARAMETER;
goto Exit;
}
if ((Flags & ~ValidFlags) != 0) {
Status = STATUS_INVALID_PARAMETER;
goto Exit;
}
if (Base == NULL || Base == (PVOID)(LONG_PTR)-1) {
Status = STATUS_INVALID_PARAMETER;
goto Exit;
}
RangeCheck = ((Flags & RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK) == 0);
if (RangeCheck) {
if (Size < sizeof(IMAGE_DOS_HEADER)) {
Status = STATUS_INVALID_IMAGE_FORMAT;
goto Exit;
}
}
//
// Exception handling is not available in the boot loader, and exceptions
// were not historically caught here in kernel mode. Drivers are considered
// trusted, so we can't get an exception here due to a bad file, but we
// could take an inpage error.
//
#define EXIT goto Exit
if (((PIMAGE_DOS_HEADER)Base)->e_magic != IMAGE_DOS_SIGNATURE) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
e_lfanew = ((PIMAGE_DOS_HEADER)Base)->e_lfanew;
if (RangeCheck) {
if (e_lfanew >= Size
#define SIZEOF_PE_SIGNATURE 4
|| e_lfanew >= (MAXULONG - SIZEOF_PE_SIGNATURE - sizeof(IMAGE_FILE_HEADER))
|| (e_lfanew + SIZEOF_PE_SIGNATURE + sizeof(IMAGE_FILE_HEADER)) >= Size
) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
}
NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + e_lfanew);
//
// In kernelmode, do not cross from usermode address to kernelmode address.
//
if (Base < MM_HIGHEST_USER_ADDRESS) {
if ((PVOID)NtHeaders >= MM_HIGHEST_USER_ADDRESS) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
//
// Note that this check is slightly overeager since IMAGE_NT_HEADERS has
// a builtin array of data_directories that may be larger than the image
// actually has. A better check would be to add FileHeader.SizeOfOptionalHeader,
// after ensuring that the FileHeader does not cross the u/k boundary.
//
if ((PVOID)((PCHAR)NtHeaders + sizeof (IMAGE_NT_HEADERS)) >= MM_HIGHEST_USER_ADDRESS) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
}
if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
Status = STATUS_INVALID_IMAGE_FORMAT;
EXIT;
}
Status = STATUS_SUCCESS;
Exit:
if (NT_SUCCESS(Status)) {
*OutHeaders = NtHeaders;
}
return Status;
}
//
// PIMAGE_NT_HEADERS
// NTAPI
// RtlImageNtHeader(
// PVOID Base
// )
// {
// PIMAGE_NT_HEADERS NtHeaders = NULL;
// (VOID)RtlImageNtHeaderEx(RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK, Base, 0, &NtHeaders);
// return NtHeaders;
// }
//
//
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FixRelocation.h
================================================
#include "Reload.h"
BOOLEAN
FixBaseRelocTable (
PVOID NewImageBase,
DWORD ExistImageBase
);
PIMAGE_BASE_RELOCATION
LdrProcessRelocationBlockLongLong(
IN ULONG_PTR VA,
IN ULONG SizeOfBlock,
IN PUSHORT NextOffset,
IN LONGLONG Diff
);
NTSTATUS
NTAPI
RtlImageNtHeaderEx(
ULONG Flags,
PVOID Base,
ULONG64 Size,
OUT PIMAGE_NT_HEADERS * OutHeaders
);
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader(
PVOID Base
);
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelHookCheck.c
================================================
#include "KernelHookCheck.h"
#include "libdasm.h"
#include "Common.h"
#include "Reload.h"
ULONG IntHookCount; //¼Hook
extern DWORD OriginalKiServiceTable;
extern PSERVICE_DESCRIPTOR_TABLE OriginalServiceDescriptorTable;
extern ULONG_PTR SystemKernelModuleBase;
extern ULONG_PTR SystemKernelModuleSize;
extern ULONG_PTR ImageModuleBase;
BOOLEAN KernelHookCheck(PINLINEHOOKINFO InlineHookInfo)
{
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PIMAGE_NT_HEADERS NtHeader;
PIMAGE_EXPORT_DIRECTORY ExportTable;
ULONG* FunctionAddresses;
ULONG* FunctionNames;
USHORT* FunctionIndexs;
ULONG ulIndex;
ULONG i;
CHAR* szFunctionName;
SIZE_T ViewSize=0;
ULONG_PTR ulFunctionAddress;
BOOL bIsZwFunction = FALSE;
ULONG ulOldAddress;
ULONG ulReloadAddress;
PUCHAR ulTemp;
__try{
NtHeader = RtlImageNtHeader((PVOID)ImageModuleBase);
if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){
ExportTable =(IMAGE_EXPORT_DIRECTORY*)((ULONG_PTR)ImageModuleBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
FunctionAddresses = (ULONG*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfFunctions);
FunctionNames = (ULONG*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfNames);
FunctionIndexs = (USHORT*)((ULONG_PTR)ImageModuleBase + ExportTable->AddressOfNameOrdinals);
for(i = 0; i < ExportTable->NumberOfNames; i++)
{
szFunctionName = (LPSTR)((ULONG_PTR)ImageModuleBase + FunctionNames[i]);
ulIndex = FunctionIndexs[i];
ulFunctionAddress = (ULONG_PTR)((ULONG_PTR)ImageModuleBase + FunctionAddresses[ulIndex]);
// ulIndex=*(ULONG*)(ulFunctionAddress+1); //32 bit 1 64 bit 4 //
//ڷZwϵк ƫƵϵͳĸúַ
ulReloadAddress = ulFunctionAddress;
ulOldAddress = ulReloadAddress - (ULONG)ImageModuleBase + SystemKernelModuleBase;
if (!ulOldAddress ||
!MmIsAddressValid((PVOID)ulOldAddress) ||
!ulReloadAddress ||
!MmIsAddressValid((PVOID)ulReloadAddress))
{
continue;
}
bIsZwFunction = FALSE;
//һһcallĺhook
if (*szFunctionName == 'Z' &&
*(szFunctionName+1) == 'w')
{
bIsZwFunction = TRUE;
ulIndex = *((WORD*)(ulFunctionAddress + 1)); //õ
if (ulIndex > 0 &&
ulIndex <= OriginalServiceDescriptorTable->TableSize)
{
//Zwϵк ϵͳNtos ӦNtĵַ
ulReloadAddress = OriginalServiceDescriptorTable->ServiceTable[ulIndex];
ulOldAddress = ulReloadAddress - (ULONG)ImageModuleBase + SystemKernelModuleBase;
}
}
if (bIsZwFunction)
{
// bIsZwFunction == TRUE ЧһµַЧ
if (!ulOldAddress ||
!MmIsAddressValid((PVOID)ulOldAddress) ||
!ulReloadAddress ||
!MmIsAddressValid((PVOID)ulReloadAddress))
{
continue;
}
}
else //һ㺯ֻɨZwͷģֻɨδ
{
GetNextFunctionAddress(ImageModuleBase,ulOldAddress,szFunctionName,InlineHookInfo);
}
ulTemp = NULL;
//ZwеNt
//жǷNtos Hook
//ulOldAddress Ǹصַ - Base + KernelBase ĵַ
ulTemp = (PUCHAR)GetEatHook(ulOldAddress,i,SystemKernelModuleBase,SystemKernelModuleSize); //ȽEAT Hook
if(ulTemp)
{//Hook
FillInlineHookInfo(ulTemp,InlineHookInfo,szFunctionName,ulOldAddress,1); //EAT Hook 1
}
//ǷInlineHook
CheckFuncByOpcode((PVOID)ulReloadAddress,InlineHookInfo,szFunctionName,(PVOID)ulOldAddress);
}
}
}__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return STATUS_SUCCESS;
}
VOID FillInlineHookInfo(PUCHAR ulTemp,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,ULONG ulOldAddress,ULONG HookType)
{
ULONG ulHookModuleBase;
ULONG ulHookModuleSize;
char lpszHookModuleImage[256];
ULONG IntHookCount = InlineHookInfo->ulCount;
memset(lpszHookModuleImage,0,sizeof(lpszHookModuleImage));
if (!IsAddressInSystem(
(ULONG)ulTemp,
&ulHookModuleBase,
&ulHookModuleSize,
lpszHookModuleImage))
{
memset(lpszHookModuleImage,0,sizeof(lpszHookModuleImage));
strcat(lpszHookModuleImage,"Unknown4");
ulHookModuleBase = 0;
ulHookModuleSize = 0;
}
InlineHookInfo->InlineHook[IntHookCount].ulMemoryHookBase = (ULONG)ulTemp;
memset(InlineHookInfo->InlineHook[IntHookCount].lpszFunction,0,sizeof(InlineHookInfo->InlineHook[IntHookCount].lpszFunction));
memset(InlineHookInfo->InlineHook[IntHookCount].lpszHookModuleImage,0,sizeof(InlineHookInfo->InlineHook[IntHookCount].lpszHookModuleImage));
memcpy(InlineHookInfo->InlineHook[IntHookCount].lpszFunction,szFunctionName,strlen(szFunctionName));
memcpy(InlineHookInfo->InlineHook[IntHookCount].lpszHookModuleImage,lpszHookModuleImage,strlen(lpszHookModuleImage));
InlineHookInfo->InlineHook[IntHookCount].ulMemoryFunctionBase = (ULONG)ulOldAddress;
InlineHookInfo->InlineHook[IntHookCount].ulHookModuleBase = ulHookModuleBase;
InlineHookInfo->InlineHook[IntHookCount].ulHookModuleSize = ulHookModuleSize;
InlineHookInfo->InlineHook[IntHookCount].ulHookType = HookType; //eat hook 1 Inline Hook 0
IntHookCount++;
InlineHookInfo->ulCount++;
}
VOID CheckFuncByOpcode(PVOID ulReloadAddress,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,PVOID ulOldAddress)
{
INSTRUCTION Inst;
INSTRUCTION Instb;
ULONG ulHookFunctionAddress;
size_t ulCodeSize;
PUCHAR p;
PUCHAR ulTemp;
int Flagss;
if (GetFunctionCodeSize(ulOldAddress) == GetFunctionCodeSize(ulReloadAddress) &&
memcmp(ulReloadAddress,ulOldAddress,GetFunctionCodeSize(ulOldAddress)) != 0)
{//Hook
//ʼɨhooksss
ulCodeSize = GetFunctionCodeSize(ulOldAddress);
for (p = (PUCHAR)ulOldAddress ;(ULONG)p < (ULONG)ulOldAddress+ulCodeSize; p++)
{
//۰ɨ裬ǰһһʼɨһ
if (memcmp(ulReloadAddress,ulOldAddress,ulCodeSize/2) == 0)
{
ulCodeSize = ulCodeSize + ulCodeSize/2;
continue;
}
if (*p == 0xcc ||
*p == 0xc2)
{
break;
}
ulHookFunctionAddress = (*(PULONG)(p + 1) + (ULONG)p + 5); //õhookĵַ
if (!MmIsAddressValid((PVOID)ulHookFunctionAddress))
{
continue;
}
ulTemp = NULL;
get_instruction(&Inst,p,MODE_32);
switch (Inst.type)
{
case INSTRUCTION_TYPE_JMP:
if(Inst.opcode==0xFF&&Inst.modrm==0x25)
{
//DIRECT_JMP
ulTemp = (PUCHAR)Inst.op1.displacement;
}
else if (Inst.opcode==0xEB)
{
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
else if(Inst.opcode==0xE9)
{
//RELATIVE_JMP;
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
break;
case INSTRUCTION_TYPE_CALL:
if(Inst.opcode==0xFF&&Inst.modrm==0x15)
{
//DIRECT_CALL
ulTemp = (PUCHAR)Inst.op1.displacement;
}
else if (Inst.opcode==0x9A)
{
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
else if(Inst.opcode==0xE8)
{
//RELATIVE_CALL;
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
break;
case INSTRUCTION_TYPE_PUSH:
if(!RMmIsAddressValid((PVOID)(p)))
{
break;
}
get_instruction(&Instb,(BYTE*)(p),MODE_32);
if(Instb.type == INSTRUCTION_TYPE_RET)
{
//StartAddress+len-inst.length-instb.length;
ulTemp = (PUCHAR)Instb.op1.displacement;
}
break;
}
if (ulTemp &&
RMmIsAddressValid(ulTemp) &&
RMmIsAddressValid(p)) //hookĵַҲҪЧſŶ
{
if ((ULONG)ulTemp > SystemKernelModuleBase &&
(ULONG)ulTemp < SystemKernelModuleBase+SystemKernelModuleSize) //̫Ҳ
{
goto Next;
}
//ulTempҲС SystemKernelModuleBase
if ((ULONG)ulTemp < SystemKernelModuleBase)
{
goto Next;
}
//KdPrint(("%08x-%08x-%08x",p,ulTemp,(SystemKernelModuleBase + SystemKernelModuleSize + 0xfffffff)));
if (*(ULONG *)ulTemp == 0x00000000 ||
*(ULONG *)ulTemp == 0x00000005 ||
*(ULONG *)ulTemp == 0xc0000012)
{
goto Next;
}
Flagss = 0;
__asm{
mov esi,ulTemp
mov ax,word ptr [esi]
cmp ax,0x0000
jz Cont//add byte ptr [eax],al
//
mov Flagss,1
Cont:
}
if (Flagss != 1)
goto Next;
ulTemp = ulTemp+0x5;
//һ¶
if (*ulTemp == 0xe9 ||
*ulTemp == 0xe8)
{
ulTemp = (PUCHAR)(*(PULONG)(ulTemp+1)+(ULONG)(ulTemp+5));
}
FillInlineHookInfo(ulTemp,InlineHookInfo,szFunctionName,(ULONG)p,0); //Inline Hook
Next:
_asm{nop}
}
}
}
}
//ȡһ0xe8 callinlinehookcheck
ULONG GetNextFunctionAddress(ULONG ulNtDllModuleBase,ULONG ulOldAddress,char *functionName,PINLINEHOOKINFO InlineHookInfo)
{
ULONG ulCodeSize;
ULONG ulNextFunCodeSize;
ULONG ulNextFunReloadCodeSize;
PUCHAR i;
PUCHAR ulNextFunctionAddress = NULL;
PUCHAR ulReloadNextFunctionAddress = NULL;
BOOL bRetOK = FALSE;
PUCHAR ulTemp;
ULONG ulHookFunctionAddress;
PUCHAR p;
INSTRUCTION Inst;
INSTRUCTION Instb;
char lpszHookModuleImage[256];
ULONG ulHookModuleBase;
ULONG ulHookModuleSize;
int Flagss;
if (!MmIsAddressValid((PVOID)ulOldAddress))
{
return bRetOK;
}
__try
{
ulCodeSize = GetFunctionCodeSize((PVOID)ulOldAddress);
for (i=(PUCHAR)ulOldAddress;i < i+ulCodeSize;i++)
{
//ɨת
if (*i == 0xe8)
{
ulNextFunctionAddress = (PUCHAR)(*(PULONG)(i+1)+(ULONG)(i+5));
if (MmIsAddressValid((PVOID)ulNextFunctionAddress))
{
//жһǷǵ
if (IsFunctionInExportTable(ulNtDllModuleBase,(ULONG)ulNextFunctionAddress))
{
return 0;
}
//hook ɨ
ulReloadNextFunctionAddress = ulNextFunctionAddress - SystemKernelModuleBase + ImageModuleBase;
if (MmIsAddressValid(ulReloadNextFunctionAddress) &&
MmIsAddressValid(ulNextFunctionAddress))
{
ulNextFunCodeSize = GetFunctionCodeSize(ulNextFunctionAddress);
ulNextFunReloadCodeSize = GetFunctionCodeSize(ulReloadNextFunctionAddress);
if (ulNextFunCodeSize == ulNextFunReloadCodeSize &&
memcmp(ulReloadNextFunctionAddress,ulNextFunctionAddress,ulNextFunCodeSize) != 0)
{
//hook
for (p = (PUCHAR)ulNextFunctionAddress ;(ULONG)p < (ULONG)ulNextFunctionAddress+ulNextFunCodeSize; p++)
{
//۰ɨ裬ǰһһʼɨһ
if (memcmp(ulReloadNextFunctionAddress, ulNextFunctionAddress,ulNextFunCodeSize/2) == 0)
{
ulNextFunCodeSize = ulNextFunCodeSize + ulNextFunCodeSize/2;
continue;
}
//Ƿ
if (*p == 0xcc ||
*p == 0xc2)
{
break;
}
ulHookFunctionAddress = (*(PULONG)(p + 1) + (ULONG)p + 5); //õַ
if (!RMmIsAddressValid((PVOID)ulHookFunctionAddress))
{
continue;
}
ulTemp = NULL;
get_instruction(&Inst,p,MODE_32);
switch (Inst.type)
{
case INSTRUCTION_TYPE_JMP:
if(Inst.opcode==0xFF&&Inst.modrm==0x25)
{
//DIRECT_JMP
ulTemp = (PUCHAR)Inst.op1.displacement;
}
else if (Inst.opcode==0xEB)
{
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
else if(Inst.opcode==0xE9)
{
//RELATIVE_JMP;
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
break;
case INSTRUCTION_TYPE_CALL:
if(Inst.opcode==0xFF&&Inst.modrm==0x15)
{
//DIRECT_CALL
ulTemp = (PUCHAR)Inst.op1.displacement;
}
else if (Inst.opcode==0x9A)
{
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
else if(Inst.opcode==0xE8)
{
//RELATIVE_CALL;
ulTemp = (PUCHAR)(p+Inst.op1.immediate);
}
break;
case INSTRUCTION_TYPE_PUSH:
if(!RMmIsAddressValid((PVOID)(p)))
{
break;
}
get_instruction(&Instb,(BYTE*)(p),MODE_32);
if(Instb.type == INSTRUCTION_TYPE_RET)
{
//StartAddress+len-inst.length-instb.length;
ulTemp = (PUCHAR)Instb.op1.displacement;
}
break;
}
if (ulTemp &&
MmIsAddressValid(ulTemp) &&
MmIsAddressValid(p)) //hookĵַҲҪЧſŶ
{
if ((ULONG)ulTemp > SystemKernelModuleBase &&
(ULONG)ulTemp < SystemKernelModuleBase+SystemKernelModuleSize) //̫Ҳ
{
goto Next;
}
//ulTempҲС SystemKernelModuleBase
if ((ULONG)ulTemp < SystemKernelModuleBase)
{
goto Next;
}
if (*(ULONG *)ulTemp == 0x00000000 ||
*(ULONG *)ulTemp == 0x00000005)
{
goto Next;
}
Flagss = 0;
__asm{
mov esi,ulTemp
mov ax,word ptr [esi]
cmp ax,0x0000
jz Cont//add byte ptr [eax],al
mov Flagss,1
Cont:
}
if (Flagss != 1)
goto Next;
ulTemp = ulTemp+0x5;
//һ¶
if (*ulTemp == 0xe9 ||
*ulTemp == 0xe8)
{
ulTemp = (PUCHAR)(*(PULONG)(ulTemp+1)+(ULONG)(ulTemp+5));
}
FillInlineHookInfo(ulTemp+0x5,InlineHookInfo,functionName,(ULONG)p,2);
Next:
_asm{nop}
}
}
}
}
}
}
//
if (*i == 0xcc ||
*i == 0xc2)
{
return 0;
}
}
}__except(EXCEPTION_EXECUTE_HANDLER){
}
return 0;
}
BOOLEAN IsFunctionInExportTable(ULONG ulModuleBase,ULONG ulFunctionAddress)
{
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS NtDllHeader;
IMAGE_OPTIONAL_HEADER opthdr;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base, x, functionAddress,ulOldAddress;
IMAGE_EXPORT_DIRECTORY *pExportTable;
char *functionName;
__try
{
pDosHeader=(PIMAGE_DOS_HEADER)ulModuleBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return FALSE;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return FALSE;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //õ
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions); //ַ
arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames); //
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
for(x = 0; x < pExportTable->NumberOfFunctions; x++) //ɨ
{
//functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
functionAddress = (DWORD)((BYTE*)ulModuleBase + arrayOfFunctionAddresses[functionOrdinal]);
//KdPrint(("%08x:%s\r\n",functionAddress,functionName));
//ulOldAddress = GetSystemRoutineAddress(0,functionName);
ulOldAddress = functionAddress - ulModuleBase + SystemKernelModuleBase;
if (ulFunctionAddress == ulOldAddress)
{
//ǵ˳
return TRUE;
}
}
}__except(EXCEPTION_EXECUTE_HANDLER){
}
return FALSE;
}
BOOLEAN ReSetEatHook(CHAR *lpszFunction,ULONG ulReloadKernelModule,ULONG ulKernelModule)
{
ULONG ulModuleBase;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS NtDllHeader;
IMAGE_OPTIONAL_HEADER opthdr;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base,x,functionAddress;
IMAGE_EXPORT_DIRECTORY *pExportTable;
char *functionName = NULL;
BOOL bIsEatHooked = FALSE;
int position;
ULONG ulFunctionOrdinal;
//ָʱ reloadImageModuleBase
ulModuleBase = ulReloadKernelModule;
pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //õ
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions); //ַ
arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames); //
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
for(x = 0; x < pExportTable->NumberOfFunctions; x++) //ɨ
{
functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
ulFunctionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
ulFunctionOrdinal = arrayOfFunctionAddresses[ulFunctionOrdinal];
functionAddress = (DWORD)((BYTE*)ulModuleBase + ulFunctionOrdinal);
if (_stricmp(lpszFunction,functionName) == 0)
{
KdPrint(("reload ulFunctionOrdinal:%08x:%s",ulFunctionOrdinal,functionName));
//ʼָ
ulModuleBase = ulKernelModule;
pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //õ
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions); //ַ
arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames); //
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
arrayOfFunctionAddresses[arrayOfFunctionOrdinals[x] + Base - 1] = ulFunctionOrdinal;
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
break;
}
}
return TRUE;
}
ULONG GetEatHook(ULONG ulOldAddress,int x,ULONG ulSystemKernelModuleBase,ULONG ulSystemKernelModuleSize)
{
ULONG ulModuleBase;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS NtDllHeader;
IMAGE_OPTIONAL_HEADER opthdr;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base,functionAddress;
IMAGE_EXPORT_DIRECTORY *pExportTable;
char *functionName = NULL;
BOOL bIsEatHooked = FALSE;
ULONG position = 0;
ULONG ulFunctionOrdinal;
ulModuleBase = ulSystemKernelModuleBase;
pDosHeader = (PIMAGE_DOS_HEADER)ulModuleBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //õ
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfFunctions); //ַ
arrayOfFunctionNames = (DWORD*)((BYTE*)ulModuleBase + pExportTable->AddressOfNames); //
arrayOfFunctionOrdinals = (WORD*)( (BYTE*)ulModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
functionName = (char*)((BYTE*)ulModuleBase + arrayOfFunctionNames[x]);
ulFunctionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
functionAddress = (DWORD)((BYTE*)ulModuleBase + arrayOfFunctionAddresses[ulFunctionOrdinal]);
if (*functionName == 'Z' &&
*(functionName+1) == 'w')
{
position = *((WORD*)(functionAddress + 1)); //õ
if (position > 0 &&
position <= OriginalServiceDescriptorTable->TableSize)
{
//õԭʼַ
functionAddress = OriginalServiceDescriptorTable->ServiceTable[position] - (ULONG)ImageModuleBase + SystemKernelModuleBase;
}
}
if (ulOldAddress != functionAddress)
{
KdPrint(("EAT HOOK %08x:%s\r\n",functionAddress,functionName));
return functionAddress;
}
return 0;
}
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelHookCheck.h
================================================
#include "DriverEntry.h"
BOOLEAN KernelHookCheck(PINLINEHOOKINFO InlineHookInfo);
VOID FillInlineHookInfo(PUCHAR ulTemp,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,ULONG ulOldAddress,ULONG HookType);
VOID CheckFuncByOpcode(PVOID ulReloadAddress,PINLINEHOOKINFO InlineHookInfo,CHAR* szFunctionName,PVOID ulOldAddress);
ULONG GetNextFunctionAddress(ULONG ulNtDllModuleBase,ULONG ulOldAddress,char *functionName,PINLINEHOOKINFO InlineHookInfo);
BOOLEAN ReSetEatHook(CHAR *lpszFunction,ULONG ulReloadKernelModule,ULONG ulKernelModule);
ULONG GetEatHook(ULONG ulOldAddress,int x,ULONG ulSystemKernelModuleBase,ULONG ulSystemKernelModuleSize);
BOOLEAN IsFunctionInExportTable(ULONG ulModuleBase,ULONG ulFunctionAddress);
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelReload.c
================================================
#include "KernelReload.h"
#include "FileSystem.h"
#include "FixRelocation.h"
/*ZwQuerySystemInformation öģϢ õһģ Ntos..*/
BOOLEAN GetSystemKernelModuleInfo(WCHAR **SystemKernelModulePath,PDWORD SystemKernelModuleBase,PDWORD SystemKernelModuleSize)
{
NTSTATUS status;
ULONG ulSize,i;
PMODULES pModuleList;
char *lpszKernelName=NULL;
ANSI_STRING AnsiKernelModule;
UNICODE_STRING UnicodeKernelModule;
BOOLEAN bRet=TRUE;
__try
{
status=ZwQuerySystemInformation(
SystemModuleInformation,
NULL,
0,
&ulSize
);
if (status != STATUS_INFO_LENGTH_MISMATCH)
{
return FALSE;
}
pModuleList=(PMODULES)ExAllocatePool(NonPagedPool,ulSize);
if (pModuleList)
{
status=ZwQuerySystemInformation(
SystemModuleInformation,
pModuleList,
ulSize,
&ulSize
);
if (!NT_SUCCESS(status))
{
bRet = FALSE;
}
}
if (!bRet)
{
if (pModuleList)
ExFreePool(pModuleList);
return FALSE;
}
*SystemKernelModulePath=ExAllocatePool(NonPagedPool,260*2);
if (*SystemKernelModulePath==NULL)
{
*SystemKernelModuleBase=0;
*SystemKernelModuleSize=0;
return FALSE;
}
lpszKernelName = pModuleList->smi[0].ModuleNameOffset+pModuleList->smi[0].ImageName; //һģ
RtlInitAnsiString(&AnsiKernelModule,lpszKernelName);
RtlAnsiStringToUnicodeString(&UnicodeKernelModule,&AnsiKernelModule,TRUE);
RtlZeroMemory(*SystemKernelModulePath,260*2);
wcscat(*SystemKernelModulePath,L"\\SystemRoot\\system32\\");
memcpy(
*SystemKernelModulePath+wcslen(L"\\SystemRoot\\system32\\"), //һģ·
UnicodeKernelModule.Buffer,
UnicodeKernelModule.Length
);
*SystemKernelModuleBase=(DWORD)pModuleList->smi[0].Base; //õһģַ
*SystemKernelModuleSize=(DWORD)pModuleList->smi[0].Size; //õһģС
ExFreePool(pModuleList);
RtlFreeUnicodeString(&UnicodeKernelModule);
}__except(EXCEPTION_EXECUTE_HANDLER){
}
return TRUE;
}
/*ļDeviceObjectRealDevice*/
BOOLEAN IoGetFileSystemVpbInfo(IN PFILE_OBJECT FileObject,PDEVICE_OBJECT *DeviceObject,PDEVICE_OBJECT *RealDevice)
{
//PDEVICE_OBJECT deviceObject;
// If the file object has a mounted Vpb, use its DeviceObject.
if(FileObject->Vpb != NULL && FileObject->Vpb->DeviceObject != NULL)
{
*DeviceObject = FileObject->Vpb->DeviceObject;
*RealDevice= FileObject->Vpb->RealDevice;
// Otherwise, if the real device has a VPB that indicates that it is mounted,
// then use the file system device object associated with the VPB.
}
else if
(
!(FileObject->Flags & FO_DIRECT_DEVICE_OPEN)
&&
FileObject->DeviceObject->Vpb != NULL
&&
FileObject->DeviceObject->Vpb->DeviceObject != NULL
)
{
*DeviceObject = FileObject->DeviceObject->Vpb->DeviceObject;
*RealDevice = FileObject->DeviceObject->Vpb->RealDevice;
// Otherwise, just return the real device object.
}
else
{
*DeviceObject = FileObject->DeviceObject;
*RealDevice=NULL;
}
if (*RealDevice==NULL||*DeviceObject==NULL)
{
return FALSE;
}
// Simply return the resultant file object.
return TRUE;
}
//FileObjectеRealDeviceDeviceObject
BOOLEAN GetDeviceObjectFromFileFullName(WCHAR *FileFullName,PDEVICE_OBJECT *RealDevice, PDEVICE_OBJECT *DeviceObject)
{
WCHAR wRootName[32]={0};
UNICODE_STRING RootName;
OBJECT_ATTRIBUTES ObjectAttributes={0};
NTSTATUS status;
HANDLE hFile;
IO_STATUS_BLOCK IoStatus;
PFILE_OBJECT FileObject;
if (FileFullName[0]==0x005C)
{//in \Windows\system32\ntkrnlpa.exe
wcscpy(wRootName,L"\\SystemRoot");
}
else
{
wcscpy(wRootName,L"\\DosDevices\\*:\\");
wRootName[12]=FileFullName[0];
}
RtlInitUnicodeString(&RootName,wRootName);
InitializeObjectAttributes(&ObjectAttributes, &RootName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
//RootName.Buffer = "\SystemRoot"
status = IoCreateFile(
&hFile,
SYNCHRONIZE,
&ObjectAttributes,
&IoStatus,
0,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ|FILE_SHARE_WRITE,
FILE_OPEN,
FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0,
0,
NULL,
IO_NO_PARAMETER_CHECKING);
if (!NT_SUCCESS(status))
{
return FALSE;
}
status=ObReferenceObjectByHandle(hFile,1,*IoFileObjectType,KernelMode,&FileObject,NULL);
if (!NT_SUCCESS(status))
{
ZwClose(hFile);
return FALSE;
}
if(!IoGetFileSystemVpbInfo(FileObject,DeviceObject,RealDevice)) //FileObjectеdeviceObjectRealDevice
{
ObfDereferenceObject(FileObject);
ZwClose(hFile);
return FALSE;
}
ObfDereferenceObject(FileObject);
ZwClose(hFile);
return TRUE;
}
/*ϵͳĿ¼*/
BOOLEAN GetWindowsRootName(WCHAR *WindowsRootName)
{
UNICODE_STRING RootName,ObjectName;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE hLink;
NTSTATUS status;
WCHAR *SystemRootName=(WCHAR*)0x7FFE0030;
WCHAR *ObjectNameBuffer=(WCHAR*)ExAllocatePool(NonPagedPool,260*2);
if (ObjectNameBuffer==NULL)
{
return FALSE;
}
RtlZeroMemory(ObjectNameBuffer,260*2);
RtlInitUnicodeString(&RootName,L"\\SystemRoot");
InitializeObjectAttributes(&ObjectAttributes,&RootName,OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
status=ZwOpenSymbolicLinkObject(&hLink,1,&ObjectAttributes);
if (NT_SUCCESS(status))
{
ObjectName.Buffer=ObjectNameBuffer;
ObjectName.Length=0;
ObjectName.MaximumLength=260*2;
status=ZwQuerySymbolicLinkObject(hLink,&ObjectName,NULL);
//ObjectNameBuffer \Device\Harddisk0\Partition1\Windows
if (NT_SUCCESS(status))
{
int ObjectNameLength=ObjectName.Length/2;
int Index;
for (Index=ObjectNameLength-1;Index>0;Index--)
{
if (ObjectNameBuffer[Index]==0x005C)
{
if (!MmIsAddressValid(&WindowsRootName[ObjectNameLength-Index]))
{
break;
}
//\Windows WindowsRootName
RtlCopyMemory(WindowsRootName,&ObjectNameBuffer[Index],(ObjectNameLength-Index)*2);
ExFreePool(ObjectNameBuffer);
return TRUE;
}
}
}
}
ExFreePool(ObjectNameBuffer);
if (!MmIsAddressValid(SystemRootName))
{
return FALSE;
}
if (SystemRootName[1]!=0x003A||SystemRootName[2]!=0x005C)
{
return FALSE;
}
wcscpy(WindowsRootName,&SystemRootName[2]);
return TRUE;
}
/*
ԼļFileObject->IrpList ļ
*/
//\SystemRoot\system32\ntkrnlpa.exe
NTSTATUS KernelOpenFile(wchar_t *FileFullName,
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions)
{
WCHAR SystemRootName[32]=L"\\SystemRoot";
WCHAR *FileNodeName=NULL;
UNICODE_STRING FilePath;
PDEVICE_OBJECT RealDevice,DeviceObject;
NTSTATUS status=STATUS_UNSUCCESSFUL;
PFILE_OBJECT FileObject;
FileNodeName=ExAllocatePool(NonPagedPool,260*2);
if (FileNodeName==NULL)
{
return status;
}
RtlZeroMemory(FileNodeName,260*2);
if (_wcsnicmp(FileFullName,SystemRootName,wcslen(SystemRootName))==0) //ȷʲô ӦDz·
{
//in
int Len;
if(!GetWindowsRootName(FileNodeName)) // \Windows
{
ExFreePool(FileNodeName);
return status;
}
Len=wcslen(SystemRootName);
wcscat(FileNodeName,&FileFullName[Len]);
//FileNodeName == \Windows\system32\ntkrnlpa.exe
//FileFullName == \SystemRoot\system32\ntkrnlpa.exe
}
else
{
if (FileFullName[1]!=0x003A||FileFullName[2]!=0x005C)
{
return status;
}
wcscpy(FileNodeName,&FileFullName[2]);
}
if(!GetDeviceObjectFromFileFullName(FileFullName,&RealDevice,&DeviceObject)) //FileObjectеDeviceObjectRealDevice
{
ExFreePool(FileNodeName);
return status;
}
//FileNodeName == \Windows\system32\ntkrnlpa.exe
RtlInitUnicodeString(&FilePath,FileNodeName);
status=IrpCreateFile(&FilePath,DesiredAccess,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,DeviceObject,RealDevice,&FileObject);
//ļ FileObject->IrpList
if (!NT_SUCCESS(status))
{
ExFreePool(FileNodeName);
return status;
}
//ļļ
status=ObOpenObjectByPointer(
FileObject,
OBJ_KERNEL_HANDLE, //verifier²ҪָOBJ_KERNEL_HANDLE
0,
DesiredAccess|0x100000,
*IoFileObjectType,
0,
FileHandle);
ObfDereferenceObject(FileObject);
return status;
}
//ѯirpϢfilesize
NTSTATUS KernelGetFileSize(HANDLE hFile, PLARGE_INTEGER FileSize)
{
NTSTATUS status;
PFILE_OBJECT FileObject;
PDEVICE_OBJECT DeviceObject,RealDevice;
FILE_STANDARD_INFORMATION FileInformation;
status=ObReferenceObjectByHandle(hFile, 0, *IoFileObjectType, KernelMode, &FileObject, 0);
if (!NT_SUCCESS(status))
{
return status;
}
if(!IoGetFileSystemVpbInfo(FileObject,&DeviceObject,&RealDevice))
{
ObDereferenceObject(FileObject);
return STATUS_UNSUCCESSFUL;
}
//ѯirpջϢFileObject
status=IrpQueryInformationFile(FileObject,DeviceObject,&FileInformation,sizeof(FILE_STANDARD_INFORMATION),FileStandardInformation);
if (!NT_SUCCESS(status))
{
ObDereferenceObject(FileObject);
return status;
}
FileSize->HighPart=FileInformation.EndOfFile.HighPart;
FileSize->LowPart=FileInformation.EndOfFile.LowPart;
ObDereferenceObject(FileObject);
return status;
}
/*
ļļСȡļڴ
*/
NTSTATUS KernelReadFile(HANDLE hFile, PLARGE_INTEGER ByteOffset, ULONG Length, PVOID FileBuffer, PIO_STATUS_BLOCK IoStatusBlock)
{
NTSTATUS status;
PFILE_OBJECT FileObject;
PDEVICE_OBJECT DeviceObject,RealDevice;
FILE_STANDARD_INFORMATION FileInformation;
status=ObReferenceObjectByHandle(hFile, 0, *IoFileObjectType, KernelMode, &FileObject, 0);
if (!NT_SUCCESS(status))
{
return status;
}
if(!IoGetFileSystemVpbInfo(FileObject,&DeviceObject,&RealDevice))
{
ObDereferenceObject(FileObject);
return STATUS_UNSUCCESSFUL;
}
status=IrpReadFile(FileObject,DeviceObject,IoStatusBlock,FileBuffer,Length,ByteOffset); //Irpļ뻺
ObDereferenceObject(FileObject);
return status;
}
/*
FileBufferеƫ VirtualAglin
filebuffer Ϊȡڴ ImageModuleBaseΪϵͳеģַ
*/
BOOLEAN ImageFile(BYTE *FileBuffer,BYTE **ImageModuleBase)
{
PIMAGE_DOS_HEADER ImageDosHeader;
PIMAGE_NT_HEADERS ImageNtHeaders;
PIMAGE_SECTION_HEADER ImageSectionHeader;
DWORD FileAlignment,SectionAlignment,NumberOfSections,SizeOfImage,SizeOfHeaders;
DWORD Index;
BYTE *ImageBase;
DWORD SizeOfNtHeaders;
ImageDosHeader=(PIMAGE_DOS_HEADER)FileBuffer;
if (ImageDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
return FALSE;
}
ImageNtHeaders=(PIMAGE_NT_HEADERS)(FileBuffer+ImageDosHeader->e_lfanew);
if (ImageNtHeaders->Signature!=IMAGE_NT_SIGNATURE)
{
return FALSE;
}
FileAlignment=ImageNtHeaders->OptionalHeader.FileAlignment;//0x200
SectionAlignment=ImageNtHeaders->OptionalHeader.SectionAlignment;//0x1000
NumberOfSections=ImageNtHeaders->FileHeader.NumberOfSections;//0x16
SizeOfImage=ImageNtHeaders->OptionalHeader.SizeOfImage;//0x412000
SizeOfHeaders=ImageNtHeaders->OptionalHeader.SizeOfHeaders;//0x800
SizeOfImage=AlignSize(SizeOfImage,SectionAlignment);//0x412000
ImageBase=ExAllocatePool(NonPagedPool,SizeOfImage);
if (ImageBase==NULL)
{
return FALSE;
}
RtlZeroMemory(ImageBase,SizeOfImage);
//0xf8
SizeOfNtHeaders=sizeof(ImageNtHeaders->FileHeader) + sizeof(ImageNtHeaders->Signature)+ImageNtHeaders->FileHeader.SizeOfOptionalHeader;
ImageSectionHeader=(PIMAGE_SECTION_HEADER)((DWORD)ImageNtHeaders+SizeOfNtHeaders);
for (Index=0;Index<NumberOfSections;Index++)
{
ImageSectionHeader[Index].SizeOfRawData=AlignSize(ImageSectionHeader[Index].SizeOfRawData,FileAlignment);
ImageSectionHeader[Index].Misc.VirtualSize=AlignSize(ImageSectionHeader[Index].Misc.VirtualSize,SectionAlignment);
}
if (ImageSectionHeader[NumberOfSections-1].VirtualAddress+ImageSectionHeader[NumberOfSections-1].SizeOfRawData>SizeOfImage)
{//no in
ImageSectionHeader[NumberOfSections-1].SizeOfRawData = SizeOfImage-ImageSectionHeader[NumberOfSections-1].VirtualAddress;
}
RtlCopyMemory(ImageBase,FileBuffer,SizeOfHeaders);
for (Index=0;Index<NumberOfSections;Index++)
{
DWORD FileOffset=ImageSectionHeader[Index].PointerToRawData;
DWORD Length=ImageSectionHeader[Index].SizeOfRawData;
DWORD ImageOffset=ImageSectionHeader[Index].VirtualAddress;
RtlCopyMemory(&ImageBase[ImageOffset],&FileBuffer[FileOffset],Length);
}
*ImageModuleBase=ImageBase;
return TRUE;
}
ULONG AlignSize(ULONG nSize, ULONG nAlign)
{
return ((nSize + nAlign - 1) / nAlign * nAlign);
}
/*
ͨDriverObject->DriverSection ںģ
*/
PVOID GetKernelModuleBase(PDRIVER_OBJECT DriverObject,char *KernelModuleName)
{
PLDR_DATA_TABLE_ENTRY DriverSection,LdrEntry;
ANSI_STRING AnsiKernelModuleName;
UNICODE_STRING UniKernelModuleName;
UNICODE_STRING ModuleName;
WCHAR *Buffer;
int Lentgh,Index;
RtlInitAnsiString(&AnsiKernelModuleName,KernelModuleName);
RtlAnsiStringToUnicodeString(&UniKernelModuleName,&AnsiKernelModuleName,TRUE);
Buffer=ExAllocatePool(NonPagedPool,260*2);
if (Buffer==NULL)
{
return NULL;
}
RtlZeroMemory(Buffer,206*2);
DriverSection=DriverObject->DriverSection;
LdrEntry=(PLDR_DATA_TABLE_ENTRY)DriverSection->InLoadOrderLinks.Flink;
while (LdrEntry&&DriverSection!=LdrEntry)
{
//(DWORD)LdrEntry->DllBase>=*(DWORD*)MmSystemRangeStart&&
if (LdrEntry->FullDllName.Length>0&&
LdrEntry->FullDllName.Buffer!=NULL)
{
if (MmIsAddressValid(&LdrEntry->FullDllName.Buffer[LdrEntry->FullDllName.Length/2-1]))
{
Lentgh=LdrEntry->FullDllName.Length/2;
for (Index=Lentgh-1;Index>0;Index--)
{
if (LdrEntry->FullDllName.Buffer[Index]==0x005C)
{
break;
}
}
if (LdrEntry->FullDllName.Buffer[Index]==0x005C)
{
RtlCopyMemory(Buffer,&(LdrEntry->FullDllName.Buffer[Index+1]),(Lentgh-Index-1)*2);
ModuleName.Buffer=Buffer;
ModuleName.Length=(Lentgh-Index-1)*2;
ModuleName.MaximumLength=260*2;
}
else
{
RtlCopyMemory(Buffer,LdrEntry->FullDllName.Buffer,Lentgh*2);
ModuleName.Buffer=Buffer;
ModuleName.Length=Lentgh*2;
ModuleName.MaximumLength=260*2;
}
if (RtlEqualUnicodeString(&ModuleName,&UniKernelModuleName,TRUE))
{
ExFreePool(Buffer);
return LdrEntry->DllBase;
}
}
}
LdrEntry=(PLDR_DATA_TABLE_ENTRY)LdrEntry->InLoadOrderLinks.Flink;
}
ExFreePool(Buffer);
return NULL;
}
/*
ͨúַ
*/
PVOID
MiFindExportedRoutine (
IN PVOID DllBase,
BOOLEAN ByName,
IN char *RoutineName,
DWORD Ordinal
)
{
USHORT OrdinalNumber;
PULONG NameTableBase;
PUSHORT NameOrdinalTableBase;
PULONG AddressTableBase;
PULONG Addr;
LONG High;
LONG Low;
LONG Middle;
LONG Result;
ULONG ExportSize;
PVOID FunctionAddress;
PIMAGE_EXPORT_DIRECTORY ExportDirectory;
PAGED_CODE();
//õ
ExportDirectory = (PIMAGE_EXPORT_DIRECTORY) RtlImageDirectoryEntryToData (
DllBase,
TRUE,
IMAGE_DIRECTORY_ENTRY_EXPORT,
&ExportSize);
if (ExportDirectory == NULL) {
return NULL;
}
NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames);
NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
AddressTableBase=(PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
if (!ByName)
{
return (PVOID)AddressTableBase[Ordinal];
}
Low = 0;
Middle = 0;
High = ExportDirectory->NumberOfNames - 1;
while (High >= Low) {
Middle = (Low + High) >> 1;
Result = strcmp (RoutineName,
(PCHAR)DllBase + NameTableBase[Middle]);
if (Result < 0) {
High = Middle - 1;
}
else if (Result > 0) {
Low = Middle + 1;
}
else {
break;
}
}
if (High < Low) {
return NULL;
}
OrdinalNumber = NameOrdinalTableBase[Middle];
if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) {
return NULL;
}
Addr = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
FunctionAddress = (PVOID)((PCHAR)DllBase + Addr[OrdinalNumber]);
//
// Forwarders are not used by the kernel and HAL to each other.
//
ASSERT ((FunctionAddress <= (PVOID)ExportDirectory) ||
(FunctionAddress >= (PVOID)((PCHAR)ExportDirectory + ExportSize)));
return FunctionAddress;
}
BOOLEAN InsertOriginalFirstThunk(DWORD ImageBase,DWORD ExistImageBase,PIMAGE_THUNK_DATA FirstThunk)
{
DWORD Offset;
PIMAGE_THUNK_DATA OriginalFirstThunk;
Offset=(DWORD)FirstThunk-ImageBase;
OriginalFirstThunk=(PIMAGE_THUNK_DATA)(ExistImageBase+Offset);
while (OriginalFirstThunk->u1.Function)
{
FirstThunk->u1.Function=OriginalFirstThunk->u1.Function;
OriginalFirstThunk++;
FirstThunk++;
}
return TRUE;
}
//
BOOLEAN FixImportTable(BYTE *ImageBase,DWORD ExistImageBase,PDRIVER_OBJECT DriverObject)
{
PIMAGE_IMPORT_DESCRIPTOR ImageImportDescriptor=NULL;
PIMAGE_THUNK_DATA ImageThunkData,FirstThunk;
PIMAGE_IMPORT_BY_NAME ImortByName;
DWORD ImportSize;
PVOID ModuleBase;
char ModuleName[260];
DWORD FunctionAddress;
//õַ
ImageImportDescriptor=(PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData(ImageBase,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&ImportSize);
if (ImageImportDescriptor==NULL)
{
return FALSE;
}
while (ImageImportDescriptor->OriginalFirstThunk&&ImageImportDescriptor->Name)
{
strcpy(ModuleName,(char*)(ImageBase+ImageImportDescriptor->Name)); //Ϣ
//ntoskrnl.exe(NTKRNLPA.exentkrnlmp.exentkrpamp.exe)
if (_stricmp(ModuleName,"ntkrnlpa.exe")==0||
_stricmp(ModuleName,"ntoskrnl.exe")==0||
_stricmp(ModuleName,"ntkrnlmp.exe")==0||
_stricmp(ModuleName,"ntkrpamp.exe")==0)
{//no in
ModuleBase=GetKernelModuleBase(DriverObject,"ntkrnlpa.exe"); //ͨDriverObject->DriverSection ںģ
if (ModuleBase==NULL)
{
ModuleBase=GetKernelModuleBase(DriverObject,"ntoskrnl.exe");
if (ModuleBase==NULL)
{
ModuleBase=GetKernelModuleBase(DriverObject,"ntkrnlmp.exe");
if (ModuleBase==NULL)
{
ModuleBase=GetKernelModuleBase(DriverObject,"ntkrpamp.exe");
}
}
}
}
else
{
ModuleBase=GetKernelModuleBase(DriverObject,ModuleName);
}
if (ModuleBase==NULL)
{
FirstThunk=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->FirstThunk);
InsertOriginalFirstThunk((DWORD)ImageBase,ExistImageBase,FirstThunk);
ImageImportDescriptor++;
continue;
}
//PSHED.dll
ImageThunkData=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->OriginalFirstThunk);
FirstThunk=(PIMAGE_THUNK_DATA)(ImageBase+ImageImportDescriptor->FirstThunk);
while(ImageThunkData->u1.Ordinal)
{
//ŵ
if(IMAGE_SNAP_BY_ORDINAL32(ImageThunkData->u1.Ordinal))
{
//ͨϵͳں˵ĵ - ַ
FunctionAddress=(DWORD)MiFindExportedRoutine(ModuleBase,FALSE,NULL,ImageThunkData->u1.Ordinal & ~IMAGE_ORDINAL_FLAG32);
if (FunctionAddress==0)
{
return FALSE;
}
FirstThunk->u1.Function=FunctionAddress;
}
//
else
{
//
ImortByName=(PIMAGE_IMPORT_BY_NAME)(ImageBase+ImageThunkData->u1.AddressOfData);
FunctionAddress=(DWORD)MiFindExportedRoutine(ModuleBase,TRUE,ImortByName->Name,0);
if (FunctionAddress==0)
{
return FALSE;
}
FirstThunk->u1.Function=FunctionAddress;
}
FirstThunk++;
ImageThunkData++;
}
ImageImportDescriptor++;
}
return TRUE;
}
/*
system32//NtosKrnl.exe ..
