Showing preview only (1,879K chars total). Download the full file or copy to clipboard to get everything.
Repository: donnaskiez/ac
Branch: master
Commit: bd7ecfd50348
Files: 79
Total size: 1.8 MB
Directory structure:
gitextract_efljrolz/
├── .clang-format
├── .clang-format-cpp
├── .gitattributes
├── .gitignore
├── LICENSE.md
├── README.md
├── ac.sln
├── driver/
│ ├── apc.c
│ ├── apc.h
│ ├── arch.asm
│ ├── callbacks.c
│ ├── callbacks.h
│ ├── common.h
│ ├── containers/
│ │ ├── map.c
│ │ ├── map.h
│ │ ├── tree.c
│ │ └── tree.h
│ ├── cpp.hint
│ ├── crypt.c
│ ├── crypt.h
│ ├── driver.c
│ ├── driver.h
│ ├── driver.inf
│ ├── driver.vcxproj
│ ├── driver.vcxproj.filters
│ ├── hv.c
│ ├── hv.h
│ ├── hw.c
│ ├── hw.h
│ ├── ia32.h
│ ├── imports.c
│ ├── imports.h
│ ├── integrity.c
│ ├── integrity.h
│ ├── io.c
│ ├── io.h
│ ├── lib/
│ │ ├── stdlib.c
│ │ └── stdlib.h
│ ├── modules.c
│ ├── modules.h
│ ├── pe.c
│ ├── pe.h
│ ├── pool.c
│ ├── pool.h
│ ├── session.c
│ ├── session.h
│ ├── thread.c
│ ├── thread.h
│ ├── types/
│ │ ├── tpm12.h
│ │ ├── tpm20.h
│ │ ├── tpmptp.h
│ │ └── types.h
│ ├── util.c
│ └── util.h
├── module/
│ ├── client/
│ │ ├── message_queue.cpp
│ │ ├── message_queue.h
│ │ ├── pipe.cpp
│ │ └── pipe.h
│ ├── common.h
│ ├── crypt/
│ │ ├── crypt.cpp
│ │ └── crypt.h
│ ├── dispatcher/
│ │ ├── dispatcher.cpp
│ │ ├── dispatcher.h
│ │ ├── threadpool.cpp
│ │ ├── threadpool.h
│ │ ├── timer.cpp
│ │ └── timer.h
│ ├── helper.cpp
│ ├── helper.h
│ ├── imports.cpp
│ ├── imports.h
│ ├── kernel_interface/
│ │ ├── kernel_interface.cpp
│ │ └── kernel_interface.h
│ ├── main.cpp
│ ├── module.cpp
│ ├── module.h
│ ├── module.vcxproj
│ └── module.vcxproj.filters
└── server/
└── main.go
================================================
FILE CONTENTS
================================================
================================================
FILE: .clang-format
================================================
BasedOnStyle: webkit
AccessModifierOffset: -4
AlignAfterOpenBracket: AlwaysBreak
AlignConsecutiveAssignments: false
AlignConsecutiveDeclarations: false
AlignConsecutiveMacros: true
AlignEscapedNewlines: Left
AlignOperands: true
AlignTrailingComments: true
AllowAllArgumentsOnNextLine: false
AllowShortBlocksOnASingleLine: true
AllowShortCaseLabelsOnASingleLine: true
AllowShortIfStatementsOnASingleLine: false
AllowShortLoopsOnASingleLine: false
AlwaysBreakAfterReturnType: TopLevel
AlwaysBreakBeforeMultilineStrings: false
AlwaysBreakTemplateDeclarations: true #false
BinPackArguments: false
BinPackParameters: false
AllowShortFunctionsOnASingleLine: false
AllowAllParametersOfDeclarationOnNextLine: true
PenaltyBreakBeforeFirstCallParameter: 0
BreakBeforeBraces: Stroustrup
BraceWrapping:
AfterCaseLabel: true
AfterClass: true
AfterControlStatement: true
AfterEnum: true
AfterFunction: true
AfterNamespace: false
AfterStruct: true
AfterUnion: true
AfterExternBlock: false
BeforeCatch: true
BeforeElse: true
BreakBeforeBinaryOperators: None
BreakBeforeTernaryOperators: true
BreakConstructorInitializers: AfterColon
BreakStringLiterals: false
ColumnLimit: 80
CommentPragmas: '^begin_wpp|^end_wpp|^FUNC |^USESUFFIX |^USESUFFIX '
ConstructorInitializerAllOnOneLineOrOnePerLine: true
ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4
Cpp11BracedListStyle: true
DerivePointerAlignment: false
ExperimentalAutoDetectBinPacking: false
IndentCaseLabels: false
IndentPPDirectives: AfterHash
IndentWidth: 4
KeepEmptyLinesAtTheStartOfBlocks: false
Language: Cpp
MacroBlockBegin: '^BEGIN_MODULE$|^BEGIN_TEST_CLASS$|^BEGIN_TEST_METHOD$'
MacroBlockEnd: '^END_MODULE$|^END_TEST_CLASS$|^END_TEST_METHOD$'
MaxEmptyLinesToKeep: 1
NamespaceIndentation: None #All
PointerAlignment: Left
ReflowComments: true
SortIncludes: true
SpaceAfterCStyleCast: false
SpaceBeforeAssignmentOperators: true
SpaceBeforeCtorInitializerColon: true
SpaceBeforeParens: ControlStatements
SpaceBeforeRangeBasedForLoopColon: true
SpaceInEmptyParentheses: false
SpacesInAngles: false
SpacesInCStyleCastParentheses: false
SpacesInParentheses: false
SpacesInSquareBrackets: false
Standard: Cpp11
StatementMacros: [
'EXTERN_C',
'PAGED',
'PAGEDX',
'NONPAGED',
'PNPCODE',
'INITCODE',
'_At_',
'_When_',
'_Success_',
'_Check_return_',
'_Must_inspect_result_',
'_IRQL_requires_same_',
'_IRQL_requires_',
'_IRQL_requires_max_',
'_IRQL_requires_min_',
'_IRQL_saves_',
'_IRQL_restores_',
'_IRQL_saves_global_',
'_IRQL_restores_global_',
'_IRQL_raises_',
'_IRQL_lowers_',
'_Acquires_lock_',
'_Releases_lock_',
'_Acquires_exclusive_lock_',
'_Releases_exclusive_lock_',
'_Acquires_shared_lock_',
'_Releases_shared_lock_',
'_Requires_lock_held_',
'_Use_decl_annotations_',
'_Guarded_by_',
'__drv_preferredFunction',
'__drv_allocatesMem',
'__drv_freesMem',
]
TabWidth: '4'
UseTab: Never
================================================
FILE: .clang-format-cpp
================================================
---
BasedOnStyle: LLVM
...
================================================
FILE: .gitattributes
================================================
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto
###############################################################################
# Set default behavior for command prompt diff.
#
# This is need for earlier builds of msysgit that does not have it on by
# default for csharp files.
# Note: This is only used by command line
###############################################################################
#*.cs diff=csharp
###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary
###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary
###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain
================================================
FILE: .gitignore
================================================
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Mono auto generated files
mono_crash.*
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Ww][Ii][Nn]32/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Oo]ut/
[Ll]og/
[Ll]ogs/
# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# Visual Studio 2017 auto generated files
Generated\ Files/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# Benchmark Results
BenchmarkDotNet.Artifacts/
# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
# ASP.NET Scaffolding
ScaffoldingReadMe.txt
# StyleCop
StyleCopReport.xml
# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# Visual Studio Trace Files
*.e2e
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json
# Coverlet is a free, cross platform Code Coverage Tool
coverage*.json
coverage*.xml
coverage*.info
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/
# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs
# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak
# SQL Server files
*.mdf
*.ldf
*.ndf
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl
# Microsoft Fakes
FakesAssemblies/
# GhostDoc plugin setting file
*.GhostDoc.xml
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Paket dependency manager
.paket/paket.exe
paket-files/
# FAKE - F# Make
.fake/
# CodeRush personal settings
.cr/personal
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config
# Tabs Studio
*.tss
# Telerik's JustMock configuration file
*.jmconfig
# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs
# OpenCover UI analysis results
OpenCover/
# Azure Stream Analytics local run output
ASALocalRun/
# MSBuild Binary and Structured Log
*.binlog
# NVidia Nsight GPU debugger configuration file
*.nvuser
# MFractors (Xamarin productivity tool) working folder
.mfractor/
# Local History for Visual Studio
.localhistory/
# BeatPulse healthcheck temp database
healthchecksdb
# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/
# Ionide (cross platform F# VS Code tools) working folder
.ionide/
# Fody - auto-generated XML schema
FodyWeavers.xsd
================================================
FILE: LICENSE.md
================================================
GNU AFFERO GENERAL PUBLIC LICENSE
Version 3, 19 November 2007
Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU Affero General Public License is a free, copyleft license for
software and other kinds of works, specifically designed to ensure
cooperation with the community in the case of network server software.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
our General Public Licenses are intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
Developers that use our General Public Licenses protect your rights
with two steps: (1) assert copyright on the software, and (2) offer
you this License which gives you legal permission to copy, distribute
and/or modify the software.
A secondary benefit of defending all users' freedom is that
improvements made in alternate versions of the program, if they
receive widespread use, become available for other developers to
incorporate. Many developers of free software are heartened and
encouraged by the resulting cooperation. However, in the case of
software used on network servers, this result may fail to come about.
The GNU General Public License permits making a modified version and
letting the public access it on a server without ever releasing its
source code to the public.
The GNU Affero General Public License is designed specifically to
ensure that, in such cases, the modified source code becomes available
to the community. It requires the operator of a network server to
provide the source code of the modified version running there to the
users of that server. Therefore, public use of a modified version, on
a publicly accessible server, gives the public access to the source
code of the modified version.
An older license, called the Affero General Public License and
published by Affero, was designed to accomplish similar goals. This is
a different license, not a version of the Affero GPL, but Affero has
released a new version of the Affero GPL which permits relicensing under
this license.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU Affero General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Remote Network Interaction; Use with the GNU General Public License.
Notwithstanding any other provision of this License, if you modify the
Program, your modified version must prominently offer all users
interacting with it remotely through a computer network (if your version
supports such interaction) an opportunity to receive the Corresponding
Source of your version by providing access to the Corresponding Source
from a network server at no charge, through some standard or customary
means of facilitating copying of software. This Corresponding Source
shall include the Corresponding Source for any work covered by version 3
of the GNU General Public License that is incorporated pursuant to the
following paragraph.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the work with which it is combined will remain governed by version
3 of the GNU General Public License.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU Affero General Public License from time to time. Such new versions
will be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU Affero General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU Affero General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU Affero General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If your software can interact with users remotely through a computer
network, you should also make sure that it provides a way for users to
get its source. For example, if your program is a web application, its
interface could display a "Source" link that leads users to an archive
of the code. There are many ways you could offer source, and different
solutions will be better for different programs; see section 13 for the
specific requirements.
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU AGPL, see
<https://www.gnu.org/licenses/>.
================================================
FILE: README.md
================================================
# ac
open source anti cheat (lol) which I made for fun.
# features
- Attached thread detection
- Process module .text section integrity checks
- NMI stackwalking via isr iretq
- APC, DPC stackwalking
- Return address exception hooking detection
- Chained .data pointer detection (iffy)
- Handle stripping via obj callbacks
- Process handle table enumeration
- System module device object verification
- System module .text integrity checks
- Removal of threads cid table entry detection
- Driver dispatch routine validation
- Extraction of various hardware identifiers
- EPT hook detection
- Various image integrity checks both of driver + module
- Hypervisor detection
- HalDispatch and HalPrivateDispatch routine validation
- Dynamic import resolving & encryption
- Malicious PCI device detection via configuration space scanning
- Win32kBase_DxgInterface routine validation
# architecuture
- todo!
# planned features
Theres a long list of features I still want to implement, the question is whether I can be bothored implementing them. I would say I'd accept pull requests for new features but I would expect high quality code and thorough testing with verifier (both inside a vm and bare metal).
# example
- I have recorded an example of the program running with CS2. Note that vac was obviously disabled. *If you decide to test with a steam game do not forget to launch in insecure mode*
- Shown are the kernel `VERBOSE` level logs in DebugView along with the usermode application console and some additional performance benchmarking things.
- (You can find the video here)[https://youtu.be/b3mH7w8pOxs]
# known issues
- [See the issues page](https://github.com/donnaskiez/ac/issues)
- Feel free to open a new issue if you find any bugs
# windows versions tested:
- Win10 22H2
- Win11 22H2
# how to build
Requires [Visual Studio](https://visualstudio.microsoft.com/downloads/) and the [WDK](https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk) for compilation.
## test signing mode
Before we continue, ensure you enable test signing mode as this driver is not signed.
1. Open a command prompt as Administrator
2. Enter the following commands:
```bash
bcdedit -set TESTSIGNING on
bcdedit /debug on
```
3. Restart Windows
## building and running the project
1. Clone the project i.e `git clone git@github.com:donnaskiez/ac.git`
2. Open the project in visual studio
3. Select `Release - No Server - Win10` or `Release - No Server - Win11` depending on the version of Windows you will be running the driver on.
4. Build the project in visual studio, if you experience any build issues - check the drivers project settings are the following:
- `Inf2Cat -> General -> Use Local Time` to `Yes`
- `C/C++ -> Treat Warnings As Errors` to `No`
- `C/C++ -> Spectre Mitigation` to `Disabled`
5. Move the `driver.sys` file located in `ac\x64\Release - No Server\` into the `Windows\System32\Drivers` directory
- You can rename the driver if you would like
6. Use the [OSR Loader](https://www.osronline.com/article.cfm%5Earticle=157.htm) and select `driver.sys` (or whatever you named it) that you moved to the Windows drivers folder. *DO NOT REGISTER THE SERVICE YET*.
7. Under `Service Start` select `System`. This is VERY important!
8. Click `Register Service`. *Do NOT click* `Start Service`!
9. Restart Windows.
10. Once restarted, open the program you would like to protect. This could be anything i.e cs2, notepad etc.
- if you do use a game to test, ensure the games anti-cheat is turned off before testing
11. Open your dll injector of choice (I simply use [Process Hacker](https://processhacker.sourceforge.io/))
12. Inject the dll found in `ac\x64\Release - No Server\` named `user.dll` into the target program
Logs will be printed to both the terminal output and the kernel debugger. See below for configuring kernel debugger output.
Note: The server is not needed for the program to function properly.
# how to configure kernel debugging output
The kernel driver is setup to log at 4 distinct levels:
```C
#define LOG_ERROR_LEVEL
#define LOG_WARNING_LEVEL
#define LOG_INFO_LEVEL
#define LOG_VERBOSE_LEVEL
```
As the names suggest, `ERROR_LEVEL` is for errors, `WARNING_LEVEL` is for warnings. `INFO_LEVEL` is for general information regarding what requests the driver is processing and `VERBOSE_LEVEL` contains very detailed information for each request.
## creating the registry key
If you are unfamiliar with the kernel debugging mask, you probably need to set one up. If you already have a debugging mask setup, you can skip to `setting the mask` below.
1. Open the Registry Editor
2. Copy and pase `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` into the bar at the top and press enter
3. On the left hand side, right click `Session Manager` and select `New -> Key`
4. Name the key `Debug Print Filter`
5. On the left hand side you should now see `Debug Print Filter`, right click and select `New -> DWORD (32 bit) Value`
6. Name the key `DEFAULT`
## setting the mask
1. Within the `Debug Print Filter` registry, double click the key named `DEFAULT`
2. Determine the level(s) of logging you would like to see. For most people interested I would set either `INFO_LEVEL` or `VERBOSE_LEVEL`. Remember that if you set `INFO_LEVEL`, you will see all `INFO_LEVEL`, `WARNING_LEVEL` and `ERROR_LEVEL` logs. Ie you see all logs above and including your set level.
```
ERROR_LEVEL = 0x3
WARNING_LEVEL = 0x7
INFO_LEVEL = 0xf
VERBOSE_LEVEL = 0x1f
```
3. Enter the value for the given logging level (seen above)
4. Click `Ok` and restart Windows.
## filtering debug output
If you choose to use `INFO_LEVEL` or `VERBOSE_LEVEL` there may be many logs from the kernel so we want to filter them out.
### windbg
With WinDbg connected to the target:
1. Pause the target using the `Break` button
2. Use the command: `.ofilter donna-ac*`
### debugview
1. Click `Edit -> Filter/Highlight`
2. Set the `Include` string to `donna-ac*`
## License
We have decided to put this Project under **AGPL-3.0**!
https://choosealicense.com/licenses/agpl-3.0/
# contact
feel free to dm me on discord or uc @donnaskiez
================================================
FILE: ac.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.5.33502.453
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver", "driver\driver.vcxproj", "{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "module", "module\module.vcxproj", "{3B18467A-4358-45EF-81B1-5C6F9B0B6728}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release - No Server - Win10|Any CPU = Release - No Server - Win10|Any CPU
Release - No Server - Win10|ARM64 = Release - No Server - Win10|ARM64
Release - No Server - Win10|x64 = Release - No Server - Win10|x64
Release - No Server - Win10|x86 = Release - No Server - Win10|x86
Release - No Server - Win11|Any CPU = Release - No Server - Win11|Any CPU
Release - No Server - Win11|ARM64 = Release - No Server - Win11|ARM64
Release - No Server - Win11|x64 = Release - No Server - Win11|x64
Release - No Server - Win11|x86 = Release - No Server - Win11|x86
Release|Any CPU = Release|Any CPU
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|Any CPU.ActiveCfg = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|Any CPU.Build.0 = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|Any CPU.Deploy.0 = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|ARM64.ActiveCfg = Debug|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|ARM64.Build.0 = Debug|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|ARM64.Deploy.0 = Debug|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x64.ActiveCfg = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x64.Build.0 = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x64.Deploy.0 = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x86.ActiveCfg = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x86.Build.0 = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x86.Deploy.0 = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|Any CPU.ActiveCfg = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|Any CPU.Build.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|Any CPU.Deploy.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|ARM64.ActiveCfg = Release - Win10|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|ARM64.Build.0 = Release - Win10|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|ARM64.Deploy.0 = Release - Win10|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|x64.ActiveCfg = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|x64.Build.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|x64.Deploy.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|x86.ActiveCfg = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|x86.Build.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win10|x86.Deploy.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|Any CPU.ActiveCfg = Release - Win11|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|Any CPU.Build.0 = Release - Win11|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|Any CPU.Deploy.0 = Release - Win11|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|ARM64.ActiveCfg = Release - Win10|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|ARM64.Build.0 = Release - Win10|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|ARM64.Deploy.0 = Release - Win10|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|x64.ActiveCfg = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|x64.Build.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|x64.Deploy.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|x86.ActiveCfg = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|x86.Build.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server - Win11|x86.Deploy.0 = Release - Win10|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|Any CPU.ActiveCfg = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|Any CPU.Build.0 = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|Any CPU.Deploy.0 = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|ARM64.ActiveCfg = Release|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|ARM64.Build.0 = Release|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|ARM64.Deploy.0 = Release|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|x64.ActiveCfg = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|x64.Build.0 = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|x64.Deploy.0 = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|x86.ActiveCfg = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|x86.Build.0 = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|x86.Deploy.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|Any CPU.ActiveCfg = Debug|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|Any CPU.Build.0 = Debug|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|ARM64.ActiveCfg = Debug|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|ARM64.Build.0 = Debug|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|x64.ActiveCfg = Debug|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|x64.Build.0 = Debug|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|x86.ActiveCfg = Debug|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|x86.Build.0 = Debug|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|Any CPU.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|Any CPU.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|ARM64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|ARM64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x86.ActiveCfg = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x86.Build.0 = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|Any CPU.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|Any CPU.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|ARM64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|ARM64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x86.ActiveCfg = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x86.Build.0 = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|Any CPU.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|Any CPU.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|ARM64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|ARM64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x86.ActiveCfg = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x86.Build.0 = Release - No Server|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {5F2C89ED-CBEA-4DAD-8576-94C53821D2E8}
EndGlobalSection
EndGlobal
================================================
FILE: driver/apc.c
================================================
#include "apc.h"
#include "driver.h"
#include "imports.h"
#include "lib/stdlib.h"
VOID
GetApcContextByIndex(_Out_ PVOID* Context, _In_ UINT32 Index)
{
NT_ASSERT(Index <= MAXIMUM_APC_CONTEXTS);
AcquireDriverConfigLock();
*Context = (PVOID)GetApcContextArray()[Index];
ReleaseDriverConfigLock();
}
VOID
GetApcContext(_Out_ PVOID* Context, _In_ UINT32 ContextIdentifier)
{
NT_ASSERT(ContextIdentifier <= MAXIMUM_APC_CONTEXTS);
PAPC_CONTEXT_HEADER header = NULL;
AcquireDriverConfigLock();
for (UINT32 index = 0; index < MAXIMUM_APC_CONTEXTS; index++) {
header = GetApcContextArray()[index];
if (!header)
continue;
if (header->context_id != ContextIdentifier)
continue;
*Context = header;
goto unlock;
}
unlock:
ReleaseDriverConfigLock();
}
/*
* No need to hold the lock here as the thread freeing the APCs will
* already hold the configuration lock. We also dont want to release and
* reclaim the lock before calling this function since we need to ensure
* we hold the lock during the entire decrement and free process.
*/
BOOLEAN
FreeApcContextStructure(_Inout_ PAPC_CONTEXT_HEADER Context)
{
NT_ASSERT(Context <= MAXIMUM_APC_CONTEXTS);
PUINT64 entry = NULL;
for (UINT32 index = 0; index < MAXIMUM_APC_CONTEXTS; index++) {
entry = GetApcContextArray();
if (entry[index] != (UINT64)Context)
continue;
if (Context->count > 0)
return FALSE;
ImpExFreePoolWithTag(Context, POOL_TAG_APC);
entry[index] = NULL;
return TRUE;
}
return FALSE;
}
VOID
IncrementApcCount(_In_ UINT32 ContextId)
{
NT_ASSERT(ContextId <= MAXIMUM_APC_CONTEXTS);
PAPC_CONTEXT_HEADER header = NULL;
GetApcContext(&header, ContextId);
if (!header)
return;
AcquireDriverConfigLock();
header->count += 1;
ReleaseDriverConfigLock();
}
VOID
FreeApcAndDecrementApcCount(_Inout_ PRKAPC Apc, _In_ UINT32 ContextId)
{
NT_ASSERT(Apc != NULL);
NT_ASSERT(ContextId <= MAXIMUM_APC_CONTEXTS);
PAPC_CONTEXT_HEADER context = NULL;
ImpExFreePoolWithTag(Apc, POOL_TAG_APC);
GetApcContext(&context, ContextId);
if (!context)
return;
AcquireDriverConfigLock();
context->count -= 1;
ReleaseDriverConfigLock();
}
/*
* The reason we use a query model rather then checking the count of queued APCs
* after each APC free and decrement is that the lock will be recursively
* acquired by freeing threads (i.e executing APCs) rather then APC allocation
* threads. The reason for this being that freeing threads are executing at a
* higher IRQL then the APC allocation thread, hence they are granted higher
* priority by the scheduler when determining which thread will accquire the
* lock next:
*
* [+] Freeing thread -> ApcKernelRoutine IRQL: 1 (APC_LEVEL)
* [+] Allocation thread -> ValidateThreadViaKernelApcCallback IRQL: 0
* (PASSIVE_LEVEL)
*
* As a result, once an APC is executed and reaches the freeing stage, it will
* acquire the lock and decrement it. Then, if atleast 1 APC execution thread is
* waiting on the lock, it will be prioritised due to its higher IRQL and the
* cycle will continue. Eventually, the count will reach 0 due to recursive
* acquisition by the executing APC threads and then the function will free the
* APC context structure. This will then cause a bug check the next time a
* thread accesses the context structure and hence not good :c.
*
* So to combat this, we add in a flag specifying whether or not an allocation
* of APCs is in progress, and even if the count is 0 we will not free the
* context structure until the count is 0 and allocation_in_progress is 0. We
* can then call this function alongside other query callbacks via IOCTL to
* constantly monitor the status of open APC contexts.
*/
NTSTATUS
QueryActiveApcContextsForCompletion()
{
PAPC_CONTEXT_HEADER entry = NULL;
AcquireDriverConfigLock();
for (UINT32 index = 0; index < MAXIMUM_APC_CONTEXTS; index++) {
GetApcContextByIndex(&entry, index);
if (!entry)
continue;
if (entry->count > 0 || entry->allocation_in_progress == TRUE)
continue;
switch (entry->context_id) {
case APC_CONTEXT_ID_STACKWALK:
FreeApcStackwalkApcContextInformation(entry);
FreeApcContextStructure(entry);
break;
}
}
ReleaseDriverConfigLock();
return STATUS_SUCCESS;
}
VOID
InsertApcContext(_In_ PVOID Context)
{
NT_ASSERT(Context != NULL);
PUINT64 entry = NULL;
if (IsDriverUnloading())
return;
AcquireDriverConfigLock();
for (UINT32 index = 0; index < MAXIMUM_APC_CONTEXTS; index++) {
entry = GetApcContextArray();
if (entry[index] == NULL) {
entry[index] = (UINT64)Context;
goto end;
}
}
end:
ReleaseDriverConfigLock();
}
/*
* The driver config structure holds an array of pointers to APC context
* structures. These APC context structures are unique to each APC operation
* that this driver will perform. For example, a single context will manage all
* APCs that are used to stackwalk, whilst another context will be used to
* manage all APCs used to query a threads memory for example.
*
* Due to the nature of APCs, its important to keep a total or count of the
* number of APCs we have allocated and queued to threads. This information is
* stored in the APC_CONTEXT_HEADER which all APC context structures will
* contain as the first entry in their structure. It holds the ContextId which
* is a unique identifier for the type of APC operation it is managing aswell as
* the number of currently queued APCs.
*
* When an APC is allocated a queued, we increment this count. When an APC is
* completed and freed, we decrement this counter and free the APC itself. If
* all APCs have been freed and the counter is 0,the following objects will be
* freed:
*
* 1. Any additional allocations used by the APC stored in the context structure
* 2. The APC context structure for the given APC operation
* 3. The APC context entry in g_DriverConfig->>apc_contexts will be zero'd.
*
* It's important to remember that the driver can unload when pending APC's have
* not been freed due to the limitations windows places on APCs, however I am in
* the process of finding a solution for this.
*/
BOOLEAN
DrvUnloadFreeAllApcContextStructures()
{
PUINT64 entry = NULL;
PAPC_CONTEXT_HEADER context = NULL;
LARGE_INTEGER delay = {.QuadPart = -ABSOLUTE(SECONDS(1))};
AcquireDriverConfigLock();
for (UINT32 index = 0; index < MAXIMUM_APC_CONTEXTS; index++) {
entry = GetApcContextArray();
if (entry[index] == NULL)
continue;
context = entry[index];
if (context->count > 0) {
DEBUG_VERBOSE(
"Still active APCs: Index: %lx, Count: %lx",
index,
context->count);
KeDelayExecutionThread(KernelMode, FALSE, &delay);
ReleaseDriverConfigLock();
return FALSE;
}
ImpExFreePoolWithTag(context, POOL_TAG_APC);
}
ReleaseDriverConfigLock();
return TRUE;
}
================================================
FILE: driver/apc.h
================================================
#ifndef APC_H
#define APC_H
#include "common.h"
#include "apc.h"
#include "driver.h"
#include "imports.h"
VOID
GetApcContextByIndex(_Out_ PVOID* Context, _In_ UINT32 Index);
VOID
GetApcContext(_Out_ PVOID* Context, _In_ UINT32 ContextIdentifier);
BOOLEAN
FreeApcContextStructure(_Inout_ PAPC_CONTEXT_HEADER Context);
VOID
IncrementApcCount(_In_ UINT32 ContextId);
VOID
FreeApcAndDecrementApcCount(_Inout_ PRKAPC Apc, _In_ UINT32 ContextId);
NTSTATUS
QueryActiveApcContextsForCompletion();
VOID
InsertApcContext(_In_ PVOID Context);
BOOLEAN
DrvUnloadFreeAllApcContextStructures();
#endif
================================================
FILE: driver/arch.asm
================================================
.code
; Tests the emulation of the INVD instruction
;
; source and references:
;
; https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html#invdwbinvd
; https://www.felixcloutier.com/x86/invd
; https://www.felixcloutier.com/x86/wbinvd
;
; Returns int
TestINVDEmulation PROC
pushfq
cli
push 1 ; push some dummy data onto the stack which will exist in writeback cache
wbinvd ; flush the internal cpu caches and write back all modified cache
; lines to main memory
mov byte ptr [rsp], 0 ; set our dummy value to 0, this takes place inside writeback memory
invd ; flush the internal caches, however this instruction will not write
; back to system memory as opposed to wbinvd, meaning our previous
; instruction which only operated on cached writeback data and not
; system memory has been invalidated.
pop rax ; on a real system as a result of our data update instruction being
; invalidated, the result will be 1. On a system that does not
; properly implement INVD, the result will be 0 as the instruction does
; not properly flush the caches.
xor rax, 1 ; invert result so function returns same way as all verification methods
popfq
ret
TestINVDEmulation ENDP
END
================================================
FILE: driver/callbacks.c
================================================
#include "callbacks.h"
#include "containers/map.h"
#include "containers/tree.h"
#include "crypt.h"
#include "driver.h"
#include "imports.h"
#include "lib/stdlib.h"
#include "modules.h"
#include "pool.h"
#include "session.h"
#include "thread.h"
#include "util.h"
#define PROCESS_HASHMAP_BUCKET_COUNT 101
STATIC
BOOLEAN
EnumHandleCallback(
_In_ PHANDLE_TABLE HandleTable,
_In_ PHANDLE_TABLE_ENTRY Entry,
_In_ HANDLE Handle,
_In_ PVOID Context);
#ifdef ALLOC_PRAGMA
# pragma alloc_text(PAGE, ObPostOpCallbackRoutine)
# pragma alloc_text(PAGE, ObPreOpCallbackRoutine)
# pragma alloc_text(PAGE, EnumHandleCallback)
# pragma alloc_text(PAGE, EnumerateProcessHandles)
# pragma alloc_text(PAGE, InitialiseThreadList)
# pragma alloc_text(PAGE, ExUnlockHandleTableEntry)
#endif
VOID
CleanupThreadListFreeCallback(_In_ PTHREAD_LIST_ENTRY ThreadListEntry)
{
ImpObDereferenceObject(ThreadListEntry->thread);
ImpObDereferenceObject(ThreadListEntry->owning_process);
}
VOID
UnregisterProcessCreateNotifyRoutine()
{
RtlHashmapSetInactive(GetProcessHashmap());
ImpPsSetCreateProcessNotifyRoutine(ProcessCreateNotifyRoutine, TRUE);
}
VOID
UnregisterImageLoadNotifyRoutine()
{
InterlockedExchange(&GetDriverList()->active, FALSE);
PsRemoveLoadImageNotifyRoutine(ImageLoadNotifyRoutineCallback);
}
VOID
UnregisterThreadCreateNotifyRoutine()
{
InterlockedExchange(&GetThreadTree()->active, FALSE);
ImpPsRemoveCreateThreadNotifyRoutine(ThreadCreateNotifyRoutine);
}
VOID
CleanupThreadListOnDriverUnload()
{
RtlRbTreeEnumerate(GetThreadTree(), CleanupThreadListFreeCallback, NULL);
RtlRbTreeDeleteTree(GetThreadTree());
}
VOID
CleanupDriverListOnDriverUnload()
{
PLIST_ENTRY entry = NULL;
PDRIVER_LIST_HEAD head = GetDriverList();
PDRIVER_LIST_ENTRY driver = NULL;
ImpKeAcquireGuardedMutex(&head->lock);
while (!IsListEmpty(&head->list_entry)) {
entry = RemoveHeadList(&head->list_entry);
driver = CONTAINING_RECORD(entry, DRIVER_LIST_ENTRY, list_entry);
ExFreePoolWithTag(entry, POOL_TAG_DRIVER_LIST);
}
ImpKeReleaseGuardedMutex(&head->lock);
}
VOID
EnumerateDriverListWithCallbackRoutine(
_In_ DRIVERLIST_CALLBACK_ROUTINE CallbackRoutine, _In_opt_ PVOID Context)
{
NT_ASSERT(CallbackRoutine != NULL);
PDRIVER_LIST_HEAD head = GetDriverList();
PLIST_ENTRY entry = NULL;
PDRIVER_LIST_ENTRY driver = NULL;
ImpKeAcquireGuardedMutex(&head->lock);
if (CallbackRoutine) {
entry = head->list_entry.Flink;
while (entry != &head->list_entry) {
driver = CONTAINING_RECORD(entry, DRIVER_LIST_ENTRY, list_entry);
CallbackRoutine(driver, Context);
entry = entry->Flink;
}
}
ImpKeReleaseGuardedMutex(&head->lock);
}
VOID
DriverListEntryToExtendedModuleInfo(
_In_ PDRIVER_LIST_ENTRY Entry, _Out_ PRTL_MODULE_EXTENDED_INFO Extended)
{
Extended->ImageBase = Entry->ImageBase;
Extended->ImageSize = Entry->ImageSize;
IntCopyMemory(
Extended->FullPathName,
Entry->path,
sizeof(Extended->FullPathName));
}
NTSTATUS
InitialiseDriverList()
{
PAGED_CODE();
NTSTATUS status = STATUS_UNSUCCESSFUL;
SYSTEM_MODULES modules = {0};
PDRIVER_LIST_ENTRY entry = NULL;
PRTL_MODULE_EXTENDED_INFO module_entry = NULL;
PDRIVER_LIST_HEAD head = GetDriverList();
InterlockedExchange(&head->active, TRUE);
InitializeListHead(&head->list_entry);
InitializeListHead(&head->deferred_list);
KeInitializeGuardedMutex(&head->lock);
head->can_hash_x86 = FALSE;
head->work_item = IoAllocateWorkItem(GetDriverDeviceObject());
if (!head->work_item)
return STATUS_INSUFFICIENT_RESOURCES;
status = GetSystemModuleInformation(&modules);
if (!NT_SUCCESS(status)) {
DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status);
return status;
}
KeAcquireGuardedMutex(&head->lock);
/* skip hal.dll and ntoskrnl.exe */
for (UINT32 index = 2; index < modules.module_count; index++) {
entry = ImpExAllocatePool2(
POOL_FLAG_NON_PAGED,
sizeof(DRIVER_LIST_ENTRY),
POOL_TAG_DRIVER_LIST);
if (!entry)
continue;
module_entry = &((PRTL_MODULE_EXTENDED_INFO)modules.address)[index];
entry->hashed = TRUE;
entry->ImageBase = module_entry->ImageBase;
entry->ImageSize = module_entry->ImageSize;
IntCopyMemory(
entry->path,
module_entry->FullPathName,
sizeof(module_entry->FullPathName));
status = HashModule(module_entry, entry->text_hash);
if (status == STATUS_INVALID_IMAGE_WIN_32) {
DEBUG_ERROR(
"32 bit module not hashed, will hash later. %x",
status);
entry->hashed = FALSE;
entry->x86 = TRUE;
InsertHeadList(&head->deferred_list, &entry->deferred_entry);
}
else if (!NT_SUCCESS(status)) {
DEBUG_ERROR("HashModule failed with status %x", status);
entry->hashed = FALSE;
}
InsertHeadList(&head->list_entry, &entry->list_entry);
}
KeReleaseGuardedMutex(&head->lock);
head->active = TRUE;
if (modules.address)
ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL);
return STATUS_SUCCESS;
}
/*
* I actually think a spinlock here for the driver list is what we want rather
* then a mutex, but implementing a spinlock has its challenges... todo: have a
* think!
*/
VOID
FindDriverEntryByBaseAddress(
_In_ PVOID ImageBase, _Out_ PDRIVER_LIST_ENTRY* Entry)
{
NT_ASSERT(ImageBase != NULL);
NT_ASSERT(Entry != NULL);
PDRIVER_LIST_HEAD head = GetDriverList();
PLIST_ENTRY entry = NULL;
PDRIVER_LIST_ENTRY driver = NULL;
*Entry = NULL;
ImpKeAcquireGuardedMutex(&head->lock);
entry = head->list_entry.Flink;
while (entry != &head->list_entry) {
driver = CONTAINING_RECORD(entry, DRIVER_LIST_ENTRY, list_entry);
if (driver->ImageBase == ImageBase) {
*Entry = driver;
goto unlock;
}
entry = entry->Flink;
}
unlock:
ImpKeReleaseGuardedMutex(&head->lock);
}
STATIC
BOOLEAN
ProcessHashmapCompareFunction(_In_ PVOID Struct1, _In_ PVOID Struct2)
{
NT_ASSERT(Struct1 != NULL);
NT_ASSERT(Struct2 != NULL);
HANDLE h1 = *((PHANDLE)Struct1);
HANDLE h2 = *((PHANDLE)Struct2);
return h1 == h2 ? TRUE : FALSE;
}
STATIC
UINT32
ProcessHashmapHashFunction(_In_ UINT64 Key)
{
return ((UINT32)Key) % PROCESS_HASHMAP_BUCKET_COUNT;
}
STATIC
VOID
ImageLoadInsertNonSystemImageIntoProcessHashmap(
_In_ PIMAGE_INFO ImageInfo,
_In_ HANDLE ProcessId,
_In_opt_ PUNICODE_STRING FullImageName)
{
INT32 index = 0;
NTSTATUS status = STATUS_UNSUCCESSFUL;
PEPROCESS process = NULL;
PRTL_HASHMAP map = GetProcessHashmap();
PPROCESS_LIST_ENTRY entry = NULL;
PPROCESS_MAP_MODULE_ENTRY module = NULL;
PPROCESS_MODULE_MAP_CONTEXT context = NULL;
if (!map->active)
return;
status = PsLookupProcessByProcessId(ProcessId, &process);
if (!NT_SUCCESS(status))
return;
index = RtlHashmapHashKeyAndAcquireBucket(map, ProcessId);
if (index == STATUS_INVALID_HASHMAP_INDEX)
return;
entry = RtlHashmapEntryLookup(GetProcessHashmap(), index, &ProcessId);
/* critical error has occured */
if (!entry) {
DEBUG_ERROR("RtlLookupEntryHashmap failed.");
goto end;
}
context = (PPROCESS_MODULE_MAP_CONTEXT)map->context;
module = ExAllocateFromLookasideListEx(&context->pool);
if (!module)
goto end;
/* for now lets just do base and size */
module->base = ImageInfo->ImageBase;
module->size = ImageInfo->ImageSize;
/*
* 1. We dont care if this errors
* 2. There is a bug with the conversion need 2 look into...
*/
if (FullImageName)
UnicodeToCharBufString(
FullImageName,
module->path,
sizeof(module->path));
InsertTailList(&entry->module_list, &module->entry);
entry->list_count++;
end:
RtlHashmapReleaseBucket(map, index);
}
VOID
ImageLoadNotifyRoutineCallback(
_In_opt_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo)
{
UNREFERENCED_PARAMETER(ProcessId);
NTSTATUS status = STATUS_UNSUCCESSFUL;
PDRIVER_LIST_ENTRY entry = NULL;
RTL_MODULE_EXTENDED_INFO module = {0};
PDRIVER_LIST_HEAD head = GetDriverList();
ANSI_STRING ansi_path = {0};
if (InterlockedExchange(&head->active, head->active) == FALSE)
return;
if (ImageInfo->SystemModeImage == FALSE) {
ImageLoadInsertNonSystemImageIntoProcessHashmap(
ImageInfo,
ProcessId,
FullImageName);
return;
}
FindDriverEntryByBaseAddress(ImageInfo->ImageBase, &entry);
/* if we image exists, exit */
if (entry)
return;
entry = ExAllocatePool2(
POOL_FLAG_NON_PAGED,
sizeof(DRIVER_LIST_ENTRY),
POOL_TAG_DRIVER_LIST);
if (!entry)
return;
entry->hashed = TRUE;
entry->x86 = FALSE;
entry->ImageBase = ImageInfo->ImageBase;
entry->ImageSize = ImageInfo->ImageSize;
module.ImageBase = ImageInfo->ImageBase;
module.ImageSize = ImageInfo->ImageSize;
if (FullImageName) {
UnicodeToCharBufString(
FullImageName,
module.FullPathName,
sizeof(module.FullPathName));
IntCopyMemory(
entry->path,
module.FullPathName,
sizeof(module.FullPathName));
}
DEBUG_VERBOSE("New system image ansi: %s", entry->path);
hash:
status = HashModule(&module, &entry->text_hash);
if (status == STATUS_INVALID_IMAGE_WIN_32) {
DEBUG_ERROR("32 bit module not hashed, will hash later. %x", status);
entry->x86 = TRUE;
entry->hashed = FALSE;
}
else if (!NT_SUCCESS(status)) {
DEBUG_ERROR("HashModule failed with status %x", status);
entry->hashed = FALSE;
}
KeAcquireGuardedMutex(&head->lock);
InsertHeadList(&head->list_entry, &entry->list_entry);
KeReleaseGuardedMutex(&head->lock);
}
/* assumes map lock is held */
VOID
FreeProcessEntryModuleList(
_In_ PPROCESS_LIST_ENTRY Entry, _In_opt_ PVOID Context)
{
UNREFERENCED_PARAMETER(Context);
NT_ASSERT(Entry != NULL);
PRTL_HASHMAP map = GetProcessHashmap();
PLIST_ENTRY list = NULL;
PPROCESS_MAP_MODULE_ENTRY list_entry = NULL;
PPROCESS_MODULE_MAP_CONTEXT context = map->context;
while (!IsListEmpty(&Entry->module_list)) {
list = RemoveTailList(&Entry->module_list);
list_entry = CONTAINING_RECORD(list, PROCESS_MAP_MODULE_ENTRY, entry);
ExFreeToLookasideListEx(&context->pool, list_entry);
}
}
VOID
EnumerateProcessModuleList(
_In_ HANDLE ProcessId,
_In_ PROCESS_MODULE_CALLBACK Callback,
_In_opt_ PVOID Context)
{
INT32 index = 0;
PRTL_HASHMAP map = GetProcessHashmap();
BOOLEAN ret = FALSE;
PPROCESS_LIST_ENTRY entry = NULL;
PLIST_ENTRY list = NULL;
PPROCESS_MAP_MODULE_ENTRY module = NULL;
if (!map->active)
return;
index = RtlHashmapHashKeyAndAcquireBucket(map, ProcessId);
if (index == STATUS_INVALID_HASHMAP_INDEX)
return;
entry = RtlHashmapEntryLookup(map, index, &ProcessId);
if (!entry)
goto end;
for (list = entry->module_list.Flink; list != &entry->module_list;
list = list->Flink) {
module = CONTAINING_RECORD(list, PROCESS_MAP_MODULE_ENTRY, entry);
if (Callback(module, Context))
goto end;
}
end:
RtlHashmapReleaseBucket(map, index);
}
VOID
FindOurUserModeModuleEntry(
_In_ PROCESS_MODULE_CALLBACK Callback, _In_opt_ PVOID Context)
{
NT_ASSERT(Callback != NULL);
INT32 index = 0;
PRTL_HASHMAP map = GetProcessHashmap();
PPROCESS_LIST_ENTRY entry = NULL;
PACTIVE_SESSION session = GetActiveSession();
PLIST_ENTRY list = NULL;
PPROCESS_MAP_MODULE_ENTRY module = NULL;
if (!map->active)
return;
index = RtlHashmapHashKeyAndAcquireBucket(map, session->km_handle);
if (index == STATUS_INVALID_HASHMAP_INDEX)
return;
entry = RtlHashmapEntryLookup(map, index, &session->km_handle);
if (!entry)
return;
for (list = entry->module_list.Flink; list != &entry->module_list;
list = list->Flink) {
module = CONTAINING_RECORD(list, PROCESS_MAP_MODULE_ENTRY, entry);
if (module->base == session->module.base_address &&
module->size == session->module.size) {
Callback(module, Context);
goto end;
}
}
end:
RtlHashmapReleaseBucket(map, index);
}
VOID
CleanupProcessHashmap()
{
PRTL_HASHMAP map = GetProcessHashmap();
PRTL_HASHMAP_ENTRY entry = NULL;
PRTL_HASHMAP_ENTRY temp = NULL;
PLIST_ENTRY list = NULL;
PPROCESS_MODULE_MAP_CONTEXT context = NULL;
RtlHashmapSetInactive(map);
/* First, free all module lists */
RtlHashmapEnumerate(map, FreeProcessEntryModuleList, NULL);
for (UINT32 index = 0; index < map->bucket_count; index++) {
entry = &map->buckets[index];
KeAcquireGuardedMutex(&map->locks[index]);
while (!IsListEmpty(&entry->entry)) {
list = RemoveHeadList(&entry->entry);
temp = CONTAINING_RECORD(list, RTL_HASHMAP_ENTRY, entry);
ExFreePoolWithTag(temp, POOL_TAG_HASHMAP);
}
KeReleaseGuardedMutex(&map->locks[index]);
}
context = map->context;
ExDeleteLookasideListEx(&context->pool);
ExFreePoolWithTag(map->context, POOL_TAG_HASHMAP);
RtlHashmapDelete(map);
}
NTSTATUS
InitialiseProcessHashmap()
{
PAGED_CODE();
NTSTATUS status = STATUS_UNSUCCESSFUL;
PPROCESS_MODULE_MAP_CONTEXT context = NULL;
context = ExAllocatePool2(
POOL_FLAG_NON_PAGED,
sizeof(PROCESS_MODULE_MAP_CONTEXT),
POOL_TAG_HASHMAP);
if (!context)
return STATUS_INSUFFICIENT_RESOURCES;
status = ExInitializeLookasideListEx(
&context->pool,
NULL,
NULL,
NonPagedPoolNx,
0,
sizeof(PROCESS_MAP_MODULE_ENTRY),
POOL_TAG_MODULE_LIST,
0);
if (!NT_SUCCESS(status)) {
ExFreePoolWithTag(context, POOL_TAG_HASHMAP);
return status;
}
status = RtlHashmapCreate(
PROCESS_HASHMAP_BUCKET_COUNT,
sizeof(PROCESS_LIST_ENTRY),
ProcessHashmapHashFunction,
ProcessHashmapCompareFunction,
context,
GetProcessHashmap());
if (!NT_SUCCESS(status)) {
DEBUG_ERROR("RtlCreateHashmap: %lx", status);
ExDeleteLookasideListEx(&context->pool);
ExFreePoolWithTag(context, POOL_TAG_HASHMAP);
return status;
}
return status;
}
STATIC
UINT32
ThreadListTreeCompare(_In_ PVOID Key, _In_ PVOID Object)
{
NT_ASSERT(Key != NULL);
NT_ASSERT(Object != NULL);
HANDLE tid_1 = *((PHANDLE)Object);
HANDLE tid_2 = *((PHANDLE)Key);
if (tid_2 < tid_1)
return RB_TREE_LESS_THAN;
else if (tid_2 > tid_1)
return RB_TREE_GREATER_THAN;
else
return RB_TREE_EQUAL;
}
NTSTATUS
InitialiseThreadList()
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
PRB_TREE tree = GetThreadTree();
status =
RtlRbTreeCreate(ThreadListTreeCompare, sizeof(THREAD_LIST_ENTRY), tree);
if (!NT_SUCCESS(status)) {
DEBUG_ERROR("RtlRbTreeCreate: %x", status);
return status;
}
tree->active = TRUE;
return status;
}
VOID
FindThreadListEntryByThreadAddress(
_In_ HANDLE ThreadId, _Out_ PTHREAD_LIST_ENTRY* Entry)
{
PRB_TREE tree = GetThreadTree();
RtlRbTreeAcquireLock(tree);
*Entry = RtlRbTreeFindNodeObject(tree, &ThreadId);
RtlRbTreeReleaselock(tree);
}
FORCEINLINE
STATIC
BOOLEAN
CanInitiateDeferredHashing(_In_ LPCSTR ProcessName, _In_ PDRIVER_LIST_HEAD Head)
{
return !IntCompareString(ProcessName, "winlogon.exe") && Head->work_item
? TRUE
: FALSE;
}
#ifdef DEBUG
STATIC
VOID
PrintHashmapCallback(_In_ PPROCESS_LIST_ENTRY Entry, _In_opt_ PVOID Context)
{
PPROCESS_MAP_MODULE_ENTRY module = NULL;
PLIST_ENTRY list = NULL;
UNREFERENCED_PARAMETER(Context);
DEBUG_VERBOSE("Process ID: %p", Entry->process_id);
for (list = Entry->module_list.Flink; list != &Entry->module_list;
list = list->Flink) {
module = CONTAINING_RECORD(list, PROCESS_MAP_MODULE_ENTRY, entry);
DEBUG_VERBOSE(
" -> Module Base: %p, size: %lx, path: %s",
(PVOID)module->base,
module->size,
module->path);
}
}
VOID
EnumerateAndPrintProcessHashmap()
{
RtlHashmapEnumerate(GetProcessHashmap(), PrintHashmapCallback, NULL);
}
#endif
VOID
ProcessCreateNotifyRoutine(
_In_ HANDLE ParentId, _In_ HANDLE ProcessId, _In_ BOOLEAN Create)
{
INT32 index = 0;
PKPROCESS parent = NULL;
PKPROCESS process = NULL;
PDRIVER_LIST_HEAD driver_list = GetDriverList();
LPCSTR process_name = NULL;
PRTL_HASHMAP map = GetProcessHashmap();
PPROCESS_LIST_ENTRY entry = NULL;
if (!map->active)
return;
ImpPsLookupProcessByProcessId(ParentId, &parent);
ImpPsLookupProcessByProcessId(ProcessId, &process);
if (!parent || !process)
return;
process_name = ImpPsGetProcessImageFileName(process);
index = RtlHashmapHashKeyAndAcquireBucket(map, ProcessId);
if (index == STATUS_INVALID_HASHMAP_INDEX)
return;
if (Create) {
entry = RtlHashmapEntryInsert(map, index);
if (!entry)
goto end;
entry->process_id = ProcessId;
entry->process = process;
entry->parent = parent;
InitializeListHead(&entry->module_list);
entry->list_count = 0;
/*
* Notify to our driver that we can hash x86 modules, and hash
* any x86 modules that werent hashed.
*/
if (CanInitiateDeferredHashing(process_name, driver_list)) {
IoQueueWorkItem(
driver_list->work_item,
DeferredModuleHashingCallback,
NormalWorkQueue,
NULL);
}
}
else {
entry = RtlHashmapEntryLookup(map, ProcessId, &ProcessId);
if (!entry) {
DEBUG_ERROR("UNABLE TO FIND PROCESS NODE!!!");
goto end;
}
ImpObDereferenceObject(entry->parent);
ImpObDereferenceObject(entry->process);
FreeProcessEntryModuleList(entry, NULL);
RtlHashmapEntryDelete(map, index, &ProcessId);
}
end:
RtlHashmapReleaseBucket(map, index);
}
VOID
ThreadCreateNotifyRoutine(
_In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ BOOLEAN Create)
{
PTHREAD_LIST_ENTRY entry = NULL;
PKTHREAD thread = NULL;
PKPROCESS process = NULL;
PRB_TREE tree = GetThreadTree();
/* ensure we don't insert new entries if we are unloading */
if (!tree->active)
return;
ImpPsLookupThreadByThreadId(ThreadId, &thread);
ImpPsLookupProcessByProcessId(ProcessId, &process);
/* ideally we should dereference the other but this shouldnt really ever
* fail */
if (!thread || !process)
return;
RtlRbTreeAcquireLock(tree);
if (Create) {
entry = RtlRbTreeInsertNode(tree, &ThreadId);
if (!entry)
goto end;
entry->thread_id = ThreadId;
entry->thread = thread;
entry->owning_process = process;
entry->apc = NULL;
entry->apc_queued = FALSE;
}
else {
entry = RtlRbTreeFindNodeObject(tree, &ThreadId);
if (!entry)
goto end;
ImpObDereferenceObject(entry->thread);
ImpObDereferenceObject(entry->owning_process);
RtlRbTreeDeleteNode(tree, &ThreadId);
}
end:
RtlRbTreeReleaselock(tree);
}
VOID
ObPostOpCallbackRoutine(
_In_ PVOID RegistrationContext,
_In_ POB_POST_OPERATION_INFORMATION OperationInformation)
{
PAGED_CODE();
UNREFERENCED_PARAMETER(RegistrationContext);
UNREFERENCED_PARAMETER(OperationInformation);
}
#define MAX_PROCESS_NAME_LENGTH 30
#define PROCESS_HANDLE_OPEN_DOWNGRADE_COUNT 4
#define DOWNGRADE_LSASS 0
#define DOWNGRADE_CSRSS 1
#define DOWNGRADE_WERFAULT 2
#define DOWNGRADE_MSMPENG 3
CHAR PROCESS_HANDLE_OPEN_DOWNGRADE[PROCESS_HANDLE_OPEN_DOWNGRADE_COUNT]
[MAX_PROCESS_NAME_LENGTH] = {
"lsass.exe",
"csrss.exe",
"WerFault.exe",
"MsMpEng.exe"};
#define PROCESS_HANDLE_OPEN_WHITELIST_COUNT 3
CHAR PROCESS_HANDLE_OPEN_WHITELIST[PROCESS_HANDLE_OPEN_WHITELIST_COUNT]
[MAX_PROCESS_NAME_LENGTH] = {
"Discord.exe",
"svchost.exe",
"explorer.exe"};
STATIC
BOOLEAN
IsWhitelistedHandleOpenProcess(_In_ LPCSTR ProcessName)
{
for (UINT32 index = 0; index < PROCESS_HANDLE_OPEN_WHITELIST_COUNT;
index++) {
if (!IntCompareString(
ProcessName,
PROCESS_HANDLE_OPEN_WHITELIST[index]))
return TRUE;
}
return FALSE;
}
STATIC
BOOLEAN
IsDowngradeHandleOpenProcess(_In_ LPCSTR ProcessName)
{
for (UINT32 index = 0; index < PROCESS_HANDLE_OPEN_DOWNGRADE_COUNT;
index++) {
if (!IntCompareString(
ProcessName,
PROCESS_HANDLE_OPEN_DOWNGRADE[index]))
return TRUE;
}
return FALSE;
}
// https://www.sysnative.com/forums/threads/object-headers-handles-and-types.34987/
#define GET_OBJECT_HEADER_FROM_HANDLE(x) ((x << 4) | 0xffff000000000000);
OB_PREOP_CALLBACK_STATUS
ObPreOpCallbackRoutine(
_In_ PVOID RegistrationContext,
_In_ POB_PRE_OPERATION_INFORMATION OperationInformation)
{
PAGED_CODE();
UNREFERENCED_PARAMETER(RegistrationContext);
/* access mask to completely strip permissions */
ACCESS_MASK deny_access = SYNCHRONIZE | PROCESS_TERMINATE;
NTSTATUS status = STATUS_UNSUCCESSFUL;
PEPROCESS process_creator = PsGetCurrentProcess();
PEPROCESS protected_process = NULL;
PEPROCESS target_process = (PEPROCESS)OperationInformation->Object;
HANDLE process_creator_id = ImpPsGetProcessId(process_creator);
LONG protected_process_id = 0;
LPCSTR process_creator_name = NULL;
LPCSTR target_process_name = NULL;
LPCSTR protected_process_name = NULL;
POB_CALLBACKS_CONFIG configuration = NULL;
UINT32 report_size = 0;
/*
* This is to prevent the condition where the thread executing this
* function is scheduled whilst we are cleaning up the callbacks on
* driver unload. We must hold the driver config lock to ensure the pool
* containing the callback configuration lock is not freed
*/
SessionGetCallbackConfiguration(&configuration);
if (!configuration)
return OB_PREOP_SUCCESS;
ImpKeAcquireGuardedMutex(&configuration->lock);
SessionGetProcessId(&protected_process_id);
SessionGetProcess(&protected_process);
if (!protected_process_id || !protected_process)
goto end;
process_creator_name = ImpPsGetProcessImageFileName(process_creator);
target_process_name = ImpPsGetProcessImageFileName(target_process);
protected_process_name = ImpPsGetProcessImageFileName(protected_process);
if (!protected_process_name || !target_process_name)
goto end;
if (IntCompareString(protected_process_name, target_process_name))
goto end;
/*
* WerFault is some windows 11 application that cries when it
* cant get a handle, so well allow it for now... todo; learn
* more about it
*
* todo: perform stricter checks rather then the image name.
* perhapds check some certificate or something.
*/
if (IsDowngradeHandleOpenProcess(process_creator_name) ||
!IntCompareString(process_creator_name, target_process_name)) {
/* We will downgrade these handles later */
// DEBUG_LOG("Handles created by CSRSS, LSASS and
// WerFault are allowed for now...");
}
else if (target_process == process_creator) {
// DEBUG_LOG("handles made by NOTEPAD r okay :)");
/* handles created by the game (notepad) are okay */
}
else {
OperationInformation->Parameters->CreateHandleInformation
.DesiredAccess = deny_access;
OperationInformation->Parameters->DuplicateHandleInformation
.DesiredAccess = deny_access;
/*
* These processes will constantly open handles to any
* open process for various reasons, so we will still
* strip them but we won't report them.. for now
* atleast.
*/
if (IsWhitelistedHandleOpenProcess(process_creator_name))
goto end;
report_size = CryptRequestRequiredBufferLength(
sizeof(OPEN_HANDLE_FAILURE_REPORT));
POPEN_HANDLE_FAILURE_REPORT report = ImpExAllocatePool2(
POOL_FLAG_NON_PAGED,
report_size,
REPORT_POOL_TAG);
if (!report)
goto end;
INIT_REPORT_PACKET(report, REPORT_ILLEGAL_HANDLE_OPERATION, 0);
report->is_kernel_handle = OperationInformation->KernelHandle;
report->process_id = process_creator_id;
report->thread_id = ImpPsGetCurrentThreadId();
report->access = OperationInformation->Parameters
->CreateHandleInformation.DesiredAccess;
IntCopyMemory(
report->process_name,
process_creator_name,
HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH);
status = CryptEncryptBuffer(report, report_size);
if (!NT_SUCCESS(status)) {
DEBUG_ERROR("CryptEncryptBuffer: %x", status);
ExFreePoolWithTag(report, report_size);
goto end;
}
IrpQueueSchedulePacket(report, report_size);
}
end:
ImpKeReleaseGuardedMutex(&configuration->lock);
return OB_PREOP_SUCCESS;
}
/* stolen from ReactOS xD */
VOID NTAPI
ExUnlockHandleTableEntry(
IN PHANDLE_TABLE HandleTable, IN PHANDLE_TABLE_ENTRY HandleTableEntry)
{
INT64 old_value;
PAGED_CODE();
/* Set the lock bit and make sure it wasn't earlier */
old_value = InterlockedOr((PLONG)&HandleTableEntry->VolatileLowValue, 1);
/* Unblock any waiters */
#pragma warning(push)
#pragma warning(disable : C6387)
ImpExfUnblockPushLock(&HandleTable->HandleContentionEvent, NULL);
#pragma warning(pop)
}
FORCEINLINE
STATIC
ACCESS_MASK
GetHandleAccessMask(_In_ PHANDLE_TABLE_ENTRY Entry)
{
return (ACCESS_MASK)Entry->GrantedAccessBits;
}
static UNICODE_STRING OBJECT_TYPE_PROCESS = RTL_CONSTANT_STRING(L"Process");
static UNICODE_STRING OBJECT_TYPE_THREAD = RTL_CONSTANT_STRING(L"Thread");
STATIC
BOOLEAN
EnumHandleCallback(
_In_ PHANDLE_TABLE HandleTable,
_In_ PHANDLE_TABLE_ENTRY Entry,
_In_ HANDLE Handle,
_In_ PVOID Context)
{
PAGED_CODE();
UNREFERENCED_PARAMETER(Context);
NTSTATUS status = STATUS_UNSUCCESSFUL;
PVOID object = NULL;
PVOID object_header = NULL;
POBJECT_TYPE object_type = NULL;
PEPROCESS process = NULL;
PEPROCESS protected_process = NULL;
LPCSTR process_name = NULL;
LPCSTR protected_process_name = NULL;
ACCESS_MASK handle_access_mask = 0;
UINT32 report_size = 0;
object_header = GET_OBJECT_HEADER_FROM_HANDLE(Entry->ObjectPointerBits);
/* Object header is the first 30 bytes of the object */
object = (uintptr_t)object_header + OBJECT_HEADER_SIZE;
object_type = ImpObGetObjectType(object);
/* TODO: check for threads aswell */
if (ImpRtlCompareUnicodeString(
&object_type->Name,
&OBJECT_TYPE_PROCESS,
TRUE)) {
goto end;
}
process = (PEPROCESS)object;
process_name = ImpPsGetProcessImageFileName(process);
SessionGetProcess(&protected_process);
protected_process_name = ImpPsGetProcessImageFileName(protected_process);
if (IntCompareString(process_name, protected_process_name))
goto end;
DEBUG_VERBOSE(
"Handle references our protected process with access mask: %lx",
(ACCESS_MASK)Entry->GrantedAccessBits);
handle_access_mask = GetHandleAccessMask(Entry);
/* These permissions can be stripped from every process
* including CSRSS and LSASS */
if (handle_access_mask & PROCESS_CREATE_PROCESS) {
Entry->GrantedAccessBits &= ~PROCESS_CREATE_PROCESS;
DEBUG_VERBOSE("Stripped PROCESS_CREATE_PROCESS");
}
if (handle_access_mask & PROCESS_CREATE_THREAD) {
Entry->GrantedAccessBits &= ~PROCESS_CREATE_THREAD;
DEBUG_VERBOSE("Stripped PROCESS_CREATE_THREAD");
}
if (handle_access_mask & PROCESS_DUP_HANDLE) {
Entry->GrantedAccessBits &= ~PROCESS_DUP_HANDLE;
DEBUG_VERBOSE("Stripped PROCESS_DUP_HANDLE");
}
if (handle_access_mask & PROCESS_QUERY_INFORMATION) {
Entry->GrantedAccessBits &= ~PROCESS_QUERY_INFORMATION;
DEBUG_VERBOSE("Stripped PROCESS_QUERY_INFORMATION");
}
if (handle_access_mask & PROCESS_QUERY_LIMITED_INFORMATION) {
Entry->GrantedAccessBits &= ~PROCESS_QUERY_LIMITED_INFORMATION;
DEBUG_VERBOSE("Stripped PROCESS_QUERY_LIMITED_INFORMATION");
}
if (handle_access_mask & PROCESS_VM_READ) {
Entry->GrantedAccessBits &= ~PROCESS_VM_READ;
DEBUG_VERBOSE("Stripped PROCESS_VM_READ");
}
if (!IntCompareString(process_name, "csrss.exe") ||
!IntCompareString(process_name, "lsass.exe")) {
DEBUG_VERBOSE(
"Required system process allowed, only stripping some permissions");
goto end;
}
/* Permissions beyond here can only be stripped from non
* critical processes */
if (handle_access_mask & PROCESS_SET_INFORMATION) {
Entry->GrantedAccessBits &= ~PROCESS_SET_INFORMATION;
DEBUG_VERBOSE("Stripped PROCESS_SET_INFORMATION");
}
if (handle_access_mask & PROCESS_SET_QUOTA) {
Entry->GrantedAccessBits &= ~PROCESS_SET_QUOTA;
DEBUG_VERBOSE("Stripped PROCESS_SET_QUOTA");
}
if (handle_access_mask & PROCESS_SUSPEND_RESUME) {
Entry->GrantedAccessBits &= ~PROCESS_SUSPEND_RESUME;
DEBUG_VERBOSE("Stripped PROCESS_SUSPEND_RESUME ");
}
if (handle_access_mask & PROCESS_TERMINATE) {
Entry->GrantedAccessBits &= ~PROCESS_TERMINATE;
DEBUG_VERBOSE("Stripped PROCESS_TERMINATE");
}
if (handle_access_mask & PROCESS_VM_OPERATION) {
Entry->GrantedAccessBits &= ~PROCESS_VM_OPERATION;
DEBUG_VERBOSE("Stripped PROCESS_VM_OPERATION");
}
if (handle_access_mask & PROCESS_VM_WRITE) {
Entry->GrantedAccessBits &= ~PROCESS_VM_WRITE;
DEBUG_VERBOSE("Stripped PROCESS_VM_WRITE");
}
report_size =
CryptRequestRequiredBufferLength(sizeof(OPEN_HANDLE_FAILURE_REPORT));
POPEN_HANDLE_FAILURE_REPORT report =
ImpExAllocatePool2(POOL_FLAG_NON_PAGED, report_size, REPORT_POOL_TAG);
if (!report)
goto end;
/*
* Using the same report structure as the ObRegisterCallbacks
* report since both of these reports are closely related by the
* fact they are triggered by a process either opening a handle
* to our protected process or have a valid open handle to it. I
* also don't think its worth creating another queue
* specifically for open handle reports since they will be rare.