*/
BOOLEAN PeLoad(
WCHAR *FileFullPath,
BYTE **ImageModeleBase,
PDRIVER_OBJECT DeviceObject,
DWORD ExistImageBase
)
{
NTSTATUS Status;
HANDLE hFile;
LARGE_INTEGER FileSize;
DWORD Length;
BYTE *FileBuffer;
BYTE *ImageBase;
IO_STATUS_BLOCK IoStatus;
//\SystemRoot\system32\ntkrnlpa.exe
Status=KernelOpenFile(FileFullPath,&hFile,0x100020,0x80,1,1,0x20); //ԼļFileObject->IrpList ļ
if (!NT_SUCCESS(Status))
{
return FALSE;
}
Status=KernelGetFileSize(hFile,&FileSize); //ȡirpϢfilesize
if (!NT_SUCCESS(Status))
{
ZwClose(hFile);
return FALSE;
}
Length=FileSize.LowPart;
FileBuffer=ExAllocatePool(PagedPool,Length);
if (FileBuffer==NULL)
{
ZwClose(hFile);
return FALSE;
}
Status=KernelReadFile(hFile,NULL,Length,FileBuffer,&IoStatus); //ļļС ͨirpȡļڴ
if (!NT_SUCCESS(Status))
{
ZwClose(hFile);
ExFreePool(FileBuffer);
return FALSE;
}
ZwClose(hFile);
if(!ImageFile(FileBuffer,&ImageBase)) //FileBufferеƫ VirtualAglin õȫImageModuleBase
{
ExFreePool(FileBuffer);
return FALSE;
}
ExFreePool(FileBuffer);
//2k3MiFindExportedRoutineʧ
if(!FixImportTable(ImageBase,ExistImageBase,DeviceObject)) //
{
ExFreePool(ImageBase);
return FALSE;
}
if(!FixBaseRelocTable(ImageBase,ExistImageBase)) //ضλ
{
ExFreePool(ImageBase);
return FALSE;
}
*ImageModeleBase=ImageBase; //õĻַ ԭڴиʽһ һntos
return TRUE;
}
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelReload.h
================================================
#include "Reload.h"
BOOLEAN GetSystemKernelModuleInfo(WCHAR **SystemKernelModulePath,PDWORD SystemKernelModuleBase,PDWORD SystemKernelModuleSize);
BOOLEAN IoGetFileSystemVpbInfo(IN PFILE_OBJECT FileObject,PDEVICE_OBJECT *DeviceObject,PDEVICE_OBJECT *RealDevice);
BOOLEAN GetDeviceObjectFromFileFullName(WCHAR *FileFullName,PDEVICE_OBJECT *RealDevice, PDEVICE_OBJECT *DeviceObject);
BOOLEAN GetWindowsRootName(WCHAR *WindowsRootName);
NTSTATUS KernelOpenFile(wchar_t *FileFullName,
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions);
NTSTATUS KernelGetFileSize(HANDLE hFile, PLARGE_INTEGER FileSize);
NTSTATUS KernelReadFile(HANDLE hFile, PLARGE_INTEGER ByteOffset, ULONG Length, PVOID FileBuffer, PIO_STATUS_BLOCK IoStatusBlock);
BOOLEAN ImageFile(BYTE *FileBuffer,BYTE **ImageModuleBase);
ULONG AlignSize(ULONG nSize, ULONG nAlign);
PVOID GetKernelModuleBase(PDRIVER_OBJECT DriverObject,char *KernelModuleName);
BOOLEAN InsertOriginalFirstThunk(DWORD ImageBase,DWORD ExistImageBase,PIMAGE_THUNK_DATA FirstThunk);
PVOID
MiFindExportedRoutine (
IN PVOID DllBase,
BOOLEAN ByName,
IN char *RoutineName,
DWORD Ordinal
);
BOOLEAN FixImportTable(BYTE *ImageBase,DWORD ExistImageBase,PDRIVER_OBJECT DriverObject);
BOOLEAN PeLoad(
WCHAR *FileFullPath,
BYTE **ImageModeleBase,
PDRIVER_OBJECT DeviceObject,
DWORD ExistImageBase
);
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/ReadMe.txt
================================================
Check Kernel EAT Hook
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Reload.c
================================================
#include "Reload.h"
#include "KernelReload.h"
WCHAR* SystemKernelFilePath = NULL;
ULONG_PTR SystemKernelModuleBase = 0;
ULONG_PTR SystemKernelModuleSize = 0;
ULONG_PTR ImageModuleBase;
PVOID OriginalKiServiceTable;
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
PSERVICE_DESCRIPTOR_TABLE OriginalServiceDescriptorTable;
PSERVICE_DESCRIPTOR_TABLE Safe_ServiceDescriptorTable;
/*
FuncName ԭNtosַ Լ Ntosַ
//һζͨ ϵͳԭƫ + NewBase úַ
//ȻͨԼRMmGetSystemRoutineAddress ƫ+NewBase úַ
ҵ
*/
ULONG ReLoadNtosCALL(WCHAR *lpwzFuncTion,ULONG ulOldNtosBase,ULONG ulReloadNtosBase)
{
UNICODE_STRING UnicodeFunctionName;
ULONG ulOldFunctionAddress;
PUCHAR ulReloadFunctionAddress = NULL;
int index=0;
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS NtDllHeader;
IMAGE_OPTIONAL_HEADER opthdr;
DWORD* arrayOfFunctionAddresses;
DWORD* arrayOfFunctionNames;
WORD* arrayOfFunctionOrdinals;
DWORD functionOrdinal;
DWORD Base, x, functionAddress,position;
char* functionName;
IMAGE_EXPORT_DIRECTORY *pExportTable;
ULONG ulNtDllModuleBase;
UNICODE_STRING UnicodeFunction;
UNICODE_STRING UnicodeExportTableFunction;
ANSI_STRING ExportTableFunction;
//һζͨ ϵͳԭƫ + NewBase úַ
//ȻͨԼRMmGetSystemRoutineAddress ƫ+NewBase úַ
__try
{
if (RRtlInitUnicodeString &&
RRtlCompareUnicodeString &&
RMmGetSystemRoutineAddress &&
RMmIsAddressValid)
{
RRtlInitUnicodeString(&UnicodeFunctionName,lpwzFuncTion);
ulOldFunctionAddress = (DWORD)RMmGetSystemRoutineAddress(&UnicodeFunctionName);
ulReloadFunctionAddress = (PUCHAR)(ulOldFunctionAddress - ulOldNtosBase + ulReloadNtosBase); //صFuncAddr
if (RMmIsAddressValid(ulReloadFunctionAddress)) //Чʹ ȡ ӦòЧ
{
return (ULONG)ulReloadFunctionAddress;
}
//ӵȡ
ulNtDllModuleBase = ulReloadNtosBase;
pDosHeader = (PIMAGE_DOS_HEADER)ulReloadNtosBase;
if (pDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
NtDllHeader=(PIMAGE_NT_HEADERS)(ULONG)((ULONG)pDosHeader+pDosHeader->e_lfanew);
if (NtDllHeader->Signature!=IMAGE_NT_SIGNATURE)
{
KdPrint(("failed to find NtHeader\r\n"));
return 0;
}
opthdr = NtDllHeader->OptionalHeader;
pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*)ulNtDllModuleBase + opthdr.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); //õ
arrayOfFunctionAddresses = (DWORD*)( (BYTE*)ulNtDllModuleBase + pExportTable->AddressOfFunctions); //ַ
arrayOfFunctionNames = (DWORD*)((BYTE*)ulNtDllModuleBase + pExportTable->AddressOfNames); //
arrayOfFunctionOrdinals = (WORD*)((BYTE*)ulNtDllModuleBase + pExportTable->AddressOfNameOrdinals);
Base = pExportTable->Base;
for(x = 0; x < pExportTable->NumberOfFunctions; x++) //ɨ
{
functionName = (char*)( (BYTE*)ulNtDllModuleBase + arrayOfFunctionNames[x]);
functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1;
functionAddress = (DWORD)((BYTE*)ulNtDllModuleBase + arrayOfFunctionAddresses[functionOrdinal]);
RtlInitAnsiString(&ExportTableFunction,functionName);
RtlAnsiStringToUnicodeString(&UnicodeExportTableFunction,&ExportTableFunction,TRUE);
RRtlInitUnicodeString(&UnicodeFunction,lpwzFuncTion);
if (RRtlCompareUnicodeString(&UnicodeExportTableFunction,&UnicodeFunction,TRUE) == 0)
{
RtlFreeUnicodeString(&UnicodeExportTableFunction);
return functionAddress;
}
RtlFreeUnicodeString(&UnicodeExportTableFunction);
}
return 0;
}
RtlInitUnicodeString(&UnicodeFunctionName,lpwzFuncTion);
ulOldFunctionAddress = (DWORD)MmGetSystemRoutineAddress(&UnicodeFunctionName);
ulReloadFunctionAddress = (PUCHAR)(ulOldFunctionAddress - ulOldNtosBase + ulReloadNtosBase);
//KdPrint(("%ws:%08x:%08x",lpwzFuncTion,ulOldFunctionAddress,ulReloadFunctionAddress));
if (MmIsAddressValid(ulReloadFunctionAddress))
{
return (ULONG)ulReloadFunctionAddress;
}
//
}__except(EXCEPTION_EXECUTE_HANDLER){
KdPrint(("EXCEPTION_EXECUTE_HANDLER"));
}
return 0;
}
/*Ntos*/
NTSTATUS ReLoadNtos(PDRIVER_OBJECT DriverObject,DWORD RetAddress)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
ULONG ulKeAddSystemServiceTable;
PULONG p;
if (!GetSystemKernelModuleInfo(
&SystemKernelFilePath,
&SystemKernelModuleBase,
&SystemKernelModuleSize
))
{
KdPrint(("Get System Kernel Module failed"));
return status;
}
if (InitSafeOperationModule(
DriverObject,
SystemKernelFilePath,
SystemKernelModuleBase
))
{
KdPrint(("Init Ntos module success\r\n"));
RRtlInitUnicodeString = NULL;
RMmGetSystemRoutineAddress = NULL;
RMmIsAddressValid = NULL;
RRtlCompareUnicodeString = NULL;
RPsGetCurrentProcess = NULL;
status = STATUS_UNSUCCESSFUL;
//һζͨ ϵͳԭƫ + NewBase úַ
//ȻͨԼRMmGetSystemRoutineAddress ƫ+NewBase úַ
RRtlInitUnicodeString = (ReloadRtlInitUnicodeString)ReLoadNtosCALL(L"RtlInitUnicodeString",SystemKernelModuleBase,ImageModuleBase);
RRtlCompareUnicodeString = (ReloadRtlCompareUnicodeString)ReLoadNtosCALL(L"RtlCompareUnicodeString",SystemKernelModuleBase,ImageModuleBase);
RMmGetSystemRoutineAddress = (ReloadMmGetSystemRoutineAddress)ReLoadNtosCALL(L"MmGetSystemRoutineAddress",SystemKernelModuleBase,ImageModuleBase);
RMmIsAddressValid = (ReloadMmIsAddressValid)ReLoadNtosCALL(L"MmIsAddressValid",SystemKernelModuleBase,ImageModuleBase);
RPsGetCurrentProcess = (ReloadPsGetCurrentProcess)ReLoadNtosCALL(L"PsGetCurrentProcess",SystemKernelModuleBase,ImageModuleBase);
if (!RRtlInitUnicodeString ||
!RRtlCompareUnicodeString ||
!RMmGetSystemRoutineAddress ||
!RMmIsAddressValid ||
!RPsGetCurrentProcess)
{
KdPrint(("Init NtosCALL failed"));
return status;
}
}
return status;
}
BOOLEAN InitSafeOperationModule(PDRIVER_OBJECT pDriverObject,WCHAR *SystemModulePath,ULONG KernelModuleBase)
{
UNICODE_STRING FileName;
HANDLE hSection;
PDWORD FixdOriginalKiServiceTable;
PDWORD CsRootkitOriginalKiServiceTable;
ULONG i = 0;
//Լpeload һntos*ͽ˸ȫijͻ~
if (!PeLoad(SystemModulePath,(BYTE**)&ImageModuleBase,pDriverObject,KernelModuleBase))
{
return FALSE;
}
OriginalKiServiceTable = ExAllocatePool(NonPagedPool,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
if (!OriginalKiServiceTable)
{
return FALSE;
}
//SSDTַͨضλȽϵõ
if(!GetOriginalKiServiceTable((BYTE*)ImageModuleBase,KernelModuleBase,(DWORD*)&OriginalKiServiceTable))
{
ExFreePool(OriginalKiServiceTable);
return FALSE;
}
//SSDTַ ԼReloadĺַ ɾ
FixOriginalKiServiceTable((PDWORD)OriginalKiServiceTable,(DWORD)ImageModuleBase,KernelModuleBase);
OriginalServiceDescriptorTable = (PSERVICE_DESCRIPTOR_TABLE)ExAllocatePool(NonPagedPool,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
if (OriginalServiceDescriptorTable == NULL)
{
ExFreePool(OriginalKiServiceTable);
return FALSE;
}
RtlZeroMemory(OriginalServiceDescriptorTable,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
//SERVICE_DESCRIPTOR_TABLE ṹ
OriginalServiceDescriptorTable->ServiceTable = (PDWORD)OriginalKiServiceTable;
OriginalServiceDescriptorTable->CounterTable = KeServiceDescriptorTable->CounterTable;
OriginalServiceDescriptorTable->TableSize = KeServiceDescriptorTable->TableSize;
OriginalServiceDescriptorTable->ArgumentTable = KeServiceDescriptorTable->ArgumentTable;
CsRootkitOriginalKiServiceTable = (PDWORD)ExAllocatePool(NonPagedPool,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
if (CsRootkitOriginalKiServiceTable==NULL)
{
ExFreePool(OriginalServiceDescriptorTable);
ExFreePool(OriginalKiServiceTable);
return FALSE;
}
RtlZeroMemory(CsRootkitOriginalKiServiceTable,KeServiceDescriptorTable->TableSize*sizeof(DWORD));
Safe_ServiceDescriptorTable = (PSERVICE_DESCRIPTOR_TABLE)ExAllocatePool(NonPagedPool,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
if (Safe_ServiceDescriptorTable == NULL)
{
ExFreePool(OriginalServiceDescriptorTable);
ExFreePool(CsRootkitOriginalKiServiceTable);
ExFreePool(OriginalKiServiceTable);
return FALSE;
}
//һɾԭʼÿӦSSDTĵַԭʼ
RtlZeroMemory(Safe_ServiceDescriptorTable,sizeof(SERVICE_DESCRIPTOR_TABLE)*4);
//ԭʼַ
for (i = 0; i < KeServiceDescriptorTable->TableSize; i++)
{
CsRootkitOriginalKiServiceTable[i] = OriginalServiceDescriptorTable->ServiceTable[i];
}
Safe_ServiceDescriptorTable->ServiceTable = (PDWORD)CsRootkitOriginalKiServiceTable;
Safe_ServiceDescriptorTable->CounterTable = KeServiceDescriptorTable->CounterTable;
Safe_ServiceDescriptorTable->TableSize = KeServiceDescriptorTable->TableSize;
Safe_ServiceDescriptorTable->ArgumentTable = KeServiceDescriptorTable->ArgumentTable;
//ͷžͻbsod
//ExFreePool(OriginalKiServiceTable);
return TRUE;
}
VOID FixOriginalKiServiceTable(PDWORD OriginalKiServiceTable,DWORD ModuleBase,DWORD ExistImageBase)
{
DWORD FuctionCount;
DWORD Index;
FuctionCount=KeServiceDescriptorTable->TableSize; //
KdPrint(("ssdt funcion count:%X---KiServiceTable:%X\n",FuctionCount,KeServiceDescriptorTable->ServiceTable));
for (Index=0;Index<FuctionCount;Index++)
{
OriginalKiServiceTable[Index]=OriginalKiServiceTable[Index]-ExistImageBase+ModuleBase; //SSDTַ
}
}
//ͨKeServiceDescriptorTableRVAضλĵַRVAȽϣһȡеSSDTַ
BOOLEAN GetOriginalKiServiceTable(BYTE *NewImageBase,DWORD ExistImageBase,DWORD *NewKiServiceTable)
{
PIMAGE_DOS_HEADER ImageDosHeader;
PIMAGE_NT_HEADERS ImageNtHeaders;
DWORD KeServiceDescriptorTableRva;
PIMAGE_BASE_RELOCATION ImageBaseReloc=NULL;
DWORD RelocSize;
int ItemCount,Index;
int Type;
PDWORD RelocAddress;
DWORD RvaData;
DWORD count=0;
WORD *TypeOffset;
ImageDosHeader=(PIMAGE_DOS_HEADER)NewImageBase;
if (ImageDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
{
return FALSE;
}
ImageNtHeaders=(PIMAGE_NT_HEADERS)(NewImageBase+ImageDosHeader->e_lfanew);
if (ImageNtHeaders->Signature!=IMAGE_NT_SIGNATURE)
{
return FALSE;
}
KeServiceDescriptorTableRva=(DWORD)MiFindExportedRoutine(NewImageBase,TRUE,"KeServiceDescriptorTable",0);
if (KeServiceDescriptorTableRva==0)
{
return FALSE;
}
KeServiceDescriptorTableRva=KeServiceDescriptorTableRva-(DWORD)NewImageBase;
ImageBaseReloc=RtlImageDirectoryEntryToData(NewImageBase,TRUE,IMAGE_DIRECTORY_ENTRY_BASERELOC,&RelocSize);
if (ImageBaseReloc==NULL)
{
return FALSE;
}
while (ImageBaseReloc->SizeOfBlock)
{
count++;
ItemCount=(ImageBaseReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION))/2;
TypeOffset=(WORD*)((DWORD)ImageBaseReloc+sizeof(IMAGE_BASE_RELOCATION));
for (Index=0;Index<ItemCount;Index++)
{
Type=TypeOffset[Index]>>12; //4λ 12λλҳƫ 4k
if (Type==3)
{
//Base + Virtual λҳ + 12λ = RelocAddress Ҫĵַ
RelocAddress=(PDWORD)((DWORD)(TypeOffset[Index]&0x0fff)+ImageBaseReloc->VirtualAddress+(DWORD)NewImageBase);
RvaData=*RelocAddress-ExistImageBase;
if (RvaData==KeServiceDescriptorTableRva) //ضλеrva KeServiceDescriptorTable
{
if(*(USHORT*)((DWORD)RelocAddress-2)==0x05c7)
{
/*
1: kd> dd 0x89651c12 RelocAddress - 2
89651c12 79c005c7 bd9c83f8
1: kd> dd KeServiceDescriptorTable
83f879c0 83e9bd9c 00000000 00000191 83e9c3e4
83f879d0 00000000 00000000 00000000 00000000
1: kd> dd 0x89651c14 RelocAddress
89651c14 83f879c0 83e9bd9c 79c41589 c8a383f8
89651c24 c783f879 f879cc05 e9c3e483 d8158983
*/
//RelocAddress KeServiceDesriptorTableַ
//RelocAddress + 4 KeServiceDesriptorTableһԱҲSSDTַ
*NewKiServiceTable=*(DWORD*)((DWORD)RelocAddress+4)-ExistImageBase+(DWORD)NewImageBase;
return TRUE;
}
}
}
}
ImageBaseReloc=(PIMAGE_BASE_RELOCATION)((DWORD)ImageBaseReloc+ImageBaseReloc->SizeOfBlock);
}
return FALSE;
}
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Reload.h
================================================
#include "DriverEntry.h"
#include <ntimage.h>
#pragma once
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
typedef unsigned char BYTE, *PBYTE;
typedef unsigned short WORD, *PWORD;
typedef struct _SYSTEM_MODULE_INFORMATION // ϵͳģϢ
{
ULONG Reserved[2];
ULONG Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef struct _tagSysModuleList { //ģṹ
ULONG ulCount;
SYSTEM_MODULE_INFORMATION smi[1];
} MODULES, *PMODULES;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // 0 Y N
SystemProcessorInformation, // 1 Y N
SystemPerformanceInformation, // 2 Y N
SystemTimeOfDayInformation, // 3 Y N
SystemNotImplemented1, // 4 Y N
SystemProcessesAndThreadsInformation, // 5 Y N
SystemCallCounts, // 6 Y N
SystemConfigurationInformation, // 7 Y N
SystemProcessorTimes, // 8 Y N
SystemGlobalFlag, // 9 Y Y
SystemNotImplemented2, // 10 Y N
SystemModuleInformation, // 11 Y N
SystemLockInformation, // 12 Y N
SystemNotImplemented3, // 13 Y N
SystemNotImplemented4, // 14 Y N
SystemNotImplemented5, // 15 Y N
SystemHandleInformation, // 16 Y N
SystemObjectInformation, // 17 Y N
SystemPagefileInformation, // 18 Y N
SystemInstructionEmulationCounts, // 19 Y N
SystemInvalidInfoClass1, // 20
SystemCacheInformation, // 21 Y Y
SystemPoolTagInformation, // 22 Y N
SystemProcessorStatistics, // 23 Y N
SystemDpcInformation, // 24 Y Y
SystemNotImplemented6, // 25 Y N
SystemLoadImage, // 26 N Y
SystemUnloadImage, // 27 N Y
SystemTimeAdjustment, // 28 Y Y
SystemNotImplemented7, // 29 Y N
SystemNotImplemented8, // 30 Y N
SystemNotImplemented9, // 31 Y N
SystemCrashDumpInformation, // 32 Y N
SystemExceptionInformation, // 33 Y N
SystemCrashDumpStateInformation, // 34 Y Y/N
SystemKernelDebuggerInformation, // 35 Y N
SystemContextSwitchInformation, // 36 Y N
SystemRegistryQuotaInformation, // 37 Y Y
SystemLoadAndCallImage, // 38 N Y
SystemPrioritySeparation, // 39 N Y
SystemNotImplemented10, // 40 Y N
SystemNotImplemented11, // 41 Y N
SystemInvalidInfoClass2, // 42
SystemInvalidInfoClass3, // 43
SystemTimeZoneInformation, // 44 Y N
SystemLookasideInformation, // 45 Y N
SystemSetTimeSlipEvent, // 46 N Y
SystemCreateSession, // 47 N Y
SystemDeleteSession, // 48 N Y
SystemInvalidInfoClass4, // 49
SystemRangeStartInformation, // 50 Y N
SystemVerifierInformation, // 51 Y Y
SystemAddVerifier, // 52 N Y
SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;
#define LDRP_RELOCATION_FINAL 0x2
#define RTL_IMAGE_NT_HEADER_EX_FLAG_NO_RANGE_CHECK (0x00000001)
typedef struct _AUX_ACCESS_DATA {
PPRIVILEGE_SET PrivilegesUsed;
GENERIC_MAPPING GenericMapping;
ACCESS_MASK AccessesToAudit;
ACCESS_MASK MaximumAuditMask;
ULONG Unknown[41];
} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
union
{
ULONG TimeDateStamp;
PVOID LoadedImports;
};
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// typedef struct _IMAGE_BASE_RELOCATION {
// DWORD VirtualAddress;
// DWORD SizeOfBlock;
// // WORD TypeOffset[1];
// } IMAGE_BASE_RELOCATION,*PIMAGE_BASE_RELOCATION;
// typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
typedef struct _SERVICE_DESCRIPTOR_TABLE {
/*
* Table containing cServices elements of pointers to service handler
* functions, indexed by service ID.
*/
PDWORD ServiceTable;
/*
* Table that counts how many times each service is used. This table
* is only updated in checked builds.
*/
PULONG CounterTable;
/*
* Number of services contained in this table.
*/
ULONG TableSize;
/*
* Table containing the number of bytes of parameters the handler
* function takes.
*/
PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
NTSTATUS ReLoadNtos(PDRIVER_OBJECT DriverObject,DWORD RetAddress);
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInfoClass,
OUT PVOID SystemInfoBuffer,
IN ULONG SystemInfoBufferSize,
OUT PULONG BytesReturned OPTIONAL
);
NTSTATUS
NTAPI
ObCreateObject (
IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
IN ULONG ObjectSize,
IN ULONG PagedPoolCharge OPTIONAL,
IN ULONG NonPagedPoolCharge OPTIONAL,
OUT PVOID *Object
);
NTSTATUS
NTAPI
SeCreateAccessState(
PACCESS_STATE AccessState,
PAUX_ACCESS_DATA AuxData,
ACCESS_MASK Access,
PGENERIC_MAPPING GenericMapping
);
NTSYSAPI
PVOID
NTAPI
RtlImageDirectoryEntryToData (
IN PVOID Base,
IN BOOLEAN MappedAsImage,
IN USHORT DirectoryEntry,
OUT PULONG Size
);
BOOLEAN InitSafeOperationModule(PDRIVER_OBJECT pDriverObject,WCHAR *SystemModulePath,ULONG KernelModuleBase);
typedef VOID (__stdcall *ReloadRtlInitUnicodeString)(
__inout PUNICODE_STRING DestinationString,
__in_opt PCWSTR SourceString
);
ReloadRtlInitUnicodeString RRtlInitUnicodeString;
typedef LONG (__stdcall * ReloadRtlCompareUnicodeString)(
__in PCUNICODE_STRING String1,
__in PCUNICODE_STRING String2,
__in BOOLEAN CaseInSensitive
);
ReloadRtlCompareUnicodeString RRtlCompareUnicodeString;
typedef PVOID (__stdcall *ReloadMmGetSystemRoutineAddress)(
__in PUNICODE_STRING SystemRoutineName
);
ReloadMmGetSystemRoutineAddress RMmGetSystemRoutineAddress;
typedef BOOLEAN (__stdcall * ReloadMmIsAddressValid)(
__in PVOID VirtualAddress
);
ReloadMmIsAddressValid RMmIsAddressValid;
typedef PEPROCESS (__stdcall *ReloadPsGetCurrentProcess)(void);
ReloadPsGetCurrentProcess RPsGetCurrentProcess;
BOOLEAN GetOriginalKiServiceTable(BYTE *NewImageBase,DWORD ExistImageBase,DWORD *NewKiServiceTable);
VOID FixOriginalKiServiceTable(PDWORD OriginalKiServiceTable,DWORD ModuleBase,DWORD ExistImageBase);
================================================
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/libdasm.c
================================================
/*
* libdasm -- simple x86 disassembly library
* (c) 2004 - 2005 jt / nologin.org
*
*
* TODO:
* - more documentation
* - do more code validation
*
*/
#include <stdio.h>
#include <string.h>
#include "libdasm.h"
#include "tables.h"
// Endianess conversion routines (thanks Ero)
__inline__ BYTE FETCH8(BYTE *addr) {
// So far byte cast seems to work on all tested platforms
return *(BYTE *)addr;
}
__inline__ WORD FETCH16(BYTE *addr) {
#if defined __X86__
// Direct cast only for x86
return *(WORD *)addr;
#else
// Revert to memcpy
WORD val;
memcpy(&val, addr, 2);
#if defined __LITTLE_ENDIAN__
return val;
#else
return ((val & 0xff00) >> 8) |
((val & 0x00ff) << 8);
#endif // __LITTLE_ENDIAN__
#endif // __X86__
}
__inline__ DWORD FETCH32(BYTE *addr) {
#if defined __X86__
return *(DWORD *)addr;
#else
DWORD val;
memcpy(&val, addr, 4);
#if defined __LITTLE_ENDIAN__
return val;
#else
return ((val & (0xff000000)) >> 24) |
((val & (0x00ff0000)) >> 8) |
((val & (0x0000ff00)) << 8) |
((val & (0x000000ff)) << 24);
#endif // __LITTLE_ENDIAN__
#endif // __X86__
}
// Parse 2 and 3-byte opcodes
int get_real_instruction2(BYTE *addr, int *flags) {
switch (*addr) {
// opcode extensions for 2-byte opcodes
case 0x00:
// Clear extension
*flags &= 0xFFFFFF00;
*flags |= EXT_G6;
break;
case 0x01:
*flags &= 0xFFFFFF00;
*flags |= EXT_G7;
break;
case 0x71:
*flags &= 0xFFFFFF00;
*flags |= EXT_GC;
break;
case 0x72:
*flags &= 0xFFFFFF00;
*flags |= EXT_GD;
break;
case 0x73:
*flags &= 0xFFFFFF00;
*flags |= EXT_GE;
break;
case 0xae:
*flags &= 0xFFFFFF00;
*flags |= EXT_GF;
break;
case 0xba:
*flags &= 0xFFFFFF00;
*flags |= EXT_G8;
break;
case 0xc7:
*flags &= 0xFFFFFF00;
*flags |= EXT_G9;
break;
default:
break;
}
return 0;
}
// Parse instruction flags, get opcode index
int get_real_instruction(BYTE *addr, int *index, int *flags) {
switch (*addr) {
// 2-byte opcode
case 0x0f:
*index += 1;
*flags |= EXT_T2;
break;
// Prefix group 2
case 0x2e:
*index += 1;
// Clear previous flags from same group (undefined effect)
*flags &= 0xFF00FFFF;
*flags |= PREFIX_CS_OVERRIDE;
get_real_instruction(addr + 1, index, flags);
break;
case 0x36:
*index += 1;
*flags &= 0xFF00FFFF;
*flags |= PREFIX_SS_OVERRIDE;
get_real_instruction(addr + 1, index, flags);
break;
case 0x3e:
*index += 1;
*flags &= 0xFF00FFFF;
*flags |= PREFIX_DS_OVERRIDE;
get_real_instruction(addr + 1, index, flags);
break;
case 0x26:
*index += 1;
*flags &= 0xFF00FFFF;
*flags |= PREFIX_ES_OVERRIDE;
get_real_instruction(addr + 1, index, flags);
break;
case 0x64:
*index += 1;
*flags &= 0xFF00FFFF;
*flags |= PREFIX_FS_OVERRIDE;
get_real_instruction(addr + 1, index, flags);
break;
case 0x65:
*index += 1;
*flags &= 0xFF00FFFF;
*flags |= PREFIX_GS_OVERRIDE;
get_real_instruction(addr + 1, index, flags);
break;
// Prefix group 3 or 3-byte opcode
case 0x66:
// Do not clear flags from the same group!!!!
*index += 1;
*flags |= PREFIX_OPERAND_SIZE_OVERRIDE;
get_real_instruction(addr + 1, index, flags);
break;
// Prefix group 4
case 0x67:
// Do not clear flags from the same group!!!!
*index += 1;
*flags |= PREFIX_ADDR_SIZE_OVERRIDE;
get_real_instruction(addr + 1, index, flags);
break;
// Extension group 1
case 0x80:
case 0x81:
case 0x82:
case 0x83:
*flags |= EXT_G1;
break;
// Extension group 2
case 0xc0:
case 0xc1:
case 0xd0:
case 0xd1:
case 0xd2:
case 0xd3:
*flags |= EXT_G2;
break;
// Escape to co-processor
case 0xd8:
case 0xd9:
case 0xda:
case 0xdb:
case 0xdc:
case 0xdd:
case 0xde:
case 0xdf:
*index += 1;
*flags |= EXT_CP;
break;
// Prefix group 1 or 3-byte opcode
case 0xf0:
*index += 1;
*flags &= 0x00FFFFFF;
*flags |= PREFIX_LOCK;
get_real_instruction(addr + 1, index, flags);
break;
case 0xf2:
*index += 1;
*flags &= 0x00FFFFFF;
*flags |= PREFIX_REPNE;
get_real_instruction(addr + 1, index, flags);
break;
case 0xf3:
*index += 1;
*flags &= 0x00FFFFFF;
*flags |= PREFIX_REP;
get_real_instruction(addr + 1, index, flags);
break;
// Extension group 3
case 0xf6:
case 0xf7:
*flags |= EXT_G3;
break;
// Extension group 4
case 0xfe:
*flags |= EXT_G4;
break;
// Extension group 5
case 0xff:
*flags |= EXT_G5;
break;
default:
break;
}
return 0;
}
// Parse operand and fill OPERAND structure
int get_operand(PINST inst, int oflags, PINSTRUCTION instruction,
POPERAND op, BYTE *data, int offset, enum Mode mode, int iflags) {
BYTE *addr = data + offset;
int index = 0, sib = 0, scale = 0;
int reg = REG_NOP;
int basereg = REG_NOP;
int indexreg = REG_NOP;
int dispbytes = 0;
enum Mode pmode;
// Is this valid operand?
if (oflags == FLAGS_NONE) {
op->type = OPERAND_TYPE_NONE;
return 1;
}
// Copy flags
op->flags = oflags;
// Set operand registers
op->reg = REG_NOP;
op->basereg = REG_NOP;
op->indexreg = REG_NOP;
// Offsets
op->dispoffset = 0;
op->immoffset = 0;
// Parse modrm and sib
if (inst->modrm) {
// 32-bit mode
if (((mode == MODE_32) && (MASK_PREFIX_ADDR(iflags) == 0)) ||
((mode == MODE_16) && (MASK_PREFIX_ADDR(iflags) == 1)))
pmode = MODE_32;
else
pmode = MODE_16;
// Update length only once!
if (!instruction->length) {
instruction->modrm = *addr;
instruction->length += 1;
}
// Register
reg = MASK_MODRM_REG(*addr);
// Displacement bytes
// SIB can also specify additional displacement, see below
if (MASK_MODRM_MOD(*addr) == 0) {
if ((pmode == MODE_32) && (MASK_MODRM_RM(*addr) == REG_EBP))
dispbytes = 4;
if ((pmode == MODE_16) && (MASK_MODRM_RM(*addr) == REG_ESI))
dispbytes = 2;
} else if (MASK_MODRM_MOD(*addr) == 1) {
dispbytes = 1;
} else if (MASK_MODRM_MOD(*addr) == 2) {
dispbytes = (pmode == MODE_32) ? 4 : 2;
}
// Base and index registers
// 32-bit mode
if (pmode == MODE_32) {
if ((MASK_MODRM_RM(*addr) == REG_ESP) &&
(MASK_MODRM_MOD(*addr) != 3)) {
sib = 1;
instruction->sib = *(addr + 1);
// Update length only once!
if (instruction->length == 1) {
instruction->sib = *(addr + 1);
instruction->length += 1;
}
basereg = MASK_SIB_BASE( *(addr + 1));
indexreg = MASK_SIB_INDEX(*(addr + 1));
scale = MASK_SIB_SCALE(*(addr + 1)) * 2;
// Fix scale *8
if (scale == 6)
scale += 2;
// Special case where base=ebp and MOD = 0
if ((basereg == REG_EBP) && !MASK_MODRM_MOD(*addr)) {
basereg = REG_NOP;
dispbytes = 4;
}
if (indexreg == REG_ESP)
indexreg = REG_NOP;
} else {
if (!MASK_MODRM_MOD(*addr) && (MASK_MODRM_RM(*addr) == REG_EBP))
basereg = REG_NOP;
else
basereg = MASK_MODRM_RM(*addr);
}
// 16-bit
} else {
switch (MASK_MODRM_RM(*addr)) {
case 0:
basereg = REG_EBX;
indexreg = REG_ESI;
break;
case 1:
basereg = REG_EBX;
indexreg = REG_EDI;
break;
case 2:
basereg = REG_EBP;
indexreg = REG_ESI;
break;
case 3:
basereg = REG_EBP;
indexreg = REG_EDI;
break;
case 4:
basereg = REG_ESI;
indexreg = REG_NOP;
break;
case 5:
basereg = REG_EDI;
indexreg = REG_NOP;
break;
case 6:
if (!MASK_MODRM_MOD(*addr))
basereg = REG_NOP;
else
basereg = REG_EBP;
indexreg = REG_NOP;
break;
case 7:
basereg = REG_EBX;
indexreg = REG_NOP;
break;
}
if (MASK_MODRM_MOD(*addr) == 3) {
basereg = MASK_MODRM_RM(*addr);
indexreg = REG_NOP;
}
}
}
// Operand addressing mode -specific parsing
switch (MASK_AM(oflags)) {
// Register encoded in instruction
case AM_REG:
op->type = OPERAND_TYPE_REGISTER;
op->reg = MASK_REG(oflags);
break;
// Register/memory encoded in MODRM
case AM_M:
if (MASK_MODRM_MOD(*addr) == 3)
return 0;
goto skip_rest;
case AM_R:
if (MASK_MODRM_MOD(*addr) != 3)
return 0;
skip_rest:
case AM_Q:
case AM_W:
case AM_E:
op->type = OPERAND_TYPE_MEMORY;
op->dispbytes = dispbytes;
instruction->dispbytes = dispbytes;
op->basereg = basereg;
op->indexreg = indexreg;
op->scale = scale;
index = (sib) ? 1 : 0;
if (dispbytes)
op->dispoffset = index + 1 + offset;
switch (dispbytes) {
case 0:
break;
case 1:
op->displacement = FETCH8(addr + 1 + index);
// Always sign-extend
if (op->displacement >= 0x80)
op->displacement |= 0xffffff00;
break;
case 2:
op->displacement = FETCH16(addr + 1 + index);
// Malformed opcode
if (op->displacement < 0x80)
return 0;
break;
case 4:
op->displacement = FETCH32(addr + 1 + index);
// XXX: problems with [index*scale + disp] addressing
//if (op->displacement < 0x80)
// return 0;
break;
}
// MODRM defines register
if ((basereg != REG_NOP) && (MASK_MODRM_MOD(*addr) == 3)) {
op->type = OPERAND_TYPE_REGISTER;
op->reg = basereg;
}
break;
// Immediate byte 1 encoded in instruction
case AM_I1:
op->type = OPERAND_TYPE_IMMEDIATE;
op->immbytes = 1;
op->immediate = 1;
break;
// Immediate value
case AM_J:
op->type = OPERAND_TYPE_IMMEDIATE;
// Always sign-extend
oflags |= F_s;
case AM_I:
op->type = OPERAND_TYPE_IMMEDIATE;
index = (inst->modrm) ? 1 : 0;
index += (sib) ? 1 : 0;
index += instruction->immbytes;
index += instruction->dispbytes;
op->immoffset = index + offset;
// 32-bit mode
if (((mode == MODE_32) && (MASK_PREFIX_OPERAND(iflags) == 0)) ||
((mode == MODE_16) && (MASK_PREFIX_OPERAND(iflags) == 1)))
mode = MODE_32;
else
mode = MODE_16;
switch (MASK_OT(oflags)) {
case OT_b:
op->immbytes = 1;
op->immediate = FETCH8(addr + index);
if ((op->immediate >= 0x80) &&
(MASK_FLAGS(oflags) == F_s))
op->immediate |= 0xffffff00;
break;
case OT_v:
op->immbytes = (mode == MODE_32) ?
4 : 2;
op->immediate = (mode == MODE_32) ?
FETCH32(addr + index) :
FETCH16(addr + index);
break;
case OT_w:
op->immbytes = 2;
op->immediate = FETCH16(addr + index);
break;
}
instruction->immbytes += op->immbytes;
break;
// 32-bit or 48-bit address
case AM_A:
op->type = OPERAND_TYPE_IMMEDIATE;
// 32-bit mode
if (((mode == MODE_32) && (MASK_PREFIX_OPERAND(iflags) == 0)) ||
((mode == MODE_16) && (MASK_PREFIX_OPERAND(iflags) == 1)))
mode = MODE_32;
else
mode = MODE_16;
op->dispbytes = (mode == MODE_32) ? 6 : 4;
op->displacement = (mode == MODE_32) ?
FETCH32(addr) : FETCH16(addr);
op->section = FETCH16(addr + op->dispbytes - 2);
instruction->dispbytes = op->dispbytes;
instruction->sectionbytes = 2;
break;
// Plain displacement without MODRM/SIB
case AM_O:
op->type = OPERAND_TYPE_MEMORY;
switch (MASK_OT(oflags)) {
case OT_b:
op->dispbytes = 1;
op->displacement = FETCH8(addr);
break;
case OT_v:
op->dispbytes = (mode == MODE_32) ? 4 : 2;
op->displacement = (mode == MODE_32) ?
FETCH32(addr) : FETCH16(addr);
break;
}
instruction->dispbytes = op->dispbytes;
op->dispoffset = offset;
break;
// General-purpose register encoded in MODRM
case AM_G:
op->type = OPERAND_TYPE_REGISTER;
op->reg = reg;
break;
// control register encoded in MODRM
case AM_C:
// debug register encoded in MODRM
case AM_D:
// Segment register encoded in MODRM
case AM_S:
// TEST register encoded in MODRM
case AM_T:
// MMX register encoded in MODRM
case AM_P:
// XMM register encoded in MODRM
case AM_V:
op->type = OPERAND_TYPE_REGISTER;
op->reg = MASK_MODRM_REG(instruction->modrm);
break;
}
return 1;
}
// Print operand string
#if !defined NOSTR
int get_operand_string(INSTRUCTION *inst, OPERAND *op,
enum Format format, DWORD offset, char *string, int length) {
enum Mode mode;
int regtype = 0;
DWORD tmp;
memset(string, 0, length);
if (op->type == OPERAND_TYPE_REGISTER) {
// 32-bit mode
if (((inst->mode == MODE_32) && (MASK_PREFIX_OPERAND(inst->flags) == 0)) ||
((inst->mode == MODE_16) && (MASK_PREFIX_OPERAND(inst->flags) == 1)))
mode = MODE_32;
else
mode = MODE_16;
if (format == FORMAT_ATT)
snprintf(string + strlen(string), length - strlen(string), "%%");
// Determine register type
switch (MASK_AM(op->flags)) {
case AM_REG:
if (MASK_FLAGS(op->flags) == F_r)
regtype = REG_SEGMENT;
else if (MASK_FLAGS(op->flags) == F_f)
regtype = REG_FPU;
else
regtype = REG_GEN_DWORD;
break;
case AM_E:
case AM_G:
case AM_R:
regtype = REG_GEN_DWORD;
break;
// control register encoded in MODRM
case AM_C:
regtype = REG_CONTROL;
break;
// debug register encoded in MODRM
case AM_D:
regtype = REG_DEBUG;
break;
// Segment register encoded in MODRM
case AM_S:
regtype = REG_SEGMENT;
break;
// TEST register encoded in MODRM
case AM_T:
regtype = REG_TEST;
break;
// MMX register encoded in MODRM
case AM_P:
case AM_Q:
regtype = REG_MMX;
break;
// XMM register encoded in MODRM
case AM_V:
case AM_W:
regtype = REG_XMM;
break;
}
if (regtype == REG_GEN_DWORD) {
switch (MASK_OT(op->flags)) {
case OT_b:
snprintf(string + strlen(string), length - strlen(string),
"%s", reg_table[REG_GEN_BYTE][op->reg]);
break;
case OT_v:
snprintf(string + strlen(string), length - strlen(string),
"%s", (mode == MODE_32) ?
reg_table[REG_GEN_DWORD][op->reg] :
reg_table[REG_GEN_WORD][op->reg]);
break;
case OT_w:
snprintf(string + strlen(string), length - strlen(string),
"%s", reg_table[REG_GEN_WORD][op->reg]);
break;
case OT_d:
snprintf(string + strlen(string), length - strlen(string),
"%s", reg_table[REG_GEN_DWORD][op->reg]);
break;
}
} else
snprintf(string + strlen(string), length - strlen(string),
"%s", reg_table[regtype][op->reg]);
} else if (op->type == OPERAND_TYPE_MEMORY) {
// 32-bit mode
if (((inst->mode == MODE_32) && (MASK_PREFIX_ADDR(inst->flags) == 0)) ||
((inst->mode == MODE_16) && (MASK_PREFIX_ADDR(inst->flags) == 1)))
mode = MODE_32;
else
mode = MODE_16;
// Segment register prefix (only in memory operands)
if (MASK_PREFIX_G2(inst->flags)) {
if (format == FORMAT_ATT)
snprintf(string + strlen(string),
length - strlen(string), "%%");
snprintf(string + strlen(string), length - strlen(string),
"%s:", reg_table[REG_SEGMENT][(MASK_PREFIX_G2(inst->flags)) - 1]);
}
// Displacement in ATT
if (op->dispbytes && (format == FORMAT_ATT))
snprintf(string + strlen(string), length - strlen(string),
"0x%x", op->displacement);
// Open memory addressing brackets
snprintf(string + strlen(string), length - strlen(string),
"%s", (format == FORMAT_ATT) ? "(" : "[");
// Base register
if (op->basereg != REG_NOP) {
snprintf(string + strlen(string), length - strlen(string),
"%s%s", (format == FORMAT_ATT) ? "%" : "",
(mode == MODE_32) ?
reg_table[REG_GEN_DWORD][op->basereg] :
reg_table[REG_GEN_WORD][op->basereg]);
}
// Index register
if (op->indexreg != REG_NOP) {
if (op->basereg != REG_NOP)
snprintf(string + strlen(string), length - strlen(string),
"%s%s", (format == FORMAT_ATT) ? ",%" : "+",
(mode == MODE_32) ?
reg_table[REG_GEN_DWORD][op->indexreg] :
reg_table[REG_GEN_WORD][op->indexreg]);
else
snprintf(string + strlen(string), length - strlen(string),
"%s%s", (format == FORMAT_ATT) ? "%" : "",
(mode == MODE_32) ?
reg_table[REG_GEN_DWORD][op->indexreg] :
reg_table[REG_GEN_WORD][op->indexreg]);
switch (op->scale) {
case 2:
snprintf(string + strlen(string), length - strlen(string),
"%s", (format == FORMAT_ATT) ?
",2" : "*2");
break;
case 4:
snprintf(string + strlen(string), length - strlen(string),
"%s", (format == FORMAT_ATT) ?
",4" : "*4");
break;
case 8:
snprintf(string + strlen(string), length - strlen(string),
"%s", (format == FORMAT_ATT) ?
",8" : "*8");
break;
}
}
// INTEL displacement
if (inst->dispbytes && (format != FORMAT_ATT)) {
if ((op->basereg != REG_NOP) || (op->indexreg != REG_NOP)) {
// Negative displacement
if (op->displacement & (1<<(op->dispbytes*8-1))) {
tmp = op->displacement;
switch (op->dispbytes) {
case 1:
tmp = ~tmp & 0xff;
break;
case 2:
tmp = ~tmp & 0xffff;
break;
case 4:
tmp = ~tmp;
break;
}
snprintf(string + strlen(string),
length - strlen(string),
"-0x%x", tmp + 1);
// Positive displacement
} else
snprintf(string + strlen(string),
length - strlen(string),
"+0x%x", op->displacement);
// Plain displacement
} else {
snprintf(string + strlen(string),
length - strlen(string),
"0x%x", op->displacement);
}
}
// Close memory addressing brackets
snprintf(string + strlen(string), length - strlen(string),
"%s", (format == FORMAT_ATT) ? ")" : "]");
} else if (op->type == OPERAND_TYPE_IMMEDIATE) {
// 32-bit mode
if (((inst->mode == MODE_32) && (MASK_PREFIX_OPERAND(inst->flags) == 0)) ||
((inst->mode == MODE_16) && (MASK_PREFIX_OPERAND(inst->flags) == 1)))
mode = MODE_32;
else
mode = MODE_16;
switch (MASK_AM(op->flags)) {
case AM_J:
snprintf(string + strlen(string), length - strlen(string),
"0x%x", op->immediate + inst->length + offset);
break;
case AM_I1:
case AM_I:
if (format == FORMAT_ATT)
snprintf(string + strlen(string), length - strlen(string), "$");
snprintf(string + strlen(string), length - strlen(string),
"0x%x", op->immediate);
break;
// 32-bit or 48-bit address
case AM_A:
snprintf(string + strlen(string), length - strlen(string),
"%s0x%x:%s0x%x",
(format == FORMAT_ATT) ? "$" : "",
op->section,
(format == FORMAT_ATT) ? "$" : "",
op->displacement);
break;
}
} else
return 0;
return 1;
}
#endif
// Fetch instruction
int get_instruction(PINSTRUCTION inst, BYTE *addr, enum Mode mode) {
PINST ptr;
int index = 0;
int flags = 0;
const char *ext = NULL;
memset(inst, 0, sizeof(INSTRUCTION));
// Parse flags, skip prefixes etc.
get_real_instruction(addr, &index, &flags);
// Select instruction table
// FPU opcodes
if (MASK_EXT(flags) == EXT_CP) {
if (*(addr + index) < 0xc0) {
// MODRM byte adds the additional byte
index--;
inst->fpuindex = *(addr + index) - 0xd8;
inst->opcode = *(addr + index + 1);
ptr = &inst_table4[inst->fpuindex]
[MASK_MODRM_REG(inst->opcode)];
} else {
inst->fpuindex = *(addr + index - 1) - 0xd8;
inst->opcode = *(addr + index);
ptr = &inst_table4[inst->fpuindex]
[inst->opcode - 0xb8];
}
// 2 or 3-byte opcodes
} else if (MASK_EXT(flags) == EXT_T2) {
inst->opcode = *(addr + index);
get_real_instruction2(addr + index, &flags);
// 3-byte opcode tables
// prefix 0x66
if (MASK_PREFIX_OPERAND(flags) == 1) {
ptr = &inst_table3_66[inst->opcode];
// prefix 0xf2
} else if (MASK_PREFIX_G1(flags) == 2) {
ptr = &inst_table3_f2[inst->opcode];
// prefix 0xf3
} else if (MASK_PREFIX_G1(flags) == 3) {
ptr = &inst_table3_f3[inst->opcode];
// normal 2-byte opcode table
} else {
ptr = &inst_table2[inst->opcode];
}
// extension group 3 "test" (<-- stupid hack)
} else if ((MASK_EXT(flags) == EXT_G3) &&
!MASK_MODRM_REG(*(addr + index + 1))) {
inst->opcode = *(addr + index);
ptr = &inst_table_test[inst->opcode - 0xf6];
// finally, the default 1-byte opcode table
} else {
inst->opcode = *(addr + index);
ptr = &inst_table1[inst->opcode];
}
// Illegal instruction
if (!ptr->mnemonic) return 0;
// Copy instruction type
inst->type = ptr->type;
// Pointer to instruction table
inst->ptr = ptr;
// Index points now to first byte after prefixes/escapes
index++;
// Opcode extensions
if (MASK_EXT(flags) && (MASK_EXT(flags) < EXT_T2)) {
inst->extindex = MASK_MODRM_REG(*(addr + index));
ext = ext_name_table[(MASK_EXT(flags)) - 1][inst->extindex];
if (ext == NULL)
return 0;
/*
* Copy instruction type from extension table
* except for groups 12-14. These are special groups
* that are either MMX/SSE instructions. For these,
* just use the type in INST structure.
*
*/
if ((MASK_EXT(flags) < 12) || (MASK_EXT(flags) > 14))
inst->type =
ext_type_table[(MASK_EXT(flags)) - 1][inst->extindex];
}
// Parse operands
if (!get_operand(ptr, ptr->flags1, inst, &inst->op1, addr, index,
mode, flags))
return 0;
if (!get_operand(ptr, ptr->flags2, inst, &inst->op2, addr, index,
mode, flags))
return 0;
if (!get_operand(ptr, ptr->flags3, inst, &inst->op3, addr, index,
mode, flags))
return 0;
// Add modrm/sib, displacement and immediate bytes in size
inst->length += index + inst->immbytes + inst->dispbytes;
// Copy addressing mode
inst->mode = mode;
// Copy instruction flags
inst->flags = flags;
return inst->length;
}
// Print instruction mnemonic
#if !defined NOSTR
int get_mnemonic_string(INSTRUCTION *inst, enum Format format, char *string, int length) {
const char *ext;
memset(string, 0, length);
// Segment override
if (MASK_PREFIX_G2(inst->flags) &&
(inst->op1.type != OPERAND_TYPE_MEMORY) &&
(inst->op2.type != OPERAND_TYPE_MEMORY))
snprintf(string + strlen(string), length - strlen(string),
"%s ", reg_table[REG_SEGMENT][(MASK_PREFIX_G2(inst->flags)) - 1]);
// Rep, lock etc.
if (MASK_PREFIX_G1(inst->flags) &&
(MASK_EXT(inst->flags) != EXT_T2))
snprintf(string + strlen(string), length - strlen(string),
"%s", rep_table[(MASK_PREFIX_G1(inst->flags)) - 1]);
// Opcode extensions
if (MASK_EXT(inst->flags) &&
(MASK_EXT(inst->flags) != EXT_T2) &&
(MASK_EXT(inst->flags) != EXT_CP)) {
ext = ext_name_table[(MASK_EXT(inst->flags)) - 1][inst->extindex];
snprintf(string + strlen(string), length - strlen(string),
"%s", ext);
} else {
snprintf(string + strlen(string), length - strlen(string),
"%s", inst->ptr->mnemonic);
}
gitextract_9k0zxvbv/
├── .gitattributes
├── .gitignore
├── CheckKernelEATHook/
│ ├── CheckKernelHook/
│ │ ├── CheckKernelHook/
│ │ │ ├── AddService.cpp
│ │ │ ├── AddService.h
│ │ │ ├── CheckKernelHook.aps
│ │ │ ├── CheckKernelHook.cpp
│ │ │ ├── CheckKernelHook.h
│ │ │ ├── CheckKernelHook.rc
│ │ │ ├── CheckKernelHook.vcxproj
│ │ │ ├── CheckKernelHook.vcxproj.filters
│ │ │ ├── CheckKernelHookDlg.cpp
│ │ │ ├── CheckKernelHookDlg.h
│ │ │ ├── res/
│ │ │ │ ├── CheckKernelHook.rc2
│ │ │ │ └── ReadMe.txt
│ │ │ ├── resource.h
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── CheckKernelHook.sln
│ ├── CheckKernelHookDrv/
│ │ ├── CheckKernelHook/
│ │ │ ├── CheckKernelHook.vcxproj
│ │ │ ├── CheckKernelHook.vcxproj.filters
│ │ │ ├── Common.c
│ │ │ ├── Common.h
│ │ │ ├── DriverEntry.c
│ │ │ ├── DriverEntry.h
│ │ │ ├── FileSystem.c
│ │ │ ├── FileSystem.h
│ │ │ ├── FixRelocation.c
│ │ │ ├── FixRelocation.h
│ │ │ ├── KernelHookCheck.c
│ │ │ ├── KernelHookCheck.h
│ │ │ ├── KernelReload.c
│ │ │ ├── KernelReload.h
│ │ │ ├── ReadMe.txt
│ │ │ ├── Reload.c
│ │ │ ├── Reload.h
│ │ │ ├── libdasm.c
│ │ │ ├── libdasm.h
│ │ │ ├── sources
│ │ │ └── tables.h
│ │ └── CheckKernelHook.sln
│ └── ReadMe.txt
├── GetKernel32Addressx64/
│ ├── GetKernel32Addressx64/
│ │ ├── GetKernel32Addressx64.cpp
│ │ ├── GetKernel32Addressx64.h
│ │ ├── GetKernel32Addressx64.rc
│ │ ├── GetKernel32Addressx64.vcxproj
│ │ ├── GetKernel32Addressx64.vcxproj.filters
│ │ ├── GetPeb.asm
│ │ ├── Resource.h
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ ├── GetKernel32Addressx64.sln
│ └── ReadMe.txt
├── HideProcess/
│ ├── HideProcess.c
│ ├── HideProcess.h
│ ├── HideProcess.sln
│ ├── HideProcess.vcxproj
│ ├── ReadMe.txt
│ ├── common.h
│ ├── readme.txt
│ ├── sources
│ └── struct.h
├── HookDeviceIocontrlFile/
│ ├── HookDeviceIoControlFile/
│ │ └── HookDeviceIoControlFile/
│ │ ├── HookDeviceIoControlFile/
│ │ │ ├── HookDeviceIoControlFile.vcproj
│ │ │ ├── TlHelp32.h
│ │ │ ├── analyzer.cpp
│ │ │ ├── analyzer.h
│ │ │ ├── binres.rc
│ │ │ ├── common.cpp
│ │ │ ├── common.h
│ │ │ ├── dbgsdk/
│ │ │ │ ├── inc/
│ │ │ │ │ ├── dbgeng.h
│ │ │ │ │ ├── dbghelp.h
│ │ │ │ │ ├── engextcpp.cpp
│ │ │ │ │ ├── engextcpp.hpp
│ │ │ │ │ ├── extsfns.h
│ │ │ │ │ └── wdbgexts.h
│ │ │ │ └── lib/
│ │ │ │ ├── amd64/
│ │ │ │ │ ├── dbgeng.lib
│ │ │ │ │ ├── dbghelp.lib
│ │ │ │ │ └── engextcpp.lib
│ │ │ │ ├── i386/
│ │ │ │ │ ├── dbgeng.lib
│ │ │ │ │ ├── dbghelp.lib
│ │ │ │ │ └── engextcpp.lib
│ │ │ │ └── ia64/
│ │ │ │ ├── dbgeng.lib
│ │ │ │ ├── dbghelp.lib
│ │ │ │ └── engextcpp.lib
│ │ │ ├── debug.cpp
│ │ │ ├── debug.h
│ │ │ ├── default.manifest
│ │ │ ├── drvcomm.h
│ │ │ ├── ioctlfuzzer.cpp
│ │ │ ├── ioctlfuzzer.log
│ │ │ ├── ioctlfuzzer.rc
│ │ │ ├── lib/
│ │ │ │ ├── amd64/
│ │ │ │ │ └── comsupp.lib
│ │ │ │ └── comsupp.lib
│ │ │ ├── ntdll_defs.h
│ │ │ ├── options.h
│ │ │ ├── resource.h
│ │ │ ├── service.cpp
│ │ │ ├── service.h
│ │ │ ├── stdafx.h
│ │ │ ├── symbols.cpp
│ │ │ ├── symbols.h
│ │ │ ├── undocnt.h
│ │ │ ├── xml.cpp
│ │ │ └── xml.h
│ │ ├── HookDeviceIoControlFile.sln
│ │ └── ioctlfuzzer.xml
│ ├── HookDeviceIoControlFileDrv/
│ │ ├── HookDeviceIoControlFile/
│ │ │ ├── HookDeviceIoControlFile.vcproj
│ │ │ ├── common.c
│ │ │ ├── common.h
│ │ │ ├── common_asm.h
│ │ │ ├── common_change_asm.cpp
│ │ │ ├── debug.c
│ │ │ ├── debug.h
│ │ │ ├── driver.c
│ │ │ ├── driver.h
│ │ │ ├── drvcomm.h
│ │ │ ├── extern.h
│ │ │ ├── handlers.c
│ │ │ ├── handlers.h
│ │ │ ├── hook.c
│ │ │ ├── hook.h
│ │ │ ├── log.c
│ │ │ ├── log.h
│ │ │ ├── lst.c
│ │ │ ├── lst.h
│ │ │ ├── options.h
│ │ │ ├── rng.c
│ │ │ ├── rng.h
│ │ │ ├── rules.c
│ │ │ ├── rules.h
│ │ │ ├── sources
│ │ │ ├── stdafx.h
│ │ │ ├── udis86/
│ │ │ │ ├── build.bat
│ │ │ │ ├── build64.bat
│ │ │ │ ├── extern.h
│ │ │ │ ├── itab.h
│ │ │ │ ├── makefile.inc
│ │ │ │ ├── makefile_amd64
│ │ │ │ ├── makefile_i386
│ │ │ │ ├── src/
│ │ │ │ │ ├── decode.c
│ │ │ │ │ ├── decode.h
│ │ │ │ │ ├── extern.h
│ │ │ │ │ ├── input.c
│ │ │ │ │ ├── input.h
│ │ │ │ │ ├── itab.c
│ │ │ │ │ ├── itab.h
│ │ │ │ │ ├── syn-att.c
│ │ │ │ │ ├── syn-intel.c
│ │ │ │ │ ├── syn.c
│ │ │ │ │ ├── syn.h
│ │ │ │ │ ├── types.h
│ │ │ │ │ └── udis86.c
│ │ │ │ ├── types.h
│ │ │ │ ├── udis86_amd64.lib
│ │ │ │ └── udis86_i386.lib
│ │ │ ├── undocnt.h
│ │ │ └── version.rc
│ │ └── HookDeviceIoControlFile.sln
│ └── ReadMe.txt
├── Inject/
│ ├── CreateRemoteThread/
│ │ ├── CreateRemoteThread/
│ │ │ ├── CreateRemoteThread.cpp
│ │ │ ├── CreateRemoteThread.h
│ │ │ ├── CreateRemoteThread.rc
│ │ │ ├── CreateRemoteThread.vcxproj
│ │ │ ├── CreateRemoteThread.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── Resource.h
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ ├── CreateRemoteThread.sln
│ │ └── ReadMe.txt
│ ├── ExtraWindowInject/
│ │ ├── README.md
│ │ └── src/
│ │ ├── CMakeLists.txt
│ │ ├── add_apc.h
│ │ ├── add_thread.h
│ │ ├── createproc.h
│ │ ├── enumproc.h
│ │ ├── kernel32_undoc.h
│ │ ├── main.cpp
│ │ ├── main.h
│ │ ├── map_buffer_into_process.h
│ │ ├── ntddk.h
│ │ ├── ntdll_undoc.h
│ │ ├── patch_context.h
│ │ ├── patch_ep.h
│ │ ├── payload.h
│ │ ├── pe_hdrs_helper.cpp
│ │ ├── pe_hdrs_helper.h
│ │ ├── sysutil.cpp
│ │ ├── sysutil.h
│ │ ├── target_util.h
│ │ ├── util.h
│ │ ├── window_long_inject.cpp
│ │ └── window_long_inject.h
│ ├── Process-Hollowing/
│ │ ├── Readme.txt
│ │ └── sourcecode/
│ │ ├── HelloWorld/
│ │ │ ├── HelloWorld.cpp
│ │ │ ├── HelloWorld.vcproj
│ │ │ ├── HelloWorld.vcxproj
│ │ │ ├── HelloWorld.vcxproj.filters
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ ├── ProcessHollowing/
│ │ │ ├── PE.cpp
│ │ │ ├── PE.h
│ │ │ ├── ProcessHollowing.cpp
│ │ │ ├── ProcessHollowing.vcproj
│ │ │ ├── ProcessHollowing.vcxproj
│ │ │ ├── ProcessHollowing.vcxproj.filters
│ │ │ ├── internals.h
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── ProcessHollowing.sln
│ ├── ProcessDoppelgänging/
│ │ ├── .gitignore
│ │ ├── LICENSE.md
│ │ ├── MalExe/
│ │ │ ├── MalExe.vcxproj
│ │ │ ├── MalExe.vcxproj.filters
│ │ │ └── main.c
│ │ ├── README.md
│ │ ├── processrefund/
│ │ │ ├── main.c
│ │ │ ├── ntdefs.h
│ │ │ ├── processrefund.vcxproj
│ │ │ └── processrefund.vcxproj.filters
│ │ └── processrefund.sln
│ ├── ReflectiveDLLInjection/
│ │ ├── ReadMe.txt
│ │ ├── dll/
│ │ │ ├── reflective_dll.sln
│ │ │ ├── reflective_dll.vcxproj
│ │ │ ├── reflective_dll.vcxproj.filters
│ │ │ └── src/
│ │ │ ├── ReflectiveDLLInjection.h
│ │ │ ├── ReflectiveDll.c
│ │ │ ├── ReflectiveLoader.c
│ │ │ └── ReflectiveLoader.h
│ │ └── inject/
│ │ ├── inject.sln
│ │ ├── inject.vcxproj
│ │ ├── inject.vcxproj.filters
│ │ └── src/
│ │ ├── GetProcAddressR.c
│ │ ├── GetProcAddressR.h
│ │ ├── Inject.c
│ │ ├── LoadLibraryR.c
│ │ ├── LoadLibraryR.h
│ │ └── ReflectiveDLLInjection.h
│ ├── SetThreadContext/
│ │ ├── InjectDllBySetThreadContextx64/
│ │ │ ├── InjectDllBySetThreadContextx64.cpp
│ │ │ ├── InjectDllBySetThreadContextx64.vcxproj
│ │ │ ├── InjectDllBySetThreadContextx64.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ ├── InjectDllBySetThreadContextx64.sln
│ │ └── ReadMe.txt
│ ├── SetWindowsHookEx/
│ │ ├── ReadMe.txt
│ │ ├── SetWindowsHookEx/
│ │ │ ├── SetWindowsHookEx.cpp
│ │ │ ├── SetWindowsHookEx.vcxproj
│ │ │ ├── SetWindowsHookEx.vcxproj.filters
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── SetWindowsHookEx.sln
│ ├── UserApcInject/
│ │ ├── ReadMe.txt
│ │ ├── UserAPC/
│ │ │ ├── Resource.h
│ │ │ ├── UserAPC.cpp
│ │ │ ├── UserAPC.h
│ │ │ ├── UserAPC.rc
│ │ │ ├── UserAPC.vcxproj
│ │ │ ├── UserAPC.vcxproj.filters
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── UserAPC.sln
│ ├── atom-bombing-master/
│ │ ├── .gitignore
│ │ ├── AtomBombing/
│ │ │ ├── AtomBombing.vcxproj
│ │ │ ├── AtomBombing.vcxproj.filters
│ │ │ └── main.cpp
│ │ ├── AtomBombing.sln
│ │ ├── AtomBombingShellcode/
│ │ │ ├── AtomBombingShellcode.vcxproj
│ │ │ ├── AtomBombingShellcode.vcxproj.filters
│ │ │ ├── Scripts/
│ │ │ │ └── Post_Link.py
│ │ │ └── main.c
│ │ └── README.md
│ └── herpaderping-main/
│ ├── .gitignore
│ ├── .gitmodules
│ ├── LICENSE
│ ├── README.md
│ ├── _config.yml
│ ├── ext/
│ │ └── submodules/
│ │ ├── phnt/
│ │ │ ├── LICENSE
│ │ │ ├── README.md
│ │ │ ├── ntdbg.h
│ │ │ ├── ntexapi.h
│ │ │ ├── ntgdi.h
│ │ │ ├── ntioapi.h
│ │ │ ├── ntkeapi.h
│ │ │ ├── ntldr.h
│ │ │ ├── ntlpcapi.h
│ │ │ ├── ntmisc.h
│ │ │ ├── ntmmapi.h
│ │ │ ├── ntnls.h
│ │ │ ├── ntobapi.h
│ │ │ ├── ntpebteb.h
│ │ │ ├── ntpfapi.h
│ │ │ ├── ntpnpapi.h
│ │ │ ├── ntpoapi.h
│ │ │ ├── ntpsapi.h
│ │ │ ├── ntregapi.h
│ │ │ ├── ntrtl.h
│ │ │ ├── ntsam.h
│ │ │ ├── ntseapi.h
│ │ │ ├── ntsmss.h
│ │ │ ├── nttmapi.h
│ │ │ ├── nttp.h
│ │ │ ├── ntwow64.h
│ │ │ ├── ntxcapi.h
│ │ │ ├── ntzwapi.h
│ │ │ ├── phnt.h
│ │ │ ├── phnt_ntdef.h
│ │ │ ├── phnt_windows.h
│ │ │ ├── subprocesstag.h
│ │ │ └── winsta.h
│ │ └── wil/
│ │ ├── com.h
│ │ ├── common.h
│ │ ├── cppwinrt.h
│ │ ├── filesystem.h
│ │ ├── registry.h
│ │ ├── resource.h
│ │ ├── result.h
│ │ ├── result_macros.h
│ │ ├── result_originate.h
│ │ ├── rpc_helpers.h
│ │ ├── safecast.h
│ │ ├── stl.h
│ │ ├── token_helpers.h
│ │ ├── win32_helpers.h
│ │ ├── winrt.h
│ │ ├── wistd_config.h
│ │ ├── wistd_functional.h
│ │ ├── wistd_memory.h
│ │ ├── wistd_type_traits.h
│ │ └── wrl.h
│ ├── herpaderping.sln
│ └── source/
│ └── ProcessHerpaderping/
│ ├── ProcessHerpaderping.vcxproj
│ ├── ProcessHerpaderping.vcxproj.filters
│ ├── herpaderp.cpp
│ ├── herpaderp.hpp
│ ├── main.cpp
│ ├── pch.hpp
│ ├── res/
│ │ ├── resource.h
│ │ ├── resource.rc
│ │ └── version.h
│ ├── utils.cpp
│ └── utils.hpp
├── KernelHiddenExecute-master/
│ ├── .gitattributes
│ ├── KernelHiddenExcute/
│ │ ├── Head.h
│ │ ├── HiddenCallApiTransfer.h
│ │ ├── HiddenExecute.h
│ │ ├── HiddenFunctions.h
│ │ ├── KernelHiddenExcute.inf
│ │ ├── KernelHiddenExcute.vcxproj
│ │ ├── KernelHiddenExcute.vcxproj.filters
│ │ ├── MyDebugPrint.h
│ │ ├── PhysicalMemoryOperation.h
│ │ ├── SectionOperation.h
│ │ └── main.c
│ ├── KernelHiddenExcute.sln
│ └── LICENSE
├── LoadImageCallBack/
│ ├── Dll/
│ │ ├── Dll/
│ │ │ ├── Dll.cpp
│ │ │ ├── Dll.vcxproj
│ │ │ ├── Dll.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── dllmain.cpp
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── Dll.sln
│ ├── LoadImageCallBack/
│ │ ├── ModuleCallBack.c
│ │ ├── ModuleCallBack.h
│ │ ├── ModuleCallBack.sln
│ │ ├── ModuleCallBack.vcxproj
│ │ ├── ReadMe.txt
│ │ ├── common.h
│ │ ├── sources
│ │ └── struct.h
│ ├── ReadMe.txt
│ └── inject/
│ ├── Inject/
│ │ ├── Inject.cpp
│ │ ├── Inject.h
│ │ ├── Inject.rc
│ │ ├── Inject.vcxproj
│ │ ├── Inject.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── Resource.h
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ └── Inject.sln
├── MmLoadDriver/
│ ├── MemLoadDriver/
│ │ ├── MAKEFILE
│ │ ├── MemLoadDriver.c
│ │ ├── MemLoadDriver.h
│ │ ├── SOURCES
│ │ ├── main.c
│ │ ├── main.h
│ │ └── precomp.h
│ └── test/
│ ├── MAKEFILE
│ ├── SOURCES
│ ├── main.c
│ ├── main.h
│ └── precomp.h
├── ProcessManager/
│ ├── ProcessManager/
│ │ ├── CEnumProcess.cpp
│ │ ├── CEnumProcess.h
│ │ ├── Common.cpp
│ │ ├── Common.h
│ │ ├── Monitor.cpp
│ │ ├── Monitor.h
│ │ ├── MonitorProcess.cpp
│ │ ├── MonitorProcess.h
│ │ ├── ProcessManager.cpp
│ │ ├── ProcessManager.h
│ │ ├── ProcessManager.rc
│ │ ├── ProcessManager.vcxproj
│ │ ├── ProcessManager.vcxproj.filters
│ │ ├── ProcessManagerDlg.cpp
│ │ ├── ProcessManagerDlg.h
│ │ ├── res/
│ │ │ └── ProcessManager.rc2
│ │ ├── resource.h
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ ├── ProcessManager.sln
│ ├── ProcessManagerDrv/
│ │ ├── Common.c
│ │ ├── Common.h
│ │ ├── EnumProcess.c
│ │ ├── EnumProcess.h
│ │ ├── HideProcess.c
│ │ ├── HideProcess.h
│ │ ├── MonitorWin7.c
│ │ ├── MonitorWin7.h
│ │ ├── ProcessManagerDrv.c
│ │ ├── ProcessManagerDrv.h
│ │ ├── ProcessManagerDrv.vcxproj
│ │ ├── ProcessManagerDrv.vcxproj.filters
│ │ └── sources
│ └── ReadMe
├── ProtectFilex64/
│ ├── FileProtectX64.c
│ ├── FileProtectX64.h
│ ├── FileProtectX64.sln
│ ├── FileProtectX64.vcxproj
│ ├── ReadMe.txt
│ ├── common.h
│ ├── sources
│ └── struct.h
├── ProtectFilex86/
│ ├── FileProtectX86.c
│ ├── FileProtectX86.h
│ ├── FileProtectX86.sln
│ ├── FileProtectX86.vcxproj
│ ├── ReadMe.txt
│ ├── common.h
│ ├── sources
│ └── struct.h
├── ProtectProcessx64/
│ ├── ProtectProcessx64.c
│ ├── ProtectProcessx64.h
│ ├── ProtectProcessx64.sln
│ ├── ProtectProcessx64.vcxproj
│ ├── ReadMe.txt
│ ├── common.h
│ ├── sources
│ └── struct.h
├── README.md
├── ReloadKernel-XP/
│ ├── ReadMe.txt
│ ├── ReloadKernel/
│ │ ├── FileSystem.c
│ │ ├── FileSystem.h
│ │ ├── FixRelocation.c
│ │ ├── FixRelocation.h
│ │ ├── KernelReload.c
│ │ ├── KernelReload.h
│ │ ├── ReadMe.txt
│ │ ├── Reload.c
│ │ ├── Reload.h
│ │ ├── ReloadKernel.filters
│ │ ├── ReloadKernel.vcxproj
│ │ ├── ReloadKernel.vcxproj.filters
│ │ └── sources
│ └── ReloadKernel.sln
├── SSDT-SSSDT-Manager/
│ ├── EnumSSSDTManager/
│ │ ├── EnumSSSDTManager/
│ │ │ ├── EnumSSSDTManager.aps
│ │ │ ├── EnumSSSDTManager.cpp
│ │ │ ├── EnumSSSDTManager.h
│ │ │ ├── EnumSSSDTManager.idc
│ │ │ ├── EnumSSSDTManager.rc
│ │ │ ├── EnumSSSDTManager.vcxproj
│ │ │ ├── EnumSSSDTManager.vcxproj.filters
│ │ │ ├── EnumSSSDTManagerDlg.cpp
│ │ │ ├── EnumSSSDTManagerDlg.h
│ │ │ ├── OpenDevice.cpp
│ │ │ ├── OpenDevice.h
│ │ │ ├── SSDT.cpp
│ │ │ ├── SSDT.h
│ │ │ ├── SSDTFunc.h
│ │ │ ├── SSSDT.cpp
│ │ │ ├── SSSDT.h
│ │ │ ├── SSSDTFunc.h
│ │ │ ├── res/
│ │ │ │ ├── EnumSSSDTManager.rc2
│ │ │ │ └── ReadMe.txt
│ │ │ ├── resource.h
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── EnumSSSDTManager.sln
│ ├── EnumSSSDTManagerRing0/
│ │ ├── GetService.c
│ │ ├── GetService.h
│ │ ├── ReadMe.txt
│ │ ├── SSDT.c
│ │ ├── SSDT.h
│ │ ├── SSSDT.c
│ │ ├── SSSDT.h
│ │ ├── SSSDTManager.c
│ │ ├── SSSDTManager.h
│ │ ├── SSSDTManager.sln
│ │ ├── SSSDTManager.vcxproj
│ │ ├── SSSDTManager.vcxproj.filters
│ │ ├── common.c
│ │ ├── common.h
│ │ └── sources
│ └── ReadMe.txt
└── ZwQueryVirtualMemory/
├── Common.c
├── Common.h
├── GetSSDTFuncAddress.c
├── GetSSDTFuncAddress.h
├── ReadMe.txt
├── ZwQueryVirtualMemory.c
├── ZwQueryVirtualMemory.h
├── ZwQueryVirtualMemory.sln
├── ZwQueryVirtualMemory.vcxproj
└── sources
Showing preview only (307K chars total). Download the full file or copy to clipboard to get everything.
SYMBOL INDEX (3730 symbols across 233 files)
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/AddService.cpp
function BOOL (line 8) | BOOL Release(){
function BOOL (line 35) | BOOL UnloadDrv(TCHAR* DriverName){
function BOOL (line 62) | BOOL LoadDrv(TCHAR* DriverName){
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.cpp
function BOOL (line 40) | BOOL CCheckKernelHookApp::InitInstance()
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.h
function class (line 18) | class CCheckKernelHookApp : public CWinApp
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHookDlg.cpp
class CAboutDlg (line 40) | class CAboutDlg : public CDialogEx
function BOOL (line 95) | BOOL CCheckKernelHookDlg::OnInitDialog()
function VOID (line 150) | VOID CCheckKernelHookDlg::CheckKernelHook()
function VOID (line 198) | VOID CCheckKernelHookDlg::InsertDataToList(PINLINEHOOKINFO PInlineHookInfo)
function HCURSOR (line 279) | HCURSOR CCheckKernelHookDlg::OnQueryDragIcon()
FILE: CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHookDlg.h
type INLINEHOOKINFO_INFORMATION (line 11) | typedef struct _INLINEHOOKINFO_INFORMATION { //INLINEHOOKINFO_I...
type INLINEHOOKINFO (line 22) | typedef struct _INLINEHOOKINFO { //InlineHook
function class (line 34) | class CCheckKernelHookDlg : public CDialogEx
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Common.c
function NTSTATUS (line 527) | NTSTATUS
function GetFunctionCodeSize (line 608) | unsigned long __fastcall GetFunctionCodeSize(void *Proc)
function SizeOfCode (line 629) | unsigned long __fastcall SizeOfCode(void *Code, unsigned char **pOpcode)
function BOOL (line 708) | BOOL IsAddressInSystem(ULONG ulDriverBase,ULONG *ulSysModuleBase,ULONG *...
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Common.h
type DWORD (line 4) | typedef unsigned long DWORD;
type BOOL (line 6) | typedef unsigned char BOOL, *PBOOL;
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/DriverEntry.c
function NTSTATUS (line 8) | NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING ...
function NTSTATUS (line 53) | NTSTATUS
function NTSTATUS (line 108) | NTSTATUS
function VOID (line 117) | VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/DriverEntry.h
type INLINEHOOKINFO_INFORMATION (line 20) | typedef struct _INLINEHOOKINFO_INFORMATION { //INLINEHOOKINFO_I...
type INLINEHOOKINFO (line 31) | typedef struct _INLINEHOOKINFO { //InlineHook
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FileSystem.c
function NTSTATUS (line 7) | NTSTATUS
function NTSTATUS (line 165) | NTSTATUS
function NTSTATUS (line 187) | NTSTATUS
function NTSTATUS (line 237) | NTSTATUS
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FixRelocation.c
function BOOLEAN (line 8) | BOOLEAN
function PIMAGE_BASE_RELOCATION (line 111) | PIMAGE_BASE_RELOCATION
function NTSTATUS (line 350) | NTSTATUS
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelHookCheck.c
function BOOLEAN (line 16) | BOOLEAN KernelHookCheck(PINLINEHOOKINFO InlineHookInfo)
function VOID (line 119) | VOID FillInlineHookInfo(PUCHAR ulTemp,PINLINEHOOKINFO InlineHookInfo,CHA...
function VOID (line 155) | VOID CheckFuncByOpcode(PVOID ulReloadAddress,PINLINEHOOKINFO InlineHookI...
function ULONG (line 288) | ULONG GetNextFunctionAddress(ULONG ulNtDllModuleBase,ULONG ulOldAddress,...
function BOOLEAN (line 481) | BOOLEAN IsFunctionInExportTable(ULONG ulModuleBase,ULONG ulFunctionAddress)
function ULONG (line 634) | ULONG GetEatHook(ULONG ulOldAddress,int x,ULONG ulSystemKernelModuleBase...
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelReload.c
function BOOLEAN (line 8) | BOOLEAN GetSystemKernelModuleInfo(WCHAR **SystemKernelModulePath,PDWORD ...
function BOOLEAN (line 84) | BOOLEAN IoGetFileSystemVpbInfo(IN PFILE_OBJECT FileObject,PDEVICE_OBJECT...
function BOOLEAN (line 125) | BOOLEAN GetDeviceObjectFromFileFullName(WCHAR *FileFullName,PDEVICE_OBJE...
function BOOLEAN (line 190) | BOOLEAN GetWindowsRootName(WCHAR *WindowsRootName)
function NTSTATUS (line 257) | NTSTATUS KernelOpenFile(wchar_t *FileFullName,
function NTSTATUS (line 340) | NTSTATUS KernelGetFileSize(HANDLE hFile, PLARGE_INTEGER FileSize)
function NTSTATUS (line 376) | NTSTATUS KernelReadFile(HANDLE hFile, PLARGE_INTEGER ByteOffset, ULONG L...
function BOOLEAN (line 404) | BOOLEAN ImageFile(BYTE *FileBuffer,BYTE **ImageModuleBase)
function ULONG (line 465) | ULONG AlignSize(ULONG nSize, ULONG nAlign)
function PVOID (line 475) | PVOID GetKernelModuleBase(PDRIVER_OBJECT DriverObject,char *KernelModule...
function PVOID (line 545) | PVOID
function BOOLEAN (line 636) | BOOLEAN InsertOriginalFirstThunk(DWORD ImageBase,DWORD ExistImageBase,PI...
function BOOLEAN (line 658) | BOOLEAN FixImportTable(BYTE *ImageBase,DWORD ExistImageBase,PDRIVER_OBJE...
function BOOLEAN (line 752) | BOOLEAN PeLoad(
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Reload.c
function ULONG (line 21) | ULONG ReLoadNtosCALL(WCHAR *lpwzFuncTion,ULONG ulOldNtosBase,ULONG ulRel...
function NTSTATUS (line 119) | NTSTATUS ReLoadNtos(PDRIVER_OBJECT DriverObject,DWORD RetAddress)
function BOOLEAN (line 177) | BOOLEAN InitSafeOperationModule(PDRIVER_OBJECT pDriverObject,WCHAR *Syst...
function VOID (line 259) | VOID FixOriginalKiServiceTable(PDWORD OriginalKiServiceTable,DWORD Modul...
function BOOLEAN (line 273) | BOOLEAN GetOriginalKiServiceTable(BYTE *NewImageBase,DWORD ExistImageBas...
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Reload.h
type DWORD (line 5) | typedef unsigned long DWORD;
type DWORD (line 6) | typedef DWORD * PDWORD;
type BYTE (line 7) | typedef unsigned char BYTE, *PBYTE;
type WORD (line 8) | typedef unsigned short WORD, *PWORD;
type SYSTEM_MODULE_INFORMATION (line 11) | typedef struct _SYSTEM_MODULE_INFORMATION // ϵͳģϢ
type MODULES (line 24) | typedef struct _tagSysModuleList { //ģṹ
type SYSTEM_INFORMATION_CLASS (line 29) | typedef enum _SYSTEM_INFORMATION_CLASS
type AUX_ACCESS_DATA (line 91) | typedef struct _AUX_ACCESS_DATA {
type LDR_DATA_TABLE_ENTRY (line 101) | typedef struct _LDR_DATA_TABLE_ENTRY
type SERVICE_DESCRIPTOR_TABLE (line 138) | typedef struct _SERVICE_DESCRIPTOR_TABLE {
type VOID (line 211) | typedef VOID (__stdcall *ReloadRtlInitUnicodeString)(
type LONG (line 217) | typedef LONG (__stdcall * ReloadRtlCompareUnicodeString)(
type PVOID (line 225) | typedef PVOID (__stdcall *ReloadMmGetSystemRoutineAddress)(
type BOOLEAN (line 232) | typedef BOOLEAN (__stdcall * ReloadMmIsAddressValid)(
type PEPROCESS (line 238) | typedef PEPROCESS (__stdcall *ReloadPsGetCurrentProcess)(void);
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/libdasm.c
function BYTE (line 21) | __inline__ BYTE FETCH8(BYTE *addr) {
function WORD (line 26) | __inline__ WORD FETCH16(BYTE *addr) {
function DWORD (line 44) | __inline__ DWORD FETCH32(BYTE *addr) {
function get_real_instruction2 (line 65) | int get_real_instruction2(BYTE *addr, int *flags) {
function get_real_instruction (line 110) | int get_real_instruction(BYTE *addr, int *index, int *flags) {
function get_operand (line 246) | int get_operand(PINST inst, int oflags, PINSTRUCTION instruction,
function get_operand_string (line 560) | int get_operand_string(INSTRUCTION *inst, OPERAND *op,
function get_instruction (line 790) | int get_instruction(PINSTRUCTION inst, BYTE *addr, enum Mode mode) {
function get_mnemonic_string (line 912) | int get_mnemonic_string(INSTRUCTION *inst, enum Format format, char *str...
function get_operands_string (line 981) | int get_operands_string(INSTRUCTION *inst, enum Format format, DWORD off...
function get_instruction_string (line 1020) | int get_instruction_string(INSTRUCTION *inst, enum Format format, DWORD ...
function get_register_type (line 1040) | int get_register_type(POPERAND op) {
function get_operand_type (line 1076) | int get_operand_type(POPERAND op) {
function get_operand_register (line 1080) | int get_operand_register(POPERAND op) {
function get_operand_basereg (line 1084) | int get_operand_basereg(POPERAND op) {
function get_operand_indexreg (line 1088) | int get_operand_indexreg(POPERAND op) {
function get_operand_scale (line 1092) | int get_operand_scale(POPERAND op) {
function get_operand_immediate (line 1096) | int get_operand_immediate(POPERAND op, DWORD *imm) {
function get_operand_displacement (line 1104) | int get_operand_displacement(POPERAND op, DWORD *disp) {
function POPERAND (line 1114) | POPERAND get_source_operand(PINSTRUCTION inst) {
function POPERAND (line 1120) | POPERAND get_destination_operand(PINSTRUCTION inst) {
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/libdasm.h
type QWORD (line 34) | typedef unsigned __int64 QWORD;
type SBYTE (line 35) | typedef signed __int8 SBYTE;
type SWORD (line 36) | typedef signed __int16 SWORD;
type SDWORD (line 37) | typedef signed __int32 SDWORD;
type SQWORD (line 38) | typedef signed __int64 SQWORD;
type u_int8_t (line 51) | typedef u_int8_t BYTE;
type u_int16_t (line 52) | typedef u_int16_t WORD;
type u_int32_t (line 53) | typedef u_int32_t DWORD;
type u_int64_t (line 54) | typedef u_int64_t QWORD;
type SBYTE (line 55) | typedef int8_t SBYTE;
type SWORD (line 56) | typedef int16_t SWORD;
type SDWORD (line 57) | typedef int32_t SDWORD;
type SQWORD (line 58) | typedef int64_t SQWORD;
type DWORD (line 77) | typedef unsigned long DWORD;
type WORD (line 79) | typedef unsigned short WORD;
type BYTE (line 80) | typedef unsigned char BYTE;
type Mode (line 150) | enum Mode {
type Format (line 156) | enum Format {
type Instruction (line 162) | enum Instruction {
type Operand (line 272) | enum Operand {
type INST (line 282) | typedef struct _INST {
type OPERAND (line 292) | typedef struct _OPERAND {
type INSTRUCTION (line 310) | typedef struct _INSTRUCTION {
type Mode (line 335) | enum Mode
type Format (line 341) | enum Format
type Format (line 350) | enum Format
type Format (line 359) | enum Format
FILE: CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/tables.h
type Instruction (line 71) | enum Instruction
FILE: GetKernel32Addressx64/GetKernel32Addressx64/GetKernel32Addressx64.cpp
type _UNICODE_STRING (line 22) | struct _UNICODE_STRING {
function _tmain (line 28) | int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
FILE: HideProcess/HideProcess.c
function NTSTATUS (line 10) | NTSTATUS
function VOID (line 48) | VOID HideProcess(char* ProcessName)
function VOID (line 78) | VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
function WIN_VERSION (line 83) | WIN_VERSION GetWindowsVersion()
function PVOID (line 161) | PVOID
FILE: HideProcess/HideProcess.h
type WIN_VERSION (line 6) | typedef enum WIN_VERSION {
type NTSTATUS (line 27) | typedef
FILE: HideProcess/struct.h
type LONG (line 21) | typedef long LONG;
type BOOL (line 22) | typedef unsigned char BOOL, *PBOOL;
type BYTE (line 23) | typedef unsigned char BYTE, *PBYTE;
type DWORD (line 24) | typedef unsigned long DWORD, *PDWORD;
type WORD (line 25) | typedef unsigned short WORD, *PWORD;
type NTSTATUS (line 28) | typedef long NTSTATUS, *PNTSTATUS;
type DWORD (line 29) | typedef unsigned long DWORD;
type DWORD (line 30) | typedef DWORD * PDWORD;
type ULONG (line 31) | typedef unsigned long ULONG;
type ULONG_PTR (line 32) | typedef unsigned long ULONG_PTR;
type ULONG (line 33) | typedef ULONG *PULONG;
type WORD (line 34) | typedef unsigned short WORD;
type BYTE (line 35) | typedef unsigned char BYTE;
type UCHAR (line 36) | typedef unsigned char UCHAR;
type USHORT (line 37) | typedef unsigned short USHORT;
type BYTE (line 39) | typedef BYTE BOOLEAN;
type PEB_LDR_DATA (line 47) | typedef struct _PEB_LDR_DATA
type PEB_ORIG (line 58) | typedef struct _PEB_ORIG {
type _PEB_FREE_BLOCK (line 68) | struct _PEB_FREE_BLOCK {
type PEB_FREE_BLOCK (line 72) | typedef struct _PEB_FREE_BLOCK PEB_FREE_BLOCK;
type _PEB_FREE_BLOCK (line 73) | struct _PEB_FREE_BLOCK
type RTL_DRIVE_LETTER_CURDIR (line 75) | typedef struct _RTL_DRIVE_LETTER_CURDIR {
type RTL_USER_PROCESS_PARAMETERS (line 82) | typedef struct _RTL_USER_PROCESS_PARAMETERS {
type PEB (line 114) | typedef struct _PEB {
type SYSTEM_PROCESS_INFORMATION (line 171) | typedef struct _SYSTEM_PROCESS_INFORMATION {
type SYSTEM_THREAD_INFORMATION (line 201) | typedef struct _SYSTEM_THREAD_INFORMATION {
type _SYSTEM_THREADS (line 215) | struct _SYSTEM_THREADS
type _SYSTEM_PROCESSES (line 230) | struct _SYSTEM_PROCESSES
type HANDLE_TABLE_ENTRY_INFO (line 249) | typedef struct _HANDLE_TABLE_ENTRY_INFO
type HANDLE_TABLE_ENTRY (line 254) | typedef struct _HANDLE_TABLE_ENTRY
type HANDLE_TABLE (line 275) | typedef struct _HANDLE_TABLE
type OBJECT_TYPE_INITIALIZER (line 296) | typedef struct _OBJECT_TYPE_INITIALIZER {
type OBJECT_TYPE (line 320) | typedef struct _OBJECT_TYPE {
type OBJECT_DIRECTORY (line 335) | typedef struct _OBJECT_DIRECTORY {
type KAPC_ENVIRONMENT (line 353) | typedef enum
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/TlHelp32.h
type HEAPLIST32 (line 62) | typedef struct tagHEAPLIST32
type HEAPLIST32 (line 69) | typedef HEAPLIST32 * PHEAPLIST32;
type HEAPLIST32 (line 70) | typedef HEAPLIST32 * LPHEAPLIST32;
type HEAPENTRY32 (line 91) | typedef struct tagHEAPENTRY32
type HEAPENTRY32 (line 103) | typedef HEAPENTRY32 * PHEAPENTRY32;
type HEAPENTRY32 (line 104) | typedef HEAPENTRY32 * LPHEAPENTRY32;
type PROCESSENTRY32W (line 138) | typedef struct tagPROCESSENTRY32W
type PROCESSENTRY32W (line 151) | typedef PROCESSENTRY32W * PPROCESSENTRY32W;
type PROCESSENTRY32W (line 152) | typedef PROCESSENTRY32W * LPPROCESSENTRY32W;
type PROCESSENTRY32 (line 168) | typedef struct tagPROCESSENTRY32
type PROCESSENTRY32 (line 181) | typedef PROCESSENTRY32 * PPROCESSENTRY32;
type PROCESSENTRY32 (line 182) | typedef PROCESSENTRY32 * LPPROCESSENTRY32;
type THREADENTRY32 (line 208) | typedef struct tagTHREADENTRY32
type THREADENTRY32 (line 218) | typedef THREADENTRY32 * PTHREADENTRY32;
type THREADENTRY32 (line 219) | typedef THREADENTRY32 * LPTHREADENTRY32;
type MODULEENTRY32W (line 237) | typedef struct tagMODULEENTRY32W
type MODULEENTRY32W (line 250) | typedef MODULEENTRY32W * PMODULEENTRY32W;
type MODULEENTRY32W (line 251) | typedef MODULEENTRY32W * LPMODULEENTRY32W;
type MODULEENTRY32 (line 268) | typedef struct tagMODULEENTRY32
type MODULEENTRY32 (line 281) | typedef MODULEENTRY32 * PMODULEENTRY32;
type MODULEENTRY32 (line 282) | typedef MODULEENTRY32 * LPMODULEENTRY32;
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/analyzer.cpp
type _DRVINFO (line 3) | struct _DRVINFO
type _DEVINFO_ACCESS (line 16) | enum _DEVINFO_ACCESS
type _DEVINFO (line 25) | struct _DEVINFO
type _PROCESSINFO (line 34) | struct _PROCESSINFO
function DWORD (line 57) | DWORD GetObjectTypeIndex(HANDLE hObject)
function DWORD (line 83) | DWORD GetFileObjectTypeIndex(void)
function DWORD (line 110) | DWORD CollectFileHandles(void)
function BOOL (line 363) | BOOL GetDescrAndCompanyInfo(char *lpszFilePath, char **lpszDescr, char *...
function BOOL (line 458) | BOOL GetDeviceInfo(
function BOOL (line 521) | BOOL PrintObjectPermissions(HANDLE hObject, SE_OBJECT_TYPE ObjectType)
function BOOL (line 608) | BOOL GetDesiredPermissions(HANDLE hObject, SE_OBJECT_TYPE ObjectType, PD...
function DWORD (line 709) | DWORD ParseIoctlsLog(char *lpszIoctlsLogPath)
function PrintDeviceObjectsInfo (line 845) | void PrintDeviceObjectsInfo(char *lpszIoctlsLogPath)
function CollectDeviceObjectsInfo (line 1081) | void CollectDeviceObjectsInfo(LPWSTR lpRoot)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/common.cpp
function BOOL (line 3) | BOOL LoadPrivileges(char *lpszName)
function BOOL (line 41) | BOOL DumpToFile(char *lpszFileName, PVOID pData, ULONG DataSize)
function BOOL (line 61) | BOOL ReadFromFile(LPCTSTR lpszFileName, PVOID *pData, PDWORD lpdwDataSize)
function wchar_t (line 122) | wchar_t *GetNameFromFullPathW(wchar_t *lpwcPath)
function BOOL (line 137) | BOOL IsFileExists(char *lpszFileName)
function PVOID (line 153) | PVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass)
function BOOL (line 210) | BOOL GetProcessNameById(DWORD dwProcessId, char *lpszName, size_t NameLen)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/dbgeng.h
type _WINDBG_EXTENSION_APIS32 (line 16) | struct _WINDBG_EXTENSION_APIS32
type _WINDBG_EXTENSION_APIS64 (line 17) | struct _WINDBG_EXTENSION_APIS64
type _MEMORY_BASIC_INFORMATION64 (line 21) | struct _MEMORY_BASIC_INFORMATION64
type DEBUG_OFFSET_REGION (line 276) | typedef struct _DEBUG_OFFSET_REGION
type DEBUG_READ_USER_MINIDUMP_STREAM (line 322) | typedef struct _DEBUG_READ_USER_MINIDUMP_STREAM
type DEBUG_GET_TEXT_COMPLETIONS_IN (line 336) | typedef struct _DEBUG_GET_TEXT_COMPLETIONS_IN
type DEBUG_GET_TEXT_COMPLETIONS_OUT (line 348) | typedef struct _DEBUG_GET_TEXT_COMPLETIONS_OUT
type DEBUG_CACHED_SYMBOL_INFO (line 361) | typedef struct _DEBUG_CACHED_SYMBOL_INFO
type DEBUG_THREAD_BASIC_INFORMATION (line 570) | typedef struct _DEBUG_THREAD_BASIC_INFORMATION
function STDMETHOD (line 743) | STDMETHOD(Request)(
function STDMETHOD (line 905) | STDMETHOD(QueryInterface)(
type DEBUG_LAST_EVENT_INFO_BREAKPOINT (line 4562) | typedef struct _DEBUG_LAST_EVENT_INFO_BREAKPOINT
type DEBUG_LAST_EVENT_INFO_EXCEPTION (line 4567) | typedef struct _DEBUG_LAST_EVENT_INFO_EXCEPTION
type DEBUG_LAST_EVENT_INFO_EXIT_THREAD (line 4573) | typedef struct _DEBUG_LAST_EVENT_INFO_EXIT_THREAD
type DEBUG_LAST_EVENT_INFO_EXIT_PROCESS (line 4578) | typedef struct _DEBUG_LAST_EVENT_INFO_EXIT_PROCESS
type DEBUG_LAST_EVENT_INFO_LOAD_MODULE (line 4583) | typedef struct _DEBUG_LAST_EVENT_INFO_LOAD_MODULE
type DEBUG_LAST_EVENT_INFO_UNLOAD_MODULE (line 4588) | typedef struct _DEBUG_LAST_EVENT_INFO_UNLOAD_MODULE
type DEBUG_LAST_EVENT_INFO_SYSTEM_ERROR (line 4593) | typedef struct _DEBUG_LAST_EVENT_INFO_SYSTEM_ERROR
type DEBUG_VALUE (line 4633) | typedef struct _DEBUG_VALUE
function STDMETHOD (line 4697) | STDMETHOD(QueryInterface)(
type DEBUG_PROCESSOR_IDENTIFICATION_IA64 (line 9079) | typedef struct _DEBUG_PROCESSOR_IDENTIFICATION_IA64
type DEBUG_PROCESSOR_IDENTIFICATION_X86 (line 9088) | typedef struct _DEBUG_PROCESSOR_IDENTIFICATION_X86
type DEBUG_PROCESSOR_IDENTIFICATION_ARM (line 9096) | typedef struct _DEBUG_PROCESSOR_IDENTIFICATION_ARM
type DEBUG_PROCESSOR_IDENTIFICATION_ALL (line 9102) | typedef union _DEBUG_PROCESSOR_IDENTIFICATION_ALL
type DEBUG_SYMBOL_PARAMETERS (line 11389) | typedef struct _DEBUG_SYMBOL_PARAMETERS
function STDMETHOD (line 12920) | STDMETHOD(QueryInterface)(
type PDEBUG_EXTENSION_KNOWN_STRUCT (line 15443) | typedef PDEBUG_EXTENSION_KNOWN_STRUCT PDEBUG_ENTENSION_KNOWNSTRUCT;
function class (line 15517) | class DebugBaseEventCallbacks : public IDebugEventCallbacks
function STDMETHOD (line 15549) | STDMETHOD(Breakpoint)(
function STDMETHOD (line 15557) | STDMETHOD(Exception)(
function STDMETHOD (line 15567) | STDMETHOD(CreateThread)(
function STDMETHOD (line 15579) | STDMETHOD(ExitThread)(
function STDMETHOD (line 15587) | STDMETHOD(CreateProcess)(
function STDMETHOD (line 15615) | STDMETHOD(ExitProcess)(
function STDMETHOD (line 15623) | STDMETHOD(LoadModule)(
function STDMETHOD (line 15643) | STDMETHOD(UnloadModule)(
function STDMETHOD (line 15653) | STDMETHOD(SystemError)(
function STDMETHOD (line 15663) | STDMETHOD(SessionStatus)(
function STDMETHOD (line 15671) | STDMETHOD(ChangeDebuggeeState)(
function STDMETHOD (line 15681) | STDMETHOD(ChangeEngineState)(
function STDMETHOD (line 15691) | STDMETHOD(ChangeSymbolState)(
function class (line 15703) | class DebugBaseEventCallbacksWide : public IDebugEventCallbacksWide
function STDMETHOD (line 15735) | STDMETHOD(Breakpoint)(
function STDMETHOD (line 15743) | STDMETHOD(Exception)(
function STDMETHOD (line 15753) | STDMETHOD(CreateThread)(
function STDMETHOD (line 15765) | STDMETHOD(ExitThread)(
function STDMETHOD (line 15773) | STDMETHOD(CreateProcess)(
function STDMETHOD (line 15801) | STDMETHOD(ExitProcess)(
function STDMETHOD (line 15809) | STDMETHOD(LoadModule)(
function STDMETHOD (line 15829) | STDMETHOD(UnloadModule)(
function STDMETHOD (line 15839) | STDMETHOD(SystemError)(
function STDMETHOD (line 15849) | STDMETHOD(SessionStatus)(
function STDMETHOD (line 15857) | STDMETHOD(ChangeDebuggeeState)(
function STDMETHOD (line 15867) | STDMETHOD(ChangeEngineState)(
function STDMETHOD (line 15877) | STDMETHOD(ChangeSymbolState)(
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/dbghelp.h
type LOADED_IMAGE (line 133) | typedef struct _LOADED_IMAGE {
type IMAGE_DEBUG_INFORMATION (line 376) | typedef struct _IMAGE_DEBUG_INFORMATION {
type MODLOAD_DATA (line 548) | typedef struct _MODLOAD_DATA {
type MODLOAD_CVMISC (line 556) | typedef struct _MODLOAD_CVMISC {
type MODLOAD_PDBGUID_PDBAGE (line 565) | typedef struct _MODLOAD_PDBGUID_PDBAGE {
type ADDRESS_MODE (line 574) | typedef enum {
type ADDRESS64 (line 581) | typedef struct _tagADDRESS64 {
type ADDRESS (line 591) | typedef struct _tagADDRESS {
function Address32To64 (line 597) | __inline
function Address64To32 (line 609) | __inline
type KDHELP64 (line 633) | typedef struct _KDHELP64 {
type KDHELP (line 698) | typedef struct _KDHELP {
function KdHelp32To64 (line 758) | __inline
type STACKFRAME64 (line 778) | typedef struct _tagSTACKFRAME64 {
type STACKFRAME (line 796) | typedef struct _tagSTACKFRAME {
type BOOL (line 812) | typedef
type PVOID (line 822) | typedef
type DWORD64 (line 829) | typedef
type DWORD64 (line 836) | typedef
type BOOL (line 869) | typedef
type PVOID (line 879) | typedef
type DWORD (line 886) | typedef
type DWORD (line 893) | typedef
type API_VERSION (line 920) | typedef struct API_VERSION {
type SymTagEnum (line 1083) | enum SymTagEnum
type SYM_TYPE (line 1151) | typedef enum {
type IMAGEHLP_SYMBOL64 (line 1168) | typedef struct _IMAGEHLP_SYMBOL64 {
type IMAGEHLP_SYMBOL64_PACKAGE (line 1177) | typedef struct _IMAGEHLP_SYMBOL64_PACKAGE {
type IMAGEHLP_SYMBOLW64 (line 1182) | typedef struct _IMAGEHLP_SYMBOLW64 {
type IMAGEHLP_SYMBOLW64_PACKAGE (line 1191) | typedef struct _IMAGEHLP_SYMBOLW64_PACKAGE {
type IMAGEHLP_SYMBOL (line 1209) | typedef struct _IMAGEHLP_SYMBOL {
type IMAGEHLP_SYMBOL_PACKAGE (line 1218) | typedef struct _IMAGEHLP_SYMBOL_PACKAGE {
type IMAGEHLP_SYMBOLW (line 1223) | typedef struct _IMAGEHLP_SYMBOLW {
type IMAGEHLP_SYMBOLW_PACKAGE (line 1232) | typedef struct _IMAGEHLP_SYMBOLW_PACKAGE {
type IMAGEHLP_MODULE64 (line 1243) | typedef struct _IMAGEHLP_MODULE64 {
type IMAGEHLP_MODULEW64 (line 1271) | typedef struct _IMAGEHLP_MODULEW64 {
type IMAGEHLP_MODULE (line 1305) | typedef struct _IMAGEHLP_MODULE {
type IMAGEHLP_MODULEW (line 1318) | typedef struct _IMAGEHLP_MODULEW {
type IMAGEHLP_LINE64 (line 1336) | typedef struct _IMAGEHLP_LINE64 {
type IMAGEHLP_LINEW64 (line 1344) | typedef struct _IMAGEHLP_LINEW64 {
type IMAGEHLP_LINE (line 1356) | typedef struct _IMAGEHLP_LINE {
type IMAGEHLP_LINEW (line 1364) | typedef struct _IMAGEHLP_LINEW {
type SOURCEFILE (line 1377) | typedef struct _SOURCEFILE {
type SOURCEFILEW (line 1382) | typedef struct _SOURCEFILEW {
type IMAGEHLP_CBA_READ_MEMORY (line 1405) | typedef struct _IMAGEHLP_CBA_READ_MEMORY {
type IMAGEHLP_CBA_EVENT (line 1424) | typedef struct _IMAGEHLP_CBA_EVENT {
type IMAGEHLP_CBA_EVENTW (line 1431) | typedef struct _IMAGEHLP_CBA_EVENTW {
type IMAGEHLP_DEFERRED_SYMBOL_LOAD64 (line 1438) | typedef struct _IMAGEHLP_DEFERRED_SYMBOL_LOAD64 {
type IMAGEHLP_DEFERRED_SYMBOL_LOADW64 (line 1449) | typedef struct _IMAGEHLP_DEFERRED_SYMBOL_LOADW64 {
type IMAGEHLP_DEFERRED_SYMBOL_LOAD (line 1467) | typedef struct _IMAGEHLP_DEFERRED_SYMBOL_LOAD {
type IMAGEHLP_DUPLICATE_SYMBOL64 (line 1478) | typedef struct _IMAGEHLP_DUPLICATE_SYMBOL64 {
type IMAGEHLP_DUPLICATE_SYMBOL (line 1489) | typedef struct _IMAGEHLP_DUPLICATE_SYMBOL {
type OMAP (line 1542) | typedef struct _OMAP {
type SRCCODEINFO (line 1822) | typedef struct _SRCCODEINFO {
type SRCCODEINFOW (line 1832) | typedef struct _SRCCODEINFOW {
type IMAGEHLP_SYMBOL_SRC (line 2333) | typedef struct _IMAGEHLP_SYMBOL_SRC {
type MODULE_TYPE_INFO (line 2339) | typedef struct _MODULE_TYPE_INFO { // AKA TYPTYP
type SYMBOL_INFO (line 2345) | typedef struct _SYMBOL_INFO {
type SYMBOL_INFO_PACKAGE (line 2363) | typedef struct _SYMBOL_INFO_PACKAGE {
type SYMBOL_INFOW (line 2368) | typedef struct _SYMBOL_INFOW {
type SYMBOL_INFO_PACKAGEW (line 2386) | typedef struct _SYMBOL_INFO_PACKAGEW {
type IMAGEHLP_STACK_FRAME (line 2391) | typedef struct _IMAGEHLP_STACK_FRAME
type VOID (line 2405) | typedef VOID IMAGEHLP_CONTEXT, *PIMAGEHLP_CONTEXT;
type IMAGEHLP_SYMBOL_TYPE_INFO (line 2651) | typedef enum _IMAGEHLP_SYMBOL_TYPE_INFO {
type TI_FINDCHILDREN_PARAMS (line 2688) | typedef struct _TI_FINDCHILDREN_PARAMS {
type IMAGEHLP_GET_TYPE_INFO_PARAMS (line 2707) | typedef struct _IMAGEHLP_GET_TYPE_INFO_PARAMS {
type ULONG64 (line 2850) | typedef BOOL (WINAPI *SYMADDSOURCESTREAM)(HANDLE, ULONG64, PCSTR, PBYTE,...
type ULONG64 (line 2862) | typedef BOOL (WINAPI *SYMADDSOURCESTREAMA)(HANDLE, ULONG64, PCSTR, PBYTE...
type SYMSRV_INDEX_INFO (line 2968) | typedef struct {
type SYMSRV_INDEX_INFOW (line 2981) | typedef struct {
type PCSTR (line 3168) | typedef BOOL (WINAPI *PSYMBOLSERVERPROC)(PCSTR, PCSTR, PVOID, DWORD, DWO...
type PCSTR (line 3169) | typedef BOOL (WINAPI *PSYMBOLSERVERPROCA)(PCSTR, PCSTR, PVOID, DWORD, DW...