*/
INIT_REPORT_PACKET(report, REPORT_ILLEGAL_HANDLE_OPERATION, 0);
report->is_kernel_handle = Entry->Attributes & OBJ_KERNEL_HANDLE;
report->process_id = ImpPsGetProcessId(process);
report->thread_id = 0;
report->access = handle_access_mask;
IntCopyMemory(
&report->process_name,
process_name,
HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH);
status = CryptEncryptBuffer(report, report_size);
if (!NT_SUCCESS(status)) {
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
ImpExFreePoolWithTag(report, report_size);
goto end;
}
IrpQueueSchedulePacket(report, report_size);
end:
ExUnlockHandleTableEntry(HandleTable, Entry);
return FALSE;
}
NTSTATUS
EnumerateProcessHandles(_In_ PPROCESS_LIST_ENTRY Entry, _In_opt_ PVOID Context)
{
/* Handles are stored in pageable memory */
PAGED_CODE();
UNREFERENCED_PARAMETER(Context);
NT_ASSERT(Entry != NULL);
if (!Entry)
return STATUS_INVALID_PARAMETER;
if (Entry->process == PsInitialSystemProcess)
return STATUS_SUCCESS;
PHANDLE_TABLE handle_table =
*(PHANDLE_TABLE*)((uintptr_t)Entry->process +
EPROCESS_HANDLE_TABLE_OFFSET);
if (!handle_table)
return STATUS_INVALID_ADDRESS;
if (!ImpMmIsAddressValid(handle_table))
return STATUS_INVALID_ADDRESS;
#pragma warning(push)
#pragma warning(suppress : 6387)
ImpExEnumHandleTable(handle_table, EnumHandleCallback, NULL, NULL);
#pragma warning(pop)
return STATUS_SUCCESS;
}
#define REPEAT_TIME_10_SEC 10000
STATIC
VOID
TimerObjectValidateProcessModuleCallback(
_In_ PPROCESS_MAP_MODULE_ENTRY Entry, _In_opt_ PVOID Context)
{
NT_ASSERT(Entry != NULL);
CHAR hash[SHA_256_HASH_LENGTH] = {0};
NTSTATUS status = STATUS_UNSUCCESSFUL;
PACTIVE_SESSION session = (PACTIVE_SESSION)Context;
if (!ARGUMENT_PRESENT(Context))
return;
status = HashUserModule(Entry, hash, sizeof(hash));
if (!NT_SUCCESS(status)) {
DEBUG_ERROR("HashUserModule: %x", status);
return;
}
if (IntCompareMemory(hash, session->module.module_hash, sizeof(hash)) !=
sizeof(hash)) {
DEBUG_ERROR("User module hash not matching!! MODIFIED!");
return;
}
DEBUG_VERBOSE("User module hash valid.");
}
STATIC
VOID
TimerObjectWorkItemRoutine(
_In_ PDEVICE_OBJECT DeviceObject, _In_opt_ PVOID Context)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
PTIMER_OBJECT timer = (PTIMER_OBJECT)Context;
PDRIVER_LIST_HEAD list = GetDriverList();
PACTIVE_SESSION session = GetActiveSession();
UNREFERENCED_PARAMETER(DeviceObject);
if (!ARGUMENT_PRESENT(Context))
return;
if (!list->active)
goto end;
DEBUG_VERBOSE("Integrity check timer callback invoked.");
RtlRbTreePrintCurrentStatistics(GetThreadTree());
if (!ValidateOurDriversDispatchRoutines()) {
DEBUG_VERBOSE("l");
}
status = ValidateOurDriverImage();
if (!NT_SUCCESS(status))
DEBUG_ERROR("ValidateOurDriverImage failed with status %x", status);
KeAcquireGuardedMutex(&session->lock);
if (!session->is_session_active) {
KeReleaseGuardedMutex(&session->lock);
goto end;
}
FindOurUserModeModuleEntry(
TimerObjectValidateProcessModuleCallback,
session);
KeReleaseGuardedMutex(&session->lock);
end:
InterlockedExchange(&timer->state, FALSE);
}
/*
* This routine is executed every x seconds, and is run at IRQL = DISPATCH_LEVEL
*/
STATIC
VOID
TimerObjectCallbackRoutine(
_In_ PKDPC Dpc,
_In_opt_ PVOID DeferredContext,
_In_opt_ PVOID SystemArgument1,
_In_opt_ PVOID SystemArgument2)
{
UNREFERENCED_PARAMETER(Dpc);
UNREFERENCED_PARAMETER(SystemArgument1);
UNREFERENCED_PARAMETER(SystemArgument2);
NT_ASSERT(DeferredContext != NULL);
if (!HasDriverLoaded() || !ARGUMENT_PRESENT(DeferredContext))
return;
PTIMER_OBJECT timer = (PTIMER_OBJECT)DeferredContext;
/* we dont want to queue our work item if it hasnt executed */
if (timer->state)
return;
/* we queue a work item because DPCs run at IRQL = DISPATCH_LEVEL and we
* need certain routines which cannot be run at an IRQL this high.*/
InterlockedExchange(&timer->state, TRUE);
IoQueueWorkItem(
timer->work_item,
TimerObjectWorkItemRoutine,
BackgroundWorkQueue,
timer);
}
NTSTATUS
InitialiseTimerObject(_Out_ PTIMER_OBJECT Timer)
{
LARGE_INTEGER due_time = {.QuadPart = -ABSOLUTE(SECONDS(5))};
Timer->work_item = IoAllocateWorkItem(GetDriverDeviceObject());
if (!Timer->work_item)
return STATUS_MEMORY_NOT_ALLOCATED;
KeInitializeDpc(&Timer->dpc, TimerObjectCallbackRoutine, Timer);
KeInitializeTimer(&Timer->timer);
KeSetTimerEx(&Timer->timer, due_time, REPEAT_TIME_10_SEC, &Timer->dpc);
DEBUG_VERBOSE("Successfully initialised global timer callback.");
return STATUS_SUCCESS;
}
VOID
CleanupDriverTimerObjects(_Inout_ PTIMER_OBJECT Timer)
{
/* this routine blocks until all queued DPCs on all processors have
* executed. */
KeFlushQueuedDpcs();
/* wait for our work item to complete */
while (Timer->state)
YieldProcessor();
/* now its safe to free and cancel our timers, pools etc. */
KeCancelTimer(&Timer->timer);
IoFreeWorkItem(Timer->work_item);
DEBUG_VERBOSE("Freed timer objects.");
}
VOID
UnregisterProcessObCallbacks()
{
PAGED_CODE();
PACTIVE_SESSION config = GetActiveSession();
AcquireDriverConfigLock();
if (config->callback_configuration.registration_handle) {
ImpObUnRegisterCallbacks(
config->callback_configuration.registration_handle);
config->callback_configuration.registration_handle = NULL;
}
ReleaseDriverConfigLock();
}
NTSTATUS
RegisterProcessObCallbacks()
{
PAGED_CODE();
NTSTATUS status = STATUS_UNSUCCESSFUL;
PACTIVE_SESSION config = GetActiveSession();
OB_CALLBACK_REGISTRATION callback_registration = {0};
OB_OPERATION_REGISTRATION operation_registration = {0};
DEBUG_VERBOSE("Enabling ObRegisterCallbacks.");
AcquireDriverConfigLock();
operation_registration.ObjectType = PsProcessType;
operation_registration.Operations |= OB_OPERATION_HANDLE_CREATE;
operation_registration.Operations |= OB_OPERATION_HANDLE_DUPLICATE;
operation_registration.PreOperation = ObPreOpCallbackRoutine;
operation_registration.PostOperation = ObPostOpCallbackRoutine;
callback_registration.Version = OB_FLT_REGISTRATION_VERSION;
callback_registration.OperationRegistration = &operation_registration;
callback_registration.OperationRegistrationCount = 1;
callback_registration.RegistrationContext = NULL;
status = ImpObRegisterCallbacks(
&callback_registration,
&config->callback_configuration.registration_handle);
if (!NT_SUCCESS(status))
DEBUG_ERROR("ObRegisterCallbacks failed with status %x", status);
ReleaseDriverConfigLock();
return status;
}
VOID
InitialiseObCallbacksConfiguration(_Out_ PACTIVE_SESSION ProcessConfig)
{
ImpKeInitializeGuardedMutex(&ProcessConfig->callback_configuration.lock);
}
================================================
FILE: driver/callbacks.h
================================================
#ifndef CALLBACKS_H
#define CALLBACKS_H
#include "driver.h"
#include "common.h"
#include <wdf.h>
typedef void (*THREADLIST_CALLBACK_ROUTINE)(
_In_ PTHREAD_LIST_ENTRY ThreadListEntry, _In_opt_ PVOID Context);
#define DRIVER_PATH_LENGTH 0x100
#define SHA_256_HASH_LENGTH 32
typedef struct _DRIVER_LIST_ENTRY {
LIST_ENTRY list_entry;
PVOID ImageBase;
ULONG ImageSize;
BOOLEAN hashed;
BOOLEAN x86;
CHAR path[DRIVER_PATH_LENGTH];
CHAR text_hash[SHA_256_HASH_LENGTH];
/*
* This LIST_ENTRY is to be used for modules where the hashing needs to
* be deferred. For example, when x86 modules can't be hashed on driver
* load.
*/
LIST_ENTRY deferred_entry;
} DRIVER_LIST_ENTRY, *PDRIVER_LIST_ENTRY;
typedef void (*DRIVERLIST_CALLBACK_ROUTINE)(
_In_ PDRIVER_LIST_ENTRY DriverListEntry, _In_opt_ PVOID Context);
typedef BOOLEAN (*PROCESS_MODULE_CALLBACK)(_In_ PPROCESS_MAP_MODULE_ENTRY Entry,
_In_opt_ PVOID Context);
NTSTATUS
InitialiseDriverList();
VOID NTAPI
ExUnlockHandleTableEntry(IN PHANDLE_TABLE HandleTable,
IN PHANDLE_TABLE_ENTRY HandleTableEntry);
VOID
ObPostOpCallbackRoutine(_In_ PVOID RegistrationContext,
_In_ POB_POST_OPERATION_INFORMATION
OperationInformation);
OB_PREOP_CALLBACK_STATUS
ObPreOpCallbackRoutine(_In_ PVOID RegistrationContext,
_In_ POB_PRE_OPERATION_INFORMATION OperationInformation);
NTSTATUS
InitialiseThreadList();
VOID
ThreadCreateNotifyRoutine(_In_ HANDLE ProcessId,
_In_ HANDLE ThreadId,
_In_ BOOLEAN Create);
VOID
ProcessCreateNotifyRoutine(_In_ HANDLE ParentId,
_In_ HANDLE ProcessId,
_In_ BOOLEAN Create);
VOID
CleanupThreadListOnDriverUnload();
VOID
FindThreadListEntryByThreadAddress(_In_ HANDLE ThreadId,
_Out_ PTHREAD_LIST_ENTRY* Entry);
VOID
FindDriverEntryByBaseAddress(_In_ PVOID ImageBase,
_Out_ PDRIVER_LIST_ENTRY* Entry);
VOID
CleanupDriverListOnDriverUnload();
VOID
ImageLoadNotifyRoutineCallback(_In_opt_ PUNICODE_STRING FullImageName,
_In_ HANDLE ProcessId,
_In_ PIMAGE_INFO ImageInfo);
NTSTATUS
InitialiseTimerObject(_Out_ PTIMER_OBJECT Timer);
VOID
CleanupDriverTimerObjects(_Inout_ PTIMER_OBJECT Timer);
VOID
UnregisterProcessCreateNotifyRoutine();
VOID
UnregisterImageLoadNotifyRoutine();
VOID
UnregisterThreadCreateNotifyRoutine();
VOID
UnregisterProcessObCallbacks();
NTSTATUS
RegisterProcessObCallbacks();
VOID
InitialiseObCallbacksConfiguration(_Out_ PACTIVE_SESSION ProcessConfig);
VOID
EnumerateDriverListWithCallbackRoutine(
_In_ DRIVERLIST_CALLBACK_ROUTINE CallbackRoutine, _In_opt_ PVOID Context);
VOID
DriverListEntryToExtendedModuleInfo(_In_ PDRIVER_LIST_ENTRY Entry,
_Out_ PRTL_MODULE_EXTENDED_INFO Extended);
NTSTATUS
InitialiseProcessHashmap();
NTSTATUS
EnumerateProcessHandles(_In_ PPROCESS_LIST_ENTRY Entry, _In_opt_ PVOID Context);
VOID
EnumerateAndPrintProcessHashmap();
VOID
CleanupProcessHashmap();
VOID
EnumerateProcessModuleList(_In_ HANDLE ProcessId,
_In_ PROCESS_MODULE_CALLBACK Callback,
_In_opt_ PVOID Context);
VOID
FindOurUserModeModuleEntry(_In_ PROCESS_MODULE_CALLBACK Callback,
_In_opt_ PVOID Context);
#endif
================================================
FILE: driver/common.h
================================================
#ifndef COMMON_H
#define COMMON_H
#include <ntifs.h>
#include <wdftypes.h>
#include "io.h"
#include "types/types.h"
#include <bcrypt.h>
/*
* For numbers < 32, these are equivalent to 0ul << x.
*
* For an item to be printed, its bitwise AND'd with the set filter. If the
* result is non zero the log will be printed.
*/
#define LOG_ERROR_LEVEL 1
#define LOG_WARNING_LEVEL 2
#define LOG_INFO_LEVEL 3
#define LOG_VERBOSE_LEVEL 4
#define DPFLTR_MASK 0x80000000
#define DEBUG_ERROR(fmt, ...) \
DbgPrintEx(DPFLTR_DEFAULT_ID, \
LOG_ERROR_LEVEL, \
"donna-ac : [ERROR] ::: " fmt "\n", \
##__VA_ARGS__)
#define DEBUG_WARNING(fmt, ...) \
DbgPrintEx(DPFLTR_DEFAULT_ID, \
LOG_WARNING_LEVEL, \
"donna-ac : [WARNING] : " fmt "\n", \
##__VA_ARGS__)
#define DEBUG_INFO(fmt, ...) \
DbgPrintEx(DPFLTR_DEFAULT_ID, \
LOG_INFO_LEVEL, \
"donna-ac : [INFO] :::: " fmt "\n", \
##__VA_ARGS__)
#define DEBUG_VERBOSE(fmt, ...) \
DbgPrintEx(DPFLTR_DEFAULT_ID, \
LOG_VERBOSE_LEVEL, \
"donna-ac : [VERBOSE] : " fmt "\n", \
##__VA_ARGS__)
#define HEX_DUMP(fmt, ...) \
DbgPrintEx(DPFLTR_DEFAULT_ID, LOG_VERBOSE_LEVEL, fmt, ##__VA_ARGS__)
#define STATIC static
#define INLINE inline
#define MAX_MODULE_PATH 260
#define RVA(Cast, Base, Rel) \
((Cast)((DWORD_PTR)(Base) + (DWORD_PTR)(Rel)))
#define ARRAYLEN(len, type) ((len) / sizeof(type))
/*
* Interlocked intrinsics are only atomic with respect to other InterlockedXxx
* functions, so all reads and writes to the THREAD_LIST->active flag must be
* with Interlocked instrinsics to ensure atomicity.
*/
typedef struct _THREAD_LIST_HEAD {
SINGLE_LIST_ENTRY start;
volatile BOOLEAN active;
KGUARDED_MUTEX lock;
LOOKASIDE_LIST_EX lookaside_list;
} THREAD_LIST_HEAD, *PTHREAD_LIST_HEAD;
typedef struct _DRIVER_LIST_HEAD {
LIST_ENTRY list_entry;
volatile ULONG count;
volatile BOOLEAN active;
KGUARDED_MUTEX lock;
/* modules that need to be hashed later. */
PIO_WORKITEM work_item;
LIST_ENTRY deferred_list;
volatile BOOLEAN deferred_complete;
volatile LONG can_hash_x86;
} DRIVER_LIST_HEAD, *PDRIVER_LIST_HEAD;
typedef struct _THREAD_LIST_ENTRY {
HANDLE thread_id;
PKTHREAD thread;
PKPROCESS owning_process;
BOOLEAN apc_queued;
PKAPC apc;
} THREAD_LIST_ENTRY, *PTHREAD_LIST_ENTRY;
typedef struct _PROCESS_MODULE_MAP_CONTEXT {
LOOKASIDE_LIST_EX pool;
} PROCESS_MODULE_MAP_CONTEXT, *PPROCESS_MODULE_MAP_CONTEXT;
typedef struct _PROCESS_MAP_MODULE_ENTRY {
LIST_ENTRY entry;
UINT64 base;
UINT32 size;
CHAR path[MAX_MODULE_PATH];
} PROCESS_MAP_MODULE_ENTRY, *PPROCESS_MAP_MODULE_ENTRY;
typedef struct _PROCESS_LIST_ENTRY {
/* IMPORTANT THIS IS FIRST!*/
HANDLE process_id;
PEPROCESS process;
PEPROCESS parent;
LIST_ENTRY module_list;
volatile UINT32 list_count;
} PROCESS_LIST_ENTRY, *PPROCESS_LIST_ENTRY;
/*
* ioctl_flag consists of the first 16 bits of the Function part of the CTL code
* cookie_value consists of a static 16 bit value generated by the user mode app
* on startup which is then passed to the driver and stored.
*/
typedef union _SECURITY_COOKIE {
struct {
UINT32 ioctl_flag : 16;
UINT32 cookie_value : 16;
} bits;
UINT32 flags;
} SECURITY_COOKIE, *PSECURITY_COOKIE;
typedef struct _TIMER_OBJECT {
/*
* state = 1: callback in progress
* state = 0: no callback in progress (i.e safe to free and unregister)
*/
volatile LONG state;
KTIMER timer;
KDPC dpc;
PIO_WORKITEM work_item;
} TIMER_OBJECT, *PTIMER_OBJECT;
typedef enum _ENVIRONMENT_TYPE {
NativeWindows = 0,
Vmware,
VirtualBox
} ENVIRONMENT_TYPE;
typedef enum _PROCESSOR_TYPE {
Unknown = 0,
GenuineIntel,
AuthenticAmd
} PROCESSOR_TYPE;
#define VENDOR_STRING_MAX_LENGTH 256
#define DRIVER_PATH_MAX_LENGTH 512
#define MOTHERBOARD_SERIAL_CODE_LENGTH 64
#define DEVICE_DRIVE_0_SERIAL_CODE_LENGTH 64
#define MAX_REPORTS_PER_IRP 20
#define POOL_TAG_STRINGS 'strs'
#define IOCTL_STORAGE_QUERY_PROPERTY 0x002D1400
#define MAXIMUM_APC_CONTEXTS 10
typedef struct _SYSTEM_INFORMATION {
CHAR motherboard_serial[MOTHERBOARD_SERIAL_CODE_LENGTH];
CHAR drive_0_serial[DEVICE_DRIVE_0_SERIAL_CODE_LENGTH];
CHAR vendor[VENDOR_STRING_MAX_LENGTH];
BOOLEAN virtualised_environment;
ENVIRONMENT_TYPE environment;
PROCESSOR_TYPE processor;
RTL_OSVERSIONINFOW os_information;
} SYSTEM_INFORMATION, *PSYSTEM_INFORMATION;
typedef struct _OB_CALLBACKS_CONFIG {
PVOID registration_handle;
KGUARDED_MUTEX lock;
} OB_CALLBACKS_CONFIG, *POB_CALLBACKS_CONFIG;
typedef struct _DEFERRED_REPORT {
LIST_ENTRY list_entry;
PVOID buffer;
UINT32 buffer_size;
} DEFERRED_REPORT, *PDEFERRED_REPORT;
typedef struct _DEFERRED_REPORTS_LIST {
LIST_ENTRY head;
UINT32 count;
KGUARDED_MUTEX lock;
} DEFERRED_REPORTS_LIST, *PDEFERRED_REPORTS_LIST;
#define EVENT_COUNT 5
typedef struct _IRP_QUEUE_HEAD {
LIST_ENTRY queue;
volatile UINT32 irp_count;
volatile UINT32 total_reports_completed;
volatile UINT32 total_irps_completed;
volatile UINT32 total_heartbeats_completed;
IO_CSQ csq;
KGUARDED_MUTEX lock;
DEFERRED_REPORTS_LIST deferred_reports;
} IRP_QUEUE_HEAD, *PIRP_QUEUE_HEAD;
typedef struct _IRP_QUEUE_ENTRY {
SINGLE_LIST_ENTRY entry;
PIRP irp;
} IRP_QUEUE_ENTRY, *PIRP_QUEUE_ENTRY;
/*
* This structure can change at anytime based on whether
* the target process to protect is open / closed / changes etc.
*/
#define AES_256_KEY_SIZE 32
#define AES_256_IV_SIZE 16
typedef struct _HEARTBEAT_CONFIGURATION {
volatile UINT32 counter;
/* Signifies if a heartbeat callback routine is currently executing. */
volatile UINT32 active;
LARGE_INTEGER seed;
/*
* We actually want the timer and DPC objects to be allocated, so that each
* time our heartbeat callback routine is run, we can remove the timer and
* add a new timer. This makes it harder to identify our heartbeat timers.
*/
PKTIMER timer;
PKDPC dpc;
PIO_WORKITEM work_item;
} HEARTBEAT_CONFIGURATION, *PHEARTBEAT_CONFIGURATION;
#define SHA_256_HASH_LENGTH 32
/* Contains information on our user mode module. */
typedef struct _MODULE_INFORMATION {
PVOID base_address;
UINT32 size;
CHAR path[MAX_MODULE_PATH];
CHAR module_hash[SHA_256_HASH_LENGTH];
} MODULE_INFORMATION, *PMODULE_INFORMATION;
typedef struct _SESSION_INITIATION_PACKET {
UINT32 cookie;
PVOID process_id;
UCHAR aes_key[AES_256_KEY_SIZE];
UCHAR aes_iv[AES_256_IV_SIZE];
MODULE_INFORMATION module_info;
} SESSION_INITIATION_PACKET, *PSESSION_INITIATION_PACKET;
typedef struct _ACTIVE_SESSION {
volatile BOOLEAN is_session_active;
PVOID um_handle;
PVOID km_handle;
PEPROCESS process;
OB_CALLBACKS_CONFIG callback_configuration;
struct {
UINT32 cookie;
UINT32 magic_number;
PUCHAR aes_key[AES_256_KEY_SIZE];
PUCHAR iv[AES_256_IV_SIZE];
BCRYPT_KEY_HANDLE key_handle;
PUCHAR key_object;
UINT32 key_object_length;
};
struct SESSION_STATISTICS {
UINT32 irps_received;
UINT32 report_count;
UINT32 heartbeat_count;
};
MODULE_INFORMATION module;
HEARTBEAT_CONFIGURATION heartbeat_config;
KGUARDED_MUTEX lock;
} ACTIVE_SESSION, *PACTIVE_SESSION;
#define NMI_CONTEXT_POOL '7331'
#define STACK_FRAMES_POOL 'loop'
#define INVALID_DRIVER_LIST_HEAD_POOL 'rwar'
#define INVALID_DRIVER_LIST_ENTRY_POOL 'gaah'
#define POOL_TAG_APC 'apcc'
#define POOL_TAG_CRYPT 'tpcr'
#define POOL_TAG_HW 'hwhw'
#define POOL_TAG_DPC 'apcc'
#define POOL_TAG_HEARTBEAT 'teab'
#define SYSTEM_MODULES_POOL 'halb'
#define THREAD_DATA_POOL 'doof'
#define PROC_AFFINITY_POOL 'eeee'
#define TEMP_BUFFER_POOL 'ffff'
#define DRIVER_PATH_POOL_TAG 'path'
#define POOL_TAG_INTEGRITY 'intg'
#define POOL_TAG_MODULE_MEMORY_BUF 'lolo'
#define POOL_TAG_MODULE_MEMORY_BUF_2 'leeo'
#define POOL_TAG_HASH_OBJECT 'hobj'
#define POOL_TAG_RESULTING_HASH 'hash'
#define POOL_TAG_SAVE_EX_REGIONS 'sexc'
#define POOL_DUMP_BLOCK_TAG 'dump'
#define POOL_DEBUGGER_DATA_TAG 'data'
#define PROCESS_ADDRESS_LIST_TAG 'addr'
#define ANALYSE_PROCESS_TAG 'anls'
#define INVALID_PROCESS_REPORT_TAG 'invd'
#define QUEUE_POOL_TAG 'qqqq'
#define REPORT_QUEUE_TEMP_BUFFER_TAG 'temp'
#define REPORT_POOL_TAG 'repo'
#define MODULES_REPORT_POOL_TAG 'modu'
#define POOL_TAG_LIST_ITEM 'tsil'
#define POOL_TAG_THREAD_LIST 'list'
#define POOL_TAG_PROCESS_LIST 'plis'
#define POOL_TAG_USER_MODULE_LIST 'resu'
#define POOL_TAG_USER_MODULE_NODE 'edon'
#define POOL_TAG_DRIVER_LIST 'drvl'
#define POOL_TAG_IRP_QUEUE 'irpp'
#define POOL_TAG_TIMER 'time'
#define POOL_TAG_MODULE_LIST 'elom'
#define POOL_TAG_RB_TREE 'eert'
#define POOL_TAG_HASHMAP 'hsah'
#define IA32_APERF_MSR 0x000000E8
#define ERROR -1
#define STACK_FRAME_POOL_SIZE 0x200
#define NUMBER_HASH_BUCKETS 37
#define KTHREAD_STACK_BASE_OFFSET 0x030
#define KTHREAD_STACK_LIMIT_OFFSET 0x038
#define KTHREAD_THREADLIST_OFFSET 0x2f8
#define KTHREAD_APC_STATE_OFFSET 0x098
#define KTHREAD_START_ADDRESS_OFFSET 0x450
#define KTHREAD_MISC_FLAGS_OFFSET 0x074
#define KTHREAD_WAIT_IRQL_OFFSET 0x186
#define KTHREAD_PREVIOUS_MODE_OFFSET 0x232
#define KTHREAD_STATE_OFFSET 0x184
#define KTHREAD_MISC_FLAGS_APC_QUEUEABLE 14
#define KTHREAD_MISC_FLAGS_ALERTABLE 4
#define EPROCESS_PEAK_VIRTUAL_SIZE_OFFSET 0x490
#define EPROCESS_VAD_ROOT_OFFSET 0x7d8
#define EPROCESS_OBJECT_TABLE_OFFSET 0x570
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8
#define EPROCESS_PEB_OFFSET 0x550
#define EPROCESS_SECTION_BASE_OFFSET 0x520
#define EPROCESS_IMAGE_FILE_NAME_OFFSET 0x5a8
#define EPROCESS_HANDLE_TABLE_OFFSET 0x570
#define EPROCESS_PLIST_ENTRY_OFFSET 0x448
#define KPROCESS_THREADLIST_OFFSET 0x030
#define KPROCESS_DIRECTORY_TABLE_BASE_OFFSET 0x028
#define OBJECT_HEADER_SIZE 0x30
#define OBJECT_HEADER_TYPE_INDEX_OFFSET 0x018
#define POOL_HEADER_BLOCK_SIZE_OFFSET 0x02
#define POOL_HEADER_TAG_OFFSET 0x04
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_1 0x70
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_2 0x80
#define KPROCESS_OFFSET_FROM_POOL_HEADER_SIZE_3 0x30
#define EPROCESS_SIZE 0xa40
#define KPCRB_CURRENT_THREAD 0x8
#define IA32_GS_BASE 0xc0000101
#define KPRCB_OFFSET_FROM_GS_BASE 0x180
#define MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT 20
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6
#define IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 /* (MIPS GP) */
#define IMAGE_DIRECTORY_ENTRY_TLS 9
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11
#define IMAGE_DIRECTORY_ENTRY_IAT 12 /* Import Address Table */
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14
/*
* Generic macros that allow you to quickly determine whether
* or not a page table entry is present or may forward to a
* large page of data, rather than another page table (applies
* only to PDPTEs and PDEs)
*
* Some nice macros courtesy of:
* https://www.unknowncheats.me/forum/general-programming-and-reversing/523359-introduction-physical-memory.html
*/
#define PAGE_1GB_SHIFT 30
#define PAGE_1GB_OFFSET(x) (x & (~(MAXUINT64 << PAGE_1GB_SHIFT)))
#define PAGE_2MB_SHIFT 21
#define PAGE_2MB_OFFSET(x) (x & (~(MAXUINT64 << PAGE_2MB_SHIFT)))
#define PAGE_4KB_SHIFT 12
#define PAGE_4KB_OFFSET(x) (x & (~(MAXUINT64 << PAGE_4KB_SHIFT)))
typedef struct _KAFFINITY_EX {
USHORT Count;
USHORT Size;
ULONG Reserved;
ULONGLONG Bitmap[20];
} KAFFINITY_EX, *PKAFFINITY_EX;
typedef struct _OBJECT_DIRECTORY_ENTRY {
struct _OBJECT_DIRECTORY_ENTRY* ChainLink;
PVOID Object;
ULONG HashValue;
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
typedef struct _OBJECT_DIRECTORY {
POBJECT_DIRECTORY_ENTRY HashBuckets[NUMBER_HASH_BUCKETS];
EX_PUSH_LOCK Lock;
struct _DEVICE_MAP* DeviceMap;
ULONG SessionId;
PVOID NamespaceEntry;
ULONG Flags;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
typedef struct _DEVICE_MAP {
struct _OBJECT_DIRECTORY* DosDevicesDirectory;
struct _OBJECT_DIRECTORY* GlobalDosDevicesDirectory;
ULONG ReferenceCount;
ULONG DriveMap;
UCHAR DriveType[32];
} DEVICE_MAP, *PDEVICE_MAP;
typedef struct _RTL_MODULE_EXTENDED_INFO {
PVOID ImageBase;
ULONG ImageSize;
USHORT FileNameOffset;
CHAR FullPathName[0x100];
} RTL_MODULE_EXTENDED_INFO, *PRTL_MODULE_EXTENDED_INFO;
/*
Thread Information Block: (GS register)
SEH frame: 0x00
Stack Base: 0x08
Stack Limit: 0x10
SubSystemTib: 0x18
Fiber Data: 0x20
Arbitrary Data: 0x28
TEB: 0x30
Environment Pointer: 0x38
Process ID: 0x40
Current Thread ID: 0x48
Active RPC Handle: 0x50
Thread Local Storage Array: 0x58
PEB: 0x60
Last error number: 0x68
Count Owned Critical Sections: 0x6C
CSR Client Thread: 0x70
Win32 Thread Information: 0x78
...