type PCWSTR (line 3170) | typedef BOOL (WINAPI *PSYMBOLSERVERPROCW)(PCWSTR, PCWSTR, PVOID, DWORD, ...
type PCSTR (line 3171) | typedef BOOL (WINAPI *PSYMBOLSERVERBYINDEXPROC)(PCSTR, PCSTR, PCSTR, PSTR);
type PCSTR (line 3172) | typedef BOOL (WINAPI *PSYMBOLSERVERBYINDEXPROCA)(PCSTR, PCSTR, PCSTR, PS...
type PCWSTR (line 3173) | typedef BOOL (WINAPI *PSYMBOLSERVERBYINDEXPROCW)(PCWSTR, PCWSTR, PCWSTR,...
type PVOID (line 3184) | typedef BOOL (WINAPI *PSYMBOLSERVERDELTANAME)(PCSTR, PVOID, DWORD, DWORD...
type PVOID (line 3185) | typedef BOOL (WINAPI *PSYMBOLSERVERDELTANAMEW)(PCWSTR, PVOID, DWORD, DWO...
type PCSTR (line 3186) | typedef BOOL (WINAPI *PSYMBOLSERVERGETSUPPLEMENT)(PCSTR, PCSTR, PCSTR, P...
type PCWSTR (line 3187) | typedef BOOL (WINAPI *PSYMBOLSERVERGETSUPPLEMENTW)(PCWSTR, PCWSTR, PCWST...
type PCSTR (line 3188) | typedef BOOL (WINAPI *PSYMBOLSERVERSTORESUPPLEMENT)(PCSTR, PCSTR, PCSTR,...
type PCWSTR (line 3189) | typedef BOOL (WINAPI *PSYMBOLSERVERSTORESUPPLEMENTW)(PCWSTR, PCWSTR, PCW...
type DWORD (line 3190) | typedef BOOL (WINAPI *PSYMBOLSERVERGETINDEXSTRING)(PVOID, DWORD, DWORD, ...
type DWORD (line 3191) | typedef BOOL (WINAPI *PSYMBOLSERVERGETINDEXSTRINGW)(PVOID, DWORD, DWORD,...
type PCSTR (line 3192) | typedef BOOL (WINAPI *PSYMBOLSERVERSTOREFILE)(PCSTR, PCSTR, PVOID, DWORD...
type PCWSTR (line 3193) | typedef BOOL (WINAPI *PSYMBOLSERVERSTOREFILEW)(PCWSTR, PCWSTR, PVOID, DW...
type DWORD (line 3582) | typedef DWORD RVA;
type ULONG64 (line 3583) | typedef ULONG64 RVA64;
type MINIDUMP_LOCATION_DESCRIPTOR (line 3585) | typedef struct _MINIDUMP_LOCATION_DESCRIPTOR {
type MINIDUMP_LOCATION_DESCRIPTOR64 (line 3590) | typedef struct _MINIDUMP_LOCATION_DESCRIPTOR64 {
type MINIDUMP_MEMORY_DESCRIPTOR (line 3596) | typedef struct _MINIDUMP_MEMORY_DESCRIPTOR {
type MINIDUMP_MEMORY_DESCRIPTOR64 (line 3606) | typedef struct _MINIDUMP_MEMORY_DESCRIPTOR64 {
type MINIDUMP_HEADER (line 3612) | typedef struct _MINIDUMP_HEADER {
type MINIDUMP_DIRECTORY (line 3630) | typedef struct _MINIDUMP_DIRECTORY {
type MINIDUMP_STRING (line 3636) | typedef struct _MINIDUMP_STRING {
type MINIDUMP_STREAM_TYPE (line 3651) | typedef enum _MINIDUMP_STREAM_TYPE {
type CPU_INFORMATION (line 3709) | typedef union _CPU_INFORMATION {
type MINIDUMP_SYSTEM_INFO (line 3758) | typedef struct _MINIDUMP_SYSTEM_INFO {
type MINIDUMP_THREAD (line 3821) | typedef struct _MINIDUMP_THREAD {
type MINIDUMP_THREAD_LIST (line 3835) | typedef struct _MINIDUMP_THREAD_LIST {
type MINIDUMP_THREAD_EX (line 3841) | typedef struct _MINIDUMP_THREAD_EX {
type MINIDUMP_THREAD_EX_LIST (line 3856) | typedef struct _MINIDUMP_THREAD_EX_LIST {
type MINIDUMP_EXCEPTION (line 3866) | typedef struct _MINIDUMP_EXCEPTION {
type MINIDUMP_EXCEPTION_STREAM (line 3884) | typedef struct MINIDUMP_EXCEPTION_STREAM {
type MINIDUMP_MODULE (line 3899) | typedef struct _MINIDUMP_MODULE {
type MINIDUMP_MODULE_LIST (line 3917) | typedef struct _MINIDUMP_MODULE_LIST {
type MINIDUMP_MEMORY_LIST (line 3927) | typedef struct _MINIDUMP_MEMORY_LIST {
type MINIDUMP_MEMORY64_LIST (line 3932) | typedef struct _MINIDUMP_MEMORY64_LIST {
type MINIDUMP_EXCEPTION_INFORMATION (line 3943) | typedef struct _MINIDUMP_EXCEPTION_INFORMATION {
type MINIDUMP_EXCEPTION_INFORMATION64 (line 3949) | typedef struct _MINIDUMP_EXCEPTION_INFORMATION64 {
type MINIDUMP_HANDLE_OBJECT_INFORMATION_TYPE (line 3966) | typedef enum _MINIDUMP_HANDLE_OBJECT_INFORMATION_TYPE {
type MINIDUMP_HANDLE_OBJECT_INFORMATION (line 3976) | typedef struct _MINIDUMP_HANDLE_OBJECT_INFORMATION {
type MINIDUMP_HANDLE_DESCRIPTOR (line 3983) | typedef struct _MINIDUMP_HANDLE_DESCRIPTOR {
type MINIDUMP_HANDLE_DESCRIPTOR_2 (line 3993) | typedef struct _MINIDUMP_HANDLE_DESCRIPTOR_2 {
type MINIDUMP_HANDLE_DESCRIPTOR_2 (line 4006) | typedef MINIDUMP_HANDLE_DESCRIPTOR_2 MINIDUMP_HANDLE_DESCRIPTOR_N;
type MINIDUMP_HANDLE_DESCRIPTOR_N (line 4007) | typedef MINIDUMP_HANDLE_DESCRIPTOR_N *PMINIDUMP_HANDLE_DESCRIPTOR_N;
type MINIDUMP_HANDLE_DATA_STREAM (line 4009) | typedef struct _MINIDUMP_HANDLE_DATA_STREAM {
type MINIDUMP_HANDLE_OPERATION_LIST (line 4022) | typedef struct _MINIDUMP_HANDLE_OPERATION_LIST {
type MINIDUMP_FUNCTION_TABLE_DESCRIPTOR (line 4034) | typedef struct _MINIDUMP_FUNCTION_TABLE_DESCRIPTOR {
type MINIDUMP_FUNCTION_TABLE_STREAM (line 4042) | typedef struct _MINIDUMP_FUNCTION_TABLE_STREAM {
type MINIDUMP_UNLOADED_MODULE (line 4059) | typedef struct _MINIDUMP_UNLOADED_MODULE {
type MINIDUMP_UNLOADED_MODULE_LIST (line 4072) | typedef struct _MINIDUMP_UNLOADED_MODULE_LIST {
type MINIDUMP_MISC_INFO (line 4094) | typedef struct _MINIDUMP_MISC_INFO {
type MINIDUMP_MISC_INFO_2 (line 4103) | typedef struct _MINIDUMP_MISC_INFO_2 {
type MINIDUMP_MISC_INFO_3 (line 4117) | typedef struct _MINIDUMP_MISC_INFO_3 {
type MINIDUMP_MISC_INFO_3 (line 4137) | typedef MINIDUMP_MISC_INFO_3 MINIDUMP_MISC_INFO_N;
type MINIDUMP_MISC_INFO_N (line 4138) | typedef MINIDUMP_MISC_INFO_N* PMINIDUMP_MISC_INFO_N;
type MINIDUMP_MEMORY_INFO (line 4148) | typedef struct _MINIDUMP_MEMORY_INFO {
type MINIDUMP_MEMORY_INFO_LIST (line 4160) | typedef struct _MINIDUMP_MEMORY_INFO_LIST {
type MINIDUMP_THREAD_INFO (line 4182) | typedef struct _MINIDUMP_THREAD_INFO {
type MINIDUMP_THREAD_INFO_LIST (line 4195) | typedef struct _MINIDUMP_THREAD_INFO_LIST {
type MINIDUMP_TOKEN_INFO_HEADER (line 4204) | typedef struct _MINIDUMP_TOKEN_INFO_HEADER {
type MINIDUMP_TOKEN_INFO_LIST (line 4210) | typedef struct _MINIDUMP_TOKEN_INFO_LIST {
type MINIDUMP_USER_RECORD (line 4221) | typedef struct _MINIDUMP_USER_RECORD {
type MINIDUMP_USER_STREAM (line 4227) | typedef struct _MINIDUMP_USER_STREAM {
type MINIDUMP_USER_STREAM_INFORMATION (line 4235) | typedef struct _MINIDUMP_USER_STREAM_INFORMATION {
type MINIDUMP_CALLBACK_TYPE (line 4244) | typedef enum _MINIDUMP_CALLBACK_TYPE {
type MINIDUMP_THREAD_CALLBACK (line 4264) | typedef struct _MINIDUMP_THREAD_CALLBACK {
type MINIDUMP_THREAD_EX_CALLBACK (line 4274) | typedef struct _MINIDUMP_THREAD_EX_CALLBACK {
type MINIDUMP_INCLUDE_THREAD_CALLBACK (line 4286) | typedef struct _MINIDUMP_INCLUDE_THREAD_CALLBACK {
type THREAD_WRITE_FLAGS (line 4291) | typedef enum _THREAD_WRITE_FLAGS {
type MINIDUMP_MODULE_CALLBACK (line 4301) | typedef struct _MINIDUMP_MODULE_CALLBACK {
type MINIDUMP_INCLUDE_MODULE_CALLBACK (line 4315) | typedef struct _MINIDUMP_INCLUDE_MODULE_CALLBACK {
type MODULE_WRITE_FLAGS (line 4320) | typedef enum _MODULE_WRITE_FLAGS {
type MINIDUMP_IO_CALLBACK (line 4331) | typedef struct _MINIDUMP_IO_CALLBACK {
type MINIDUMP_READ_MEMORY_FAILURE_CALLBACK (line 4339) | typedef struct _MINIDUMP_READ_MEMORY_FAILURE_CALLBACK
type MINIDUMP_CALLBACK_INPUT (line 4348) | typedef struct _MINIDUMP_CALLBACK_INPUT {
type MINIDUMP_CALLBACK_OUTPUT (line 4365) | typedef struct _MINIDUMP_CALLBACK_OUTPUT {
type MINIDUMP_TYPE (line 4463) | typedef enum _MINIDUMP_TYPE {
type MINIDUMP_SECONDARY_FLAGS (line 4498) | typedef enum _MINIDUMP_SECONDARY_FLAGS {
type MINIDUMP_CALLBACK_INFORMATION (line 4519) | typedef struct _MINIDUMP_CALLBACK_INFORMATION {
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/engextcpp.cpp
function PSTR (line 197) | PSTR
function HRESULT (line 809) | HRESULT
function PSTR (line 1137) | PSTR
function PSTR (line 1157) | PSTR
function PSTR (line 1169) | PSTR
function PSTR (line 1177) | PSTR WINAPIV
function ULONG (line 1253) | ULONG
function ULONG (line 1315) | ULONG
function PCSTR (line 1490) | PCSTR
function ULONG64 (line 1507) | ULONG64
function PCSTR (line 1524) | PCSTR
function ULONG64 (line 1541) | ULONG64
function PCSTR (line 1612) | PCSTR
function HRESULT (line 1727) | HRESULT
function HRESULT (line 1879) | HRESULT
function HRESULT (line 1939) | HRESULT
function HRESULT (line 1964) | HRESULT
function HRESULT (line 1992) | HRESULT
function HRESULT (line 2021) | HRESULT
function HRESULT (line 2117) | HRESULT
function HRESULT (line 2173) | HRESULT
function HRESULT (line 2202) | HRESULT
function PCSTR (line 2272) | PCSTR
function ExtOut (line 2994) | void WINAPIV
function ExtWarn (line 3007) | void WINAPIV
function ExtErr (line 3020) | void WINAPIV
function ExtVerb (line 3033) | void WINAPIV
function ULONG64 (line 3102) | ULONG64
function ULONG (line 3121) | ULONG
function ULONG (line 3173) | ULONG
function PSTR (line 3227) | PSTR
function PWSTR (line 3268) | PWSTR
function ULONG (line 3469) | ULONG
function ExtRemoteTyped (line 3481) | ExtRemoteTyped
function ExtRemoteTyped (line 3493) | ExtRemoteTyped
function ExtRemoteTyped (line 3506) | ExtRemoteTyped
function ExtRemoteTyped (line 3516) | ExtRemoteTyped
function ExtRemoteTyped (line 3526) | ExtRemoteTyped
function PSTR (line 3538) | PSTR
function ULONG (line 3546) | ULONG
function HRESULT (line 3567) | HRESULT
function ULONG64 (line 3716) | ULONG64
function ExtRemoteTypedList (line 3724) | ExtRemoteTypedList
function ExtRemoteTyped (line 3738) | ExtRemoteTyped
function ULONG64 (line 3751) | ULONG64
function ExtRemoteTypedList (line 3759) | ExtRemoteTypedList
function ExtRemoteTyped (line 3773) | ExtRemoteTyped
function ULONG64 (line 3786) | ULONG64
function ExtRemoteTypedList (line 3795) | ExtRemoteTypedList
function ExtRemoteTyped (line 3809) | ExtRemoteTyped
function ULONG64 (line 3822) | ULONG64
function ExtRemoteTypedList (line 3853) | ExtRemoteTypedList
function ExtRemoteTyped (line 3883) | ExtRemoteTyped
function ULONG64 (line 3909) | ULONG64
function ExtRemoteTyped (line 3925) | ExtRemoteTyped
function ULONG64 (line 3934) | ULONG64
function ExtRemoteTyped (line 3950) | ExtRemoteTyped
function ULONG64 (line 3959) | ULONG64
function ExtRemoteTyped (line 3966) | ExtRemoteTyped
function ULONG64 (line 3975) | ULONG64
function ExtRemoteTyped (line 3995) | ExtRemoteTyped
function ULONG64 (line 4004) | ULONG64
function ExtRemoteTyped (line 4011) | ExtRemoteTyped
function ULONG64 (line 4018) | ULONG64
function ExtRemoteTyped (line 4025) | ExtRemoteTyped
function ULONG64 (line 4032) | ULONG64
function ExtDefine (line 4072) | ExtDefine*
function PCSTR (line 4099) | PCSTR
function EXTERN_C (line 4238) | EXTERN_C BOOL WINAPI
function EXTERN_C (line 4253) | EXTERN_C HRESULT CALLBACK
function EXTERN_C (line 4280) | EXTERN_C void CALLBACK
function EXTERN_C (line 4291) | EXTERN_C void CALLBACK
function EXTERN_C (line 4319) | EXTERN_C HRESULT CALLBACK
function EXTERN_C (line 4336) | EXTERN_C HRESULT CALLBACK
function EXTERN_C (line 4352) | EXTERN_C HRESULT CALLBACK
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/engextcpp.hpp
class ExtExtension (line 58) | class ExtExtension
method IsUserMode (line 732) | bool IsUserMode(void)
method IsKernelMode (line 736) | bool IsKernelMode(void)
method IsLiveLocalUser (line 740) | bool IsLiveLocalUser(void)
method IsMachine32 (line 746) | bool IsMachine32(__in ULONG Machine)
method IsCurMachine32 (line 752) | bool IsCurMachine32(void)
method IsMachine64 (line 756) | bool IsMachine64(__in ULONG Machine)
method IsCurMachine64 (line 762) | bool IsCurMachine64(void)
method Is32On64 (line 766) | bool Is32On64(void)
method CanQueryVirtual (line 770) | bool CanQueryVirtual(void)
method HasFullMemBasic (line 776) | bool HasFullMemBasic(void)
method IsExtensionRemote (line 787) | bool IsExtensionRemote(void)
method AreOutputCallbacksDmlAware (line 791) | bool AreOutputCallbacksDmlAware(void)
method RequireUserMode (line 807) | void RequireUserMode(void)
method RequireKernelMode (line 814) | void RequireKernelMode(void)
method DmlCmdLink (line 866) | void DmlCmdLink(__in PCSTR Text,
method DmlCmdExec (line 871) | void DmlCmdExec(__in PCSTR Text,
method RefreshOutputCallbackFlags (line 877) | void RefreshOutputCallbackFlags(void)
method DemandWrap (line 913) | bool DemandWrap(__in ULONG Chars)
method AllowWrap (line 927) | void AllowWrap(__in bool Allow)
method TestWrap (line 935) | void TestWrap(__in bool Test)
method IsAppendStart (line 973) | bool IsAppendStart(void)
method ULONG (line 1022) | ULONG GetNumUnnamedArgs(void)
method HasUnnamedArg (line 1029) | bool HasUnnamedArg(__in ULONG Index)
method HasArg (line 1038) | bool HasArg(__in PCSTR Name)
method HasCharArg (line 1042) | bool HasCharArg(__in CHAR Name)
method SetUnnamedArgStr (line 1052) | bool SetUnnamedArgStr(__in ULONG Index,
method SetUnnamedArgU64 (line 1058) | bool SetUnnamedArgU64(__in ULONG Index,
method SetArgStr (line 1069) | bool SetArgStr(__in PCSTR Name,
method SetArgU64 (line 1075) | bool SetArgU64(__in PCSTR Name,
method PCSTR (line 1082) | PCSTR GetRawArgStr(void)
method PSTR (line 1086) | PSTR GetRawArgCopy(void)
method PCSTR (line 1097) | PCSTR GetExprU64(__in PCSTR Str,
method PCSTR (line 1103) | PCSTR GetExprS64(__in PCSTR Str,
method ThrowCommandHelp (line 1110) | ThrowCommandHelp(void) throw(...)
method ThrowInterrupt (line 1118) | void ThrowInterrupt(void) throw(...)
method ThrowOutOfMemory (line 1125) | ThrowOutOfMemory(void) throw(...)
method ThrowContinueSearch (line 1129) | ThrowContinueSearch(void) throw(...)
method ThrowReloadExtension (line 1133) | ThrowReloadExtension(void) throw(...)
method WINAPIV (line 1145) | WINAPIV
type ArgVal (line 1167) | struct ArgVal
class ExtCommandDesc (line 59) | class ExtCommandDesc
type ArgDesc (line 525) | struct ArgDesc
class ExtException (line 72) | class ExtException
method ExtException (line 75) | ExtException(__in HRESULT Status,
method HRESULT (line 82) | HRESULT GetStatus(void)
method HRESULT (line 86) | HRESULT SetStatus(__in HRESULT Status)
method PCSTR (line 92) | PCSTR GetMessage(void)
method SetMessage (line 96) | void SetMessage(__in_opt PCSTR Message)
class ExtRemoteException (line 115) | class ExtRemoteException : public ExtException
method ExtRemoteException (line 118) | ExtRemoteException(__in HRESULT Status,
class ExtStatusException (line 123) | class ExtStatusException : public ExtException
method ExtStatusException (line 126) | ExtStatusException(__in HRESULT Status,
class ExtInterruptException (line 131) | class ExtInterruptException : public ExtException
method ExtInterruptException (line 134) | ExtInterruptException(void)
class ExtCheckedPointerException (line 139) | class ExtCheckedPointerException : public ExtException
method ExtCheckedPointerException (line 142) | ExtCheckedPointerException(__in PCSTR Message)
class ExtInvalidArgumentException (line 146) | class ExtInvalidArgumentException : public ExtException
method ExtInvalidArgumentException (line 149) | ExtInvalidArgumentException(__in PCSTR Message)
class ExtCheckedPointer (line 164) | class ExtCheckedPointer
method ExtCheckedPointer (line 167) | ExtCheckedPointer(__in PCSTR Message)
method IsSet (line 173) | bool IsSet(void)
method Throw (line 177) | void Throw(void) throw(...)
method _T (line 184) | _T* Get(void) throw(...)
method Set (line 189) | void Set(__in_opt _T* Ptr)
method _T (line 207) | _T* operator->(void) throw(...)
method _T (line 211) | _T** operator&(void)
class ExtUnknownHolder (line 240) | class ExtUnknownHolder
method ExtUnknownHolder (line 243) | ExtUnknownHolder(void)
method _T (line 252) | _T* Get(void) throw(...)
method Set (line 261) | void Set(__in_opt _T* Unk)
method Relinquish (line 266) | void Relinquish(void)
method _T (line 284) | _T* operator->(void) throw(...)
method _T (line 288) | _T** operator&(void)
class ExtDeleteHolder (line 321) | class ExtDeleteHolder
method ExtDeleteHolder (line 324) | ExtDeleteHolder(void)
method _T (line 333) | _T* New(void) throw(...)
method _T (line 343) | _T* New(ULONG Elts) throw(...)
method _T (line 360) | _T* Get(void) throw(...)
method Set (line 369) | void Set(__in_opt _T* Ptr)
method Relinquish (line 374) | void Relinquish(void)
method _T (line 392) | _T* operator->(void) throw(...)
method _T (line 396) | _T** operator&(void)
class ExtCurrentThreadHolder (line 427) | class ExtCurrentThreadHolder
method ExtCurrentThreadHolder (line 430) | ExtCurrentThreadHolder(void)
method ExtCurrentThreadHolder (line 434) | ExtCurrentThreadHolder(__in ULONG Id)
method ExtCurrentThreadHolder (line 438) | ExtCurrentThreadHolder(__in bool DoRefresh)
class ExtCurrentProcessHolder (line 463) | class ExtCurrentProcessHolder
method ExtCurrentProcessHolder (line 466) | ExtCurrentProcessHolder(void)
method ExtCurrentProcessHolder (line 470) | ExtCurrentProcessHolder(__in ULONG Id)
method ExtCurrentProcessHolder (line 474) | ExtCurrentProcessHolder(__in bool DoRefresh)
class ExtCommandDesc (line 504) | class ExtCommandDesc
type ArgDesc (line 525) | struct ArgDesc
type ExtKnownStruct (line 587) | struct ExtKnownStruct
type ExtProvidedValue (line 615) | struct ExtProvidedValue
class ExtExtension (line 631) | class ExtExtension
method IsUserMode (line 732) | bool IsUserMode(void)
method IsKernelMode (line 736) | bool IsKernelMode(void)
method IsLiveLocalUser (line 740) | bool IsLiveLocalUser(void)
method IsMachine32 (line 746) | bool IsMachine32(__in ULONG Machine)
method IsCurMachine32 (line 752) | bool IsCurMachine32(void)
method IsMachine64 (line 756) | bool IsMachine64(__in ULONG Machine)
method IsCurMachine64 (line 762) | bool IsCurMachine64(void)
method Is32On64 (line 766) | bool Is32On64(void)
method CanQueryVirtual (line 770) | bool CanQueryVirtual(void)
method HasFullMemBasic (line 776) | bool HasFullMemBasic(void)
method IsExtensionRemote (line 787) | bool IsExtensionRemote(void)
method AreOutputCallbacksDmlAware (line 791) | bool AreOutputCallbacksDmlAware(void)
method RequireUserMode (line 807) | void RequireUserMode(void)
method RequireKernelMode (line 814) | void RequireKernelMode(void)
method DmlCmdLink (line 866) | void DmlCmdLink(__in PCSTR Text,
method DmlCmdExec (line 871) | void DmlCmdExec(__in PCSTR Text,
method RefreshOutputCallbackFlags (line 877) | void RefreshOutputCallbackFlags(void)
method DemandWrap (line 913) | bool DemandWrap(__in ULONG Chars)
method AllowWrap (line 927) | void AllowWrap(__in bool Allow)
method TestWrap (line 935) | void TestWrap(__in bool Test)
method IsAppendStart (line 973) | bool IsAppendStart(void)
method ULONG (line 1022) | ULONG GetNumUnnamedArgs(void)
method HasUnnamedArg (line 1029) | bool HasUnnamedArg(__in ULONG Index)
method HasArg (line 1038) | bool HasArg(__in PCSTR Name)
method HasCharArg (line 1042) | bool HasCharArg(__in CHAR Name)
method SetUnnamedArgStr (line 1052) | bool SetUnnamedArgStr(__in ULONG Index,
method SetUnnamedArgU64 (line 1058) | bool SetUnnamedArgU64(__in ULONG Index,
method SetArgStr (line 1069) | bool SetArgStr(__in PCSTR Name,
method SetArgU64 (line 1075) | bool SetArgU64(__in PCSTR Name,
method PCSTR (line 1082) | PCSTR GetRawArgStr(void)
method PSTR (line 1086) | PSTR GetRawArgCopy(void)
method PCSTR (line 1097) | PCSTR GetExprU64(__in PCSTR Str,
method PCSTR (line 1103) | PCSTR GetExprS64(__in PCSTR Str,
method ThrowCommandHelp (line 1110) | ThrowCommandHelp(void) throw(...)
method ThrowInterrupt (line 1118) | void ThrowInterrupt(void) throw(...)
method ThrowOutOfMemory (line 1125) | ThrowOutOfMemory(void) throw(...)
method ThrowContinueSearch (line 1129) | ThrowContinueSearch(void) throw(...)
method ThrowReloadExtension (line 1133) | ThrowReloadExtension(void) throw(...)
method WINAPIV (line 1145) | WINAPIV
type ArgVal (line 1167) | struct ArgVal
class ExtRemoteData (line 1453) | class ExtRemoteData
method ExtRemoteData (line 1456) | ExtRemoteData(void)
method ExtRemoteData (line 1460) | ExtRemoteData(__in ULONG64 Offset,
method ExtRemoteData (line 1466) | ExtRemoteData(__in_opt PCSTR Name,
method Set (line 1475) | void Set(__in ULONG64 Offset,
method CHAR (line 1503) | CHAR GetChar(void) throw(...)
method UCHAR (line 1507) | UCHAR GetUchar(void) throw(...)
method BOOLEAN (line 1511) | BOOLEAN GetBoolean(void) throw(...)
method GetStdBool (line 1515) | bool GetStdBool(void) throw(...)
method BOOL (line 1519) | BOOL GetW32Bool(void) throw(...)
method SHORT (line 1523) | SHORT GetShort(void) throw(...)
method USHORT (line 1527) | USHORT GetUshort(void) throw(...)
method LONG (line 1531) | LONG GetLong(void) throw(...)
method ULONG (line 1535) | ULONG GetUlong(void) throw(...)
method LONG64 (line 1539) | LONG64 GetLong64(void) throw(...)
method ULONG64 (line 1543) | ULONG64 GetUlong64(void) throw(...)
method GetFloat (line 1547) | float GetFloat(void) throw(...)
method GetDouble (line 1552) | double GetDouble(void) throw(...)
method LONG64 (line 1564) | LONG64 GetLongPtr(void) throw(...)
method ULONG64 (line 1570) | ULONG64 GetUlongPtr(void) throw(...)
method ULONG64 (line 1579) | ULONG64 GetPtr(void) throw(...)
method Clear (line 1620) | void Clear(void)
class ExtRemoteTyped (line 1644) | class ExtRemoteTyped : public ExtRemoteData
method ExtRemoteTyped (line 1647) | ExtRemoteTyped(void)
method ExtRemoteTyped (line 1651) | ExtRemoteTyped(__in PCSTR Expr) throw(...)
method ExtRemoteTyped (line 1656) | ExtRemoteTyped(__in const DEBUG_TYPED_DATA* Typed) throw(...)
method ExtRemoteTyped (line 1661) | ExtRemoteTyped(__in const ExtRemoteTyped& Typed) throw(...)
method ExtRemoteTyped (line 1666) | ExtRemoteTyped(__in PCSTR Expr,
method ExtRemoteTyped (line 1672) | ExtRemoteTyped(__in PCSTR Type,
method ExtRemoteTyped (line 1686) | ExtRemoteTyped& operator=(__in const DEBUG_TYPED_DATA* Typed) throw(...)
method ExtRemoteTyped (line 1691) | ExtRemoteTyped& operator=(__in const ExtRemoteTyped& Typed) throw(...)
method Copy (line 1698) | void Copy(__in const ExtRemoteTyped& Typed) throw(...)
method HasField (line 1727) | bool HasField(__in PCSTR Field)
method ULONG (line 1735) | ULONG GetTypeSize(void) throw(...)
method ExtRemoteTyped (line 1752) | ExtRemoteTyped operator[](__in LONG Index)
method ExtRemoteTyped (line 1756) | ExtRemoteTyped operator[](__in ULONG Index)
method ExtRemoteTyped (line 1760) | ExtRemoteTyped operator[](__in LONG64 Index)
method ExtRemoteTyped (line 1764) | ExtRemoteTyped operator[](__in ULONG64 Index)
method ExtRemoteTyped (line 1774) | ExtRemoteTyped operator*(void)
method OutTypeName (line 1782) | void OutTypeName(void) throw(...)
method OutSimpleValue (line 1786) | void OutSimpleValue(void) throw(...)
method OutFullValue (line 1790) | void OutFullValue(void) throw(...)
method OutTypeDefinition (line 1794) | void OutTypeDefinition(void) throw(...)
method Release (line 1799) | void Release(void)
class ExtRemoteList (line 1844) | class ExtRemoteList
method ExtRemoteList (line 1847) | ExtRemoteList(__in ULONG64 Head,
method ExtRemoteList (line 1856) | ExtRemoteList(__in ExtRemoteData& Head,
method StartHead (line 1866) | void StartHead(void)
method StartTail (line 1871) | void StartTail(void)
method HasNode (line 1882) | bool HasNode(void)
method ULONG64 (line 1888) | ULONG64 GetNodeOffset(void)
method Next (line 1892) | void Next(void)
method Prev (line 1902) | void Prev(void)
class ExtRemoteTypedList (line 1937) | class ExtRemoteTypedList : public ExtRemoteList
method ExtRemoteTypedList (line 1940) | ExtRemoteTypedList(__in ULONG64 Head,
method ExtRemoteTypedList (line 1951) | ExtRemoteTypedList(__in ExtRemoteData& Head,
method SetTypeAndLink (line 1963) | void SetTypeAndLink(__in PCSTR Type,
method ExtRemoteTyped (line 1986) | ExtRemoteTyped GetTypedNodePtr(void) throw(...)
method ExtRemoteTyped (line 2009) | ExtRemoteTyped GetTypedNode(void) throw(...)
class ExtNtOsInformation (line 2043) | class ExtNtOsInformation
method ExtRemoteTyped (line 2083) | static ExtRemoteTyped GetOsPeb(void)
method ExtRemoteTyped (line 2090) | static ExtRemoteTyped GetOsTeb(void)
method ExtRemoteTyped (line 2097) | static ExtRemoteTyped GetAltPeb(void)
method ExtRemoteTyped (line 2104) | static ExtRemoteTyped GetAltTeb(void)
method ExtRemoteTyped (line 2111) | static ExtRemoteTyped GetCurPeb(void)
method ExtRemoteTyped (line 2118) | static ExtRemoteTyped GetCurTeb(void)
type ExtDefine (line 2219) | struct ExtDefine
class ExtDefineMap (line 2225) | class ExtDefineMap
method ExtDefineMap (line 2228) | ExtDefineMap(__in ExtDefine* Defines,
class ExtCaptureOutput (line 2271) | class ExtCaptureOutput : public _BaseClass
method ExtCaptureOutput (line 2274) | ExtCaptureOutput(void)
method Start (line 2382) | void Start(void)
method Stop (line 2425) | void Stop(void)
method Delete (line 2455) | void Delete(void)
method Execute (line 2468) | void Execute(__in PCSTR Command)
method _CharType (line 2484) | const _CharType* GetTextNonNull(void)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/extsfns.h
type DEBUG_DEVICE_OBJECT_INFO (line 45) | typedef struct _DEBUG_DEVICE_OBJECT_INFO {
type DEBUG_DRIVER_OBJECT_INFO (line 68) | typedef struct _DEBUG_DRIVER_OBJECT_INFO {
type DEBUG_CPU_SPEED_INFO (line 92) | typedef struct _DEBUG_CPU_SPEED_INFO {
type DEBUG_CPU_MICROCODE_VERSION (line 104) | typedef struct _DEBUG_CPU_MICROCODE_VERSION {
type DEBUG_SMBIOS_INFO (line 119) | typedef struct _DEBUG_SMBIOS_INFO {
type DEBUG_IRP_STACK_INFO (line 154) | typedef struct _DEBUG_IRP_STACK_INFO {
type DEBUG_IRP_INFO (line 163) | typedef struct _DEBUG_IRP_INFO {
type DEBUG_PNP_TRIAGE_INFO (line 187) | typedef struct _DDEBUG_PNP_TRIAGE_INFO {
type DEBUG_POOL_DATA (line 214) | typedef struct _DEBUG_POOL_DATA {
type DEBUG_POOL_REGION (line 247) | typedef enum _DEBUG_POOL_REGION {
type KDEXT_THREAD_FIND_PARAMS (line 269) | typedef struct _KDEXT_THREAD_FIND_PARAMS {
type KDEXT_FILELOCK_OWNER (line 285) | typedef struct _KDEXT_FILELOCK_OWNER {
type KDEXTS_LOCK_INFO (line 303) | typedef struct _KDEXTS_LOCK_INFO {
type KDEXTS_PTE_INFO (line 340) | typedef struct _KDEXTS_PTE_INFO {
type DEBUG_POOLTAG_DESCRIPTION (line 384) | typedef struct _DEBUG_POOLTAG_DESCRIPTION {
type DEBUG_FAILURE_TYPE (line 415) | typedef enum _DEBUG_FAILURE_TYPE {
type DEBUG_FLR_PARAM_TYPE (line 428) | typedef enum _DEBUG_FLR_PARAM_TYPE {
type DBG_THREAD_ATTRIBUTES (line 896) | typedef struct _DBG_THREAD_ATTRIBUTES
type DEBUG_FLR_PARAM_TYPE (line 932) | typedef DEBUG_FLR_PARAM_TYPE FA_TAG;
type FA_ENTRY_TYPE (line 938) | typedef enum _FA_ENTRY_TYPE
function STDMETHOD (line 986) | STDMETHOD(SetType)(
type OS_TYPE (line 1461) | typedef enum _OS_TYPE {
type OS_INFO (line 1478) | typedef struct _OS_INFO {
type CPU_INFO (line 1502) | typedef struct _CPU_INFO {
type TARGET_DEBUG_INFO (line 1512) | typedef struct _TARGET_DEBUG_INFO {
type DEBUG_DECODE_ERROR (line 1532) | typedef struct _DEBUG_DECODE_ERROR {
type DEBUG_TRIAGE_FOLLOWUP_INFO (line 1553) | typedef struct _DEBUG_TRIAGE_FOLLOWUP_INFO {
type EXT_CAB_XML_DATA (line 1575) | typedef struct _EXT_CAB_XML_DATA {
type __in (line 1605) | typedef HRESULT
type DEBUG_ANALYSIS_PROCESSOR_INFO (line 1621) | typedef struct _DEBUG_ANALYSIS_PROCESSOR_INFO {
type TANALYZE_RETURN (line 1709) | typedef enum _TANALYZE_RETURN{
type CKCL_DATA (line 1719) | typedef struct _CKCL_DATA{
type CKCL_LISTHEAD (line 1726) | typedef struct _CKCL_LISTHEAD{
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/wdbgexts.h
type CONST (line 56) | typedef CONST void *LPCVOID;
type ULONGLONG (line 60) | typedef unsigned __int64 ULONGLONG;
type ULONGLONG (line 61) | typedef ULONGLONG *PULONGLONG;
type EXTSTACKTRACE (line 247) | typedef struct _EXTSTACKTRACE {
type EXTSTACKTRACE32 (line 254) | typedef struct _EXTSTACKTRACE32 {
type EXTSTACKTRACE64 (line 261) | typedef struct _EXTSTACKTRACE64 {
type WINDBG_EXTENSION_APIS (line 299) | typedef struct _WINDBG_EXTENSION_APIS {
type WINDBG_EXTENSION_APIS32 (line 314) | typedef struct _WINDBG_EXTENSION_APIS32 {
type WINDBG_EXTENSION_APIS64 (line 329) | typedef struct _WINDBG_EXTENSION_APIS64 {
type WINDBG_OLD_EXTENSION_APIS (line 345) | typedef struct _WINDBG_OLD_EXTENSION_APIS {
type WINDBG_OLDKD_EXTENSION_APIS (line 354) | typedef struct _WINDBG_OLDKD_EXTENSION_APIS {
type EXT_API_VERSION (line 447) | typedef struct EXT_API_VERSION {
type PROCESSORINFO (line 512) | typedef struct _PROCESSORINFO {
type READCONTROLSPACE (line 517) | typedef struct _READCONTROLSPACE {
type READCONTROLSPACE32 (line 524) | typedef struct _READCONTROLSPACE32 {
type READCONTROLSPACE64 (line 531) | typedef struct _READCONTROLSPACE64 {
type IOSPACE (line 538) | typedef struct _IOSPACE {
type IOSPACE32 (line 544) | typedef struct _IOSPACE32 {
type IOSPACE64 (line 550) | typedef struct _IOSPACE64 {
type IOSPACE_EX (line 556) | typedef struct _IOSPACE_EX {
type IOSPACE_EX32 (line 565) | typedef struct _IOSPACE_EX32 {
type IOSPACE_EX64 (line 574) | typedef struct _IOSPACE_EX64 {
type BUSDATA (line 583) | typedef struct _GETSETBUSDATA {
type SEARCHMEMORY (line 592) | typedef struct _SEARCHMEMORY {
type PHYSICAL (line 600) | typedef struct _PHYSICAL {
type PHYSICAL_WITH_FLAGS (line 611) | typedef struct _PHYSICAL_WITH_FLAGS {
type READ_WRITE_MSR (line 618) | typedef struct _READ_WRITE_MSR {
type GET_SET_SYMPATH (line 623) | typedef struct _GET_SET_SYMPATH {
type GET_TEB_ADDRESS (line 629) | typedef struct _GET_TEB_ADDRESS {
type GET_PEB_ADDRESS (line 633) | typedef struct _GET_PEB_ADDRESS {
type GET_CURRENT_THREAD_ADDRESS (line 638) | typedef struct _GET_CURRENT_THREAD_ADDRESS {
type GET_CURRENT_PROCESS_ADDRESS (line 643) | typedef struct _GET_CURRENT_PROCESS_ADDRESS {
type GET_INPUT_LINE (line 649) | typedef struct _GET_INPUT_LINE {
type GET_EXPRESSION_EX (line 656) | typedef struct _GET_EXPRESSION_EX {
type TRANSLATE_VIRTUAL_TO_PHYSICAL (line 662) | typedef struct _TRANSLATE_VIRTUAL_TO_PHYSICAL {
type VIRTUAL_TO_PHYSICAL (line 667) | typedef struct _VIRTUAL_TO_PHYSICAL {
type PHYSICAL_TO_VIRTUAL (line 675) | typedef struct _PHYSICAL_TO_VIRTUAL {
type GET_CONTEXT_EX (line 681) | typedef struct _GET_CONTEXT_EX {
type POINTER_SEARCH_PHYSICAL (line 696) | typedef struct _POINTER_SEARCH_PHYSICAL {
type WDBGEXTS_THREAD_OS_INFO (line 707) | typedef struct _WDBGEXTS_THREAD_OS_INFO {
type WDBGEXTS_CLR_DATA_INTERFACE (line 732) | typedef struct _WDBGEXTS_CLR_DATA_INTERFACE {
type EXT_MATCH_PATTERN_A (line 739) | typedef struct _EXT_MATCH_PATTERN_A {
type EXT_FIND_FILE (line 747) | typedef struct _EXT_FIND_FILE {
type DEBUG_TYPED_DATA (line 775) | typedef struct _DEBUG_TYPED_DATA
type EXT_TDOP (line 790) | typedef enum _EXT_TDOP {
type EXT_TYPED_DATA (line 823) | typedef struct _EXT_TYPED_DATA {
type WDBGEXTS_QUERY_INTERFACE (line 844) | typedef struct _WDBGEXTS_QUERY_INTERFACE {
type WDBGEXTS_DISASSEMBLE_BUFFER (line 856) | typedef struct _WDBGEXTS_DISASSEMBLE_BUFFER {
type WDBGEXTS_MODULE_IN_RANGE (line 870) | typedef struct _WDBGEXTS_MODULE_IN_RANGE {
type DBGKD_MAJOR_TYPES (line 898) | typedef enum _DBGKD_MAJOR_TYPES
type DBGKD_GET_VERSION32 (line 928) | typedef struct _DBGKD_GET_VERSION32 {
type DBGKD_DEBUG_DATA_HEADER32 (line 995) | typedef struct _DBGKD_DEBUG_DATA_HEADER32 {
type KDDEBUGGER_DATA32 (line 1003) | typedef struct _KDDEBUGGER_DATA32 {
type DBGKD_GET_VERSION64 (line 1118) | typedef struct _DBGKD_GET_VERSION64 {
type DBGKD_DEBUG_DATA_HEADER64 (line 1166) | typedef struct _DBGKD_DEBUG_DATA_HEADER64 {
type KDDEBUGGER_DATA64 (line 1203) | typedef struct _KDDEBUGGER_DATA64 {
type FIELD_INFO (line 1617) | typedef struct _FIELD_INFO {
type SYM_DUMP_PARAM (line 1642) | typedef struct _SYM_DUMP_PARAM {
function VOID (line 1756) | __inline VOID
function VOID (line 1780) | __inline VOID
function VOID (line 1804) | __inline VOID
function VOID (line 1830) | __inline VOID
function VOID (line 1856) | __inline VOID
function VOID (line 1870) | __inline VOID
function VOID (line 1883) | __inline VOID
function VOID (line 1891) | __inline VOID
function VOID (line 1899) | __inline VOID
function VOID (line 1908) | __inline VOID
function VOID (line 1931) | __inline VOID
function VOID (line 1957) | __inline VOID
function VOID (line 1983) | __inline VOID
function VOID (line 2008) | __inline VOID
function VOID (line 2023) | __inline VOID
function VOID (line 2038) | __inline VOID
function VOID (line 2053) | __inline VOID
function VOID (line 2068) | __inline VOID
function VOID (line 2083) | __inline VOID
function VOID (line 2098) | __inline VOID
function VOID (line 2120) | __inline VOID
function VOID (line 2142) | __inline VOID
function VOID (line 2164) | __inline VOID
function VOID (line 2185) | __inline VOID
function VOID (line 2206) | __inline VOID
function VOID (line 2227) | __inline VOID
function VOID (line 2257) | __inline VOID
function ULONG (line 2295) | __inline
function ULONG (line 2312) | __inline
function ULONG (line 2339) | __inline
function ULONG (line 2365) | __inline
function ULONG (line 2391) | __inline
function ULONG (line 2421) | __inline
function ULONG64 (line 2464) | __inline
function ULONG (line 2520) | __inline
function ULONG (line 2556) | __inline
function ULONG (line 2592) | __inline
function VOID (line 2631) | __inline VOID
function VOID (line 2639) | __inline VOID
function VOID (line 2650) | __inline VOID
function VOID (line 2663) | __inline VOID
function VOID (line 2675) | __inline VOID
function VOID (line 2689) | __inline VOID
function ULONG (line 2708) | __inline ULONG
function BOOL (line 2729) | __inline BOOL
function BOOL (line 2753) | __inline BOOL
function BOOL (line 2770) | __inline BOOL
function BOOL (line 2778) | __inline BOOL
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/debug.cpp
function DbgMsgLogWrite (line 8) | void DbgMsgLogWrite(char *lpszBuff)
function DbgMsg (line 53) | void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...)
function DWORD (line 99) | DWORD WINAPI PipeInstanceThread(LPVOID lpParam)
function DWORD (line 162) | DWORD WINAPI PipeServerThread(LPVOID lpParam)
function DbgInit (line 208) | void DbgInit(char *lpszDebugPipeName, char *lpszLogFileName)
function WORD (line 265) | WORD ccol(WORD wColor)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/drvcomm.h
type ULONG (line 32) | typedef ULONG FUZZING_TYPE;
type USER_MODE_DATA (line 39) | typedef struct _USER_MODE_DATA
type REQUEST_BUFFER (line 50) | typedef struct _REQUEST_BUFFER
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.cpp
function BOOL (line 52) | BOOL GetOption(IXMLDOMNode *pIDOMNode, PWSTR lpwcName, PBOOL pbVal)
function ParseAllowDenySection (line 81) | void ParseAllowDenySection(IXMLDOMNode *pIDOMNode, BOOL bAllow, BOOL bDb...
function BOOL (line 336) | BOOL SetOptions(DWORD dwOptions, FUZZING_TYPE FuzzingType)
function BOOL (line 354) | BOOL SetDefaultOptions(void)
function BOOL (line 370) | BOOL ParseConfig(char *lpszCfgFileName)
function DWORD (line 513) | DWORD WINAPI ApcThread(LPVOID lpParam)
function BOOL (line 523) | BOOL WINAPI CtrlHandler(DWORD fdwCtrlType)
function BOOL (line 539) | BOOL GetResPayload(HMODULE hModule, char *lpszResourceName, PVOID *Data,...
function LRESULT (line 583) | LRESULT CALLBACK MainDlg(HWND hDlg, UINT message, WPARAM wParam, LPARAM ...
function _tmain (line 668) | int _tmain(int argc, _TCHAR* argv[])
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ntdll_defs.h
type LONG (line 1) | typedef LONG NTSTATUS;
type IO_STATUS_BLOCK (line 3) | typedef struct _IO_STATUS_BLOCK
type UNICODE_STRING (line 16) | typedef struct _UNICODE_STRING
type OBJECT_ATTRIBUTES (line 33) | typedef struct _OBJECT_ATTRIBUTES
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/service.cpp
function BOOL (line 6) | BOOL DrvOpenDevice(PWSTR DriverName, HANDLE *lphDevice)
function BOOL (line 42) | BOOL DrvDeviceRequest(PREQUEST_BUFFER Request, DWORD dwRequestSize)
function BOOL (line 96) | BOOL DrvServiceStart(char *lpszServiceName, char *lpszPath, PBOOL bAllre...
function BOOL (line 183) | BOOL DrvServiceStop(char *lpszServiceName)
function BOOL (line 230) | BOOL DrvServiceRemove(char *lpszServiceName)
function DWORD (line 276) | DWORD DrvServiceGetStartType(char *lpszServiceName)
function BOOL (line 321) | BOOL DrvServiceSetStartType(char *lpszServiceName, DWORD dwStartType)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/symbols.cpp
function BOOL (line 3) | BOOL GetNormalizedSymbolName(char *lpszName, char *lpszNormalizedName, i...
type _ENUM_SYM_PARAM (line 43) | struct _ENUM_SYM_PARAM
function BOOL (line 51) | BOOL CALLBACK EnumSymbolsProc(
function ULONGLONG (line 71) | ULONGLONG GetSymbolByName(char *lpszModuleName, HMODULE hModule, char *l...
function DWORD (line 114) | DWORD GetKernelSymbolOffset(char *lpszSymbolName)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/undocnt.h
type SYSTEM_INFORMATION_CLASS (line 8) | typedef enum _SYSTEM_INFORMATION_CLASS
type RTL_PROCESS_MODULE_INFORMATION (line 96) | typedef struct _RTL_PROCESS_MODULE_INFORMATION
type RTL_PROCESS_MODULES (line 112) | typedef struct _RTL_PROCESS_MODULES
type SHUTDOWN_ACTION (line 120) | typedef enum _SHUTDOWN_ACTION
type DIRECTORY_BASIC_INFORMATION (line 129) | typedef struct _DIRECTORY_BASIC_INFORMATION
type SYSTEM_HANDLE_TABLE_ENTRY_INFO (line 137) | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
type SYSTEM_HANDLE_INFORMATION (line 150) | typedef struct _SYSTEM_HANDLE_INFORMATION
type FILE_INFORMATION_CLASS (line 158) | typedef enum _FILE_INFORMATION_CLASS
type SYSTEM_KERNEL_DEBUGGER_INFORMATION (line 205) | typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
type FILE_NAME_INFORMATION (line 213) | typedef struct _FILE_NAME_INFORMATION
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/xml.cpp
function BOOL (line 8) | BOOL XmlLoad(PWSTR lpwcData, IXMLDOMDocument **pXMLDoc, IXMLDOMNode **pI...
function IXMLDOMNode (line 78) | IXMLDOMNode * ConfGetListNodeByName(BSTR NodeName, IXMLDOMNodeList *pIDO...
function IXMLDOMNode (line 144) | IXMLDOMNode * ConfGetNodeByName(BSTR NodeName, IXMLDOMNode *pIDOMNode)
function BOOL (line 177) | BOOL ConfGetNodeTextW(IXMLDOMNode *pIDOMNode, PWSTR *str)
function BOOL (line 223) | BOOL ConfGetNodeTextA(IXMLDOMNode *pIDOMNode, PCHAR *str)
function BOOL (line 260) | BOOL ConfAllocGetTextByNameW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *...
function BOOL (line 287) | BOOL ConfAllocGetTextByNameA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *...
function BOOL (line 312) | BOOL ConfGetNodeAttributeW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *va...
function BOOL (line 359) | BOOL ConfGetNodeAttributeA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *va...
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common.c
type ACE_HEADER (line 5) | typedef struct _ACE_HEADER
type ACE_HEADER (line 12) | typedef ACE_HEADER *PACE_HEADER;
type ACCESS_ALLOWED_ACE (line 14) | typedef struct _ACCESS_ALLOWED_ACE
type SID (line 22) | typedef struct _SID
function BOOLEAN (line 34) | BOOLEAN SetObjectSecurityWorld(HANDLE hObject, ACCESS_MASK AccessMask)
function PVOID (line 166) | PVOID KernelGetModuleBase(char *ModuleName)
function ULONG (line 288) | ULONG KernelGetExportAddress(PVOID Image, char *lpszFunctionName)
function POBJECT_NAME_INFORMATION (line 356) | POBJECT_NAME_INFORMATION GetObjectName(PVOID pObject)
function POBJECT_NAME_INFORMATION (line 390) | POBJECT_NAME_INFORMATION GetObjectNameByHandle(HANDLE hObject)
function POBJECT_NAME_INFORMATION (line 408) | POBJECT_NAME_INFORMATION GetFullNtPath(PUNICODE_STRING Name)
function BOOLEAN (line 438) | BOOLEAN GetNormalizedModulePath(PANSI_STRING asPath, PANSI_STRING asNorm...
function PVOID (line 585) | PVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass)
function BOOLEAN (line 630) | BOOLEAN AllocUnicodeString(PUNICODE_STRING us, USHORT MaximumLength)
function BOOLEAN (line 650) | BOOLEAN AppendUnicodeToString(PUNICODE_STRING Dest, PCWSTR Source, USHOR...
function ULONG (line 665) | ULONG GetFileSize(HANDLE hFile, PULONG FileSizeHigh)
function BOOLEAN (line 689) | BOOLEAN ReadFromFile(PUNICODE_STRING FileName, PVOID *Data, PULONG DataS...
function BOOLEAN (line 746) | BOOLEAN DumpToFile(PUNICODE_STRING FileName, PVOID Data, ULONG DataSize)
function BOOLEAN (line 788) | BOOLEAN DeleteFile(PUNICODE_STRING usFileName)
function BOOLEAN (line 876) | BOOLEAN LoadImageAsDataFile(PUNICODE_STRING usName, PVOID *Image, PULONG...
function VOID (line 955) | VOID WPOFFx64()
function VOID (line 962) | VOID WPONx64()
type PROCESSOR_THREAD_PARAM (line 1003) | typedef struct _PROCESSOR_THREAD_PARAM
function ProcessorThread (line 1012) | void NTAPI ProcessorThread(PVOID Param)
function ForEachProcessor (line 1023) | void ForEachProcessor(PKSTART_ROUTINE Routine, PVOID Param)
function ULONG (line 1091) | ULONG GetSyscallNumber(char *lpszName)
function BOOLEAN (line 1123) | BOOLEAN RegQueryValueKey(HANDLE hKey, PWSTR lpwcName, ULONG Type, PVOID ...
function BOOLEAN (line 1224) | BOOLEAN RegSetValueKey(HANDLE hKey, PWSTR lpwcName, ULONG Type, PVOID Da...
function BOOLEAN (line 1252) | BOOLEAN GetProcessFullImagePath(PEPROCESS Process, PUNICODE_STRING Image...
function BOOLEAN (line 1357) | BOOLEAN AllocateUserMemory(ULONG Size, PMAPPED_MDL MdlInfo)
function FreeUserMemory (line 1428) | void FreeUserMemory(PMAPPED_MDL MdlInfo)
function BOOLEAN (line 1443) | BOOLEAN IsWow64Process(PEPROCESS Process, BOOLEAN *bIsWow64)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common.h
type MAPPED_MDL (line 70) | typedef struct _MAPPED_MDL
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/debug.c
function DbgMsg (line 26) | void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...)
function DbgOpenPipe (line 92) | void DbgOpenPipe(void)
function DbgClosePipe (line 129) | void DbgClosePipe(void)
function DbgOpenLogFile (line 146) | void DbgOpenLogFile(void)
function DbgClose (line 182) | void DbgClose(void)
function DbgInit (line 201) | void DbgInit(void)
function DbgHexdump (line 214) | void DbgHexdump(PUCHAR Data, ULONG Length)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/driver.c
function ULONG (line 67) | ULONG GetPrevModeOffset(void)
function PVOID (line 132) | PVOID GetKeSDT(void)
function ULONG (line 252) | ULONG LoadSyscallNumber(char *lpszName)
function BOOLEAN (line 316) | BOOLEAN InitSdtNumbers(void)
function BOOLEAN (line 384) | BOOLEAN SetUpHooks(void)
function BOOLEAN (line 481) | BOOLEAN RemoveHooks(void)
function SetPreviousMode (line 522) | void SetPreviousMode(KPROCESSOR_MODE Mode)
function BOOLEAN (line 528) | BOOLEAN SaveFuzzerOptions(void)
function BOOLEAN (line 566) | BOOLEAN DeleteSavedFuzzerOptions(void)
function BOOLEAN (line 600) | BOOLEAN LoadFuzzerOptions(void)
function PFILE_OBJECT (line 675) | PFILE_OBJECT GetDeviceObjectPointer(PUNICODE_STRING usDeviceName)
function NTSTATUS (line 714) | NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
function DriverUnload (line 1214) | void DriverUnload(PDRIVER_OBJECT DriverObject)
function NTSTATUS (line 1249) | NTSTATUS NTAPI DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING ...