*/
typedef struct _OBJECT_TYPE {
LIST_ENTRY TypeList;
UNICODE_STRING Name;
PVOID DefaultObject;
UCHAR Index;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
PVOID TypeInfo; //_OBJECT_TYPE_INITIALIZER
EX_PUSH_LOCK TypeLock;
ULONG Key;
LIST_ENTRY CallbackList;
} OBJECT_TYPE, *POBJECT_TYPE;
typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
typedef struct _LDR_DATA_TABLE_ENTRY {
PVOID Reserved1[2];
LIST_ENTRY InMemoryOrderLinks;
PVOID Reserved2[2];
PVOID DllBase;
PVOID Reserved3[2];
UNICODE_STRING FullDllName;
BYTE Reserved4[8];
PVOID Reserved5[3];
#pragma warning(push)
#pragma warning(disable : 4201) // we'll always use the Microsoft compiler
union {
ULONG CheckSum;
PVOID Reserved6;
} DUMMYUNIONNAME;
#pragma warning(pop)
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PVOID ProcessParameters;
PVOID Reserved4[3];
PVOID AtlThunkSListPtr;
PVOID Reserved5;
ULONG Reserved6;
PVOID Reserved7;
ULONG Reserved8;
ULONG AtlThunkSListPtr32;
PVOID Reserved9[45];
BYTE Reserved10[96];
PVOID PostProcessInitRoutine;
BYTE Reserved11[128];
PVOID Reserved12[1];
ULONG SessionId;
} PEB, *PPEB;
typedef struct _PEB32 {
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
ULONG Mutant;
ULONG ImageBaseAddress;
ULONG Ldr;
ULONG ProcessParameters;
ULONG SubSystemData;
ULONG ProcessHeap;
ULONG FastPebLock;
ULONG AtlThunkSListPtr;
ULONG IFEOKey;
ULONG CrossProcessFlags;
ULONG UserSharedInfoPtr;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
ULONG ApiSetMap;
} PEB32, *PPEB32;
typedef struct _PEB_LDR_DATA32 {
ULONG Length;
UCHAR Initialized;
ULONG SsHandle;
LIST_ENTRY32 InLoadOrderModuleList;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;
typedef struct _LDR_DATA_TABLE_ENTRY32 {
LIST_ENTRY32 InLoadOrderLinks;
LIST_ENTRY32 InMemoryOrderLinks;
LIST_ENTRY32 InInitializationOrderLinks;
ULONG DllBase;
ULONG EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING32 FullDllName;
UNICODE_STRING32 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY32 HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
typedef struct _HANDLE_TABLE_ENTRY_INFO {
ULONG AuditMask;
ULONG MaxRelativeAccessMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
typedef union _EXHANDLE {
struct {
int TagBits : 2;
int Index : 30;
} u;
void* GenericHandleOverlay;
ULONG_PTR Value;
} EXHANDLE, *PEXHANDLE;
#pragma warning(disable : 4214 4201)
#pragma pack(push, 1)
typedef struct _POOL_HEADER // Size=16
{
union {
struct {
unsigned long PreviousSize : 8; // Size=4 Offset=0 BitOffset=0
// BitCount=8
unsigned long PoolIndex : 8; // Size=4 Offset=0
// BitOffset=8 BitCount=8
unsigned long BlockSize : 8; // Size=4 Offset=0
// BitOffset=16 BitCount=8
unsigned long PoolType : 8; // Size=4 Offset=0
// BitOffset=24 BitCount=8
};
unsigned long Ulong1; // Size=4 Offset=0
};
unsigned long PoolTag; // Size=4 Offset=4
union {
struct _EPROCESS* ProcessBilled; // Size=8 Offset=8
struct {
unsigned short AllocatorBackTraceIndex; // Size=2 Offset=8
unsigned short PoolTagHash; // Size=2 Offset=10
};
};
} POOL_HEADER, *PPOOL_HEADER;
#pragma pack(pop)
typedef struct _HANDLE_TABLE_ENTRY // Size=16
{
union {
ULONG_PTR VolatileLowValue; // Size=8 Offset=0
ULONG_PTR LowValue; // Size=8 Offset=0
struct _HANDLE_TABLE_ENTRY_INFO* InfoTable; // Size=8 Offset=0
struct {
ULONG_PTR Unlocked : 1; // Size=8 Offset=0 BitOffset=0
// BitCount=1
ULONG_PTR RefCnt : 16; // Size=8 Offset=0 BitOffset=1
// BitCount=16
ULONG_PTR Attributes : 3; // Size=8 Offset=0
// BitOffset=17 BitCount=3
ULONG_PTR
ObjectPointerBits : 44; // Size=8 Offset=0 BitOffset=20
// BitCount=44
};
};
union {
ULONG_PTR HighValue; // Size=8 Offset=8
struct _HANDLE_TABLE_ENTRY* NextFreeHandleEntry; // Size=8 Offset=8
union _EXHANDLE LeafHandleValue; // Size=8 Offset=8
struct {
ULONG GrantedAccessBits : 25; // Size=4 Offset=8
// BitOffset=0 BitCount=25
ULONG NoRightsUpgrade : 1; // Size=4 Offset=8
// BitOffset=25 BitCount=1
ULONG Spare : 6; // Size=4 Offset=8 BitOffset=26
// BitCount=6
};
};
ULONG TypeInfo; // Size=4 Offset=12
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
typedef struct _HANDLE_TABLE_FREE_LIST {
EX_PUSH_LOCK FreeListLock;
PHANDLE_TABLE_ENTRY FirstFreeHandleEntry;
PHANDLE_TABLE_ENTRY LastFreeHandleEntry;
LONG HandleCount;
ULONG HighWaterMark;
} HANDLE_TABLE_FREE_LIST, *PHANDLE_TABLE_FREE_LIST;
typedef struct _HANDLE_TRACE_DB_ENTRY {
CLIENT_ID ClientId;
PVOID Handle;
ULONG Type;
PVOID StackTrace[16];
} HANDLE_TRACE_DB_ENTRY, *PHANDLE_TRACE_DB_ENTRY;
typedef struct _HANDLE_TRACE_DEBUG_INFO {
LONG RefCount;
ULONG TableSize;
ULONG BitMaskFlags;
FAST_MUTEX CloseCompactionLock;
ULONG CurrentStackIndex;
HANDLE_TRACE_DB_ENTRY TraceDb[1];
} HANDLE_TRACE_DEBUG_INFO, *PHANDLE_TRACE_DEBUG_INFO;
typedef struct _HANDLE_TABLE {
ULONG NextHandleNeedingPool;
LONG ExtraInfoPages;
ULONGLONG TableCode;
PEPROCESS QuotaProcess;
LIST_ENTRY HandleTableList;
ULONG UniqueProcessId;
union {
ULONG Flags;
struct {
UCHAR StrictFIFO : 1;
UCHAR EnableHandleExceptions : 1;
UCHAR Rundown : 1;
UCHAR Duplicated : 1;
UCHAR RaiseUMExceptionOnInvalidHandleClose : 1;
};
};
EX_PUSH_LOCK HandleContentionEvent;
EX_PUSH_LOCK HandleTableLock;
union {
HANDLE_TABLE_FREE_LIST FreeLists[1];
UCHAR ActualEntry[32];
};
struct _HANDLE_TRACE_DEBUG_INFO* DebugInfo;
} HANDLE_TABLE, *PHANDLE_TABLE;
typedef BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(IN PHANDLE_TABLE_ENTRY
HandleTableEntry,
IN HANDLE Handle,
IN PVOID EnumParameter);
typedef struct _OBJECT_CREATE_INFORMATION {
ULONG Attributes;
PVOID RootDirectory;
CHAR ProbeMode;
ULONG PagedPoolCharge;
ULONG NonPagedPoolCharge;
ULONG SecurityDescriptorCharge;
PVOID SecurityDescriptor;
struct _SECURITY_QUALITY_OF_SERVICE* SecurityQos;
struct _SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
typedef struct _OBJECT_HEADER {
LONGLONG PointerCount;
union {
LONGLONG HandleCount;
PVOID NextToFree;
};
EX_PUSH_LOCK Lock;
UCHAR TypeIndex;
union {
UCHAR TraceFlags;
struct {
UCHAR DbgRefTrace : 1;
UCHAR DbgTracePermanent : 1;
};
};
UCHAR InfoMask;
union {
UCHAR Flags;
struct {
UCHAR NewObject : 1;
UCHAR KernelObject : 1;
UCHAR KernelOnlyAccess : 1;
UCHAR ExclusiveObject : 1;
UCHAR PermanentObject : 1;
UCHAR DefaultSecurityQuota : 1;
UCHAR SingleHandleEntry : 1;
UCHAR DeletedInline : 1;
};
};
ULONG Reserved;
union {
POBJECT_CREATE_INFORMATION ObjectCreateInfo;
PVOID QuotaBlockCharged;
};
PVOID SecurityDescriptor;
QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;
#define IMAGE_SCN_MEM_EXECUTE 0x20000000
#define IMAGE_SCN_MEM_READ 0x40000000
#define IMAGE_SCN_MEM_WRITE 0x80000000
#define IMAGE_SIZEOF_SHORT_NAME 8
typedef struct _IMAGE_SECTION_HEADER {
unsigned char Name[IMAGE_SIZEOF_SHORT_NAME];
union {
unsigned long PhysicalAddress;
unsigned long VirtualSize;
} Misc;
unsigned long VirtualAddress;
unsigned long SizeOfRawData;
unsigned long PointerToRawData;
unsigned long PointerToRelocations;
unsigned long PointerToLinenumbers;
unsigned short NumberOfRelocations;
unsigned short NumberOfLinenumbers;
unsigned long Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
typedef struct _IMAGE_FILE_HEADER {
unsigned short Machine;
unsigned short NumberOfSections;
unsigned long TimeDateStamp;
unsigned long PointerToSymbolTable;
unsigned long NumberOfSymbols;
unsigned short SizeOfOptionalHeader;
unsigned short Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
unsigned long VirtualAddress;
unsigned long Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
typedef struct _IMAGE_OPTIONAL_HEADER64 {
unsigned short Magic;
unsigned char MajorLinkerVersion;
unsigned char MinorLinkerVersion;
unsigned long SizeOfCode;
unsigned long SizeOfInitializedData;
unsigned long SizeOfUninitializedData;
unsigned long AddressOfEntryPoint;
unsigned long BaseOfCode;
ULONGLONG ImageBase;
unsigned long SectionAlignment;
unsigned long FileAlignment;
unsigned short MajorOperatingSystemVersion;
unsigned short MinorOperatingSystemVersion;
unsigned short MajorImageVersion;
unsigned short MinorImageVersion;
unsigned short MajorSubsystemVersion;
unsigned short MinorSubsystemVersion;
unsigned long Win32VersionValue;
unsigned long SizeOfImage;
unsigned long SizeOfHeaders;
unsigned long CheckSum;
unsigned short Subsystem;
unsigned short DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
unsigned long LoaderFlags;
unsigned long NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef struct _IMAGE_OPTIONAL_HEADER32 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
unsigned short e_magic; // Magic number
unsigned short e_cblp; // Bytes on last page of file
unsigned short e_cp; // Pages in file
unsigned short e_crlc; // Relocations
unsigned short e_cparhdr; // Size of header in paragraphs
unsigned short e_minalloc; // Minimum extra paragraphs needed
unsigned short e_maxalloc; // Maximum extra paragraphs needed
unsigned short e_ss; // Initial (relative) SS value
unsigned short e_sp; // Initial SP value
unsigned short e_csum; // Checksum
unsigned short e_ip; // Initial IP value
unsigned short e_cs; // Initial (relative) CS value
unsigned short e_lfarlc; // File address of relocation table
unsigned short e_ovno; // Overlay number
unsigned short e_res[4]; // Reserved words
unsigned short e_oemid; // OEM identifier (for e_oeminfo)
unsigned short e_oeminfo; // OEM information; e_oemid specific
unsigned short e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
typedef struct _KLDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
// ULONG padding on IA64
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused5;
PVOID SectionPointer;
ULONG CheckSum;
// ULONG padding on IA64
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
typedef struct _IMAGE_EXPORT_DIRECTORY {
DWORD Characteristics;
DWORD TimeDateStamp;
WORD MajorVersion;
WORD MinorVersion;
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions;
DWORD AddressOfNames;
DWORD AddressOfNameOrdinals;
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
typedef struct _LOCAL_NT_HEADER {
unsigned long Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} LOCAL_NT_HEADER, *PLOCAL_NT_HEADER;
#define IMAGE_FIRST_SECTION(ntheader) \
((PIMAGE_SECTION_HEADER)((ULONG_PTR)(ntheader) + \
FIELD_OFFSET(LOCAL_NT_HEADER, OptionalHeader) + \
((ntheader))->FileHeader.SizeOfOptionalHeader))
/* creds: https://www.unknowncheats.me/forum/2602838-post2.html */
typedef struct _DBGKD_DEBUG_DATA_HEADER64 {
LIST_ENTRY64 List;
ULONG OwnerTag;
ULONG Size;
} DBGKD_DEBUG_DATA_HEADER64, *PDBGKD_DEBUG_DATA_HEADER64;
typedef NTSTATUS(__stdcall* ZwQuerySystemInformation)(
_In_ UINT32 SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength);
#define SYSTEM_BIGPOOL_INFORMATION_ID 0x42
typedef struct _SYSTEM_BIGPOOL_ENTRY {
union {
PVOID VirtualAddress;
ULONG_PTR NonPaged : 1;
};
SIZE_T SizeInBytes;
union {
UCHAR Tag[4];
ULONG TagUlong;
};
} SYSTEM_BIGPOOL_ENTRY, *PSYSTEM_BIGPOOL_ENTRY;
typedef struct _SYSTEM_BIGPOOL_INFORMATION {
ULONG Count;
_Field_size_(Count) SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
} SYSTEM_BIGPOOL_INFORMATION, *PSYSTEM_BIGPOOL_INFORMATION;
typedef struct _KDDEBUGGER_DATA64 {
DBGKD_DEBUG_DATA_HEADER64 Header;
ULONG64 KernBase;
ULONG64 BreakpointWithStatus;
ULONG64 SavedContext;
USHORT ThCallbackStack;
USHORT NextCallback;
USHORT FramePointer;
USHORT PaeEnabled;
ULONG64 KiCallUserMode;
ULONG64 KeUserCallbackDispatcher;
ULONG64 PsLoadedModuleList;
ULONG64 PsActiveProcessHead;
ULONG64 PspCidTable;
ULONG64 ExpSystemResourcesList;
ULONG64 ExpPagedPoolDescriptor;
ULONG64 ExpNumberOfPagedPools;
ULONG64 KeTimeIncrement;
ULONG64 KeBugCheckCallbackListHead;
ULONG64 KiBugcheckData;
ULONG64 IopErrorLogListHead;
ULONG64 ObpRootDirectoryObject;
ULONG64 ObpTypeObjectType;
ULONG64 MmSystemCacheStart;
ULONG64 MmSystemCacheEnd;
ULONG64 MmSystemCacheWs;
ULONG64 MmPfnDatabase;
ULONG64 MmSystemPtesStart;
ULONG64 MmSystemPtesEnd;
ULONG64 MmSubsectionBase;
ULONG64 MmNumberOfPagingFiles;
ULONG64 MmLowestPhysicalPage;
ULONG64 MmHighestPhysicalPage;
ULONG64 MmNumberOfPhysicalPages;
ULONG64 MmMaximumNonPagedPoolInBytes;
ULONG64 MmNonPagedSystemStart;
ULONG64 MmNonPagedPoolStart;
ULONG64 MmNonPagedPoolEnd;
ULONG64 MmPagedPoolStart;
ULONG64 MmPagedPoolEnd;
ULONG64 MmPagedPoolInformation;
ULONG64 MmPageSize;
ULONG64 MmSizeOfPagedPoolInBytes;
ULONG64 MmTotalCommitLimit;
ULONG64 MmTotalCommittedPages;
ULONG64 MmSharedCommit;
ULONG64 MmDriverCommit;
ULONG64 MmProcessCommit;
ULONG64 MmPagedPoolCommit;
ULONG64 MmExtendedCommit;
ULONG64 MmZeroedPageListHead;
ULONG64 MmFreePageListHead;
ULONG64 MmStandbyPageListHead;
ULONG64 MmModifiedPageListHead;
ULONG64 MmModifiedNoWritePageListHead;
ULONG64 MmAvailablePages;
ULONG64 MmResidentAvailablePages;
ULONG64 PoolTrackTable;
ULONG64 NonPagedPoolDescriptor;
ULONG64 MmHighestUserAddress;
ULONG64 MmSystemRangeStart;
ULONG64 MmUserProbeAddress;
ULONG64 KdPrintCircularBuffer;
ULONG64 KdPrintCircularBufferEnd;
ULONG64 KdPrintWritePointer;
ULONG64 KdPrintRolloverCount;
ULONG64 MmLoadedUserImageList;
ULONG64 NtBuildLab;
ULONG64 KiNormalSystemCall;
ULONG64 KiProcessorBlock;
ULONG64 MmUnloadedDrivers;
ULONG64 MmLastUnloadedDriver;
ULONG64 MmTriageActionTaken;
ULONG64 MmSpecialPoolTag;
ULONG64 KernelVerifier;
ULONG64 MmVerifierData;
ULONG64 MmAllocatedNonPagedPool;
ULONG64 MmPeakCommitment;
ULONG64 MmTotalCommitLimitMaximum;
ULONG64 CmNtCSDVersion;
ULONG64 MmPhysicalMemoryBlock;
ULONG64 MmSessionBase;
ULONG64 MmSessionSize;
ULONG64 MmSystemParentTablePage;
ULONG64 MmVirtualTranslationBase;
USHORT OffsetKThreadNextProcessor;
USHORT OffsetKThreadTeb;
USHORT OffsetKThreadKernelStack;
USHORT OffsetKThreadInitialStack;
USHORT OffsetKThreadApcProcess;
USHORT OffsetKThreadState;
USHORT OffsetKThreadBStore;
USHORT OffsetKThreadBStoreLimit;
USHORT SizeEProcess;
USHORT OffsetEprocessPeb;
USHORT OffsetEprocessParentCID;
USHORT OffsetEprocessDirectoryTableBase;
USHORT SizePrcb;
USHORT OffsetPrcbDpcRoutine;
USHORT OffsetPrcbCurrentThread;
USHORT OffsetPrcbMhz;
USHORT OffsetPrcbCpuType;
USHORT OffsetPrcbVendorString;
USHORT OffsetPrcbProcStateContext;
USHORT OffsetPrcbNumber;
USHORT SizeEThread;
ULONG64 KdPrintCircularBufferPtr;
ULONG64 KdPrintBufferSize;
ULONG64 KeLoaderBlock;
USHORT SizePcr;
USHORT OffsetPcrSelfPcr;
USHORT OffsetPcrCurrentPrcb;
USHORT OffsetPcrContainedPrcb;
USHORT OffsetPcrInitialBStore;
USHORT OffsetPcrBStoreLimit;
USHORT OffsetPcrInitialStack;
USHORT OffsetPcrStackLimit;
USHORT OffsetPrcbPcrPage;
USHORT OffsetPrcbProcStateSpecialReg;
USHORT GdtR0Code;
USHORT GdtR0Data;
USHORT GdtR0Pcr;
USHORT GdtR3Code;
USHORT GdtR3Data;
USHORT GdtR3Teb;
USHORT GdtLdt;
USHORT GdtTss;
USHORT Gdt64R3CmCode;
USHORT Gdt64R3CmTeb;
ULONG64 IopNumTriageDumpDataBlocks;
ULONG64 IopTriageDumpDataBlocks;
} KDDEBUGGER_DATA64, *PKDDEBUGGER_DATA64;
typedef struct _KDDEBUGGER_DATA_ADDITION64 {
ULONG64 VfCrashDataBlock;
ULONG64 MmBadPagesDetected;
ULONG64 MmZeroedPageSingleBitErrorsDetected;
ULONG64 EtwpDebuggerData;
USHORT OffsetPrcbContext;
USHORT OffsetPrcbMaxBreakpoints;
USHORT OffsetPrcbMaxWatchpoints;
ULONG OffsetKThreadStackLimit;
ULONG OffsetKThreadStackBase;
ULONG OffsetKThreadQueueListEntry;
ULONG OffsetEThreadIrpList;
USHORT OffsetPrcbIdleThread;
USHORT OffsetPrcbNormalDpcState;
USHORT OffsetPrcbDpcStack;
USHORT OffsetPrcbIsrStack;
USHORT SizeKDPC_STACK_FRAME;
USHORT OffsetKPriQueueThreadListHead;
USHORT OffsetKThreadWaitReason;
USHORT Padding;
ULONG64 PteBase;
ULONG64 RetpolineStubFunctionTable;
ULONG RetpolineStubFunctionTableSize;
ULONG RetpolineStubOffset;
ULONG RetpolineStubSize;
} KDDEBUGGER_DATA_ADDITION64, *PKDDEBUGGER_DATA_ADDITION64;
typedef struct _DUMP_HEADER {
ULONG Signature;
ULONG ValidDump;
ULONG MajorVersion;
ULONG MinorVersion;
ULONG_PTR DirectoryTableBase;
ULONG_PTR PfnDataBase;
PLIST_ENTRY PsLoadedModuleList;
PLIST_ENTRY PsActiveProcessHead;
ULONG MachineImageType;
ULONG NumberProcessors;
ULONG BugCheckCode;
ULONG_PTR BugCheckParameter1;
ULONG_PTR BugCheckParameter2;
ULONG_PTR BugCheckParameter3;
ULONG_PTR BugCheckParameter4;
CHAR VersionUser[32];
struct _KDDEBUGGER_DATA64* KdDebuggerDataBlock;
} DUMP_HEADER, *PDUMP_HEADER;
typedef union _VIRTUAL_MEMORY_ADDRESS {
struct {
UINT64 PageIndex : 12; /* 0:11 */
UINT64 PtIndex : 9; /* 12:20 */
UINT64 PdIndex : 9; /* 21:29 */
UINT64 PdptIndex : 9; /* 30:38 */
UINT64 Pml4Index : 9; /* 39:47 */
UINT64 Unused : 16; /* 48:63 */
} Bits;
UINT64 BitAddress;
} VIRTUAL_ADDRESS, *PVIRTUAL_ADDRESS;
typedef union _PML4_ENTRY {
struct {
UINT64 Present : 1; /* 0 */
UINT64 ReadWrite : 1; /* 1 */
UINT64 UserSupervisor : 1; /* 2 */
UINT64 PageWriteThrough : 1; /* 3 */
UINT64 PageCacheDisable : 1; /* 4 */
UINT64 Accessed : 1; /* 5 */
UINT64 _Ignored0 : 1; /* 6 */
UINT64 _Reserved0 : 1; /* 7 */
UINT64 _Ignored1 : 4; /* 11:8 */
UINT64 PhysicalAddress : 40; /* 51:12 */
UINT64 _Ignored2 : 11; /* 62:52 */
UINT64 ExecuteDisable : 1; /* 63 */
} Bits;
UINT64 BitAddress;
} PML4E;
typedef union _PDPT_ENTRY {
struct {
UINT64 Present : 1; /* 0 */
UINT64 ReadWrite : 1; /* 1 */
UINT64 UserSupervisor : 1; /* 2 */
UINT64 PageWriteThrough : 1; /* 3 */
UINT64 PageCacheDisable : 1; /* 4 */
UINT64 Accessed : 1; /* 5 */
UINT64 _Ignored0 : 1; /* 6 */
UINT64 PageSize : 1; /* 7 */
UINT64 _Ignored1 : 4; /* 11:8 */
UINT64 PhysicalAddress : 40; /* 51:12 */
UINT64 _Ignored2 : 11; /* 62:52 */
UINT64 ExecuteDisable : 1; /* 63 */
} Bits;
UINT64 BitAddress;
} PDPTE;
typedef union _PD_ENTRY {
struct {
UINT64 Present : 1; /* 0 */
UINT64 ReadWrite : 1; /* 1 */
UINT64 UserSupervisor : 1; /* 2 */
UINT64 PageWriteThrough : 1; /* 3 */
UINT64 PageCacheDisable : 1; /* 4 */
UINT64 Accessed : 1; /* 5 */
UINT64 _Ignored0 : 1; /* 6 */
UINT64 PageSize : 1; /* 7 */
UINT64 _Ignored1 : 4; /* 11:8 */
UINT64 PhysicalAddress : 38; /* 49:12 */
UINT64 _Reserved0 : 2; /* 51:50 */
UINT64 _Ignored2 : 11; /* 62:52 */
UINT64 ExecuteDisable : 1; /* 63 */
} Bits;
UINT64 BitAddress;
} PDE;
typedef union _PT_ENTRY {
struct {
UINT64 Present : 1; /* 0 */
UINT64 ReadWrite : 1; /* 1 */
UINT64 UserSupervisor : 1; /* 2 */
UINT64 PageWriteThrough : 1; /* 3 */
UINT64 PageCacheDisable : 1; /* 4 */
UINT64 Accessed : 1; /* 5 */
UINT64 Dirty : 1; /* 6 */
UINT64 PageAttributeTable : 1; /* 7 */
UINT64 Global : 1; /* 8 */
UINT64 _Ignored0 : 3; /* 11:9 */
UINT64 PhysicalAddress : 38; /* 49:12 */
UINT64 _Reserved0 : 2; /* 51:50 */
UINT64 _Ignored1 : 7; /* 58:52 */
UINT64 ProtectionKey : 4; /* 62:59 */
UINT64 ExecuteDisable : 1; /* 63 */
} Bits;
UINT64 BitAddress;
} PTE;
typedef union _PDPT_ENTRY_LARGE {
struct {
UINT64 Present : 1; /* 0 */
UINT64 ReadWrite : 1; /* 1 */
UINT64 UserSupervisor : 1; /* 2 */
UINT64 PageWriteThrough : 1; /* 3 */
UINT64 PageCacheDisable : 1; /* 4 */
UINT64 Accessed : 1; /* 5 */
UINT64 Dirty : 1; /* 6 */
UINT64 PageSize : 1; /* 7 */
UINT64 Global : 1; /* 8 */
UINT64 _Ignored0 : 3; /* 11:9 */
UINT64 PageAttributeTable : 1; /* 12 */
UINT64 _Reserved0 : 17; /* 29:13 */
UINT64 PhysicalAddress : 22; /* 51:30 */
UINT64 _Ignored1 : 7; /* 58:52 */
UINT64 ProtectionKey : 4; /* 62:59 */
UINT64 ExecuteDisable : 1; /* 63 */
} Bits;
UINT64 BitAddress;
} PDPTE_LARGE;
typedef union _PD_ENTRY_LARGE {
struct {
UINT64 Present : 1; /* 0 */
UINT64 ReadWrite : 1; /* 1 */
UINT64 UserSupervisor : 1; /* 2 */
UINT64 PageWriteThrough : 1; /* 3 */
UINT64 PageCacheDisable : 1; /* 4 */
UINT64 Accessed : 1; /* 5 */
UINT64 Dirty : 1; /* 6 */
UINT64 PageSize : 1; /* 7 */
UINT64 Global : 1; /* 8 */
UINT64 _Ignored0 : 3; /* 11:9 */
UINT64 PageAttributeTalbe : 1; /* 12 */
UINT64 _Reserved0 : 8; /* 20:13 */
UINT64 PhysicalAddress : 29; /* 49:21 */
UINT64 _Reserved1 : 2; /* 51:50 */
UINT64 _Ignored1 : 7; /* 58:52 */
UINT64 ProtectionKey : 4; /* 62:59 */
UINT64 ExecuteDisable : 1; /* 63 */
} Bits;
UINT64 BitAddress;
} PDE_LARGE;
// typedef struct _KAPC_STATE
//{
// LIST_ENTRY ApcListHead[ MaximumMode ];
// struct _KPROCESS* Process;
// union {
// UCHAR InProgressFlags;
// struct
// {
// BOOLEAN KernelApcInProgress : 1;
// BOOLEAN SpecialApcInProgress : 1;
// };
// };
//
// BOOLEAN KernelApcPending;
// union {
// BOOLEAN UserApcPendingAll;
// struct
// {
// BOOLEAN SpecialUserApcPending : 1;
// BOOLEAN UserApcPending : 1;
// };
// };
// } KAPC_STATE, * PKAPC_STATE, * PRKAPC_STATE;
typedef struct _RAW_SMBIOS_DATA {
BYTE Used20CallingMethod;
BYTE SMBIOSMajorVersion;
BYTE SMBIOSMinorVersion;
BYTE DmiRevision;
UINT32 Length;
BYTE SMBIOSTableData[1];
} RAW_SMBIOS_DATA, *PRAW_SMBIOS_DATA;
typedef struct _SMBIOS_TABLE_HEADER {
UCHAR Type;
UCHAR Length;
USHORT Handle;
PCHAR TableData;
} SMBIOS_TABLE_HEADER, *PSMBIOS_TABLE_HEADER;
typedef struct _RAW_SMBIOS_TABLE_01 {
UCHAR Type;
UCHAR Length;
USHORT Handle;
UCHAR Manufacturer;
UCHAR ProductName;
UCHAR Version;
UCHAR SerialNumber;
UCHAR UUID[16];
UCHAR WakeUpType;
UCHAR SKUNumber;
UCHAR Family;
} RAW_SMBIOS_TABLE_01, *PRAW_SMBIOS_TABLE_01;
typedef struct _RAW_SMBIOS_TABLE_02 {
UCHAR Type;
UCHAR Length;
USHORT Handle;
BYTE Manufacturer;
BYTE Product;
BYTE Version;
BYTE SerialNumber;
BYTE AssetTag;
BYTE FeatureFlags;
BYTE LocationInChassis;
UINT16 ChassisHandle;
BYTE BoardType;
BYTE NumberOfContainedObjectHandles;
BYTE ContainedObjectHandles[256];
} RAW_SMBIOS_TABLE_02, *PRAW_SMBIOS_TABLE_02;
typedef struct _RTL_RELATIVE_NAME {
UNICODE_STRING RelativeName;
HANDLE ContainingDirectory;
void* CurDirRef;
} RTL_RELATIVE_NAME, *PRTL_RELATIVE_NAME;
typedef struct _STORAGE_DESCRIPTOR_HEADER {
ULONG Version;
ULONG Size;
} STORAGE_DESCRIPTOR_HEADER, *PSTORAGE_DESCRIPTOR_HEADER;
typedef enum _STORAGE_BUS_TYPE {
BusTypeUnknown = 0x00,
BusTypeScsi,
BusTypeAtapi,
BusTypeAta,
BusType1394,
BusTypeSsa,
BusTypeFibre,
BusTypeUsb,
BusTypeRAID,
BusTypeMaxReserved = 0x7F
} STORAGE_BUS_TYPE,
*PSTORAGE_BUS_TYPE;
typedef enum _STORAGE_SET_TYPE {
PropertyStandardSet = 0, // Sets the descriptor
PropertyExistsSet, // Used to test whether the descriptor is supported
PropertySetMaxDefined // use to validate the value
} STORAGE_SET_TYPE,
*PSTORAGE_SET_TYPE;
//
// define some initial property id's
//
typedef enum _STORAGE_QUERY_TYPE {
PropertyStandardQuery = 0, // Retrieves the descriptor
PropertyExistsQuery, // Used to test whether the descriptor is supported
PropertyMaskQuery, // Used to retrieve a mask of writeable fields in the
// descriptor
PropertyQueryMaxDefined // use to validate the value
} STORAGE_QUERY_TYPE,
*PSTORAGE_QUERY_TYPE;
typedef enum _STORAGE_PROPERTY_ID {
StorageDeviceProperty = 0,
StorageAdapterProperty,
StorageDeviceIdProperty,
StorageDeviceUniqueIdProperty, // See storduid.h for details
StorageDeviceWriteCacheProperty,
StorageMiniportProperty,
StorageAccessAlignmentProperty,
StorageDeviceSeekPenaltyProperty,
StorageDeviceTrimProperty,
StorageDeviceWriteAggregationProperty,
StorageDeviceDeviceTelemetryProperty,
StorageDeviceLBProvisioningProperty,
StorageDevicePowerProperty,
StorageDeviceCopyOffloadProperty,
StorageDeviceResiliencyProperty,
StorageDeviceMediumProductType,
StorageAdapterRpmbProperty,
StorageAdapterCryptoProperty,
StorageDeviceIoCapabilityProperty = 48,
StorageAdapterProtocolSpecificProperty,
StorageDeviceProtocolSpecificProperty,
StorageAdapterTemperatureProperty,
StorageDeviceTemperatureProperty,
StorageAdapterPhysicalTopologyProperty,
StorageDevicePhysicalTopologyProperty,
StorageDeviceAttributesProperty,
StorageDeviceManagementStatus,
StorageAdapterSerialNumberProperty,
StorageDeviceLocationProperty,
StorageDeviceNumaProperty,
StorageDeviceZonedDeviceProperty,
StorageDeviceUnsafeShutdownCount,
StorageDeviceEnduranceProperty,
StorageDeviceLedStateProperty,
StorageDeviceSelfEncryptionProperty = 64,
StorageFruIdProperty,
} STORAGE_PROPERTY_ID,
*PSTORAGE_PROPERTY_ID;
typedef struct _STORAGE_PROPERTY_QUERY {
STORAGE_PROPERTY_ID PropertyId;
STORAGE_QUERY_TYPE QueryType;
UCHAR AdditionalParameters[1];
} STORAGE_PROPERTY_QUERY, *PSTORAGE_PROPERTY_QUERY;
typedef struct _STORAGE_DEVICE_DESCRIPTOR {
ULONG Version;
ULONG Size;
UCHAR DeviceType;
UCHAR DeviceTypeModifier;
BOOLEAN RemovableMedia;
BOOLEAN CommandQueueing;
ULONG VendorIdOffset;
ULONG ProductIdOffset;
ULONG ProductRevisionOffset;
ULONG SerialNumberOffset;
STORAGE_BUS_TYPE BusType;
ULONG RawPropertiesLength;
UCHAR RawDeviceProperties[1];
} STORAGE_DEVICE_DESCRIPTOR, *PSTORAGE_DEVICE_DESCRIPTOR;
NTKERNELAPI
BOOLEAN
ExEnumHandleTable(__in PHANDLE_TABLE HandleTable,
__in EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
__in PVOID EnumParameter,
__out_opt PHANDLE Handle);
NTKERNELAPI
POBJECT_TYPE
NTAPI
ObGetObjectType(_In_ PVOID Object);
typedef struct _EX_PUSH_LOCK_WAIT_BLOCK* PEX_PUSH_LOCK_WAIT_BLOCK;
NTKERNELAPI
VOID FASTCALL
ExfUnblockPushLock(_Inout_ PEX_PUSH_LOCK PushLock,
_Inout_opt_ PEX_PUSH_LOCK_WAIT_BLOCK WaitBlock);
LPCSTR
NTSYSAPI
NTAPI
PsGetProcessImageFileName(PEPROCESS Process);
EXTERN_C
VOID
KeInitializeAffinityEx(PKAFFINITY_EX affinity);
EXTERN_C
VOID
KeAddProcessorAffinityEx(PKAFFINITY_EX affinity, INT num);
EXTERN_C
VOID
HalSendNMI(PKAFFINITY_EX affinity);
NTSTATUS
RtlQueryModuleInformation(ULONG* InformationLength,
ULONG SizePerModule,
PVOID InformationBuffer);
NTSTATUS
NTAPI
NtSetInformationProcess(_In_ HANDLE ProcessHandle,
_In_ PROCESSINFOCLASS ProcessInformationClass,
_In_ PVOID ProcessInformation,
_In_ ULONG ProcessInformationLength);
NTSYSAPI
ULONG
NTAPI
KeCapturePersistentThreadState(__in PCONTEXT Context,
__in_opt PKTHREAD Thread,
__in ULONG BugCheckCode,
__in ULONG_PTR BugCheckParameter1,
__in ULONG_PTR BugCheckParameter2,
__in ULONG_PTR BugCheckParameter3,
__in ULONG_PTR BugCheckParameter4,
__in PDUMP_HEADER DumpHeader);
BOOLEAN NTAPI
RtlDosPathNameToRelativeNtPathName_U(_In_ PCWSTR DosFileName,
_Out_ PUNICODE_STRING NtFileName,
_Out_opt_ PWSTR* FilePath,
_Out_opt_ PRTL_RELATIVE_NAME RelativeName);
typedef _Function_class_(KNORMAL_ROUTINE) _IRQL_requires_(PASSIVE_LEVEL)
_IRQL_requires_same_
VOID NTAPI
KNORMAL_ROUTINE(_In_opt_ PVOID NormalContext,
_In_opt_ PVOID SystemArgument1,
_In_opt_ PVOID SystemArgument2);
typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;
typedef _Function_class_(KRUNDOWN_ROUTINE) _IRQL_requires_(PASSIVE_LEVEL)
_IRQL_requires_same_
VOID NTAPI
KRUNDOWN_ROUTINE(_In_ PRKAPC Apc);
typedef KRUNDOWN_ROUTINE* PKRUNDOWN_ROUTINE;
typedef _Function_class_(KKERNEL_ROUTINE) _IRQL_requires_(APC_LEVEL)
_IRQL_requires_same_
VOID NTAPI
KKERNEL_ROUTINE(_In_ PRKAPC Apc,
_Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine,
_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext,
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2);
typedef KKERNEL_ROUTINE* PKKERNEL_ROUTINE;
typedef enum _KAPC_ENVIRONMENT {
OriginalApcEnvironment,
AttachedApcEnvironment,
CurrentApcEnvironment,
InsertApcEnvironment
} KAPC_ENVIRONMENT,
*PKAPC_ENVIRONMENT;
NTKERNELAPI
VOID NTAPI
KeInitializeApc(_Out_ PRKAPC Apc,
_In_ PRKTHREAD Thread,
_In_ KAPC_ENVIRONMENT Environment,
_In_ PKKERNEL_ROUTINE KernelRoutine,
_In_opt_ PKRUNDOWN_ROUTINE RundownRoutine,
_In_opt_ PKNORMAL_ROUTINE NormalRoutine,
_In_ KPROCESSOR_MODE Mode,
_In_opt_ PVOID NormalContext);
NTSTATUS
NTAPI
MmCopyVirtualMemory(PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize);
NTKERNELAPI
BOOLEAN
NTAPI
KeInsertQueueApc(_Inout_ PRKAPC Apc,
_In_opt_ PVOID SystemArgument1,
_In_opt_ PVOID SystemArgument2,
_In_ KPRIORITY Increment);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, Signature) == 0);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, ValidDump) == 4);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, MajorVersion) == 8);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, MinorVersion) == 0xc);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, DirectoryTableBase) == 0x10);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, PfnDataBase) == 0x18);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, PsLoadedModuleList) == 0x20);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, PsActiveProcessHead) == 0x28);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, MachineImageType) == 0x30);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, NumberProcessors) == 0x34);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, BugCheckCode) == 0x38);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, BugCheckParameter1) == 0x40);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, BugCheckParameter2) == 0x48);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, BugCheckParameter3) == 0x50);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, BugCheckParameter4) == 0x58);
C_ASSERT(FIELD_OFFSET(DUMP_HEADER, KdDebuggerDataBlock) == 0x80);
#ifndef _WIN64
# define KDDEBUGGER_DATA_OFFSET 0x1068
#else
# define KDDEBUGGER_DATA_OFFSET 0x2080
#endif
#ifndef _WIN64
# define DUMP_BLOCK_SIZE 0x20000
#else
# define DUMP_BLOCK_SIZE 0x40000
#endif
#define IA32_GS_BASE 0xc0000101
#define KPCR_TSS_BASE_OFFSET 0x008
#define TSS_IST_OFFSET 0x01c
#define WINDOWS_USERMODE_MAX_ADDRESS 0x00007FFFFFFFFFFF
typedef struct _MACHINE_FRAME {
UINT64 rip;
UINT64 cs;
UINT64 eflags;
UINT64 rsp;
UINT64 ss;
} MACHINE_FRAME, *PMACHINE_FRAME;
NTKERNELAPI
_IRQL_requires_max_(APC_LEVEL)
_IRQL_requires_min_(PASSIVE_LEVEL)
_IRQL_requires_same_
VOID
KeGenericCallDpc(_In_ PKDEFERRED_ROUTINE Routine, _In_opt_ PVOID Context);
NTKERNELAPI
_IRQL_requires_(DISPATCH_LEVEL)
_IRQL_requires_same_
VOID
KeSignalCallDpcDone(_In_ PVOID SystemArgument1);
PEPROCESS
NTAPI
PsGetNextProcess(IN PEPROCESS OldProcess OPTIONAL);
PETHREAD
NTAPI
PsGetNextProcessThread(IN PEPROCESS Process, IN PETHREAD Thread OPTIONAL);
#define ABSOLUTE(wait) (wait)
#define RELATIVE(wait) (-(wait))
#define NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L)
#define MICROSECONDS(micros) (((signed __int64)(micros)) * NANOSECONDS(1000L))
#define MILLISECONDS(milli) (((signed __int64)(milli)) * MICROSECONDS(1000L))
#define SECONDS(seconds) (((signed __int64)(seconds)) * MILLISECONDS(1000L))
// https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
#define PROCESS_CREATE_PROCESS 0x0080
#define PROCESS_TERMINATE 0x0001
#define PROCESS_CREATE_THREAD 0x0002
#define PROCESS_QUERY_INFORMATION 0x0400
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#define PROCESS_SET_INFORMATION 0x0200
#define PROCESS_SET_QUOTA 0x0100
#define PROCESS_SUSPEND_RESUME 0x0800
#define PROCESS_VM_OPERATION 0x0008
#define PROCESS_VM_READ 0x0010
#define PROCESS_VM_WRITE 0x0020
typedef struct _NT_HEADER_64 {
UINT32 Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} NT_HEADER_64, *PNT_HEADER_64;
#endif
================================================
FILE: driver/containers/map.c
================================================
#include "map.h"
#include "../lib/stdlib.h"
VOID
RtlHashmapDelete(_In_ PRTL_HASHMAP Hashmap)
{
ExFreePoolWithTag(Hashmap->buckets, POOL_TAG_HASHMAP);
ExFreePoolWithTag(Hashmap->locks, POOL_TAG_HASHMAP);
ExDeleteLookasideListEx(&Hashmap->pool);
}
VOID
RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap)
{
Hashmap->active = FALSE;
}
NTSTATUS
RtlHashmapCreate(
_In_ UINT32 BucketCount,
_In_ UINT32 EntryObjectSize,
_In_ HASH_FUNCTION HashFunction,
_In_ COMPARE_FUNCTION CompareFunction,
_In_opt_ PVOID Context,
_Out_ PRTL_HASHMAP Hashmap)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
UINT32 entry_size = sizeof(RTL_HASHMAP_ENTRY) + EntryObjectSize;
PRTL_HASHMAP_ENTRY entry = NULL;
if (!CompareFunction || !HashFunction)
return STATUS_INVALID_PARAMETER;
Hashmap->buckets = ExAllocatePool2(
POOL_FLAG_NON_PAGED,
BucketCount * entry_size,
POOL_TAG_HASHMAP);
if (!Hashmap->buckets)
return STATUS_INSUFFICIENT_RESOURCES;
Hashmap->locks = ExAllocatePool2(
POOL_FLAG_NON_PAGED,
sizeof(KGUARDED_MUTEX) * BucketCount,
POOL_TAG_HASHMAP);
if (!Hashmap->locks) {
ExFreePoolWithTag(Hashmap->buckets, POOL_TAG_HASHMAP);
return STATUS_INSUFFICIENT_RESOURCES;
}
for (UINT32 index = 0; index < BucketCount; index++) {
entry = &Hashmap->buckets[index];
entry->in_use = FALSE;
InitializeListHead(&entry->entry);
KeInitializeGuardedMutex(&Hashmap->locks[index]);
}
status = ExInitializeLookasideListEx(
&Hashmap->pool,
NULL,
NULL,
NonPagedPoolNx,
0,
entry_size,
POOL_TAG_HASHMAP,
0);
if (!NT_SUCCESS(status)) {
DEBUG_ERROR("ExInitializeLookasideListEx: %x", status);
ExFreePoolWithTag(Hashmap->buckets, POOL_TAG_HASHMAP);
ExFreePoolWithTag(Hashmap->locks, POOL_TAG_HASHMAP);
return status;
}
Hashmap->bucket_count = BucketCount;
Hashmap->hash_function = HashFunction;
Hashmap->compare_function = CompareFunction;
Hashmap->object_size = EntryObjectSize;
Hashmap->active = TRUE;
Hashmap->context = Context;
return STATUS_SUCCESS;
}
FORCEINLINE
STATIC
PRTL_HASHMAP_ENTRY
RtlpHashmapFindUnusedEntry(_In_ PLIST_ENTRY Head)
{
PRTL_HASHMAP_ENTRY entry = NULL;
PLIST_ENTRY list_entry = Head->Flink;
while (list_entry != Head) {
entry = CONTAINING_RECORD(list_entry, RTL_HASHMAP_ENTRY, entry);
if (entry->in_use == FALSE) {
entry->in_use = TRUE;
return entry;
}
list_entry = list_entry->Flink;
}
return NULL;
}
FORCEINLINE
STATIC
PRTL_HASHMAP_ENTRY
RtlpHashmapAllocateBucketEntry(_In_ PRTL_HASHMAP Hashmap)
{
PRTL_HASHMAP_ENTRY entry = ExAllocateFromLookasideListEx(&Hashmap->pool);
if (!entry)
return NULL;
entry->in_use = TRUE;
return entry;
}
FORCEINLINE
STATIC
BOOLEAN
RtlpHashmapIsIndexInRange(_In_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index)
{
return Index < Hashmap->bucket_count ? TRUE : FALSE;
}
INT32
RtlHashmapHashKeyAndAcquireBucket(_Inout_ PRTL_HASHMAP Hashmap, _In_ UINT64 Key)
{
UINT32 index = Hashmap->hash_function(Key);
if (!RtlpHashmapIsIndexInRange(Hashmap, index))
return -1;
KeAcquireGuardedMutex(&Hashmap->locks[index]);
return index;
}
VOID
RtlHashmapReleaseBucket(_Inout_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index)
{
/* No index check here, assuming we exit the caller early if we fail on
* acquisition */
KeReleaseGuardedMutex(&Hashmap->locks[Index]);
}
/* assumes map lock is held */
PVOID
RtlHashmapEntryInsert(_In_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index)
{
UINT32 index = 0;
PLIST_ENTRY list_head = NULL;
PRTL_HASHMAP_ENTRY entry = NULL;
PRTL_HASHMAP_ENTRY new_entry = NULL;
if (!Hashmap->active)
return NULL;
list_head = &(&Hashmap->buckets[index])->entry;
entry = RtlpHashmapFindUnusedEntry(list_head);
if (entry)
return entry;
new_entry = RtlpHashmapAllocateBucketEntry(Hashmap);
if (!new_entry) {
DEBUG_ERROR("Failed to allocate new entry");
return NULL;
}
InsertHeadList(list_head, &new_entry->entry);
return new_entry->object;
}
/* Returns a pointer to the start of the entries caller defined data. i.e
* &PRTL_HASHMAP_ENTRY->Object
*
* Also assumes lock is held.
*/
PVOID
RtlHashmapEntryLookup(
_In_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index, _In_ PVOID Compare)
{
UINT32 index = 0;
PRTL_HASHMAP_ENTRY entry = NULL;
if (!Hashmap->active)
return NULL;
entry = &Hashmap->buckets[index];
while (entry) {
if (entry->in_use == FALSE)
goto increment;
if (Hashmap->compare_function(entry->object, Compare))
return entry->object;
increment:
entry = CONTAINING_RECORD(entry->entry.Flink, RTL_HASHMAP_ENTRY, entry);
}
DEBUG_ERROR("Unable to find entry in hashmap.");
return NULL;
}
/* Assumes lock is held */
BOOLEAN
RtlHashmapEntryDelete(
_Inout_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index, _In_ PVOID Compare)
{
UINT32 index = 0;
PLIST_ENTRY list_head = NULL;
PLIST_ENTRY list_entry = NULL;
PRTL_HASHMAP_ENTRY entry = NULL;
if (!Hashmap->active)
return FALSE;
list_head = &(&Hashmap->buckets[index])->entry;
list_entry = list_head->Flink;
while (list_entry != list_head) {
entry = CONTAINING_RECORD(list_entry, RTL_HASHMAP_ENTRY, entry);
if (entry->in_use &&
Hashmap->compare_function(entry->object, Compare)) {
if (entry == list_head) {
entry->in_use = FALSE;
}
else {
RemoveEntryList(&entry->entry);
ExFreeToLookasideListEx(&Hashmap->pool, entry);
}
return TRUE;
}
list_entry = list_entry->Flink;
}
return FALSE;
}
/* assumes lock is held */
VOID
RtlHashmapEnumerate(
_In_ PRTL_HASHMAP Hashmap,
_In_ ENUMERATE_HASHMAP EnumerationCallback,
_In_opt_ PVOID Context)
{
PLIST_ENTRY list_head = NULL;
PLIST_ENTRY list_entry = NULL;
PRTL_HASHMAP_ENTRY entry = NULL;
for (UINT32 index = 0; index < Hashmap->bucket_count; index++) {
KeAcquireGuardedMutex(&Hashmap->locks[index]);
list_head = &Hashmap->buckets[index];
list_entry = list_head->Flink;
while (list_entry != list_head) {
entry = CONTAINING_RECORD(list_entry, RTL_HASHMAP_ENTRY, entry);
if (entry->in_use == TRUE)
EnumerationCallback(entry->object, Context);
list_entry = list_entry->Flink;
}
KeReleaseGuardedMutex(&Hashmap->locks[index]);
}
}
================================================
FILE: driver/containers/map.h
================================================
#ifndef MAP_H
#define MAP_H
#include "../common.h"
/* To improve efficiency, each entry contains a common header
* RTL_HASHMAP_ENTRY*, reducing the need to store a seperate pointer to the
* entrys data. */
typedef struct _RTL_HASHMAP_ENTRY {
LIST_ENTRY entry;
UINT32 in_use;
CHAR object[];
} RTL_HASHMAP_ENTRY, *PRTL_HASHMAP_ENTRY;
typedef UINT32 (*HASH_FUNCTION)(_In_ UINT64 Key);
/* Struct1 being the node being compared to the value in Struct 2*/
typedef BOOLEAN (*COMPARE_FUNCTION)(_In_ PVOID Struct1, _In_ PVOID Struct2);
typedef struct _RTL_HASHMAP {
/* Array of RTL_HASHMAP_ENTRIES with length = bucket_count */
PRTL_HASHMAP_ENTRY buckets;
/* per bucket locks */
PKGUARDED_MUTEX locks;
/* Number of buckets, ideally a prime number */
UINT32 bucket_count;
/* Size of each custom object existing after the RTL_HASHMAP_ENTRY */
UINT32 object_size;
/* Pointer to caller-designated callback routines */
HASH_FUNCTION hash_function;
COMPARE_FUNCTION compare_function;
/* in the future bucket entries will use this */
LOOKASIDE_LIST_EX pool;
/* user allocated context */
PVOID context;
volatile UINT32 active;
} RTL_HASHMAP, *PRTL_HASHMAP;
typedef VOID (*ENUMERATE_HASHMAP)(_In_ PRTL_HASHMAP_ENTRY Entry,
_In_opt_ PVOID Context);
#define STATUS_INVALID_HASHMAP_INDEX -1
/* Hashmap is caller allocated */
NTSTATUS
RtlHashmapCreate(_In_ UINT32 BucketCount,
_In_ UINT32 EntryObjectSize,
_In_ HASH_FUNCTION HashFunction,
_In_ COMPARE_FUNCTION CompareFunction,
_In_opt_ PVOID Context,
_Out_ PRTL_HASHMAP Hashmap);
PVOID
RtlHashmapEntryInsert(_In_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index);
PVOID
RtlHashmapEntryLookup(_In_ PRTL_HASHMAP Hashmap,
_In_ UINT32 Index,
_In_ PVOID Compare);
BOOLEAN
RtlHashmapEntryDelete(_Inout_ PRTL_HASHMAP Hashmap,
_In_ UINT32 Index,
_In_ PVOID Compare);
VOID
RtlHashmapEnumerate(_In_ PRTL_HASHMAP Hashmap,
_In_ ENUMERATE_HASHMAP EnumerationCallback,
_In_opt_ PVOID Context);
VOID
RtlHashmapDelete(_In_ PRTL_HASHMAP Hashmap);
INT32
RtlHashmapHashKeyAndAcquireBucket(_Inout_ PRTL_HASHMAP Hashmap,
_In_ UINT64 Key);
VOID
RtlHashmapReleaseBucket(_Inout_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index);
VOID
RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap);
#endif
================================================
FILE: driver/containers/tree.c
================================================
#include "tree.h"
#include "../lib/stdlib.h"
/*
* Basic red-black tree implementation. Currently, the enumeration routines are
* recursive, which may not be the best idea given the environment this is meant
* for (kernel mode). We can always fix that up later though :).
*
* Example of a Red-Black Tree:
*
* grandparent(B)
* |
* +--------+--------+
* | |
* parent(R) uncle(R)
* |
* +-----+-----+
* | |
* Node(R) sibling(B)
* |
* +-----+
* | |
* child ...
*
* Legend:
* - 'B' represents a Black node
* - 'R' represents a Red node
*
* Labels for components during insert and delete fix-up:
*
* - Node: The newly inserted node that may cause a violation.
* - Parent: The parent of the newly inserted node.
* - Grandparent: The grandparent of the newly inserted node.
* - Uncle: The sibling of the parent node.
* - Sibling: The sibling of the node to be deleted or fixed.
* - Child: The child of the node to be deleted or fixed.
*
* In this example:
* - Each 'B' is a black node.
* - Each 'R' is a red node.
* - The labels illustrate a typical structure that might be encountered during
* the insertion or deletion process, where the new node, its parent,
* grandparent, uncle, sibling, and child are involved in the rebalancing
* operations.
*
* Resources used:
* https://www.kernel.org/doc/Documentation/rbtree.txt
* https://github.com/torvalds/linux/blob/master/lib/rbtree.c
* https://www.osronline.com/article.cfm%5Earticle=516.htm
* https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/ns-ntddk-_rtl_avl_table
* (for structure ideas)
*
*/
FORCEINLINE
STATIC
VOID
RtlpRbTreeIncrementInsertionCount(_In_ PRB_TREE Tree)
{
InterlockedIncrement(&Tree->insertion_count);
}
FORCEINLINE
STATIC
VOID
RtlpRbTreeIncrementDeletionCount(_In_ PRB_TREE Tree)
{
InterlockedIncrement(&Tree->deletion_count);
}
FORCEINLINE
STATIC
VOID
RtlpRbTreeIncrementNodeCount(_In_ PRB_TREE Tree)
{
InterlockedIncrement(&Tree->node_count);
}
FORCEINLINE
STATIC
VOID
RtlpRbTreeDecrementNodeCount(_In_ PRB_TREE Tree)
{
InterlockedDecrement(&Tree->node_count);
}
VOID
RtlRbTreePrintCurrentStatistics(_In_ PRB_TREE Tree)
{
DEBUG_VERBOSE("Tree: %llx", (UINT64)Tree);
DEBUG_VERBOSE("Node count: %lx", Tree->node_count);
DEBUG_VERBOSE("Insertion count: %lx", Tree->insertion_count);
DEBUG_VERBOSE("Deletion count: %lx", Tree->deletion_count);
}
/**
* Initialises a caller allocated RB_TREE structure.
*
* Key Member Variables in `RB_TREE`:
*
* > `RB_COMPARE compare`:
* - This is a function pointer to the comparison function provided by the
* caller. It is used to compare two keys and maintain the order of the
* red-black tree.
*
* > `UINT32 object_size`:
* - This stores the size of the objects that will be stored in the tree. It
* is used to allocate memory for the nodes.
* - Lets say each node needs to have a THREAD_LIST_ENTRY object. The
* ObjectSize = sizeof(THREAD_LIST_OBJECT) and in turn will mean each node
* will be of size: sizeof(THREAD_LIST_OBJECT) + sizeof(RB_TREE_NODE). This is
* also this size the lookaside list pools will be set to.
*
* > `LOOKASIDE_LIST_EX pool`:
* - This is a lookaside list that provides a fast, efficient way to allocate
* and free fixed-size blocks of memory for the tree nodes. The size of each
* block is `ObjectSize + sizeof(RB_TREE_NODE)`.
*/
NTSTATUS
RtlRbTreeCreate(
_In_ RB_COMPARE Compare, _In_ UINT32 ObjectSize, _Out_ PRB_TREE Tree)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
if (!ARGUMENT_PRESENT(Compare) || ObjectSize == 0)
return STATUS_INVALID_PARAMETER;
status = ExInitializeLookasideListEx(
&Tree->pool,
NULL,
NULL,
NonPagedPoolNx,
0,
ObjectSize + sizeof(RB_TREE_NODE),
POOL_TAG_RB_TREE,
0);
if (!NT_SUCCESS(status))
return status;
Tree->compare = Compare;
Tree->deletion_count = 0;
Tree->insertion_count = 0;
Tree->node_count = 0;
KeInitializeGuardedMutex(&Tree->lock);
return STATUS_SUCCESS;
}
/* This function is used to maintain the balance of a red-black tree by
* performing a left rotation around a given node. A left rotation moves the
* given node down to the left and its right child up to take its place.
*
* The structure of the tree before and after the rotation is as follows:
*
* Before Rotation: After Rotation:
* (Node) (Right_Child)
* / \ / \
* (A) (Right_Child) -> (Node) (C)
* / \ / \
* (B) (C) (A) (B)
*/
STATIC
VOID
RtlpRbTreeRotateLeft(_In_ PRB_TREE Tree, _In_ PRB_TREE_NODE Node)
{
PRB_TREE_NODE right_child = Node->right;
Node->right = right_child->left;
if (right_child->left)
right_child->left->parent = Node;
right_child->parent = Node->parent;
if (!Node->parent)
Tree->root = right_child;
else if (Node == Node->parent->left)
Node->parent->left = right_child;
else
Node->parent->right = right_child;
right_child->left = Node;
Node->parent = right_child;
}
/*
* This function is used to maintain the balance of a red-black tree by
* performing a right rotation around a given node. A right rotation moves the
* given node down to the right and its left child up to take its place.
*
* The structure of the tree before and after the rotation is as follows:
*
* Before Rotation: After Rotation:
* (Node) (Left_Child)
* / \ / \
* (Left_Child) (C) -> (A) (Node)
* / \ / \
* (A) (B) (B) (C)
*
*/
STATIC
VOID
RtlpRbTreeRotateRight(_In_ PRB_TREE Tree, _In_ PRB_TREE_NODE Node)
{
PRB_TREE_NODE left_child = Node->left;
Node->left = left_child->right;
if (left_child->right)
left_child->right->parent = Node;
left_child->parent = Node->parent;
if (!Node->parent)
Tree->root = left_child;
else if (Node == Node->parent->right)
Node->parent->right = left_child;
else
Node->parent->left = left_child;
left_child->right = Node;
Node->parent = left_child;
}
/*
* This function ensures the red-black tree properties are maintained after a
* new node is inserted. It adjusts the colors and performs rotations as
* necessary.
*
* Example scenario:
*
* Inserted Node causing a fixup:
* (Grandparent) (Parent)
* / \ / \
* (Parent) (Uncle) -> (Node) (Grandparent)
* / / \
* (Node) (Left) (Uncle)
*/
STATIC
VOID
RtlpRbTreeFixupInsert(_In_ PRB_TREE Tree, _In_ PRB_TREE_NODE Node)
{
PRB_TREE_NODE uncle = NULL;
PRB_TREE_NODE parent = NULL;
PRB_TREE_NODE grandparent = NULL;
while ((parent = Node->parent) && parent->colour == red) {
grandparent = parent->parent;
if (parent == grandparent->left) {
uncle = grandparent->right;
if (uncle && uncle->colour == red) {
parent->colour = black;
uncle->colour = black;
grandparent->colour = red;
Node = grandparent;
}
else {
if (Node == parent->right) {
RtlpRbTreeRotateLeft(Tree, parent);
Node = parent;
parent = Node->parent;
}
parent->colour = black;
grandparent->colour = red;
RtlpRbTreeRotateRight(Tree, grandparent);
}
}
else {
uncle = grandparent->left;
if (uncle && uncle->colour == red) {
parent->colour = black;
uncle->colour = black;
grandparent->colour = red;
Node = grandparent;
}
else {
if (Node == parent->left) {
RtlpRbTreeRotateRight(Tree, parent);
Node = parent;
parent = Node->parent;
}
parent->colour = black;
grandparent->colour = red;
RtlpRbTreeRotateLeft(Tree, grandparent);
}
}
}
Tree->root->colour = black;
}
/*
* ASSUMES LOCK IS HELD!
*
* This function inserts a new node into the red-black tree, and then calls a
* fix-up routine to ensure the tree properties are maintained.
*
* Example insertion process:
*
* Before insertion:
* (Root)
* / \
* (Left) (Right)
*
* After insertion:
* (Root)
* / \
* (Left) (Right)
* /
* (Node)
*
* After fix-up:
* (Root)
* / \
* (Left) (Node)
* \
* (Right)
*/
PVOID
RtlRbTreeInsertNode(_In_ PRB_TREE Tree, _In_ PVOID Key)
{
UINT32 result = 0;
PRB_TREE_NODE node = NULL;
PRB_TREE_NODE parent = NULL;
PRB_TREE_NODE current = NULL;
node = ExAllocateFromLookasideListEx(&Tree->pool);
if (!node)
return NULL;
node->parent = NULL;
node->left = NULL;
node->right = NULL;
node->colour = red;
current = Tree->root;
while (current) {
parent = current;
result = Tree->compare(Key, current->object);
if (result == RB_TREE_LESS_THAN) {
current = current->left;
}
else if (result == RB_TREE_GREATER_THAN) {
current = current->right;
}
else {
ExFreeToLookasideListEx(&Tree->pool, node);
/* Since we allocate and free a node, no housekeeping regarding
* stats needs to be done. */
return current->object;
}
}
node->parent = parent;
if (!parent)
Tree->root = node;
else if (result == RB_TREE_LESS_THAN)
parent->left = node;
else
parent->right = node;
RtlpRbTreeFixupInsert(Tree, node);
RtlpRbTreeIncrementInsertionCount(Tree);
RtlpRbTreeIncrementNodeCount(Tree);
return node->object;
}
/*
* ASSUMES LOCK IS HELD!
*
* This function traverses the left children of the given node to find and
* return the node with the minimum key in the subtree.
*
* Example traversal to find minimum:
*
* (Root)
* / \
* (Left) (Right)
* /
* (Node)
*
* After finding minimum:
* (Root)
* / \
* (Node) (Right)
*
* Returns the left-most node.
*/
STATIC
PRB_TREE_NODE
RtlpRbTreeMinimum(_In_ PRB_TREE_NODE Node)
{
while (Node->left != NULL)
Node = Node->left;
return Node;
}
/*
* ASSUMES LOCK IS HELD!
*
* This function is called after a node is deleted from the Red-Black Tree.
* It ensures that the tree remains balanced and the Red-Black properties are
* maintained. It performs the necessary rotations and recoloring.
*
* Example fixup scenarios:
*
* Before Fixup: After Fixup:
* (Parent) (Parent)
* / \ / \
* (Node) (Sibling) (Node) (Sibling)
* / \ / \
* (Left) (Right) (Left) (Right)
*
* The fixup process ensures that the tree remains balanced.
*/
STATIC
VOID
RtlpRbTreeFixupDelete(_In_ PRB_TREE Tree, _In_ PRB_TREE_NODE Node)
{
PRB_TREE_NODE sibling = NULL;
while (Node != Tree->root && Node->colour == black) {
if (Node == Node->parent->left) {
sibling = Node->parent->right;
if (sibling && sibling->colour == red) {
sibling->colour = black;
Node->parent->colour = red;
RtlpRbTreeRotateLeft(Tree, Node->parent);
sibling = Node->parent->right;
}
if (sibling && (!sibling->left || sibling->left->colour == black) &&
(!sibling->right || sibling->right->colour == black)) {
sibling->colour = red;
Node = Node->parent;
}
else {
if (sibling &&
(!sibling->right || sibling->right->colour == black)) {
if (sibling->left)
sibling->left->colour = black;
sibling->colour = red;
RtlpRbTreeRotateRight(Tree, sibling);
sibling = Node->parent->right;
}
if (sibling) {
sibling->colour = Node->parent->colour;
Node->parent->colour = black;
if (sibling->right)
sibling->right->colour = black;
RtlpRbTreeRotateLeft(Tree, Node->parent);
}
Node = Tree->root;
}
}
else {
sibling = Node->parent->left;
if (sibling && sibling->colour == red) {
sibling->colour = black;
Node->parent->colour = red;
RtlpRbTreeRotateRight(Tree, Node->parent);
sibling = Node->parent->left;
}
if (sibling &&
(!sibling->right || sibling->right->colour == black) &&
(!sibling->left || sibling->left->colour == black)) {
sibling->colour = red;
Node = Node->parent;
}
else {
if (sibling &&
(!sibling->left || sibling->left->colour == black)) {
if (sibling->right)
sibling->right->colour = black;
sibling->colour = red;
RtlpRbTreeRotateLeft(Tree, sibling);
sibling = Node->parent->left;
}
if (sibling) {
sibling->colour = Node->parent->colour;
Node->parent->colour = black;
if (sibling->left)
sibling->left->colour = black;
RtlpRbTreeRotateRight(Tree, Node->parent);
}
Node = Tree->root;
}
}
}
Node->colour = black;
}
/*
* ASSUMES LOCK IS HELD!
*
* This function replaces the subtree rooted at the node `toBeReplacedNode` with
* the subtree rooted at the node `replacementNode`. It adjusts the parent
* pointers accordingly.
*
* Example scenario:
*
* Before Transplant: After Transplant:
* (ParentNode) (ParentNode)
* / \ / \
* (toBeReplaced) Sibling (Replacement) Sibling
* / \ / \
* Left Right Left Right
*
* The transplant process ensures that the subtree rooted at `replacementNode`
* takes the place of the subtree rooted at `t
gitextract_efljrolz/
├── .clang-format
├── .clang-format-cpp
├── .gitattributes
├── .gitignore
├── LICENSE.md
├── README.md
├── ac.sln
├── driver/
│ ├── apc.c
│ ├── apc.h
│ ├── arch.asm
│ ├── callbacks.c
│ ├── callbacks.h
│ ├── common.h
│ ├── containers/
│ │ ├── map.c
│ │ ├── map.h
│ │ ├── tree.c
│ │ └── tree.h
│ ├── cpp.hint
│ ├── crypt.c
│ ├── crypt.h
│ ├── driver.c
│ ├── driver.h
│ ├── driver.inf
│ ├── driver.vcxproj
│ ├── driver.vcxproj.filters
│ ├── hv.c
│ ├── hv.h
│ ├── hw.c
│ ├── hw.h
│ ├── ia32.h
│ ├── imports.c
│ ├── imports.h
│ ├── integrity.c
│ ├── integrity.h
│ ├── io.c
│ ├── io.h
│ ├── lib/
│ │ ├── stdlib.c
│ │ └── stdlib.h
│ ├── modules.c
│ ├── modules.h
│ ├── pe.c
│ ├── pe.h
│ ├── pool.c
│ ├── pool.h
│ ├── session.c
│ ├── session.h
│ ├── thread.c
│ ├── thread.h
│ ├── types/
│ │ ├── tpm12.h
│ │ ├── tpm20.h
│ │ ├── tpmptp.h
│ │ └── types.h
│ ├── util.c
│ └── util.h
├── module/
│ ├── client/
│ │ ├── message_queue.cpp
│ │ ├── message_queue.h
│ │ ├── pipe.cpp
│ │ └── pipe.h
│ ├── common.h
│ ├── crypt/
│ │ ├── crypt.cpp
│ │ └── crypt.h
│ ├── dispatcher/
│ │ ├── dispatcher.cpp
│ │ ├── dispatcher.h
│ │ ├── threadpool.cpp
│ │ ├── threadpool.h
│ │ ├── timer.cpp
│ │ └── timer.h
│ ├── helper.cpp
│ ├── helper.h
│ ├── imports.cpp
│ ├── imports.h
│ ├── kernel_interface/
│ │ ├── kernel_interface.cpp
│ │ └── kernel_interface.h
│ ├── main.cpp
│ ├── module.cpp
│ ├── module.h
│ ├── module.vcxproj
│ └── module.vcxproj.filters
└── server/
└── main.go
SYMBOL INDEX (1228 symbols across 48 files)
FILE: driver/apc.c
function VOID (line 7) | VOID
function VOID (line 16) | VOID
function BOOLEAN (line 47) | BOOLEAN
function VOID (line 71) | VOID
function VOID (line 88) | VOID
function NTSTATUS (line 134) | NTSTATUS
function VOID (line 162) | VOID
function BOOLEAN (line 213) | BOOLEAN
FILE: driver/callbacks.c
function VOID (line 34) | VOID
function VOID (line 41) | VOID
function VOID (line 48) | VOID
function VOID (line 55) | VOID
function VOID (line 62) | VOID
function VOID (line 69) | VOID
function VOID (line 87) | VOID
function VOID (line 111) | VOID
function NTSTATUS (line 123) | NTSTATUS
function VOID (line 207) | VOID
function STATIC (line 238) | STATIC
function STATIC (line 251) | STATIC
function STATIC (line 258) | STATIC
function VOID (line 321) | VOID
function VOID (line 400) | VOID
function VOID (line 420) | VOID
function VOID (line 458) | VOID
function VOID (line 499) | VOID
function NTSTATUS (line 533) | NTSTATUS
function STATIC (line 582) | STATIC
function NTSTATUS (line 600) | NTSTATUS
function VOID (line 618) | VOID
function BOOLEAN (line 630) | BOOLEAN
function STATIC (line 639) | STATIC
function VOID (line 660) | VOID
function VOID (line 667) | VOID
function VOID (line 739) | VOID
function VOID (line 790) | VOID
function STATIC (line 823) | STATIC
function STATIC (line 838) | STATIC
function OB_PREOP_CALLBACK_STATUS (line 856) | OB_PREOP_CALLBACK_STATUS
function VOID (line 981) | VOID NTAPI
function ACCESS_MASK (line 1000) | ACCESS_MASK
function STATIC (line 1009) | STATIC
function NTSTATUS (line 1177) | NTSTATUS
function STATIC (line 1213) | STATIC
function STATIC (line 1243) | STATIC
function STATIC (line 1292) | STATIC
function NTSTATUS (line 1324) | NTSTATUS
function VOID (line 1342) | VOID
function VOID (line 1360) | VOID
function NTSTATUS (line 1376) | NTSTATUS
function VOID (line 1411) | VOID
FILE: driver/callbacks.h
type DRIVER_LIST_ENTRY (line 15) | typedef struct _DRIVER_LIST_ENTRY {
type BOOLEAN (line 36) | typedef BOOLEAN (*PROCESS_MODULE_CALLBACK)(_In_ PPROCESS_MAP_MODULE_ENTR...