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/drvcomm.h
type ULONG (line 32) | typedef ULONG FUZZING_TYPE;
type USER_MODE_DATA (line 39) | typedef struct _USER_MODE_DATA
type REQUEST_BUFFER (line 50) | typedef struct _REQUEST_BUFFER
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/extern.h
type ud (line 20) | struct ud
type ud (line 22) | struct ud
type ud (line 24) | struct ud
type ud (line 26) | struct ud
type ud (line 26) | struct ud
type ud (line 28) | struct ud
type ud (line 31) | struct ud
type ud (line 34) | struct ud
type ud (line 36) | struct ud
type ud (line 36) | struct ud
type ud (line 38) | struct ud
type ud (line 40) | struct ud
type ud (line 42) | struct ud
type ud (line 44) | struct ud
type ud (line 46) | struct ud
type ud (line 48) | struct ud
type ud (line 50) | struct ud
type ud (line 52) | struct ud
type ud (line 54) | struct ud
type ud (line 56) | struct ud
type ud (line 58) | struct ud
type ud_mnemonic_code (line 60) | enum ud_mnemonic_code
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/handlers.c
function PCOMMON_LST_ENTRY (line 66) | PCOMMON_LST_ENTRY LookupProcessInfo(PEPROCESS Process)
function FreeProcessInfo (line 100) | void FreeProcessInfo(void)
function ProcessNotifyRoutine (line 131) | void NTAPI ProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLE...
function PUNICODE_STRING (line 211) | PUNICODE_STRING LookupProcessName(PEPROCESS TargetProcess)
function BOOLEAN (line 279) | BOOLEAN ValidateUnicodeString(PUNICODE_STRING usStr)
function NTSTATUS (line 305) | NTSTATUS NTAPI new_NtDeviceIoControlFile(
function VOID (line 549) | VOID WaitHookRemoveComplete()
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/handlers.h
type LST_PROCESS_INFO (line 2) | typedef struct _LST_PROCESS_INFO
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/hook.c
function PVOID (line 3) | PVOID Hook(PVOID Function, PVOID Handler, PULONG pBytesPatched)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/log.c
function LogData (line 17) | void LogData(char *lpszFormat, ...)
function BOOLEAN (line 63) | BOOLEAN LogDataIoctlsInitLogFile(void)
function LogDataIoctls (line 162) | void LogDataIoctls(char *lpszFormat, ...)
function LogDataHexdump (line 200) | void LogDataHexdump(PUCHAR Data, ULONG Size)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/lst.c
function PCOMMON_LST_ENTRY (line 3) | PCOMMON_LST_ENTRY LstFindEntry(
function PCOMMON_LST_ENTRY (line 36) | PCOMMON_LST_ENTRY LstAddEntry(
function LstFlush (line 113) | void LstFlush(PCOMMON_LST list)
function LstDelEntry (line 161) | void LstDelEntry(PCOMMON_LST list, PCOMMON_LST_ENTRY e)
function PCOMMON_LST (line 197) | PCOMMON_LST LstInit(void)
function LstFree (line 215) | void LstFree(PCOMMON_LST list)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/lst.h
type COMMON_LST_ENTRY (line 5) | typedef struct _COMMON_LST_ENTRY
type COMMON_LST (line 18) | typedef struct _COMMON_LST
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rng.c
function init_genrand (line 57) | void init_genrand(unsigned long s)
function init_by_array (line 76) | void init_by_array(unsigned long init_key[], int key_length)
function genrand_int32 (line 102) | unsigned long genrand_int32(void)
function getrand (line 139) | unsigned long getrand(unsigned long min, unsigned long max)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rules.c
function FORCEINLINE (line 13) | FORCEINLINE
function FORCEINLINE (line 26) | FORCEINLINE
function NTSTATUS (line 34) | NTSTATUS FltInitRuleList()
function VOID (line 51) | VOID FltUnInitRuleList()
function wchar_t (line 63) | wchar_t xchrlower_w(wchar_t chr)
function BOOLEAN (line 73) | BOOLEAN EqualUnicodeString_r(PUNICODE_STRING Str1, PUNICODE_STRING Str2,...
function PIOCTL_FILTER (line 97) | PIOCTL_FILTER FltAdd(PIOCTL_FILTER f, PLIST_ENTRY ListEntry, ULONG KdCom...
function VOID (line 124) | VOID DeferenceRuleCount(PIOCTL_FILTER Item)
function PIOCTL_FILTER (line 134) | PIOCTL_FILTER FltAddDenyRule(PIOCTL_FILTER f, ULONG KdCommandLength)
function PIOCTL_FILTER (line 149) | PIOCTL_FILTER FltAddAllowRule(PIOCTL_FILTER f, ULONG KdCommandLength)
function PIOCTL_FILTER (line 164) | PIOCTL_FILTER FltAddDbgcbRule(PIOCTL_FILTER f, ULONG KdCommandLength)
function FltFlushList (line 180) | void FltFlushList(PLIST_ENTRY ListEntryHead)
function FltFlushAllList (line 215) | void FltFlushAllList()
function PIOCTL_FILTER (line 227) | PIOCTL_FILTER FltMatch(
function BOOLEAN (line 293) | BOOLEAN FltMatchDeny(
function BOOLEAN (line 314) | BOOLEAN FltMatchAllow(
function BOOLEAN (line 405) | BOOLEAN FltIsMatchedRequest(
function BOOLEAN (line 424) | BOOLEAN SaveRules(PLIST_ENTRY ListEntryHead, HANDLE hKey, PUNICODE_STRIN...
function BOOLEAN (line 524) | BOOLEAN SaveDenyRules(HANDLE hKey, PUNICODE_STRING usValueName)
function BOOLEAN (line 538) | BOOLEAN SaveAllowRules(HANDLE hKey, PUNICODE_STRING usValueName)
function BOOLEAN (line 552) | BOOLEAN LoadRules(PLIST_ENTRY ListEntryHead, HANDLE hKey, PUNICODE_STRIN...
function BOOLEAN (line 668) | BOOLEAN LoadDenyRules(HANDLE hKey, PUNICODE_STRING usValueName)
function BOOLEAN (line 682) | BOOLEAN LoadAllowRules(HANDLE hKey, PUNICODE_STRING usValueName)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rules.h
type IOCTL_FILTER (line 10) | typedef struct _IOCTL_FILTER
type IOCTL_FILTER_SERIALIZED (line 24) | typedef struct _IOCTL_FILTER_SERIALIZED
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/extern.h
type ud (line 20) | struct ud
type ud (line 22) | struct ud
type ud (line 24) | struct ud
type ud (line 26) | struct ud
type ud (line 26) | struct ud
type ud (line 28) | struct ud
type ud (line 31) | struct ud
type ud (line 34) | struct ud
type ud (line 36) | struct ud
type ud (line 36) | struct ud
type ud (line 38) | struct ud
type ud (line 40) | struct ud
type ud (line 42) | struct ud
type ud (line 44) | struct ud
type ud (line 46) | struct ud
type ud (line 48) | struct ud
type ud (line 50) | struct ud
type ud (line 52) | struct ud
type ud (line 54) | struct ud
type ud (line 56) | struct ud
type ud (line 58) | struct ud
type ud_mnemonic_code (line 60) | enum ud_mnemonic_code
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/itab.h
type ud_itab_vendor_index (line 9) | enum ud_itab_vendor_index {
type ud_itab_mode_index (line 15) | enum ud_itab_mode_index {
type ud_itab_mod_index (line 22) | enum ud_itab_mod_index {
type ud_itab_index (line 28) | enum ud_itab_index {
type ud_mnemonic_code (line 151) | enum ud_mnemonic_code {
type ud_itab_entry (line 717) | struct ud_itab_entry
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/decode.c
type ud_itab_entry (line 21) | struct ud_itab_entry
type ud_itab_entry (line 22) | struct ud_itab_entry
type ud_itab_entry (line 23) | struct ud_itab_entry
type ud_mnemonic_code (line 29) | enum ud_mnemonic_code
function get_prefixes (line 39) | static int get_prefixes( struct ud* u )
function search_itab (line 160) | static int search_itab( struct ud * u )
function resolve_operand_size (line 334) | static unsigned int resolve_operand_size( const struct ud * u, unsigned ...
function resolve_mnemonic (line 354) | static int resolve_mnemonic( struct ud* u )
function decode_a (line 393) | static void
function decode_gpr (line 415) | static enum ud_type
function resolve_gpr64 (line 444) | static enum ud_type
function resolve_gpr32 (line 465) | static enum ud_type
function resolve_reg (line 480) | static enum ud_type
function decode_imm (line 498) | static void
function decode_modrm (line 517) | static void
function decode_o (line 670) | static void
function disasm_operands (line 697) | static int disasm_operands(register struct ud* u)
function clear_insn (line 1049) | static int clear_insn(register struct ud* u)
function do_mode (line 1072) | static int do_mode( struct ud* u )
function gen_hex (line 1132) | static int gen_hex( struct ud *u )
function ud_decode (line 1154) | unsigned int ud_decode( struct ud* u )
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/decode.h
type ud_operand_code (line 67) | enum ud_operand_code {
type ud_operand_size (line 108) | enum ud_operand_size {
type ud_itab_entry_operand (line 248) | struct ud_itab_entry_operand
type ud_itab_entry (line 258) | struct ud_itab_entry
type ud_mnemonic_code (line 267) | enum ud_mnemonic_code
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/extern.h
type ud (line 20) | struct ud
type ud (line 22) | struct ud
type ud (line 24) | struct ud
type ud (line 26) | struct ud
type ud (line 26) | struct ud
type ud (line 28) | struct ud
type ud (line 31) | struct ud
type ud (line 34) | struct ud
type ud (line 36) | struct ud
type ud (line 36) | struct ud
type ud (line 38) | struct ud
type ud (line 40) | struct ud
type ud (line 42) | struct ud
type ud (line 44) | struct ud
type ud (line 46) | struct ud
type ud (line 48) | struct ud
type ud (line 50) | struct ud
type ud (line 52) | struct ud
type ud (line 54) | struct ud
type ud (line 56) | struct ud
type ud (line 58) | struct ud
type ud_mnemonic_code (line 60) | enum ud_mnemonic_code
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/input.c
function inp_buff_hook (line 16) | static int
function inp_file_hook (line 29) | static int
function ud_set_input_hook (line 40) | extern void
function ud_set_input_buffer (line 51) | extern void
function ud_set_input_file (line 65) | extern void
function ud_input_skip (line 78) | extern void
function ud_input_end (line 90) | extern int
function inp_next (line 107) | extern uint8_t inp_next(struct ud* u)
function inp_back (line 140) | extern void
function inp_peek (line 153) | extern uint8_t
function inp_move (line 165) | extern void
function inp_uint8 (line 176) | extern uint8_t
function inp_uint16 (line 182) | extern uint16_t
function inp_uint32 (line 192) | extern uint32_t
function inp_uint64 (line 206) | extern uint64_t
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/input.h
type ud (line 13) | struct ud
type ud (line 14) | struct ud
type ud (line 15) | struct ud
type ud (line 16) | struct ud
type ud (line 17) | struct ud
type ud (line 18) | struct ud
type ud (line 19) | struct ud
type ud (line 20) | struct ud
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/itab.c
type ud_itab_entry (line 562) | struct ud_itab_entry
type ud_itab_entry (line 821) | struct ud_itab_entry
type ud_itab_entry (line 832) | struct ud_itab_entry
type ud_itab_entry (line 843) | struct ud_itab_entry
type ud_itab_entry (line 848) | struct ud_itab_entry
type ud_itab_entry (line 859) | struct ud_itab_entry
type ud_itab_entry (line 864) | struct ud_itab_entry
type ud_itab_entry (line 869) | struct ud_itab_entry
type ud_itab_entry (line 874) | struct ud_itab_entry
type ud_itab_entry (line 879) | struct ud_itab_entry
type ud_itab_entry (line 890) | struct ud_itab_entry
type ud_itab_entry (line 895) | struct ud_itab_entry
type ud_itab_entry (line 900) | struct ud_itab_entry
type ud_itab_entry (line 911) | struct ud_itab_entry
type ud_itab_entry (line 916) | struct ud_itab_entry
type ud_itab_entry (line 921) | struct ud_itab_entry
type ud_itab_entry (line 926) | struct ud_itab_entry
type ud_itab_entry (line 931) | struct ud_itab_entry
type ud_itab_entry (line 936) | struct ud_itab_entry
type ud_itab_entry (line 941) | struct ud_itab_entry
type ud_itab_entry (line 946) | struct ud_itab_entry
type ud_itab_entry (line 951) | struct ud_itab_entry
type ud_itab_entry (line 956) | struct ud_itab_entry
type ud_itab_entry (line 961) | struct ud_itab_entry
type ud_itab_entry (line 966) | struct ud_itab_entry
type ud_itab_entry (line 977) | struct ud_itab_entry
type ud_itab_entry (line 982) | struct ud_itab_entry
type ud_itab_entry (line 993) | struct ud_itab_entry
type ud_itab_entry (line 1004) | struct ud_itab_entry
type ud_itab_entry (line 1015) | struct ud_itab_entry
type ud_itab_entry (line 1026) | struct ud_itab_entry
type ud_itab_entry (line 1037) | struct ud_itab_entry
type ud_itab_entry (line 1048) | struct ud_itab_entry
type ud_itab_entry (line 1053) | struct ud_itab_entry
type ud_itab_entry (line 1064) | struct ud_itab_entry
type ud_itab_entry (line 1069) | struct ud_itab_entry
type ud_itab_entry (line 1080) | struct ud_itab_entry
type ud_itab_entry (line 1085) | struct ud_itab_entry
type ud_itab_entry (line 1096) | struct ud_itab_entry
type ud_itab_entry (line 1107) | struct ud_itab_entry
type ud_itab_entry (line 1118) | struct ud_itab_entry
type ud_itab_entry (line 1123) | struct ud_itab_entry
type ud_itab_entry (line 1128) | struct ud_itab_entry
type ud_itab_entry (line 1133) | struct ud_itab_entry
type ud_itab_entry (line 1200) | struct ud_itab_entry
type ud_itab_entry (line 1459) | struct ud_itab_entry
type ud_itab_entry (line 1465) | struct ud_itab_entry
type ud_itab_entry (line 1471) | struct ud_itab_entry
type ud_itab_entry (line 1477) | struct ud_itab_entry
type ud_itab_entry (line 1483) | struct ud_itab_entry
type ud_itab_entry (line 1489) | struct ud_itab_entry
type ud_itab_entry (line 1500) | struct ud_itab_entry
type ud_itab_entry (line 1511) | struct ud_itab_entry
type ud_itab_entry (line 1522) | struct ud_itab_entry
type ud_itab_entry (line 1533) | struct ud_itab_entry
type ud_itab_entry (line 1544) | struct ud_itab_entry
type ud_itab_entry (line 1550) | struct ud_itab_entry
type ud_itab_entry (line 1556) | struct ud_itab_entry
type ud_itab_entry (line 1562) | struct ud_itab_entry
type ud_itab_entry (line 1568) | struct ud_itab_entry
type ud_itab_entry (line 1574) | struct ud_itab_entry
type ud_itab_entry (line 1580) | struct ud_itab_entry
type ud_itab_entry (line 1586) | struct ud_itab_entry
type ud_itab_entry (line 1592) | struct ud_itab_entry
type ud_itab_entry (line 1598) | struct ud_itab_entry
type ud_itab_entry (line 1604) | struct ud_itab_entry
type ud_itab_entry (line 1610) | struct ud_itab_entry
type ud_itab_entry (line 1616) | struct ud_itab_entry
type ud_itab_entry (line 1621) | struct ud_itab_entry
type ud_itab_entry (line 1632) | struct ud_itab_entry
type ud_itab_entry (line 1638) | struct ud_itab_entry
type ud_itab_entry (line 1649) | struct ud_itab_entry
type ud_itab_entry (line 1660) | struct ud_itab_entry
type ud_itab_entry (line 1671) | struct ud_itab_entry
type ud_itab_entry (line 1682) | struct ud_itab_entry
type ud_itab_entry (line 1688) | struct ud_itab_entry
type ud_itab_entry (line 1699) | struct ud_itab_entry
type ud_itab_entry (line 1710) | struct ud_itab_entry
type ud_itab_entry (line 1721) | struct ud_itab_entry
type ud_itab_entry (line 1732) | struct ud_itab_entry
type ud_itab_entry (line 1737) | struct ud_itab_entry
type ud_itab_entry (line 1748) | struct ud_itab_entry
type ud_itab_entry (line 1815) | struct ud_itab_entry
type ud_itab_entry (line 1820) | struct ud_itab_entry
type ud_itab_entry (line 1831) | struct ud_itab_entry
type ud_itab_entry (line 1898) | struct ud_itab_entry
type ud_itab_entry (line 1903) | struct ud_itab_entry
type ud_itab_entry (line 1914) | struct ud_itab_entry
type ud_itab_entry (line 1981) | struct ud_itab_entry
type ud_itab_entry (line 1986) | struct ud_itab_entry
type ud_itab_entry (line 1997) | struct ud_itab_entry
type ud_itab_entry (line 2064) | struct ud_itab_entry
type ud_itab_entry (line 2069) | struct ud_itab_entry
type ud_itab_entry (line 2080) | struct ud_itab_entry
type ud_itab_entry (line 2147) | struct ud_itab_entry
type ud_itab_entry (line 2152) | struct ud_itab_entry
type ud_itab_entry (line 2163) | struct ud_itab_entry
type ud_itab_entry (line 2230) | struct ud_itab_entry
type ud_itab_entry (line 2235) | struct ud_itab_entry
type ud_itab_entry (line 2246) | struct ud_itab_entry
type ud_itab_entry (line 2313) | struct ud_itab_entry
type ud_itab_entry (line 2318) | struct ud_itab_entry
type ud_itab_entry (line 2329) | struct ud_itab_entry
type ud_itab_entry (line 2396) | struct ud_itab_entry
type ud_itab_entry (line 2402) | struct ud_itab_entry
type ud_itab_entry (line 2413) | struct ud_itab_entry
type ud_itab_entry (line 2424) | struct ud_itab_entry
type ud_itab_entry (line 2435) | struct ud_itab_entry
type ud_itab_entry (line 2446) | struct ud_itab_entry
type ud_itab_entry (line 2705) | struct ud_itab_entry
type ud_itab_entry (line 2964) | struct ud_itab_entry
type ud_itab_entry (line 2975) | struct ud_itab_entry
type ud_itab_entry (line 2986) | struct ud_itab_entry
type ud_itab_entry (line 2997) | struct ud_itab_entry
type ud_itab_entry (line 3008) | struct ud_itab_entry
type ud_itab_entry (line 3013) | struct ud_itab_entry
type ud_itab_entry (line 3272) | struct ud_itab_entry
type ud_itab_entry (line 3531) | struct ud_itab_entry
type ud_itab_entry (line 3542) | struct ud_itab_entry
type ud_itab_entry (line 3548) | struct ud_itab_entry
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/itab.h
type ud_itab_vendor_index (line 9) | enum ud_itab_vendor_index {
type ud_itab_mode_index (line 15) | enum ud_itab_mode_index {
type ud_itab_mod_index (line 22) | enum ud_itab_mod_index {
type ud_itab_index (line 28) | enum ud_itab_index {
type ud_mnemonic_code (line 151) | enum ud_mnemonic_code {
type ud_itab_entry (line 717) | struct ud_itab_entry
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn-att.c
function opr_cast (line 19) | static void
function gen_operand (line 33) | static void
function ud_translate_att (line 117) | extern void
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn-intel.c
function opr_cast (line 19) | static void
function gen_operand (line 40) | static void gen_operand(struct ud* u, struct ud_operand* op, int syn_cast)
function ud_translate_intel (line 149) | extern void ud_translate_intel(struct ud* u)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn.h
function mkasm (line 17) | static void mkasm(struct ud* u, const char* fmt, ...)
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/types.h
type __int8 (line 19) | typedef __int8 int8_t;
type __int16 (line 20) | typedef __int16 int16_t;
type __int32 (line 21) | typedef __int32 int32_t;
type __int64 (line 22) | typedef __int64 int64_t;
type ud_type (line 34) | enum ud_type
type ud_operand (line 104) | struct ud_operand
type ud (line 134) | struct ud
type ud_type_t (line 183) | typedef enum ud_type ud_type_t;
type ud_mnemonic_code_t (line 184) | typedef enum ud_mnemonic_code ud_mnemonic_code_t;
type ud_t (line 186) | typedef struct ud ud_t;
type ud_operand_t (line 187) | typedef struct ud_operand ud_operand_t;
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/udis86.c
function ud_init (line 20) | extern void
function ud_disassemble (line 37) | extern unsigned int
function ud_set_mode (line 58) | extern void
function ud_set_vendor (line 73) | extern void
function ud_set_pc (line 89) | extern void
function ud_set_syntax (line 99) | extern void
type ud (line 110) | struct ud
function ud_insn_off (line 119) | extern uint64_t
type ud (line 131) | struct ud
type ud (line 141) | struct ud
function ud_insn_len (line 150) | extern unsigned int
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/types.h
type __int8 (line 19) | typedef __int8 int8_t;
type __int16 (line 20) | typedef __int16 int16_t;
type __int32 (line 21) | typedef __int32 int32_t;
type __int64 (line 22) | typedef __int64 int64_t;
type ud_type (line 34) | enum ud_type
type ud_operand (line 104) | struct ud_operand
type ud (line 134) | struct ud
type ud_type_t (line 183) | typedef enum ud_type ud_type_t;
type ud_mnemonic_code_t (line 184) | typedef enum ud_mnemonic_code ud_mnemonic_code_t;
type ud_t (line 186) | typedef struct ud ud_t;
type ud_operand_t (line 187) | typedef struct ud_operand ud_operand_t;
FILE: HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/undocnt.h
type LDR_DATA_TABLE_ENTRY (line 5) | typedef struct _LDR_DATA_TABLE_ENTRY
type PEB_LDR_DATA (line 26) | typedef struct _PEB_LDR_DATA
type SERVICE_DESCRIPTOR_ENTRY (line 40) | typedef struct SERVICE_DESCRIPTOR_ENTRY
type SERVICE_DESCRIPTOR_TABLE (line 50) | typedef struct _SERVICE_DESCRIPTOR_TABLE
type SYSTEM_INFORMATION_CLASS (line 57) | typedef enum _SYSTEM_INFORMATION_CLASS
type RTL_PROCESS_MODULE_INFORMATION (line 145) | typedef struct _RTL_PROCESS_MODULE_INFORMATION
type RTL_PROCESS_MODULES (line 161) | typedef struct _RTL_PROCESS_MODULES
type SYSTEM_HANDLE_TABLE_ENTRY_INFO (line 169) | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
type SYSTEM_HANDLE_INFORMATION (line 182) | typedef struct _SYSTEM_HANDLE_INFORMATION
type FILE_DIRECTORY_INFORMATION (line 192) | typedef struct _FILE_DIRECTORY_INFORMATION
type FILE_NAMES_INFORMATION (line 209) | typedef struct _FILE_NAMES_INFORMATION
type FILE_FULL_DIRECTORY_INFORMATION (line 221) | typedef struct _FILE_FULL_DIRECTORY_INFORMATION
type FILE_BOTH_DIRECTORY_INFORMATION (line 239) | typedef struct _FILE_BOTH_DIRECTORY_INFORMATION
type FILE_ID_BOTH_DIRECTORY_INFORMATION (line 259) | typedef struct _FILE_ID_BOTH_DIRECTORY_INFORMATION
type FILE_ID_FULL_DIRECTORY_INFORMATION (line 280) | typedef struct _FILE_ID_FULL_DIRECTORY_INFORMATION
type SYSTEM_OBJECT_TYPE_INFORMATION (line 299) | typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION
type SYSTEM_OBJECT_INFORMATION (line 315) | typedef struct _SYSTEM_OBJECT_INFORMATION
type SYSTEM_PROCESS_INFORMATION (line 350) | typedef struct _SYSTEM_PROCESS_INFORMATION {
type THREAD_BASIC_INFORMATION (line 387) | typedef struct THREAD_BASIC_INFORMATION
type SID_IDENTIFIER_AUTHORITY (line 527) | typedef struct _SID_IDENTIFIER_AUTHORITY
type _SID_IDENTIFIER_AUTHORITY (line 533) | struct _SID_IDENTIFIER_AUTHORITY
type KAPC_STATE (line 590) | typedef struct _KAPC_STATE
type KAPC_ENVIRONMENT (line 690) | typedef enum
FILE: Inject/CreateRemoteThread/CreateRemoteThread/CreateRemoteThread.cpp
type _WIN_VERSION (line 20) | enum _WIN_VERSION
function _tmain (line 45) | int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
function VOID (line 59) | VOID InjectDll(ULONG_PTR ProcessID, WCHAR* strPath)
function BOOL (line 98) | BOOL InjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR Proce...
function BOOL (line 187) | BOOL InjectDllByRemoteThreadXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
function WIN_VERSION (line 265) | WIN_VERSION GetWindowsVersion()
function BOOL (line 312) | BOOL EnableDebugPrivilege()
FILE: Inject/ExtraWindowInject/src/add_apc.h
function add_shellcode_to_apc (line 5) | bool add_shellcode_to_apc(HANDLE hThread, LPVOID remote_shellcode_ptr)
FILE: Inject/ExtraWindowInject/src/add_thread.h
type THREAD_CREATION_METHOD (line 6) | typedef enum {
function run_shellcode_in_new_thread1 (line 14) | bool run_shellcode_in_new_thread1(HANDLE hProcess, LPVOID remote_shellco...
function run_shellcode_in_new_thread2 (line 32) | bool run_shellcode_in_new_thread2(HANDLE hProcess, LPVOID remote_shellco...
function run_shellcode_in_new_thread3 (line 48) | bool run_shellcode_in_new_thread3(HANDLE hProcess, LPVOID remote_shellco...
function run_shellcode_in_new_thread (line 67) | bool run_shellcode_in_new_thread(HANDLE hProcess, LPVOID remote_shellcod...
FILE: Inject/ExtraWindowInject/src/enumproc.h
function get_process_name (line 4) | bool get_process_name(IN HANDLE hProcess, OUT LPWSTR nameBuf, IN SIZE_T ...
function is_searched_process (line 16) | bool is_searched_process( DWORD processID, LPWSTR searchedName)
function HANDLE (line 33) | HANDLE find_running_process(LPWSTR searchedName)
FILE: Inject/ExtraWindowInject/src/kernel32_undoc.h
function BOOL (line 25) | BOOL load_kernel32_functions()
FILE: Inject/ExtraWindowInject/src/main.cpp
function inject_in_new_process (line 27) | bool inject_in_new_process(INJECTION_POINT mode)
function inject_in_existing_process (line 71) | bool inject_in_existing_process()
function main (line 81) | int main()
FILE: Inject/ExtraWindowInject/src/map_buffer_into_process.h
function PVOID (line 8) | PVOID map_buffer_into_process1(HANDLE hProcess, LPBYTE buffer, SIZE_T bu...
function LPVOID (line 55) | LPVOID map_buffer_into_process2(HANDLE hProcess, LPBYTE buffer, SIZE_T b...
FILE: Inject/ExtraWindowInject/src/ntddk.h
type NTSTATUS (line 28) | typedef long NTSTATUS;
type EVENT_TYPE (line 53) | typedef enum _EVENT_TYPE
type STRING (line 66) | typedef struct _STRING
type UNICODE_STRING (line 79) | typedef struct _UNICODE_STRING
type STRING (line 88) | typedef STRING ANSI_STRING;
type PSTRING (line 89) | typedef PSTRING PANSI_STRING;
type STRING (line 91) | typedef STRING OEM_STRING;
type PSTRING (line 92) | typedef PSTRING POEM_STRING;
type CONST (line 93) | typedef CONST STRING* PCOEM_STRING;
type UNICODE_STRING (line 95) | typedef const UNICODE_STRING *PCUNICODE_STRING;
type OBJECT_ATTRIBUTES (line 118) | typedef struct _OBJECT_ATTRIBUTES
type IO_STATUS_BLOCK (line 134) | typedef struct _IO_STATUS_BLOCK
type CLIENT_ID (line 150) | typedef struct _CLIENT_ID
type CURDIR (line 162) | typedef struct _CURDIR
type POOL_TYPE (line 520) | typedef enum _POOL_TYPE {
type OBJECT_INFORMATION_CLASS (line 536) | typedef enum _OBJECT_INFORMATION_CLASS {
type OBJECT_BASIC_INFORMATION (line 548) | typedef struct _OBJECT_BASIC_INFORMATION {
type OBJECT_NAME_INFORMATION (line 566) | typedef struct _OBJECT_NAME_INFORMATION {
type OBJECT_TYPE_INFORMATION (line 574) | typedef struct _OBJECT_TYPE_INFORMATION {
type OBJECT_HANDLE_FLAG_INFORMATION (line 603) | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION {
type OBJECT_DIRECTORY_INFORMATION (line 612) | typedef struct _OBJECT_DIRECTORY_INFORMATION {
type RTL_GENERIC_COMPARE_RESULTS (line 708) | typedef enum _RTL_GENERIC_COMPARE_RESULTS {
type RTL_SPLAY_LINKS (line 715) | typedef struct _RTL_SPLAY_LINKS
type _RTL_GENERIC_TABLE (line 723) | struct _RTL_GENERIC_TABLE
type RTL_GENERIC_TABLE (line 748) | typedef struct _RTL_GENERIC_TABLE {
type RTL_HANDLE_TABLE_ENTRY (line 761) | typedef struct _RTL_HANDLE_TABLE_ENTRY
type RTL_HANDLE_TABLE (line 769) | typedef struct _RTL_HANDLE_TABLE
type KEY_INFORMATION_CLASS (line 944) | typedef enum _KEY_INFORMATION_CLASS
type KEY_BASIC_INFORMATION (line 960) | typedef struct _KEY_BASIC_INFORMATION
type KEY_NODE_INFORMATION (line 970) | typedef struct _KEY_NODE_INFORMATION
type KEY_FULL_INFORMATION (line 982) | typedef struct _KEY_FULL_INFORMATION
type KEY_NAME_INFORMATION (line 1000) | typedef struct _KEY_NAME_INFORMATION
type KEY_CACHED_INFORMATION (line 1007) | typedef struct _KEY_CACHED_INFORMATION
type KEY_FLAGS_INFORMATION (line 1022) | typedef struct _KEY_FLAGS_INFORMATION
type KEY_VALUE_INFORMATION_CLASS (line 1030) | typedef enum _KEY_VALUE_INFORMATION_CLASS {
type KEY_VALUE_FULL_INFORMATION (line 1040) | typedef struct _KEY_VALUE_FULL_INFORMATION {
type KEY_VALUE_PARTIAL_INFORMATION (line 1051) | typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
type RTL_QUERY_REGISTRY_TABLE (line 1214) | typedef struct _RTL_QUERY_REGISTRY_TABLE
type SYSTEM_INFORMATION_CLASS (line 1242) | typedef enum _SYSTEM_INFORMATION_CLASS
type LONG (line 1297) | typedef LONG KPRIORITY;
type SYSTEM_BASIC_INFORMATION (line 1304) | typedef struct _SYSTEM_BASIC_INFORMATION {
type SYSTEM_PROCESSOR_INFORMATION (line 1323) | typedef struct _SYSTEM_PROCESSOR_INFORMATION {
type SYSTEM_PERFORMANCE_INFORMATION (line 1336) | typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
type SYSTEM_TIMEOFDAY_INFORMATION (line 1418) | typedef struct _SYSTEM_TIMEOFDAY_INFORMATION {
type SYSTEM_PROCESS_INFORMATION (line 1431) | typedef struct _SYSTEM_PROCESS_INFORMATION {
type SYSTEM_DEVICE_INFORMATION (line 1454) | typedef struct _SYSTEM_DEVICE_INFORMATION {
type SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (line 1468) | typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION {
type SYSTEM_FLAGS_INFORMATION (line 1482) | typedef struct _SYSTEM_FLAGS_INFORMATION
type SYSTEM_MODULE (line 1493) | typedef struct _SYSTEM_MODULE
type SYSTEM_MODULE_INFORMATION (line 1509) | typedef struct _SYSTEM_MODULE_INFORMATION
type SHUTDOWN_ACTION (line 1650) | typedef enum _SHUTDOWN_ACTION
type FILE_INFORMATION_CLASS (line 1735) | typedef enum _FILE_INFORMATION_CLASS
type FILE_DIRECTORY_INFORMATION (line 1788) | typedef struct _FILE_DIRECTORY_INFORMATION {
type FILE_FULL_DIR_INFORMATION (line 1803) | typedef struct _FILE_FULL_DIR_INFORMATION {
type FILE_BOTH_DIR_INFORMATION (line 1819) | typedef struct _FILE_BOTH_DIR_INFORMATION {
type FILE_BASIC_INFORMATION (line 1837) | typedef struct _FILE_BASIC_INFORMATION {
type FILE_STANDARD_INFORMATION (line 1846) | typedef struct _FILE_STANDARD_INFORMATION {
type FILE_INTERNAL_INFORMATION (line 1855) | typedef struct _FILE_INTERNAL_INFORMATION {
type FILE_EA_INFORMATION (line 1860) | typedef struct _FILE_EA_INFORMATION {
type FILE_ACCESS_INFORMATION (line 1865) | typedef struct _FILE_ACCESS_INFORMATION {
type FILE_NAME_INFORMATION (line 1870) | typedef struct _FILE_NAME_INFORMATION {
type FILE_RENAME_INFORMATION (line 1876) | typedef struct _FILE_RENAME_INFORMATION {
type FILE_NAMES_INFORMATION (line 1884) | typedef struct _FILE_NAMES_INFORMATION {
type FILE_DISPOSITION_INFORMATION (line 1892) | typedef struct _FILE_DISPOSITION_INFORMATION {
type FILE_POSITION_INFORMATION (line 1897) | typedef struct _FILE_POSITION_INFORMATION {
type FILE_FULL_EA_INFORMATION (line 1902) | typedef struct _FILE_FULL_EA_INFORMATION {
type FILE_MODE_INFORMATION (line 1911) | typedef struct _FILE_MODE_INFORMATION {
type FILE_ALIGNMENT_INFORMATION (line 1916) | typedef struct _FILE_ALIGNMENT_INFORMATION {
type FILE_ALL_INFORMATION (line 1921) | typedef struct _FILE_ALL_INFORMATION {
type FILE_ALLOCATION_INFORMATION (line 1934) | typedef struct _FILE_ALLOCATION_INFORMATION {
type FILE_END_OF_FILE_INFORMATION (line 1939) | typedef struct _FILE_END_OF_FILE_INFORMATION {
type FILE_STREAM_INFORMATION (line 1944) | typedef struct _FILE_STREAM_INFORMATION {
type FILE_PIPE_INFORMATION (line 1952) | typedef struct _FILE_PIPE_INFORMATION {
type FILE_PIPE_LOCAL_INFORMATION (line 1958) | typedef struct _FILE_PIPE_LOCAL_INFORMATION {
type FILE_PIPE_REMOTE_INFORMATION (line 1972) | typedef struct _FILE_PIPE_REMOTE_INFORMATION {
type FILE_MAILSLOT_QUERY_INFORMATION (line 1978) | typedef struct _FILE_MAILSLOT_QUERY_INFORMATION {
type FILE_MAILSLOT_SET_INFORMATION (line 1987) | typedef struct _FILE_MAILSLOT_SET_INFORMATION {
type FILE_COMPRESSION_INFORMATION (line 1992) | typedef struct _FILE_COMPRESSION_INFORMATION {
type FILE_LINK_INFORMATION (line 2002) | typedef struct _FILE_LINK_INFORMATION {
type FILE_OBJECTID_INFORMATION (line 2010) | typedef struct _FILE_OBJECTID_INFORMATION
type FILE_COMPLETION_INFORMATION (line 2025) | typedef struct _FILE_COMPLETION_INFORMATION {
type FILE_MOVE_CLUSTER_INFORMATION (line 2031) | typedef struct _FILE_MOVE_CLUSTER_INFORMATION {
type FILE_NETWORK_OPEN_INFORMATION (line 2039) | typedef struct _FILE_NETWORK_OPEN_INFORMATION {
type FILE_ATTRIBUTE_TAG_INFORMATION (line 2050) | typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {
type FILE_TRACKING_INFORMATION (line 2056) | typedef struct _FILE_TRACKING_INFORMATION {
type FILE_REPARSE_POINT_INFORMATION (line 2063) | typedef struct _FILE_REPARSE_POINT_INFORMATION {
type FILE_QUOTA_INFORMATION (line 2069) | typedef struct _FILE_QUOTA_INFORMATION {
type FILE_ID_BOTH_DIR_INFORMATION (line 2080) | typedef struct _FILE_ID_BOTH_DIR_INFORMATION {
type FILE_ID_FULL_DIR_INFORMATION (line 2099) | typedef struct _FILE_ID_FULL_DIR_INFORMATION {
type FILE_VALID_DATA_LENGTH_INFORMATION (line 2116) | typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
type FILE_LINK_ENTRY_INFORMATION (line 2120) | typedef struct _FILE_LINK_ENTRY_INFORMATION {
type FILE_LINKS_INFORMATION (line 2127) | typedef struct _FILE_LINKS_INFORMATION {
type FS_INFORMATION_CLASS (line 2135) | typedef enum _FSINFOCLASS {
type PROCESSINFOCLASS (line 2537) | typedef enum _PROCESSINFOCLASS {
type THREADINFOCLASS (line 2578) | typedef enum _THREADINFOCLASS {
type RTL_DRIVE_LETTER_CURDIR (line 2599) | typedef struct _RTL_DRIVE_LETTER_CURDIR
type RTL_USER_PROCESS_PARAMETERS (line 2609) | typedef struct _RTL_USER_PROCESS_PARAMETERS
type PEB_FREE_BLOCK (line 2649) | typedef struct _PEB_FREE_BLOCK
type PEB_LDR_DATA (line 2657) | typedef struct _PEB_LDR_DATA
type LDR_DATA_TABLE_ENTRY (line 2670) | typedef struct _LDR_DATA_TABLE_ENTRY
type PEB (line 2697) | typedef struct _PEB
type TEB (line 2787) | typedef struct _TEB
type PROCESS_BASIC_INFORMATION (line 2804) | typedef struct _PROCESS_BASIC_INFORMATION
type LPC_TYPE (line 2893) | typedef enum _LPC_TYPE
type PORT_MESSAGE (line 2913) | typedef struct _PORT_MESSAGE
type PORT_VIEW (line 2933) | typedef struct _PORT_VIEW {
type REMOTE_PORT_VIEW (line 2952) | typedef struct _REMOTE_PORT_VIEW {
type RTL_HEAP_PARAMETERS (line 3329) | typedef struct RTL_HEAP_PARAMETERS {
type SECTION_INHERIT (line 3522) | typedef enum _SECTION_INHERIT
type SECTION_INFORMATION_CLASS (line 3530) | typedef enum _SECTION_INFORMATION_CLASS
type WAIT_TYPE (line 3749) | typedef enum _WAIT_TYPE {
type EVENT_INFORMATION_CLASS (line 3802) | typedef enum _EVENT_INFORMATION_CLASS {
type EVENT_BASIC_INFORMATION (line 3806) | typedef struct _EVENT_BASIC_INFORMATION {
FILE: Inject/ExtraWindowInject/src/ntdll_undoc.h
function BOOL (line 54) | BOOL load_ntdll_functions()
FILE: Inject/ExtraWindowInject/src/patch_context.h
function patch_context (line 6) | bool patch_context(HANDLE hThread, LPVOID remote_shellcode_ptr)
FILE: Inject/ExtraWindowInject/src/patch_ep.h
function LPCVOID (line 8) | LPCVOID getTargetImageBase1(HANDLE hProcess)
function LPCVOID (line 37) | LPCVOID getTargetImageBase2(HANDLE hProcess, HANDLE hThread)
FILE: Inject/ExtraWindowInject/src/pe_hdrs_helper.cpp
function IMAGE_NT_HEADERS32 (line 3) | IMAGE_NT_HEADERS32* get_nt_hrds32(BYTE *pe_buffer)
function IMAGE_DATA_DIRECTORY (line 19) | IMAGE_DATA_DIRECTORY* get_pe_directory32(PVOID pe_buffer, DWORD dir_id)
FILE: Inject/ExtraWindowInject/src/sysutil.cpp
function is_compiled_32b (line 11) | bool is_compiled_32b()
function is_wow64 (line 19) | bool is_wow64()
function is_system32b (line 41) | bool is_system32b()
FILE: Inject/ExtraWindowInject/src/target_util.h
function replace_param (line 4) | void replace_param(LPWSTR cmdBuf, SIZE_T cmdBufSize, LPWSTR paramVal)
function remove_params (line 26) | void remove_params(LPWSTR cmdLine, SIZE_T cmdLineLen)
function get_dir (line 44) | bool get_dir(LPWSTR cmdLine, OUT LPWSTR dirBuf, SIZE_T dirBufLen = MAX_P...
function get_default_browser (line 70) | bool get_default_browser(LPWSTR lpwOutPath, DWORD szOutPath)
function get_calc_path (line 90) | bool get_calc_path(LPWSTR lpwOutPath, DWORD szOutPath)
function get_svchost_path (line 101) | bool get_svchost_path(LPWSTR lpwOutPath, DWORD szOutPath)
function get_explorer_path (line 112) | bool get_explorer_path(LPWSTR lpwOutPath, DWORD szOutPath)
FILE: Inject/ExtraWindowInject/src/util.h
function hex_dump (line 3) | void hex_dump(unsigned char *buf, size_t buf_size)
FILE: Inject/ExtraWindowInject/src/window_long_inject.cpp
function PVOID (line 6) | PVOID map_code_and_addresses_into_process(HANDLE hProcess, LPBYTE shellc...
function inject_into_tray (line 69) | bool inject_into_tray(LPBYTE shellcode, SIZE_T shellcodeSize)
FILE: Inject/Process-Hollowing/sourcecode/HelloWorld/HelloWorld.cpp
function WinMain (line 8) | int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpC...
FILE: Inject/Process-Hollowing/sourcecode/ProcessHollowing/PE.cpp
function DWORD (line 6) | DWORD FindRemotePEB(HANDLE hProcess)
function PEB (line 42) | PEB* ReadRemotePEB(HANDLE hProcess)
function PLOADED_IMAGE (line 63) | PLOADED_IMAGE ReadRemoteImage(HANDLE hProcess, LPCVOID lpImageBaseAddress)
FILE: Inject/Process-Hollowing/sourcecode/ProcessHollowing/PE.h
type RTL_DRIVE_LETTER_CURDIR (line 10) | typedef struct _RTL_DRIVE_LETTER_CURDIR {
type LDR_MODULE (line 17) | typedef struct _LDR_MODULE {
type PEB_LDR_DATA (line 33) | typedef struct _PEB_LDR_DATA {
type RTL_USER_PROCESS_PARAMETERS (line 42) | typedef struct _RTL_USER_PROCESS_PARAMETERS {
type PEB_FREE_BLOCK (line 74) | typedef struct _PEB_FREE_BLOCK {
type PEB (line 83) | typedef struct _PEB {
type BASE_RELOCATION_BLOCK (line 140) | typedef struct BASE_RELOCATION_BLOCK {
type BASE_RELOCATION_ENTRY (line 145) | typedef struct BASE_RELOCATION_ENTRY {
function PEB (line 155) | inline PEB* GetPEB()
function PIMAGE_NT_HEADERS32 (line 160) | inline PIMAGE_NT_HEADERS32 GetNTHeaders(DWORD dwImageBase)
function PLOADED_IMAGE (line 166) | inline PLOADED_IMAGE GetLoadedImage(DWORD dwImageBase)
function IMAGE_DATA_DIRECTORY (line 192) | inline IMAGE_DATA_DIRECTORY GetImportDirectory(PIMAGE_NT_HEADERS32 pFile...
function PIMAGE_IMPORT_DESCRIPTOR (line 197) | inline PIMAGE_IMPORT_DESCRIPTOR GetImportDescriptors(PIMAGE_NT_HEADERS32...
function PIMAGE_THUNK_DATA32 (line 204) | inline PIMAGE_THUNK_DATA32 GetILT(DWORD dwImageBase,
function PIMAGE_THUNK_DATA32 (line 210) | inline PIMAGE_THUNK_DATA32 GetIAT(DWORD dwImageBase,
function PIMAGE_IMPORT_BY_NAME (line 216) | inline PIMAGE_IMPORT_BY_NAME GetImportByName(DWORD dwImageBase,
type IAT_BACKUP_INFO (line 233) | typedef struct _IAT_BACKUP_INFO {
FILE: Inject/Process-Hollowing/sourcecode/ProcessHollowing/ProcessHollowing.cpp
function CreateHollowedProcess (line 8) | void CreateHollowedProcess(char* pDestCmdLine, char* pSourceFile)
function _tmain (line 289) | int _tmain(int argc, _TCHAR* argv[])
FILE: Inject/Process-Hollowing/sourcecode/ProcessHollowing/internals.h
type PROCESS_BASIC_INFORMATION (line 1) | struct PROCESS_BASIC_INFORMATION {
FILE: Inject/ProcessDoppelgänging/MalExe/main.c
function main (line 4) | int main(void)
FILE: Inject/ProcessDoppelgänging/processrefund/main.c
function DisplayErrorText (line 15) | void
function LPVOID (line 86) | LPVOID GetBaseAddressByName(HANDLE hProcess, char *module)
function main (line 109) | int main(int argc,char *argv[] )
FILE: Inject/ProcessDoppelgänging/processrefund/ntdefs.h
type UNICODE_STRING64 (line 10) | typedef struct _UNICODE_STRING_DWORD64
type _LIST_ENTRY_DWORD64 (line 17) | struct _LIST_ENTRY_DWORD64
type CURDIR64 (line 23) | typedef struct _CURDIR_64
type RTL_DRIVE_LETTER_CURDIR64 (line 28) | typedef struct _RTL_DRIVE_LETTER_CURDIR_64
type RTL_USER_PROCESS_PARAMETERS64 (line 35) | typedef struct _RTL_USER_PROCESS_PARAMETERS_64
type CURDIR (line 69) | typedef struct _CURDIR
type RTL_DRIVE_LETTER_CURDIR (line 74) | typedef struct _RTL_DRIVE_LETTER_CURDIR
type my_RTL_USER_PROCESS_PARAMETERS (line 82) | typedef struct my_RTL_USER_PROCESS_PARAMETERS
type PROCESS_BASIC_INFORMATION64 (line 125) | typedef struct _PROCESS_BASIC_INFORMATION64 {
type PEB64 (line 135) | typedef struct _PEB64
FILE: Inject/ReflectiveDLLInjection/dll/src/ReflectiveDLLInjection.h
type DWORD (line 45) | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
FILE: Inject/ReflectiveDLLInjection/dll/src/ReflectiveDll.c
function BOOL (line 13) | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserv...
FILE: Inject/ReflectiveDLLInjection/dll/src/ReflectiveLoader.c
function ULONG_PTR (line 38) | __declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_Retur...
function WINAPI (line 49) | WINAPI ReflectiveLoader( LPVOID lpParameter )
function BOOL (line 475) | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserv...
FILE: Inject/ReflectiveDLLInjection/dll/src/ReflectiveLoader.h
type SIZE_T (line 40) | typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
type PVOID (line 41) | typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
function DWORD (line 63) | __forceinline DWORD ror( DWORD d )
function DWORD (line 68) | __forceinline DWORD hash( char * c )
type UNICODE_STR (line 80) | typedef struct _UNICODE_STR
type LDR_DATA_TABLE_ENTRY (line 89) | typedef struct _LDR_DATA_TABLE_ENTRY
type PEB_LDR_DATA (line 107) | typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
type PEB_FREE_BLOCK (line 119) | typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
type _PEB (line 127) | typedef struct __PEB // 65 elements, 0x210 bytes
type IMAGE_RELOC (line 196) | typedef struct
FILE: Inject/ReflectiveDLLInjection/inject/src/GetProcAddressR.c
function FARPROC (line 32) | FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
FILE: Inject/ReflectiveDLLInjection/inject/src/Inject.c
function main (line 39) | int main( int argc, char * argv[] )
FILE: Inject/ReflectiveDLLInjection/inject/src/LoadLibraryR.c
function DWORD (line 31) | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
function DWORD (line 53) | DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
function HMODULE (line 135) | HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
function HANDLE (line 188) | HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWOR...
FILE: Inject/ReflectiveDLLInjection/inject/src/ReflectiveDLLInjection.h
type DWORD (line 47) | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
FILE: Inject/SetThreadContext/InjectDllBySetThreadContextx64/InjectDllBySetThreadContextx64.cpp
function DWORD (line 65) | DWORD main_GetProcessIdByName(LPWSTR pszProcessName, PDWORD pdwProcessId)
function _tmain (line 118) | int _tmain(int argc, _TCHAR* argv[])
function BOOL (line 183) | BOOL StartHook(HANDLE hProcess,HANDLE hThread)
function BOOL (line 329) | BOOL EnableDebugPriv()
FILE: Inject/SetWindowsHookEx/SetWindowsHookEx/SetWindowsHookEx.cpp
function BOOL (line 17) | BOOL InstallSetWindowsHookEx(ULONG ProcessId,BOOL Hook)
function _tmain (line 69) | int _tmain(int argc, _TCHAR* argv[])
function LRESULT (line 85) | LRESULT CALLBACK HookProc
FILE: Inject/UserApcInject/UserAPC/UserAPC.cpp
function _tmain (line 26) | int _tmain(int argc, _TCHAR* argv[])
function BOOL (line 51) | BOOL InjectModuleToProcessById(DWORD dwProcessId)
function BOOL (line 112) | BOOL AdjustPrivilege()
FILE: Inject/atom-bombing-master/AtomBombing/main.cpp
type _FUNCTIONPOINTERS (line 49) | struct _FUNCTIONPOINTERS
type _ESTATUS (line 56) | enum _ESTATUS
function ESTATUS (line 123) | ESTATUS GetFunctionAddressFromDll(
function ESTATUS (line 154) | ESTATUS main_WasAtomWrittenSuccessfully(
function ESTATUS (line 207) | ESTATUS main_AddNullTerminatedAtomAndVerifyW(LPWSTR pswzBuffer, ATOM *pt...
function ESTATUS (line 263) | ESTATUS main_NtQueueApcThreadWrapper(
function ESTATUS (line 315) | ESTATUS main_NtQueueApcThreadWaitForSingleObjectEx(
function ESTATUS (line 354) | ESTATUS main_QueueUserApcWrapperAndKeepAlertable(
function ESTATUS (line 404) | ESTATUS main_NtQueueApcThreadWrapperAndKeepAlertable(
function ESTATUS (line 460) | ESTATUS main_ApcSetEventAndKeepAlertable(HANDLE hThread, HANDLE hRemoteH...
function ESTATUS (line 480) | ESTATUS main_ApcSetThreadContextInternal(HANDLE hThread, PCONTEXT ptCont...
function ESTATUS (line 515) | ESTATUS main_DoesStringContainNullTerminatorW(
function ESTATUS (line 546) | ESTATUS main_ApcWriteProcessMemoryNullTerminatedInternal(
function ESTATUS (line 625) | ESTATUS main_IsProcessMemoryEqual(
function ESTATUS (line 685) | ESTATUS main_ApcWriteProcessMemoryNullTerminated(
function ESTATUS (line 736) | ESTATUS main_ApcWriteProcessMemoryInternal(
function ESTATUS (line 822) | ESTATUS main_ApcWriteProcessMemory(
function ESTATUS (line 877) | ESTATUS main_ApcSetThreadContext(
function ESTATUS (line 911) | ESTATUS main_ApcCopyFunctionPointers(
function ESTATUS (line 959) | ESTATUS main_GetProcessIdByName(LPWSTR pszProcessName, PDWORD pdwProcessId)
function ESTATUS (line 1012) | ESTATUS main_OpenProcessByName(LPWSTR pszProcessName, PHANDLE phProcess)
function ESTATUS (line 1045) | ESTATUS main_GetSectionHeader(
function ESTATUS (line 1098) | ESTATUS main_GetCodeCaveAddress(PVOID *ppvCodeCave)
function ESTATUS (line 1131) | ESTATUS main_FindRetGadget(PVOID *ppvRetGadget)
type _ROPCHAIN (line 1169) | struct _ROPCHAIN
function ESTATUS (line 1192) | ESTATUS main_BuildROPChain(
function ESTATUS (line 1248) | ESTATUS main_EnumProcessThreadIds(
function VOID (line 1338) | VOID main_CloseLocalHandleArray(PHANDLE phHandles, DWORD cbHandleCount)
function VOID (line 1350) | VOID main_CloseRemoteHandleArray(
function ESTATUS (line 1382) | ESTATUS main_EnumProcessThreads(
function ESTATUS (line 1453) | ESTATUS main_GetThreadContext(
function ESTATUS (line 1494) | ESTATUS main_FindAlertableThread(HANDLE hProcess, PHANDLE phAlertableThr...
function ESTATUS (line 1655) | ESTATUS main_GetThreadTebAddress(HANDLE hThread, PVOID *ppvTebAddress)
function main (line 1692) | int main()
FILE: Inject/atom-bombing-master/AtomBombingShellcode/Scripts/Post_Link.py
function main (line 7) | def main():
FILE: Inject/atom-bombing-master/AtomBombingShellcode/main.c
type FUNCTIONPOINTERS (line 6) | typedef struct _FUNCTIONPOINTERS
function fix_esp (line 16) | __declspec(naked) void fix_esp()
function shellcode_entry (line 31) | void shellcode_entry()
function dummy (line 81) | void dummy()
function main (line 88) | int main()
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntdbg.h
type DBGKM_EXCEPTION (line 113) | typedef struct _DBGKM_EXCEPTION
type DBGKM_CREATE_THREAD (line 119) | typedef struct _DBGKM_CREATE_THREAD
type DBGKM_CREATE_PROCESS (line 125) | typedef struct _DBGKM_CREATE_PROCESS
type DBGKM_EXIT_THREAD (line 135) | typedef struct _DBGKM_EXIT_THREAD
type DBGKM_EXIT_PROCESS (line 140) | typedef struct _DBGKM_EXIT_PROCESS
type DBGKM_LOAD_DLL (line 145) | typedef struct _DBGKM_LOAD_DLL
type DBGKM_UNLOAD_DLL (line 154) | typedef struct _DBGKM_UNLOAD_DLL
type DBG_STATE (line 159) | typedef enum _DBG_STATE
type DBGUI_CREATE_THREAD (line 174) | typedef struct _DBGUI_CREATE_THREAD
type DBGUI_CREATE_PROCESS (line 180) | typedef struct _DBGUI_CREATE_PROCESS
type DBGUI_WAIT_STATE_CHANGE (line 187) | typedef struct _DBGUI_WAIT_STATE_CHANGE
type DEBUGOBJECTINFOCLASS (line 213) | typedef enum _DEBUGOBJECTINFOCLASS
type _EVENT_FILTER_DESCRIPTOR (line 353) | struct _EVENT_FILTER_DESCRIPTOR
type ULONGLONG (line 365) | typedef ULONGLONG REGHANDLE, *PREGHANDLE;
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntexapi.h
type BOOT_ENTRY (line 83) | typedef struct _BOOT_ENTRY
type BOOT_ENTRY_LIST (line 96) | typedef struct _BOOT_ENTRY_LIST
type BOOT_OPTIONS (line 103) | typedef struct _BOOT_OPTIONS
type FILE_PATH (line 114) | typedef struct _FILE_PATH
type EFI_DRIVER_ENTRY (line 123) | typedef struct _EFI_DRIVER_ENTRY
type EFI_DRIVER_ENTRY_LIST (line 133) | typedef struct _EFI_DRIVER_ENTRY_LIST
type FILTER_BOOT_OPTION_OPERATION (line 259) | typedef enum _FILTER_BOOT_OPTION_OPERATION
type EVENT_INFORMATION_CLASS (line 288) | typedef enum _EVENT_INFORMATION_CLASS
type EVENT_BASIC_INFORMATION (line 293) | typedef struct _EVENT_BASIC_INFORMATION
type MUTANT_INFORMATION_CLASS (line 434) | typedef enum _MUTANT_INFORMATION_CLASS
type MUTANT_BASIC_INFORMATION (line 440) | typedef struct _MUTANT_BASIC_INFORMATION
type MUTANT_OWNER_INFORMATION (line 447) | typedef struct _MUTANT_OWNER_INFORMATION
type SEMAPHORE_INFORMATION_CLASS (line 496) | typedef enum _SEMAPHORE_INFORMATION_CLASS
type SEMAPHORE_BASIC_INFORMATION (line 501) | typedef struct _SEMAPHORE_BASIC_INFORMATION
type TIMER_INFORMATION_CLASS (line 549) | typedef enum _TIMER_INFORMATION_CLASS
type TIMER_BASIC_INFORMATION (line 554) | typedef struct _TIMER_BASIC_INFORMATION
type TIMER_SET_INFORMATION_CLASS (line 566) | typedef enum _TIMER_SET_INFORMATION_CLASS
type _COUNTED_REASON_CONTEXT (line 573) | struct _COUNTED_REASON_CONTEXT
type TIMER_SET_COALESCABLE_TIMER_INFO (line 575) | typedef struct _TIMER_SET_COALESCABLE_TIMER_INFO
type T2_SET_PARAMETERS (line 670) | typedef struct _T2_SET_PARAMETERS_V0
type PVOID (line 677) | typedef PVOID PT2_CANCEL_PARAMETERS;
type WNF_STATE_NAME (line 841) | typedef struct _WNF_STATE_NAME
type WNF_STATE_NAME (line 846) | typedef const WNF_STATE_NAME *PCWNF_STATE_NAME;
type WNF_STATE_NAME_LIFETIME (line 848) | typedef enum _WNF_STATE_NAME_LIFETIME
type WNF_STATE_NAME_INFORMATION (line 856) | typedef enum _WNF_STATE_NAME_INFORMATION
type WNF_DATA_SCOPE (line 863) | typedef enum _WNF_DATA_SCOPE
type WNF_TYPE_ID (line 872) | typedef struct _WNF_TYPE_ID
type WNF_TYPE_ID (line 877) | typedef const WNF_TYPE_ID *PCWNF_TYPE_ID;
type ULONG (line 880) | typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP;
type WNF_DELIVERY_DESCRIPTOR (line 882) | typedef struct _WNF_DELIVERY_DESCRIPTOR
type WORKERFACTORYINFOCLASS (line 1028) | typedef enum _WORKERFACTORYINFOCLASS
type WORKER_FACTORY_BASIC_INFORMATION (line 1049) | typedef struct _WORKER_FACTORY_BASIC_INFORMATION
type _FILE_IO_COMPLETION_INFORMATION (line 1140) | struct _FILE_IO_COMPLETION_INFORMATION
type SYSTEM_INFORMATION_CLASS (line 1231) | typedef enum _SYSTEM_INFORMATION_CLASS
type SYSTEM_BASIC_INFORMATION (line 1446) | typedef struct _SYSTEM_BASIC_INFORMATION
type SYSTEM_PROCESSOR_INFORMATION (line 1461) | typedef struct _SYSTEM_PROCESSOR_INFORMATION
type SYSTEM_PERFORMANCE_INFORMATION (line 1470) | typedef struct _SYSTEM_PERFORMANCE_INFORMATION
type SYSTEM_TIMEOFDAY_INFORMATION (line 1552) | typedef struct _SYSTEM_TIMEOFDAY_INFORMATION
type SYSTEM_THREAD_INFORMATION (line 1563) | typedef struct _SYSTEM_THREAD_INFORMATION
type _TEB (line 1578) | struct _TEB
type SYSTEM_EXTENDED_THREAD_INFORMATION (line 1581) | typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
type SYSTEM_PROCESS_INFORMATION (line 1593) | typedef struct _SYSTEM_PROCESS_INFORMATION
type SYSTEM_CALL_COUNT_INFORMATION (line 1634) | typedef struct _SYSTEM_CALL_COUNT_INFORMATION
type SYSTEM_DEVICE_INFORMATION (line 1640) | typedef struct _SYSTEM_DEVICE_INFORMATION
type SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (line 1650) | typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
type SYSTEM_FLAGS_INFORMATION (line 1660) | typedef struct _SYSTEM_FLAGS_INFORMATION
type SYSTEM_CALL_TIME_INFORMATION (line 1666) | typedef struct _SYSTEM_CALL_TIME_INFORMATION
type RTL_PROCESS_LOCK_INFORMATION (line 1674) | typedef struct _RTL_PROCESS_LOCK_INFORMATION
type RTL_PROCESS_LOCKS (line 1689) | typedef struct _RTL_PROCESS_LOCKS
type RTL_PROCESS_BACKTRACE_INFORMATION (line 1696) | typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION
type RTL_PROCESS_BACKTRACES (line 1706) | typedef struct _RTL_PROCESS_BACKTRACES
type SYSTEM_HANDLE_TABLE_ENTRY_INFO (line 1715) | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
type SYSTEM_HANDLE_INFORMATION (line 1726) | typedef struct _SYSTEM_HANDLE_INFORMATION
type SYSTEM_OBJECTTYPE_INFORMATION (line 1732) | typedef struct _SYSTEM_OBJECTTYPE_INFORMATION
type SYSTEM_OBJECT_INFORMATION (line 1747) | typedef struct _SYSTEM_OBJECT_INFORMATION
type SYSTEM_PAGEFILE_INFORMATION (line 1763) | typedef struct _SYSTEM_PAGEFILE_INFORMATION
type SYSTEM_FILECACHE_INFORMATION (line 1777) | typedef struct _SYSTEM_FILECACHE_INFORMATION
type SYSTEM_BASIC_WORKING_SET_INFORMATION (line 1791) | typedef struct _SYSTEM_BASIC_WORKING_SET_INFORMATION
type SYSTEM_POOLTAG (line 1798) | typedef struct _SYSTEM_POOLTAG
type SYSTEM_POOLTAG_INFORMATION (line 1813) | typedef struct _SYSTEM_POOLTAG_INFORMATION
type SYSTEM_INTERRUPT_INFORMATION (line 1819) | typedef struct _SYSTEM_INTERRUPT_INFORMATION
type SYSTEM_DPC_BEHAVIOR_INFORMATION (line 1829) | typedef struct _SYSTEM_DPC_BEHAVIOR_INFORMATION
type SYSTEM_QUERY_TIME_ADJUST_INFORMATION (line 1838) | typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION
type SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE (line 1845) | typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE
type SYSTEM_SET_TIME_ADJUST_INFORMATION (line 1852) | typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION
type SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE (line 1858) | typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE
type EVENT_TRACE_INFORMATION_CLASS (line 1864) | typedef enum _EVENT_TRACE_INFORMATION_CLASS
type EVENT_TRACE_VERSION_INFORMATION (line 1895) | typedef struct _EVENT_TRACE_VERSION_INFORMATION
type PERFINFO_GROUPMASK (line 1901) | typedef struct _PERFINFO_GROUPMASK
type EVENT_TRACE_GROUPMASK_INFORMATION (line 1906) | typedef struct _EVENT_TRACE_GROUPMASK_INFORMATION
type EVENT_TRACE_PERFORMANCE_INFORMATION (line 1913) | typedef struct _EVENT_TRACE_PERFORMANCE_INFORMATION
type EVENT_TRACE_TIME_PROFILE_INFORMATION (line 1919) | typedef struct _EVENT_TRACE_TIME_PROFILE_INFORMATION
type EVENT_TRACE_SESSION_SECURITY_INFORMATION (line 1925) | typedef struct _EVENT_TRACE_SESSION_SECURITY_INFORMATION
type EVENT_TRACE_SPINLOCK_INFORMATION (line 1933) | typedef struct _EVENT_TRACE_SPINLOCK_INFORMATION
type EVENT_TRACE_SYSTEM_EVENT_INFORMATION (line 1942) | typedef struct _EVENT_TRACE_SYSTEM_EVENT_INFORMATION
type EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION (line 1949) | typedef struct _EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION
type EVENT_TRACE_HEAP_TRACING_INFORMATION (line 1957) | typedef struct _EVENT_TRACE_HEAP_TRACING_INFORMATION
type EVENT_TRACE_TAG_FILTER_INFORMATION (line 1963) | typedef struct _EVENT_TRACE_TAG_FILTER_INFORMATION
type EVENT_TRACE_PROFILE_COUNTER_INFORMATION (line 1970) | typedef struct _EVENT_TRACE_PROFILE_COUNTER_INFORMATION
type EVENT_TRACE_PROFILE_LIST_INFORMATION (line 1987) | typedef struct _EVENT_TRACE_PROFILE_LIST_INFORMATION
type EVENT_TRACE_STACK_CACHING_INFORMATION (line 1994) | typedef struct _EVENT_TRACE_STACK_CACHING_INFORMATION
type EVENT_TRACE_SOFT_RESTART_INFORMATION (line 2004) | typedef struct _EVENT_TRACE_SOFT_RESTART_INFORMATION
type EVENT_TRACE_PROFILE_ADD_INFORMATION (line 2012) | typedef struct _EVENT_TRACE_PROFILE_ADD_INFORMATION
type EVENT_TRACE_PROFILE_REMOVE_INFORMATION (line 2025) | typedef struct _EVENT_TRACE_PROFILE_REMOVE_INFORMATION
type EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION (line 2032) | typedef struct _EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION
type SYSTEM_EXCEPTION_INFORMATION (line 2042) | typedef struct _SYSTEM_EXCEPTION_INFORMATION
type SYSTEM_KERNEL_DEBUGGER_INFORMATION (line 2050) | typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
type SYSTEM_CONTEXT_SWITCH_INFORMATION (line 2056) | typedef struct _SYSTEM_CONTEXT_SWITCH_INFORMATION
type SYSTEM_REGISTRY_QUOTA_INFORMATION (line 2072) | typedef struct _SYSTEM_REGISTRY_QUOTA_INFORMATION
type SYSTEM_PROCESSOR_IDLE_INFORMATION (line 2079) | typedef struct _SYSTEM_PROCESSOR_IDLE_INFORMATION
type SYSTEM_LEGACY_DRIVER_INFORMATION (line 2091) | typedef struct _SYSTEM_LEGACY_DRIVER_INFORMATION
type SYSTEM_LOOKASIDE_INFORMATION (line 2097) | typedef struct _SYSTEM_LOOKASIDE_INFORMATION
type SYSTEM_RANGE_START_INFORMATION (line 2111) | typedef struct _SYSTEM_RANGE_START_INFORMATION
type SYSTEM_VERIFIER_INFORMATION_LEGACY (line 2116) | typedef struct _SYSTEM_VERIFIER_INFORMATION_LEGACY // pre-19H1
type SYSTEM_VERIFIER_INFORMATION (line 2151) | typedef struct _SYSTEM_VERIFIER_INFORMATION
type SYSTEM_SESSION_PROCESS_INFORMATION (line 2190) | typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION
type SYSTEM_PROCESSOR_POWER_INFORMATION (line 2197) | typedef struct _SYSTEM_PROCESSOR_POWER_INFORMATION
type SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX (line 2221) | typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
type SYSTEM_HANDLE_INFORMATION_EX (line 2233) | typedef struct _SYSTEM_HANDLE_INFORMATION_EX
type SYSTEM_BIGPOOL_ENTRY (line 2240) | typedef struct _SYSTEM_BIGPOOL_ENTRY
type SYSTEM_BIGPOOL_INFORMATION (line 2255) | typedef struct _SYSTEM_BIGPOOL_INFORMATION
type SYSTEM_POOL_ENTRY (line 2261) | typedef struct _SYSTEM_POOL_ENTRY
type SYSTEM_POOL_INFORMATION (line 2275) | typedef struct _SYSTEM_POOL_INFORMATION
type SYSTEM_SESSION_POOLTAG_INFORMATION (line 2286) | typedef struct _SYSTEM_SESSION_POOLTAG_INFORMATION
type SYSTEM_SESSION_MAPPED_VIEW_INFORMATION (line 2294) | typedef struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
type SYSTEM_FIRMWARE_TABLE_ACTION (line 2305) | typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
type SYSTEM_FIRMWARE_TABLE_INFORMATION (line 2313) | typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION
type SYSTEM_MEMORY_LIST_INFORMATION (line 2324) | typedef struct _SYSTEM_MEMORY_LIST_INFORMATION
type SYSTEM_MEMORY_LIST_COMMAND (line 2337) | typedef enum _SYSTEM_MEMORY_LIST_COMMAND
type SYSTEM_THREAD_CID_PRIORITY_INFORMATION (line 2349) | typedef struct _SYSTEM_THREAD_CID_PRIORITY_INFORMATION
type SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION (line 2356) | typedef struct _SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION
type SYSTEM_REF_TRACE_INFORMATION (line 2362) | typedef struct _SYSTEM_REF_TRACE_INFORMATION
type SYSTEM_PROCESS_ID_INFORMATION (line 2371) | typedef struct _SYSTEM_PROCESS_ID_INFORMATION
type SYSTEM_BOOT_ENVIRONMENT_INFORMATION (line 2378) | typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION
type SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (line 2399) | typedef struct _SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION
type SYSTEM_VERIFIER_INFORMATION_EX (line 2406) | typedef struct _SYSTEM_VERIFIER_INFORMATION_EX
type SYSTEM_SYSTEM_PARTITION_INFORMATION (line 2421) | typedef struct _SYSTEM_SYSTEM_PARTITION_INFORMATION
type SYSTEM_SYSTEM_DISK_INFORMATION (line 2427) | typedef struct _SYSTEM_SYSTEM_DISK_INFORMATION
type SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT (line 2433) | typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT
type SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8 (line 2440) | typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8
type SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION (line 2447) | typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION
type SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (line 2455) | typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION
type SYSTEM_CODEINTEGRITY_INFORMATION (line 2477) | typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION
type SYSTEM_VA_TYPE (line 2484) | typedef enum _SYSTEM_VA_TYPE
type SYSTEM_VA_LIST_INFORMATION (line 2496) | typedef struct _SYSTEM_VA_LIST_INFORMATION
type SYSTEM_STORE_INFORMATION_CLASS (line 2505) | typedef enum _SYSTEM_STORE_INFORMATION_CLASS
type SYSTEM_STORE_INFORMATION (line 2514) | typedef struct _SYSTEM_STORE_INFORMATION
type SYSTEM_STORE_COMPRESSION_INFORMATION (line 2526) | typedef struct _SYSTEM_STORE_COMPRESSION_INFORMATION
type SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS (line 2537) | typedef struct _SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS
type SYSTEM_VHD_BOOT_INFORMATION (line 2552) | typedef struct _SYSTEM_VHD_BOOT_INFORMATION
type SYSTEM_LOW_PRIORITY_IO_INFORMATION (line 2560) | typedef struct _SYSTEM_LOW_PRIORITY_IO_INFORMATION
type TPM_BOOT_ENTROPY_RESULT_CODE (line 2575) | typedef enum _TPM_BOOT_ENTROPY_RESULT_CODE
type TPM_BOOT_ENTROPY_NT_RESULT (line 2588) | typedef struct _TPM_BOOT_ENTROPY_NT_RESULT
type SYSTEM_VERIFIER_COUNTERS_INFORMATION (line 2599) | typedef struct _SYSTEM_VERIFIER_COUNTERS_INFORMATION
type SYSTEM_ACPI_AUDIT_INFORMATION (line 2628) | typedef struct _SYSTEM_ACPI_AUDIT_INFORMATION
type SYSTEM_BASIC_PERFORMANCE_INFORMATION (line 2637) | typedef struct _SYSTEM_BASIC_PERFORMANCE_INFORMATION
type QUERY_PERFORMANCE_COUNTER_FLAGS (line 2647) | typedef struct _QUERY_PERFORMANCE_COUNTER_FLAGS
type SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION (line 2660) | typedef struct _SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION
type SYSTEM_PIXEL_FORMAT (line 2670) | typedef enum _SYSTEM_PIXEL_FORMAT
type SYSTEM_BOOT_GRAPHICS_INFORMATION (line 2680) | typedef struct _SYSTEM_BOOT_GRAPHICS_INFORMATION
type MEMORY_SCRUB_INFORMATION (line 2692) | typedef struct _MEMORY_SCRUB_INFORMATION
type PEBS_DS_SAVE_AREA32 (line 2699) | typedef struct _PEBS_DS_SAVE_AREA32
type PEBS_DS_SAVE_AREA64 (line 2714) | typedef struct _PEBS_DS_SAVE_AREA64
type PEBS_DS_SAVE_AREA (line 2729) | typedef union _PEBS_DS_SAVE_AREA
type PROCESSOR_PROFILE_CONTROL_AREA (line 2736) | typedef struct _PROCESSOR_PROFILE_CONTROL_AREA
type SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA (line 2742) | typedef struct _SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
type MEMORY_COMBINE_INFORMATION (line 2749) | typedef struct _MEMORY_COMBINE_INFORMATION
type MEMORY_COMBINE_INFORMATION_EX (line 2759) | typedef struct _MEMORY_COMBINE_INFORMATION_EX
type MEMORY_COMBINE_INFORMATION_EX2 (line 2767) | typedef struct _MEMORY_COMBINE_INFORMATION_EX2
type SYSTEM_CONSOLE_INFORMATION (line 2776) | typedef struct _SYSTEM_CONSOLE_INFORMATION
type SYSTEM_PLATFORM_BINARY_INFORMATION (line 2783) | typedef struct _SYSTEM_PLATFORM_BINARY_INFORMATION
type SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION (line 2793) | typedef struct _SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
type SYSTEM_DEVICE_DATA_INFORMATION (line 2800) | typedef struct _SYSTEM_DEVICE_DATA_INFORMATION
type PHYSICAL_CHANNEL_RUN (line 2810) | typedef struct _PHYSICAL_CHANNEL_RUN
type SYSTEM_MEMORY_TOPOLOGY_INFORMATION (line 2820) | typedef struct _SYSTEM_MEMORY_TOPOLOGY_INFORMATION
type SYSTEM_MEMORY_CHANNEL_INFORMATION (line 2829) | typedef struct _SYSTEM_MEMORY_CHANNEL_INFORMATION
type SYSTEM_BOOT_LOGO_INFORMATION (line 2840) | typedef struct _SYSTEM_BOOT_LOGO_INFORMATION
type SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX (line 2847) | typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX
type SYSTEM_SECUREBOOT_POLICY_INFORMATION (line 2862) | typedef struct _SYSTEM_SECUREBOOT_POLICY_INFORMATION
type SYSTEM_PAGEFILE_INFORMATION_EX (line 2870) | typedef struct _SYSTEM_PAGEFILE_INFORMATION_EX
type SYSTEM_SECUREBOOT_INFORMATION (line 2890) | typedef struct _SYSTEM_SECUREBOOT_INFORMATION
type PROCESS_DISK_COUNTERS (line 2897) | typedef struct _PROCESS_DISK_COUNTERS
type ENERGY_STATE_DURATION (line 2907) | typedef union _ENERGY_STATE_DURATION
type PROCESS_ENERGY_VALUES (line 2919) | typedef struct _PROCESS_ENERGY_VALUES
type TIMELINE_BITMAP (line 2945) | typedef struct _TIMELINE_BITMAP
type PROCESS_ENERGY_VALUES_EXTENSION (line 2952) | typedef struct _PROCESS_ENERGY_VALUES_EXTENSION
type PROCESS_EXTENDED_ENERGY_VALUES (line 2993) | typedef struct _PROCESS_EXTENDED_ENERGY_VALUES
type SYSTEM_PROCESS_CLASSIFICATION (line 3000) | typedef enum _SYSTEM_PROCESS_CLASSIFICATION
type SYSTEM_PROCESS_INFORMATION_EXTENSION (line 3011) | typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION
type SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION (line 3037) | typedef struct _SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
type SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX (line 3043) | typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
type SYSTEM_ELAM_CERTIFICATE_INFORMATION (line 3051) | typedef struct _SYSTEM_ELAM_CERTIFICATE_INFORMATION
type SYSTEM_PROCESSOR_FEATURES_INFORMATION (line 3057) | typedef struct _SYSTEM_PROCESSOR_FEATURES_INFORMATION
type SYSTEM_MANUFACTURING_INFORMATION (line 3064) | typedef struct _SYSTEM_MANUFACTURING_INFORMATION
type SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION (line 3071) | typedef struct _SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
type HV_DETAILS (line 3077) | typedef struct _HV_DETAILS
type SYSTEM_HYPERVISOR_DETAIL_INFORMATION (line 3083) | typedef struct _SYSTEM_HYPERVISOR_DETAIL_INFORMATION
type SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (line 3095) | typedef struct _SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION
type SYSTEM_TPM_INFORMATION (line 3101) | typedef struct _SYSTEM_TPM_INFORMATION
type SYSTEM_VSM_PROTECTION_INFORMATION (line 3107) | typedef struct _SYSTEM_VSM_PROTECTION_INFORMATION
type SYSTEM_KERNEL_DEBUGGER_FLAGS (line 3115) | typedef struct _SYSTEM_KERNEL_DEBUGGER_FLAGS
type SYSTEM_CODEINTEGRITYPOLICY_INFORMATION (line 3121) | typedef struct _SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
type SYSTEM_ISOLATED_USER_MODE_INFORMATION (line 3130) | typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION
type SYSTEM_SINGLE_MODULE_INFORMATION (line 3147) | typedef struct _SYSTEM_SINGLE_MODULE_INFORMATION
type SYSTEM_INTERRUPT_CPU_SET_INFORMATION (line 3154) | typedef struct _SYSTEM_INTERRUPT_CPU_SET_INFORMATION
type SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION (line 3162) | typedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
type SYSTEM_ROOT_SILO_INFORMATION (line 3170) | typedef struct _SYSTEM_ROOT_SILO_INFORMATION
type SYSTEM_CPU_SET_TAG_INFORMATION (line 3177) | typedef struct _SYSTEM_CPU_SET_TAG_INFORMATION
type SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION (line 3184) | typedef struct _SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
type SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION (line 3213) | typedef struct _SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION
type SYSTEM_MEMORY_USAGE_INFORMATION (line 3220) | typedef struct _SYSTEM_MEMORY_USAGE_INFORMATION
type SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION (line 3232) | typedef struct _SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
type SYSTEM_PHYSICAL_MEMORY_INFORMATION (line 3239) | typedef struct _SYSTEM_PHYSICAL_MEMORY_INFORMATION
type SYSTEM_ACTIVITY_MODERATION_STATE (line 3247) | typedef enum _SYSTEM_ACTIVITY_MODERATION_STATE
type SYSTEM_ACTIVITY_MODERATION_EXE_STATE (line 3256) | typedef struct _SYSTEM_ACTIVITY_MODERATION_EXE_STATE // REDSTONE3: Renam...
type SYSTEM_ACTIVITY_MODERATION_APP_TYPE (line 3262) | typedef enum _SYSTEM_ACTIVITY_MODERATION_APP_TYPE
type SYSTEM_ACTIVITY_MODERATION_INFO (line 3270) | typedef struct _SYSTEM_ACTIVITY_MODERATION_INFO
type SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS (line 3278) | typedef struct _SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
type SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION (line 3284) | typedef struct _SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
type SYSTEM_FLUSH_INFORMATION (line 3301) | typedef struct _SYSTEM_FLUSH_INFORMATION
type SYSTEM_WRITE_CONSTRAINT_INFORMATION (line 3310) | typedef struct _SYSTEM_WRITE_CONSTRAINT_INFORMATION
type SYSTEM_KERNEL_VA_SHADOW_INFORMATION (line 3317) | typedef struct _SYSTEM_KERNEL_VA_SHADOW_INFORMATION
type SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION (line 3339) | typedef struct _SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
type SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION (line 3347) | typedef struct _SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION
type SYSTEM_FIRMWARE_PARTITION_INFORMATION (line 3353) | typedef struct _SYSTEM_FIRMWARE_PARTITION_INFORMATION
type SYSTEM_SPECULATION_CONTROL_INFORMATION (line 3359) | typedef struct _SYSTEM_SPECULATION_CONTROL_INFORMATION
type SYSTEM_DMA_GUARD_POLICY_INFORMATION (line 3399) | typedef struct _SYSTEM_DMA_GUARD_POLICY_INFORMATION
type SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION (line 3405) | typedef struct _SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
type SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION (line 3411) | typedef struct _SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION
type SYSTEM_SECURITY_MODEL_INFORMATION (line 3418) | typedef struct _SYSTEM_SECURITY_MODEL_INFORMATION
type SYSDBG_COMMAND (line 3470) | typedef enum _SYSDBG_COMMAND
type SYSDBG_VIRTUAL (line 3512) | typedef struct _SYSDBG_VIRTUAL
type SYSDBG_PHYSICAL (line 3519) | typedef struct _SYSDBG_PHYSICAL
type SYSDBG_CONTROL_SPACE (line 3526) | typedef struct _SYSDBG_CONTROL_SPACE
type _INTERFACE_TYPE (line 3534) | enum _INTERFACE_TYPE
type SYSDBG_IO_SPACE (line 3536) | typedef struct _SYSDBG_IO_SPACE
type SYSDBG_MSR (line 3546) | typedef struct _SYSDBG_MSR
type _BUS_DATA_TYPE (line 3552) | enum _BUS_DATA_TYPE
type SYSDBG_BUS_DATA (line 3554) | typedef struct _SYSDBG_BUS_DATA
type SYSDBG_TRIAGE_DUMP (line 3565) | typedef struct _SYSDBG_TRIAGE_DUMP
type SYSDBG_LIVEDUMP_CONTROL_FLAGS (line 3579) | typedef union _SYSDBG_LIVEDUMP_CONTROL_FLAGS
type SYSDBG_LIVEDUMP_CONTROL_ADDPAGES (line 3593) | typedef union _SYSDBG_LIVEDUMP_CONTROL_ADDPAGES
type SYSDBG_LIVEDUMP_CONTROL (line 3606) | typedef struct _SYSDBG_LIVEDUMP_CONTROL
type HARDERROR_RESPONSE_OPTION (line 3634) | typedef enum _HARDERROR_RESPONSE_OPTION
type HARDERROR_RESPONSE (line 3647) | typedef enum _HARDERROR_RESPONSE
type ALTERNATIVE_ARCHITECTURE_TYPE (line 3678) | typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE
type KUSER_SHARED_DATA (line 3695) | typedef struct _KUSER_SHARED_DATA
function FORCEINLINE (line 3874) | FORCEINLINE ULONGLONG NtGetTickCount64()
function FORCEINLINE (line 3901) | FORCEINLINE ULONG NtGetTickCount()
type ATOM_INFORMATION_CLASS (line 4117) | typedef enum _ATOM_INFORMATION_CLASS
type ATOM_BASIC_INFORMATION (line 4123) | typedef struct _ATOM_BASIC_INFORMATION
type ATOM_TABLE_INFORMATION (line 4131) | typedef struct _ATOM_TABLE_INFORMATION
type SHUTDOWN_ACTION (line 4249) | typedef enum _SHUTDOWN_ACTION
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntgdi.h
type GDI_HANDLE_ENTRY (line 104) | typedef struct _GDI_HANDLE_ENTRY
type GDI_SHARED_MEMORY (line 127) | typedef struct _GDI_SHARED_MEMORY
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntioapi.h
type IO_STATUS_BLOCK (line 162) | typedef struct _IO_STATUS_BLOCK
type FILE_IO_COMPLETION_INFORMATION (line 179) | typedef struct _FILE_IO_COMPLETION_INFORMATION
type FILE_INFORMATION_CLASS (line 186) | typedef enum _FILE_INFORMATION_CLASS
type FILE_BASIC_INFORMATION (line 268) | typedef struct _FILE_BASIC_INFORMATION
type FILE_STANDARD_INFORMATION (line 277) | typedef struct _FILE_STANDARD_INFORMATION
type FILE_STANDARD_INFORMATION_EX (line 286) | typedef struct _FILE_STANDARD_INFORMATION_EX
type FILE_INTERNAL_INFORMATION (line 297) | typedef struct _FILE_INTERNAL_INFORMATION
type FILE_EA_INFORMATION (line 302) | typedef struct _FILE_EA_INFORMATION
type FILE_ACCESS_INFORMATION (line 307) | typedef struct _FILE_ACCESS_INFORMATION
type FILE_POSITION_INFORMATION (line 312) | typedef struct _FILE_POSITION_INFORMATION
type FILE_MODE_INFORMATION (line 317) | typedef struct _FILE_MODE_INFORMATION
type FILE_ALIGNMENT_INFORMATION (line 322) | typedef struct _FILE_ALIGNMENT_INFORMATION
type FILE_NAME_INFORMATION (line 327) | typedef struct _FILE_NAME_INFORMATION
type FILE_ALL_INFORMATION (line 333) | typedef struct _FILE_ALL_INFORMATION
type FILE_NETWORK_OPEN_INFORMATION (line 346) | typedef struct _FILE_NETWORK_OPEN_INFORMATION
type FILE_ATTRIBUTE_TAG_INFORMATION (line 357) | typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION
type FILE_ALLOCATION_INFORMATION (line 363) | typedef struct _FILE_ALLOCATION_INFORMATION
type FILE_COMPRESSION_INFORMATION (line 368) | typedef struct _FILE_COMPRESSION_INFORMATION
type FILE_DISPOSITION_INFORMATION (line 378) | typedef struct _FILE_DISPOSITION_INFORMATION
type FILE_END_OF_FILE_INFORMATION (line 383) | typedef struct _FILE_END_OF_FILE_INFORMATION
type FILE_VALID_DATA_LENGTH_INFORMATION (line 388) | typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION
type FILE_LINK_INFORMATION (line 393) | typedef struct _FILE_LINK_INFORMATION
type FILE_LINK_INFORMATION_EX (line 417) | typedef struct _FILE_LINK_INFORMATION_EX
type FILE_MOVE_CLUSTER_INFORMATION (line 425) | typedef struct _FILE_MOVE_CLUSTER_INFORMATION
type FILE_RENAME_INFORMATION (line 433) | typedef struct _FILE_RENAME_INFORMATION
type FILE_RENAME_INFORMATION_EX (line 464) | typedef struct _FILE_RENAME_INFORMATION_EX
type FILE_STREAM_INFORMATION (line 472) | typedef struct _FILE_STREAM_INFORMATION
type FILE_TRACKING_INFORMATION (line 481) | typedef struct _FILE_TRACKING_INFORMATION
type FILE_COMPLETION_INFORMATION (line 488) | typedef struct _FILE_COMPLETION_INFORMATION
type FILE_PIPE_INFORMATION (line 494) | typedef struct _FILE_PIPE_INFORMATION
type FILE_PIPE_LOCAL_INFORMATION (line 500) | typedef struct _FILE_PIPE_LOCAL_INFORMATION
type FILE_PIPE_REMOTE_INFORMATION (line 514) | typedef struct _FILE_PIPE_REMOTE_INFORMATION
type FILE_MAILSLOT_QUERY_INFORMATION (line 520) | typedef struct _FILE_MAILSLOT_QUERY_INFORMATION
type FILE_MAILSLOT_SET_INFORMATION (line 529) | typedef struct _FILE_MAILSLOT_SET_INFORMATION
type FILE_REPARSE_POINT_INFORMATION (line 534) | typedef struct _FILE_REPARSE_POINT_INFORMATION
type FILE_LINK_ENTRY_INFORMATION (line 540) | typedef struct _FILE_LINK_ENTRY_INFORMATION
type FILE_LINKS_INFORMATION (line 548) | typedef struct _FILE_LINKS_INFORMATION
type FILE_NETWORK_PHYSICAL_NAME_INFORMATION (line 555) | typedef struct _FILE_NETWORK_PHYSICAL_NAME_INFORMATION
type FILE_STANDARD_LINK_INFORMATION (line 561) | typedef struct _FILE_STANDARD_LINK_INFORMATION
type FILE_SFIO_RESERVE_INFORMATION (line 569) | typedef struct _FILE_SFIO_RESERVE_INFORMATION
type FILE_SFIO_VOLUME_INFORMATION (line 579) | typedef struct _FILE_SFIO_VOLUME_INFORMATION
type IO_PRIORITY_HINT (line 586) | typedef enum _IO_PRIORITY_HINT
type FILE_IO_PRIORITY_HINT_INFORMATION (line 596) | typedef struct _FILE_IO_PRIORITY_HINT_INFORMATION
type FILE_IO_PRIORITY_HINT_INFORMATION_EX (line 601) | typedef struct _FILE_IO_PRIORITY_HINT_INFORMATION_EX
type FILE_IO_COMPLETION_NOTIFICATION_INFORMATION (line 611) | typedef struct _FILE_IO_COMPLETION_NOTIFICATION_INFORMATION
type FILE_PROCESS_IDS_USING_FILE_INFORMATION (line 616) | typedef struct _FILE_PROCESS_IDS_USING_FILE_INFORMATION
type FILE_IS_REMOTE_DEVICE_INFORMATION (line 622) | typedef struct _FILE_IS_REMOTE_DEVICE_INFORMATION
type FILE_NUMA_NODE_INFORMATION (line 627) | typedef struct _FILE_NUMA_NODE_INFORMATION
type FILE_IOSTATUSBLOCK_RANGE_INFORMATION (line 632) | typedef struct _FILE_IOSTATUSBLOCK_RANGE_INFORMATION
type FILE_REMOTE_PROTOCOL_INFORMATION (line 638) | typedef struct _FILE_REMOTE_PROTOCOL_INFORMATION
type FILE_INTEGRITY_STREAM_INFORMATION (line 689) | typedef struct _FILE_INTEGRITY_STREAM_INFORMATION
type FILE_VOLUME_NAME_INFORMATION (line 697) | typedef struct _FILE_VOLUME_NAME_INFORMATION
type FILE_ID_INFORMATION (line 703) | typedef struct _FILE_ID_INFORMATION
type FILE_ID_EXTD_DIR_INFORMATION (line 709) | typedef struct _FILE_ID_EXTD_DIR_INFORMATION
type FILE_LINK_ENTRY_FULL_ID_INFORMATION (line 727) | typedef struct _FILE_LINK_ENTRY_FULL_ID_INFORMATION
type FILE_ID_EXTD_BOTH_DIR_INFORMATION (line 735) | typedef struct _FILE_ID_EXTD_BOTH_DIR_INFORMATION
type FILE_STAT_INFORMATION (line 756) | typedef struct _FILE_STAT_INFORMATION
type FILE_MEMORY_PARTITION_INFORMATION (line 772) | typedef struct _FILE_MEMORY_PARTITION_INFORMATION
type FILE_STAT_LX_INFORMATION (line 787) | typedef struct _FILE_STAT_LX_INFORMATION
type FILE_CASE_SENSITIVE_INFORMATION (line 809) | typedef struct _FILE_CASE_SENSITIVE_INFORMATION
type FILE_DIRECTORY_INFORMATION (line 816) | typedef struct _FILE_DIRECTORY_INFORMATION
type FILE_FULL_DIR_INFORMATION (line 831) | typedef struct _FILE_FULL_DIR_INFORMATION
type FILE_ID_FULL_DIR_INFORMATION (line 847) | typedef struct _FILE_ID_FULL_DIR_INFORMATION
type FILE_BOTH_DIR_INFORMATION (line 864) | typedef struct _FILE_BOTH_DIR_INFORMATION
type FILE_ID_BOTH_DIR_INFORMATION (line 882) | typedef struct _FILE_ID_BOTH_DIR_INFORMATION
type FILE_NAMES_INFORMATION (line 901) | typedef struct _FILE_NAMES_INFORMATION
type FILE_ID_GLOBAL_TX_DIR_INFORMATION (line 909) | typedef struct _FILE_ID_GLOBAL_TX_DIR_INFORMATION
type FILE_OBJECTID_INFORMATION (line 931) | typedef struct _FILE_OBJECTID_INFORMATION
type FILE_FULL_EA_INFORMATION (line 949) | typedef struct _FILE_FULL_EA_INFORMATION
type FILE_GET_EA_INFORMATION (line 958) | typedef struct _FILE_GET_EA_INFORMATION
type FILE_GET_QUOTA_INFORMATION (line 967) | typedef struct _FILE_GET_QUOTA_INFORMATION
type FILE_QUOTA_INFORMATION (line 974) | typedef struct _FILE_QUOTA_INFORMATION
type FSINFOCLASS (line 985) | typedef enum _FSINFOCLASS
type FILE_FS_VOLUME_INFORMATION (line 1007) | typedef struct _FILE_FS_VOLUME_INFORMATION
type FILE_FS_LABEL_INFORMATION (line 1017) | typedef struct _FILE_FS_LABEL_INFORMATION
type FILE_FS_SIZE_INFORMATION (line 1024) | typedef struct _FILE_FS_SIZE_INFORMATION
type FILE_FS_CONTROL_INFORMATION (line 1033) | typedef struct _FILE_FS_CONTROL_INFORMATION
type FILE_FS_FULL_SIZE_INFORMATION (line 1044) | typedef struct _FILE_FS_FULL_SIZE_INFORMATION
type FILE_FS_OBJECTID_INFORMATION (line 1054) | typedef struct _FILE_FS_OBJECTID_INFORMATION
type FILE_FS_DEVICE_INFORMATION (line 1061) | typedef struct _FILE_FS_DEVICE_INFORMATION
type FILE_FS_ATTRIBUTE_INFORMATION (line 1068) | typedef struct _FILE_FS_ATTRIBUTE_INFORMATION
type FILE_FS_DRIVER_PATH_INFORMATION (line 1077) | typedef struct _FILE_FS_DRIVER_PATH_INFORMATION
type FILE_FS_VOLUME_FLAGS_INFORMATION (line 1085) | typedef struct _FILE_FS_VOLUME_FLAGS_INFORMATION
type FILE_FS_SECTOR_SIZE_INFORMATION (line 1096) | typedef struct _FILE_FS_SECTOR_SIZE_INFORMATION
type FILE_FS_DATA_COPY_INFORMATION (line 1108) | typedef struct _FILE_FS_DATA_COPY_INFORMATION
type FILE_FS_METADATA_SIZE_INFORMATION (line 1114) | typedef struct _FILE_FS_METADATA_SIZE_INFORMATION
type FILE_FS_FULL_SIZE_INFORMATION_EX (line 1122) | typedef struct _FILE_FS_FULL_SIZE_INFORMATION_EX
type DIRECTORY_NOTIFY_INFORMATION_CLASS (line 1559) | typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS
type IO_COMPLETION_INFORMATION_CLASS (line 1603) | typedef enum _IO_COMPLETION_INFORMATION_CLASS
type IO_COMPLETION_BASIC_INFORMATION (line 1608) | typedef struct _IO_COMPLETION_BASIC_INFORMATION
type IO_SESSION_EVENT (line 1732) | typedef enum _IO_SESSION_EVENT
type IO_SESSION_STATE (line 1744) | typedef enum _IO_SESSION_STATE
type INTERFACE_TYPE (line 1775) | typedef enum _INTERFACE_TYPE
type DMA_WIDTH (line 1798) | typedef enum _DMA_WIDTH
type DMA_SPEED (line 1806) | typedef enum _DMA_SPEED
type BUS_DATA_TYPE (line 1816) | typedef enum _BUS_DATA_TYPE
type REPARSE_DATA_BUFFER (line 1840) | typedef struct _REPARSE_DATA_BUFFER
type FILE_PIPE_ASSIGN_EVENT_BUFFER (line 1904) | typedef struct _FILE_PIPE_ASSIGN_EVENT_BUFFER
type FILE_PIPE_PEEK_BUFFER (line 1911) | typedef struct _FILE_PIPE_PEEK_BUFFER
type FILE_PIPE_EVENT_BUFFER (line 1921) | typedef struct _FILE_PIPE_EVENT_BUFFER
type FILE_PIPE_WAIT_FOR_BUFFER (line 1931) | typedef struct _FILE_PIPE_WAIT_FOR_BUFFER
type FILE_PIPE_CLIENT_PROCESS_BUFFER (line 1940) | typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER
type FILE_PIPE_CLIENT_PROCESS_BUFFER_EX (line 1954) | typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER_EX
type FILE_MAILSLOT_PEEK_BUFFER (line 1975) | typedef struct _FILE_MAILSLOT_PEEK_BUFFER
type MOUNTMGR_CREATE_POINT_INPUT (line 2006) | typedef struct _MOUNTMGR_CREATE_POINT_INPUT
type MOUNTMGR_MOUNT_POINT (line 2015) | typedef struct _MOUNTMGR_MOUNT_POINT
type MOUNTMGR_MOUNT_POINTS (line 2029) | typedef struct _MOUNTMGR_MOUNT_POINTS
type MOUNTMGR_DRIVE_LETTER_TARGET (line 2037) | typedef struct _MOUNTMGR_DRIVE_LETTER_TARGET
type MOUNTMGR_DRIVE_LETTER_INFORMATION (line 2044) | typedef struct _MOUNTMGR_DRIVE_LETTER_INFORMATION
type MOUNTMGR_VOLUME_MOUNT_POINT (line 2052) | typedef struct _MOUNTMGR_VOLUME_MOUNT_POINT
type MOUNTMGR_CHANGE_NOTIFY_INFO (line 2062) | typedef struct _MOUNTMGR_CHANGE_NOTIFY_INFO
type MOUNTMGR_TARGET_NAME (line 2073) | typedef struct _MOUNTMGR_TARGET_NAME
type MOUNTDEV_NAME (line 2123) | typedef struct _MOUNTDEV_NAME
type MOUNTMGR_VOLUME_PATHS (line 2130) | typedef struct _MOUNTMGR_VOLUME_PATHS
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntkeapi.h
type KTHREAD_STATE (line 22) | typedef enum _KTHREAD_STATE
type KHETERO_CPU_POLICY (line 38) | typedef enum _KHETERO_CPU_POLICY
type KWAIT_REASON (line 55) | typedef enum _KWAIT_REASON
type KPROFILE_SOURCE (line 99) | typedef enum _KPROFILE_SOURCE
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntldr.h
type LDR_SERVICE_TAG_RECORD (line 26) | typedef struct _LDR_SERVICE_TAG_RECORD
type LDRP_CSLIST (line 33) | typedef struct _LDRP_CSLIST
type LDR_DDAG_STATE (line 39) | typedef enum _LDR_DDAG_STATE
type LDR_DDAG_NODE (line 59) | typedef struct _LDR_DDAG_NODE
type LDR_DEPENDENCY_RECORD (line 78) | typedef struct _LDR_DEPENDENCY_RECORD
type LDR_DLL_LOAD_REASON (line 87) | typedef enum _LDR_DLL_LOAD_REASON
type LDR_DATA_TABLE_ENTRY (line 131) | typedef struct _LDR_DATA_TABLE_ENTRY
type LDR_IMPORT_CALLBACK_INFO (line 444) | typedef struct _LDR_IMPORT_CALLBACK_INFO
type LDR_SECTION_INFO (line 451) | typedef struct _LDR_SECTION_INFO
type LDR_VERIFY_IMAGE_INFO (line 461) | typedef struct _LDR_VERIFY_IMAGE_INFO
type LDR_DLL_LOADED_NOTIFICATION_DATA (line 498) | typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA
type LDR_DLL_UNLOADED_NOTIFICATION_DATA (line 507) | typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA
type LDR_DLL_NOTIFICATION_DATA (line 516) | typedef union _LDR_DLL_NOTIFICATION_DATA
type PS_MITIGATION_OPTIONS_MAP (line 560) | typedef struct _PS_MITIGATION_OPTIONS_MAP
type PS_MITIGATION_AUDIT_OPTIONS_MAP (line 566) | typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP
type PS_SYSTEM_DLL_INIT_BLOCK (line 572) | typedef struct _PS_SYSTEM_DLL_INIT_BLOCK
type LDR_RESOURCE_INFO (line 662) | typedef struct _LDR_RESOURCE_INFO
type LDR_ENUM_RESOURCE_ENTRY (line 695) | typedef struct _LDR_ENUM_RESOURCE_ENTRY
type RTL_PROCESS_MODULE_INFORMATION (line 738) | typedef struct _RTL_PROCESS_MODULE_INFORMATION
type RTL_PROCESS_MODULES (line 752) | typedef struct _RTL_PROCESS_MODULES
type RTL_PROCESS_MODULE_INFORMATION_EX (line 759) | typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
type DELAYLOAD_PROC_DESCRIPTOR (line 841) | typedef struct _DELAYLOAD_PROC_DESCRIPTOR
type DELAYLOAD_INFO (line 852) | typedef struct _DELAYLOAD_INFO
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntlpcapi.h
type PORT_MESSAGE (line 20) | typedef struct _PORT_MESSAGE
type PORT_DATA_ENTRY (line 53) | typedef struct _PORT_DATA_ENTRY
type PORT_DATA_INFORMATION (line 59) | typedef struct _PORT_DATA_INFORMATION
type LPC_CLIENT_DIED_MSG (line 92) | typedef struct _LPC_CLIENT_DIED_MSG
type PORT_VIEW (line 98) | typedef struct _PORT_VIEW
type REMOTE_PORT_VIEW (line 108) | typedef struct _REMOTE_PORT_VIEW
type PORT_MESSAGE64 (line 121) | typedef struct _PORT_MESSAGE64
type LPC_CLIENT_DIED_MSG64 (line 154) | typedef struct _LPC_CLIENT_DIED_MSG64
type PORT_VIEW64 (line 160) | typedef struct _PORT_VIEW64
type REMOTE_PORT_VIEW64 (line 170) | typedef struct _REMOTE_PORT_VIEW64
type PORT_INFORMATION_CLASS (line 349) | typedef enum _PORT_INFORMATION_CLASS
type HANDLE (line 369) | typedef HANDLE ALPC_HANDLE, *PALPC_HANDLE;
type ALPC_PORT_ATTRIBUTES (line 376) | typedef struct _ALPC_PORT_ATTRIBUTES
type ALPC_MESSAGE_ATTRIBUTES (line 400) | typedef struct _ALPC_MESSAGE_ATTRIBUTES
type ALPC_COMPLETION_LIST_STATE (line 407) | typedef struct _ALPC_COMPLETION_LIST_STATE
type DECLSPEC_ALIGN (line 424) | struct DECLSPEC_ALIGN
type ALPC_CONTEXT_ATTR (line 450) | typedef struct _ALPC_CONTEXT_ATTR
type ALPC_HANDLE_ATTR32 (line 466) | typedef struct _ALPC_HANDLE_ATTR32
type ALPC_HANDLE_ATTR (line 482) | typedef struct _ALPC_HANDLE_ATTR
type ALPC_SECURITY_ATTR (line 502) | typedef struct _ALPC_SECURITY_ATTR
type ALPC_DATA_VIEW_ATTR (line 514) | typedef struct _ALPC_DATA_VIEW_ATTR
type ALPC_PORT_INFORMATION_CLASS (line 523) | typedef enum _ALPC_PORT_INFORMATION_CLASS
type ALPC_BASIC_INFORMATION (line 540) | typedef struct _ALPC_BASIC_INFORMATION
type ALPC_PORT_ASSOCIATE_COMPLETION_PORT (line 548) | typedef struct _ALPC_PORT_ASSOCIATE_COMPLETION_PORT
type ALPC_SERVER_INFORMATION (line 555) | typedef struct _ALPC_SERVER_INFORMATION
type ALPC_PORT_MESSAGE_ZONE_INFORMATION (line 573) | typedef struct _ALPC_PORT_MESSAGE_ZONE_INFORMATION
type ALPC_PORT_COMPLETION_LIST_INFORMATION (line 580) | typedef struct _ALPC_PORT_COMPLETION_LIST_INFORMATION
type ALPC_MESSAGE_INFORMATION_CLASS (line 589) | typedef enum _ALPC_MESSAGE_INFORMATION_CLASS