FILE: driver/common.h
type THREAD_LIST_HEAD (line 66) | typedef struct _THREAD_LIST_HEAD {
type DRIVER_LIST_HEAD (line 74) | typedef struct _DRIVER_LIST_HEAD {
type THREAD_LIST_ENTRY (line 88) | typedef struct _THREAD_LIST_ENTRY {
type PROCESS_MODULE_MAP_CONTEXT (line 97) | typedef struct _PROCESS_MODULE_MAP_CONTEXT {
type PROCESS_MAP_MODULE_ENTRY (line 101) | typedef struct _PROCESS_MAP_MODULE_ENTRY {
type PROCESS_LIST_ENTRY (line 108) | typedef struct _PROCESS_LIST_ENTRY {
type SECURITY_COOKIE (line 122) | typedef union _SECURITY_COOKIE {
type TIMER_OBJECT (line 132) | typedef struct _TIMER_OBJECT {
type ENVIRONMENT_TYPE (line 145) | typedef enum _ENVIRONMENT_TYPE {
type PROCESSOR_TYPE (line 152) | typedef enum _PROCESSOR_TYPE {
type SYSTEM_INFORMATION (line 173) | typedef struct _SYSTEM_INFORMATION {
type OB_CALLBACKS_CONFIG (line 184) | typedef struct _OB_CALLBACKS_CONFIG {
type DEFERRED_REPORT (line 190) | typedef struct _DEFERRED_REPORT {
type DEFERRED_REPORTS_LIST (line 197) | typedef struct _DEFERRED_REPORTS_LIST {
type IRP_QUEUE_HEAD (line 206) | typedef struct _IRP_QUEUE_HEAD {
type IRP_QUEUE_ENTRY (line 218) | typedef struct _IRP_QUEUE_ENTRY {
type HEARTBEAT_CONFIGURATION (line 232) | typedef struct _HEARTBEAT_CONFIGURATION {
type MODULE_INFORMATION (line 253) | typedef struct _MODULE_INFORMATION {
type SESSION_INITIATION_PACKET (line 261) | typedef struct _SESSION_INITIATION_PACKET {
type ACTIVE_SESSION (line 270) | typedef struct _ACTIVE_SESSION {
type KAFFINITY_EX (line 427) | typedef struct _KAFFINITY_EX {
type OBJECT_DIRECTORY_ENTRY (line 435) | typedef struct _OBJECT_DIRECTORY_ENTRY {
type OBJECT_DIRECTORY (line 442) | typedef struct _OBJECT_DIRECTORY {
type DEVICE_MAP (line 452) | typedef struct _DEVICE_MAP {
type RTL_MODULE_EXTENDED_INFO (line 461) | typedef struct _RTL_MODULE_EXTENDED_INFO {
type OBJECT_TYPE (line 492) | typedef struct _OBJECT_TYPE {
type PEB_LDR_DATA (line 508) | typedef struct _PEB_LDR_DATA {
type LDR_DATA_TABLE_ENTRY (line 514) | typedef struct _LDR_DATA_TABLE_ENTRY {
type PEB (line 533) | typedef struct _PEB {
type PEB32 (line 555) | typedef struct _PEB32 {
type PEB_LDR_DATA32 (line 576) | typedef struct _PEB_LDR_DATA32 {
type LDR_DATA_TABLE_ENTRY32 (line 585) | typedef struct _LDR_DATA_TABLE_ENTRY32 {
type HANDLE_TABLE_ENTRY_INFO (line 601) | typedef struct _HANDLE_TABLE_ENTRY_INFO {
type EXHANDLE (line 607) | typedef union _EXHANDLE {
type POOL_HEADER (line 619) | typedef struct _POOL_HEADER // Size=16
type HANDLE_TABLE_ENTRY (line 645) | typedef struct _HANDLE_TABLE_ENTRY // Size=16
type HANDLE_TABLE_FREE_LIST (line 679) | typedef struct _HANDLE_TABLE_FREE_LIST {
type HANDLE_TRACE_DB_ENTRY (line 687) | typedef struct _HANDLE_TRACE_DB_ENTRY {
type HANDLE_TRACE_DEBUG_INFO (line 695) | typedef struct _HANDLE_TRACE_DEBUG_INFO {
type HANDLE_TABLE (line 705) | typedef struct _HANDLE_TABLE {
type BOOLEAN (line 733) | typedef BOOLEAN (*EX_ENUMERATE_HANDLE_ROUTINE)(IN PHANDLE_TABLE_ENTRY
type OBJECT_CREATE_INFORMATION (line 738) | typedef struct _OBJECT_CREATE_INFORMATION {
type OBJECT_HEADER (line 751) | typedef struct _OBJECT_HEADER {
type IMAGE_SECTION_HEADER (line 795) | typedef struct _IMAGE_SECTION_HEADER {
type IMAGE_FILE_HEADER (line 811) | typedef struct _IMAGE_FILE_HEADER {
type IMAGE_DATA_DIRECTORY (line 821) | typedef struct _IMAGE_DATA_DIRECTORY {
type IMAGE_OPTIONAL_HEADER64 (line 828) | typedef struct _IMAGE_OPTIONAL_HEADER64 {
type DWORD (line 861) | typedef unsigned long DWORD;
type WORD (line 862) | typedef unsigned short WORD;
type IMAGE_OPTIONAL_HEADER32 (line 864) | typedef struct _IMAGE_OPTIONAL_HEADER32 {
type IMAGE_DOS_HEADER (line 898) | typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
type KLDR_DATA_TABLE_ENTRY (line 920) | typedef struct _KLDR_DATA_TABLE_ENTRY {
type IMAGE_EXPORT_DIRECTORY (line 942) | typedef struct _IMAGE_EXPORT_DIRECTORY {
type LOCAL_NT_HEADER (line 956) | typedef struct _LOCAL_NT_HEADER {
type DBGKD_DEBUG_DATA_HEADER64 (line 969) | typedef struct _DBGKD_DEBUG_DATA_HEADER64 {
type NTSTATUS (line 975) | typedef NTSTATUS(__stdcall* ZwQuerySystemInformation)(
type SYSTEM_BIGPOOL_ENTRY (line 983) | typedef struct _SYSTEM_BIGPOOL_ENTRY {
type SYSTEM_BIGPOOL_INFORMATION (line 995) | typedef struct _SYSTEM_BIGPOOL_INFORMATION {
type KDDEBUGGER_DATA64 (line 1000) | typedef struct _KDDEBUGGER_DATA64 {
type KDDEBUGGER_DATA_ADDITION64 (line 1133) | typedef struct _KDDEBUGGER_DATA_ADDITION64 {
type DUMP_HEADER (line 1160) | typedef struct _DUMP_HEADER {
type VIRTUAL_ADDRESS (line 1180) | typedef union _VIRTUAL_MEMORY_ADDRESS {
type PML4E (line 1195) | typedef union _PML4_ENTRY {
type PDPTE (line 1213) | typedef union _PDPT_ENTRY {
type PDE (line 1231) | typedef union _PD_ENTRY {
type PTE (line 1250) | typedef union _PT_ENTRY {
type PDPTE_LARGE (line 1271) | typedef union _PDPT_ENTRY_LARGE {
type PDE_LARGE (line 1293) | typedef union _PD_ENTRY_LARGE {
type RAW_SMBIOS_DATA (line 1340) | typedef struct _RAW_SMBIOS_DATA {
type SMBIOS_TABLE_HEADER (line 1349) | typedef struct _SMBIOS_TABLE_HEADER {
type RAW_SMBIOS_TABLE_01 (line 1357) | typedef struct _RAW_SMBIOS_TABLE_01 {
type RAW_SMBIOS_TABLE_02 (line 1372) | typedef struct _RAW_SMBIOS_TABLE_02 {
type RTL_RELATIVE_NAME (line 1390) | typedef struct _RTL_RELATIVE_NAME {
type STORAGE_DESCRIPTOR_HEADER (line 1396) | typedef struct _STORAGE_DESCRIPTOR_HEADER {
type STORAGE_BUS_TYPE (line 1401) | typedef enum _STORAGE_BUS_TYPE {
type STORAGE_SET_TYPE (line 1415) | typedef enum _STORAGE_SET_TYPE {
type STORAGE_QUERY_TYPE (line 1426) | typedef enum _STORAGE_QUERY_TYPE {
type STORAGE_PROPERTY_ID (line 1435) | typedef enum _STORAGE_PROPERTY_ID {
type STORAGE_PROPERTY_QUERY (line 1475) | typedef struct _STORAGE_PROPERTY_QUERY {
type STORAGE_DEVICE_DESCRIPTOR (line 1481) | typedef struct _STORAGE_DEVICE_DESCRIPTOR {
type _EX_PUSH_LOCK_WAIT_BLOCK (line 1509) | struct _EX_PUSH_LOCK_WAIT_BLOCK
type KNORMAL_ROUTINE (line 1569) | typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;
type KRUNDOWN_ROUTINE (line 1575) | typedef KRUNDOWN_ROUTINE* PKRUNDOWN_ROUTINE;
type KKERNEL_ROUTINE (line 1585) | typedef KKERNEL_ROUTINE* PKKERNEL_ROUTINE;
type KAPC_ENVIRONMENT (line 1587) | typedef enum _KAPC_ENVIRONMENT {
type MACHINE_FRAME (line 1658) | typedef struct _MACHINE_FRAME {
type NT_HEADER_64 (line 1713) | typedef struct _NT_HEADER_64 {
FILE: driver/containers/map.c
function VOID (line 5) | VOID
function VOID (line 13) | VOID
function NTSTATUS (line 19) | NTSTATUS
function PRTL_HASHMAP_ENTRY (line 89) | PRTL_HASHMAP_ENTRY
function PRTL_HASHMAP_ENTRY (line 111) | PRTL_HASHMAP_ENTRY
function BOOLEAN (line 125) | BOOLEAN
function INT32 (line 131) | INT32
function VOID (line 143) | VOID
function PVOID (line 152) | PVOID
function PVOID (line 185) | PVOID
function BOOLEAN (line 213) | BOOLEAN
function VOID (line 251) | VOID
FILE: driver/containers/map.h
type RTL_HASHMAP_ENTRY (line 9) | typedef struct _RTL_HASHMAP_ENTRY {
type UINT32 (line 15) | typedef UINT32 (*HASH_FUNCTION)(_In_ UINT64 Key);
type BOOLEAN (line 18) | typedef BOOLEAN (*COMPARE_FUNCTION)(_In_ PVOID Struct1, _In_ PVOID Struc...
type RTL_HASHMAP (line 20) | typedef struct _RTL_HASHMAP {
type VOID (line 46) | typedef VOID (*ENUMERATE_HASHMAP)(_In_ PRTL_HASHMAP_ENTRY Entry,
FILE: driver/containers/tree.c
function VOID (line 58) | VOID
function VOID (line 66) | VOID
function VOID (line 74) | VOID
function VOID (line 82) | VOID
function VOID (line 88) | VOID
function NTSTATUS (line 120) | NTSTATUS
function STATIC (line 165) | STATIC
function STATIC (line 203) | STATIC
function STATIC (line 240) | STATIC
function PVOID (line 325) | PVOID
function STATIC (line 401) | STATIC
function STATIC (line 429) | STATIC
function STATIC (line 539) | STATIC
function STATIC (line 557) | STATIC
function VOID (line 598) | VOID
function PVOID (line 655) | PVOID
function STATIC (line 675) | STATIC
function VOID (line 690) | VOID
function STATIC (line 702) | STATIC
function VOID (line 722) | VOID
function STATIC (line 734) | STATIC
function VOID (line 747) | VOID
FILE: driver/containers/tree.h
type COLOUR (line 10) | typedef enum _COLOUR { red, black } COLOUR;
type RB_TREE_NODE (line 12) | typedef struct _RB_TREE_NODE {
type UINT32 (line 20) | typedef UINT32 (*RB_COMPARE)(_In_ PVOID Key, _In_ PVOID Object);
type RB_TREE (line 22) | typedef struct _RB_TREE {
type VOID (line 36) | typedef VOID (*RB_CALLBACK)(PRB_TREE_NODE Node);
type VOID (line 37) | typedef VOID (*RB_ENUM_CALLBACK)(_In_ PVOID Object, _In_opt_ PVOID Conte...
function VOID (line 69) | VOID
function VOID (line 77) | VOID
FILE: driver/crypt.c
function UINT64 (line 16) | UINT64
function STATIC (line 22) | STATIC
function UINT64 (line 35) | UINT64
function VOID (line 42) | VOID
function __m256i (line 78) | __m256i
function VOID (line 95) | VOID
function UINT64 (line 126) | UINT64
function STATIC (line 165) | STATIC
function UINT32 (line 191) | UINT32
function NTSTATUS (line 214) | NTSTATUS
function VOID (line 251) | VOID
function NTSTATUS (line 269) | NTSTATUS
function NTSTATUS (line 335) | NTSTATUS
function VOID (line 353) | VOID
function STATIC (line 373) | STATIC
function STATIC (line 391) | STATIC
function TPM2_PTP_INTERFACE_TYPE (line 415) | TPM2_PTP_INTERFACE_TYPE
function STATIC (line 450) | STATIC
function NTSTATUS (line 489) | NTSTATUS
function NTSTATUS (line 522) | NTSTATUS
FILE: driver/crypt.h
function FORCEINLINE (line 8) | FORCEINLINE
function FORCEINLINE (line 15) | FORCEINLINE
function FORCEINLINE (line 22) | FORCEINLINE
FILE: driver/driver.c
type DRIVER_CONFIG (line 81) | typedef struct _DRIVER_CONFIG {
function DECLSPEC_NOINLINE (line 135) | DECLSPEC_NOINLINE
function STATIC (line 146) | STATIC
function STATIC (line 154) | STATIC
function PUINT64 (line 162) | PUINT64
function __m256i (line 168) | __m256i*
function STATIC (line 174) | STATIC
function BCRYPT_ALG_HANDLE (line 182) | BCRYPT_ALG_HANDLE*
function PRTL_HASHMAP (line 189) | PRTL_HASHMAP
function BCRYPT_ALG_HANDLE (line 196) | BCRYPT_ALG_HANDLE*
function BOOLEAN (line 203) | BOOLEAN
function VOID (line 210) | VOID
function BOOLEAN (line 217) | BOOLEAN
function PSHARED_MAPPING (line 227) | PSHARED_MAPPING
function VOID (line 234) | VOID
function VOID (line 241) | VOID
function PUINT64 (line 248) | PUINT64
function BOOLEAN (line 255) | BOOLEAN
function PACTIVE_SESSION (line 264) | PACTIVE_SESSION
function LPCSTR (line 271) | LPCSTR
function PDEVICE_OBJECT (line 278) | PDEVICE_OBJECT
function PDRIVER_OBJECT (line 285) | PDRIVER_OBJECT
function PIRP_QUEUE_HEAD (line 292) | PIRP_QUEUE_HEAD
function PSYS_MODULE_VAL_CONTEXT (line 299) | PSYS_MODULE_VAL_CONTEXT
function PUNICODE_STRING (line 306) | PUNICODE_STRING
function PUNICODE_STRING (line 313) | PUNICODE_STRING
function PUNICODE_STRING (line 320) | PUNICODE_STRING
function PUNICODE_STRING (line 327) | PUNICODE_STRING
function PSYSTEM_INFORMATION (line 334) | PSYSTEM_INFORMATION
function PRB_TREE (line 341) | PRB_TREE
function PDRIVER_LIST_HEAD (line 348) | PDRIVER_LIST_HEAD
function STATIC (line 364) | STATIC
function STATIC (line 372) | STATIC
function STATIC (line 390) | STATIC
function STATIC (line 399) | STATIC
function STATIC (line 407) | STATIC
function STATIC (line 415) | STATIC
function STATIC (line 424) | STATIC
function STATIC (line 432) | STATIC
function STATIC (line 441) | STATIC
function STATIC (line 449) | STATIC
function STATIC (line 484) | STATIC
function STATIC (line 529) | STATIC
function STATIC (line 577) | STATIC
function STATIC (line 651) | STATIC
function STATIC (line 690) | STATIC
function STATIC (line 746) | STATIC
function STATIC (line 805) | STATIC
function STATIC (line 861) | STATIC
function STATIC (line 918) | STATIC
function NTSTATUS (line 937) | NTSTATUS
FILE: driver/hv.c
function BOOLEAN (line 27) | BOOLEAN
function NTSTATUS (line 90) | NTSTATUS
FILE: driver/hw.c
type NTSTATUS (line 17) | typedef NTSTATUS (*PCI_DEVICE_CALLBACK)(
function STATIC (line 66) | STATIC
function STATIC (line 128) | STATIC
function STATIC (line 187) | STATIC
function NTSTATUS (line 211) | NTSTATUS
function BOOLEAN (line 268) | BOOLEAN
function STATIC (line 279) | STATIC
function STATIC (line 312) | STATIC
function NTSTATUS (line 345) | NTSTATUS
FILE: driver/ia32.h
type UINT8 (line 3) | typedef unsigned char UINT8;
type UINT16 (line 4) | typedef unsigned short UINT16;
type UINT32 (line 5) | typedef unsigned int UINT32;
type UINT64 (line 6) | typedef unsigned long long UINT64;
type CR0 (line 65) | typedef union
type CR3 (line 289) | typedef union
type CR8 (line 756) | typedef union
type DR6 (line 816) | typedef union
type DR7 (line 904) | typedef union
type CPUID_EAX_00 (line 1131) | typedef struct
type CPUID_EAX_01 (line 1172) | typedef struct
type CPUID_EAX_04 (line 2087) | typedef struct
type CPUID_EAX_05 (line 2291) | typedef struct
type CPUID_EAX_06 (line 2449) | typedef struct
type CPUID_EAX_07 (line 2737) | typedef struct
type CPUID_EAX_09 (line 3457) | typedef struct
type CPUID_EAX_0A (line 3542) | typedef struct
type CPUID_EAX_0B (line 3739) | typedef struct
type CPUID_EAX_0D_ECX_00 (line 3862) | typedef struct
type CPUID_EAX_0D_ECX_01 (line 4011) | typedef struct
type CPUID_EAX_0D_ECX_N (line 4182) | typedef struct
type CPUID_EAX_0F_ECX_00 (line 4301) | typedef struct
type CPUID_EAX_0F_ECX_01 (line 4382) | typedef struct
type CPUID_EAX_10_ECX_00 (line 4501) | typedef struct
type CPUID_EAX_10_ECX_01 (line 4600) | typedef struct
type CPUID_EAX_10_ECX_02 (line 4683) | typedef struct
type CPUID_EAX_10_ECX_03 (line 4763) | typedef struct
type CPUID_EAX_12_ECX_00 (line 4861) | typedef struct
type CPUID_EAX_12_ECX_01 (line 4983) | typedef struct
type CPUID_EAX_12_ECX_02P_SLT_0 (line 5065) | typedef struct
type CPUID_EAX_12_ECX_02P_SLT_1 (line 5144) | typedef struct
type CPUID_EAX_14_ECX_00 (line 5268) | typedef struct
type CPUID_EAX_14_ECX_01 (line 5472) | typedef struct
type CPUID_EAX_15 (line 5579) | typedef struct
type CPUID_EAX_16 (line 5670) | typedef struct
type CPUID_EAX_17_ECX_00 (line 5761) | typedef struct
type CPUID_EAX_17_ECX_01_03 (line 5855) | typedef struct
type CPUID_EAX_17_ECX_N (line 5932) | typedef struct
type CPUID_EAX_18_ECX_00 (line 6027) | typedef struct
type CPUID_EAX_18_ECX_01P (line 6201) | typedef struct
type CPUID_EAX_80000000 (line 6376) | typedef struct
type CPUID_EAX_80000001 (line 6452) | typedef struct
type CPUID_EAX_80000002 (line 6601) | typedef struct
type CPUID_EAX_80000003 (line 6676) | typedef struct
type CPUID_EAX_80000004 (line 6751) | typedef struct
type CPUID_EAX_80000005 (line 6826) | typedef struct
type CPUID_EAX_80000006 (line 6902) | typedef struct
type CPUID_EAX_80000007 (line 7005) | typedef struct
type CPUID_EAX_80000008 (line 7084) | typedef struct
type IA32_PLATFORM_ID_REGISTER (line 7236) | typedef union
type IA32_APIC_BASE_REGISTER (line 7279) | typedef union
type IA32_FEATURE_CONTROL_REGISTER (line 7333) | typedef union
type IA32_TSC_ADJUST_REGISTER (line 7473) | typedef struct
type IA32_SPEC_CTRL_REGISTER (line 7491) | typedef union
type IA32_PRED_CMD_REGISTER (line 7543) | typedef union
type IA32_BIOS_UPDATE_SIGNATURE_REGISTER (line 7585) | typedef union
type IA32_SMM_MONITOR_CTL_REGISTER (line 7645) | typedef union
type IA32_MSEG_HEADER (line 7704) | typedef struct
type IA32_MPERF_REGISTER (line 7782) | typedef struct
type IA32_APERF_REGISTER (line 7799) | typedef struct
type IA32_MTRR_CAPABILITIES_REGISTER (line 7817) | typedef union
type IA32_ARCH_CAPABILITIES_REGISTER (line 7880) | typedef union
type IA32_FLUSH_CMD_REGISTER (line 7983) | typedef union
type IA32_TSX_CTRL_REGISTER (line 8012) | typedef union
type IA32_SYSENTER_CS_REGISTER (line 8052) | typedef union
type IA32_MCG_CAP_REGISTER (line 8120) | typedef union
type IA32_MCG_STATUS_REGISTER (line 8228) | typedef union
type IA32_PERFEVTSEL_REGISTER (line 8298) | typedef union
type IA32_PERF_STATUS_REGISTER (line 8423) | typedef union
type IA32_PERF_CTL_REGISTER (line 8451) | typedef union
type IA32_CLOCK_MODULATION_REGISTER (line 8488) | typedef union
type IA32_THERM_INTERRUPT_REGISTER (line 8545) | typedef union
type IA32_THERM_STATUS_REGISTER (line 8675) | typedef union
type IA32_MISC_ENABLE_REGISTER (line 8900) | typedef union
type IA32_ENERGY_PERF_BIAS_REGISTER (line 9085) | typedef union
type IA32_PACKAGE_THERM_STATUS_REGISTER (line 9116) | typedef union
type IA32_PACKAGE_THERM_INTERRUPT_REGISTER (line 9253) | typedef union
type IA32_DEBUGCTL_REGISTER (line 9351) | typedef union
type IA32_SMRR_PHYSBASE_REGISTER (line 9508) | typedef union
type IA32_SMRR_PHYSMASK_REGISTER (line 9546) | typedef union
type IA32_DCA_0_CAP_REGISTER (line 9595) | typedef union
type IA32_MTRR_PHYSBASE_REGISTER (line 9680) | typedef union
type IA32_MTRR_PHYSMASK_REGISTER (line 9735) | typedef union
type IA32_PAT_REGISTER (line 9875) | typedef union
type IA32_MC_CTL2_REGISTER (line 10005) | typedef union
type IA32_MTRR_DEF_TYPE_REGISTER (line 10043) | typedef union
type IA32_PERF_CAPABILITIES_REGISTER (line 10113) | typedef union
type IA32_FIXED_CTR_CTRL_REGISTER (line 10186) | typedef union
type IA32_PERF_GLOBAL_STATUS_REGISTER (line 10322) | typedef union
type IA32_PERF_GLOBAL_CTRL_REGISTER (line 10504) | typedef union
type IA32_PERF_GLOBAL_STATUS_RESET_REGISTER (line 10542) | typedef union
type IA32_PERF_GLOBAL_STATUS_SET_REGISTER (line 10659) | typedef union
type IA32_PERF_GLOBAL_INUSE_REGISTER (line 10766) | typedef union
type IA32_PEBS_ENABLE_REGISTER (line 10812) | typedef union
type IA32_VMX_BASIC_REGISTER (line 11027) | typedef union
type IA32_VMX_PINBASED_CTLS_REGISTER (line 11168) | typedef union
type IA32_VMX_PROCBASED_CTLS_REGISTER (line 11263) | typedef union
type IA32_VMX_EXIT_CTLS_REGISTER (line 11578) | typedef union
type IA32_VMX_ENTRY_CTLS_REGISTER (line 11793) | typedef union
type IA32_VMX_MISC_REGISTER (line 11967) | typedef union
type IA32_VMX_VMCS_ENUM_REGISTER (line 12179) | typedef union
type IA32_VMX_PROCBASED_CTLS2_REGISTER (line 12233) | typedef union
type IA32_VMX_EPT_VPID_CAP_REGISTER (line 12608) | typedef union
type IA32_VMX_TRUE_CTLS_REGISTER (line 12840) | typedef union
type IA32_VMX_VMFUNC_REGISTER (line 12882) | typedef union
type IA32_VMX_PROCBASED_CTLS3_REGISTER (line 12911) | typedef union
type IA32_VMX_EXIT_CTLS2_REGISTER (line 12980) | typedef union
type IA32_MCG_EXT_CTL_REGISTER (line 13022) | typedef union
type IA32_SGX_SVN_STATUS_REGISTER (line 13051) | typedef union
type IA32_RTIT_OUTPUT_BASE_REGISTER (line 13100) | typedef union
type IA32_RTIT_OUTPUT_MASK_PTRS_REGISTER (line 13143) | typedef union
type IA32_RTIT_CTL_REGISTER (line 13215) | typedef union
type IA32_RTIT_STATUS_REGISTER (line 13610) | typedef union
type IA32_RTIT_CR3_MATCH_REGISTER (line 13762) | typedef union
type IA32_RTIT_ADDR_REGISTER (line 13828) | typedef union
type IA32_U_CET_REGISTER (line 13879) | typedef union
type IA32_S_CET_REGISTER (line 14004) | typedef union
type IA32_PM_ENABLE_REGISTER (line 14193) | typedef union
type IA32_HWP_CAPABILITIES_REGISTER (line 14220) | typedef union
type IA32_HWP_REQUEST_PKG_REGISTER (line 14283) | typedef union
type IA32_HWP_INTERRUPT_REGISTER (line 14358) | typedef union
type IA32_HWP_REQUEST_REGISTER (line 14397) | typedef union
type IA32_HWP_STATUS_REGISTER (line 14484) | typedef union
type IA32_DEBUG_INTERFACE_REGISTER (line 14727) | typedef union
type IA32_L3_QOS_CFG_REGISTER (line 14785) | typedef union
type IA32_L2_QOS_CFG_REGISTER (line 14812) | typedef union
type IA32_QM_EVTSEL_REGISTER (line 14839) | typedef union
type IA32_QM_CTR_REGISTER (line 14878) | typedef union
type IA32_PQR_ASSOC_REGISTER (line 14925) | typedef union
type IA32_BNDCFGS_REGISTER (line 14968) | typedef union
type IA32_XSS_REGISTER (line 15011) | typedef union
type IA32_PKG_HDC_CTL_REGISTER (line 15037) | typedef union
type IA32_PM_CTL1_REGISTER (line 15066) | typedef union
type IA32_THREAD_STALL_REGISTER (line 15095) | typedef struct
type IA32_EFER_REGISTER (line 15114) | typedef union
type IA32_TSC_AUX_REGISTER (line 15226) | typedef union
type PDE_4MB_32 (line 15270) | typedef union
type PDE_32 (line 15428) | typedef union
type PTE_32 (line 15548) | typedef union
type PT_ENTRY_32 (line 15686) | typedef union
type PML4E_64 (line 15794) | typedef union
type PDPTE_1GB_64 (line 15940) | typedef union
type PDPTE_64 (line 16136) | typedef union
type PDE_2MB_64 (line 16282) | typedef union
type PDE_64 (line 16477) | typedef union
type PTE_64 (line 16623) | typedef union
type PT_ENTRY_64 (line 16807) | typedef union
type INVPCID_TYPE (line 16927) | typedef enum
type INVPCID_DESCRIPTOR (line 16960) | typedef union
type SEGMENT_DESCRIPTOR_REGISTER_32 (line 16999) | typedef struct
type SEGMENT_DESCRIPTOR_REGISTER_64 (line 17019) | typedef struct
type SEGMENT_ACCESS_RIGHTS (line 17038) | typedef union
type SEGMENT_DESCRIPTOR_32 (line 17207) | typedef struct
type SEGMENT_DESCRIPTOR_64 (line 17442) | typedef struct
type SEGMENT_DESCRIPTOR_INTERRUPT_GATE_64 (line 17681) | typedef struct
type SEGMENT_SELECTOR (line 17997) | typedef union
type TASK_STATE_SEGMENT_64 (line 18049) | typedef struct
type VMX_VIRTUALIZATION_EXCEPTION_INFORMATION (line 18810) | typedef struct
type VMX_EXIT_QUALIFICATION_DEBUG_EXCEPTION (line 18867) | typedef union
type VMX_EXIT_QUALIFICATION_TASK_SWITCH (line 18919) | typedef union
type VMX_EXIT_QUALIFICATION_MOV_CR (line 18955) | typedef union
type VMX_EXIT_QUALIFICATION_MOV_DR (line 19042) | typedef union
type VMX_EXIT_QUALIFICATION_IO_INSTRUCTION (line 19091) | typedef union
type VMX_EXIT_QUALIFICATION_APIC_ACCESS (line 19170) | typedef union
type VMX_EXIT_QUALIFICATION_EPT_VIOLATION (line 19231) | typedef union
type VMX_VMEXIT_INSTRUCTION_INFO_INS_OUTS (line 19453) | typedef union
type VMX_VMEXIT_INSTRUCTION_INFO_INVALIDATE (line 19499) | typedef union
type VMX_VMEXIT_INSTRUCTION_INFO_GDTR_IDTR_ACCESS (line 19607) | typedef union
type VMX_VMEXIT_INSTRUCTION_INFO_LDTR_TR_ACCESS (line 19735) | typedef union
type VMX_VMEXIT_INSTRUCTION_INFO_RDRAND_RDSEED (line 19870) | typedef union
type VMX_VMEXIT_INSTRUCTION_INFO_VMX_AND_XSAVES (line 19909) | typedef union
type VMX_VMEXIT_INSTRUCTION_INFO_VMREAD_VMWRITE (line 20008) | typedef union
type VMX_SEGMENT_ACCESS_RIGHTS (line 20156) | typedef union
type VMX_INTERRUPTIBILITY_STATE (line 20254) | typedef union
type VMX_GUEST_ACTIVITY_STATE (line 20333) | typedef enum
type VMX_PENDING_DEBUG_EXCEPTIONS (line 20363) | typedef union
type VMX_VMEXIT_REASON (line 20457) | typedef union
type VMX_IO_BITMAP (line 20533) | typedef struct
type VMX_MSR_BITMAP (line 20543) | typedef struct
type EPT_POINTER (line 20577) | typedef union
type EPT_PML4E (line 20662) | typedef union
type EPT_PDPTE_1GB (line 20746) | typedef union
type EPT_PDPTE (line 20929) | typedef union
type EPT_PDE_2MB (line 21013) | typedef union
type EPT_PDE (line 21195) | typedef union
type EPT_PTE (line 21279) | typedef union
type EPT_ENTRY (line 21467) | typedef union
type INVEPT_TYPE (line 21567) | typedef enum
type INVVPID_TYPE (line 21585) | typedef enum
type INVEPT_DESCRIPTOR (line 21627) | typedef struct
type INVVPID_DESCRIPTOR (line 21637) | typedef struct
type HLAT_POINTER (line 21661) | typedef union
type VMCS (line 21715) | typedef struct
type VMXON (line 21788) | typedef struct
type VMCS_COMPONENT_ENCODING (line 21837) | typedef union
type INTERRUPTION_TYPE (line 22982) | typedef enum
type VMENTRY_INTERRUPT_INFORMATION (line 23028) | typedef union
type VMEXIT_INTERRUPT_INFORMATION (line 23090) | typedef union
type EFLAGS (line 23426) | typedef union
type CONTROL_PROTECTION_EXCEPTION (line 23896) | typedef union
type EXCEPTION_VECTOR (line 23939) | typedef enum
type EXCEPTION_ERROR_CODE (line 24100) | typedef union
type PAGE_FAULT_EXCEPTION (line 24165) | typedef union
type VTD_ROOT_ENTRY (line 24410) | typedef struct
type VTD_CONTEXT_ENTRY (line 24469) | typedef struct
type VTD_VERSION_REGISTER (line 24632) | typedef union
type VTD_CAPABILITY_REGISTER (line 24670) | typedef union
type VTD_EXTENDED_CAPABILITY_REGISTER (line 25056) | typedef union
type VTD_GLOBAL_COMMAND_REGISTER (line 25563) | typedef union
type VTD_GLOBAL_STATUS_REGISTER (line 25766) | typedef union
type VTD_ROOT_TABLE_ADDRESS_REGISTER (line 25918) | typedef union
type VTD_CONTEXT_COMMAND_REGISTER (line 25971) | typedef union
type VTD_INVALIDATE_ADDRESS_REGISTER (line 26125) | typedef union
type VTD_IOTLB_INVALIDATE_REGISTER (line 26199) | typedef union
type XCR0 (line 26347) | typedef union
FILE: driver/imports.c
function PVOID (line 10) | PVOID
function NTSTATUS (line 159) | NTSTATUS
function VOID (line 177) | VOID
function NTSTATUS (line 187) | NTSTATUS
function BOOLEAN (line 199) | BOOLEAN
function NTSTATUS (line 209) | NTSTATUS
function NTSTATUS (line 222) | NTSTATUS
function HANDLE (line 235) | HANDLE
function HANDLE (line 245) | HANDLE
function NTSTATUS (line 255) | NTSTATUS
function PVOID (line 267) | PVOID
function POBJECT_TYPE (line 280) | POBJECT_TYPE
function VOID (line 290) | VOID
function LPCSTR (line 300) | LPCSTR
function INT (line 312) | INT
function VOID (line 321) | VOID
function NTSTATUS (line 332) | NTSTATUS
function PVOID (line 347) | PVOID
function NTSTATUS (line 359) | NTSTATUS
function VOID (line 374) | VOID
function VOID (line 385) | VOID
function VOID (line 395) | VOID
function NTSTATUS (line 405) | NTSTATUS
function NTSTATUS (line 427) | NTSTATUS
function VOID (line 438) | VOID
function VOID (line 448) | VOID
function NTSTATUS (line 458) | NTSTATUS
function VOID (line 469) | VOID
function NTSTATUS (line 479) | NTSTATUS
function VOID (line 492) | VOID
function KAFFINITY (line 504) | KAFFINITY
function SIZE_T (line 516) | SIZE_T
function VOID (line 525) | VOID
function NTSTATUS (line 536) | NTSTATUS
function PEPROCESS (line 551) | PEPROCESS
function NTSTATUS (line 561) | NTSTATUS
function SIZE_T (line 571) | SIZE_T
function NTSTATUS (line 581) | NTSTATUS
function PIO_WORKITEM (line 601) | PIO_WORKITEM
function VOID (line 611) | VOID
function VOID (line 621) | VOID
function NTSTATUS (line 634) | NTSTATUS
function NTSTATUS (line 653) | NTSTATUS
function NTSTATUS (line 662) | NTSTATUS
function NTSTATUS (line 684) | NTSTATUS
function NTSTATUS (line 712) | NTSTATUS
function NTSTATUS (line 722) | NTSTATUS