type ALPC_MESSAGE_HANDLE_INFORMATION (line 598) | typedef struct _ALPC_MESSAGE_HANDLE_INFORMATION
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntmisc.h
type VDMSERVICECLASS (line 22) | typedef enum _VDMSERVICECLASS
type TRACE_CONTROL_INFORMATION_CLASS (line 61) | typedef enum _TRACE_CONTROL_INFORMATION_CLASS
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntmmapi.h
type MEMORY_INFORMATION_CLASS (line 78) | typedef enum _MEMORY_INFORMATION_CLASS
type MEMORY_WORKING_SET_BLOCK (line 106) | typedef struct _MEMORY_WORKING_SET_BLOCK
type MEMORY_WORKING_SET_INFORMATION (line 119) | typedef struct _MEMORY_WORKING_SET_INFORMATION
type MEMORY_REGION_INFORMATION (line 126) | typedef struct _MEMORY_REGION_INFORMATION
type MEMORY_WORKING_SET_EX_LOCATION (line 153) | typedef enum _MEMORY_WORKING_SET_EX_LOCATION
type MEMORY_WORKING_SET_EX_BLOCK (line 162) | typedef struct _MEMORY_WORKING_SET_EX_BLOCK
type MEMORY_WORKING_SET_EX_INFORMATION (line 205) | typedef struct _MEMORY_WORKING_SET_EX_INFORMATION
type MEMORY_SHARED_COMMIT_INFORMATION (line 216) | typedef struct _MEMORY_SHARED_COMMIT_INFORMATION
type MEMORY_IMAGE_INFORMATION (line 222) | typedef struct _MEMORY_IMAGE_INFORMATION
type MEMORY_ENCLAVE_IMAGE_INFORMATION (line 240) | typedef struct _MEMORY_ENCLAVE_IMAGE_INFORMATION
type MEMORY_FRAME_INFORMATION (line 298) | typedef struct _MEMORY_FRAME_INFORMATION
type FILEOFFSET_INFORMATION (line 310) | typedef struct _FILEOFFSET_INFORMATION
type PAGEDIR_INFORMATION (line 318) | typedef struct _PAGEDIR_INFORMATION
type UNIQUE_PROCESS_INFORMATION (line 326) | typedef struct _UNIQUE_PROCESS_INFORMATION
type MMPFN_IDENTITY (line 334) | typedef struct _MMPFN_IDENTITY
type MMPFN_MEMSNAP_INFORMATION (line 362) | typedef struct _MMPFN_MEMSNAP_INFORMATION
type SECTION_INFORMATION_CLASS (line 368) | typedef enum _SECTION_INFORMATION_CLASS
type SECTION_BASIC_INFORMATION (line 378) | typedef struct _SECTION_BASIC_INFORMATION
type SECTION_IMAGE_INFORMATION (line 386) | typedef struct _SECTION_IMAGE_INFORMATION
type SECTION_INTERNAL_IMAGE_INFORMATION (line 435) | typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION
type SECTION_INHERIT (line 450) | typedef enum _SECTION_INHERIT
type VIRTUAL_MEMORY_INFORMATION_CLASS (line 544) | typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS
type MEMORY_RANGE_ENTRY (line 553) | typedef struct _MEMORY_RANGE_ENTRY
type CFG_CALL_TARGET_LIST_INFORMATION (line 559) | typedef struct _CFG_CALL_TARGET_LIST_INFORMATION
type MEMORY_PARTITION_INFORMATION_CLASS (line 732) | typedef enum _MEMORY_PARTITION_INFORMATION_CLASS
type MEMORY_PARTITION_CONFIGURATION_INFORMATION (line 744) | typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION
type MEMORY_PARTITION_TRANSFER_INFORMATION (line 767) | typedef struct _MEMORY_PARTITION_TRANSFER_INFORMATION
type MEMORY_PARTITION_PAGEFILE_INFORMATION (line 775) | typedef struct _MEMORY_PARTITION_PAGEFILE_INFORMATION
type MEMORY_PARTITION_PAGE_COMBINE_INFORMATION (line 784) | typedef struct _MEMORY_PARTITION_PAGE_COMBINE_INFORMATION
type MEMORY_PARTITION_PAGE_RANGE (line 792) | typedef struct _MEMORY_PARTITION_PAGE_RANGE
type MEMORY_PARTITION_INITIAL_ADD_INFORMATION (line 799) | typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION
type MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION (line 808) | typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntnls.h
type CPTABLEINFO (line 17) | typedef struct _CPTABLEINFO
type NLSTABLEINFO (line 33) | typedef struct _NLSTABLEINFO
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntobapi.h
type OBJECT_INFORMATION_CLASS (line 40) | typedef enum _OBJECT_INFORMATION_CLASS
type OBJECT_BASIC_INFORMATION (line 60) | typedef struct _OBJECT_BASIC_INFORMATION
type OBJECT_NAME_INFORMATION (line 76) | typedef struct _OBJECT_NAME_INFORMATION
type OBJECT_TYPE_INFORMATION (line 82) | typedef struct _OBJECT_TYPE_INFORMATION
type OBJECT_TYPES_INFORMATION (line 109) | typedef struct _OBJECT_TYPES_INFORMATION
type OBJECT_HANDLE_FLAG_INFORMATION (line 114) | typedef struct _OBJECT_HANDLE_FLAG_INFORMATION
type OBJECT_DIRECTORY_INFORMATION (line 293) | typedef struct _OBJECT_DIRECTORY_INFORMATION
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntpebteb.h
type _RTL_USER_PROCESS_PARAMETERS (line 15) | struct _RTL_USER_PROCESS_PARAMETERS
type _RTL_CRITICAL_SECTION (line 16) | struct _RTL_CRITICAL_SECTION
type ACTIVATION_CONTEXT_STACK (line 19) | typedef struct _ACTIVATION_CONTEXT_STACK
type API_SET_NAMESPACE (line 29) | typedef struct _API_SET_NAMESPACE
type API_SET_HASH_ENTRY (line 41) | typedef struct _API_SET_HASH_ENTRY
type API_SET_NAMESPACE_ENTRY (line 48) | typedef struct _API_SET_NAMESPACE_ENTRY
type API_SET_VALUE_ENTRY (line 59) | typedef struct _API_SET_VALUE_ENTRY
type PEB (line 69) | typedef struct _PEB
type GDI_TEB_BATCH (line 245) | typedef struct _GDI_TEB_BATCH
type TEB_ACTIVE_FRAME_CONTEXT (line 252) | typedef struct _TEB_ACTIVE_FRAME_CONTEXT
type TEB_ACTIVE_FRAME (line 258) | typedef struct _TEB_ACTIVE_FRAME
type TEB (line 265) | typedef struct _TEB
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntpfapi.h
type PF_BOOT_PHASE_ID (line 19) | typedef enum _PF_BOOT_PHASE_ID
type PF_ENABLE_STATUS (line 33) | typedef enum _PF_ENABLE_STATUS
type PF_TRACE_LIMITS (line 41) | typedef struct _PF_TRACE_LIMITS
type PF_SYSTEM_PREFETCH_PARAMETERS (line 48) | typedef struct _PF_SYSTEM_PREFETCH_PARAMETERS
type PF_BOOT_CONTROL (line 60) | typedef struct _PF_BOOT_CONTROL
type PREFETCHER_INFORMATION_CLASS (line 66) | typedef enum _PREFETCHER_INFORMATION_CLASS
type PREFETCHER_INFORMATION (line 78) | typedef struct _PREFETCHER_INFORMATION
type PF_SYSTEM_SUPERFETCH_PARAMETERS (line 89) | typedef struct _PF_SYSTEM_SUPERFETCH_PARAMETERS
type PF_PFN_PRIO_REQUEST (line 103) | typedef struct _PF_PFN_PRIO_REQUEST
type PFS_PRIVATE_PAGE_SOURCE_TYPE (line 112) | typedef enum _PFS_PRIVATE_PAGE_SOURCE_TYPE
type PFS_PRIVATE_PAGE_SOURCE (line 120) | typedef struct _PFS_PRIVATE_PAGE_SOURCE
type PF_PRIVSOURCE_INFO (line 132) | typedef struct _PF_PRIVSOURCE_INFO
type PF_PRIVSOURCE_QUERY_REQUEST (line 156) | typedef struct _PF_PRIVSOURCE_QUERY_REQUEST
type PF_PHASED_SCENARIO_TYPE (line 164) | typedef enum _PF_PHASED_SCENARIO_TYPE
type PF_SCENARIO_PHASE_INFO (line 175) | typedef struct _PF_SCENARIO_PHASE_INFO
type PF_MEMORY_LIST_NODE (line 185) | typedef struct _PF_MEMORY_LIST_NODE
type PF_MEMORY_LIST_INFO (line 198) | typedef struct _PF_MEMORY_LIST_INFO
type PF_PHYSICAL_MEMORY_RANGE (line 206) | typedef struct _PF_PHYSICAL_MEMORY_RANGE
type PF_PHYSICAL_MEMORY_RANGE_INFO_V1 (line 214) | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V1
type PF_PHYSICAL_MEMORY_RANGE_INFO_V2 (line 223) | typedef struct _PF_PHYSICAL_MEMORY_RANGE_INFO_V2
type PF_REPURPOSED_BY_PREFETCH_INFO (line 235) | typedef struct _PF_REPURPOSED_BY_PREFETCH_INFO
type SUPERFETCH_INFORMATION_CLASS (line 243) | typedef enum _SUPERFETCH_INFORMATION_CLASS
type SUPERFETCH_INFORMATION (line 271) | typedef struct _SUPERFETCH_INFORMATION
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntpnpapi.h
type PLUGPLAY_EVENT_CATEGORY (line 15) | typedef enum _PLUGPLAY_EVENT_CATEGORY
type PLUGPLAY_EVENT_BLOCK (line 30) | typedef struct _PLUGPLAY_EVENT_BLOCK
type PLUGPLAY_CONTROL_CLASS (line 84) | typedef enum _PLUGPLAY_CONTROL_CLASS
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntpoapi.h
type POWER_STATE (line 15) | typedef union _POWER_STATE
type POWER_STATE_TYPE (line 21) | typedef enum _POWER_STATE_TYPE
type SYSTEM_POWER_STATE_CONTEXT (line 29) | typedef struct _SYSTEM_POWER_STATE_CONTEXT
type COUNTED_REASON_CONTEXT (line 51) | typedef struct _COUNTED_REASON_CONTEXT
type POWER_STATE_HANDLER_TYPE (line 70) | typedef enum _POWER_STATE_HANDLER_TYPE
type POWER_STATE_HANDLER (line 94) | typedef struct _POWER_STATE_HANDLER
type POWER_STATE_NOTIFY_HANDLER (line 109) | typedef struct _POWER_STATE_NOTIFY_HANDLER
type PROCESSOR_POWER_INFORMATION (line 115) | typedef struct _PROCESSOR_POWER_INFORMATION
type SYSTEM_POWER_INFORMATION (line 125) | typedef struct _SYSTEM_POWER_INFORMATION
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntpsapi.h
type ULONG (line 64) | typedef ULONG GDI_HANDLE_BUFFER[GDI_HANDLE_BUFFER_SIZE];
type ULONG (line 66) | typedef ULONG GDI_HANDLE_BUFFER32[GDI_HANDLE_BUFFER_SIZE32];
type ULONG (line 67) | typedef ULONG GDI_HANDLE_BUFFER64[GDI_HANDLE_BUFFER_SIZE64];
type PEB_LDR_DATA (line 74) | typedef struct _PEB_LDR_DATA
type INITIAL_TEB (line 87) | typedef struct _INITIAL_TEB
type WOW64_PROCESS (line 99) | typedef struct _WOW64_PROCESS
type PROCESSINFOCLASS (line 107) | typedef enum _PROCESSINFOCLASS
type THREADINFOCLASS (line 214) | typedef enum _THREADINFOCLASS
type PAGE_PRIORITY_INFORMATION (line 273) | typedef struct _PAGE_PRIORITY_INFORMATION
type PROCESS_BASIC_INFORMATION (line 283) | typedef struct _PROCESS_BASIC_INFORMATION
type PROCESS_EXTENDED_BASIC_INFORMATION (line 293) | typedef struct _PROCESS_EXTENDED_BASIC_INFORMATION
type VM_COUNTERS (line 316) | typedef struct _VM_COUNTERS
type VM_COUNTERS_EX (line 331) | typedef struct _VM_COUNTERS_EX
type VM_COUNTERS_EX2 (line 348) | typedef struct _VM_COUNTERS_EX2
type KERNEL_USER_TIMES (line 355) | typedef struct _KERNEL_USER_TIMES
type POOLED_USAGE_AND_LIMITS (line 363) | typedef struct _POOLED_USAGE_AND_LIMITS
type PROCESS_EXCEPTION_PORT (line 379) | typedef struct _PROCESS_EXCEPTION_PORT
type PROCESS_ACCESS_TOKEN (line 385) | typedef struct _PROCESS_ACCESS_TOKEN
type PROCESS_LDT_INFORMATION (line 391) | typedef struct _PROCESS_LDT_INFORMATION
type PROCESS_LDT_SIZE (line 398) | typedef struct _PROCESS_LDT_SIZE
type PROCESS_WS_WATCH_INFORMATION (line 403) | typedef struct _PROCESS_WS_WATCH_INFORMATION
type PROCESS_WS_WATCH_INFORMATION_EX (line 412) | typedef struct _PROCESS_WS_WATCH_INFORMATION_EX
type PROCESS_PRIORITY_CLASS (line 427) | typedef struct _PROCESS_PRIORITY_CLASS
type PROCESS_FOREGROUND_BACKGROUND (line 433) | typedef struct _PROCESS_FOREGROUND_BACKGROUND
type PROCESS_DEVICEMAP_INFORMATION (line 440) | typedef struct _PROCESS_DEVICEMAP_INFORMATION
type PROCESS_DEVICEMAP_INFORMATION_EX (line 458) | typedef struct _PROCESS_DEVICEMAP_INFORMATION_EX
type PROCESS_SESSION_INFORMATION (line 475) | typedef struct _PROCESS_SESSION_INFORMATION
type PROCESS_HANDLE_TRACING_ENABLE (line 485) | typedef struct _PROCESS_HANDLE_TRACING_ENABLE
type PROCESS_HANDLE_TRACING_ENABLE_EX (line 492) | typedef struct _PROCESS_HANDLE_TRACING_ENABLE_EX
type PROCESS_HANDLE_TRACING_ENTRY (line 504) | typedef struct _PROCESS_HANDLE_TRACING_ENTRY
type PROCESS_HANDLE_TRACING_QUERY (line 512) | typedef struct _PROCESS_HANDLE_TRACING_QUERY
type THREAD_TLS_INFORMATION (line 522) | typedef struct _THREAD_TLS_INFORMATION
type PROCESS_TLS_INFORMATION_TYPE (line 531) | typedef enum _PROCESS_TLS_INFORMATION_TYPE
type PROCESS_TLS_INFORMATION (line 539) | typedef struct _PROCESS_TLS_INFORMATION
type PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION (line 550) | typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION
type PROCESS_STACK_ALLOCATION_INFORMATION (line 558) | typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION
type PROCESS_STACK_ALLOCATION_INFORMATION_EX (line 566) | typedef struct _PROCESS_STACK_ALLOCATION_INFORMATION_EX
type PROCESS_AFFINITY_UPDATE_MODE (line 576) | typedef union _PROCESS_AFFINITY_UPDATE_MODE
type PROCESS_MEMORY_ALLOCATION_MODE (line 588) | typedef union _PROCESS_MEMORY_ALLOCATION_MODE
type PROCESS_HANDLE_INFORMATION (line 599) | typedef struct _PROCESS_HANDLE_INFORMATION
type PROCESS_CYCLE_TIME_INFORMATION (line 606) | typedef struct _PROCESS_CYCLE_TIME_INFORMATION
type PROCESS_WINDOW_INFORMATION (line 613) | typedef struct _PROCESS_WINDOW_INFORMATION
type PROCESS_HANDLE_TABLE_ENTRY_INFO (line 621) | typedef struct _PROCESS_HANDLE_TABLE_ENTRY_INFO
type PROCESS_HANDLE_SNAPSHOT_INFORMATION (line 633) | typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION
type PROCESS_MITIGATION_POLICY_INFORMATION (line 643) | typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
type PROCESS_KEEPALIVE_COUNT_INFORMATION (line 664) | typedef struct _PROCESS_KEEPALIVE_COUNT_INFORMATION
type PROCESS_REVOKE_FILE_HANDLES_INFORMATION (line 670) | typedef struct _PROCESS_REVOKE_FILE_HANDLES_INFORMATION
type PROCESS_WORKING_SET_OPERATION (line 677) | typedef enum _PROCESS_WORKING_SET_OPERATION
type PROCESS_WORKING_SET_CONTROL (line 684) | typedef struct _PROCESS_WORKING_SET_CONTROL
type PS_PROTECTED_TYPE (line 691) | typedef enum _PS_PROTECTED_TYPE
type PS_PROTECTED_SIGNER (line 699) | typedef enum _PS_PROTECTED_SIGNER
type PS_PROTECTION (line 731) | typedef struct _PS_PROTECTION
type PROCESS_FAULT_INFORMATION (line 745) | typedef struct _PROCESS_FAULT_INFORMATION
type PROCESS_TELEMETRY_ID_INFORMATION (line 751) | typedef struct _PROCESS_TELEMETRY_ID_INFORMATION
type PROCESS_COMMIT_RELEASE_INFORMATION (line 772) | typedef struct _PROCESS_COMMIT_RELEASE_INFORMATION
type PROCESS_JOB_MEMORY_INFO (line 787) | typedef struct _PROCESS_JOB_MEMORY_INFO
type PROCESS_CHILD_PROCESS_INFORMATION (line 796) | typedef struct _PROCESS_CHILD_PROCESS_INFORMATION
type PROCESS_WAKE_INFORMATION (line 804) | typedef struct _PROCESS_WAKE_INFORMATION
type PROCESS_ENERGY_TRACKING_STATE (line 811) | typedef struct _PROCESS_ENERGY_TRACKING_STATE
type MANAGE_WRITES_TO_EXECUTABLE_MEMORY (line 820) | typedef struct _MANAGE_WRITES_TO_EXECUTABLE_MEMORY
type PROCESS_READWRITEVM_LOGGING_INFORMATION (line 834) | typedef union _PROCESS_READWRITEVM_LOGGING_INFORMATION
type PROCESS_UPTIME_INFORMATION (line 845) | typedef struct _PROCESS_UPTIME_INFORMATION
type PROCESS_SYSTEM_RESOURCE_MANAGEMENT (line 862) | typedef union _PROCESS_SYSTEM_RESOURCE_MANAGEMENT
type PROCESS_SECURITY_DOMAIN_INFORMATION (line 873) | typedef struct _PROCESS_SECURITY_DOMAIN_INFORMATION
type PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION (line 879) | typedef struct _PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
type PROCESS_LOGGING_INFORMATION (line 885) | typedef struct _PROCESS_LOGGING_INFORMATION
type PROCESS_LEAP_SECOND_INFORMATION (line 899) | typedef struct _PROCESS_LEAP_SECOND_INFORMATION
type PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION (line 906) | typedef struct _PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
type PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION (line 916) | typedef struct _PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
type THREAD_BASIC_INFORMATION (line 927) | typedef struct _THREAD_BASIC_INFORMATION
type THREAD_LAST_SYSCALL_INFORMATION (line 938) | typedef struct _THREAD_LAST_SYSCALL_INFORMATION
type THREAD_CYCLE_TIME_INFORMATION (line 951) | typedef struct _THREAD_CYCLE_TIME_INFORMATION
type THREAD_TEB_INFORMATION (line 958) | typedef struct _THREAD_TEB_INFORMATION
type COUNTER_READING (line 966) | typedef struct _COUNTER_READING
type THREAD_PERFORMANCE_DATA (line 975) | typedef struct _THREAD_PERFORMANCE_DATA
type THREAD_PROFILING_INFORMATION (line 990) | typedef struct _THREAD_PROFILING_INFORMATION
type RTL_UMS_CONTEXT (line 999) | typedef struct _RTL_UMS_CONTEXT
type THREAD_UMS_INFORMATION_COMMAND (line 1024) | typedef enum _THREAD_UMS_INFORMATION_COMMAND
type RTL_UMS_COMPLETION_LIST (line 1033) | typedef struct _RTL_UMS_COMPLETION_LIST
type THREAD_UMS_INFORMATION (line 1042) | typedef struct _THREAD_UMS_INFORMATION
type THREAD_NAME_INFORMATION (line 1060) | typedef struct _THREAD_NAME_INFORMATION
type SUBSYSTEM_INFORMATION_TYPE (line 1067) | typedef enum _SUBSYSTEM_INFORMATION_TYPE
type THREAD_WORKLOAD_CLASS (line 1076) | typedef enum _THREAD_WORKLOAD_CLASS
type VOID (line 1375) | typedef VOID (*PPS_APC_ROUTINE)(
type PS_ATTRIBUTE_NUM (line 1445) | typedef enum _PS_ATTRIBUTE_NUM
type PS_ATTRIBUTE (line 1542) | typedef struct _PS_ATTRIBUTE
type PS_ATTRIBUTE_LIST (line 1554) | typedef struct _PS_ATTRIBUTE_LIST
type PS_MEMORY_RESERVE (line 1560) | typedef struct _PS_MEMORY_RESERVE
type PS_STD_HANDLE_STATE (line 1566) | typedef enum _PS_STD_HANDLE_STATE
type PS_STD_HANDLE_INFO (line 1580) | typedef struct _PS_STD_HANDLE_INFO
type PS_BNO_ISOLATION_PARAMETERS (line 1595) | typedef struct _PS_BNO_ISOLATION_PARAMETERS
type PS_MITIGATION_OPTION (line 1604) | typedef enum _PS_MITIGATION_OPTION
type PS_CREATE_STATE (line 1641) | typedef enum _PS_CREATE_STATE
type PS_CREATE_INFO (line 1653) | typedef struct _PS_CREATE_INFO
type JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION (line 1850) | typedef struct _JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION
type JOBOBJECT_WAKE_INFORMATION (line 1862) | typedef struct _JOBOBJECT_WAKE_INFORMATION
type JOBOBJECT_WAKE_INFORMATION_V1 (line 1869) | typedef struct _JOBOBJECT_WAKE_INFORMATION_V1
type JOBOBJECT_INTERFERENCE_INFORMATION (line 1876) | typedef struct _JOBOBJECT_INTERFERENCE_INFORMATION
type JOBOBJECT_WAKE_FILTER (line 1882) | typedef struct _JOBOBJECT_WAKE_FILTER
type JOBOBJECT_FREEZE_INFORMATION (line 1889) | typedef struct _JOBOBJECT_FREEZE_INFORMATION
type JOBOBJECT_MEMORY_USAGE_INFORMATION (line 1909) | typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION
type JOBOBJECT_MEMORY_USAGE_INFORMATION_V2 (line 1916) | typedef struct _JOBOBJECT_MEMORY_USAGE_INFORMATION_V2
type SILO_USER_SHARED_DATA (line 1924) | typedef struct _SILO_USER_SHARED_DATA
type SILOOBJECT_ROOT_DIRECTORY (line 1938) | typedef struct _SILOOBJECT_ROOT_DIRECTORY
type JOBOBJECT_ENERGY_TRACKING_STATE (line 1945) | typedef struct _JOBOBJECT_ENERGY_TRACKING_STATE
type MEMORY_RESERVE_TYPE (line 2040) | typedef enum _MEMORY_RESERVE_TYPE
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntregapi.h
type KEY_INFORMATION_CLASS (line 25) | typedef enum _KEY_INFORMATION_CLASS
type KEY_BASIC_INFORMATION (line 40) | typedef struct _KEY_BASIC_INFORMATION
type KEY_NODE_INFORMATION (line 48) | typedef struct _KEY_NODE_INFORMATION
type KEY_FULL_INFORMATION (line 60) | typedef struct _KEY_FULL_INFORMATION
type KEY_NAME_INFORMATION (line 75) | typedef struct _KEY_NAME_INFORMATION
type KEY_CACHED_INFORMATION (line 81) | typedef struct _KEY_CACHED_INFORMATION
type KEY_FLAGS_INFORMATION (line 94) | typedef struct _KEY_FLAGS_INFORMATION
type KEY_VIRTUALIZATION_INFORMATION (line 99) | typedef struct _KEY_VIRTUALIZATION_INFORMATION
type KEY_TRUST_INFORMATION (line 110) | typedef struct _KEY_TRUST_INFORMATION
type KEY_LAYER_INFORMATION (line 117) | typedef struct _KEY_LAYER_INFORMATION
type KEY_SET_INFORMATION_CLASS (line 126) | typedef enum _KEY_SET_INFORMATION_CLASS
type KEY_WRITE_TIME_INFORMATION (line 138) | typedef struct _KEY_WRITE_TIME_INFORMATION
type KEY_WOW64_FLAGS_INFORMATION (line 143) | typedef struct _KEY_WOW64_FLAGS_INFORMATION
type KEY_HANDLE_TAGS_INFORMATION (line 148) | typedef struct _KEY_HANDLE_TAGS_INFORMATION
type KEY_SET_LAYER_INFORMATION (line 153) | typedef struct _KEY_SET_LAYER_INFORMATION
type KEY_CONTROL_FLAGS_INFORMATION (line 162) | typedef struct _KEY_CONTROL_FLAGS_INFORMATION
type KEY_SET_VIRTUALIZATION_INFORMATION (line 167) | typedef struct _KEY_SET_VIRTUALIZATION_INFORMATION
type KEY_VALUE_INFORMATION_CLASS (line 175) | typedef enum _KEY_VALUE_INFORMATION_CLASS
type KEY_VALUE_BASIC_INFORMATION (line 186) | typedef struct _KEY_VALUE_BASIC_INFORMATION
type KEY_VALUE_FULL_INFORMATION (line 194) | typedef struct _KEY_VALUE_FULL_INFORMATION
type KEY_VALUE_PARTIAL_INFORMATION (line 206) | typedef struct _KEY_VALUE_PARTIAL_INFORMATION
type KEY_VALUE_PARTIAL_INFORMATION_ALIGN64 (line 214) | typedef struct _KEY_VALUE_PARTIAL_INFORMATION_ALIGN64
type KEY_VALUE_LAYER_INFORMATION (line 222) | typedef struct _KEY_VALUE_LAYER_INFORMATION
type KEY_VALUE_ENTRY (line 228) | typedef struct _KEY_VALUE_ENTRY
type REG_ACTION (line 236) | typedef enum _REG_ACTION
type REG_NOTIFY_INFORMATION (line 243) | typedef struct _REG_NOTIFY_INFORMATION
type KEY_PID_ARRAY (line 251) | typedef struct _KEY_PID_ARRAY
type KEY_OPEN_SUBKEYS_INFORMATION (line 257) | typedef struct _KEY_OPEN_SUBKEYS_INFORMATION
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntrtl.h
function FORCEINLINE (line 20) | FORCEINLINE VOID InitializeListHead(
function BOOLEAN (line 27) | BOOLEAN IsListEmpty(
function FORCEINLINE (line 34) | FORCEINLINE BOOLEAN RemoveEntryList(
function FORCEINLINE (line 49) | FORCEINLINE PLIST_ENTRY RemoveHeadList(
function FORCEINLINE (line 64) | FORCEINLINE PLIST_ENTRY RemoveTailList(
function FORCEINLINE (line 79) | FORCEINLINE VOID InsertTailList(
function FORCEINLINE (line 93) | FORCEINLINE VOID InsertHeadList(
function FORCEINLINE (line 107) | FORCEINLINE VOID AppendTailList(
function FORCEINLINE (line 120) | FORCEINLINE PSINGLE_LIST_ENTRY PopEntryList(
function FORCEINLINE (line 134) | FORCEINLINE VOID PushEntryList(
type TABLE_SEARCH_RESULT (line 145) | typedef enum _TABLE_SEARCH_RESULT
type RTL_GENERIC_COMPARE_RESULTS (line 153) | typedef enum _RTL_GENERIC_COMPARE_RESULTS
type RTL_BALANCED_LINKS (line 182) | typedef struct _RTL_BALANCED_LINKS
type RTL_AVL_TABLE (line 191) | typedef struct _RTL_AVL_TABLE
type RTL_SPLAY_LINKS (line 332) | typedef struct _RTL_SPLAY_LINKS
type _RTL_GENERIC_TABLE (line 429) | struct _RTL_GENERIC_TABLE
type RTL_GENERIC_TABLE (line 447) | typedef struct _RTL_GENERIC_TABLE
type RTL_RB_TREE (line 564) | typedef struct _RTL_RB_TREE
type RTL_DYNAMIC_HASH_TABLE_ENTRY (line 601) | typedef struct _RTL_DYNAMIC_HASH_TABLE_ENTRY
type RTL_DYNAMIC_HASH_TABLE_CONTEXT (line 609) | typedef struct _RTL_DYNAMIC_HASH_TABLE_CONTEXT
type RTL_DYNAMIC_HASH_TABLE_ENUMERATOR (line 616) | typedef struct _RTL_DYNAMIC_HASH_TABLE_ENUMERATOR
type RTL_DYNAMIC_HASH_TABLE (line 623) | typedef struct _RTL_DYNAMIC_HASH_TABLE
function FORCEINLINE (line 645) | FORCEINLINE
function FORCEINLINE (line 655) | FORCEINLINE
function FORCEINLINE (line 666) | FORCEINLINE
function FORCEINLINE (line 676) | FORCEINLINE
function FORCEINLINE (line 685) | FORCEINLINE
function FORCEINLINE (line 694) | FORCEINLINE
function FORCEINLINE (line 703) | FORCEINLINE
function FORCEINLINE (line 712) | FORCEINLINE
type RTL_RESOURCE (line 966) | typedef struct _RTL_RESOURCE
function FORCEINLINE (line 1240) | FORCEINLINE VOID RtlInitString(
function FORCEINLINE (line 1273) | FORCEINLINE VOID RtlInitAnsiString(
function FORCEINLINE (line 1388) | FORCEINLINE
function NTAPI (line 1399) | NTAPI
function FORCEINLINE (line 1412) | FORCEINLINE VOID RtlInitUnicodeString(
type RTL_NORM_FORM (line 1915) | typedef enum _RTL_NORM_FORM
type PREFIX_TABLE_ENTRY (line 2084) | typedef struct _PREFIX_TABLE_ENTRY
type PREFIX_TABLE (line 2093) | typedef struct _PREFIX_TABLE
type UNICODE_PREFIX_TABLE_ENTRY (line 2132) | typedef struct _UNICODE_PREFIX_TABLE_ENTRY
type UNICODE_PREFIX_TABLE (line 2142) | typedef struct _UNICODE_PREFIX_TABLE
type COMPRESSED_DATA_INFO (line 2193) | typedef struct _COMPRESSED_DATA_INFO
type CURDIR (line 2472) | typedef struct _CURDIR
type RTL_DRIVE_LETTER_CURDIR (line 2481) | typedef struct _RTL_DRIVE_LETTER_CURDIR
type RTL_USER_PROCESS_PARAMETERS (line 2492) | typedef struct _RTL_USER_PROCESS_PARAMETERS
type RTL_USER_PROCESS_INFORMATION (line 2610) | typedef struct _RTL_USER_PROCESS_INFORMATION
function VOID (line 2660) | VOID RtlExitUserProcess_R(
type RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION (line 2707) | typedef struct _RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION
function VOID (line 2819) | VOID RtlExitUserThread_R(
type CONTEXT_CHUNK (line 2867) | typedef struct _CONTEXT_CHUNK
type CONTEXT_EX (line 2873) | typedef struct _CONTEXT_EX
type FUNCTION_TABLE_TYPE (line 3065) | typedef enum _FUNCTION_TABLE_TYPE
type DYNAMIC_FUNCTION_TABLE (line 3074) | typedef struct _DYNAMIC_FUNCTION_TABLE
type RTLP_CURDIR_REF (line 3349) | typedef struct _RTLP_CURDIR_REF
type RTL_RELATIVE_NAME_U (line 3355) | typedef struct _RTL_RELATIVE_NAME_U
type RTL_PATH_TYPE (line 3362) | typedef enum _RTL_PATH_TYPE
type GENERATE_NAME_CONTEXT (line 3617) | typedef struct _GENERATE_NAME_CONTEXT
type RTL_HEAP_ENTRY (line 3713) | typedef struct _RTL_HEAP_ENTRY
type RTL_HEAP_TAG (line 3743) | typedef struct _RTL_HEAP_TAG
type RTL_HEAP_INFORMATION (line 3753) | typedef struct _RTL_HEAP_INFORMATION
type RTL_PROCESS_HEAPS (line 3770) | typedef struct _RTL_PROCESS_HEAPS
type RTL_HEAP_PARAMETERS (line 3782) | typedef struct _RTL_HEAP_PARAMETERS
type RTL_HEAP_TAG_INFO (line 3934) | typedef struct _RTL_HEAP_TAG_INFO
type RTL_HEAP_USAGE_ENTRY (line 4019) | typedef struct _RTL_HEAP_USAGE_ENTRY
type RTL_HEAP_USAGE (line 4028) | typedef struct _RTL_HEAP_USAGE
type RTL_HEAP_WALK_ENTRY (line 4053) | typedef struct _RTL_HEAP_WALK_ENTRY
type HEAP_COMPATIBILITY_MODE (line 4098) | typedef enum _HEAP_COMPATIBILITY_MODE
type PROCESS_HEAP_INFORMATION (line 4105) | typedef struct _PROCESS_HEAP_INFORMATION
type HEAP_INFORMATION (line 4113) | typedef struct _HEAP_INFORMATION
type HEAP_EXTENDED_INFORMATION (line 4123) | typedef struct _HEAP_EXTENDED_INFORMATION
type HEAP_DEBUGGING_INFORMATION (line 4148) | typedef struct _HEAP_DEBUGGING_INFORMATION
type RTL_MEMORY_ZONE_SEGMENT (line 4221) | typedef struct _RTL_MEMORY_ZONE_SEGMENT
type RTL_MEMORY_ZONE (line 4229) | typedef struct _RTL_MEMORY_ZONE
function FORCEINLINE (line 4387) | FORCEINLINE BOOLEAN RtlIsEqualLuid( // RtlEqualLuid
function FORCEINLINE (line 4396) | FORCEINLINE BOOLEAN RtlIsZeroLuid(
function FORCEINLINE (line 4403) | FORCEINLINE LUID RtlConvertLongToLuid(
function FORCEINLINE (line 4417) | FORCEINLINE LUID RtlConvertUlongToLuid(
type RTL_PROCESS_VERIFIER_OPTIONS (line 4479) | typedef struct _RTL_PROCESS_VERIFIER_OPTIONS
type RTL_DEBUG_INFORMATION (line 4487) | typedef struct _RTL_DEBUG_INFORMATION
type PARSE_MESSAGE_CONTEXT (line 4606) | typedef struct _PARSE_MESSAGE_CONTEXT
type in_addr (line 4888) | struct in_addr
type in6_addr (line 4889) | struct in6_addr
type TIME_FIELDS (line 4978) | typedef struct _TIME_FIELDS
type RTL_TIME_ZONE_INFORMATION (line 5074) | typedef struct _RTL_TIME_ZONE_INFORMATION
type RTL_BITMAP (line 5101) | typedef struct _RTL_BITMAP
type RTL_BITMAP_RUN (line 5233) | typedef struct _RTL_BITMAP_RUN
function BOOLEAN (line 5267) | BOOLEAN
type RTL_BITMAP_EX (line 5412) | typedef struct _RTL_BITMAP_EX
type RTL_HANDLE_TABLE_ENTRY (line 5489) | typedef struct _RTL_HANDLE_TABLE_ENTRY
type RTL_HANDLE_TABLE (line 5500) | typedef struct _RTL_HANDLE_TABLE
type RTL_QUERY_REGISTRY_TABLE (line 6917) | typedef struct _RTL_QUERY_REGISTRY_TABLE
type RTL_ELEVATION_FLAGS (line 7233) | typedef union _RTL_ELEVATION_FLAGS
type RTL_UNLOAD_EVENT_TRACE (line 7322) | typedef struct _RTL_UNLOAD_EVENT_TRACE
type RTL_UNLOAD_EVENT_TRACE32 (line 7333) | typedef struct _RTL_UNLOAD_EVENT_TRACE32
type IMAGE_MITIGATION_POLICY (line 7387) | typedef enum _IMAGE_MITIGATION_POLICY
type RTL_IMAGE_MITIGATION_POLICY (line 7408) | typedef union _RTL_IMAGE_MITIGATION_POLICY
type RTL_IMAGE_MITIGATION_DEP_POLICY (line 7427) | typedef struct _RTL_IMAGE_MITIGATION_DEP_POLICY
type RTL_IMAGE_MITIGATION_ASLR_POLICY (line 7433) | typedef struct _RTL_IMAGE_MITIGATION_ASLR_POLICY
type RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY (line 7441) | typedef struct _RTL_IMAGE_MITIGATION_DYNAMIC_CODE_POLICY
type RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY (line 7447) | typedef struct _RTL_IMAGE_MITIGATION_STRICT_HANDLE_CHECK_POLICY
type RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY (line 7453) | typedef struct _RTL_IMAGE_MITIGATION_SYSTEM_CALL_DISABLE_POLICY
type RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY (line 7459) | typedef struct _RTL_IMAGE_MITIGATION_EXTENSION_POINT_DISABLE_POLICY
type RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY (line 7465) | typedef struct _RTL_IMAGE_MITIGATION_CONTROL_FLOW_GUARD_POLICY
type RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY (line 7472) | typedef struct _RTL_IMAGE_MITIGATION_BINARY_SIGNATURE_POLICY
type RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY (line 7479) | typedef struct _RTL_IMAGE_MITIGATION_FONT_DISABLE_POLICY
type RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY (line 7485) | typedef struct _RTL_IMAGE_MITIGATION_IMAGE_LOAD_POLICY
type RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY (line 7493) | typedef struct _RTL_IMAGE_MITIGATION_PAYLOAD_RESTRICTION_POLICY
type RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY (line 7505) | typedef struct _RTL_IMAGE_MITIGATION_CHILD_PROCESS_POLICY
type RTL_IMAGE_MITIGATION_SEHOP_POLICY (line 7511) | typedef struct _RTL_IMAGE_MITIGATION_SEHOP_POLICY
type RTL_IMAGE_MITIGATION_HEAP_POLICY (line 7517) | typedef struct _RTL_IMAGE_MITIGATION_HEAP_POLICY
type RTL_IMAGE_MITIGATION_OPTION_STATE (line 7522) | typedef enum _RTL_IMAGE_MITIGATION_OPTION_STATE
type APPCONTAINER_SID_TYPE (line 7722) | typedef enum _APPCONTAINER_SID_TYPE
type STATE_LOCATION_TYPE (line 7755) | typedef enum _STATE_LOCATION_TYPE
type PS_PKG_CLAIM (line 7831) | typedef struct _PS_PKG_CLAIM
type RTL_BSD_ITEM_TYPE (line 7893) | typedef enum _RTL_BSD_ITEM_TYPE
type RTL_BSD_ITEM (line 7915) | typedef struct _RTL_BSD_ITEM
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntsam.h
type PVOID (line 20) | typedef PVOID SAM_HANDLE, *PSAM_HANDLE;
type ULONG (line 21) | typedef ULONG SAM_ENUMERATE_HANDLE, *PSAM_ENUMERATE_HANDLE;
type SAM_RID_ENUMERATION (line 23) | typedef struct _SAM_RID_ENUMERATION
type SAM_SID_ENUMERATION (line 29) | typedef struct _SAM_SID_ENUMERATION
type SAM_BYTE_ARRAY (line 35) | typedef struct _SAM_BYTE_ARRAY
type SAM_BYTE_ARRAY_32K (line 41) | typedef struct _SAM_BYTE_ARRAY_32K
type SAM_BYTE_ARRAY_32K (line 47) | typedef SAM_BYTE_ARRAY_32K SAM_SHELL_OBJECT_PROPERTIES, *PSAM_SHELL_OBJE...
type DOMAIN_INFORMATION_CLASS (line 187) | typedef enum _DOMAIN_INFORMATION_CLASS
type DOMAIN_SERVER_ENABLE_STATE (line 204) | typedef enum _DOMAIN_SERVER_ENABLE_STATE
type DOMAIN_SERVER_ROLE (line 210) | typedef enum _DOMAIN_SERVER_ROLE
type DOMAIN_GENERAL_INFORMATION (line 217) | typedef struct _DOMAIN_GENERAL_INFORMATION
type DOMAIN_GENERAL_INFORMATION2 (line 234) | typedef struct _DOMAIN_GENERAL_INFORMATION2
type DOMAIN_UAS_INFORMATION (line 243) | typedef struct _DOMAIN_UAS_INFORMATION
type DOMAIN_PASSWORD_INFORMATION (line 251) | typedef struct _DOMAIN_PASSWORD_INFORMATION
type DOMAIN_PASSWORD_CONSTRUCTION (line 272) | typedef enum _DOMAIN_PASSWORD_CONSTRUCTION
type DOMAIN_LOGOFF_INFORMATION (line 278) | typedef struct _DOMAIN_LOGOFF_INFORMATION
type DOMAIN_OEM_INFORMATION (line 283) | typedef struct _DOMAIN_OEM_INFORMATION
type DOMAIN_NAME_INFORMATION (line 288) | typedef struct _DOMAIN_NAME_INFORMATION
type DOMAIN_SERVER_ROLE_INFORMATION (line 293) | typedef struct _DOMAIN_SERVER_ROLE_INFORMATION
type DOMAIN_REPLICATION_INFORMATION (line 298) | typedef struct _DOMAIN_REPLICATION_INFORMATION
type DOMAIN_MODIFIED_INFORMATION (line 303) | typedef struct _DOMAIN_MODIFIED_INFORMATION
type DOMAIN_MODIFIED_INFORMATION2 (line 309) | typedef struct _DOMAIN_MODIFIED_INFORMATION2
type DOMAIN_STATE_INFORMATION (line 316) | typedef struct _DOMAIN_STATE_INFORMATION
type DOMAIN_LOCKOUT_INFORMATION (line 321) | typedef struct _DOMAIN_LOCKOUT_INFORMATION
type DOMAIN_DISPLAY_INFORMATION (line 330) | typedef enum _DOMAIN_DISPLAY_INFORMATION
type DOMAIN_DISPLAY_USER (line 340) | typedef struct _DOMAIN_DISPLAY_USER
type DOMAIN_DISPLAY_MACHINE (line 350) | typedef struct _DOMAIN_DISPLAY_MACHINE
type DOMAIN_DISPLAY_GROUP (line 359) | typedef struct _DOMAIN_DISPLAY_GROUP
type DOMAIN_DISPLAY_OEM_USER (line 368) | typedef struct _DOMAIN_DISPLAY_OEM_USER
type DOMAIN_DISPLAY_OEM_GROUP (line 374) | typedef struct _DOMAIN_DISPLAY_OEM_GROUP
type DOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION (line 382) | typedef enum _DOMAIN_LOCALIZABLE_ACCOUNTS_INFORMATION
type DOMAIN_LOCALIZABLE_ACCOUNT_ENTRY (line 387) | typedef struct _DOMAIN_LOCALIZABLE_ACCOUNTS_ENTRY
type DOMAIN_LOCALIZABLE_ACCOUNTS_BASIC (line 395) | typedef struct _DOMAIN_LOCALIZABLE_ACCOUNTS
type DOMAIN_LOCALIZABLE_ACCOUNTS_INFO_BUFFER (line 401) | typedef union _DOMAIN_LOCALIZABLE_INFO_BUFFER
type GROUP_MEMBERSHIP (line 523) | typedef struct _GROUP_MEMBERSHIP
type GROUP_INFORMATION_CLASS (line 531) | typedef enum _GROUP_INFORMATION_CLASS
type GROUP_GENERAL_INFORMATION (line 540) | typedef struct _GROUP_GENERAL_INFORMATION
type GROUP_NAME_INFORMATION (line 548) | typedef struct _GROUP_NAME_INFORMATION
type GROUP_ATTRIBUTE_INFORMATION (line 553) | typedef struct _GROUP_ATTRIBUTE_INFORMATION
type GROUP_ADM_COMMENT_INFORMATION (line 558) | typedef struct _GROUP_ADM_COMMENT_INFORMATION
type ALIAS_INFORMATION_CLASS (line 686) | typedef enum _ALIAS_INFORMATION_CLASS
type ALIAS_GENERAL_INFORMATION (line 695) | typedef struct _ALIAS_GENERAL_INFORMATION
type ALIAS_NAME_INFORMATION (line 702) | typedef struct _ALIAS_NAME_INFORMATION
type ALIAS_ADM_COMMENT_INFORMATION (line 707) | typedef struct _ALIAS_ADM_COMMENT_INFORMATION
type ALIAS_EXTENDED_INFORMATION (line 717) | typedef struct _ALIAS_EXTENDED_INFORMATION
type LOGON_HOURS (line 942) | typedef struct _LOGON_HOURS
type SR_SECURITY_DESCRIPTOR (line 961) | typedef struct _SR_SECURITY_DESCRIPTOR
type USER_INFORMATION_CLASS (line 969) | typedef enum _USER_INFORMATION_CLASS
type USER_GENERAL_INFORMATION (line 1002) | typedef struct _USER_GENERAL_INFORMATION
type USER_PREFERENCES_INFORMATION (line 1011) | typedef struct _USER_PREFERENCES_INFORMATION
type USER_LOGON_INFORMATION (line 1020) | typedef struct _USER_LOGON_INFORMATION
type USER_LOGON_HOURS_INFORMATION (line 1043) | typedef struct _USER_LOGON_HOURS_INFORMATION
type USER_ACCOUNT_INFORMATION (line 1049) | typedef struct _USER_ACCOUNT_INFORMATION
type USER_NAME_INFORMATION (line 1072) | typedef struct _USER_NAME_INFORMATION
type USER_ACCOUNT_NAME_INFORMATION (line 1078) | typedef struct _USER_ACCOUNT_NAME_INFORMATION
type USER_FULL_NAME_INFORMATION (line 1083) | typedef struct _USER_FULL_NAME_INFORMATION
type USER_PRIMARY_GROUP_INFORMATION (line 1088) | typedef struct _USER_PRIMARY_GROUP_INFORMATION
type USER_HOME_INFORMATION (line 1093) | typedef struct _USER_HOME_INFORMATION
type USER_SCRIPT_INFORMATION (line 1099) | typedef struct _USER_SCRIPT_INFORMATION
type USER_PROFILE_INFORMATION (line 1104) | typedef struct _USER_PROFILE_INFORMATION
type USER_ADMIN_COMMENT_INFORMATION (line 1109) | typedef struct _USER_ADMIN_COMMENT_INFORMATION
type USER_WORKSTATIONS_INFORMATION (line 1114) | typedef struct _USER_WORKSTATIONS_INFORMATION
type USER_SET_PASSWORD_INFORMATION (line 1119) | typedef struct _USER_SET_PASSWORD_INFORMATION
type USER_CONTROL_INFORMATION (line 1125) | typedef struct _USER_CONTROL_INFORMATION
type USER_EXPIRES_INFORMATION (line 1130) | typedef struct _USER_EXPIRES_INFORMATION
type USER_PARAMETERS_INFORMATION (line 1135) | typedef struct _USER_PARAMETERS_INFORMATION
type USER_ALL_INFORMATION (line 1281) | typedef struct _USER_ALL_INFORMATION
type SAM_BYTE_ARRAY_32K (line 1319) | typedef SAM_BYTE_ARRAY_32K SAM_USER_TILE, *PSAM_USER_TILE;
type USER_EXTENDED_INFORMATION (line 1328) | typedef struct _USER_EXTENDED_INFORMATION
type USER_LOGON_UI_INFORMATION (line 1338) | typedef struct _USER_LOGON_UI_INFORMATION
type USER_PWD_CHANGE_FAILURE_INFORMATION (line 1355) | typedef struct _USER_PWD_CHANGE_FAILURE_INFORMATION
type SECURITY_DB_DELTA_TYPE (line 1514) | typedef enum _SECURITY_DB_DELTA_TYPE
type SECURITY_DB_OBJECT_TYPE (line 1526) | typedef enum _SECURITY_DB_OBJECT_TYPE
type SAM_ACCOUNT_TYPE (line 1538) | typedef enum _SAM_ACCOUNT_TYPE
type SAM_GROUP_MEMBER_ID (line 1549) | typedef struct _SAM_GROUP_MEMBER_ID
type SAM_ALIAS_MEMBER_ID (line 1554) | typedef struct _SAM_ALIAS_MEMBER_ID
type SAM_DELTA_DATA (line 1559) | typedef union _SAM_DELTA_DATA
type PASSWORD_POLICY_VALIDATION_TYPE (line 1609) | typedef enum _PASSWORD_POLICY_VALIDATION_TYPE
type SAM_VALIDATE_PASSWORD_HASH (line 1616) | typedef struct _SAM_VALIDATE_PASSWORD_HASH
type SAM_VALIDATE_PERSISTED_FIELDS (line 1631) | typedef struct _SAM_VALIDATE_PERSISTED_FIELDS
type SAM_VALIDATE_VALIDATION_STATUS (line 1642) | typedef enum _SAM_VALIDATE_VALIDATION_STATUS
type SAM_VALIDATE_STANDARD_OUTPUT_ARG (line 1657) | typedef struct _SAM_VALIDATE_STANDARD_OUTPUT_ARG
type SAM_VALIDATE_AUTHENTICATION_INPUT_ARG (line 1663) | typedef struct _SAM_VALIDATE_AUTHENTICATION_INPUT_ARG
type SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG (line 1669) | typedef struct _SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG
type SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG (line 1678) | typedef struct _SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG
type SAM_VALIDATE_INPUT_ARG (line 1688) | typedef union _SAM_VALIDATE_INPUT_ARG
type SAM_VALIDATE_OUTPUT_ARG (line 1695) | typedef union _SAM_VALIDATE_OUTPUT_ARG
type SAM_GENERIC_OPERATION_TYPE (line 1714) | typedef enum _SAM_GENERIC_OPERATION_TYPE
type SAM_OPERATION_OBJCHG_INPUT (line 1719) | typedef struct _SAM_OPERATION_OBJCHG_INPUT
type SAM_OPERATION_OBJCHG_OUTPUT (line 1727) | typedef struct _SAM_OPERATION_OBJCHG_OUTPUT
type SAM_GENERIC_OPERATION_INPUT (line 1732) | typedef union _SAM_GENERIC_OPERATION_INPUT
type SAM_GENERIC_OPERATION_OUTPUT (line 1737) | typedef union _SAM_GENERIC_OPERATION_OUTPUT
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntseapi.h
type TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE (line 94) | typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE
type TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE (line 101) | typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE
type TOKEN_SECURITY_ATTRIBUTE_V1 (line 108) | typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1
type TOKEN_SECURITY_ATTRIBUTES_INFORMATION (line 131) | typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION
type TOKEN_PROCESS_TRUST_LEVEL (line 143) | typedef struct _TOKEN_PROCESS_TRUST_LEVEL
FILE: Inject/herpaderping-main/ext/submodules/phnt/nttp.h
type TP_ALPC (line 17) | typedef struct _TP_ALPC TP_ALPC, *PTP_ALPC;
type TP_TRACE_TYPE (line 442) | typedef enum _TP_TRACE_TYPE
FILE: Inject/herpaderping-main/ext/submodules/phnt/ntwow64.h
type WOW64_SHARED_INFORMATION (line 21) | typedef enum _WOW64_SHARED_INFORMATION
type RTL_BALANCED_NODE32 (line 41) | typedef struct _RTL_BALANCED_NODE32
type RTL_RB_TREE32 (line 60) | typedef struct _RTL_RB_TREE32
type PEB_LDR_DATA32 (line 66) | typedef struct _PEB_LDR_DATA32
type LDR_SERVICE_TAG_RECORD32 (line 79) | typedef struct _LDR_SERVICE_TAG_RECORD32
type LDRP_CSLIST32 (line 85) | typedef struct _LDRP_CSLIST32
type LDR_DDAG_NODE32 (line 90) | typedef struct _LDR_DDAG_NODE32
type LDR_DATA_TABLE_ENTRY32 (line 112) | typedef struct _LDR_DATA_TABLE_ENTRY32
type CURDIR32 (line 185) | typedef struct _CURDIR32
type RTL_DRIVE_LETTER_CURDIR32 (line 191) | typedef struct _RTL_DRIVE_LETTER_CURDIR32
type RTL_USER_PROCESS_PARAMETERS32 (line 199) | typedef struct _RTL_USER_PROCESS_PARAMETERS32
type PEB32 (line 247) | typedef struct _PEB32
type GDI_TEB_BATCH32 (line 402) | typedef struct _GDI_TEB_BATCH32
type TEB32 (line 409) | typedef struct _TEB32
function FORCEINLINE (line 573) | FORCEINLINE VOID UStr32ToUStr(
function FORCEINLINE (line 583) | FORCEINLINE VOID UStrToUStr32(
FILE: Inject/herpaderping-main/ext/submodules/phnt/phnt_ntdef.h
type QUAD (line 27) | typedef struct _QUAD
type DECLSPEC_ALIGN (line 37) | struct DECLSPEC_ALIGN
type ULONG (line 43) | typedef ULONG LOGICAL;
type ULONG (line 44) | typedef ULONG *PLOGICAL;
type NTSTATUS (line 46) | typedef _Success_(return >= 0) LONG NTSTATUS;
type NTSTATUS (line 47) | typedef NTSTATUS *PNTSTATUS;
type CCHAR (line 51) | typedef char CCHAR;
type CSHORT (line 52) | typedef short CSHORT;
type ULONG (line 53) | typedef ULONG CLONG;
type CCHAR (line 55) | typedef CCHAR *PCCHAR;
type CSHORT (line 56) | typedef CSHORT *PCSHORT;
type CLONG (line 57) | typedef CLONG *PCLONG;
type PCSTR (line 59) | typedef PCSTR PCSZ;
type UCHAR (line 63) | typedef UCHAR KIRQL, *PKIRQL;
type LONG (line 64) | typedef LONG KPRIORITY;
type USHORT (line 65) | typedef USHORT RTL_ATOM, *PRTL_ATOM;
type LARGE_INTEGER (line 67) | typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
type EVENT_TYPE (line 93) | typedef enum _EVENT_TYPE
type TIMER_TYPE (line 99) | typedef enum _TIMER_TYPE
type WAIT_TYPE (line 105) | typedef enum _WAIT_TYPE
type STRING (line 114) | typedef struct _STRING
type STRING (line 121) | typedef const STRING *PCSTRING;
type ANSI_STRING (line 122) | typedef const ANSI_STRING *PCANSI_STRING;
type OEM_STRING (line 123) | typedef const OEM_STRING *PCOEM_STRING;
type UNICODE_STRING (line 125) | typedef struct _UNICODE_STRING
type UNICODE_STRING (line 132) | typedef const UNICODE_STRING *PCUNICODE_STRING;
type RTL_BALANCED_NODE (line 140) | typedef struct _RTL_BALANCED_NODE
type SINGLE_LIST_ENTRY32 (line 164) | typedef struct _SINGLE_LIST_ENTRY32
type STRING32 (line 169) | typedef struct _STRING32
type STRING32 (line 176) | typedef STRING32 UNICODE_STRING32, *PUNICODE_STRING32;
type STRING32 (line 177) | typedef STRING32 ANSI_STRING32, *PANSI_STRING32;
type STRING64 (line 179) | typedef struct _STRING64
type STRING64 (line 186) | typedef STRING64 UNICODE_STRING64, *PUNICODE_STRING64;
type STRING64 (line 187) | typedef STRING64 ANSI_STRING64, *PANSI_STRING64;
type OBJECT_ATTRIBUTES (line 203) | typedef struct _OBJECT_ATTRIBUTES
type OBJECT_ATTRIBUTES (line 213) | typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES;
type OBJECT_ATTRIBUTES64 (line 231) | typedef struct _OBJECT_ATTRIBUTES64
type OBJECT_ATTRIBUTES64 (line 241) | typedef const OBJECT_ATTRIBUTES64 *PCOBJECT_ATTRIBUTES64;
type OBJECT_ATTRIBUTES32 (line 243) | typedef struct _OBJECT_ATTRIBUTES32
type OBJECT_ATTRIBUTES32 (line 253) | typedef const OBJECT_ATTRIBUTES32 *PCOBJECT_ATTRIBUTES32;
type NT_PRODUCT_TYPE (line 257) | typedef enum _NT_PRODUCT_TYPE
type SUITE_TYPE (line 264) | typedef enum _SUITE_TYPE
type CLIENT_ID (line 288) | typedef struct _CLIENT_ID
type CLIENT_ID32 (line 294) | typedef struct _CLIENT_ID32
type CLIENT_ID64 (line 300) | typedef struct _CLIENT_ID64
type KSYSTEM_TIME (line 308) | typedef struct _KSYSTEM_TIME
FILE: Inject/herpaderping-main/ext/submodules/phnt/phnt_windows.h
type DOUBLE (line 43) | typedef double DOUBLE;
type GUID (line 44) | typedef GUID *PGUID;
FILE: Inject/herpaderping-main/ext/submodules/phnt/subprocesstag.h
type TAG_INFO_LEVEL (line 17) | typedef enum _TAG_INFO_LEVEL
type TAG_TYPE (line 25) | typedef enum _TAG_TYPE
type TAG_INFO_NAME_FROM_TAG_IN_PARAMS (line 31) | typedef struct _TAG_INFO_NAME_FROM_TAG_IN_PARAMS
type TAG_INFO_NAME_FROM_TAG_OUT_PARAMS (line 37) | typedef struct _TAG_INFO_NAME_FROM_TAG_OUT_PARAMS
type TAG_INFO_NAME_FROM_TAG (line 43) | typedef struct _TAG_INFO_NAME_FROM_TAG
type TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS (line 49) | typedef struct _TAG_INFO_NAMES_REFERENCING_MODULE_IN_PARAMS
type TAG_INFO_NAMES_REFERENCING_MODULE_OUT_PARAMS (line 55) | typedef struct _TAG_INFO_NAMES_REFERENCIN
Condensed preview — 530 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (5,744K chars).
[
{
"path": ".gitattributes",
"chars": 378,
"preview": "# Auto detect text files and perform LF normalization\n* text=auto\n\n# Custom for Visual Studio\n*.cs diff=csharp\n\n# St"
},
{
"path": ".gitignore",
"chars": 574,
"preview": "# Windows image file caches\nThumbs.db\nehthumbs.db\n\n# Folder config file\nDesktop.ini\n\n# Recycle Bin used on file shares\n$"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/AddService.cpp",
"chars": 2569,
"preview": "#include \"AddService.h\"\r\n#include \"stdafx.h\"\r\n#include \"CheckKernelHookDlg.h\"\r\n#include <Winsvc.h>\r\n#pragma once\r\n\r\n\r\nBO"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/AddService.h",
"chars": 108,
"preview": "#include \"stdafx.h\"\r\n\r\nBOOL Release();\r\nBOOL UnloadDrv(TCHAR* DriverName);\r\nBOOL LoadDrv(TCHAR* DriverName);"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.cpp",
"chars": 1536,
"preview": "\r\n// CheckKernelHook.cpp : ӦóΪ\r\n//\r\n\r\n#include \"stdafx.h\"\r\n#include \"CheckKernelHook.h\"\r\n#include \"CheckKernelHookDlg.h\""
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.h",
"chars": 423,
"preview": "\r\n// CheckKernelHook.h : PROJECT_NAME Ӧóͷļ\r\n//\r\n\r\n#pragma once\r\n\r\n#ifndef __AFXWIN_H__\r\n\t#error \"ڰļ֮ǰstdafx.h PCH ļ\"\r\n#e"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.vcxproj",
"chars": 6075,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.micros"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.vcxproj.filters",
"chars": 2124,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHookDlg.cpp",
"chars": 5951,
"preview": "\r\n// CheckKernelHookDlg.cpp : ʵļ\r\n//\r\n\r\n#include \"stdafx.h\"\r\n#include \"CheckKernelHook.h\"\r\n#include \"CheckKernelHookDlg."
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHookDlg.h",
"chars": 1665,
"preview": "\r\n// CheckKernelHookDlg.h : ͷļ\r\n//\r\n\r\n#pragma once\r\n#include \"afxcmn.h\"\r\n#include \"resource.h\"\r\n#include <WinIoCtl.h>\r\n\r"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/res/ReadMe.txt",
"chars": 23,
"preview": "Check Kernel EAT Hook \n"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/stdafx.cpp",
"chars": 98,
"preview": "\r\n// stdafx.cpp : ֻļԴļ\r\n// CheckKernelHook.pch ΪԤͷ\r\n// stdafx.obj ԤϢ\r\n\r\n#include \"stdafx.h\"\r\n\r\n\r\n"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/stdafx.h",
"chars": 1427,
"preview": "\r\n// stdafx.h : ϵͳļİļ\r\n// Ǿʹõĵ\r\n// ضĿİļ\r\n\r\n#pragma once\r\n\r\n#ifndef _SECURE_ATL\r\n#define _SECURE_ATL 1\r\n#endif\r\n\r\n#ifnde"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook/targetver.h",
"chars": 146,
"preview": "#pragma once\r\n\r\n// SDKDDKVer.h ߰汾Ŀ Windows ƽ̨\r\n\r\n// ҪΪǰ Windows ƽ̨Ӧó WinSDKVer.h\r\n// WIN32_WINNT ΪҪֵ֧ƽ̨Ȼٰ SDKDDKVer.h\r\n"
},
{
"path": "CheckKernelEATHook/CheckKernelHook/CheckKernelHook.sln",
"chars": 910,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 11.00\r\n# Visual Studio 2010\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/CheckKernelHook.vcxproj",
"chars": 3329,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.micros"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/CheckKernelHook.vcxproj.filters",
"chars": 1512,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Common.c",
"chars": 28521,
"preview": "#include \"Common.h\"\r\n#include \"Reload.h\"\r\n\r\n\r\n\r\nUCHAR OpcodeFlags[256] = \r\n{\r\n OP_MODRM, // 00\r\n"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Common.h",
"chars": 926,
"preview": "#include \"DriverEntry.h\"\r\n#include <ntimage.h>\r\n\r\ntypedef unsigned long DWORD;\r\ntypedef void *HANDLE;\r\ntypedef unsigned "
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/DriverEntry.c",
"chars": 4248,
"preview": "\r\n\r\n#include \"DriverEntry.h\"\r\n#include \"KernelHookCheck.h\"\r\n#include \"Reload.h\"\r\n\r\n\r\nNTSTATUS DriverEntry(IN PDRIVER_OBJ"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/DriverEntry.h",
"chars": 1136,
"preview": "#include <ntifs.h>\r\n#include <devioctl.h>\r\n#pragma once\r\n\r\n\r\n#define DEVICE_NAME L\"\\\\Device\\\\CheckKernelHookDeviceNam"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FileSystem.c",
"chars": 8952,
"preview": "#include \"FileSystem.h\"\r\n\r\n\r\n\r\n\r\n/*ļ൱ԼʵIoCreateFile FileObjectеIrpListѭָ*/\r\nNTSTATUS\r\n IrpCreateFile(\r\n IN PUNICO"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FileSystem.h",
"chars": 941,
"preview": "#include \"Reload.h\"\r\n\r\n\r\n\r\n\r\nNTSTATUS\r\n IrpCreateFile(\r\n IN PUNICODE_STRING FilePath,\r\n IN ACCESS_MASK DesiredA"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FixRelocation.c",
"chars": 13853,
"preview": "#include \"FixRelocation.h\"\r\n\r\n\r\n\r\n/*\r\nضλ \r\n*/\r\nBOOLEAN\r\n FixBaseRelocTable (\r\n PVOID NewImageBase,\r\n DWORD Ex"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/FixRelocation.h",
"chars": 524,
"preview": "#include \"Reload.h\"\r\n\r\n\r\n\r\n\r\nBOOLEAN\r\n FixBaseRelocTable (\r\n PVOID NewImageBase,\r\n DWORD ExistImageBase\r\n );"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelHookCheck.c",
"chars": 27865,
"preview": "#include \"KernelHookCheck.h\"\r\n#include \"libdasm.h\"\r\n#include \"Common.h\"\r\n#include \"Reload.h\"\r\n\r\nULONG IntHookCount; //¼"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelHookCheck.h",
"chars": 739,
"preview": "#include \"DriverEntry.h\"\r\n\r\nBOOLEAN KernelHookCheck(PINLINEHOOKINFO InlineHookInfo);\r\n\r\nVOID FillInlineHookInfo(PUCHAR u"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelReload.c",
"chars": 24387,
"preview": "\r\n#include \"KernelReload.h\"\r\n#include \"FileSystem.h\"\r\n#include \"FixRelocation.h\"\r\n\r\n\r\n/*ZwQuerySystemInformation öģϢ õһ"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/KernelReload.h",
"chars": 1576,
"preview": "#include \"Reload.h\"\r\n\r\n\r\n\r\n\r\n\r\nBOOLEAN GetSystemKernelModuleInfo(WCHAR **SystemKernelModulePath,PDWORD SystemKernelModul"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/ReadMe.txt",
"chars": 22,
"preview": "Check Kernel EAT Hook\n"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Reload.c",
"chars": 13706,
"preview": "#include \"Reload.h\"\r\n#include \"KernelReload.h\"\r\n\r\nWCHAR* SystemKernelFilePath = NULL;\r\nULONG_PTR SystemKernelModuleBase "
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/Reload.h",
"chars": 8229,
"preview": "#include \"DriverEntry.h\"\r\n#include <ntimage.h>\r\n\r\n#pragma once\r\ntypedef unsigned long DWORD;\r\ntypedef DWORD * PDWORD;\r\n"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/libdasm.c",
"chars": 35692,
"preview": "\n/*\n * libdasm -- simple x86 disassembly library\n * (c) 2004 - 2005 jt / nologin.org\n *\n *\n * TODO:\n * - more documenta"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/libdasm.h",
"chars": 15908,
"preview": "\n/*\n * libdasm -- simple x86 disassembly library\n * (c) 2004 - 2005 jt / nologin.org\n *\n */\n\n\n#ifndef _LIBDASM_H\n#defin"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/sources",
"chars": 250,
"preview": "TARGETNAME=CheckKernelHook\r\n#TARGETPATH=$(BASEDIR)\\lib\r\nTARGETPATH=obj\r\nTARGETTYPE=DRIVER\r\n\r\nINCLUDES=.\\\r\n\r\nSOURCES= \\\r\n"
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook/tables.h",
"chars": 216754,
"preview": "\n/*\n * libdasm -- simple x86 disassembly library\n * (c) 2004 - 2005 jt / nologin.org\n *\n * Opcode tables for FPU, 1, 2 "
},
{
"path": "CheckKernelEATHook/CheckKernelHookDrv/CheckKernelHook.sln",
"chars": 910,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 11.00\r\n# Visual Studio 2010\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-"
},
{
"path": "CheckKernelEATHook/ReadMe.txt",
"chars": 92,
"preview": "1.Reload the first kernel module\n2.check EAT function (Zwxx) \n3.check InlineHook (not Zwxx)\n"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/GetKernel32Addressx64.cpp",
"chars": 1234,
"preview": "// GetKernel32Addressx64.cpp : ̨Ӧóڵ㡣\r\n//\r\n\r\n#include \"stdafx.h\"\r\n#include \"GetKernel32Addressx64.h\"\r\n\r\n#ifdef _DEBUG\r\n#d"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/GetKernel32Addressx64.h",
"chars": 39,
"preview": "#pragma once\r\n\r\n#include \"resource.h\"\r\n"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/GetKernel32Addressx64.vcxproj",
"chars": 8685,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.micros"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/GetKernel32Addressx64.vcxproj.filters",
"chars": 1707,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/GetPeb.asm",
"chars": 73,
"preview": "\r\n.CODE\r\n GetPeb PROC \r\n mov rax,gs:[60h]\r\n ret\r\n GetPeb ENDP\r\n END"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/Resource.h",
"chars": 418,
"preview": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Visual C++ generated include file.\r\n// Used by GetKernel32Addressx64.rc\r\n//\r\n\r\n#defi"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/stdafx.cpp",
"chars": 132,
"preview": "// stdafx.cpp : ֻļԴļ\r\n// GetKernel32Addressx64.pch ΪԤͷ\r\n// stdafx.obj ԤϢ\r\n\r\n#include \"stdafx.h\"\r\n\r\n// TODO: STDAFX.H \r"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/stdafx.h",
"chars": 649,
"preview": "// stdafx.h : ϵͳļİļ\r\n// Ǿʹõĵ\r\n// ضĿİļ\r\n//\r\n\r\n#pragma once\r\n\r\n#include \"targetver.h\"\r\n\r\n#include <stdio.h>\r\n#include <tc"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64/targetver.h",
"chars": 146,
"preview": "#pragma once\r\n\r\n// SDKDDKVer.h õ߰汾 Windows ƽ̨\r\n\r\n// ҪΪǰ Windows ƽ̨Ӧó WinSDKVer.h\r\n// WIN32_WINNT ΪҪֵ֧ƽ̨Ȼٰ SDKDDKVer.h\r\n"
},
{
"path": "GetKernel32Addressx64/GetKernel32Addressx64.sln",
"chars": 1282,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 11.00\r\n# Visual Studio 2010\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-"
},
{
"path": "GetKernel32Addressx64/ReadMe.txt",
"chars": 343,
"preview": "in x64\n1.get peb from fs:[0x60] by asm file\n2.get Ldr by peb\n3.get kernel32 module in the third module \nntdll->kernelbas"
},
{
"path": "HideProcess/HideProcess.c",
"chars": 4649,
"preview": "#ifndef CXX_HIDEPROCESS_H\r\n#\tinclude \"HideProcess.h\"\r\n#endif\r\n\r\nULONG_PTR ActiveOffsetPre = 0;\r\nULONG_PTR ActiveOffsetN"
},
{
"path": "HideProcess/HideProcess.h",
"chars": 622,
"preview": "#ifndef CXX_HIDEPROCESS_H\r\n#define CXX_HIDEPROCESS_H\r\n\r\n#include <ntifs.h>\r\n\r\ntypedef enum WIN_VERSION {\r\n\tWINDOWS_XP,\r\n"
},
{
"path": "HideProcess/HideProcess.sln",
"chars": 694,
"preview": "Microsoft Visual Studio Solution File, Format Version 11.00\r\n# Visual Studio 2010\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A"
},
{
"path": "HideProcess/HideProcess.vcxproj",
"chars": 2691,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.micros"
},
{
"path": "HideProcess/ReadMe.txt",
"chars": 164,
"preview": "HideProcess by Remove ProcessList in EPROCESS struct.\nSupport Windows xp and windows 7 OS, you can add other os's offset"
},
{
"path": "HideProcess/common.h",
"chars": 1836,
"preview": "/**************************************************************************************\r\n* AUTHOR : MZ\r\n* DATE : 2016-"
},
{
"path": "HideProcess/readme.txt",
"chars": 164,
"preview": "HideProcess by Remove ProcessList in EPROCESS struct.\nSupport Windows xp and windows 7 OS, you can add other os's offset"
},
{
"path": "HideProcess/sources",
"chars": 129,
"preview": "TARGETNAME=HideProcess\r\n#TARGETPATH=$(BASEDIR)\\lib\r\nTARGETPATH=obj\r\nTARGETTYPE=DRIVER\r\n\r\nINCLUDES=.\\\r\n\r\nSOURCES=HideProc"
},
{
"path": "HideProcess/struct.h",
"chars": 10181,
"preview": "/***************************************************************************************\r\n* AUTHOR : MZ\r\n* DATE : 2016"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile.vcproj",
"chars": 8142,
"preview": "<?xml version=\"1.0\" encoding=\"gb2312\"?>\n<VisualStudioProject\n\tProjectType=\"Visual C++\"\n\tVersion=\"9.00\"\n\tName=\"HookDevice"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/TlHelp32.h",
"chars": 8460,
"preview": "/*****************************************************************************\\\n* "
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/analyzer.cpp",
"chars": 44897,
"preview": "#include \"stdafx.h\"\n\ntypedef struct _DRVINFO\n{\n PVOID Object;\n\n std::string ObjectName;\n std::string FilePath;\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/analyzer.h",
"chars": 101,
"preview": "\nvoid CollectDeviceObjectsInfo(LPWSTR lpRoot);\nvoid PrintDeviceObjectsInfo(char *lpszIoctlsLogPath);\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/binres.rc",
"chars": 4,
"preview": "\n\n\n\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/common.cpp",
"chars": 6581,
"preview": "#include \"stdafx.h\"\n//--------------------------------------------------------------------------------------\nBOOL LoadPr"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/common.h",
"chars": 1756,
"preview": "\n#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_))\n\n#define XALIGN_DOWN(x, align)(x &~ (align - 1"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/dbgeng.h",
"chars": 518654,
"preview": "//----------------------------------------------------------------------------\n//\n// Debugger engine interfaces.\n//\n// C"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/dbghelp.h",
"chars": 124156,
"preview": "/*++ BUILD Version: 0000 Increment this if a change has global effects\n\nCopyright (c) Microsoft Corporation. All rig"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/engextcpp.cpp",
"chars": 108261,
"preview": "//----------------------------------------------------------------------------\n//\n// C++ dbgeng extension framework.\n//\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/engextcpp.hpp",
"chars": 74964,
"preview": "//----------------------------------------------------------------------------\n//\n// C++ dbgeng extension framework.\n//\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/extsfns.h",
"chars": 55664,
"preview": "/*++\n\nCopyright (c) 2006 Microsoft Corporation\n\nModule Name:\n\n extsfns.h\n\nAbstract:\n\n This header file must be in"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/wdbgexts.h",
"chars": 73754,
"preview": "/*++\n\nCopyright (c) Microsoft Corporation. All rights reserved.\n\nModule Name:\n\n wdbgexts.h\n\nAbstract:\n\n This file "
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/debug.cpp",
"chars": 9065,
"preview": "#include \"stdafx.h\"\n\n#define DBG_PIPE_BUFFER_SIZE 0x1000\n\nWCHAR m_wcDebugPipeName[MAX_PATH];\nHANDLE hDbgMutex = NULL, hD"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/debug.h",
"chars": 344,
"preview": "\nvoid DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...);\nvoid DbgInit(char *lpszDebugPipeName, char *lpszLogFileName)"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/default.manifest",
"chars": 602,
"preview": "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\n<trustInfo xmlns=\"urn:schemas-microsoft-com:as"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/drvcomm.h",
"chars": 2922,
"preview": "#define DEVICE_NAME L\"IOCTLfuzzer\"\n#define DBG_PIPE_NAME L\"IOCTLfuzzer\"\n#define DBG_PIPE_NAME_A \"IOCTLfuzzer\"\n\n#define I"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.cpp",
"chars": 31883,
"preview": "#include \"stdafx.h\"\n\n//unresolved external symbol __imp__StrToIntExA@12\n#pragma comment(lib, \"Shlwapi.lib\")\n//unresolved"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.log",
"chars": 331,
"preview": "[17792] DbgInit(): Log file 'c:\\Users\\minzhen\\Desktop\\8.3 Hook DeviceIoControlFile(x86 x64)\\HookDeviceIoControlFile\\Hook"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.rc",
"chars": 4426,
"preview": "// Microsoft Visual C++ generated resource script.\r\n//\r\n#include \"resource.h\"\r\n\r\n#define APSTUDIO_READONLY_SYMBOLS\r\n////"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ntdll_defs.h",
"chars": 1935,
"preview": "typedef LONG NTSTATUS; \n\ntypedef struct _IO_STATUS_BLOCK \n{\n union {\n NTSTATUS Status;\n PVOID Pointer;\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/options.h",
"chars": 1003,
"preview": "\n/**\n * Program information, copyright, etc.\n */\n#define PROGRAM_NAME \"IOCTL Fuzzer\"\n#define PROGRAM_AUTHOR \"by Oleksiuk"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/resource.h",
"chars": 23133,
"preview": "//{{NO_DEPENDENCIES}}\n// Microsoft Visual C++ generated include file.\n// Used by ioctlfuzzer.rc\n//\n#define ID_SEPARATOR "
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/service.cpp",
"chars": 10209,
"preview": "#include \"stdafx.h\"\n\n// defined if ioctlfuzzer.cpp\nextern HANDLE hDevice;\n//--------------------------------------------"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/service.h",
"chars": 425,
"preview": "BOOL DrvOpenDevice(PWSTR DriverName, HANDLE *lphDevice);\nBOOL DrvDeviceRequest(PREQUEST_BUFFER Request, DWORD dwRequestS"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/stdafx.h",
"chars": 586,
"preview": "#define _WIN32_WINNT 0x0501\n\n#include <stdio.h>\n#include <tchar.h>\n#include <conio.h>\n#include <windows.h>\n#include <co"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/symbols.cpp",
"chars": 4328,
"preview": "#include \"stdafx.h\"\n//--------------------------------------------------------------------------------------\nBOOL GetNor"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/symbols.h",
"chars": 52,
"preview": "\nDWORD GetKernelSymbolOffset(char *lpszSymbolName);\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/undocnt.h",
"chars": 8754,
"preview": "\n/************************************************************/\n/* "
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/xml.cpp",
"chars": 10089,
"preview": "#include \"stdafx.h\"\n//--------------------------------------------------------------------------------------\n/** \n* x"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/xml.h",
"chars": 700,
"preview": "BOOL XmlLoad(PWSTR lpwcData, IXMLDOMDocument **pXMLDoc, IXMLDOMNode **pIDOMRootNode, PWSTR lpwcRootNodeName);\nIXMLDOMNod"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile.sln",
"chars": 1261,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 10.00\n# Visual Studio 2008\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.xml",
"chars": 1272,
"preview": "<?xml version=\"1.0\" encoding=\"windows-1251\" ?> \n<cfg>\n <!-- Path to log file. --> \n <log_file>C:\\ioctlfuzzer.log</log_"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/HookDeviceIoControlFile.vcproj",
"chars": 6750,
"preview": "<?xml version=\"1.0\" encoding=\"gb2312\"?>\n<VisualStudioProject\n\tProjectType=\"Visual C++\"\n\tVersion=\"9.00\"\n\tName=\"HookDevice"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common.c",
"chars": 45594,
"preview": "#include \"stdafx.h\"\n//--------------------------------------------------------------------------------------\n#ifndef _NT"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common.h",
"chars": 2821,
"preview": "#include <ntifs.h>\n#define XALIGN_DOWN(x, align)(x &~ (align - 1))\n#define XALIGN_UP(x, align)((x & (align - 1))?XALIGN_"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common_asm.h",
"chars": 334,
"preview": "#ifdef __cplusplus\nextern \"C\" \n{\n#endif\n\nvoid __stdcall _clear_wp(void);\nvoid __stdcall _set_wp(void);\n\nNTSTATUS \nNTAPI "
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common_change_asm.cpp",
"chars": 32,
"preview": "#include \"common_change_asm.h\"\n\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/debug.c",
"chars": 7507,
"preview": "#include \"stdafx.h\"\n\n#define DBGMSG_BUFF_SIZE 0x1000\n\nHANDLE hDbgPipe = NULL, hDbgLogFile = NULL;\nKMUTEX DbgMutex;\n//---"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/debug.h",
"chars": 403,
"preview": "#include <ntifs.h>\n#ifdef DBGMSG_FULL\n\nvoid DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...);\nvoid DbgClose(void);\nv"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/driver.c",
"chars": 47980,
"preview": "#include \"stdafx.h\"\n\n/**\n * Offsets for some undocummented structures\n */\nULONG m_KTHREAD_PrevMode = 0;\n\n/**\n * System s"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/driver.h",
"chars": 45,
"preview": "\nvoid SetPreviousMode(KPROCESSOR_MODE Mode);\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/drvcomm.h",
"chars": 2922,
"preview": "#define DEVICE_NAME L\"IOCTLfuzzer\"\n#define DBG_PIPE_NAME L\"IOCTLfuzzer\"\n#define DBG_PIPE_NAME_A \"IOCTLfuzzer\"\n\n#define I"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/extern.h",
"chars": 1622,
"preview": "/* -----------------------------------------------------------------------------\n * extern.h\n *\n * Copyright (c) 2004, 2"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/handlers.c",
"chars": 16634,
"preview": "#include \"stdafx.h\"\n\nNT_DEVICE_IO_CONTROL_FILE old_NtDeviceIoControlFile = NULL;\n\n/**\n * Fuzzing settings\n */\nULONG m_Fu"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/handlers.h",
"chars": 1039,
"preview": "\ntypedef struct _LST_PROCESS_INFO\n{\n PEPROCESS Process;\n HANDLE ProcessId;\n UNICODE_STRING usImagePath;\n\n} LST_"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/hook.c",
"chars": 4193,
"preview": "#include \"stdafx.h\"\n//--------------------------------------------------------------------------------------\nPVOID Hook("
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/hook.h",
"chars": 212,
"preview": "#ifdef _X86_\n\n#define MAX_INST_LEN 16\n#define UD_MODE 32\n\n#elif _AMD64_\n\n#define MAX_INST_LEN 24\n#define U"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/log.c",
"chars": 8046,
"preview": "#include \"stdafx.h\"\n\n// defined in handlers.cpp\nextern ULONG m_FuzzOptions;\n\n// defined in debug.cpp\nextern HANDLE hDbgP"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/log.h",
"chars": 127,
"preview": "\nvoid LogData(char *lpszFormat, ...);\nvoid LogDataIoctls(char *lpszFormat, ...);\nvoid LogDataHexdump(PUCHAR Data, ULONG "
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/lst.c",
"chars": 5579,
"preview": "#include \"stdafx.h\"\n//--------------------------------------------------------------------------------------\nPCOMMON_LST"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/lst.h",
"chars": 789,
"preview": "/*\n Common linked lists structures\n*/\n\ntypedef struct _COMMON_LST_ENTRY\n{\n UNICODE_STRING ObjectName; \n ULON"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/options.h",
"chars": 1004,
"preview": "\n/**\n * Program information, copyright, etc.\n */\n#define PROGRAM_NAME \"IOCTL Fuzzer\"\n#define PROGRAM_AUTHOR \"by Oleksiuk"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rng.c",
"chars": 5089,
"preview": "/* \n A C-program for MT19937, with initialization improved 2002/1/26.\n Coded by Takuji Nishimura and Makoto Matsumot"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rng.h",
"chars": 194,
"preview": "void init_genrand(unsigned long s);\nvoid init_by_array(unsigned long init_key[], int key_length);\nunsigned long genrand_"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rules.c",
"chars": 18251,
"preview": "#include \"stdafx.h\"\n\n// defined in driver.cpp\nextern UNICODE_STRING m_RegistryPath;\nextern KMUTEX m_CommonMutex;\n\nBOOLEA"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rules.h",
"chars": 2330,
"preview": "\n/**\n* Structures and defines for IOCTL filtering\n*/\n#define FLT_DEVICE_NAME 1\n#define FLT_DRIVER_NAME 2\n#define"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/sources",
"chars": 275,
"preview": "TARGETNAME=IOCTL_fuzzer\nTARGETTYPE=DRIVER\nDRIVERTYPE=FS\n\n\nTARGETLIBS=$(TARGETLIBS) \\\n .\\udis86\\udis86_i386.lib"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/stdafx.h",
"chars": 665,
"preview": "\n\n//extern \"C\"\n//{\n#include <ntifs.h>\n#include <stdio.h>\n#include <stdarg.h>\n#include <ntimage.h>\n#include \"undocnt.h\"\n/"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/build.bat",
"chars": 62,
"preview": "@echo off\nnmake /f makefile_i386\nnmake /f makefile_i386 clean\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/build64.bat",
"chars": 64,
"preview": "@echo off\nnmake /f makefile_amd64\nnmake /f makefile_amd64 clean\n"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/extern.h",
"chars": 1622,
"preview": "/* -----------------------------------------------------------------------------\n * extern.h\n *\n * Copyright (c) 2004, 2"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/itab.h",
"chars": 12162,
"preview": "\n/* itab.h -- auto generated by opgen.py, do not edit. */\n\n#ifndef UD_ITAB_H\n#define UD_ITAB_H\n\n\n\nenum ud_itab_vendor_in"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/makefile.inc",
"chars": 515,
"preview": "decode.obj: src/decode.c\n $(CC) $(CFLAGS) src/decode.c\n\ninput.obj: src/input.c\n $(CC) $(CFLAGS) src/input.c\n\nitab."
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/makefile_amd64",
"chars": 335,
"preview": "OUTNAME = udis86_amd64\n\nALL: $(OUTNAME).lib\n\nCC = cl.exe\n\nCFLAGS = /nologo -I\".\\src\" -I\"$(CRT_INC_PATH)\" -D__UD_STANDALO"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/makefile_i386",
"chars": 317,
"preview": "OUTNAME = udis86_i386\n\nALL: $(OUTNAME).lib\n\nCC = cl.exe\n\nCFLAGS=/nologo -I\".\\src\" -I\"$(CRT_INC_PATH)\" -D__UD_STANDALONE_"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/decode.c",
"chars": 34938,
"preview": "/* -----------------------------------------------------------------------------\n * decode.c\n *\n * Copyright (c) 2005, 2"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/decode.h",
"chars": 9114,
"preview": "#ifndef UD_DECODE_H\n#define UD_DECODE_H\n\n#define MAX_INSN_LENGTH 15\n\n/* register classes */\n#define T_NONE 0\n#define T_"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/extern.h",
"chars": 1622,
"preview": "/* -----------------------------------------------------------------------------\n * extern.h\n *\n * Copyright (c) 2004, 2"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/input.c",
"chars": 6114,
"preview": "/* -----------------------------------------------------------------------------\n * input.c\n *\n * Copyright (c) 2004, 20"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/input.h",
"chars": 1280,
"preview": "/* -----------------------------------------------------------------------------\n * input.h\n *\n * Copyright (c) 2006, Vi"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/itab.c",
"chars": 216814,
"preview": "\n/* itab.c -- auto generated by opgen.py, do not edit. */\n\n#include \"types.h\"\n#include \"decode.h\"\n#include \"itab.h\"\n\ncon"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/itab.h",
"chars": 12162,
"preview": "\n/* itab.h -- auto generated by opgen.py, do not edit. */\n\n#ifndef UD_ITAB_H\n#define UD_ITAB_H\n\n\n\nenum ud_itab_vendor_in"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn-att.c",
"chars": 4783,
"preview": "/* -----------------------------------------------------------------------------\n * syn-att.c\n *\n * Copyright (c) 2004, "
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn-intel.c",
"chars": 4862,
"preview": "/* -----------------------------------------------------------------------------\n * syn-intel.c\n *\n * Copyright (c) 2002"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn.c",
"chars": 1689,
"preview": "/* -----------------------------------------------------------------------------\n * syn.c\n *\n * Copyright (c) 2002, 2003"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn.h",
"chars": 585,
"preview": "/* -----------------------------------------------------------------------------\n * syn.h\n *\n * Copyright (c) 2006, Vive"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/types.h",
"chars": 5223,
"preview": "/* -----------------------------------------------------------------------------\n * types.h\n *\n * Copyright (c) 2006, Vi"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/udis86.c",
"chars": 4129,
"preview": "/* -----------------------------------------------------------------------------\n * udis86.c\n *\n * Copyright (c) 2004, 2"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/types.h",
"chars": 5223,
"preview": "/* -----------------------------------------------------------------------------\n * types.h\n *\n * Copyright (c) 2006, Vi"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/undocnt.h",
"chars": 15893,
"preview": "\n// ********************************************************\n// some user-mode structures\n\ntypedef struct _LDR_DATA_TABL"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/version.rc",
"chars": 2868,
"preview": "//Microsoft Developer Studio generated resource script.\n//\n\n#ifdef APSTUDIO_INVOKED\n#ifndef APSTUDIO_READONLY_SYMBOLS\n#d"
},
{
"path": "HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile.sln",
"chars": 913,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 10.00\n# Visual Studio 2008\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A"
},
{
"path": "HookDeviceIocontrlFile/ReadMe.txt",
"chars": 122,
"preview": "change from https://github.com/Cr4sh/ioctlfuzzer\n\nto log DeviceIoControl buffer by xml file. \n\nsupport for 32 and 64 bit"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/CreateRemoteThread.cpp",
"chars": 10154,
"preview": "/*\r\nx86x64עΪx64ϵͳ˽϶ȨУ飬ҪȨ\r\nx64ȨҪõntdll.dllеδRtlAdjustPrivilege().\r\n*/\r\n#include \"stdafx.h\"\r\n#include \"CreateRemoteThread"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/CreateRemoteThread.h",
"chars": 39,
"preview": "#pragma once\r\n\r\n#include \"resource.h\"\r\n"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/CreateRemoteThread.vcxproj",
"chars": 7949,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.micros"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/CreateRemoteThread.vcxproj.filters",
"chars": 1593,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/ReadMe.txt",
"chars": 231,
"preview": "32 bit process Inject The dll to 32 bit process\n64 bit process Inject The dll to 64 bit process\nsometimes you maybe fail"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/Resource.h",
"chars": 415,
"preview": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Visual C++ generated include file.\r\n// Used by CreateRemoteThread.rc\r\n//\r\n\r\n#define "
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/stdafx.cpp",
"chars": 129,
"preview": "// stdafx.cpp : ֻļԴļ\r\n// CreateRemoteThread.pch ΪԤͷ\r\n// stdafx.obj ԤϢ\r\n\r\n#include \"stdafx.h\"\r\n\r\n// TODO: STDAFX.H \r\n//"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/stdafx.h",
"chars": 649,
"preview": "// stdafx.h : ϵͳļİļ\r\n// Ǿʹõĵ\r\n// ضĿİļ\r\n//\r\n\r\n#pragma once\r\n\r\n#include \"targetver.h\"\r\n\r\n#include <stdio.h>\r\n#include <tc"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread/targetver.h",
"chars": 146,
"preview": "#pragma once\r\n\r\n// SDKDDKVer.h õ߰汾 Windows ƽ̨\r\n\r\n// ҪΪǰ Windows ƽ̨Ӧó WinSDKVer.h\r\n// WIN32_WINNT ΪҪֵ֧ƽ̨Ȼٰ SDKDDKVer.h\r\n"
},
{
"path": "Inject/CreateRemoteThread/CreateRemoteThread.sln",
"chars": 1273,
"preview": "\r\nMicrosoft Visual Studio Solution File, Format Version 11.00\r\n# Visual Studio 2010\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-"
},
{
"path": "Inject/CreateRemoteThread/ReadMe.txt",
"chars": 249,
"preview": "32 bit process Inject The dll to 32 bit process\n64 bit process Inject The dll to 64 bit process\nsometimes you maybe fail"
},
{
"path": "Inject/ExtraWindowInject/README.md",
"chars": 484,
"preview": "# inject_shellcode\nSmall compendium of injection techniques commonly used in malware demonstrated on metasploit-generate"
},
{
"path": "Inject/ExtraWindowInject/src/CMakeLists.txt",
"chars": 567,
"preview": "cmake_minimum_required (VERSION 2.8)\nproject (Injections)\n\nadd_definitions(-DUNICODE -D_UNICODE)\n\nset (srcs\n\tmain.cpp\n\tw"
},
{
"path": "Inject/ExtraWindowInject/src/add_apc.h",
"chars": 558,
"preview": "#pragma once\n#include <stdio.h>\n#include \"ntdll_undoc.h\"\n\nbool add_shellcode_to_apc(HANDLE hThread, LPVOID remote_shellc"
},
{
"path": "Inject/ExtraWindowInject/src/add_thread.h",
"chars": 3021,
"preview": "#pragma once\n#include <stdio.h>\n#include \"ntddk.h\"\n#include \"ntdll_undoc.h\"\n\ntypedef enum {\n usingRandomMethod,\n u"
},
{
"path": "Inject/ExtraWindowInject/src/createproc.h",
"chars": 1773,
"preview": "#pragma once\n#include \"kernel32_undoc.h\"\n\nbool create_new_process1(PROCESS_INFORMATION &pi, LPWSTR cmdLine, LPWSTR start"
},
{
"path": "Inject/ExtraWindowInject/src/enumproc.h",
"chars": 1588,
"preview": "#pragma once\n#include <psapi.h>\n\nbool get_process_name(IN HANDLE hProcess, OUT LPWSTR nameBuf, IN SIZE_T nameMax)\n{\n "
},
{
"path": "Inject/ExtraWindowInject/src/kernel32_undoc.h",
"chars": 955,
"preview": "#pragma once\n\n#include <Windows.h>\n\n//don't forget to load functiond before use:\n//load_kernel32_functions();\n//\n\nBOOL \n"
},
{
"path": "Inject/ExtraWindowInject/src/main.cpp",
"chars": 3805,
"preview": "#include <Windows.h>\n#include <iostream>\n\n#include \"main.h\"\n#include \"createproc.h\"\n#include \"enumproc.h\"\n\n#include \"pay"
},
{
"path": "Inject/ExtraWindowInject/src/main.h",
"chars": 239,
"preview": "#pragma once\n\n#include \"ntdll_undoc.h\"\n#include \"kernel32_undoc.h\"\n\n#include \"target_util.h\"\n\n//injection types:\n#includ"
},
{
"path": "Inject/ExtraWindowInject/src/map_buffer_into_process.h",
"chars": 2552,
"preview": "#pragma once\n#include <stdio.h> // for printf\n#include <wchar.h>\n#include \"ntddk.h\"\n\n//set of alternative functions doin"
},
{
"path": "Inject/ExtraWindowInject/src/ntddk.h",
"chars": 100706,
"preview": "#ifndef __NTDLL_H__\n#define __NTDLL_H__\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n#include <Windows.h>\n\n#ifdef _NTDDK_\n#er"
},
{
"path": "Inject/ExtraWindowInject/src/ntdll_undoc.h",
"chars": 2368,
"preview": "#pragma once\n\n#include <Windows.h>\n#include \"ntddk.h\"\n\n//undocumented functions from ntdll.dll\n//\n//don't forget to load"
},
{
"path": "Inject/ExtraWindowInject/src/patch_context.h",
"chars": 993,
"preview": "#pragma once\n\n#include <Windows.h>\n\n//32-bit version\nbool patch_context(HANDLE hThread, LPVOID remote_shellcode_ptr)\n{\n "
},
{
"path": "Inject/ExtraWindowInject/src/patch_ep.h",
"chars": 4589,
"preview": "#pragma once\n#include <stdio.h>\n#include \"ntddk.h\"\n#include \"pe_hdrs_helper.h\"\n#define PAGE_SIZE 0x1000\n\n// Get image ba"
},
{
"path": "Inject/ExtraWindowInject/src/payload.h",
"chars": 1382,
"preview": "#pragma once\n\n/*\nmsfvenom -a x86 --platform Windows\n-p windows/messagebox \nTEXT=\"This is an injection demo!\" \nTITLE=\"Inj"
},
{
"path": "Inject/ExtraWindowInject/src/pe_hdrs_helper.cpp",
"chars": 951,
"preview": "#include \"pe_hdrs_helper.h\"\n\nIMAGE_NT_HEADERS32* get_nt_hrds32(BYTE *pe_buffer)\n{\n if (pe_buffer == NULL) return NULL"
},
{
"path": "Inject/ExtraWindowInject/src/pe_hdrs_helper.h",
"chars": 160,
"preview": "#pragma once\n#include <Windows.h>\n\nIMAGE_NT_HEADERS32* get_nt_hrds32(BYTE *pe_buffer);\nIMAGE_DATA_DIRECTORY* get_pe_dire"
},
{
"path": "Inject/ExtraWindowInject/src/sysutil.cpp",
"chars": 1174,
"preview": "#pragma once\n#include \"sysutil.h\"\n\n#include <windows.h>\n#include <stdio.h>\n\n#include \"pe_hdrs_helper.h\"\n\ntypedef BOOL(WI"
},
{
"path": "Inject/ExtraWindowInject/src/sysutil.h",
"chars": 180,
"preview": "#pragma once\n#include <windows.h>\n\n#define PAGE_SIZE 0x1000\n\nbool is_compiled_32b();\nbool is_wow64();\nbool is_system32b("
},
{
"path": "Inject/ExtraWindowInject/src/target_util.h",
"chars": 3256,
"preview": "#pragma once\n#include <wchar.h>\n\nvoid replace_param(LPWSTR cmdBuf, SIZE_T cmdBufSize, LPWSTR paramVal)\n{\n wchar_t * pwc"
},
{
"path": "Inject/ExtraWindowInject/src/util.h",
"chars": 333,
"preview": "#pragma once\n\nvoid hex_dump(unsigned char *buf, size_t buf_size)\n{\n size_t pad = 8;\n size_t col = 16;\n putchar("
},
{
"path": "Inject/ExtraWindowInject/src/window_long_inject.cpp",
"chars": 4338,
"preview": "#include \"window_long_inject.h\"\n\n#include <stdio.h>\n\n//for injection into Shell_TrayWnd\nPVOID map_code_and_addresses_int"
},
{
"path": "Inject/ExtraWindowInject/src/window_long_inject.h",
"chars": 118,
"preview": "#pragma once\n\n#include <Windows.h>\n#include \"ntddk.h\"\n\nbool inject_into_tray(LPBYTE shellcode, SIZE_T shellcodeSize);\n"
},
{
"path": "Inject/Process-Hollowing/Readme.txt",
"chars": 44,
"preview": "https://github.com/m0n0ph1/Process-Hollowing"
},
{
"path": "Inject/Process-Hollowing/sourcecode/HelloWorld/HelloWorld.cpp",
"chars": 280,
"preview": "// HelloWorld.cpp : Defines the entry point for the console application.\n//\n\n#include \"stdafx.h\"\n#include <windows.h>\n\n\n"
},
{
"path": "Inject/Process-Hollowing/sourcecode/HelloWorld/HelloWorld.vcproj",
"chars": 4306,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\n<VisualStudioProject\n\tProjectType=\"Visual C++\"\n\tVersion=\"9.00\"\n\tName=\"Hell"
},
{
"path": "Inject/Process-Hollowing/sourcecode/HelloWorld/HelloWorld.vcxproj",
"chars": 5687,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.microso"
},
{
"path": "Inject/Process-Hollowing/sourcecode/HelloWorld/HelloWorld.vcxproj.filters",
"chars": 1284,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "Inject/Process-Hollowing/sourcecode/HelloWorld/stdafx.cpp",
"chars": 289,
"preview": "// stdafx.cpp : source file that includes just the standard includes\n// HelloWorld.pch will be the pre-compiled header\n/"
},
{
"path": "Inject/Process-Hollowing/sourcecode/HelloWorld/stdafx.h",
"chars": 305,
"preview": "// stdafx.h : include file for standard system include files,\n// or project specific include files that are used frequen"
},
{
"path": "Inject/Process-Hollowing/sourcecode/HelloWorld/targetver.h",
"chars": 752,
"preview": "#pragma once\n\n// The following macros define the minimum required platform. The minimum required platform\n// is the ear"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/PE.cpp",
"chars": 1940,
"preview": "#include \"stdafx.h\"\n#include \"windows.h\"\n#include \"internals.h\"\n#include \"pe.h\"\n\nDWORD FindRemotePEB(HANDLE hProcess)\n{\n"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/PE.h",
"chars": 8905,
"preview": "#pragma once\n\n#include <vector>\n#include <map>\n#include <Ntsecapi.h>\n#include <DbgHelp.h>\n\n#define BUFFER_SIZE 0x2000\n\nt"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/ProcessHollowing.cpp",
"chars": 7911,
"preview": "// ProcessHollowing.cpp : Defines the entry point for the console application.\n\n#include \"stdafx.h\"\n#include <windows.h>"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/ProcessHollowing.vcproj",
"chars": 4489,
"preview": "<?xml version=\"1.0\" encoding=\"Windows-1252\"?>\n<VisualStudioProject\n\tProjectType=\"Visual C++\"\n\tVersion=\"9.00\"\n\tName=\"Proc"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/ProcessHollowing.vcxproj",
"chars": 5813,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"4.0\" xmlns=\"http://schemas.microso"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/ProcessHollowing.vcxproj.filters",
"chars": 1551,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/internals.h",
"chars": 661,
"preview": "struct PROCESS_BASIC_INFORMATION {\n PVOID Reserved1;\n DWORD PebBaseAddress;\n PVOID Reserved2[2];\n DWORD Uniq"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/stdafx.cpp",
"chars": 295,
"preview": "// stdafx.cpp : source file that includes just the standard includes\n// ProcessHollowing.pch will be the pre-compiled he"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/stdafx.h",
"chars": 305,
"preview": "// stdafx.h : include file for standard system include files,\n// or project specific include files that are used frequen"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing/targetver.h",
"chars": 752,
"preview": "#pragma once\n\n// The following macros define the minimum required platform. The minimum required platform\n// is the ear"
},
{
"path": "Inject/Process-Hollowing/sourcecode/ProcessHollowing.sln",
"chars": 1356,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 11.00\n# Visual Studio 2010\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A"
},
{
"path": "Inject/ProcessDoppelgänging/.gitignore",
"chars": 3443,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n\n# User"
},
{
"path": "Inject/ProcessDoppelgänging/LICENSE.md",
"chars": 1468,
"preview": "\nCopyright (c) 2017, \nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodificat"
},
{
"path": "Inject/ProcessDoppelgänging/MalExe/MalExe.vcxproj",
"chars": 5747,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"14.0\" xmlns=\"http://schemas.micros"
},
{
"path": "Inject/ProcessDoppelgänging/MalExe/MalExe.vcxproj.filters",
"chars": 931,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "Inject/ProcessDoppelgänging/MalExe/main.c",
"chars": 131,
"preview": "#include <stdio.h>\n#include <Windows.h>\n\nint main(void)\n{\n\t//__asm int 3;\n\tMessageBox(0, \"Message body\", \"Message title\""
}
]
// ... and 330 more files (download for full content)
About this extraction
This page contains the full source code of the ciyze0101/Windows-Rootkits GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 530 files (5.2 MB), approximately 1.4M tokens, and a symbol index with 3730 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.