function NTSTATUS (line 740) | NTSTATUS
function VOID (line 768) | VOID
function VOID (line 778) | VOID
function NTSTATUS (line 788) | NTSTATUS
function NTSTATUS (line 803) | NTSTATUS
function VOID (line 825) | VOID
function NTSTATUS (line 835) | NTSTATUS
function NTSTATUS (line 858) | NTSTATUS
function PVOID (line 870) | PVOID
function NTSTATUS (line 880) | NTSTATUS
function ULONG (line 890) | ULONG
function VOID (line 902) | VOID
function VOID (line 915) | VOID
function HANDLE (line 928) | HANDLE
function USHORT (line 938) | USHORT
function NTSTATUS (line 954) | NTSTATUS
function VOID (line 967) | VOID
function VOID (line 977) | VOID
function NTSTATUS (line 989) | NTSTATUS
function VOID (line 1004) | VOID
function BOOLEAN (line 1028) | BOOLEAN
function VOID (line 1042) | VOID
function VOID (line 1052) | VOID
function PPHYSICAL_MEMORY_RANGE (line 1062) | PPHYSICAL_MEMORY_RANGE
function PVOID (line 1074) | PVOID
function LONG_PTR (line 1084) | LONG_PTR
function VOID (line 1094) | VOID
function PVOID (line 1104) | PVOID
function VOID (line 1116) | VOID
function VOID (line 1126) | VOID
function ULONG (line 1136) | ULONG
function LONG (line 1150) | LONG
function VOID (line 1162) | VOID
FILE: driver/imports.h
type NTSTATUS (line 27) | typedef
type BOOLEAN (line 33) | typedef
type NTSTATUS (line 38) | typedef
type NTSTATUS (line 44) | typedef
type HANDLE (line 49) | typedef
type HANDLE (line 54) | typedef
type NTSTATUS (line 59) | typedef
type POBJECT_TYPE (line 72) | typedef
type LPCSTR (line 83) | typedef
type INT (line 88) | typedef
type PCHAR (line 94) | typedef
type NTSTATUS (line 106) | typedef
type NTSTATUS (line 120) | typedef
type NTSTATUS (line 143) | typedef
type NTSTATUS (line 154) | typedef
type NTSTATUS (line 170) | typedef
type NTSTATUS (line 181) | typedef
type KAFFINITY (line 191) | typedef
type SIZE_T (line 196) | typedef
type NTSTATUS (line 208) | typedef
type PEPROCESS (line 215) | typedef
type NTSTATUS (line 220) | typedef
type SIZE_T (line 225) | typedef
type NTSTATUS (line 232) | typedef
type PIO_WORKITEM (line 241) | typedef
type NTSTATUS (line 259) | typedef
type NTSTATUS (line 269) | typedef
type NTSTATUS (line 274) | typedef
type NTSTATUS (line 285) | typedef
type NTSTATUS (line 299) | typedef
type NTSTATUS (line 305) | typedef
type NTSTATUS (line 314) | typedef
type NTSTATUS (line 339) | typedef
type NTSTATUS (line 348) | typedef
type NTSTATUS (line 365) | typedef
type NTSTATUS (line 375) | typedef
type NTSTATUS (line 388) | typedef
type ULONG (line 393) | typedef
type HANDLE (line 410) | typedef
type USHORT (line 415) | typedef
type NTSTATUS (line 423) | typedef
type NTSTATUS (line 441) | typedef
type BOOLEAN (line 460) | typedef
type PPHYSICAL_MEMORY_RANGE (line 479) | typedef
type LONG_PTR (line 490) | typedef
type ULONG (line 518) | typedef
type LONG (line 526) | typedef
type PIO_STACK_LOCATION (line 533) | typedef
type DRIVER_IMPORTS (line 644) | typedef struct _DRIVER_IMPORTS
FILE: driver/integrity.c
type INTEGRITY_CHECK_HEADER (line 21) | typedef struct _INTEGRITY_CHECK_HEADER {
type PROCESS_MODULE_INFORMATION (line 32) | typedef struct _PROCESS_MODULE_INFORMATION {
type PROCESS_MODULE_VALIDATION_RESULT (line 44) | typedef struct _PROCESS_MODULE_VALIDATION_RESULT {
type VAL_INTEGRITY_HEADER (line 51) | typedef struct _VAL_INTEGRITY_HEADER {
function NTSTATUS (line 147) | NTSTATUS
function STATIC (line 196) | STATIC
function BOOLEAN (line 246) | BOOLEAN
function BOOLEAN (line 254) | BOOLEAN
function UINT32 (line 262) | UINT32
function VOID (line 270) | VOID
function STATIC (line 280) | STATIC
function STATIC (line 396) | STATIC
function NTSTATUS (line 488) | NTSTATUS
function STATIC (line 557) | STATIC
function STATIC (line 601) | STATIC
function PRAW_SMBIOS_DATA (line 654) | PRAW_SMBIOS_DATA
function PSMBIOS_TABLE_HEADER (line 662) | PSMBIOS_TABLE_HEADER
function NTSTATUS (line 668) | NTSTATUS
function STATIC (line 760) | STATIC
function BOOLEAN (line 811) | BOOLEAN
function STATIC (line 817) | STATIC
function NTSTATUS (line 875) | NTSTATUS
function NTSTATUS (line 998) | NTSTATUS
function PCHAR (line 1069) | PCHAR
function SIZE_T (line 1077) | SIZE_T
function VOID (line 1085) | VOID
function NTSTATUS (line 1099) | NTSTATUS
function PVOID (line 1219) | PVOID
function STATIC (line 1255) | STATIC
function STATIC (line 1267) | STATIC
function STATIC (line 1312) | STATIC
function STATIC (line 1378) | STATIC
function STATIC (line 1409) | STATIC
function NTSTATUS (line 1453) | NTSTATUS
function VOID (line 1530) | VOID
function STATIC (line 1548) | STATIC
function VOID (line 1589) | VOID
function VOID (line 1595) | VOID
function NTSTATUS (line 1643) | NTSTATUS
function STATIC (line 1750) | STATIC
function VOID (line 1789) | VOID
function STATIC (line 1853) | STATIC
function NTSTATUS (line 1892) | NTSTATUS
function VOID (line 1972) | VOID
function VOID (line 1980) | VOID
function VOID (line 1988) | VOID
function UINT32 (line 1996) | UINT32
function UINT32 (line 2004) | UINT32
function VOID (line 2013) | VOID
function STATIC (line 2020) | STATIC
function VOID (line 2070) | VOID
function STATIC (line 2099) | STATIC
function VOID (line 2133) | VOID
function STATIC (line 2146) | STATIC
function VOID (line 2168) | VOID
function STATIC (line 2177) | STATIC
function NTSTATUS (line 2196) | NTSTATUS
function NTSTATUS (line 2239) | NTSTATUS
function BOOLEAN (line 2269) | BOOLEAN
function STATIC (line 2285) | STATIC
function STATIC (line 2300) | STATIC
function STATIC (line 2334) | STATIC
function VOID (line 2354) | VOID
function VOID (line 2364) | VOID
function VOID (line 2372) | VOID
function VOID (line 2381) | VOID
function VOID (line 2390) | VOID
function PHEARTBEAT_PACKET (line 2398) | PHEARTBEAT_PACKET
function STATIC (line 2427) | STATIC
function STATIC (line 2479) | STATIC
function NTSTATUS (line 2517) | NTSTATUS
function VOID (line 2541) | VOID
FILE: driver/integrity.h
type MODULE_DISPATCHER_HEADER (line 8) | typedef struct _MODULE_DISPATCHER_HEADER {
type SYSTEM_MODULE_INFORMATION (line 14) | typedef struct _SYSTEM_MODULE_INFORMATION {
type SYS_MODULE_VAL_CONTEXT (line 22) | typedef struct _SYS_MODULE_VAL_CONTEXT {
type SMBIOS_TABLE_INDEX (line 53) | typedef enum _SMBIOS_TABLE_INDEX {
FILE: driver/io.c
function STATIC (line 87) | STATIC
function STATIC (line 94) | STATIC
function STATIC (line 101) | STATIC
function STATIC (line 117) | STATIC
function STATIC (line 126) | STATIC
function STATIC (line 133) | STATIC
function STATIC (line 140) | STATIC
function UINT16 (line 150) | UINT16
function VOID (line 159) | VOID
function STATIC (line 170) | STATIC
function STATIC (line 197) | STATIC
function STATIC (line 237) | STATIC
function STATIC (line 246) | STATIC
function STATIC (line 256) | STATIC
function STATIC (line 278) | STATIC
function STATIC (line 312) | STATIC
function VOID (line 363) | VOID
function STATIC (line 369) | STATIC
function NTSTATUS (line 388) | NTSTATUS
function VOID (line 414) | VOID
function VOID (line 566) | VOID
function VOID (line 587) | VOID
function STATIC (line 610) | STATIC
function STATIC (line 638) | STATIC
function STATIC (line 654) | STATIC
function STATIC (line 725) | STATIC
function NTSTATUS (line 778) | NTSTATUS
function NTSTATUS (line 803) | NTSTATUS
function NTSTATUS (line 820) | NTSTATUS
function NTSTATUS (line 1218) | NTSTATUS
function NTSTATUS (line 1238) | NTSTATUS
FILE: driver/io.h
type SHARED_MAPPING_INIT (line 9) | typedef struct _SHARED_MAPPING_INIT {
type SHARED_STATE_OPERATION_ID (line 15) | typedef enum _SHARED_STATE_OPERATION_ID {
type SHARED_STATE (line 28) | typedef struct _SHARED_STATE {
type SHARED_MAPPING (line 34) | typedef struct _SHARED_MAPPING {
FILE: driver/lib/stdlib.c
function VOID (line 3) | VOID
function SIZE_T (line 13) | SIZE_T
function SIZE_T (line 24) | SIZE_T
function PCHAR (line 38) | PCHAR
function INT32 (line 60) | INT32
function PWCHAR (line 74) | PWCHAR
FILE: driver/modules.c
type WHITELISTED_REGIONS (line 54) | typedef struct _WHITELISTED_REGIONS {
type NMI_CONTEXT (line 60) | typedef struct _NMI_CONTEXT {
type DPC_CONTEXT (line 74) | typedef struct _DPC_CONTEXT {
function PRTL_MODULE_EXTENDED_INFO (line 162) | PRTL_MODULE_EXTENDED_INFO
function STATIC (line 183) | STATIC
function STATIC (line 208) | STATIC
function STATIC (line 215) | STATIC
function STATIC (line 284) | STATIC
function VOID (line 316) | VOID
function NTSTATUS (line 325) | NTSTATUS
function STATIC (line 375) | STATIC
function POBJECT_DIRECTORY_ENTRY (line 415) | POBJECT_DIRECTORY_ENTRY
function PVOID (line 423) | PVOID
function STATIC (line 429) | STATIC
function STATIC (line 459) | STATIC
function BOOLEAN (line 556) | BOOLEAN
function NTSTATUS (line 562) | NTSTATUS
function BOOLEAN (line 597) | BOOLEAN
function BOOLEAN (line 619) | BOOLEAN
function STATIC (line 632) | STATIC
function STATIC (line 663) | STATIC
function STATIC (line 697) | STATIC
function STATIC (line 733) | STATIC
function STATIC (line 771) | STATIC
function TASK_STATE_SEGMENT_64 (line 843) | TASK_STATE_SEGMENT_64*
function PMACHINE_FRAME (line 851) | PMACHINE_FRAME
function STATIC (line 857) | STATIC BOOLEAN
function STATIC (line 900) | STATIC
function NTSTATUS (line 937) | NTSTATUS
function STATIC (line 1021) | STATIC
function STATIC (line 1029) | STATIC
function STATIC (line 1064) | STATIC
function STATIC (line 1133) | STATIC
function STATIC (line 1147) | STATIC
function VOID (line 1228) | VOID
function VOID (line 1236) | VOID
function NTSTATUS (line 1249) | NTSTATUS
function VOID (line 1301) | VOID
function VOID (line 1310) | VOID
function STATIC (line 1346) | STATIC
function STATIC (line 1382) | STATIC
function STATIC (line 1405) | STATIC
function NTSTATUS (line 1433) | NTSTATUS
function STATIC (line 1475) | STATIC
function STATIC (line 1503) | STATIC
function STATIC (line 1513) | STATIC
function STATIC (line 1546) | STATIC
function STATIC (line 1666) | STATIC
function NTSTATUS (line 1704) | NTSTATUS
function NTSTATUS (line 1747) | NTSTATUS
function PVOID (line 1828) | PVOID
function VOID (line 1853) | VOID
function PRTL_MODULE_EXTENDED_INFO (line 1858) | PRTL_MODULE_EXTENDED_INFO
function BOOLEAN (line 1874) | BOOLEAN
function PVOID (line 1893) | PVOID
function STATIC (line 2018) | STATIC
function STATIC (line 2052) | STATIC
function NTSTATUS (line 2132) | NTSTATUS
FILE: driver/modules.h
type APC_OPERATION_ID (line 9) | typedef struct _APC_OPERATION_ID {
type SYSTEM_MODULES (line 16) | typedef struct _SYSTEM_MODULES {
type APC_CONTEXT_HEADER (line 25) | typedef struct _APC_CONTEXT_HEADER {
type APC_STACKWALK_CONTEXT (line 32) | typedef struct _APC_STACKWALK_CONTEXT {
FILE: driver/pe.c
function PNT_HEADER_64 (line 5) | PNT_HEADER_64
function PNT_HEADER_64 (line 19) | PNT_HEADER_64
function PIMAGE_DATA_DIRECTORY (line 30) | PIMAGE_DATA_DIRECTORY
function PIMAGE_DATA_DIRECTORY (line 42) | PIMAGE_DATA_DIRECTORY
function PIMAGE_EXPORT_DIRECTORY (line 57) | PIMAGE_EXPORT_DIRECTORY
function PIMAGE_EXPORT_DIRECTORY (line 70) | PIMAGE_EXPORT_DIRECTORY
function UINT32 (line 86) | UINT32
function UINT32 (line 92) | UINT32
function PVOID (line 101) | PVOID
FILE: driver/pool.c
function STATIC (line 30) | STATIC
function STATIC (line 53) | STATIC
function STATIC (line 77) | STATIC
function STATIC (line 114) | STATIC
function STATIC (line 157) | STATIC
function STATIC (line 200) | STATIC
function NTSTATUS (line 232) | NTSTATUS
function STATIC (line 278) | STATIC
function NTSTATUS (line 298) | NTSTATUS
FILE: driver/pool.h
type BOOLEAN (line 7) | typedef BOOLEAN (*PAGE_CALLBACK)(_In_ UINT64 Page, _In_ UINT32 PageSize,...
FILE: driver/session.c
function NTSTATUS (line 9) | NTSTATUS
function VOID (line 25) | VOID
function VOID (line 31) | VOID
function VOID (line 39) | VOID
function VOID (line 47) | VOID
function VOID (line 55) | VOID
function STATIC (line 64) | STATIC
function VOID (line 71) | VOID
function STATIC (line 93) | STATIC
function NTSTATUS (line 122) | NTSTATUS
function VOID (line 197) | VOID
function VOID (line 228) | VOID
function VOID (line 236) | VOID
function VOID (line 244) | VOID
FILE: driver/thread.c
function BOOLEAN (line 21) | BOOLEAN
function STATIC (line 82) | STATIC VOID
function VOID (line 139) | VOID
FILE: driver/types/tpm12.h
type UINT8 (line 32) | typedef UINT8 TPM_AUTH_DATA_USAGE;
type UINT8 (line 36) | typedef UINT8 TPM_PAYLOAD_TYPE;
type UINT8 (line 40) | typedef UINT8 TPM_VERSION_BYTE;
type UINT8 (line 44) | typedef UINT8 TPM_DA_STATE;
type UINT16 (line 48) | typedef UINT16 TPM_TAG;
type UINT16 (line 52) | typedef UINT16 TPM_PROTOCOL_ID;
type UINT16 (line 56) | typedef UINT16 TPM_STARTUP_TYPE;
type UINT16 (line 60) | typedef UINT16 TPM_ENC_SCHEME;
type UINT16 (line 64) | typedef UINT16 TPM_SIG_SCHEME;
type UINT16 (line 68) | typedef UINT16 TPM_MIGRATE_SCHEME;
type UINT16 (line 72) | typedef UINT16 TPM_PHYSICAL_PRESENCE;
type UINT16 (line 76) | typedef UINT16 TPM_ENTITY_TYPE;
type UINT16 (line 80) | typedef UINT16 TPM_KEY_USAGE;
type UINT16 (line 84) | typedef UINT16 TPM_EK_TYPE;
type UINT16 (line 88) | typedef UINT16 TPM_STRUCTURE_TAG;
type UINT16 (line 92) | typedef UINT16 TPM_PLATFORM_SPECIFIC;
type UINT32 (line 96) | typedef UINT32 TPM_COMMAND_CODE;
type UINT32 (line 100) | typedef UINT32 TPM_CAPABILITY_AREA;
type UINT32 (line 104) | typedef UINT32 TPM_KEY_FLAGS;
type UINT32 (line 108) | typedef UINT32 TPM_ALGORITHM_ID;
type UINT32 (line 112) | typedef UINT32 TPM_MODIFIER_INDICATOR;
type UINT32 (line 116) | typedef UINT32 TPM_ACTUAL_COUNT;
type UINT32 (line 120) | typedef UINT32 TPM_TRANSPORT_ATTRIBUTES;
type UINT32 (line 124) | typedef UINT32 TPM_AUTHHANDLE;
type UINT32 (line 128) | typedef UINT32 TPM_DIRINDEX;
type UINT32 (line 132) | typedef UINT32 TPM_KEY_HANDLE;
type UINT32 (line 136) | typedef UINT32 TPM_PCRINDEX;
type UINT32 (line 140) | typedef UINT32 TPM_RESULT;
type UINT32 (line 144) | typedef UINT32 TPM_RESOURCE_TYPE;
type UINT32 (line 149) | typedef UINT32 TPM_KEY_CONTROL;
type UINT32 (line 153) | typedef UINT32 TPM_NV_INDEX;
type UINT32 (line 160) | typedef UINT32 TPM_FAMILY_ID;
type UINT32 (line 165) | typedef UINT32 TPM_FAMILY_VERIFICATION;
type UINT32 (line 169) | typedef UINT32 TPM_STARTUP_EFFECTS;
type UINT32 (line 173) | typedef UINT32 TPM_SYM_MODE;
type UINT32 (line 177) | typedef UINT32 TPM_FAMILY_FLAGS;
type UINT32 (line 181) | typedef UINT32 TPM_DELEGATE_INDEX;
type UINT32 (line 185) | typedef UINT32 TPM_CMK_DELEGATE;
type UINT32 (line 189) | typedef UINT32 TPM_COUNT_ID;
type UINT32 (line 193) | typedef UINT32 TPM_REDIT_COMMAND;
type UINT32 (line 197) | typedef UINT32 TPM_TRANSHANDLE;
type UINT32 (line 201) | typedef UINT32 TPM_HANDLE;
type UINT32 (line 205) | typedef UINT32 TPM_FAMILY_OPERATION;
type TPM_STRUCT_VER (line 506) | typedef struct tdTPM_STRUCT_VER {
type TPM_VERSION (line 516) | typedef struct tdTPM_VERSION {
type TPM_DIGEST (line 529) | typedef struct tdTPM_DIGEST {
type TPM_DIGEST (line 537) | typedef TPM_DIGEST TPM_CHOSENID_HASH;
type TPM_DIGEST (line 542) | typedef TPM_DIGEST TPM_COMPOSITE_HASH;
type TPM_DIGEST (line 546) | typedef TPM_DIGEST TPM_DIRVALUE;
type TPM_DIGEST (line 548) | typedef TPM_DIGEST TPM_HMAC;
type TPM_DIGEST (line 552) | typedef TPM_DIGEST TPM_PCRVALUE;
type TPM_DIGEST (line 556) | typedef TPM_DIGEST TPM_AUDITDIGEST;
type TPM_NONCE (line 561) | typedef struct tdTPM_NONCE {
type TPM_NONCE (line 569) | typedef TPM_NONCE TPM_DAA_TPM_SEED;
type TPM_NONCE (line 573) | typedef TPM_NONCE TPM_DAA_CONTEXT_SEED;
type UINT8 (line 582) | typedef UINT8 tdTPM_AUTHDATA[20];
type tdTPM_AUTHDATA (line 584) | typedef tdTPM_AUTHDATA TPM_AUTHDATA;
type TPM_AUTHDATA (line 588) | typedef TPM_AUTHDATA TPM_SECRET;
type TPM_AUTHDATA (line 593) | typedef TPM_AUTHDATA TPM_ENCAUTH;
type TPM_KEY_HANDLE_LIST (line 599) | typedef struct tdTPM_KEY_HANDLE_LIST {
type TPM_KEY_FLAGS_BITS (line 673) | typedef enum tdTPM_KEY_FLAGS {
type TPM_CHANGEAUTH_VALIDATE (line 684) | typedef struct tdTPM_CHANGEAUTH_VALIDATE {
type TPM_KEY_PARMS (line 696) | typedef struct tdTPM_KEY_PARMS {
type TPM_STORE_PUBKEY (line 707) | typedef struct tdTPM_STORE_PUBKEY {
type TPM_PUBKEY (line 715) | typedef struct tdTPM_PUBKEY {
type TPM_MIGRATIONKEYAUTH (line 723) | typedef struct tdTPM_MIGRATIONKEYAUTH {
type TPM_COUNTER_VALUE (line 732) | typedef struct tdTPM_COUNTER_VALUE {
type TPM_SIGN_INFO (line 742) | typedef struct tdTPM_SIGN_INFO {
type TPM_MSA_COMPOSITE (line 754) | typedef struct tdTPM_MSA_COMPOSITE {
type TPM_CMK_AUTH (line 762) | typedef struct tdTPM_CMK_AUTH {
type TPM_SELECT_SIZE (line 780) | typedef struct tdTPM_SELECT_SIZE {
type TPM_CMK_MIGAUTH (line 789) | typedef struct tdTPM_CMK_MIGAUTH {
type TPM_CMK_SIGTICKET (line 798) | typedef struct tdTPM_CMK_SIGTICKET {
type TPM_CMK_MA_APPROVAL (line 807) | typedef struct tdTPM_CMK_MA_APPROVAL {
type TPM_PERMANENT_FLAGS (line 825) | typedef struct tdTPM_PERMANENT_FLAGS {
type TPM_STCLEAR_FLAGS (line 876) | typedef struct tdTPM_STCLEAR_FLAGS {
type TPM_STANY_FLAGS (line 897) | typedef struct tdTPM_STANY_FLAGS {
type TPM_STCLEAR_DATA (line 957) | typedef struct tdTPM_STCLEAR_DATA {
type TPM_PCR_SELECTION (line 995) | typedef struct tdTPM_PCR_SELECTION {
type TPM_PCR_COMPOSITE (line 1004) | typedef struct tdTPM_PCR_COMPOSITE {
type TPM_PCR_INFO (line 1013) | typedef struct tdTPM_PCR_INFO {
type UINT8 (line 1022) | typedef UINT8 TPM_LOCALITY_SELECTION;
type TPM_PCR_INFO_LONG (line 1033) | typedef struct tdTPM_PCR_INFO_LONG {
type TPM_PCR_INFO_SHORT (line 1046) | typedef struct tdTPM_PCR_INFO_SHORT {
type TPM_PCR_ATTRIBUTES (line 1055) | typedef struct tdTPM_PCR_ATTRIBUTES {
type TPM_STORED_DATA (line 1070) | typedef struct tdTPM_STORED_DATA {
type TPM_STORED_DATA12 (line 1083) | typedef struct tdTPM_STORED_DATA12 {
type TPM_SEALED_DATA (line 1096) | typedef struct tdTPM_SEALED_DATA {
type TPM_SYMMETRIC_KEY (line 1109) | typedef struct tdTPM_SYMMETRIC_KEY {
type TPM_BOUND_DATA (line 1119) | typedef struct tdTPM_BOUND_DATA {
type TPM_KEY (line 1137) | typedef struct tdTPM_KEY {
type TPM_KEY12 (line 1154) | typedef struct tdTPM_KEY12 {
type TPM_STORE_PRIVKEY (line 1172) | typedef struct tdTPM_STORE_PRIVKEY {
type TPM_STORE_ASYMKEY (line 1180) | typedef struct tdTPM_STORE_ASYMKEY {
type TPM_MIGRATE_ASYMKEY (line 1193) | typedef struct tdTPM_MIGRATE_ASYMKEY {
type TPM_CERTIFY_INFO (line 1214) | typedef struct tdTPM_CERTIFY_INFO {
type TPM_CERTIFY_INFO2 (line 1230) | typedef struct tdTPM_CERTIFY_INFO2 {
type TPM_QUOTE_INFO (line 1250) | typedef struct tdTPM_QUOTE_INFO {
type TPM_QUOTE_INFO2 (line 1260) | typedef struct tdTPM_QUOTE_INFO2 {
type TPM_EK_BLOB (line 1274) | typedef struct tdTPM_EK_BLOB {
type TPM_EK_BLOB_ACTIVATE (line 1284) | typedef struct tdTPM_EK_BLOB_ACTIVATE {
type TPM_EK_BLOB_AUTH (line 1294) | typedef struct tdTPM_EK_BLOB_AUTH {
type TPM_IDENTITY_CONTENTS (line 1302) | typedef struct tdTPM_IDENTITY_CONTENTS {
type TPM_IDENTITY_REQ (line 1312) | typedef struct tdTPM_IDENTITY_REQ {
type TPM_IDENTITY_PROOF (line 1324) | typedef struct tdTPM_IDENTITY_PROOF {
type TPM_ASYM_CA_CONTENTS (line 1342) | typedef struct tdTPM_ASYM_CA_CONTENTS {
type TPM_SYM_CA_ATTESTATION (line 1350) | typedef struct tdTPM_SYM_CA_ATTESTATION {
type TPM_CURRENT_TICKS (line 1360) | typedef struct tdTPM_CURRENT_TICKS {
type TPM_TRANSPORT_PUBLIC (line 1374) | typedef struct tdTPM_TRANSPORT_PUBLIC {
type TPM_TRANSPORT_INTERNAL (line 1391) | typedef struct tdTPM_TRANSPORT_INTERNAL {
type TPM_TRANSPORT_LOG_IN (line 1403) | typedef struct tdTPM_TRANSPORT_LOG_IN {
type TPM_TRANSPORT_LOG_OUT (line 1412) | typedef struct tdTPM_TRANSPORT_LOG_OUT {
type TPM_TRANSPORT_AUTH (line 1422) | typedef struct tdTPM_TRANSPORT_AUTH {
type TPM_AUDIT_EVENT_IN (line 1434) | typedef struct tdTPM_AUDIT_EVENT_IN {
type TPM_AUDIT_EVENT_OUT (line 1443) | typedef struct tdTPM_AUDIT_EVENT_OUT {
type TPM_CONTEXT_BLOB (line 1724) | typedef struct tdTPM_CONTEXT_BLOB {
type TPM_CONTEXT_SENSITIVE (line 1740) | typedef struct tdTPM_CONTEXT_SENSITIVE {
type TPM_NV_ATTRIBUTES (line 1774) | typedef struct tdTPM_NV_ATTRIBUTES {
type TPM_NV_DATA_PUBLIC (line 1794) | typedef struct tdTPM_NV_DATA_PUBLIC {
type TPM_DELEGATIONS (line 1815) | typedef struct tdTPM_DELEGATIONS {
type TPM_FAMILY_LABEL (line 1899) | typedef struct tdTPM_FAMILY_LABEL {
type TPM_FAMILY_TABLE_ENTRY (line 1906) | typedef struct tdTPM_FAMILY_TABLE_ENTRY {
type TPM_FAMILY_TABLE (line 1919) | typedef struct tdTPM_FAMILY_TABLE {
type TPM_DELEGATE_LABEL (line 1926) | typedef struct tdTPM_DELEGATE_LABEL {
type TPM_DELEGATE_PUBLIC (line 1933) | typedef struct tdTPM_DELEGATE_PUBLIC {
type TPM_DELEGATE_TABLE_ROW (line 1945) | typedef struct tdTPM_DELEGATE_TABLE_ROW {
type TPM_DELEGATE_TABLE (line 1956) | typedef struct tdTPM_DELEGATE_TABLE {
type TPM_DELEGATE_SENSITIVE (line 1963) | typedef struct tdTPM_DELEGATE_SENSITIVE {
type TPM_DELEGATE_OWNER_BLOB (line 1971) | typedef struct tdTPM_DELEGATE_OWNER_BLOB {
type TPM_DELEGATE_KEY_BLOB (line 1984) | typedef struct tdTPM_DELEGATE_KEY_BLOB {
type TPM_CAP_VERSION_INFO (line 2077) | typedef struct tdTPM_CAP_VERSION_INFO {
type TPM_DA_ACTION_TYPE (line 2090) | typedef struct tdTPM_DA_ACTION_TYPE {
type TPM_DA_INFO (line 2103) | typedef struct tdTPM_DA_INFO {
type TPM_DA_INFO_LIMITED (line 2117) | typedef struct tdTPM_DA_INFO_LIMITED {
type TPM_DAA_ISSUER (line 2158) | typedef struct tdTPM_DAA_ISSUER {
type TPM_DAA_TPM (line 2172) | typedef struct tdTPM_DAA_TPM {
type TPM_DAA_CONTEXT (line 2184) | typedef struct tdTPM_DAA_CONTEXT {
type TPM_DAA_JOINDATA (line 2196) | typedef struct tdTPM_DAA_JOINDATA {
type TPM_DAA_BLOB (line 2205) | typedef struct tdTPM_DAA_BLOB {
type TPM_DAA_SENSITIVE (line 2219) | typedef struct tdTPM_DAA_SENSITIVE {
type TPM_RQU_COMMAND_HDR (line 2241) | typedef struct tdTPM_RQU_COMMAND_HDR {
type TPM_RSP_COMMAND_HDR (line 2250) | typedef struct tdTPM_RSP_COMMAND_HDR {
FILE: driver/types/tpm20.h
type UINT16 (line 77) | typedef UINT16 BSIZE;
type UINT16 (line 85) | typedef UINT16 CONTEXT_SLOT;
type UINT64 (line 86) | typedef UINT64 CONTEXT_COUNTER;
type UINT8 (line 142) | typedef UINT8 BYTE;
type UINT32 (line 150) | typedef UINT32 TPM_AUTHORIZATION_SIZE;
type UINT32 (line 151) | typedef UINT32 TPM_PARAMETER_SIZE;
type UINT16 (line 152) | typedef UINT16 TPM_KEY_SIZE;
type UINT16 (line 153) | typedef UINT16 TPM_KEY_BITS;
type UINT32 (line 158) | typedef UINT32 TPM_GENERATED;
type UINT16 (line 162) | typedef UINT16 TPM_ALG_ID;
type UINT16 (line 205) | typedef UINT16 TPM_ECC_CURVE;
type UINT32 (line 217) | typedef UINT32 TPM_CC;
type UINT32 (line 331) | typedef UINT32 TPM_RC;
type INT8 (line 455) | typedef INT8 TPM_CLOCK_ADJUST;
type UINT16 (line 465) | typedef UINT16 TPM_EO;
type UINT16 (line 480) | typedef UINT16 TPM_ST;
type UINT16 (line 500) | typedef UINT16 TPM_SU;
type UINT8 (line 505) | typedef UINT8 TPM_SE;
type UINT32 (line 511) | typedef UINT32 TPM_CAP;
type UINT32 (line 526) | typedef UINT32 TPM_PT;
type UINT32 (line 597) | typedef UINT32 TPM_PT_PCR;
type UINT32 (line 617) | typedef UINT32 TPM_PS;
type UINT8 (line 644) | typedef UINT8 TPM_HT;
type UINT32 (line 656) | typedef UINT32 TPM_RH;
type TPM_HANDLE (line 677) | typedef TPM_HANDLE TPM_HC;
type TPMA_ALGORITHM (line 711) | typedef struct {
type TPMA_OBJECT (line 724) | typedef struct {
type TPMA_SESSION (line 744) | typedef struct {
type TPMA_LOCALITY (line 758) | typedef struct {
type TPMA_PERMANENT (line 768) | typedef struct {
type TPMA_STARTUP_CLEAR (line 780) | typedef struct {
type TPMA_MEMORY (line 789) | typedef struct {
type TPMA_CC (line 797) | typedef struct {
type BYTE (line 812) | typedef BYTE TPMI_YES_NO;
type TPM_HANDLE (line 815) | typedef TPM_HANDLE TPMI_DH_OBJECT;
type TPM_HANDLE (line 818) | typedef TPM_HANDLE TPMI_DH_PERSISTENT;
type TPM_HANDLE (line 821) | typedef TPM_HANDLE TPMI_DH_ENTITY;
type TPM_HANDLE (line 824) | typedef TPM_HANDLE TPMI_DH_PCR;
type TPM_HANDLE (line 827) | typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
type TPM_HANDLE (line 830) | typedef TPM_HANDLE TPMI_SH_HMAC;
type TPM_HANDLE (line 833) | typedef TPM_HANDLE TPMI_SH_POLICY;
type TPM_HANDLE (line 836) | typedef TPM_HANDLE TPMI_DH_CONTEXT;
type TPM_HANDLE (line 839) | typedef TPM_HANDLE TPMI_RH_HIERARCHY;
type TPM_HANDLE (line 842) | typedef TPM_HANDLE TPMI_RH_HIERARCHY_AUTH;
type TPM_HANDLE (line 845) | typedef TPM_HANDLE TPMI_RH_PLATFORM;
type TPM_HANDLE (line 848) | typedef TPM_HANDLE TPMI_RH_OWNER;
type TPM_HANDLE (line 851) | typedef TPM_HANDLE TPMI_RH_ENDORSEMENT;
type TPM_HANDLE (line 854) | typedef TPM_HANDLE TPMI_RH_PROVISION;
type TPM_HANDLE (line 857) | typedef TPM_HANDLE TPMI_RH_CLEAR;
type TPM_HANDLE (line 860) | typedef TPM_HANDLE TPMI_RH_NV_AUTH;
type TPM_HANDLE (line 863) | typedef TPM_HANDLE TPMI_RH_LOCKOUT;
type TPM_HANDLE (line 866) | typedef TPM_HANDLE TPMI_RH_NV_INDEX;
type TPM_ALG_ID (line 869) | typedef TPM_ALG_ID TPMI_ALG_HASH;
type TPM_ALG_ID (line 872) | typedef TPM_ALG_ID TPMI_ALG_ASYM;
type TPM_ALG_ID (line 875) | typedef TPM_ALG_ID TPMI_ALG_SYM;
type TPM_ALG_ID (line 878) | typedef TPM_ALG_ID TPMI_ALG_SYM_OBJECT;
type TPM_ALG_ID (line 881) | typedef TPM_ALG_ID TPMI_ALG_SYM_MODE;
type TPM_ALG_ID (line 884) | typedef TPM_ALG_ID TPMI_ALG_KDF;
type TPM_ALG_ID (line 887) | typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME;
type TPM_ALG_ID (line 890) | typedef TPM_ALG_ID TPMI_ECC_KEY_EXCHANGE;
type TPM_ST (line 893) | typedef TPM_ST TPMI_ST_COMMAND_TAG;
type TPMS_ALGORITHM_DESCRIPTION (line 898) | typedef struct {
type TPMU_HA (line 904) | typedef union {
type TPMT_HA (line 913) | typedef struct {
type TPM2B_DIGEST (line 919) | typedef struct {
type TPM2B_DATA (line 925) | typedef struct {
type TPM2B_DIGEST (line 931) | typedef TPM2B_DIGEST TPM2B_NONCE;
type TPM2B_DIGEST (line 934) | typedef TPM2B_DIGEST TPM2B_AUTH;
type TPM2B_DIGEST (line 937) | typedef TPM2B_DIGEST TPM2B_OPERAND;
type TPM2B_EVENT (line 940) | typedef struct {
type TPM2B_MAX_BUFFER (line 946) | typedef struct {
type TPM2B_MAX_NV_BUFFER (line 952) | typedef struct {
type TPM2B_TIMEOUT (line 958) | typedef struct {
type TPM2B_IV (line 964) | typedef struct {
type TPMU_NAME (line 970) | typedef union {
type TPM2B_NAME (line 976) | typedef struct {
type TPMS_PCR_SELECT (line 982) | typedef struct {
type TPMS_PCR_SELECTION (line 988) | typedef struct {
type TPMT_TK_CREATION (line 995) | typedef struct {
type TPMT_TK_VERIFIED (line 1002) | typedef struct {
type TPMT_TK_AUTH (line 1009) | typedef struct {
type TPMT_TK_HASHCHECK (line 1016) | typedef struct {
type TPMS_ALG_PROPERTY (line 1023) | typedef struct {
type TPMS_TAGGED_PROPERTY (line 1029) | typedef struct {
type TPMS_TAGGED_PCR_SELECT (line 1035) | typedef struct {
type TPML_CC (line 1042) | typedef struct {
type TPML_CCA (line 1048) | typedef struct {
type TPML_ALG (line 1054) | typedef struct {
type TPML_HANDLE (line 1060) | typedef struct {
type TPML_DIGEST (line 1066) | typedef struct {
type TPML_DIGEST_VALUES (line 1072) | typedef struct {
type TPM2B_DIGEST_VALUES (line 1078) | typedef struct {
type TPML_PCR_SELECTION (line 1084) | typedef struct {
type TPML_ALG_PROPERTY (line 1090) | typedef struct {
type TPML_TAGGED_TPM_PROPERTY (line 1096) | typedef struct {
type TPML_TAGGED_PCR_PROPERTY (line 1102) | typedef struct {
type TPML_ECC_CURVE (line 1108) | typedef struct {
type TPMU_CAPABILITIES (line 1114) | typedef union {
type TPMS_CAPABILITY_DATA (line 1127) | typedef struct {
type TPMS_CLOCK_INFO (line 1133) | typedef struct {
type TPMS_TIME_INFO (line 1141) | typedef struct {
type TPMS_TIME_ATTEST_INFO (line 1147) | typedef struct {
type TPMS_CERTIFY_INFO (line 1153) | typedef struct {
type TPMS_QUOTE_INFO (line 1159) | typedef struct {
type TPMS_COMMAND_AUDIT_INFO (line 1165) | typedef struct {
type TPMS_SESSION_AUDIT_INFO (line 1173) | typedef struct {
type TPMS_CREATION_INFO (line 1179) | typedef struct {
type TPMS_NV_CERTIFY_INFO (line 1185) | typedef struct {
type TPM_ST (line 1192) | typedef TPM_ST TPMI_ST_ATTEST;
type TPMU_ATTEST (line 1195) | typedef union {
type TPMS_ATTEST (line 1206) | typedef struct {
type TPM2B_ATTEST (line 1217) | typedef struct {
type TPMS_AUTH_COMMAND (line 1223) | typedef struct {
type TPMS_AUTH_RESPONSE (line 1231) | typedef struct {
type TPM_KEY_BITS (line 1240) | typedef TPM_KEY_BITS TPMI_AES_KEY_BITS;
type TPM_KEY_BITS (line 1243) | typedef TPM_KEY_BITS TPMI_SM4_KEY_BITS;
type TPMU_SYM_KEY_BITS (line 1246) | typedef union {
type TPMU_SYM_MODE (line 1254) | typedef union {
type TPMT_SYM_DEF (line 1261) | typedef struct {
type TPMT_SYM_DEF_OBJECT (line 1268) | typedef struct {
type TPM2B_SYM_KEY (line 1275) | typedef struct {
type TPMS_SYMCIPHER_PARMS (line 1281) | typedef struct {
type TPM2B_SENSITIVE_DATA (line 1286) | typedef struct {
type TPMS_SENSITIVE_CREATE (line 1292) | typedef struct {
type TPM2B_SENSITIVE_CREATE (line 1298) | typedef struct {
type TPMS_SCHEME_SIGHASH (line 1304) | typedef struct {
type TPM_ALG_ID (line 1309) | typedef TPM_ALG_ID TPMI_ALG_KEYEDHASH_SCHEME;
type TPMS_SCHEME_SIGHASH (line 1312) | typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_HMAC;
type TPMS_SCHEME_XOR (line 1315) | typedef struct {
type TPMU_SCHEME_KEYEDHASH (line 1321) | typedef union {
type TPMT_KEYEDHASH_SCHEME (line 1327) | typedef struct {
type TPMS_SCHEME_SIGHASH (line 1333) | typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_RSASSA;
type TPMS_SCHEME_SIGHASH (line 1334) | typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_RSAPSS;
type TPMS_SCHEME_SIGHASH (line 1337) | typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_ECDSA;
type TPMS_SCHEME_SIGHASH (line 1338) | typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_SM2;
type TPMS_SCHEME_SIGHASH (line 1339) | typedef TPMS_SCHEME_SIGHASH TPMS_SCHEME_ECSCHNORR;
type TPMS_SCHEME_ECDAA (line 1342) | typedef struct {
type TPMU_SIG_SCHEME (line 1348) | typedef union {
type TPMT_SIG_SCHEME (line 1359) | typedef struct {
type TPMS_SCHEME_OAEP (line 1365) | typedef struct {
type TPMS_SCHEME_ECDH (line 1370) | typedef struct {
type TPMS_SCHEME_MGF1 (line 1375) | typedef struct {
type TPMS_SCHEME_KDF1_SP800_56a (line 1380) | typedef struct {
type TPMS_SCHEME_KDF2 (line 1385) | typedef struct {
type TPMS_SCHEME_KDF1_SP800_108 (line 1390) | typedef struct {
type TPMU_KDF_SCHEME (line 1395) | typedef union {
type TPMT_KDF_SCHEME (line 1403) | typedef struct {
type TPM_ALG_ID (line 1409) | typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME;
type TPMU_ASYM_SCHEME (line 1412) | typedef union {
type TPMT_ASYM_SCHEME (line 1423) | typedef struct {
type TPM_ALG_ID (line 1429) | typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME;
type TPMT_RSA_SCHEME (line 1432) | typedef struct {
type TPM_ALG_ID (line 1438) | typedef TPM_ALG_ID TPMI_ALG_RSA_DECRYPT;
type TPMT_RSA_DECRYPT (line 1441) | typedef struct {
type TPM2B_PUBLIC_KEY_RSA (line 1447) | typedef struct {
type TPM_KEY_BITS (line 1453) | typedef TPM_KEY_BITS TPMI_RSA_KEY_BITS;
type TPM2B_PRIVATE_KEY_RSA (line 1456) | typedef struct {
type TPM2B_ECC_PARAMETER (line 1462) | typedef struct {
type TPMS_ECC_POINT (line 1468) | typedef struct {
type TPM2B_ECC_POINT (line 1474) | typedef struct {
type TPM_ALG_ID (line 1480) | typedef TPM_ALG_ID TPMI_ALG_ECC_SCHEME;
type TPM_ECC_CURVE (line 1483) | typedef TPM_ECC_CURVE TPMI_ECC_CURVE;
type TPMT_ECC_SCHEME (line 1486) | typedef struct {
type TPMS_ALGORITHM_DETAIL_ECC (line 1492) | typedef struct {
type TPMS_SIGNATURE_RSASSA (line 1507) | typedef struct {
type TPMS_SIGNATURE_RSAPSS (line 1513) | typedef struct {
type TPMS_SIGNATURE_ECDSA (line 1519) | typedef struct {
type TPMU_SIGNATURE (line 1526) | typedef union {
type TPMT_SIGNATURE (line 1538) | typedef struct {
type TPMU_ENCRYPTED_SECRET (line 1544) | typedef union {
type TPM2B_ENCRYPTED_SECRET (line 1552) | typedef struct {
type TPM_ALG_ID (line 1560) | typedef TPM_ALG_ID TPMI_ALG_PUBLIC;
type TPMU_PUBLIC_ID (line 1563) | typedef union {
type TPMS_KEYEDHASH_PARMS (line 1571) | typedef struct {
type TPMS_ASYM_PARMS (line 1576) | typedef struct {
type TPMS_RSA_PARMS (line 1582) | typedef struct {
type TPMS_ECC_PARMS (line 1590) | typedef struct {
type TPMU_PUBLIC_PARMS (line 1598) | typedef union {
type TPMT_PUBLIC_PARMS (line 1607) | typedef struct {
type TPMT_PUBLIC (line 1613) | typedef struct {
type TPM2B_PUBLIC (line 1623) | typedef struct {
type TPM2B_PRIVATE_VENDOR_SPECIFIC (line 1629) | typedef struct {
type TPMU_SENSITIVE_COMPOSITE (line 1635) | typedef union {
type TPMT_SENSITIVE (line 1644) | typedef struct {
type TPM2B_SENSITIVE (line 1652) | typedef struct {
type _PRIVATE (line 1658) | typedef struct {
type TPM2B_PRIVATE (line 1665) | typedef struct {
type _ID_OBJECT (line 1671) | typedef struct {
type TPM2B_ID_OBJECT (line 1677) | typedef struct {
type TPMA_NV (line 1695) | typedef struct {
type TPMS_NV_PUBLIC (line 1725) | typedef struct {
type TPM2B_NV_PUBLIC (line 1734) | typedef struct {
type TPM2B_CONTEXT_SENSITIVE (line 1742) | typedef struct {
type TPMS_CONTEXT_DATA (line 1748) | typedef struct {
type TPM2B_CONTEXT_DATA (line 1754) | typedef struct {
type TPMS_CONTEXT (line 1760) | typedef struct {
type TPMS_CREATION_DATA (line 1770) | typedef struct {
type TPM2B_CREATION_DATA (line 1781) | typedef struct {
type TPM2_COMMAND_HEADER (line 1789) | typedef struct {
type TPM2_RESPONSE_HEADER (line 1795) | typedef struct {
FILE: driver/types/tpmptp.h
type PTP_FIFO_REGISTERS (line 25) | typedef struct {
type PTP_FIFO_REGISTERS (line 100) | typedef PTP_FIFO_REGISTERS* PTP_FIFO_REGISTERS_PTR;
type PTP_FIFO_INTERFACE_IDENTIFIER (line 105) | typedef union {
type PTP_FIFO_INTERFACE_CAPABILITY (line 126) | typedef union {
type PTP_CRB_REGISTERS (line 248) | typedef struct {
type PTP_CRB_REGISTERS (line 329) | typedef PTP_CRB_REGISTERS* PTP_CRB_REGISTERS_PTR;
type PTP_CRB_INTERFACE_IDENTIFIER (line 334) | typedef union {
type TPM2_PTP_INTERFACE_TYPE (line 360) | typedef enum {
FILE: driver/types/types.h
type PACKET_HEADER (line 48) | typedef struct _PACKET_HEADER {
type REPORT_PACKET_HEADER (line 55) | typedef struct _REPORT_PACKET_HEADER {
type HEARTBEAT_PACKET_HEADER (line 62) | typedef struct _HEARTBEAT_PACKET_HEADER {
type TABLE_ID (line 74) | typedef enum _TABLE_ID {
type HYPERVISOR_DETECTION_REPORT (line 80) | typedef struct _HYPERVISOR_DETECTION_REPORT {
type APC_STACKWALK_REPORT (line 89) | typedef struct _APC_STACKWALK_REPORT {
type DPC_STACKWALK_REPORT (line 97) | typedef struct _DPC_STACKWALK_REPORT {
type MODULE_VALIDATION_FAILURE (line 105) | typedef struct _MODULE_VALIDATION_FAILURE {
type DATA_TABLE_ROUTINE_REPORT (line 115) | typedef struct _DATA_TABLE_ROUTINE_REPORT {
type NMI_CALLBACK_FAILURE (line 124) | typedef struct _NMI_CALLBACK_FAILURE {
type INVALID_PROCESS_ALLOCATION_REPORT (line 134) | typedef struct _INVALID_PROCESS_ALLOCATION_REPORT {
type HIDDEN_SYSTEM_THREAD_REPORT (line 140) | typedef struct _HIDDEN_SYSTEM_THREAD_REPORT {
type ATTACH_PROCESS_REPORT (line 150) | typedef struct _ATTACH_PROCESS_REPORT {
type KPRCB_THREAD_VALIDATION_CTX (line 157) | typedef struct _KPRCB_THREAD_VALIDATION_CTX {
type OPEN_HANDLE_FAILURE_REPORT (line 168) | typedef struct _OPEN_HANDLE_FAILURE_REPORT {
type PROCESS_MODULE_VALIDATION_REPORT (line 180) | typedef struct _PROCESS_MODULE_VALIDATION_REPORT {
type HEARTBEAT_PACKET (line 188) | typedef struct _HEARTBEAT_PACKET {
type SYSTEM_MODULE_INTEGRITY_CHECK_REPORT (line 197) | typedef struct _SYSTEM_MODULE_INTEGRITY_CHECK_REPORT {
type EPT_HOOK_REPORT (line 205) | typedef struct _EPT_HOOK_REPORT {
type DRIVER_SELF_INTEGRITY_CHECK_REPORT (line 212) | typedef struct _DRIVER_SELF_INTEGRITY_CHECK_REPORT {
type BLACKLISTED_PCIE_DEVICE_REPORT (line 220) | typedef struct _BLACKLISTED_PCIE_DEVICE_REPORT {
FILE: driver/util.c
function LARGE_INTEGER (line 5) | LARGE_INTEGER
function NTSTATUS (line 19) | NTSTATUS
function NTSTATUS (line 48) | NTSTATUS
function VOID (line 77) | VOID
FILE: module/client/message_queue.h
function namespace (line 21) | namespace client {
FILE: module/client/pipe.h
function namespace (line 12) | namespace client {
FILE: module/crypt/crypt.cpp
type crypt (line 16) | namespace crypt {
type globals (line 19) | namespace globals {
function boolean (line 40) | boolean initialise_session_key() {
function boolean (line 56) | boolean initialise_provider() {
function boolean (line 96) | boolean decrypt_packet(void *packet, uint32_t packet_length) {
function get_padded_packet_size (line 116) | uint32_t get_padded_packet_size(uint32_t original_size) {
FILE: module/crypt/crypt.h
function namespace (line 6) | namespace crypt {
FILE: module/dispatcher/dispatcher.h
function namespace (line 11) | namespace dispatcher {
FILE: module/dispatcher/threadpool.h
function namespace (line 8) | namespace dispatcher {
FILE: module/dispatcher/timer.cpp
function HANDLE (line 15) | HANDLE dispatcher::timer::create_timer_object() {
FILE: module/dispatcher/timer.h
function namespace (line 26) | namespace dispatcher {
FILE: module/helper.cpp
function print_report_packet (line 68) | void
function print_heartbeat_packet (line 217) | void
FILE: module/helper.h
function namespace (line 5) | namespace helper {
FILE: module/imports.h
function namespace (line 3) | namespace imports
FILE: module/kernel_interface/kernel_interface.h
function namespace (line 9) | namespace kernel_interface {
FILE: module/main.cpp
function DWORD (line 5) | DWORD WINAPI Init(HINSTANCE hinstDLL) {
function BOOL (line 10) | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call,
FILE: module/module.h
function namespace (line 7) | namespace module {
FILE: server/main.go
function main (line 5) | func main() {
Condensed preview — 79 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (1,926K chars).
[
{
"path": ".clang-format",
"chars": 3046,
"preview": "BasedOnStyle: webkit\nAccessModifierOffset: -4\n\nAlignAfterOpenBracket: AlwaysBreak\nAlignConsecutiveAssignments: false\nAl"
},
{
"path": ".clang-format-cpp",
"chars": 29,
"preview": "---\nBasedOnStyle: LLVM\n\n...\n"
},
{
"path": ".gitattributes",
"chars": 2518,
"preview": "###############################################################################\n# Set default behavior to automatically "
},
{
"path": ".gitignore",
"chars": 6223,
"preview": "## Ignore Visual Studio temporary files, build results, and\n## files generated by popular Visual Studio add-ons.\n##\n## G"
},
{
"path": "LICENSE.md",
"chars": 34523,
"preview": " GNU AFFERO GENERAL PUBLIC LICENSE\n Version 3, 19 November 2007\n\n Copyright (C)"
},
{
"path": "README.md",
"chars": 6209,
"preview": "# ac\n\nopen source anti cheat (lol) which I made for fun.\n\n# features\n\n- Attached thread detection\n- Process module .text"
},
{
"path": "ac.sln",
"chars": 9081,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 17\nVisualStudioVersion = 17.5.3350"
},
{
"path": "driver/apc.c",
"chars": 7320,
"preview": "#include \"apc.h\"\n\n#include \"driver.h\"\n#include \"imports.h\"\n#include \"lib/stdlib.h\"\n\nVOID\nGetApcContextByIndex(_Out_ PVOI"
},
{
"path": "driver/apc.h",
"chars": 598,
"preview": "#ifndef APC_H\n#define APC_H\n\n#include \"common.h\"\n\n#include \"apc.h\"\n\n#include \"driver.h\"\n#include \"imports.h\"\n\nVOID\nGetAp"
},
{
"path": "driver/arch.asm",
"chars": 1270,
"preview": ".code\n\n\n; Tests the emulation of the INVD instruction\n;\n; source and references:\n;\n; https://secret.club/2020/04/13/how-"
},
{
"path": "driver/callbacks.c",
"chars": 39297,
"preview": "#include \"callbacks.h\"\n\n#include \"containers/map.h\"\n#include \"containers/tree.h\"\n#include \"crypt.h\"\n#include \"driver.h\"\n"
},
{
"path": "driver/callbacks.h",
"chars": 3749,
"preview": "#ifndef CALLBACKS_H\n#define CALLBACKS_H\n\n#include \"driver.h\"\n#include \"common.h\"\n\n#include <wdf.h>\n\ntypedef void (*THREA"
},
{
"path": "driver/common.h",
"chars": 59301,
"preview": "#ifndef COMMON_H\n#define COMMON_H\n\n#include <ntifs.h>\n#include <wdftypes.h>\n#include \"io.h\"\n\n#include \"types/types.h\"\n#i"
},
{
"path": "driver/containers/map.c",
"chars": 6831,
"preview": "#include \"map.h\"\n\n#include \"../lib/stdlib.h\"\n\nVOID\nRtlHashmapDelete(_In_ PRTL_HASHMAP Hashmap)\n{\n ExFreePoolWithTag(H"
},
{
"path": "driver/containers/map.h",
"chars": 2683,
"preview": "#ifndef MAP_H\n#define MAP_H\n\n#include \"../common.h\"\n\n/* To improve efficiency, each entry contains a common header\n * RT"
},
{
"path": "driver/containers/tree.c",
"chars": 21048,
"preview": "#include \"tree.h\"\n\n#include \"../lib/stdlib.h\"\n\n/*\n * Basic red-black tree implementation. Currently, the enumeration rou"
},
{
"path": "driver/containers/tree.h",
"chars": 1934,
"preview": "#ifndef TREE_H\n#define TREE_H\n\n#include \"../common.h\"\n\n#define RB_TREE_EQUAL 0\n#define RB_TREE_LESS_THAN 1\n#de"
},
{
"path": "driver/cpp.hint",
"chars": 457,
"preview": "// Hint files help the Visual Studio IDE interpret Visual C++ identifiers\n// such as names of functions and macros.\n// F"
},
{
"path": "driver/crypt.c",
"chars": 16613,
"preview": "#include \"crypt.h\"\n\n#include \"driver.h\"\n#include \"imports.h\"\n#include \"lib/stdlib.h\"\n#include \"session.h\"\n#include \"type"
},
{
"path": "driver/crypt.h",
"chars": 1600,
"preview": "#ifndef CRYPT_H\n#define CRYPT_H\n\n#include \"common.h\"\n\n#define XOR_ROTATION_AMT 13\n\nFORCEINLINE\nVOID\nCryptEncryptPointer6"
},
{
"path": "driver/driver.c",
"chars": 27371,
"preview": "#include \"driver.h\"\n\n#include \"apc.h\"\n#include \"callbacks.h\"\n#include \"common.h\"\n#include \"crypt.h\"\n#include \"hv.h\"\n#inc"
},
{
"path": "driver/driver.h",
"chars": 1221,
"preview": "#ifndef DRIVER_H\n#define DRIVER_H\n\n#include \"common.h\"\n\n#include <wdf.h>\n\n#include \"modules.h\"\n#include \"integrity.h\"\n#i"
},
{
"path": "driver/driver.inf",
"chars": 2060,
"preview": ";\n; driver.inf\n;\n\n[Version]\nSignature=\"$WINDOWS NT$\"\nClass=System ; TODO: specify appropriate Class\nClassGuid={4d36e97d-"
},
{
"path": "driver/driver.vcxproj",
"chars": 13504,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micros"
},
{
"path": "driver/driver.vcxproj.filters",
"chars": 5056,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "driver/hv.c",
"chars": 3605,
"preview": "#include \"hv.h\"\n\n#include \"common.h\"\n#include \"imports.h\"\n#include \"io.h\"\n#include \"lib/stdlib.h\"\n\n#include <intrin.h>\n\n"
},
{
"path": "driver/hv.h",
"chars": 198,
"preview": "#ifndef HV_H\n#define HV_H\n\n#include <ntifs.h>\n#include \"common.h\"\n\nNTSTATUS\nPerformVirtualizationDetection(_Inout_ PIRP "
},
{
"path": "driver/hw.c",
"chars": 10461,
"preview": "#include \"hw.h\"\n\n#include \"crypt.h\"\n#include \"imports.h\"\n#include \"lib/stdlib.h\"\n#include \"modules.h\"\n\n#define PCI_VENDO"
},
{
"path": "driver/hw.h",
"chars": 86,
"preview": "#ifndef HW_H\n#define HW_H\n\n#include \"common.h\"\n\nNTSTATUS\nValidatePciDevices();\n\n#endif"
},
{
"path": "driver/ia32.h",
"chars": 1064982,
"preview": "/** @file */\n#pragma once\ntypedef unsigned char UINT8;\ntypedef unsigned short UINT16;\ntypedef unsigned int "
},
{
"path": "driver/imports.c",
"chars": 40029,
"preview": "#include \"imports.h\"\n\n#include \"common.h\"\n#include \"driver.h\"\n#include \"crypt.h\"\n#include <stdarg.h>\n\n#include \"lib/stdl"
},
{
"path": "driver/imports.h",
"chars": 31543,
"preview": "#ifndef IMPORTS_H\n#define IMPORTS_H\n\n#include \"common.h\"\n\nPVOID\nImpResolveNtImport(PDRIVER_OBJECT DriverObject, PCZPSTR "
},
{
"path": "driver/integrity.c",
"chars": 69908,
"preview": "#include \"integrity.h\"\n\n#include \"callbacks.h\"\n#include \"common.h\"\n#include \"crypt.h\"\n#include \"driver.h\"\n#include \"impo"
},
{
"path": "driver/integrity.h",
"chars": 3617,
"preview": "#ifndef INTEGRITY_H\n#define INTEGRITY_H\n\n#include <ntifs.h>\n\n#include \"common.h\"\n\ntypedef struct _MODULE_DISPATCHER_HEAD"
},
{
"path": "driver/io.c",
"chars": 34593,
"preview": "#include \"io.h\"\n\n#include \"callbacks.h\"\n#include \"containers/map.h\"\n#include \"driver.h\"\n#include \"hv.h\"\n#include \"hw.h\"\n"
},
{
"path": "driver/io.h",
"chars": 1568,
"preview": "#ifndef IO_H\n#define IO_H\n\n#include <ntifs.h>\n#include <wdftypes.h>\n#include <wdf.h>\n#include \"common.h\"\n\ntypedef struct"
},
{
"path": "driver/lib/stdlib.c",
"chars": 1608,
"preview": "#include \"stdlib.h\"\n\nVOID\nIntCopyMemory(_In_ PVOID Destination, _In_ PVOID Source, _In_ SIZE_T Length)\n{\n PUCHAR dest"
},
{
"path": "driver/lib/stdlib.h",
"chars": 505,
"preview": "#ifndef STDLIB_H\n#define STDLIB_H\n\n#include \"../common.h\"\n\nVOID\nIntCopyMemory(_In_ PVOID Destination, _In_ PVOID Source,"
},
{
"path": "driver/modules.c",
"chars": 62570,
"preview": "#include \"modules.h\"\n\n#include \"apc.h\"\n#include \"callbacks.h\"\n#include \"containers/tree.h\"\n#include \"crypt.h\"\n#include \""
},
{
"path": "driver/modules.h",
"chars": 1742,
"preview": "#ifndef MODULES_H\n#define MODULES_H\n\n#include <ntifs.h>\n#include <intrin.h>\n\n#include \"common.h\"\n\ntypedef struct _APC_OP"
},
{
"path": "driver/pe.c",
"chars": 3206,
"preview": "#include \"pe.h\"\n\n#include \"lib/stdlib.h\"\n\nPNT_HEADER_64\nPeGetNtHeaderSafe(_In_ PVOID Image)\n{\n PIMAGE_DOS_HEADER dos "
},
{
"path": "driver/pe.h",
"chars": 871,
"preview": "#ifndef PE_H\n#define PE_H\n\n#include \"common.h\"\n\n#define IMAGE_DOS_SIGNATURE 0x5a4d /* MZ */\n#define IMAGE_NT_SIGNA"
},
{
"path": "driver/pool.c",
"chars": 7786,
"preview": "#include \"pool.h\"\n\n#include \"callbacks.h\"\n#include \"crypt.h\"\n#include \"ia32.h\"\n#include \"imports.h\"\n#include \"lib/stdlib"
},
{
"path": "driver/pool.h",
"chars": 304,
"preview": "#ifndef POOL_H\n#define POOL_H\n\n#include <ntifs.h>\n#include \"common.h\"\n\ntypedef BOOLEAN (*PAGE_CALLBACK)(_In_ UINT64 Page"
},
{
"path": "driver/session.c",
"chars": 6469,
"preview": "#include \"session.h\"\n\n#include \"crypt.h\"\n#include \"imports.h\"\n#include \"util.h\"\n\n#include \"lib/stdlib.h\"\n\nNTSTATUS\nSessi"
},
{
"path": "driver/session.h",
"chars": 637,
"preview": "#ifndef SESSION_H\n#define SESSION_H\n\n#include \"common.h\"\n\n#include \"driver.h\"\n\nNTSTATUS\nSessionInitialiseStructure();\n\nV"
},
{
"path": "driver/thread.c",
"chars": 4811,
"preview": "#include \"thread.h\"\n\n#include <intrin.h>\n\n#include \"callbacks.h\"\n#include \"driver.h\"\n#include \"pool.h\"\n\n#include \"contai"
},
{
"path": "driver/thread.h",
"chars": 214,
"preview": "#ifndef THREAD_H\n#define THREAD_H\n\n#include <ntifs.h>\n\n#include \"common.h\"\n#include \"callbacks.h\"\n\nBOOLEAN\nDoesThreadHav"
},
{
"path": "driver/types/tpm12.h",
"chars": 82562,
"preview": "/** @file\n TPM Specification data structures (TCG TPM Specification Version 1.2 Revision\n103) See http://trustedcomputi"
},
{
"path": "driver/types/tpm20.h",
"chars": 63104,
"preview": "/** @file\n TPM2.0 Specification data structures\n (Trusted Platform Module Library Specification, Family \"2.0\", Level 0"
},
{
"path": "driver/types/tpmptp.h",
"chars": 13940,
"preview": "/** @file\n Platform TPM Profile Specification definition for TPM2.0.\n It covers both FIFO and CRB interface.\n\nCopyrigh"
},
{
"path": "driver/types/types.h",
"chars": 7776,
"preview": "#ifndef TYPES_H\n#define TYPES_H\n\n#include \"../common.h\"\n\n#define REPORT_NMI_CALLBACK_FAILURE 50\n#define REPORT_MOD"
},
{
"path": "driver/util.c",
"chars": 2642,
"preview": "#include \"common.h\"\n\n#include \"lib/stdlib.h\"\n\nLARGE_INTEGER\nGenerateRandSeed()\n{\n LARGE_INTEGER system_time = {0};\n "
},
{
"path": "driver/util.h",
"chars": 554,
"preview": "#ifndef UTIL_H\n#define UTIL_H\n\n#include \"common.h\"\n\nLARGE_INTEGER\nGenerateRandSeed();\n\nNTSTATUS\nMapAndReadPhysical(_In_ "
},
{
"path": "module/client/message_queue.cpp",
"chars": 585,
"preview": "#include \"message_queue.h\"\n\n#include <Windows.h>\n\n#define TEST_STEAM_64_ID 123456789;\n\nclient::message_queue::message_qu"
},
{
"path": "module/client/message_queue.h",
"chars": 790,
"preview": "#ifndef REPORT_H\n#define REPORT_H\n\n#include <Windows.h>\n\n#include \"../dispatcher/threadpool.h\"\n\n#include \"../common.h\"\n\n"
},
{
"path": "module/client/pipe.cpp",
"chars": 998,
"preview": "#include \"pipe.h\"\n\n#include \"../common.h\"\n\n#include <intrin.h>\n\nclient::pipe::pipe(LPTSTR PipeName) {\n this->pipe_name "
},
{
"path": "module/client/pipe.h",
"chars": 1058,
"preview": "#pragma once\n\n#include <Windows.h>\n\n#define MESSAGE_TYPE_CLIENT_REPORT 1\n#define MESSAGE_TYPE_CLIENT_SEND 2\n#define MESS"
},
{
"path": "module/common.h",
"chars": 669,
"preview": "#pragma once\n\n#include <stdio.h>\n\n#include <atomic>\n#include <mutex>\n#include <optional>\n#include <vector>\n\n#define LOG_"
},
{
"path": "module/crypt/crypt.cpp",
"chars": 3595,
"preview": "#include \"crypt.h\"\n\n#include \"../common.h\"\n\n#include <bcrypt.h>\n#include <iomanip>\n#include <iostream>\n#include <stdio.h"
},
{
"path": "module/crypt/crypt.h",
"chars": 316,
"preview": "#pragma once\n\n#include <cstdint>\n#include <windows.h>\n\nnamespace crypt {\nconst unsigned char *get_test_key();\nconst unsi"
},
{
"path": "module/dispatcher/dispatcher.cpp",
"chars": 3742,
"preview": "#include \"dispatcher.h\"\n\n#include \"../client/message_queue.h\"\n#include \"../crypt/crypt.h\"\n#include \"../helper.h\"\n\n#inclu"
},
{
"path": "module/dispatcher/dispatcher.h",
"chars": 934,
"preview": "#pragma once\n\n#include \"threadpool.h\"\n\n#include \"timer.h\"\n\n#include \"../kernel_interface/kernel_interface.h\"\n\n#include \""
},
{
"path": "module/dispatcher/threadpool.cpp",
"chars": 2789,
"preview": "#include \"threadpool.h\"\n\n/*\n * This is the idle loop each thread will be running until a job is ready\n * for execution\n "
},
{
"path": "module/dispatcher/threadpool.h",
"chars": 707,
"preview": "#pragma once\n\n#include <functional>\n#include <mutex>\n#include <queue>\n#include <vector>\n\nnamespace dispatcher {\n/*\n * Th"
},
{
"path": "module/dispatcher/timer.cpp",
"chars": 4802,
"preview": "#include \"timer.h\"\n\n#include \"../common.h\"\n#include \"../helper.h\"\n\ndispatcher::timer::timer() {\n this->active_callbacks"
},
{
"path": "module/dispatcher/timer.h",
"chars": 1998,
"preview": "#pragma once\n\n#include <Windows.h>\n\n#include <array>\n#include <functional>\n#include <mutex>\n#include <optional>\n#include"
},
{
"path": "module/helper.cpp",
"chars": 10127,
"preview": "#include \"helper.h\"\n\n#include <chrono>\n#include <random>\n\n#include \"crypt/crypt.h\"\n\nvoid\nhelper::generate_rand_seed()\n{\n"
},
{
"path": "module/helper.h",
"chars": 453,
"preview": "#pragma once\n\n#include \"kernel_interface/kernel_interface.h\"\n\nnamespace helper {\nvoid generate_rand_seed();\nint generate"
},
{
"path": "module/imports.cpp",
"chars": 74,
"preview": "#include \"imports.h\"\n\nbool imports::initialise_imports() { return false; }"
},
{
"path": "module/imports.h",
"chars": 64,
"preview": "#pragma once\n\nnamespace imports\n{\nbool initialise_imports();\n\n\n}"
},
{
"path": "module/kernel_interface/kernel_interface.cpp",
"chars": 11482,
"preview": "#include \"kernel_interface.h\"\n\n#include <iostream>\n\n#include \"../common.h\"\n#include \"../crypt/crypt.h\"\n#include \"../help"
},
{
"path": "module/kernel_interface/kernel_interface.h",
"chars": 10083,
"preview": "#pragma once\n\n#include <Windows.h>\n\n#include \"../client/message_queue.h\"\n\n#include \"../module.h\"\n\nnamespace kernel_inter"
},
{
"path": "module/main.cpp",
"chars": 700,
"preview": "#include <Windows.h>\n\n#include \"module.h\"\n\nDWORD WINAPI Init(HINSTANCE hinstDLL) {\n module::run(hinstDLL);\n return 0;\n"
},
{
"path": "module/module.cpp",
"chars": 1757,
"preview": "#include \"module.h\"\n\n#include <Windows.h>\n\n#include \"client/message_queue.h\"\n#include \"dispatcher/dispatcher.h\"\n\n#includ"
},
{
"path": "module/module.h",
"chars": 295,
"preview": "#pragma once\n\n#include \"common.h\"\n\n#include <Windows.h>\n\nnamespace module {\nvoid run(HINSTANCE hinstDLL);\nvoid terminate"
},
{
"path": "module/module.vcxproj",
"chars": 11642,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "module/module.vcxproj.filters",
"chars": 1215,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "server/main.go",
"chars": 74,
"preview": "package main\n\nimport \"fmt\"\n\nfunc main() {\n\tfmt.Println(\"Hello, World!\")\n}\n"
}
]
About this extraction
This page contains the full source code of the donnaskiez/ac GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 79 files (1.8 MB), approximately 479.1k tokens, and a symbol index with 1228 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.